1 /* 2 * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2017 Ribose Inc. All Rights Reserved. 4 * Ported from Ribose contributions from Botan. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include "crypto/sm2.h" 13 #include "crypto/sm2err.h" 14 #include "crypto/ec.h" /* ecdh_KDF_X9_63() */ 15 #include <openssl/err.h> 16 #include <openssl/evp.h> 17 #include <openssl/bn.h> 18 #include <openssl/asn1.h> 19 #include <openssl/asn1t.h> 20 #include <string.h> 21 22 typedef struct SM2_Ciphertext_st SM2_Ciphertext; 23 DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext) 24 25 struct SM2_Ciphertext_st { 26 BIGNUM *C1x; 27 BIGNUM *C1y; 28 ASN1_OCTET_STRING *C3; 29 ASN1_OCTET_STRING *C2; 30 }; 31 32 ASN1_SEQUENCE(SM2_Ciphertext) = { 33 ASN1_SIMPLE(SM2_Ciphertext, C1x, BIGNUM), 34 ASN1_SIMPLE(SM2_Ciphertext, C1y, BIGNUM), 35 ASN1_SIMPLE(SM2_Ciphertext, C3, ASN1_OCTET_STRING), 36 ASN1_SIMPLE(SM2_Ciphertext, C2, ASN1_OCTET_STRING), 37 } ASN1_SEQUENCE_END(SM2_Ciphertext) 38 39 IMPLEMENT_ASN1_FUNCTIONS(SM2_Ciphertext) 40 41 static size_t ec_field_size(const EC_GROUP *group) 42 { 43 /* Is there some simpler way to do this? */ 44 BIGNUM *p = BN_new(); 45 BIGNUM *a = BN_new(); 46 BIGNUM *b = BN_new(); 47 size_t field_size = 0; 48 49 if (p == NULL || a == NULL || b == NULL) 50 goto done; 51 52 if (!EC_GROUP_get_curve(group, p, a, b, NULL)) 53 goto done; 54 field_size = (BN_num_bits(p) + 7) / 8; 55 56 done: 57 BN_free(p); 58 BN_free(a); 59 BN_free(b); 60 61 return field_size; 62 } 63 64 int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size) 65 { 66 struct SM2_Ciphertext_st *sm2_ctext = NULL; 67 68 sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size); 69 70 if (sm2_ctext == NULL) { 71 SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING); 72 return 0; 73 } 74 75 *pt_size = sm2_ctext->C2->length; 76 SM2_Ciphertext_free(sm2_ctext); 77 78 return 1; 79 } 80 81 int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, 82 size_t *ct_size) 83 { 84 const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); 85 const int md_size = EVP_MD_size(digest); 86 size_t sz; 87 88 if (field_size == 0 || md_size < 0) 89 return 0; 90 91 /* Integer and string are simple type; set constructed = 0, means primitive and definite length encoding. */ 92 sz = 2 * ASN1_object_size(0, field_size + 1, V_ASN1_INTEGER) 93 + ASN1_object_size(0, md_size, V_ASN1_OCTET_STRING) 94 + ASN1_object_size(0, msg_len, V_ASN1_OCTET_STRING); 95 /* Sequence is structured type; set constructed = 1, means constructed and definite length encoding. */ 96 *ct_size = ASN1_object_size(1, sz, V_ASN1_SEQUENCE); 97 98 return 1; 99 } 100 101 int sm2_encrypt(const EC_KEY *key, 102 const EVP_MD *digest, 103 const uint8_t *msg, 104 size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len) 105 { 106 int rc = 0, ciphertext_leni; 107 size_t i; 108 BN_CTX *ctx = NULL; 109 BIGNUM *k = NULL; 110 BIGNUM *x1 = NULL; 111 BIGNUM *y1 = NULL; 112 BIGNUM *x2 = NULL; 113 BIGNUM *y2 = NULL; 114 EVP_MD_CTX *hash = EVP_MD_CTX_new(); 115 struct SM2_Ciphertext_st ctext_struct; 116 const EC_GROUP *group = EC_KEY_get0_group(key); 117 const BIGNUM *order = EC_GROUP_get0_order(group); 118 const EC_POINT *P = EC_KEY_get0_public_key(key); 119 EC_POINT *kG = NULL; 120 EC_POINT *kP = NULL; 121 uint8_t *msg_mask = NULL; 122 uint8_t *x2y2 = NULL; 123 uint8_t *C3 = NULL; 124 size_t field_size; 125 const int C3_size = EVP_MD_size(digest); 126 127 /* NULL these before any "goto done" */ 128 ctext_struct.C2 = NULL; 129 ctext_struct.C3 = NULL; 130 131 if (hash == NULL || C3_size <= 0) { 132 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_INTERNAL_ERROR); 133 goto done; 134 } 135 136 field_size = ec_field_size(group); 137 if (field_size == 0) { 138 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_INTERNAL_ERROR); 139 goto done; 140 } 141 142 kG = EC_POINT_new(group); 143 kP = EC_POINT_new(group); 144 ctx = BN_CTX_new(); 145 if (kG == NULL || kP == NULL || ctx == NULL) { 146 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_MALLOC_FAILURE); 147 goto done; 148 } 149 150 BN_CTX_start(ctx); 151 k = BN_CTX_get(ctx); 152 x1 = BN_CTX_get(ctx); 153 x2 = BN_CTX_get(ctx); 154 y1 = BN_CTX_get(ctx); 155 y2 = BN_CTX_get(ctx); 156 157 if (y2 == NULL) { 158 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_BN_LIB); 159 goto done; 160 } 161 162 x2y2 = OPENSSL_zalloc(2 * field_size); 163 C3 = OPENSSL_zalloc(C3_size); 164 165 if (x2y2 == NULL || C3 == NULL) { 166 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_MALLOC_FAILURE); 167 goto done; 168 } 169 170 memset(ciphertext_buf, 0, *ciphertext_len); 171 172 if (!BN_priv_rand_range(k, order)) { 173 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_INTERNAL_ERROR); 174 goto done; 175 } 176 177 if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx) 178 || !EC_POINT_get_affine_coordinates(group, kG, x1, y1, ctx) 179 || !EC_POINT_mul(group, kP, NULL, P, k, ctx) 180 || !EC_POINT_get_affine_coordinates(group, kP, x2, y2, ctx)) { 181 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_EC_LIB); 182 goto done; 183 } 184 185 if (BN_bn2binpad(x2, x2y2, field_size) < 0 186 || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0) { 187 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_INTERNAL_ERROR); 188 goto done; 189 } 190 191 msg_mask = OPENSSL_zalloc(msg_len); 192 if (msg_mask == NULL) { 193 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_MALLOC_FAILURE); 194 goto done; 195 } 196 197 /* X9.63 with no salt happens to match the KDF used in SM2 */ 198 if (!ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, 199 digest)) { 200 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_EVP_LIB); 201 goto done; 202 } 203 204 for (i = 0; i != msg_len; ++i) 205 msg_mask[i] ^= msg[i]; 206 207 if (EVP_DigestInit(hash, digest) == 0 208 || EVP_DigestUpdate(hash, x2y2, field_size) == 0 209 || EVP_DigestUpdate(hash, msg, msg_len) == 0 210 || EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0 211 || EVP_DigestFinal(hash, C3, NULL) == 0) { 212 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_EVP_LIB); 213 goto done; 214 } 215 216 ctext_struct.C1x = x1; 217 ctext_struct.C1y = y1; 218 ctext_struct.C3 = ASN1_OCTET_STRING_new(); 219 ctext_struct.C2 = ASN1_OCTET_STRING_new(); 220 221 if (ctext_struct.C3 == NULL || ctext_struct.C2 == NULL) { 222 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_MALLOC_FAILURE); 223 goto done; 224 } 225 if (!ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size) 226 || !ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len)) { 227 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_INTERNAL_ERROR); 228 goto done; 229 } 230 231 ciphertext_leni = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf); 232 /* Ensure cast to size_t is safe */ 233 if (ciphertext_leni < 0) { 234 SM2err(SM2_F_SM2_ENCRYPT, ERR_R_INTERNAL_ERROR); 235 goto done; 236 } 237 *ciphertext_len = (size_t)ciphertext_leni; 238 239 rc = 1; 240 241 done: 242 ASN1_OCTET_STRING_free(ctext_struct.C2); 243 ASN1_OCTET_STRING_free(ctext_struct.C3); 244 OPENSSL_free(msg_mask); 245 OPENSSL_free(x2y2); 246 OPENSSL_free(C3); 247 EVP_MD_CTX_free(hash); 248 BN_CTX_free(ctx); 249 EC_POINT_free(kG); 250 EC_POINT_free(kP); 251 return rc; 252 } 253 254 int sm2_decrypt(const EC_KEY *key, 255 const EVP_MD *digest, 256 const uint8_t *ciphertext, 257 size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len) 258 { 259 int rc = 0; 260 int i; 261 BN_CTX *ctx = NULL; 262 const EC_GROUP *group = EC_KEY_get0_group(key); 263 EC_POINT *C1 = NULL; 264 struct SM2_Ciphertext_st *sm2_ctext = NULL; 265 BIGNUM *x2 = NULL; 266 BIGNUM *y2 = NULL; 267 uint8_t *x2y2 = NULL; 268 uint8_t *computed_C3 = NULL; 269 const size_t field_size = ec_field_size(group); 270 const int hash_size = EVP_MD_size(digest); 271 uint8_t *msg_mask = NULL; 272 const uint8_t *C2 = NULL; 273 const uint8_t *C3 = NULL; 274 int msg_len = 0; 275 EVP_MD_CTX *hash = NULL; 276 277 if (field_size == 0 || hash_size <= 0) 278 goto done; 279 280 memset(ptext_buf, 0xFF, *ptext_len); 281 282 sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext, ciphertext_len); 283 284 if (sm2_ctext == NULL) { 285 SM2err(SM2_F_SM2_DECRYPT, SM2_R_ASN1_ERROR); 286 goto done; 287 } 288 289 if (sm2_ctext->C3->length != hash_size) { 290 SM2err(SM2_F_SM2_DECRYPT, SM2_R_INVALID_ENCODING); 291 goto done; 292 } 293 294 C2 = sm2_ctext->C2->data; 295 C3 = sm2_ctext->C3->data; 296 msg_len = sm2_ctext->C2->length; 297 if (*ptext_len < (size_t)msg_len) { 298 SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL); 299 goto done; 300 } 301 302 ctx = BN_CTX_new(); 303 if (ctx == NULL) { 304 SM2err(SM2_F_SM2_DECRYPT, ERR_R_MALLOC_FAILURE); 305 goto done; 306 } 307 308 BN_CTX_start(ctx); 309 x2 = BN_CTX_get(ctx); 310 y2 = BN_CTX_get(ctx); 311 312 if (y2 == NULL) { 313 SM2err(SM2_F_SM2_DECRYPT, ERR_R_BN_LIB); 314 goto done; 315 } 316 317 msg_mask = OPENSSL_zalloc(msg_len); 318 x2y2 = OPENSSL_zalloc(2 * field_size); 319 computed_C3 = OPENSSL_zalloc(hash_size); 320 321 if (msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL) { 322 SM2err(SM2_F_SM2_DECRYPT, ERR_R_MALLOC_FAILURE); 323 goto done; 324 } 325 326 C1 = EC_POINT_new(group); 327 if (C1 == NULL) { 328 SM2err(SM2_F_SM2_DECRYPT, ERR_R_MALLOC_FAILURE); 329 goto done; 330 } 331 332 if (!EC_POINT_set_affine_coordinates(group, C1, sm2_ctext->C1x, 333 sm2_ctext->C1y, ctx) 334 || !EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key), 335 ctx) 336 || !EC_POINT_get_affine_coordinates(group, C1, x2, y2, ctx)) { 337 SM2err(SM2_F_SM2_DECRYPT, ERR_R_EC_LIB); 338 goto done; 339 } 340 341 if (BN_bn2binpad(x2, x2y2, field_size) < 0 342 || BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0 343 || !ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, 344 digest)) { 345 SM2err(SM2_F_SM2_DECRYPT, ERR_R_INTERNAL_ERROR); 346 goto done; 347 } 348 349 for (i = 0; i != msg_len; ++i) 350 ptext_buf[i] = C2[i] ^ msg_mask[i]; 351 352 hash = EVP_MD_CTX_new(); 353 if (hash == NULL) { 354 SM2err(SM2_F_SM2_DECRYPT, ERR_R_MALLOC_FAILURE); 355 goto done; 356 } 357 358 if (!EVP_DigestInit(hash, digest) 359 || !EVP_DigestUpdate(hash, x2y2, field_size) 360 || !EVP_DigestUpdate(hash, ptext_buf, msg_len) 361 || !EVP_DigestUpdate(hash, x2y2 + field_size, field_size) 362 || !EVP_DigestFinal(hash, computed_C3, NULL)) { 363 SM2err(SM2_F_SM2_DECRYPT, ERR_R_EVP_LIB); 364 goto done; 365 } 366 367 if (CRYPTO_memcmp(computed_C3, C3, hash_size) != 0) { 368 SM2err(SM2_F_SM2_DECRYPT, SM2_R_INVALID_DIGEST); 369 goto done; 370 } 371 372 rc = 1; 373 *ptext_len = msg_len; 374 375 done: 376 if (rc == 0) 377 memset(ptext_buf, 0, *ptext_len); 378 379 OPENSSL_free(msg_mask); 380 OPENSSL_free(x2y2); 381 OPENSSL_free(computed_C3); 382 EC_POINT_free(C1); 383 BN_CTX_free(ctx); 384 SM2_Ciphertext_free(sm2_ctext); 385 EVP_MD_CTX_free(hash); 386 387 return rc; 388 } 389