]>
Commit | Line | Data |
---|---|---|
ddb634fe | 1 | /* |
33388b44 | 2 | * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. |
ddb634fe | 3 | * |
f9f859ad | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
ddb634fe JL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
579422c8 P |
10 | /* |
11 | * ECDSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
ddb634fe JL |
16 | #include "internal/cryptlib.h" |
17 | #include <openssl/asn1t.h> | |
18 | #include <openssl/ec.h> | |
19 | #include <openssl/evp.h> | |
25f2138b DMSP |
20 | #include "crypto/evp.h" |
21 | #include "crypto/sm2.h" | |
22 | #include "crypto/sm2err.h" | |
ddb634fe JL |
23 | |
24 | /* EC pkey context structure */ | |
25 | ||
26 | typedef struct { | |
ddb634fe JL |
27 | /* message digest */ |
28 | const EVP_MD *md; | |
123c2fef | 29 | /* Distinguishing Identifier, ISO/IEC 15946-3, FIPS 196 */ |
00433bad PY |
30 | uint8_t *id; |
31 | size_t id_len; | |
4803717f PY |
32 | /* id_set indicates if the 'id' field is set (1) or not (0) */ |
33 | int id_set; | |
ddb634fe JL |
34 | } SM2_PKEY_CTX; |
35 | ||
36 | static int pkey_sm2_init(EVP_PKEY_CTX *ctx) | |
37 | { | |
4803717f | 38 | SM2_PKEY_CTX *smctx; |
ddb634fe | 39 | |
4803717f | 40 | if ((smctx = OPENSSL_zalloc(sizeof(*smctx))) == NULL) { |
ddb634fe JL |
41 | SM2err(SM2_F_PKEY_SM2_INIT, ERR_R_MALLOC_FAILURE); |
42 | return 0; | |
43 | } | |
44 | ||
4803717f | 45 | ctx->data = smctx; |
ddb634fe JL |
46 | return 1; |
47 | } | |
48 | ||
49 | static void pkey_sm2_cleanup(EVP_PKEY_CTX *ctx) | |
50 | { | |
4803717f | 51 | SM2_PKEY_CTX *smctx = ctx->data; |
ddb634fe | 52 | |
4803717f | 53 | if (smctx != NULL) { |
4803717f PY |
54 | OPENSSL_free(smctx->id); |
55 | OPENSSL_free(smctx); | |
ddb634fe JL |
56 | ctx->data = NULL; |
57 | } | |
58 | } | |
59 | ||
9fdcc21f | 60 | static int pkey_sm2_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) |
ddb634fe JL |
61 | { |
62 | SM2_PKEY_CTX *dctx, *sctx; | |
63 | ||
64 | if (!pkey_sm2_init(dst)) | |
65 | return 0; | |
66 | sctx = src->data; | |
67 | dctx = dst->data; | |
4803717f PY |
68 | if (sctx->id != NULL) { |
69 | dctx->id = OPENSSL_malloc(sctx->id_len); | |
70 | if (dctx->id == NULL) { | |
f922dac8 | 71 | SM2err(SM2_F_PKEY_SM2_COPY, ERR_R_MALLOC_FAILURE); |
4803717f PY |
72 | pkey_sm2_cleanup(dst); |
73 | return 0; | |
74 | } | |
75 | memcpy(dctx->id, sctx->id, sctx->id_len); | |
76 | } | |
77 | dctx->id_len = sctx->id_len; | |
78 | dctx->id_set = sctx->id_set; | |
ddb634fe JL |
79 | dctx->md = sctx->md; |
80 | ||
81 | return 1; | |
82 | } | |
83 | ||
84 | static int pkey_sm2_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, | |
85 | const unsigned char *tbs, size_t tbslen) | |
86 | { | |
87 | int ret; | |
88 | unsigned int sltmp; | |
89 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
90 | const int sig_sz = ECDSA_size(ctx->pkey->pkey.ec); | |
91 | ||
92 | if (sig_sz <= 0) { | |
93 | return 0; | |
94 | } | |
95 | ||
96 | if (sig == NULL) { | |
97 | *siglen = (size_t)sig_sz; | |
98 | return 1; | |
99 | } | |
100 | ||
101 | if (*siglen < (size_t)sig_sz) { | |
102 | SM2err(SM2_F_PKEY_SM2_SIGN, SM2_R_BUFFER_TOO_SMALL); | |
103 | return 0; | |
104 | } | |
105 | ||
106 | ret = sm2_sign(tbs, tbslen, sig, &sltmp, ec); | |
107 | ||
108 | if (ret <= 0) | |
109 | return ret; | |
110 | *siglen = (size_t)sltmp; | |
111 | return 1; | |
112 | } | |
113 | ||
114 | static int pkey_sm2_verify(EVP_PKEY_CTX *ctx, | |
115 | const unsigned char *sig, size_t siglen, | |
116 | const unsigned char *tbs, size_t tbslen) | |
117 | { | |
118 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
119 | ||
120 | return sm2_verify(tbs, tbslen, sig, siglen, ec); | |
121 | } | |
122 | ||
123 | static int pkey_sm2_encrypt(EVP_PKEY_CTX *ctx, | |
124 | unsigned char *out, size_t *outlen, | |
125 | const unsigned char *in, size_t inlen) | |
126 | { | |
127 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
128 | SM2_PKEY_CTX *dctx = ctx->data; | |
129 | const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md; | |
130 | ||
131 | if (out == NULL) { | |
132 | if (!sm2_ciphertext_size(ec, md, inlen, outlen)) | |
133 | return -1; | |
134 | else | |
135 | return 1; | |
136 | } | |
137 | ||
138 | return sm2_encrypt(ec, md, in, inlen, out, outlen); | |
139 | } | |
140 | ||
141 | static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx, | |
142 | unsigned char *out, size_t *outlen, | |
143 | const unsigned char *in, size_t inlen) | |
144 | { | |
145 | EC_KEY *ec = ctx->pkey->pkey.ec; | |
146 | SM2_PKEY_CTX *dctx = ctx->data; | |
147 | const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md; | |
148 | ||
149 | if (out == NULL) { | |
150 | if (!sm2_plaintext_size(ec, md, inlen, outlen)) | |
151 | return -1; | |
152 | else | |
153 | return 1; | |
154 | } | |
155 | ||
156 | return sm2_decrypt(ec, md, in, inlen, out, outlen); | |
157 | } | |
158 | ||
159 | static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) | |
160 | { | |
4803717f | 161 | SM2_PKEY_CTX *smctx = ctx->data; |
675f4cee | 162 | uint8_t *tmp_id; |
ddb634fe JL |
163 | |
164 | switch (type) { | |
165 | case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: | |
0943d5dd RL |
166 | /* |
167 | * This control could be removed, which would signal it being | |
168 | * unsupported. However, that means that when the caller uses | |
169 | * the correct curve, it may interpret the unsupported signal | |
170 | * as an error, so it's better to accept the control, check the | |
171 | * value and return a corresponding value. | |
172 | */ | |
173 | if (p1 != NID_sm2) { | |
ddb634fe JL |
174 | SM2err(SM2_F_PKEY_SM2_CTRL, SM2_R_INVALID_CURVE); |
175 | return 0; | |
176 | } | |
ddb634fe JL |
177 | return 1; |
178 | ||
179 | case EVP_PKEY_CTRL_MD: | |
4803717f | 180 | smctx->md = p2; |
ddb634fe JL |
181 | return 1; |
182 | ||
183 | case EVP_PKEY_CTRL_GET_MD: | |
4803717f PY |
184 | *(const EVP_MD **)p2 = smctx->md; |
185 | return 1; | |
186 | ||
187 | case EVP_PKEY_CTRL_SET1_ID: | |
4803717f | 188 | if (p1 > 0) { |
675f4cee | 189 | tmp_id = OPENSSL_malloc(p1); |
f922dac8 PY |
190 | if (tmp_id == NULL) { |
191 | SM2err(SM2_F_PKEY_SM2_CTRL, ERR_R_MALLOC_FAILURE); | |
4803717f | 192 | return 0; |
f922dac8 | 193 | } |
675f4cee PY |
194 | memcpy(tmp_id, p2, p1); |
195 | OPENSSL_free(smctx->id); | |
196 | smctx->id = tmp_id; | |
4803717f PY |
197 | } else { |
198 | /* set null-ID */ | |
675f4cee | 199 | OPENSSL_free(smctx->id); |
4803717f PY |
200 | smctx->id = NULL; |
201 | } | |
202 | smctx->id_len = (size_t)p1; | |
203 | smctx->id_set = 1; | |
204 | return 1; | |
205 | ||
206 | case EVP_PKEY_CTRL_GET1_ID: | |
207 | memcpy(p2, smctx->id, smctx->id_len); | |
208 | return 1; | |
209 | ||
210 | case EVP_PKEY_CTRL_GET1_ID_LEN: | |
211 | *(size_t *)p2 = smctx->id_len; | |
ddb634fe JL |
212 | return 1; |
213 | ||
8267becb | 214 | case EVP_PKEY_CTRL_DIGESTINIT: |
215 | /* nothing to be inited, this is to suppress the error... */ | |
216 | return 1; | |
217 | ||
ddb634fe JL |
218 | default: |
219 | return -2; | |
ddb634fe JL |
220 | } |
221 | } | |
222 | ||
223 | static int pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx, | |
224 | const char *type, const char *value) | |
225 | { | |
a45eb7e8 PY |
226 | uint8_t *hex_id; |
227 | long hex_len = 0; | |
228 | int ret = 0; | |
229 | ||
ddb634fe JL |
230 | if (strcmp(type, "ec_paramgen_curve") == 0) { |
231 | int nid = NID_undef; | |
232 | ||
233 | if (((nid = EC_curve_nist2nid(value)) == NID_undef) | |
234 | && ((nid = OBJ_sn2nid(value)) == NID_undef) | |
235 | && ((nid = OBJ_ln2nid(value)) == NID_undef)) { | |
236 | SM2err(SM2_F_PKEY_SM2_CTRL_STR, SM2_R_INVALID_CURVE); | |
237 | return 0; | |
238 | } | |
239 | return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid); | |
240 | } else if (strcmp(type, "ec_param_enc") == 0) { | |
241 | int param_enc; | |
242 | ||
243 | if (strcmp(value, "explicit") == 0) | |
244 | param_enc = 0; | |
245 | else if (strcmp(value, "named_curve") == 0) | |
246 | param_enc = OPENSSL_EC_NAMED_CURVE; | |
247 | else | |
248 | return -2; | |
249 | return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc); | |
123c2fef | 250 | } else if (strcmp(type, "distid") == 0) { |
a7cef52f PY |
251 | return pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID, |
252 | (int)strlen(value), (void *)value); | |
123c2fef | 253 | } else if (strcmp(type, "hexdistid") == 0) { |
a45eb7e8 PY |
254 | hex_id = OPENSSL_hexstr2buf((const char *)value, &hex_len); |
255 | if (hex_id == NULL) { | |
256 | SM2err(SM2_F_PKEY_SM2_CTRL_STR, ERR_R_PASSED_INVALID_ARGUMENT); | |
257 | return 0; | |
258 | } | |
259 | ret = pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID, (int)hex_len, | |
260 | (void *)hex_id); | |
261 | OPENSSL_free(hex_id); | |
262 | return ret; | |
ddb634fe JL |
263 | } |
264 | ||
265 | return -2; | |
266 | } | |
267 | ||
00433bad PY |
268 | static int pkey_sm2_digest_custom(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx) |
269 | { | |
270 | uint8_t z[EVP_MAX_MD_SIZE]; | |
4803717f | 271 | SM2_PKEY_CTX *smctx = ctx->data; |
00433bad PY |
272 | EC_KEY *ec = ctx->pkey->pkey.ec; |
273 | const EVP_MD *md = EVP_MD_CTX_md(mctx); | |
d689f313 | 274 | int mdlen = EVP_MD_size(md); |
00433bad | 275 | |
4803717f PY |
276 | if (!smctx->id_set) { |
277 | /* | |
278 | * An ID value must be set. The specifications are not clear whether a | |
279 | * NULL is allowed. We only allow it if set explicitly for maximum | |
280 | * flexibility. | |
00433bad | 281 | */ |
675f4cee | 282 | SM2err(SM2_F_PKEY_SM2_DIGEST_CUSTOM, SM2_R_ID_NOT_SET); |
00433bad PY |
283 | return 0; |
284 | } | |
285 | ||
d689f313 MC |
286 | if (mdlen < 0) { |
287 | SM2err(SM2_F_PKEY_SM2_DIGEST_CUSTOM, SM2_R_INVALID_DIGEST); | |
288 | return 0; | |
289 | } | |
290 | ||
4803717f PY |
291 | /* get hashed prefix 'z' of tbs message */ |
292 | if (!sm2_compute_z_digest(z, md, smctx->id, smctx->id_len, ec)) | |
00433bad PY |
293 | return 0; |
294 | ||
d689f313 | 295 | return EVP_DigestUpdate(mctx, z, (size_t)mdlen); |
00433bad PY |
296 | } |
297 | ||
0943d5dd RL |
298 | static int pkey_sm2_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
299 | { | |
300 | EC_KEY *ec = NULL; | |
301 | int ret; | |
302 | ||
303 | ec = EC_KEY_new_by_curve_name(NID_sm2); | |
304 | if (ec == NULL) | |
305 | return 0; | |
306 | if (!ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec))) | |
307 | EC_KEY_free(ec); | |
308 | return ret; | |
309 | } | |
310 | ||
311 | static int pkey_sm2_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) | |
312 | { | |
313 | EC_KEY *ec = NULL; | |
314 | ||
315 | ec = EC_KEY_new_by_curve_name(NID_sm2); | |
316 | if (ec == NULL) | |
317 | return 0; | |
318 | if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) { | |
319 | EC_KEY_free(ec); | |
320 | return 0; | |
321 | } | |
322 | /* Note: if error is returned, we count on caller to free pkey->pkey.ec */ | |
323 | if (ctx->pkey != NULL | |
324 | && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) | |
325 | return 0; | |
326 | ||
327 | return EC_KEY_generate_key(ec); | |
328 | } | |
329 | ||
19bd1fa1 | 330 | static const EVP_PKEY_METHOD sm2_pkey_meth = { |
ddb634fe JL |
331 | EVP_PKEY_SM2, |
332 | 0, | |
333 | pkey_sm2_init, | |
334 | pkey_sm2_copy, | |
335 | pkey_sm2_cleanup, | |
336 | ||
337 | 0, | |
0943d5dd | 338 | pkey_sm2_paramgen, |
ddb634fe JL |
339 | |
340 | 0, | |
0943d5dd | 341 | pkey_sm2_keygen, |
ddb634fe JL |
342 | |
343 | 0, | |
344 | pkey_sm2_sign, | |
345 | ||
346 | 0, | |
347 | pkey_sm2_verify, | |
348 | ||
349 | 0, 0, | |
350 | ||
351 | 0, 0, 0, 0, | |
352 | ||
353 | 0, | |
354 | pkey_sm2_encrypt, | |
355 | ||
356 | 0, | |
357 | pkey_sm2_decrypt, | |
358 | ||
359 | 0, | |
360 | 0, | |
361 | pkey_sm2_ctrl, | |
00433bad PY |
362 | pkey_sm2_ctrl_str, |
363 | ||
364 | 0, 0, | |
365 | ||
366 | 0, 0, 0, | |
367 | ||
368 | pkey_sm2_digest_custom | |
ddb634fe | 369 | }; |
19bd1fa1 PS |
370 | |
371 | const EVP_PKEY_METHOD *sm2_pkey_method(void) | |
372 | { | |
373 | return &sm2_pkey_meth; | |
374 | } |