]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ec/ec_backend.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Deprecate EC_KEY + Update ec apps to use EVP_PKEY
[thirdparty/openssl.git] / crypto / ec / ec_backend.c
1 /*
2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * Low level APIs related to EC_KEY are deprecated for public use,
12 * but still ok for internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <openssl/core_names.h>
17 #include <openssl/objects.h>
18 #include <openssl/params.h>
19 #include <openssl/err.h>
20 #include "crypto/bn.h"
21 #include "crypto/ec.h"
22 #include "ec_local.h"
23 #include "e_os.h"
24 #include "internal/param_build_set.h"
25
26 /* Mapping between a flag and a name */
27 static const OSSL_ITEM encoding_nameid_map[] = {
28 { OPENSSL_EC_EXPLICIT_CURVE, OSSL_PKEY_EC_ENCODING_EXPLICIT },
29 { OPENSSL_EC_NAMED_CURVE, OSSL_PKEY_EC_ENCODING_GROUP },
30 };
31
32 static const OSSL_ITEM check_group_type_nameid_map[] = {
33 { 0, OSSL_PKEY_EC_GROUP_CHECK_DEFAULT },
34 { EC_FLAG_CHECK_NAMED_GROUP, OSSL_PKEY_EC_GROUP_CHECK_NAMED },
35 { EC_FLAG_CHECK_NAMED_GROUP_NIST, OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST },
36 };
37
38 static const OSSL_ITEM format_nameid_map[] = {
39 { (int)POINT_CONVERSION_UNCOMPRESSED, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED },
40 { (int)POINT_CONVERSION_COMPRESSED, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED },
41 { (int)POINT_CONVERSION_HYBRID, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID },
42 };
43
44 int ec_encoding_name2id(const char *name)
45 {
46 size_t i, sz;
47
48 /* Return the default value if there is no name */
49 if (name == NULL)
50 return OPENSSL_EC_NAMED_CURVE;
51
52 for (i = 0, sz = OSSL_NELEM(encoding_nameid_map); i < sz; i++) {
53 if (strcasecmp(name, encoding_nameid_map[i].ptr) == 0)
54 return encoding_nameid_map[i].id;
55 }
56 return -1;
57 }
58
59 static char *ec_param_encoding_id2name(int id)
60 {
61 size_t i, sz;
62
63 for (i = 0, sz = OSSL_NELEM(encoding_nameid_map); i < sz; i++) {
64 if (id == (int)encoding_nameid_map[i].id)
65 return encoding_nameid_map[i].ptr;
66 }
67 return NULL;
68 }
69
70 char *ec_check_group_type_id2name(int id)
71 {
72 size_t i, sz;
73
74 for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) {
75 if (id == (int)check_group_type_nameid_map[i].id)
76 return check_group_type_nameid_map[i].ptr;
77 }
78 return NULL;
79 }
80
81 static int ec_check_group_type_name2id(const char *name)
82 {
83 size_t i, sz;
84
85 /* Return the default value if there is no name */
86 if (name == NULL)
87 return 0;
88
89 for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) {
90 if (strcasecmp(name, check_group_type_nameid_map[i].ptr) == 0)
91 return check_group_type_nameid_map[i].id;
92 }
93 return -1;
94 }
95
96 int ec_set_check_group_type_from_name(EC_KEY *ec, const char *name)
97 {
98 int flags = ec_check_group_type_name2id(name);
99
100 if (flags == -1)
101 return 0;
102 EC_KEY_clear_flags(ec, EC_FLAG_CHECK_NAMED_GROUP_MASK);
103 EC_KEY_set_flags(ec, flags);
104 return 1;
105 }
106
107 static int ec_set_check_group_type_from_param(EC_KEY *ec, const OSSL_PARAM *p)
108 {
109 const char *name = NULL;
110 int status = 0;
111
112 switch (p->data_type) {
113 case OSSL_PARAM_UTF8_STRING:
114 name = p->data;
115 status = (name != NULL);
116 break;
117 case OSSL_PARAM_UTF8_PTR:
118 status = OSSL_PARAM_get_utf8_ptr(p, &name);
119 break;
120 }
121 if (status)
122 return ec_set_check_group_type_from_name(ec, name);
123 return 0;
124 }
125
126 int ec_pt_format_name2id(const char *name)
127 {
128 size_t i, sz;
129
130 /* Return the default value if there is no name */
131 if (name == NULL)
132 return (int)POINT_CONVERSION_UNCOMPRESSED;
133
134 for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) {
135 if (strcasecmp(name, format_nameid_map[i].ptr) == 0)
136 return format_nameid_map[i].id;
137 }
138 return -1;
139 }
140
141 char *ec_pt_format_id2name(int id)
142 {
143 size_t i, sz;
144
145 for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) {
146 if (id == (int)format_nameid_map[i].id)
147 return format_nameid_map[i].ptr;
148 }
149 return NULL;
150 }
151
152 int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
153 OSSL_PARAM params[], OSSL_LIB_CTX *libctx,
154 const char *propq,
155 BN_CTX *bnctx, unsigned char **genbuf)
156 {
157 int ret = 0, curve_nid, encoding_flag;
158 const char *field_type, *encoding_name, *pt_form_name;
159 const BIGNUM *cofactor, *order;
160 BIGNUM *p = NULL, *a = NULL, *b = NULL;
161 point_conversion_form_t genform;
162 const EC_POINT *genpt;
163 unsigned char *seed = NULL;
164 size_t genbuf_len, seed_len;
165
166 if (group == NULL) {
167 ERR_raise(ERR_LIB_EC,EC_R_PASSED_NULL_PARAMETER);
168 return 0;
169 }
170
171 genform = EC_GROUP_get_point_conversion_form(group);
172 pt_form_name = ec_pt_format_id2name(genform);
173 if (pt_form_name == NULL
174 || !ossl_param_build_set_utf8_string(
175 tmpl, params,
176 OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, pt_form_name)) {
177 ECerr(0, EC_R_INVALID_FORM);
178 return 0;
179 }
180 encoding_flag = EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE;
181 encoding_name = ec_param_encoding_id2name(encoding_flag);
182 if (encoding_name == NULL
183 || !ossl_param_build_set_utf8_string(tmpl, params,
184 OSSL_PKEY_PARAM_EC_ENCODING,
185 encoding_name)) {
186 ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING);
187 return 0;
188 }
189
190 curve_nid = EC_GROUP_get_curve_name(group);
191 if (curve_nid == NID_undef) {
192 /* explicit curve */
193 int fid = EC_GROUP_get_field_type(group);
194
195 if (fid == NID_X9_62_prime_field) {
196 field_type = SN_X9_62_prime_field;
197 } else if (fid == NID_X9_62_characteristic_two_field) {
198 field_type = SN_X9_62_characteristic_two_field;
199 } else {
200 ERR_raise(ERR_LIB_EC, EC_R_INVALID_FIELD);
201 return 0;
202 }
203
204 p = BN_CTX_get(bnctx);
205 a = BN_CTX_get(bnctx);
206 b = BN_CTX_get(bnctx);
207 if (b == NULL) {
208 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
209 goto err;
210 }
211
212 if (!EC_GROUP_get_curve(group, p, a, b, bnctx)) {
213 ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE);
214 goto err;
215 }
216
217 order = EC_GROUP_get0_order(group);
218 if (order == NULL) {
219 ERR_raise(ERR_LIB_EC, EC_R_INVALID_GROUP_ORDER);
220 goto err;
221 }
222 genpt = EC_GROUP_get0_generator(group);
223 if (genpt == NULL) {
224 ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
225 goto err;
226 }
227 genbuf_len = EC_POINT_point2buf(group, genpt, genform, genbuf, bnctx);
228 if (genbuf_len == 0) {
229 ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
230 goto err;
231 }
232
233 if (!ossl_param_build_set_utf8_string(tmpl, params,
234 OSSL_PKEY_PARAM_EC_FIELD_TYPE,
235 field_type)
236 || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_P, p)
237 || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_A, a)
238 || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_B, b)
239 || !ossl_param_build_set_bn(tmpl, params, OSSL_PKEY_PARAM_EC_ORDER,
240 order)
241 || !ossl_param_build_set_octet_string(tmpl, params,
242 OSSL_PKEY_PARAM_EC_GENERATOR,
243 *genbuf, genbuf_len)) {
244 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
245 goto err;
246 }
247
248 cofactor = EC_GROUP_get0_cofactor(group);
249 if (cofactor != NULL
250 && !ossl_param_build_set_bn(tmpl, params,
251 OSSL_PKEY_PARAM_EC_COFACTOR, cofactor)) {
252 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
253 goto err;
254 }
255
256 seed = EC_GROUP_get0_seed(group);
257 seed_len = EC_GROUP_get_seed_len(group);
258 if (seed != NULL
259 && seed_len > 0
260 && !ossl_param_build_set_octet_string(tmpl, params,
261 OSSL_PKEY_PARAM_EC_SEED,
262 seed, seed_len)) {
263 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
264 goto err;
265 }
266 #ifdef OPENSSL_NO_EC2M
267 if (fid == NID_X9_62_characteristic_two_field) {
268 ERR_raise(ERR_LIB_EC, EC_R_GF2M_NOT_SUPPORTED);
269 goto err;
270 }
271 #endif
272 } else {
273 /* named curve */
274 const char *curve_name = ec_curve_nid2name(curve_nid);
275
276 if (curve_name == NULL
277 || !ossl_param_build_set_utf8_string(tmpl, params,
278 OSSL_PKEY_PARAM_GROUP_NAME,
279 curve_name)) {
280 ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE);
281 goto err;
282 }
283 }
284 ret = 1;
285 err:
286 return ret;
287 }
288
289 /*
290 * The intention with the "backend" source file is to offer backend support
291 * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider
292 * implementations alike.
293 */
294 int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode)
295 {
296 const EC_GROUP *ecg = EC_KEY_get0_group(ec);
297 const BIGNUM *cofactor;
298 /*
299 * mode can be only 0 for disable, or 1 for enable here.
300 *
301 * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
302 * also supports mode == -1 with the meaning of "reset to the default for
303 * the associated key".
304 */
305 if (mode < 0 || mode > 1)
306 return 0;
307
308 if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL )
309 return 0;
310
311 /* ECDH cofactor mode has no effect if cofactor is 1 */
312 if (BN_is_one(cofactor))
313 return 1;
314
315 if (mode == 1)
316 EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
317 else if (mode == 0)
318 EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH);
319
320 return 1;
321 }
322
323 /*
324 * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has
325 * been called before!
326 *
327 * This function only gets the bare keypair, domain parameters and other
328 * parameters are treated separately, and domain parameters are required to
329 * define a keypair.
330 */
331 int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private)
332 {
333 const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL;
334 BN_CTX *ctx = NULL;
335 BIGNUM *priv_key = NULL;
336 unsigned char *pub_key = NULL;
337 size_t pub_key_len;
338 const EC_GROUP *ecg = NULL;
339 EC_POINT *pub_point = NULL;
340 int ok = 0;
341
342 ecg = EC_KEY_get0_group(ec);
343 if (ecg == NULL)
344 return 0;
345
346 param_pub_key =
347 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
348 if (include_private)
349 param_priv_key =
350 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
351
352 ctx = BN_CTX_new_ex(ec_key_get_libctx(ec));
353 if (ctx == NULL)
354 goto err;
355
356 if (param_pub_key != NULL)
357 if (!OSSL_PARAM_get_octet_string(param_pub_key,
358 (void **)&pub_key, 0, &pub_key_len)
359 || (pub_point = EC_POINT_new(ecg)) == NULL
360 || !EC_POINT_oct2point(ecg, pub_point, pub_key, pub_key_len, ctx))
361 goto err;
362
363 if (param_priv_key != NULL && include_private) {
364 int fixed_words;
365 const BIGNUM *order;
366
367 /*
368 * Key import/export should never leak the bit length of the secret
369 * scalar in the key.
370 *
371 * For this reason, on export we use padded BIGNUMs with fixed length.
372 *
373 * When importing we also should make sure that, even if short lived,
374 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
375 * soon as possible, so that any processing of this BIGNUM might opt for
376 * constant time implementations in the backend.
377 *
378 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
379 * to preallocate the BIGNUM internal buffer to a fixed public size big
380 * enough that operations performed during the processing never trigger
381 * a realloc which would leak the size of the scalar through memory
382 * accesses.
383 *
384 * Fixed Length
385 * ------------
386 *
387 * The order of the large prime subgroup of the curve is our choice for
388 * a fixed public size, as that is generally the upper bound for
389 * generating a private key in EC cryptosystems and should fit all valid
390 * secret scalars.
391 *
392 * For padding on export we just use the bit length of the order
393 * converted to bytes (rounding up).
394 *
395 * For preallocating the BIGNUM storage we look at the number of "words"
396 * required for the internal representation of the order, and we
397 * preallocate 2 extra "words" in case any of the subsequent processing
398 * might temporarily overflow the order length.
399 */
400 order = EC_GROUP_get0_order(ecg);
401 if (order == NULL || BN_is_zero(order))
402 goto err;
403
404 fixed_words = bn_get_top(order) + 2;
405
406 if ((priv_key = BN_secure_new()) == NULL)
407 goto err;
408 if (bn_wexpand(priv_key, fixed_words) == NULL)
409 goto err;
410 BN_set_flags(priv_key, BN_FLG_CONSTTIME);
411
412 if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key))
413 goto err;
414 }
415
416 if (priv_key != NULL
417 && !EC_KEY_set_private_key(ec, priv_key))
418 goto err;
419
420 if (pub_point != NULL
421 && !EC_KEY_set_public_key(ec, pub_point))
422 goto err;
423
424 ok = 1;
425
426 err:
427 BN_CTX_free(ctx);
428 BN_clear_free(priv_key);
429 OPENSSL_free(pub_key);
430 EC_POINT_free(pub_point);
431 return ok;
432 }
433
434 int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
435 {
436 int ok = 0;
437 EC_GROUP *group = NULL;
438
439 if (ec == NULL)
440 return 0;
441
442 group = EC_GROUP_new_from_params(params, ec_key_get_libctx(ec),
443 ec_key_get0_propq(ec));
444
445 if (!EC_KEY_set_group(ec, group))
446 goto err;
447 ok = 1;
448 err:
449 EC_GROUP_free(group);
450 return ok;
451 }
452
453 static int ec_key_point_format_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
454 {
455 const OSSL_PARAM *p;
456 int format = -1;
457
458 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT);
459 if (p != NULL) {
460 if (!ec_pt_format_param2id(p, &format)) {
461 ECerr(0, EC_R_INVALID_FORM);
462 return 0;
463 }
464 EC_KEY_set_conv_form(ec, format);
465 }
466 return 1;
467 }
468
469 static int ec_key_group_check_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
470 {
471 const OSSL_PARAM *p;
472
473 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE);
474 if (p != NULL)
475 return ec_set_check_group_type_from_param(ec, p);
476 return 1;
477 }
478
479 static int ec_set_include_public(EC_KEY *ec, int include)
480 {
481 int flags = EC_KEY_get_enc_flags(ec);
482
483 if (!include)
484 flags |= EC_PKEY_NO_PUBKEY;
485 else
486 flags &= ~EC_PKEY_NO_PUBKEY;
487 EC_KEY_set_enc_flags(ec, flags);
488 return 1;
489 }
490
491 int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
492 {
493 const OSSL_PARAM *p;
494
495 if (ec == NULL)
496 return 0;
497
498 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
499 if (p != NULL) {
500 int mode;
501
502 if (!OSSL_PARAM_get_int(p, &mode)
503 || !ec_set_ecdh_cofactor_mode(ec, mode))
504 return 0;
505 }
506
507 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC);
508 if (p != NULL) {
509 int include = 1;
510
511 if (!OSSL_PARAM_get_int(p, &include)
512 || !ec_set_include_public(ec, include))
513 return 0;
514 }
515 if (!ec_key_point_format_fromdata(ec, params))
516 return 0;
517 if (!ec_key_group_check_fromdata(ec, params))
518 return 0;
519 return 1;
520 }
521
522 int ec_encoding_param2id(const OSSL_PARAM *p, int *id)
523 {
524 const char *name = NULL;
525 int status = 0;
526
527 switch (p->data_type) {
528 case OSSL_PARAM_UTF8_STRING:
529 /* The OSSL_PARAM functions have no support for this */
530 name = p->data;
531 status = (name != NULL);
532 break;
533 case OSSL_PARAM_UTF8_PTR:
534 status = OSSL_PARAM_get_utf8_ptr(p, &name);
535 break;
536 }
537 if (status) {
538 int i = ec_encoding_name2id(name);
539
540 if (i >= 0) {
541 *id = i;
542 return 1;
543 }
544 }
545 return 0;
546 }
547
548 int ec_pt_format_param2id(const OSSL_PARAM *p, int *id)
549 {
550 const char *name = NULL;
551 int status = 0;
552
553 switch (p->data_type) {
554 case OSSL_PARAM_UTF8_STRING:
555 /* The OSSL_PARAM functions have no support for this */
556 name = p->data;
557 status = (name != NULL);
558 break;
559 case OSSL_PARAM_UTF8_PTR:
560 status = OSSL_PARAM_get_utf8_ptr(p, &name);
561 break;
562 }
563 if (status) {
564 int i = ec_pt_format_name2id(name);
565
566 if (i >= 0) {
567 *id = i;
568 return 1;
569 }
570 }
571 return 0;
572 }
A mirror of the official openssl repository