/* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ /* ==================================================================== * Copyright (c) 2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ #include #include #include #include "ec_lcl.h" /* Length of Curve 25519 keys */ #define EC_X25519_KEYLEN 32 /* Group degree and order bits */ #define EC_X25519_BITS 253 /* Copy Curve25519 public key buffer, allocating is necessary */ static int x25519_init_public(EC_POINT *pub, const void *src) { if (pub->custom_data == NULL) { pub->custom_data = OPENSSL_malloc(EC_X25519_KEYLEN); if (pub->custom_data == NULL) return 0; } if (src != NULL) memcpy(pub->custom_data, src, EC_X25519_KEYLEN); return 1; } /* Copy Curve25519 private key buffer, allocating is necessary */ static int x25519_init_private(EC_KEY *dst, const void *src) { if (dst->custom_data == NULL) { dst->custom_data = OPENSSL_secure_malloc(EC_X25519_KEYLEN); if (dst->custom_data == NULL) return 0; } if (src != NULL) memcpy(dst->custom_data, src, EC_X25519_KEYLEN); return 1; } static int x25519_group_init(EC_GROUP *grp) { return 1; } static int x25519_group_copy(EC_GROUP *dst, const EC_GROUP *src) { return 1; } static int x25519_group_get_degree(const EC_GROUP *src) { return EC_X25519_BITS; } static int x25519_group_order_bits(const EC_GROUP *src) { return EC_X25519_BITS; } static int x25519_set_private(EC_KEY *eckey, const BIGNUM *priv_key) { if (BN_num_bytes(priv_key) > EC_X25519_KEYLEN) return 0; if (x25519_init_private(eckey, NULL)) return 0; /* Convert BIGNUM form private key to internal format */ if (BN_bn2lebinpad(priv_key, eckey->custom_data, EC_X25519_KEYLEN) != EC_X25519_KEYLEN) return 0; return 1; } static int x25519_keycheck(const EC_KEY *eckey) { const char *pubkey; if (eckey->pub_key == NULL) return 0; pubkey = eckey->pub_key->custom_data; if (pubkey == NULL) return 0; if (eckey->custom_data != NULL) { uint8_t tmp[EC_X25519_KEYLEN]; /* Check eckey->priv_key exists and matches eckey->custom_data */ if (eckey->priv_key == NULL) return 0; if (BN_bn2lebinpad(eckey->priv_key, tmp, EC_X25519_KEYLEN) != EC_X25519_KEYLEN || CRYPTO_memcmp(tmp, eckey->custom_data, EC_X25519_KEYLEN) != 0) { OPENSSL_cleanse(tmp, EC_X25519_KEYLEN); return 0; } X25519_public_from_private(tmp, eckey->custom_data); if (CRYPTO_memcmp(pubkey, tmp, EC_X25519_KEYLEN) == 0) return 1; return 0; } else { return 1; } } static int x25519_keygenpub(EC_KEY *eckey) { X25519_public_from_private(eckey->pub_key->custom_data, eckey->custom_data); return 1; } static int x25519_keygen(EC_KEY *eckey) { unsigned char *key; if (x25519_init_private(eckey, NULL) == 0) return 0; key = eckey->custom_data; if (RAND_bytes(key, EC_X25519_KEYLEN) <= 0) return 0; key[0] &= 248; key[31] &= 127; key[31] |= 64; /* * Although the private key is kept as an array in eckey->custom_data * Set eckey->priv_key too so existing code which uses * EC_KEY_get0_private_key() still works. */ if (eckey->priv_key == NULL) eckey->priv_key = BN_secure_new(); if (eckey->priv_key == NULL) return 0; if (BN_lebin2bn(eckey->custom_data, EC_X25519_KEYLEN, eckey->priv_key) == NULL) return 0; if (eckey->pub_key == NULL) eckey->pub_key = EC_POINT_new(eckey->group); if (eckey->pub_key == NULL) return 0; return x25519_keygenpub(eckey); } static void x25519_keyfinish(EC_KEY *eckey) { OPENSSL_secure_free(eckey->custom_data); eckey->custom_data = NULL; } static int x25519_keycopy(EC_KEY *dest, const EC_KEY *src) { if (src->custom_data == NULL) return 0; return x25519_init_private(dest, src->custom_data); } static int x25519_oct2priv(EC_KEY *eckey, unsigned char *buf, size_t len) { if (len != EC_X25519_KEYLEN) return 0; if (x25519_init_private(eckey, buf) == 0) return 0; /* * Although the private key is kept as an array in eckey->custom_data * Set eckey->priv_key too so existing code which uses * EC_KEY_get0_private_key() still works. */ if (eckey->priv_key == NULL) eckey->priv_key = BN_secure_new(); if (eckey->priv_key == NULL) return 0; if (BN_lebin2bn(buf, EC_X25519_KEYLEN, eckey->priv_key) == NULL) return 0; return 1; } static size_t x25519_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len) { size_t keylen = EC_X25519_KEYLEN; if (eckey->custom_data == NULL) return 0; if (buf != NULL) { if (len < keylen) return 0; memcpy(buf, eckey->custom_data, keylen); } return keylen; } static int x25519_point_init(EC_POINT *pt) { return x25519_init_public(pt, NULL); } static void x25519_point_finish(EC_POINT *pt) { OPENSSL_free(pt->custom_data); pt->custom_data = NULL; } static void x25519_point_clear_finish(EC_POINT *pt) { OPENSSL_clear_free(pt->custom_data, EC_X25519_KEYLEN); pt->custom_data = NULL; } static int x25519_point_copy(EC_POINT *dst, const EC_POINT *src) { memcpy(dst->custom_data, src->custom_data, EC_X25519_KEYLEN); return 1; } static size_t x25519_point2oct(const EC_GROUP *grp, const EC_POINT *pt, point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx) { if (buf != NULL) { if (len < EC_X25519_KEYLEN) return 0; memcpy(buf, pt->custom_data, EC_X25519_KEYLEN); } return EC_X25519_KEYLEN; } static int x25519_oct2point(const EC_GROUP *grp, EC_POINT *pt, const unsigned char *buf, size_t len, BN_CTX *ctx) { unsigned char *pubkey = pt->custom_data; if (len != EC_X25519_KEYLEN) return 0; memcpy(pubkey, buf, EC_X25519_KEYLEN); /* Mask off MSB */ pubkey[EC_X25519_KEYLEN - 1] &= 0x7F; return 1; } static int x25519_point_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { /* Shouldn't happen as initialised to non-zero */ if (a->custom_data == NULL || b->custom_data == NULL) return -1; if (CRYPTO_memcmp(a->custom_data, b->custom_data, EC_X25519_KEYLEN) == 0) return 0; return 1; } static int x25519_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *ecdh, void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)) { unsigned char *key; int ret = -1; if (ecdh->custom_data == NULL) return -1; key = OPENSSL_malloc(EC_X25519_KEYLEN); if (key == NULL) return -1; if (X25519(key, ecdh->custom_data, pub_key->custom_data) == 0) goto err; if (KDF) { if (KDF(key, EC_X25519_KEYLEN, out, &outlen) == NULL) goto err; ret = outlen; } else { if (outlen > EC_X25519_KEYLEN) outlen = EC_X25519_KEYLEN; memcpy(out, key, outlen); ret = outlen; } err: OPENSSL_clear_free(key, EC_X25519_KEYLEN); return ret; } const EC_METHOD *ec_x25519_meth(void) { static const EC_METHOD ret = { EC_FLAGS_CUSTOM_CURVE, NID_undef, x25519_group_init, /* group_init */ 0, /* group_finish */ 0, /* group_clear_finish */ x25519_group_copy, /* group_copy */ 0, /* group_set_curve */ 0, /* group_get_curve */ x25519_group_get_degree, x25519_group_order_bits, 0, /* group_check_discriminant */ x25519_point_init, x25519_point_finish, x25519_point_clear_finish, x25519_point_copy, 0, /* point_set_to_infinity */ 0, /* set_Jprojective_coordinates_GFp */ 0, /* get_Jprojective_coordinates_GFp */ 0, /* point_set_affine_coordinates */ 0, /* point_get_affine_coordinates */ 0, /* point_set_compressed_coordinates */ x25519_point2oct, x25519_oct2point, 0, /* simple_add */ 0, /* simple_dbl */ 0, /* simple_invert */ 0, /* simple_is_at_infinity */ 0, /* simple_is_on_curve */ x25519_point_cmp, 0, /* simple_make_affine */ 0, /* simple_points_make_affine */ 0, /* points_mul */ 0, /* precompute_mult */ 0, /* have_precompute_mult */ 0, /* field_mul */ 0, /* field_sqr */ 0, /* field_div */ 0, /* field_encode */ 0, /* field_decode */ 0, /* field_set_to_one */ x25519_priv2oct, x25519_oct2priv, x25519_set_private, x25519_keygen, x25519_keycheck, x25519_keygenpub, x25519_keycopy, x25519_keyfinish, x25519_compute_key }; return &ret; }