]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * ECDSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
16 | #include "internal/cryptlib.h" | |
17 | #include <openssl/asn1t.h> | |
18 | #include <openssl/ec.h> | |
19 | #include <openssl/evp.h> | |
20 | #include "crypto/evp.h" | |
21 | #include "crypto/sm2.h" | |
22 | #include "crypto/sm2err.h" | |
23 | ||
24 | /* EC pkey context structure */ | |
25 | ||
26 | typedef struct { | |
27 | /* message digest */ | |
28 | const EVP_MD *md; | |
29 | /* Distinguishing Identifier, ISO/IEC 15946-3, FIPS 196 */ | |
30 | uint8_t *id; | |
31 | size_t id_len; | |
32 | /* id_set indicates if the 'id' field is set (1) or not (0) */ | |
33 | int id_set; | |
34 | } SM2_PKEY_CTX; | |
35 | ||
36 | static int pkey_sm2_init(EVP_PKEY_CTX *ctx) | |
37 | { | |
38 | SM2_PKEY_CTX *smctx; | |
39 | ||
40 | if ((smctx = OPENSSL_zalloc(sizeof(*smctx))) == NULL) { | |
41 | SM2err(SM2_F_PKEY_SM2_INIT, ERR_R_MALLOC_FAILURE); | |
42 | return 0; | |
43 | } | |
44 | ||
45 | ctx->data = smctx; | |
46 | return 1; | |
47 | } | |
48 | ||
49 | static void pkey_sm2_cleanup(EVP_PKEY_CTX *ctx) | |
50 | { | |
51 | SM2_PKEY_CTX *smctx = ctx->data; | |
52 | ||
53 | if (smctx != NULL) { | |
54 | OPENSSL_free(smctx->id); | |
55 | OPENSSL_free(smctx); | |
56 | ctx->data = NULL; | |
57 | } | |
58 | } | |
59 | ||
60 | static int pkey_sm2_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) | |
61 | { | |
62 | SM2_PKEY_CTX *dctx, *sctx; | |
63 | ||
64 | if (!pkey_sm2_init(dst)) | |
65 | return 0; | |
66 | sctx = src->data; | |
67 | dctx = dst->data; | |
68 | if (sctx->id != NULL) { | |
69 | dctx->id = OPENSSL_malloc(sctx->id_len); | |
70 | if (dctx->id == NULL) { | |
71 | SM2err(SM2_F_PKEY_SM2_COPY, ERR_R_MALLOC_FAILURE); | |
72 | pkey_sm2_cleanup(dst); | |
73 | return 0; | |
74 | } | |
75 | memcpy(dctx->id, sctx->id, sctx->id_len); | |
76 | } | |
77 | dctx->id_len = sctx->id_len; | |
78 | dctx->id_set = sctx->id_set; | |
79 | dctx->md = sctx->md; | |
80 | ||
81 | return 1; | |
82 | } | |
83 | ||
84 | static int pkey_sm2_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, | |
85 | const unsigned char *tbs, size_t tbslen) | |
86 | { | |
87 | int ret; | |
88 | unsigned int sltmp; | |
89 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
90 | const int sig_sz = ECDSA_size(ctx->pkey->pkey.ec); | |
91 | ||
92 | if (sig_sz <= 0) { | |
93 | return 0; | |
94 | } | |
95 | ||
96 | if (sig == NULL) { | |
97 | *siglen = (size_t)sig_sz; | |
98 | return 1; | |
99 | } | |
100 | ||
101 | if (*siglen < (size_t)sig_sz) { | |
102 | SM2err(SM2_F_PKEY_SM2_SIGN, SM2_R_BUFFER_TOO_SMALL); | |
103 | return 0; | |
104 | } | |
105 | ||
106 | ret = sm2_sign(tbs, tbslen, sig, &sltmp, ec); | |
107 | ||
108 | if (ret <= 0) | |
109 | return ret; | |
110 | *siglen = (size_t)sltmp; | |
111 | return 1; | |
112 | } | |
113 | ||
114 | static int pkey_sm2_verify(EVP_PKEY_CTX *ctx, | |
115 | const unsigned char *sig, size_t siglen, | |
116 | const unsigned char *tbs, size_t tbslen) | |
117 | { | |
118 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
119 | ||
120 | return sm2_verify(tbs, tbslen, sig, siglen, ec); | |
121 | } | |
122 | ||
123 | static int pkey_sm2_encrypt(EVP_PKEY_CTX *ctx, | |
124 | unsigned char *out, size_t *outlen, | |
125 | const unsigned char *in, size_t inlen) | |
126 | { | |
127 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
128 | SM2_PKEY_CTX *dctx = ctx->data; | |
129 | const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md; | |
130 | ||
131 | if (out == NULL) { | |
132 | if (!sm2_ciphertext_size(ec, md, inlen, outlen)) | |
133 | return -1; | |
134 | else | |
135 | return 1; | |
136 | } | |
137 | ||
138 | return sm2_encrypt(ec, md, in, inlen, out, outlen); | |
139 | } | |
140 | ||
141 | static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx, | |
142 | unsigned char *out, size_t *outlen, | |
143 | const unsigned char *in, size_t inlen) | |
144 | { | |
145 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
146 | SM2_PKEY_CTX *dctx = ctx->data; | |
147 | const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md; | |
148 | ||
149 | if (out == NULL) { | |
150 | if (!sm2_plaintext_size(ec, md, inlen, outlen)) | |
151 | return -1; | |
152 | else | |
153 | return 1; | |
154 | } | |
155 | ||
156 | return sm2_decrypt(ec, md, in, inlen, out, outlen); | |
157 | } | |
158 | ||
159 | static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) | |
160 | { | |
161 | SM2_PKEY_CTX *smctx = ctx->data; | |
162 | uint8_t *tmp_id; | |
163 | ||
164 | switch (type) { | |
165 | case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: | |
166 | /* | |
167 | * This control could be removed, which would signal it being | |
168 | * unsupported. However, that means that when the caller uses | |
169 | * the correct curve, it may interpret the unsupported signal | |
170 | * as an error, so it's better to accept the control, check the | |
171 | * value and return a corresponding value. | |
172 | */ | |
173 | if (p1 != NID_sm2) { | |
174 | SM2err(SM2_F_PKEY_SM2_CTRL, SM2_R_INVALID_CURVE); | |
175 | return 0; | |
176 | } | |
177 | return 1; | |
178 | ||
179 | case EVP_PKEY_CTRL_MD: | |
180 | smctx->md = p2; | |
181 | return 1; | |
182 | ||
183 | case EVP_PKEY_CTRL_GET_MD: | |
184 | *(const EVP_MD **)p2 = smctx->md; | |
185 | return 1; | |
186 | ||
187 | case EVP_PKEY_CTRL_SET1_ID: | |
188 | if (p1 > 0) { | |
189 | tmp_id = OPENSSL_malloc(p1); | |
190 | if (tmp_id == NULL) { | |
191 | SM2err(SM2_F_PKEY_SM2_CTRL, ERR_R_MALLOC_FAILURE); | |
192 | return 0; | |
193 | } | |
194 | memcpy(tmp_id, p2, p1); | |
195 | OPENSSL_free(smctx->id); | |
196 | smctx->id = tmp_id; | |
197 | } else { | |
198 | /* set null-ID */ | |
199 | OPENSSL_free(smctx->id); | |
200 | smctx->id = NULL; | |
201 | } | |
202 | smctx->id_len = (size_t)p1; | |
203 | smctx->id_set = 1; | |
204 | return 1; | |
205 | ||
206 | case EVP_PKEY_CTRL_GET1_ID: | |
207 | memcpy(p2, smctx->id, smctx->id_len); | |
208 | return 1; | |
209 | ||
210 | case EVP_PKEY_CTRL_GET1_ID_LEN: | |
211 | *(size_t *)p2 = smctx->id_len; | |
212 | return 1; | |
213 | ||
214 | case EVP_PKEY_CTRL_DIGESTINIT: | |
215 | /* nothing to be inited, this is to suppress the error... */ | |
216 | return 1; | |
217 | ||
218 | default: | |
219 | return -2; | |
220 | } | |
221 | } | |
222 | ||
223 | static int pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx, | |
224 | const char *type, const char *value) | |
225 | { | |
226 | uint8_t *hex_id; | |
227 | long hex_len = 0; | |
228 | int ret = 0; | |
229 | ||
230 | if (strcmp(type, "ec_paramgen_curve") == 0) { | |
231 | int nid = NID_undef; | |
232 | ||
233 | if (((nid = EC_curve_nist2nid(value)) == NID_undef) | |
234 | && ((nid = OBJ_sn2nid(value)) == NID_undef) | |
235 | && ((nid = OBJ_ln2nid(value)) == NID_undef)) { | |
236 | SM2err(SM2_F_PKEY_SM2_CTRL_STR, SM2_R_INVALID_CURVE); | |
237 | return 0; | |
238 | } | |
239 | return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid); | |
240 | } else if (strcmp(type, "ec_param_enc") == 0) { | |
241 | int param_enc; | |
242 | ||
243 | if (strcmp(value, "explicit") == 0) | |
244 | param_enc = 0; | |
245 | else if (strcmp(value, "named_curve") == 0) | |
246 | param_enc = OPENSSL_EC_NAMED_CURVE; | |
247 | else | |
248 | return -2; | |
249 | return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc); | |
250 | } else if (strcmp(type, "distid") == 0) { | |
251 | return pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID, | |
252 | (int)strlen(value), (void *)value); | |
253 | } else if (strcmp(type, "hexdistid") == 0) { | |
254 | hex_id = OPENSSL_hexstr2buf((const char *)value, &hex_len); | |
255 | if (hex_id == NULL) { | |
256 | SM2err(SM2_F_PKEY_SM2_CTRL_STR, ERR_R_PASSED_INVALID_ARGUMENT); | |
257 | return 0; | |
258 | } | |
259 | ret = pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID, (int)hex_len, | |
260 | (void *)hex_id); | |
261 | OPENSSL_free(hex_id); | |
262 | return ret; | |
263 | } | |
264 | ||
265 | return -2; | |
266 | } | |
267 | ||
268 | static int pkey_sm2_digest_custom(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx) | |
269 | { | |
270 | uint8_t z[EVP_MAX_MD_SIZE]; | |
271 | SM2_PKEY_CTX *smctx = ctx->data; | |
272 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
273 | const EVP_MD *md = EVP_MD_CTX_md(mctx); | |
274 | int mdlen = EVP_MD_size(md); | |
275 | ||
276 | if (!smctx->id_set) { | |
277 | /* | |
278 | * An ID value must be set. The specifications are not clear whether a | |
279 | * NULL is allowed. We only allow it if set explicitly for maximum | |
280 | * flexibility. | |
281 | */ | |
282 | SM2err(SM2_F_PKEY_SM2_DIGEST_CUSTOM, SM2_R_ID_NOT_SET); | |
283 | return 0; | |
284 | } | |
285 | ||
286 | if (mdlen < 0) { | |
287 | SM2err(SM2_F_PKEY_SM2_DIGEST_CUSTOM, SM2_R_INVALID_DIGEST); | |
288 | return 0; | |
289 | } | |
290 | ||
291 | /* get hashed prefix 'z' of tbs message */ | |
292 | if (!sm2_compute_z_digest(z, md, smctx->id, smctx->id_len, ec)) | |
293 | return 0; | |
294 | ||
295 | return EVP_DigestUpdate(mctx, z, (size_t)mdlen); | |
296 | } | |
297 | ||
298 | static int pkey_sm2_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) | |
299 | { | |
300 | EC_KEY *ec = NULL; | |
301 | int ret; | |
302 | ||
303 | ec = EC_KEY_new_by_curve_name(NID_sm2); | |
304 | if (ec == NULL) | |
305 | return 0; | |
306 | if (!ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec))) | |
307 | EC_KEY_free(ec); | |
308 | return ret; | |
309 | } | |
310 | ||
311 | static int pkey_sm2_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) | |
312 | { | |
313 | EC_KEY *ec = NULL; | |
314 | ||
315 | ec = EC_KEY_new_by_curve_name(NID_sm2); | |
316 | if (ec == NULL) | |
317 | return 0; | |
318 | if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) { | |
319 | EC_KEY_free(ec); | |
320 | return 0; | |
321 | } | |
322 | /* Note: if error is returned, we count on caller to free pkey->pkey.ec */ | |
323 | if (ctx->pkey != NULL | |
324 | && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) | |
325 | return 0; | |
326 | ||
327 | return EC_KEY_generate_key(ec); | |
328 | } | |
329 | ||
330 | static const EVP_PKEY_METHOD sm2_pkey_meth = { | |
331 | EVP_PKEY_SM2, | |
332 | 0, | |
333 | pkey_sm2_init, | |
334 | pkey_sm2_copy, | |
335 | pkey_sm2_cleanup, | |
336 | ||
337 | 0, | |
338 | pkey_sm2_paramgen, | |
339 | ||
340 | 0, | |
341 | pkey_sm2_keygen, | |
342 | ||
343 | 0, | |
344 | pkey_sm2_sign, | |
345 | ||
346 | 0, | |
347 | pkey_sm2_verify, | |
348 | ||
349 | 0, 0, | |
350 | ||
351 | 0, 0, 0, 0, | |
352 | ||
353 | 0, | |
354 | pkey_sm2_encrypt, | |
355 | ||
356 | 0, | |
357 | pkey_sm2_decrypt, | |
358 | ||
359 | 0, | |
360 | 0, | |
361 | pkey_sm2_ctrl, | |
362 | pkey_sm2_ctrl_str, | |
363 | ||
364 | 0, 0, | |
365 | ||
366 | 0, 0, 0, | |
367 | ||
368 | pkey_sm2_digest_custom | |
369 | }; | |
370 | ||
371 | const EVP_PKEY_METHOD *sm2_pkey_method(void) | |
372 | { | |
373 | return &sm2_pkey_meth; | |
374 | } |