crypto/ec_extra/ec_derive.c - third_party/boringssl/boringssl - Git at Google

 /* Copyright (c) 2019, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

 #include <openssl/ec_key.h>

 #include <string.h>

 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/digest.h>
 #include <openssl/hkdf.h>
 #include <openssl/mem.h>

 #include "../fipsmodule/ec/internal.h"


 EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,
                                   size_t secret_len) {
 #define EC_KEY_DERIVE_MAX_NAME_LEN 16
   const char *name = EC_curve_nid2nist(EC_GROUP_get_curve_name(group));
   if (name == NULL || strlen(name) > EC_KEY_DERIVE_MAX_NAME_LEN) {
     OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
     return NULL;
   }

   // Assemble a label string to provide some key separation in case |secret| is
   // misused, but ultimately it's on the caller to ensure |secret| is suitably
   // separated.
   static const char kLabel[] = "derive EC key ";
   char info[sizeof(kLabel) + EC_KEY_DERIVE_MAX_NAME_LEN];
   OPENSSL_strlcpy(info, kLabel, sizeof(info));
   OPENSSL_strlcat(info, name, sizeof(info));

   // Generate 128 bits beyond the group order so the bias is at most 2^-128.
 #define EC_KEY_DERIVE_EXTRA_BITS 128
 #define EC_KEY_DERIVE_EXTRA_BYTES (EC_KEY_DERIVE_EXTRA_BITS / 8)

   if (EC_GROUP_order_bits(group) <= EC_KEY_DERIVE_EXTRA_BITS + 8) {
     // The reduction strategy below requires the group order be large enough.
     // (The actual bound is a bit tighter, but our curves are much larger than
     // 128-bit.)
     OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
     return NULL;
   }

   uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES];
   size_t derived_len = BN_num_bytes(&group->order) + EC_KEY_DERIVE_EXTRA_BYTES;
   assert(derived_len <= sizeof(derived));
   if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len,
             /*salt=*/NULL, /*salt_len=*/0, (const uint8_t *)info,
             strlen(info))) {
     return NULL;
   }

   EC_KEY *key = EC_KEY_new();
   BN_CTX *ctx = BN_CTX_new();
   BIGNUM *priv = BN_bin2bn(derived, derived_len, NULL);
   EC_POINT *pub = EC_POINT_new(group);
   if (key == NULL || ctx == NULL || priv == NULL || pub == NULL ||
       // Reduce |priv| with Montgomery reduction. First, convert "from"
       // Montgomery form to compute |priv| * R^-1 mod |order|. This requires
       // |priv| be under order * R, which is true if the group order is large
       // enough. 2^(num_bytes(order)) < 2^8 * order, so:
       //
       //    priv < 2^8 * order * 2^128 < order * order < order * R
       !BN_from_montgomery(priv, priv, group->order_mont, ctx) ||
       // Multiply by R^2 and do another Montgomery reduction to compute
       // priv * R^-1 * R^2 * R^-1 = priv mod order.
       !BN_to_montgomery(priv, priv, group->order_mont, ctx) ||
       !EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) ||
       !EC_KEY_set_group(key, group) || !EC_KEY_set_public_key(key, pub) ||
       !EC_KEY_set_private_key(key, priv)) {
     EC_KEY_free(key);
     key = NULL;
     goto err;
   }

 err:
   OPENSSL_cleanse(derived, sizeof(derived));
   BN_CTX_free(ctx);
   BN_free(priv);
   EC_POINT_free(pub);
   return key;
 }
	/* Copyright (c) 2019, Google Inc.
	*
	* Permission to use, copy, modify, and/or distribute this software for any
	* purpose with or without fee is hereby granted, provided that the above
	* copyright notice and this permission notice appear in all copies.
	*
	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

	#include <openssl/ec_key.h>

	#include <string.h>

	#include <openssl/ec.h>
	#include <openssl/err.h>
	#include <openssl/digest.h>
	#include <openssl/hkdf.h>
	#include <openssl/mem.h>

	#include "../fipsmodule/ec/internal.h"


	EC_KEY EC_KEY_derive_from_secret(const EC_GROUP group, const uint8_t *secret,
	size_t secret_len) {
	#define EC_KEY_DERIVE_MAX_NAME_LEN 16
	const char *name = EC_curve_nid2nist(EC_GROUP_get_curve_name(group));
	if (name == NULL \|\| strlen(name) > EC_KEY_DERIVE_MAX_NAME_LEN) {
	OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);
	return NULL;
	}

	// Assemble a label string to provide some key separation in case \|secret\| is
	// misused, but ultimately it's on the caller to ensure \|secret\| is suitably
	// separated.
	static const char kLabel[] = "derive EC key ";
	char info[sizeof(kLabel) + EC_KEY_DERIVE_MAX_NAME_LEN];
	OPENSSL_strlcpy(info, kLabel, sizeof(info));
	OPENSSL_strlcat(info, name, sizeof(info));

	// Generate 128 bits beyond the group order so the bias is at most 2^-128.
	#define EC_KEY_DERIVE_EXTRA_BITS 128
	#define EC_KEY_DERIVE_EXTRA_BYTES (EC_KEY_DERIVE_EXTRA_BITS / 8)

	if (EC_GROUP_order_bits(group) <= EC_KEY_DERIVE_EXTRA_BITS + 8) {
	// The reduction strategy below requires the group order be large enough.
	// (The actual bound is a bit tighter, but our curves are much larger than
	// 128-bit.)
	OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
	return NULL;
	}

	uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES];
	size_t derived_len = BN_num_bytes(&group->order) + EC_KEY_DERIVE_EXTRA_BYTES;
	assert(derived_len <= sizeof(derived));
	if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len,
	/salt=/NULL, /salt_len=/0, (const uint8_t *)info,
	strlen(info))) {
	return NULL;
	}

	EC_KEY *key = EC_KEY_new();
	BN_CTX *ctx = BN_CTX_new();
	BIGNUM *priv = BN_bin2bn(derived, derived_len, NULL);
	EC_POINT *pub = EC_POINT_new(group);
	if (key == NULL \|\| ctx == NULL \|\| priv == NULL \|\| pub == NULL \|\|
	// Reduce \|priv\| with Montgomery reduction. First, convert "from"
	// Montgomery form to compute \|priv\| * R^-1 mod \|order\|. This requires
	// \|priv\| be under order * R, which is true if the group order is large
	// enough. 2^(num_bytes(order)) < 2^8 * order, so:
	//
	// priv < 2^8 * order * 2^128 < order * order < order * R
	!BN_from_montgomery(priv, priv, group->order_mont, ctx) \|\|
	// Multiply by R^2 and do another Montgomery reduction to compute
	// priv * R^-1 * R^2 * R^-1 = priv mod order.
	!BN_to_montgomery(priv, priv, group->order_mont, ctx) \|\|
	!EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) \|\|
	!EC_KEY_set_group(key, group) \|\| !EC_KEY_set_public_key(key, pub) \|\|
	!EC_KEY_set_private_key(key, priv)) {
	EC_KEY_free(key);
	key = NULL;
	goto err;
	}

	err:
	OPENSSL_cleanse(derived, sizeof(derived));
	BN_CTX_free(ctx);
	BN_free(priv);
	EC_POINT_free(pub);
	return key;
	}