diff options
author | Jack Lloyd <jack.lloyd@ribose.com> | 2018-01-24 11:56:02 -0500 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2018-03-19 14:33:25 +0100 |
commit | 3d328a445c2ad0eff2e9e843c384711be58a7c2f (patch) | |
tree | 888d7dee8ebe744a5fd6a62a6b12c7b6b72bee83 /crypto/sm2 | |
parent | df3a15512bd0f5ddd9f0dd74f0a058ee55b33904 (diff) | |
download | openssl-3d328a445c2ad0eff2e9e843c384711be58a7c2f.zip openssl-3d328a445c2ad0eff2e9e843c384711be58a7c2f.tar.gz openssl-3d328a445c2ad0eff2e9e843c384711be58a7c2f.tar.bz2 |
Add SM2 signature and ECIES schemes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
Diffstat (limited to 'crypto/sm2')
-rw-r--r-- | crypto/sm2/build.info | 6 | ||||
-rw-r--r-- | crypto/sm2/sm2_crypt.c | 321 | ||||
-rw-r--r-- | crypto/sm2/sm2_err.c | 129 | ||||
-rw-r--r-- | crypto/sm2/sm2_sign.c | 324 | ||||
-rw-r--r-- | crypto/sm2/sm2_za.c | 132 |
5 files changed, 912 insertions, 0 deletions
diff --git a/crypto/sm2/build.info b/crypto/sm2/build.info new file mode 100644 index 0000000..fbf8dba --- /dev/null +++ b/crypto/sm2/build.info @@ -0,0 +1,6 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ + sm2_za.c sm2_sign.c sm2_crypt.c sm2_err.c + + + diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c new file mode 100644 index 0000000..a450146 --- /dev/null +++ b/crypto/sm2/sm2_crypt.c @@ -0,0 +1,321 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/sm2.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/asn1.h> +#include <openssl/asn1t.h> +#include <string.h> + +typedef struct SM2_Ciphertext_st SM2_Ciphertext; +DECLARE_ASN1_FUNCTIONS(SM2_Ciphertext) + +struct SM2_Ciphertext_st { + BIGNUM *C1x; + BIGNUM *C1y; + ASN1_OCTET_STRING *C3; + ASN1_OCTET_STRING *C2; +}; + +ASN1_SEQUENCE(SM2_Ciphertext) = { + ASN1_SIMPLE(SM2_Ciphertext, C1x, BIGNUM), + ASN1_SIMPLE(SM2_Ciphertext, C1y, BIGNUM), + ASN1_SIMPLE(SM2_Ciphertext, C3, ASN1_OCTET_STRING), + ASN1_SIMPLE(SM2_Ciphertext, C2, ASN1_OCTET_STRING), +} ASN1_SEQUENCE_END(SM2_Ciphertext) + +IMPLEMENT_ASN1_FUNCTIONS(SM2_Ciphertext) + +static size_t EC_field_size(const EC_GROUP *group) +{ + /* Is there some simpler way to do this? */ + BIGNUM *p = BN_new(); + BIGNUM *a = BN_new(); + BIGNUM *b = BN_new(); + size_t field_size = 0; + + if (p == NULL || a == NULL || b == NULL) + goto done; + + EC_GROUP_get_curve_GFp(group, p, a, b, NULL); + field_size = (BN_num_bits(p) + 7) / 8; + + done: + BN_free(p); + BN_free(a); + BN_free(b); + + return field_size; +} + +size_t SM2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len) +{ + return 10 + 2 * EC_field_size(EC_KEY_get0_group(key)) + + EVP_MD_size(digest) + msg_len; +} + +int SM2_encrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *msg, + size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len) +{ + int rc = 0; + size_t i; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + BIGNUM *x1 = NULL; + BIGNUM *y1 = NULL; + BIGNUM *x2 = NULL; + BIGNUM *y2 = NULL; + + EVP_MD_CTX *hash = EVP_MD_CTX_new(); + + struct SM2_Ciphertext_st ctext_struct; + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + const EC_POINT *P = EC_KEY_get0_public_key(key); + EC_POINT *kG = NULL; + EC_POINT *kP = NULL; + uint8_t *msg_mask = NULL; + + uint8_t *x2y2 = NULL; + uint8_t *C3 = NULL; + + const size_t field_size = EC_field_size(group); + const size_t C3_size = EVP_MD_size(digest); + + if (field_size == 0 || C3_size == 0) + goto done; + + kG = EC_POINT_new(group); + kP = EC_POINT_new(group); + if (kG == NULL || kP == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + k = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + x2 = BN_CTX_get(ctx); + y1 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + + if (y2 == NULL) + goto done; + + x2y2 = OPENSSL_zalloc(2 * field_size); + C3 = OPENSSL_zalloc(C3_size); + + if (x2y2 == NULL || C3 == NULL) + goto done; + + memset(ciphertext_buf, 0, *ciphertext_len); + + BN_priv_rand_range(k, order); + + if (EC_POINT_mul(group, kG, k, NULL, NULL, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kG, x1, y1, ctx) == 0) + goto done; + + if (EC_POINT_mul(group, kP, NULL, P, k, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kP, x2, y2, ctx) == 0) + goto done; + + BN_bn2binpad(x2, x2y2, field_size); + BN_bn2binpad(y2, x2y2 + field_size, field_size); + + msg_mask = OPENSSL_zalloc(msg_len); + if (msg_mask == NULL) + goto done; + + /* X9.63 with no salt happens to match the KDF used in SM2 */ + if (ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, digest) + == 0) + goto done; + + for (i = 0; i != msg_len; ++i) + msg_mask[i] ^= msg[i]; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2, field_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, msg, msg_len) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0) + goto done; + + if (EVP_DigestFinal(hash, C3, NULL) == 0) + goto done; + + ctext_struct.C1x = x1; + ctext_struct.C1y = y1; + ctext_struct.C3 = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size); + ctext_struct.C2 = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len); + + *ciphertext_len = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf); + + ASN1_OCTET_STRING_free(ctext_struct.C2); + ASN1_OCTET_STRING_free(ctext_struct.C3); + + rc = 1; + + done: + OPENSSL_free(msg_mask); + OPENSSL_free(x2y2); + OPENSSL_free(C3); + EVP_MD_CTX_free(hash); + BN_CTX_free(ctx); + EC_POINT_free(kG); + EC_POINT_free(kP); + return rc; +} + +int SM2_decrypt(const EC_KEY *key, + const EVP_MD *digest, + const uint8_t *ciphertext, + size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len) +{ + int rc = 0; + int i; + + BN_CTX *ctx = NULL; + const EC_GROUP *group = EC_KEY_get0_group(key); + EC_POINT *C1 = NULL; + struct SM2_Ciphertext_st *sm2_ctext = NULL; + BIGNUM *x2 = NULL; + BIGNUM *y2 = NULL; + + uint8_t *x2y2 = NULL; + uint8_t *computed_C3 = NULL; + + const size_t field_size = EC_field_size(group); + const int hash_size = EVP_MD_size(digest); + + uint8_t *msg_mask = NULL; + const uint8_t *C2 = NULL; + const uint8_t *C3 = NULL; + int msg_len = 0; + EVP_MD_CTX *hash = NULL; + + if (field_size == 0 || hash_size == 0) + goto done; + + memset(ptext_buf, 0xFF, *ptext_len); + + sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext, ciphertext_len); + + if (sm2_ctext == NULL) + goto done; + + if (sm2_ctext->C3->length != hash_size) + goto done; + + C2 = sm2_ctext->C2->data; + C3 = sm2_ctext->C3->data; + msg_len = sm2_ctext->C2->length; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + x2 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + + if(y2 == NULL) + goto done; + + msg_mask = OPENSSL_zalloc(msg_len); + x2y2 = OPENSSL_zalloc(2 * field_size); + computed_C3 = OPENSSL_zalloc(hash_size); + + if(msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL) + goto done; + + C1 = EC_POINT_new(group); + if (C1 == NULL) + goto done; + + if (EC_POINT_set_affine_coordinates_GFp + (group, C1, sm2_ctext->C1x, sm2_ctext->C1y, ctx) == 0) + goto done; + + if (EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key), ctx) == + 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, C1, x2, y2, ctx) == 0) + goto done; + + BN_bn2binpad(x2, x2y2, field_size); + BN_bn2binpad(y2, x2y2 + field_size, field_size); + + if (ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, digest) + == 0) + goto done; + + for (i = 0; i != msg_len; ++i) + ptext_buf[i] = C2[i] ^ msg_mask[i]; + + hash = EVP_MD_CTX_new(); + + if (hash == NULL) + goto done; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2, field_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, ptext_buf, msg_len) == 0) + goto done; + + if (EVP_DigestUpdate(hash, x2y2 + field_size, field_size) == 0) + goto done; + + if (EVP_DigestFinal(hash, computed_C3, NULL) == 0) + goto done; + + if (memcmp(computed_C3, C3, hash_size) != 0) + goto done; + + rc = 1; + + done: + + if (rc == 0) + memset(ptext_buf, 0, *ptext_len); + + OPENSSL_free(msg_mask); + OPENSSL_free(x2y2); + OPENSSL_free(computed_C3); + EC_POINT_free(C1); + BN_CTX_free(ctx); + SM2_Ciphertext_free(sm2_ctext); + EVP_MD_CTX_free(hash); + + return rc; +} diff --git a/crypto/sm2/sm2_err.c b/crypto/sm2/sm2_err.c new file mode 100644 index 0000000..acb4502 --- /dev/null +++ b/crypto/sm2/sm2_err.c @@ -0,0 +1,129 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/err.h> +#include <openssl/sm2err.h> + +#ifndef OPENSSL_NO_ERR + +static const ERR_STRING_DATA SM2_str_functs[] = { + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_CTRL, 0), "pkey_sm2_ctrl"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_CTRL_STR, 0), "pkey_sm2_ctrl_str"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_KEYGEN, 0), "pkey_sm2_keygen"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_PARAMGEN, 0), "pkey_sm2_paramgen"}, + {ERR_PACK(ERR_LIB_SM2, SM2_F_PKEY_SM2_SIGN, 0), "pkey_sm2_sign"}, + {0, NULL} +}; + +static const ERR_STRING_DATA SM2_str_reasons[] = { + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_ASN1_ERROR), "asn1 error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_ASN5_ERROR), "asn5 error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BAD_SIGNATURE), "bad signature"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BIGNUM_OUT_OF_RANGE), + "bignum out of range"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_BUFFER_TOO_SMALL), "buffer too small"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_COORDINATES_OUT_OF_RANGE), + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_D2I_ECPKPARAMETERS_FAILURE), + "d2i ecpkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_DECODE_ERROR), "decode error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_DISCRIMINANT_IS_ZERO), + "discriminant is zero"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE), + "ec group new by name failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_FIELD_TOO_LARGE), "field too large"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_GF2M_NOT_SUPPORTED), "gf2m not supported"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_GROUP2PKPARAMETERS_FAILURE), + "group2pkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_I2D_ECPKPARAMETERS_FAILURE), + "i2d ecpkparameters failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INCOMPATIBLE_OBJECTS), + "incompatible objects"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_ARGUMENT), "invalid argument"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_COMPRESSED_POINT), + "invalid compressed point"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_COMPRESSION_BIT), + "invalid compression bit"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_CURVE), "invalid curve"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_DIGEST), "invalid digest"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_DIGEST_TYPE), + "invalid digest type"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_ENCODING), "invalid encoding"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_FIELD), "invalid field"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_FORM), "invalid form"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_GROUP_ORDER), + "invalid group order"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_KEY), "invalid key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_OUTPUT_LENGTH), + "invalid output length"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PEER_KEY), "invalid peer key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PENTANOMIAL_BASIS), + "invalid pentanomial basis"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PRIVATE_KEY), + "invalid private key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_TRINOMIAL_BASIS), + "invalid trinomial basis"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_KDF_PARAMETER_ERROR), + "kdf parameter error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_KEYS_NOT_SET), "keys not set"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_MISSING_PRIVATE_KEY), + "missing private key"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NEED_NEW_SETUP_VALUES), + "need new setup values"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NOT_A_NIST_PRIME), "not a NIST prime"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NOT_IMPLEMENTED), "not implemented"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NOT_INITIALIZED), "not initialized"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NO_PRIVATE_VALUE), "no private value"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_OPERATION_NOT_SUPPORTED), + "operation not supported"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_PASSED_NULL_PARAMETER), + "passed null parameter"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_PEER_KEY_ERROR), "peer key error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_PKPARAMETERS2GROUP_FAILURE), + "pkparameters2group failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_POINT_ARITHMETIC_FAILURE), + "point arithmetic failure"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_POINT_AT_INFINITY), "point at infinity"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_POINT_IS_NOT_ON_CURVE), + "point is not on curve"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_RANDOM_NUMBER_GENERATION_FAILED), + "random number generation failed"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_SLOT_FULL), "slot full"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNDEFINED_GENERATOR), + "undefined generator"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNDEFINED_ORDER), "undefined order"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNKNOWN_GROUP), "unknown group"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNKNOWN_ORDER), "unknown order"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_UNSUPPORTED_FIELD), "unsupported field"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_WRONG_CURVE_PARAMETERS), + "wrong curve parameters"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_WRONG_ORDER), "wrong order"}, + {0, NULL} +}; + +#endif + +int ERR_load_SM2_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(SM2_str_functs[0].error) == NULL) { + ERR_load_strings_const(SM2_str_functs); + ERR_load_strings_const(SM2_str_reasons); + } +#endif + return 1; +} diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c new file mode 100644 index 0000000..2d311d9 --- /dev/null +++ b/crypto/sm2/sm2_sign.c @@ -0,0 +1,324 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/sm2.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <string.h> + +static BIGNUM *compute_msg_hash(const EVP_MD *digest, + const EC_KEY *key, + const char *user_id, + const uint8_t *msg, size_t msg_len) +{ + EVP_MD_CTX *hash = EVP_MD_CTX_new(); + const int md_size = EVP_MD_size(digest); + uint8_t *za = OPENSSL_zalloc(md_size); + BIGNUM *e = NULL; + + if (za == NULL) + goto done; + + if (hash == NULL) + goto done; + + if (SM2_compute_userid_digest(za, digest, user_id, key) == 0) + goto done; + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + if (EVP_DigestUpdate(hash, za, md_size) == 0) + goto done; + + if (EVP_DigestUpdate(hash, msg, msg_len) == 0) + goto done; + + /* reuse za buffer to hold H(ZA || M) */ + if (EVP_DigestFinal(hash, za, NULL) == 0) + goto done; + + e = BN_bin2bn(za, md_size, NULL); + + done: + OPENSSL_free(za); + EVP_MD_CTX_free(hash); + return e; +} + +static +ECDSA_SIG *SM2_sig_gen(const EC_KEY *key, const BIGNUM *e) +{ + const BIGNUM *dA = EC_KEY_get0_private_key(key); + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + + ECDSA_SIG *sig = NULL; + EC_POINT *kG = NULL; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + BIGNUM *rk = NULL; + BIGNUM *r = NULL; + BIGNUM *s = NULL; + BIGNUM *x1 = NULL; + BIGNUM *tmp = NULL; + + kG = EC_POINT_new(group); + if (kG == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + BN_CTX_start(ctx); + + k = BN_CTX_get(ctx); + rk = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + tmp = BN_CTX_get(ctx); + + if (tmp == NULL) + goto done; + + /* These values are returned and so should not be allocated out of the context */ + r = BN_new(); + s = BN_new(); + + if (r == NULL || s == NULL) + goto done; + + for (;;) { + BN_priv_rand_range(k, order); + + if (EC_POINT_mul(group, kG, k, NULL, NULL, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, kG, x1, NULL, ctx) == 0) + goto done; + + if (BN_mod_add(r, e, x1, order, ctx) == 0) + goto done; + + /* try again if r == 0 or r+k == n */ + if (BN_is_zero(r)) + continue; + + BN_add(rk, r, k); + + if (BN_cmp(rk, order) == 0) + continue; + + BN_add(s, dA, BN_value_one()); + BN_mod_inverse(s, s, order, ctx); + + BN_mod_mul(tmp, dA, r, order, ctx); + BN_sub(tmp, k, tmp); + + BN_mod_mul(s, s, tmp, order, ctx); + + sig = ECDSA_SIG_new(); + + if (sig == NULL) + goto done; + + /* takes ownership of r and s */ + ECDSA_SIG_set0(sig, r, s); + break; + } + + done: + + if (sig == NULL) { + BN_free(r); + BN_free(s); + } + + BN_CTX_free(ctx); + EC_POINT_free(kG); + return sig; + +} + +static +int SM2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig, const BIGNUM *e) +{ + int ret = 0; + const EC_GROUP *group = EC_KEY_get0_group(key); + const BIGNUM *order = EC_GROUP_get0_order(group); + BN_CTX *ctx = NULL; + EC_POINT *pt = NULL; + + BIGNUM *t = NULL; + BIGNUM *x1 = NULL; + const BIGNUM *r = NULL; + const BIGNUM *s = NULL; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + pt = EC_POINT_new(group); + if (pt == NULL) + goto done; + + BN_CTX_start(ctx); + + t = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); + + if (x1 == NULL) + goto done; + + /* + B1: verify whether r' in [1,n-1], verification failed if not + B2: vefify whether s' in [1,n-1], verification failed if not + B3: set M'~=ZA || M' + B4: calculate e'=Hv(M'~) + B5: calculate t = (r' + s') modn, verification failed if t=0 + B6: calculate the point (x1', y1')=[s']G + [t]PA + B7: calculate R=(e'+x1') modn, verfication pass if yes, otherwise failed + */ + + ECDSA_SIG_get0(sig, &r, &s); + + if (BN_cmp(r, BN_value_one()) < 0) + goto done; + if (BN_cmp(s, BN_value_one()) < 0) + goto done; + + if (BN_cmp(order, r) <= 0) + goto done; + if (BN_cmp(order, s) <= 0) + goto done; + + if (BN_mod_add(t, r, s, order, ctx) == 0) + goto done; + + if (BN_is_zero(t) == 1) + goto done; + + if (EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx) == 0) + goto done; + + if (EC_POINT_get_affine_coordinates_GFp(group, pt, x1, NULL, ctx) == 0) + goto done; + + if (BN_mod_add(t, e, x1, order, ctx) == 0) + goto done; + + if (BN_cmp(r, t) == 0) + ret = 1; + + done: + EC_POINT_free(pt); + BN_CTX_free(ctx); + return ret; +} + +ECDSA_SIG *SM2_do_sign(const EC_KEY *key, + const EVP_MD *digest, + const char *user_id, const uint8_t *msg, size_t msg_len) +{ + BIGNUM *e = NULL; + ECDSA_SIG *sig = NULL; + + e = compute_msg_hash(digest, key, user_id, msg, msg_len); + if (e == NULL) + goto done; + + sig = SM2_sig_gen(key, e); + + done: + BN_free(e); + return sig; +} + +int SM2_do_verify(const EC_KEY *key, + const EVP_MD *digest, + const ECDSA_SIG *sig, + const char *user_id, const uint8_t *msg, size_t msg_len) +{ + BIGNUM *e = NULL; + int ret = -1; + + e = compute_msg_hash(digest, key, user_id, msg, msg_len); + if (e == NULL) + goto done; + + ret = SM2_sig_verify(key, sig, e); + + done: + BN_free(e); + return ret; +} + +int SM2_sign(int type, const unsigned char *dgst, int dgstlen, + unsigned char *sig, unsigned int *siglen, EC_KEY *eckey) +{ + BIGNUM *e = NULL; + ECDSA_SIG *s = NULL; + int ret = -1; + + if (type != NID_sm3) + goto done; + + if (dgstlen != 32) /* expected length of SM3 hash */ + goto done; + + e = BN_bin2bn(dgst, dgstlen, NULL); + + s = SM2_sig_gen(eckey, e); + + *siglen = i2d_ECDSA_SIG(s, &sig); + + ECDSA_SIG_free(s); + + ret = 0; + + done: + ECDSA_SIG_free(s); + BN_free(e); + return ret; +} + +int SM2_verify(int type, const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int sig_len, EC_KEY *eckey) +{ + ECDSA_SIG *s = NULL; + BIGNUM *e = NULL; + const unsigned char *p = sig; + unsigned char *der = NULL; + int derlen = -1; + int ret = -1; + + if (type != NID_sm3) + goto done; + + s = ECDSA_SIG_new(); + if (s == NULL) + goto done; + if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) + goto done; + /* Ensure signature uses DER and doesn't have trailing garbage */ + derlen = i2d_ECDSA_SIG(s, &der); + if (derlen != sig_len || memcmp(sig, der, derlen) != 0) + goto done; + + e = BN_bin2bn(dgst, dgstlen, NULL); + + ret = SM2_sig_verify(eckey, s, e); + + done: + OPENSSL_free(der); + BN_free(e); + ECDSA_SIG_free(s); + return ret; +} diff --git a/crypto/sm2/sm2_za.c b/crypto/sm2/sm2_za.c new file mode 100644 index 0000000..ea9d766 --- /dev/null +++ b/crypto/sm2/sm2_za.c @@ -0,0 +1,132 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017 Ribose Inc. All Rights Reserved. + * Ported from Ribose contributions from Botan. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/sm2.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <string.h> + +int SM2_compute_userid_digest(uint8_t *out, + const EVP_MD *digest, + const char *user_id, + const EC_KEY *key) +{ + int rc = 0; + + const EC_GROUP *group = EC_KEY_get0_group(key); + + BN_CTX *ctx = NULL; + EVP_MD_CTX *hash = NULL; + + BIGNUM *p = NULL; + BIGNUM *a = NULL; + BIGNUM *b = NULL; + + BIGNUM *xG = NULL; + BIGNUM *yG = NULL; + BIGNUM *xA = NULL; + BIGNUM *yA = NULL; + + int p_bytes = 0; + uint8_t *buf = NULL; + size_t uid_len = 0; + uint16_t entla = 0; + uint8_t e_byte = 0; + + hash = EVP_MD_CTX_new(); + if (hash == NULL) + goto done; + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto done; + + p = BN_CTX_get(ctx); + a = BN_CTX_get(ctx); + b = BN_CTX_get(ctx); + xG = BN_CTX_get(ctx); + yG = BN_CTX_get(ctx); + xA = BN_CTX_get(ctx); + yA = BN_CTX_get(ctx); + + if (p == NULL || a == NULL || b == NULL || + xG == NULL || yG == NULL || xA == NULL || yA == NULL) + goto done; + + memset(out, 0, EVP_MD_size(digest)); + + if (EVP_DigestInit(hash, digest) == 0) + goto done; + + /* + ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) + */ + + uid_len = strlen(user_id); + + if (uid_len >= 8192) /* too large */ + goto done; + + entla = (unsigned short)(8 * uid_len); + + e_byte = entla >> 8; + if (EVP_DigestUpdate(hash, &e_byte, 1) == 0) + goto done; + e_byte = entla & 0xFF; + if (EVP_DigestUpdate(hash, &e_byte, 1) == 0) + goto done; + + if (EVP_DigestUpdate(hash, user_id, uid_len) == 0) + goto done; + + if (EC_GROUP_get_curve_GFp(group, p, a, b, ctx) == 0) + goto done; + + p_bytes = BN_num_bytes(p); + buf = OPENSSL_zalloc(p_bytes); + + BN_bn2binpad(a, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + BN_bn2binpad(b, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + EC_POINT_get_affine_coordinates_GFp(group, + EC_GROUP_get0_generator(group), + xG, yG, ctx); + BN_bn2binpad(xG, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + BN_bn2binpad(yG, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + + EC_POINT_get_affine_coordinates_GFp(group, + EC_KEY_get0_public_key(key), + xA, yA, ctx); + BN_bn2binpad(xA, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + BN_bn2binpad(yA, buf, p_bytes); + if (EVP_DigestUpdate(hash, buf, p_bytes) == 0) + goto done; + + if (EVP_DigestFinal(hash, out, NULL) == 0) + goto done; + + rc = 1; + + done: + OPENSSL_free(buf); + BN_CTX_free(ctx); + EVP_MD_CTX_free(hash); + return rc; +} |