X-Git-Url: http://wagner.pp.ru/gitweb/?a=blobdiff_plain;f=gost_ec_keyx.c;h=2053d0d55eab70ac51d42017db58c4c8a71b32e3;hb=c4e68c4e124ec29bd3c9c88fd8fdca77e6292f38;hp=409d8e19e07a480c2bb545fe4cdc12b3d62589c0;hpb=06eb03a547f646080830d2cd5572844e19909b97;p=openssl-gost%2Fengine.git diff --git a/gost_ec_keyx.c b/gost_ec_keyx.c index 409d8e1..2053d0d 100644 --- a/gost_ec_keyx.c +++ b/gost_ec_keyx.c @@ -18,13 +18,13 @@ #include "gost_lcl.h" /* Implementation of CryptoPro VKO 34.10-2001/2012 algorithm */ -static int VKO_compute_key(unsigned char *shared_key, size_t shared_key_size, - const EC_POINT *pub_key, EC_KEY *priv_key, - const unsigned char *ukm, size_t ukm_size, - int vko_dgst_nid) +int VKO_compute_key(unsigned char *shared_key, + const EC_POINT *pub_key, const EC_KEY *priv_key, + const unsigned char *ukm, const size_t ukm_size, + const int vko_dgst_nid) { unsigned char *databuf = NULL; - BIGNUM *UKM = NULL, *p = NULL, *order = NULL, *X = NULL, *Y = NULL; + BIGNUM *UKM = NULL, *p = NULL, *order = NULL, *X = NULL, *Y = NULL, *cofactor = NULL; const BIGNUM *key = EC_KEY_get0_private_key(priv_key); EC_POINT *pnt = EC_POINT_new(EC_KEY_get0_group(priv_key)); BN_CTX *ctx = BN_CTX_new(); @@ -48,16 +48,22 @@ static int VKO_compute_key(unsigned char *shared_key, size_t shared_key_size, UKM = hashsum2bn(ukm, ukm_size); p = BN_CTX_get(ctx); order = BN_CTX_get(ctx); + cofactor = BN_CTX_get(ctx); X = BN_CTX_get(ctx); Y = BN_CTX_get(ctx); EC_GROUP_get_order(EC_KEY_get0_group(priv_key), order, ctx); + EC_GROUP_get_cofactor(EC_KEY_get0_group(priv_key), cofactor, ctx); + BN_mod_mul(UKM, UKM, cofactor, order, ctx); BN_mod_mul(p, key, UKM, order, ctx); if (!EC_POINT_mul(EC_KEY_get0_group(priv_key), pnt, NULL, pub_key, p, ctx)) { GOSTerr(GOST_F_VKO_COMPUTE_KEY, GOST_R_ERROR_POINT_MUL); goto err; } - EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(priv_key), - pnt, X, Y, ctx); + if (!EC_POINT_get_affine_coordinates(EC_KEY_get0_group(priv_key), + pnt, X, Y, ctx)) { + GOSTerr(GOST_F_VKO_COMPUTE_KEY, ERR_R_EC_LIB); + goto err; + } half_len = BN_num_bytes(order); buf_len = 2 * half_len; @@ -104,23 +110,25 @@ static int VKO_compute_key(unsigned char *shared_key, size_t shared_key_size, * keyout expected to be 64 bytes * */ static int gost_keg(const unsigned char *ukm_source, int pkey_nid, - const EC_POINT *pub_key, EC_KEY *priv_key, + const EC_POINT *pub_key, const EC_KEY *priv_key, unsigned char *keyout) { /* Adjust UKM */ unsigned char real_ukm[16]; - size_t keylen; + size_t keylen = 0; memset(real_ukm, 0, 16); if (memcmp(ukm_source, real_ukm, 16) == 0) real_ukm[15] = 1; - else + else { memcpy(real_ukm, ukm_source, 16); + BUF_reverse(real_ukm, NULL, 16); + } switch (pkey_nid) { case NID_id_GostR3410_2012_512: keylen = - VKO_compute_key(keyout, 64, pub_key, priv_key, real_ukm, 16, + VKO_compute_key(keyout, pub_key, priv_key, real_ukm, 16, NID_id_GostR3411_2012_512); return (keylen) ? keylen : 0; break; @@ -129,8 +137,8 @@ static int gost_keg(const unsigned char *ukm_source, int pkey_nid, { unsigned char tmpkey[32]; keylen = - VKO_compute_key(tmpkey, 32, pub_key, priv_key, real_ukm, 16, - NID_id_GostR3411_2012_256); + VKO_compute_key(tmpkey, pub_key, priv_key, real_ukm, 16, + NID_id_GostR3411_2012_256); if (keylen == 0) return 0; @@ -193,7 +201,7 @@ int pkey_gost_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) dgst_nid = NID_id_GostR3411_2012_256; *keylen = - VKO_compute_key(key, 32, + VKO_compute_key(key, EC_KEY_get0_public_key(EVP_PKEY_get0(peer_key)), (EC_KEY *)EVP_PKEY_get0(my_key), data->shared_ukm, 8, dgst_nid); @@ -249,13 +257,14 @@ static int pkey_GOST_ECcp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, EVP_PKEY *sec_key = EVP_PKEY_CTX_get0_peerkey(pctx); if (data->shared_ukm) { memcpy(ukm, data->shared_ukm, 8); - } else if (out) { - + } else { if (RAND_bytes(ukm, 8) <= 0) { GOSTerr(GOST_F_PKEY_GOST_ECCP_ENCRYPT, GOST_R_RNG_ERROR); return 0; } } + if (!param) + goto err; /* Check for private key in the peer_key of context */ if (sec_key) { key_is_ephemeral = 0; @@ -277,17 +286,13 @@ static int pkey_GOST_ECcp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, } } } - if (!get_gost_engine_param(GOST_PARAM_CRYPT_PARAMS) - && param == gost_cipher_list) { - param = gost_cipher_list; - } if (out) { int dgst_nid = NID_undef; EVP_PKEY_get_default_digest_nid(pubk, &dgst_nid); if (dgst_nid == NID_id_GostR3411_2012_512) dgst_nid = NID_id_GostR3411_2012_256; - if (!VKO_compute_key(shared_key, 32, + if (!VKO_compute_key(shared_key, EC_KEY_get0_public_key(EVP_PKEY_get0(pubk)), EVP_PKEY_get0(sec_key), ukm, 8, dgst_nid)) { GOSTerr(GOST_F_PKEY_GOST_ECCP_ENCRYPT, @@ -361,6 +366,7 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, size_t mac_len = 0; int exp_len = 0, iv_len = 0; unsigned char *exp_buf = NULL; + int key_is_ephemeral = 0; switch (data->cipher_nid) { case NID_magma_ctr: @@ -385,13 +391,23 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, return -1; } - sec_key = EVP_PKEY_new(); - if (!EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new()) - || !EVP_PKEY_copy_parameters(sec_key, pubk) - || !gost_ec_keygen(EVP_PKEY_get0(sec_key))) { + sec_key = EVP_PKEY_CTX_get0_peerkey(pctx); + if (!sec_key) + { + sec_key = EVP_PKEY_new(); + if (sec_key == NULL) { + GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, ERR_R_MALLOC_FAILURE ); + goto err; + } + + if (!EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new()) + || !EVP_PKEY_copy_parameters(sec_key, pubk) + || !gost_ec_keygen(EVP_PKEY_get0(sec_key))) { GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, - GOST_R_ERROR_COMPUTING_SHARED_KEY); + GOST_R_ERROR_COMPUTING_SHARED_KEY); goto err; + } + key_is_ephemeral = 1; } if (gost_keg(data->shared_ukm, pkey_nid, @@ -425,11 +441,12 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, goto err; } - EVP_PKEY_free(sec_key); - if ((*out_len = i2d_PSKeyTransport_gost(pst, out ? &out : NULL)) > 0) ret = 1; err: + if (key_is_ephemeral) + EVP_PKEY_free(sec_key); + PSKeyTransport_gost_free(pst); OPENSSL_free(exp_buf); return ret; @@ -518,7 +535,7 @@ static int pkey_GOST_ECcp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, if (dgst_nid == NID_id_GostR3411_2012_512) dgst_nid = NID_id_GostR3411_2012_256; - if (!VKO_compute_key(sharedKey, 32, + if (!VKO_compute_key(sharedKey, EC_KEY_get0_public_key(EVP_PKEY_get0(peerkey)), EVP_PKEY_get0(priv), wrappedKey, 8, dgst_nid)) { GOSTerr(GOST_F_PKEY_GOST_ECCP_DECRYPT, @@ -553,7 +570,7 @@ static int pkey_gost2018_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, int ret = 0; unsigned char expkeys[64]; EVP_PKEY *eph_key = NULL; - int pkey_nid = EVP_PKEY_base_id(eph_key); + int pkey_nid = EVP_PKEY_base_id(priv); int mac_nid = NID_undef; int iv_len = 0; @@ -584,7 +601,17 @@ static int pkey_gost2018_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, } eph_key = X509_PUBKEY_get(pst->ephem_key); +/* + * TODO beldmit + 1. Checks the next three conditions fulfilling and terminates the + connection with fatal error if not. + + o Q_eph is on the same curve as server public key; + + o Q_eph is not equal to zero point; + o q * Q_eph is not equal to zero point. +*/ if (gost_keg(data->shared_ukm, pkey_nid, EC_KEY_get0_public_key(EVP_PKEY_get0(eph_key)), EVP_PKEY_get0(priv), expkeys) <= 0) { @@ -597,7 +624,7 @@ static int pkey_gost2018_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, ASN1_STRING_length(pst->psexp), data->cipher_nid, expkeys + 32, mac_nid, expkeys + 0, data->shared_ukm + 24, iv_len, key) <= 0) { - GOSTerr(GOST_F_PKEY_GOST2018_DECRYPT, GOST_R_CANNOT_PACK_EPHEMERAL_KEY); + GOSTerr(GOST_F_PKEY_GOST2018_DECRYPT, GOST_R_CANNOT_UNPACK_EPHEMERAL_KEY); goto err; }