crypto/ec/ec_backend.c

   1 /*
   2  * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/core_names.h>
  11 #include <openssl/objects.h>
  12 #include <openssl/params.h>
  13 #include "crypto/bn.h"
  14 #include "crypto/ec.h"
  15
  16 /*
  17  * The intention with the "backend" source file is to offer backend support
  18  * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider
  19  * implementations alike.
  20  */
  21
  22 int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode)
  23 {
  24     const EC_GROUP *ecg = EC_KEY_get0_group(ec);
  25     const BIGNUM *cofactor;
  26     /*
  27      * mode can be only 0 for disable, or 1 for enable here.
  28      *
  29      * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
  30      * also supports mode == -1 with the meaning of "reset to the default for
  31      * the associated key".
  32      */
  33     if (mode < 0 || mode > 1)
  34         return 0;
  35
  36     if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL )
  37         return 0;
  38
  39     /* ECDH cofactor mode has no effect if cofactor is 1 */
  40     if (BN_is_one(cofactor))
  41         return 1;
  42
  43     if (mode == 1)
  44         EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
  45     else if (mode == 0)
  46         EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH);
  47
  48     return 1;
  49 }
  50
  51 /*
  52  * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has
  53  * been called before!
  54  *
  55  * This function only gets the bare keypair, domain parameters and other
  56  * parameters are treated separately, and domain parameters are required to
  57  * define a keypair.
  58  */
  59 int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private)
  60 {
  61     const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL;
  62     BN_CTX *ctx = NULL;
  63     BIGNUM *priv_key = NULL;
  64     unsigned char *pub_key = NULL;
  65     size_t pub_key_len;
  66     const EC_GROUP *ecg = NULL;
  67     EC_POINT *pub_point = NULL;
  68     int ok = 0;
  69
  70     ecg = EC_KEY_get0_group(ec);
  71     if (ecg == NULL)
  72         return 0;
  73
  74     param_pub_key =
  75         OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
  76     if (include_private)
  77         param_priv_key =
  78             OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
  79
  80     ctx = BN_CTX_new_ex(ec_key_get_libctx(ec));
  81     if (ctx == NULL)
  82         goto err;
  83
  84     /* OpenSSL decree: If there's a private key, there must be a public key */
  85     if (param_priv_key != NULL && param_pub_key == NULL)
  86         goto err;
  87
  88     if (param_pub_key != NULL)
  89         if (!OSSL_PARAM_get_octet_string(param_pub_key,
  90                                          (void **)&pub_key, 0, &pub_key_len)
  91             || (pub_point = EC_POINT_new(ecg)) == NULL
  92             || !EC_POINT_oct2point(ecg, pub_point, pub_key, pub_key_len, ctx))
  93         goto err;
  94
  95     if (param_priv_key != NULL && include_private) {
  96         int fixed_words;
  97         const BIGNUM *order;
  98
  99         /*
 100          * Key import/export should never leak the bit length of the secret
 101          * scalar in the key.
 102          *
 103          * For this reason, on export we use padded BIGNUMs with fixed length.
 104          *
 105          * When importing we also should make sure that, even if short lived,
 106          * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
 107          * soon as possible, so that any processing of this BIGNUM might opt for
 108          * constant time implementations in the backend.
 109          *
 110          * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
 111          * to preallocate the BIGNUM internal buffer to a fixed public size big
 112          * enough that operations performed during the processing never trigger
 113          * a realloc which would leak the size of the scalar through memory
 114          * accesses.
 115          *
 116          * Fixed Length
 117          * ------------
 118          *
 119          * The order of the large prime subgroup of the curve is our choice for
 120          * a fixed public size, as that is generally the upper bound for
 121          * generating a private key in EC cryptosystems and should fit all valid
 122          * secret scalars.
 123          *
 124          * For padding on export we just use the bit length of the order
 125          * converted to bytes (rounding up).
 126          *
 127          * For preallocating the BIGNUM storage we look at the number of "words"
 128          * required for the internal representation of the order, and we
 129          * preallocate 2 extra "words" in case any of the subsequent processing
 130          * might temporarily overflow the order length.
 131          */
 132         order = EC_GROUP_get0_order(ecg);
 133         if (order == NULL || BN_is_zero(order))
 134             goto err;
 135
 136         fixed_words = bn_get_top(order) + 2;
 137
 138         if ((priv_key = BN_secure_new()) == NULL)
 139             goto err;
 140         if (bn_wexpand(priv_key, fixed_words) == NULL)
 141             goto err;
 142         BN_set_flags(priv_key, BN_FLG_CONSTTIME);
 143
 144         if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key))
 145             goto err;
 146     }
 147
 148     if (priv_key != NULL
 149         && !EC_KEY_set_private_key(ec, priv_key))
 150         goto err;
 151
 152     if (pub_point != NULL
 153         && !EC_KEY_set_public_key(ec, pub_point))
 154         goto err;
 155
 156     ok = 1;
 157
 158  err:
 159     BN_CTX_free(ctx);
 160     BN_clear_free(priv_key);
 161     OPENSSL_free(pub_key);
 162     EC_POINT_free(pub_point);
 163     return ok;
 164 }
 165
 166 int ec_key_domparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
 167 {
 168     const OSSL_PARAM *param_ec_name;
 169     EC_GROUP *ecg = NULL;
 170     char *curve_name = NULL;
 171     int ok = 0;
 172
 173     if (ec == NULL)
 174         return 0;
 175
 176     param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME);
 177     if (param_ec_name == NULL) {
 178         /* explicit parameters */
 179
 180         /*
 181          * TODO(3.0): should we support explicit parameters curves?
 182          */
 183         return 0;
 184     } else {
 185         /* named curve */
 186         int curve_nid;
 187
 188         if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0)
 189                 || curve_name == NULL
 190                 || (curve_nid = ec_curve_name2nid(curve_name)) == NID_undef)
 191             goto err;
 192
 193         if ((ecg = EC_GROUP_new_by_curve_name_ex(ec_key_get_libctx(ec),
 194                                                  curve_nid)) == NULL)
 195             goto err;
 196     }
 197
 198     if (!EC_KEY_set_group(ec, ecg))
 199         goto err;
 200
 201     /*
 202      * TODO(3.0): if the group has changed, should we invalidate the private and
 203      * public key?
 204      */
 205
 206     ok = 1;
 207
 208  err:
 209     OPENSSL_free(curve_name);
 210     EC_GROUP_free(ecg);
 211     return ok;
 212 }
 213
 214 int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
 215 {
 216     const OSSL_PARAM *p;
 217
 218     if (ec == NULL)
 219         return 0;
 220
 221     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
 222     if (p != NULL) {
 223         int mode;
 224
 225         if (!OSSL_PARAM_get_int(p, &mode)
 226             || !ec_set_ecdh_cofactor_mode(ec, mode))
 227             return 0;
 228     }
 229     return 1;
 230 }