From 3d328a445c2ad0eff2e9e843c384711be58a7c2f Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Wed, 24 Jan 2018 11:56:02 -0500 Subject: [PATCH] Add SM2 signature and ECIES schemes Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/4793) --- Configure | 2 +- apps/openssl.c | 3 + config | 2 +- crypto/ec/ec_curve.c | 39 +++ crypto/ec/ec_pmeth.c | 32 ++- crypto/err/err.c | 1 + crypto/err/openssl.ec | 1 + crypto/err/openssl.txt | 65 +++++ crypto/objects/obj_dat.h | 15 +- crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 14 +- crypto/sm2/build.info | 6 + crypto/sm2/sm2_crypt.c | 321 +++++++++++++++++++++ crypto/sm2/sm2_err.c | 129 +++++++++ crypto/sm2/sm2_sign.c | 324 ++++++++++++++++++++++ crypto/sm2/sm2_za.c | 132 +++++++++ fuzz/oids.txt | 1 + include/openssl/err.h | 2 + include/openssl/evp.h | 1 + include/openssl/obj_mac.h | 35 ++- include/openssl/sm2.h | 70 +++++ include/openssl/sm2err.h | 95 +++++++ openssl_sm2.pem | 5 + test/build.info | 9 + test/recipes/30-test_evp_data/evppkey.txt | 14 + test/sm2crypttest.c | 249 +++++++++++++++++ test/sm2sigtest.c | 238 ++++++++++++++++ util/libcrypto.num | 9 + 28 files changed, 1784 insertions(+), 31 deletions(-) create mode 100644 crypto/sm2/build.info create mode 100644 crypto/sm2/sm2_crypt.c create mode 100644 crypto/sm2/sm2_err.c create mode 100644 crypto/sm2/sm2_sign.c create mode 100644 crypto/sm2/sm2_za.c create mode 100644 include/openssl/sm2.h create mode 100644 include/openssl/sm2err.h create mode 100644 openssl_sm2.pem create mode 100644 test/sm2crypttest.c create mode 100644 test/sm2sigtest.c diff --git a/Configure b/Configure index 9b89f60790..e2c0604cb1 100755 --- a/Configure +++ b/Configure @@ -297,7 +297,7 @@ $config{sdirs} = [ "objects", "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", - "bn", "ec", "rsa", "dsa", "dh", "dso", "engine", + "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", "buffer", "bio", "stack", "lhash", "rand", "err", "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" diff --git a/apps/openssl.c b/apps/openssl.c index 39b4f2ce54..8224ae3d0f 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -762,6 +762,9 @@ static void list_disabled(void) #ifdef OPENSSL_NO_SEED BIO_puts(bio_out, "SEED\n"); #endif +#ifdef OPENSSL_NO_SM2 + BIO_puts(bio_out, "SM2\n"); +#endif #ifdef OPENSSL_NO_SM3 BIO_puts(bio_out, "SM3\n"); #endif diff --git a/config b/config index 92dfa4af7f..1f2f7450d1 100755 --- a/config +++ b/config @@ -886,7 +886,7 @@ case "$GUESSOS" in i386-*) options="$options 386" ;; esac -for i in aes aria bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha sm3 sm4 +for i in aes aria bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha sm2 sm3 sm4 do if [ ! -d $THERE/crypto/$i ] then diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 75fc541101..01d56543db 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -2751,6 +2751,43 @@ static const struct { } }; +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +} _EC_sm2p256v1 = { + { + NID_X9_62_prime_field, 0, 32, 1 + }, + { + /* no seed */ + + /* p */ + 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + /* a */ + 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc, + /* b */ + 0x28, 0xe9, 0xfa, 0x9e, 0x9d, 0x9f, 0x5e, 0x34, 0x4d, 0x5a, 0x9e, 0x4b, + 0xcf, 0x65, 0x09, 0xa7, 0xf3, 0x97, 0x89, 0xf5, 0x15, 0xab, 0x8f, 0x92, + 0xdd, 0xbc, 0xbd, 0x41, 0x4d, 0x94, 0x0e, 0x93, + /* x */ + 0x32, 0xc4, 0xae, 0x2c, 0x1f, 0x19, 0x81, 0x19, 0x5f, 0x99, 0x04, 0x46, + 0x6a, 0x39, 0xc9, 0x94, 0x8f, 0xe3, 0x0b, 0xbf, 0xf2, 0x66, 0x0b, 0xe1, + 0x71, 0x5a, 0x45, 0x89, 0x33, 0x4c, 0x74, 0xc7, + /* y */ + 0xbc, 0x37, 0x36, 0xa2, 0xf4, 0xf6, 0x77, 0x9c, 0x59, 0xbd, 0xce, 0xe3, + 0x6b, 0x69, 0x21, 0x53, 0xd0, 0xa9, 0x87, 0x7c, 0xc6, 0x2a, 0x47, 0x40, + 0x02, 0xdf, 0x32, 0xe5, 0x21, 0x39, 0xf0, 0xa0, + /* order */ + 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0x72, 0x03, 0xdf, 0x6b, 0x21, 0xc6, 0x05, 0x2b, + 0x53, 0xbb, 0xf4, 0x09, 0x39, 0xd5, 0x41, 0x23, + } +}; + typedef struct _ec_list_element_st { int nid; const EC_CURVE_DATA *data; @@ -2960,6 +2997,8 @@ static const ec_list_element curve_list[] = { "RFC 5639 curve over a 512 bit prime field"}, {NID_brainpoolP512t1, &_EC_brainpoolP512t1.h, 0, "RFC 5639 curve over a 512 bit prime field"}, + {NID_sm2, &_EC_sm2p256v1.h, 0, + "SM2 curve over a 256 bit prime field"}, }; #define curve_list_length OSSL_NELEM(curve_list) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 68ff2bbccf..82a4ffabf9 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -16,6 +16,10 @@ #include #include "internal/evp_int.h" +#if !defined(OPENSSL_NO_SM2) + #include +#endif + /* EC pkey context structure */ typedef struct { @@ -102,6 +106,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, unsigned int sltmp; EC_PKEY_CTX *dctx = ctx->data; EC_KEY *ec = ctx->pkey->pkey.ec; + const int ec_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); if (!sig) { *siglen = ECDSA_size(ec); @@ -116,7 +121,16 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, else type = NID_sha1; - ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + if (ec_nid == NID_sm2) { +#if defined(OPENSSL_NO_SM2) + ret = -1; +#else + ret = SM2_sign(type, tbs, tbslen, sig, &sltmp, ec); +#endif + } + else { + ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + } if (ret <= 0) return ret; @@ -131,13 +145,24 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx, int ret, type; EC_PKEY_CTX *dctx = ctx->data; EC_KEY *ec = ctx->pkey->pkey.ec; + const int ec_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); if (dctx->md) type = EVP_MD_type(dctx->md); else type = NID_sha1; - ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + if (ec_nid == NID_sm2) { +#if defined(OPENSSL_NO_SM2) + ret = -1; +#else + ret = SM2_verify(type, tbs, tbslen, sig, siglen, ec); +#endif + } + else { + ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + } + return ret; } @@ -318,7 +343,8 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) EVP_MD_type((const EVP_MD *)p2) != NID_sha224 && EVP_MD_type((const EVP_MD *)p2) != NID_sha256 && EVP_MD_type((const EVP_MD *)p2) != NID_sha384 && - EVP_MD_type((const EVP_MD *)p2) != NID_sha512) { + EVP_MD_type((const EVP_MD *)p2) != NID_sha512 && + EVP_MD_type((const EVP_MD *)p2) != NID_sm3) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE); return 0; } diff --git a/crypto/err/err.c b/crypto/err/err.c index 68afa93ae8..c0a6b2b16f 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -60,6 +60,7 @@ static ERR_STRING_DATA ERR_str_libraries[] = { {ERR_PACK(ERR_LIB_ASYNC, 0, 0), "ASYNC routines"}, {ERR_PACK(ERR_LIB_KDF, 0, 0), "KDF routines"}, {ERR_PACK(ERR_LIB_OSSL_STORE, 0, 0), "STORE routines"}, + {ERR_PACK(ERR_LIB_SM2, 0, 0), "SM2 routines"}, {0, NULL}, }; diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index be84c7cb23..f45e230749 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -32,6 +32,7 @@ L CMS include/openssl/cms.h crypto/cms/cms_err.c L CT include/openssl/ct.h crypto/ct/ct_err.c L ASYNC include/openssl/async.h crypto/async/async_err.c L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c +L SM2 include/openssl/sm2.h crypto/sm2/sm2_err.c L OSSL_STORE include/openssl/store.h crypto/store/store_err.c # additional header files to be scanned for function names diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 0052ddf2fe..bb8c157405 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -986,6 +986,11 @@ RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING RSA_F_RSA_VERIFY:119:RSA_verify RSA_F_RSA_VERIFY_ASN1_OCTET_STRING:120:RSA_verify_ASN1_OCTET_STRING RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1:126:RSA_verify_PKCS1_PSS_mgf1 +SM2_F_PKEY_SM2_CTRL:274:pkey_sm2_ctrl +SM2_F_PKEY_SM2_CTRL_STR:275:pkey_sm2_ctrl_str +SM2_F_PKEY_SM2_KEYGEN:276:pkey_sm2_keygen +SM2_F_PKEY_SM2_PARAMGEN:277:pkey_sm2_paramgen +SM2_F_PKEY_SM2_SIGN:278:pkey_sm2_sign SSL_F_ADD_CLIENT_KEY_SHARE_EXT:438:* SSL_F_ADD_KEY_SHARE:512:add_key_share SSL_F_BYTES_TO_CIPHER_LIST:519:bytes_to_cipher_list @@ -2394,6 +2399,66 @@ RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type RSA_R_VALUE_MISSING:147:value missing RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length +SM2_R_ASN1_ERROR:115:asn1 error +SM2_R_ASN5_ERROR:1150:asn5 error +SM2_R_BAD_SIGNATURE:156:bad signature +SM2_R_BIGNUM_OUT_OF_RANGE:144:bignum out of range +SM2_R_BUFFER_TOO_SMALL:100:buffer too small +SM2_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range +SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh +SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing +SM2_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure +SM2_R_DECODE_ERROR:142:decode error +SM2_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero +SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure +SM2_R_FIELD_TOO_LARGE:143:field too large +SM2_R_GF2M_NOT_SUPPORTED:147:gf2m not supported +SM2_R_GROUP2PKPARAMETERS_FAILURE:120:group2pkparameters failure +SM2_R_I2D_ECPKPARAMETERS_FAILURE:121:i2d ecpkparameters failure +SM2_R_INCOMPATIBLE_OBJECTS:101:incompatible objects +SM2_R_INVALID_ARGUMENT:112:invalid argument +SM2_R_INVALID_COMPRESSED_POINT:110:invalid compressed point +SM2_R_INVALID_COMPRESSION_BIT:109:invalid compression bit +SM2_R_INVALID_CURVE:141:invalid curve +SM2_R_INVALID_DIGEST:151:invalid digest +SM2_R_INVALID_DIGEST_TYPE:138:invalid digest type +SM2_R_INVALID_ENCODING:102:invalid encoding +SM2_R_INVALID_FIELD:103:invalid field +SM2_R_INVALID_FORM:104:invalid form +SM2_R_INVALID_GROUP_ORDER:122:invalid group order +SM2_R_INVALID_KEY:116:invalid key +SM2_R_INVALID_OUTPUT_LENGTH:161:invalid output length +SM2_R_INVALID_PEER_KEY:133:invalid peer key +SM2_R_INVALID_PENTANOMIAL_BASIS:132:invalid pentanomial basis +SM2_R_INVALID_PRIVATE_KEY:123:invalid private key +SM2_R_INVALID_TRINOMIAL_BASIS:137:invalid trinomial basis +SM2_R_KDF_PARAMETER_ERROR:148:kdf parameter error +SM2_R_KEYS_NOT_SET:140:keys not set +SM2_R_MISSING_PARAMETERS:124:missing parameters +SM2_R_MISSING_PRIVATE_KEY:125:missing private key +SM2_R_NEED_NEW_SETUP_VALUES:157:need new setup values +SM2_R_NOT_A_NIST_PRIME:135:not a NIST prime +SM2_R_NOT_IMPLEMENTED:126:not implemented +SM2_R_NOT_INITIALIZED:111:not initialized +SM2_R_NO_PARAMETERS_SET:139:no parameters set +SM2_R_NO_PRIVATE_VALUE:154:no private value +SM2_R_OPERATION_NOT_SUPPORTED:152:operation not supported +SM2_R_PASSED_NULL_PARAMETER:134:passed null parameter +SM2_R_PEER_KEY_ERROR:149:peer key error +SM2_R_PKPARAMETERS2GROUP_FAILURE:127:pkparameters2group failure +SM2_R_POINT_ARITHMETIC_FAILURE:155:point arithmetic failure +SM2_R_POINT_AT_INFINITY:106:point at infinity +SM2_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve +SM2_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed +SM2_R_SHARED_INFO_ERROR:150:shared info error +SM2_R_SLOT_FULL:108:slot full +SM2_R_UNDEFINED_GENERATOR:113:undefined generator +SM2_R_UNDEFINED_ORDER:128:undefined order +SM2_R_UNKNOWN_GROUP:129:unknown group +SM2_R_UNKNOWN_ORDER:114:unknown order +SM2_R_UNSUPPORTED_FIELD:131:unsupported field +SM2_R_WRONG_CURVE_PARAMETERS:145:wrong curve parameters +SM2_R_WRONG_ORDER:130:wrong order SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\ attempt to reuse session in different context diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index d392586380..60c3826799 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7618] = { +static const unsigned char so[7626] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -1059,9 +1059,10 @@ static const unsigned char so[7618] = { 0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x09, /* [ 7597] OBJ_uacurve9 */ 0x2B,0x6F, /* [ 7610] OBJ_ieee */ 0x2B,0x6F,0x02,0x8C,0x53, /* [ 7612] OBJ_ieee_siswg */ + 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x82,0x2D, /* [ 7617] OBJ_sm2 */ }; -#define NUM_NID 1172 +#define NUM_NID 1173 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2235,9 +2236,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"uacurve9", "DSTU curve 9", NID_uacurve9, 13, &so[7597]}, {"ieee", "ieee", NID_ieee, 2, &so[7610]}, {"ieee-siswg", "IEEE Security in Storage Working Group", NID_ieee_siswg, 5, &so[7612]}, + {"SM2", "sm2", NID_sm2, 8, &so[7617]}, }; -#define NUM_SN 1163 +#define NUM_SN 1164 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2502,6 +2504,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1095, /* "SHA512-256" */ 1100, /* "SHAKE128" */ 1101, /* "SHAKE256" */ + 1172, /* "SM2" */ 1143, /* "SM3" */ 1134, /* "SM4-CBC" */ 1137, /* "SM4-CFB" */ @@ -3404,7 +3407,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1163 +#define NUM_LN 1164 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -4514,6 +4517,7 @@ static const unsigned int ln_objs[NUM_LN] = { 496, /* "singleLevelQuality" */ 1062, /* "siphash" */ 1142, /* "sm-scheme" */ + 1172, /* "sm2" */ 1143, /* "sm3" */ 1144, /* "sm3WithRSAEncryption" */ 1134, /* "sm4-cbc" */ @@ -4571,7 +4575,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1054 +#define NUM_OBJ 1055 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -5037,6 +5041,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 1136, /* OBJ_sm4_cfb1 1 2 156 10197 1 104 5 */ 1138, /* OBJ_sm4_cfb8 1 2 156 10197 1 104 6 */ 1139, /* OBJ_sm4_ctr 1 2 156 10197 1 104 7 */ + 1172, /* OBJ_sm2 1 2 156 10197 1 301 */ 1143, /* OBJ_sm3 1 2 156 10197 1 401 */ 1144, /* OBJ_sm3WithRSAEncryption 1 2 156 10197 1 504 */ 776, /* OBJ_seed_ecb 1 2 410 200004 1 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 228ee84fab..ca8fdfba48 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1169,3 +1169,4 @@ uacurve8 1168 uacurve9 1169 ieee 1170 ieee_siswg 1171 +sm2 1172 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 2a9112967f..e565864a48 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -36,6 +36,10 @@ member-body 840 : ISO-US : ISO US Member Body ISO-US 10040 : X9-57 : X9.57 X9-57 4 : X9cm : X9.57 CM ? +member-body 156 : ISO-CN : ISO CN Member Body +ISO-CN 10197 : oscca +oscca 1 : sm-scheme + !Cname dsa X9cm 1 : DSA : dsaEncryption X9cm 3 : DSA-SHA1 : dsaWithSHA1 @@ -376,8 +380,10 @@ rsadsi 2 5 : MD5 : md5 rsadsi 2 6 : : hmacWithMD5 rsadsi 2 7 : : hmacWithSHA1 -member-body 156 10197 1 401 : SM3 : sm3 -member-body 156 10197 1 504 : RSA-SM3 : sm3WithRSAEncryption +sm-scheme 301 : SM2 : sm2 + +sm-scheme 401 : SM3 : sm3 +sm-scheme 504 : RSA-SM3 : sm3WithRSAEncryption # From RFC4231 rsadsi 2 8 : : hmacWithSHA224 @@ -1476,10 +1482,6 @@ kisa 1 6 : SEED-OFB : seed-ofb # Definitions for SM4 cipher -member-body 156 : ISO-CN : ISO CN Member Body -ISO-CN 10197 : oscca -oscca 1 : sm-scheme - sm-scheme 104 1 : SM4-ECB : sm4-ecb sm-scheme 104 2 : SM4-CBC : sm4-cbc !Cname sm4-ofb128 diff --git a/crypto/sm2/build.info b/crypto/sm2/build.info new file mode 100644 index 0000000000..fbf8dba10f --- /dev/null +++ b/crypto/sm2/build.info @@ -0,0 +1,6 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ + sm2_za.c sm2_sign.c sm2_crypt.c sm2_err.c + + + diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c new file mode 100644 index 0000000000..a450146a7b --- /dev/null +++ b/crypto/sm2/sm2_crypt.c @@ -0,0 +1,321 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include + +typedef struct SM2_Ciphertext_st SM2_Ciphertext; +DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext) + +struct SM2_Ciphertext_st { + BIGNUM *C1x; + BIGNUM *C1y; + ASN1_OCTET_STRING *C3; + ASN1_OCTET_STRING *C2; +}; + +ASN1_SEQUENCE(SM2_Ciphertext) = { + ASN1_SIMPLE(SM2_Ciphertext, C1x, BIGNUM), + ASN1_SIMPLE(SM2_Ciphertext, C1y, BIGNUM), + ASN1_SIMPLE(SM2_Ciphertext, C3, ASN1_OCTET_STRING), + ASN1_SIMPLE(SM2_Ciphertext, C2, ASN1_OCTET_STRING), +} ASN1_SEQUENCE_END(SM2_Ciphertext) + +IMPLEMENT_ASN1_FUNCTIONS(SM2_Ciphertext) + +static size_t EC_field_size(const EC_GROUP *group) +{ + /* Is there some simpler way to do this? */ + BIGNUM *p = BN_new(); + BIGNUM *a = BN_new(); + BIGNUM *b = BN_new(); + size_t field_size = 0; + + if (p == NULL || a == NULL || b == NULL) + goto done; + + EC_GROUP_get_curve_GFp(group, p, a, b, NULL); + field_size = (BN_num_bits(p) + 7) / 8; + + done: + BN_free(p); + BN_free(a); + BN_free(b); + + return field_size; +} + +size_t SM2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len) +{ + return 10 + 2 * EC_field_size(EC_KEY_get0_group(key)) + + EVP_MD_size(digest) + msg_len; +} + +int SM2_encrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *msg, + size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len) +{ + int rc = 0; + size_t i; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + BIGNUM *x1 = NULL; + BIGNUM *y1 = NULL; + BIGNUM *x2 = NULL; + BIGNUM *y2 = NULL; + + EVP_MD_CTX *hash = EVP_MD_CTX_new(); + + struct SM2_Ciphertext_st ctext_struct; + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + const EC_POINT *P = EC_KEY_get0_public_key(key); + EC_POINT *kG = NULL; + EC_POINT *kP = NULL; + uint8_t *msg_mask = NULL; + + uint8_t *x2y2 = NULL; + uint8_t *C3 = NULL; + + const size_t field_size = EC_field_size(group); + const size_t C3_size = EVP_MD_size(digest); + + if (field_size == 0 || C3_size == 0) + goto done; + + kG = EC_POINT_new(group); + kP = EC_POINT_new(group); + if (kG == NULL || kP == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + k = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + x2 = BN_CTX_get(ctx); + y1 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + + if (y2 == NULL) + goto done; + + x2y2 = OPENSSL_zalloc(2 * field_size); + C3 = OPENSSL_zalloc(C3_size); + + if (x2y2 == NULL || C3 == NULL) + goto done; + + memset(ciphertext_buf, 0, *ciphertext_len); + + BN_priv_rand_range(k, order); + + if (EC_POINT_mul(group, kG, k, NULL, NULL, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kG, x1, y1, ctx) == 0) + goto done; + + if (EC_POINT_mul(group, kP, NULL, P, k, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kP, x2, y2, ctx) == 0) + goto done; + + BN_bn2binpad(x2, x2y2, field_size); + BN_bn2binpad(y2, x2y2 + field_size, field_size); + + msg_mask = OPENSSL_zalloc(msg_len); + if (msg_mask == NULL) + goto done; + + /* X9.63 with no salt happens to match the KDF used in SM2 */ + if (ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, digest) + == 0) + goto done; + + for (i = 0; i != msg_len; ++i) + msg_mask[i] ^= msg[i]; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2, field_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, msg, msg_len) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0) + goto done; + + if (EVP_DigestFinal(hash, C3, NULL) == 0) + goto done; + + ctext_struct.C1x = x1; + ctext_struct.C1y = y1; + ctext_struct.C3 = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size); + ctext_struct.C2 = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len); + + *ciphertext_len = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf); + + ASN1_OCTET_STRING_free(ctext_struct.C2); + ASN1_OCTET_STRING_free(ctext_struct.C3); + + rc = 1; + + done: + OPENSSL_free(msg_mask); + OPENSSL_free(x2y2); + OPENSSL_free(C3); + EVP_MD_CTX_free(hash); + BN_CTX_free(ctx); + EC_POINT_free(kG); + EC_POINT_free(kP); + return rc; +} + +int SM2_decrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *ciphertext, + size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len) +{ + int rc = 0; + int i; + + BN_CTX *ctx = NULL; + const EC_GROUP *group = EC_KEY_get0_group(key); + EC_POINT *C1 = NULL; + struct SM2_Ciphertext_st *sm2_ctext = NULL; + BIGNUM *x2 = NULL; + BIGNUM *y2 = NULL; + + uint8_t *x2y2 = NULL; + uint8_t *computed_C3 = NULL; + + const size_t field_size = EC_field_size(group); + const int hash_size = EVP_MD_size(digest); + + uint8_t *msg_mask = NULL; + const uint8_t *C2 = NULL; + const uint8_t *C3 = NULL; + int msg_len = 0; + EVP_MD_CTX *hash = NULL; + + if (field_size == 0 || hash_size == 0) + goto done; + + memset(ptext_buf, 0xFF, *ptext_len); + + sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext, ciphertext_len); + + if (sm2_ctext == NULL) + goto done; + + if (sm2_ctext->C3->length != hash_size) + goto done; + + C2 = sm2_ctext->C2->data; + C3 = sm2_ctext->C3->data; + msg_len = sm2_ctext->C2->length; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + x2 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + + if(y2 == NULL) + goto done; + + msg_mask = OPENSSL_zalloc(msg_len); + x2y2 = OPENSSL_zalloc(2 * field_size); + computed_C3 = OPENSSL_zalloc(hash_size); + + if(msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL) + goto done; + + C1 = EC_POINT_new(group); + if (C1 == NULL) + goto done; + + if (EC_POINT_set_affine_coordinates_GFp + (group, C1, sm2_ctext->C1x, sm2_ctext->C1y, ctx) == 0) + goto done; + + if (EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key), ctx) == + 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, C1, x2, y2, ctx) == 0) + goto done; + + BN_bn2binpad(x2, x2y2, field_size); + BN_bn2binpad(y2, x2y2 + field_size, field_size); + + if (ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, digest) + == 0) + goto done; + + for (i = 0; i != msg_len; ++i) + ptext_buf[i] = C2[i] ^ msg_mask[i]; + + hash = EVP_MD_CTX_new(); + + if (hash == NULL) + goto done; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2, field_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, ptext_buf, msg_len) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0) + goto done; + + if (EVP_DigestFinal(hash, computed_C3, NULL) == 0) + goto done; + + if (memcmp(computed_C3, C3, hash_size) != 0) + goto done; + + rc = 1; + + done: + + if (rc == 0) + memset(ptext_buf, 0, *ptext_len); + + OPENSSL_free(msg_mask); + OPENSSL_free(x2y2); + OPENSSL_free(computed_C3); + EC_POINT_free(C1); + BN_CTX_free(ctx); + SM2_Ciphertext_free(sm2_ctext); + EVP_MD_CTX_free(hash); + + return rc; +} diff --git a/crypto/sm2/sm2_err.c b/crypto/sm2/sm2_err.c new file mode 100644 index 0000000000..acb4502b86 --- /dev/null +++ b/crypto/sm2/sm2_err.c @@ -0,0 +1,129 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#ifndef OPENSSL_NO_ERR + +static const ERR_STRING_DATA SM2_str_functs[] = { + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_CTRL, 0), "pkey_sm2_ctrl"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_CTRL_STR, 0), "pkey_sm2_ctrl_str"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_KEYGEN, 0), "pkey_sm2_keygen"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_PARAMGEN, 0), "pkey_sm2_paramgen"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_SIGN, 0), "pkey_sm2_sign"}, + {0, NULL} +}; + +static const ERR_STRING_DATA SM2_str_reasons[] = { + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_ASN1_ERROR), "asn1 error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_ASN5_ERROR), "asn5 error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BAD_SIGNATURE), "bad signature"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BIGNUM_OUT_OF_RANGE), + "bignum out of range"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BUFFER_TOO_SMALL), "buffer too small"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_COORDINATES_OUT_OF_RANGE), + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_D2I_ECPKPARAMETERS_FAILURE), + "d2i ecpkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_DECODE_ERROR), "decode error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_DISCRIMINANT_IS_ZERO), + "discriminant is zero"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE), + "ec group new by name failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_FIELD_TOO_LARGE), "field too large"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_GF2M_NOT_SUPPORTED), "gf2m not supported"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_GROUP2PKPARAMETERS_FAILURE), + "group2pkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_I2D_ECPKPARAMETERS_FAILURE), + "i2d ecpkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INCOMPATIBLE_OBJECTS), + "incompatible objects"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_ARGUMENT), "invalid argument"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_COMPRESSED_POINT), + "invalid compressed point"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_COMPRESSION_BIT), + "invalid compression bit"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_CURVE), "invalid curve"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_DIGEST), "invalid digest"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_DIGEST_TYPE), + "invalid digest type"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_ENCODING), "invalid encoding"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_FIELD), "invalid field"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_FORM), "invalid form"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_GROUP_ORDER), + "invalid group order"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_KEY), "invalid key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_OUTPUT_LENGTH), + "invalid output length"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PEER_KEY), "invalid peer key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PENTANOMIAL_BASIS), + "invalid pentanomial basis"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PRIVATE_KEY), + "invalid private key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_TRINOMIAL_BASIS), + "invalid trinomial basis"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_KDF_PARAMETER_ERROR), + "kdf parameter error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_KEYS_NOT_SET), "keys not set"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_MISSING_PRIVATE_KEY), + "missing private key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NEED_NEW_SETUP_VALUES), + "need new setup values"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NOT_A_NIST_PRIME), "not a NIST prime"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NOT_IMPLEMENTED), "not implemented"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NOT_INITIALIZED), "not initialized"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NO_PRIVATE_VALUE), "no private value"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_OPERATION_NOT_SUPPORTED), + "operation not supported"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_PASSED_NULL_PARAMETER), + "passed null parameter"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_PEER_KEY_ERROR), "peer key error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_PKPARAMETERS2GROUP_FAILURE), + "pkparameters2group failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_POINT_ARITHMETIC_FAILURE), + "point arithmetic failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_POINT_AT_INFINITY), "point at infinity"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_POINT_IS_NOT_ON_CURVE), + "point is not on curve"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_RANDOM_NUMBER_GENERATION_FAILED), + "random number generation failed"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_SLOT_FULL), "slot full"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNDEFINED_GENERATOR), + "undefined generator"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNDEFINED_ORDER), "undefined order"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNKNOWN_GROUP), "unknown group"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNKNOWN_ORDER), "unknown order"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNSUPPORTED_FIELD), "unsupported field"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_WRONG_CURVE_PARAMETERS), + "wrong curve parameters"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_WRONG_ORDER), "wrong order"}, + {0, NULL} +}; + +#endif + +int ERR_load_SM2_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(SM2_str_functs[0].error) == NULL) { + ERR_load_strings_const(SM2_str_functs); + ERR_load_strings_const(SM2_str_reasons); + } +#endif + return 1; +} diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c new file mode 100644 index 0000000000..2d311d9046 --- /dev/null +++ b/crypto/sm2/sm2_sign.c @@ -0,0 +1,324 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include + +static BIGNUM *compute_msg_hash(const EVP_MD *digest, + const EC_KEY *key, + const char *user_id, + const uint8_t *msg, size_t msg_len) +{ + EVP_MD_CTX *hash = EVP_MD_CTX_new(); + const int md_size = EVP_MD_size(digest); + uint8_t *za = OPENSSL_zalloc(md_size); + BIGNUM *e = NULL; + + if (za == NULL) + goto done; + + if (hash == NULL) + goto done; + + if (SM2_compute_userid_digest(za, digest, user_id, key) == 0) + goto done; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, za, md_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, msg, msg_len) == 0) + goto done; + + /* reuse za buffer to hold H(ZA || M) */ + if (EVP_DigestFinal(hash, za, NULL) == 0) + goto done; + + e = BN_bin2bn(za, md_size, NULL); + + done: + OPENSSL_free(za); + EVP_MD_CTX_free(hash); + return e; +} + +static +ECDSA_SIG *SM2_sig_gen(const EC_KEY *key, const BIGNUM *e) +{ + const BIGNUM *dA = EC_KEY_get0_private_key(key); + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + + ECDSA_SIG *sig = NULL; + EC_POINT *kG = NULL; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + BIGNUM *rk = NULL; + BIGNUM *r = NULL; + BIGNUM *s = NULL; + BIGNUM *x1 = NULL; + BIGNUM *tmp = NULL; + + kG = EC_POINT_new(group); + if (kG == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + + k = BN_CTX_get(ctx); + rk = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + tmp = BN_CTX_get(ctx); + + if (tmp == NULL) + goto done; + + /* These values are returned and so should not be allocated out of the context */ + r = BN_new(); + s = BN_new(); + + if (r == NULL || s == NULL) + goto done; + + for (;;) { + BN_priv_rand_range(k, order); + + if (EC_POINT_mul(group, kG, k, NULL, NULL, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kG, x1, NULL, ctx) == 0) + goto done; + + if (BN_mod_add(r, e, x1, order, ctx) == 0) + goto done; + + /* try again if r == 0 or r+k == n */ + if (BN_is_zero(r)) + continue; + + BN_add(rk, r, k); + + if (BN_cmp(rk, order) == 0) + continue; + + BN_add(s, dA, BN_value_one()); + BN_mod_inverse(s, s, order, ctx); + + BN_mod_mul(tmp, dA, r, order, ctx); + BN_sub(tmp, k, tmp); + + BN_mod_mul(s, s, tmp, order, ctx); + + sig = ECDSA_SIG_new(); + + if (sig == NULL) + goto done; + + /* takes ownership of r and s */ + ECDSA_SIG_set0(sig, r, s); + break; + } + + done: + + if (sig == NULL) { + BN_free(r); + BN_free(s); + } + + BN_CTX_free(ctx); + EC_POINT_free(kG); + return sig; + +} + +static +int SM2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig, const BIGNUM *e) +{ + int ret = 0; + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + BN_CTX *ctx = NULL; + EC_POINT *pt = NULL; + + BIGNUM *t = NULL; + BIGNUM *x1 = NULL; + const BIGNUM *r = NULL; + const BIGNUM *s = NULL; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + pt = EC_POINT_new(group); + if (pt == NULL) + goto done; + + BN_CTX_start(ctx); + + t = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + + if (x1 == NULL) + goto done; + + /* + B1: verify whether r' in [1,n-1], verification failed if not + B2: vefify whether s' in [1,n-1], verification failed if not + B3: set M'~=ZA || M' + B4: calculate e'=Hv(M'~) + B5: calculate t = (r' + s') modn, verification failed if t=0 + B6: calculate the point (x1', y1')=[s']G + [t]PA + B7: calculate R=(e'+x1') modn, verfication pass if yes, otherwise failed + */ + + ECDSA_SIG_get0(sig, &r, &s); + + if (BN_cmp(r, BN_value_one()) < 0) + goto done; + if (BN_cmp(s, BN_value_one()) < 0) + goto done; + + if (BN_cmp(order, r) <= 0) + goto done; + if (BN_cmp(order, s) <= 0) + goto done; + + if (BN_mod_add(t, r, s, order, ctx) == 0) + goto done; + + if (BN_is_zero(t) == 1) + goto done; + + if (EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, pt, x1, NULL, ctx) == 0) + goto done; + + if (BN_mod_add(t, e, x1, order, ctx) == 0) + goto done; + + if (BN_cmp(r, t) == 0) + ret = 1; + + done: + EC_POINT_free(pt); + BN_CTX_free(ctx); + return ret; +} + +ECDSA_SIG *SM2_do_sign(const EC_KEY *key, + const EVP_MD *digest, + const char *user_id, const uint8_t *msg, size_t msg_len) +{ + BIGNUM *e = NULL; + ECDSA_SIG *sig = NULL; + + e = compute_msg_hash(digest, key, user_id, msg, msg_len); + if (e == NULL) + goto done; + + sig = SM2_sig_gen(key, e); + + done: + BN_free(e); + return sig; +} + +int SM2_do_verify(const EC_KEY *key, + const EVP_MD *digest, + const ECDSA_SIG *sig, + const char *user_id, const uint8_t *msg, size_t msg_len) +{ + BIGNUM *e = NULL; + int ret = -1; + + e = compute_msg_hash(digest, key, user_id, msg, msg_len); + if (e == NULL) + goto done; + + ret = SM2_sig_verify(key, sig, e); + + done: + BN_free(e); + return ret; +} + +int SM2_sign(int type, const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, EC_KEY *eckey) +{ + BIGNUM *e = NULL; + ECDSA_SIG *s = NULL; + int ret = -1; + + if (type != NID_sm3) + goto done; + + if (dgstlen != 32) /* expected length of SM3 hash */ + goto done; + + e = BN_bin2bn(dgst, dgstlen, NULL); + + s = SM2_sig_gen(eckey, e); + + *siglen = i2d_ECDSA_SIG(s, &sig); + + ECDSA_SIG_free(s); + + ret = 0; + + done: + ECDSA_SIG_free(s); + BN_free(e); + return ret; +} + +int SM2_verify(int type, const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int sig_len, EC_KEY *eckey) +{ + ECDSA_SIG *s = NULL; + BIGNUM *e = NULL; + const unsigned char *p = sig; + unsigned char *der = NULL; + int derlen = -1; + int ret = -1; + + if (type != NID_sm3) + goto done; + + s = ECDSA_SIG_new(); + if (s == NULL) + goto done; + if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) + goto done; + /* Ensure signature uses DER and doesn't have trailing garbage */ + derlen = i2d_ECDSA_SIG(s, &der); + if (derlen != sig_len || memcmp(sig, der, derlen) != 0) + goto done; + + e = BN_bin2bn(dgst, dgstlen, NULL); + + ret = SM2_sig_verify(eckey, s, e); + + done: + OPENSSL_free(der); + BN_free(e); + ECDSA_SIG_free(s); + return ret; +} diff --git a/crypto/sm2/sm2_za.c b/crypto/sm2/sm2_za.c new file mode 100644 index 0000000000..ea9d7663a6 --- /dev/null +++ b/crypto/sm2/sm2_za.c @@ -0,0 +1,132 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include + +int SM2_compute_userid_digest(uint8_t *out, + const EVP_MD *digest, + const char *user_id, + const EC_KEY *key) +{ + int rc = 0; + + const EC_GROUP *group = EC_KEY_get0_group(key); + + BN_CTX *ctx = NULL; + EVP_MD_CTX *hash = NULL; + + BIGNUM *p = NULL; + BIGNUM *a = NULL; + BIGNUM *b = NULL; + + BIGNUM *xG = NULL; + BIGNUM *yG = NULL; + BIGNUM *xA = NULL; + BIGNUM *yA = NULL; + + int p_bytes = 0; + uint8_t *buf = NULL; + size_t uid_len = 0; + uint16_t entla = 0; + uint8_t e_byte = 0; + + hash = EVP_MD_CTX_new(); + if (hash == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + p = BN_CTX_get(ctx); + a = BN_CTX_get(ctx); + b = BN_CTX_get(ctx); + xG = BN_CTX_get(ctx); + yG = BN_CTX_get(ctx); + xA = BN_CTX_get(ctx); + yA = BN_CTX_get(ctx); + + if (p == NULL || a == NULL || b == NULL || + xG == NULL || yG == NULL || xA == NULL || yA == NULL) + goto done; + + memset(out, 0, EVP_MD_size(digest)); + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + /* + ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) + */ + + uid_len = strlen(user_id); + + if (uid_len >= 8192) /* too large */ + goto done; + + entla = (unsigned short)(8 * uid_len); + + e_byte = entla >> 8; + if (EVP_DigestUpdate(hash, &e_byte, 1) == 0) + goto done; + e_byte = entla & 0xFF; + if (EVP_DigestUpdate(hash, &e_byte, 1) == 0) + goto done; + + if (EVP_DigestUpdate(hash, user_id, uid_len) == 0) + goto done; + + if (EC_GROUP_get_curve_GFp(group, p, a, b, ctx) == 0) + goto done; + + p_bytes = BN_num_bytes(p); + buf = OPENSSL_zalloc(p_bytes); + + BN_bn2binpad(a, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + BN_bn2binpad(b, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + EC_POINT_get_affine_coordinates_GFp(group, + EC_GROUP_get0_generator(group), + xG, yG, ctx); + BN_bn2binpad(xG, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + BN_bn2binpad(yG, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + + EC_POINT_get_affine_coordinates_GFp(group, + EC_KEY_get0_public_key(key), + xA, yA, ctx); + BN_bn2binpad(xA, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + BN_bn2binpad(yA, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + + if (EVP_DigestFinal(hash, out, NULL) == 0) + goto done; + + rc = 1; + + done: + OPENSSL_free(buf); + BN_CTX_free(ctx); + EVP_MD_CTX_free(hash); + return rc; +} diff --git a/fuzz/oids.txt b/fuzz/oids.txt index a5e75892d0..9251b55da8 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1046,3 +1046,4 @@ OBJ_uacurve8="\x2A\x86\x24\x02\x01\x01\x01\x01\x03\x01\x01\x02\x08" OBJ_uacurve9="\x2A\x86\x24\x02\x01\x01\x01\x01\x03\x01\x01\x02\x09" OBJ_ieee="\x2B\x6F" OBJ_ieee_siswg="\x2B\x6F\x02\x8C\x53" +OBJ_sm2="\x2A\x81\x1C\xCF\x55\x01\x82\x2D" diff --git a/include/openssl/err.h b/include/openssl/err.h index 6d460be30c..e435b5e84a 100644 --- a/include/openssl/err.h +++ b/include/openssl/err.h @@ -93,6 +93,7 @@ typedef struct err_state_st { # define ERR_LIB_CT 50 # define ERR_LIB_ASYNC 51 # define ERR_LIB_KDF 52 +# define ERR_LIB_SM2 53 # define ERR_LIB_USER 128 @@ -131,6 +132,7 @@ typedef struct err_state_st { # define CTerr(f,r) ERR_PUT_error(ERR_LIB_CT,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define ASYNCerr(f,r) ERR_PUT_error(ERR_LIB_ASYNC,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define KDFerr(f,r) ERR_PUT_error(ERR_LIB_KDF,(f),(r),OPENSSL_FILE,OPENSSL_LINE) +# define SM2err(f,r) ERR_PUT_error(ERR_LIB_SM2,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define OSSL_STOREerr(f,r) ERR_PUT_error(ERR_LIB_OSSL_STORE,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define ERR_PACK(l,f,r) ( \ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 8b81b12362..29fd3e28fa 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -50,6 +50,7 @@ # define EVP_PKEY_DH NID_dhKeyAgreement # define EVP_PKEY_DHX NID_dhpublicnumber # define EVP_PKEY_EC NID_X9_62_id_ecPublicKey +# define EVP_PKEY_SM2 NID_sm2 # define EVP_PKEY_HMAC NID_hmac # define EVP_PKEY_CMAC NID_cmac # define EVP_PKEY_SCRYPT NID_id_scrypt diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index cc05f3f6e9..2078dc4995 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -109,6 +109,19 @@ #define NID_X9cm 185 #define OBJ_X9cm OBJ_X9_57,4L +#define SN_ISO_CN "ISO-CN" +#define LN_ISO_CN "ISO CN Member Body" +#define NID_ISO_CN 1140 +#define OBJ_ISO_CN OBJ_member_body,156L + +#define SN_oscca "oscca" +#define NID_oscca 1141 +#define OBJ_oscca OBJ_ISO_CN,10197L + +#define SN_sm_scheme "sm-scheme" +#define NID_sm_scheme 1142 +#define OBJ_sm_scheme OBJ_oscca,1L + #define SN_dsa "DSA" #define LN_dsa "dsaEncryption" #define NID_dsa 116 @@ -1151,15 +1164,20 @@ #define NID_hmacWithSHA1 163 #define OBJ_hmacWithSHA1 OBJ_rsadsi,2L,7L +#define SN_sm2 "SM2" +#define LN_sm2 "sm2" +#define NID_sm2 1172 +#define OBJ_sm2 OBJ_sm_scheme,301L + #define SN_sm3 "SM3" #define LN_sm3 "sm3" #define NID_sm3 1143 -#define OBJ_sm3 OBJ_member_body,156L,10197L,1L,401L +#define OBJ_sm3 OBJ_sm_scheme,401L #define SN_sm3WithRSAEncryption "RSA-SM3" #define LN_sm3WithRSAEncryption "sm3WithRSAEncryption" #define NID_sm3WithRSAEncryption 1144 -#define OBJ_sm3WithRSAEncryption OBJ_member_body,156L,10197L,1L,504L +#define OBJ_sm3WithRSAEncryption OBJ_sm_scheme,504L #define LN_hmacWithSHA224 "hmacWithSHA224" #define NID_hmacWithSHA224 798 @@ -4629,19 +4647,6 @@ #define NID_seed_ofb128 778 #define OBJ_seed_ofb128 OBJ_kisa,1L,6L -#define SN_ISO_CN "ISO-CN" -#define LN_ISO_CN "ISO CN Member Body" -#define NID_ISO_CN 1140 -#define OBJ_ISO_CN OBJ_member_body,156L - -#define SN_oscca "oscca" -#define NID_oscca 1141 -#define OBJ_oscca OBJ_ISO_CN,10197L - -#define SN_sm_scheme "sm-scheme" -#define NID_sm_scheme 1142 -#define OBJ_sm_scheme OBJ_oscca,1L - #define SN_sm4_ecb "SM4-ECB" #define LN_sm4_ecb "sm4-ecb" #define NID_sm4_ecb 1133 diff --git a/include/openssl/sm2.h b/include/openssl/sm2.h new file mode 100644 index 0000000000..d12dcadef2 --- /dev/null +++ b/include/openssl/sm2.h @@ -0,0 +1,70 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_SM2_H +# define HEADER_SM2_H + +# include + +/* The default user id as specified in GM/T 0009-2012 */ +# define SM2_DEFAULT_USERID "1234567812345678" + +int SM2_compute_userid_digest(uint8_t *out, + const EVP_MD *digest, + const char *user_id, const EC_KEY *key); + +/* + * SM2 signature operation. Computes ZA (user id digest) and then signs + * H(ZA || msg) using SM2 + */ +ECDSA_SIG *SM2_do_sign(const EC_KEY *key, + const EVP_MD *digest, + const char *user_id, const uint8_t *msg, size_t msg_len); + +int SM2_do_verify(const EC_KEY *key, + const EVP_MD *digest, + const ECDSA_SIG *signature, + const char *user_id, const uint8_t *msg, size_t msg_len); + +/* + * SM2 signature generation. Assumes input is an SM3 digest + */ +int SM2_sign(int type, const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, EC_KEY *eckey); + +/* + * SM2 signature verification. Assumes input is an SM3 digest + */ +int SM2_verify(int type, const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int siglen, EC_KEY *eckey); + + +/* + * SM2 encryption + */ +size_t SM2_ciphertext_size(const EC_KEY *key, + const EVP_MD *digest, + size_t msg_len); + +int SM2_encrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *msg, + size_t msg_len, + uint8_t *ciphertext_buf, size_t *ciphertext_len); + +int SM2_decrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *ciphertext, + size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len); + +int ERR_load_SM2_strings(void); + +#endif diff --git a/include/openssl/sm2err.h b/include/openssl/sm2err.h new file mode 100644 index 0000000000..0c2dd1927e --- /dev/null +++ b/include/openssl/sm2err.h @@ -0,0 +1,95 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_SM2ERR_H +# define HEADER_SM2ERR_H + +# ifdef __cplusplus +extern "C" { +# endif +int ERR_load_SM2_strings(void); +# ifdef __cplusplus +} +# endif + +/* + * SM2 function codes. + */ +# define SM2_F_PKEY_SM2_CTRL 274 +# define SM2_F_PKEY_SM2_CTRL_STR 275 +# define SM2_F_PKEY_SM2_KEYGEN 276 +# define SM2_F_PKEY_SM2_PARAMGEN 277 +# define SM2_F_PKEY_SM2_SIGN 278 + +/* + * SM2 reason codes. + */ +# define SM2_R_ASN1_ERROR 115 +# define SM2_R_ASN5_ERROR 1150 +# define SM2_R_BAD_SIGNATURE 156 +# define SM2_R_BIGNUM_OUT_OF_RANGE 144 +# define SM2_R_BUFFER_TOO_SMALL 100 +# define SM2_R_COORDINATES_OUT_OF_RANGE 146 +# define SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH 160 +# define SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159 +# define SM2_R_D2I_ECPKPARAMETERS_FAILURE 117 +# define SM2_R_DECODE_ERROR 142 +# define SM2_R_DISCRIMINANT_IS_ZERO 118 +# define SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE 119 +# define SM2_R_FIELD_TOO_LARGE 143 +# define SM2_R_GF2M_NOT_SUPPORTED 147 +# define SM2_R_GROUP2PKPARAMETERS_FAILURE 120 +# define SM2_R_I2D_ECPKPARAMETERS_FAILURE 121 +# define SM2_R_INCOMPATIBLE_OBJECTS 101 +# define SM2_R_INVALID_ARGUMENT 112 +# define SM2_R_INVALID_COMPRESSED_POINT 110 +# define SM2_R_INVALID_COMPRESSION_BIT 109 +# define SM2_R_INVALID_CURVE 141 +# define SM2_R_INVALID_DIGEST 151 +# define SM2_R_INVALID_DIGEST_TYPE 138 +# define SM2_R_INVALID_ENCODING 102 +# define SM2_R_INVALID_FIELD 103 +# define SM2_R_INVALID_FORM 104 +# define SM2_R_INVALID_GROUP_ORDER 122 +# define SM2_R_INVALID_KEY 116 +# define SM2_R_INVALID_OUTPUT_LENGTH 161 +# define SM2_R_INVALID_PEER_KEY 133 +# define SM2_R_INVALID_PENTANOMIAL_BASIS 132 +# define SM2_R_INVALID_PRIVATE_KEY 123 +# define SM2_R_INVALID_TRINOMIAL_BASIS 137 +# define SM2_R_KDF_PARAMETER_ERROR 148 +# define SM2_R_KEYS_NOT_SET 140 +# define SM2_R_MISSING_PARAMETERS 124 +# define SM2_R_MISSING_PRIVATE_KEY 125 +# define SM2_R_NEED_NEW_SETUP_VALUES 157 +# define SM2_R_NOT_A_NIST_PRIME 135 +# define SM2_R_NOT_IMPLEMENTED 126 +# define SM2_R_NOT_INITIALIZED 111 +# define SM2_R_NO_PARAMETERS_SET 139 +# define SM2_R_NO_PRIVATE_VALUE 154 +# define SM2_R_OPERATION_NOT_SUPPORTED 152 +# define SM2_R_PASSED_NULL_PARAMETER 134 +# define SM2_R_PEER_KEY_ERROR 149 +# define SM2_R_PKPARAMETERS2GROUP_FAILURE 127 +# define SM2_R_POINT_ARITHMETIC_FAILURE 155 +# define SM2_R_POINT_AT_INFINITY 106 +# define SM2_R_POINT_IS_NOT_ON_CURVE 107 +# define SM2_R_RANDOM_NUMBER_GENERATION_FAILED 158 +# define SM2_R_SHARED_INFO_ERROR 150 +# define SM2_R_SLOT_FULL 108 +# define SM2_R_UNDEFINED_GENERATOR 113 +# define SM2_R_UNDEFINED_ORDER 128 +# define SM2_R_UNKNOWN_GROUP 129 +# define SM2_R_UNKNOWN_ORDER 114 +# define SM2_R_UNSUPPORTED_FIELD 131 +# define SM2_R_WRONG_CURVE_PARAMETERS 145 +# define SM2_R_WRONG_ORDER 130 + +#endif diff --git a/openssl_sm2.pem b/openssl_sm2.pem new file mode 100644 index 0000000000..d8316243d1 --- /dev/null +++ b/openssl_sm2.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQg0JFWczAXva2An9m7 +2MaT9gIwWTFptvlKrxyO4TjMmbWhRANCAAQ5OirZ4n5DrKqrhaGdO4VZHhRAYVcX +Wt3Te/d/8Mr57Tf886i09VwDhSMmH8pmNq/mp6+ioUgqYG9cs6GLLioe +-----END PRIVATE KEY----- diff --git a/test/build.info b/test/build.info index a4e6e78b60..45e3fddce1 100644 --- a/test/build.info +++ b/test/build.info @@ -27,6 +27,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN aborttest test_test \ sanitytest exdatatest bntest \ ectest ecstresstest ecdsatest gmdifftest pbelutest ideatest \ + sm2sigtest sm2crypttest \ md2test \ hmactest \ rc2test rc4test rc5test \ @@ -81,6 +82,14 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN INCLUDE[ecdsatest]=../include DEPEND[ecdsatest]=../libcrypto libtestutil.a + SOURCE[sm2sigtest]=sm2sigtest.c + INCLUDE[sm2sigtest]=../include + DEPEND[sm2sigtest]=../libcrypto libtestutil.a + + SOURCE[sm2crypttest]=sm2crypttest.c + INCLUDE[sm2crypttest]=../include + DEPEND[sm2crypttest]=../libcrypto libtestutil.a + SOURCE[gmdifftest]=gmdifftest.c INCLUDE[gmdifftest]=../include DEPEND[gmdifftest]=../libcrypto libtestutil.a diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt index cc08398e5b..d29fbbe730 100644 --- a/test/recipes/30-test_evp_data/evppkey.txt +++ b/test/recipes/30-test_evp_data/evppkey.txt @@ -18369,3 +18369,17 @@ SharedSecret=4E48335CB2A508C3481729F42C49CFC0A9DA673F9FA4FBD968B3C5B78DBFA869529 Derive=ffdhe8192-2 PeerKey=ffdhe8192-1-pub SharedSecret=4E48335CB2A508C3481729F42C49CFC0A9DA673F9FA4FBD968B3C5B78DBFA8695295642D1337C54229370B33068481F6A6E1B021F8B09B7C6B3E4DB581AD4C7ACF5C230A1FD4107EAE55530A8376856A65E079DE1BDA41B050E9B53A088ACADB879CCBC683A13BB925D48497BF7021FEB9DA214DD77FCBB6D0D46EC2BB9C7A9AFB93FC236E4EB61CB0F0C8E025D8CF4AF8B3B0F28B3E2CFAE6E760DC7877C71046179154FBE1A50A315C4DBA6D9E06406D389B614B1FC422C72FBB958C0A2EE21694CD32136F9CF0A1205E0D3A4B10CC9C98B3B4524A0CDC9455D3021AC44057CEF4A97E85166068769E9E644CC447095243BB90368A1CE6F0E3C69CA180F5B9D51F590A812B1375460CF10A7E718A83A2F6B00D8E28BAB45CEAB8AF0EB02988ED9221416EC061C1C4081552D3D0849D243DB473EC7B90180C3891E768DD2D7002CF505D369700CAF02A4B9DD1F2828C4ACC1F2EB47100DC2DB5620ADA971D1B0B0FAC9F9E3492B591FC85AC3DCB3826A8DA5842F4AE145FE33BFCDD0B6CD15C9836A5862EDB3D87A0CDBD724AE19A79A55D4F0BFF7870019926181933C840EACFB70FBC0EF182057DC09E06798EB4C9AAC2285F22F5D907A432C6D00CC44D07D77E77D1ACC183A174146ECFBDA26FF922CEBD2FA288EF2D23F65C0AAAD0F05DBFB6CA12446082D1F5774877483C3858442E305CF2A9637CE0EBB702DB70FF336E5B0413F3E8791960F1F0A9877C9076213D40657283D546AE52B73FF4449E60F8B6FE30D4CC0BA1ACA7A7DC155EC73C48B21477983D004261267D710D8A5E8CBD0656F1A963F248E887E8C2BF87BCAE7A0D4891BF21FCF35893584B29E18E842A23EA329ADD3D6AD994B5CBFBBFAB5A26932E8F799B2B0FA7789DE7A4A5C4B7FA81971819EA7F33B5BF6577F917BDE9C3680BCC5B15F1EAB4524A1B6DEE96B9F108A77344269A1757685D0404C832E4E0C5A29F808CFA6290316C0EBB2EF0A7431F62A5FBCDC66527AD8A04C0F10AF88C7CE1F1F22C41B71CE278BB704E88145608C28AD78402487031F6B13604CC6687161EBB78E7AF7AA0BC3CCB9AD8B00D7C01980599904B71F5DBC06A691E5638566BE36522B7FED69E24C28F8EA798BA3E9CCEB8AB8CF5651379A21A38315B05C66205616BBC6A3DD5573C9C6FBA2E3488E055E5F36857016D9300BFCE9F38D7C7CCD07FCF1EF41F8347CADCB12C400536374CF269613B05069B6D94CADA3B1F4ACBB68FA1ED175B01D840D871B3B0CDB918CDF15C79169A398C189AEA78860081DB423C89D350587E26D6D77B4C762B4F2A030345679F724CFBB08DB03E8CEB4FF0B91422BD2EB5C1C356D209049CFA2D6447F69B1E1DF0850FFBB6BB9F8D5B147765C023F76524A808456DEBF6A9134E3364DF462D4807FE6D4D036A4E59A4D56F8A30D8A27F4DFA174940B713A7E4 + +Title = SM2 tests + +PrivateKey=SM2_key1 +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQg0JFWczAXva2An9m7 +2MaT9gIwWTFptvlKrxyO4TjMmbWhRANCAAQ5OirZ4n5DrKqrhaGdO4VZHhRAYVcX +Wt3Te/d/8Mr57Tf886i09VwDhSMmH8pmNq/mp6+ioUgqYG9cs6GLLioe +-----END PRIVATE KEY----- + +Verify = SM2_key1 +Ctrl = digest:SM3 +Input = D7AD397F6FFA5D4F7F11E7217F241607DC30618C236D2C09C1B9EA8FDADEE2E8 +Output = 3046022100AB1DB64DE7C40EDBDE6651C9B8EBDB804673DB836E5D5C7FE15DCF9ED2725037022100EBA714451FF69B0BB930B379E192E7CD5FA6E3C41C7FBD8303B799AB54A54621 diff --git a/test/sm2crypttest.c b/test/sm2crypttest.c new file mode 100644 index 0000000000..e1e00d8aa4 --- /dev/null +++ b/test/sm2crypttest.c @@ -0,0 +1,249 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include "testutil.h" + +#ifndef OPENSSL_NO_SM2 + +# include + +static RAND_METHOD fake_rand; +static const RAND_METHOD *saved_rand; + +static uint8_t *fake_rand_bytes = NULL; +static size_t fake_rand_bytes_offset = 0; + +static int get_faked_bytes(unsigned char *buf, int num) +{ + int i; + + if (fake_rand_bytes == NULL) + return saved_rand->bytes(buf, num); + + for (i = 0; i != num; ++i) + buf[i] = fake_rand_bytes[fake_rand_bytes_offset + i]; + fake_rand_bytes_offset += num; + return 1; +} + +static int start_fake_rand(const char *hex_bytes) +{ + /* save old rand method */ + if (!TEST_ptr(saved_rand = RAND_get_rand_method())) + return 0; + + fake_rand = *saved_rand; + /* use own random function */ + fake_rand.bytes = get_faked_bytes; + + fake_rand_bytes = OPENSSL_hexstr2buf(hex_bytes, NULL); + fake_rand_bytes_offset = 0; + + /* set new RAND_METHOD */ + if (!TEST_true(RAND_set_rand_method(&fake_rand))) + return 0; + return 1; +} + +static int restore_rand(void) +{ + OPENSSL_free(fake_rand_bytes); + fake_rand_bytes = NULL; + fake_rand_bytes_offset = 0; + if (!TEST_true(RAND_set_rand_method(saved_rand))) + return 0; + return 1; +} + +static EC_GROUP *create_EC_group(const char *p_hex, const char *a_hex, + const char *b_hex, const char *x_hex, + const char *y_hex, const char *order_hex, + const char *cof_hex) +{ + BIGNUM *p = NULL; + BIGNUM *a = NULL; + BIGNUM *b = NULL; + BIGNUM *g_x = NULL; + BIGNUM *g_y = NULL; + BIGNUM *order = NULL; + BIGNUM *cof = NULL; + EC_POINT *generator = NULL; + EC_GROUP *group = NULL; + + BN_hex2bn(&p, p_hex); + BN_hex2bn(&a, a_hex); + BN_hex2bn(&b, b_hex); + + group = EC_GROUP_new_curve_GFp(p, a, b, NULL); + BN_free(p); + BN_free(a); + BN_free(b); + + if (group == NULL) + return NULL; + + generator = EC_POINT_new(group); + if (generator == NULL) + return NULL; + + BN_hex2bn(&g_x, x_hex); + BN_hex2bn(&g_y, y_hex); + + if (EC_POINT_set_affine_coordinates_GFp(group, generator, g_x, g_y, NULL) == + 0) + return NULL; + + BN_free(g_x); + BN_free(g_y); + + BN_hex2bn(&order, order_hex); + BN_hex2bn(&cof, cof_hex); + + if (EC_GROUP_set_generator(group, generator, order, cof) == 0) + return NULL; + + EC_POINT_free(generator); + BN_free(order); + BN_free(cof); + + return group; +} + +static int test_sm2(const EC_GROUP *group, + const EVP_MD *digest, + const char *privkey_hex, + const char *message, + const char *k_hex, const char *ctext_hex) +{ + const size_t msg_len = strlen(message); + + BIGNUM *priv = NULL; + EC_KEY *key = NULL; + EC_POINT *pt = NULL; + unsigned char *expected = OPENSSL_hexstr2buf(ctext_hex, NULL); + + size_t ctext_len = 0; + uint8_t *ctext = NULL; + uint8_t *recovered = NULL; + size_t recovered_len = msg_len; + + int rc = 0; + + BN_hex2bn(&priv, privkey_hex); + + key = EC_KEY_new(); + EC_KEY_set_group(key, group); + EC_KEY_set_private_key(key, priv); + + pt = EC_POINT_new(group); + EC_POINT_mul(group, pt, priv, NULL, NULL, NULL); + + EC_KEY_set_public_key(key, pt); + BN_free(priv); + EC_POINT_free(pt); + + ctext_len = SM2_ciphertext_size(key, digest, msg_len); + ctext = OPENSSL_zalloc(ctext_len); + if (ctext == NULL) + goto done; + + start_fake_rand(k_hex); + rc = SM2_encrypt(key, digest, + (const uint8_t *)message, msg_len, ctext, &ctext_len); + restore_rand(); + + TEST_mem_eq(ctext, ctext_len, expected, ctext_len); + if (rc == 0) + goto done; + + recovered = OPENSSL_zalloc(msg_len); + if (recovered == NULL) + goto done; + rc = SM2_decrypt(key, digest, ctext, ctext_len, recovered, &recovered_len); + + TEST_int_eq(recovered_len, msg_len); + TEST_mem_eq(recovered, recovered_len, message, msg_len); + if (rc == 0) + return 0; + + rc = 1; + done: + + OPENSSL_free(ctext); + OPENSSL_free(recovered); + OPENSSL_free(expected); + EC_KEY_free(key); + return rc; +} + +static int sm2_crypt_test(void) +{ + int rc; + EC_GROUP *test_group = + create_EC_group + ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", + "787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498", + "63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A", + "421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D", + "0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2", + "8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7", + "1"); + + if (test_group == NULL) + return 0; + + rc = test_sm2(test_group, + EVP_sm3(), + "1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0", + "encryption standard", + "004C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F", + "307B0220245C26FB68B1DDDDB12C4B6BF9F2B6D5FE60A383B0D18D1C4144ABF1" + "7F6252E7022076CB9264C2A7E88E52B19903FDC47378F605E36811F5C07423A2" + "4B84400F01B804209C3D7360C30156FAB7C80A0276712DA9D8094A634B766D3A" + "285E07480653426D0413650053A89B41C418B0C3AAD00D886C00286467"); + + if (rc == 0) + return 0; + + /* Same test as above except using SHA-256 instead of SM3 */ + rc = test_sm2(test_group, + EVP_sha256(), + "1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0", + "encryption standard", + "004C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F", + "307B0220245C26FB68B1DDDDB12C4B6BF9F2B6D5FE60A383B0D18D1C4144ABF17F6252E7022076CB9264C2A7E88E52B19903FDC47378F605E36811F5C07423A24B84400F01B80420BE89139D07853100EFA763F60CBE30099EA3DF7F8F364F9D10A5E988E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33"); + if (rc == 0) + return 0; + + EC_GROUP_free(test_group); + + return 1; +} + +#endif + +int setup_tests(void) +{ +#ifdef OPENSSL_NO_SM2 + TEST_note("SM2 is disabled."); +#else + ADD_TEST(sm2_crypt_test); +#endif + return 1; +} diff --git a/test/sm2sigtest.c b/test/sm2sigtest.c new file mode 100644 index 0000000000..5903b796f7 --- /dev/null +++ b/test/sm2sigtest.c @@ -0,0 +1,238 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include "testutil.h" + +#ifndef OPENSSL_NO_SM2 + +# include + +static RAND_METHOD fake_rand; +static const RAND_METHOD *saved_rand; + +static uint8_t *fake_rand_bytes = NULL; +static size_t fake_rand_bytes_offset = 0; + +static int get_faked_bytes(unsigned char *buf, int num) +{ + int i; + + if (fake_rand_bytes == NULL) + return saved_rand->bytes(buf, num); + + for (i = 0; i != num; ++i) + buf[i] = fake_rand_bytes[fake_rand_bytes_offset + i]; + fake_rand_bytes_offset += num; + return 1; +} + +static int start_fake_rand(const char *hex_bytes) +{ + /* save old rand method */ + if (!TEST_ptr(saved_rand = RAND_get_rand_method())) + return 0; + + fake_rand = *saved_rand; + /* use own random function */ + fake_rand.bytes = get_faked_bytes; + + fake_rand_bytes = OPENSSL_hexstr2buf(hex_bytes, NULL); + fake_rand_bytes_offset = 0; + + /* set new RAND_METHOD */ + if (!TEST_true(RAND_set_rand_method(&fake_rand))) + return 0; + return 1; +} + +static int restore_rand(void) +{ + OPENSSL_free(fake_rand_bytes); + fake_rand_bytes = NULL; + fake_rand_bytes_offset = 0; + if (!TEST_true(RAND_set_rand_method(saved_rand))) + return 0; + return 1; +} + +static EC_GROUP *create_EC_group(const char *p_hex, const char *a_hex, + const char *b_hex, const char *x_hex, + const char *y_hex, const char *order_hex, + const char *cof_hex) +{ + BIGNUM *p = NULL; + BIGNUM *a = NULL; + BIGNUM *b = NULL; + BIGNUM *g_x = NULL; + BIGNUM *g_y = NULL; + BIGNUM *order = NULL; + BIGNUM *cof = NULL; + EC_POINT *generator = NULL; + EC_GROUP *group = NULL; + + BN_hex2bn(&p, p_hex); + BN_hex2bn(&a, a_hex); + BN_hex2bn(&b, b_hex); + + group = EC_GROUP_new_curve_GFp(p, a, b, NULL); + BN_free(p); + BN_free(a); + BN_free(b); + + if (group == NULL) + return NULL; + + generator = EC_POINT_new(group); + if (generator == NULL) + return NULL; + + BN_hex2bn(&g_x, x_hex); + BN_hex2bn(&g_y, y_hex); + + if (EC_POINT_set_affine_coordinates_GFp(group, generator, g_x, g_y, NULL) == + 0) + return NULL; + + BN_free(g_x); + BN_free(g_y); + + BN_hex2bn(&order, order_hex); + BN_hex2bn(&cof, cof_hex); + + if (EC_GROUP_set_generator(group, generator, order, cof) == 0) + return NULL; + + EC_POINT_free(generator); + BN_free(order); + BN_free(cof); + + return group; +} + + +static int test_sm2(const EC_GROUP *group, + const char *userid, + const char *privkey_hex, + const char *message, + const char *k_hex, const char *r_hex, const char *s_hex) +{ + const size_t msg_len = strlen(message); + int ok = -1; + BIGNUM *priv = NULL; + EC_POINT *pt = NULL; + EC_KEY *key = NULL; + ECDSA_SIG *sig = NULL; + const BIGNUM *sig_r = NULL; + const BIGNUM *sig_s = NULL; + BIGNUM *r = NULL; + BIGNUM *s = NULL; + + BN_hex2bn(&priv, privkey_hex); + + key = EC_KEY_new(); + EC_KEY_set_group(key, group); + EC_KEY_set_private_key(key, priv); + + pt = EC_POINT_new(group); + EC_POINT_mul(group, pt, priv, NULL, NULL, NULL); + EC_KEY_set_public_key(key, pt); + + start_fake_rand(k_hex); + sig = SM2_do_sign(key, EVP_sm3(), userid, (const uint8_t *)message, msg_len); + restore_rand(); + + if (sig == NULL) + return 0; + + ECDSA_SIG_get0(sig, &sig_r, &sig_s); + + BN_hex2bn(&r, r_hex); + BN_hex2bn(&s, s_hex); + + if (BN_cmp(r, sig_r) != 0) { + printf("Signature R mismatch: "); + BN_print_fp(stdout, r); + printf(" != "); + BN_print_fp(stdout, sig_r); + printf("\n"); + ok = 0; + } + if (BN_cmp(s, sig_s) != 0) { + printf("Signature S mismatch: "); + BN_print_fp(stdout, s); + printf(" != "); + BN_print_fp(stdout, sig_s); + printf("\n"); + ok = 0; + } + + ok = SM2_do_verify(key, EVP_sm3(), sig, userid, (const uint8_t *)message, msg_len); + + ECDSA_SIG_free(sig); + EC_POINT_free(pt); + EC_KEY_free(key); + BN_free(priv); + BN_free(r); + BN_free(s); + + return ok; +} + +static int sm2_sig_test(void) +{ + int rc = 0; + /* From draft-shen-sm2-ecdsa-02 */ + EC_GROUP *test_group = + create_EC_group + ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", + "787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498", + "63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A", + "421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D", + "0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2", + "8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7", + "1"); + + if (test_group == NULL) + return 0; + + rc = test_sm2(test_group, + "ALICE123@YAHOO.COM", + "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263", + "message digest", + "006CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F", + "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1", + "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7"); + + EC_GROUP_free(test_group); + + return rc; +} + +#endif + +int setup_tests(void) +{ +#ifdef OPENSSL_NO_SM2 + TEST_note("SM2 is disabled."); +#else + ADD_TEST(sm2_sig_test); +#endif + return 1; +} diff --git a/util/libcrypto.num b/util/libcrypto.num index 16d19526bb..0dfb0cd661 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4514,3 +4514,12 @@ EVP_PKEY_new_CMAC_key 4455 1_1_1 EXIST::FUNCTION: EVP_PKEY_asn1_set_set_priv_key 4456 1_1_1 EXIST::FUNCTION: EVP_PKEY_asn1_set_set_pub_key 4457 1_1_1 EXIST::FUNCTION: RAND_DRBG_set_defaults 4458 1_1_1 EXIST::FUNCTION: +SM2_decrypt 4459 1_1_1 EXIST::FUNCTION: +SM2_do_sign 4460 1_1_1 EXIST::FUNCTION: +SM2_compute_userid_digest 4461 1_1_1 EXIST::FUNCTION: +SM2_encrypt 4462 1_1_1 EXIST::FUNCTION: +SM2_ciphertext_size 4463 1_1_1 EXIST::FUNCTION: +SM2_verify 4464 1_1_1 EXIST::FUNCTION: +SM2_do_verify 4465 1_1_1 EXIST::FUNCTION: +SM2_sign 4466 1_1_1 EXIST::FUNCTION: +ERR_load_SM2_strings 4467 1_1_1 EXIST::FUNCTION: -- 2.34.1