From b68733bf62f7d443d74ab4c7a206d1f54f044701 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 18 Jun 2017 16:03:14 +0300 Subject: [PATCH 1/4] ECDSA alternative support Support for alternative implementation of ECDSA, at the higher layer --- ChangeLog | 4 ++ include/mbedtls/config.h | 1 + library/ecdsa.c | 103 +++++++++++++++++++------------------ library/version_features.c | 3 ++ 4 files changed, 61 insertions(+), 50 deletions(-) diff --git a/ChangeLog b/ChangeLog index 243bd6bc0..e9be97bd4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,10 @@ Changes * Clarify ECDSA documentation and improve the sample code to avoid misunderstandings and potentially dangerous use of the API. Pointed out by Jean-Philippe Aumasson. + * Add support for alternative implementation for ECDSA, controlled by new + configuration flag MBEDTLS_ECDSA_ALT in config.h. + Alternative Ecdsa is supported for implementation of `mbedtls_ecdsa_sign` + and `mbedtls_ecdsa_verify`. = mbed TLS 2.5.0 branch released 2017-05-17 diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index c4b8995c1..54dc2372d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -238,6 +238,7 @@ //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_DES_ALT +//#define MBEDTLS_ECDSA_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT diff --git a/library/ecdsa.c b/library/ecdsa.c index 4156f3c3c..d95dcae22 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -37,11 +37,10 @@ #include "mbedtls/asn1write.h" #include - +#include "mbedtls/platform.h" #if defined(MBEDTLS_ECDSA_DETERMINISTIC) #include "mbedtls/hmac_drbg.h" #endif - /* * Derive a suitable integer for group grp from a buffer of length len * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3 @@ -65,6 +64,8 @@ cleanup: return( ret ); } +#if !defined(MBEDTLS_ECDSA_ALT) + /* * Compute ECDSA signature of a hashed message (SEC1 4.1.3) * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message) @@ -154,43 +155,6 @@ cleanup: return( ret ); } -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) -/* - * Deterministic signature wrapper - */ -int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, - const mbedtls_mpi *d, const unsigned char *buf, size_t blen, - mbedtls_md_type_t md_alg ) -{ - int ret; - mbedtls_hmac_drbg_context rng_ctx; - unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES]; - size_t grp_len = ( grp->nbits + 7 ) / 8; - const mbedtls_md_info_t *md_info; - mbedtls_mpi h; - - if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - mbedtls_mpi_init( &h ); - mbedtls_hmac_drbg_init( &rng_ctx ); - - /* Use private key and message hash (reduced) to initialize HMAC_DRBG */ - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) ); - MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) ); - mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len ); - - ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, - mbedtls_hmac_drbg_random, &rng_ctx ); - -cleanup: - mbedtls_hmac_drbg_free( &rng_ctx ); - mbedtls_mpi_free( &h ); - - return( ret ); -} -#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ /* * Verify ECDSA signature of hashed message (SEC1 4.1.4) @@ -278,6 +242,56 @@ cleanup: return( ret ); } +/* + * Generate key pair + */ +int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + return( mbedtls_ecp_group_load( &ctx->grp, gid ) || + mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ); +} + +#endif /* MBEDTLS_ECDSA_ALT */ + +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) +/* + * Deterministic signature wrapper + */ +int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, + const mbedtls_mpi *d, const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg ) +{ + int ret; + mbedtls_hmac_drbg_context rng_ctx; + unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES]; + size_t grp_len = ( grp->nbits + 7 ) / 8; + const mbedtls_md_info_t *md_info; + mbedtls_mpi h; + + if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + mbedtls_mpi_init( &h ); + mbedtls_hmac_drbg_init( &rng_ctx ); + + /* Use private key and message hash (reduced) to initialize HMAC_DRBG */ + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) ); + MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) ); + mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len ); + + ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, + mbedtls_hmac_drbg_random, &rng_ctx ); + +cleanup: + mbedtls_hmac_drbg_free( &rng_ctx ); + mbedtls_mpi_free( &h ); + + return( ret ); +} +#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ + /* * Convert a signature (given by context) to ASN.1 */ @@ -301,7 +315,6 @@ static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, return( 0 ); } - /* * Compute and write signature */ @@ -402,16 +415,6 @@ cleanup: return( ret ); } -/* - * Generate key pair - */ -int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) -{ - return( mbedtls_ecp_group_load( &ctx->grp, gid ) || - mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ); -} - /* * Set context from an mbedtls_ecp_keypair */ diff --git a/library/version_features.c b/library/version_features.c index 9f97c7bc3..df7f957fe 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -93,6 +93,9 @@ static const char *features[] = { #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ +#if defined(MBEDTLS_ECDSA_ALT) + "MBEDTLS_ECDSA_ALT", +#endif /* MBEDTLS_ECDSA_ALT */ #if defined(MBEDTLS_XTEA_ALT) "MBEDTLS_XTEA_ALT", #endif /* MBEDTLS_XTEA_ALT */ From 7268ca95008bf1a881fee881223978449c828b6e Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 5 Sep 2017 14:29:20 +0300 Subject: [PATCH 2/4] remove redundant include Remove redunadnat include for platform.h which was acciddently pushed, for debugging purposes --- library/ecdsa.c | 1 - 1 file changed, 1 deletion(-) diff --git a/library/ecdsa.c b/library/ecdsa.c index d95dcae22..8804ca62f 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -37,7 +37,6 @@ #include "mbedtls/asn1write.h" #include -#include "mbedtls/platform.h" #if defined(MBEDTLS_ECDSA_DETERMINISTIC) #include "mbedtls/hmac_drbg.h" #endif From 2981a0a7402ea331b6eb74599de64d0c825c9e73 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 24 Sep 2017 15:41:09 +0300 Subject: [PATCH 3/4] Address Andres PR comments Address Andres' comments in the PR --- ChangeLog | 5 +++-- library/ecdsa.c | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e9be97bd4..94eba4208 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,8 +38,9 @@ Changes by Jean-Philippe Aumasson. * Add support for alternative implementation for ECDSA, controlled by new configuration flag MBEDTLS_ECDSA_ALT in config.h. - Alternative Ecdsa is supported for implementation of `mbedtls_ecdsa_sign` - and `mbedtls_ecdsa_verify`. + The following functions from the ECDSA module can be replaced + with an alternative implementation: + mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey(). = mbed TLS 2.5.0 branch released 2017-05-17 diff --git a/library/ecdsa.c b/library/ecdsa.c index 8804ca62f..804884bca 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -37,9 +37,11 @@ #include "mbedtls/asn1write.h" #include + #if defined(MBEDTLS_ECDSA_DETERMINISTIC) #include "mbedtls/hmac_drbg.h" #endif + /* * Derive a suitable integer for group grp from a buffer of length len * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3 @@ -314,6 +316,7 @@ static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, return( 0 ); } + /* * Compute and write signature */ From 314adb6baa2cabf4244162da68c9733ece3afabc Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 10 Oct 2017 18:28:25 +0300 Subject: [PATCH 4/4] Address PR review comments 1) update ChangLog to have new feature in Features instead of Changes 2) Change MBEDTLS_ECDSA_ALT to function specific alternative definitions: MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSA_GENKEY_ALT --- ChangeLog | 9 ++-- include/mbedtls/config.h | 4 +- library/ecdsa.c | 105 +++++++++++++++++++------------------ library/version_features.c | 12 +++-- 4 files changed, 71 insertions(+), 59 deletions(-) diff --git a/ChangeLog b/ChangeLog index 94eba4208..040632cf4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,10 +36,13 @@ Changes * Clarify ECDSA documentation and improve the sample code to avoid misunderstandings and potentially dangerous use of the API. Pointed out by Jean-Philippe Aumasson. - * Add support for alternative implementation for ECDSA, controlled by new - configuration flag MBEDTLS_ECDSA_ALT in config.h. + +Features + * Add support for alternative implementations for ECDSA, controlled by new + configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and + MBEDTLS_ECDSDA_GENKEY_AT in config.h. The following functions from the ECDSA module can be replaced - with an alternative implementation: + with alternative implementation: mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey(). = mbed TLS 2.5.0 branch released 2017-05-17 diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 54dc2372d..7c06ec488 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -238,7 +238,6 @@ //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_DES_ALT -//#define MBEDTLS_ECDSA_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT @@ -295,6 +294,9 @@ //#define MBEDTLS_AES_SETKEY_DEC_ALT //#define MBEDTLS_AES_ENCRYPT_ALT //#define MBEDTLS_AES_DECRYPT_ALT +//#define MBEDTLS_ECDSA_VERIFY_ALT +//#define MBEDTLS_ECDSA_SIGN_ALT +//#define MBEDTLS_ECDSA_GENKEY_ALT /** * \def MBEDTLS_ECP_INTERNAL_ALT diff --git a/library/ecdsa.c b/library/ecdsa.c index 804884bca..a241072c3 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -65,8 +65,7 @@ cleanup: return( ret ); } -#if !defined(MBEDTLS_ECDSA_ALT) - +#if !defined(MBEDTLS_ECDSA_SIGN_ALT) /* * Compute ECDSA signature of a hashed message (SEC1 4.1.3) * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message) @@ -155,8 +154,47 @@ cleanup: return( ret ); } +#endif /* MBEDTLS_ECDSA_SIGN_ALT */ +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) +/* + * Deterministic signature wrapper + */ +int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, + const mbedtls_mpi *d, const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg ) +{ + int ret; + mbedtls_hmac_drbg_context rng_ctx; + unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES]; + size_t grp_len = ( grp->nbits + 7 ) / 8; + const mbedtls_md_info_t *md_info; + mbedtls_mpi h; + if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + mbedtls_mpi_init( &h ); + mbedtls_hmac_drbg_init( &rng_ctx ); + + /* Use private key and message hash (reduced) to initialize HMAC_DRBG */ + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) ); + MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) ); + mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len ); + + ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, + mbedtls_hmac_drbg_random, &rng_ctx ); + +cleanup: + mbedtls_hmac_drbg_free( &rng_ctx ); + mbedtls_mpi_free( &h ); + + return( ret ); +} +#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ + +#if !defined(MBEDTLS_ECDSA_VERIFY_ALT) /* * Verify ECDSA signature of hashed message (SEC1 4.1.4) * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message) @@ -242,56 +280,7 @@ cleanup: return( ret ); } - -/* - * Generate key pair - */ -int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) -{ - return( mbedtls_ecp_group_load( &ctx->grp, gid ) || - mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ); -} - -#endif /* MBEDTLS_ECDSA_ALT */ - -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) -/* - * Deterministic signature wrapper - */ -int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, - const mbedtls_mpi *d, const unsigned char *buf, size_t blen, - mbedtls_md_type_t md_alg ) -{ - int ret; - mbedtls_hmac_drbg_context rng_ctx; - unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES]; - size_t grp_len = ( grp->nbits + 7 ) / 8; - const mbedtls_md_info_t *md_info; - mbedtls_mpi h; - - if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - mbedtls_mpi_init( &h ); - mbedtls_hmac_drbg_init( &rng_ctx ); - - /* Use private key and message hash (reduced) to initialize HMAC_DRBG */ - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) ); - MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) ); - mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len ); - - ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, - mbedtls_hmac_drbg_random, &rng_ctx ); - -cleanup: - mbedtls_hmac_drbg_free( &rng_ctx ); - mbedtls_mpi_free( &h ); - - return( ret ); -} -#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ +#endif /* MBEDTLS_ECDSA_VERIFY_ALT */ /* * Convert a signature (given by context) to ASN.1 @@ -417,6 +406,18 @@ cleanup: return( ret ); } +#if !defined(MBEDTLS_ECDSA_GENKEY_ALT) +/* + * Generate key pair + */ +int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + return( mbedtls_ecp_group_load( &ctx->grp, gid ) || + mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ); +} +#endif /* MBEDTLS_ECDSA_GENKEY_ALT */ + /* * Set context from an mbedtls_ecp_keypair */ diff --git a/library/version_features.c b/library/version_features.c index df7f957fe..2629098a6 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -93,9 +93,6 @@ static const char *features[] = { #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ -#if defined(MBEDTLS_ECDSA_ALT) - "MBEDTLS_ECDSA_ALT", -#endif /* MBEDTLS_ECDSA_ALT */ #if defined(MBEDTLS_XTEA_ALT) "MBEDTLS_XTEA_ALT", #endif /* MBEDTLS_XTEA_ALT */ @@ -165,6 +162,15 @@ static const char *features[] = { #if defined(MBEDTLS_AES_DECRYPT_ALT) "MBEDTLS_AES_DECRYPT_ALT", #endif /* MBEDTLS_AES_DECRYPT_ALT */ +#if defined(MBEDTLS_ECDSA_VERIFY_ALT) + "MBEDTLS_ECDSA_VERIFY_ALT", +#endif /* MBEDTLS_ECDSA_VERIFY_ALT */ +#if defined(MBEDTLS_ECDSA_SIGN_ALT) + "MBEDTLS_ECDSA_SIGN_ALT", +#endif /* MBEDTLS_ECDSA_SIGN_ALT */ +#if defined(MBEDTLS_ECDSA_GENKEY_ALT) + "MBEDTLS_ECDSA_GENKEY_ALT", +#endif /* MBEDTLS_ECDSA_GENKEY_ALT */ #if defined(MBEDTLS_ECP_INTERNAL_ALT) "MBEDTLS_ECP_INTERNAL_ALT", #endif /* MBEDTLS_ECP_INTERNAL_ALT */