]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ec/ec_key.c
projects / thirdparty / openssl.git / blob
? search:


30c524726d007dda75e5ffc42286860d7ddd5ef1
[thirdparty/openssl.git] / crypto / ec / ec_key.c
1 /*
2 * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /*
12 * EC_KEY low level APIs are deprecated for public use, but still ok for
13 * internal use.
14 */
15 #include "internal/deprecated.h"
16
17 #include "internal/cryptlib.h"
18 #include <string.h>
19 #include "ec_local.h"
20 #include "internal/refcount.h"
21 #include <openssl/err.h>
22 #include <openssl/engine.h>
23 #include <openssl/self_test.h>
24 #include "prov/providercommon.h"
25 #include "crypto/bn.h"
26
27 static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
28 void *cbarg);
29
30 #ifndef FIPS_MODULE
31 EC_KEY *EC_KEY_new(void)
32 {
33 return ec_key_new_method_int(NULL, NULL, NULL);
34 }
35 #endif
36
37 EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq)
38 {
39 return ec_key_new_method_int(ctx, propq, NULL);
40 }
41
42 EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
43 int nid)
44 {
45 EC_KEY *ret = EC_KEY_new_ex(ctx, propq);
46 if (ret == NULL)
47 return NULL;
48 ret->group = EC_GROUP_new_by_curve_name_ex(ctx, propq, nid);
49 if (ret->group == NULL) {
50 EC_KEY_free(ret);
51 return NULL;
52 }
53 if (ret->meth->set_group != NULL
54 && ret->meth->set_group(ret, ret->group) == 0) {
55 EC_KEY_free(ret);
56 return NULL;
57 }
58 return ret;
59 }
60
61 #ifndef FIPS_MODULE
62 EC_KEY *EC_KEY_new_by_curve_name(int nid)
63 {
64 return EC_KEY_new_by_curve_name_ex(NULL, NULL, nid);
65 }
66 #endif
67
68 void EC_KEY_free(EC_KEY *r)
69 {
70 int i;
71
72 if (r == NULL)
73 return;
74
75 CRYPTO_DOWN_REF(&r->references, &i, r->lock);
76 REF_PRINT_COUNT("EC_KEY", r);
77 if (i > 0)
78 return;
79 REF_ASSERT_ISNT(i < 0);
80
81 if (r->meth != NULL && r->meth->finish != NULL)
82 r->meth->finish(r);
83
84 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
85 ENGINE_finish(r->engine);
86 #endif
87
88 if (r->group && r->group->meth->keyfinish)
89 r->group->meth->keyfinish(r);
90
91 #ifndef FIPS_MODULE
92 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
93 #endif
94 CRYPTO_THREAD_lock_free(r->lock);
95 EC_GROUP_free(r->group);
96 EC_POINT_free(r->pub_key);
97 BN_clear_free(r->priv_key);
98 OPENSSL_free(r->propq);
99
100 OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
101 }
102
103 EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
104 {
105 if (dest == NULL || src == NULL) {
106 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
107 return NULL;
108 }
109 if (src->meth != dest->meth) {
110 if (dest->meth->finish != NULL)
111 dest->meth->finish(dest);
112 if (dest->group && dest->group->meth->keyfinish)
113 dest->group->meth->keyfinish(dest);
114 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
115 if (ENGINE_finish(dest->engine) == 0)
116 return 0;
117 dest->engine = NULL;
118 #endif
119 }
120 dest->libctx = src->libctx;
121 /* copy the parameters */
122 if (src->group != NULL) {
123 /* clear the old group */
124 EC_GROUP_free(dest->group);
125 dest->group = ec_group_new_ex(src->libctx, src->propq, src->group->meth);
126 if (dest->group == NULL)
127 return NULL;
128 if (!EC_GROUP_copy(dest->group, src->group))
129 return NULL;
130
131 /* copy the public key */
132 if (src->pub_key != NULL) {
133 EC_POINT_free(dest->pub_key);
134 dest->pub_key = EC_POINT_new(src->group);
135 if (dest->pub_key == NULL)
136 return NULL;
137 if (!EC_POINT_copy(dest->pub_key, src->pub_key))
138 return NULL;
139 }
140 /* copy the private key */
141 if (src->priv_key != NULL) {
142 if (dest->priv_key == NULL) {
143 dest->priv_key = BN_new();
144 if (dest->priv_key == NULL)
145 return NULL;
146 }
147 if (!BN_copy(dest->priv_key, src->priv_key))
148 return NULL;
149 if (src->group->meth->keycopy
150 && src->group->meth->keycopy(dest, src) == 0)
151 return NULL;
152 }
153 }
154
155
156 /* copy the rest */
157 dest->enc_flag = src->enc_flag;
158 dest->conv_form = src->conv_form;
159 dest->version = src->version;
160 dest->flags = src->flags;
161 #ifndef FIPS_MODULE
162 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
163 &dest->ex_data, &src->ex_data))
164 return NULL;
165 #endif
166
167 if (src->meth != dest->meth) {
168 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
169 if (src->engine != NULL && ENGINE_init(src->engine) == 0)
170 return NULL;
171 dest->engine = src->engine;
172 #endif
173 dest->meth = src->meth;
174 }
175
176 if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
177 return NULL;
178
179 dest->dirty_cnt++;
180
181 return dest;
182 }
183
184 EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
185 {
186 EC_KEY *ret = ec_key_new_method_int(ec_key->libctx, ec_key->propq,
187 ec_key->engine);
188
189 if (ret == NULL)
190 return NULL;
191
192 if (EC_KEY_copy(ret, ec_key) == NULL) {
193 EC_KEY_free(ret);
194 return NULL;
195 }
196 return ret;
197 }
198
199 int EC_KEY_up_ref(EC_KEY *r)
200 {
201 int i;
202
203 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
204 return 0;
205
206 REF_PRINT_COUNT("EC_KEY", r);
207 REF_ASSERT_ISNT(i < 2);
208 return ((i > 1) ? 1 : 0);
209 }
210
211 ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey)
212 {
213 return eckey->engine;
214 }
215
216 int EC_KEY_generate_key(EC_KEY *eckey)
217 {
218 if (eckey == NULL || eckey->group == NULL) {
219 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
220 return 0;
221 }
222 if (eckey->meth->keygen != NULL) {
223 int ret;
224
225 ret = eckey->meth->keygen(eckey);
226 if (ret == 1)
227 eckey->dirty_cnt++;
228
229 return ret;
230 }
231 ERR_raise(ERR_LIB_EC, EC_R_OPERATION_NOT_SUPPORTED);
232 return 0;
233 }
234
235 int ossl_ec_key_gen(EC_KEY *eckey)
236 {
237 int ret;
238
239 ret = eckey->group->meth->keygen(eckey);
240
241 if (ret == 1)
242 eckey->dirty_cnt++;
243 return ret;
244 }
245
246 /*
247 * ECC Key generation.
248 * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
249 *
250 * Params:
251 * libctx A context containing an optional self test callback.
252 * eckey An EC key object that contains domain params. The generated keypair
253 * is stored in this object.
254 * pairwise_test Set to non zero to perform a pairwise test. If the test
255 * fails then the keypair is not generated,
256 * Returns 1 if the keypair was generated or 0 otherwise.
257 */
258 static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
259 {
260 int ok = 0;
261 BIGNUM *priv_key = NULL;
262 const BIGNUM *tmp = NULL;
263 BIGNUM *order = NULL;
264 EC_POINT *pub_key = NULL;
265 const EC_GROUP *group = eckey->group;
266 BN_CTX *ctx = BN_CTX_secure_new_ex(eckey->libctx);
267 int sm2 = EC_KEY_get_flags(eckey) & EC_FLAG_SM2_RANGE ? 1 : 0;
268
269 if (ctx == NULL)
270 goto err;
271
272 if (eckey->priv_key == NULL) {
273 priv_key = BN_secure_new();
274 if (priv_key == NULL)
275 goto err;
276 } else
277 priv_key = eckey->priv_key;
278
279 /*
280 * Steps (1-2): Check domain parameters and security strength.
281 * These steps must be done by the user. This would need to be
282 * stated in the security policy.
283 */
284
285 tmp = EC_GROUP_get0_order(group);
286 if (tmp == NULL)
287 goto err;
288
289 /*
290 * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]).
291 * Although this is slightly different from the standard, it is effectively
292 * equivalent as it gives an unbiased result ranging from 1..n-1. It is also
293 * faster as the standard needs to retry more often. Also doing
294 * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into
295 * rand so the simpler backward compatible method has been used here.
296 */
297
298 /* range of SM2 private key is [1, n-1) */
299 if (sm2) {
300 order = BN_new();
301 if (order == NULL || !BN_sub(order, tmp, BN_value_one()))
302 goto err;
303 } else {
304 order = BN_dup(tmp);
305 if (order == NULL)
306 goto err;
307 }
308
309 do
310 if (!BN_priv_rand_range_ex(priv_key, order, ctx))
311 goto err;
312 while (BN_is_zero(priv_key)) ;
313
314 if (eckey->pub_key == NULL) {
315 pub_key = EC_POINT_new(group);
316 if (pub_key == NULL)
317 goto err;
318 } else
319 pub_key = eckey->pub_key;
320
321 /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */
322 if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
323 goto err;
324
325 eckey->priv_key = priv_key;
326 eckey->pub_key = pub_key;
327 priv_key = NULL;
328 pub_key = NULL;
329
330 eckey->dirty_cnt++;
331
332 #ifdef FIPS_MODULE
333 pairwise_test = 1;
334 #endif /* FIPS_MODULE */
335
336 ok = 1;
337 if (pairwise_test) {
338 OSSL_CALLBACK *cb = NULL;
339 void *cbarg = NULL;
340
341 OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
342 ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
343 }
344 err:
345 /* Step (9): If there is an error return an invalid keypair. */
346 if (!ok) {
347 ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
348 BN_clear(eckey->priv_key);
349 if (eckey->pub_key != NULL)
350 EC_POINT_set_to_infinity(group, eckey->pub_key);
351 }
352
353 EC_POINT_free(pub_key);
354 BN_clear_free(priv_key);
355 BN_CTX_free(ctx);
356 BN_free(order);
357 return ok;
358 }
359
360 int ec_key_simple_generate_key(EC_KEY *eckey)
361 {
362 return ec_generate_key(eckey, 0);
363 }
364
365 int ec_key_simple_generate_public_key(EC_KEY *eckey)
366 {
367 int ret;
368 BN_CTX *ctx = BN_CTX_new_ex(eckey->libctx);
369
370 if (ctx == NULL)
371 return 0;
372
373 /*
374 * See SP800-56AR3 5.6.1.2.2: Step (8)
375 * pub_key = priv_key * G (where G is a point on the curve)
376 */
377 ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
378 NULL, ctx);
379
380 BN_CTX_free(ctx);
381 if (ret == 1)
382 eckey->dirty_cnt++;
383
384 return ret;
385 }
386
387 int EC_KEY_check_key(const EC_KEY *eckey)
388 {
389 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
390 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
391 return 0;
392 }
393
394 if (eckey->group->meth->keycheck == NULL) {
395 ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
396 return 0;
397 }
398
399 return eckey->group->meth->keycheck(eckey);
400 }
401
402 /*
403 * Check the range of the EC public key.
404 * See SP800-56A R3 Section 5.6.2.3.3 (Part 2)
405 * i.e.
406 * - If q = odd prime p: Verify that xQ and yQ are integers in the
407 * interval[0, p - 1], OR
408 * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits.
409 * Returns 1 if the public key has a valid range, otherwise it returns 0.
410 */
411 static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key)
412 {
413 int ret = 0;
414 BIGNUM *x, *y;
415
416 BN_CTX_start(ctx);
417 x = BN_CTX_get(ctx);
418 y = BN_CTX_get(ctx);
419 if (y == NULL)
420 goto err;
421
422 if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx))
423 goto err;
424
425 if (EC_GROUP_get_field_type(key->group) == NID_X9_62_prime_field) {
426 if (BN_is_negative(x)
427 || BN_cmp(x, key->group->field) >= 0
428 || BN_is_negative(y)
429 || BN_cmp(y, key->group->field) >= 0) {
430 goto err;
431 }
432 } else {
433 int m = EC_GROUP_get_degree(key->group);
434 if (BN_num_bits(x) > m || BN_num_bits(y) > m) {
435 goto err;
436 }
437 }
438 ret = 1;
439 err:
440 BN_CTX_end(ctx);
441 return ret;
442 }
443
444 /*
445 * ECC Partial Public-Key Validation as specified in SP800-56A R3
446 * Section 5.6.2.3.4 ECC Partial Public-Key Validation Routine.
447 */
448 int ec_key_public_check_quick(const EC_KEY *eckey, BN_CTX *ctx)
449 {
450 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
451 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
452 return 0;
453 }
454
455 /* 5.6.2.3.3 (Step 1): Q != infinity */
456 if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
457 ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
458 return 0;
459 }
460
461 /* 5.6.2.3.3 (Step 2) Test if the public key is in range */
462 if (!ec_key_public_range_check(ctx, eckey)) {
463 ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
464 return 0;
465 }
466
467 /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */
468 if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
469 ERR_raise(ERR_LIB_EC, EC_R_POINT_IS_NOT_ON_CURVE);
470 return 0;
471 }
472 return 1;
473 }
474
475 /*
476 * ECC Key validation as specified in SP800-56A R3.
477 * Section 5.6.2.3.3 ECC Full Public-Key Validation Routine.
478 */
479 int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
480 {
481 int ret = 0;
482 EC_POINT *point = NULL;
483 const BIGNUM *order = NULL;
484
485 if (!ec_key_public_check_quick(eckey, ctx))
486 return 0;
487
488 point = EC_POINT_new(eckey->group);
489 if (point == NULL)
490 return 0;
491
492 order = eckey->group->order;
493 if (BN_is_zero(order)) {
494 ERR_raise(ERR_LIB_EC, EC_R_INVALID_GROUP_ORDER);
495 goto err;
496 }
497 /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */
498 if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
499 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
500 goto err;
501 }
502 if (!EC_POINT_is_at_infinity(eckey->group, point)) {
503 ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER);
504 goto err;
505 }
506 ret = 1;
507 err:
508 EC_POINT_free(point);
509 return ret;
510 }
511
512 /*
513 * ECC Key validation as specified in SP800-56A R3.
514 * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
515 * The private key is in the range [1, order-1]
516 */
517 int ec_key_private_check(const EC_KEY *eckey)
518 {
519 if (eckey == NULL || eckey->group == NULL || eckey->priv_key == NULL) {
520 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
521 return 0;
522 }
523 if (BN_cmp(eckey->priv_key, BN_value_one()) < 0
524 || BN_cmp(eckey->priv_key, eckey->group->order) >= 0) {
525 ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
526 return 0;
527 }
528 return 1;
529 }
530
531 /*
532 * ECC Key validation as specified in SP800-56A R3.
533 * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency (b)
534 * Check if generator * priv_key = pub_key
535 */
536 int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx)
537 {
538 int ret = 0;
539 EC_POINT *point = NULL;
540
541 if (eckey == NULL
542 || eckey->group == NULL
543 || eckey->pub_key == NULL
544 || eckey->priv_key == NULL) {
545 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
546 return 0;
547 }
548
549 point = EC_POINT_new(eckey->group);
550 if (point == NULL)
551 goto err;
552
553
554 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, NULL, ctx)) {
555 ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
556 goto err;
557 }
558 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
559 ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
560 goto err;
561 }
562 ret = 1;
563 err:
564 EC_POINT_free(point);
565 return ret;
566 }
567
568
569 /*
570 * ECC Key validation as specified in SP800-56A R3.
571 * Section 5.6.2.3.3 ECC Full Public-Key Validation
572 * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
573 * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
574 * NOTES:
575 * Before calling this method in fips mode, there should be an assurance that
576 * an approved elliptic-curve group is used.
577 * Returns 1 if the key is valid, otherwise it returns 0.
578 */
579 int ec_key_simple_check_key(const EC_KEY *eckey)
580 {
581 int ok = 0;
582 BN_CTX *ctx = NULL;
583
584 if (eckey == NULL) {
585 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
586 return 0;
587 }
588 if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL)
589 return 0;
590
591 if (!ec_key_public_check(eckey, ctx))
592 goto err;
593
594 if (eckey->priv_key != NULL) {
595 if (!ec_key_private_check(eckey)
596 || !ec_key_pairwise_check(eckey, ctx))
597 goto err;
598 }
599 ok = 1;
600 err:
601 BN_CTX_free(ctx);
602 return ok;
603 }
604
605 int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
606 BIGNUM *y)
607 {
608 BN_CTX *ctx = NULL;
609 BIGNUM *tx, *ty;
610 EC_POINT *point = NULL;
611 int ok = 0;
612
613 if (key == NULL || key->group == NULL || x == NULL || y == NULL) {
614 ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER);
615 return 0;
616 }
617 ctx = BN_CTX_new_ex(key->libctx);
618 if (ctx == NULL)
619 return 0;
620
621 BN_CTX_start(ctx);
622 point = EC_POINT_new(key->group);
623
624 if (point == NULL)
625 goto err;
626
627 tx = BN_CTX_get(ctx);
628 ty = BN_CTX_get(ctx);
629 if (ty == NULL)
630 goto err;
631
632 if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx))
633 goto err;
634 if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx))
635 goto err;
636
637 /*
638 * Check if retrieved coordinates match originals. The range check is done
639 * inside EC_KEY_check_key().
640 */
641 if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
642 ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
643 goto err;
644 }
645
646 /* EC_KEY_set_public_key updates dirty_cnt */
647 if (!EC_KEY_set_public_key(key, point))
648 goto err;
649
650 if (EC_KEY_check_key(key) == 0)
651 goto err;
652
653 ok = 1;
654
655 err:
656 BN_CTX_end(ctx);
657 BN_CTX_free(ctx);
658 EC_POINT_free(point);
659 return ok;
660
661 }
662
663 OSSL_LIB_CTX *ec_key_get_libctx(const EC_KEY *key)
664 {
665 return key->libctx;
666 }
667
668 const char *ec_key_get0_propq(const EC_KEY *key)
669 {
670 return key->propq;
671 }
672
673 void ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx)
674 {
675 key->libctx = libctx;
676 /* Do we need to propagate this to the group? */
677 }
678
679 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
680 {
681 return key->group;
682 }
683
684 int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
685 {
686 if (key->meth->set_group != NULL && key->meth->set_group(key, group) == 0)
687 return 0;
688 EC_GROUP_free(key->group);
689 key->group = EC_GROUP_dup(group);
690 key->dirty_cnt++;
691 return (key->group == NULL) ? 0 : 1;
692 }
693
694 const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
695 {
696 return key->priv_key;
697 }
698
699 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
700 {
701 int fixed_top;
702 const BIGNUM *order = NULL;
703 BIGNUM *tmp_key = NULL;
704
705 if (key->group == NULL || key->group->meth == NULL)
706 return 0;
707
708 /*
709 * Not only should key->group be set, but it should also be in a valid
710 * fully initialized state.
711 *
712 * Specifically, to operate in constant time, we need that the group order
713 * is set, as we use its length as the fixed public size of any scalar used
714 * as an EC private key.
715 */
716 order = EC_GROUP_get0_order(key->group);
717 if (order == NULL || BN_is_zero(order))
718 return 0; /* This should never happen */
719
720 if (key->group->meth->set_private != NULL
721 && key->group->meth->set_private(key, priv_key) == 0)
722 return 0;
723 if (key->meth->set_private != NULL
724 && key->meth->set_private(key, priv_key) == 0)
725 return 0;
726
727 /*
728 * We should never leak the bit length of the secret scalar in the key,
729 * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
730 * holding the secret scalar.
731 *
732 * This is important also because `BN_dup()` (and `BN_copy()`) do not
733 * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
734 * this brings an extra risk of inadvertently losing the flag, even when
735 * the caller specifically set it.
736 *
737 * The propagation has been turned on and off a few times in the past
738 * years because in some conditions has shown unintended consequences in
739 * some code paths, so at the moment we can't fix this in the BN layer.
740 *
741 * In `EC_KEY_set_private_key()` we can work around the propagation by
742 * manually setting the flag after `BN_dup()` as we know for sure that
743 * inside the EC module the `BN_FLG_CONSTTIME` is always treated
744 * correctly and should not generate unintended consequences.
745 *
746 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
747 * to preallocate the BIGNUM internal buffer to a fixed public size big
748 * enough that operations performed during the processing never trigger
749 * a realloc which would leak the size of the scalar through memory
750 * accesses.
751 *
752 * Fixed Length
753 * ------------
754 *
755 * The order of the large prime subgroup of the curve is our choice for
756 * a fixed public size, as that is generally the upper bound for
757 * generating a private key in EC cryptosystems and should fit all valid
758 * secret scalars.
759 *
760 * For preallocating the BIGNUM storage we look at the number of "words"
761 * required for the internal representation of the order, and we
762 * preallocate 2 extra "words" in case any of the subsequent processing
763 * might temporarily overflow the order length.
764 */
765 tmp_key = BN_dup(priv_key);
766 if (tmp_key == NULL)
767 return 0;
768
769 BN_set_flags(tmp_key, BN_FLG_CONSTTIME);
770
771 fixed_top = bn_get_top(order) + 2;
772 if (bn_wexpand(tmp_key, fixed_top) == NULL) {
773 BN_clear_free(tmp_key);
774 return 0;
775 }
776
777 BN_clear_free(key->priv_key);
778 key->priv_key = tmp_key;
779 key->dirty_cnt++;
780
781 return 1;
782 }
783
784 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
785 {
786 return key->pub_key;
787 }
788
789 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
790 {
791 if (key->meth->set_public != NULL
792 && key->meth->set_public(key, pub_key) == 0)
793 return 0;
794 EC_POINT_free(key->pub_key);
795 key->pub_key = EC_POINT_dup(pub_key, key->group);
796 key->dirty_cnt++;
797 return (key->pub_key == NULL) ? 0 : 1;
798 }
799
800 unsigned int EC_KEY_get_enc_flags(const EC_KEY *key)
801 {
802 return key->enc_flag;
803 }
804
805 void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
806 {
807 key->enc_flag = flags;
808 }
809
810 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
811 {
812 return key->conv_form;
813 }
814
815 void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
816 {
817 key->conv_form = cform;
818 if (key->group != NULL)
819 EC_GROUP_set_point_conversion_form(key->group, cform);
820 }
821
822 void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
823 {
824 if (key->group != NULL)
825 EC_GROUP_set_asn1_flag(key->group, flag);
826 }
827
828 #ifndef OPENSSL_NO_DEPRECATED_3_0
829 int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
830 {
831 if (key->group == NULL)
832 return 0;
833 return EC_GROUP_precompute_mult(key->group, ctx);
834 }
835 #endif
836
837 int EC_KEY_get_flags(const EC_KEY *key)
838 {
839 return key->flags;
840 }
841
842 void EC_KEY_set_flags(EC_KEY *key, int flags)
843 {
844 key->flags |= flags;
845 key->dirty_cnt++;
846 }
847
848 void EC_KEY_clear_flags(EC_KEY *key, int flags)
849 {
850 key->flags &= ~flags;
851 key->dirty_cnt++;
852 }
853
854 int EC_KEY_decoded_from_explicit_params(const EC_KEY *key)
855 {
856 if (key == NULL || key->group == NULL)
857 return -1;
858 return key->group->decoded_from_explicit_params;
859 }
860
861 size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
862 unsigned char **pbuf, BN_CTX *ctx)
863 {
864 if (key == NULL || key->pub_key == NULL || key->group == NULL)
865 return 0;
866 return EC_POINT_point2buf(key->group, key->pub_key, form, pbuf, ctx);
867 }
868
869 int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
870 BN_CTX *ctx)
871 {
872 if (key == NULL || key->group == NULL)
873 return 0;
874 if (key->pub_key == NULL)
875 key->pub_key = EC_POINT_new(key->group);
876 if (key->pub_key == NULL)
877 return 0;
878 if (EC_POINT_oct2point(key->group, key->pub_key, buf, len, ctx) == 0)
879 return 0;
880 key->dirty_cnt++;
881 /*
882 * Save the point conversion form.
883 * For non-custom curves the first octet of the buffer (excluding
884 * the last significant bit) contains the point conversion form.
885 * EC_POINT_oct2point() has already performed sanity checking of
886 * the buffer so we know it is valid.
887 */
888 if ((key->group->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0)
889 key->conv_form = (point_conversion_form_t)(buf[0] & ~0x01);
890 return 1;
891 }
892
893 size_t EC_KEY_priv2oct(const EC_KEY *eckey,
894 unsigned char *buf, size_t len)
895 {
896 if (eckey->group == NULL || eckey->group->meth == NULL)
897 return 0;
898 if (eckey->group->meth->priv2oct == NULL) {
899 ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
900 return 0;
901 }
902
903 return eckey->group->meth->priv2oct(eckey, buf, len);
904 }
905
906 size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
907 unsigned char *buf, size_t len)
908 {
909 size_t buf_len;
910
911 buf_len = (EC_GROUP_order_bits(eckey->group) + 7) / 8;
912 if (eckey->priv_key == NULL)
913 return 0;
914 if (buf == NULL)
915 return buf_len;
916 else if (len < buf_len)
917 return 0;
918
919 /* Octetstring may need leading zeros if BN is to short */
920
921 if (BN_bn2binpad(eckey->priv_key, buf, buf_len) == -1) {
922 ERR_raise(ERR_LIB_EC, EC_R_BUFFER_TOO_SMALL);
923 return 0;
924 }
925
926 return buf_len;
927 }
928
929 int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
930 {
931 int ret;
932
933 if (eckey->group == NULL || eckey->group->meth == NULL)
934 return 0;
935 if (eckey->group->meth->oct2priv == NULL) {
936 ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
937 return 0;
938 }
939 ret = eckey->group->meth->oct2priv(eckey, buf, len);
940 if (ret == 1)
941 eckey->dirty_cnt++;
942 return ret;
943 }
944
945 int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
946 {
947 if (eckey->priv_key == NULL)
948 eckey->priv_key = BN_secure_new();
949 if (eckey->priv_key == NULL) {
950 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
951 return 0;
952 }
953 eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
954 if (eckey->priv_key == NULL) {
955 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
956 return 0;
957 }
958 eckey->dirty_cnt++;
959 return 1;
960 }
961
962 size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf)
963 {
964 size_t len;
965 unsigned char *buf;
966
967 len = EC_KEY_priv2oct(eckey, NULL, 0);
968 if (len == 0)
969 return 0;
970 if ((buf = OPENSSL_malloc(len)) == NULL) {
971 ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
972 return 0;
973 }
974 len = EC_KEY_priv2oct(eckey, buf, len);
975 if (len == 0) {
976 OPENSSL_free(buf);
977 return 0;
978 }
979 *pbuf = buf;
980 return len;
981 }
982
983 int EC_KEY_can_sign(const EC_KEY *eckey)
984 {
985 if (eckey->group == NULL || eckey->group->meth == NULL
986 || (eckey->group->meth->flags & EC_FLAGS_NO_SIGN))
987 return 0;
988 return 1;
989 }
990
991 /*
992 * FIPS 140-2 IG 9.9 AS09.33
993 * Perform a sign/verify operation.
994 *
995 * NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9
996 * states that no additional pairwise tests are required (apart from the tests
997 * specified in SP800-56A) when generating keys. Hence pairwise ECDH tests are
998 * omitted here.
999 */
1000 static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
1001 void *cbarg)
1002 {
1003 int ret = 0;
1004 unsigned char dgst[16] = {0};
1005 int dgst_len = (int)sizeof(dgst);
1006 ECDSA_SIG *sig = NULL;
1007 OSSL_SELF_TEST *st = NULL;
1008
1009 st = OSSL_SELF_TEST_new(cb, cbarg);
1010 if (st == NULL)
1011 return 0;
1012
1013 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
1014 OSSL_SELF_TEST_DESC_PCT_ECDSA);
1015
1016 sig = ECDSA_do_sign(dgst, dgst_len, eckey);
1017 if (sig == NULL)
1018 goto err;
1019
1020 OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
1021
1022 if (ECDSA_do_verify(dgst, dgst_len, sig, eckey) != 1)
1023 goto err;
1024
1025 ret = 1;
1026 err:
1027 OSSL_SELF_TEST_onend(st, ret);
1028 OSSL_SELF_TEST_free(st);
1029 ECDSA_SIG_free(sig);
1030 return ret;
1031 }
A mirror of the official openssl repository