CoCalc -- openssl.c

GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/plugins/preauth/spake/openssl.c
³⁴⁹⁰⁷ views
1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/* plugins/preauth/spake/openssl.c - SPAKE implementations using OpenSSL */
3
/*
4
 * Copyright (C) 2015 by the Massachusetts Institute of Technology.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 *
11
 * * Redistributions of source code must retain the above copyright
12
 *   notice, this list of conditions and the following disclaimer.
13
 *
14
 * * Redistributions in binary form must reproduce the above copyright
15
 *   notice, this list of conditions and the following disclaimer in
16
 *   the documentation and/or other materials provided with the
17
 *   distribution.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30
 * OF THE POSSIBILITY OF SUCH DAMAGE.
31
 */
32

33
#include "k5-int.h"
34

35
#include "groups.h"
36
#include "iana.h"
37

38
#ifdef SPAKE_OPENSSL
39
#include <openssl/bn.h>
40
#include <openssl/ec.h>
41
#include <openssl/obj_mac.h>
42
#include <openssl/evp.h>
43

44
/* OpenSSL 1.1 standardizes constructor and destructor names, renaming
45
 * EVP_MD_CTX_create and EVP_MD_CTX_destroy. */
46
#if OPENSSL_VERSION_NUMBER < 0x10100000L
47
#define EVP_MD_CTX_new EVP_MD_CTX_create
48
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
49
#endif
50

51
struct groupdata_st {
52
    const groupdef *gdef;
53
    EC_GROUP *group;
54
    BIGNUM *order;
55
    BN_CTX *ctx;
56
    EC_POINT *M;
57
    EC_POINT *N;
58
    const EVP_MD *md;
59
};
60

61
static void
62
ossl_fini(groupdata *gd)
63
{
64
    if (gd == NULL)
65
        return;
66

67
    EC_GROUP_free(gd->group);
68
    EC_POINT_free(gd->M);
69
    EC_POINT_free(gd->N);
70
    BN_CTX_free(gd->ctx);
71
    BN_free(gd->order);
72
    free(gd);
73
}
74

75
static krb5_error_code
76
ossl_init(krb5_context context, const groupdef *gdef, groupdata **gdata_out)
77
{
78
    const spake_iana *reg = gdef->reg;
79
    const EVP_MD *md;
80
    groupdata *gd;
81
    int nid;
82

83
    switch (reg->id) {
84
    case SPAKE_GROUP_P256:
85
        nid = NID_X9_62_prime256v1;
86
        md = EVP_sha256();
87
        break;
88
    case SPAKE_GROUP_P384:
89
        nid = NID_secp384r1;
90
        md = EVP_sha384();
91
        break;
92
    case SPAKE_GROUP_P521:
93
        nid = NID_secp521r1;
94
        md = EVP_sha512();
95
        break;
96
    default:
97
        return EINVAL;
98
    };
99

100
    gd = calloc(1, sizeof(*gd));
101
    if (gd == NULL)
102
        return ENOMEM;
103
    gd->gdef = gdef;
104

105
    gd->group = EC_GROUP_new_by_curve_name(nid);
106
    if (gd->group == NULL)
107
        goto error;
108

109
    gd->ctx = BN_CTX_new();
110
    if (gd->ctx == NULL)
111
        goto error;
112

113
    gd->order = BN_new();
114
    if (gd->order == NULL)
115
        goto error;
116
    if (!EC_GROUP_get_order(gd->group, gd->order, gd->ctx))
117
        goto error;
118

119
    gd->M = EC_POINT_new(gd->group);
120
    if (gd->M == NULL)
121
        goto error;
122
    if (!EC_POINT_oct2point(gd->group, gd->M, reg->m, reg->elem_len, gd->ctx))
123
        goto error;
124

125
    gd->N = EC_POINT_new(gd->group);
126
    if (gd->N == NULL)
127
        goto error;
128
    if (!EC_POINT_oct2point(gd->group, gd->N, reg->n, reg->elem_len, gd->ctx))
129
        goto error;
130

131
    gd->md = md;
132

133
    *gdata_out = gd;
134
    return 0;
135

136
error:
137
    ossl_fini(gd);
138
    return ENOMEM;
139
}
140

141
/* Convert pseudo-random bytes into a scalar value in constant time.
142
 * Return NULL on failure. */
143
static BIGNUM *
144
unmarshal_w(const groupdata *gdata, const uint8_t *wbytes)
145
{
146
    const spake_iana *reg = gdata->gdef->reg;
147
    BIGNUM *w = NULL;
148

149
    w = BN_new();
150
    if (w == NULL)
151
        return NULL;
152

153
    BN_set_flags(w, BN_FLG_CONSTTIME);
154

155
    if (BN_bin2bn(wbytes, reg->mult_len, w) &&
156
        BN_div(NULL, w, w, gdata->order, gdata->ctx))
157
        return w;
158

159
    BN_free(w);
160
    return NULL;
161
}
162

163
static krb5_error_code
164
ossl_keygen(krb5_context context, groupdata *gdata, const uint8_t *wbytes,
165
            krb5_boolean use_m, uint8_t *priv_out, uint8_t *pub_out)
166
{
167
    const spake_iana *reg = gdata->gdef->reg;
168
    const EC_POINT *constant = use_m ? gdata->M : gdata->N;
169
    krb5_boolean success = FALSE;
170
    EC_POINT *pub = NULL;
171
    BIGNUM *priv = NULL, *w = NULL;
172
    size_t len;
173

174
    w = unmarshal_w(gdata, wbytes);
175
    if (w == NULL)
176
        goto cleanup;
177

178
    pub = EC_POINT_new(gdata->group);
179
    if (pub == NULL)
180
        goto cleanup;
181

182
    priv = BN_new();
183
    if (priv == NULL)
184
        goto cleanup;
185

186
    if (!BN_rand_range(priv, gdata->order))
187
        goto cleanup;
188

189
    /* Compute priv*G + w*constant; EC_POINT_mul() does this in one call. */
190
    if (!EC_POINT_mul(gdata->group, pub, priv, constant, w, gdata->ctx))
191
        goto cleanup;
192

193
    /* Marshal priv into priv_out. */
194
    memset(priv_out, 0, reg->mult_len);
195
    BN_bn2bin(priv, &priv_out[reg->mult_len - BN_num_bytes(priv)]);
196

197
    /* Marshal pub into pub_out. */
198
    len = EC_POINT_point2oct(gdata->group, pub, POINT_CONVERSION_COMPRESSED,
199
                             pub_out, reg->elem_len, gdata->ctx);
200
    if (len != reg->elem_len)
201
        goto cleanup;
202

203
    success = TRUE;
204

205
cleanup:
206
    EC_POINT_free(pub);
207
    BN_clear_free(priv);
208
    BN_clear_free(w);
209
    return success ? 0 : ENOMEM;
210
}
211

212
static krb5_error_code
213
ossl_result(krb5_context context, groupdata *gdata, const uint8_t *wbytes,
214
            const uint8_t *ourpriv, const uint8_t *theirpub,
215
            krb5_boolean use_m, uint8_t *elem_out)
216
{
217
    const spake_iana *reg = gdata->gdef->reg;
218
    const EC_POINT *constant = use_m ? gdata->M : gdata->N;
219
    krb5_boolean success = FALSE, invalid = FALSE;
220
    EC_POINT *result = NULL, *pub = NULL;
221
    BIGNUM *priv = NULL, *w = NULL;
222
    size_t len;
223

224
    w = unmarshal_w(gdata, wbytes);
225
    if (w == NULL)
226
        goto cleanup;
227

228
    priv = BN_bin2bn(ourpriv, reg->mult_len, NULL);
229
    if (priv == NULL)
230
        goto cleanup;
231

232
    pub = EC_POINT_new(gdata->group);
233
    if (pub == NULL)
234
        goto cleanup;
235
    if (!EC_POINT_oct2point(gdata->group, pub, theirpub, reg->elem_len,
236
                            gdata->ctx)) {
237
        invalid = TRUE;
238
        goto cleanup;
239
    }
240

241
    /* Compute result = priv*(pub - w*constant), using result to hold the
242
     * intermediate steps. */
243
    result = EC_POINT_new(gdata->group);
244
    if (result == NULL)
245
        goto cleanup;
246
    if (!EC_POINT_mul(gdata->group, result, NULL, constant, w, gdata->ctx))
247
        goto cleanup;
248
    if (!EC_POINT_invert(gdata->group, result, gdata->ctx))
249
        goto cleanup;
250
    if (!EC_POINT_add(gdata->group, result, pub, result, gdata->ctx))
251
        goto cleanup;
252
    if (!EC_POINT_mul(gdata->group, result, NULL, result, priv, gdata->ctx))
253
        goto cleanup;
254

255
    /* Marshal result into elem_out. */
256
    len = EC_POINT_point2oct(gdata->group, result, POINT_CONVERSION_COMPRESSED,
257
                             elem_out, reg->elem_len, gdata->ctx);
258
    if (len != reg->elem_len)
259
        goto cleanup;
260

261
    success = TRUE;
262

263
cleanup:
264
    BN_clear_free(priv);
265
    BN_clear_free(w);
266
    EC_POINT_free(pub);
267
    EC_POINT_clear_free(result);
268
    return invalid ? EINVAL : (success ? 0 : ENOMEM);
269
}
270

271
static krb5_error_code
272
ossl_hash(krb5_context context, groupdata *gdata, const krb5_data *dlist,
273
          size_t ndata, uint8_t *result_out)
274
{
275
    EVP_MD_CTX *ctx;
276
    size_t i;
277
    int ok;
278

279
    ctx = EVP_MD_CTX_new();
280
    if (ctx == NULL)
281
        return ENOMEM;
282
    ok = EVP_DigestInit_ex(ctx, gdata->md, NULL);
283
    for (i = 0; i < ndata; i++)
284
        ok = ok && EVP_DigestUpdate(ctx, dlist[i].data, dlist[i].length);
285
    ok = ok && EVP_DigestFinal_ex(ctx, result_out, NULL);
286
    EVP_MD_CTX_free(ctx);
287
    return ok ? 0 : ENOMEM;
288
}
289

290
groupdef ossl_P256 = {
291
    .reg = &spake_iana_p256,
292
    .init = ossl_init,
293
    .fini = ossl_fini,
294
    .keygen = ossl_keygen,
295
    .result = ossl_result,
296
    .hash = ossl_hash,
297
};
298

299
groupdef ossl_P384 = {
300
    .reg = &spake_iana_p384,
301
    .init = ossl_init,
302
    .fini = ossl_fini,
303
    .keygen = ossl_keygen,
304
    .result = ossl_result,
305
    .hash = ossl_hash,
306
};
307

308
groupdef ossl_P521 = {
309
    .reg = &spake_iana_p521,
310
    .init = ossl_init,
311
    .fini = ossl_fini,
312
    .keygen = ossl_keygen,
313
    .result = ossl_result,
314
    .hash = ossl_hash,
315
};
316
#endif /* SPAKE_OPENSSL */
317

318
Product

Resources

Company
