int SM2_do_decrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,
const SM2_CIPHERTEXT_VALUE *cv, unsigned char *out, size_t *outlen,
EC_KEY *ec_key)
{
int ret = 0;
const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);
const BIGNUM *pri_key = EC_KEY_get0_private_key(ec_key);
KDF_FUNC kdf = KDF_get_x9_63(kdf_md);
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
int nbytes;
size_t size;
int i;
OPENSSL_assert(kdf_md && mac_md && cv && ec_key);
OPENSSL_assert(cv->ephem_point && cv->ciphertext);
if (!ec_group || !pri_key) {
goto end;
}
if (!kdf) {
goto end;
}
if (!out) {
*outlen = cv->ciphertext_size;
return 1;
}
if (*outlen < cv->ciphertext_size) {
goto end;
}
/* init vars */
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
//OPENSSL_assert(nbytes == BN_num_bytes(n));
#if 0
/* check sm2 curve and md is 256 bits */
OPENSSL_assert(nbytes == 32);
OPENSSL_assert(EVP_MD_size(kdf_md) == 32);
OPENSSL_assert(EVP_MD_size(mac_md) == 32);
#endif
/* B2: check [h]C1 != O */
if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* B3: compute ECDH [d]C1 = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, pri_key, bn_ctx)) {
goto end;
}
if (!(size = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(size == 1 + nbytes * 2);
/* B4: compute t = KDF(x2 || y2, clen) */
*outlen = cv->ciphertext_size; //FIXME: duplicated code
kdf(buf + 1, size - 1, out, outlen);
/* B5: compute M = C2 xor t */
for (i = 0; i < cv->ciphertext_size; i++) {
out[i] ^= cv->ciphertext[i];
}
*outlen = cv->ciphertext_size;
/* B6: check Hash(x2 || M || y2) == C3 */
if (!EVP_DigestInit_ex(md_ctx, mac_md, NULL)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, out, *outlen)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)) {
goto end;
}
if (!EVP_DigestFinal_ex(md_ctx, mac, &maclen)) {
goto end;
}
if (cv->mactag_size != maclen ||
memcmp(cv->mactag, mac, maclen)) {
goto end;
}
ret = 1;
end:
if (point) EC_POINT_free(point);
if (n) BN_free(n);
if (h) BN_free(h);
if (bn_ctx) BN_CTX_free(bn_ctx);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
return ret;
}
static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
{
clock_t clck;
int i, j;
BIGNUM *s;
BIGNUM *r[10], *r0[10];
EC_POINT *P;
s = BN_new();
if (s == NULL) ABORT;
fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
fflush(stdout);
P = EC_POINT_new(group);
if (P == NULL) ABORT;
EC_POINT_copy(P, EC_GROUP_get0_generator(group));
for (i = 0; i < 10; i++)
{
if ((r[i] = BN_new()) == NULL) ABORT;
if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0)) ABORT;
if (type != TIMING_BASE_PT)
{
if ((r0[i] = BN_new()) == NULL) ABORT;
if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0)) ABORT;
}
}
clck = clock();
for (i = 0; i < 10; i++)
{
for (j = 0; j < 10; j++)
{
if (!EC_POINT_mul(group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
(type != TIMING_BASE_PT) ? P : NULL, (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx)) ABORT;
}
}
clck = clock() - clck;
fprintf(stdout, "\n");
#ifdef CLOCKS_PER_SEC
/* "To determine the time in seconds, the value returned
* by the clock function should be divided by the value
* of the macro CLOCKS_PER_SEC."
* -- ISO/IEC 9899 */
# define UNIT "s"
#else
/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
* -- cc on NeXTstep/OpenStep */
# define UNIT "units"
# define CLOCKS_PER_SEC 1
#endif
if (type == TIMING_BASE_PT) {
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
"base point multiplications", (double)clck/CLOCKS_PER_SEC);
} else if (type == TIMING_RAND_PT) {
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
"random point multiplications", (double)clck/CLOCKS_PER_SEC);
} else if (type == TIMING_SIMUL) {
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
"s*P+t*Q operations", (double)clck/CLOCKS_PER_SEC);
}
fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
EC_POINT_free(P);
BN_free(s);
for (i = 0; i < 10; i++)
{
BN_free(r[i]);
if (type != TIMING_BASE_PT) BN_free(r0[i]);
}
}
// unsigned char *pM 输出,明文
// unsigned char *pPDKey 私钥
// unsigned char *pC 密文
// unsigned long Clen 密文长度
unsigned char eccDecrypt(unsigned char *pM, unsigned char *pPDKey, unsigned char *pC, unsigned long Clen)
{
EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
EC_GROUP *ec_group = EC_GROUP_new_by_curve_name(NID_sm2p256v1);
KDF_FUNC kdf = KDF_get_x9_63(EVP_sm3());
// 设置私钥
BIGNUM *pri_key = BN_new();
BN_bin2bn(pPDKey, 32, pri_key);
EC_KEY_set_private_key(ec_key, pri_key);
int ret = 1;
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
int nbytes;
size_t size;
size_t i;
if (!ec_group || !pri_key) {
goto end;
}
if (!kdf) {
goto end;
}
EC_POINT *ephem_point = EC_POINT_new(ec_group);
EC_POINT_oct2point(ec_group, ephem_point, pC, 65, NULL);
/* init vars */
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
/* B2: check [h]C1 != O */
if (!EC_POINT_mul(ec_group, point, NULL, ephem_point, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* B3: compute ECDH [d]C1 = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, ephem_point, pri_key, bn_ctx)) {
goto end;
}
if (!(size = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(size == 1 + nbytes * 2);
/* B4: compute t = KDF(x2 || y2, clen) */
size_t len = 0;
size_t *outlen = &len;
*outlen = Clen - 97; //FIXME: duplicated code
unsigned char *out = (unsigned char *)OPENSSL_malloc(*outlen);
kdf(buf + 1, size - 1, out, outlen);
unsigned char *ciphertext = pC + 65;
/* B5: compute M = C2 xor t */
for (i = 0; i < len; i++) {
out[i] ^= ciphertext[i];
}
*outlen = len;
if (1) {
/* B6: check Hash(x2 || M || y2) == C3 */
if (!EVP_DigestInit_ex(md_ctx, EVP_sm3(), NULL)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, out, *outlen)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)) {
goto end;
}
if (!EVP_DigestFinal_ex(md_ctx, mac, &maclen)) {
goto end;
}
/* GmSSL specific */
if (memcmp(mac, pC + 129, 32)) {
goto end;
}
}
for (i = 0; i < len; i++) {
pM[i] = out[i] ;
}
ret = 0;
end:
if (point) EC_POINT_free(point);
if (n) BN_free(n);
if (h) BN_free(h);
if (bn_ctx) BN_CTX_free(bn_ctx);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
return ret;
}
SM2_CIPHERTEXT_VALUE *SM2_do_encrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,
const unsigned char *in, size_t inlen, EC_KEY *ec_key)
{
int ok = 0;
SM2_CIPHERTEXT_VALUE *cv = NULL;
const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);
const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);
KDF_FUNC kdf = KDF_get_x9_63(kdf_md);
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BIGNUM *k = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
int nbytes;
size_t len;
int i;
if (!ec_group || !pub_key) {
goto end;
}
if (!kdf) {
goto end;
}
/* init ciphertext_value */
if (!(cv = OPENSSL_malloc(sizeof(SM2_CIPHERTEXT_VALUE)))) {
goto end;
}
bzero(cv, sizeof(SM2_CIPHERTEXT_VALUE));
cv->ephem_point = EC_POINT_new(ec_group);
cv->ciphertext = OPENSSL_malloc(inlen);
cv->ciphertext_size = inlen;
if (!cv->ephem_point || !cv->ciphertext) {
goto end;
}
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
k = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !k || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
//OPENSSL_assert(nbytes == BN_num_bytes(n));
#if 0
/* check sm2 curve and md is 256 bits */
OPENSSL_assert(nbytes == 32);
OPENSSL_assert(EVP_MD_size(kdf_md) == 32);
OPENSSL_assert(EVP_MD_size(mac_md) == 32);
#endif
do
{
/* A1: rand k in [1, n-1] */
do {
BN_rand_range(k, n);
} while (BN_is_zero(k));
/* A2: C1 = [k]G = (x1, y1) */
if (!EC_POINT_mul(ec_group, cv->ephem_point, k, NULL, NULL, bn_ctx)) {
goto end;
}
/* A3: check [h]P_B != O */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* A4: compute ECDH [k]P_B = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, k, bn_ctx)) {
goto end;
}
if (!(len = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(len == nbytes * 2 + 1);
/* A5: t = KDF(x2 || y2, klen) */
kdf(buf + 1, len - 1, cv->ciphertext, &cv->ciphertext_size);
for (i = 0; i < cv->ciphertext_size; i++) {
if (cv->ciphertext[i]) {
break;
}
}
if (i == cv->ciphertext_size) {
continue;
}
break;
} while (1);
/* A6: C2 = M xor t */
for (i = 0; i < inlen; i++) {
cv->ciphertext[i] ^= in[i];
}
/* A7: C3 = Hash(x2 || M || y2) */
if (!EVP_DigestInit_ex(md_ctx, mac_md, NULL)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, in, inlen)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)) {
goto end;
}
if (!EVP_DigestFinal_ex(md_ctx, cv->mactag, &cv->mactag_size)) {
goto end;
}
ok = 1;
end:
if (!ok && cv) {
SM2_CIPHERTEXT_VALUE_free(cv);
cv = NULL;
}
if (point) EC_POINT_free(point);
if (n) BN_free(n);
if (h) BN_free(h);
if (k) BN_free(k);
if (bn_ctx) BN_CTX_free(bn_ctx);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
return cv;
}
int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
const EC_KEY *priv_key,
void *(*kdf)(const void *in, size_t inlen, void *out,
size_t *outlen)) {
if (priv_key->priv_key == NULL) {
OPENSSL_PUT_ERROR(ECDH, ECDH_R_NO_PRIVATE_VALUE);
return -1;
}
const EC_SCALAR *const priv = &priv_key->priv_key->scalar;
BN_CTX *ctx = BN_CTX_new();
if (ctx == NULL) {
return -1;
}
BN_CTX_start(ctx);
int ret = -1;
size_t buflen = 0;
uint8_t *buf = NULL;
const EC_GROUP *const group = EC_KEY_get0_group(priv_key);
EC_POINT *tmp = EC_POINT_new(group);
if (tmp == NULL) {
OPENSSL_PUT_ERROR(ECDH, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!ec_point_mul_scalar(group, tmp, NULL, pub_key, priv, ctx)) {
OPENSSL_PUT_ERROR(ECDH, ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
BIGNUM *x = BN_CTX_get(ctx);
if (!x) {
OPENSSL_PUT_ERROR(ECDH, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, NULL, ctx)) {
OPENSSL_PUT_ERROR(ECDH, ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
buflen = (EC_GROUP_get_degree(group) + 7) / 8;
buf = OPENSSL_malloc(buflen);
if (buf == NULL) {
OPENSSL_PUT_ERROR(ECDH, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BN_bn2bin_padded(buf, buflen, x)) {
OPENSSL_PUT_ERROR(ECDH, ERR_R_INTERNAL_ERROR);
goto err;
}
if (kdf != NULL) {
if (kdf(buf, buflen, out, &outlen) == NULL) {
OPENSSL_PUT_ERROR(ECDH, ECDH_R_KDF_FAILED);
goto err;
}
} else {
// no KDF, just copy as much as we can
if (buflen < outlen) {
outlen = buflen;
}
OPENSSL_memcpy(out, buf, outlen);
}
if (outlen > INT_MAX) {
OPENSSL_PUT_ERROR(ECDH, ERR_R_OVERFLOW);
goto err;
}
ret = (int)outlen;
err:
OPENSSL_free(buf);
EC_POINT_free(tmp);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
int test_builtin(BIO *out)
{
EC_builtin_curve *curves = NULL;
size_t crv_len = 0, n = 0;
EC_KEY *eckey = NULL, *wrong_eckey = NULL;
EC_GROUP *group;
ECDSA_SIG *ecdsa_sig = NULL;
unsigned char digest[20], wrong_digest[20];
unsigned char *signature = NULL;
const unsigned char *sig_ptr;
unsigned char *sig_ptr2;
unsigned char *raw_buf = NULL;
unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
int nid, ret = 0;
/* fill digest values with some random data */
if (RAND_bytes(digest, 20) <= 0 || RAND_bytes(wrong_digest, 20) <= 0) {
BIO_printf(out, "ERROR: unable to get random data\n");
goto builtin_err;
}
/*
* create and verify a ecdsa signature with every availble curve (with )
*/
BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() "
"with some internal curves:\n");
/* get a list of all internal curves */
crv_len = EC_get_builtin_curves(NULL, 0);
curves = OPENSSL_malloc(sizeof(*curves) * crv_len);
if (curves == NULL) {
BIO_printf(out, "malloc error\n");
goto builtin_err;
}
if (!EC_get_builtin_curves(curves, crv_len)) {
BIO_printf(out, "unable to get internal curves\n");
goto builtin_err;
}
/* now create and verify a signature for every curve */
for (n = 0; n < crv_len; n++) {
unsigned char dirt, offset;
nid = curves[n].nid;
if (nid == NID_ipsec4)
continue;
/* create new ecdsa key (== EC_KEY) */
if ((eckey = EC_KEY_new()) == NULL)
goto builtin_err;
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL)
goto builtin_err;
if (EC_KEY_set_group(eckey, group) == 0)
goto builtin_err;
EC_GROUP_free(group);
degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
if (degree < 160) {
/* drop the curve */
EC_KEY_free(eckey);
eckey = NULL;
continue;
}
BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
/* create key */
if (!EC_KEY_generate_key(eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* create second key */
if ((wrong_eckey = EC_KEY_new()) == NULL)
goto builtin_err;
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL)
goto builtin_err;
if (EC_KEY_set_group(wrong_eckey, group) == 0)
goto builtin_err;
EC_GROUP_free(group);
if (!EC_KEY_generate_key(wrong_eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* check key */
if (!EC_KEY_check_key(eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* create signature */
sig_len = ECDSA_size(eckey);
if ((signature = OPENSSL_malloc(sig_len)) == NULL)
goto builtin_err;
if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* verify signature */
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* verify signature with the wrong key */
if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* wrong digest */
if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* wrong length */
if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/*
* Modify a single byte of the signature: to ensure we don't garble
* the ASN1 structure, we read the raw signature and modify a byte in
* one of the bignums directly.
*/
sig_ptr = signature;
if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Store the two BIGNUMs in raw_buf. */
r_len = BN_num_bytes(ecdsa_sig->r);
s_len = BN_num_bytes(ecdsa_sig->s);
bn_len = (degree + 7) / 8;
if ((r_len > bn_len) || (s_len > bn_len)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
buf_len = 2 * bn_len;
if ((raw_buf = OPENSSL_zalloc(buf_len)) == NULL)
goto builtin_err;
BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
/* Modify a single byte in the buffer. */
offset = raw_buf[10] % buf_len;
dirt = raw_buf[11] ? raw_buf[11] : 1;
raw_buf[offset] ^= dirt;
/* Now read the BIGNUMs back in from raw_buf. */
if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
goto builtin_err;
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/*
* Sanity check: undo the modification and verify signature.
*/
raw_buf[offset] ^= dirt;
if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
goto builtin_err;
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
BIO_printf(out, " ok\n");
/* cleanup */
/* clean bogus errors */
ERR_clear_error();
OPENSSL_free(signature);
signature = NULL;
EC_KEY_free(eckey);
eckey = NULL;
EC_KEY_free(wrong_eckey);
wrong_eckey = NULL;
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
OPENSSL_free(raw_buf);
raw_buf = NULL;
}
ret = 1;
builtin_err:
EC_KEY_free(eckey);
EC_KEY_free(wrong_eckey);
ECDSA_SIG_free(ecdsa_sig);
OPENSSL_free(signature);
OPENSSL_free(raw_buf);
OPENSSL_free(curves);
return ret;
}
int test_builtin(BIO *out) {
size_t n = 0;
EC_KEY *eckey = NULL, *wrong_eckey = NULL;
EC_GROUP *group;
ECDSA_SIG *ecdsa_sig = NULL;
unsigned char digest[20], wrong_digest[20];
unsigned char *signature = NULL;
const unsigned char *sig_ptr;
unsigned char *sig_ptr2;
unsigned char *raw_buf = NULL;
unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
int nid, ret = 0;
/* fill digest values with some random data */
if (!RAND_pseudo_bytes(digest, 20) || !RAND_pseudo_bytes(wrong_digest, 20)) {
BIO_printf(out, "ERROR: unable to get random data\n");
goto builtin_err;
}
/* create and verify a ecdsa signature with every availble curve
* (with ) */
BIO_printf(out,
"\ntesting ECDSA_sign() and ECDSA_verify() "
"with some internal curves:\n");
static const int kCurveNIDs[] = {NID_secp224r1, NID_X9_62_prime256v1,
NID_secp384r1, NID_secp521r1, NID_undef};
/* now create and verify a signature for every curve */
for (n = 0; kCurveNIDs[n] != NID_undef; n++) {
unsigned char dirt, offset;
nid = kCurveNIDs[n];
/* create new ecdsa key (== EC_KEY) */
eckey = EC_KEY_new();
if (eckey == NULL) {
goto builtin_err;
}
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
goto builtin_err;
}
if (!EC_KEY_set_group(eckey, group)) {
goto builtin_err;
}
EC_GROUP_free(group);
degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
if (degree < 160) {
/* Too small to test. */
EC_KEY_free(eckey);
eckey = NULL;
continue;
}
BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
/* create key */
if (!EC_KEY_generate_key(eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* create second key */
wrong_eckey = EC_KEY_new();
if (wrong_eckey == NULL) {
goto builtin_err;
}
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
goto builtin_err;
}
if (EC_KEY_set_group(wrong_eckey, group) == 0) {
goto builtin_err;
}
EC_GROUP_free(group);
if (!EC_KEY_generate_key(wrong_eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* check key */
if (!EC_KEY_check_key(eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* create signature */
sig_len = ECDSA_size(eckey);
signature = OPENSSL_malloc(sig_len);
if (signature == NULL) {
goto builtin_err;
}
if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* verify signature */
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* verify signature with the wrong key */
if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* wrong digest */
if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* wrong length */
if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* Modify a single byte of the signature: to ensure we don't
* garble the ASN1 structure, we read the raw signature and
* modify a byte in one of the bignums directly. */
sig_ptr = signature;
ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len);
if (ecdsa_sig == NULL) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Store the two BIGNUMs in raw_buf. */
r_len = BN_num_bytes(ecdsa_sig->r);
s_len = BN_num_bytes(ecdsa_sig->s);
bn_len = (degree + 7) / 8;
if (r_len > bn_len || s_len > bn_len) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
buf_len = 2 * bn_len;
raw_buf = OPENSSL_malloc(buf_len);
if (raw_buf == NULL) {
goto builtin_err;
}
/* Pad the bignums with leading zeroes. */
memset(raw_buf, 0, buf_len);
BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
/* Modify a single byte in the buffer. */
offset = raw_buf[10] % buf_len;
dirt = raw_buf[11] ? raw_buf[11] : 1;
raw_buf[offset] ^= dirt;
/* Now read the BIGNUMs back in from raw_buf. */
if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
goto builtin_err;
}
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Sanity check: undo the modification and verify signature. */
raw_buf[offset] ^= dirt;
if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
goto builtin_err;
}
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
BIO_printf(out, " ok\n");
/* cleanup */
/* clean bogus errors */
ERR_clear_error();
OPENSSL_free(signature);
signature = NULL;
EC_KEY_free(eckey);
eckey = NULL;
EC_KEY_free(wrong_eckey);
wrong_eckey = NULL;
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
OPENSSL_free(raw_buf);
raw_buf = NULL;
}
ret = 1;
builtin_err:
if (eckey)
EC_KEY_free(eckey);
if (wrong_eckey)
EC_KEY_free(wrong_eckey);
if (ecdsa_sig)
ECDSA_SIG_free(ecdsa_sig);
if (signature)
OPENSSL_free(signature);
if (raw_buf)
OPENSSL_free(raw_buf);
return ret;
}
static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
size_t *out_secret_len, uint8_t *out_alert,
const uint8_t *peer_key, size_t peer_key_len) {
BIGNUM *private_key = (BIGNUM *)ctx->data;
assert(private_key != NULL);
*out_alert = SSL_AD_INTERNAL_ERROR;
/* Set up a shared |BN_CTX| for all operations. */
BN_CTX *bn_ctx = BN_CTX_new();
if (bn_ctx == NULL) {
return 0;
}
BN_CTX_start(bn_ctx);
int ret = 0;
EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);
EC_POINT *peer_point = NULL, *result = NULL;
uint8_t *secret = NULL;
if (group == NULL) {
goto err;
}
/* Compute the x-coordinate of |peer_key| * |private_key|. */
peer_point = EC_POINT_new(group);
result = EC_POINT_new(group);
if (peer_point == NULL || result == NULL) {
goto err;
}
BIGNUM *x = BN_CTX_get(bn_ctx);
if (x == NULL) {
goto err;
}
if (!EC_POINT_oct2point(group, peer_point, peer_key, peer_key_len, bn_ctx)) {
*out_alert = SSL_AD_DECODE_ERROR;
goto err;
}
if (!EC_POINT_mul(group, result, NULL, peer_point, private_key, bn_ctx) ||
!EC_POINT_get_affine_coordinates_GFp(group, result, x, NULL, bn_ctx)) {
goto err;
}
/* Encode the x-coordinate left-padded with zeros. */
size_t secret_len = (EC_GROUP_get_degree(group) + 7) / 8;
secret = OPENSSL_malloc(secret_len);
if (secret == NULL || !BN_bn2bin_padded(secret, secret_len, x)) {
goto err;
}
*out_secret = secret;
*out_secret_len = secret_len;
secret = NULL;
ret = 1;
err:
EC_GROUP_free(group);
EC_POINT_free(peer_point);
EC_POINT_free(result);
BN_CTX_end(bn_ctx);
BN_CTX_free(bn_ctx);
OPENSSL_free(secret);
return ret;
}
int jwt_verify_sha_pem(jwt_t *jwt, const char *head, const char *sig_b64)
{
unsigned char *sig = NULL;
EVP_MD_CTX *mdctx = NULL;
ECDSA_SIG *ec_sig = NULL;
BIGNUM *ec_sig_r = NULL;
BIGNUM *ec_sig_s = NULL;
EVP_PKEY *pkey = NULL;
const EVP_MD *alg;
int type;
int pkey_type;
BIO *bufkey = NULL;
int ret = 0;
int slen;
switch (jwt->alg) {
/* RSA */
case JWT_ALG_RS256:
alg = EVP_sha256();
type = EVP_PKEY_RSA;
break;
case JWT_ALG_RS384:
alg = EVP_sha384();
type = EVP_PKEY_RSA;
break;
case JWT_ALG_RS512:
alg = EVP_sha512();
type = EVP_PKEY_RSA;
break;
/* ECC */
case JWT_ALG_ES256:
alg = EVP_sha256();
type = EVP_PKEY_EC;
break;
case JWT_ALG_ES384:
alg = EVP_sha384();
type = EVP_PKEY_EC;
break;
case JWT_ALG_ES512:
alg = EVP_sha512();
type = EVP_PKEY_EC;
break;
default:
return EINVAL;
}
sig = jwt_b64_decode(sig_b64, &slen);
if (sig == NULL)
VERIFY_ERROR(EINVAL);
bufkey = BIO_new_mem_buf(jwt->key, jwt->key_len);
if (bufkey == NULL)
VERIFY_ERROR(ENOMEM);
/* This uses OpenSSL's default passphrase callback if needed. The
* library caller can override this in many ways, all of which are
* outside of the scope of LibJWT and this is documented in jwt.h. */
pkey = PEM_read_bio_PUBKEY(bufkey, NULL, NULL, NULL);
if (pkey == NULL)
VERIFY_ERROR(EINVAL);
pkey_type = EVP_PKEY_id(pkey);
if (pkey_type != type)
VERIFY_ERROR(EINVAL);
/* Convert EC sigs back to ASN1. */
if (pkey_type == EVP_PKEY_EC) {
unsigned int degree, bn_len;
unsigned char *p;
EC_KEY *ec_key;
ec_sig = ECDSA_SIG_new();
if (ec_sig == NULL)
VERIFY_ERROR(ENOMEM);
/* Get the actual ec_key */
ec_key = EVP_PKEY_get1_EC_KEY(pkey);
if (ec_key == NULL)
VERIFY_ERROR(ENOMEM);
degree = EC_GROUP_get_degree(EC_KEY_get0_group(ec_key));
EC_KEY_free(ec_key);
bn_len = (degree + 7) / 8;
if ((bn_len * 2) != slen)
VERIFY_ERROR(EINVAL);
ec_sig_r = BN_bin2bn(sig, bn_len, NULL);
ec_sig_s = BN_bin2bn(sig + bn_len, bn_len, NULL);
if (ec_sig_r == NULL || ec_sig_s == NULL)
VERIFY_ERROR(EINVAL);
ECDSA_SIG_set0(ec_sig, ec_sig_r, ec_sig_s);
free(sig);
slen = i2d_ECDSA_SIG(ec_sig, NULL);
sig = malloc(slen);
if (sig == NULL)
VERIFY_ERROR(ENOMEM);
p = sig;
slen = i2d_ECDSA_SIG(ec_sig, &p);
if (slen == 0)
VERIFY_ERROR(EINVAL);
}
mdctx = EVP_MD_CTX_create();
if (mdctx == NULL)
VERIFY_ERROR(ENOMEM);
/* Initialize the DigestVerify operation using alg */
if (EVP_DigestVerifyInit(mdctx, NULL, alg, NULL, pkey) != 1)
VERIFY_ERROR(EINVAL);
/* Call update with the message */
if (EVP_DigestVerifyUpdate(mdctx, head, strlen(head)) != 1)
VERIFY_ERROR(EINVAL);
/* Now check the sig for validity. */
if (EVP_DigestVerifyFinal(mdctx, sig, slen) != 1)
VERIFY_ERROR(EINVAL);
jwt_verify_sha_pem_done:
if (bufkey)
BIO_free(bufkey);
if (pkey)
EVP_PKEY_free(pkey);
if (mdctx)
EVP_MD_CTX_destroy(mdctx);
if (sig)
free(sig);
if (ec_sig)
ECDSA_SIG_free(ec_sig);
return ret;
}
static int
input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
const EC_GROUP *group;
EC_POINT *server_public = NULL;
EC_KEY *client_key;
BIGNUM *shared_secret = NULL;
struct sshkey *server_host_key = NULL;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
if (kex->verify_host_key == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
group = kex->ec_group;
client_key = kex->ec_client_key;
/* hostkey */
if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
&sbloblen)) != 0 ||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
&server_host_key)) != 0)
goto out;
if (server_host_key->type != kex->hostkey_type ||
(kex->hostkey_type == KEY_ECDSA &&
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
r = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (kex->verify_host_key(server_host_key, ssh) == -1) {
r = SSH_ERR_SIGNATURE_INVALID;
goto out;
}
/* Q_S, server public key */
/* signed H */
if ((server_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 ||
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
sshkey_dump_ec_point(group, server_public);
#endif
if (sshkey_ec_validate_public(group, server_public) != 0) {
sshpkt_disconnect(ssh, "invalid server public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc and verify H */
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version_string,
kex->server_version_string,
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
hash, &hashlen)) != 0)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash,
hashlen, ssh->compat)) != 0)
goto out;
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = malloc(kex->session_id_len);
if (kex->session_id == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(kex->session_id, hash, kex->session_id_len);
}
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
if (kex->ec_client_key) {
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
}
if (server_public)
EC_POINT_clear_free(server_public);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
if (shared_secret)
BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
return r;
}
int jwt_sign_sha_pem(jwt_t *jwt, char **out, unsigned int *len,
const char *str)
{
EVP_MD_CTX *mdctx = NULL;
ECDSA_SIG *ec_sig = NULL;
const BIGNUM *ec_sig_r = NULL;
const BIGNUM *ec_sig_s = NULL;
BIO *bufkey = NULL;
const EVP_MD *alg;
int type;
EVP_PKEY *pkey = NULL;
int pkey_type;
unsigned char *sig;
int ret = 0;
size_t slen;
switch (jwt->alg) {
/* RSA */
case JWT_ALG_RS256:
alg = EVP_sha256();
type = EVP_PKEY_RSA;
break;
case JWT_ALG_RS384:
alg = EVP_sha384();
type = EVP_PKEY_RSA;
break;
case JWT_ALG_RS512:
alg = EVP_sha512();
type = EVP_PKEY_RSA;
break;
/* ECC */
case JWT_ALG_ES256:
alg = EVP_sha256();
type = EVP_PKEY_EC;
break;
case JWT_ALG_ES384:
alg = EVP_sha384();
type = EVP_PKEY_EC;
break;
case JWT_ALG_ES512:
alg = EVP_sha512();
type = EVP_PKEY_EC;
break;
default:
return EINVAL;
}
bufkey = BIO_new_mem_buf(jwt->key, jwt->key_len);
if (bufkey == NULL)
SIGN_ERROR(ENOMEM);
/* This uses OpenSSL's default passphrase callback if needed. The
* library caller can override this in many ways, all of which are
* outside of the scope of LibJWT and this is documented in jwt.h. */
pkey = PEM_read_bio_PrivateKey(bufkey, NULL, NULL, NULL);
if (pkey == NULL)
SIGN_ERROR(EINVAL);
pkey_type = EVP_PKEY_id(pkey);
if (pkey_type != type)
SIGN_ERROR(EINVAL);
mdctx = EVP_MD_CTX_create();
if (mdctx == NULL)
SIGN_ERROR(ENOMEM);
/* Initialize the DigestSign operation using alg */
if (EVP_DigestSignInit(mdctx, NULL, alg, NULL, pkey) != 1)
SIGN_ERROR(EINVAL);
/* Call update with the message */
if (EVP_DigestSignUpdate(mdctx, str, strlen(str)) != 1)
SIGN_ERROR(EINVAL);
/* First, call EVP_DigestSignFinal with a NULL sig parameter to get length
* of sig. Length is returned in slen */
if (EVP_DigestSignFinal(mdctx, NULL, &slen) != 1)
SIGN_ERROR(EINVAL);
/* Allocate memory for signature based on returned size */
sig = alloca(slen);
if (sig == NULL)
SIGN_ERROR(ENOMEM);
/* Get the signature */
if (EVP_DigestSignFinal(mdctx, sig, &slen) != 1)
SIGN_ERROR(EINVAL);
if (pkey_type != EVP_PKEY_EC) {
*out = malloc(slen);
if (*out == NULL)
SIGN_ERROR(ENOMEM);
memcpy(*out, sig, slen);
*len = slen;
} else {
unsigned int degree, bn_len, r_len, s_len, buf_len;
unsigned char *raw_buf;
EC_KEY *ec_key;
/* For EC we need to convert to a raw format of R/S. */
/* Get the actual ec_key */
ec_key = EVP_PKEY_get1_EC_KEY(pkey);
if (ec_key == NULL)
SIGN_ERROR(ENOMEM);
degree = EC_GROUP_get_degree(EC_KEY_get0_group(ec_key));
EC_KEY_free(ec_key);
/* Get the sig from the DER encoded version. */
ec_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&sig, slen);
if (ec_sig == NULL)
SIGN_ERROR(ENOMEM);
ECDSA_SIG_get0(ec_sig, &ec_sig_r, &ec_sig_s);
r_len = BN_num_bytes(ec_sig_r);
s_len = BN_num_bytes(ec_sig_s);
bn_len = (degree + 7) / 8;
if ((r_len > bn_len) || (s_len > bn_len))
SIGN_ERROR(EINVAL);
buf_len = 2 * bn_len;
raw_buf = alloca(buf_len);
if (raw_buf == NULL)
SIGN_ERROR(ENOMEM);
/* Pad the bignums with leading zeroes. */
memset(raw_buf, 0, buf_len);
BN_bn2bin(ec_sig_r, raw_buf + bn_len - r_len);
BN_bn2bin(ec_sig_s, raw_buf + buf_len - s_len);
*out = malloc(buf_len);
if (*out == NULL)
SIGN_ERROR(ENOMEM);
memcpy(*out, raw_buf, buf_len);
*len = buf_len;
}
jwt_sign_sha_pem_done:
if (bufkey)
BIO_free(bufkey);
if (pkey)
EVP_PKEY_free(pkey);
if (mdctx)
EVP_MD_CTX_destroy(mdctx);
if (ec_sig)
ECDSA_SIG_free(ec_sig);
return ret;
}
SM2CiphertextValue *SM2_do_encrypt(const EVP_MD *md,
const unsigned char *in, size_t inlen, EC_KEY *ec_key)
{
SM2CiphertextValue *ret = NULL;
SM2CiphertextValue *cv = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
KDF_FUNC kdf;
EC_POINT *ephem_point = NULL;
EC_POINT *share_point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BIGNUM *k = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
int nbytes;
size_t len;
size_t i;
unsigned int hashlen;
/* check arguments */
if (!md || !in || !ec_key) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (inlen < SM2_MIN_PLAINTEXT_LENGTH || inlen > SM2_MAX_PLAINTEXT_LENGTH) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_PLAINTEXT_LENGTH);
return 0;
}
if (!(kdf = KDF_get_x9_63(md))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_DIGEST_ALGOR);
return 0;
}
if (!(group = EC_KEY_get0_group(ec_key))
|| !(pub_key = EC_KEY_get0_public_key(ec_key))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_EC_KEY);
return 0;
}
/* malloc */
if (!(cv = SM2CiphertextValue_new())
|| !(ephem_point = EC_POINT_new(group))
|| !(share_point = EC_POINT_new(group))
|| !(n = BN_new())
|| !(h = BN_new())
|| !(k = BN_new())
|| !(bn_ctx = BN_CTX_new())
|| !(md_ctx = EVP_MD_CTX_new())) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto end;
}
if (!ASN1_OCTET_STRING_set(cv->ciphertext, NULL, (int)inlen)
|| !ASN1_OCTET_STRING_set(cv->hash, NULL, EVP_MD_size(md))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_ASN1_LIB);
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(group, n, bn_ctx)) {
ECerr(EC_F_SM2_DO_ENCRYPT, EC_R_ERROR);
goto end;
}
if (!EC_GROUP_get_cofactor(group, h, bn_ctx)) {
ECerr(EC_F_SM2_DO_ENCRYPT, EC_R_ERROR);
goto end;
}
nbytes = (EC_GROUP_get_degree(group) + 7) / 8;
/* check [h]P_B != O */
if (!EC_POINT_mul(group, share_point, NULL, pub_key, h, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
if (EC_POINT_is_at_infinity(group, share_point)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_PUBLIC_KEY);
goto end;
}
do
{
size_t size;
/* rand k in [1, n-1] */
do {
BN_rand_range(k, n);
} while (BN_is_zero(k));
/* compute ephem_point [k]G = (x1, y1) */
if (!EC_POINT_mul(group, ephem_point, k, NULL, NULL, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
/* compute ECDH share_point [k]P_B = (x2, y2) */
if (!EC_POINT_mul(group, share_point, NULL, pub_key, k, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
/* compute t = KDF(x2 || y2, klen) */
if (!(len = EC_POINT_point2oct(group, share_point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
size = cv->ciphertext->length;
kdf(buf + 1, len - 1, cv->ciphertext->data, &size);
if (size != inlen) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_KDF_FAILURE);
goto end;
}
/* ASN1_OCTET_STRING_is_zero in asn1.h and a_octet.c */
} while (ASN1_OCTET_STRING_is_zero(cv->ciphertext));
/* set x/yCoordinates as (x1, y1) */
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp(group, ephem_point,
cv->xCoordinate, cv->yCoordinate, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
} else {
if (!EC_POINT_get_affine_coordinates_GF2m(group, ephem_point,
cv->xCoordinate, cv->yCoordinate, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
}
/* ciphertext = t xor in */
for (i = 0; i < inlen; i++) {
cv->ciphertext->data[i] ^= in[i];
}
/* generate hash = Hash(x2 || M || y2) */
hashlen = cv->hash->length;
if (!EVP_DigestInit_ex(md_ctx, md, NULL)
|| !EVP_DigestUpdate(md_ctx, buf + 1, nbytes)
|| !EVP_DigestUpdate(md_ctx, in, inlen)
|| !EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)
|| !EVP_DigestFinal_ex(md_ctx, cv->hash->data, &hashlen)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EVP_LIB);
goto end;
}
ret = cv;
cv = NULL;
end:
SM2CiphertextValue_free(cv);
EC_POINT_free(share_point);
EC_POINT_free(ephem_point);
BN_free(n);
BN_free(h);
BN_clear_free(k);
BN_CTX_free(bn_ctx);
EVP_MD_CTX_free(md_ctx);
return ret;
}
int SM2_do_decrypt(const EVP_MD *md, const SM2CiphertextValue *cv,
unsigned char *out, size_t *outlen, EC_KEY *ec_key)
{
int ret = 0;
const EC_GROUP *group;
const BIGNUM *pri_key;
KDF_FUNC kdf;
EC_POINT *point = NULL;
EC_POINT *tmp_point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen = sizeof(mac);
int nbytes, len, i;
/* check arguments */
if (!md || !cv || !outlen || !ec_key) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (!(kdf = KDF_get_x9_63(md))) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_DIGEST_ALGOR);
return 0;
}
if (!cv->xCoordinate || !cv->yCoordinate || !cv->hash || !cv->ciphertext) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
return 0;
}
if (cv->hash->length != EVP_MD_size(md)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
return 0;
}
if (cv->ciphertext->length < SM2_MIN_PLAINTEXT_LENGTH
|| cv->ciphertext->length > SM2_MAX_PLAINTEXT_LENGTH) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
return 0;
}
if (!(group = EC_KEY_get0_group(ec_key))
|| !(pri_key = EC_KEY_get0_private_key(ec_key))) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_EC_KEY);
return 0;
}
if (!out) {
*outlen = cv->ciphertext->length;
return 1;
}
if (*outlen < cv->ciphertext->length) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_BUFFER_TOO_SMALL);
return 0;
}
/* malloc */
point = EC_POINT_new(group);
tmp_point = EC_POINT_new(group);
n = BN_new();
h = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_new();
if (!point || !n || !h || !bn_ctx || !md_ctx) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_MALLOC_FAILURE);
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(group, n, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
if (!EC_GROUP_get_cofactor(group, h, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
nbytes = (EC_GROUP_get_degree(group) + 7) / 8;
/* get x/yCoordinates as C1 = (x1, y1) */
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) {
if (!EC_POINT_set_affine_coordinates_GFp(group, point,
cv->xCoordinate, cv->yCoordinate, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
} else {
if (!EC_POINT_set_affine_coordinates_GF2m(group, point,
cv->xCoordinate, cv->yCoordinate, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
}
/* check [h]C1 != O */
if (!EC_POINT_mul(group, tmp_point, NULL, point, h, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
if (EC_POINT_is_at_infinity(group, tmp_point)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
/* compute ECDH [d]C1 = (x2, y2) */
if (!EC_POINT_mul(group, point, NULL, point, pri_key, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
if (!(len = EC_POINT_point2oct(group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
/* compute t = KDF(x2 || y2, clen) */
*outlen = cv->ciphertext->length;
kdf(buf + 1, len - 1, out, outlen);
/* compute M = C2 xor t */
for (i = 0; i < cv->ciphertext->length; i++) {
out[i] ^= cv->ciphertext->data[i];
}
/* check hash == Hash(x2 || M || y2) */
if (!EVP_DigestInit_ex(md_ctx, md, NULL)
|| !EVP_DigestUpdate(md_ctx, buf + 1, nbytes)
|| !EVP_DigestUpdate(md_ctx, out, *outlen)
|| !EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)
|| !EVP_DigestFinal_ex(md_ctx, mac, &maclen)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EVP_LIB);
goto end;
}
if (OPENSSL_memcmp(cv->hash->data, mac, maclen) != 0) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
ret = 1;
end:
EC_POINT_free(point);
EC_POINT_free(tmp_point);
BN_free(n);
BN_free(h);
BN_CTX_free(bn_ctx);
EVP_MD_CTX_free(md_ctx);
return ret;
}
void prime_field_tests()
{
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
BIGNUM *x, *y, *z;
unsigned char buf[100];
size_t i, len;
int k;
#if 1 /* optional */
ctx = BN_CTX_new();
if (!ctx) ABORT;
#endif
p = BN_new();
a = BN_new();
b = BN_new();
if (!p || !a || !b) ABORT;
if (!BN_hex2bn(&p, "17")) ABORT;
if (!BN_hex2bn(&a, "1")) ABORT;
if (!BN_hex2bn(&b, "1")) ABORT;
group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
* so that the library gets to choose the EC_METHOD */
if (!group) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
{
EC_GROUP *tmp;
tmp = EC_GROUP_new(EC_GROUP_method_of(group));
if (!tmp) ABORT;
if (!EC_GROUP_copy(tmp, group)) ABORT;
EC_GROUP_free(group);
group = tmp;
}
if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT;
fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x");
BN_print_fp(stdout, p);
fprintf(stdout, ")\n a = 0x");
BN_print_fp(stdout, a);
fprintf(stdout, "\n b = 0x");
BN_print_fp(stdout, b);
fprintf(stdout, "\n");
P = EC_POINT_new(group);
Q = EC_POINT_new(group);
R = EC_POINT_new(group);
if (!P || !Q || !R) ABORT;
if (!EC_POINT_set_to_infinity(group, P)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
buf[0] = 0;
if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
x = BN_new();
y = BN_new();
z = BN_new();
if (!x || !y || !z) ABORT;
if (!BN_hex2bn(&x, "D")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, Q, ctx))
{
if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT;
fprintf(stderr, "Point is not on curve: x = 0x");
BN_print_fp(stderr, x);
fprintf(stderr, ", y = 0x");
BN_print_fp(stderr, y);
fprintf(stderr, "\n");
ABORT;
}
fprintf(stdout, "A cyclic subgroup:\n");
k = 100;
do
{
if (k-- == 0) ABORT;
if (EC_POINT_is_at_infinity(group, P))
fprintf(stdout, " point at infinity\n");
else
{
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, " x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
}
if (!EC_POINT_copy(R, P)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
#if 0 /* optional */
{
EC_POINT *points[3];
points[0] = R;
points[1] = Q;
points[2] = P;
if (!EC_POINTs_make_affine(group, 2, points, ctx)) ABORT;
}
#endif
}
while (!EC_POINT_is_at_infinity(group, P));
if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "Generator as octect string, compressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octect string, hybrid form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT;
fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n X = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", Y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, ", Z = 0x");
BN_print_fp(stdout, z);
fprintf(stdout, "\n");
if (!EC_POINT_invert(group, P, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
/* Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, 2000)
* -- not a NIST curve, but commonly used */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) ABORT;
if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nSEC2 curve secp160r1 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 160) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_160, group)) ABORT;
/* Curve P-192 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-192 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 192) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_192, group)) ABORT;
/* Curve P-224 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 224) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_224, group)) ABORT;
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 256) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_256, group)) ABORT;
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
"120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
"9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 384) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_384, group)) ABORT;
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
"315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
"DF883D2C34F1EF451FD46B503F00")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
"B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
"3C1856A429BF97E7E31C2E5BD66")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
"C9B8899C47AEBB6FB71E91386409")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
"B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
"7086A272C24088BE94769FD16650")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 521) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_521, group)) ABORT;
/* more tests using the last curve */
if (!EC_POINT_copy(Q, P)) ABORT;
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
{
const EC_POINT *points[3];
const BIGNUM *scalars[3];
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
points[0] = Q;
points[1] = Q;
points[2] = Q;
if (!BN_add(y, z, BN_value_one())) ABORT;
if (BN_is_odd(y)) ABORT;
if (!BN_rshift1(y, y)) ABORT;
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
fprintf(stdout, "combined multiplication ...");
fflush(stdout);
/* z is still the group order */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
if (!BN_add(z, z, y)) ABORT;
BN_set_negative(z, 1);
scalars[0] = y;
scalars[1] = z; /* z = -(order + y) */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
if (!BN_add(z, x, y)) ABORT;
BN_set_negative(z, 1);
scalars[0] = x;
scalars[1] = y;
scalars[2] = z; /* z = -(x+y) */
if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, " ok\n\n");
}
#if 0
timings(P_160, TIMING_BASE_PT, ctx);
timings(P_160, TIMING_RAND_PT, ctx);
timings(P_160, TIMING_SIMUL, ctx);
timings(P_192, TIMING_BASE_PT, ctx);
timings(P_192, TIMING_RAND_PT, ctx);
timings(P_192, TIMING_SIMUL, ctx);
timings(P_224, TIMING_BASE_PT, ctx);
timings(P_224, TIMING_RAND_PT, ctx);
timings(P_224, TIMING_SIMUL, ctx);
timings(P_256, TIMING_BASE_PT, ctx);
timings(P_256, TIMING_RAND_PT, ctx);
timings(P_256, TIMING_SIMUL, ctx);
timings(P_384, TIMING_BASE_PT, ctx);
timings(P_384, TIMING_RAND_PT, ctx);
timings(P_384, TIMING_SIMUL, ctx);
timings(P_521, TIMING_BASE_PT, ctx);
timings(P_521, TIMING_RAND_PT, ctx);
timings(P_521, TIMING_SIMUL, ctx);
#endif
if (ctx)
BN_CTX_free(ctx);
BN_free(p); BN_free(a); BN_free(b);
EC_GROUP_free(group);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x); BN_free(y); BN_free(z);
if (P_160) EC_GROUP_free(P_160);
if (P_192) EC_GROUP_free(P_192);
if (P_224) EC_GROUP_free(P_224);
if (P_256) EC_GROUP_free(P_256);
if (P_384) EC_GROUP_free(P_384);
if (P_521) EC_GROUP_free(P_521);
}
/* This implementation is based on the following primitives in the IEEE 1363 standard:
* - ECKAS-DH1
* - ECSVDP-DH
* Finally an optional KDF is applied.
*/
static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
EC_KEY *ecdh,
void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
{
BN_CTX *ctx;
EC_POINT *tmp=NULL;
BIGNUM *x=NULL, *y=NULL;
const BIGNUM *priv_key;
const EC_GROUP* group;
int ret= -1;
size_t buflen, len;
unsigned char *buf=NULL;
if (outlen > INT_MAX)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */
return -1;
}
if ((ctx = BN_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
priv_key = EC_KEY_get0_private_key(ecdh);
if (priv_key == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_NO_PRIVATE_VALUE);
goto err;
}
group = EC_KEY_get0_group(ecdh);
if ((tmp=EC_POINT_new(group)) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, ctx))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
}
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
}
buflen = (EC_GROUP_get_degree(group) + 7)/8;
len = BN_num_bytes(x);
if (len > buflen)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_INTERNAL_ERROR);
goto err;
}
if ((buf = (unsigned char*)OPENSSL_malloc(buflen)) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
goto err;
}
TINYCLR_SSL_MEMSET(buf, 0, buflen - len);
if (len != (size_t)BN_bn2bin(x, buf + buflen - len))
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_BN_LIB);
goto err;
}
if (KDF != 0)
{
if (KDF(buf, buflen, out, &outlen) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_KDF_FAILED);
goto err;
}
ret = outlen;
}
else
{
/* no KDF, just copy as much as we can */
if (outlen > buflen)
outlen = buflen;
TINYCLR_SSL_MEMCPY(out, buf, outlen);
ret = outlen;
}
err:
if (tmp) EC_POINT_free(tmp);
if (ctx) BN_CTX_end(ctx);
if (ctx) BN_CTX_free(ctx);
if (buf) OPENSSL_free(buf);
return(ret);
}
void
kexecdh_server(Kex *kex)
{
EC_POINT *client_public;
EC_KEY *server_key;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(server_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
key_dump_ec_key(server_key);
#endif
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL)
fatal("Cannot load hostkey");
server_host_public = kex->load_host_public_key(kex->hostkey_type);
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
debug("expecting SSH2_MSG_KEX_ECDH_INIT");
packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
if ((client_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, client_public);
packet_check_eom();
if (key_ec_validate_public(group, client_public) != 0)
fatal("%s: invalid client public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
key_dump_ec_point(group, client_public);
#endif
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
free(kbuf);
/* calc H */
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
&hash, &hashlen
);
EC_POINT_clear_free(client_public);
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen,
hash, hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
/* destroy_sensitive_data(); */
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
packet_start(SSH2_MSG_KEX_ECDH_REPLY);
packet_put_string(server_host_key_blob, sbloblen);
packet_put_ecpoint(group, EC_KEY_get0_public_key(server_key));
packet_put_string(signature, slen);
packet_send();
free(signature);
free(server_host_key_blob);
/* have keys, free server key */
EC_KEY_free(server_key);
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
static int ecdh_build_k(ssh_session session) {
const EC_GROUP *group = EC_KEY_get0_group(session->next_crypto->ecdh_privkey);
EC_POINT *pubkey;
void *buffer;
int rc;
int len = (EC_GROUP_get_degree(group) + 7) / 8;
bignum_CTX ctx = bignum_ctx_new();
if (ctx == NULL) {
return -1;
}
session->next_crypto->k = bignum_new();
if (session->next_crypto->k == NULL) {
bignum_ctx_free(ctx);
return -1;
}
pubkey = EC_POINT_new(group);
if (pubkey == NULL) {
bignum_ctx_free(ctx);
return -1;
}
if (session->server) {
rc = EC_POINT_oct2point(group,
pubkey,
ssh_string_data(session->next_crypto->ecdh_client_pubkey),
ssh_string_len(session->next_crypto->ecdh_client_pubkey),
ctx);
} else {
rc = EC_POINT_oct2point(group,
pubkey,
ssh_string_data(session->next_crypto->ecdh_server_pubkey),
ssh_string_len(session->next_crypto->ecdh_server_pubkey),
ctx);
}
bignum_ctx_free(ctx);
if (rc <= 0) {
EC_POINT_clear_free(pubkey);
return -1;
}
buffer = malloc(len);
if (buffer == NULL) {
EC_POINT_clear_free(pubkey);
return -1;
}
rc = ECDH_compute_key(buffer,
len,
pubkey,
session->next_crypto->ecdh_privkey,
NULL);
EC_POINT_clear_free(pubkey);
if (rc <= 0) {
free(buffer);
return -1;
}
bignum_bin2bn(buffer, len, session->next_crypto->k);
free(buffer);
EC_KEY_free(session->next_crypto->ecdh_privkey);
session->next_crypto->ecdh_privkey = NULL;
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Session server cookie",
session->next_crypto->server_kex.cookie, 16);
ssh_print_hexa("Session client cookie",
session->next_crypto->client_kex.cookie, 16);
ssh_print_bignum("Shared secret key", session->next_crypto->k);
#endif
return 0;
}
/*-
* This implementation is based on the following primitives in the IEEE 1363 standard:
* - ECKAS-DH1
* - ECSVDP-DH
* Finally an optional KDF is applied.
*/
int ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
const EC_KEY *ecdh,
void *(*KDF) (const void *in, size_t inlen,
void *out, size_t *outlen))
{
BN_CTX *ctx;
EC_POINT *tmp = NULL;
BIGNUM *x = NULL, *y = NULL;
const BIGNUM *priv_key;
const EC_GROUP *group;
int ret = -1;
size_t buflen, len;
unsigned char *buf = NULL;
if (outlen > INT_MAX) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,
* anyway */
return -1;
}
if (ecdh->group->meth->ecdh_compute_key != 0)
return ecdh->group->meth->ecdh_compute_key(out, outlen, pub_key, ecdh,
KDF);
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
priv_key = EC_KEY_get0_private_key(ecdh);
if (priv_key == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_NO_PRIVATE_VALUE);
goto err;
}
group = EC_KEY_get0_group(ecdh);
if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) {
if (!EC_GROUP_get_cofactor(group, x, NULL) ||
!BN_mul(x, x, priv_key, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
priv_key = x;
}
if ((tmp = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else {
if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
}
#endif
buflen = (EC_GROUP_get_degree(group) + 7) / 8;
len = BN_num_bytes(x);
if (len > buflen) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_INTERNAL_ERROR);
goto err;
}
if ((buf = OPENSSL_malloc(buflen)) == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
memset(buf, 0, buflen - len);
if (len != (size_t)BN_bn2bin(x, buf + buflen - len)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_BN_LIB);
goto err;
}
if (KDF != 0) {
if (KDF(buf, buflen, out, &outlen) == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_KDF_FAILED);
goto err;
}
ret = outlen;
} else {
/* no KDF, just copy as much as we can */
if (outlen > buflen)
outlen = buflen;
memcpy(out, buf, outlen);
ret = outlen;
}
err:
EC_POINT_free(tmp);
if (ctx)
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_free(buf);
return (ret);
}
/*
* NIST SP800-56A co-factor ECDH tests.
* KATs taken from NIST documents with parameters:
*
* - (QCAVSx,QCAVSy) is the public key for CAVS.
* - dIUT is the private key for IUT.
* - (QIUTx,QIUTy) is the public key for IUT.
* - ZIUT is the shared secret KAT.
*
* CAVS: Cryptographic Algorithm Validation System
* IUT: Implementation Under Test
*
* This function tests two things:
*
* 1. dIUT * G = (QIUTx,QIUTy)
* i.e. public key for IUT computes correctly.
* 2. x-coord of cofactor * dIUT * (QCAVSx,QCAVSy) = ZIUT
* i.e. co-factor ECDH key computes correctly.
*
* returns zero on failure or unsupported curve. One otherwise.
*/
static int ecdh_cavs_kat(BIO *out, const ecdh_cavs_kat_t *kat)
{
int rv = 0, is_char_two = 0;
EC_KEY *key1 = NULL;
EC_POINT *pub = NULL;
const EC_GROUP *group = NULL;
BIGNUM *bnz = NULL, *x = NULL, *y = NULL;
unsigned char *Ztmp = NULL, *Z = NULL;
size_t Ztmplen, Zlen;
BIO_puts(out, "Testing ECC CDH Primitive SP800-56A with ");
BIO_puts(out, OBJ_nid2sn(kat->nid));
/* dIUT is IUT's private key */
if ((key1 = mk_eckey(kat->nid, kat->dIUT)) == NULL)
goto err;
/* these are cofactor ECDH KATs */
EC_KEY_set_flags(key1, EC_FLAG_COFACTOR_ECDH);
if ((group = EC_KEY_get0_group(key1)) == NULL)
goto err;
if ((pub = EC_POINT_new(group)) == NULL)
goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field)
is_char_two = 1;
/* (QIUTx, QIUTy) is IUT's public key */
if(!BN_hex2bn(&x, kat->QIUTx))
goto err;
if(!BN_hex2bn(&y, kat->QIUTy))
goto err;
if (is_char_two) {
#ifdef OPENSSL_NO_EC2M
goto err;
#else
if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
goto err;
#endif
}
else {
if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
goto err;
}
/* dIUT * G = (QIUTx, QIUTy) should hold */
if (EC_POINT_cmp(group, EC_KEY_get0_public_key(key1), pub, NULL))
goto err;
/* (QCAVSx, QCAVSy) is CAVS's public key */
if(!BN_hex2bn(&x, kat->QCAVSx))
goto err;
if(!BN_hex2bn(&y, kat->QCAVSy))
goto err;
if (is_char_two) {
#ifdef OPENSSL_NO_EC2M
goto err;
#else
if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
goto err;
#endif
}
else {
if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
goto err;
}
/* ZIUT is the shared secret */
if(!BN_hex2bn(&bnz, kat->ZIUT))
goto err;
Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
Zlen = BN_num_bytes(bnz);
if (Zlen > Ztmplen)
goto err;
if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if((Z = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if(!BN_bn2binpad(bnz, Z, Ztmplen))
goto err;
if (!ECDH_compute_key(Ztmp, Ztmplen, pub, key1, 0))
goto err;
/* shared secrets should be identical */
if (memcmp(Ztmp, Z, Ztmplen))
goto err;
rv = 1;
err:
EC_KEY_free(key1);
EC_POINT_free(pub);
BN_free(bnz);
BN_free(x);
BN_free(y);
OPENSSL_free(Ztmp);
OPENSSL_free(Z);
if (rv) {
BIO_puts(out, " ok\n");
}
else {
fprintf(stderr, "Error in ECC CDH routines\n");
ERR_print_errors_fp(stderr);
}
return rv;
}
static krb5_error_code
generate_dh_keyblock(krb5_context context,
pk_client_params *client_params,
krb5_enctype enctype)
{
unsigned char *dh_gen_key = NULL;
krb5_keyblock key;
krb5_error_code ret;
size_t dh_gen_keylen, size;
memset(&key, 0, sizeof(key));
if (client_params->keyex == USE_DH) {
if (client_params->u.dh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
goto out;
}
if (!DH_generate_key(client_params->u.dh.key)) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't generate Diffie-Hellman keys");
goto out;
}
size = DH_size(client_params->u.dh.key);
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
if (dh_gen_keylen == (size_t)-1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
goto out;
}
if (dh_gen_keylen < size) {
size -= dh_gen_keylen;
memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
memset(dh_gen_key, 0, size);
}
ret = 0;
#ifdef HAVE_OPENSSL
} else if (client_params->keyex == USE_ECDH) {
if (client_params->u.ecdh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
goto out;
}
client_params->u.ecdh.key = EC_KEY_new();
if (client_params->u.ecdh.key == NULL) {
ret = ENOMEM;
goto out;
}
EC_KEY_set_group(client_params->u.ecdh.key,
EC_KEY_get0_group(client_params->u.ecdh.public_key));
if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) {
ret = ENOMEM;
goto out;
}
size = (EC_GROUP_get_degree(EC_KEY_get0_group(client_params->u.ecdh.key)) + 7) / 8;
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
client_params->u.ecdh.key, NULL);
#endif /* HAVE_OPENSSL */
} else {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Diffie-Hellman not selected keys");
goto out;
}
ret = _krb5_pk_octetstring2key(context,
enctype,
dh_gen_key, dh_gen_keylen,
NULL, NULL,
&client_params->reply_key);
out:
if (dh_gen_key)
free(dh_gen_key);
if (key.keyvalue.data)
krb5_free_keyblock_contents(context, &key);
return ret;
}
int
MKEMParams_init(MKEMParams *params)
{
const mk_curve_params *p = &mk_curves[MK_CURVE_163_0];
BIGNUM *maxu = 0;
size_t bitsize, bytesize, bitcap, k;
memset(params, 0, sizeof(MKEMParams));
FAILZ(params->ctx = BN_CTX_new());
FAILZ(params->m = BN_bin2bn(p->m, p->L_m, 0));
FAILZ(params->b = BN_bin2bn(p->b, p->L_b, 0));
FAILZ(params->a0 = BN_new()); FAILZ(BN_zero((BIGNUM *)params->a0));
FAILZ(params->a1 = BN_value_one());
FAILZ(params->p0 = BN_bin2bn(p->p0, p->L_p0, 0));
FAILZ(params->p1 = BN_bin2bn(p->p1, p->L_p1, 0));
FAILZ(params->n0 = BN_bin2bn(p->n0, p->L_n0, 0));
FAILZ(params->n1 = BN_bin2bn(p->n1, p->L_n1, 0));
FAILZ(params->c0 = EC_GROUP_new_curve_GF2m(params->m, params->a0, params->b,
params->ctx));
FAILZ(params->c1 = EC_GROUP_new_curve_GF2m(params->m, params->a1, params->b,
params->ctx));
FAILZ(params->g0 = EC_POINT_new(params->c0));
FAILZ(EC_POINT_oct2point(params->c0, (EC_POINT *)params->g0, p->g0, p->L_g0,
params->ctx));
FAILZ(params->g1 = EC_POINT_new(params->c1));
FAILZ(EC_POINT_oct2point(params->c1, (EC_POINT *)params->g1, p->g1, p->L_g1,
params->ctx));
/* Calculate the upper limit for the random integer U input to
MKEM_generate_message_u.
The paper calls for us to choose between curve 0 and curve 1 with
probability proportional to the number of points on that curve, and
then choose a random integer in the range 0 < u < n{curve}. The
easiest way to do this accurately is to choose a random integer in the
range [1, n0 + n1 - 2]. If it is less than n0, MKEM_generate_message_u
will use it unmodified with curve 0. If it is greater than or equal
to n0, MKEM_generate_message_u will subtract n0-1, leaving a number in
the range [1, n1-1], and use that with curve 1. */
FAILZ(maxu = BN_dup(params->n0));
FAILZ(BN_add(maxu, maxu, params->n1));
FAILZ(BN_sub(maxu, maxu, BN_value_one()));
FAILZ(BN_sub(maxu, maxu, BN_value_one()));
params->maxu = maxu; maxu = 0;
/* Calculate the maximum size of a message and the padding mask applied
to the high byte of each message. See MKEM_generate_message_u for
further exposition. */
bitsize = EC_GROUP_get_degree(params->c0);
if ((size_t)EC_GROUP_get_degree(params->c1) != bitsize)
goto fail;
bytesize = (bitsize + 7) / 8;
bitcap = bytesize * 8;
k = bitcap - bitsize;
if (k == 0)
goto fail;
params->msgsize = bytesize;
params->pad_bits = k - 1;
params->pad_mask = ~((1 << (8 - params->pad_bits)) - 1);
params->curve_bit = 1 << (8 - k);
return 0;
fail:
if (maxu) BN_free(maxu);
MKEMParams_teardown(params);
return -1;
}
// Perform ECDSA key recovery (see SEC1 4.1.6) for curves over (mod p)-fields
// recid selects which key is recovered
// if check is nonzero, additional checks are performed
int ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)
{
if (!eckey) return 0;
int ret = 0;
BN_CTX *ctx = NULL;
BIGNUM *x = NULL;
BIGNUM *e = NULL;
BIGNUM *order = NULL;
BIGNUM *sor = NULL;
BIGNUM *eor = NULL;
BIGNUM *field = NULL;
EC_POINT *R = NULL;
EC_POINT *O = NULL;
EC_POINT *Q = NULL;
BIGNUM *rr = NULL;
BIGNUM *zero = NULL;
int n = 0;
int i = recid / 2;
const EC_GROUP *group = EC_KEY_get0_group(eckey);
if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
if (!EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }
x = BN_CTX_get(ctx);
if (!BN_copy(x, order)) { ret=-1; goto err; }
if (!BN_mul_word(x, i)) { ret=-1; goto err; }
if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
field = BN_CTX_get(ctx);
if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret=-2; goto err; }
if (BN_cmp(x, field) >= 0) { ret=0; goto err; }
if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret=0; goto err; }
if (check)
{
if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret=-2; goto err; }
if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }
}
if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
n = EC_GROUP_get_degree(group);
e = BN_CTX_get(ctx);
if (!BN_bin2bn(msg, msglen, e)) { ret=-1; goto err; }
if (8*msglen > n) BN_rshift(e, e, 8-(n & 7));
zero = BN_CTX_get(ctx);
if (!BN_zero(zero)) { ret=-1; goto err; }
if (!BN_mod_sub(e, zero, e, order, ctx)) { ret=-1; goto err; }
rr = BN_CTX_get(ctx);
if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret=-1; goto err; }
sor = BN_CTX_get(ctx);
if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret=-1; goto err; }
eor = BN_CTX_get(ctx);
if (!BN_mod_mul(eor, e, rr, order, ctx)) { ret=-1; goto err; }
if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret=-2; goto err; }
if (!EC_KEY_set_public_key(eckey, Q)) { ret=-2; goto err; }
ret = 1;
err:
if (ctx) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (R != NULL) EC_POINT_free(R);
if (O != NULL) EC_POINT_free(O);
if (Q != NULL) EC_POINT_free(Q);
return ret;
}
// unsigned char *pC 输出,密文
// unsigned char *pPxKey, unsigned char *pPyKey 公钥
// unsigned char *pM 明文
// unsigned long MLen 明文长度
unsigned char eccEncrypt(unsigned char *pC,
unsigned char *pPxKey, unsigned char *pPyKey,
unsigned char *pM, unsigned long MLen)
{
// NID_sm2p256v1
EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
//// 相当于
//EC_KEY *ret = EC_KEY_new();
EC_GROUP *ec_group = EC_GROUP_new_by_curve_name(NID_sm2p256v1);
KDF_FUNC kdf = KDF_get_x9_63(EVP_sm3());;
EC_POINT *point = NULL;
//// 设置私钥
//BIGNUM *d = NULL;
//BN_hex2bn(&d, pPDKey);
//EC_KEY_set_private_key(ec_key, d);
int ret = 1;
BIGNUM *x = BN_new();;
BIGNUM *y = BN_new();;
if (!BN_bin2bn(pPxKey, 32, x)) {
goto end;
}
if (!BN_bin2bn(pPyKey, 32, y)) {
goto end;
}
if (!EC_KEY_set_public_key_affine_coordinates(ec_key, x, y)) {
goto end;
}
const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);
/* init ec domain parameters */
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BIGNUM *k = NULL;
n = BN_new();
h = BN_new();
k = BN_new();
BN_CTX *bn_ctx = NULL;
bn_ctx = BN_CTX_new();
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
int nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
EC_POINT *ec_point = EC_POINT_new(ec_group);
point = EC_POINT_new(ec_group);
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
size_t len;
char *ciphertext = (char *)OPENSSL_malloc(MLen);
size_t ciphertext_size = MLen;
do
{
/* A1: rand k in [1, n-1] */
do {
BN_rand_range(k, n);
} while (BN_is_zero(k));
/* A2: C1 = [k]G = (x1, y1) */
if (!EC_POINT_mul(ec_group, ec_point, k, NULL, NULL, bn_ctx)) {
goto end;
}
#if 1
if (!(len = EC_POINT_point2oct(ec_group, ec_point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
BN_bin2bn(buf, 65, n);
printf(BN_bn2hex(n));
printf("\n");
printf(BN_bn2hex(k));
#endif
/* A3: check [h]P_B != O */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* A4: compute ECDH [k]P_B = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, k, bn_ctx)) {
goto end;
}
if (!(len = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(len == nbytes * 2 + 1);
/* A5: t = KDF(x2 || y2, klen) */
kdf(buf + 1, len - 1, (unsigned char *)ciphertext, &ciphertext_size);
// 防止全0
size_t i = 0;
for (i = 0; i < ciphertext_size; i++) {
if (ciphertext[i]) {
break;
}
}
if (i == ciphertext_size) {
continue;
}
break;
} while (1);
/* A6: C2 = M xor t */
for (size_t i = 0; i < MLen; i++) {
ciphertext[i] ^= pM[i];
}
unsigned char dgst[EVP_MAX_MD_SIZE];
unsigned int dgstlen;
EVP_MD_CTX *md_ctx = EVP_MD_CTX_create();
if (1) {
/* A7: C3 = Hash(x2 || M || y2) */
if (!EVP_DigestInit_ex(md_ctx, EVP_sm3(), NULL)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, pM, MLen)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)) {
goto end;
}
if (!EVP_DigestFinal_ex(md_ctx, dgst, &dgstlen)) {
goto end;
}
}
EC_POINT_point2oct(ec_group, point, POINT_CONVERSION_UNCOMPRESSED, pC, 65, NULL);
memcpy(&pC[65], ciphertext, MLen);
memcpy(&pC[65 + MLen], dgst, dgstlen);
ret = 0;
end:
if (point) EC_POINT_free(point);
if (n) BN_free(n);
if (h) BN_free(h);
if (k) BN_free(k);
if (bn_ctx) BN_CTX_free(bn_ctx);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
return ret;
}