X-Git-Url: http://wagner.pp.ru/gitweb/?a=blobdiff_plain;f=gost_ec_keyx.c;h=7a6ebe7e12ea5e8f587ea1b0648a387377b96eac;hb=8751d1538fd893488d90ef5cb7997c58e54f8059;hp=973ab06e3e3e46b4d0c2f0b0cc8b653ed50aa3a4;hpb=dbc8f4780fa78d66a68174f78f9ae9aa9cdad53c;p=openssl-gost%2Fengine.git diff --git a/gost_ec_keyx.c b/gost_ec_keyx.c index 973ab06..7a6ebe7 100644 --- a/gost_ec_keyx.c +++ b/gost_ec_keyx.c @@ -1,9 +1,15 @@ /********************************************************************** * gost_ec_keyx.c * + * * * Copyright (c) 2005-2013 Cryptocom LTD * + * Copyright (c) 2018,2020 Dmitry Belyavskiy * + * Copyright (c) 2020 Billy Brumley * + * * * This file is distributed under the same license as OpenSSL * * * - * VK0 34.10-2001 key exchange and GOST R 34.10-2001 * + * VK0 R 50.1.113-2016 / RFC 7836 * + * KEG R 1323565.1.020-2018 * + * VK0 34.10-2001 key exchange and GOST R 34.10-2001 (RFC 4357) * * based PKCS7/SMIME support * * Requires OpenSSL 0.9.9 for compilation * **********************************************************************/ @@ -24,7 +30,7 @@ int VKO_compute_key(unsigned char *shared_key, const int vko_dgst_nid) { unsigned char *databuf = NULL; - BIGNUM *scalar = NULL, *X = NULL, *Y = NULL; + BIGNUM *scalar = NULL, *X = NULL, *Y = NULL, *order = NULL; const EC_GROUP *grp = NULL; EC_POINT *pnt = NULL; BN_CTX *ctx = NULL; @@ -45,9 +51,11 @@ int VKO_compute_key(unsigned char *shared_key, goto err; } + order = BN_CTX_get(ctx); grp = EC_KEY_get0_group(priv_key); scalar = BN_CTX_get(ctx); X = BN_CTX_get(ctx); + EC_GROUP_get_order(grp, order, ctx); if ((Y = BN_CTX_get(ctx)) == NULL || (pnt = EC_POINT_new(grp)) == NULL @@ -65,7 +73,7 @@ int VKO_compute_key(unsigned char *shared_key, break; } - if (!EC_POINT_mul(grp, pnt, NULL, pub_key, scalar, ctx)) { + if (!gost_ec_point_mul(grp, pnt, NULL, pub_key, scalar, ctx)) { GOSTerr(GOST_F_VKO_COMPUTE_KEY, GOST_R_ERROR_POINT_MUL); goto err; } @@ -74,7 +82,7 @@ int VKO_compute_key(unsigned char *shared_key, goto err; } - half_len = BN_num_bytes(EC_GROUP_get0_field(grp)); + half_len = BN_num_bytes(order); buf_len = 2 * half_len; if ((databuf = OPENSSL_malloc(buf_len)) == NULL) { GOSTerr(GOST_F_VKO_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); @@ -114,6 +122,7 @@ int VKO_compute_key(unsigned char *shared_key, } /* + * KEG Algorithm described in R 1323565.1.020-2018 6.4.5.1. * keyout expected to be 64 bytes * */ static int gost_keg(const unsigned char *ukm_source, int pkey_nid, @@ -165,10 +174,145 @@ static int gost_keg(const unsigned char *ukm_source, int pkey_nid, } } +int pkey_gost_ec_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, + const EC_KEY *eckey) +{ + BN_CTX *ctx; + EC_POINT *tmp = NULL; + BIGNUM *x = NULL; + const BIGNUM *priv_key; + const EC_GROUP *group; + int ret = 0; + size_t buflen,len; + unsigned char *buf = NULL; + int nid; + + if (outlen > INT_MAX) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, EC_R_INVALID_OUTPUT_LENGTH); + return 0; + } + + if ((ctx = BN_CTX_new()) == NULL) + goto err; + BN_CTX_start(ctx); + x = BN_CTX_get(ctx); + if (x == NULL) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); + goto err; + } + + priv_key = EC_KEY_get0_private_key(eckey); + if (priv_key == NULL) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, EC_R_MISSING_PRIVATE_KEY); + goto err; + } + + group = EC_KEY_get0_group(eckey); + + nid = EC_GROUP_get_curve_name(group); + if (nid == NID_id_tc26_gost_3410_2012_256_paramSetA + || nid == NID_id_tc26_gost_3410_2012_512_paramSetC) { + if (!EC_GROUP_get_cofactor(group, x, NULL) || + // or use BN_mul(...) + !BN_mod_mul(x, x, priv_key, EC_GROUP_get0_order(group), ctx)) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, ERR_R_INTERNAL_ERROR); + goto err; + } + priv_key = x; + } + + if ((tmp = EC_POINT_new(group)) == NULL) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); + goto err; + } + + if (!gost_ec_point_mul(group, tmp, NULL, pub_key, priv_key, ctx)) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE); + goto err; + } + + if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE); + goto err; + } + + buflen = (EC_GROUP_get_degree(group) + 7) / 8; + len = BN_num_bytes(x); + if (len > buflen) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, ERR_R_INTERNAL_ERROR); + goto err; + } + if ((buf = OPENSSL_malloc(buflen)) == NULL) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); + goto err; + } + + if (buflen != BN_bn2lebinpad(x, buf, buflen)) { + GOSTerr(GOST_F_PKEY_GOST_EC_COMPUTE_KEY, ERR_R_BN_LIB); + goto err; + } + + if (outlen > buflen) + outlen = buflen; + memcpy(out, buf, outlen); + OPENSSL_clear_free(buf, buflen); + + ret = outlen; + + err: + EC_POINT_clear_free(tmp); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ret; +} + +int pkey_gost_ec_2020_derive(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + int ret; + size_t outlen; + const EC_POINT *pubkey = NULL; + EC_KEY *eckey; + EVP_PKEY *my_key = EVP_PKEY_CTX_get0_pkey(ctx); + EVP_PKEY *peer_key = EVP_PKEY_CTX_get0_peerkey(ctx); + + if (!my_key || !peer_key) { + GOSTerr(GOST_F_PKEY_GOST_EC_2020_DERIVE, EC_R_KEYS_NOT_SET); + return 0; + } + + eckey = EVP_PKEY_get0(my_key); + + if (!key) { + const EC_GROUP *group; + group = EC_KEY_get0_group(eckey); + *keylen = (EC_GROUP_get_degree(group) + 7) / 8; + return 1; + } + pubkey = EC_KEY_get0_public_key(EVP_PKEY_get0(peer_key)); + + /* + * if *outlen is less than maximum size, the result is truncated. + * (is it error or not?) + */ + + outlen = *keylen; + + ret = pkey_gost_ec_compute_key(key, outlen, pubkey, eckey); + if (ret <= 0) + return 0; + *keylen = ret; + return 1; +} + /* * EVP_PKEY_METHOD callback derive. * Implements VKO R 34.10-2001/2012 algorithms */ +/* + * Backend for EVP_PKEY_derive() + * It have KEG mode (default) and VKO mode (enable by EVP_PKEY_CTRL_SET_VKO). + */ int pkey_gost_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { /* @@ -182,14 +326,28 @@ int pkey_gost_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) int dgst_nid = NID_undef; if (!data || data->shared_ukm_size == 0) { - GOSTerr(GOST_F_PKEY_GOST_EC_DERIVE, GOST_R_UKM_NOT_SET); - return 0; + return pkey_gost_ec_2020_derive(ctx, key, keylen); } + + /* VKO */ + if (data->vko_dgst_nid) { + if (!key) { + *keylen = data->vko_dgst_nid == NID_id_GostR3411_2012_256? 32 : 64; + return 1; + } + *keylen = VKO_compute_key(key, + EC_KEY_get0_public_key(EVP_PKEY_get0(peer_key)), + (EC_KEY *)EVP_PKEY_get0(my_key), + data->shared_ukm, data->shared_ukm_size, + data->vko_dgst_nid); + return (*keylen) ? 1 : 0; + } + /* * shared_ukm_size = 8 stands for pre-2018 cipher suites * It means 32 bytes of key length, 8 byte UKM, 32-bytes hash * - * shared_ukm_size = 32 stands for pre-2018 cipher suites + * shared_ukm_size = 32 stands for post-2018 cipher suites * It means 64 bytes of shared_key, 16 bytes of UKM and either * 64 bytes of hash or 64 bytes of TLSTREE output * */ @@ -201,7 +359,6 @@ int pkey_gost_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) *keylen = 32; return 1; } - EVP_PKEY_get_default_digest_nid(my_key, &dgst_nid); if (dgst_nid == NID_id_GostR3411_2012_512) dgst_nid = NID_id_GostR3411_2012_256; @@ -251,7 +408,7 @@ static int pkey_GOST_ECcp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, EVP_PKEY *pubk = EVP_PKEY_CTX_get0_pkey(pctx); struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(pctx); int pkey_nid = EVP_PKEY_base_id(pubk); - ASN1_OBJECT *crypt_params_obj = (pkey_nid == NID_id_GostR3410_2001) ? + ASN1_OBJECT *crypt_params_obj = (pkey_nid == NID_id_GostR3410_2001 || pkey_nid == NID_id_GostR3410_2001DH) ? OBJ_nid2obj(NID_id_Gost28147_89_CryptoPro_A_ParamSet) : OBJ_nid2obj(NID_id_tc26_gost_28147_param_Z); const struct gost_cipher_info *param = @@ -261,6 +418,8 @@ static int pkey_GOST_ECcp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, int key_is_ephemeral = 1; gost_ctx cctx; EVP_PKEY *sec_key = EVP_PKEY_CTX_get0_peerkey(pctx); + int res_len = 0; + if (data->shared_ukm_size) { memcpy(ukm, data->shared_ukm, 8); } else { @@ -342,8 +501,26 @@ static int pkey_GOST_ECcp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, goto err; } } - if ((*out_len = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL)) > 0) + res_len = i2d_GOST_KEY_TRANSPORT(gkt, NULL); + if (res_len <= 0) { + GOSTerr(GOST_F_PKEY_GOST_ECCP_ENCRYPT, ERR_R_ASN1_LIB); + goto err; + } + + if (out == NULL) { + *out_len = res_len; ret = 1; + } else { + if ((size_t)res_len > *out_len) { + GOSTerr(GOST_F_PKEY_GOST_ECCP_ENCRYPT, GOST_R_INVALID_BUFFER_SIZE); + goto err; + } + if ((*out_len = i2d_GOST_KEY_TRANSPORT(gkt, &out)) > 0) + ret = 1; + else + GOSTerr(GOST_F_PKEY_GOST_ECCP_ENCRYPT, ERR_R_ASN1_LIB); + } + OPENSSL_cleanse(shared_key, sizeof(shared_key)); GOST_KEY_TRANSPORT_free(gkt); return ret; @@ -375,6 +552,7 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, int exp_len = 0, iv_len = 0; unsigned char *exp_buf = NULL; int key_is_ephemeral = 0; + int res_len = 0; switch (data->cipher_nid) { case NID_magma_ctr: @@ -468,8 +646,26 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, goto err; } - if ((*out_len = i2d_PSKeyTransport_gost(pst, out ? &out : NULL)) > 0) + res_len = i2d_PSKeyTransport_gost(pst, NULL); + if (res_len <= 0) { + GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, ERR_R_ASN1_LIB); + goto err; + } + + if (out == NULL) { + *out_len = res_len; ret = 1; + } else { + if ((size_t)res_len > *out_len) { + GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, GOST_R_INVALID_BUFFER_SIZE); + goto err; + } + if ((*out_len = i2d_PSKeyTransport_gost(pst, &out)) > 0) + ret = 1; + else + GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, ERR_R_ASN1_LIB); + } + err: OPENSSL_cleanse(expkeys, sizeof(expkeys)); if (key_is_ephemeral) @@ -519,10 +715,6 @@ static int pkey_GOST_ECcp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, EVP_PKEY *eph_key = NULL, *peerkey = NULL; int dgst_nid = NID_undef; - if (!key) { - *key_len = 32; - return 1; - } gkt = d2i_GOST_KEY_TRANSPORT(NULL, (const unsigned char **)&p, in_len); if (!gkt) { GOSTerr(GOST_F_PKEY_GOST_ECCP_DECRYPT, @@ -582,6 +774,7 @@ static int pkey_GOST_ECcp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, goto err; } + *key_len = 32; ret = 1; err: OPENSSL_cleanse(sharedKey, sizeof(sharedKey)); @@ -623,10 +816,6 @@ static int pkey_gost2018_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, return -1; break; } - if (!key) { - *key_len = 32; - return 1; - } pst = d2i_PSKeyTransport_gost(NULL, (const unsigned char **)&p, in_len); if (!pst) { @@ -647,6 +836,13 @@ static int pkey_gost2018_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, o q * Q_eph is not equal to zero point. */ + if (eph_key == NULL || priv == NULL || data == NULL) { + GOSTerr(GOST_F_PKEY_GOST2018_DECRYPT, + GOST_R_ERROR_COMPUTING_EXPORT_KEYS); + ret = 0; + goto err; + } + if (data->shared_ukm_size == 0 && pst->ukm != NULL) { if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_SET_IV, ASN1_STRING_length(pst->ukm), (void *)ASN1_STRING_get0_data(pst->ukm)) < 0) { @@ -671,6 +867,7 @@ static int pkey_gost2018_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, goto err; } + *key_len = 32; ret = 1; err: OPENSSL_cleanse(expkeys, sizeof(expkeys)); @@ -683,6 +880,17 @@ int pkey_gost_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, size_t *key_len, const unsigned char *in, size_t in_len) { struct gost_pmeth_data *gctx = EVP_PKEY_CTX_get_data(pctx); + + if (key == NULL) { + *key_len = 32; + return 1; + } + + if (key != NULL && *key_len < 32) { + GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, GOST_R_INVALID_BUFFER_SIZE); + return 0; + } + switch (gctx->cipher_nid) { case NID_id_Gost28147_89: @@ -696,3 +904,4 @@ int pkey_gost_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, return -1; } } +/* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */