/* * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include #include #include "crypto/bn.h" #include "crypto/ec.h" #include "ec_local.h" #include "e_os.h" #include "internal/param_build_set.h" /* Mapping between a flag and a name */ static const OSSL_ITEM encoding_nameid_map[] = { { OPENSSL_EC_EXPLICIT_CURVE, OSSL_PKEY_EC_ENCODING_EXPLICIT }, { OPENSSL_EC_NAMED_CURVE, OSSL_PKEY_EC_ENCODING_GROUP }, }; int ec_encoding_name2id(const char *name) { size_t i, sz; /* Return the default value if there is no name */ if (name == NULL) return OPENSSL_EC_NAMED_CURVE; for (i = 0, sz = OSSL_NELEM(encoding_nameid_map); i < sz; i++) { if (strcasecmp(name, encoding_nameid_map[i].ptr) == 0) return encoding_nameid_map[i].id; } return -1; } static char *ec_param_encoding_id2name(int id) { size_t i, sz; for (i = 0, sz = OSSL_NELEM(encoding_nameid_map); i < sz; i++) { if (id == (int)encoding_nameid_map[i].id) return encoding_nameid_map[i].ptr; } return NULL; } int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, OSSL_PARAM params[], OSSL_LIB_CTX *libctx, const char *propq, BN_CTX *bnctx, unsigned char **genbuf) { int ret = 0, curve_nid, encoding_flag; const char *field_type, *encoding_name; const BIGNUM *cofactor, *order; BIGNUM *p = NULL, *a = NULL, *b = NULL; point_conversion_form_t genform; const EC_POINT *genpt; unsigned char *seed = NULL; size_t genbuf_len, seed_len; if (group == NULL) { ERR_raise(ERR_LIB_EC,EC_R_PASSED_NULL_PARAMETER); return 0; } encoding_flag = EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE; encoding_name = ec_param_encoding_id2name(encoding_flag); if (encoding_name == NULL || !ossl_param_build_set_utf8_string(tmpl, params, OSSL_PKEY_PARAM_EC_ENCODING, encoding_name)) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); return 0; } curve_nid = EC_GROUP_get_curve_name(group); if (curve_nid == NID_undef) { /* explicit curve */ int fid = EC_GROUP_get_field_type(group); if (fid == NID_X9_62_prime_field) { field_type = SN_X9_62_prime_field; } else if (fid == NID_X9_62_characteristic_two_field) { field_type = SN_X9_62_characteristic_two_field; } else { ERR_raise(ERR_LIB_EC, EC_R_INVALID_FIELD); return 0; } p = BN_CTX_get(bnctx); a = BN_CTX_get(bnctx); b = BN_CTX_get(bnctx); if (b == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; } if (!EC_GROUP_get_curve(group, p, a, b, bnctx)) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE); goto err; } order = EC_GROUP_get0_order(group); if (order == NULL) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_GROUP_ORDER); goto err; } genpt = EC_GROUP_get0_generator(group); if (genpt == NULL) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR); goto err; } genform = EC_GROUP_get_point_conversion_form(group); genbuf_len = EC_POINT_point2buf(group, genpt, genform, genbuf, bnctx); if (genbuf_len == 0) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR); goto err; } if (!ossl_param_build_set_utf8_string(tmpl, params, OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_type) || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_P, p) || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_A, a) || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_B, b) || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_ORDER, order) || !ossl_param_build_set_octet_string(tmpl, params, OSSL_PKEY_PARAM_EC_GENERATOR, *genbuf, genbuf_len)) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; } cofactor = EC_GROUP_get0_cofactor(group); if (cofactor != NULL && !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_COFACTOR, cofactor)) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; } seed = EC_GROUP_get0_seed(group); seed_len = EC_GROUP_get_seed_len(group); if (seed != NULL && seed_len > 0 && !ossl_param_build_set_octet_string(tmpl, params, OSSL_PKEY_PARAM_EC_SEED, seed, seed_len)) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); goto err; } #ifdef OPENSSL_NO_EC2M if (fid == NID_X9_62_characteristic_two_field) { ERR_raise(ERR_LIB_EC, EC_R_GF2M_NOT_SUPPORTED); goto err; } #endif } else { /* named curve */ const char *curve_name = ec_curve_nid2name(curve_nid); if (curve_name == NULL || !ossl_param_build_set_utf8_string(tmpl, params, OSSL_PKEY_PARAM_GROUP_NAME, curve_name)) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE); goto err; } } ret = 1; err: return ret; } /* * The intention with the "backend" source file is to offer backend support * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider * implementations alike. */ int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode) { const EC_GROUP *ecg = EC_KEY_get0_group(ec); const BIGNUM *cofactor; /* * mode can be only 0 for disable, or 1 for enable here. * * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that * also supports mode == -1 with the meaning of "reset to the default for * the associated key". */ if (mode < 0 || mode > 1) return 0; if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL ) return 0; /* ECDH cofactor mode has no effect if cofactor is 1 */ if (BN_is_one(cofactor)) return 1; if (mode == 1) EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH); else if (mode == 0) EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH); return 1; } /* * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has * been called before! * * This function only gets the bare keypair, domain parameters and other * parameters are treated separately, and domain parameters are required to * define a keypair. */ int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) { const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL; BN_CTX *ctx = NULL; BIGNUM *priv_key = NULL; unsigned char *pub_key = NULL; size_t pub_key_len; const EC_GROUP *ecg = NULL; EC_POINT *pub_point = NULL; int ok = 0; ecg = EC_KEY_get0_group(ec); if (ecg == NULL) return 0; param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); if (include_private) param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); ctx = BN_CTX_new_ex(ec_key_get_libctx(ec)); if (ctx == NULL) goto err; /* OpenSSL decree: If there's a private key, there must be a public key */ if (param_priv_key != NULL && param_pub_key == NULL) goto err; if (param_pub_key != NULL) if (!OSSL_PARAM_get_octet_string(param_pub_key, (void **)&pub_key, 0, &pub_key_len) || (pub_point = EC_POINT_new(ecg)) == NULL || !EC_POINT_oct2point(ecg, pub_point, pub_key, pub_key_len, ctx)) goto err; if (param_priv_key != NULL && include_private) { int fixed_words; const BIGNUM *order; /* * Key import/export should never leak the bit length of the secret * scalar in the key. * * For this reason, on export we use padded BIGNUMs with fixed length. * * When importing we also should make sure that, even if short lived, * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as * soon as possible, so that any processing of this BIGNUM might opt for * constant time implementations in the backend. * * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have * to preallocate the BIGNUM internal buffer to a fixed public size big * enough that operations performed during the processing never trigger * a realloc which would leak the size of the scalar through memory * accesses. * * Fixed Length * ------------ * * The order of the large prime subgroup of the curve is our choice for * a fixed public size, as that is generally the upper bound for * generating a private key in EC cryptosystems and should fit all valid * secret scalars. * * For padding on export we just use the bit length of the order * converted to bytes (rounding up). * * For preallocating the BIGNUM storage we look at the number of "words" * required for the internal representation of the order, and we * preallocate 2 extra "words" in case any of the subsequent processing * might temporarily overflow the order length. */ order = EC_GROUP_get0_order(ecg); if (order == NULL || BN_is_zero(order)) goto err; fixed_words = bn_get_top(order) + 2; if ((priv_key = BN_secure_new()) == NULL) goto err; if (bn_wexpand(priv_key, fixed_words) == NULL) goto err; BN_set_flags(priv_key, BN_FLG_CONSTTIME); if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key)) goto err; } if (priv_key != NULL && !EC_KEY_set_private_key(ec, priv_key)) goto err; if (pub_point != NULL && !EC_KEY_set_public_key(ec, pub_point)) goto err; ok = 1; err: BN_CTX_free(ctx); BN_clear_free(priv_key); OPENSSL_free(pub_key); EC_POINT_free(pub_point); return ok; } int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) { int ok = 0; EC_GROUP *group = NULL; if (ec == NULL) return 0; group = EC_GROUP_new_from_params(params, ec_key_get_libctx(ec), ec_key_get0_propq(ec)); if (!EC_KEY_set_group(ec, group)) goto err; /* * TODO(3.0): if the group has changed, should we invalidate the private and * public key? */ ok = 1; err: EC_GROUP_free(group); return ok; } int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) { const OSSL_PARAM *p; if (ec == NULL) return 0; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH); if (p != NULL) { int mode; if (!OSSL_PARAM_get_int(p, &mode) || !ec_set_ecdh_cofactor_mode(ec, mode)) return 0; } return 1; }