From 8dcfdbf510085fd5740abe78f1f8ca120b475f05 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 2 Feb 2016 14:50:10 +0000 Subject: [PATCH] Add new EC_METHOD for X25519. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Reviewed-by: Rich Salz Reviewed-by: Emilia Käsper --- crypto/ec/Makefile.in | 5 +- crypto/ec/build.info | 3 +- crypto/ec/ec_25519.c | 381 ++++++++++++++++++++++++++++++++++++++++++ crypto/ec/ec_lcl.h | 7 + 4 files changed, 393 insertions(+), 3 deletions(-) create mode 100644 crypto/ec/ec_25519.c diff --git a/crypto/ec/Makefile.in b/crypto/ec/Makefile.in index 1aa22d4962..decc1740aa 100644 --- a/crypto/ec/Makefile.in +++ b/crypto/ec/Makefile.in @@ -22,14 +22,15 @@ LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c\ ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c \ ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \ ecp_oct.c ec2_oct.c ec_oct.c ec_kmeth.c ecdh_ossl.c ecdh_kdf.c \ - ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c + ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c ec_25519.c curve25519.c LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_nist.o ec_cvt.o ec_mult.o\ ec_err.o ec_curve.o ec_check.o ec_print.o ec_asn1.o ec_key.o\ ec2_smpl.o ec2_mult.o ec_ameth.o ec_pmeth.o eck_prn.o \ ecp_nistp224.o ecp_nistp256.o ecp_nistp521.o ecp_nistputil.o \ ecp_oct.o ec2_oct.o ec_oct.o ec_kmeth.o ecdh_ossl.o ecdh_kdf.o \ - ecdsa_ossl.o ecdsa_sign.o ecdsa_vrf.o $(EC_ASM) + ecdsa_ossl.o ecdsa_sign.o ecdsa_vrf.o ec_25519.o curve25519.o \ + $(EC_ASM) SRC= $(LIBSRC) diff --git a/crypto/ec/build.info b/crypto/ec/build.info index 63ad9a4fda..39a9f4754c 100644 --- a/crypto/ec/build.info +++ b/crypto/ec/build.info @@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c \ ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \ ecp_oct.c ec2_oct.c ec_oct.c ec_kmeth.c ecdh_ossl.c ecdh_kdf.c \ - ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c {- $target{ec_asm_src} -} + ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c ec_25519.c curve25519.c \ + {- $target{ec_asm_src} -} BEGINRAW[Makefile] {- $builddir -}/ecp_nistz256-x86.s: {- $sourcedir -}/asm/ecp_nistz256-x86.pl diff --git a/crypto/ec/ec_25519.c b/crypto/ec/ec_25519.c new file mode 100644 index 0000000000..539a8e1af7 --- /dev/null +++ b/crypto/ec/ec_25519.c @@ -0,0 +1,381 @@ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2016 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include "ec_lcl.h" + +/* Length of Curve 25519 keys */ +#define EC_X25519_KEYLEN 32 +/* Group degree and order bits */ +#define EC_X25519_BITS 253 + +/* Copy Curve25519 public key buffer, allocating is necessary */ +static int x25519_init_public(EC_POINT *pub, const void *src) +{ + if (pub->custom_data == NULL) { + pub->custom_data = OPENSSL_malloc(EC_X25519_KEYLEN); + if (pub->custom_data == NULL) + return 0; + } + if (src != NULL) + memcpy(pub->custom_data, src, EC_X25519_KEYLEN); + return 1; +} + +/* Copy Curve25519 private key buffer, allocating is necessary */ +static int x25519_init_private(EC_KEY *dst, const void *src) +{ + if (dst->custom_data == NULL) { + dst->custom_data = OPENSSL_secure_malloc(EC_X25519_KEYLEN); + if (dst->custom_data == NULL) + return 0; + } + if (src != NULL) + memcpy(dst->custom_data, src, EC_X25519_KEYLEN); + return 1; +} + +static int x25519_group_init(EC_GROUP *grp) +{ + return 1; +} + +static int x25519_group_copy(EC_GROUP *dst, const EC_GROUP *src) +{ + return 1; +} + +static int x25519_group_get_degree(const EC_GROUP *src) +{ + return EC_X25519_BITS; +} + +static int x25519_group_order_bits(const EC_GROUP *src) +{ + return EC_X25519_BITS; +} + +static int x25519_set_private(EC_KEY *eckey, const BIGNUM *priv_key) +{ + if (BN_num_bytes(priv_key) > EC_X25519_KEYLEN) + return 0; + if (x25519_init_private(eckey, NULL)) + return 0; + /* Convert BIGNUM form private key to internal format */ + if (BN_bn2lebinpad(priv_key, eckey->custom_data, EC_X25519_KEYLEN) + != EC_X25519_KEYLEN) + return 0; + return 1; +} + +static int x25519_keycheck(const EC_KEY *eckey) +{ + const char *pubkey; + if (eckey->pub_key == NULL) + return 0; + pubkey = eckey->pub_key->custom_data; + if (pubkey == NULL) + return 0; + if (eckey->custom_data != NULL) { + uint8_t tmp[EC_X25519_KEYLEN]; + /* Check eckey->priv_key exists and matches eckey->custom_data */ + if (eckey->priv_key == NULL) + return 0; + if (BN_bn2lebinpad(eckey->priv_key, tmp, EC_X25519_KEYLEN) + != EC_X25519_KEYLEN + || CRYPTO_memcmp(tmp, eckey->custom_data, + EC_X25519_KEYLEN) != 0) { + OPENSSL_cleanse(tmp, EC_X25519_KEYLEN); + return 0; + } + X25519_public_from_private(tmp, eckey->custom_data); + if (CRYPTO_memcmp(pubkey, tmp, EC_X25519_KEYLEN) == 0) + return 1; + return 0; + } else { + return 1; + } +} + +static int x25519_keygenpub(EC_KEY *eckey) +{ + X25519_public_from_private(eckey->pub_key->custom_data, + eckey->custom_data); + return 1; +} + +static int x25519_keygen(EC_KEY *eckey) +{ + unsigned char *key; + if (x25519_init_private(eckey, NULL) == 0) + return 0; + key = eckey->custom_data; + if (RAND_bytes(key, EC_X25519_KEYLEN) <= 0) + return 0; + key[0] &= 248; + key[31] &= 127; + key[31] |= 64; + /* + * Although the private key is kept as an array in eckey->custom_data + * Set eckey->priv_key too so existing code which uses + * EC_KEY_get0_private_key() still works. + */ + if (eckey->priv_key == NULL) + eckey->priv_key = BN_secure_new(); + if (eckey->priv_key == NULL) + return 0; + if (BN_lebin2bn(eckey->custom_data, EC_X25519_KEYLEN, eckey->priv_key) == + NULL) + return 0; + if (eckey->pub_key == NULL) + eckey->pub_key = EC_POINT_new(eckey->group); + if (eckey->pub_key == NULL) + return 0; + return x25519_keygenpub(eckey); +} + +static void x25519_keyfinish(EC_KEY *eckey) +{ + OPENSSL_secure_free(eckey->custom_data); + eckey->custom_data = NULL; +} + +static int x25519_keycopy(EC_KEY *dest, const EC_KEY *src) +{ + if (src->custom_data == NULL) + return 0; + return x25519_init_private(dest, src->custom_data); +} + +static int x25519_oct2priv(EC_KEY *eckey, unsigned char *buf, size_t len) +{ + if (len != EC_X25519_KEYLEN) + return 0; + if (x25519_init_private(eckey, buf) == 0) + return 0; + /* + * Although the private key is kept as an array in eckey->custom_data + * Set eckey->priv_key too so existing code which uses + * EC_KEY_get0_private_key() still works. + */ + if (eckey->priv_key == NULL) + eckey->priv_key = BN_secure_new(); + if (eckey->priv_key == NULL) + return 0; + if (BN_lebin2bn(buf, EC_X25519_KEYLEN, eckey->priv_key) == NULL) + return 0; + return 1; +} + +static size_t x25519_priv2oct(const EC_KEY *eckey, + unsigned char *buf, size_t len) +{ + size_t keylen = EC_X25519_KEYLEN; + if (eckey->custom_data == NULL) + return 0; + if (buf != NULL) { + if (len < keylen) + return 0; + memcpy(buf, eckey->custom_data, keylen); + } + return keylen; +} + +static int x25519_point_init(EC_POINT *pt) +{ + return x25519_init_public(pt, NULL); +} + +static void x25519_point_finish(EC_POINT *pt) +{ + OPENSSL_free(pt->custom_data); + pt->custom_data = NULL; +} + +static void x25519_point_clear_finish(EC_POINT *pt) +{ + OPENSSL_clear_free(pt->custom_data, EC_X25519_KEYLEN); + pt->custom_data = NULL; +} + +static int x25519_point_copy(EC_POINT *dst, const EC_POINT *src) +{ + memcpy(dst->custom_data, src->custom_data, EC_X25519_KEYLEN); + return 1; +} + +static size_t x25519_point2oct(const EC_GROUP *grp, const EC_POINT *pt, + point_conversion_form_t form, + unsigned char *buf, size_t len, BN_CTX *ctx) +{ + if (buf != NULL) { + if (len < EC_X25519_KEYLEN) + return 0; + memcpy(buf, pt->custom_data, EC_X25519_KEYLEN); + } + return EC_X25519_KEYLEN; +} + +static int x25519_oct2point(const EC_GROUP *grp, EC_POINT *pt, + const unsigned char *buf, size_t len, BN_CTX *ctx) +{ + unsigned char *pubkey = pt->custom_data; + if (len != EC_X25519_KEYLEN) + return 0; + memcpy(pubkey, buf, EC_X25519_KEYLEN); + /* Mask off MSB */ + pubkey[EC_X25519_KEYLEN - 1] &= 0x7F; + return 1; +} + +static int x25519_point_cmp(const EC_GROUP *group, const EC_POINT *a, + const EC_POINT *b, BN_CTX *ctx) +{ + /* Shouldn't happen as initialised to non-zero */ + if (a->custom_data == NULL || b->custom_data == NULL) + return -1; + + if (CRYPTO_memcmp(a->custom_data, b->custom_data, EC_X25519_KEYLEN) == 0) + return 0; + + return 1; +} + +static int x25519_compute_key(void *out, size_t outlen, + const EC_POINT *pub_key, const EC_KEY *ecdh, + void *(*KDF) (const void *in, size_t inlen, + void *out, size_t *outlen)) +{ + unsigned char *key; + int ret = -1; + if (ecdh->custom_data == NULL) + return -1; + key = OPENSSL_malloc(EC_X25519_KEYLEN); + if (key == NULL) + return -1; + if (X25519(key, ecdh->custom_data, pub_key->custom_data) == 0) + goto err; + if (KDF) { + if (KDF(key, EC_X25519_KEYLEN, out, &outlen) == NULL) + goto err; + ret = outlen; + } else { + if (outlen > EC_X25519_KEYLEN) + outlen = EC_X25519_KEYLEN; + memcpy(out, key, outlen); + ret = outlen; + } + + err: + OPENSSL_clear_free(key, EC_X25519_KEYLEN); + return ret; +} + +const EC_METHOD *ec_x25519_meth(void) +{ + static const EC_METHOD ret = { + EC_FLAGS_CUSTOM_CURVE, + NID_undef, + x25519_group_init, /* group_init */ + 0, /* group_finish */ + 0, /* group_clear_finish */ + x25519_group_copy, /* group_copy */ + 0, /* group_set_curve */ + 0, /* group_get_curve */ + x25519_group_get_degree, + x25519_group_order_bits, + 0, /* group_check_discriminant */ + x25519_point_init, + x25519_point_finish, + x25519_point_clear_finish, + x25519_point_copy, + 0, /* point_set_to_infinity */ + 0, /* set_Jprojective_coordinates_GFp */ + 0, /* get_Jprojective_coordinates_GFp */ + 0, /* point_set_affine_coordinates */ + 0, /* point_get_affine_coordinates */ + 0, /* point_set_compressed_coordinates */ + x25519_point2oct, + x25519_oct2point, + 0, /* simple_add */ + 0, /* simple_dbl */ + 0, /* simple_invert */ + 0, /* simple_is_at_infinity */ + 0, /* simple_is_on_curve */ + x25519_point_cmp, + 0, /* simple_make_affine */ + 0, /* simple_points_make_affine */ + 0, /* points_mul */ + 0, /* precompute_mult */ + 0, /* have_precompute_mult */ + 0, /* field_mul */ + 0, /* field_sqr */ + 0, /* field_div */ + 0, /* field_encode */ + 0, /* field_decode */ + 0, /* field_set_to_one */ + x25519_priv2oct, + x25519_oct2priv, + x25519_set_private, + x25519_keygen, + x25519_keycheck, + x25519_keygenpub, + x25519_keycopy, + x25519_keyfinish, + x25519_compute_key + }; + + return &ret; +} diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 3143b4659b..efdfabe1e1 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -650,3 +650,10 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey); + +const EC_METHOD *ec_x25519_meth(void); + +int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], + const uint8_t peer_public_value[32]); +void X25519_public_from_private(uint8_t out_public_value[32], + const uint8_t private_key[32]); -- 2.40.0