/src/openssl/crypto/sm2/sm2_crypt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright 2017 Ribose Inc. All Rights Reserved. |
4 | | * Ported from Ribose contributions from Botan. |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | */ |
11 | | |
12 | | /* |
13 | | * ECDSA low level APIs are deprecated for public use, but still ok for |
14 | | * internal use. |
15 | | */ |
16 | | #include "internal/deprecated.h" |
17 | | |
18 | | #include "crypto/sm2.h" |
19 | | #include "crypto/sm2err.h" |
20 | | #include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */ |
21 | | #include <openssl/err.h> |
22 | | #include <openssl/evp.h> |
23 | | #include <openssl/bn.h> |
24 | | #include <openssl/asn1.h> |
25 | | #include <openssl/asn1t.h> |
26 | | #include <string.h> |
27 | | |
28 | | typedef struct SM2_Ciphertext_st SM2_Ciphertext; |
29 | | DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext) |
30 | | |
31 | | struct SM2_Ciphertext_st { |
32 | | BIGNUM *C1x; |
33 | | BIGNUM *C1y; |
34 | | ASN1_OCTET_STRING *C3; |
35 | | ASN1_OCTET_STRING *C2; |
36 | | }; |
37 | | |
38 | | ASN1_SEQUENCE(SM2_Ciphertext) = { |
39 | | ASN1_SIMPLE(SM2_Ciphertext, C1x, BIGNUM), |
40 | | ASN1_SIMPLE(SM2_Ciphertext, C1y, BIGNUM), |
41 | | ASN1_SIMPLE(SM2_Ciphertext, C3, ASN1_OCTET_STRING), |
42 | | ASN1_SIMPLE(SM2_Ciphertext, C2, ASN1_OCTET_STRING), |
43 | | } ASN1_SEQUENCE_END(SM2_Ciphertext) |
44 | | |
45 | | IMPLEMENT_ASN1_FUNCTIONS(SM2_Ciphertext) |
46 | | |
47 | | static size_t ec_field_size(const EC_GROUP *group) |
48 | 0 | { |
49 | 0 | const BIGNUM *p = EC_GROUP_get0_field(group); |
50 | |
|
51 | 0 | if (p == NULL) |
52 | 0 | return 0; |
53 | | |
54 | 0 | return BN_num_bytes(p); |
55 | 0 | } |
56 | | |
57 | | int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size, |
58 | | size_t *pt_size) |
59 | 0 | { |
60 | 0 | struct SM2_Ciphertext_st *sm2_ctext = NULL; |
61 | |
|
62 | 0 | sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size); |
63 | |
|
64 | 0 | if (sm2_ctext == NULL) { |
65 | 0 | ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING); |
66 | 0 | return 0; |
67 | 0 | } |
68 | | |
69 | 0 | *pt_size = sm2_ctext->C2->length; |
70 | 0 | SM2_Ciphertext_free(sm2_ctext); |
71 | |
|
72 | 0 | return 1; |
73 | 0 | } |
74 | | |
75 | | int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, |
76 | | size_t msg_len, size_t *ct_size) |
77 | 0 | { |
78 | 0 | const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); |
79 | 0 | const int md_size = EVP_MD_get_size(digest); |
80 | 0 | size_t sz; |
81 | |
|
82 | 0 | if (field_size == 0 || md_size < 0) |
83 | 0 | return 0; |
84 | | |
85 | | /* Integer and string are simple type; set constructed = 0, means primitive and definite length encoding. */ |
86 | 0 | sz = 2 * ASN1_object_size(0, field_size + 1, V_ASN1_INTEGER) |
87 | 0 | + ASN1_object_size(0, md_size, V_ASN1_OCTET_STRING) |
88 | 0 | + ASN1_object_size(0, msg_len, V_ASN1_OCTET_STRING); |
89 | | /* Sequence is structured type; set constructed = 1, means constructed and definite length encoding. */ |
90 | 0 | *ct_size = ASN1_object_size(1, sz, V_ASN1_SEQUENCE); |
91 | |
|
92 | 0 | return 1; |
93 | 0 | } |
94 | | |
95 | | int ossl_sm2_encrypt(const EC_KEY *key, |
96 | | const EVP_MD *digest, |
97 | | const uint8_t *msg, size_t msg_len, |
98 | | uint8_t *ciphertext_buf, size_t *ciphertext_len) |
99 | 0 | { |
100 | 0 | int rc = 0, ciphertext_leni; |
101 | 0 | size_t i; |
102 | 0 | BN_CTX *ctx = NULL; |
103 | 0 | BIGNUM *k = NULL; |
104 | 0 | BIGNUM *x1 = NULL; |
105 | 0 | BIGNUM *y1 = NULL; |
106 | 0 | BIGNUM *x2 = NULL; |
107 | 0 | BIGNUM *y2 = NULL; |
108 | 0 | EVP_MD_CTX *hash = EVP_MD_CTX_new(); |
109 | 0 | struct SM2_Ciphertext_st ctext_struct; |
110 | 0 | const EC_GROUP *group = EC_KEY_get0_group(key); |
111 | 0 | const BIGNUM *order = EC_GROUP_get0_order(group); |
112 | 0 | const EC_POINT *P = EC_KEY_get0_public_key(key); |
113 | 0 | EC_POINT *kG = NULL; |
114 | 0 | EC_POINT *kP = NULL; |
115 | 0 | uint8_t *msg_mask = NULL; |
116 | 0 | uint8_t *x2y2 = NULL; |
117 | 0 | uint8_t *C3 = NULL; |
118 | 0 | size_t field_size; |
119 | 0 | const int C3_size = EVP_MD_get_size(digest); |
120 | 0 | EVP_MD *fetched_digest = NULL; |
121 | 0 | OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); |
122 | 0 | const char *propq = ossl_ec_key_get0_propq(key); |
123 | | |
124 | | /* NULL these before any "goto done" */ |
125 | 0 | ctext_struct.C2 = NULL; |
126 | 0 | ctext_struct.C3 = NULL; |
127 | |
|
128 | 0 | if (hash == NULL || C3_size <= 0) { |
129 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
130 | 0 | goto done; |
131 | 0 | } |
132 | | |
133 | 0 | field_size = ec_field_size(group); |
134 | 0 | if (field_size == 0) { |
135 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
136 | 0 | goto done; |
137 | 0 | } |
138 | | |
139 | 0 | kG = EC_POINT_new(group); |
140 | 0 | kP = EC_POINT_new(group); |
141 | 0 | if (kG == NULL || kP == NULL) { |
142 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); |
143 | 0 | goto done; |
144 | 0 | } |
145 | 0 | ctx = BN_CTX_new_ex(libctx); |
146 | 0 | if (ctx == NULL) { |
147 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); |
148 | 0 | goto done; |
149 | 0 | } |
150 | | |
151 | 0 | BN_CTX_start(ctx); |
152 | 0 | k = BN_CTX_get(ctx); |
153 | 0 | x1 = BN_CTX_get(ctx); |
154 | 0 | x2 = BN_CTX_get(ctx); |
155 | 0 | y1 = BN_CTX_get(ctx); |
156 | 0 | y2 = BN_CTX_get(ctx); |
157 | |
|
158 | 0 | if (y2 == NULL) { |
159 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); |
160 | 0 | goto done; |
161 | 0 | } |
162 | | |
163 | 0 | x2y2 = OPENSSL_zalloc(2 * field_size); |
164 | 0 | C3 = OPENSSL_zalloc(C3_size); |
165 | |
|
166 | 0 | if (x2y2 == NULL || C3 == NULL) |
167 | 0 | goto done; |
168 | | |
169 | 0 | memset(ciphertext_buf, 0, *ciphertext_len); |
170 | |
|
171 | 0 | if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { |
172 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
173 | 0 | goto done; |
174 | 0 | } |
175 | | |
176 | 0 | if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx) |
177 | 0 | || !EC_POINT_get_affine_coordinates(group, kG, x1, y1, ctx) |
178 | 0 | || !EC_POINT_mul(group, kP, NULL, P, k, ctx) |
179 | 0 | || !EC_POINT_get_affine_coordinates(group, kP, x2, y2, ctx)) { |
180 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); |
181 | 0 | goto done; |
182 | 0 | } |
183 | | |
184 | 0 | if (BN_bn2binpad(x2, x2y2, field_size) < 0 |
185 | 0 | || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0) { |
186 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
187 | 0 | goto done; |
188 | 0 | } |
189 | | |
190 | 0 | msg_mask = OPENSSL_zalloc(msg_len); |
191 | 0 | if (msg_mask == NULL) |
192 | 0 | goto done; |
193 | | |
194 | | /* X9.63 with no salt happens to match the KDF used in SM2 */ |
195 | 0 | if (!ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, |
196 | 0 | digest, libctx, propq)) { |
197 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); |
198 | 0 | goto done; |
199 | 0 | } |
200 | | |
201 | 0 | for (i = 0; i != msg_len; ++i) |
202 | 0 | msg_mask[i] ^= msg[i]; |
203 | |
|
204 | 0 | fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(digest), propq); |
205 | 0 | if (fetched_digest == NULL) { |
206 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
207 | 0 | goto done; |
208 | 0 | } |
209 | 0 | if (EVP_DigestInit(hash, fetched_digest) == 0 |
210 | 0 | || EVP_DigestUpdate(hash, x2y2, field_size) == 0 |
211 | 0 | || EVP_DigestUpdate(hash, msg, msg_len) == 0 |
212 | 0 | || EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0 |
213 | 0 | || EVP_DigestFinal(hash, C3, NULL) == 0) { |
214 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); |
215 | 0 | goto done; |
216 | 0 | } |
217 | | |
218 | 0 | ctext_struct.C1x = x1; |
219 | 0 | ctext_struct.C1y = y1; |
220 | 0 | ctext_struct.C3 = ASN1_OCTET_STRING_new(); |
221 | 0 | ctext_struct.C2 = ASN1_OCTET_STRING_new(); |
222 | |
|
223 | 0 | if (ctext_struct.C3 == NULL || ctext_struct.C2 == NULL) { |
224 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_ASN1_LIB); |
225 | 0 | goto done; |
226 | 0 | } |
227 | 0 | if (!ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size) |
228 | 0 | || !ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len)) { |
229 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
230 | 0 | goto done; |
231 | 0 | } |
232 | | |
233 | 0 | ciphertext_leni = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf); |
234 | | /* Ensure cast to size_t is safe */ |
235 | 0 | if (ciphertext_leni < 0) { |
236 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
237 | 0 | goto done; |
238 | 0 | } |
239 | 0 | *ciphertext_len = (size_t)ciphertext_leni; |
240 | |
|
241 | 0 | rc = 1; |
242 | |
|
243 | 0 | done: |
244 | 0 | EVP_MD_free(fetched_digest); |
245 | 0 | ASN1_OCTET_STRING_free(ctext_struct.C2); |
246 | 0 | ASN1_OCTET_STRING_free(ctext_struct.C3); |
247 | 0 | OPENSSL_free(msg_mask); |
248 | 0 | OPENSSL_free(x2y2); |
249 | 0 | OPENSSL_free(C3); |
250 | 0 | EVP_MD_CTX_free(hash); |
251 | 0 | BN_CTX_free(ctx); |
252 | 0 | EC_POINT_free(kG); |
253 | 0 | EC_POINT_free(kP); |
254 | 0 | return rc; |
255 | 0 | } |
256 | | |
257 | | int ossl_sm2_decrypt(const EC_KEY *key, |
258 | | const EVP_MD *digest, |
259 | | const uint8_t *ciphertext, size_t ciphertext_len, |
260 | | uint8_t *ptext_buf, size_t *ptext_len) |
261 | 0 | { |
262 | 0 | int rc = 0; |
263 | 0 | int i; |
264 | 0 | BN_CTX *ctx = NULL; |
265 | 0 | const EC_GROUP *group = EC_KEY_get0_group(key); |
266 | 0 | EC_POINT *C1 = NULL; |
267 | 0 | struct SM2_Ciphertext_st *sm2_ctext = NULL; |
268 | 0 | BIGNUM *x2 = NULL; |
269 | 0 | BIGNUM *y2 = NULL; |
270 | 0 | uint8_t *x2y2 = NULL; |
271 | 0 | uint8_t *computed_C3 = NULL; |
272 | 0 | const size_t field_size = ec_field_size(group); |
273 | 0 | const int hash_size = EVP_MD_get_size(digest); |
274 | 0 | uint8_t *msg_mask = NULL; |
275 | 0 | const uint8_t *C2 = NULL; |
276 | 0 | const uint8_t *C3 = NULL; |
277 | 0 | int msg_len = 0; |
278 | 0 | EVP_MD_CTX *hash = NULL; |
279 | 0 | OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); |
280 | 0 | const char *propq = ossl_ec_key_get0_propq(key); |
281 | |
|
282 | 0 | if (field_size == 0 || hash_size <= 0) |
283 | 0 | goto done; |
284 | | |
285 | 0 | memset(ptext_buf, 0xFF, *ptext_len); |
286 | |
|
287 | 0 | sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext, ciphertext_len); |
288 | |
|
289 | 0 | if (sm2_ctext == NULL) { |
290 | 0 | ERR_raise(ERR_LIB_SM2, SM2_R_ASN1_ERROR); |
291 | 0 | goto done; |
292 | 0 | } |
293 | | |
294 | 0 | if (sm2_ctext->C3->length != hash_size) { |
295 | 0 | ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING); |
296 | 0 | goto done; |
297 | 0 | } |
298 | | |
299 | 0 | C2 = sm2_ctext->C2->data; |
300 | 0 | C3 = sm2_ctext->C3->data; |
301 | 0 | msg_len = sm2_ctext->C2->length; |
302 | 0 | if (*ptext_len < (size_t)msg_len) { |
303 | 0 | ERR_raise(ERR_LIB_SM2, SM2_R_BUFFER_TOO_SMALL); |
304 | 0 | goto done; |
305 | 0 | } |
306 | | |
307 | 0 | ctx = BN_CTX_new_ex(libctx); |
308 | 0 | if (ctx == NULL) { |
309 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); |
310 | 0 | goto done; |
311 | 0 | } |
312 | | |
313 | 0 | BN_CTX_start(ctx); |
314 | 0 | x2 = BN_CTX_get(ctx); |
315 | 0 | y2 = BN_CTX_get(ctx); |
316 | |
|
317 | 0 | if (y2 == NULL) { |
318 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); |
319 | 0 | goto done; |
320 | 0 | } |
321 | | |
322 | 0 | msg_mask = OPENSSL_zalloc(msg_len); |
323 | 0 | x2y2 = OPENSSL_zalloc(2 * field_size); |
324 | 0 | computed_C3 = OPENSSL_zalloc(hash_size); |
325 | |
|
326 | 0 | if (msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL) |
327 | 0 | goto done; |
328 | | |
329 | 0 | C1 = EC_POINT_new(group); |
330 | 0 | if (C1 == NULL) { |
331 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); |
332 | 0 | goto done; |
333 | 0 | } |
334 | | |
335 | 0 | if (!EC_POINT_set_affine_coordinates(group, C1, sm2_ctext->C1x, |
336 | 0 | sm2_ctext->C1y, ctx) |
337 | 0 | || !EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key), |
338 | 0 | ctx) |
339 | 0 | || !EC_POINT_get_affine_coordinates(group, C1, x2, y2, ctx)) { |
340 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); |
341 | 0 | goto done; |
342 | 0 | } |
343 | | |
344 | 0 | if (BN_bn2binpad(x2, x2y2, field_size) < 0 |
345 | 0 | || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0 |
346 | 0 | || !ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, |
347 | 0 | NULL, 0, digest, libctx, propq)) { |
348 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); |
349 | 0 | goto done; |
350 | 0 | } |
351 | | |
352 | 0 | for (i = 0; i != msg_len; ++i) |
353 | 0 | ptext_buf[i] = C2[i] ^ msg_mask[i]; |
354 | |
|
355 | 0 | hash = EVP_MD_CTX_new(); |
356 | 0 | if (hash == NULL) { |
357 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); |
358 | 0 | goto done; |
359 | 0 | } |
360 | | |
361 | 0 | if (!EVP_DigestInit(hash, digest) |
362 | 0 | || !EVP_DigestUpdate(hash, x2y2, field_size) |
363 | 0 | || !EVP_DigestUpdate(hash, ptext_buf, msg_len) |
364 | 0 | || !EVP_DigestUpdate(hash, x2y2 + field_size, field_size) |
365 | 0 | || !EVP_DigestFinal(hash, computed_C3, NULL)) { |
366 | 0 | ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB); |
367 | 0 | goto done; |
368 | 0 | } |
369 | | |
370 | 0 | if (CRYPTO_memcmp(computed_C3, C3, hash_size) != 0) { |
371 | 0 | ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST); |
372 | 0 | goto done; |
373 | 0 | } |
374 | | |
375 | 0 | rc = 1; |
376 | 0 | *ptext_len = msg_len; |
377 | |
|
378 | 0 | done: |
379 | 0 | if (rc == 0) |
380 | 0 | memset(ptext_buf, 0, *ptext_len); |
381 | |
|
382 | 0 | OPENSSL_free(msg_mask); |
383 | 0 | OPENSSL_free(x2y2); |
384 | 0 | OPENSSL_free(computed_C3); |
385 | 0 | EC_POINT_free(C1); |
386 | 0 | BN_CTX_free(ctx); |
387 | 0 | SM2_Ciphertext_free(sm2_ctext); |
388 | 0 | EVP_MD_CTX_free(hash); |
389 | |
|
390 | 0 | return rc; |
391 | 0 | } |