1 /* $OpenBSD: ec_key.c,v 1.46 2024/11/08 22:10:18 tb Exp $ */
2 /*
3 * Written by Nils Larsch for the OpenSSL project.
4 */
5 /* ====================================================================
6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58 /* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * Portions originally developed by SUN MICROSYSTEMS, INC., and
61 * contributed to the OpenSSL project.
62 */
63
64 #include <string.h>
65
66 #include <openssl/opensslconf.h>
67
68 #include <openssl/err.h>
69
70 #include "bn_local.h"
71 #include "ec_local.h"
72
73 EC_KEY *
EC_KEY_new(void)74 EC_KEY_new(void)
75 {
76 return EC_KEY_new_method(NULL);
77 }
78 LCRYPTO_ALIAS(EC_KEY_new);
79
80 EC_KEY *
EC_KEY_new_by_curve_name(int nid)81 EC_KEY_new_by_curve_name(int nid)
82 {
83 EC_KEY *ec_key;
84
85 if ((ec_key = EC_KEY_new()) == NULL)
86 goto err;
87
88 if ((ec_key->group = EC_GROUP_new_by_curve_name(nid)) == NULL)
89 goto err;
90
91 /* XXX - do we want an ec_key_set0_group()? */
92 if (ec_key->meth->set_group != NULL) {
93 if (!ec_key->meth->set_group(ec_key, ec_key->group))
94 goto err;
95 }
96
97 return ec_key;
98
99 err:
100 EC_KEY_free(ec_key);
101
102 return NULL;
103 }
104 LCRYPTO_ALIAS(EC_KEY_new_by_curve_name);
105
106 void
EC_KEY_free(EC_KEY * ec_key)107 EC_KEY_free(EC_KEY *ec_key)
108 {
109 if (ec_key == NULL)
110 return;
111
112 if (CRYPTO_add(&ec_key->references, -1, CRYPTO_LOCK_EC) > 0)
113 return;
114
115 if (ec_key->meth != NULL && ec_key->meth->finish != NULL)
116 ec_key->meth->finish(ec_key);
117
118 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, ec_key, &ec_key->ex_data);
119
120 EC_GROUP_free(ec_key->group);
121 EC_POINT_free(ec_key->pub_key);
122 BN_free(ec_key->priv_key);
123
124 freezero(ec_key, sizeof(*ec_key));
125 }
126 LCRYPTO_ALIAS(EC_KEY_free);
127
128 EC_KEY *
EC_KEY_copy(EC_KEY * dest,const EC_KEY * src)129 EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
130 {
131 if (dest == NULL || src == NULL) {
132 ECerror(ERR_R_PASSED_NULL_PARAMETER);
133 return NULL;
134 }
135
136 if (src->meth != dest->meth) {
137 if (dest->meth != NULL && dest->meth->finish != NULL)
138 dest->meth->finish(dest);
139 }
140
141 if (src->group != NULL) {
142 EC_GROUP_free(dest->group);
143 if ((dest->group = EC_GROUP_dup(src->group)) == NULL)
144 return NULL;
145 if (src->pub_key != NULL) {
146 EC_POINT_free(dest->pub_key);
147 if ((dest->pub_key = EC_POINT_dup(src->pub_key,
148 src->group)) == NULL)
149 return NULL;
150 }
151 }
152
153 /*
154 * XXX - if there's no priv_key on src, dest retains its probably
155 * invalid priv_key. This makes no sense. Can we change this?
156 */
157 if (src->priv_key != NULL) {
158 BN_free(dest->priv_key);
159 if ((dest->priv_key = BN_dup(src->priv_key)) == NULL)
160 return NULL;
161 }
162
163 dest->enc_flag = src->enc_flag;
164 dest->conv_form = src->conv_form;
165 dest->version = src->version;
166 dest->flags = src->flags;
167
168 /*
169 * The fun part about being a toolkit implementer is that the rest of
170 * the world gets to live with your terrible API design choices for
171 * eternity. (To be fair: the signature was changed in OpenSSL 3).
172 */
173 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, &dest->ex_data,
174 &((EC_KEY *)src)->ex_data)) /* XXX const */
175 return NULL;
176
177 dest->meth = src->meth;
178
179 if (src->meth != NULL && src->meth->copy != NULL) {
180 if (!src->meth->copy(dest, src))
181 return NULL;
182 }
183
184 return dest;
185 }
186 LCRYPTO_ALIAS(EC_KEY_copy);
187
188 EC_KEY *
EC_KEY_dup(const EC_KEY * in_ec_key)189 EC_KEY_dup(const EC_KEY *in_ec_key)
190 {
191 EC_KEY *ec_key;
192
193 /* XXX - Pass NULL - so we're perhaps not running the right init()? */
194 if ((ec_key = EC_KEY_new_method(NULL)) == NULL)
195 goto err;
196 if (EC_KEY_copy(ec_key, in_ec_key) == NULL)
197 goto err;
198
199 return ec_key;
200
201 err:
202 EC_KEY_free(ec_key);
203
204 return NULL;
205 }
206 LCRYPTO_ALIAS(EC_KEY_dup);
207
208 int
EC_KEY_up_ref(EC_KEY * r)209 EC_KEY_up_ref(EC_KEY *r)
210 {
211 return CRYPTO_add(&r->references, 1, CRYPTO_LOCK_EC) > 1;
212 }
213 LCRYPTO_ALIAS(EC_KEY_up_ref);
214
215 int
EC_KEY_set_ex_data(EC_KEY * r,int idx,void * arg)216 EC_KEY_set_ex_data(EC_KEY *r, int idx, void *arg)
217 {
218 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
219 }
220 LCRYPTO_ALIAS(EC_KEY_set_ex_data);
221
222 void *
EC_KEY_get_ex_data(const EC_KEY * r,int idx)223 EC_KEY_get_ex_data(const EC_KEY *r, int idx)
224 {
225 return CRYPTO_get_ex_data(&r->ex_data, idx);
226 }
227 LCRYPTO_ALIAS(EC_KEY_get_ex_data);
228
229 int
EC_KEY_generate_key(EC_KEY * eckey)230 EC_KEY_generate_key(EC_KEY *eckey)
231 {
232 if (eckey->meth->keygen != NULL)
233 return eckey->meth->keygen(eckey);
234 ECerror(EC_R_NOT_IMPLEMENTED);
235 return 0;
236 }
237 LCRYPTO_ALIAS(EC_KEY_generate_key);
238
239 int
ec_key_gen(EC_KEY * eckey)240 ec_key_gen(EC_KEY *eckey)
241 {
242 BIGNUM *priv_key = NULL;
243 EC_POINT *pub_key = NULL;
244 const BIGNUM *order;
245 int ret = 0;
246
247 if (eckey == NULL || eckey->group == NULL) {
248 ECerror(ERR_R_PASSED_NULL_PARAMETER);
249 goto err;
250 }
251
252 if ((priv_key = BN_new()) == NULL)
253 goto err;
254 if ((pub_key = EC_POINT_new(eckey->group)) == NULL)
255 goto err;
256
257 if ((order = EC_GROUP_get0_order(eckey->group)) == NULL)
258 goto err;
259 if (!bn_rand_interval(priv_key, 1, order))
260 goto err;
261 if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, NULL))
262 goto err;
263
264 BN_free(eckey->priv_key);
265 eckey->priv_key = priv_key;
266 priv_key = NULL;
267
268 EC_POINT_free(eckey->pub_key);
269 eckey->pub_key = pub_key;
270 pub_key = NULL;
271
272 ret = 1;
273
274 err:
275 EC_POINT_free(pub_key);
276 BN_free(priv_key);
277
278 return ret;
279 }
280
281 int
EC_KEY_check_key(const EC_KEY * eckey)282 EC_KEY_check_key(const EC_KEY *eckey)
283 {
284 BN_CTX *ctx = NULL;
285 EC_POINT *point = NULL;
286 const BIGNUM *order;
287 int ret = 0;
288
289 if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
290 ECerror(ERR_R_PASSED_NULL_PARAMETER);
291 goto err;
292 }
293
294 if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
295 ECerror(EC_R_POINT_AT_INFINITY);
296 goto err;
297 }
298
299 if ((ctx = BN_CTX_new()) == NULL)
300 goto err;
301
302 if ((point = EC_POINT_new(eckey->group)) == NULL)
303 goto err;
304
305 /* Ensure public key is on the elliptic curve. */
306 if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
307 ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
308 goto err;
309 }
310
311 /* Ensure public key multiplied by the order is the point at infinity. */
312 if ((order = EC_GROUP_get0_order(eckey->group)) == NULL) {
313 ECerror(EC_R_INVALID_GROUP_ORDER);
314 goto err;
315 }
316 if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
317 ECerror(ERR_R_EC_LIB);
318 goto err;
319 }
320 if (!EC_POINT_is_at_infinity(eckey->group, point)) {
321 ECerror(EC_R_WRONG_ORDER);
322 goto err;
323 }
324
325 /*
326 * If the private key is present, ensure that the private key multiplied
327 * by the generator matches the public key.
328 */
329 if (eckey->priv_key != NULL) {
330 if (BN_cmp(eckey->priv_key, order) >= 0) {
331 ECerror(EC_R_WRONG_ORDER);
332 goto err;
333 }
334 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL,
335 NULL, ctx)) {
336 ECerror(ERR_R_EC_LIB);
337 goto err;
338 }
339 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key,
340 ctx) != 0) {
341 ECerror(EC_R_INVALID_PRIVATE_KEY);
342 goto err;
343 }
344 }
345
346 ret = 1;
347
348 err:
349 BN_CTX_free(ctx);
350 EC_POINT_free(point);
351
352 return ret;
353 }
354 LCRYPTO_ALIAS(EC_KEY_check_key);
355
356 int
EC_KEY_set_public_key_affine_coordinates(EC_KEY * key,BIGNUM * x,BIGNUM * y)357 EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y)
358 {
359 BN_CTX *ctx = NULL;
360 EC_POINT *point = NULL;
361 BIGNUM *tx, *ty;
362 int ret = 0;
363
364 if (key == NULL || key->group == NULL || x == NULL || y == NULL) {
365 ECerror(ERR_R_PASSED_NULL_PARAMETER);
366 goto err;
367 }
368
369 if ((ctx = BN_CTX_new()) == NULL)
370 goto err;
371
372 BN_CTX_start(ctx);
373
374 if ((tx = BN_CTX_get(ctx)) == NULL)
375 goto err;
376 if ((ty = BN_CTX_get(ctx)) == NULL)
377 goto err;
378
379 if ((point = EC_POINT_new(key->group)) == NULL)
380 goto err;
381
382 if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx))
383 goto err;
384 if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx))
385 goto err;
386
387 /*
388 * Check if retrieved coordinates match originals: if not values are
389 * out of range.
390 */
391 if (BN_cmp(x, tx) != 0 || BN_cmp(y, ty) != 0) {
392 ECerror(EC_R_COORDINATES_OUT_OF_RANGE);
393 goto err;
394 }
395 if (!EC_KEY_set_public_key(key, point))
396 goto err;
397 if (EC_KEY_check_key(key) == 0)
398 goto err;
399
400 ret = 1;
401
402 err:
403 BN_CTX_end(ctx);
404 BN_CTX_free(ctx);
405 EC_POINT_free(point);
406
407 return ret;
408 }
409 LCRYPTO_ALIAS(EC_KEY_set_public_key_affine_coordinates);
410
411 const EC_GROUP *
EC_KEY_get0_group(const EC_KEY * key)412 EC_KEY_get0_group(const EC_KEY *key)
413 {
414 return key->group;
415 }
416 LCRYPTO_ALIAS(EC_KEY_get0_group);
417
418 int
EC_KEY_set_group(EC_KEY * key,const EC_GROUP * group)419 EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
420 {
421 if (key->meth->set_group != NULL &&
422 key->meth->set_group(key, group) == 0)
423 return 0;
424 EC_GROUP_free(key->group);
425 key->group = EC_GROUP_dup(group);
426 return (key->group == NULL) ? 0 : 1;
427 }
428 LCRYPTO_ALIAS(EC_KEY_set_group);
429
430 const BIGNUM *
EC_KEY_get0_private_key(const EC_KEY * key)431 EC_KEY_get0_private_key(const EC_KEY *key)
432 {
433 return key->priv_key;
434 }
435 LCRYPTO_ALIAS(EC_KEY_get0_private_key);
436
437 int
EC_KEY_set_private_key(EC_KEY * key,const BIGNUM * priv_key)438 EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
439 {
440 if (key->meth->set_private != NULL &&
441 key->meth->set_private(key, priv_key) == 0)
442 return 0;
443
444 BN_free(key->priv_key);
445 if ((key->priv_key = BN_dup(priv_key)) == NULL)
446 return 0;
447
448 return 1;
449 }
450 LCRYPTO_ALIAS(EC_KEY_set_private_key);
451
452 const EC_POINT *
EC_KEY_get0_public_key(const EC_KEY * key)453 EC_KEY_get0_public_key(const EC_KEY *key)
454 {
455 return key->pub_key;
456 }
457 LCRYPTO_ALIAS(EC_KEY_get0_public_key);
458
459 int
EC_KEY_set_public_key(EC_KEY * key,const EC_POINT * pub_key)460 EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
461 {
462 if (key->meth->set_public != NULL &&
463 key->meth->set_public(key, pub_key) == 0)
464 return 0;
465
466 EC_POINT_free(key->pub_key);
467 if ((key->pub_key = EC_POINT_dup(pub_key, key->group)) == NULL)
468 return 0;
469
470 return 1;
471 }
472 LCRYPTO_ALIAS(EC_KEY_set_public_key);
473
474 unsigned int
EC_KEY_get_enc_flags(const EC_KEY * key)475 EC_KEY_get_enc_flags(const EC_KEY *key)
476 {
477 return key->enc_flag;
478 }
479 LCRYPTO_ALIAS(EC_KEY_get_enc_flags);
480
481 void
EC_KEY_set_enc_flags(EC_KEY * key,unsigned int flags)482 EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
483 {
484 key->enc_flag = flags;
485 }
486 LCRYPTO_ALIAS(EC_KEY_set_enc_flags);
487
488 point_conversion_form_t
EC_KEY_get_conv_form(const EC_KEY * key)489 EC_KEY_get_conv_form(const EC_KEY *key)
490 {
491 return key->conv_form;
492 }
493 LCRYPTO_ALIAS(EC_KEY_get_conv_form);
494
495 void
EC_KEY_set_conv_form(EC_KEY * key,point_conversion_form_t cform)496 EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
497 {
498 key->conv_form = cform;
499 if (key->group != NULL)
500 EC_GROUP_set_point_conversion_form(key->group, cform);
501 }
502 LCRYPTO_ALIAS(EC_KEY_set_conv_form);
503
504 void
EC_KEY_set_asn1_flag(EC_KEY * key,int flag)505 EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
506 {
507 if (key->group != NULL)
508 EC_GROUP_set_asn1_flag(key->group, flag);
509 }
510 LCRYPTO_ALIAS(EC_KEY_set_asn1_flag);
511
512 int
EC_KEY_precompute_mult(EC_KEY * key,BN_CTX * ctx)513 EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
514 {
515 if (key->group == NULL)
516 return 0;
517 return EC_GROUP_precompute_mult(key->group, ctx);
518 }
519 LCRYPTO_ALIAS(EC_KEY_precompute_mult);
520
521 int
EC_KEY_get_flags(const EC_KEY * key)522 EC_KEY_get_flags(const EC_KEY *key)
523 {
524 return key->flags;
525 }
526 LCRYPTO_ALIAS(EC_KEY_get_flags);
527
528 void
EC_KEY_set_flags(EC_KEY * key,int flags)529 EC_KEY_set_flags(EC_KEY *key, int flags)
530 {
531 key->flags |= flags;
532 }
533 LCRYPTO_ALIAS(EC_KEY_set_flags);
534
535 void
EC_KEY_clear_flags(EC_KEY * key,int flags)536 EC_KEY_clear_flags(EC_KEY *key, int flags)
537 {
538 key->flags &= ~flags;
539 }
540 LCRYPTO_ALIAS(EC_KEY_clear_flags);
541