1 /* 2 * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Low level APIs are deprecated for public use, but still ok for internal use. 12 */ 13 #include "internal/deprecated.h" 14 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <string.h> 18 19 #include <openssl/bio.h> 20 #include <openssl/evp.h> 21 #include <openssl/bn.h> 22 #include <openssl/crypto.h> 23 #include <openssl/err.h> 24 #include <openssl/rand.h> 25 #include "testutil.h" 26 27 #ifndef OPENSSL_NO_SM2 28 29 # include "crypto/sm2.h" 30 31 static fake_random_generate_cb get_faked_bytes; 32 33 static OSSL_PROVIDER *fake_rand = NULL; 34 static uint8_t *fake_rand_bytes = NULL; 35 static size_t fake_rand_bytes_offset = 0; 36 static size_t fake_rand_size = 0; 37 38 static int get_faked_bytes(unsigned char *buf, size_t num, 39 ossl_unused const char *name, 40 ossl_unused EVP_RAND_CTX *ctx) 41 { 42 if (!TEST_ptr(fake_rand_bytes) || !TEST_size_t_gt(fake_rand_size, 0)) 43 return 0; 44 45 while (num-- > 0) { 46 if (fake_rand_bytes_offset >= fake_rand_size) 47 fake_rand_bytes_offset = 0; 48 *buf++ = fake_rand_bytes[fake_rand_bytes_offset++]; 49 } 50 51 return 1; 52 } 53 54 static int start_fake_rand(const char *hex_bytes) 55 { 56 OPENSSL_free(fake_rand_bytes); 57 fake_rand_bytes_offset = 0; 58 fake_rand_size = strlen(hex_bytes) / 2; 59 if (!TEST_ptr(fake_rand_bytes = OPENSSL_hexstr2buf(hex_bytes, NULL))) 60 return 0; 61 62 /* use own random function */ 63 fake_rand_set_public_private_callbacks(NULL, get_faked_bytes); 64 return 1; 65 66 } 67 68 static void restore_rand(void) 69 { 70 fake_rand_set_public_private_callbacks(NULL, NULL); 71 OPENSSL_free(fake_rand_bytes); 72 fake_rand_bytes = NULL; 73 fake_rand_bytes_offset = 0; 74 } 75 76 static EC_GROUP *create_EC_group(const char *p_hex, const char *a_hex, 77 const char *b_hex, const char *x_hex, 78 const char *y_hex, const char *order_hex, 79 const char *cof_hex) 80 { 81 BIGNUM *p = NULL; 82 BIGNUM *a = NULL; 83 BIGNUM *b = NULL; 84 BIGNUM *g_x = NULL; 85 BIGNUM *g_y = NULL; 86 BIGNUM *order = NULL; 87 BIGNUM *cof = NULL; 88 EC_POINT *generator = NULL; 89 EC_GROUP *group = NULL; 90 int ok = 0; 91 92 if (!TEST_true(BN_hex2bn(&p, p_hex)) 93 || !TEST_true(BN_hex2bn(&a, a_hex)) 94 || !TEST_true(BN_hex2bn(&b, b_hex))) 95 goto done; 96 97 group = EC_GROUP_new_curve_GFp(p, a, b, NULL); 98 if (!TEST_ptr(group)) 99 goto done; 100 101 generator = EC_POINT_new(group); 102 if (!TEST_ptr(generator)) 103 goto done; 104 105 if (!TEST_true(BN_hex2bn(&g_x, x_hex)) 106 || !TEST_true(BN_hex2bn(&g_y, y_hex)) 107 || !TEST_true(EC_POINT_set_affine_coordinates(group, generator, g_x, 108 g_y, NULL))) 109 goto done; 110 111 if (!TEST_true(BN_hex2bn(&order, order_hex)) 112 || !TEST_true(BN_hex2bn(&cof, cof_hex)) 113 || !TEST_true(EC_GROUP_set_generator(group, generator, order, cof))) 114 goto done; 115 116 ok = 1; 117 done: 118 BN_free(p); 119 BN_free(a); 120 BN_free(b); 121 BN_free(g_x); 122 BN_free(g_y); 123 EC_POINT_free(generator); 124 BN_free(order); 125 BN_free(cof); 126 if (!ok) { 127 EC_GROUP_free(group); 128 group = NULL; 129 } 130 131 return group; 132 } 133 134 static int test_sm2_crypt(const EC_GROUP *group, 135 const EVP_MD *digest, 136 const char *privkey_hex, 137 const char *message, 138 const char *k_hex, const char *ctext_hex) 139 { 140 const size_t msg_len = strlen(message); 141 BIGNUM *priv = NULL; 142 EC_KEY *key = NULL; 143 EC_POINT *pt = NULL; 144 unsigned char *expected = OPENSSL_hexstr2buf(ctext_hex, NULL); 145 size_t ctext_len = 0; 146 size_t ptext_len = 0; 147 uint8_t *ctext = NULL; 148 uint8_t *recovered = NULL; 149 size_t recovered_len = msg_len; 150 int rc = 0; 151 152 if (!TEST_ptr(expected) 153 || !TEST_true(BN_hex2bn(&priv, privkey_hex))) 154 goto done; 155 156 key = EC_KEY_new(); 157 if (!TEST_ptr(key) 158 || !TEST_true(EC_KEY_set_group(key, group)) 159 || !TEST_true(EC_KEY_set_private_key(key, priv))) 160 goto done; 161 162 pt = EC_POINT_new(group); 163 if (!TEST_ptr(pt) 164 || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) 165 || !TEST_true(EC_KEY_set_public_key(key, pt)) 166 || !TEST_true(ossl_sm2_ciphertext_size(key, digest, msg_len, 167 &ctext_len))) 168 goto done; 169 170 ctext = OPENSSL_zalloc(ctext_len); 171 if (!TEST_ptr(ctext)) 172 goto done; 173 174 start_fake_rand(k_hex); 175 if (!TEST_true(ossl_sm2_encrypt(key, digest, 176 (const uint8_t *)message, msg_len, 177 ctext, &ctext_len))) { 178 restore_rand(); 179 goto done; 180 } 181 restore_rand(); 182 183 if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len)) 184 goto done; 185 186 if (!TEST_true(ossl_sm2_plaintext_size(ctext, ctext_len, &ptext_len)) 187 || !TEST_int_eq(ptext_len, msg_len)) 188 goto done; 189 190 recovered = OPENSSL_zalloc(ptext_len); 191 if (!TEST_ptr(recovered) 192 || !TEST_true(ossl_sm2_decrypt(key, digest, ctext, ctext_len, 193 recovered, &recovered_len)) 194 || !TEST_int_eq(recovered_len, msg_len) 195 || !TEST_mem_eq(recovered, recovered_len, message, msg_len)) 196 goto done; 197 198 rc = 1; 199 done: 200 BN_free(priv); 201 EC_POINT_free(pt); 202 OPENSSL_free(ctext); 203 OPENSSL_free(recovered); 204 OPENSSL_free(expected); 205 EC_KEY_free(key); 206 return rc; 207 } 208 209 static int sm2_crypt_test(void) 210 { 211 int testresult = 0; 212 EC_GROUP *gm_group = NULL; 213 EC_GROUP *test_group = 214 create_EC_group 215 ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", 216 "787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498", 217 "63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A", 218 "421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D", 219 "0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2", 220 "8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7", 221 "1"); 222 223 if (!TEST_ptr(test_group)) 224 goto done; 225 226 if (!test_sm2_crypt( 227 test_group, 228 EVP_sm3(), 229 "1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0", 230 "encryption standard", 231 "004C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F" 232 "0092e8ff62146873c258557548500ab2df2a365e0609ab67640a1f6d57d7b17820" 233 "008349312695a3e1d2f46905f39a766487f2432e95d6be0cb009fe8c69fd8825a7", 234 "307B0220245C26FB68B1DDDDB12C4B6BF9F2B6D5FE60A383B0D18D1C4144ABF1" 235 "7F6252E7022076CB9264C2A7E88E52B19903FDC47378F605E36811F5C07423A2" 236 "4B84400F01B804209C3D7360C30156FAB7C80A0276712DA9D8094A634B766D3A" 237 "285E07480653426D0413650053A89B41C418B0C3AAD00D886C00286467")) 238 goto done; 239 240 /* Same test as above except using SHA-256 instead of SM3 */ 241 if (!test_sm2_crypt( 242 test_group, 243 EVP_sha256(), 244 "1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0", 245 "encryption standard", 246 "004C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F" 247 "003da18008784352192d70f22c26c243174a447ba272fec64163dd4742bae8bc98" 248 "00df17605cf304e9dd1dfeb90c015e93b393a6f046792f790a6fa4228af67d9588", 249 "307B0220245C26FB68B1DDDDB12C4B6BF9F2B6D5FE60A383B0D18D1C4144ABF17F" 250 "6252E7022076CB9264C2A7E88E52B19903FDC47378F605E36811F5C07423A24B84" 251 "400F01B80420BE89139D07853100EFA763F60CBE30099EA3DF7F8F364F9D10A5E9" 252 "88E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33")) 253 goto done; 254 255 /* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/ 256 gm_group = create_EC_group( 257 "fffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", 258 "fffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", 259 "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", 260 "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", 261 "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", 262 "fffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", 263 "1"); 264 265 if (!TEST_ptr(gm_group)) 266 goto done; 267 268 if (!test_sm2_crypt( 269 gm_group, 270 EVP_sm3(), 271 /* privkey (from which the encrypting public key is derived) */ 272 "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", 273 /* plaintext message */ 274 "encryption standard", 275 /* ephemeral nonce k */ 276 "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", 277 /* 278 * expected ciphertext, the field values are from GM/T 0003.5-2012 279 * (Annex C), but serialized following the ASN.1 format specified 280 * in GM/T 0009-2012 (Sec. 7.2). 281 */ 282 "307C" /* SEQUENCE, 0x7c bytes */ 283 "0220" /* INTEGER, 0x20 bytes */ 284 "04EBFC718E8D1798620432268E77FEB6415E2EDE0E073C0F4F640ECD2E149A73" 285 "0221" /* INTEGER, 0x21 bytes */ 286 "00" /* leading 00 due to DER for pos. int with topmost bit set */ 287 "E858F9D81E5430A57B36DAAB8F950A3C64E6EE6A63094D99283AFF767E124DF0" 288 "0420" /* OCTET STRING, 0x20 bytes */ 289 "59983C18F809E262923C53AEC295D30383B54E39D609D160AFCB1908D0BD8766" 290 "0413" /* OCTET STRING, 0x13 bytes */ 291 "21886CA989CA9C7D58087307CA93092D651EFA")) 292 goto done; 293 294 testresult = 1; 295 done: 296 EC_GROUP_free(test_group); 297 EC_GROUP_free(gm_group); 298 299 return testresult; 300 } 301 302 static int test_sm2_sign(const EC_GROUP *group, 303 const char *userid, 304 const char *privkey_hex, 305 const char *message, 306 const char *k_hex, 307 const char *r_hex, 308 const char *s_hex) 309 { 310 const size_t msg_len = strlen(message); 311 int ok = 0; 312 BIGNUM *priv = NULL; 313 EC_POINT *pt = NULL; 314 EC_KEY *key = NULL; 315 ECDSA_SIG *sig = NULL; 316 const BIGNUM *sig_r = NULL; 317 const BIGNUM *sig_s = NULL; 318 BIGNUM *r = NULL; 319 BIGNUM *s = NULL; 320 321 if (!TEST_true(BN_hex2bn(&priv, privkey_hex))) 322 goto done; 323 324 key = EC_KEY_new(); 325 if (!TEST_ptr(key) 326 || !TEST_true(EC_KEY_set_group(key, group)) 327 || !TEST_true(EC_KEY_set_private_key(key, priv))) 328 goto done; 329 330 pt = EC_POINT_new(group); 331 if (!TEST_ptr(pt) 332 || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) 333 || !TEST_true(EC_KEY_set_public_key(key, pt))) 334 goto done; 335 336 start_fake_rand(k_hex); 337 sig = ossl_sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, 338 strlen(userid), (const uint8_t *)message, msg_len); 339 if (!TEST_ptr(sig)) { 340 restore_rand(); 341 goto done; 342 } 343 restore_rand(); 344 345 ECDSA_SIG_get0(sig, &sig_r, &sig_s); 346 347 if (!TEST_true(BN_hex2bn(&r, r_hex)) 348 || !TEST_true(BN_hex2bn(&s, s_hex)) 349 || !TEST_BN_eq(r, sig_r) 350 || !TEST_BN_eq(s, sig_s)) 351 goto done; 352 353 ok = ossl_sm2_do_verify(key, EVP_sm3(), sig, (const uint8_t *)userid, 354 strlen(userid), (const uint8_t *)message, msg_len); 355 356 /* We goto done whether this passes or fails */ 357 TEST_true(ok); 358 359 done: 360 ECDSA_SIG_free(sig); 361 EC_POINT_free(pt); 362 EC_KEY_free(key); 363 BN_free(priv); 364 BN_free(r); 365 BN_free(s); 366 367 return ok; 368 } 369 370 static int sm2_sig_test(void) 371 { 372 int testresult = 0; 373 /* From draft-shen-sm2-ecdsa-02 */ 374 EC_GROUP *test_group = 375 create_EC_group 376 ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", 377 "787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498", 378 "63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A", 379 "421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D", 380 "0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2", 381 "8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7", 382 "1"); 383 384 if (!TEST_ptr(test_group)) 385 goto done; 386 387 if (!TEST_true(test_sm2_sign( 388 test_group, 389 "ALICE123@YAHOO.COM", 390 "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263", 391 "message digest", 392 "006CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F" 393 "007c47811054c6f99613a578eb8453706ccb96384fe7df5c171671e760bfa8be3a", 394 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1", 395 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7"))) 396 goto done; 397 398 testresult = 1; 399 400 done: 401 EC_GROUP_free(test_group); 402 403 return testresult; 404 } 405 406 #endif 407 408 int setup_tests(void) 409 { 410 #ifdef OPENSSL_NO_SM2 411 TEST_note("SM2 is disabled."); 412 #else 413 fake_rand = fake_rand_start(NULL); 414 if (fake_rand == NULL) 415 return 0; 416 417 ADD_TEST(sm2_crypt_test); 418 ADD_TEST(sm2_sig_test); 419 #endif 420 return 1; 421 } 422 423 void cleanup_tests(void) 424 { 425 #ifndef OPENSSL_NO_SM2 426 fake_rand_finish(fake_rand); 427 #endif 428 } 429