5079590438

Committed 25 May 2023 12:28PM UTC coverage: 92.228% (+0.5%) from 91.723%

Build # 5079590438

Build Type

Pull #3502

github

Pull Request Pull Request #3502: Apply clang-format to the codebase

Run Details

75589 of 81959 relevant lines covered (92.23%)

12139530.51 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

88.89

/src/lib/pubkey/ecdsa/ecdsa.cpp

/*
* ECDSA implemenation
* (C) 2007 Manuel Hartl, FlexSecure GmbH
*     2007 Falko Strenzke, FlexSecure GmbH
*     2008-2010,2015,2016,2018 Jack Lloyd
*     2016 René Korthaus
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/ecdsa.h>

#include <botan/reducer.h>
#include <botan/internal/keypair.h>
#include <botan/internal/pk_ops_impl.h>
#include <botan/internal/point_mul.h>

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   #include <botan/internal/rfc6979.h>
#endif

namespace Botan {

namespace {

EC_Point recover_ecdsa_public_key(
   const EC_Group& group, const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s, uint8_t v) {
   if(group.get_cofactor() != 1)
      throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");

   if(v >= 4)
      throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");

   const BigInt& group_order = group.get_order();

   if(r <= 0 || r >= group_order || s <= 0 || s >= group_order) {
      throw Invalid_Argument("Out of range r/s cannot recover ECDSA public key");
   }

   const uint8_t y_odd = v % 2;
   const uint8_t add_order = v >> 1;
   const size_t p_bytes = group.get_p_bytes();

   try {
      const BigInt e = BigInt::from_bytes_with_max_bits(msg.data(), msg.size(), group.get_order_bits());
      const BigInt r_inv = group.inverse_mod_order(r);

      BigInt x = r + add_order * group_order;

      std::vector<uint8_t> X(p_bytes + 1);

      X[0] = 0x02 | y_odd;
      BigInt::encode_1363(&X[1], p_bytes, x);

      const EC_Point R = group.OS2ECP(X);

      if((R * group_order).is_zero() == false)
         throw Decoding_Error("Unable to recover ECDSA public key");

      // Compute r_inv * (s*R - eG)
      EC_Point_Multi_Point_Precompute RG_mul(R, group.get_base_point());
      const BigInt ne = group.mod_order(group_order - e);
      return r_inv * RG_mul.multi_exp(s, ne);
   } catch(...) {
      // continue on and throw
   }

   throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
}

}

ECDSA_PublicKey::ECDSA_PublicKey(
   const EC_Group& group, const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s, uint8_t v) :
      EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}

uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s) const {
   for(uint8_t v = 0; v != 4; ++v) {
      try {
         EC_Point R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);

         if(R == this->public_point()) {
            return v;
         }
      } catch(Decoding_Error&) {
         // try the next v
      }
   }

   throw Internal_Error("Could not determine ECDSA recovery parameter");
}

std::unique_ptr<Public_Key> ECDSA_PrivateKey::public_key() const {
   return std::make_unique<ECDSA_PublicKey>(domain(), public_point());
}

bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   if(!public_point().on_the_curve())
      return false;

   if(!strong)
      return true;

   return KeyPair::signature_consistency_check(rng, *this, "SHA-256");
}

namespace {

/**
* ECDSA signature operation
*/
class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {
   public:
      ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, std::string_view padding, RandomNumberGenerator& rng) :
            PK_Ops::Signature_with_Hash(padding), m_group(ecdsa.domain()), m_x(ecdsa.private_value()) {
#if defined(BOTAN_HAS_RFC6979_GENERATOR)
         m_rfc6979 = std::make_unique<RFC6979_Nonce_Generator>(this->rfc6979_hash_function(), m_group.get_order(), m_x);
#endif

         m_b = m_group.random_scalar(rng);
         m_b_inv = m_group.inverse_mod_order(m_b);
      }

      size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }

      secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, RandomNumberGenerator& rng) override;

      AlgorithmIdentifier algorithm_identifier() const override;

   private:
      const EC_Group m_group;
      const BigInt& m_x;

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
      std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
#endif

      std::vector<BigInt> m_ws;

      BigInt m_b, m_b_inv;
};

AlgorithmIdentifier ECDSA_Signature_Operation::algorithm_identifier() const {
   const std::string full_name = "ECDSA/" + hash_function();
   const OID oid = OID::from_string(full_name);
   return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);
}

secure_vector<uint8_t> ECDSA_Signature_Operation::raw_sign(const uint8_t msg[],
                                                           size_t msg_len,
                                                           RandomNumberGenerator& rng) {
   BigInt m = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits());

#if defined(BOTAN_HAS_RFC6979_GENERATOR)
   const BigInt k = m_rfc6979->nonce_for(m);
#else
   const BigInt k = m_group.random_scalar(rng);
#endif

   const BigInt r = m_group.mod_order(m_group.blinded_base_point_multiply_x(k, rng, m_ws));

   const BigInt k_inv = m_group.inverse_mod_order(k);

   /*
   * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
   */
   m_b = m_group.square_mod_order(m_b);
   m_b_inv = m_group.square_mod_order(m_b_inv);

   m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
   const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);

   const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);

   // With overwhelming probability, a bug rather than actual zero r/s
   if(r.is_zero() || s.is_zero())
      throw Internal_Error("During ECDSA signature generated zero r/s");

   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
}

/**
* ECDSA verification operation
*/
class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {
   public:
      ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, std::string_view padding) :
            PK_Ops::Verification_with_Hash(padding),
            m_group(ecdsa.domain()),
            m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) {}

      ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, const AlgorithmIdentifier& alg_id) :
            PK_Ops::Verification_with_Hash(alg_id, "ECDSA", true),
            m_group(ecdsa.domain()),
            m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) {}

      bool verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) override;

   private:
      const EC_Group m_group;
      const EC_Point_Multi_Point_Precompute m_gy_mul;
};

bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) {
   if(sig_len != m_group.get_order_bytes() * 2)
      return false;

   const BigInt e = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits());

   const BigInt r(sig, sig_len / 2);
   const BigInt s(sig + sig_len / 2, sig_len / 2);

   // Cannot be negative here since we just decoded from binary
   if(r.is_zero() || s.is_zero())
      return false;

   if(r >= m_group.get_order() || s >= m_group.get_order())
      return false;

   const BigInt w = m_group.inverse_mod_order(s);

   const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
   const BigInt u2 = m_group.multiply_mod_order(r, w);
   const EC_Point R = m_gy_mul.multi_exp(u1, u2);

   if(R.is_zero())
      return false;

   const BigInt v = m_group.mod_order(R.get_affine_x());
   return (v == r);
}

}

std::unique_ptr<PK_Ops::Verification> ECDSA_PublicKey::create_verification_op(std::string_view params,
                                                                              std::string_view provider) const {
   if(provider == "base" || provider.empty())
      return std::make_unique<ECDSA_Verification_Operation>(*this, params);

   throw Provider_Not_Found(algo_name(), provider);
}

std::unique_ptr<PK_Ops::Verification> ECDSA_PublicKey::create_x509_verification_op(
   const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
   if(provider == "base" || provider.empty())
      return std::make_unique<ECDSA_Verification_Operation>(*this, signature_algorithm);

   throw Provider_Not_Found(algo_name(), provider);
}

std::unique_ptr<PK_Ops::Signature> ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
                                                                         std::string_view params,
                                                                         std::string_view provider) const {
   if(provider == "base" || provider.empty())
      return std::make_unique<ECDSA_Signature_Operation>(*this, params, rng);

   throw Provider_Not_Found(algo_name(), provider);
}

}

1	/*
2	* ECDSA implemenation
3	* (C) 2007 Manuel Hartl, FlexSecure GmbH
4	* 2007 Falko Strenzke, FlexSecure GmbH
5	* 2008-2010,2015,2016,2018 Jack Lloyd
6	* 2016 René Korthaus
7	*
8	* Botan is released under the Simplified BSD License (see license.txt)
9	*/
10
11	#include <botan/ecdsa.h>
12
13	#include <botan/reducer.h>
14	#include <botan/internal/keypair.h>
15	#include <botan/internal/pk_ops_impl.h>
16	#include <botan/internal/point_mul.h>
17
18	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19	#include <botan/internal/rfc6979.h>
20	#endif
21
22	namespace Botan {
23
24	namespace {
25
26	EC_Point recover_ecdsa_public_key(	20✔
27	const EC_Group& group, const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s, uint8_t v) {
28	if(group.get_cofactor() != 1)	20✔
29	throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");	×
30
31	if(v >= 4)	20✔
32	throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");	×
33
34	const BigInt& group_order = group.get_order();	20✔
35
36	if(r <= 0 \|\| r >= group_order \|\| s <= 0 \|\| s >= group_order) {	80✔
37	throw Invalid_Argument("Out of range r/s cannot recover ECDSA public key");	×
38	}
39
40	const uint8_t y_odd = v % 2;	20✔
41	const uint8_t add_order = v >> 1;	20✔
42	const size_t p_bytes = group.get_p_bytes();	20✔
43
44	try {	20✔
45	const BigInt e = BigInt::from_bytes_with_max_bits(msg.data(), msg.size(), group.get_order_bits());	20✔
46	const BigInt r_inv = group.inverse_mod_order(r);	20✔
47
48	BigInt x = r + add_order * group_order;	20✔
49
50	std::vector<uint8_t> X(p_bytes + 1);	20✔
51
52	X[0] = 0x02 \| y_odd;	20✔
53	BigInt::encode_1363(&X[1], p_bytes, x);	20✔
54
55	const EC_Point R = group.OS2ECP(X);	20✔
56
57	if((R * group_order).is_zero() == false)	20✔
58	throw Decoding_Error("Unable to recover ECDSA public key");	×
59
60	// Compute r_inv * (s*R - eG)
61	EC_Point_Multi_Point_Precompute RG_mul(R, group.get_base_point());	20✔
62	const BigInt ne = group.mod_order(group_order - e);	20✔
63	return r_inv * RG_mul.multi_exp(s, ne);	20✔
64	} catch(...) {	140✔
65	// continue on and throw
66	}	×
67
68	throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");	×
69	}
70
71	}
72
73	ECDSA_PublicKey::ECDSA_PublicKey(	8✔
74	const EC_Group& group, const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s, uint8_t v) :	8✔
75	EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}	8✔
76
77	uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg, const BigInt& r, const BigInt& s) const {	8✔
78	for(uint8_t v = 0; v != 4; ++v) {	12✔
79	try {	12✔
80	EC_Point R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);	12✔
81
82	if(R == this->public_point()) {	12✔
83	return v;	8✔
84	}
85	} catch(Decoding_Error&) {	12✔
86	// try the next v
87	}	×
88	}
89
90	throw Internal_Error("Could not determine ECDSA recovery parameter");	×
91	}
92
93	std::unique_ptr<Public_Key> ECDSA_PrivateKey::public_key() const {	193✔
94	return std::make_unique<ECDSA_PublicKey>(domain(), public_point());	193✔
95	}
96
97	bool ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {	8✔
98	if(!public_point().on_the_curve())	8✔
99	return false;
100
101	if(!strong)	8✔
102	return true;
103
104	return KeyPair::signature_consistency_check(rng, *this, "SHA-256");	7✔
105	}
106
107	namespace {
108
109	/**
110	* ECDSA signature operation
111	*/
112	class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_Hash {	×
113	public:
114	ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa, std::string_view padding, RandomNumberGenerator& rng) :	393✔
115	PK_Ops::Signature_with_Hash(padding), m_group(ecdsa.domain()), m_x(ecdsa.private_value()) {	393✔
116	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
117	m_rfc6979 = std::make_unique<RFC6979_Nonce_Generator>(this->rfc6979_hash_function(), m_group.get_order(), m_x);	393✔
118	#endif
119
120	m_b = m_group.random_scalar(rng);	786✔
121	m_b_inv = m_group.inverse_mod_order(m_b);	786✔
122	}	393✔
123
124	size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }	108✔
125
126	secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len, RandomNumberGenerator& rng) override;
127
128	AlgorithmIdentifier algorithm_identifier() const override;
129
130	private:
131	const EC_Group m_group;
132	const BigInt& m_x;
133
134	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
135	std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
136	#endif
137
138	std::vector<BigInt> m_ws;
139
140	BigInt m_b, m_b_inv;
141	};
142
143	AlgorithmIdentifier ECDSA_Signature_Operation::algorithm_identifier() const {	62✔
144	const std::string full_name = "ECDSA/" + hash_function();	62✔
145	const OID oid = OID::from_string(full_name);	62✔
146	return AlgorithmIdentifier(oid, AlgorithmIdentifier::USE_EMPTY_PARAM);	62✔
147	}	62✔
148
149	secure_vector<uint8_t> ECDSA_Signature_Operation::raw_sign(const uint8_t msg[],	403✔
150	size_t msg_len,
151	RandomNumberGenerator& rng) {
152	BigInt m = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits());	403✔
153
154	#if defined(BOTAN_HAS_RFC6979_GENERATOR)
155	const BigInt k = m_rfc6979->nonce_for(m);	403✔
156	#else
157	const BigInt k = m_group.random_scalar(rng);
158	#endif
159
160	const BigInt r = m_group.mod_order(m_group.blinded_base_point_multiply_x(k, rng, m_ws));	403✔
161
162	const BigInt k_inv = m_group.inverse_mod_order(k);	403✔
163
164	/*
165	* Blind the input message and compute xr+m as (xrb + mb)/b
166	*/
167	m_b = m_group.square_mod_order(m_b);	403✔
168	m_b_inv = m_group.square_mod_order(m_b_inv);	403✔
169
170	m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));	806✔
171	const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);	806✔
172
173	const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);	403✔
174
175	// With overwhelming probability, a bug rather than actual zero r/s
176	if(r.is_zero() \|\| s.is_zero())	806✔
177	throw Internal_Error("During ECDSA signature generated zero r/s");	×
178
179	return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());	403✔
180	}	2,418✔
181
182	/**
183	* ECDSA verification operation
184	*/
185	class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_Hash {	×
186	public:
187	ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, std::string_view padding) :	12,414✔
188	PK_Ops::Verification_with_Hash(padding),
189	m_group(ecdsa.domain()),	16,328✔
190	m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) {}	12,414✔
191
192	ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, const AlgorithmIdentifier& alg_id) :	1,657✔
193	PK_Ops::Verification_with_Hash(alg_id, "ECDSA", true),
194	m_group(ecdsa.domain()),	3,292✔
195	m_gy_mul(m_group.get_base_point(), ecdsa.public_point()) {}	1,657✔
196
197	bool verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) override;
198
199	private:
200	const EC_Group m_group;
201	const EC_Point_Multi_Point_Precompute m_gy_mul;
202	};
203
204	bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len, const uint8_t sig[], size_t sig_len) {	16,121✔
205	if(sig_len != m_group.get_order_bytes() * 2)	16,121✔
206	return false;
207
208	const BigInt e = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits());	13,123✔
209
210	const BigInt r(sig, sig_len / 2);	13,123✔
211	const BigInt s(sig + sig_len / 2, sig_len / 2);	13,123✔
212
213	// Cannot be negative here since we just decoded from binary
214	if(r.is_zero() \|\| s.is_zero())	38,924✔
215	return false;	590✔
216
217	if(r >= m_group.get_order() \|\| s >= m_group.get_order())	12,533✔
218	return false;	678✔
219
220	const BigInt w = m_group.inverse_mod_order(s);	11,855✔
221
222	const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);	11,855✔
223	const BigInt u2 = m_group.multiply_mod_order(r, w);	11,855✔
224	const EC_Point R = m_gy_mul.multi_exp(u1, u2);	11,855✔
225
226	if(R.is_zero())	23,596✔
227	return false;
228
229	const BigInt v = m_group.mod_order(R.get_affine_x());	11,744✔
230	return (v == r);	11,744✔
231	}	91,055✔
232
233	}
234
235	std::unique_ptr<PK_Ops::Verification> ECDSA_PublicKey::create_verification_op(std::string_view params,	48,927✔
236	std::string_view provider) const {
237	if(provider == "base" \|\| provider.empty())	61,105✔
238	return std::make_unique<ECDSA_Verification_Operation>(*this, params);	12,414✔
239
240	throw Provider_Not_Found(algo_name(), provider);	73,026✔
241	}
242
243	std::unique_ptr<PK_Ops::Verification> ECDSA_PublicKey::create_x509_verification_op(	1,657✔
244	const AlgorithmIdentifier& signature_algorithm, std::string_view provider) const {
245	if(provider == "base" \|\| provider.empty())	1,657✔
246	return std::make_unique<ECDSA_Verification_Operation>(*this, signature_algorithm);	1,657✔
247
248	throw Provider_Not_Found(algo_name(), provider);	×
249	}
250
251	std::unique_ptr<PK_Ops::Signature> ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,	705✔
252	std::string_view params,
253	std::string_view provider) const {
254	if(provider == "base" \|\| provider.empty())	811✔
255	return std::make_unique<ECDSA_Signature_Operation>(*this, params, rng);	393✔
256
257	throw Provider_Not_Found(algo_name(), provider);	624✔
258	}
259
260	}

randombit / botan / 5079590438

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous