2
0

ec_key.c 30 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124
  1. /*
  2. * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. /*
  11. * EC_KEY low level APIs are deprecated for public use, but still ok for
  12. * internal use.
  13. */
  14. #include "internal/deprecated.h"
  15. #include "internal/cryptlib.h"
  16. #include <string.h>
  17. #include "ec_local.h"
  18. #include "internal/refcount.h"
  19. #include <openssl/err.h>
  20. #ifndef FIPS_MODULE
  21. # include <openssl/engine.h>
  22. #endif
  23. #include <openssl/self_test.h>
  24. #include "prov/providercommon.h"
  25. #include "prov/ecx.h"
  26. #include "crypto/bn.h"
  27. static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
  28. void *cbarg);
  29. #ifndef FIPS_MODULE
  30. EC_KEY *EC_KEY_new(void)
  31. {
  32. return ossl_ec_key_new_method_int(NULL, NULL, NULL);
  33. }
  34. #endif
  35. EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq)
  36. {
  37. return ossl_ec_key_new_method_int(ctx, propq, NULL);
  38. }
  39. EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
  40. int nid)
  41. {
  42. EC_KEY *ret = EC_KEY_new_ex(ctx, propq);
  43. if (ret == NULL)
  44. return NULL;
  45. ret->group = EC_GROUP_new_by_curve_name_ex(ctx, propq, nid);
  46. if (ret->group == NULL) {
  47. EC_KEY_free(ret);
  48. return NULL;
  49. }
  50. if (ret->meth->set_group != NULL
  51. && ret->meth->set_group(ret, ret->group) == 0) {
  52. EC_KEY_free(ret);
  53. return NULL;
  54. }
  55. return ret;
  56. }
  57. #ifndef FIPS_MODULE
  58. EC_KEY *EC_KEY_new_by_curve_name(int nid)
  59. {
  60. return EC_KEY_new_by_curve_name_ex(NULL, NULL, nid);
  61. }
  62. #endif
  63. void EC_KEY_free(EC_KEY *r)
  64. {
  65. int i;
  66. if (r == NULL)
  67. return;
  68. CRYPTO_DOWN_REF(&r->references, &i);
  69. REF_PRINT_COUNT("EC_KEY", r);
  70. if (i > 0)
  71. return;
  72. REF_ASSERT_ISNT(i < 0);
  73. if (r->meth != NULL && r->meth->finish != NULL)
  74. r->meth->finish(r);
  75. #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
  76. ENGINE_finish(r->engine);
  77. #endif
  78. if (r->group && r->group->meth->keyfinish)
  79. r->group->meth->keyfinish(r);
  80. #ifndef FIPS_MODULE
  81. CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
  82. #endif
  83. CRYPTO_FREE_REF(&r->references);
  84. EC_GROUP_free(r->group);
  85. EC_POINT_free(r->pub_key);
  86. BN_clear_free(r->priv_key);
  87. OPENSSL_free(r->propq);
  88. OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
  89. }
  90. EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
  91. {
  92. if (dest == NULL || src == NULL) {
  93. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  94. return NULL;
  95. }
  96. if (src->meth != dest->meth) {
  97. if (dest->meth->finish != NULL)
  98. dest->meth->finish(dest);
  99. if (dest->group && dest->group->meth->keyfinish)
  100. dest->group->meth->keyfinish(dest);
  101. #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
  102. if (ENGINE_finish(dest->engine) == 0)
  103. return 0;
  104. dest->engine = NULL;
  105. #endif
  106. }
  107. dest->libctx = src->libctx;
  108. /* copy the parameters */
  109. if (src->group != NULL) {
  110. /* clear the old group */
  111. EC_GROUP_free(dest->group);
  112. dest->group = ossl_ec_group_new_ex(src->libctx, src->propq,
  113. src->group->meth);
  114. if (dest->group == NULL)
  115. return NULL;
  116. if (!EC_GROUP_copy(dest->group, src->group))
  117. return NULL;
  118. /* copy the public key */
  119. if (src->pub_key != NULL) {
  120. EC_POINT_free(dest->pub_key);
  121. dest->pub_key = EC_POINT_new(src->group);
  122. if (dest->pub_key == NULL)
  123. return NULL;
  124. if (!EC_POINT_copy(dest->pub_key, src->pub_key))
  125. return NULL;
  126. }
  127. /* copy the private key */
  128. if (src->priv_key != NULL) {
  129. if (dest->priv_key == NULL) {
  130. dest->priv_key = BN_new();
  131. if (dest->priv_key == NULL)
  132. return NULL;
  133. }
  134. if (!BN_copy(dest->priv_key, src->priv_key))
  135. return NULL;
  136. if (src->group->meth->keycopy
  137. && src->group->meth->keycopy(dest, src) == 0)
  138. return NULL;
  139. }
  140. }
  141. /* copy the rest */
  142. dest->enc_flag = src->enc_flag;
  143. dest->conv_form = src->conv_form;
  144. dest->version = src->version;
  145. dest->flags = src->flags;
  146. #ifndef FIPS_MODULE
  147. if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
  148. &dest->ex_data, &src->ex_data))
  149. return NULL;
  150. #endif
  151. if (src->meth != dest->meth) {
  152. #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
  153. if (src->engine != NULL && ENGINE_init(src->engine) == 0)
  154. return NULL;
  155. dest->engine = src->engine;
  156. #endif
  157. dest->meth = src->meth;
  158. }
  159. if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
  160. return NULL;
  161. dest->dirty_cnt++;
  162. return dest;
  163. }
  164. EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
  165. {
  166. return ossl_ec_key_dup(ec_key, OSSL_KEYMGMT_SELECT_ALL);
  167. }
  168. int EC_KEY_up_ref(EC_KEY *r)
  169. {
  170. int i;
  171. if (CRYPTO_UP_REF(&r->references, &i) <= 0)
  172. return 0;
  173. REF_PRINT_COUNT("EC_KEY", r);
  174. REF_ASSERT_ISNT(i < 2);
  175. return ((i > 1) ? 1 : 0);
  176. }
  177. ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey)
  178. {
  179. return eckey->engine;
  180. }
  181. int EC_KEY_generate_key(EC_KEY *eckey)
  182. {
  183. if (eckey == NULL || eckey->group == NULL) {
  184. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  185. return 0;
  186. }
  187. if (eckey->meth->keygen != NULL) {
  188. int ret;
  189. ret = eckey->meth->keygen(eckey);
  190. if (ret == 1)
  191. eckey->dirty_cnt++;
  192. return ret;
  193. }
  194. ERR_raise(ERR_LIB_EC, EC_R_OPERATION_NOT_SUPPORTED);
  195. return 0;
  196. }
  197. int ossl_ec_key_gen(EC_KEY *eckey)
  198. {
  199. int ret;
  200. ret = eckey->group->meth->keygen(eckey);
  201. if (ret == 1)
  202. eckey->dirty_cnt++;
  203. return ret;
  204. }
  205. /*
  206. * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
  207. * Perform a KAT by duplicating the public key generation.
  208. *
  209. * NOTE: This issue requires a background understanding, provided in a separate
  210. * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
  211. * the key agreement scenario.
  212. *
  213. * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
  214. * key pair, citing the PCT defined in the associated standard. For key
  215. * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
  216. * the comparison of the original public key to a newly calculated public key.
  217. */
  218. static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx,
  219. OSSL_CALLBACK *cb, void *cbarg)
  220. {
  221. int len, ret = 0;
  222. OSSL_SELF_TEST *st = NULL;
  223. unsigned char bytes[512] = {0};
  224. EC_POINT *pub_key2 = EC_POINT_new(eckey->group);
  225. if (pub_key2 == NULL)
  226. return 0;
  227. st = OSSL_SELF_TEST_new(cb, cbarg);
  228. if (st == NULL)
  229. return 0;
  230. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
  231. OSSL_SELF_TEST_DESC_PCT_ECDSA);
  232. /* pub_key = priv_key * G (where G is a point on the curve) */
  233. if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx))
  234. goto err;
  235. if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes))
  236. goto err;
  237. len = BN_bn2bin(pub_key2->X, bytes);
  238. if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes)
  239. && BN_bin2bn(bytes, len, pub_key2->X) == NULL)
  240. goto err;
  241. ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx);
  242. err:
  243. OSSL_SELF_TEST_onend(st, ret);
  244. OSSL_SELF_TEST_free(st);
  245. EC_POINT_free(pub_key2);
  246. return ret;
  247. }
  248. /*
  249. * ECC Key generation.
  250. * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
  251. *
  252. * Params:
  253. * libctx A context containing an optional self test callback.
  254. * eckey An EC key object that contains domain params. The generated keypair
  255. * is stored in this object.
  256. * pairwise_test Set to non zero to perform a pairwise test. If the test
  257. * fails then the keypair is not generated,
  258. * Returns 1 if the keypair was generated or 0 otherwise.
  259. */
  260. static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
  261. {
  262. int ok = 0;
  263. BIGNUM *priv_key = NULL;
  264. const BIGNUM *tmp = NULL;
  265. BIGNUM *order = NULL;
  266. EC_POINT *pub_key = NULL;
  267. const EC_GROUP *group = eckey->group;
  268. BN_CTX *ctx = BN_CTX_secure_new_ex(eckey->libctx);
  269. int sm2 = EC_KEY_get_flags(eckey) & EC_FLAG_SM2_RANGE ? 1 : 0;
  270. if (ctx == NULL)
  271. goto err;
  272. if (eckey->priv_key == NULL) {
  273. priv_key = BN_secure_new();
  274. if (priv_key == NULL)
  275. goto err;
  276. } else
  277. priv_key = eckey->priv_key;
  278. /*
  279. * Steps (1-2): Check domain parameters and security strength.
  280. * These steps must be done by the user. This would need to be
  281. * stated in the security policy.
  282. */
  283. tmp = EC_GROUP_get0_order(group);
  284. if (tmp == NULL)
  285. goto err;
  286. /*
  287. * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]).
  288. * Although this is slightly different from the standard, it is effectively
  289. * equivalent as it gives an unbiased result ranging from 1..n-1. It is also
  290. * faster as the standard needs to retry more often. Also doing
  291. * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into
  292. * rand so the simpler backward compatible method has been used here.
  293. */
  294. /* range of SM2 private key is [1, n-1) */
  295. if (sm2) {
  296. order = BN_new();
  297. if (order == NULL || !BN_sub(order, tmp, BN_value_one()))
  298. goto err;
  299. } else {
  300. order = BN_dup(tmp);
  301. if (order == NULL)
  302. goto err;
  303. }
  304. do
  305. if (!BN_priv_rand_range_ex(priv_key, order, 0, ctx))
  306. goto err;
  307. while (BN_is_zero(priv_key)) ;
  308. if (eckey->pub_key == NULL) {
  309. pub_key = EC_POINT_new(group);
  310. if (pub_key == NULL)
  311. goto err;
  312. } else
  313. pub_key = eckey->pub_key;
  314. /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */
  315. if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
  316. goto err;
  317. eckey->priv_key = priv_key;
  318. eckey->pub_key = pub_key;
  319. priv_key = NULL;
  320. pub_key = NULL;
  321. eckey->dirty_cnt++;
  322. #ifdef FIPS_MODULE
  323. pairwise_test = 1;
  324. #endif /* FIPS_MODULE */
  325. ok = 1;
  326. if (pairwise_test) {
  327. OSSL_CALLBACK *cb = NULL;
  328. void *cbarg = NULL;
  329. OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
  330. ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg)
  331. && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg);
  332. }
  333. err:
  334. /* Step (9): If there is an error return an invalid keypair. */
  335. if (!ok) {
  336. ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
  337. BN_clear(eckey->priv_key);
  338. if (eckey->pub_key != NULL)
  339. EC_POINT_set_to_infinity(group, eckey->pub_key);
  340. }
  341. EC_POINT_free(pub_key);
  342. BN_clear_free(priv_key);
  343. BN_CTX_free(ctx);
  344. BN_free(order);
  345. return ok;
  346. }
  347. #ifndef FIPS_MODULE
  348. /*
  349. * This is similar to ec_generate_key(), except it uses an ikm to
  350. * derive the private key.
  351. */
  352. int ossl_ec_generate_key_dhkem(EC_KEY *eckey,
  353. const unsigned char *ikm, size_t ikmlen)
  354. {
  355. int ok = 0;
  356. if (eckey->priv_key == NULL) {
  357. eckey->priv_key = BN_secure_new();
  358. if (eckey->priv_key == NULL)
  359. goto err;
  360. }
  361. if (ossl_ec_dhkem_derive_private(eckey, eckey->priv_key, ikm, ikmlen) <= 0)
  362. goto err;
  363. if (eckey->pub_key == NULL) {
  364. eckey->pub_key = EC_POINT_new(eckey->group);
  365. if (eckey->pub_key == NULL)
  366. goto err;
  367. }
  368. if (!ossl_ec_key_simple_generate_public_key(eckey))
  369. goto err;
  370. ok = 1;
  371. err:
  372. if (!ok) {
  373. BN_clear_free(eckey->priv_key);
  374. eckey->priv_key = NULL;
  375. if (eckey->pub_key != NULL)
  376. EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
  377. }
  378. return ok;
  379. }
  380. #endif
  381. int ossl_ec_key_simple_generate_key(EC_KEY *eckey)
  382. {
  383. return ec_generate_key(eckey, 0);
  384. }
  385. int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey)
  386. {
  387. int ret;
  388. BN_CTX *ctx = BN_CTX_new_ex(eckey->libctx);
  389. if (ctx == NULL)
  390. return 0;
  391. /*
  392. * See SP800-56AR3 5.6.1.2.2: Step (8)
  393. * pub_key = priv_key * G (where G is a point on the curve)
  394. */
  395. ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
  396. NULL, ctx);
  397. BN_CTX_free(ctx);
  398. if (ret == 1)
  399. eckey->dirty_cnt++;
  400. return ret;
  401. }
  402. int EC_KEY_check_key(const EC_KEY *eckey)
  403. {
  404. if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
  405. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  406. return 0;
  407. }
  408. if (eckey->group->meth->keycheck == NULL) {
  409. ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  410. return 0;
  411. }
  412. return eckey->group->meth->keycheck(eckey);
  413. }
  414. /*
  415. * Check the range of the EC public key.
  416. * See SP800-56A R3 Section 5.6.2.3.3 (Part 2)
  417. * i.e.
  418. * - If q = odd prime p: Verify that xQ and yQ are integers in the
  419. * interval[0, p - 1], OR
  420. * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits.
  421. * Returns 1 if the public key has a valid range, otherwise it returns 0.
  422. */
  423. static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key)
  424. {
  425. int ret = 0;
  426. BIGNUM *x, *y;
  427. BN_CTX_start(ctx);
  428. x = BN_CTX_get(ctx);
  429. y = BN_CTX_get(ctx);
  430. if (y == NULL)
  431. goto err;
  432. if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx))
  433. goto err;
  434. if (EC_GROUP_get_field_type(key->group) == NID_X9_62_prime_field) {
  435. if (BN_is_negative(x)
  436. || BN_cmp(x, key->group->field) >= 0
  437. || BN_is_negative(y)
  438. || BN_cmp(y, key->group->field) >= 0) {
  439. goto err;
  440. }
  441. } else {
  442. int m = EC_GROUP_get_degree(key->group);
  443. if (BN_num_bits(x) > m || BN_num_bits(y) > m) {
  444. goto err;
  445. }
  446. }
  447. ret = 1;
  448. err:
  449. BN_CTX_end(ctx);
  450. return ret;
  451. }
  452. /*
  453. * ECC Partial Public-Key Validation as specified in SP800-56A R3
  454. * Section 5.6.2.3.4 ECC Partial Public-Key Validation Routine.
  455. */
  456. int ossl_ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx)
  457. {
  458. if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
  459. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  460. return 0;
  461. }
  462. /* 5.6.2.3.3 (Step 1): Q != infinity */
  463. if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
  464. ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
  465. return 0;
  466. }
  467. /* 5.6.2.3.3 (Step 2) Test if the public key is in range */
  468. if (!ec_key_public_range_check(ctx, eckey)) {
  469. ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
  470. return 0;
  471. }
  472. /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */
  473. if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
  474. ERR_raise(ERR_LIB_EC, EC_R_POINT_IS_NOT_ON_CURVE);
  475. return 0;
  476. }
  477. return 1;
  478. }
  479. /*
  480. * ECC Key validation as specified in SP800-56A R3.
  481. * Section 5.6.2.3.3 ECC Full Public-Key Validation Routine.
  482. */
  483. int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
  484. {
  485. int ret = 0;
  486. EC_POINT *point = NULL;
  487. const BIGNUM *order = NULL;
  488. if (!ossl_ec_key_public_check_quick(eckey, ctx))
  489. return 0;
  490. point = EC_POINT_new(eckey->group);
  491. if (point == NULL)
  492. return 0;
  493. order = eckey->group->order;
  494. if (BN_is_zero(order)) {
  495. ERR_raise(ERR_LIB_EC, EC_R_INVALID_GROUP_ORDER);
  496. goto err;
  497. }
  498. /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */
  499. if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
  500. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  501. goto err;
  502. }
  503. if (!EC_POINT_is_at_infinity(eckey->group, point)) {
  504. ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER);
  505. goto err;
  506. }
  507. ret = 1;
  508. err:
  509. EC_POINT_free(point);
  510. return ret;
  511. }
  512. /*
  513. * ECC Key validation as specified in SP800-56A R3.
  514. * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
  515. * The private key is in the range [1, order-1]
  516. */
  517. int ossl_ec_key_private_check(const EC_KEY *eckey)
  518. {
  519. if (eckey == NULL || eckey->group == NULL || eckey->priv_key == NULL) {
  520. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  521. return 0;
  522. }
  523. if (BN_cmp(eckey->priv_key, BN_value_one()) < 0
  524. || BN_cmp(eckey->priv_key, eckey->group->order) >= 0) {
  525. ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
  526. return 0;
  527. }
  528. return 1;
  529. }
  530. /*
  531. * ECC Key validation as specified in SP800-56A R3.
  532. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency (b)
  533. * Check if generator * priv_key = pub_key
  534. */
  535. int ossl_ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx)
  536. {
  537. int ret = 0;
  538. EC_POINT *point = NULL;
  539. if (eckey == NULL
  540. || eckey->group == NULL
  541. || eckey->pub_key == NULL
  542. || eckey->priv_key == NULL) {
  543. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  544. return 0;
  545. }
  546. point = EC_POINT_new(eckey->group);
  547. if (point == NULL)
  548. goto err;
  549. if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, NULL, ctx)) {
  550. ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
  551. goto err;
  552. }
  553. if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
  554. ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
  555. goto err;
  556. }
  557. ret = 1;
  558. err:
  559. EC_POINT_free(point);
  560. return ret;
  561. }
  562. /*
  563. * ECC Key validation as specified in SP800-56A R3.
  564. * Section 5.6.2.3.3 ECC Full Public-Key Validation
  565. * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
  566. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
  567. * NOTES:
  568. * Before calling this method in fips mode, there should be an assurance that
  569. * an approved elliptic-curve group is used.
  570. * Returns 1 if the key is valid, otherwise it returns 0.
  571. */
  572. int ossl_ec_key_simple_check_key(const EC_KEY *eckey)
  573. {
  574. int ok = 0;
  575. BN_CTX *ctx = NULL;
  576. if (eckey == NULL) {
  577. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  578. return 0;
  579. }
  580. if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL)
  581. return 0;
  582. if (!ossl_ec_key_public_check(eckey, ctx))
  583. goto err;
  584. if (eckey->priv_key != NULL) {
  585. if (!ossl_ec_key_private_check(eckey)
  586. || !ossl_ec_key_pairwise_check(eckey, ctx))
  587. goto err;
  588. }
  589. ok = 1;
  590. err:
  591. BN_CTX_free(ctx);
  592. return ok;
  593. }
  594. int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
  595. BIGNUM *y)
  596. {
  597. BN_CTX *ctx = NULL;
  598. BIGNUM *tx, *ty;
  599. EC_POINT *point = NULL;
  600. int ok = 0;
  601. if (key == NULL || key->group == NULL || x == NULL || y == NULL) {
  602. ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
  603. return 0;
  604. }
  605. ctx = BN_CTX_new_ex(key->libctx);
  606. if (ctx == NULL)
  607. return 0;
  608. BN_CTX_start(ctx);
  609. point = EC_POINT_new(key->group);
  610. if (point == NULL)
  611. goto err;
  612. tx = BN_CTX_get(ctx);
  613. ty = BN_CTX_get(ctx);
  614. if (ty == NULL)
  615. goto err;
  616. if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx))
  617. goto err;
  618. if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx))
  619. goto err;
  620. /*
  621. * Check if retrieved coordinates match originals. The range check is done
  622. * inside EC_KEY_check_key().
  623. */
  624. if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
  625. ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
  626. goto err;
  627. }
  628. /* EC_KEY_set_public_key updates dirty_cnt */
  629. if (!EC_KEY_set_public_key(key, point))
  630. goto err;
  631. if (EC_KEY_check_key(key) == 0)
  632. goto err;
  633. ok = 1;
  634. err:
  635. BN_CTX_end(ctx);
  636. BN_CTX_free(ctx);
  637. EC_POINT_free(point);
  638. return ok;
  639. }
  640. OSSL_LIB_CTX *ossl_ec_key_get_libctx(const EC_KEY *key)
  641. {
  642. return key->libctx;
  643. }
  644. const char *ossl_ec_key_get0_propq(const EC_KEY *key)
  645. {
  646. return key->propq;
  647. }
  648. void ossl_ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx)
  649. {
  650. key->libctx = libctx;
  651. /* Do we need to propagate this to the group? */
  652. }
  653. const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
  654. {
  655. return key->group;
  656. }
  657. int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
  658. {
  659. if (key->meth->set_group != NULL && key->meth->set_group(key, group) == 0)
  660. return 0;
  661. EC_GROUP_free(key->group);
  662. key->group = EC_GROUP_dup(group);
  663. if (key->group != NULL && EC_GROUP_get_curve_name(key->group) == NID_sm2)
  664. EC_KEY_set_flags(key, EC_FLAG_SM2_RANGE);
  665. key->dirty_cnt++;
  666. return (key->group == NULL) ? 0 : 1;
  667. }
  668. const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
  669. {
  670. return key->priv_key;
  671. }
  672. int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
  673. {
  674. int fixed_top;
  675. const BIGNUM *order = NULL;
  676. BIGNUM *tmp_key = NULL;
  677. if (key->group == NULL || key->group->meth == NULL)
  678. return 0;
  679. /*
  680. * Not only should key->group be set, but it should also be in a valid
  681. * fully initialized state.
  682. *
  683. * Specifically, to operate in constant time, we need that the group order
  684. * is set, as we use its length as the fixed public size of any scalar used
  685. * as an EC private key.
  686. */
  687. order = EC_GROUP_get0_order(key->group);
  688. if (order == NULL || BN_is_zero(order))
  689. return 0; /* This should never happen */
  690. if (key->group->meth->set_private != NULL
  691. && key->group->meth->set_private(key, priv_key) == 0)
  692. return 0;
  693. if (key->meth->set_private != NULL
  694. && key->meth->set_private(key, priv_key) == 0)
  695. return 0;
  696. /*
  697. * Return `0` to comply with legacy behavior for this function, see
  698. * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
  699. */
  700. if (priv_key == NULL) {
  701. BN_clear_free(key->priv_key);
  702. key->priv_key = NULL;
  703. return 0; /* intentional for legacy compatibility */
  704. }
  705. /*
  706. * We should never leak the bit length of the secret scalar in the key,
  707. * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
  708. * holding the secret scalar.
  709. *
  710. * This is important also because `BN_dup()` (and `BN_copy()`) do not
  711. * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
  712. * this brings an extra risk of inadvertently losing the flag, even when
  713. * the caller specifically set it.
  714. *
  715. * The propagation has been turned on and off a few times in the past
  716. * years because in some conditions has shown unintended consequences in
  717. * some code paths, so at the moment we can't fix this in the BN layer.
  718. *
  719. * In `EC_KEY_set_private_key()` we can work around the propagation by
  720. * manually setting the flag after `BN_dup()` as we know for sure that
  721. * inside the EC module the `BN_FLG_CONSTTIME` is always treated
  722. * correctly and should not generate unintended consequences.
  723. *
  724. * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
  725. * to preallocate the BIGNUM internal buffer to a fixed public size big
  726. * enough that operations performed during the processing never trigger
  727. * a realloc which would leak the size of the scalar through memory
  728. * accesses.
  729. *
  730. * Fixed Length
  731. * ------------
  732. *
  733. * The order of the large prime subgroup of the curve is our choice for
  734. * a fixed public size, as that is generally the upper bound for
  735. * generating a private key in EC cryptosystems and should fit all valid
  736. * secret scalars.
  737. *
  738. * For preallocating the BIGNUM storage we look at the number of "words"
  739. * required for the internal representation of the order, and we
  740. * preallocate 2 extra "words" in case any of the subsequent processing
  741. * might temporarily overflow the order length.
  742. */
  743. tmp_key = BN_dup(priv_key);
  744. if (tmp_key == NULL)
  745. return 0;
  746. BN_set_flags(tmp_key, BN_FLG_CONSTTIME);
  747. fixed_top = bn_get_top(order) + 2;
  748. if (bn_wexpand(tmp_key, fixed_top) == NULL) {
  749. BN_clear_free(tmp_key);
  750. return 0;
  751. }
  752. BN_clear_free(key->priv_key);
  753. key->priv_key = tmp_key;
  754. key->dirty_cnt++;
  755. return 1;
  756. }
  757. const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
  758. {
  759. return key->pub_key;
  760. }
  761. int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
  762. {
  763. if (key->meth->set_public != NULL
  764. && key->meth->set_public(key, pub_key) == 0)
  765. return 0;
  766. EC_POINT_free(key->pub_key);
  767. key->pub_key = EC_POINT_dup(pub_key, key->group);
  768. key->dirty_cnt++;
  769. return (key->pub_key == NULL) ? 0 : 1;
  770. }
  771. unsigned int EC_KEY_get_enc_flags(const EC_KEY *key)
  772. {
  773. return key->enc_flag;
  774. }
  775. void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
  776. {
  777. key->enc_flag = flags;
  778. }
  779. point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
  780. {
  781. return key->conv_form;
  782. }
  783. void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
  784. {
  785. key->conv_form = cform;
  786. if (key->group != NULL)
  787. EC_GROUP_set_point_conversion_form(key->group, cform);
  788. }
  789. void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
  790. {
  791. if (key->group != NULL)
  792. EC_GROUP_set_asn1_flag(key->group, flag);
  793. }
  794. #ifndef OPENSSL_NO_DEPRECATED_3_0
  795. int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
  796. {
  797. if (key->group == NULL)
  798. return 0;
  799. return EC_GROUP_precompute_mult(key->group, ctx);
  800. }
  801. #endif
  802. int EC_KEY_get_flags(const EC_KEY *key)
  803. {
  804. return key->flags;
  805. }
  806. void EC_KEY_set_flags(EC_KEY *key, int flags)
  807. {
  808. key->flags |= flags;
  809. key->dirty_cnt++;
  810. }
  811. void EC_KEY_clear_flags(EC_KEY *key, int flags)
  812. {
  813. key->flags &= ~flags;
  814. key->dirty_cnt++;
  815. }
  816. int EC_KEY_decoded_from_explicit_params(const EC_KEY *key)
  817. {
  818. if (key == NULL || key->group == NULL)
  819. return -1;
  820. return key->group->decoded_from_explicit_params;
  821. }
  822. size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
  823. unsigned char **pbuf, BN_CTX *ctx)
  824. {
  825. if (key == NULL || key->pub_key == NULL || key->group == NULL)
  826. return 0;
  827. return EC_POINT_point2buf(key->group, key->pub_key, form, pbuf, ctx);
  828. }
  829. int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
  830. BN_CTX *ctx)
  831. {
  832. if (key == NULL || key->group == NULL)
  833. return 0;
  834. if (key->pub_key == NULL)
  835. key->pub_key = EC_POINT_new(key->group);
  836. if (key->pub_key == NULL)
  837. return 0;
  838. if (EC_POINT_oct2point(key->group, key->pub_key, buf, len, ctx) == 0)
  839. return 0;
  840. key->dirty_cnt++;
  841. /*
  842. * Save the point conversion form.
  843. * For non-custom curves the first octet of the buffer (excluding
  844. * the last significant bit) contains the point conversion form.
  845. * EC_POINT_oct2point() has already performed sanity checking of
  846. * the buffer so we know it is valid.
  847. */
  848. if ((key->group->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0)
  849. key->conv_form = (point_conversion_form_t)(buf[0] & ~0x01);
  850. return 1;
  851. }
  852. size_t EC_KEY_priv2oct(const EC_KEY *eckey,
  853. unsigned char *buf, size_t len)
  854. {
  855. if (eckey->group == NULL || eckey->group->meth == NULL)
  856. return 0;
  857. if (eckey->group->meth->priv2oct == NULL) {
  858. ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  859. return 0;
  860. }
  861. return eckey->group->meth->priv2oct(eckey, buf, len);
  862. }
  863. size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey,
  864. unsigned char *buf, size_t len)
  865. {
  866. size_t buf_len;
  867. buf_len = (EC_GROUP_order_bits(eckey->group) + 7) / 8;
  868. if (eckey->priv_key == NULL)
  869. return 0;
  870. if (buf == NULL)
  871. return buf_len;
  872. else if (len < buf_len)
  873. return 0;
  874. /* Octetstring may need leading zeros if BN is to short */
  875. if (BN_bn2binpad(eckey->priv_key, buf, buf_len) == -1) {
  876. ERR_raise(ERR_LIB_EC, EC_R_BUFFER_TOO_SMALL);
  877. return 0;
  878. }
  879. return buf_len;
  880. }
  881. int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
  882. {
  883. int ret;
  884. if (eckey->group == NULL || eckey->group->meth == NULL)
  885. return 0;
  886. if (eckey->group->meth->oct2priv == NULL) {
  887. ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  888. return 0;
  889. }
  890. ret = eckey->group->meth->oct2priv(eckey, buf, len);
  891. if (ret == 1)
  892. eckey->dirty_cnt++;
  893. return ret;
  894. }
  895. int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf,
  896. size_t len)
  897. {
  898. if (eckey->priv_key == NULL)
  899. eckey->priv_key = BN_secure_new();
  900. if (eckey->priv_key == NULL) {
  901. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  902. return 0;
  903. }
  904. if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {
  905. ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
  906. return 0;
  907. }
  908. eckey->dirty_cnt++;
  909. return 1;
  910. }
  911. size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf)
  912. {
  913. size_t len;
  914. unsigned char *buf;
  915. len = EC_KEY_priv2oct(eckey, NULL, 0);
  916. if (len == 0)
  917. return 0;
  918. if ((buf = OPENSSL_malloc(len)) == NULL)
  919. return 0;
  920. len = EC_KEY_priv2oct(eckey, buf, len);
  921. if (len == 0) {
  922. OPENSSL_free(buf);
  923. return 0;
  924. }
  925. *pbuf = buf;
  926. return len;
  927. }
  928. int EC_KEY_can_sign(const EC_KEY *eckey)
  929. {
  930. if (eckey->group == NULL || eckey->group->meth == NULL
  931. || (eckey->group->meth->flags & EC_FLAGS_NO_SIGN))
  932. return 0;
  933. return 1;
  934. }
  935. /*
  936. * FIPS 140-2 IG 9.9 AS09.33
  937. * Perform a sign/verify operation.
  938. *
  939. * NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9
  940. * states that no additional pairwise tests are required (apart from the tests
  941. * specified in SP800-56A) when generating keys. Hence pairwise ECDH tests are
  942. * omitted here.
  943. */
  944. static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
  945. void *cbarg)
  946. {
  947. int ret = 0;
  948. unsigned char dgst[16] = {0};
  949. int dgst_len = (int)sizeof(dgst);
  950. ECDSA_SIG *sig = NULL;
  951. OSSL_SELF_TEST *st = NULL;
  952. st = OSSL_SELF_TEST_new(cb, cbarg);
  953. if (st == NULL)
  954. return 0;
  955. OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
  956. OSSL_SELF_TEST_DESC_PCT_ECDSA);
  957. sig = ECDSA_do_sign(dgst, dgst_len, eckey);
  958. if (sig == NULL)
  959. goto err;
  960. OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
  961. if (ECDSA_do_verify(dgst, dgst_len, sig, eckey) != 1)
  962. goto err;
  963. ret = 1;
  964. err:
  965. OSSL_SELF_TEST_onend(st, ret);
  966. OSSL_SELF_TEST_free(st);
  967. ECDSA_SIG_free(sig);
  968. return ret;
  969. }