398 lines
9.7 KiB
C
Executable file
398 lines
9.7 KiB
C
Executable file
/* $OpenBSD: gostr341001.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */
|
|
/*
|
|
* Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
* Copyright (c) 2005-2006 Cryptocom LTD
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* 3. All advertising materials mentioning features or use of this
|
|
* software must display the following acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
*
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
* endorse or promote products derived from this software without
|
|
* prior written permission. For written permission, please contact
|
|
* openssl-core@openssl.org.
|
|
*
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
* permission of the OpenSSL Project.
|
|
*
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
* acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
* ====================================================================
|
|
*/
|
|
|
|
#include <string.h>
|
|
|
|
#include <openssl/opensslconf.h>
|
|
|
|
#ifndef OPENSSL_NO_GOST
|
|
#include <openssl/bn.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/gost.h>
|
|
|
|
#include "bn_lcl.h"
|
|
#include "gost_locl.h"
|
|
|
|
/* Convert little-endian byte array into bignum */
|
|
BIGNUM *
|
|
GOST_le2bn(const unsigned char *buf, size_t len, BIGNUM *bn)
|
|
{
|
|
unsigned char temp[64];
|
|
int i;
|
|
|
|
if (len > 64)
|
|
return NULL;
|
|
|
|
for (i = 0; i < len; i++) {
|
|
temp[len - 1 - i] = buf[i];
|
|
}
|
|
|
|
return BN_bin2bn(temp, len, bn);
|
|
}
|
|
|
|
int
|
|
GOST_bn2le(BIGNUM *bn, unsigned char *buf, int len)
|
|
{
|
|
unsigned char temp[64];
|
|
int i, bytes;
|
|
|
|
bytes = BN_num_bytes(bn);
|
|
if (len > 64 || bytes > len)
|
|
return 0;
|
|
|
|
BN_bn2bin(bn, temp);
|
|
|
|
for (i = 0; i < bytes; i++) {
|
|
buf[bytes - 1 - i] = temp[i];
|
|
}
|
|
|
|
memset(buf + bytes, 0, len - bytes);
|
|
|
|
return 1;
|
|
}
|
|
|
|
int
|
|
gost2001_compute_public(GOST_KEY *ec)
|
|
{
|
|
const EC_GROUP *group = GOST_KEY_get0_group(ec);
|
|
EC_POINT *pub_key = NULL;
|
|
const BIGNUM *priv_key = NULL;
|
|
BN_CTX *ctx = NULL;
|
|
int ok = 0;
|
|
|
|
if (group == NULL) {
|
|
GOSTerror(GOST_R_KEY_IS_NOT_INITIALIZED);
|
|
return 0;
|
|
}
|
|
ctx = BN_CTX_new();
|
|
if (ctx == NULL) {
|
|
GOSTerror(ERR_R_MALLOC_FAILURE);
|
|
return 0;
|
|
}
|
|
BN_CTX_start(ctx);
|
|
if ((priv_key = GOST_KEY_get0_private_key(ec)) == NULL)
|
|
goto err;
|
|
|
|
pub_key = EC_POINT_new(group);
|
|
if (pub_key == NULL)
|
|
goto err;
|
|
if (EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx) == 0)
|
|
goto err;
|
|
if (GOST_KEY_set_public_key(ec, pub_key) == 0)
|
|
goto err;
|
|
ok = 1;
|
|
|
|
if (ok == 0) {
|
|
err:
|
|
GOSTerror(ERR_R_EC_LIB);
|
|
}
|
|
EC_POINT_free(pub_key);
|
|
if (ctx != NULL) {
|
|
BN_CTX_end(ctx);
|
|
BN_CTX_free(ctx);
|
|
}
|
|
return ok;
|
|
}
|
|
|
|
ECDSA_SIG *
|
|
gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey)
|
|
{
|
|
ECDSA_SIG *newsig = NULL;
|
|
BIGNUM *order = NULL;
|
|
const EC_GROUP *group;
|
|
const BIGNUM *priv_key;
|
|
BIGNUM *r = NULL, *s = NULL, *X = NULL, *tmp = NULL, *tmp2 = NULL, *k =
|
|
NULL, *e = NULL;
|
|
EC_POINT *C = NULL;
|
|
BN_CTX *ctx = BN_CTX_new();
|
|
int ok = 0;
|
|
|
|
if (ctx == NULL) {
|
|
GOSTerror(ERR_R_MALLOC_FAILURE);
|
|
return NULL;
|
|
}
|
|
BN_CTX_start(ctx);
|
|
newsig = ECDSA_SIG_new();
|
|
if (newsig == NULL) {
|
|
GOSTerror(ERR_R_MALLOC_FAILURE);
|
|
goto err;
|
|
}
|
|
s = newsig->s;
|
|
r = newsig->r;
|
|
group = GOST_KEY_get0_group(eckey);
|
|
if ((order = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if (EC_GROUP_get_order(group, order, ctx) == 0)
|
|
goto err;
|
|
priv_key = GOST_KEY_get0_private_key(eckey);
|
|
if ((e = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if (BN_mod_ct(e, md, order, ctx) == 0)
|
|
goto err;
|
|
if (BN_is_zero(e))
|
|
BN_one(e);
|
|
if ((k = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((X = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((C = EC_POINT_new(group)) == NULL)
|
|
goto err;
|
|
do {
|
|
do {
|
|
if (!BN_rand_range(k, order)) {
|
|
GOSTerror(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
|
|
goto err;
|
|
}
|
|
/*
|
|
* We do not want timing information to leak the length
|
|
* of k, so we compute G*k using an equivalent scalar
|
|
* of fixed bit-length.
|
|
*/
|
|
if (BN_add(k, k, order) == 0)
|
|
goto err;
|
|
if (BN_num_bits(k) <= BN_num_bits(order))
|
|
if (BN_add(k, k, order) == 0)
|
|
goto err;
|
|
|
|
if (EC_POINT_mul(group, C, k, NULL, NULL, ctx) == 0) {
|
|
GOSTerror(ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
if (EC_POINT_get_affine_coordinates_GFp(group, C, X,
|
|
NULL, ctx) == 0) {
|
|
GOSTerror(ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
if (BN_nnmod(r, X, order, ctx) == 0)
|
|
goto err;
|
|
} while (BN_is_zero(r));
|
|
/* s = (r*priv_key+k*e) mod order */
|
|
if (tmp == NULL) {
|
|
if ((tmp = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
}
|
|
if (BN_mod_mul(tmp, priv_key, r, order, ctx) == 0)
|
|
goto err;
|
|
if (tmp2 == NULL) {
|
|
if ((tmp2 = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
}
|
|
if (BN_mod_mul(tmp2, k, e, order, ctx) == 0)
|
|
goto err;
|
|
if (BN_mod_add(s, tmp, tmp2, order, ctx) == 0)
|
|
goto err;
|
|
} while (BN_is_zero(s));
|
|
ok = 1;
|
|
|
|
err:
|
|
EC_POINT_free(C);
|
|
if (ctx != NULL) {
|
|
BN_CTX_end(ctx);
|
|
BN_CTX_free(ctx);
|
|
}
|
|
if (ok == 0) {
|
|
ECDSA_SIG_free(newsig);
|
|
newsig = NULL;
|
|
}
|
|
return newsig;
|
|
}
|
|
|
|
int
|
|
gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec)
|
|
{
|
|
BN_CTX *ctx = BN_CTX_new();
|
|
const EC_GROUP *group = GOST_KEY_get0_group(ec);
|
|
BIGNUM *order;
|
|
BIGNUM *e = NULL, *R = NULL, *v = NULL, *z1 = NULL, *z2 = NULL;
|
|
BIGNUM *X = NULL, *tmp = NULL;
|
|
EC_POINT *C = NULL;
|
|
const EC_POINT *pub_key = NULL;
|
|
int ok = 0;
|
|
|
|
if (ctx == NULL)
|
|
goto err;
|
|
BN_CTX_start(ctx);
|
|
if ((order = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((e = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((z1 = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((z2 = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((tmp = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((X = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((R = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((v = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
|
|
if (EC_GROUP_get_order(group, order, ctx) == 0)
|
|
goto err;
|
|
pub_key = GOST_KEY_get0_public_key(ec);
|
|
if (BN_is_zero(sig->s) || BN_is_zero(sig->r) ||
|
|
BN_cmp(sig->s, order) >= 1 || BN_cmp(sig->r, order) >= 1) {
|
|
GOSTerror(GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
|
|
goto err;
|
|
}
|
|
|
|
if (BN_mod_ct(e, md, order, ctx) == 0)
|
|
goto err;
|
|
if (BN_is_zero(e))
|
|
BN_one(e);
|
|
if ((v = BN_mod_inverse_ct(v, e, order, ctx)) == NULL)
|
|
goto err;
|
|
if (BN_mod_mul(z1, sig->s, v, order, ctx) == 0)
|
|
goto err;
|
|
if (BN_sub(tmp, order, sig->r) == 0)
|
|
goto err;
|
|
if (BN_mod_mul(z2, tmp, v, order, ctx) == 0)
|
|
goto err;
|
|
if ((C = EC_POINT_new(group)) == NULL)
|
|
goto err;
|
|
if (EC_POINT_mul(group, C, z1, pub_key, z2, ctx) == 0) {
|
|
GOSTerror(ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
if (EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx) == 0) {
|
|
GOSTerror(ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
if (BN_mod_ct(R, X, order, ctx) == 0)
|
|
goto err;
|
|
if (BN_cmp(R, sig->r) != 0) {
|
|
GOSTerror(GOST_R_SIGNATURE_MISMATCH);
|
|
} else {
|
|
ok = 1;
|
|
}
|
|
err:
|
|
EC_POINT_free(C);
|
|
if (ctx != NULL) {
|
|
BN_CTX_end(ctx);
|
|
BN_CTX_free(ctx);
|
|
}
|
|
return ok;
|
|
}
|
|
|
|
/* Implementation of CryptoPro VKO 34.10-2001 algorithm */
|
|
int
|
|
VKO_compute_key(BIGNUM *X, BIGNUM *Y, const GOST_KEY *pkey, GOST_KEY *priv_key,
|
|
const BIGNUM *ukm)
|
|
{
|
|
BIGNUM *p = NULL, *order = NULL;
|
|
const BIGNUM *key = GOST_KEY_get0_private_key(priv_key);
|
|
const EC_GROUP *group = GOST_KEY_get0_group(priv_key);
|
|
const EC_POINT *pub_key = GOST_KEY_get0_public_key(pkey);
|
|
EC_POINT *pnt;
|
|
BN_CTX *ctx = NULL;
|
|
int ok = 0;
|
|
|
|
pnt = EC_POINT_new(group);
|
|
if (pnt == NULL)
|
|
goto err;
|
|
ctx = BN_CTX_new();
|
|
if (ctx == NULL)
|
|
goto err;
|
|
BN_CTX_start(ctx);
|
|
if ((p = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if ((order = BN_CTX_get(ctx)) == NULL)
|
|
goto err;
|
|
if (EC_GROUP_get_order(group, order, ctx) == 0)
|
|
goto err;
|
|
if (BN_mod_mul(p, key, ukm, order, ctx) == 0)
|
|
goto err;
|
|
if (EC_POINT_mul(group, pnt, NULL, pub_key, p, ctx) == 0)
|
|
goto err;
|
|
if (EC_POINT_get_affine_coordinates_GFp(group, pnt, X, Y, ctx) == 0)
|
|
goto err;
|
|
ok = 1;
|
|
|
|
err:
|
|
if (ctx != NULL) {
|
|
BN_CTX_end(ctx);
|
|
BN_CTX_free(ctx);
|
|
}
|
|
EC_POINT_free(pnt);
|
|
return ok;
|
|
}
|
|
|
|
int
|
|
gost2001_keygen(GOST_KEY *ec)
|
|
{
|
|
BIGNUM *order = BN_new(), *d = BN_new();
|
|
const EC_GROUP *group = GOST_KEY_get0_group(ec);
|
|
int rc = 0;
|
|
|
|
if (order == NULL || d == NULL)
|
|
goto err;
|
|
if (EC_GROUP_get_order(group, order, NULL) == 0)
|
|
goto err;
|
|
|
|
do {
|
|
if (BN_rand_range(d, order) == 0) {
|
|
GOSTerror(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
|
|
goto err;
|
|
}
|
|
} while (BN_is_zero(d));
|
|
|
|
if (GOST_KEY_set_private_key(ec, d) == 0)
|
|
goto err;
|
|
rc = gost2001_compute_public(ec);
|
|
|
|
err:
|
|
BN_free(d);
|
|
BN_free(order);
|
|
return rc;
|
|
}
|
|
#endif
|