1 /* 2 * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2017 Ribose Inc. All Rights Reserved. 4 * Ported from Ribose contributions from Botan. 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 /* 13 * ECDSA low level APIs are deprecated for public use, but still ok for 14 * internal use. 15 */ 16 #include "internal/deprecated.h" 17 18 #include "crypto/sm2.h" 19 #include "crypto/sm2err.h" 20 #include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */ 21 #include <openssl/err.h> 22 #include <openssl/evp.h> 23 #include <openssl/bn.h> 24 #include <openssl/asn1.h> 25 #include <openssl/asn1t.h> 26 #include <string.h> 27 28 typedef struct SM2_Ciphertext_st SM2_Ciphertext; 29 DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext) 30 31 struct SM2_Ciphertext_st { 32 BIGNUM *C1x; 33 BIGNUM *C1y; 34 ASN1_OCTET_STRING *C3; 35 ASN1_OCTET_STRING *C2; 36 }; 37 38 ASN1_SEQUENCE(SM2_Ciphertext) = { 39 ASN1_SIMPLE(SM2_Ciphertext, C1x, BIGNUM), 40 ASN1_SIMPLE(SM2_Ciphertext, C1y, BIGNUM), 41 ASN1_SIMPLE(SM2_Ciphertext, C3, ASN1_OCTET_STRING), 42 ASN1_SIMPLE(SM2_Ciphertext, C2, ASN1_OCTET_STRING), 43 } ASN1_SEQUENCE_END(SM2_Ciphertext) 44 45 IMPLEMENT_ASN1_FUNCTIONS(SM2_Ciphertext) 46 47 static size_t ec_field_size(const EC_GROUP *group) 48 { 49 /* Is there some simpler way to do this? */ 50 BIGNUM *p = BN_new(); 51 BIGNUM *a = BN_new(); 52 BIGNUM *b = BN_new(); 53 size_t field_size = 0; 54 55 if (p == NULL || a == NULL || b == NULL) 56 goto done; 57 58 if (!EC_GROUP_get_curve(group, p, a, b, NULL)) 59 goto done; 60 field_size = (BN_num_bits(p) + 7) / 8; 61 62 done: 63 BN_free(p); 64 BN_free(a); 65 BN_free(b); 66 67 return field_size; 68 } 69 70 static int is_all_zeros(const unsigned char *msg, size_t msglen) 71 { 72 unsigned char re = 0; 73 size_t i; 74 75 for (i = 0; i < msglen; i++) { 76 re |= msg[i]; 77 } 78 79 return re == 0 ? 1 : 0; 80 } 81 82 int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size, 83 size_t *pt_size) 84 { 85 struct SM2_Ciphertext_st *sm2_ctext = NULL; 86 87 sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size); 88 89 if (sm2_ctext == NULL) { 90 ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING); 91 return 0; 92 } 93 94 *pt_size = sm2_ctext->C2->length; 95 SM2_Ciphertext_free(sm2_ctext); 96 97 return 1; 98 } 99 100 int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, 101 size_t msg_len, size_t *ct_size) 102 { 103 const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); 104 const int md_size = EVP_MD_get_size(digest); 105 size_t sz; 106 107 if (field_size == 0 || md_size < 0) 108 return 0; 109 110 /* Integer and string are simple type; set constructed = 0, means primitive and definite length encoding. */ 111 sz = 2 * ASN1_object_size(0, field_size + 1, V_ASN1_INTEGER) 112 + ASN1_object_size(0, md_size, V_ASN1_OCTET_STRING) 113 + ASN1_object_size(0, msg_len, V_ASN1_OCTET_STRING); 114 /* Sequence is structured type; set constructed = 1, means constructed and definite length encoding. */ 115 *ct_size = ASN1_object_size(1, sz, V_ASN1_SEQUENCE); 116 117 return 1; 118 } 119 120 int ossl_sm2_encrypt(const EC_KEY *key, 121 const EVP_MD *digest, 122 const uint8_t *msg, size_t msg_len, 123 uint8_t *ciphertext_buf, size_t *ciphertext_len) 124 { 125 int rc = 0, ciphertext_leni; 126 size_t i; 127 BN_CTX *ctx = NULL; 128 BIGNUM *k = NULL; 129 BIGNUM *x1 = NULL; 130 BIGNUM *y1 = NULL; 131 BIGNUM *x2 = NULL; 132 BIGNUM *y2 = NULL; 133 EVP_MD_CTX *hash = EVP_MD_CTX_new(); 134 struct SM2_Ciphertext_st ctext_struct; 135 const EC_GROUP *group = EC_KEY_get0_group(key); 136 const BIGNUM *order = EC_GROUP_get0_order(group); 137 const EC_POINT *P = EC_KEY_get0_public_key(key); 138 EC_POINT *kG = NULL; 139 EC_POINT *kP = NULL; 140 uint8_t *msg_mask = NULL; 141 uint8_t *x2y2 = NULL; 142 uint8_t *C3 = NULL; 143 size_t field_size; 144 const int C3_size = EVP_MD_get_size(digest); 145 EVP_MD *fetched_digest = NULL; 146 OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); 147 const char *propq = ossl_ec_key_get0_propq(key); 148 149 /* NULL these before any "goto done" */ 150 ctext_struct.C2 = NULL; 151 ctext_struct.C3 = NULL; 152 153 if (hash == NULL || C3_size <= 0) { 154 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 155 goto done; 156 } 157 158 field_size = ec_field_size(group); 159 if (field_size == 0) { 160 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 161 goto done; 162 } 163 164 kG = EC_POINT_new(group); 165 kP = EC_POINT_new(group); 166 ctx = BN_CTX_new_ex(libctx); 167 if (kG == NULL || kP == NULL || ctx == NULL) { 168 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 169 goto done; 170 } 171 172 BN_CTX_start(ctx); 173 k = BN_CTX_get(ctx); 174 x1 = BN_CTX_get(ctx); 175 x2 = BN_CTX_get(ctx); 176 y1 = BN_CTX_get(ctx); 177 y2 = BN_CTX_get(ctx); 178 179 if (y2 == NULL) { 180 ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); 181 goto done; 182 } 183 184 x2y2 = OPENSSL_zalloc(2 * field_size); 185 C3 = OPENSSL_zalloc(C3_size); 186 187 if (x2y2 == NULL || C3 == NULL) { 188 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 189 goto done; 190 } 191 192 memset(ciphertext_buf, 0, *ciphertext_len); 193 194 msg_mask = OPENSSL_zalloc(msg_len); 195 if (msg_mask == NULL) { 196 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 197 goto done; 198 } 199 200 again: 201 if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { 202 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 203 goto done; 204 } 205 206 if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx) 207 || !EC_POINT_get_affine_coordinates(group, kG, x1, y1, ctx) 208 || !EC_POINT_mul(group, kP, NULL, P, k, ctx) 209 || !EC_POINT_get_affine_coordinates(group, kP, x2, y2, ctx)) { 210 ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); 211 goto done; 212 } 213 214 if (BN_bn2binpad(x2, x2y2, field_size) < 0 215 || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0) { 216 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 217 goto done; 218 } 219 220 /* X9.63 with no salt happens to match the KDF used in SM2 */ 221 if (!ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, 222 digest, libctx, propq)) { 223 ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); 224 goto done; 225 } 226 227 if (is_all_zeros(msg_mask, msg_len)) { 228 memset(x2y2, 0, 2 * field_size); 229 goto again; 230 } 231 232 for (i = 0; i != msg_len; ++i) 233 msg_mask[i] ^= msg[i]; 234 235 fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(digest), propq); 236 if (fetched_digest == NULL) { 237 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 238 goto done; 239 } 240 if (EVP_DigestInit(hash, fetched_digest) == 0 241 || EVP_DigestUpdate(hash, x2y2, field_size) == 0 242 || EVP_DigestUpdate(hash, msg, msg_len) == 0 243 || EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0 244 || EVP_DigestFinal(hash, C3, NULL) == 0) { 245 ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); 246 goto done; 247 } 248 249 ctext_struct.C1x = x1; 250 ctext_struct.C1y = y1; 251 ctext_struct.C3 = ASN1_OCTET_STRING_new(); 252 ctext_struct.C2 = ASN1_OCTET_STRING_new(); 253 254 if (ctext_struct.C3 == NULL || ctext_struct.C2 == NULL) { 255 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 256 goto done; 257 } 258 if (!ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size) 259 || !ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len)) { 260 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 261 goto done; 262 } 263 264 ciphertext_leni = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf); 265 /* Ensure cast to size_t is safe */ 266 if (ciphertext_leni < 0) { 267 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 268 goto done; 269 } 270 *ciphertext_len = (size_t)ciphertext_leni; 271 272 rc = 1; 273 274 done: 275 EVP_MD_free(fetched_digest); 276 ASN1_OCTET_STRING_free(ctext_struct.C2); 277 ASN1_OCTET_STRING_free(ctext_struct.C3); 278 OPENSSL_free(msg_mask); 279 OPENSSL_free(x2y2); 280 OPENSSL_free(C3); 281 EVP_MD_CTX_free(hash); 282 BN_CTX_free(ctx); 283 EC_POINT_free(kG); 284 EC_POINT_free(kP); 285 return rc; 286 } 287 288 int ossl_sm2_decrypt(const EC_KEY *key, 289 const EVP_MD *digest, 290 const uint8_t *ciphertext, size_t ciphertext_len, 291 uint8_t *ptext_buf, size_t *ptext_len) 292 { 293 int rc = 0; 294 int i; 295 BN_CTX *ctx = NULL; 296 const EC_GROUP *group = EC_KEY_get0_group(key); 297 EC_POINT *C1 = NULL; 298 struct SM2_Ciphertext_st *sm2_ctext = NULL; 299 BIGNUM *x2 = NULL; 300 BIGNUM *y2 = NULL; 301 uint8_t *x2y2 = NULL; 302 uint8_t *computed_C3 = NULL; 303 const size_t field_size = ec_field_size(group); 304 const int hash_size = EVP_MD_get_size(digest); 305 uint8_t *msg_mask = NULL; 306 const uint8_t *C2 = NULL; 307 const uint8_t *C3 = NULL; 308 int msg_len = 0; 309 EVP_MD_CTX *hash = NULL; 310 OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); 311 const char *propq = ossl_ec_key_get0_propq(key); 312 313 if (field_size == 0 || hash_size <= 0) 314 goto done; 315 316 memset(ptext_buf, 0xFF, *ptext_len); 317 318 sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext, ciphertext_len); 319 320 if (sm2_ctext == NULL) { 321 ERR_raise(ERR_LIB_SM2, SM2_R_ASN1_ERROR); 322 goto done; 323 } 324 325 if (sm2_ctext->C3->length != hash_size) { 326 ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING); 327 goto done; 328 } 329 330 C2 = sm2_ctext->C2->data; 331 C3 = sm2_ctext->C3->data; 332 msg_len = sm2_ctext->C2->length; 333 if (*ptext_len < (size_t)msg_len) { 334 ERR_raise(ERR_LIB_SM2, SM2_R_BUFFER_TOO_SMALL); 335 goto done; 336 } 337 338 ctx = BN_CTX_new_ex(libctx); 339 if (ctx == NULL) { 340 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 341 goto done; 342 } 343 344 BN_CTX_start(ctx); 345 x2 = BN_CTX_get(ctx); 346 y2 = BN_CTX_get(ctx); 347 348 if (y2 == NULL) { 349 ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); 350 goto done; 351 } 352 353 msg_mask = OPENSSL_zalloc(msg_len); 354 x2y2 = OPENSSL_zalloc(2 * field_size); 355 computed_C3 = OPENSSL_zalloc(hash_size); 356 357 if (msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL) { 358 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 359 goto done; 360 } 361 362 C1 = EC_POINT_new(group); 363 if (C1 == NULL) { 364 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 365 goto done; 366 } 367 368 if (!EC_POINT_set_affine_coordinates(group, C1, sm2_ctext->C1x, 369 sm2_ctext->C1y, ctx) 370 || !EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key), 371 ctx) 372 || !EC_POINT_get_affine_coordinates(group, C1, x2, y2, ctx)) { 373 ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); 374 goto done; 375 } 376 377 if (BN_bn2binpad(x2, x2y2, field_size) < 0 378 || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0 379 || !ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, 380 NULL, 0, digest, libctx, propq)) { 381 ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); 382 goto done; 383 } 384 385 if (is_all_zeros(msg_mask, msg_len)) { 386 ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING); 387 goto done; 388 } 389 390 for (i = 0; i != msg_len; ++i) 391 ptext_buf[i] = C2[i] ^ msg_mask[i]; 392 393 hash = EVP_MD_CTX_new(); 394 if (hash == NULL) { 395 ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); 396 goto done; 397 } 398 399 if (!EVP_DigestInit(hash, digest) 400 || !EVP_DigestUpdate(hash, x2y2, field_size) 401 || !EVP_DigestUpdate(hash, ptext_buf, msg_len) 402 || !EVP_DigestUpdate(hash, x2y2 + field_size, field_size) 403 || !EVP_DigestFinal(hash, computed_C3, NULL)) { 404 ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); 405 goto done; 406 } 407 408 if (CRYPTO_memcmp(computed_C3, C3, hash_size) != 0) { 409 ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST); 410 goto done; 411 } 412 413 rc = 1; 414 *ptext_len = msg_len; 415 416 done: 417 if (rc == 0) 418 memset(ptext_buf, 0, *ptext_len); 419 420 OPENSSL_free(msg_mask); 421 OPENSSL_free(x2y2); 422 OPENSSL_free(computed_C3); 423 EC_POINT_free(C1); 424 BN_CTX_free(ctx); 425 SM2_Ciphertext_free(sm2_ctext); 426 EVP_MD_CTX_free(hash); 427 428 return rc; 429 } 430