1 /*
2 * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /*
12 * EC_KEY low level APIs are deprecated for public use, but still ok for
13 * internal use.
14 */
15 #include "internal/deprecated.h"
16
17 #include "internal/cryptlib.h"
18 #include <string.h>
19 #include "ec_local.h"
20 #include "internal/refcount.h"
21 #include <openssl/err.h>
22 #ifndef FIPS_MODULE
23 # include <openssl/engine.h>
24 #endif
25 #include <openssl/self_test.h>
26 #include "prov/providercommon.h"
27 #include "crypto/bn.h"
28
29 static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
30 void *cbarg);
31
32 #ifndef FIPS_MODULE
EC_KEY_new(void)33 EC_KEY *EC_KEY_new(void)
34 {
35 return ossl_ec_key_new_method_int(NULL, NULL, NULL);
36 }
37 #endif
38
EC_KEY_new_ex(OSSL_LIB_CTX * ctx,const char * propq)39 EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq)
40 {
41 return ossl_ec_key_new_method_int(ctx, propq, NULL);
42 }
43
EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX * ctx,const char * propq,int nid)44 EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
45 int nid)
46 {
47 EC_KEY *ret = EC_KEY_new_ex(ctx, propq);
48 if (ret == NULL)
49 return NULL;
50 ret->group = EC_GROUP_new_by_curve_name_ex(ctx, propq, nid);
51 if (ret->group == NULL) {
52 EC_KEY_free(ret);
53 return NULL;
54 }
55 if (ret->meth->set_group != NULL
56 && ret->meth->set_group(ret, ret->group) == 0) {
57 EC_KEY_free(ret);
58 return NULL;
59 }
60 return ret;
61 }
62
63 #ifndef FIPS_MODULE
EC_KEY_new_by_curve_name(int nid)64 EC_KEY *EC_KEY_new_by_curve_name(int nid)
65 {
66 return EC_KEY_new_by_curve_name_ex(NULL, NULL, nid);
67 }
68 #endif
69
EC_KEY_free(EC_KEY * r)70 void EC_KEY_free(EC_KEY *r)
71 {
72 int i;
73
74 if (r == NULL)
75 return;
76
77 CRYPTO_DOWN_REF(&r->references, &i, r->lock);
78 REF_PRINT_COUNT("EC_KEY", r);
79 if (i > 0)
80 return;
81 REF_ASSERT_ISNT(i < 0);
82
83 if (r->meth != NULL && r->meth->finish != NULL)
84 r->meth->finish(r);
85
86 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
87 ENGINE_finish(r->engine);
88 #endif
89
90 if (r->group && r->group->meth->keyfinish)
91 r->group->meth->keyfinish(r);
92
93 #ifndef FIPS_MODULE
94 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
95 #endif
96 CRYPTO_THREAD_lock_free(r->lock);
97 EC_GROUP_free(r->group);
98 EC_POINT_free(r->pub_key);
99 BN_clear_free(r->priv_key);
100 OPENSSL_free(r->propq);
101
102 OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
103 }
104
EC_KEY_copy(EC_KEY * dest,const EC_KEY * src)105 EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
106 {
107 if (dest == NULL || src == NULL) {
108 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
109 return NULL;
110 }
111 if (src->meth != dest->meth) {
112 if (dest->meth->finish != NULL)
113 dest->meth->finish(dest);
114 if (dest->group && dest->group->meth->keyfinish)
115 dest->group->meth->keyfinish(dest);
116 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
117 if (ENGINE_finish(dest->engine) == 0)
118 return 0;
119 dest->engine = NULL;
120 #endif
121 }
122 dest->libctx = src->libctx;
123 /* copy the parameters */
124 if (src->group != NULL) {
125 /* clear the old group */
126 EC_GROUP_free(dest->group);
127 dest->group = ossl_ec_group_new_ex(src->libctx, src->propq,
128 src->group->meth);
129 if (dest->group == NULL)
130 return NULL;
131 if (!EC_GROUP_copy(dest->group, src->group))
132 return NULL;
133
134 /* copy the public key */
135 if (src->pub_key != NULL) {
136 EC_POINT_free(dest->pub_key);
137 dest->pub_key = EC_POINT_new(src->group);
138 if (dest->pub_key == NULL)
139 return NULL;
140 if (!EC_POINT_copy(dest->pub_key, src->pub_key))
141 return NULL;
142 }
143 /* copy the private key */
144 if (src->priv_key != NULL) {
145 if (dest->priv_key == NULL) {
146 dest->priv_key = BN_new();
147 if (dest->priv_key == NULL)
148 return NULL;
149 }
150 if (!BN_copy(dest->priv_key, src->priv_key))
151 return NULL;
152 if (src->group->meth->keycopy
153 && src->group->meth->keycopy(dest, src) == 0)
154 return NULL;
155 }
156 }
157
158
159 /* copy the rest */
160 dest->enc_flag = src->enc_flag;
161 dest->conv_form = src->conv_form;
162 dest->version = src->version;
163 dest->flags = src->flags;
164 #ifndef FIPS_MODULE
165 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
166 &dest->ex_data, &src->ex_data))
167 return NULL;
168 #endif
169
170 if (src->meth != dest->meth) {
171 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
172 if (src->engine != NULL && ENGINE_init(src->engine) == 0)
173 return NULL;
174 dest->engine = src->engine;
175 #endif
176 dest->meth = src->meth;
177 }
178
179 if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
180 return NULL;
181
182 dest->dirty_cnt++;
183
184 return dest;
185 }
186
EC_KEY_dup(const EC_KEY * ec_key)187 EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
188 {
189 return ossl_ec_key_dup(ec_key, OSSL_KEYMGMT_SELECT_ALL);
190 }
191
EC_KEY_up_ref(EC_KEY * r)192 int EC_KEY_up_ref(EC_KEY *r)
193 {
194 int i;
195
196 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
197 return 0;
198
199 REF_PRINT_COUNT("EC_KEY", r);
200 REF_ASSERT_ISNT(i < 2);
201 return ((i > 1) ? 1 : 0);
202 }
203
EC_KEY_get0_engine(const EC_KEY * eckey)204 ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey)
205 {
206 return eckey->engine;
207 }
208
EC_KEY_generate_key(EC_KEY * eckey)209 int EC_KEY_generate_key(EC_KEY *eckey)
210 {
211 if (eckey == NULL || eckey->group == NULL) {
212 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
213 return 0;
214 }
215 if (eckey->meth->keygen != NULL) {
216 int ret;
217
218 ret = eckey->meth->keygen(eckey);
219 if (ret == 1)
220 eckey->dirty_cnt++;
221
222 return ret;
223 }
224 ERR_raise(ERR_LIB_EC, EC_R_OPERATION_NOT_SUPPORTED);
225 return 0;
226 }
227
ossl_ec_key_gen(EC_KEY * eckey)228 int ossl_ec_key_gen(EC_KEY *eckey)
229 {
230 int ret;
231
232 ret = eckey->group->meth->keygen(eckey);
233
234 if (ret == 1)
235 eckey->dirty_cnt++;
236 return ret;
237 }
238
239 /*
240 * ECC Key generation.
241 * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
242 *
243 * Params:
244 * libctx A context containing an optional self test callback.
245 * eckey An EC key object that contains domain params. The generated keypair
246 * is stored in this object.
247 * pairwise_test Set to non zero to perform a pairwise test. If the test
248 * fails then the keypair is not generated,
249 * Returns 1 if the keypair was generated or 0 otherwise.
250 */
ec_generate_key(EC_KEY * eckey,int pairwise_test)251 static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
252 {
253 int ok = 0;
254 BIGNUM *priv_key = NULL;
255 const BIGNUM *tmp = NULL;
256 BIGNUM *order = NULL;
257 EC_POINT *pub_key = NULL;
258 const EC_GROUP *group = eckey->group;
259 BN_CTX *ctx = BN_CTX_secure_new_ex(eckey->libctx);
260 int sm2 = EC_KEY_get_flags(eckey) & EC_FLAG_SM2_RANGE ? 1 : 0;
261
262 if (ctx == NULL)
263 goto err;
264
265 if (eckey->priv_key == NULL) {
266 priv_key = BN_secure_new();
267 if (priv_key == NULL)
268 goto err;
269 } else
270 priv_key = eckey->priv_key;
271
272 /*
273 * Steps (1-2): Check domain parameters and security strength.
274 * These steps must be done by the user. This would need to be
275 * stated in the security policy.
276 */
277
278 tmp = EC_GROUP_get0_order(group);
279 if (tmp == NULL)
280 goto err;
281
282 /*
283 * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]).
284 * Although this is slightly different from the standard, it is effectively
285 * equivalent as it gives an unbiased result ranging from 1..n-1. It is also
286 * faster as the standard needs to retry more often. Also doing
287 * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into
288 * rand so the simpler backward compatible method has been used here.
289 */
290
291 /* range of SM2 private key is [1, n-1) */
292 if (sm2) {
293 order = BN_new();
294 if (order == NULL || !BN_sub(order, tmp, BN_value_one()))
295 goto err;
296 } else {
297 order = BN_dup(tmp);
298 if (order == NULL)
299 goto err;
300 }
301
302 do
303 if (!BN_priv_rand_range_ex(priv_key, order, 0, ctx))
304 goto err;
305 while (BN_is_zero(priv_key)) ;
306
307 if (eckey->pub_key == NULL) {
308 pub_key = EC_POINT_new(group);
309 if (pub_key == NULL)
310 goto err;
311 } else
312 pub_key = eckey->pub_key;
313
314 /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */
315 if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
316 goto err;
317
318 eckey->priv_key = priv_key;
319 eckey->pub_key = pub_key;
320 priv_key = NULL;
321 pub_key = NULL;
322
323 eckey->dirty_cnt++;
324
325 #ifdef FIPS_MODULE
326 pairwise_test = 1;
327 #endif /* FIPS_MODULE */
328
329 ok = 1;
330 if (pairwise_test) {
331 OSSL_CALLBACK *cb = NULL;
332 void *cbarg = NULL;
333
334 OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
335 ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
336 }
337 err:
338 /* Step (9): If there is an error return an invalid keypair. */
339 if (!ok) {
340 ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
341 BN_clear(eckey->priv_key);
342 if (eckey->pub_key != NULL)
343 EC_POINT_set_to_infinity(group, eckey->pub_key);
344 }
345
346 EC_POINT_free(pub_key);
347 BN_clear_free(priv_key);
348 BN_CTX_free(ctx);
349 BN_free(order);
350 return ok;
351 }
352
ossl_ec_key_simple_generate_key(EC_KEY * eckey)353 int ossl_ec_key_simple_generate_key(EC_KEY *eckey)
354 {
355 return ec_generate_key(eckey, 0);
356 }
357
ossl_ec_key_simple_generate_public_key(EC_KEY * eckey)358 int ossl_ec_key_simple_generate_public_key(EC_KEY *eckey)
359 {
360 int ret;
361 BN_CTX *ctx = BN_CTX_new_ex(eckey->libctx);
362
363 if (ctx == NULL)
364 return 0;
365
366 /*
367 * See SP800-56AR3 5.6.1.2.2: Step (8)
368 * pub_key = priv_key * G (where G is a point on the curve)
369 */
370 ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
371 NULL, ctx);
372
373 BN_CTX_free(ctx);
374 if (ret == 1)
375 eckey->dirty_cnt++;
376
377 return ret;
378 }
379
EC_KEY_check_key(const EC_KEY * eckey)380 int EC_KEY_check_key(const EC_KEY *eckey)
381 {
382 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
383 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
384 return 0;
385 }
386
387 if (eckey->group->meth->keycheck == NULL) {
388 ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
389 return 0;
390 }
391
392 return eckey->group->meth->keycheck(eckey);
393 }
394
395 /*
396 * Check the range of the EC public key.
397 * See SP800-56A R3 Section 5.6.2.3.3 (Part 2)
398 * i.e.
399 * - If q = odd prime p: Verify that xQ and yQ are integers in the
400 * interval[0, p - 1], OR
401 * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits.
402 * Returns 1 if the public key has a valid range, otherwise it returns 0.
403 */
ec_key_public_range_check(BN_CTX * ctx,const EC_KEY * key)404 static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key)
405 {
406 int ret = 0;
407 BIGNUM *x, *y;
408
409 BN_CTX_start(ctx);
410 x = BN_CTX_get(ctx);
411 y = BN_CTX_get(ctx);
412 if (y == NULL)
413 goto err;
414
415 if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx))
416 goto err;
417
418 if (EC_GROUP_get_field_type(key->group) == NID_X9_62_prime_field) {
419 if (BN_is_negative(x)
420 || BN_cmp(x, key->group->field) >= 0
421 || BN_is_negative(y)
422 || BN_cmp(y, key->group->field) >= 0) {
423 goto err;
424 }
425 } else {
426 int m = EC_GROUP_get_degree(key->group);
427 if (BN_num_bits(x) > m || BN_num_bits(y) > m) {
428 goto err;
429 }
430 }
431 ret = 1;
432 err:
433 BN_CTX_end(ctx);
434 return ret;
435 }
436
437 /*
438 * ECC Partial Public-Key Validation as specified in SP800-56A R3
439 * Section 5.6.2.3.4 ECC Partial Public-Key Validation Routine.
440 */
ossl_ec_key_public_check_quick(const EC_KEY * eckey,BN_CTX * ctx)441 int ossl_ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx)
442 {
443 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
444 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
445 return 0;
446 }
447
448 /* 5.6.2.3.3 (Step 1): Q != infinity */
449 if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
450 ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
451 return 0;
452 }
453
454 /* 5.6.2.3.3 (Step 2) Test if the public key is in range */
455 if (!ec_key_public_range_check(ctx, eckey)) {
456 ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
457 return 0;
458 }
459
460 /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */
461 if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
462 ERR_raise(ERR_LIB_EC, EC_R_POINT_IS_NOT_ON_CURVE);
463 return 0;
464 }
465 return 1;
466 }
467
468 /*
469 * ECC Key validation as specified in SP800-56A R3.
470 * Section 5.6.2.3.3 ECC Full Public-Key Validation Routine.
471 */
ossl_ec_key_public_check(const EC_KEY * eckey,BN_CTX * ctx)472 int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
473 {
474 int ret = 0;
475 EC_POINT *point = NULL;
476 const BIGNUM *order = NULL;
477
478 if (!ossl_ec_key_public_check_quick(eckey, ctx))
479 return 0;
480
481 point = EC_POINT_new(eckey->group);
482 if (point == NULL)
483 return 0;
484
485 order = eckey->group->order;
486 if (BN_is_zero(order)) {
487 ERR_raise(ERR_LIB_EC, EC_R_INVALID_GROUP_ORDER);
488 goto err;
489 }
490 /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */
491 if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
492 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
493 goto err;
494 }
495 if (!EC_POINT_is_at_infinity(eckey->group, point)) {
496 ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER);
497 goto err;
498 }
499 ret = 1;
500 err:
501 EC_POINT_free(point);
502 return ret;
503 }
504
505 /*
506 * ECC Key validation as specified in SP800-56A R3.
507 * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
508 * The private key is in the range [1, order-1]
509 */
ossl_ec_key_private_check(const EC_KEY * eckey)510 int ossl_ec_key_private_check(const EC_KEY *eckey)
511 {
512 if (eckey == NULL || eckey->group == NULL || eckey->priv_key == NULL) {
513 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
514 return 0;
515 }
516 if (BN_cmp(eckey->priv_key, BN_value_one()) < 0
517 || BN_cmp(eckey->priv_key, eckey->group->order) >= 0) {
518 ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
519 return 0;
520 }
521 return 1;
522 }
523
524 /*
525 * ECC Key validation as specified in SP800-56A R3.
526 * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency (b)
527 * Check if generator * priv_key = pub_key
528 */
ossl_ec_key_pairwise_check(const EC_KEY * eckey,BN_CTX * ctx)529 int ossl_ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx)
530 {
531 int ret = 0;
532 EC_POINT *point = NULL;
533
534 if (eckey == NULL
535 || eckey->group == NULL
536 || eckey->pub_key == NULL
537 || eckey->priv_key == NULL) {
538 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
539 return 0;
540 }
541
542 point = EC_POINT_new(eckey->group);
543 if (point == NULL)
544 goto err;
545
546
547 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, NULL, ctx)) {
548 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
549 goto err;
550 }
551 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
552 ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
553 goto err;
554 }
555 ret = 1;
556 err:
557 EC_POINT_free(point);
558 return ret;
559 }
560
561
562 /*
563 * ECC Key validation as specified in SP800-56A R3.
564 * Section 5.6.2.3.3 ECC Full Public-Key Validation
565 * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
566 * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
567 * NOTES:
568 * Before calling this method in fips mode, there should be an assurance that
569 * an approved elliptic-curve group is used.
570 * Returns 1 if the key is valid, otherwise it returns 0.
571 */
ossl_ec_key_simple_check_key(const EC_KEY * eckey)572 int ossl_ec_key_simple_check_key(const EC_KEY *eckey)
573 {
574 int ok = 0;
575 BN_CTX *ctx = NULL;
576
577 if (eckey == NULL) {
578 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
579 return 0;
580 }
581 if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL)
582 return 0;
583
584 if (!ossl_ec_key_public_check(eckey, ctx))
585 goto err;
586
587 if (eckey->priv_key != NULL) {
588 if (!ossl_ec_key_private_check(eckey)
589 || !ossl_ec_key_pairwise_check(eckey, ctx))
590 goto err;
591 }
592 ok = 1;
593 err:
594 BN_CTX_free(ctx);
595 return ok;
596 }
597
EC_KEY_set_public_key_affine_coordinates(EC_KEY * key,BIGNUM * x,BIGNUM * y)598 int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
599 BIGNUM *y)
600 {
601 BN_CTX *ctx = NULL;
602 BIGNUM *tx, *ty;
603 EC_POINT *point = NULL;
604 int ok = 0;
605
606 if (key == NULL || key->group == NULL || x == NULL || y == NULL) {
607 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
608 return 0;
609 }
610 ctx = BN_CTX_new_ex(key->libctx);
611 if (ctx == NULL)
612 return 0;
613
614 BN_CTX_start(ctx);
615 point = EC_POINT_new(key->group);
616
617 if (point == NULL)
618 goto err;
619
620 tx = BN_CTX_get(ctx);
621 ty = BN_CTX_get(ctx);
622 if (ty == NULL)
623 goto err;
624
625 if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx))
626 goto err;
627 if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx))
628 goto err;
629
630 /*
631 * Check if retrieved coordinates match originals. The range check is done
632 * inside EC_KEY_check_key().
633 */
634 if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
635 ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
636 goto err;
637 }
638
639 /* EC_KEY_set_public_key updates dirty_cnt */
640 if (!EC_KEY_set_public_key(key, point))
641 goto err;
642
643 if (EC_KEY_check_key(key) == 0)
644 goto err;
645
646 ok = 1;
647
648 err:
649 BN_CTX_end(ctx);
650 BN_CTX_free(ctx);
651 EC_POINT_free(point);
652 return ok;
653
654 }
655
ossl_ec_key_get_libctx(const EC_KEY * key)656 OSSL_LIB_CTX *ossl_ec_key_get_libctx(const EC_KEY *key)
657 {
658 return key->libctx;
659 }
660
ossl_ec_key_get0_propq(const EC_KEY * key)661 const char *ossl_ec_key_get0_propq(const EC_KEY *key)
662 {
663 return key->propq;
664 }
665
ossl_ec_key_set0_libctx(EC_KEY * key,OSSL_LIB_CTX * libctx)666 void ossl_ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx)
667 {
668 key->libctx = libctx;
669 /* Do we need to propagate this to the group? */
670 }
671
EC_KEY_get0_group(const EC_KEY * key)672 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
673 {
674 return key->group;
675 }
676
EC_KEY_set_group(EC_KEY * key,const EC_GROUP * group)677 int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
678 {
679 if (key->meth->set_group != NULL && key->meth->set_group(key, group) == 0)
680 return 0;
681 EC_GROUP_free(key->group);
682 key->group = EC_GROUP_dup(group);
683 if (key->group != NULL && EC_GROUP_get_curve_name(key->group) == NID_sm2)
684 EC_KEY_set_flags(key, EC_FLAG_SM2_RANGE);
685
686 key->dirty_cnt++;
687 return (key->group == NULL) ? 0 : 1;
688 }
689
EC_KEY_get0_private_key(const EC_KEY * key)690 const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
691 {
692 return key->priv_key;
693 }
694
EC_KEY_set_private_key(EC_KEY * key,const BIGNUM * priv_key)695 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
696 {
697 int fixed_top;
698 const BIGNUM *order = NULL;
699 BIGNUM *tmp_key = NULL;
700
701 if (key->group == NULL || key->group->meth == NULL)
702 return 0;
703
704 /*
705 * Not only should key->group be set, but it should also be in a valid
706 * fully initialized state.
707 *
708 * Specifically, to operate in constant time, we need that the group order
709 * is set, as we use its length as the fixed public size of any scalar used
710 * as an EC private key.
711 */
712 order = EC_GROUP_get0_order(key->group);
713 if (order == NULL || BN_is_zero(order))
714 return 0; /* This should never happen */
715
716 if (key->group->meth->set_private != NULL
717 && key->group->meth->set_private(key, priv_key) == 0)
718 return 0;
719 if (key->meth->set_private != NULL
720 && key->meth->set_private(key, priv_key) == 0)
721 return 0;
722
723 /*
724 * Return `0` to comply with legacy behavior for this function, see
725 * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
726 */
727 if (priv_key == NULL) {
728 BN_clear_free(key->priv_key);
729 key->priv_key = NULL;
730 return 0; /* intentional for legacy compatibility */
731 }
732
733 /*
734 * We should never leak the bit length of the secret scalar in the key,
735 * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
736 * holding the secret scalar.
737 *
738 * This is important also because `BN_dup()` (and `BN_copy()`) do not
739 * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
740 * this brings an extra risk of inadvertently losing the flag, even when
741 * the caller specifically set it.
742 *
743 * The propagation has been turned on and off a few times in the past
744 * years because in some conditions has shown unintended consequences in
745 * some code paths, so at the moment we can't fix this in the BN layer.
746 *
747 * In `EC_KEY_set_private_key()` we can work around the propagation by
748 * manually setting the flag after `BN_dup()` as we know for sure that
749 * inside the EC module the `BN_FLG_CONSTTIME` is always treated
750 * correctly and should not generate unintended consequences.
751 *
752 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
753 * to preallocate the BIGNUM internal buffer to a fixed public size big
754 * enough that operations performed during the processing never trigger
755 * a realloc which would leak the size of the scalar through memory
756 * accesses.
757 *
758 * Fixed Length
759 * ------------
760 *
761 * The order of the large prime subgroup of the curve is our choice for
762 * a fixed public size, as that is generally the upper bound for
763 * generating a private key in EC cryptosystems and should fit all valid
764 * secret scalars.
765 *
766 * For preallocating the BIGNUM storage we look at the number of "words"
767 * required for the internal representation of the order, and we
768 * preallocate 2 extra "words" in case any of the subsequent processing
769 * might temporarily overflow the order length.
770 */
771 tmp_key = BN_dup(priv_key);
772 if (tmp_key == NULL)
773 return 0;
774
775 BN_set_flags(tmp_key, BN_FLG_CONSTTIME);
776
777 fixed_top = bn_get_top(order) + 2;
778 if (bn_wexpand(tmp_key, fixed_top) == NULL) {
779 BN_clear_free(tmp_key);
780 return 0;
781 }
782
783 BN_clear_free(key->priv_key);
784 key->priv_key = tmp_key;
785 key->dirty_cnt++;
786
787 return 1;
788 }
789
EC_KEY_get0_public_key(const EC_KEY * key)790 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
791 {
792 return key->pub_key;
793 }
794
EC_KEY_set_public_key(EC_KEY * key,const EC_POINT * pub_key)795 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
796 {
797 if (key->meth->set_public != NULL
798 && key->meth->set_public(key, pub_key) == 0)
799 return 0;
800 EC_POINT_free(key->pub_key);
801 key->pub_key = EC_POINT_dup(pub_key, key->group);
802 key->dirty_cnt++;
803 return (key->pub_key == NULL) ? 0 : 1;
804 }
805
EC_KEY_get_enc_flags(const EC_KEY * key)806 unsigned int EC_KEY_get_enc_flags(const EC_KEY *key)
807 {
808 return key->enc_flag;
809 }
810
EC_KEY_set_enc_flags(EC_KEY * key,unsigned int flags)811 void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
812 {
813 key->enc_flag = flags;
814 }
815
EC_KEY_get_conv_form(const EC_KEY * key)816 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
817 {
818 return key->conv_form;
819 }
820
EC_KEY_set_conv_form(EC_KEY * key,point_conversion_form_t cform)821 void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
822 {
823 key->conv_form = cform;
824 if (key->group != NULL)
825 EC_GROUP_set_point_conversion_form(key->group, cform);
826 }
827
EC_KEY_set_asn1_flag(EC_KEY * key,int flag)828 void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
829 {
830 if (key->group != NULL)
831 EC_GROUP_set_asn1_flag(key->group, flag);
832 }
833
834 #ifndef OPENSSL_NO_DEPRECATED_3_0
EC_KEY_precompute_mult(EC_KEY * key,BN_CTX * ctx)835 int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
836 {
837 if (key->group == NULL)
838 return 0;
839 return EC_GROUP_precompute_mult(key->group, ctx);
840 }
841 #endif
842
EC_KEY_get_flags(const EC_KEY * key)843 int EC_KEY_get_flags(const EC_KEY *key)
844 {
845 return key->flags;
846 }
847
EC_KEY_set_flags(EC_KEY * key,int flags)848 void EC_KEY_set_flags(EC_KEY *key, int flags)
849 {
850 key->flags |= flags;
851 key->dirty_cnt++;
852 }
853
EC_KEY_clear_flags(EC_KEY * key,int flags)854 void EC_KEY_clear_flags(EC_KEY *key, int flags)
855 {
856 key->flags &= ~flags;
857 key->dirty_cnt++;
858 }
859
EC_KEY_decoded_from_explicit_params(const EC_KEY * key)860 int EC_KEY_decoded_from_explicit_params(const EC_KEY *key)
861 {
862 if (key == NULL || key->group == NULL)
863 return -1;
864 return key->group->decoded_from_explicit_params;
865 }
866
EC_KEY_key2buf(const EC_KEY * key,point_conversion_form_t form,unsigned char ** pbuf,BN_CTX * ctx)867 size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
868 unsigned char **pbuf, BN_CTX *ctx)
869 {
870 if (key == NULL || key->pub_key == NULL || key->group == NULL)
871 return 0;
872 return EC_POINT_point2buf(key->group, key->pub_key, form, pbuf, ctx);
873 }
874
EC_KEY_oct2key(EC_KEY * key,const unsigned char * buf,size_t len,BN_CTX * ctx)875 int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
876 BN_CTX *ctx)
877 {
878 if (key == NULL || key->group == NULL)
879 return 0;
880 if (key->pub_key == NULL)
881 key->pub_key = EC_POINT_new(key->group);
882 if (key->pub_key == NULL)
883 return 0;
884 if (EC_POINT_oct2point(key->group, key->pub_key, buf, len, ctx) == 0)
885 return 0;
886 key->dirty_cnt++;
887 /*
888 * Save the point conversion form.
889 * For non-custom curves the first octet of the buffer (excluding
890 * the last significant bit) contains the point conversion form.
891 * EC_POINT_oct2point() has already performed sanity checking of
892 * the buffer so we know it is valid.
893 */
894 if ((key->group->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0)
895 key->conv_form = (point_conversion_form_t)(buf[0] & ~0x01);
896 return 1;
897 }
898
EC_KEY_priv2oct(const EC_KEY * eckey,unsigned char * buf,size_t len)899 size_t EC_KEY_priv2oct(const EC_KEY *eckey,
900 unsigned char *buf, size_t len)
901 {
902 if (eckey->group == NULL || eckey->group->meth == NULL)
903 return 0;
904 if (eckey->group->meth->priv2oct == NULL) {
905 ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
906 return 0;
907 }
908
909 return eckey->group->meth->priv2oct(eckey, buf, len);
910 }
911
ossl_ec_key_simple_priv2oct(const EC_KEY * eckey,unsigned char * buf,size_t len)912 size_t ossl_ec_key_simple_priv2oct(const EC_KEY *eckey,
913 unsigned char *buf, size_t len)
914 {
915 size_t buf_len;
916
917 buf_len = (EC_GROUP_order_bits(eckey->group) + 7) / 8;
918 if (eckey->priv_key == NULL)
919 return 0;
920 if (buf == NULL)
921 return buf_len;
922 else if (len < buf_len)
923 return 0;
924
925 /* Octetstring may need leading zeros if BN is to short */
926
927 if (BN_bn2binpad(eckey->priv_key, buf, buf_len) == -1) {
928 ERR_raise(ERR_LIB_EC, EC_R_BUFFER_TOO_SMALL);
929 return 0;
930 }
931
932 return buf_len;
933 }
934
EC_KEY_oct2priv(EC_KEY * eckey,const unsigned char * buf,size_t len)935 int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
936 {
937 int ret;
938
939 if (eckey->group == NULL || eckey->group->meth == NULL)
940 return 0;
941 if (eckey->group->meth->oct2priv == NULL) {
942 ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
943 return 0;
944 }
945 ret = eckey->group->meth->oct2priv(eckey, buf, len);
946 if (ret == 1)
947 eckey->dirty_cnt++;
948 return ret;
949 }
950
ossl_ec_key_simple_oct2priv(EC_KEY * eckey,const unsigned char * buf,size_t len)951 int ossl_ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf,
952 size_t len)
953 {
954 if (eckey->priv_key == NULL)
955 eckey->priv_key = BN_secure_new();
956 if (eckey->priv_key == NULL) {
957 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
958 return 0;
959 }
960 if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {
961 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
962 return 0;
963 }
964 eckey->dirty_cnt++;
965 return 1;
966 }
967
EC_KEY_priv2buf(const EC_KEY * eckey,unsigned char ** pbuf)968 size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf)
969 {
970 size_t len;
971 unsigned char *buf;
972
973 len = EC_KEY_priv2oct(eckey, NULL, 0);
974 if (len == 0)
975 return 0;
976 if ((buf = OPENSSL_malloc(len)) == NULL) {
977 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
978 return 0;
979 }
980 len = EC_KEY_priv2oct(eckey, buf, len);
981 if (len == 0) {
982 OPENSSL_free(buf);
983 return 0;
984 }
985 *pbuf = buf;
986 return len;
987 }
988
EC_KEY_can_sign(const EC_KEY * eckey)989 int EC_KEY_can_sign(const EC_KEY *eckey)
990 {
991 if (eckey->group == NULL || eckey->group->meth == NULL
992 || (eckey->group->meth->flags & EC_FLAGS_NO_SIGN))
993 return 0;
994 return 1;
995 }
996
997 /*
998 * FIPS 140-2 IG 9.9 AS09.33
999 * Perform a sign/verify operation.
1000 *
1001 * NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9
1002 * states that no additional pairwise tests are required (apart from the tests
1003 * specified in SP800-56A) when generating keys. Hence pairwise ECDH tests are
1004 * omitted here.
1005 */
ecdsa_keygen_pairwise_test(EC_KEY * eckey,OSSL_CALLBACK * cb,void * cbarg)1006 static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
1007 void *cbarg)
1008 {
1009 int ret = 0;
1010 unsigned char dgst[16] = {0};
1011 int dgst_len = (int)sizeof(dgst);
1012 ECDSA_SIG *sig = NULL;
1013 OSSL_SELF_TEST *st = NULL;
1014
1015 st = OSSL_SELF_TEST_new(cb, cbarg);
1016 if (st == NULL)
1017 return 0;
1018
1019 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
1020 OSSL_SELF_TEST_DESC_PCT_ECDSA);
1021
1022 sig = ECDSA_do_sign(dgst, dgst_len, eckey);
1023 if (sig == NULL)
1024 goto err;
1025
1026 OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
1027
1028 if (ECDSA_do_verify(dgst, dgst_len, sig, eckey) != 1)
1029 goto err;
1030
1031 ret = 1;
1032 err:
1033 OSSL_SELF_TEST_onend(st, ret);
1034 OSSL_SELF_TEST_free(st);
1035 ECDSA_SIG_free(sig);
1036 return ret;
1037 }
1038