[ec] Match built-in curves on EC_GROUP_new_from_ecparameters

[openssl.git] / crypto / ec / ec_asn1.c

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 3a8128b75575083dfc3d4a0d839f6995c13cc893..e0d02bb01a45079bbd23f2a2f8164cee7df53268 100644 (file)
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -571,10 +571,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
 EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
 {
     int ok = 0, tmp;
 EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
 {
     int ok = 0, tmp;

-    EC_GROUP *ret = NULL;
+    EC_GROUP *ret = NULL, *dup = NULL;

     BIGNUM *p = NULL, *a = NULL, *b = NULL;
     EC_POINT *point = NULL;
     long field_bits;
     BIGNUM *p = NULL, *a = NULL, *b = NULL;
     EC_POINT *point = NULL;
     long field_bits;

+    int curve_name = NID_undef;
+    BN_CTX *ctx = NULL;

 
     if (!params->fieldID || !params->fieldID->fieldType ||
         !params->fieldID->p.ptr) {
 
     if (!params->fieldID || !params->fieldID->fieldType ||
         !params->fieldID->p.ptr) {


@@ -792,18 +794,79 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
         goto err;
     }
 
         goto err;
     }
 

+    /*
+     * Check if the explicit parameters group just created matches one of the
+     * built-in curves.
+     *
+     * We create a copy of the group just built, so that we can remove optional
+     * fields for the lookup: we do this to avoid the possibility that one of
+     * the optional parameters is used to force the library into using a less
+     * performant and less secure EC_METHOD instead of the specialized one.
+     * In any case, `seed` is not really used in any computation, while a
+     * cofactor different from the one in the built-in table is just
+     * mathematically wrong anyway and should not be used.
+     */
+    if ((ctx = BN_CTX_new()) == NULL) {
+        ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
+        goto err;
+    }
+    if ((dup = EC_GROUP_dup(ret)) == NULL
+            || EC_GROUP_set_seed(dup, NULL, 0) != 1
+            || !EC_GROUP_set_generator(dup, point, a, NULL)) {
+        ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
+        goto err;
+    }
+    if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
+        /*
+         * The input explicit parameters successfully matched one of the
+         * built-in curves: often for built-in curves we have specialized
+         * methods with better performance and hardening.
+         *
+         * In this case we replace the `EC_GROUP` created through explicit
+         * parameters with one created from a named group.
+         */
+        EC_GROUP *named_group = NULL;
+
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+        /*
+         * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
+         * the same curve, we prefer the SECP nid when matching explicit
+         * parameters as that is associated with a specialized EC_METHOD.
+         */
+        if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
+            curve_name = NID_secp224r1;
+#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+
+        if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
+            ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
+            goto err;
+        }
+        EC_GROUP_free(ret);
+        ret = named_group;
+
+        /*
+         * Set the flag so that EC_GROUPs created from explicit parameters are
+         * serialized using explicit parameters by default.
+         */
+        EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
+    }
+

     ok = 1;
 
  err:
     if (!ok) {
     ok = 1;
 
  err:
     if (!ok) {

-        EC_GROUP_clear_free(ret);
+        EC_GROUP_free(ret);

         ret = NULL;
     }
         ret = NULL;
     }

+    EC_GROUP_free(dup);

 
     BN_free(p);
     BN_free(a);
     BN_free(b);
     EC_POINT_free(point);
 
     BN_free(p);
     BN_free(a);
     BN_free(b);
     EC_POINT_free(point);

+
+    BN_CTX_free(ctx);
+

     return ret;
 }
 
     return ret;
 }
 


@@ -864,7 +927,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
     }
 
     if (a) {
     }
 
     if (a) {

-        EC_GROUP_clear_free(*a);
+        EC_GROUP_free(*a);

         *a = group;
     }
 
         *a = group;
     }
 


@@ -912,7 +975,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
         ret = *a;
 
     if (priv_key->parameters) {
         ret = *a;
 
     if (priv_key->parameters) {

-        EC_GROUP_clear_free(ret->group);
+        EC_GROUP_free(ret->group);

         ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
     }
 
         ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
     }