diff options
-rw-r--r-- | CHANGES | 11 | ||||
-rw-r--r-- | crypto/ec/ec_asn1.c | 76 | ||||
-rw-r--r-- | crypto/ec/ec_curve.c | 114 | ||||
-rw-r--r-- | crypto/ec/ec_lcl.h | 15 | ||||
-rw-r--r-- | crypto/ec/ec_lib.c | 57 |
5 files changed, 268 insertions, 5 deletions
@@ -9,6 +9,17 @@ Changes between 1.0.2s and 1.0.2t [xx XXX xxxx] + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters, when loading a serialized key + or calling `EC_GROUP_new_from_ecpkparameters()`/ + `EC_GROUP_new_from_ecparameters()`. + This prevents bypass of security hardening and performance gains, + especially for curves with specialized EC_METHODs. + By default, if a key encoded with explicit parameters is loaded and later + serialized, the output is still encoded with explicit parameters, even if + internally a "named" EC_GROUP is used for computation. + [Nicola Tuveri] + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index b0cd3e1788..a9b90787c5 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -695,10 +695,12 @@ ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *group, static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) { int ok = 0, tmp; - EC_GROUP *ret = NULL; + EC_GROUP *ret = NULL, *dup = NULL; BIGNUM *p = NULL, *a = NULL, *b = NULL; EC_POINT *point = NULL; long field_bits; + int curve_name = NID_undef; + BN_CTX *ctx = NULL; if (!params->fieldID || !params->fieldID->fieldType || !params->fieldID->p.ptr) { @@ -914,13 +916,75 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) goto err; } + /* + * Check if the explicit parameters group just created matches one of the + * built-in curves. + * + * We create a copy of the group just built, so that we can remove optional + * fields for the lookup: we do this to avoid the possibility that one of + * the optional parameters is used to force the library into using a less + * performant and less secure EC_METHOD instead of the specialized one. + * In any case, `seed` is not really used in any computation, while a + * cofactor different from the one in the built-in table is just + * mathematically wrong anyway and should not be used. + */ + if ((ctx = BN_CTX_new()) == NULL) { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB); + goto err; + } + if ((dup = EC_GROUP_dup(ret)) == NULL + || EC_GROUP_set_seed(dup, NULL, 0) != 1 + || !EC_GROUP_set_generator(dup, point, a, NULL)) { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); + goto err; + } + if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) { + /* + * The input explicit parameters successfully matched one of the + * built-in curves: often for built-in curves we have specialized + * methods with better performance and hardening. + * + * In this case we replace the `EC_GROUP` created through explicit + * parameters with one created from a named group. + */ + EC_GROUP *named_group = NULL; + +#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + /* + * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for + * the same curve, we prefer the SECP nid when matching explicit + * parameters as that is associated with a specialized EC_METHOD. + */ + if (curve_name == NID_wap_wsg_idm_ecid_wtls12) + curve_name = NID_secp224r1; +#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ + + if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); + goto err; + } + EC_GROUP_free(ret); + ret = named_group; + + /* + * Set the flag so that EC_GROUPs created from explicit parameters are + * serialized using explicit parameters by default. + * + * 0x0 = OPENSSL_EC_EXPLICIT_CURVE + */ + EC_GROUP_set_asn1_flag(ret, 0x0); + } + ok = 1; - err:if (!ok) { + err: + if (!ok) { if (ret) - EC_GROUP_clear_free(ret); + EC_GROUP_free(ret); ret = NULL; } + if (dup) + EC_GROUP_free(dup); if (p) BN_free(p); @@ -930,6 +994,8 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) BN_free(b); if (point) EC_POINT_free(point); + if (ctx) + BN_CTX_free(ctx); return (ret); } @@ -990,7 +1056,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) } if (a && *a) - EC_GROUP_clear_free(*a); + EC_GROUP_free(*a); if (a) *a = group; @@ -1040,7 +1106,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) if (priv_key->parameters) { if (ret->group) - EC_GROUP_clear_free(ret->group); + EC_GROUP_free(ret->group); ret->group = ec_asn1_pkparameters2group(priv_key->parameters); } diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 6dbe9d8258..9d4c71637b 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -75,6 +75,8 @@ #include <openssl/obj_mac.h> #include <openssl/opensslconf.h> +#include "bn_int.h" + #ifdef OPENSSL_FIPS # include <openssl/fips.h> #endif @@ -3246,3 +3248,115 @@ int EC_curve_nist2nid(const char *name) } return NID_undef; } + +#define NUM_BN_FIELDS 6 +/* + * Validates EC domain parameter data for known named curves. + * This can be used when a curve is loaded explicitly (without a curve + * name) or to validate that domain parameters have not been modified. + * + * Returns: The nid associated with the found named curve, or NID_undef + * if not found. If there was an error it returns -1. + */ +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) +{ + int ret = -1, nid, len, field_type, param_len; + size_t i, seed_len; + const unsigned char *seed, *params_seed, *params; + unsigned char *param_bytes = NULL; + const EC_CURVE_DATA *data; + const EC_POINT *generator = NULL; + const EC_METHOD *meth; + const BIGNUM *cofactor = NULL; + /* An array of BIGNUMs for (p, a, b, x, y, order) */ + BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; + + meth = EC_GROUP_method_of(group); + if (meth == NULL) + return -1; + /* Use the optional named curve nid as a search field */ + nid = EC_GROUP_get_curve_name(group); + field_type = EC_METHOD_get_field_type(meth); + seed_len = EC_GROUP_get_seed_len(group); + seed = EC_GROUP_get0_seed(group); + cofactor = &group->cofactor; + + BN_CTX_start(ctx); + + /* + * The built-in curves contains data fields (p, a, b, x, y, order) that are + * all zero-padded to be the same size. The size of the padding is + * determined by either the number of bytes in the field modulus (p) or the + * EC group order, whichever is larger. + */ + param_len = BN_num_bytes(&group->order); + len = BN_num_bytes(&group->field); + if (len > param_len) + param_len = len; + + /* Allocate space to store the padded data for (p, a, b, x, y, order) */ + param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); + if (param_bytes == NULL) + goto end; + + /* Create the bignums */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if ((bn[i] = BN_CTX_get(ctx)) == NULL) + goto end; + } + /* + * Fill in the bn array with the same values as the internal curves + * i.e. the values are p, a, b, x, y, order. + */ + /* Get p, a & b */ + if (!(ec_group_get_curve(group, bn[0], bn[1], bn[2], ctx) + && ((generator = EC_GROUP_get0_generator(group)) != NULL) + /* Get x & y */ + && ec_point_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) + /* Get order */ + && EC_GROUP_get_order(group, bn[5], ctx))) + goto end; + + /* + * Convert the bignum array to bytes that are joined together to form + * a single buffer that contains data for all fields. + * (p, a, b, x, y, order) are all zero padded to be the same size. + */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if (bn_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) + goto end; + } + + for (i = 0; i < curve_list_length; i++) { + const ec_list_element curve = curve_list[i]; + + data = curve.data; + /* Get the raw order byte data */ + params_seed = (const unsigned char *)(data + 1); /* skip header */ + params = params_seed + data->seed_len; + + /* Look for unique fields in the fixed curve data */ + if (data->field_type == field_type + && param_len == data->param_len + && (nid <= 0 || nid == curve.nid) + /* check the optional cofactor (ignore if its zero) */ + && (BN_is_zero(cofactor) + || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) + /* Check the optional seed (ignore if its not set) */ + && (data->seed_len == 0 || seed_len == 0 + || ((size_t)data->seed_len == seed_len + && memcmp(params_seed, seed, seed_len) == 0)) + /* Check that the groups params match the built-in curve params */ + && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) + == 0) { + ret = curve.nid; + goto end; + } + } + /* Gets here if the group was not found */ + ret = NID_undef; +end: + OPENSSL_free(param_bytes); + BN_CTX_end(ctx); + return ret; +} diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 8665a4c9c7..76deef170d 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -565,3 +565,18 @@ EC_GROUP *FIPS_ec_group_new_curve_gf2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); EC_GROUP *FIPS_ec_group_new_by_curve_name(int nid); #endif + +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); + +/* + * The next 2 functions are just internal wrappers around the omonimous + * functions with either the `_GFp` or the `_GF2m` suffix. + * + * They are meant to facilitate backporting of code from newer branches, where + * the public API includes a "field agnostic" version of these 2 functions. + */ +int ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *ctx); +int ec_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, BIGNUM *x, + BIGNUM *y, BN_CTX *ctx); diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 15302322f7..e3f2e82f68 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1257,3 +1257,60 @@ int ec_precompute_mont_data(EC_GROUP *group) BN_CTX_free(ctx); return ret; } + +/* + * This is just a wrapper around the public functions + * - EC_GROUP_get_curve_GF2m + * - EC_GROUP_get_curve_GFp + * + * It is meant to facilitate backporting of code from newer branches, where + * the public API includes a "field agnostic" version of it. + */ +int ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *ctx) +{ + int field_nid; + + field_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group)); + +#ifndef OPENSSL_NO_EC2M + if (field_nid == NID_X9_62_characteristic_two_field) { + return EC_GROUP_get_curve_GF2m(group, p, a, b, ctx); + } else +#endif /* !def(OPENSSL_NO_EC2M) */ + if (field_nid == NID_X9_62_prime_field) { + return EC_GROUP_get_curve_GFp(group, p, a, b, ctx); + } else { + /* this should never happen */ + return 0; + } +} + +/* + * This is just a wrapper around the public functions + * - EC_POINT_get_affine_coordinates_GF2m + * - EC_POINT_get_affine_coordinates_GFp + * + * It is meant to facilitate backporting of code from newer branches, where + * the public API includes a "field agnostic" version of it. + */ +int ec_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, BIGNUM *x, + BIGNUM *y, BN_CTX *ctx) +{ + int field_nid; + + field_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group)); + +#ifndef OPENSSL_NO_EC2M + if (field_nid == NID_X9_62_characteristic_two_field) { + return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx); + } else +#endif /* !def(OPENSSL_NO_EC2M) */ + if (field_nid == NID_X9_62_prime_field) { + return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx); + } else { + /* this should never happen */ + return 0; + } +} |