From 55f5988781d3a1ba2d00a5c19e1527a1640a0e4d Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Tue, 14 May 2019 13:54:56 -0400
Subject: [PATCH] tpm2: Switch ECDSA signature creation to OpenSSL
Use OpenSSL crypto library now also for the ECDSA signature creation.
Signed-off-by: Stefan Berger
---
 configure.ac | 1 +
 src/tpm2/crypto/openssl/CryptEccSignature.c | 51 +++++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/configure.ac b/configure.ac
index 84772066..ae95200d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -171,6 +171,7 @@ AS_IF([test "x$enable_use_openssl_functions" != "xno"], [
 AC_CHECK_LIB([crypto], [ECDSA_SIG_new],, not_found=1)
 AC_CHECK_LIB([crypto], [ECDSA_SIG_set0],, not_found=1)
 AC_CHECK_LIB([crypto], [ECDSA_do_verify],, not_found=1)
+ AC_CHECK_LIB([crypto], [ECDSA_do_sign],, not_found=1)
 AC_CHECK_LIB([crypto], [EC_KEY_set_group],, not_found=1)
 if test "x$not_found" = "x0"; then
 use_openssl_functions_ecdsa=1
diff --git a/src/tpm2/crypto/openssl/CryptEccSignature.c b/src/tpm2/crypto/openssl/CryptEccSignature.c
index d1c6d47d..1ac6c546 100644
--- a/src/tpm2/crypto/openssl/CryptEccSignature.c
+++ b/src/tpm2/crypto/openssl/CryptEccSignature.c
@@ -69,6 +69,7 @@
 /* 10.2.12.2.1 EcdsaDigest() */
 /* Function to adjust the digest so that it is no larger than the order of the curve. This is used for ECDSA sign and verification. */
+#if !USE_OPENSSL_FUNCTIONS_ECDSA // libtpms added
 static bigNum
 EcdsaDigest(
 bigNum bnD, // OUT: the adjusted digest
@@ -92,6 +93,7 @@ EcdsaDigest(
 }
 return bnD;
 }
+#endif // libtpms added
 /* 10.2.12.2.2 BnSchnorrSign() */
 /* This contains the Schnorr signature computation. It is used by both ECDSA and Schnorr signing. The result is computed as: [s = k + r * d (mod n)] where */
@@ -132,6 +134,7 @@ BnSchnorrSign(
 /* 10.2.12.3.1 BnSignEcdsa() */
 /* This function implements the ECDSA signing algorithm. The method is described in the comments below. This version works with internal numbers. */
+#if !USE_OPENSSL_FUNCTIONS_ECDSA // libtpms added
 TPM_RC
 BnSignEcdsa(
 bigNum bnR, // OUT: r component of the signature
@@ -204,6 +207,54 @@ BnSignEcdsa(
 Exit:
 return retVal;
 }
+#else // !USE_OPENSSL_FUNCTIONS_ECDSA libtpms added begin
+TPM_RC
+BnSignEcdsa(
+ bigNum bnR, // OUT: r component of the signature
+ bigNum bnS, // OUT: s component of the signature
+ bigCurve E, // IN: the curve used in the signature
+ // process
+ bigNum bnD, // IN: private signing key
+ const TPM2B_DIGEST *digest, // IN: the digest to sign
+ RAND_STATE *rand // IN: used in debug of signing
+ )
+{
+ ECDSA_SIG *sig = NULL;
+ EC_KEY *eckey;
+ int retVal;
+ const BIGNUM *r;
+ const BIGNUM *s;
+ BIGNUM *d = BigInitialized(bnD);
+ eckey = EC_KEY_new();
+ if (d == NULL || eckey == NULL)
+ ERROR_RETURN(TPM_RC_FAILURE);
+ if (EC_KEY_set_group(eckey, E->G) != 1)
+ ERROR_RETURN(TPM_RC_FAILURE);
+ if (EC_KEY_set_private_key(eckey, d) != 1)
+ ERROR_RETURN(TPM_RC_FAILURE);
+ sig = ECDSA_do_sign(digest->b.buffer, digest->b.size, eckey);
+ if (sig == NULL)
+ ERROR_RETURN(TPM_RC_FAILURE);
+ ECDSA_SIG_get0(sig, &r, &s);
+ OsslToTpmBn(bnR, r);
+ OsslToTpmBn(bnS, s);
+ retVal = TPM_RC_SUCCESS;
+ Exit:
+ BN_clear_free(d);
+ EC_KEY_free(eckey);
+ ECDSA_SIG_free(sig);
+ return retVal;
+}
+#endif // USE_OPENSSL_FUNCTIONS_ECDSA libtpms added end
 #if ALG_ECDAA
 /* 10.2.12.3.2 BnSignEcdaa() */
 /* This function performs s = r + T * d mod q where */
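Review bot: The `rand` parameter is never read in the OpenSSL-backed BnSignEcdsa body in the last hunk: ECDSA_do_sign() draws the per-signature nonce k from OpenSSL's own RNG, so a RAND_STATE a caller passes in (the signature comment says it is used when debugging signing) has no effect on the result, and the parameter will also trip -Wunused-parameter. That should be stated in the function rather than left implicit, e.g. `(void)rand; // nonce k is generated by OpenSSL's RNG, not from the TPM RAND_STATE` at the top of the body, so nobody expects seeded/reproducible signatures through this path and the dependence of a private-key-critical nonce on OpenSSL's RNG being seeded is visible to the reader. The EcdsaDigest() step that the non-OpenSSL path applies is, as far as I can tell, covered by ECDSA_do_sign() truncating the digest to the order's bit length internally; a one-line comment at the ECDSA_do_sign() call naming that dependency would save the next reader the lookup. The cleanup path looks right provided ERROR_RETURN sets retVal before jumping to Exit (the macro is not visible in this patch), and BN_clear_free(d) correctly zeroizes the private scalar copy.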