Add ECDSA with curve P-256

for TLS testing

Author: guanzhi

CMakeLists.txt

@@ -54,6 +54,8 @@ option(ENABLE_SM4_CBC_MAC "Enable SM4-CBC-MAC" ON)
 
 option(ENABLE_SM2_EXTS "Enable SM2 Extensions" OFF)
 
+option(ENABLE_SECP256R1 "Enable ECDH/ECDSA on curve secp256r1" ON)
+
 option(ENABLE_LMS "Enable LMS/HSS signature" ON)
 option(ENABLE_XMSS "Enable XMSS/XMSS^MT signature" ON)
 option(ENABLE_SPHINCS "Enable SPHINCS+ signature" ON)
@@ -108,6 +110,7 @@ set(src
 	src/sm4_cbc_sm3_hmac.c
 	src/sm4_ctr_sm3_hmac.c
 	src/pkcs8.c
+	src/bn.c
 	src/ec.c
 	src/rsa.c
 	src/asn1.c
@@ -128,6 +131,7 @@ set(src
 	src/tls_trace.c
 	src/tlcp.c
 	src/tls12.c
+	src/tls12_handshake.c
 	src/tls13.c
 	src/file.c
 	src/file.c
@@ -203,6 +207,7 @@ set(tests
 	gf128
 	ghash
 	pkcs8
+	bn
 	ec
 	asn1
 	hex
@@ -419,6 +424,14 @@ if (ENABLE_SM2_EXTS)
 endif()
 
 
+if (ENABLE_SECP256R1)
+	message(STATUS "ENABLE_SECP256R1 is ON")
+	add_definitions(-DENABLE_SECP256R1)
+	list(APPEND src src/secp256r1.c src/secp256r1_key.c src/ecdsa.c)
+	list(APPEND tests secp256r1 secp256r1_key ecdsa)
+endif()
+
+
 if (ENABLE_LMS)
 	message(STATUS "ENABLE_LMS is ON")
 	add_definitions(-DENABLE_LMS)

include/gmssl/bn.h

@@ -0,0 +1,86 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+
+#ifndef GMSSL_BN_H
+#define GMSSL_BN_H
+
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+void bn_set_word(uint32_t *r, uint32_t a, size_t k);
+void bn_copy(uint32_t *r, const uint32_t *a, size_t k);
+int  bn_cmp(const uint32_t *a, const uint32_t *b, size_t k);
+int  bn_is_zero(const uint32_t *a, size_t k);
+int  bn_is_one(const uint32_t *a, size_t k);
+int  bn_add(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t k);
+int  bn_sub(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t k);
+void bn_mul(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t k);
+void bn_mul_lo(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t k);
+void bn_to_bytes(const uint32_t *a, size_t k, uint8_t *out);
+void bn_from_bytes(uint32_t *a, size_t k, const uint8_t *in);
+int  bn_print(FILE *fp, int fmt, int ind, const char *label, const uint32_t *a, size_t k);
+
+void bn_mod_add(uint32_t *r, const uint32_t *a, const uint32_t *b, const uint32_t *p, size_t k);
+void bn_mod_sub(uint32_t *r, const uint32_t *a, const uint32_t *b, const uint32_t *p, size_t k);
+void bn_mod_neg(uint32_t *r, const uint32_t *a, const uint32_t *p, size_t k);
+
+// multiplication with barrett reduction, need caller prepare temp values
+// u = floor(2^512 / p) for bn256
+void bn_barrett_mod_mul(uint32_t *r, const uint32_t *a, const uint32_t *b, const uint32_t *p,
+	const uint32_t *u, // uint32_t u[k + 1]
+	uint32_t *tmp, // uint32_t tmp[6*k + 4]
+	size_t k);
+void bn_barrett_mod_sqr(uint32_t *r, const uint32_t *a, const uint32_t *p,
+	const uint32_t *u, // uint32_t u[k + 1]
+	uint32_t *tmp, // uint32_t tmp[6*k + 4]
+	size_t k);
+void bn_barrett_mod_exp(uint32_t *r, const uint32_t *a, const uint32_t *e, const uint32_t *p,
+	const uint32_t *u, // uint32_t u[k + 1]
+	uint32_t *tmp, // uint32_t tmp[7*k + 4]
+	size_t k);
+void bn_barrett_mod_inv(uint32_t *r, const uint32_t *a, const uint32_t *p,
+	const uint32_t *u, // uint32_t u[k + 1]
+	uint32_t *tmp, // uint32_t tmp[8*k + 4]
+	size_t k);
+
+// montgomery multiplication, all values in montgomery format, need caller prepare temp values
+void bn_mont_mod_mul(uint32_t *r, const uint32_t *a, const uint32_t *b, const uint32_t *p, const uint32_t *p_inv_neg,
+	uint32_t *tmp, // uint32_t tmp[5 * k]
+	size_t k);
+void bn_mont_mod_sqr(uint32_t *r, const uint32_t *a, const uint32_t *p, const uint32_t *p_inv_neg,
+	uint32_t *tmp, // uint32_t tmp[5 * k]
+	size_t k);
+void bn_mont_mod_exp(uint32_t *r, const uint32_t *a, const uint32_t *e, const uint32_t *p, const uint32_t *p_inv_neg,
+	uint32_t *tmp, // uint32_t tmp[6 * k]
+	size_t k);
+void bn_mont_mod_inv(uint32_t *r, const uint32_t *a, const uint32_t *p, const uint32_t *p_inv_neg,
+	uint32_t *tmp, // uint32_t tmp[7 * k]
+	size_t k);
+void bn_mont_set(uint32_t *r, const uint32_t *a, const uint32_t *one_sqr, const uint32_t *p, const uint32_t *p_inv_neg,
+	uint32_t *tmp, // uint32_t tmp[5 * k]
+	size_t k);
+void bn_mont_get(uint32_t *r, const uint32_t *a, const uint32_t *p, const uint32_t *p_inv_neg,
+	uint32_t *tmp, // uint32_t tmp[5 * k]
+	size_t k);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif

include/gmssl/ecdsa.h

@@ -0,0 +1,68 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+#ifndef GMSSL_ECDSA_H
+#define GMSSL_ECDSA_H
+
+
+#include <string.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <gmssl/sha2.h>
+#include <gmssl/secp256r1_key.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef struct {
+	secp256r1_t r;
+	secp256r1_t s;
+} ECDSA_SIGNATURE;
+
+#define ECDSA_SIGNATURE_COMPACT_SIZE	70
+#define ECDSA_SIGNATURE_TYPICAL_SIZE	71
+#define ECDSA_SIGNATURE_MAX_SIZE	72
+
+int ecdsa_signature_to_der(const ECDSA_SIGNATURE *sig, uint8_t **out, size_t *outlen);
+int ecdsa_signature_from_der(ECDSA_SIGNATURE *sig, const uint8_t **in, size_t *inlen);
+int ecdsa_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, const ECDSA_SIGNATURE *sig);
+int ecdsa_signature_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *sig, size_t siglen);
+
+int ecdsa_do_sign_ex(const SECP256R1_KEY *key, const secp256r1_t k, const uint8_t dgst[32], ECDSA_SIGNATURE *sig);
+int ecdsa_do_sign(const SECP256R1_KEY *key, const uint8_t dgst[32], ECDSA_SIGNATURE *sig);
+int ecdsa_do_verify(const SECP256R1_KEY *key, const uint8_t dgst[32], const ECDSA_SIGNATURE *sig);
+int ecdsa_sign(const SECP256R1_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen);
+int ecdsa_sign_fixlen(const SECP256R1_KEY *key, const uint8_t dgst[32], size_t siglen, uint8_t *sig);
+int ecdsa_verify(const SECP256R1_KEY *key, const uint8_t dgst[32], const uint8_t *sig, size_t siglen);
+
+
+typedef struct {
+	SHA256_CTX sha256_ctx;
+	SECP256R1_KEY key;
+	ECDSA_SIGNATURE sig;
+} ECDSA_SIGN_CTX;
+
+int ecdsa_sign_init(ECDSA_SIGN_CTX *ctx, const SECP256R1_KEY *key);
+int ecdsa_sign_update(ECDSA_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
+int ecdsa_sign_finish(ECDSA_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen);
+int ecdsa_sign_finish_fixlen(ECDSA_SIGN_CTX *ctx, size_t siglen, uint8_t *sig);
+int ecdsa_verify_init(ECDSA_SIGN_CTX *ctx, const SECP256R1_KEY *key, const uint8_t *sig, size_t siglen);
+int ecdsa_verify_update(ECDSA_SIGN_CTX *ctx, const uint8_t *data, size_t datalen);
+int ecdsa_verify_finish(ECDSA_SIGN_CTX *ctx);
+
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif

include/gmssl/oid.h

@@ -210,6 +210,7 @@ enum {
 
 
 
+#define OID_secp256r1 OID_prime256v1
 
 
 #define oid_cnt(nodes)	(sizeof(nodes)/sizeof((nodes)[0]))

include/gmssl/secp256r1.h

@@ -0,0 +1,108 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+
+#ifndef GMSSL_SECP256R1_H
+#define GMSSL_SECP256R1_H
+
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+// p = 2^256 - 2^224 + 2^192 + 2^96 - 1
+//   = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
+// a = -3
+// b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
+// x = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
+// y = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
+// n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
+// h = 1
+
+
+typedef uint32_t secp256r1_t[8];
+
+#define SECP256R1_K (sizeof(secp256r1_t)/sizeof(uint32_t))
+
+extern const secp256r1_t SECP256R1_P;
+extern const secp256r1_t SECP256R1_B;
+extern const secp256r1_t SECP256R1_N;
+extern const uint32_t SECP256R1_U_P[9];
+extern const uint32_t SECP256R1_U_N[9];
+
+int  secp256r1_is_zero(const secp256r1_t a);
+int  secp256r1_is_one(const secp256r1_t a);
+int  secp256r1_cmp(const secp256r1_t a, const secp256r1_t b);
+void secp256r1_set_zero(secp256r1_t r);
+void secp256r1_set_one(secp256r1_t r);
+void secp256r1_copy(secp256r1_t r, const secp256r1_t a);
+void secp256r1_to_32bytes(const secp256r1_t a, uint8_t out[32]);
+void secp256r1_from_32bytes(secp256r1_t r, const uint8_t in[32]);
+int  secp256r1_print(FILE *fp, int fmt, int ind, const char *label, const secp256r1_t a);
+
+void secp256r1_modp_add(secp256r1_t r, const secp256r1_t a, const secp256r1_t b);
+void secp256r1_modp_dbl(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modp_tri(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modp_sub(secp256r1_t r, const secp256r1_t a, const secp256r1_t b);
+void secp256r1_modp_neg(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modp_haf(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modp_mul(secp256r1_t r, const secp256r1_t a, const secp256r1_t b);
+void secp256r1_modp_sqr(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modp_exp(secp256r1_t r, const secp256r1_t a, const secp256r1_t e);
+void secp256r1_modp_inv(secp256r1_t r, const secp256r1_t a);
+
+void secp256r1_modn(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modn_add(secp256r1_t r, const secp256r1_t a, const secp256r1_t b);
+void secp256r1_modn_dbl(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modn_tri(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modn_sub(secp256r1_t r, const secp256r1_t a, const secp256r1_t b);
+void secp256r1_modn_neg(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modn_mul(secp256r1_t r, const secp256r1_t a, const secp256r1_t b);
+void secp256r1_modn_sqr(secp256r1_t r, const secp256r1_t a);
+void secp256r1_modn_exp(secp256r1_t r, const secp256r1_t a, const secp256r1_t e);
+void secp256r1_modn_inv(secp256r1_t r, const secp256r1_t a);
+
+
+typedef struct {
+	secp256r1_t X;
+	secp256r1_t Y;
+	secp256r1_t Z;
+} SECP256R1_POINT;
+
+extern const SECP256R1_POINT SECP256R1_POINT_G;
+
+void secp256r1_point_set_infinity(SECP256R1_POINT *R);
+int  secp256r1_point_is_at_infinity(const SECP256R1_POINT *P);
+int  secp256r1_point_is_on_curve(const SECP256R1_POINT *P);
+int  secp256r1_point_equ(const SECP256R1_POINT *P, const SECP256R1_POINT *Q);
+int  secp256r1_point_set_xy(SECP256R1_POINT *R, const secp256r1_t x, const secp256r1_t y);
+int  secp256r1_point_get_xy(const SECP256R1_POINT *P, secp256r1_t x, secp256r1_t y);
+void secp256r1_point_copy(SECP256R1_POINT *R, const SECP256R1_POINT *P);
+void secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P);
+void secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q);
+void secp256r1_point_neg(SECP256R1_POINT *R, const SECP256R1_POINT *P);
+void secp256r1_point_sub(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q);
+void secp256r1_point_mul(SECP256R1_POINT *R, const secp256r1_t k, const SECP256R1_POINT *P);
+void secp256r1_point_mul_generator(SECP256R1_POINT *R, const secp256r1_t k);
+int  secp256r1_point_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_POINT *P);
+int  secp256r1_point_to_uncompressed_octets(const SECP256R1_POINT *P, uint8_t octets[65]);
+int  secp256r1_point_from_uncompressed_octets(SECP256R1_POINT *P, const uint8_t octets[65]);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif

include/gmssl/secp256r1_key.h

@@ -0,0 +1,56 @@
+/*
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#ifndef GMSSL_SECP256R1_KEY_H
+#define GMSSL_SECP256R1_KEY_H
+
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <gmssl/secp256r1.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct {
+	SECP256R1_POINT public_key;
+	secp256r1_t private_key;
+} SECP256R1_KEY;
+
+int secp256r1_key_generate(SECP256R1_KEY *key);
+int secp256r1_key_set_private_key(SECP256R1_KEY *key, const secp256r1_t private_key);
+int secp256r1_public_key_equ(const SECP256R1_KEY *key, const SECP256R1_KEY *pub);
+void secp256r1_key_cleanup(SECP256R1_KEY *key);
+
+int secp256r1_public_key_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_KEY *key);
+int secp256r1_private_key_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_KEY *key);
+
+int secp256r1_public_key_to_bytes(const SECP256R1_KEY *key, uint8_t **out, size_t *outlen);
+int secp256r1_public_key_from_bytes(SECP256R1_KEY *key, const uint8_t **in, size_t *inlen);
+int secp256r1_public_key_to_der(const SECP256R1_KEY *key, uint8_t **out, size_t *outlen);
+int secp256r1_public_key_from_der(SECP256R1_KEY *key, const uint8_t **in, size_t *inlen);
+int secp256r1_private_key_to_der(const SECP256R1_KEY *key, uint8_t **out, size_t *outlen);
+int secp256r1_private_key_from_der(SECP256R1_KEY *key, const uint8_t **in, size_t *inlen);
+int secp256r1_private_key_info_to_der(const SECP256R1_KEY *key, uint8_t **out, size_t *outlen);
+int secp256r1_private_key_info_from_der(SECP256R1_KEY *key, const uint8_t **attrs, size_t *attrslen,
+	const uint8_t **in, size_t *inlen);
+int secp256r1_private_key_info_encrypt_to_der(const SECP256R1_KEY *ec_key, const char *pass,
+	uint8_t **out, size_t *outlen);
+int secp256r1_private_key_info_decrypt_from_der(SECP256R1_KEY *ec_key,
+	const uint8_t **attrs, size_t *attrs_len,
+	const char *pass, const uint8_t **in, size_t *inlen);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif

include/gmssl/tls.h

@@ -752,6 +752,11 @@ typedef struct {
 	BLOCK_CIPHER_KEY server_write_key;
 
 	int quiet;
+
+	// handshake state for state machine
+	int state;
+	SM3_CTX sm3_ctx;
+	SM2_SIGN_CTX sign_ctx;
 } TLS_CONNECT;