/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include <openssl/core_names.h>
-#include "internal/param_build.h"
+#include "openssl/param_build.h"
#include "ec_local.h"
#ifndef OPENSSL_NO_CMS
return 0;
}
-static EC_KEY *eckey_type2param(int ptype, const void *pval)
+static EC_KEY *eckey_type2param(int ptype, const void *pval,
+ OPENSSL_CTX *libctx, const char *propq)
{
EC_KEY *eckey = NULL;
EC_GROUP *group = NULL;
+ if ((eckey = EC_KEY_new_with_libctx(libctx, propq)) == NULL) {
+ ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE);
+ goto ecerr;
+ }
+
if (ptype == V_ASN1_SEQUENCE) {
const ASN1_STRING *pstr = pval;
const unsigned char *pm = pstr->data;
int pmlen = pstr->length;
- if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
+
+ if (d2i_ECParameters(&eckey, &pm, pmlen) == NULL) {
ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
goto ecerr;
}
/*
* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
*/
- if ((eckey = EC_KEY_new()) == NULL) {
- ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE);
- goto ecerr;
- }
- group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid));
+
+ group = EC_GROUP_new_by_curve_name_with_libctx(libctx, propq,
+ OBJ_obj2nid(poid));
if (group == NULL)
goto ecerr;
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
return NULL;
}
-static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
+static int eckey_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
{
const unsigned char *p = NULL;
const void *pval;
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
- eckey = eckey_type2param(ptype, pval);
+ eckey = eckey_type2param(ptype, pval, NULL, NULL);
if (!eckey) {
ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB);
return -2;
}
-static int eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
+static int eckey_priv_decode_with_libctx(EVP_PKEY *pkey,
+ const PKCS8_PRIV_KEY_INFO *p8,
+ OPENSSL_CTX *libctx,
+ const char *propq)
{
const unsigned char *p = NULL;
const void *pval;
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
- eckey = eckey_type2param(ptype, pval);
+ eckey = eckey_type2param(ptype, pval, libctx, propq);
if (eckey == NULL)
goto ecliberr;
/* We have parameters now set private key */
if (!d2i_ECPrivateKey(&eckey, &p, pklen)) {
- ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR);
+ ECerr(0, EC_R_DECODE_ERROR);
goto ecerr;
}
return 1;
ecliberr:
- ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
+ ECerr(0, ERR_R_EC_LIB);
ecerr:
EC_KEY_free(eckey);
return 0;
if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL)
return 0;
- if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0))
+ if (!OSSL_PARAM_BLD_push_utf8_string(tmpl, OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0))
return 0;
}
static
int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
- EVP_KEYMGMT *to_keymgmt)
+ EVP_KEYMGMT *to_keymgmt, OPENSSL_CTX *libctx,
+ const char *propq)
{
const EC_KEY *eckey = NULL;
const EC_GROUP *ecg = NULL;
unsigned char *pub_key_buf = NULL;
size_t pub_key_buflen;
- OSSL_PARAM_BLD tmpl;
+ OSSL_PARAM_BLD *tmpl;
OSSL_PARAM *params = NULL;
const BIGNUM *priv_key = NULL;
const EC_POINT *pub_point = NULL;
+ int selection = 0;
int rv = 0;
+ BN_CTX *bnctx = NULL;
if (from == NULL
|| (eckey = from->pkey.ec) == NULL
|| (ecg = EC_KEY_get0_group(eckey)) == NULL)
return 0;
- ossl_param_bld_init(&tmpl);
+ /*
+ * If the EC_KEY method is foreign, then we can't be sure of anything,
+ * and can therefore not export or pretend to export.
+ */
+ if (EC_KEY_get_method(eckey) != EC_KEY_OpenSSL())
+ return 0;
- /* export the domain parameters */
- if (!ecparams_to_params(eckey, &tmpl))
+ tmpl = OSSL_PARAM_BLD_new();
+ if (tmpl == NULL)
return 0;
+ /* export the domain parameters */
+ if (!ecparams_to_params(eckey, tmpl))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
+
priv_key = EC_KEY_get0_private_key(eckey);
pub_point = EC_KEY_get0_public_key(eckey);
- /* public_key must be present, priv_key is optional */
- if (pub_point == NULL)
- return 0;
-
- /* convert pub_point to a octet string according to the SECG standard */
- if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point,
- POINT_CONVERSION_COMPRESSED,
- &pub_key_buf, NULL)) == 0)
- return 0;
+ if (pub_point != NULL) {
+ /*
+ * EC_POINT_point2buf() can generate random numbers in some
+ * implementations so we need to ensure we use the correct libctx.
+ */
+ bnctx = BN_CTX_new_ex(libctx);
+ if (bnctx == NULL)
+ goto err;
- if (!ossl_param_bld_push_octet_string(&tmpl,
- OSSL_PKEY_PARAM_PUB_KEY,
- pub_key_buf,
- pub_key_buflen))
- goto err;
+ /* convert pub_point to a octet string according to the SECG standard */
+ if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point,
+ POINT_CONVERSION_COMPRESSED,
+ &pub_key_buf, bnctx)) == 0
+ || !OSSL_PARAM_BLD_push_octet_string(tmpl,
+ OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key_buf,
+ pub_key_buflen))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+ }
if (priv_key != NULL) {
+ size_t sz;
+ int ecbits;
+ int ecdh_cofactor_mode;
+
+ /*
+ * Key import/export should never leak the bit length of the secret
+ * scalar in the key.
+ *
+ * For this reason, on export we use padded BIGNUMs with fixed length.
+ *
+ * When importing we also should make sure that, even if short lived,
+ * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
+ * soon as possible, so that any processing of this BIGNUM might opt for
+ * constant time implementations in the backend.
+ *
+ * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
+ * to preallocate the BIGNUM internal buffer to a fixed public size big
+ * enough that operations performed during the processing never trigger
+ * a realloc which would leak the size of the scalar through memory
+ * accesses.
+ *
+ * Fixed Length
+ * ------------
+ *
+ * The order of the large prime subgroup of the curve is our choice for
+ * a fixed public size, as that is generally the upper bound for
+ * generating a private key in EC cryptosystems and should fit all valid
+ * secret scalars.
+ *
+ * For padding on export we just use the bit length of the order
+ * converted to bytes (rounding up).
+ *
+ * For preallocating the BIGNUM storage we look at the number of "words"
+ * required for the internal representation of the order, and we
+ * preallocate 2 extra "words" in case any of the subsequent processing
+ * might temporarily overflow the order length.
+ */
+ ecbits = EC_GROUP_order_bits(ecg);
+ if (ecbits <= 0)
+ goto err;
+
+ sz = (ecbits + 7 ) / 8;
+ if (!OSSL_PARAM_BLD_push_BN_pad(tmpl,
+ OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key, sz))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+
/*
* The ECDH Cofactor Mode is defined only if the EC_KEY actually
* contains a private key, so we check for the flag and export it only
* in this case.
*/
- int ecdh_cofactor_mode =
+ ecdh_cofactor_mode =
(EC_KEY_get_flags(eckey) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
- /* Export the actual private key */
- if (!ossl_param_bld_push_BN(&tmpl,
- OSSL_PKEY_PARAM_PRIV_KEY,
- priv_key))
- goto err;
-
/* Export the ECDH_COFACTOR_MODE parameter */
- if (!ossl_param_bld_push_int(&tmpl,
+ if (!OSSL_PARAM_BLD_push_int(tmpl,
OSSL_PKEY_PARAM_USE_COFACTOR_ECDH,
ecdh_cofactor_mode))
goto err;
+ selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
}
- params = ossl_param_bld_to_param(&tmpl);
+ params = OSSL_PARAM_BLD_to_param(tmpl);
/* We export, the provider imports */
- rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
- params);
+ rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
err:
- ossl_param_bld_free(params);
+ OSSL_PARAM_BLD_free(tmpl);
+ OSSL_PARAM_BLD_free_params(params);
OPENSSL_free(pub_key_buf);
+ BN_CTX_free(bnctx);
return rv;
}
+static int ec_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
+{
+ EVP_PKEY_CTX *pctx = vpctx;
+ EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+ EC_KEY *ec = EC_KEY_new_with_libctx(pctx->libctx, pctx->propquery);
+
+ if (ec == NULL) {
+ ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!ec_key_domparams_fromdata(ec, params)
+ || !ec_key_otherparams_fromdata(ec, params)
+ || !ec_key_fromdata(ec, params, 1)
+ || !EVP_PKEY_assign_EC_KEY(pkey, ec)) {
+ EC_KEY_free(ec);
+ return 0;
+ }
+ return 1;
+}
+
const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
EVP_PKEY_EC,
EVP_PKEY_EC,
eckey_pub_cmp,
eckey_pub_print,
- eckey_priv_decode,
+ NULL,
eckey_priv_encode,
eckey_priv_print,
0, /* get_pub_key */
ec_pkey_dirty_cnt,
- ec_pkey_export_to
+ ec_pkey_export_to,
+ ec_pkey_import_from,
+ eckey_priv_decode_with_libctx
};
#if !defined(OPENSSL_NO_SM2)
if (!EC_KEY_set_group(ecpeer, grp))
goto err;
} else {
- ecpeer = eckey_type2param(atype, aval);
+ ecpeer = eckey_type2param(atype, aval, pctx->libctx, pctx->propquery);
if (!ecpeer)
goto err;
}