Ensure EC private keys retain leading zeros

RFC 5915 requires the use of the I2OSP primitive as defined in RFC 3447 for encoding ECPrivateKey. Fix this and add a test. See also upstream's 30cd4ff294252c4b6a4b69cbef6a5b4117705d22, though it mixes up degree and order. Change-Id: I81ba14da3c8d69e3799422c669fab7f16956f322 Reviewed-on: https://boringssl-review.googlesource.com/4469 Reviewed-by: Adam Langley <agl@google.com>
author: David Benjamin <davidben@chromium.org> 2015-04-20 23:56:44 +0300
committer: Adam Langley <agl@google.com> 2015-04-29 00:03:27 +0300
commit: 7743c026cb7b2257c1f21a1e22f4bb46d6561633 (patch)
tree: 0e2b5548f19e68384293e165c58b675ac2830f48 /crypto/ec
parent: 67be048e1a3272fe5202c5571dc23d16cfa2ed04 (diff)
2 files changed, 95 insertions, 12 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 87e91e1f..c32ae131 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -409,14 +409,14 @@ int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) {
 
   priv_key->version = key->version;
 
-  buf_len = BN_num_bytes(key->priv_key);
+  buf_len = BN_num_bytes(&key->group->order);
   buffer = OPENSSL_malloc(buf_len);
   if (buffer == NULL) {
     OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_MALLOC_FAILURE);
     goto err;
   }
 
-  if (!BN_bn2bin(key->priv_key, buffer)) {
+  if (!BN_bn2bin_padded(buffer, buf_len, key->priv_key)) {
     OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_BN_LIB);
     goto err;
   }
diff --git a/crypto/ec/ec_test.cc b/crypto/ec/ec_test.cc
index 9b49a551..0c9eed67 100644
--- a/crypto/ec/ec_test.cc
+++ b/crypto/ec/ec_test.cc
@@ -27,6 +27,8 @@
 #include "internal.h"
 
 
+// kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field
+// omitted.
 static const uint8_t kECKeyWithoutPublic[] = {
   0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
   0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
@@ -34,26 +36,74 @@ static const uint8_t kECKeyWithoutPublic[] = {
   0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
 };
 
-bool Testd2i_ECPrivateKey(void) {
-  const uint8_t *inp = kECKeyWithoutPublic;
-  ScopedEC_KEY key(d2i_ECPrivateKey(NULL, &inp, sizeof(kECKeyWithoutPublic)));
+// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
+// the private key is one. The private key is incorrectly encoded without zero
+// padding.
+static const uint8_t kECKeyMissingZeros[] = {
+  0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
+  0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04,
+  0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63,
+  0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1,
+  0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f,
+  0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+  0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
+};
+
+// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
+// the private key is one. The private key is encoded with the required zero
+// padding.
+static const uint8_t kECKeyWithZeros[] = {
+  0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+  0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1,
+  0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
+  0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d,
+  0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,
+  0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e,
+  0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,
+  0x37, 0xbf, 0x51, 0xf5,
+};
 
-  if (!key || inp != kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) {
+// DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the
+// result or nullptr on error.
+static ScopedEC_KEY DecodeECPrivateKey(const uint8_t *in, size_t in_len) {
+  const uint8_t *inp = in;
+  ScopedEC_KEY ret(d2i_ECPrivateKey(NULL, &inp, in_len));
+  if (!ret || inp != in + in_len) {
+    return nullptr;
+  }
+  return ret;
+}
+
+// EncodeECPrivateKey encodes |key| as an ECPrivateKey structure into |*out|. It
+// returns true on success or false on error.
+static bool EncodeECPrivateKey(std::vector<uint8_t> *out, EC_KEY *key) {
+  int len = i2d_ECPrivateKey(key, NULL);
+  out->resize(len);
+  uint8_t *outp = bssl::vector_data(out);
+  return i2d_ECPrivateKey(key, &outp) == len;
+}
+
+bool Testd2i_ECPrivateKey() {
+  ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithoutPublic,
+                                        sizeof(kECKeyWithoutPublic));
+  if (!key) {
     fprintf(stderr, "Failed to parse private key.\n");
     ERR_print_errors_fp(stderr);
     return false;
   }
 
-  int len = i2d_ECPrivateKey(key.get(), NULL);
-  std::vector<uint8_t> out(len);
-  uint8_t *outp = bssl::vector_data(&out);
-  if (len != i2d_ECPrivateKey(key.get(), &outp)) {
+  std::vector<uint8_t> out;
+  if (!EncodeECPrivateKey(&out, key.get())) {
     fprintf(stderr, "Failed to serialize private key.\n");
     ERR_print_errors_fp(stderr);
     return false;
   }
 
-  if (0 != memcmp(bssl::vector_data(&out), kECKeyWithoutPublic, len)) {
+  if (std::vector<uint8_t>(kECKeyWithoutPublic,
+                           kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) !=
+      out) {
     fprintf(stderr, "Serialisation of key doesn't match original.\n");
     return false;
   }
@@ -89,11 +139,44 @@ bool Testd2i_ECPrivateKey(void) {
   return true;
 }
 
+static bool TestZeroPadding() {
+  // Check that the correct encoding round-trips.
+  ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithZeros,
+                                        sizeof(kECKeyWithZeros));
+  std::vector<uint8_t> out;
+  if (!key || !EncodeECPrivateKey(&out, key.get())) {
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (std::vector<uint8_t>(kECKeyWithZeros,
+                           kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
+    fprintf(stderr, "Serialisation of key was incorrect.\n");
+    return false;
+  }
+
+  // Keys without leading zeros also parse, but they encode correctly.
+  key = DecodeECPrivateKey(kECKeyMissingZeros, sizeof(kECKeyMissingZeros));
+  if (!key || !EncodeECPrivateKey(&out, key.get())) {
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (std::vector<uint8_t>(kECKeyWithZeros,
+                           kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
+    fprintf(stderr, "Serialisation of key was incorrect.\n");
+    return false;
+  }
+
+  return true;
+}
+
 int main(void) {
   CRYPTO_library_init();
   ERR_load_crypto_strings();
 
-  if (!Testd2i_ECPrivateKey()) {
+  if (!Testd2i_ECPrivateKey() ||
+      !TestZeroPadding()) {
     fprintf(stderr, "failed\n");
     return 1;
   }
author	David Benjamin <davidben@chromium.org>	2015-04-20 23:56:44 +0300
committer	Adam Langley <agl@google.com>	2015-04-29 00:03:27 +0300
commit	7743c026cb7b2257c1f21a1e22f4bb46d6561633 (patch)
tree	0e2b5548f19e68384293e165c58b675ac2830f48 /crypto/ec
parent	67be048e1a3272fe5202c5571dc23d16cfa2ed04 (diff)