/src/nss/lib/freebl/ecl/ecp_secp256r1.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* P-256 from HACL* */ |
2 | | |
3 | | #ifdef FREEBL_NO_DEPEND |
4 | | #include "../stubs.h" |
5 | | #endif |
6 | | |
7 | | #include "ecl-priv.h" |
8 | | #include "secitem.h" |
9 | | #include "secerr.h" |
10 | | #include "secmpi.h" |
11 | | #include "../verified/Hacl_P256.h" |
12 | | |
13 | | /* |
14 | | * Point Validation for P-256. |
15 | | */ |
16 | | |
17 | | SECStatus |
18 | | ec_secp256r1_pt_validate(const SECItem *pt) |
19 | 0 | { |
20 | 0 | SECStatus res = SECSuccess; |
21 | 0 | if (!pt || !pt->data) { |
22 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
23 | 0 | res = SECFailure; |
24 | 0 | return res; |
25 | 0 | } |
26 | | |
27 | 0 | if (pt->len != 65) { |
28 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
29 | 0 | res = SECFailure; |
30 | 0 | return res; |
31 | 0 | } |
32 | | |
33 | 0 | if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { |
34 | 0 | PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); |
35 | 0 | res = SECFailure; |
36 | 0 | return res; |
37 | 0 | } |
38 | | |
39 | 0 | #ifndef UNSAFE_FUZZER_MODE |
40 | 0 | bool b = Hacl_P256_validate_public_key(pt->data + 1); |
41 | | #else |
42 | | bool b = PR_TRUE; |
43 | | #endif |
44 | |
|
45 | 0 | if (!b) { |
46 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
47 | 0 | res = SECFailure; |
48 | 0 | } |
49 | 0 | return res; |
50 | 0 | } |
51 | | |
52 | | /* |
53 | | * Scalar Validation for P-256. |
54 | | */ |
55 | | |
56 | | SECStatus |
57 | | ec_secp256r1_scalar_validate(const SECItem *scalar) |
58 | 0 | { |
59 | 0 | SECStatus res = SECSuccess; |
60 | 0 | if (!scalar || !scalar->data) { |
61 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
62 | 0 | res = SECFailure; |
63 | 0 | return res; |
64 | 0 | } |
65 | | |
66 | 0 | if (scalar->len != 32) { |
67 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
68 | 0 | res = SECFailure; |
69 | 0 | return res; |
70 | 0 | } |
71 | | |
72 | 0 | #ifndef UNSAFE_FUZZER_MODE |
73 | 0 | bool b = Hacl_P256_validate_private_key(scalar->data); |
74 | | #else |
75 | | bool b = PR_TRUE; |
76 | | #endif |
77 | |
|
78 | 0 | if (!b) { |
79 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
80 | 0 | res = SECFailure; |
81 | 0 | } |
82 | 0 | return res; |
83 | 0 | } |
84 | | |
85 | | /* |
86 | | * Scalar multiplication for P-256. |
87 | | * If P == NULL, the base point is used. |
88 | | * Returns X = k*P |
89 | | */ |
90 | | |
91 | | SECStatus |
92 | | ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) |
93 | 0 | { |
94 | 0 | SECStatus res = SECSuccess; |
95 | 0 | if (!P) { |
96 | 0 | uint8_t derived[64] = { 0 }; |
97 | |
|
98 | 0 | if (!X || !k || !X->data || !k->data || |
99 | 0 | X->len < 65 || k->len != 32) { |
100 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
101 | 0 | res = SECFailure; |
102 | 0 | return res; |
103 | 0 | } |
104 | | |
105 | 0 | #ifndef UNSAFE_FUZZER_MODE |
106 | 0 | bool b = Hacl_P256_dh_initiator(derived, k->data); |
107 | | #else |
108 | | bool b = PR_TRUE; |
109 | | #endif |
110 | |
|
111 | 0 | if (!b) { |
112 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
113 | 0 | res = SECFailure; |
114 | 0 | return res; |
115 | 0 | } |
116 | | |
117 | 0 | X->len = 65; |
118 | 0 | X->data[0] = EC_POINT_FORM_UNCOMPRESSED; |
119 | 0 | memcpy(X->data + 1, derived, 64); |
120 | |
|
121 | 0 | } else { |
122 | 0 | uint8_t full_key[32] = { 0 }; |
123 | 0 | uint8_t *key; |
124 | 0 | uint8_t derived[64] = { 0 }; |
125 | |
|
126 | 0 | if (!X || !k || !P || !X->data || !k->data || !P->data || |
127 | 0 | X->len < 32 || P->len != 65 || |
128 | 0 | P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { |
129 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
130 | 0 | res = SECFailure; |
131 | 0 | return res; |
132 | 0 | } |
133 | | |
134 | | /* We consider keys of up to size 32, or of size 33 with a single leading 0 */ |
135 | 0 | if (k->len < 32) { |
136 | 0 | memcpy(full_key + 32 - k->len, k->data, k->len); |
137 | 0 | key = full_key; |
138 | 0 | } else if (k->len == 32) { |
139 | 0 | key = k->data; |
140 | 0 | } else if (k->len == 33 && k->data[0] == 0) { |
141 | 0 | key = k->data + 1; |
142 | 0 | } else { |
143 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
144 | 0 | res = SECFailure; |
145 | 0 | return res; |
146 | 0 | } |
147 | | |
148 | 0 | bool b = Hacl_P256_dh_responder(derived, P->data + 1, key); |
149 | |
|
150 | 0 | if (!b) { |
151 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
152 | 0 | res = SECFailure; |
153 | 0 | return res; |
154 | 0 | } |
155 | | |
156 | 0 | X->len = 32; |
157 | 0 | memcpy(X->data, derived, 32); |
158 | 0 | } |
159 | | |
160 | 0 | return res; |
161 | 0 | } |
162 | | |
163 | | /* |
164 | | * ECDSA Signature for P-256 |
165 | | */ |
166 | | |
167 | | SECStatus |
168 | | ec_secp256r1_sign_digest(ECPrivateKey *ecPrivKey, SECItem *signature, |
169 | | const SECItem *digest, const unsigned char *kb, |
170 | | const unsigned int kblen) |
171 | 0 | { |
172 | 0 | SECStatus res = SECSuccess; |
173 | |
|
174 | 0 | if (!ecPrivKey || !signature || !digest || !kb || |
175 | 0 | !ecPrivKey->privateValue.data || |
176 | 0 | !signature->data || !digest->data || |
177 | 0 | ecPrivKey->ecParams.name != ECCurve_NIST_P256) { |
178 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
179 | 0 | res = SECFailure; |
180 | 0 | return res; |
181 | 0 | } |
182 | | |
183 | 0 | if (kblen == 0 || digest->len == 0 || signature->len < 64) { |
184 | 0 | PORT_SetError(SEC_ERROR_INPUT_LEN); |
185 | 0 | res = SECFailure; |
186 | 0 | return res; |
187 | 0 | } |
188 | | |
189 | | // Private keys should be 32 bytes, but some software trims leading zeros, |
190 | | // and some software produces 33 byte keys with a leading zero. We'll |
191 | | // accept these variants. |
192 | 0 | uint8_t padded_key_data[32] = { 0 }; |
193 | 0 | uint8_t *key; |
194 | 0 | SECItem *privKey = &ecPrivKey->privateValue; |
195 | 0 | if (privKey->len == 32) { |
196 | 0 | key = privKey->data; |
197 | 0 | } else if (privKey->len == 33 && privKey->data[0] == 0) { |
198 | 0 | key = privKey->data + 1; |
199 | 0 | } else if (privKey->len < 32) { |
200 | 0 | memcpy(padded_key_data + 32 - privKey->len, privKey->data, privKey->len); |
201 | 0 | key = padded_key_data; |
202 | 0 | } else { |
203 | 0 | PORT_SetError(SEC_ERROR_INPUT_LEN); |
204 | 0 | return SECFailure; |
205 | 0 | } |
206 | | |
207 | 0 | uint8_t hash[32] = { 0 }; |
208 | 0 | if (digest->len < 32) { |
209 | 0 | memcpy(hash + 32 - digest->len, digest->data, digest->len); |
210 | 0 | } else { |
211 | 0 | memcpy(hash, digest->data, 32); |
212 | 0 | } |
213 | |
|
214 | 0 | uint8_t nonce[32] = { 0 }; |
215 | 0 | if (kblen < 32) { |
216 | 0 | memcpy(nonce + 32 - kblen, kb, kblen); |
217 | 0 | } else { |
218 | 0 | memcpy(nonce, kb, 32); |
219 | 0 | } |
220 | |
|
221 | 0 | #ifndef UNSAFE_FUZZER_MODE |
222 | 0 | bool b = Hacl_P256_ecdsa_sign_p256_without_hash( |
223 | 0 | signature->data, 32, hash, key, nonce); |
224 | | #else |
225 | | bool b = key != NULL; /* Avoiding unused variable warnings */ |
226 | | #endif |
227 | |
|
228 | 0 | if (!b) { |
229 | 0 | PORT_SetError(SEC_ERROR_BAD_KEY); |
230 | 0 | res = SECFailure; |
231 | 0 | return res; |
232 | 0 | } |
233 | | |
234 | 0 | signature->len = 64; |
235 | 0 | return res; |
236 | 0 | } |
237 | | |
238 | | /* |
239 | | * ECDSA Signature Verification for P-256 |
240 | | */ |
241 | | |
242 | | SECStatus |
243 | | ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, |
244 | | const SECItem *digest) |
245 | 0 | { |
246 | 0 | SECStatus res = SECSuccess; |
247 | |
|
248 | 0 | unsigned char _padded_sig_data[64] = { 0 }; |
249 | 0 | unsigned char *sig_r, *sig_s; |
250 | |
|
251 | 0 | if (!key || !signature || !digest || |
252 | 0 | !key->publicValue.data || |
253 | 0 | !signature->data || !digest->data || |
254 | 0 | key->ecParams.name != ECCurve_NIST_P256) { |
255 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
256 | 0 | res = SECFailure; |
257 | 0 | return res; |
258 | 0 | } |
259 | | |
260 | 0 | unsigned int olen = key->ecParams.order.len; |
261 | 0 | if (signature->len == 0 || signature->len % 2 != 0 || |
262 | 0 | signature->len > 2 * olen || |
263 | 0 | digest->len == 0 || key->publicValue.len != 65) { |
264 | 0 | PORT_SetError(SEC_ERROR_INPUT_LEN); |
265 | 0 | res = SECFailure; |
266 | 0 | return res; |
267 | 0 | } |
268 | | |
269 | 0 | if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { |
270 | 0 | PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); |
271 | 0 | res = SECFailure; |
272 | 0 | return res; |
273 | 0 | } |
274 | | |
275 | | /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */ |
276 | 0 | if (signature->len != 64) { |
277 | 0 | unsigned split = signature->len / 2; |
278 | 0 | unsigned pad = 32 - split; |
279 | |
|
280 | 0 | unsigned char *o_sig = signature->data; |
281 | 0 | unsigned char *p_sig = _padded_sig_data; |
282 | |
|
283 | 0 | memcpy(p_sig + pad, o_sig, split); |
284 | 0 | memcpy(p_sig + 32 + pad, o_sig + split, split); |
285 | |
|
286 | 0 | sig_r = p_sig; |
287 | 0 | sig_s = p_sig + 32; |
288 | 0 | } else { |
289 | 0 | sig_r = signature->data; |
290 | 0 | sig_s = signature->data + 32; |
291 | 0 | } |
292 | |
|
293 | 0 | uint8_t hash[32] = { 0 }; |
294 | 0 | if (digest->len < 32) { |
295 | 0 | memcpy(hash + 32 - digest->len, digest->data, digest->len); |
296 | 0 | } else { |
297 | 0 | memcpy(hash, digest->data, 32); |
298 | 0 | } |
299 | |
|
300 | 0 | #ifndef UNSAFE_FUZZER_MODE |
301 | 0 | bool b = Hacl_P256_ecdsa_verif_without_hash( |
302 | 0 | 32, hash, |
303 | 0 | key->publicValue.data + 1, |
304 | 0 | sig_r, sig_s); |
305 | | #else |
306 | | bool b = (sig_r != NULL) && (sig_s != NULL); /* Avoiding unused variable warnings */ |
307 | | #endif |
308 | |
|
309 | 0 | if (!b) { |
310 | 0 | PORT_SetError(SEC_ERROR_BAD_SIGNATURE); |
311 | 0 | res = SECFailure; |
312 | 0 | return res; |
313 | 0 | } |
314 | | |
315 | 0 | return res; |
316 | 0 | } |