]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ec/ec_key.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Run the withlibctx.pl script
[thirdparty/openssl.git] / crypto / ec / ec_key.c
1 /*
2 * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 /*
12 * ECDSA low level APIs are deprecated for public use, but still ok for
13 * internal use.
14 */
15 #include "internal/deprecated.h"
16
17 #include "internal/cryptlib.h"
18 #include <string.h>
19 #include "ec_local.h"
20 #include "internal/refcount.h"
21 #include <openssl/err.h>
22 #include <openssl/engine.h>
23 #include <openssl/self_test.h>
24 #include "prov/providercommon.h"
25 #include "crypto/bn.h"
26
27 static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
28 void *cbarg);
29
30 #ifndef FIPS_MODULE
31 EC_KEY *EC_KEY_new(void)
32 {
33 return ec_key_new_method_int(NULL, NULL, NULL);
34 }
35 #endif
36
37 EC_KEY *EC_KEY_new_ex(OPENSSL_CTX *ctx, const char *propq)
38 {
39 return ec_key_new_method_int(ctx, propq, NULL);
40 }
41
42 EC_KEY *EC_KEY_new_by_curve_name_ex(OPENSSL_CTX *ctx, const char *propq,
43 int nid)
44 {
45 EC_KEY *ret = EC_KEY_new_ex(ctx, propq);
46 if (ret == NULL)
47 return NULL;
48 ret->group = EC_GROUP_new_by_curve_name_ex(ctx, propq, nid);
49 if (ret->group == NULL) {
50 EC_KEY_free(ret);
51 return NULL;
52 }
53 if (ret->meth->set_group != NULL
54 && ret->meth->set_group(ret, ret->group) == 0) {
55 EC_KEY_free(ret);
56 return NULL;
57 }
58 return ret;
59 }
60
61 #ifndef FIPS_MODULE
62 EC_KEY *EC_KEY_new_by_curve_name(int nid)
63 {
64 return EC_KEY_new_by_curve_name_ex(NULL, NULL, nid);
65 }
66 #endif
67
68 void EC_KEY_free(EC_KEY *r)
69 {
70 int i;
71
72 if (r == NULL)
73 return;
74
75 CRYPTO_DOWN_REF(&r->references, &i, r->lock);
76 REF_PRINT_COUNT("EC_KEY", r);
77 if (i > 0)
78 return;
79 REF_ASSERT_ISNT(i < 0);
80
81 if (r->meth != NULL && r->meth->finish != NULL)
82 r->meth->finish(r);
83
84 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
85 ENGINE_finish(r->engine);
86 #endif
87
88 if (r->group && r->group->meth->keyfinish)
89 r->group->meth->keyfinish(r);
90
91 #ifndef FIPS_MODULE
92 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
93 #endif
94 CRYPTO_THREAD_lock_free(r->lock);
95 EC_GROUP_free(r->group);
96 EC_POINT_free(r->pub_key);
97 BN_clear_free(r->priv_key);
98 OPENSSL_free(r->propq);
99
100 OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
101 }
102
103 EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
104 {
105 if (dest == NULL || src == NULL) {
106 ECerr(EC_F_EC_KEY_COPY, ERR_R_PASSED_NULL_PARAMETER);
107 return NULL;
108 }
109 if (src->meth != dest->meth) {
110 if (dest->meth->finish != NULL)
111 dest->meth->finish(dest);
112 if (dest->group && dest->group->meth->keyfinish)
113 dest->group->meth->keyfinish(dest);
114 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
115 if (ENGINE_finish(dest->engine) == 0)
116 return 0;
117 dest->engine = NULL;
118 #endif
119 }
120 dest->libctx = src->libctx;
121 /* copy the parameters */
122 if (src->group != NULL) {
123 /* clear the old group */
124 EC_GROUP_free(dest->group);
125 dest->group = ec_group_new_ex(src->libctx, src->propq, src->group->meth);
126 if (dest->group == NULL)
127 return NULL;
128 if (!EC_GROUP_copy(dest->group, src->group))
129 return NULL;
130
131 /* copy the public key */
132 if (src->pub_key != NULL) {
133 EC_POINT_free(dest->pub_key);
134 dest->pub_key = EC_POINT_new(src->group);
135 if (dest->pub_key == NULL)
136 return NULL;
137 if (!EC_POINT_copy(dest->pub_key, src->pub_key))
138 return NULL;
139 }
140 /* copy the private key */
141 if (src->priv_key != NULL) {
142 if (dest->priv_key == NULL) {
143 dest->priv_key = BN_new();
144 if (dest->priv_key == NULL)
145 return NULL;
146 }
147 if (!BN_copy(dest->priv_key, src->priv_key))
148 return NULL;
149 if (src->group->meth->keycopy
150 && src->group->meth->keycopy(dest, src) == 0)
151 return NULL;
152 }
153 }
154
155
156 /* copy the rest */
157 dest->enc_flag = src->enc_flag;
158 dest->conv_form = src->conv_form;
159 dest->version = src->version;
160 dest->flags = src->flags;
161 #ifndef FIPS_MODULE
162 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
163 &dest->ex_data, &src->ex_data))
164 return NULL;
165 #endif
166
167 if (src->meth != dest->meth) {
168 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
169 if (src->engine != NULL && ENGINE_init(src->engine) == 0)
170 return NULL;
171 dest->engine = src->engine;
172 #endif
173 dest->meth = src->meth;
174 }
175
176 if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
177 return NULL;
178
179 dest->dirty_cnt++;
180
181 return dest;
182 }
183
184 EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
185 {
186 EC_KEY *ret = ec_key_new_method_int(ec_key->libctx, ec_key->propq,
187 ec_key->engine);
188
189 if (ret == NULL)
190 return NULL;
191
192 if (EC_KEY_copy(ret, ec_key) == NULL) {
193 EC_KEY_free(ret);
194 return NULL;
195 }
196 return ret;
197 }
198
199 int EC_KEY_up_ref(EC_KEY *r)
200 {
201 int i;
202
203 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
204 return 0;
205
206 REF_PRINT_COUNT("EC_KEY", r);
207 REF_ASSERT_ISNT(i < 2);
208 return ((i > 1) ? 1 : 0);
209 }
210
211 ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey)
212 {
213 return eckey->engine;
214 }
215
216 int EC_KEY_generate_key(EC_KEY *eckey)
217 {
218 if (eckey == NULL || eckey->group == NULL) {
219 ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
220 return 0;
221 }
222 if (eckey->meth->keygen != NULL) {
223 int ret;
224
225 ret = eckey->meth->keygen(eckey);
226 if (ret == 1)
227 eckey->dirty_cnt++;
228
229 return ret;
230 }
231 ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
232 return 0;
233 }
234
235 int ossl_ec_key_gen(EC_KEY *eckey)
236 {
237 int ret;
238
239 ret = eckey->group->meth->keygen(eckey);
240
241 if (ret == 1)
242 eckey->dirty_cnt++;
243 return ret;
244 }
245
246 /*
247 * ECC Key generation.
248 * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
249 *
250 * Params:
251 * libctx A context containing an optional self test callback.
252 * eckey An EC key object that contains domain params. The generated keypair
253 * is stored in this object.
254 * pairwise_test Set to non zero to perform a pairwise test. If the test
255 * fails then the keypair is not generated,
256 * Returns 1 if the keypair was generated or 0 otherwise.
257 */
258 static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
259 {
260 int ok = 0;
261 BIGNUM *priv_key = NULL;
262 const BIGNUM *tmp = NULL;
263 BIGNUM *order = NULL;
264 EC_POINT *pub_key = NULL;
265 const EC_GROUP *group = eckey->group;
266 BN_CTX *ctx = BN_CTX_secure_new_ex(eckey->libctx);
267 int sm2 = EC_KEY_get_flags(eckey) & EC_FLAG_SM2_RANGE ? 1 : 0;
268
269 if (ctx == NULL)
270 goto err;
271
272 if (eckey->priv_key == NULL) {
273 priv_key = BN_secure_new();
274 if (priv_key == NULL)
275 goto err;
276 } else
277 priv_key = eckey->priv_key;
278
279 /*
280 * Steps (1-2): Check domain parameters and security strength.
281 * These steps must be done by the user. This would need to be
282 * stated in the security policy.
283 */
284
285 tmp = EC_GROUP_get0_order(group);
286 if (tmp == NULL)
287 goto err;
288
289 /*
290 * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]).
291 * Although this is slightly different from the standard, it is effectively
292 * equivalent as it gives an unbiased result ranging from 1..n-1. It is also
293 * faster as the standard needs to retry more often. Also doing
294 * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into
295 * rand so the simpler backward compatible method has been used here.
296 */
297
298 /* range of SM2 private key is [1, n-1) */
299 if (sm2) {
300 order = BN_new();
301 if (order == NULL || !BN_sub(order, tmp, BN_value_one()))
302 goto err;
303 } else {
304 order = BN_dup(tmp);
305 if (order == NULL)
306 goto err;
307 }
308
309 do
310 if (!BN_priv_rand_range_ex(priv_key, order, ctx))
311 goto err;
312 while (BN_is_zero(priv_key)) ;
313
314 if (eckey->pub_key == NULL) {
315 pub_key = EC_POINT_new(group);
316 if (pub_key == NULL)
317 goto err;
318 } else
319 pub_key = eckey->pub_key;
320
321 /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */
322 if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
323 goto err;
324
325 eckey->priv_key = priv_key;
326 eckey->pub_key = pub_key;
327 priv_key = NULL;
328 pub_key = NULL;
329
330 eckey->dirty_cnt++;
331
332 #ifdef FIPS_MODULE
333 pairwise_test = 1;
334 #endif /* FIPS_MODULE */
335
336 ok = 1;
337 if (pairwise_test) {
338 OSSL_CALLBACK *cb = NULL;
339 void *cbarg = NULL;
340
341 OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
342 ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
343 }
344 err:
345 /* Step (9): If there is an error return an invalid keypair. */
346 if (!ok) {
347 ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
348 BN_clear(eckey->priv_key);
349 if (eckey->pub_key != NULL)
350 EC_POINT_set_to_infinity(group, eckey->pub_key);
351 }
352
353 EC_POINT_free(pub_key);
354 BN_clear_free(priv_key);
355 BN_CTX_free(ctx);
356 BN_free(order);
357 return ok;
358 }
359
360 int ec_key_simple_generate_key(EC_KEY *eckey)
361 {
362 return ec_generate_key(eckey, 0);
363 }
364
365 int ec_key_simple_generate_public_key(EC_KEY *eckey)
366 {
367 int ret;
368 BN_CTX *ctx = BN_CTX_new_ex(eckey->libctx);
369
370 if (ctx == NULL)
371 return 0;
372
373 /*
374 * See SP800-56AR3 5.6.1.2.2: Step (8)
375 * pub_key = priv_key * G (where G is a point on the curve)
376 */
377 ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
378 NULL, ctx);
379
380 BN_CTX_free(ctx);
381 if (ret == 1)
382 eckey->dirty_cnt++;
383
384 return ret;
385 }
386
387 int EC_KEY_check_key(const EC_KEY *eckey)
388 {
389 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
390 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
391 return 0;
392 }
393
394 if (eckey->group->meth->keycheck == NULL) {
395 ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
396 return 0;
397 }
398
399 return eckey->group->meth->keycheck(eckey);
400 }
401
402 /*
403 * Check the range of the EC public key.
404 * See SP800-56A R3 Section 5.6.2.3.3 (Part 2)
405 * i.e.
406 * - If q = odd prime p: Verify that xQ and yQ are integers in the
407 * interval[0, p - 1], OR
408 * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits.
409 * Returns 1 if the public key has a valid range, otherwise it returns 0.
410 */
411 static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key)
412 {
413 int ret = 0;
414 BIGNUM *x, *y;
415
416 BN_CTX_start(ctx);
417 x = BN_CTX_get(ctx);
418 y = BN_CTX_get(ctx);
419 if (y == NULL)
420 goto err;
421
422 if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx))
423 goto err;
424
425 if (EC_GROUP_get_field_type(key->group) == NID_X9_62_prime_field) {
426 if (BN_is_negative(x)
427 || BN_cmp(x, key->group->field) >= 0
428 || BN_is_negative(y)
429 || BN_cmp(y, key->group->field) >= 0) {
430 goto err;
431 }
432 } else {
433 int m = EC_GROUP_get_degree(key->group);
434 if (BN_num_bits(x) > m || BN_num_bits(y) > m) {
435 goto err;
436 }
437 }
438 ret = 1;
439 err:
440 BN_CTX_end(ctx);
441 return ret;
442 }
443
444 /*
445 * ECC Key validation as specified in SP800-56A R3.
446 * Section 5.6.2.3.3 ECC Full Public-Key Validation.
447 */
448 int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
449 {
450 int ret = 0;
451 EC_POINT *point = NULL;
452 const BIGNUM *order = NULL;
453
454 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
455 ECerr(0, ERR_R_PASSED_NULL_PARAMETER);
456 return 0;
457 }
458
459 /* 5.6.2.3.3 (Step 1): Q != infinity */
460 if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
461 ECerr(0, EC_R_POINT_AT_INFINITY);
462 return 0;
463 }
464
465 point = EC_POINT_new(eckey->group);
466 if (point == NULL)
467 return 0;
468
469 /* 5.6.2.3.3 (Step 2) Test if the public key is in range */
470 if (!ec_key_public_range_check(ctx, eckey)) {
471 ECerr(0, EC_R_COORDINATES_OUT_OF_RANGE);
472 goto err;
473 }
474
475 /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */
476 if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
477 ECerr(0, EC_R_POINT_IS_NOT_ON_CURVE);
478 goto err;
479 }
480
481 order = eckey->group->order;
482 if (BN_is_zero(order)) {
483 ECerr(0, EC_R_INVALID_GROUP_ORDER);
484 goto err;
485 }
486 /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */
487 if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
488 ECerr(0, ERR_R_EC_LIB);
489 goto err;
490 }
491 if (!EC_POINT_is_at_infinity(eckey->group, point)) {
492 ECerr(0, EC_R_WRONG_ORDER);
493 goto err;
494 }
495 ret = 1;
496 err:
497 EC_POINT_free(point);
498 return ret;
499 }
500
501 /*
502 * ECC Key validation as specified in SP800-56A R3.
503 * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
504 * The private key is in the range [1, order-1]
505 */
506 int ec_key_private_check(const EC_KEY *eckey)
507 {
508 if (eckey == NULL || eckey->group == NULL || eckey->priv_key == NULL) {
509 ECerr(0, ERR_R_PASSED_NULL_PARAMETER);
510 return 0;
511 }
512 if (BN_cmp(eckey->priv_key, BN_value_one()) < 0
513 || BN_cmp(eckey->priv_key, eckey->group->order) >= 0) {
514 ECerr(0, EC_R_INVALID_PRIVATE_KEY);
515 return 0;
516 }
517 return 1;
518 }
519
520 /*
521 * ECC Key validation as specified in SP800-56A R3.
522 * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency (b)
523 * Check if generator * priv_key = pub_key
524 */
525 int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx)
526 {
527 int ret = 0;
528 EC_POINT *point = NULL;
529
530 if (eckey == NULL
531 || eckey->group == NULL
532 || eckey->pub_key == NULL
533 || eckey->priv_key == NULL) {
534 ECerr(0, ERR_R_PASSED_NULL_PARAMETER);
535 return 0;
536 }
537
538 point = EC_POINT_new(eckey->group);
539 if (point == NULL)
540 goto err;
541
542
543 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, NULL, ctx)) {
544 ECerr(0, ERR_R_EC_LIB);
545 goto err;
546 }
547 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
548 ECerr(0, EC_R_INVALID_PRIVATE_KEY);
549 goto err;
550 }
551 ret = 1;
552 err:
553 EC_POINT_free(point);
554 return ret;
555 }
556
557
558 /*
559 * ECC Key validation as specified in SP800-56A R3.
560 * Section 5.6.2.3.3 ECC Full Public-Key Validation
561 * Section 5.6.2.1.2 Owner Assurance of Private-Key Validity
562 * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
563 * NOTES:
564 * Before calling this method in fips mode, there should be an assurance that
565 * an approved elliptic-curve group is used.
566 * Returns 1 if the key is valid, otherwise it returns 0.
567 */
568 int ec_key_simple_check_key(const EC_KEY *eckey)
569 {
570 int ok = 0;
571 BN_CTX *ctx = NULL;
572
573 if (eckey == NULL) {
574 ECerr(0, ERR_R_PASSED_NULL_PARAMETER);
575 return 0;
576 }
577 if ((ctx = BN_CTX_new_ex(eckey->libctx)) == NULL)
578 return 0;
579
580 if (!ec_key_public_check(eckey, ctx))
581 goto err;
582
583 if (eckey->priv_key != NULL) {
584 if (!ec_key_private_check(eckey)
585 || !ec_key_pairwise_check(eckey, ctx))
586 goto err;
587 }
588 ok = 1;
589 err:
590 BN_CTX_free(ctx);
591 return ok;
592 }
593
594 int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
595 BIGNUM *y)
596 {
597 BN_CTX *ctx = NULL;
598 BIGNUM *tx, *ty;
599 EC_POINT *point = NULL;
600 int ok = 0;
601
602 if (key == NULL || key->group == NULL || x == NULL || y == NULL) {
603 ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
604 ERR_R_PASSED_NULL_PARAMETER);
605 return 0;
606 }
607 ctx = BN_CTX_new_ex(key->libctx);
608 if (ctx == NULL)
609 return 0;
610
611 BN_CTX_start(ctx);
612 point = EC_POINT_new(key->group);
613
614 if (point == NULL)
615 goto err;
616
617 tx = BN_CTX_get(ctx);
618 ty = BN_CTX_get(ctx);
619 if (ty == NULL)
620 goto err;
621
622 if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx))
623 goto err;
624 if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx))
625 goto err;
626
627 /*
628 * Check if retrieved coordinates match originals. The range check is done
629 * inside EC_KEY_check_key().
630 */
631 if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
632 ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
633 EC_R_COORDINATES_OUT_OF_RANGE);
634 goto err;
635 }
636
637 /* EC_KEY_set_public_key updates dirty_cnt */
638 if (!EC_KEY_set_public_key(key, point))
639 goto err;
640
641 if (EC_KEY_check_key(key) == 0)
642 goto err;
643
644 ok = 1;
645
646 err:
647 BN_CTX_end(ctx);
648 BN_CTX_free(ctx);
649 EC_POINT_free(point);
650 return ok;
651
652 }
653
654 OPENSSL_CTX *ec_key_get_libctx(const EC_KEY *key)
655 {
656 return key->libctx;
657 }
658
659 const char *ec_key_get0_propq(const EC_KEY *key)
660 {
661 return key->propq;
662 }
663
664 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
665 {
666 return key->group;
667 }
668
669 int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
670 {
671 if (key->meth->set_group != NULL && key->meth->set_group(key, group) == 0)
672 return 0;
673 EC_GROUP_free(key->group);
674 key->group = EC_GROUP_dup(group);
675 key->dirty_cnt++;
676 return (key->group == NULL) ? 0 : 1;
677 }
678
679 const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
680 {
681 return key->priv_key;
682 }
683
684 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
685 {
686 int fixed_top;
687 const BIGNUM *order = NULL;
688 BIGNUM *tmp_key = NULL;
689
690 if (key->group == NULL || key->group->meth == NULL)
691 return 0;
692
693 /*
694 * Not only should key->group be set, but it should also be in a valid
695 * fully initialized state.
696 *
697 * Specifically, to operate in constant time, we need that the group order
698 * is set, as we use its length as the fixed public size of any scalar used
699 * as an EC private key.
700 */
701 order = EC_GROUP_get0_order(key->group);
702 if (order == NULL || BN_is_zero(order))
703 return 0; /* This should never happen */
704
705 if (key->group->meth->set_private != NULL
706 && key->group->meth->set_private(key, priv_key) == 0)
707 return 0;
708 if (key->meth->set_private != NULL
709 && key->meth->set_private(key, priv_key) == 0)
710 return 0;
711
712 /*
713 * We should never leak the bit length of the secret scalar in the key,
714 * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
715 * holding the secret scalar.
716 *
717 * This is important also because `BN_dup()` (and `BN_copy()`) do not
718 * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
719 * this brings an extra risk of inadvertently losing the flag, even when
720 * the caller specifically set it.
721 *
722 * The propagation has been turned on and off a few times in the past
723 * years because in some conditions has shown unintended consequences in
724 * some code paths, so at the moment we can't fix this in the BN layer.
725 *
726 * In `EC_KEY_set_private_key()` we can work around the propagation by
727 * manually setting the flag after `BN_dup()` as we know for sure that
728 * inside the EC module the `BN_FLG_CONSTTIME` is always treated
729 * correctly and should not generate unintended consequences.
730 *
731 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
732 * to preallocate the BIGNUM internal buffer to a fixed public size big
733 * enough that operations performed during the processing never trigger
734 * a realloc which would leak the size of the scalar through memory
735 * accesses.
736 *
737 * Fixed Length
738 * ------------
739 *
740 * The order of the large prime subgroup of the curve is our choice for
741 * a fixed public size, as that is generally the upper bound for
742 * generating a private key in EC cryptosystems and should fit all valid
743 * secret scalars.
744 *
745 * For preallocating the BIGNUM storage we look at the number of "words"
746 * required for the internal representation of the order, and we
747 * preallocate 2 extra "words" in case any of the subsequent processing
748 * might temporarily overflow the order length.
749 */
750 tmp_key = BN_dup(priv_key);
751 if (tmp_key == NULL)
752 return 0;
753
754 BN_set_flags(tmp_key, BN_FLG_CONSTTIME);
755
756 fixed_top = bn_get_top(order) + 2;
757 if (bn_wexpand(tmp_key, fixed_top) == NULL) {
758 BN_clear_free(tmp_key);
759 return 0;
760 }
761
762 BN_clear_free(key->priv_key);
763 key->priv_key = tmp_key;
764 key->dirty_cnt++;
765
766 return 1;
767 }
768
769 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
770 {
771 return key->pub_key;
772 }
773
774 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
775 {
776 if (key->meth->set_public != NULL
777 && key->meth->set_public(key, pub_key) == 0)
778 return 0;
779 EC_POINT_free(key->pub_key);
780 key->pub_key = EC_POINT_dup(pub_key, key->group);
781 key->dirty_cnt++;
782 return (key->pub_key == NULL) ? 0 : 1;
783 }
784
785 unsigned int EC_KEY_get_enc_flags(const EC_KEY *key)
786 {
787 return key->enc_flag;
788 }
789
790 void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
791 {
792 key->enc_flag = flags;
793 }
794
795 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
796 {
797 return key->conv_form;
798 }
799
800 void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
801 {
802 key->conv_form = cform;
803 if (key->group != NULL)
804 EC_GROUP_set_point_conversion_form(key->group, cform);
805 }
806
807 void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
808 {
809 if (key->group != NULL)
810 EC_GROUP_set_asn1_flag(key->group, flag);
811 }
812
813 #ifndef OPENSSL_NO_DEPRECATED_3_0
814 int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
815 {
816 if (key->group == NULL)
817 return 0;
818 return EC_GROUP_precompute_mult(key->group, ctx);
819 }
820 #endif
821
822 int EC_KEY_get_flags(const EC_KEY *key)
823 {
824 return key->flags;
825 }
826
827 void EC_KEY_set_flags(EC_KEY *key, int flags)
828 {
829 key->flags |= flags;
830 key->dirty_cnt++;
831 }
832
833 void EC_KEY_clear_flags(EC_KEY *key, int flags)
834 {
835 key->flags &= ~flags;
836 key->dirty_cnt++;
837 }
838
839 int EC_KEY_decoded_from_explicit_params(const EC_KEY *key)
840 {
841 if (key == NULL || key->group == NULL)
842 return -1;
843 return key->group->decoded_from_explicit_params;
844 }
845
846 size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
847 unsigned char **pbuf, BN_CTX *ctx)
848 {
849 if (key == NULL || key->pub_key == NULL || key->group == NULL)
850 return 0;
851 return EC_POINT_point2buf(key->group, key->pub_key, form, pbuf, ctx);
852 }
853
854 int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
855 BN_CTX *ctx)
856 {
857 if (key == NULL || key->group == NULL)
858 return 0;
859 if (key->pub_key == NULL)
860 key->pub_key = EC_POINT_new(key->group);
861 if (key->pub_key == NULL)
862 return 0;
863 if (EC_POINT_oct2point(key->group, key->pub_key, buf, len, ctx) == 0)
864 return 0;
865 key->dirty_cnt++;
866 /*
867 * Save the point conversion form.
868 * For non-custom curves the first octet of the buffer (excluding
869 * the last significant bit) contains the point conversion form.
870 * EC_POINT_oct2point() has already performed sanity checking of
871 * the buffer so we know it is valid.
872 */
873 if ((key->group->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0)
874 key->conv_form = (point_conversion_form_t)(buf[0] & ~0x01);
875 return 1;
876 }
877
878 size_t EC_KEY_priv2oct(const EC_KEY *eckey,
879 unsigned char *buf, size_t len)
880 {
881 if (eckey->group == NULL || eckey->group->meth == NULL)
882 return 0;
883 if (eckey->group->meth->priv2oct == NULL) {
884 ECerr(EC_F_EC_KEY_PRIV2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
885 return 0;
886 }
887
888 return eckey->group->meth->priv2oct(eckey, buf, len);
889 }
890
891 size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
892 unsigned char *buf, size_t len)
893 {
894 size_t buf_len;
895
896 buf_len = (EC_GROUP_order_bits(eckey->group) + 7) / 8;
897 if (eckey->priv_key == NULL)
898 return 0;
899 if (buf == NULL)
900 return buf_len;
901 else if (len < buf_len)
902 return 0;
903
904 /* Octetstring may need leading zeros if BN is to short */
905
906 if (BN_bn2binpad(eckey->priv_key, buf, buf_len) == -1) {
907 ECerr(EC_F_EC_KEY_SIMPLE_PRIV2OCT, EC_R_BUFFER_TOO_SMALL);
908 return 0;
909 }
910
911 return buf_len;
912 }
913
914 int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
915 {
916 int ret;
917
918 if (eckey->group == NULL || eckey->group->meth == NULL)
919 return 0;
920 if (eckey->group->meth->oct2priv == NULL) {
921 ECerr(EC_F_EC_KEY_OCT2PRIV, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
922 return 0;
923 }
924 ret = eckey->group->meth->oct2priv(eckey, buf, len);
925 if (ret == 1)
926 eckey->dirty_cnt++;
927 return ret;
928 }
929
930 int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
931 {
932 if (eckey->priv_key == NULL)
933 eckey->priv_key = BN_secure_new();
934 if (eckey->priv_key == NULL) {
935 ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);
936 return 0;
937 }
938 eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
939 if (eckey->priv_key == NULL) {
940 ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
941 return 0;
942 }
943 eckey->dirty_cnt++;
944 return 1;
945 }
946
947 size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf)
948 {
949 size_t len;
950 unsigned char *buf;
951
952 len = EC_KEY_priv2oct(eckey, NULL, 0);
953 if (len == 0)
954 return 0;
955 if ((buf = OPENSSL_malloc(len)) == NULL) {
956 ECerr(EC_F_EC_KEY_PRIV2BUF, ERR_R_MALLOC_FAILURE);
957 return 0;
958 }
959 len = EC_KEY_priv2oct(eckey, buf, len);
960 if (len == 0) {
961 OPENSSL_free(buf);
962 return 0;
963 }
964 *pbuf = buf;
965 return len;
966 }
967
968 int EC_KEY_can_sign(const EC_KEY *eckey)
969 {
970 if (eckey->group == NULL || eckey->group->meth == NULL
971 || (eckey->group->meth->flags & EC_FLAGS_NO_SIGN))
972 return 0;
973 return 1;
974 }
975
976 /*
977 * FIPS 140-2 IG 9.9 AS09.33
978 * Perform a sign/verify operation.
979 *
980 * NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9
981 * states that no additional pairwise tests are required (apart from the tests
982 * specified in SP800-56A) when generating keys. Hence pairwise ECDH tests are
983 * omitted here.
984 */
985 static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
986 void *cbarg)
987 {
988 int ret = 0;
989 unsigned char dgst[16] = {0};
990 int dgst_len = (int)sizeof(dgst);
991 ECDSA_SIG *sig = NULL;
992 OSSL_SELF_TEST *st = NULL;
993
994 st = OSSL_SELF_TEST_new(cb, cbarg);
995 if (st == NULL)
996 return 0;
997
998 OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
999 OSSL_SELF_TEST_DESC_PCT_ECDSA);
1000
1001 sig = ECDSA_do_sign(dgst, dgst_len, eckey);
1002 if (sig == NULL)
1003 goto err;
1004
1005 OSSL_SELF_TEST_oncorrupt_byte(st, dgst);
1006
1007 if (ECDSA_do_verify(dgst, dgst_len, sig, eckey) != 1)
1008 goto err;
1009
1010 ret = 1;
1011 err:
1012 OSSL_SELF_TEST_onend(st, ret);
1013 OSSL_SELF_TEST_free(st);
1014 ECDSA_SIG_free(sig);
1015 return ret;
1016 }
A mirror of the official openssl repository