From f2c75a9e87efb55629607ba71d0ccb39aa560422 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 5 Sep 2013 12:14:30 -0700 Subject: [PATCH] ECDSA signatures need a zero padding for the ASN.1 storage of the R and S values --- ctaocrypt/src/asn.c | 13 ++++++++++--- ctaocrypt/src/integer.c | 22 ++++++++++++++++++++++ ctaocrypt/src/tfm.c | 25 +++++++++++++++++++++++++ cyassl/ctaocrypt/integer.h | 1 + cyassl/ctaocrypt/tfm.h | 2 ++ src/internal.c | 2 +- 6 files changed, 61 insertions(+), 4 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 6477c084a..f228f9f0c 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4390,6 +4390,9 @@ int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s) word32 sSz; word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ + /* If the leading bit on the INTEGER is a 1, add a leading zero */ + int rLeadingZero = mp_leading_bit(r); + int sLeadingZero = mp_leading_bit(s); int rLen = mp_unsigned_bin_size(r); /* big int size */ int sLen = mp_unsigned_bin_size(s); int err; @@ -4397,20 +4400,24 @@ int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s) if (*outLen < (rLen + sLen + headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */ return BAD_FUNC_ARG; - idx = SetSequence(rLen + sLen + headerSz, out); + idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out); /* store r */ out[idx++] = ASN_INTEGER; - rSz = SetLength(rLen, &out[idx]); + rSz = SetLength(rLen + rLeadingZero, &out[idx]); idx += rSz; + if (rLeadingZero) + out[idx++] = 0; err = mp_to_unsigned_bin(r, &out[idx]); if (err != MP_OKAY) return err; idx += rLen; /* store s */ out[idx++] = ASN_INTEGER; - sSz = SetLength(sLen, &out[idx]); + sSz = SetLength(sLen + sLeadingZero, &out[idx]); idx += sSz; + if (sLeadingZero) + out[idx++] = 0; err = mp_to_unsigned_bin(s, &out[idx]); if (err != MP_OKAY) return err; idx += sLen; diff --git a/ctaocrypt/src/integer.c b/ctaocrypt/src/integer.c index 5c3315498..2d79da593 100644 --- a/ctaocrypt/src/integer.c +++ b/ctaocrypt/src/integer.c @@ -179,6 +179,28 @@ mp_count_bits (mp_int * a) } +int mp_leading_bit (mp_int * a) +{ + int bit = 0; + mp_int t; + + if (mp_init_copy(&t, a) != MP_OKAY) + return 0; + + while (mp_iszero(&t) == 0) { +#ifndef MP_8BIT + bit = (t.dp[0] & 0x80) != 0; +#else + bit = (t.dp[0] | ((t.dp[1] & 0x01) << 7)) & 0x80 != 0; +#endif + if (mp_div_2d (&t, 8, &t, NULL) != MP_OKAY) + break; + } + mp_clear(&t); + return bit; +} + + /* store in unsigned [big endian] format */ int mp_to_unsigned_bin (mp_int * a, unsigned char *b) { diff --git a/ctaocrypt/src/tfm.c b/ctaocrypt/src/tfm.c index 706e1e653..9f71484d6 100644 --- a/ctaocrypt/src/tfm.c +++ b/ctaocrypt/src/tfm.c @@ -1706,6 +1706,25 @@ int fp_count_bits (fp_int * a) return r; } +int fp_leading_bit(fp_int *a) +{ + int bit = 0; + + if (a->used != 0) { + fp_digit q = a->dp[a->used - 1]; + int qSz = sizeof(fp_digit); + + while (qSz > 0) { + if ((unsigned char)q != 0) + bit = (q & 0x80) != 0; + q >>= 8; + qSz--; + } + } + + return bit; +} + void fp_lshd(fp_int *a, int x) { int y; @@ -1968,6 +1987,12 @@ int mp_count_bits (mp_int* a) } +int mp_leading_bit (mp_int* a) +{ + return fp_leading_bit(a); +} + + /* fast math conversion */ void mp_rshb (mp_int* a, int x) { diff --git a/cyassl/ctaocrypt/integer.h b/cyassl/ctaocrypt/integer.h index 8383fa602..2c4d80a7f 100644 --- a/cyassl/ctaocrypt/integer.h +++ b/cyassl/ctaocrypt/integer.h @@ -225,6 +225,7 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y); /* functions added to support above needed, removed TOOM and KARATSUBA */ int mp_count_bits (mp_int * a); +int mp_leading_bit (mp_int * a); int mp_init_copy (mp_int * a, mp_int * b); int mp_copy (mp_int * a, mp_int * b); int mp_grow (mp_int * a, int size); diff --git a/cyassl/ctaocrypt/tfm.h b/cyassl/ctaocrypt/tfm.h index 636507eb4..2495f67ab 100644 --- a/cyassl/ctaocrypt/tfm.h +++ b/cyassl/ctaocrypt/tfm.h @@ -490,6 +490,7 @@ int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d); /* radix conersions */ int fp_count_bits(fp_int *a); +int fp_leading_bit(fp_int *a); int fp_unsigned_bin_size(fp_int *a); void fp_read_unsigned_bin(fp_int *a, unsigned char *b, int c); @@ -655,6 +656,7 @@ int mp_copy(fp_int* a, fp_int* b); int mp_isodd(mp_int* a); int mp_iszero(mp_int* a); int mp_count_bits(mp_int *a); +int mp_leading_bit(mp_int *a); int mp_set_int(fp_int *a, fp_digit b); void mp_rshb(mp_int *a, int x); diff --git a/src/internal.c b/src/internal.c index 60b8eca50..4bc3ae8fb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8433,7 +8433,7 @@ static void PickHashSigAlgo(CYASSL* ssl, ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i, &dsaKey, ssl->buffers.key.length); if (ret != 0) return ret; - sigSz = ecc_sig_size(&dsaKey) + 2; /* worst case estimate */ + sigSz = ecc_sig_size(&dsaKey) + 4; /* worst case estimate */ } else { #ifndef NO_RSA