Coverage Report

Created: 2024-11-21 07:03

/src/openssl/crypto/sm2/sm2_sign.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright 2017 Ribose Inc. All Rights Reserved.
4
 * Ported from Ribose contributions from Botan.
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 */
11
12
#include "internal/deprecated.h"
13
14
#include "crypto/sm2.h"
15
#include "crypto/sm2err.h"
16
#include "crypto/ec.h" /* ossl_ec_group_do_inverse_ord() */
17
#include "internal/numbers.h"
18
#include <openssl/err.h>
19
#include <openssl/evp.h>
20
#include <openssl/bn.h>
21
#include <string.h>
22
23
int ossl_sm2_compute_z_digest(uint8_t *out,
24
                              const EVP_MD *digest,
25
                              const uint8_t *id,
26
                              const size_t id_len,
27
                              const EC_KEY *key)
28
0
{
29
0
    int rc = 0;
30
0
    const EC_GROUP *group = EC_KEY_get0_group(key);
31
0
    const EC_POINT *pubkey = EC_KEY_get0_public_key(key);
32
0
    BN_CTX *ctx = NULL;
33
0
    EVP_MD_CTX *hash = NULL;
34
0
    BIGNUM *p = NULL;
35
0
    BIGNUM *a = NULL;
36
0
    BIGNUM *b = NULL;
37
0
    BIGNUM *xG = NULL;
38
0
    BIGNUM *yG = NULL;
39
0
    BIGNUM *xA = NULL;
40
0
    BIGNUM *yA = NULL;
41
0
    int p_bytes = 0;
42
0
    uint8_t *buf = NULL;
43
0
    uint16_t entl = 0;
44
0
    uint8_t e_byte = 0;
45
46
    /* SM2 Signatures require a public key, check for it */
47
0
    if (pubkey == NULL) {
48
0
        ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
49
0
        goto done;
50
0
    }
51
52
0
    hash = EVP_MD_CTX_new();
53
0
    if (hash == NULL) {
54
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
55
0
        goto done;
56
0
    }
57
0
    ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key));
58
0
    if (ctx == NULL) {
59
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
60
0
        goto done;
61
0
    }
62
63
0
    p = BN_CTX_get(ctx);
64
0
    a = BN_CTX_get(ctx);
65
0
    b = BN_CTX_get(ctx);
66
0
    xG = BN_CTX_get(ctx);
67
0
    yG = BN_CTX_get(ctx);
68
0
    xA = BN_CTX_get(ctx);
69
0
    yA = BN_CTX_get(ctx);
70
71
0
    if (yA == NULL) {
72
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
73
0
        goto done;
74
0
    }
75
76
0
    if (!EVP_DigestInit(hash, digest)) {
77
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
78
0
        goto done;
79
0
    }
80
81
    /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
82
83
0
    if (id_len >= (UINT16_MAX / 8)) {
84
        /* too large */
85
0
        ERR_raise(ERR_LIB_SM2, SM2_R_ID_TOO_LARGE);
86
0
        goto done;
87
0
    }
88
89
0
    entl = (uint16_t)(8 * id_len);
90
91
0
    e_byte = entl >> 8;
92
0
    if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
93
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
94
0
        goto done;
95
0
    }
96
0
    e_byte = entl & 0xFF;
97
0
    if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
98
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
99
0
        goto done;
100
0
    }
101
102
0
    if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
103
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
104
0
        goto done;
105
0
    }
106
107
0
    if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
108
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
109
0
        goto done;
110
0
    }
111
112
0
    p_bytes = BN_num_bytes(p);
113
0
    buf = OPENSSL_zalloc(p_bytes);
114
0
    if (buf == NULL)
115
0
        goto done;
116
117
0
    if (BN_bn2binpad(a, buf, p_bytes) < 0
118
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
119
0
            || BN_bn2binpad(b, buf, p_bytes) < 0
120
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
121
0
            || !EC_POINT_get_affine_coordinates(group,
122
0
                                                EC_GROUP_get0_generator(group),
123
0
                                                xG, yG, ctx)
124
0
            || BN_bn2binpad(xG, buf, p_bytes) < 0
125
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
126
0
            || BN_bn2binpad(yG, buf, p_bytes) < 0
127
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
128
0
            || !EC_POINT_get_affine_coordinates(group,
129
0
                                                pubkey,
130
0
                                                xA, yA, ctx)
131
0
            || BN_bn2binpad(xA, buf, p_bytes) < 0
132
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
133
0
            || BN_bn2binpad(yA, buf, p_bytes) < 0
134
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
135
0
            || !EVP_DigestFinal(hash, out, NULL)) {
136
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
137
0
        goto done;
138
0
    }
139
140
0
    rc = 1;
141
142
0
 done:
143
0
    OPENSSL_free(buf);
144
0
    BN_CTX_free(ctx);
145
0
    EVP_MD_CTX_free(hash);
146
0
    return rc;
147
0
}
148
149
static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest,
150
                                    const EC_KEY *key,
151
                                    const uint8_t *id,
152
                                    const size_t id_len,
153
                                    const uint8_t *msg, size_t msg_len)
154
0
{
155
0
    EVP_MD_CTX *hash = EVP_MD_CTX_new();
156
0
    const int md_size = EVP_MD_get_size(digest);
157
0
    uint8_t *z = NULL;
158
0
    BIGNUM *e = NULL;
159
0
    EVP_MD *fetched_digest = NULL;
160
0
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
161
0
    const char *propq = ossl_ec_key_get0_propq(key);
162
163
0
    if (md_size <= 0) {
164
0
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST);
165
0
        goto done;
166
0
    }
167
0
    if (hash == NULL) {
168
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
169
0
        goto done;
170
0
    }
171
172
0
    z = OPENSSL_zalloc(md_size);
173
0
    if (z == NULL)
174
0
        goto done;
175
176
0
    fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(digest), propq);
177
0
    if (fetched_digest == NULL) {
178
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
179
0
        goto done;
180
0
    }
181
182
0
    if (!ossl_sm2_compute_z_digest(z, fetched_digest, id, id_len, key)) {
183
        /* SM2err already called */
184
0
        goto done;
185
0
    }
186
187
0
    if (!EVP_DigestInit(hash, fetched_digest)
188
0
            || !EVP_DigestUpdate(hash, z, md_size)
189
0
            || !EVP_DigestUpdate(hash, msg, msg_len)
190
               /* reuse z buffer to hold H(Z || M) */
191
0
            || !EVP_DigestFinal(hash, z, NULL)) {
192
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
193
0
        goto done;
194
0
    }
195
196
0
    e = BN_bin2bn(z, md_size, NULL);
197
0
    if (e == NULL)
198
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
199
200
0
 done:
201
0
    EVP_MD_free(fetched_digest);
202
0
    OPENSSL_free(z);
203
0
    EVP_MD_CTX_free(hash);
204
0
    return e;
205
0
}
206
207
static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
208
0
{
209
0
    const BIGNUM *dA = EC_KEY_get0_private_key(key);
210
0
    const EC_GROUP *group = EC_KEY_get0_group(key);
211
0
    const BIGNUM *order = EC_GROUP_get0_order(group);
212
0
    ECDSA_SIG *sig = NULL;
213
0
    EC_POINT *kG = NULL;
214
0
    BN_CTX *ctx = NULL;
215
0
    BIGNUM *k = NULL;
216
0
    BIGNUM *rk = NULL;
217
0
    BIGNUM *r = NULL;
218
0
    BIGNUM *s = NULL;
219
0
    BIGNUM *x1 = NULL;
220
0
    BIGNUM *tmp = NULL;
221
0
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
222
223
0
    kG = EC_POINT_new(group);
224
0
    if (kG == NULL) {
225
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
226
0
        goto done;
227
0
    }
228
0
    ctx = BN_CTX_new_ex(libctx);
229
0
    if (ctx == NULL) {
230
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
231
0
        goto done;
232
0
    }
233
234
0
    BN_CTX_start(ctx);
235
0
    k = BN_CTX_get(ctx);
236
0
    rk = BN_CTX_get(ctx);
237
0
    x1 = BN_CTX_get(ctx);
238
0
    tmp = BN_CTX_get(ctx);
239
0
    if (tmp == NULL) {
240
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
241
0
        goto done;
242
0
    }
243
244
    /*
245
     * These values are returned and so should not be allocated out of the
246
     * context
247
     */
248
0
    r = BN_new();
249
0
    s = BN_new();
250
251
0
    if (r == NULL || s == NULL) {
252
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
253
0
        goto done;
254
0
    }
255
256
    /*
257
     * A3: Generate a random number k in [1,n-1] using random number generators;
258
     * A4: Compute (x1,y1)=[k]G, and convert the type of data x1 to be integer
259
     *     as specified in clause 4.2.8 of GM/T 0003.1-2012;
260
     * A5: Compute r=(e+x1) mod n. If r=0 or r+k=n, then go to A3;
261
     * A6: Compute s=(1/(1+dA)*(k-r*dA)) mod n. If s=0, then go to A3;
262
     * A7: Convert the type of data (r,s) to be bit strings according to the details
263
     *     in clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s).
264
     */
265
0
    for (;;) {
266
0
        if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
267
0
            ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
268
0
            goto done;
269
0
        }
270
271
0
        if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx)
272
0
                || !EC_POINT_get_affine_coordinates(group, kG, x1, NULL,
273
0
                                                    ctx)
274
0
                || !BN_mod_add(r, e, x1, order, ctx)) {
275
0
            ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
276
0
            goto done;
277
0
        }
278
279
        /* try again if r == 0 or r+k == n */
280
0
        if (BN_is_zero(r))
281
0
            continue;
282
283
0
        if (!BN_add(rk, r, k)) {
284
0
            ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
285
0
            goto done;
286
0
        }
287
288
0
        if (BN_cmp(rk, order) == 0)
289
0
            continue;
290
291
0
        if (!BN_add(s, dA, BN_value_one())
292
0
                || !ossl_ec_group_do_inverse_ord(group, s, s, ctx)
293
0
                || !BN_mod_mul(tmp, dA, r, order, ctx)
294
0
                || !BN_sub(tmp, k, tmp)
295
0
                || !BN_mod_mul(s, s, tmp, order, ctx)) {
296
0
            ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
297
0
            goto done;
298
0
        }
299
300
        /* try again if s == 0 */
301
0
        if (BN_is_zero(s))
302
0
            continue;
303
304
0
        sig = ECDSA_SIG_new();
305
0
        if (sig == NULL) {
306
0
            ERR_raise(ERR_LIB_SM2, ERR_R_ECDSA_LIB);
307
0
            goto done;
308
0
        }
309
310
         /* takes ownership of r and s */
311
0
        ECDSA_SIG_set0(sig, r, s);
312
0
        break;
313
0
    }
314
315
0
 done:
316
0
    if (sig == NULL) {
317
0
        BN_free(r);
318
0
        BN_free(s);
319
0
    }
320
321
0
    BN_CTX_free(ctx);
322
0
    EC_POINT_free(kG);
323
0
    return sig;
324
0
}
325
326
static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig,
327
                          const BIGNUM *e)
328
0
{
329
0
    int ret = 0;
330
0
    const EC_GROUP *group = EC_KEY_get0_group(key);
331
0
    const BIGNUM *order = EC_GROUP_get0_order(group);
332
0
    BN_CTX *ctx = NULL;
333
0
    EC_POINT *pt = NULL;
334
0
    BIGNUM *t = NULL;
335
0
    BIGNUM *x1 = NULL;
336
0
    const BIGNUM *r = NULL;
337
0
    const BIGNUM *s = NULL;
338
0
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
339
340
0
    ctx = BN_CTX_new_ex(libctx);
341
0
    pt = EC_POINT_new(group);
342
0
    if (ctx == NULL || pt == NULL) {
343
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
344
0
        goto done;
345
0
    }
346
347
0
    BN_CTX_start(ctx);
348
0
    t = BN_CTX_get(ctx);
349
0
    x1 = BN_CTX_get(ctx);
350
0
    if (x1 == NULL) {
351
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
352
0
        goto done;
353
0
    }
354
355
    /*
356
     * B1: verify whether r' in [1,n-1], verification failed if not
357
     * B2: verify whether s' in [1,n-1], verification failed if not
358
     * B3: set M'~=ZA || M'
359
     * B4: calculate e'=Hv(M'~)
360
     * B5: calculate t = (r' + s') modn, verification failed if t=0
361
     * B6: calculate the point (x1', y1')=[s']G + [t]PA
362
     * B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed
363
     */
364
365
0
    ECDSA_SIG_get0(sig, &r, &s);
366
367
0
    if (BN_cmp(r, BN_value_one()) < 0
368
0
            || BN_cmp(s, BN_value_one()) < 0
369
0
            || BN_cmp(order, r) <= 0
370
0
            || BN_cmp(order, s) <= 0) {
371
0
        ERR_raise(ERR_LIB_SM2, SM2_R_BAD_SIGNATURE);
372
0
        goto done;
373
0
    }
374
375
0
    if (!BN_mod_add(t, r, s, order, ctx)) {
376
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
377
0
        goto done;
378
0
    }
379
380
0
    if (BN_is_zero(t)) {
381
0
        ERR_raise(ERR_LIB_SM2, SM2_R_BAD_SIGNATURE);
382
0
        goto done;
383
0
    }
384
385
0
    if (!EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx)
386
0
            || !EC_POINT_get_affine_coordinates(group, pt, x1, NULL, ctx)) {
387
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
388
0
        goto done;
389
0
    }
390
391
0
    if (!BN_mod_add(t, e, x1, order, ctx)) {
392
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
393
0
        goto done;
394
0
    }
395
396
0
    if (BN_cmp(r, t) == 0)
397
0
        ret = 1;
398
399
0
 done:
400
0
    BN_CTX_end(ctx);
401
0
    EC_POINT_free(pt);
402
0
    BN_CTX_free(ctx);
403
0
    return ret;
404
0
}
405
406
ECDSA_SIG *ossl_sm2_do_sign(const EC_KEY *key,
407
                            const EVP_MD *digest,
408
                            const uint8_t *id,
409
                            const size_t id_len,
410
                            const uint8_t *msg, size_t msg_len)
411
0
{
412
0
    BIGNUM *e = NULL;
413
0
    ECDSA_SIG *sig = NULL;
414
415
0
    e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
416
0
    if (e == NULL) {
417
        /* SM2err already called */
418
0
        goto done;
419
0
    }
420
421
0
    sig = sm2_sig_gen(key, e);
422
423
0
 done:
424
0
    BN_free(e);
425
0
    return sig;
426
0
}
427
428
int ossl_sm2_do_verify(const EC_KEY *key,
429
                       const EVP_MD *digest,
430
                       const ECDSA_SIG *sig,
431
                       const uint8_t *id,
432
                       const size_t id_len,
433
                       const uint8_t *msg, size_t msg_len)
434
0
{
435
0
    BIGNUM *e = NULL;
436
0
    int ret = 0;
437
438
0
    e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
439
0
    if (e == NULL) {
440
        /* SM2err already called */
441
0
        goto done;
442
0
    }
443
444
0
    ret = sm2_sig_verify(key, sig, e);
445
446
0
 done:
447
0
    BN_free(e);
448
0
    return ret;
449
0
}
450
451
int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen,
452
                           unsigned char *sig, unsigned int *siglen,
453
                           EC_KEY *eckey)
454
0
{
455
0
    BIGNUM *e = NULL;
456
0
    ECDSA_SIG *s = NULL;
457
0
    int sigleni;
458
0
    int ret = -1;
459
460
0
    if (sig == NULL) {
461
0
        ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
462
0
        goto done;
463
0
    }
464
465
0
    e = BN_bin2bn(dgst, dgstlen, NULL);
466
0
    if (e == NULL) {
467
0
       ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
468
0
       goto done;
469
0
    }
470
471
0
    s = sm2_sig_gen(eckey, e);
472
0
    if (s == NULL) {
473
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
474
0
        goto done;
475
0
    }
476
477
0
    sigleni = i2d_ECDSA_SIG(s, &sig);
478
0
    if (sigleni < 0) {
479
0
       ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
480
0
       goto done;
481
0
    }
482
0
    *siglen = (unsigned int)sigleni;
483
484
0
    ret = 1;
485
486
0
 done:
487
0
    ECDSA_SIG_free(s);
488
0
    BN_free(e);
489
0
    return ret;
490
0
}
491
492
int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen,
493
                             const unsigned char *sig, int sig_len,
494
                             EC_KEY *eckey)
495
0
{
496
0
    ECDSA_SIG *s = NULL;
497
0
    BIGNUM *e = NULL;
498
0
    const unsigned char *p = sig;
499
0
    unsigned char *der = NULL;
500
0
    int derlen = -1;
501
0
    int ret = -1;
502
503
0
    s = ECDSA_SIG_new();
504
0
    if (s == NULL) {
505
0
        ERR_raise(ERR_LIB_SM2, ERR_R_ECDSA_LIB);
506
0
        goto done;
507
0
    }
508
0
    if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) {
509
0
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
510
0
        goto done;
511
0
    }
512
    /* Ensure signature uses DER and doesn't have trailing garbage */
513
0
    derlen = i2d_ECDSA_SIG(s, &der);
514
0
    if (derlen != sig_len || memcmp(sig, der, derlen) != 0) {
515
0
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
516
0
        goto done;
517
0
    }
518
519
0
    e = BN_bin2bn(dgst, dgstlen, NULL);
520
0
    if (e == NULL) {
521
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
522
0
        goto done;
523
0
    }
524
525
0
    ret = sm2_sig_verify(eckey, s, e);
526
527
0
 done:
528
0
    OPENSSL_free(der);
529
0
    BN_free(e);
530
0
    ECDSA_SIG_free(s);
531
0
    return ret;
532
0
}