1 /* Written by Nils Larsch for the OpenSSL project. */ 2 /* ==================================================================== 3 * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * licensing (at) OpenSSL.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 * This product includes cryptographic software written by Eric Young 51 * (eay (at) cryptsoft.com). This product includes software written by Tim 52 * Hudson (tjh (at) cryptsoft.com). */ 53 54 #include <openssl/ec.h> 55 56 #include <string.h> 57 58 #include <openssl/asn1.h> 59 #include <openssl/asn1t.h> 60 #include <openssl/bn.h> 61 #include <openssl/err.h> 62 #include <openssl/mem.h> 63 #include <openssl/obj.h> 64 65 #include "internal.h" 66 67 68 typedef struct x9_62_fieldid_st { 69 ASN1_OBJECT *fieldType; 70 union { 71 char *ptr; 72 /* NID_X9_62_prime_field */ 73 ASN1_INTEGER *prime; 74 /* anything else */ 75 ASN1_TYPE *other; 76 } p; 77 } X9_62_FIELDID; 78 79 ASN1_ADB_TEMPLATE(fieldID_def) = ASN1_SIMPLE(X9_62_FIELDID, p.other, ASN1_ANY); 80 81 ASN1_ADB(X9_62_FIELDID) = { 82 ADB_ENTRY(NID_X9_62_prime_field, ASN1_SIMPLE(X9_62_FIELDID, p.prime, ASN1_INTEGER)), 83 } ASN1_ADB_END(X9_62_FIELDID, 0, fieldType, 0, &fieldID_def_tt, NULL); 84 85 ASN1_SEQUENCE(X9_62_FIELDID) = { 86 ASN1_SIMPLE(X9_62_FIELDID, fieldType, ASN1_OBJECT), 87 ASN1_ADB_OBJECT(X9_62_FIELDID) 88 } ASN1_SEQUENCE_END(X9_62_FIELDID); 89 90 typedef struct x9_62_curve_st { 91 ASN1_OCTET_STRING *a; 92 ASN1_OCTET_STRING *b; 93 ASN1_BIT_STRING *seed; 94 } X9_62_CURVE; 95 96 ASN1_SEQUENCE(X9_62_CURVE) = { 97 ASN1_SIMPLE(X9_62_CURVE, a, ASN1_OCTET_STRING), 98 ASN1_SIMPLE(X9_62_CURVE, b, ASN1_OCTET_STRING), 99 ASN1_OPT(X9_62_CURVE, seed, ASN1_BIT_STRING) 100 } ASN1_SEQUENCE_END(X9_62_CURVE); 101 102 typedef struct ec_parameters_st { 103 long version; 104 X9_62_FIELDID *fieldID; 105 X9_62_CURVE *curve; 106 ASN1_OCTET_STRING *base; 107 ASN1_INTEGER *order; 108 ASN1_INTEGER *cofactor; 109 } ECPARAMETERS; 110 111 DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS); 112 113 ASN1_SEQUENCE(ECPARAMETERS) = { 114 ASN1_SIMPLE(ECPARAMETERS, version, LONG), 115 ASN1_SIMPLE(ECPARAMETERS, fieldID, X9_62_FIELDID), 116 ASN1_SIMPLE(ECPARAMETERS, curve, X9_62_CURVE), 117 ASN1_SIMPLE(ECPARAMETERS, base, ASN1_OCTET_STRING), 118 ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER), 119 ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER) 120 } ASN1_SEQUENCE_END(ECPARAMETERS); 121 122 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS); 123 124 typedef struct ecpk_parameters_st { 125 int type; 126 union { 127 ASN1_OBJECT *named_curve; 128 ECPARAMETERS *parameters; 129 } value; 130 } ECPKPARAMETERS; 131 132 /* SEC1 ECPrivateKey */ 133 typedef struct ec_privatekey_st { 134 long version; 135 ASN1_OCTET_STRING *privateKey; 136 ECPKPARAMETERS *parameters; 137 ASN1_BIT_STRING *publicKey; 138 } EC_PRIVATEKEY; 139 140 DECLARE_ASN1_FUNCTIONS_const(ECPKPARAMETERS); 141 DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECPKPARAMETERS, ECPKPARAMETERS); 142 143 ASN1_CHOICE(ECPKPARAMETERS) = { 144 ASN1_SIMPLE(ECPKPARAMETERS, value.named_curve, ASN1_OBJECT), 145 ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS), 146 } ASN1_CHOICE_END(ECPKPARAMETERS); 147 148 IMPLEMENT_ASN1_FUNCTIONS_const(ECPKPARAMETERS); 149 150 DECLARE_ASN1_FUNCTIONS_const(EC_PRIVATEKEY); 151 DECLARE_ASN1_ENCODE_FUNCTIONS_const(EC_PRIVATEKEY, EC_PRIVATEKEY); 152 153 ASN1_SEQUENCE(EC_PRIVATEKEY) = { 154 ASN1_SIMPLE(EC_PRIVATEKEY, version, LONG), 155 ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING), 156 ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0), 157 ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1), 158 } ASN1_SEQUENCE_END(EC_PRIVATEKEY); 159 160 IMPLEMENT_ASN1_FUNCTIONS_const(EC_PRIVATEKEY); 161 162 163 ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *group, 164 ECPKPARAMETERS *params) { 165 int ok = 0, nid; 166 ECPKPARAMETERS *ret = params; 167 168 if (ret == NULL) { 169 ret = ECPKPARAMETERS_new(); 170 if (ret == NULL) { 171 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 172 return NULL; 173 } 174 } else { 175 ASN1_OBJECT_free(ret->value.named_curve); 176 } 177 178 /* use the ASN.1 OID to describe the the elliptic curve parameters. */ 179 nid = EC_GROUP_get_curve_name(group); 180 if (nid) { 181 ret->type = 0; 182 ret->value.named_curve = (ASN1_OBJECT*) OBJ_nid2obj(nid); 183 ok = ret->value.named_curve != NULL; 184 } 185 186 if (!ok) { 187 ECPKPARAMETERS_free(ret); 188 return NULL; 189 } 190 191 return ret; 192 } 193 194 EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *params) { 195 EC_GROUP *ret = NULL; 196 int nid = NID_undef; 197 198 if (params == NULL) { 199 OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS); 200 return NULL; 201 } 202 203 if (params->type == 0) { 204 nid = OBJ_obj2nid(params->value.named_curve); 205 } else if (params->type == 1) { 206 /* We don't support arbitary curves so we attempt to recognise it from the 207 * group order. */ 208 const ECPARAMETERS *ecparams = params->value.parameters; 209 unsigned i; 210 const struct built_in_curve *curve; 211 212 for (i = 0; OPENSSL_built_in_curves[i].nid != NID_undef; i++) { 213 curve = &OPENSSL_built_in_curves[i]; 214 const unsigned param_len = curve->data->param_len; 215 if ((unsigned) ecparams->order->length == param_len && 216 memcmp(ecparams->order->data, &curve->data->data[param_len * 5], 217 param_len) == 0) { 218 nid = curve->nid; 219 break; 220 } 221 } 222 } 223 224 if (nid == NID_undef) { 225 OPENSSL_PUT_ERROR(EC, EC_R_NON_NAMED_CURVE); 226 return NULL; 227 } 228 229 ret = EC_GROUP_new_by_curve_name(nid); 230 if (ret == NULL) { 231 OPENSSL_PUT_ERROR(EC, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE); 232 return NULL; 233 } 234 235 return ret; 236 } 237 238 static EC_GROUP *d2i_ECPKParameters(EC_GROUP **groupp, const uint8_t **inp, 239 long len) { 240 EC_GROUP *group = NULL; 241 ECPKPARAMETERS *params = NULL; 242 const uint8_t *in = *inp; 243 244 params = d2i_ECPKPARAMETERS(NULL, &in, len); 245 if (params == NULL) { 246 OPENSSL_PUT_ERROR(EC, EC_R_D2I_ECPKPARAMETERS_FAILURE); 247 ECPKPARAMETERS_free(params); 248 return NULL; 249 } 250 251 group = ec_asn1_pkparameters2group(params); 252 if (group == NULL) { 253 OPENSSL_PUT_ERROR(EC, EC_R_PKPARAMETERS2GROUP_FAILURE); 254 ECPKPARAMETERS_free(params); 255 return NULL; 256 } 257 258 if (groupp) { 259 EC_GROUP_free(*groupp); 260 *groupp = group; 261 } 262 263 ECPKPARAMETERS_free(params); 264 *inp = in; 265 return group; 266 } 267 268 static int i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp) { 269 int ret = 0; 270 ECPKPARAMETERS *tmp = ec_asn1_group2pkparameters(group, NULL); 271 if (tmp == NULL) { 272 OPENSSL_PUT_ERROR(EC, EC_R_GROUP2PKPARAMETERS_FAILURE); 273 return 0; 274 } 275 ret = i2d_ECPKPARAMETERS(tmp, outp); 276 if (ret == 0) { 277 OPENSSL_PUT_ERROR(EC, EC_R_I2D_ECPKPARAMETERS_FAILURE); 278 ECPKPARAMETERS_free(tmp); 279 return 0; 280 } 281 ECPKPARAMETERS_free(tmp); 282 return ret; 283 } 284 285 EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **inp, long len) { 286 int ok = 0; 287 EC_KEY *ret = NULL; 288 EC_PRIVATEKEY *priv_key = NULL; 289 290 const uint8_t *in = *inp; 291 priv_key = d2i_EC_PRIVATEKEY(NULL, &in, len); 292 if (priv_key == NULL) { 293 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 294 return NULL; 295 } 296 297 if (a == NULL || *a == NULL) { 298 ret = EC_KEY_new(); 299 if (ret == NULL) { 300 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 301 goto err; 302 } 303 } else { 304 ret = *a; 305 } 306 307 if (priv_key->parameters) { 308 EC_GROUP_free(ret->group); 309 ret->group = ec_asn1_pkparameters2group(priv_key->parameters); 310 } 311 312 if (ret->group == NULL) { 313 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 314 goto err; 315 } 316 317 ret->version = priv_key->version; 318 319 if (priv_key->privateKey) { 320 ret->priv_key = 321 BN_bin2bn(M_ASN1_STRING_data(priv_key->privateKey), 322 M_ASN1_STRING_length(priv_key->privateKey), ret->priv_key); 323 if (ret->priv_key == NULL) { 324 OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); 325 goto err; 326 } 327 } else { 328 OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PRIVATE_KEY); 329 goto err; 330 } 331 332 if (BN_cmp(ret->priv_key, EC_GROUP_get0_order(ret->group)) >= 0) { 333 OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER); 334 goto err; 335 } 336 337 EC_POINT_free(ret->pub_key); 338 ret->pub_key = EC_POINT_new(ret->group); 339 if (ret->pub_key == NULL) { 340 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 341 goto err; 342 } 343 344 if (priv_key->publicKey) { 345 const uint8_t *pub_oct; 346 int pub_oct_len; 347 348 pub_oct = M_ASN1_STRING_data(priv_key->publicKey); 349 pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey); 350 /* The first byte (the point conversion form) must be present. */ 351 if (pub_oct_len <= 0) { 352 OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); 353 goto err; 354 } 355 /* Save the point conversion form. */ 356 ret->conv_form = (point_conversion_form_t)(pub_oct[0] & ~0x01); 357 if (!EC_POINT_oct2point(ret->group, ret->pub_key, pub_oct, pub_oct_len, 358 NULL)) { 359 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 360 goto err; 361 } 362 } else { 363 if (!EC_POINT_mul(ret->group, ret->pub_key, ret->priv_key, NULL, NULL, 364 NULL)) { 365 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 366 goto err; 367 } 368 /* Remember the original private-key-only encoding. */ 369 ret->enc_flag |= EC_PKEY_NO_PUBKEY; 370 } 371 372 if (a) { 373 *a = ret; 374 } 375 *inp = in; 376 ok = 1; 377 378 err: 379 if (!ok) { 380 if (a == NULL || *a != ret) { 381 EC_KEY_free(ret); 382 } 383 ret = NULL; 384 } 385 386 EC_PRIVATEKEY_free(priv_key); 387 388 return ret; 389 } 390 391 int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) { 392 int ret = 0, ok = 0; 393 uint8_t *buffer = NULL; 394 size_t buf_len = 0, tmp_len; 395 EC_PRIVATEKEY *priv_key = NULL; 396 397 if (key == NULL || key->group == NULL || key->priv_key == NULL) { 398 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 399 goto err; 400 } 401 402 priv_key = EC_PRIVATEKEY_new(); 403 if (priv_key == NULL) { 404 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 405 goto err; 406 } 407 408 priv_key->version = key->version; 409 410 buf_len = BN_num_bytes(&key->group->order); 411 buffer = OPENSSL_malloc(buf_len); 412 if (buffer == NULL) { 413 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 414 goto err; 415 } 416 417 if (!BN_bn2bin_padded(buffer, buf_len, key->priv_key)) { 418 OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); 419 goto err; 420 } 421 422 if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len)) { 423 OPENSSL_PUT_ERROR(EC, ERR_R_ASN1_LIB); 424 goto err; 425 } 426 427 /* TODO(fork): replace this flexibility with key sensible default? */ 428 if (!(key->enc_flag & EC_PKEY_NO_PARAMETERS)) { 429 if ((priv_key->parameters = ec_asn1_group2pkparameters( 430 key->group, priv_key->parameters)) == NULL) { 431 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 432 goto err; 433 } 434 } 435 436 /* TODO(fork): replace this flexibility with key sensible default? */ 437 if (!(key->enc_flag & EC_PKEY_NO_PUBKEY) && key->pub_key != NULL) { 438 priv_key->publicKey = M_ASN1_BIT_STRING_new(); 439 if (priv_key->publicKey == NULL) { 440 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 441 goto err; 442 } 443 444 tmp_len = EC_POINT_point2oct(key->group, key->pub_key, key->conv_form, NULL, 445 0, NULL); 446 447 if (tmp_len > buf_len) { 448 uint8_t *tmp_buffer = OPENSSL_realloc(buffer, tmp_len); 449 if (!tmp_buffer) { 450 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 451 goto err; 452 } 453 buffer = tmp_buffer; 454 buf_len = tmp_len; 455 } 456 457 if (!EC_POINT_point2oct(key->group, key->pub_key, key->conv_form, buffer, 458 buf_len, NULL)) { 459 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 460 goto err; 461 } 462 463 priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); 464 priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT; 465 if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer, buf_len)) { 466 OPENSSL_PUT_ERROR(EC, ERR_R_ASN1_LIB); 467 goto err; 468 } 469 } 470 471 ret = i2d_EC_PRIVATEKEY(priv_key, outp); 472 if (ret == 0) { 473 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 474 goto err; 475 } 476 ok = 1; 477 478 err: 479 OPENSSL_free(buffer); 480 EC_PRIVATEKEY_free(priv_key); 481 return (ok ? ret : 0); 482 } 483 484 int i2d_ECParameters(const EC_KEY *key, uint8_t **outp) { 485 if (key == NULL) { 486 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 487 return 0; 488 } 489 return i2d_ECPKParameters(key->group, outp); 490 } 491 492 EC_KEY *d2i_ECParameters(EC_KEY **key, const uint8_t **inp, long len) { 493 EC_KEY *ret; 494 495 if (inp == NULL || *inp == NULL) { 496 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 497 return NULL; 498 } 499 500 if (key == NULL || *key == NULL) { 501 ret = EC_KEY_new(); 502 if (ret == NULL) { 503 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 504 return NULL; 505 } 506 } else { 507 ret = *key; 508 } 509 510 if (!d2i_ECPKParameters(&ret->group, inp, len)) { 511 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 512 if (key == NULL || *key == NULL) { 513 EC_KEY_free(ret); 514 } 515 return NULL; 516 } 517 518 if (key) { 519 *key = ret; 520 } 521 return ret; 522 } 523 524 EC_KEY *o2i_ECPublicKey(EC_KEY **keyp, const uint8_t **inp, long len) { 525 EC_KEY *ret = NULL; 526 527 if (keyp == NULL || *keyp == NULL || (*keyp)->group == NULL) { 528 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 529 return 0; 530 } 531 ret = *keyp; 532 if (ret->pub_key == NULL && 533 (ret->pub_key = EC_POINT_new(ret->group)) == NULL) { 534 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 535 return 0; 536 } 537 if (!EC_POINT_oct2point(ret->group, ret->pub_key, *inp, len, NULL)) { 538 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 539 return 0; 540 } 541 /* save the point conversion form */ 542 ret->conv_form = (point_conversion_form_t)(*inp[0] & ~0x01); 543 *inp += len; 544 return ret; 545 } 546 547 int i2o_ECPublicKey(const EC_KEY *key, uint8_t **outp) { 548 size_t buf_len = 0; 549 int new_buffer = 0; 550 551 if (key == NULL) { 552 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); 553 return 0; 554 } 555 556 buf_len = EC_POINT_point2oct(key->group, key->pub_key, key->conv_form, NULL, 557 0, NULL); 558 559 if (outp == NULL || buf_len == 0) { 560 /* out == NULL => just return the length of the octet string */ 561 return buf_len; 562 } 563 564 if (*outp == NULL) { 565 *outp = OPENSSL_malloc(buf_len); 566 if (*outp == NULL) { 567 OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE); 568 return 0; 569 } 570 new_buffer = 1; 571 } 572 if (!EC_POINT_point2oct(key->group, key->pub_key, key->conv_form, *outp, 573 buf_len, NULL)) { 574 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); 575 if (new_buffer) { 576 OPENSSL_free(*outp); 577 *outp = NULL; 578 } 579 return 0; 580 } 581 582 if (!new_buffer) { 583 *outp += buf_len; 584 } 585 return buf_len; 586 } 587
