diff options
| author | Jack Lloyd <jack.lloyd@ribose.com> | 2018-01-24 11:56:02 -0500 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2018-03-19 14:33:25 +0100 |
| commit | 3d328a445c2ad0eff2e9e843c384711be58a7c2f (patch) | |
| tree | 888d7dee8ebe744a5fd6a62a6b12c7b6b72bee83 | |
| parent | df3a15512bd0f5ddd9f0dd74f0a058ee55b33904 (diff) | |
Add SM2 signature and ECIES schemes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
| -rwxr-xr-x | Configure | 2 | ||||
| -rw-r--r-- | apps/openssl.c | 3 | ||||
| -rwxr-xr-x | config | 2 | ||||
| -rw-r--r-- | crypto/ec/ec_curve.c | 39 | ||||
| -rw-r--r-- | crypto/ec/ec_pmeth.c | 32 | ||||
| -rw-r--r-- | crypto/err/err.c | 1 | ||||
| -rw-r--r-- | crypto/err/openssl.ec | 1 | ||||
| -rw-r--r-- | crypto/err/openssl.txt | 65 | ||||
| -rw-r--r-- | crypto/objects/obj_dat.h | 15 | ||||
| -rw-r--r-- | crypto/objects/obj_mac.num | 1 | ||||
| -rw-r--r-- | crypto/objects/objects.txt | 14 | ||||
| -rw-r--r-- | crypto/sm2/build.info | 6 | ||||
| -rw-r--r-- | crypto/sm2/sm2_crypt.c | 321 | ||||
| -rw-r--r-- | crypto/sm2/sm2_err.c | 129 | ||||
| -rw-r--r-- | crypto/sm2/sm2_sign.c | 324 | ||||
| -rw-r--r-- | crypto/sm2/sm2_za.c | 132 | ||||
| -rw-r--r-- | fuzz/oids.txt | 1 | ||||
| -rw-r--r-- | include/openssl/err.h | 2 | ||||
| -rw-r--r-- | include/openssl/evp.h | 1 | ||||
| -rw-r--r-- | include/openssl/obj_mac.h | 35 | ||||
| -rw-r--r-- | include/openssl/sm2.h | 70 | ||||
| -rw-r--r-- | include/openssl/sm2err.h | 95 | ||||
| -rw-r--r-- | openssl_sm2.pem | 5 | ||||
| -rw-r--r-- | test/build.info | 9 | ||||
| -rw-r--r-- | test/recipes/30-test_evp_data/evppkey.txt | 14 | ||||
| -rw-r--r-- | test/sm2crypttest.c | 249 | ||||
| -rw-r--r-- | test/sm2sigtest.c | 238 | ||||
| -rw-r--r-- | util/libcrypto.num | 9 |
28 files changed, 1784 insertions, 31 deletions
@@ -297,7 +297,7 @@ $config{sdirs} = [ "objects", "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", - "bn", "ec", "rsa", "dsa", "dh", "dso", "engine", + "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", "buffer", "bio", "stack", "lhash", "rand", "err", "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" diff --git a/apps/openssl.c b/apps/openssl.c index 39b4f2ce54..8224ae3d0f 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -762,6 +762,9 @@ static void list_disabled(void) #ifdef OPENSSL_NO_SEED BIO_puts(bio_out, "SEED\n"); #endif +#ifdef OPENSSL_NO_SM2 + BIO_puts(bio_out, "SM2\n"); +#endif #ifdef OPENSSL_NO_SM3 BIO_puts(bio_out, "SM3\n"); #endif @@ -886,7 +886,7 @@ case "$GUESSOS" in i386-*) options="$options 386" ;; esac -for i in aes aria bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha sm3 sm4 +for i in aes aria bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha sm2 sm3 sm4 do if [ ! -d $THERE/crypto/$i ] then diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 75fc541101..01d56543db 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -2751,6 +2751,43 @@ static const struct { } }; +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +} _EC_sm2p256v1 = { + { + NID_X9_62_prime_field, 0, 32, 1 + }, + { + /* no seed */ + + /* p */ + 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + /* a */ + 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc, + /* b */ + 0x28, 0xe9, 0xfa, 0x9e, 0x9d, 0x9f, 0x5e, 0x34, 0x4d, 0x5a, 0x9e, 0x4b, + 0xcf, 0x65, 0x09, 0xa7, 0xf3, 0x97, 0x89, 0xf5, 0x15, 0xab, 0x8f, 0x92, + 0xdd, 0xbc, 0xbd, 0x41, 0x4d, 0x94, 0x0e, 0x93, + /* x */ + 0x32, 0xc4, 0xae, 0x2c, 0x1f, 0x19, 0x81, 0x19, 0x5f, 0x99, 0x04, 0x46, + 0x6a, 0x39, 0xc9, 0x94, 0x8f, 0xe3, 0x0b, 0xbf, 0xf2, 0x66, 0x0b, 0xe1, + 0x71, 0x5a, 0x45, 0x89, 0x33, 0x4c, 0x74, 0xc7, + /* y */ + 0xbc, 0x37, 0x36, 0xa2, 0xf4, 0xf6, 0x77, 0x9c, 0x59, 0xbd, 0xce, 0xe3, + 0x6b, 0x69, 0x21, 0x53, 0xd0, 0xa9, 0x87, 0x7c, 0xc6, 0x2a, 0x47, 0x40, + 0x02, 0xdf, 0x32, 0xe5, 0x21, 0x39, 0xf0, 0xa0, + /* order */ + 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0x72, 0x03, 0xdf, 0x6b, 0x21, 0xc6, 0x05, 0x2b, + 0x53, 0xbb, 0xf4, 0x09, 0x39, 0xd5, 0x41, 0x23, + } +}; + typedef struct _ec_list_element_st { int nid; const EC_CURVE_DATA *data; @@ -2960,6 +2997,8 @@ static const ec_list_element curve_list[] = { "RFC 5639 curve over a 512 bit prime field"}, {NID_brainpoolP512t1, &_EC_brainpoolP512t1.h, 0, "RFC 5639 curve over a 512 bit prime field"}, + {NID_sm2, &_EC_sm2p256v1.h, 0, + "SM2 curve over a 256 bit prime field"}, }; #define curve_list_length OSSL_NELEM(curve_list) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 68ff2bbccf..82a4ffabf9 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -16,6 +16,10 @@ #include <openssl/evp.h> #include "internal/evp_int.h" +#if !defined(OPENSSL_NO_SM2) + #include <openssl/sm2.h> +#endif + /* EC pkey context structure */ typedef struct { @@ -102,6 +106,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, unsigned int sltmp; EC_PKEY_CTX *dctx = ctx->data; EC_KEY *ec = ctx->pkey->pkey.ec; + const int ec_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); if (!sig) { *siglen = ECDSA_size(ec); @@ -116,7 +121,16 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, else type = NID_sha1; - ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + if (ec_nid == NID_sm2) { +#if defined(OPENSSL_NO_SM2) + ret = -1; +#else + ret = SM2_sign(type, tbs, tbslen, sig, &sltmp, ec); +#endif + } + else { + ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + } if (ret <= 0) return ret; @@ -131,13 +145,24 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx, int ret, type; EC_PKEY_CTX *dctx = ctx->data; EC_KEY *ec = ctx->pkey->pkey.ec; + const int ec_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); if (dctx->md) type = EVP_MD_type(dctx->md); else type = NID_sha1; - ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + if (ec_nid == NID_sm2) { +#if defined(OPENSSL_NO_SM2) + ret = -1; +#else + ret = SM2_verify(type, tbs, tbslen, sig, siglen, ec); +#endif + } + else { + ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + } + return ret; } @@ -318,7 +343,8 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) EVP_MD_type((const EVP_MD *)p2) != NID_sha224 && EVP_MD_type((const EVP_MD *)p2) != NID_sha256 && EVP_MD_type((const EVP_MD *)p2) != NID_sha384 && - EVP_MD_type((const EVP_MD *)p2) != NID_sha512) { + EVP_MD_type((const EVP_MD *)p2) != NID_sha512 && + EVP_MD_type((const EVP_MD *)p2) != NID_sm3) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE); return 0; } diff --git a/crypto/err/err.c b/crypto/err/err.c index 68afa93ae8..c0a6b2b16f 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -60,6 +60,7 @@ static ERR_STRING_DATA ERR_str_libraries[] = { {ERR_PACK(ERR_LIB_ASYNC, 0, 0), "ASYNC routines"}, {ERR_PACK(ERR_LIB_KDF, 0, 0), "KDF routines"}, {ERR_PACK(ERR_LIB_OSSL_STORE, 0, 0), "STORE routines"}, + {ERR_PACK(ERR_LIB_SM2, 0, 0), "SM2 routines"}, {0, NULL}, }; diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index be84c7cb23..f45e230749 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -32,6 +32,7 @@ L CMS include/openssl/cms.h crypto/cms/cms_err.c L CT include/openssl/ct.h crypto/ct/ct_err.c L ASYNC include/openssl/async.h crypto/async/async_err.c L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c +L SM2 include/openssl/sm2.h crypto/sm2/sm2_err.c L OSSL_STORE include/openssl/store.h crypto/store/store_err.c # additional header files to be scanned for function names diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 0052ddf2fe..bb8c157405 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -986,6 +986,11 @@ RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING RSA_F_RSA_VERIFY:119:RSA_verify RSA_F_RSA_VERIFY_ASN1_OCTET_STRING:120:RSA_verify_ASN1_OCTET_STRING RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1:126:RSA_verify_PKCS1_PSS_mgf1 +SM2_F_PKEY_SM2_CTRL:274:pkey_sm2_ctrl +SM2_F_PKEY_SM2_CTRL_STR:275:pkey_sm2_ctrl_str +SM2_F_PKEY_SM2_KEYGEN:276:pkey_sm2_keygen +SM2_F_PKEY_SM2_PARAMGEN:277:pkey_sm2_paramgen +SM2_F_PKEY_SM2_SIGN:278:pkey_sm2_sign SSL_F_ADD_CLIENT_KEY_SHARE_EXT:438:* SSL_F_ADD_KEY_SHARE:512:add_key_share SSL_F_BYTES_TO_CIPHER_LIST:519:bytes_to_cipher_list @@ -2394,6 +2399,66 @@ RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type RSA_R_VALUE_MISSING:147:value missing RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length +SM2_R_ASN1_ERROR:115:asn1 error +SM2_R_ASN5_ERROR:1150:asn5 error +SM2_R_BAD_SIGNATURE:156:bad signature +SM2_R_BIGNUM_OUT_OF_RANGE:144:bignum out of range +SM2_R_BUFFER_TOO_SMALL:100:buffer too small +SM2_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range +SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh +SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing +SM2_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure +SM2_R_DECODE_ERROR:142:decode error +SM2_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero +SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure +SM2_R_FIELD_TOO_LARGE:143:field too large +SM2_R_GF2M_NOT_SUPPORTED:147:gf2m not supported +SM2_R_GROUP2PKPARAMETERS_FAILURE:120:group2pkparameters failure +SM2_R_I2D_ECPKPARAMETERS_FAILURE:121:i2d ecpkparameters failure +SM2_R_INCOMPATIBLE_OBJECTS:101:incompatible objects +SM2_R_INVALID_ARGUMENT:112:invalid argument +SM2_R_INVALID_COMPRESSED_POINT:110:invalid compressed point +SM2_R_INVALID_COMPRESSION_BIT:109:invalid compression bit +SM2_R_INVALID_CURVE:141:invalid curve +SM2_R_INVALID_DIGEST:151:invalid digest +SM2_R_INVALID_DIGEST_TYPE:138:invalid digest type +SM2_R_INVALID_ENCODING:102:invalid encoding +SM2_R_INVALID_FIELD:103:invalid field +SM2_R_INVALID_FORM:104:invalid form +SM2_R_INVALID_GROUP_ORDER:122:invalid group order +SM2_R_INVALID_KEY:116:invalid key +SM2_R_INVALID_OUTPUT_LENGTH:161:invalid output length +SM2_R_INVALID_PEER_KEY:133:invalid peer key +SM2_R_INVALID_PENTANOMIAL_BASIS:132:invalid pentanomial basis +SM2_R_INVALID_PRIVATE_KEY:123:invalid private key +SM2_R_INVALID_TRINOMIAL_BASIS:137:invalid trinomial basis +SM2_R_KDF_PARAMETER_ERROR:148:kdf parameter error +SM2_R_KEYS_NOT_SET:140:keys not set +SM2_R_MISSING_PARAMETERS:124:missing parameters +SM2_R_MISSING_PRIVATE_KEY:125:missing private key +SM2_R_NEED_NEW_SETUP_VALUES:157:need new setup values +SM2_R_NOT_A_NIST_PRIME:135:not a NIST prime +SM2_R_NOT_IMPLEMENTED:126:not implemented +SM2_R_NOT_INITIALIZED:111:not initialized +SM2_R_NO_PARAMETERS_SET:139:no parameters set +SM2_R_NO_PRIVATE_VALUE:154:no private value +SM2_R_OPERATION_NOT_SUPPORTED:152:operation not supported +SM2_R_PASSED_NULL_PARAMETER:134:passed null parameter +SM2_R_PEER_KEY_ERROR:149:peer key error +SM2_R_PKPARAMETERS2GROUP_FAILURE:127:pkparameters2group failure +SM2_R_POINT_ARITHMETIC_FAILURE:155:point arithmetic failure +SM2_R_POINT_AT_INFINITY:106:point at infinity +SM2_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve +SM2_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed +SM2_R_SHARED_INFO_ERROR:150:shared info error +SM2_R_SLOT_FULL:108:slot full +SM2_R_UNDEFINED_GENERATOR:113:undefined generator +SM2_R_UNDEFINED_ORDER:128:undefined order +SM2_R_UNKNOWN_GROUP:129:unknown group +SM2_R_UNKNOWN_ORDER:114:unknown order +SM2_R_UNSUPPORTED_FIELD:131:unsupported field +SM2_R_WRONG_CURVE_PARAMETERS:145:wrong curve parameters +SM2_R_WRONG_ORDER:130:wrong order SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\ attempt to reuse session in different context diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index d392586380..60c3826799 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7618] = { +static const unsigned char so[7626] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -1059,9 +1059,10 @@ static const unsigned char so[7618] = { 0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x09, /* [ 7597] OBJ_uacurve9 */ 0x2B,0x6F, /* [ 7610] OBJ_ieee */ 0x2B,0x6F,0x02,0x8C,0x53, /* [ 7612] OBJ_ieee_siswg */ + 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x82,0x2D, /* [ 7617] OBJ_sm2 */ }; -#define NUM_NID 1172 +#define NUM_NID 1173 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2235,9 +2236,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"uacurve9", "DSTU curve 9", NID_uacurve9, 13, &so[7597]}, {"ieee", "ieee", NID_ieee, 2, &so[7610]}, {"ieee-siswg", "IEEE Security in Storage Working Group", NID_ieee_siswg, 5, &so[7612]}, + {"SM2", "sm2", NID_sm2, 8, &so[7617]}, }; -#define NUM_SN 1163 +#define NUM_SN 1164 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2502,6 +2504,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1095, /* "SHA512-256" */ 1100, /* "SHAKE128" */ 1101, /* "SHAKE256" */ + 1172, /* "SM2" */ 1143, /* "SM3" */ 1134, /* "SM4-CBC" */ 1137, /* "SM4-CFB" */ @@ -3404,7 +3407,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1163 +#define NUM_LN 1164 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -4514,6 +4517,7 @@ static const unsigned int ln_objs[NUM_LN] = { 496, /* "singleLevelQuality" */ 1062, /* "siphash" */ 1142, /* "sm-scheme" */ + 1172, /* "sm2" */ 1143, /* "sm3" */ 1144, /* "sm3WithRSAEncryption" */ 1134, /* "sm4-cbc" */ @@ -4571,7 +4575,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1054 +#define NUM_OBJ 1055 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -5037,6 +5041,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 1136, /* OBJ_sm4_cfb1 1 2 156 10197 1 104 5 */ 1138, /* OBJ_sm4_cfb8 1 2 156 10197 1 104 6 */ 1139, /* OBJ_sm4_ctr 1 2 156 10197 1 104 7 */ + 1172, /* OBJ_sm2 1 2 156 10197 1 301 */ 1143, /* OBJ_sm3 1 2 156 10197 1 401 */ 1144, /* OBJ_sm3WithRSAEncryption 1 2 156 10197 1 504 */ 776, /* OBJ_seed_ecb 1 2 410 200004 1 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 228ee84fab..ca8fdfba48 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1169,3 +1169,4 @@ uacurve8 1168 uacurve9 1169 ieee 1170 ieee_siswg 1171 +sm2 1172 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 2a9112967f..e565864a48 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -36,6 +36,10 @@ member-body 840 : ISO-US : ISO US Member Body ISO-US 10040 : X9-57 : X9.57 X9-57 4 : X9cm : X9.57 CM ? +member-body 156 : ISO-CN : ISO CN Member Body +ISO-CN 10197 : oscca +oscca 1 : sm-scheme + !Cname dsa X9cm 1 : DSA : dsaEncryption X9cm 3 : DSA-SHA1 : dsaWithSHA1 @@ -376,8 +380,10 @@ rsadsi 2 5 : MD5 : md5 rsadsi 2 6 : : hmacWithMD5 rsadsi 2 7 : : hmacWithSHA1 -member-body 156 10197 1 401 : SM3 : sm3 -member-body 156 10197 1 504 : RSA-SM3 : sm3WithRSAEncryption +sm-scheme 301 : SM2 : sm2 + +sm-scheme 401 : SM3 : sm3 +sm-scheme 504 : RSA-SM3 : sm3WithRSAEncryption # From RFC4231 rsadsi 2 8 : : hmacWithSHA224 @@ -1476,10 +1482,6 @@ kisa 1 6 : SEED-OFB : seed-ofb # Definitions for SM4 cipher -member-body 156 : ISO-CN : ISO CN Member Body -ISO-CN 10197 : oscca -oscca 1 : sm-scheme - sm-scheme 104 1 : SM4-ECB : sm4-ecb sm-scheme 104 2 : SM4-CBC : sm4-cbc !Cname sm4-ofb128 diff --git a/crypto/sm2/build.info b/crypto/sm2/build.info new file mode 100644 index 0000000000..fbf8dba10f --- /dev/null +++ b/crypto/sm2/build.info @@ -0,0 +1,6 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ + sm2_za.c sm2_sign.c sm2_crypt.c sm2_err.c + + + diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c new file mode 100644 index 0000000000..a450146a7b --- /dev/null +++ b/crypto/sm2/sm2_crypt.c @@ -0,0 +1,321 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/sm2.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/asn1.h> +#include <openssl/asn1t.h> +#include <string.h> + +typedef struct SM2_Ciphertext_st SM2_Ciphertext; +DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext) + +struct SM2_Ciphertext_st { + BIGNUM *C1x; + BIGNUM *C1y; + ASN1_OCTET_STRING *C3; + ASN1_OCTET_STRING *C2; +}; + +ASN1_SEQUENCE(SM2_Ciphertext) = { + ASN1_SIMPLE(SM2_Ciphertext, C1x, BIGNUM), + ASN1_SIMPLE(SM2_Ciphertext, C1y, BIGNUM), + ASN1_SIMPLE(SM2_Ciphertext, C3, ASN1_OCTET_STRING), + ASN1_SIMPLE(SM2_Ciphertext, C2, ASN1_OCTET_STRING), +} ASN1_SEQUENCE_END(SM2_Ciphertext) + +IMPLEMENT_ASN1_FUNCTIONS(SM2_Ciphertext) + +static size_t EC_field_size(const EC_GROUP *group) +{ + /* Is there some simpler way to do this? */ + BIGNUM *p = BN_new(); + BIGNUM *a = BN_new(); + BIGNUM *b = BN_new(); + size_t field_size = 0; + + if (p == NULL || a == NULL || b == NULL) + goto done; + + EC_GROUP_get_curve_GFp(group, p, a, b, NULL); + field_size = (BN_num_bits(p) + 7) / 8; + + done: + BN_free(p); + BN_free(a); + BN_free(b); + + return field_size; +} + +size_t SM2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len) +{ + return 10 + 2 * EC_field_size(EC_KEY_get0_group(key)) + + EVP_MD_size(digest) + msg_len; +} + +int SM2_encrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *msg, + size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len) +{ + int rc = 0; + size_t i; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + BIGNUM *x1 = NULL; + BIGNUM *y1 = NULL; + BIGNUM *x2 = NULL; + BIGNUM *y2 = NULL; + + EVP_MD_CTX *hash = EVP_MD_CTX_new(); + + struct SM2_Ciphertext_st ctext_struct; + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + const EC_POINT *P = EC_KEY_get0_public_key(key); + EC_POINT *kG = NULL; + EC_POINT *kP = NULL; + uint8_t *msg_mask = NULL; + + uint8_t *x2y2 = NULL; + uint8_t *C3 = NULL; + + const size_t field_size = EC_field_size(group); + const size_t C3_size = EVP_MD_size(digest); + + if (field_size == 0 || C3_size == 0) + goto done; + + kG = EC_POINT_new(group); + kP = EC_POINT_new(group); + if (kG == NULL || kP == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + k = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + x2 = BN_CTX_get(ctx); + y1 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + + if (y2 == NULL) + goto done; + + x2y2 = OPENSSL_zalloc(2 * field_size); + C3 = OPENSSL_zalloc(C3_size); + + if (x2y2 == NULL || C3 == NULL) + goto done; + + memset(ciphertext_buf, 0, *ciphertext_len); + + BN_priv_rand_range(k, order); + + if (EC_POINT_mul(group, kG, k, NULL, NULL, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kG, x1, y1, ctx) == 0) + goto done; + + if (EC_POINT_mul(group, kP, NULL, P, k, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kP, x2, y2, ctx) == 0) + goto done; + + BN_bn2binpad(x2, x2y2, field_size); + BN_bn2binpad(y2, x2y2 + field_size, field_size); + + msg_mask = OPENSSL_zalloc(msg_len); + if (msg_mask == NULL) + goto done; + + /* X9.63 with no salt happens to match the KDF used in SM2 */ + if (ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, digest) + == 0) + goto done; + + for (i = 0; i != msg_len; ++i) + msg_mask[i] ^= msg[i]; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2, field_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, msg, msg_len) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0) + goto done; + + if (EVP_DigestFinal(hash, C3, NULL) == 0) + goto done; + + ctext_struct.C1x = x1; + ctext_struct.C1y = y1; + ctext_struct.C3 = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size); + ctext_struct.C2 = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len); + + *ciphertext_len = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf); + + ASN1_OCTET_STRING_free(ctext_struct.C2); + ASN1_OCTET_STRING_free(ctext_struct.C3); + + rc = 1; + + done: + OPENSSL_free(msg_mask); + OPENSSL_free(x2y2); + OPENSSL_free(C3); + EVP_MD_CTX_free(hash); + BN_CTX_free(ctx); + EC_POINT_free(kG); + EC_POINT_free(kP); + return rc; +} + +int SM2_decrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *ciphertext, + size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len) +{ + int rc = 0; + int i; + + BN_CTX *ctx = NULL; + const EC_GROUP *group = EC_KEY_get0_group(key); + EC_POINT *C1 = NULL; + struct SM2_Ciphertext_st *sm2_ctext = NULL; + BIGNUM *x2 = NULL; + BIGNUM *y2 = NULL; + + uint8_t *x2y2 = NULL; + uint8_t *computed_C3 = NULL; + + const size_t field_size = EC_field_size(group); + const int hash_size = EVP_MD_size(digest); + + uint8_t *msg_mask = NULL; + const uint8_t *C2 = NULL; + const uint8_t *C3 = NULL; + int msg_len = 0; + EVP_MD_CTX *hash = NULL; + + if (field_size == 0 || hash_size == 0) + goto done; + + memset(ptext_buf, 0xFF, *ptext_len); + + sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext, ciphertext_len); + + if (sm2_ctext == NULL) + goto done; + + if (sm2_ctext->C3->length != hash_size) + goto done; + + C2 = sm2_ctext->C2->data; + C3 = sm2_ctext->C3->data; + msg_len = sm2_ctext->C2->length; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + x2 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + + if(y2 == NULL) + goto done; + + msg_mask = OPENSSL_zalloc(msg_len); + x2y2 = OPENSSL_zalloc(2 * field_size); + computed_C3 = OPENSSL_zalloc(hash_size); + + if(msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL) + goto done; + + C1 = EC_POINT_new(group); + if (C1 == NULL) + goto done; + + if (EC_POINT_set_affine_coordinates_GFp + (group, C1, sm2_ctext->C1x, sm2_ctext->C1y, ctx) == 0) + goto done; + + if (EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key), ctx) == + 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, C1, x2, y2, ctx) == 0) + goto done; + + BN_bn2binpad(x2, x2y2, field_size); + BN_bn2binpad(y2, x2y2 + field_size, field_size); + + if (ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, digest) + == 0) + goto done; + + for (i = 0; i != msg_len; ++i) + ptext_buf[i] = C2[i] ^ msg_mask[i]; + + hash = EVP_MD_CTX_new(); + + if (hash == NULL) + goto done; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2, field_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, ptext_buf, msg_len) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0) + goto done; + + if (EVP_DigestFinal(hash, computed_C3, NULL) == 0) + goto done; + + if (memcmp(computed_C3, C3, hash_size) != 0) + goto done; + + rc = 1; + + done: + + if (rc == 0) + memset(ptext_buf, 0, *ptext_len); + + OPENSSL_free(msg_mask); + OPENSSL_free(x2y2); + OPENSSL_free(computed_C3); + EC_POINT_free(C1); + BN_CTX_free(ctx); + SM2_Ciphertext_free(sm2_ctext); + EVP_MD_CTX_free(hash); + + return rc; +} diff --git a/crypto/sm2/sm2_err.c b/crypto/sm2/sm2_err.c new file mode 100644 index 0000000000..acb4502b86 --- /dev/null +++ b/crypto/sm2/sm2_err.c @@ -0,0 +1,129 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/err.h> +#include <openssl/sm2err.h> + +#ifndef OPENSSL_NO_ERR + +static const ERR_STRING_DATA SM2_str_functs[] = { + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_CTRL, 0), "pkey_sm2_ctrl"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_CTRL_STR, 0), "pkey_sm2_ctrl_str"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_KEYGEN, 0), "pkey_sm2_keygen"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_PARAMGEN, 0), "pkey_sm2_paramgen"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_SIGN, 0), "pkey_sm2_sign"}, + {0, NULL} +}; + +static const ERR_STRING_DATA SM2_str_reasons[] = { + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_ASN1_ERROR), "asn1 error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_ASN5_ERROR), "asn5 error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BAD_SIGNATURE), "bad signature"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BIGNUM_OUT_OF_RANGE), + "bignum out of range"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BUFFER_TOO_SMALL), "buffer too small"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_COORDINATES_OUT_OF_RANGE), + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_D2I_ECPKPARAMETERS_FAILURE), + "d2i ecpkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_DECODE_ERROR), "decode error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_DISCRIMINANT_IS_ZERO), + "discriminant is zero"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE), + "ec group new by name failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_FIELD_TOO_LARGE), "field too large"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_GF2M_NOT_SUPPORTED), "gf2m not supported"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_GROUP2PKPARAMETERS_FAILURE), + "group2pkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_I2D_ECPKPARAMETERS_FAILURE), + "i2d ecpkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INCOMPATIBLE_OBJECTS), |