diff options
author | David Benjamin <davidben@chromium.org> | 2015-04-20 23:56:44 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2015-04-29 00:03:27 +0300 |
commit | 7743c026cb7b2257c1f21a1e22f4bb46d6561633 (patch) | |
tree | 0e2b5548f19e68384293e165c58b675ac2830f48 /crypto/ec | |
parent | 67be048e1a3272fe5202c5571dc23d16cfa2ed04 (diff) |
Ensure EC private keys retain leading zeros
RFC 5915 requires the use of the I2OSP primitive as defined in RFC 3447
for encoding ECPrivateKey. Fix this and add a test.
See also upstream's 30cd4ff294252c4b6a4b69cbef6a5b4117705d22, though it mixes
up degree and order.
Change-Id: I81ba14da3c8d69e3799422c669fab7f16956f322
Reviewed-on: https://boringssl-review.googlesource.com/4469
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/ec')
-rw-r--r-- | crypto/ec/ec_asn1.c | 4 | ||||
-rw-r--r-- | crypto/ec/ec_test.cc | 103 |
2 files changed, 95 insertions, 12 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 87e91e1f..c32ae131 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -409,14 +409,14 @@ int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) { priv_key->version = key->version; - buf_len = BN_num_bytes(key->priv_key); + buf_len = BN_num_bytes(&key->group->order); buffer = OPENSSL_malloc(buf_len); if (buffer == NULL) { OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_MALLOC_FAILURE); goto err; } - if (!BN_bn2bin(key->priv_key, buffer)) { + if (!BN_bn2bin_padded(buffer, buf_len, key->priv_key)) { OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_BN_LIB); goto err; } diff --git a/crypto/ec/ec_test.cc b/crypto/ec/ec_test.cc index 9b49a551..0c9eed67 100644 --- a/crypto/ec/ec_test.cc +++ b/crypto/ec/ec_test.cc @@ -27,6 +27,8 @@ #include "internal.h" +// kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field +// omitted. static const uint8_t kECKeyWithoutPublic[] = { 0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, @@ -34,26 +36,74 @@ static const uint8_t kECKeyWithoutPublic[] = { 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, }; -bool Testd2i_ECPrivateKey(void) { - const uint8_t *inp = kECKeyWithoutPublic; - ScopedEC_KEY key(d2i_ECPrivateKey(NULL, &inp, sizeof(kECKeyWithoutPublic))); +// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where +// the private key is one. The private key is incorrectly encoded without zero +// padding. +static const uint8_t kECKeyMissingZeros[] = { + 0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, + 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63, + 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, + 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, + 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, + 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, +}; + +// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where +// the private key is one. The private key is encoded with the required zero +// padding. +static const uint8_t kECKeyWithZeros[] = { + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, + 0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, + 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, + 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, + 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, + 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, + 0x37, 0xbf, 0x51, 0xf5, +}; - if (!key || inp != kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) { +// DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the +// result or nullptr on error. +static ScopedEC_KEY DecodeECPrivateKey(const uint8_t *in, size_t in_len) { + const uint8_t *inp = in; + ScopedEC_KEY ret(d2i_ECPrivateKey(NULL, &inp, in_len)); + if (!ret || inp != in + in_len) { + return nullptr; + } + return ret; +} + +// EncodeECPrivateKey encodes |key| as an ECPrivateKey structure into |*out|. It +// returns true on success or false on error. +static bool EncodeECPrivateKey(std::vector<uint8_t> *out, EC_KEY *key) { + int len = i2d_ECPrivateKey(key, NULL); + out->resize(len); + uint8_t *outp = bssl::vector_data(out); + return i2d_ECPrivateKey(key, &outp) == len; +} + +bool Testd2i_ECPrivateKey() { + ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithoutPublic, + sizeof(kECKeyWithoutPublic)); + if (!key) { fprintf(stderr, "Failed to parse private key.\n"); ERR_print_errors_fp(stderr); return false; } - int len = i2d_ECPrivateKey(key.get(), NULL); - std::vector<uint8_t> out(len); - uint8_t *outp = bssl::vector_data(&out); - if (len != i2d_ECPrivateKey(key.get(), &outp)) { + std::vector<uint8_t> out; + if (!EncodeECPrivateKey(&out, key.get())) { fprintf(stderr, "Failed to serialize private key.\n"); ERR_print_errors_fp(stderr); return false; } - if (0 != memcmp(bssl::vector_data(&out), kECKeyWithoutPublic, len)) { + if (std::vector<uint8_t>(kECKeyWithoutPublic, + kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) != + out) { fprintf(stderr, "Serialisation of key doesn't match original.\n"); return false; } @@ -89,11 +139,44 @@ bool Testd2i_ECPrivateKey(void) { return true; } +static bool TestZeroPadding() { + // Check that the correct encoding round-trips. + ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithZeros, + sizeof(kECKeyWithZeros)); + std::vector<uint8_t> out; + if (!key || !EncodeECPrivateKey(&out, key.get())) { + ERR_print_errors_fp(stderr); + return false; + } + + if (std::vector<uint8_t>(kECKeyWithZeros, + kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) { + fprintf(stderr, "Serialisation of key was incorrect.\n"); + return false; + } + + // Keys without leading zeros also parse, but they encode correctly. + key = DecodeECPrivateKey(kECKeyMissingZeros, sizeof(kECKeyMissingZeros)); + if (!key || !EncodeECPrivateKey(&out, key.get())) { + ERR_print_errors_fp(stderr); + return false; + } + + if (std::vector<uint8_t>(kECKeyWithZeros, + kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) { + fprintf(stderr, "Serialisation of key was incorrect.\n"); + return false; + } + + return true; +} + int main(void) { CRYPTO_library_init(); ERR_load_crypto_strings(); - if (!Testd2i_ECPrivateKey()) { + if (!Testd2i_ECPrivateKey() || + !TestZeroPadding()) { fprintf(stderr, "failed\n"); return 1; } |