Finish up RFC6979 ECDSA keygen

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>

Author: sjaeckel

doc/crypt.tex

@@ -5816,6 +5816,7 @@ \subsection{Signature Generation}
 To sign a message digest (hash) use the following function:
 
 \index{ecc\_sign\_hash()}
+\index{ECC\_SET\_RFC6979\_HASH\_ALG()}
 \begin{verbatim}
 int ecc_sign_hash(const unsigned char *in,
                         unsigned long  inlen,
@@ -5830,8 +5831,14 @@ \subsection{Signature Generation}
 will be stored in the array pointed to by \code{out} of length \code{outlen} octets.  The function requires that the \textit{ECC}
 \code{key} provided must be a private key.
 
-It requires a properly seeded \textit{PRNG} for standard \textit{ECDSA}, or if \code{prng} is NULL and/or \code{wprng} is less than zero,
-the private key and the message itself will be used to create a deterministic signature according to \textit{RFC6979}.
+In order to execute standard \textit{ECDSA} it requires a properly seeded \textit{PRNG}  which gets passed via \code{prng} and \code{wprng}.
+
+The deterministic signature mechanism according to \textit{RFC6979} is also supported. This does not require a \textit{PRNG}, but
+instead a valid hash function shall be set via the macro
+
+\code{ECC\_SET\_RFC6979\_HASH\_ALG(key, hash\_alg)}
+
+The expected types of the arguments to that macro are \code{(ecc\_key*, const char*)}.
 
 \index{ecc\_sign\_hash\_rfc7518()}
 \begin{verbatim}

src/headers/tomcrypt_pk.h

@@ -281,8 +281,18 @@ typedef struct {
 
     /** The private key */
     void *k;
+
+    /** The hash algorithm to use when creating a signature.
+     *  Setting this will enable RFC6979 compatible signature generation.
+     *  The macro ECC_SET_RFC6979_HASH_ALG() is provided as a helper
+     *  to set this.*/
+    const char *rfc6979_hash_alg;
 } ecc_key;
 
+#define ECC_SET_RFC6979_HASH_ALG(key, alg) do { \
+   (key)->rfc6979_hash_alg = (alg);             \
+} while(0)
+
 /** Formats of ECC signatures */
 typedef enum ecc_signature_type_ {
    /* ASN.1 encoded, ANSI X9.62 */
@@ -304,7 +314,6 @@ int  ecc_get_size(const ecc_key *key);
 int  ecc_find_curve(const char* name_or_oid, const ltc_ecc_curve** cu);
 int  ecc_set_curve(const ltc_ecc_curve *cu, ecc_key *key);
 int  ecc_generate_key(prng_state *prng, int wprng, ecc_key *key);
-int  ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, int inlen, ecc_key *key);
 int  ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key *key);
 int  ecc_get_key(unsigned char *out, unsigned long *outlen, int type, const ecc_key *key);
 int  ecc_get_oid_str(char *out, unsigned long *outlen, const ecc_key *key);

src/headers/tomcrypt_private.h

@@ -441,6 +441,8 @@ int ecc_verify_hash_internal(void *r, void *s,
                              const unsigned char *hash, unsigned long hashlen,
                              int *stat, const ecc_key *key);
 
+int ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, unsigned long inlen, ecc_key *key);
+
 #ifdef LTC_SSH
 int ecc_ssh_ecdsa_encode_name(char *buffer, unsigned long *buflen, const ecc_key *key);
 #endif

src/pk/ecc/ecc_make_key.c

@@ -59,6 +59,7 @@ int ecc_generate_key(prng_state *prng, int wprng, ecc_key *key)
       goto error;
    }
    key->type = PK_PRIVATE;
+   key->rfc6979_hash_alg = NULL;
 
    /* success */
    err = CRYPT_OK;

src/pk/ecc/ecc_rfc6979_key.c

@@ -1,11 +1,5 @@
-/* LibTomCrypt, modular cryptographic library -- Tom St Denis
- *
- * LibTomCrypt is a library that provides various cryptographic
- * algorithms in a highly modular and flexible manner.
- *
- * The library is free for all purposes without any express
- * guarantee it works.
- */
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis */
+/* SPDX-License-Identifier: Unlicense */
 
 #include "tomcrypt_private.h"
 
@@ -25,99 +19,127 @@
   @param key          [out] Newly created deterministic key
   @return CRYPT_OK if successful, upon error all allocated memory will be freed
 */
-int ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, int inlen, ecc_key *key)
+int ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, unsigned long inlen, ecc_key *key)
 {
-   int            err, hash, i;
-   unsigned char  v[32], k[32], digest[32]; /* No way to determine hash so always use SHA256 */
-   unsigned char  buffer[256];
-   unsigned long  outlen, buflen, qlen;
+   int            err, hash = -1;
+   unsigned char  v[MAXBLOCKSIZE], k[MAXBLOCKSIZE];
+   unsigned char  buffer[256], sep[1], privkey[128];
+   unsigned long  order_bits, len_diff, pk_len, zero_extend, outlen, klen, vlen, buflen, qlen, hashsize;
+   void *r, *d;
 
    LTC_ARGCHK(ltc_mp.name != NULL);
+   LTC_ARGCHK(priv        != NULL);
    LTC_ARGCHK(key         != NULL);
    LTC_ARGCHK(key->dp.size > 0);
 
-   hash = find_hash("sha256");
-   if (hash == -1) {err = CRYPT_ERROR; goto error;}
+   if (priv->rfc6979_hash_alg == NULL) {
+      return CRYPT_INVALID_ARG;
+   }
+   hash = find_hash(priv->rfc6979_hash_alg);
+   if ((err = hash_is_valid(hash)) != CRYPT_OK) {
+      return err;
+   }
+
+   hashsize = hash_descriptor[hash].hashsize;
+
+   if ((err = ltc_mp_init_multi(&r, &d, NULL)) != CRYPT_OK) {
+      return err;
+   }
 
    /* Length, in bytes, of key */
-   i = mp_count_bits(key->dp.order);
-   qlen = (i+7) >> 3;
+   order_bits = ltc_mp_count_bits(key->dp.order);
+   qlen = (order_bits+7) >> 3;
+   len_diff = qlen > inlen ? qlen - inlen : 0;
+   pk_len = (ltc_mp_count_bits(priv->k)+7) >> 3;
+   zero_extend = qlen - pk_len;
+   XMEMSET(buffer, 0x00, len_diff + zero_extend);
 
    /* RFC6979 3.2b, set V */
-   for (i=0; i<32; i++) v[i] = 0x01;
+   XMEMSET(v, 0x01, hashsize);
 
    /* RFC6979 3.2c, set K */
-   for (i=0; i<32; i++) k[i] = 0x00;
+   XMEMSET(k, 0x00, hashsize);
 
+   if ((err = ltc_mp_to_unsigned_bin(priv->k, privkey) != CRYPT_OK))                                     { goto error; }
    /* RFC6979 3.2d, set K to HMAC_K(V::0x00::priv::in) */
-   XMEMCPY(&buffer[0], v, 32);
-   buffer[32] = 0x00;
-   if ((err = mp_to_unsigned_bin(priv->k, &buffer[33]) != CRYPT_OK))                                   { goto error; }
-   XMEMCPY(&buffer[33+qlen], in, inlen);
-   buflen = 32 + 1 + qlen + inlen;
-   outlen = sizeof(digest);
-   if((err = hmac_memory(hash, k, 32, buffer, buflen, digest, &outlen)) != CRYPT_OK)                   { goto error; }
-   XMEMCPY(k, digest, 32);
+   sep[0] = 0;
+   klen = sizeof(k);
+   if((err = hmac_memory_multi(hash,
+                               k, hashsize,
+                               k, &klen,
+                               v, hashsize,
+                               sep, 1,
+                               buffer, zero_extend,
+                               privkey, qlen - zero_extend,
+                               buffer, len_diff,
+                               in, qlen - len_diff,
+                               LTC_NULL)) != CRYPT_OK)                                                   { goto error; }
 
    /* RFC6979 3.2e, set V = HMAC_K(V) */
-   outlen = sizeof(digest);
-   if((err = hmac_memory(hash, k, 32, v, 32, digest, &outlen)) != CRYPT_OK)                            { goto error; }
-   XMEMCPY(v, digest, 32);
+   vlen = sizeof(v);
+   if((err = hmac_memory(hash, k, klen, v, hashsize, v, &vlen)) != CRYPT_OK)                             { goto error; }
 
    /* RFC6979 3.2f, set K to HMAC_K(V::0x01::priv::in) */
-   XMEMCPY(&buffer[0], v, 32);
-   buffer[32] = 0x01;
-   if ((err = mp_to_unsigned_bin(priv->k, &buffer[33]) != CRYPT_OK))                                   { goto error; }
-   XMEMCPY(&buffer[33+qlen], in, inlen);
-   buflen = 32 + 1 + qlen + inlen;
-   outlen = sizeof(digest);
-   if((err = hmac_memory(hash, k, 32, buffer, buflen, digest, &outlen)) != CRYPT_OK)                   { goto error; }
-   XMEMCPY(k, digest, 32);
+   sep[0] = 0x01;
+   outlen = sizeof(k);
+   if((err = hmac_memory_multi(hash,
+                               k, klen,
+                               k, &klen,
+                               v, hashsize,
+                               sep, 1,
+                               buffer, zero_extend,
+                               privkey, qlen - zero_extend,
+                               buffer, len_diff,
+                               in, qlen - len_diff,
+                               LTC_NULL)) != CRYPT_OK)                                                   { goto error; }
 
    /* RFC6979 3.2g, set V = HMAC_K(V) */
-   outlen = sizeof(digest);
-   if((err = hmac_memory(hash, k, 32, v, 32, digest, &outlen)) != CRYPT_OK)                            { goto error; }
-   XMEMCPY(v, digest, 32);
+   outlen = sizeof(v);
+   if((err = hmac_memory(hash, k, klen, v, hashsize, v, &outlen)) != CRYPT_OK)                           { goto error; }
 
    /* RFC6979 3.2h, generate and check key */
    do {
       /* concatenate hash bits into T */
       buflen = 0;
       while (buflen < qlen) {
-         outlen = sizeof(digest);
-         if((err = hmac_memory(hash, k, 32, v, 32, digest, &outlen)) != CRYPT_OK)                      { goto error; }
-         XMEMCPY(v, digest, 32);
-         XMEMCPY(&buffer[buflen], v, 32);
-         buflen += 32;
+         if (buflen + hashsize >= sizeof(buffer) || buflen + hashsize < buflen) {
+            err = CRYPT_BUFFER_OVERFLOW;
+            goto error;
+         }
+         outlen = sizeof(v);
+         if((err = hmac_memory(hash, k, klen, v, hashsize, v, &outlen)) != CRYPT_OK)                     { goto error; }
+         XMEMCPY(&buffer[buflen], v, hashsize);
+         buflen += hashsize;
       }
 
       /* key->k = bits2int(T) */
-      if ((err = mp_read_unsigned_bin(key->k, (unsigned char *)buffer, qlen)) != CRYPT_OK)             { goto error; }
-
-      /* make the public key */
-      if ((err = ltc_mp.ecc_ptmul(key->k, &key->dp.base, &key->pubkey, key->dp.A, key->dp.prime, 1)) != CRYPT_OK) {
-         goto error;
+      if ((err = ltc_mp_read_unsigned_bin(r, buffer, qlen)) != CRYPT_OK)                                 { goto error; }
+      if ((qlen * 8) > order_bits) {
+         if ((err = ltc_mp_2expt(d, (qlen * 8) - order_bits)) != CRYPT_OK)                               { goto error; }
+         if ((err = ltc_mp_div(r, d, r, NULL)) != CRYPT_OK)                                              { goto error; }
+         if ((err = ltc_mp_to_unsigned_bin(r, buffer)) != CRYPT_OK)                                      { goto error; }
+         qlen = ltc_mp_unsigned_bin_size(r);
       }
 
+      if ((err = ecc_set_key(buffer, qlen, PK_PRIVATE, key))!= CRYPT_OK)                                 { goto error; }
+
       /* check that k is in range [1,q-1] */
-      if (mp_cmp_d(key->k, 0) == LTC_MP_GT && mp_cmp(key->k, key->dp.order) == LTC_MP_LT) {
-         /* TODO: Check that pubkey.x != 0 (mod p) */
+      if (ltc_mp_cmp_d(key->k, 0) == LTC_MP_GT && ltc_mp_cmp(key->k, key->dp.order) == LTC_MP_LT) {
+         /* Check that pubkey.x != 0 (mod p) */
+         if ((err = ltc_mp_mod(key->pubkey.x, key->dp.order, r)) != CRYPT_OK)                            { goto error; }
 
          /* if we have a valid key, exit loop */
-         break;
+         if (ltc_mp_iszero(r) == LTC_MP_NO)
+            break;
       } else {
          /* K = HMAC_K(V::0x00) */
-         XMEMCPY(&buffer[0], v, 32);
-         buffer[32] = 0x00;
-         buflen = 32 + 1;
-         outlen = sizeof(digest);
-         if((err = hmac_memory(hash, k, 32, buffer, buflen, digest, &outlen)) != CRYPT_OK)             { goto error; }
-         XMEMCPY(k, digest, 32);
+         buffer[0] = 0x0;
+         outlen = sizeof(k);
+         if((err = hmac_memory_multi(hash, k, klen, k, &klen, v, hashsize, buffer, 1, LTC_NULL)) != CRYPT_OK)  { goto error; }
 
          /* V = HMAC_K(V) */
-         outlen = sizeof(digest);
-         if((err = hmac_memory(hash, k, 32, v, 32, digest, &outlen)) != CRYPT_OK)                      { goto error; }
-         XMEMCPY(v, digest, 32);
+         outlen = sizeof(v);
+         if((err = hmac_memory(hash, k, klen, v, hashsize, v, &outlen)) != CRYPT_OK)                           { goto error; }
 
          /* ... and try again! */
       }
@@ -132,12 +154,9 @@ int ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, int inlen, ecc
 error:
    ecc_free(key);
 cleanup:
+   ltc_mp_cleanup_multi(&d, &r, NULL);
    return err;
 }
 
 #endif
 #endif
-/* ref:         $Format:%D$ */
-/* git commit:  $Format:%H$ */
-/* commit time: $Format:%ai$ */
-

src/pk/ecc/ecc_set_curve.c

@@ -19,6 +19,8 @@ int ecc_set_curve(const ltc_ecc_curve *cu, ecc_key *key)
       return err;
    }
 
+   key->rfc6979_hash_alg = NULL;
+
    /* A, B, order, prime, Gx, Gy */
    if ((err = ltc_mp_read_radix(key->dp.prime, cu->prime, 16)) != CRYPT_OK) { goto error; }
    if ((err = ltc_mp_read_radix(key->dp.order, cu->order, 16)) != CRYPT_OK) { goto error; }

src/pk/ecc/ecc_set_key.c

@@ -33,7 +33,7 @@ int ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key
    else if (type == PK_PUBLIC) {
       /* load public key */
       if ((err = ltc_ecc_import_point(in, inlen, prime, a, b, key->pubkey.x, key->pubkey.y)) != CRYPT_OK) { goto error; }
-      if ((err = ltc_mp_set(key->pubkey.z, 1)) != CRYPT_OK)                                                   { goto error; }
+      if ((err = ltc_mp_set(key->pubkey.z, 1)) != CRYPT_OK)                                               { goto error; }
    }
    else {
       err = CRYPT_INVALID_PACKET;
@@ -46,6 +46,7 @@ int ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key
    }
 
    key->type = type;
+   key->rfc6979_hash_alg = NULL;
    return CRYPT_OK;
 
 error:

src/pk/ecc/ecc_sign_hash.c

@@ -11,10 +11,8 @@
   @param inlen     The length of the digest
   @param out       [out] The destination for the signature
   @param outlen    [in/out] The max size and resulting size of the signature
-  @param prng      An active PRNG state, NULL for RFC6979 deterministic signatures
-  @param wprng     The index of the PRNG you wish to use, -1 for RFC6979 deterministic signatures
-  @param sigformat The format of the signature to generate (ecc_signature_type)
-  @param recid     [out] The recovery ID for this signature (optional)
+  @param prng      An active PRNG state
+  @param wprng     The index of the PRNG you wish to use
   @param key       A private ECC key
   @return CRYPT_OK if successful
 */

src/pk/ecc/ecc_sign_hash_internal.c

@@ -57,8 +57,12 @@ int ecc_sign_hash_internal(const unsigned char *in,  unsigned long inlen,
 
    /* make up a key and export the public copy */
    do {
-      if ((err = ecc_copy_curve(key, &pubkey)) != CRYPT_OK)                { goto errnokey; }
-      if ((err = ecc_generate_key(prng, wprng, &pubkey)) != CRYPT_OK)      { goto errnokey; }
+      if ((err = ecc_copy_curve(key, &pubkey)) != CRYPT_OK)                    { goto errnokey; }
+      if (key->rfc6979_hash_alg != NULL) {
+         if ((err = ecc_rfc6979_key(key, in, inlen, &pubkey)) != CRYPT_OK)     { goto errnokey; }
+      } else {
+         if ((err = ecc_generate_key(prng, wprng, &pubkey)) != CRYPT_OK)       { goto errnokey; }
+      }
 
       /* find r = x1 mod n */
       if ((err = ltc_mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK)               { goto error; }
@@ -78,7 +82,7 @@ int ecc_sign_hash_internal(const unsigned char *in,  unsigned long inlen,
       if (ltc_mp_iszero(r) == LTC_MP_YES) {
          ecc_free(&pubkey);
       } else {
-         if ((err = rand_bn_upto(b, p, prng, wprng)) != CRYPT_OK)          { goto error; } /* b = blinding value */
+         if ((err = rand_bn_upto(b, p, prng, wprng)) != CRYPT_OK)              { goto error; } /* b = blinding value */
          /* find s = (e + xr)/k */
          if ((err = ltc_mp_mulmod(pubkey.k, b, p, pubkey.k)) != CRYPT_OK)      { goto error; } /* k = kb */
          if ((err = ltc_mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK)         { goto error; } /* k = 1/kb */