From 0abae1636d7054266dd20724c0d5e06617d9f679 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 23 Mar 2020 05:40:47 +0100 Subject: EVP: Implement support for key downgrading in backends Downgrading EVP_PKEYs from containing provider side internal keys to containing legacy keys demands support in the EVP_PKEY_ASN1_METHOD. This became a bit elaborate because the code would be almost exactly the same as the import functions int EVP_KEYMGMT. Therefore, we end up moving most of the code to common backend support files that can be used both by legacy backend code and by our providers. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11375) --- crypto/ec/build.info | 2 +- crypto/ec/ec_ameth.c | 23 ++++- crypto/ec/ec_backend.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++++ crypto/ec/ecx_backend.c | 62 +++++++++++++ crypto/ec/ecx_backend.h | 20 +++++ crypto/ec/ecx_meth.c | 64 ++++++++++---- 6 files changed, 381 insertions(+), 19 deletions(-) create mode 100644 crypto/ec/ec_backend.c create mode 100644 crypto/ec/ecx_backend.c create mode 100644 crypto/ec/ecx_backend.h (limited to 'crypto/ec') diff --git a/crypto/ec/build.info b/crypto/ec/build.info index f70543dd00..4494ce7a66 100644 --- a/crypto/ec/build.info +++ b/crypto/ec/build.info @@ -51,7 +51,7 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \ ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c \ curve448/arch_32/f_impl.c curve448/f_generic.c curve448/scalar.c \ curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \ - $ECASM ecdsa_aid.c + $ECASM ecdsa_aid.c ec_backend.c ecx_backend.c SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c ecx_key.c \ ec_err.c ecdh_kdf.c eck_prn.c ec_evp_lib.c SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 944fc05835..f3812e46b5 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -744,6 +744,26 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, return rv; } +static int ec_pkey_import_from(const OSSL_PARAM params[], void *key) +{ + EVP_PKEY *pkey = key; + EC_KEY *ec = EC_KEY_new(); + + if (ec == NULL) { + ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (!ec_key_domparams_fromdata(ec, params) + || !ec_key_otherparams_fromdata(ec, params) + || !ec_key_fromdata(ec, params, 1) + || !EVP_PKEY_assign_EC_KEY(pkey, ec)) { + EC_KEY_free(ec); + return 0; + } + return 1; +} + const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { EVP_PKEY_EC, EVP_PKEY_EC, @@ -789,7 +809,8 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { 0, /* get_pub_key */ ec_pkey_dirty_cnt, - ec_pkey_export_to + ec_pkey_export_to, + ec_pkey_import_from }; #if !defined(OPENSSL_NO_SM2) diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c new file mode 100644 index 0000000000..b4520a7c60 --- /dev/null +++ b/crypto/ec/ec_backend.c @@ -0,0 +1,229 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "crypto/bn.h" +#include "crypto/ec.h" + +/* + * The intention with the "backend" source file is to offer backend support + * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider + * implementations alike. + */ + +int ec_set_param_ecdh_cofactor_mode(EC_KEY *ec, const OSSL_PARAM *p) +{ + const EC_GROUP *ecg = EC_KEY_get0_group(ec); + const BIGNUM *cofactor; + int mode; + + if (!OSSL_PARAM_get_int(p, &mode)) + return 0; + + /* + * mode can be only 0 for disable, or 1 for enable here. + * + * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that + * also supports mode == -1 with the meaning of "reset to the default for + * the associated key". + */ + if (mode < 0 || mode > 1) + return 0; + + if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL ) + return 0; + + /* ECDH cofactor mode has no effect if cofactor is 1 */ + if (BN_is_one(cofactor)) + return 1; + + if (mode == 1) + EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH); + else if (mode == 0) + EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH); + + return 1; +} + +/* + * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has + * been called before! + * + * This function only gets the bare keypair, domain parameters and other + * parameters are treated separately, and domain parameters are required to + * define a keypair. + */ +int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) +{ + const OSSL_PARAM *param_priv_key, *param_pub_key; + BN_CTX *ctx = NULL; + BIGNUM *priv_key = NULL; + unsigned char *pub_key = NULL; + size_t pub_key_len; + const EC_GROUP *ecg = NULL; + EC_POINT *pub_point = NULL; + int ok = 0; + + ecg = EC_KEY_get0_group(ec); + if (ecg == NULL) + return 0; + + param_priv_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + param_pub_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); + + ctx = BN_CTX_new_ex(ec_key_get_libctx(ec)); + if (ctx == NULL) + goto err; + /* + * We want to have at least a public key either way, so we end up + * requiring it unconditionally. + */ + if (param_pub_key == NULL + || !OSSL_PARAM_get_octet_string(param_pub_key, + (void **)&pub_key, 0, &pub_key_len) + || (pub_point = EC_POINT_new(ecg)) == NULL + || !EC_POINT_oct2point(ecg, pub_point, + pub_key, pub_key_len, ctx)) + goto err; + + if (param_priv_key != NULL && include_private) { + int fixed_words; + const BIGNUM *order; + + /* + * Key import/export should never leak the bit length of the secret + * scalar in the key. + * + * For this reason, on export we use padded BIGNUMs with fixed length. + * + * When importing we also should make sure that, even if short lived, + * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as + * soon as possible, so that any processing of this BIGNUM might opt for + * constant time implementations in the backend. + * + * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have + * to preallocate the BIGNUM internal buffer to a fixed public size big + * enough that operations performed during the processing never trigger + * a realloc which would leak the size of the scalar through memory + * accesses. + * + * Fixed Length + * ------------ + * + * The order of the large prime subgroup of the curve is our choice for + * a fixed public size, as that is generally the upper bound for + * generating a private key in EC cryptosystems and should fit all valid + * secret scalars. + * + * For padding on export we just use the bit length of the order + * converted to bytes (rounding up). + * + * For preallocating the BIGNUM storage we look at the number of "words" + * required for the internal representation of the order, and we + * preallocate 2 extra "words" in case any of the subsequent processing + * might temporarily overflow the order length. + */ + order = EC_GROUP_get0_order(ecg); + if (order == NULL || BN_is_zero(order)) + goto err; + + fixed_words = bn_get_top(order) + 2; + + if ((priv_key = BN_secure_new()) == NULL) + goto err; + if (bn_wexpand(priv_key, fixed_words) == NULL) + goto err; + BN_set_flags(priv_key, BN_FLG_CONSTTIME); + + if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key)) + goto err; + } + + if (priv_key != NULL + && !EC_KEY_set_private_key(ec, priv_key)) + goto err; + + if (!EC_KEY_set_public_key(ec, pub_point)) + goto err; + + ok = 1; + + err: + BN_CTX_free(ctx); + BN_clear_free(priv_key); + OPENSSL_free(pub_key); + EC_POINT_free(pub_point); + return ok; +} + +int ec_key_domparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *param_ec_name; + EC_GROUP *ecg = NULL; + char *curve_name = NULL; + int ok = 0; + + if (ec == NULL) + return 0; + + param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME); + if (param_ec_name == NULL) { + /* explicit parameters */ + + /* + * TODO(3.0): should we support explicit parameters curves? + */ + return 0; + } else { + /* named curve */ + int curve_nid; + + if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0) + || curve_name == NULL + || (curve_nid = ec_curve_name2nid(curve_name)) == NID_undef) + goto err; + + if ((ecg = EC_GROUP_new_by_curve_name_ex(ec_key_get_libctx(ec), + curve_nid)) == NULL) + goto err; + } + + if (!EC_KEY_set_group(ec, ecg)) + goto err; + + /* + * TODO(3.0): if the group has changed, should we invalidate the private and + * public key? + */ + + ok = 1; + + err: + OPENSSL_free(curve_name); + EC_GROUP_free(ecg); + return ok; +} + +int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + + if (ec == NULL) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH); + if (p != NULL && !ec_set_param_ecdh_cofactor_mode(ec, p)) + return 0; + + return 1; +} diff --git a/crypto/ec/ecx_backend.c b/crypto/ec/ecx_backend.c new file mode 100644 index 0000000000..e613337029 --- /dev/null +++ b/crypto/ec/ecx_backend.c @@ -0,0 +1,62 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "crypto/ecx.h" +#include "ecx_backend.h" + +/* + * The intention with the "backend" source file is to offer backend support + * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider + * implementations alike. + */ + +int ecx_key_fromdata(ECX_KEY *ecx, const OSSL_PARAM params[], + int include_private) +{ + size_t privkeylen = 0, pubkeylen; + const OSSL_PARAM *param_priv_key = NULL, *param_pub_key; + unsigned char *pubkey; + + if (ecx == NULL) + return 0; + + param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); + if (include_private) + param_priv_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + /* + * If a private key is present then a public key must also be present. + * Alternatively we've just got a public key. + */ + if (param_pub_key == NULL) + return 0; + + if (param_priv_key != NULL + && !OSSL_PARAM_get_octet_string(param_priv_key, + (void **)&ecx->privkey, ecx->keylen, + &privkeylen)) + return 0; + + pubkey = ecx->pubkey; + if (!OSSL_PARAM_get_octet_string(param_pub_key, + (void **)&pubkey, + sizeof(ecx->pubkey), &pubkeylen)) + return 0; + + if (pubkeylen != ecx->keylen + || (param_priv_key != NULL && privkeylen != ecx->keylen)) + return 0; + + ecx->haspubkey = 1; + + return 1; +} + diff --git a/crypto/ec/ecx_backend.h b/crypto/ec/ecx_backend.h new file mode 100644 index 0000000000..50ece17abb --- /dev/null +++ b/crypto/ec/ecx_backend.h @@ -0,0 +1,20 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#define ISX448(id) ((id) == EVP_PKEY_X448) +#define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519) +#define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \ + : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \ + : ED448_KEYLEN)) +#define KEYNID2TYPE(id) \ + (IS25519(id) ? ECX_KEY_TYPE_X25519 \ + : ((id) == EVP_PKEY_X448 ? ECX_KEY_TYPE_X448 \ + : ((id) == EVP_PKEY_ED25519 ? ECX_KEY_TYPE_ED25519 \ + : ECX_KEY_TYPE_ED448))) +#define KEYLEN(p) KEYLENID((p)->ameth->pkey_id) diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index 9b9536f022..97d1b13f5a 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -25,19 +25,7 @@ #include "crypto/ecx.h" #include "ec_local.h" #include "curve448/curve448_local.h" - -#define ISX448(id) ((id) == EVP_PKEY_X448) -#define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519) -#define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \ - : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \ - : ED448_KEYLEN)) -#define KEYNID2TYPE(id) \ - (IS25519(id) ? ECX_KEY_TYPE_X25519 \ - : ((id) == EVP_PKEY_X448 ? ECX_KEY_TYPE_X448 \ - : ((id) == EVP_PKEY_ED25519 ? ECX_KEY_TYPE_ED25519 \ - : ECX_KEY_TYPE_ED448))) -#define KEYLEN(p) KEYLENID((p)->ameth->pkey_id) - +#include "ecx_backend.h" typedef enum { KEY_OP_PUBLIC, @@ -452,6 +440,30 @@ static int ecx_pkey_export_to(const EVP_PKEY *from, void *to_keydata, return rv; } +static int ecx_generic_import_from(const OSSL_PARAM params[], void *key, + int keytype) +{ + EVP_PKEY *pkey = key; + ECX_KEY *ecx = ecx_key_new(KEYNID2TYPE(keytype), 0); + + if (ecx == NULL) { + ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (!ecx_key_fromdata(ecx, params, 1) + || !EVP_PKEY_assign(pkey, keytype, ecx)) { + ecx_key_free(ecx); + return 0; + } + return 1; +} + +static int x25519_import_from(const OSSL_PARAM params[], void *key) +{ + return ecx_generic_import_from(params, key, EVP_PKEY_X25519); +} + const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = { EVP_PKEY_X25519, EVP_PKEY_X25519, @@ -494,9 +506,15 @@ const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = { ecx_get_priv_key, ecx_get_pub_key, ecx_pkey_dirty_cnt, - ecx_pkey_export_to + ecx_pkey_export_to, + x25519_import_from }; +static int x448_import_from(const OSSL_PARAM params[], void *key) +{ + return ecx_generic_import_from(params, key, EVP_PKEY_X448); +} + const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = { EVP_PKEY_X448, EVP_PKEY_X448, @@ -539,7 +557,8 @@ const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = { ecx_get_priv_key, ecx_get_pub_key, ecx_pkey_dirty_cnt, - ecx_pkey_export_to + ecx_pkey_export_to, + x448_import_from }; static int ecd_size25519(const EVP_PKEY *pkey) @@ -614,6 +633,10 @@ static int ecd_sig_info_set448(X509_SIG_INFO *siginf, const X509_ALGOR *alg, return 1; } +static int ed25519_import_from(const OSSL_PARAM params[], void *key) +{ + return ecx_generic_import_from(params, key, EVP_PKEY_ED25519); +} const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { EVP_PKEY_ED25519, @@ -656,9 +679,15 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { ecx_get_priv_key, ecx_get_pub_key, ecx_pkey_dirty_cnt, - ecx_pkey_export_to + ecx_pkey_export_to, + ed25519_import_from }; +static int ed448_import_from(const OSSL_PARAM params[], void *key) +{ + return ecx_generic_import_from(params, key, EVP_PKEY_ED448); +} + const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = { EVP_PKEY_ED448, EVP_PKEY_ED448, @@ -700,7 +729,8 @@ const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = { ecx_get_priv_key, ecx_get_pub_key, ecx_pkey_dirty_cnt, - ecx_pkey_export_to + ecx_pkey_export_to, + ed448_import_from }; static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) -- cgit v1.2.3