Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ecc.c and test.c changes to add support in ecc_sign_determinsitic.c #7700

Merged
merged 8 commits into from
Jul 16, 2024
Merged

ecc.c and test.c changes to add support in ecc_sign_determinsitic.c #7700

merged 8 commits into from
Jul 16, 2024

Conversation

aidangarske
Copy link

@aidangarske aidangarske commented Jul 1, 2024
edited by dgarske
Loading

Description

Added support for ECDSA deterministric K signing for all curves with SHA256, SHA384, and SHA512.

The tests for ecc_test_deterministic_k, ecc384_test_deterministic_k, and ecc521_test_deterministic_k were not run because FIPS_VERSION_GE was always defined.

Added wc_ecc_set_deterministic_ex to support custom hash type for deterministic sign or verify. By default it will detect hash type based on input hash size.

Feature request for ZD 14235

Testing

./configure CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_ECDSA_DETERMINISTIC_K" --enable-debug && make
./wolfcrypt/test/testwolfcrypt

ecc.c and test.c changes to add support in ecc_sign_determinsitic.c f…
b5b0e17 
…or SHA256, SHA384, and SHA512 for SECP256R1, SECP384R1, SECP521R1.
@aidangarske aidangarske self-assigned this Jul 1, 2024
dgarske
dgarske requested changes Jul 1, 2024
View reviewed changes
wolfcrypt/test/test.c Outdated Show resolved Hide resolved
@dgarske dgarske self-requested a review July 1, 2024 16:51
dgarske
dgarske previously approved these changes Jul 1, 2024
View reviewed changes
@dgarske dgarske requested a review from SparkiDev July 1, 2024 19:05
SparkiDev
SparkiDev requested changes Jul 1, 2024
View reviewed changes
Copy link
Contributor

@SparkiDev SparkiDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need a new ECDSA signing API that will take the hash algorithm.
The original will call the new with WC_HASH_TYPE_NONE.
The new will pass the hash algorithm in.
The code to guess the hash algorithm is fine.

@dgarske
Copy link
Contributor

dgarske commented Jul 3, 2024

@SparkiDev ,

I would prefer not to add sign/verify variants. What about just extending the set_derministic API to accept a hash type?

Suggested patch:

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index e0ce9ec20..b4e891334 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -6847,7 +6847,7 @@ static int deterministic_sign_helper(const byte* in, word32 inlen, ecc_key* key)
         }
         if (key->sign_k != NULL) {
             if (wc_ecc_gen_deterministic_k(in, inlen,
-                        WC_HASH_TYPE_NONE, ecc_get_k(key), key->sign_k,
+                        key->hashType, ecc_get_k(key), key->sign_k,
                         curve->order, key->heap) != 0) {
                 mp_free(key->sign_k);
                 XFREE(key->sign_k, key->heap, DYNAMIC_TYPE_ECC);
@@ -6865,7 +6865,7 @@ static int deterministic_sign_helper(const byte* in, word32 inlen, ecc_key* key)
         }
     #else
         key->sign_k_set = 0;
-        if (wc_ecc_gen_deterministic_k(in, inlen, WC_HASH_TYPE_NONE,
+        if (wc_ecc_gen_deterministic_k(in, inlen, key->hashType,
                 ecc_get_k(key), key->sign_k, curve->order, key->heap) != 0) {
             err = ECC_PRIV_KEY_E;
         }
@@ -7561,6 +7561,14 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
         }
     }
 
+    /* For deterministic k only SHA2-256, SHA2-384 and SHA2-512 are supported */
+    if ( hashType != WC_HASH_TYPE_SHA256 &&
+         hashType != WC_HASH_TYPE_SHA384 &&
+         hashType != WC_HASH_TYPE_SHA512) {
+        WOLFSSL_MSG("Invalid deterministic hash type");
+        return BAD_FUNC_ARG;
+    }
+
     if (mp_unsigned_bin_size(priv) > MAX_ECC_BYTES) {
         WOLFSSL_MSG("private key larger than max expected!");
         return BAD_FUNC_ARG;
@@ -7775,15 +7783,22 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
 /* Sets the deterministic flag for 'k' generation with sign.
  * returns 0 on success
  */
-int wc_ecc_set_deterministic(ecc_key* key, byte flag)
+int wc_ecc_set_deterministic_ex(ecc_key* key, byte flag, int hashType)
 {
     if (key == NULL) {
         return BAD_FUNC_ARG;
     }
 
     key->deterministic = flag ? 1 : 0;
+    key->hashType = hashType;
     return 0;
 }
+
+int wc_ecc_set_deterministic(ecc_key* key, byte flag)
+{
+    return wc_ecc_set_deterministic_ex(key, flag, WC_HASH_TYPE_NONE);
+}
+
 #endif /* end sign_ex and deterministic sign */
 
 
diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h
index 4a198a6b0..aa23e2530 100644
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@@ -595,6 +595,7 @@ struct ecc_key {
 #if defined(WOLFSSL_ECDSA_DETERMINISTIC_K) || \
     defined(WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT)
     byte deterministic:1;
+    int hashType;
 #endif
 
 #if defined(WOLFSSL_SMALL_STACK_CACHE) && !defined(WOLFSSL_ECC_NO_SMALL_STACK)
@@ -719,6 +720,8 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
 WOLFSSL_API
 int wc_ecc_set_deterministic(ecc_key* key, byte flag);
 WOLFSSL_API
+int wc_ecc_set_deterministic_ex(ecc_key* key, byte flag, int hashType);
+WOLFSSL_API
 int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
         enum wc_HashType hashType, mp_int* priv, mp_int* k, mp_int* order,
         void* heap);

@dgarske dgarske requested a review from SparkiDev July 3, 2024 20:44
@SparkiDev
Copy link
Contributor

I'm happy with that change.
It makes sense to only set the hash when doing deterministic k.

dgarske
dgarske reviewed Jul 4, 2024
View reviewed changes
wolfcrypt/src/ecc.c Outdated
}
}

/* For deterministic k only SHA2-256, SHA2-384 and SHA2-512 are supported */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SparkiDev do we need this restriction? Seems like any supported HMAC algo would be fine. As long as we properly fail later if the hash type is unsupported or invalid. Thoughts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep. We can remove this now.

@dgarske dgarske assigned wolfSSL-Bot and unassigned dgarske and aidangarske Jul 4, 2024
SparkiDev
SparkiDev requested changes Jul 15, 2024
View reviewed changes
wolfcrypt/src/ecc.c Outdated Show resolved Hide resolved
wolfcrypt/src/ecc.c Outdated Show resolved Hide resolved
wolfcrypt/src/ecc.c Outdated Show resolved Hide resolved
wolfcrypt/src/ecc.c Outdated Show resolved Hide resolved
@SparkiDev SparkiDev assigned aidangarske and unassigned SparkiDev Jul 15, 2024
@dgarske dgarske requested a review from SparkiDev July 16, 2024 18:17
SparkiDev
SparkiDev requested changes Jul 16, 2024
View reviewed changes
wolfcrypt/src/ecc.c Outdated Show resolved Hide resolved
@SparkiDev SparkiDev removed their assignment Jul 16, 2024
@SparkiDev
Copy link
Contributor

retest this please

@SparkiDev SparkiDev merged commit 0f3ebed into wolfSSL:master Jul 16, 2024
119 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dgarske dgarske dgarske left review comments

@SparkiDev SparkiDev SparkiDev approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

@aidangarske aidangarske

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aidangarske @dgarske @SparkiDev @wolfSSL-Bot