/* Copyright (c) 2019, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ec_key.h>
16
17 #include <string.h>
18
19 #include <openssl/buf.h>
20 #include <openssl/ec.h>
21 #include <openssl/err.h>
22 #include <openssl/digest.h>
23 #include <openssl/hkdf.h>
24 #include <openssl/mem.h>
25
26 #include "../fipsmodule/ec/internal.h"
27
28
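// EC_KEY_derive_from_secret deterministically derives an EC private key on
// |group| from the |secret_len| bytes at |secret|: the secret is expanded with
// HKDF-SHA256 under a label that binds the curve name, the output is reduced
// modulo the group order, and the matching public point is computed. On success
// it returns a newly allocated EC_KEY that the caller owns and must release
// with |EC_KEY_free|. On failure it pushes an error and returns NULL; this
// happens for groups without a NIST name, for groups whose order is too small
// for the reduction below, and for allocation or arithmetic failures.
//
// The derivation is deterministic, so the same (|group|, |secret|) pair always
// yields the same key and |secret| must be protected like the private key.
EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,
                                  size_t secret_len) {
#define EC_KEY_DERIVE_MAX_NAME_LEN 16
  // |EC_curve_nid2nist| yields NULL for groups without a NIST name; such groups
  // are rejected rather than derived under an empty or ambiguous label.
  const char *name = EC_curve_nid2nist(EC_GROUP_get_curve_name(group));
  if (name == NULL || strlen(name) > EC_KEY_DERIVE_MAX_NAME_LEN) {
    OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
    return NULL;
  }

  // Assemble a label string to provide some key separation in case |secret| is
  // misused, but ultimately it's on the caller to ensure |secret| is suitably
  // separated. |info| is sized for the label plus the longest accepted name,
  // and the bounded copy/concat above that bound truncates rather than
  // overflows.
  static const char kLabel[] = "derive EC key ";
  char info[sizeof(kLabel) + EC_KEY_DERIVE_MAX_NAME_LEN];
  BUF_strlcpy(info, kLabel, sizeof(info));
  BUF_strlcat(info, name, sizeof(info));

  // Generate 128 bits beyond the group order so the bias is at most 2^-128.
#define EC_KEY_DERIVE_EXTRA_BITS 128
#define EC_KEY_DERIVE_EXTRA_BYTES (EC_KEY_DERIVE_EXTRA_BITS / 8)

  if (EC_GROUP_order_bits(group) <= EC_KEY_DERIVE_EXTRA_BITS + 8) {
    // The reduction strategy below requires the group order be large enough.
    // (The actual bound is a bit tighter, but our curves are much larger than
    // 128-bit.)
    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
    return NULL;
  }

  uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES];
  size_t derived_len = BN_num_bytes(&group->order) + EC_KEY_DERIVE_EXTRA_BYTES;
  // |EC_MAX_BYTES| is meant to bound every supported group order, so this
  // should never trigger. Keep it as a real check rather than an assert: an
  // assert disappears in release builds and would leave a stack overflow
  // behind if the bound were ever violated.
  if (derived_len > sizeof(derived)) {
    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
    return NULL;
  }

  // Everything released at |err| starts out NULL so that every failure from
  // here on can share one cleanup path. Each *_free below accepts NULL.
  EC_KEY *ret = NULL;
  EC_KEY *key = NULL;
  BN_CTX *ctx = NULL;
  BIGNUM *priv = NULL;
  EC_POINT *pub = NULL;

  if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len,
            /*salt=*/NULL, /*salt_len=*/0, (const uint8_t *)info,
            strlen(info))) {
    // |derived| may already hold partial output; go through the cleanup so it
    // is wiped regardless of where HKDF gave up.
    goto err;
  }

  key = EC_KEY_new();
  ctx = BN_CTX_new();
  priv = BN_bin2bn(derived, derived_len, NULL);
  pub = EC_POINT_new(group);
  if (key == NULL || ctx == NULL || priv == NULL || pub == NULL ||
      // Reduce |priv| with Montgomery reduction. First, convert "from"
      // Montgomery form to compute |priv| * R^-1 mod |order|. This requires
      // |priv| be under order * R, which is true if the group order is large
      // enough. 2^(num_bytes(order)) < 2^8 * order, so:
      //
      //   priv < 2^8 * order * 2^128 < order * order < order * R
      !BN_from_montgomery(priv, priv, group->order_mont, ctx) ||
      // Multiply by R^2 and do another Montgomery reduction to compute
      // priv * R^-1 * R^2 * R^-1 = priv mod order.
      !BN_to_montgomery(priv, priv, group->order_mont, ctx) ||
      !EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) ||
      !EC_KEY_set_group(key, group) || !EC_KEY_set_public_key(key, pub) ||
      !EC_KEY_set_private_key(key, priv)) {
    goto err;
  }

  // Success: transfer ownership of |key| to the caller so the cleanup below
  // does not free it.
  ret = key;
  key = NULL;

err:
  // |derived| is raw private key material; wipe it on every exit path. |priv|
  // and |pub| are released by their own free functions.
  OPENSSL_cleanse(derived, sizeof(derived));
  EC_KEY_free(key);
  BN_CTX_free(ctx);
  BN_free(priv);
  EC_POINT_free(pub);
  return ret;
}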