summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/sm2
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/sm2')
-rw-r--r--src/lib/libcrypto/sm2/sm2.h138
-rw-r--r--src/lib/libcrypto/sm2/sm2_crypt.c631
-rw-r--r--src/lib/libcrypto/sm2/sm2_err.c105
-rw-r--r--src/lib/libcrypto/sm2/sm2_local.h41
-rw-r--r--src/lib/libcrypto/sm2/sm2_pmeth.c316
-rw-r--r--src/lib/libcrypto/sm2/sm2_sign.c465
-rw-r--r--src/lib/libcrypto/sm2/sm2_za.c161
7 files changed, 0 insertions, 1857 deletions
diff --git a/src/lib/libcrypto/sm2/sm2.h b/src/lib/libcrypto/sm2/sm2.h
deleted file mode 100644
index b5195a73e1..0000000000
--- a/src/lib/libcrypto/sm2/sm2.h
+++ /dev/null
@@ -1,138 +0,0 @@
1/* $OpenBSD: sm2.h,v 1.4 2025/01/25 17:59:44 tb Exp $ */
2/*
3 * Copyright (c) 2017, 2019 Ribose Inc
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef HEADER_SM2_H
19#define HEADER_SM2_H
20
21#include <openssl/opensslconf.h>
22
23#include <openssl/ec.h>
24
25#ifdef __cplusplus
26extern "C" {
27#endif
28
29/*
30 * SM2 signature generation.
31 */
32int SM2_sign(const unsigned char *dgst, int dgstlen, unsigned char *sig,
33 unsigned int *siglen, EC_KEY *eckey);
34
35/*
36 * SM2 signature verification. Assumes input is an SM3 digest
37 */
38int SM2_verify(const unsigned char *dgst, int dgstlen, const unsigned char *sig,
39 int siglen, EC_KEY *eckey);
40
41/*
42 * SM2 encryption
43 */
44int SM2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
45 size_t *c_size);
46
47int SM2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
48 size_t *pl_size);
49
50int SM2_encrypt(const EC_KEY *key, const EVP_MD *digest, const uint8_t *msg,
51 size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len);
52
53int SM2_decrypt(const EC_KEY *key, const EVP_MD *digest,
54 const uint8_t *ciphertext, size_t ciphertext_len, uint8_t *ptext_buf,
55 size_t *ptext_len);
56
57void ERR_load_SM2_strings(void);
58
59/* Error codes for the SM2 functions. */
60
61/* Function codes. */
62# define SM2_F_PKEY_SM2_CTRL 274
63# define SM2_F_PKEY_SM2_CTRL_STR 275
64# define SM2_F_PKEY_SM2_KEYGEN 276
65# define SM2_F_PKEY_SM2_PARAMGEN 277
66# define SM2_F_PKEY_SM2_SIGN 278
67# define SM2_F_PKEY_SM2_VERIFY 279
68# define SM2_F_PKEY_SM2_ENCRYPT 280
69# define SM2_F_PKEY_SM2_DECRYPT 281
70
71/* Reason codes. */
72# define SM2_R_ASN1_ERROR 115
73# define SM2_R_ASN5_ERROR 1150
74# define SM2_R_BAD_SIGNATURE 156
75# define SM2_R_BIGNUM_OUT_OF_RANGE 144
76# define SM2_R_BUFFER_TOO_SMALL 100
77# define SM2_R_COORDINATES_OUT_OF_RANGE 146
78# define SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
79# define SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
80# define SM2_R_D2I_ECPKPARAMETERS_FAILURE 117
81# define SM2_R_DECODE_ERROR 142
82# define SM2_R_DIGEST_FAILURE 163
83# define SM2_R_DISCRIMINANT_IS_ZERO 118
84# define SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE 119
85# define SM2_R_FIELD_TOO_LARGE 143
86# define SM2_R_GF2M_NOT_SUPPORTED 147
87# define SM2_R_GROUP2PKPARAMETERS_FAILURE 120
88# define SM2_R_I2D_ECPKPARAMETERS_FAILURE 121
89# define SM2_R_INCOMPATIBLE_OBJECTS 101
90# define SM2_R_INVALID_ARGUMENT 112
91# define SM2_R_INVALID_COMPRESSED_POINT 110
92# define SM2_R_INVALID_COMPRESSION_BIT 109
93# define SM2_R_INVALID_CURVE 141
94# define SM2_R_INVALID_DIGEST 151
95# define SM2_R_INVALID_DIGEST_TYPE 138
96# define SM2_R_INVALID_ENCODING 102
97# define SM2_R_INVALID_FIELD 103
98# define SM2_R_INVALID_FORM 104
99# define SM2_R_INVALID_GROUP_ORDER 122
100# define SM2_R_INVALID_KEY 116
101# define SM2_R_INVALID_OUTPUT_LENGTH 161
102# define SM2_R_INVALID_PEER_KEY 133
103# define SM2_R_INVALID_PENTANOMIAL_BASIS 132
104# define SM2_R_INVALID_PRIVATE_KEY 123
105# define SM2_R_INVALID_TRINOMIAL_BASIS 137
106# define SM2_R_KDF_FAILURE 162
107# define SM2_R_KDF_PARAMETER_ERROR 148
108# define SM2_R_KEYS_NOT_SET 140
109# define SM2_R_MISSING_PARAMETERS 124
110# define SM2_R_MISSING_PRIVATE_KEY 125
111# define SM2_R_NEED_NEW_SETUP_VALUES 157
112# define SM2_R_NOT_A_NIST_PRIME 135
113# define SM2_R_NOT_IMPLEMENTED 126
114# define SM2_R_NOT_INITIALIZED 111
115# define SM2_R_NO_PARAMETERS_SET 139
116# define SM2_R_NO_PRIVATE_VALUE 154
117# define SM2_R_OPERATION_NOT_SUPPORTED 152
118# define SM2_R_PASSED_NULL_PARAMETER 134
119# define SM2_R_PEER_KEY_ERROR 149
120# define SM2_R_PKPARAMETERS2GROUP_FAILURE 127
121# define SM2_R_POINT_ARITHMETIC_FAILURE 155
122# define SM2_R_POINT_AT_INFINITY 106
123# define SM2_R_POINT_IS_NOT_ON_CURVE 107
124# define SM2_R_RANDOM_NUMBER_GENERATION_FAILED 158
125# define SM2_R_SHARED_INFO_ERROR 150
126# define SM2_R_SLOT_FULL 108
127# define SM2_R_UNDEFINED_GENERATOR 113
128# define SM2_R_UNDEFINED_ORDER 128
129# define SM2_R_UNKNOWN_GROUP 129
130# define SM2_R_UNKNOWN_ORDER 114
131# define SM2_R_UNSUPPORTED_FIELD 131
132# define SM2_R_WRONG_CURVE_PARAMETERS 145
133# define SM2_R_WRONG_ORDER 130
134
135#ifdef __cplusplus
136}
137#endif
138#endif
diff --git a/src/lib/libcrypto/sm2/sm2_crypt.c b/src/lib/libcrypto/sm2/sm2_crypt.c
deleted file mode 100644
index 63fe1e6ab9..0000000000
--- a/src/lib/libcrypto/sm2/sm2_crypt.c
+++ /dev/null
@@ -1,631 +0,0 @@
1/* $OpenBSD: sm2_crypt.c,v 1.3 2024/02/09 07:43:52 tb Exp $ */
2/*
3 * Copyright (c) 2017, 2019 Ribose Inc
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef OPENSSL_NO_SM2
19
20#include <string.h>
21
22#include <openssl/asn1.h>
23#include <openssl/asn1t.h>
24#include <openssl/bn.h>
25#include <openssl/err.h>
26#include <openssl/evp.h>
27#include <openssl/sm2.h>
28
29#include "sm2_local.h"
30
31typedef struct SM2_Ciphertext_st SM2_Ciphertext;
32
33SM2_Ciphertext *SM2_Ciphertext_new(void);
34void SM2_Ciphertext_free(SM2_Ciphertext *a);
35SM2_Ciphertext *d2i_SM2_Ciphertext(SM2_Ciphertext **a, const unsigned char **in,
36 long len);
37int i2d_SM2_Ciphertext(SM2_Ciphertext *a, unsigned char **out);
38
39struct SM2_Ciphertext_st {
40 BIGNUM *C1x;
41 BIGNUM *C1y;
42 ASN1_OCTET_STRING *C3;
43 ASN1_OCTET_STRING *C2;
44};
45
46static const ASN1_TEMPLATE SM2_Ciphertext_seq_tt[] = {
47 {
48 .flags = 0,
49 .tag = 0,
50 .offset = offsetof(SM2_Ciphertext, C1x),
51 .field_name = "C1x",
52 .item = &BIGNUM_it,
53 },
54 {
55 .flags = 0,
56 .tag = 0,
57 .offset = offsetof(SM2_Ciphertext, C1y),
58 .field_name = "C1y",
59 .item = &BIGNUM_it,
60 },
61 {
62 .flags = 0,
63 .tag = 0,
64 .offset = offsetof(SM2_Ciphertext, C3),
65 .field_name = "C3",
66 .item = &ASN1_OCTET_STRING_it,
67 },
68 {
69 .flags = 0,
70 .tag = 0,
71 .offset = offsetof(SM2_Ciphertext, C2),
72 .field_name = "C2",
73 .item = &ASN1_OCTET_STRING_it,
74 },
75};
76
77const ASN1_ITEM SM2_Ciphertext_it = {
78 .itype = ASN1_ITYPE_SEQUENCE,
79 .utype = V_ASN1_SEQUENCE,
80 .templates = SM2_Ciphertext_seq_tt,
81 .tcount = sizeof(SM2_Ciphertext_seq_tt) / sizeof(ASN1_TEMPLATE),
82 .funcs = NULL,
83 .size = sizeof(SM2_Ciphertext),
84 .sname = "SM2_Ciphertext",
85};
86
87SM2_Ciphertext *
88d2i_SM2_Ciphertext(SM2_Ciphertext **a, const unsigned char **in, long len)
89{
90 return (SM2_Ciphertext *) ASN1_item_d2i((ASN1_VALUE **)a, in, len,
91 &SM2_Ciphertext_it);
92}
93
94int
95i2d_SM2_Ciphertext(SM2_Ciphertext *a, unsigned char **out)
96{
97 return ASN1_item_i2d((ASN1_VALUE *)a, out, &SM2_Ciphertext_it);
98}
99
100SM2_Ciphertext *
101SM2_Ciphertext_new(void)
102{
103 return (SM2_Ciphertext *)ASN1_item_new(&SM2_Ciphertext_it);
104}
105
106void
107SM2_Ciphertext_free(SM2_Ciphertext *a)
108{
109 ASN1_item_free((ASN1_VALUE *)a, &SM2_Ciphertext_it);
110}
111
112static size_t
113ec_field_size(const EC_GROUP *group)
114{
115 /* Is there some simpler way to do this? */
116 BIGNUM *p;
117 size_t field_size = 0;
118
119 if ((p = BN_new()) == NULL)
120 goto err;
121 if (!EC_GROUP_get_curve(group, p, NULL, NULL, NULL))
122 goto err;
123 field_size = BN_num_bytes(p);
124 err:
125 BN_free(p);
126 return field_size;
127}
128
129int
130SM2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
131 size_t *pl_size)
132{
133 size_t field_size, overhead;
134 int md_size;
135
136 if ((field_size = ec_field_size(EC_KEY_get0_group(key))) == 0) {
137 SM2error(SM2_R_INVALID_FIELD);
138 return 0;
139 }
140
141 if ((md_size = EVP_MD_size(digest)) < 0) {
142 SM2error(SM2_R_INVALID_DIGEST);
143 return 0;
144 }
145
146 overhead = 10 + 2 * field_size + md_size;
147 if (msg_len <= overhead) {
148 SM2error(SM2_R_INVALID_ARGUMENT);
149 return 0;
150 }
151
152 *pl_size = msg_len - overhead;
153 return 1;
154}
155
156int
157SM2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
158 size_t *c_size)
159{
160 size_t asn_size, field_size;
161 int md_size;
162
163 if ((field_size = ec_field_size(EC_KEY_get0_group(key))) == 0) {
164 SM2error(SM2_R_INVALID_FIELD);
165 return 0;
166 }
167
168 if ((md_size = EVP_MD_size(digest)) < 0) {
169 SM2error(SM2_R_INVALID_DIGEST);
170 return 0;
171 }
172
173 asn_size = 2 * ASN1_object_size(0, field_size + 1, V_ASN1_INTEGER) +
174 ASN1_object_size(0, md_size, V_ASN1_OCTET_STRING) +
175 ASN1_object_size(0, msg_len, V_ASN1_OCTET_STRING);
176
177 *c_size = ASN1_object_size(1, asn_size, V_ASN1_SEQUENCE);
178 return 1;
179}
180
181int
182sm2_kdf(uint8_t *key, size_t key_len, uint8_t *secret, size_t secret_len,
183 const EVP_MD *digest)
184{
185 EVP_MD_CTX *hash;
186 uint8_t *hash_buf = NULL;
187 uint32_t ctr = 1;
188 uint8_t ctr_buf[4] = {0};
189 size_t hadd, hlen;
190 int rc = 0;
191
192 if ((hash = EVP_MD_CTX_new()) == NULL) {
193 SM2error(ERR_R_MALLOC_FAILURE);
194 goto err;
195 }
196
197 if ((hlen = EVP_MD_size(digest)) < 0) {
198 SM2error(SM2_R_INVALID_DIGEST);
199 goto err;
200 }
201 if ((hash_buf = malloc(hlen)) == NULL) {
202 SM2error(ERR_R_MALLOC_FAILURE);
203 goto err;
204 }
205
206 while ((key_len > 0) && (ctr != 0)) {
207 if (!EVP_DigestInit_ex(hash, digest, NULL)) {
208 SM2error(ERR_R_EVP_LIB);
209 goto err;
210 }
211 if (!EVP_DigestUpdate(hash, secret, secret_len)) {
212 SM2error(ERR_R_EVP_LIB);
213 goto err;
214 }
215
216 /* big-endian counter representation */
217 ctr_buf[0] = (ctr >> 24) & 0xff;
218 ctr_buf[1] = (ctr >> 16) & 0xff;
219 ctr_buf[2] = (ctr >> 8) & 0xff;
220 ctr_buf[3] = ctr & 0xff;
221 ctr++;
222
223 if (!EVP_DigestUpdate(hash, ctr_buf, 4)) {
224 SM2error(ERR_R_EVP_LIB);
225 goto err;
226 }
227 if (!EVP_DigestFinal(hash, hash_buf, NULL)) {
228 SM2error(ERR_R_EVP_LIB);
229 goto err;
230 }
231
232 hadd = key_len > hlen ? hlen : key_len;
233 memcpy(key, hash_buf, hadd);
234 memset(hash_buf, 0, hlen);
235 key_len -= hadd;
236 key += hadd;
237 }
238
239 rc = 1;
240 err:
241 free(hash_buf);
242 EVP_MD_CTX_free(hash);
243 return rc;
244}
245
246int
247SM2_encrypt(const EC_KEY *key, const EVP_MD *digest, const uint8_t *msg,
248 size_t msg_len, uint8_t *ciphertext_buf, size_t *ciphertext_len)
249{
250 SM2_Ciphertext ctext_struct;
251 EVP_MD_CTX *hash = NULL;
252 BN_CTX *ctx = NULL;
253 BIGNUM *order = NULL;
254 BIGNUM *k, *x1, *y1, *x2, *y2;
255 const EC_GROUP *group;
256 const EC_POINT *P;
257 EC_POINT *kG = NULL, *kP = NULL;
258 uint8_t *msg_mask = NULL, *x2y2 = NULL, *C3 = NULL;
259 size_t C3_size, field_size, i, x2size, y2size;
260 int rc = 0;
261 int clen;
262
263 ctext_struct.C2 = NULL;
264 ctext_struct.C3 = NULL;
265
266 if ((hash = EVP_MD_CTX_new()) == NULL) {
267 SM2error(ERR_R_MALLOC_FAILURE);
268 goto err;
269 }
270
271 if ((group = EC_KEY_get0_group(key)) == NULL) {
272 SM2error(SM2_R_INVALID_KEY);
273 goto err;
274 }
275
276 if ((order = BN_new()) == NULL) {
277 SM2error(ERR_R_MALLOC_FAILURE);
278 goto err;
279 }
280
281 if (!EC_GROUP_get_order(group, order, NULL)) {
282 SM2error(SM2_R_INVALID_GROUP_ORDER);
283 goto err;
284 }
285
286 if ((P = EC_KEY_get0_public_key(key)) == NULL) {
287 SM2error(SM2_R_INVALID_KEY);
288 goto err;
289 }
290
291 if ((field_size = ec_field_size(group)) == 0) {
292 SM2error(SM2_R_INVALID_FIELD);
293 goto err;
294 }
295
296 if ((C3_size = EVP_MD_size(digest)) < 0) {
297 SM2error(SM2_R_INVALID_DIGEST);
298 goto err;
299 }
300
301 if ((kG = EC_POINT_new(group)) == NULL) {
302 SM2error(ERR_R_MALLOC_FAILURE);
303 goto err;
304 }
305 if ((kP = EC_POINT_new(group)) == NULL) {
306 SM2error(ERR_R_MALLOC_FAILURE);
307 goto err;
308 }
309
310 if ((ctx = BN_CTX_new()) == NULL) {
311 SM2error(ERR_R_MALLOC_FAILURE);
312 goto err;
313 }
314
315 BN_CTX_start(ctx);
316 if ((k = BN_CTX_get(ctx)) == NULL) {
317 SM2error(ERR_R_BN_LIB);
318 goto err;
319 }
320 if ((x1 = BN_CTX_get(ctx)) == NULL) {
321 SM2error(ERR_R_BN_LIB);
322 goto err;
323 }
324 if ((x2 = BN_CTX_get(ctx)) == NULL) {
325 SM2error(ERR_R_BN_LIB);
326 goto err;
327 }
328 if ((y1 = BN_CTX_get(ctx)) == NULL) {
329 SM2error(ERR_R_BN_LIB);
330 goto err;
331 }
332 if ((y2 = BN_CTX_get(ctx)) == NULL) {
333 SM2error(ERR_R_BN_LIB);
334 goto err;
335 }
336
337 if ((x2y2 = calloc(2, field_size)) == NULL) {
338 SM2error(ERR_R_MALLOC_FAILURE);
339 goto err;
340 }
341
342 if ((C3 = calloc(1, C3_size)) == NULL) {
343 SM2error(ERR_R_MALLOC_FAILURE);
344 goto err;
345 }
346
347 memset(ciphertext_buf, 0, *ciphertext_len);
348
349 if (!BN_rand_range(k, order)) {
350 SM2error(SM2_R_RANDOM_NUMBER_GENERATION_FAILED);
351 goto err;
352 }
353
354 if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx)) {
355 SM2error(ERR_R_EC_LIB);
356 goto err;
357 }
358
359 if (!EC_POINT_get_affine_coordinates(group, kG, x1, y1, ctx)) {
360 SM2error(ERR_R_EC_LIB);
361 goto err;
362 }
363
364 if (!EC_POINT_mul(group, kP, NULL, P, k, ctx)) {
365 SM2error(ERR_R_EC_LIB);
366 goto err;
367 }
368
369 if (!EC_POINT_get_affine_coordinates(group, kP, x2, y2, ctx)) {
370 SM2error(ERR_R_EC_LIB);
371 goto err;
372 }
373
374 if ((x2size = BN_num_bytes(x2)) > field_size ||
375 (y2size = BN_num_bytes(y2)) > field_size) {
376 SM2error(SM2_R_BIGNUM_OUT_OF_RANGE);
377 goto err;
378 }
379
380 BN_bn2bin(x2, x2y2 + field_size - x2size);
381 BN_bn2bin(y2, x2y2 + 2 * field_size - y2size);
382
383 if ((msg_mask = calloc(1, msg_len)) == NULL) {
384 SM2error(ERR_R_MALLOC_FAILURE);
385 goto err;
386 }
387
388 if (!sm2_kdf(msg_mask, msg_len, x2y2, 2 * field_size, digest)) {
389 SM2error(SM2_R_KDF_FAILURE);
390 goto err;
391 }
392
393 for (i = 0; i != msg_len; i++)
394 msg_mask[i] ^= msg[i];
395
396 if (!EVP_DigestInit(hash, digest)) {
397 SM2error(ERR_R_EVP_LIB);
398 goto err;
399 }
400
401 if (!EVP_DigestUpdate(hash, x2y2, field_size)) {
402 SM2error(ERR_R_EVP_LIB);
403 goto err;
404 }
405
406 if (!EVP_DigestUpdate(hash, msg, msg_len)) {
407 SM2error(ERR_R_EVP_LIB);
408 goto err;
409 }
410
411 if (!EVP_DigestUpdate(hash, x2y2 + field_size, field_size)) {
412 SM2error(ERR_R_EVP_LIB);
413 goto err;
414 }
415
416 if (!EVP_DigestFinal(hash, C3, NULL)) {
417 SM2error(ERR_R_EVP_LIB);
418 goto err;
419 }
420
421 ctext_struct.C1x = x1;
422 ctext_struct.C1y = y1;
423 if ((ctext_struct.C3 = ASN1_OCTET_STRING_new()) == NULL) {
424 SM2error(ERR_R_MALLOC_FAILURE);
425 goto err;
426 }
427 if ((ctext_struct.C2 = ASN1_OCTET_STRING_new()) == NULL) {
428 SM2error(ERR_R_MALLOC_FAILURE);
429 goto err;
430 }
431 if (!ASN1_OCTET_STRING_set(ctext_struct.C3, C3, C3_size)) {
432 SM2error(ERR_R_INTERNAL_ERROR);
433 goto err;
434 }
435 if (!ASN1_OCTET_STRING_set(ctext_struct.C2, msg_mask, msg_len)) {
436 SM2error(ERR_R_INTERNAL_ERROR);
437 goto err;
438 }
439
440 if ((clen = i2d_SM2_Ciphertext(&ctext_struct, &ciphertext_buf)) < 0) {
441 SM2error(ERR_R_INTERNAL_ERROR);
442 goto err;
443 }
444
445 *ciphertext_len = clen;
446 rc = 1;
447
448 err:
449 ASN1_OCTET_STRING_free(ctext_struct.C2);
450 ASN1_OCTET_STRING_free(ctext_struct.C3);
451 free(msg_mask);
452 free(x2y2);
453 free(C3);
454 EVP_MD_CTX_free(hash);
455 BN_CTX_end(ctx);
456 BN_CTX_free(ctx);
457 EC_POINT_free(kG);
458 EC_POINT_free(kP);
459 BN_free(order);
460 return rc;
461}
462
463int
464SM2_decrypt(const EC_KEY *key, const EVP_MD *digest, const uint8_t *ciphertext,
465 size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len)
466{
467 SM2_Ciphertext *sm2_ctext = NULL;
468 EVP_MD_CTX *hash = NULL;
469 BN_CTX *ctx = NULL;
470 BIGNUM *x2, *y2;
471 const EC_GROUP *group;
472 EC_POINT *C1 = NULL;
473 const uint8_t *C2, *C3;
474 uint8_t *computed_C3 = NULL, *msg_mask = NULL, *x2y2 = NULL;
475 size_t field_size, x2size, y2size;
476 int msg_len = 0, rc = 0;
477 int hash_size, i;
478
479 if ((group = EC_KEY_get0_group(key)) == NULL) {
480 SM2error(SM2_R_INVALID_KEY);
481 goto err;
482 }
483
484 if ((field_size = ec_field_size(group)) == 0) {
485 SM2error(SM2_R_INVALID_FIELD);
486 goto err;
487 }
488
489 if ((hash_size = EVP_MD_size(digest)) < 0) {
490 SM2error(SM2_R_INVALID_DIGEST);
491 goto err;
492 }
493
494 memset(ptext_buf, 0xFF, *ptext_len);
495
496 if ((sm2_ctext = d2i_SM2_Ciphertext(NULL, &ciphertext,
497 ciphertext_len)) == NULL) {
498 SM2error(SM2_R_ASN1_ERROR);
499 goto err;
500 }
501
502 if (sm2_ctext->C3->length != hash_size) {
503 SM2error(SM2_R_INVALID_ENCODING);
504 goto err;
505 }
506
507 C2 = sm2_ctext->C2->data;
508 C3 = sm2_ctext->C3->data;
509 msg_len = sm2_ctext->C2->length;
510
511 if ((ctx = BN_CTX_new()) == NULL) {
512 SM2error(ERR_R_MALLOC_FAILURE);
513 goto err;
514 }
515
516 BN_CTX_start(ctx);
517 if ((x2 = BN_CTX_get(ctx)) == NULL) {
518 SM2error(ERR_R_BN_LIB);
519 goto err;
520 }
521 if ((y2 = BN_CTX_get(ctx)) == NULL) {
522 SM2error(ERR_R_BN_LIB);
523 goto err;
524 }
525
526 if ((msg_mask = calloc(1, msg_len)) == NULL) {
527 SM2error(ERR_R_MALLOC_FAILURE);
528 goto err;
529 }
530 if ((x2y2 = calloc(2, field_size)) == NULL) {
531 SM2error(ERR_R_MALLOC_FAILURE);
532 goto err;
533 }
534 if ((computed_C3 = calloc(1, hash_size)) == NULL) {
535 SM2error(ERR_R_MALLOC_FAILURE);
536 goto err;
537 }
538
539 if ((C1 = EC_POINT_new(group)) == NULL) {
540 SM2error(ERR_R_MALLOC_FAILURE);
541 goto err;
542 }
543
544 if (!EC_POINT_set_affine_coordinates(group, C1, sm2_ctext->C1x,
545 sm2_ctext->C1y, ctx))
546 {
547 SM2error(ERR_R_EC_LIB);
548 goto err;
549 }
550
551 if (!EC_POINT_mul(group, C1, NULL, C1, EC_KEY_get0_private_key(key),
552 ctx)) {
553 SM2error(ERR_R_EC_LIB);
554 goto err;
555 }
556
557 if (!EC_POINT_get_affine_coordinates(group, C1, x2, y2, ctx)) {
558 SM2error(ERR_R_EC_LIB);
559 goto err;
560 }
561
562 if ((x2size = BN_num_bytes(x2)) > field_size ||
563 (y2size = BN_num_bytes(y2)) > field_size) {
564 SM2error(SM2_R_BIGNUM_OUT_OF_RANGE);
565 goto err;
566 }
567
568 BN_bn2bin(x2, x2y2 + field_size - x2size);
569 BN_bn2bin(y2, x2y2 + 2 * field_size - y2size);
570
571 if (!sm2_kdf(msg_mask, msg_len, x2y2, 2 * field_size, digest)) {
572 SM2error(SM2_R_KDF_FAILURE);
573 goto err;
574 }
575
576 for (i = 0; i != msg_len; ++i)
577 ptext_buf[i] = C2[i] ^ msg_mask[i];
578
579 if ((hash = EVP_MD_CTX_new()) == NULL) {
580 SM2error(ERR_R_EVP_LIB);
581 goto err;
582 }
583
584 if (!EVP_DigestInit(hash, digest)) {
585 SM2error(ERR_R_EVP_LIB);
586 goto err;
587 }
588
589 if (!EVP_DigestUpdate(hash, x2y2, field_size)) {
590 SM2error(ERR_R_EVP_LIB);
591 goto err;
592 }
593
594 if (!EVP_DigestUpdate(hash, ptext_buf, msg_len)) {
595 SM2error(ERR_R_EVP_LIB);
596 goto err;
597 }
598
599 if (!EVP_DigestUpdate(hash, x2y2 + field_size, field_size)) {
600 SM2error(ERR_R_EVP_LIB);
601 goto err;
602 }
603
604 if (!EVP_DigestFinal(hash, computed_C3, NULL)) {
605 SM2error(ERR_R_EVP_LIB);
606 goto err;
607 }
608
609 if (memcmp(computed_C3, C3, hash_size) != 0)
610 goto err;
611
612 rc = 1;
613 *ptext_len = msg_len;
614
615 err:
616 if (rc == 0)
617 memset(ptext_buf, 0, *ptext_len);
618
619 free(msg_mask);
620 free(x2y2);
621 free(computed_C3);
622 EC_POINT_free(C1);
623 BN_CTX_end(ctx);
624 BN_CTX_free(ctx);
625 SM2_Ciphertext_free(sm2_ctext);
626 EVP_MD_CTX_free(hash);
627
628 return rc;
629}
630
631#endif /* OPENSSL_NO_SM2 */
diff --git a/src/lib/libcrypto/sm2/sm2_err.c b/src/lib/libcrypto/sm2/sm2_err.c
deleted file mode 100644
index a7dc1e0d9e..0000000000
--- a/src/lib/libcrypto/sm2/sm2_err.c
+++ /dev/null
@@ -1,105 +0,0 @@
1/* $OpenBSD: sm2_err.c,v 1.2 2022/07/12 14:42:50 kn Exp $ */
2/*
3 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
4 *
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11#ifndef OPENSSL_NO_SM2
12
13#include <openssl/err.h>
14#include <openssl/sm2.h>
15
16#ifndef OPENSSL_NO_ERR
17
18#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SM2,func,0)
19#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SM2,0,reason)
20
21static ERR_STRING_DATA SM2_str_functs[] = {
22 {ERR_FUNC(0xfff), "CRYPTO_internal"},
23 {0, NULL}
24};
25
26static ERR_STRING_DATA SM2_str_reasons[] = {
27 {ERR_REASON(SM2_R_ASN1_ERROR), "asn1 error"},
28 {ERR_REASON(SM2_R_ASN5_ERROR), "asn5 error"},
29 {ERR_REASON(SM2_R_BAD_SIGNATURE), "bad signature"},
30 {ERR_REASON(SM2_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
31 {ERR_REASON(SM2_R_BUFFER_TOO_SMALL), "buffer too small"},
32 {ERR_REASON(SM2_R_COORDINATES_OUT_OF_RANGE), "coordinates out of range"},
33 {ERR_REASON(SM2_R_CURVE_DOES_NOT_SUPPORT_ECDH), "curve does not support ecdh"},
34 {ERR_REASON(SM2_R_CURVE_DOES_NOT_SUPPORT_SIGNING), "curve does not support signing"},
35 {ERR_REASON(SM2_R_D2I_ECPKPARAMETERS_FAILURE), "d2i ecpkparameters failure"},
36 {ERR_REASON(SM2_R_DECODE_ERROR), "decode error"},
37 {ERR_REASON(SM2_R_DIGEST_FAILURE), "digest calculation failure"},
38 {ERR_REASON(SM2_R_DISCRIMINANT_IS_ZERO), "discriminant is zero"},
39 {ERR_REASON(SM2_R_EC_GROUP_NEW_BY_NAME_FAILURE), "ec group new by name failure"},
40 {ERR_REASON(SM2_R_FIELD_TOO_LARGE), "field too large"},
41 {ERR_REASON(SM2_R_GF2M_NOT_SUPPORTED), "gf2m not supported"},
42 {ERR_REASON(SM2_R_GROUP2PKPARAMETERS_FAILURE), "group2pkparameters failure"},
43 {ERR_REASON(SM2_R_I2D_ECPKPARAMETERS_FAILURE), "i2d ecpkparameters failure"},
44 {ERR_REASON(SM2_R_INCOMPATIBLE_OBJECTS), "incompatible objects"},
45 {ERR_REASON(SM2_R_INVALID_ARGUMENT), "invalid argument"},
46 {ERR_REASON(SM2_R_INVALID_COMPRESSED_POINT), "invalid compressed point"},
47 {ERR_REASON(SM2_R_INVALID_COMPRESSION_BIT), "invalid compression bit"},
48 {ERR_REASON(SM2_R_INVALID_CURVE), "invalid curve"},
49 {ERR_REASON(SM2_R_INVALID_DIGEST), "invalid digest"},
50 {ERR_REASON(SM2_R_INVALID_DIGEST_TYPE), "invalid digest type"},
51 {ERR_REASON(SM2_R_INVALID_ENCODING), "invalid encoding"},
52 {ERR_REASON(SM2_R_INVALID_FIELD), "invalid field"},
53 {ERR_REASON(SM2_R_INVALID_FORM), "invalid form"},
54 {ERR_REASON(SM2_R_INVALID_GROUP_ORDER), "invalid group order"},
55 {ERR_REASON(SM2_R_INVALID_KEY), "invalid key"},
56 {ERR_REASON(SM2_R_INVALID_OUTPUT_LENGTH), "invalid output length"},
57 {ERR_REASON(SM2_R_INVALID_PEER_KEY), "invalid peer key"},
58 {ERR_REASON(SM2_R_INVALID_PENTANOMIAL_BASIS), "invalid pentanomial basis"},
59 {ERR_REASON(SM2_R_INVALID_PRIVATE_KEY), "invalid private key"},
60 {ERR_REASON(SM2_R_INVALID_TRINOMIAL_BASIS), "invalid trinomial basis"},
61 {ERR_REASON(SM2_R_KDF_FAILURE), "kdf calculation failure"},
62 {ERR_REASON(SM2_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
63 {ERR_REASON(SM2_R_KEYS_NOT_SET), "keys not set"},
64 {ERR_REASON(SM2_R_MISSING_PARAMETERS), "missing parameters"},
65 {ERR_REASON(SM2_R_MISSING_PRIVATE_KEY), "missing private key"},
66 {ERR_REASON(SM2_R_NEED_NEW_SETUP_VALUES), "need new setup values"},
67 {ERR_REASON(SM2_R_NOT_A_NIST_PRIME), "not a NIST prime"},
68 {ERR_REASON(SM2_R_NOT_IMPLEMENTED), "not implemented"},
69 {ERR_REASON(SM2_R_NOT_INITIALIZED), "not initialized"},
70 {ERR_REASON(SM2_R_NO_PARAMETERS_SET), "no parameters set"},
71 {ERR_REASON(SM2_R_NO_PRIVATE_VALUE), "no private value"},
72 {ERR_REASON(SM2_R_OPERATION_NOT_SUPPORTED), "operation not supported"},
73 {ERR_REASON(SM2_R_PASSED_NULL_PARAMETER), "passed null parameter"},
74 {ERR_REASON(SM2_R_PEER_KEY_ERROR), "peer key error"},
75 {ERR_REASON(SM2_R_PKPARAMETERS2GROUP_FAILURE), "pkparameters2group failure"},
76 {ERR_REASON(SM2_R_POINT_ARITHMETIC_FAILURE), "point arithmetic failure"},
77 {ERR_REASON(SM2_R_POINT_AT_INFINITY), "point at infinity"},
78 {ERR_REASON(SM2_R_POINT_IS_NOT_ON_CURVE), "point is not on curve"},
79 {ERR_REASON(SM2_R_RANDOM_NUMBER_GENERATION_FAILED), "random number generation failed"},
80 {ERR_REASON(SM2_R_SHARED_INFO_ERROR), "shared info error"},
81 {ERR_REASON(SM2_R_SLOT_FULL), "slot full"},
82 {ERR_REASON(SM2_R_UNDEFINED_GENERATOR), "undefined generator"},
83 {ERR_REASON(SM2_R_UNDEFINED_ORDER), "undefined order"},
84 {ERR_REASON(SM2_R_UNKNOWN_GROUP), "unknown group"},
85 {ERR_REASON(SM2_R_UNKNOWN_ORDER), "unknown order"},
86 {ERR_REASON(SM2_R_UNSUPPORTED_FIELD), "unsupported field"},
87 {ERR_REASON(SM2_R_WRONG_CURVE_PARAMETERS), "wrong curve parameters"},
88 {ERR_REASON(SM2_R_WRONG_ORDER), "wrong order"},
89 {0, NULL}
90};
91
92#endif
93
94void
95ERR_load_SM2_strings(void)
96{
97#ifndef OPENSSL_NO_ERR
98 if (ERR_func_error_string(SM2_str_functs[0].error) == NULL) {
99 ERR_load_strings(0, SM2_str_functs);
100 ERR_load_strings(0, SM2_str_reasons);
101 }
102#endif
103}
104
105#endif /* OPENSSL_NO_SM2 */
diff --git a/src/lib/libcrypto/sm2/sm2_local.h b/src/lib/libcrypto/sm2/sm2_local.h
deleted file mode 100644
index 388c468ef2..0000000000
--- a/src/lib/libcrypto/sm2/sm2_local.h
+++ /dev/null
@@ -1,41 +0,0 @@
1/* $OpenBSD: sm2_local.h,v 1.3 2023/07/28 15:50:33 tb Exp $ */
2/*
3 * Copyright (c) 2017, 2019 Ribose Inc
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef HEADER_SM2_LOCAL_H
19#define HEADER_SM2_LOCAL_H
20
21#include <openssl/ec.h>
22
23__BEGIN_HIDDEN_DECLS
24
25int sm2_compute_userid_digest(uint8_t *out, const EVP_MD *digest,
26 const uint8_t *uid, size_t uid_len, const EC_KEY *key);
27
28/*
29 * SM2 signature operation. Computes ZA (user id digest) and then signs
30 * H(ZA || msg) using SM2
31 */
32ECDSA_SIG *sm2_do_sign(const EC_KEY *key, const EVP_MD *digest,
33 const uint8_t *uid, size_t uid_len, const uint8_t *msg, size_t msg_len);
34
35int sm2_do_verify(const EC_KEY *key, const EVP_MD *digest,
36 const ECDSA_SIG *signature, const uint8_t *uid, size_t uid_len,
37 const uint8_t *msg, size_t msg_len);
38
39__END_HIDDEN_DECLS
40
41#endif /* !HEADER_SM2_LOCAL_H */
diff --git a/src/lib/libcrypto/sm2/sm2_pmeth.c b/src/lib/libcrypto/sm2/sm2_pmeth.c
deleted file mode 100644
index 441f5475d1..0000000000
--- a/src/lib/libcrypto/sm2/sm2_pmeth.c
+++ /dev/null
@@ -1,316 +0,0 @@
1/* $OpenBSD: sm2_pmeth.c,v 1.2 2022/11/26 16:08:54 tb Exp $ */
2/*
3 * Copyright (c) 2017, 2019 Ribose Inc
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef OPENSSL_NO_SM2
19
20#include <string.h>
21
22#include <openssl/sm2.h>
23#include <openssl/asn1t.h>
24#include <openssl/x509.h>
25#include <openssl/err.h>
26#include <openssl/evp.h>
27
28#include "evp_local.h"
29#include "sm2_local.h"
30
31/* SM2 pkey context structure */
32
33typedef struct {
34 /* key and paramgen group */
35 EC_GROUP *gen_group;
36 /* message digest */
37 const EVP_MD *md;
38 EVP_MD_CTX *md_ctx;
39 /* personalization string */
40 uint8_t* uid;
41 size_t uid_len;
42} SM2_PKEY_CTX;
43
44static int
45pkey_sm2_init(EVP_PKEY_CTX *ctx)
46{
47 SM2_PKEY_CTX *dctx;
48
49 if ((dctx = calloc(1, sizeof(*dctx))) == NULL) {
50 SM2error(ERR_R_MALLOC_FAILURE);
51 return 0;
52 }
53 ctx->data = dctx;
54 return 1;
55}
56
57static void
58pkey_sm2_cleanup(EVP_PKEY_CTX *ctx)
59{
60 SM2_PKEY_CTX *dctx = ctx->data;
61
62 if (ctx == NULL || ctx->data == NULL)
63 return;
64
65 EC_GROUP_free(dctx->gen_group);
66 free(dctx->uid);
67 free(dctx);
68 ctx->data = NULL;
69}
70
71static int
72pkey_sm2_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
73{
74 SM2_PKEY_CTX *dctx, *sctx;
75
76 if (!pkey_sm2_init(dst))
77 return 0;
78 sctx = src->data;
79 dctx = dst->data;
80 if (sctx->gen_group) {
81 if ((dctx->gen_group = EC_GROUP_dup(sctx->gen_group)) == NULL) {
82 SM2error(ERR_R_MALLOC_FAILURE);
83 goto err;
84 }
85 }
86
87 if (sctx->uid != NULL) {
88 if ((dctx->uid = malloc(sctx->uid_len)) == NULL) {
89 SM2error(ERR_R_MALLOC_FAILURE);
90 goto err;
91 }
92 memcpy(dctx->uid, sctx->uid, sctx->uid_len);
93 dctx->uid_len = sctx->uid_len;
94 }
95
96 dctx->md = sctx->md;
97
98 if (!EVP_MD_CTX_copy(dctx->md_ctx, sctx->md_ctx))
99 goto err;
100
101 return 1;
102
103 err:
104 pkey_sm2_cleanup(dst);
105 return 0;
106}
107
108static int
109pkey_sm2_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
110 const unsigned char *tbs, size_t tbslen)
111{
112 unsigned int sltmp;
113 int ret, sig_sz;
114
115 if ((sig_sz = ECDSA_size(ctx->pkey->pkey.ec)) <= 0)
116 return 0;
117
118 if (sig == NULL) {
119 *siglen = sig_sz;
120 return 1;
121 }
122
123 if (*siglen < (size_t)sig_sz) {
124 SM2error(SM2_R_BUFFER_TOO_SMALL);
125 return 0;
126 }
127
128 if ((ret = SM2_sign(tbs, tbslen, sig, &sltmp, ctx->pkey->pkey.ec)) <= 0)
129 return ret;
130
131 *siglen = (size_t)sltmp;
132 return 1;
133}
134
135static int
136pkey_sm2_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
137 const unsigned char *tbs, size_t tbslen)
138{
139 return SM2_verify(tbs, tbslen, sig, siglen, ctx->pkey->pkey.ec);
140}
141
142static int
143pkey_sm2_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
144 const unsigned char *in, size_t inlen)
145{
146 SM2_PKEY_CTX *dctx = ctx->data;
147 const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
148
149 if (out == NULL) {
150 if (!SM2_ciphertext_size(ctx->pkey->pkey.ec, md, inlen, outlen))
151 return -1;
152 else
153 return 1;
154 }
155
156 return SM2_encrypt(ctx->pkey->pkey.ec, md, in, inlen, out, outlen);
157}
158
159static int
160pkey_sm2_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
161 const unsigned char *in, size_t inlen)
162{
163 SM2_PKEY_CTX *dctx = ctx->data;
164 const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
165
166 if (out == NULL) {
167 if (!SM2_plaintext_size(ctx->pkey->pkey.ec, md, inlen, outlen))
168 return -1;
169 else
170 return 1;
171 }
172
173 return SM2_decrypt(ctx->pkey->pkey.ec, md, in, inlen, out, outlen);
174}
175
176static int
177pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
178{
179 SM2_PKEY_CTX *dctx = ctx->data;
180 EC_GROUP *group = NULL;
181
182 switch (type) {
183 case EVP_PKEY_CTRL_DIGESTINIT:
184 dctx->md_ctx = p2;
185 return 1;
186
187 case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
188 if ((group = EC_GROUP_new_by_curve_name(p1)) == NULL) {
189 SM2error(SM2_R_INVALID_CURVE);
190 return 0;
191 }
192 EC_GROUP_free(dctx->gen_group);
193 dctx->gen_group = group;
194 return 1;
195
196 case EVP_PKEY_CTRL_SM2_SET_UID:
197 if ((p1 < 0) || ((p1 == 0) && (p2 != NULL))) {
198 SM2error(SM2_R_INVALID_ARGUMENT);
199 return 0;
200 }
201 if ((p1 > 0) && (p2 == NULL)) {
202 SM2error(ERR_R_PASSED_NULL_PARAMETER);
203 return 0;
204 }
205 free(dctx->uid);
206 if (p2 == NULL) {
207 dctx->uid = NULL;
208 dctx->uid_len = 0;
209 return 1;
210 }
211
212 if ((dctx->uid = malloc(p1)) == NULL) {
213 SM2error(ERR_R_MALLOC_FAILURE);
214 return 1;
215 }
216 memcpy(dctx->uid, p2, p1);
217 dctx->uid_len = p1;
218 return 1;
219
220 case EVP_PKEY_CTRL_SM2_HASH_UID:
221 {
222 const EVP_MD* md;
223 uint8_t za[EVP_MAX_MD_SIZE] = {0};
224 int md_len;
225
226 if (dctx->uid == NULL) {
227 SM2error(SM2_R_INVALID_ARGUMENT);
228 return 0;
229 }
230
231 if ((md = EVP_MD_CTX_md(dctx->md_ctx)) == NULL) {
232 SM2error(ERR_R_EVP_LIB);
233 return 0;
234 }
235
236 if ((md_len = EVP_MD_size(md)) < 0) {
237 SM2error(SM2_R_INVALID_DIGEST);
238 return 0;
239 }
240
241 if (sm2_compute_userid_digest(za, md, dctx->uid, dctx->uid_len,
242 ctx->pkey->pkey.ec) != 1) {
243 SM2error(SM2_R_DIGEST_FAILURE);
244 return 0;
245 }
246 return EVP_DigestUpdate(dctx->md_ctx, za, md_len);
247 }
248
249 case EVP_PKEY_CTRL_SM2_GET_UID_LEN:
250 if (p2 == NULL) {
251 SM2error(ERR_R_PASSED_NULL_PARAMETER);
252 return 0;
253 }
254 *(size_t *)p2 = dctx->uid_len;
255 return 1;
256
257 case EVP_PKEY_CTRL_SM2_GET_UID:
258 if (p2 == NULL) {
259 SM2error(ERR_R_PASSED_NULL_PARAMETER);
260 return 0;
261 }
262 if (dctx->uid_len == 0) {
263 return 1;
264 }
265 memcpy(p2, dctx->uid, dctx->uid_len);
266 return 1;
267
268 case EVP_PKEY_CTRL_MD:
269 dctx->md = p2;
270 return 1;
271
272 default:
273 return -2;
274 }
275}
276
277static int
278pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
279{
280 int nid;
281
282 if (strcmp(type, "ec_paramgen_curve") == 0) {
283 if (((nid = EC_curve_nist2nid(value)) == NID_undef) &&
284 ((nid = OBJ_sn2nid(value)) == NID_undef) &&
285 ((nid = OBJ_ln2nid(value)) == NID_undef)) {
286 SM2error(SM2_R_INVALID_CURVE);
287 return 0;
288 }
289 return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
290 } else if (strcmp(type, "sm2_uid") == 0) {
291 return EVP_PKEY_CTX_set_sm2_uid(ctx, (void*) value,
292 (int)strlen(value));
293 }
294
295 return -2;
296}
297
298const EVP_PKEY_METHOD sm2_pkey_meth = {
299 .pkey_id = EVP_PKEY_SM2,
300 .init = pkey_sm2_init,
301 .copy = pkey_sm2_copy,
302 .cleanup = pkey_sm2_cleanup,
303
304 .sign = pkey_sm2_sign,
305
306 .verify = pkey_sm2_verify,
307
308 .encrypt = pkey_sm2_encrypt,
309
310 .decrypt = pkey_sm2_decrypt,
311
312 .ctrl = pkey_sm2_ctrl,
313 .ctrl_str = pkey_sm2_ctrl_str
314};
315
316#endif /* OPENSSL_NO_SM2 */
diff --git a/src/lib/libcrypto/sm2/sm2_sign.c b/src/lib/libcrypto/sm2/sm2_sign.c
deleted file mode 100644
index a5e3a8aee5..0000000000
--- a/src/lib/libcrypto/sm2/sm2_sign.c
+++ /dev/null
@@ -1,465 +0,0 @@
1/* $OpenBSD: sm2_sign.c,v 1.4 2023/07/05 17:36:19 tb Exp $ */
2/*
3 * Copyright (c) 2017, 2019 Ribose Inc
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef OPENSSL_NO_SM2
19
20#include <string.h>
21
22#include <openssl/sm2.h>
23#include <openssl/evp.h>
24#include <openssl/err.h>
25#include <openssl/bn.h>
26
27#include "bn_local.h"
28#include "sm2_local.h"
29
30static BIGNUM *
31sm2_compute_msg_hash(const EVP_MD *digest, const EC_KEY *key,
32 const uint8_t *uid, size_t uid_len, const uint8_t *msg, size_t msg_len)
33{
34 EVP_MD_CTX *hash;
35 BIGNUM *e = NULL;
36 int md_size;
37 uint8_t *za = NULL;
38
39 if ((hash = EVP_MD_CTX_new()) == NULL) {
40 SM2error(ERR_R_MALLOC_FAILURE);
41 goto err;
42 }
43
44 if ((md_size = EVP_MD_size(digest)) < 0) {
45 SM2error(SM2_R_INVALID_DIGEST);
46 goto err;
47 }
48
49 if ((za = calloc(1, md_size)) == NULL) {
50 SM2error(ERR_R_MALLOC_FAILURE);
51 goto err;
52 }
53
54 if (!sm2_compute_userid_digest(za, digest, uid, uid_len, key)) {
55 SM2error(SM2_R_DIGEST_FAILURE);
56 goto err;
57 }
58
59 if (!EVP_DigestInit(hash, digest)) {
60 SM2error(ERR_R_EVP_LIB);
61 goto err;
62 }
63
64 if (!EVP_DigestUpdate(hash, za, md_size)) {
65 SM2error(ERR_R_EVP_LIB);
66 goto err;
67 }
68
69 if (!EVP_DigestUpdate(hash, msg, msg_len)) {
70 SM2error(ERR_R_EVP_LIB);
71 goto err;
72 }
73
74 /* reuse za buffer to hold H(ZA || M) */
75 if (!EVP_DigestFinal(hash, za, NULL)) {
76 SM2error(ERR_R_EVP_LIB);
77 goto err;
78 }
79
80 e = BN_bin2bn(za, md_size, NULL);
81
82 err:
83 free(za);
84 EVP_MD_CTX_free(hash);
85 return e;
86}
87
88static ECDSA_SIG *
89sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
90{
91 ECDSA_SIG *sig = NULL;
92 const EC_GROUP *group;
93 EC_POINT *kG = NULL;
94 BN_CTX *ctx = NULL;
95 const BIGNUM *dA;
96 BIGNUM *order = NULL, *r = NULL, *s = NULL;
97 BIGNUM *k, *rk, *tmp, *x1;
98
99 if ((dA = EC_KEY_get0_private_key(key)) == NULL) {
100 SM2error(SM2_R_INVALID_FIELD);
101 goto err;
102 }
103
104 if ((group = EC_KEY_get0_group(key)) == NULL) {
105 SM2error(SM2_R_INVALID_FIELD);
106 goto err;
107 }
108
109 if ((order = BN_new()) == NULL) {
110 SM2error(ERR_R_MALLOC_FAILURE);
111 goto err;
112 }
113
114 if (!EC_GROUP_get_order(group, order, NULL)) {
115 SM2error(ERR_R_EC_LIB);
116 goto err;
117 }
118
119 if ((kG = EC_POINT_new(group)) == NULL) {
120 SM2error(ERR_R_MALLOC_FAILURE);
121 goto err;
122 }
123
124 if ((ctx = BN_CTX_new()) == NULL) {
125 SM2error(ERR_R_MALLOC_FAILURE);
126 goto err;
127 }
128
129 BN_CTX_start(ctx);
130
131 if ((k = BN_CTX_get(ctx)) == NULL) {
132 SM2error(ERR_R_BN_LIB);
133 goto err;
134 }
135 if ((rk = BN_CTX_get(ctx)) == NULL) {
136 SM2error(ERR_R_BN_LIB);
137 goto err;
138 }
139 if ((x1 = BN_CTX_get(ctx)) == NULL) {
140 SM2error(ERR_R_BN_LIB);
141 goto err;
142 }
143 if ((tmp = BN_CTX_get(ctx)) == NULL) {
144 SM2error(ERR_R_BN_LIB);
145 goto err;
146 }
147
148 /* r and s are returned as part of sig, so they can't be part of ctx. */
149 if ((r = BN_new()) == NULL) {
150 SM2error(ERR_R_MALLOC_FAILURE);
151 goto err;
152 }
153 if ((s = BN_new()) == NULL) {
154 SM2error(ERR_R_MALLOC_FAILURE);
155 goto err;
156 }
157
158 for (;;) {
159 if (!BN_rand_range(k, order)) {
160 SM2error(SM2_R_RANDOM_NUMBER_GENERATION_FAILED);
161 goto err;
162 }
163
164 if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx)) {
165 SM2error(ERR_R_EC_LIB);
166 goto err;
167 }
168
169 if (!EC_POINT_get_affine_coordinates(group, kG, x1, NULL,
170 ctx)) {
171 SM2error(ERR_R_EC_LIB);
172 goto err;
173 }
174
175 if (!BN_mod_add(r, e, x1, order, ctx)) {
176 SM2error(ERR_R_BN_LIB);
177 goto err;
178 }
179
180 /* try again if r == 0 or r + k == n */
181 if (BN_is_zero(r))
182 continue;
183
184 if (!BN_add(rk, r, k)) {
185 SM2error(ERR_R_BN_LIB);
186 goto err;
187 }
188
189 if (BN_cmp(rk, order) == 0)
190 continue;
191
192 if (!BN_add(s, dA, BN_value_one())) {
193 SM2error(ERR_R_BN_LIB);
194 goto err;
195 }
196
197 if (BN_mod_inverse_ct(s, s, order, ctx) == NULL) {
198 SM2error(ERR_R_BN_LIB);
199 goto err;
200 }
201
202 if (!BN_mod_mul(tmp, dA, r, order, ctx)) {
203 SM2error(ERR_R_BN_LIB);
204 goto err;
205 }
206
207 if (!BN_sub(tmp, k, tmp)) {
208 SM2error(ERR_R_BN_LIB);
209 goto err;
210 }
211
212 if (!BN_mod_mul(s, s, tmp, order, ctx)) {
213 SM2error(ERR_R_BN_LIB);
214 goto err;
215 }
216
217 if ((sig = ECDSA_SIG_new()) == NULL) {
218 SM2error(ERR_R_MALLOC_FAILURE);
219 goto err;
220 }
221
222 /* sig takes ownership of r and s */
223 if (!ECDSA_SIG_set0(sig, r, s)) {
224 SM2error(ERR_R_INTERNAL_ERROR);
225 goto err;
226 }
227 break;
228 }
229
230 err:
231 if (sig == NULL) {
232 BN_free(r);
233 BN_free(s);
234 }
235
236 BN_free(order);
237 BN_CTX_end(ctx);
238 BN_CTX_free(ctx);
239 EC_POINT_free(kG);
240 return sig;
241}
242
243static int
244sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig, const BIGNUM *e)
245{
246 const EC_GROUP *group;
247 EC_POINT *pt = NULL;
248 const BIGNUM *r = NULL, *s = NULL;
249 BN_CTX *ctx = NULL;
250 BIGNUM *order, *t, *x1;
251 int ret = 0;
252
253 if ((group = EC_KEY_get0_group(key)) == NULL) {
254 SM2error(SM2_R_INVALID_FIELD);
255 goto err;
256 }
257
258 if ((ctx = BN_CTX_new()) == NULL) {
259 SM2error(ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262
263 BN_CTX_start(ctx);
264
265 if ((order = BN_CTX_get(ctx)) == NULL) {
266 SM2error(ERR_R_MALLOC_FAILURE);
267 goto err;
268 }
269
270 if (!EC_GROUP_get_order(group, order, NULL)) {
271 SM2error(ERR_R_EC_LIB);
272 goto err;
273 }
274
275 if ((pt = EC_POINT_new(group)) == NULL) {
276 SM2error(ERR_R_MALLOC_FAILURE);
277 goto err;
278 }
279
280 if ((t = BN_CTX_get(ctx)) == NULL) {
281 SM2error(ERR_R_MALLOC_FAILURE);
282 goto err;
283 }
284 if ((x1 = BN_CTX_get(ctx)) == NULL) {
285 SM2error(ERR_R_MALLOC_FAILURE);
286 goto err;
287 }
288
289 /*
290 * Section 5.3.1 in https://tools.ietf.org/html/draft-shen-sm2-ecdsa-00
291 *
292 * B1: verify that r' is in [1, n-1]
293 * B2: verify that s' is in [1, n-1]
294 * B3: set M' ~= ZA || M'
295 * B4: calculate e' = Hv(M'~)
296 * B5: verify that t = r' + s' (mod n) is not zero
297 * B6: calculate the point (x1', y1') = [s']G + [t]PA
298 * B7: verify that r' == e' + x1' (mod n)
299 */
300
301 ECDSA_SIG_get0(sig, &r, &s);
302
303 /* B1: verify that r' is in [1, n-1] */
304 if (BN_cmp(r, BN_value_one()) < 0 || BN_cmp(order, r) <= 0) {
305 SM2error(SM2_R_BAD_SIGNATURE);
306 goto err;
307 }
308
309 /* B2: verify that s' is in [1, n-1] */
310 if (BN_cmp(s, BN_value_one()) < 0 || BN_cmp(order, s) <= 0) {
311 SM2error(SM2_R_BAD_SIGNATURE);
312 goto err;
313 }
314
315 /* B5: verify that t = r + s is not zero */
316 if (!BN_mod_add(t, r, s, order, ctx)) {
317 SM2error(ERR_R_BN_LIB);
318 goto err;
319 }
320 if (BN_is_zero(t)) {
321 SM2error(SM2_R_BAD_SIGNATURE);
322 goto err;
323 }
324
325 /* B6: calculate pt = (x1', y1') = [s']G + [t]PA */
326 if (!EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx)) {
327 SM2error(ERR_R_EC_LIB);
328 goto err;
329 }
330
331 if (!EC_POINT_get_affine_coordinates(group, pt, x1, NULL, ctx)) {
332 SM2error(ERR_R_EC_LIB);
333 goto err;
334 }
335
336 /* B7: verify that r' == e' + x1' (mod n) */
337 if (!BN_mod_add(t, e, x1, order, ctx)) {
338 SM2error(ERR_R_BN_LIB);
339 goto err;
340 }
341 if (BN_cmp(r, t) == 0)
342 ret = 1;
343
344 err:
345 EC_POINT_free(pt);
346 BN_CTX_end(ctx);
347 BN_CTX_free(ctx);
348 return ret;
349}
350
351ECDSA_SIG *
352sm2_do_sign(const EC_KEY *key, const EVP_MD *digest, const uint8_t *uid,
353 size_t uid_len, const uint8_t *msg, size_t msg_len)
354{
355 ECDSA_SIG *sig = NULL;
356 BIGNUM *e;
357
358 e = sm2_compute_msg_hash(digest, key, uid, uid_len, msg, msg_len);
359 if (e == NULL) {
360 SM2error(SM2_R_DIGEST_FAILURE);
361 goto err;
362 }
363
364 sig = sm2_sig_gen(key, e);
365
366 err:
367 BN_free(e);
368 return sig;
369}
370
371int
372sm2_do_verify(const EC_KEY *key, const EVP_MD *digest, const ECDSA_SIG *sig,
373 const uint8_t *uid, size_t uid_len, const uint8_t *msg, size_t msg_len)
374{
375 BIGNUM *e;
376 int ret = -1;
377
378 e = sm2_compute_msg_hash(digest, key, uid, uid_len, msg, msg_len);
379 if (e == NULL) {
380 SM2error(SM2_R_DIGEST_FAILURE);
381 goto err;
382 }
383
384 ret = sm2_sig_verify(key, sig, e);
385
386 err:
387 BN_free(e);
388 return ret;
389}
390
391int
392SM2_sign(const unsigned char *dgst, int dgstlen, unsigned char *sig,
393 unsigned int *siglen, EC_KEY *eckey)
394{
395 BIGNUM *e;
396 ECDSA_SIG *s = NULL;
397 int outlen = 0;
398 int ret = -1;
399
400 if ((e = BN_bin2bn(dgst, dgstlen, NULL)) == NULL) {
401 SM2error(ERR_R_MALLOC_FAILURE);
402 goto err;
403 }
404
405 if ((s = sm2_sig_gen(eckey, e)) == NULL) {
406 goto err;
407 }
408
409 if ((outlen = i2d_ECDSA_SIG(s, &sig)) < 0) {
410 SM2error(SM2_R_ASN1_ERROR);
411 goto err;
412 }
413
414 *siglen = outlen;
415 ret = 1;
416
417 err:
418 ECDSA_SIG_free(s);
419 BN_free(e);
420 return ret;
421}
422
423int
424SM2_verify(const unsigned char *dgst, int dgstlen, const unsigned char *sig,
425 int sig_len, EC_KEY *eckey)
426{
427 ECDSA_SIG *s;
428 BIGNUM *e = NULL;
429 const unsigned char *p = sig;
430 unsigned char *der = NULL;
431 int derlen = -1;
432 int ret = -1;
433
434 if ((s = ECDSA_SIG_new()) == NULL) {
435 SM2error(ERR_R_MALLOC_FAILURE);
436 goto err;
437 }
438
439 if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) {
440 SM2error(SM2_R_INVALID_ENCODING);
441 goto err;
442 }
443
444 /* Ensure signature uses DER and doesn't have trailing garbage */
445 derlen = i2d_ECDSA_SIG(s, &der);
446 if (derlen != sig_len || memcmp(sig, der, derlen) != 0) {
447 SM2error(SM2_R_INVALID_ENCODING);
448 goto err;
449 }
450
451 if ((e = BN_bin2bn(dgst, dgstlen, NULL)) == NULL) {
452 SM2error(ERR_R_BN_LIB);
453 goto err;
454 }
455
456 ret = sm2_sig_verify(eckey, s, e);
457
458 err:
459 free(der);
460 BN_free(e);
461 ECDSA_SIG_free(s);
462 return ret;
463}
464
465#endif /* OPENSSL_NO_SM2 */
diff --git a/src/lib/libcrypto/sm2/sm2_za.c b/src/lib/libcrypto/sm2/sm2_za.c
deleted file mode 100644
index 2a7f2846ec..0000000000
--- a/src/lib/libcrypto/sm2/sm2_za.c
+++ /dev/null
@@ -1,161 +0,0 @@
1/* $OpenBSD: sm2_za.c,v 1.1.1.1 2021/08/18 16:04:32 tb Exp $ */
2/*
3 * Copyright (c) 2017, 2019 Ribose Inc
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef OPENSSL_NO_SM2
19
20#include <openssl/sm2.h>
21#include <openssl/evp.h>
22#include <openssl/bn.h>
23#include <string.h>
24
25int
26sm2_compute_userid_digest(uint8_t *out, const EVP_MD *digest, uint8_t *uid,
27 size_t uid_len, const EC_KEY *key)
28{
29 const EC_GROUP *group;
30 EVP_MD_CTX *hash = NULL;
31 BN_CTX *ctx = NULL;
32 BIGNUM *p, *a, *b, *xG, *yG, *xA, *yA;
33 uint8_t *buf = NULL;
34 uint16_t entla;
35 uint8_t e_byte;
36 int bytes, p_bytes;
37 int rc = 0;
38
39 if ((group = EC_KEY_get0_group(key)) == NULL)
40 goto err;
41
42 if ((hash = EVP_MD_CTX_new()) == NULL)
43 goto err;
44
45 if ((ctx = BN_CTX_new()) == NULL)
46 goto err;
47
48 if ((p = BN_CTX_get(ctx)) == NULL)
49 goto err;
50 if ((a = BN_CTX_get(ctx)) == NULL)
51 goto err;
52 if ((b = BN_CTX_get(ctx)) == NULL)
53 goto err;
54 if ((xG = BN_CTX_get(ctx)) == NULL)
55 goto err;
56 if ((yG = BN_CTX_get(ctx)) == NULL)
57 goto err;
58 if ((xA = BN_CTX_get(ctx)) == NULL)
59 goto err;
60 if ((yA = BN_CTX_get(ctx)) == NULL)
61 goto err;
62
63 memset(out, 0, EVP_MD_size(digest));
64
65 if (!EVP_DigestInit(hash, digest))
66 goto err;
67
68 /*
69 * ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
70 */
71
72 if (uid_len >= 8192)
73 goto err;
74
75 entla = (unsigned short)(8 * uid_len);
76
77 e_byte = entla >> 8;
78 if (!EVP_DigestUpdate(hash, &e_byte, 1))
79 goto err;
80
81 e_byte = entla & 0xFF;
82 if (!EVP_DigestUpdate(hash, &e_byte, 1))
83 goto err;
84
85 if (!EVP_DigestUpdate(hash, uid, uid_len))
86 goto err;
87
88 if (!EC_GROUP_get_curve(group, p, a, b, ctx))
89 goto err;
90
91 p_bytes = BN_num_bytes(p);
92
93 if ((buf = calloc(1, p_bytes)) == NULL)
94 goto err;
95
96 if ((bytes = BN_num_bytes(a)) > p_bytes)
97 goto err;
98 BN_bn2bin(a, buf + p_bytes - bytes);
99 if (!EVP_DigestUpdate(hash, buf, p_bytes))
100 goto err;
101
102 if ((bytes = BN_num_bytes(b)) > p_bytes)
103 goto err;
104 memset(buf, 0, p_bytes - bytes);
105 BN_bn2bin(b, buf + p_bytes - bytes);
106 if (!EVP_DigestUpdate(hash, buf, p_bytes))
107 goto err;
108
109 if (!EC_POINT_get_affine_coordinates(group,
110 EC_GROUP_get0_generator(group), xG, yG, ctx))
111 goto err;
112
113 if ((bytes = BN_num_bytes(xG)) > p_bytes)
114 goto err;
115 memset(buf, 0, p_bytes - bytes);
116 BN_bn2bin(xG, buf + p_bytes - bytes);
117
118 if (!EVP_DigestUpdate(hash, buf, p_bytes))
119 goto err;
120
121 if ((bytes = BN_num_bytes(yG)) > p_bytes)
122 goto err;
123 memset(buf, 0, p_bytes - bytes);
124 BN_bn2bin(yG, buf + p_bytes - bytes);
125
126 if (!EVP_DigestUpdate(hash, buf, p_bytes))
127 goto err;
128
129 if (!EC_POINT_get_affine_coordinates(group,
130 EC_KEY_get0_public_key(key), xA, yA, ctx))
131 goto err;
132
133 if ((bytes = BN_num_bytes(xA)) > p_bytes)
134 goto err;
135 memset(buf, 0, p_bytes - bytes);
136 BN_bn2bin(xA, buf + p_bytes - bytes);
137
138 if (!EVP_DigestUpdate(hash, buf, p_bytes))
139 goto err;
140
141 if ((bytes = BN_num_bytes(yA)) > p_bytes)
142 goto err;
143 memset(buf, 0, p_bytes - bytes);
144 BN_bn2bin(yA, buf + p_bytes - bytes);
145
146 if (!EVP_DigestUpdate(hash, buf, p_bytes))
147 goto err;
148
149 if (!EVP_DigestFinal(hash, out, NULL))
150 goto err;
151
152 rc = 1;
153
154 err:
155 free(buf);
156 BN_CTX_free(ctx);
157 EVP_MD_CTX_free(hash);
158 return rc;
159}
160
161#endif /* OPENSSL_NO_SM2 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-06 19:48:51 +0000