From: Vitaly Chikunov <vt@altlinux.org>
Date: Mon, 17 Feb 2020 21:35:10 +0000 (+0300)
Subject: ec: Use BN_{CTX_,}secure_new memory API for priv keys
X-Git-Tag: v3.0.0~192
X-Git-Url: http://www.wagner.pp.ru/gitweb/?p=openssl-gost%2Fengine.git;a=commitdiff_plain;h=f3e7c24d4733bb1c096e43345602d3258e994e3c

ec: Use BN_{CTX_,}secure_new memory API for priv keys

OpenSSL suggests to use (and internally itself uses)
`BN_{CTX_,}secure_new' primitives to work with private keys.

These are using `OPENSSL_secure_malloc' et al. calls, which use
special 'secure heap' memory.

Along, optimize out `hashsum2bn' with `BN_lebin2bn'.
---

diff --git a/gost_ameth.c b/gost_ameth.c
index 7fe05c8..92cfc41 100644
--- a/gost_ameth.c
+++ b/gost_ameth.c
@@ -310,7 +310,7 @@ static BIGNUM *unmask_priv_key(EVP_PKEY *pk,
     const EC_KEY *key_ptr = (pk) ? EVP_PKEY_get0(pk) : NULL;
     const EC_GROUP *group = (key_ptr) ? EC_KEY_get0_group(key_ptr) : NULL;
 
-    pknum_masked = hashsum2bn(buf, len);
+    pknum_masked = BN_lebin2bn(buf, len, BN_secure_new());
     if (!pknum_masked)
         return NULL;
 
@@ -328,8 +328,8 @@ static BIGNUM *unmask_priv_key(EVP_PKEY *pk,
         }
 
         for (; p != buf; p -= len) {
-            BIGNUM *mask = hashsum2bn(p, len);
-            BN_CTX *ctx = BN_CTX_new();
+            BIGNUM *mask = BN_lebin2bn(p, len, BN_secure_new());
+            BN_CTX *ctx = BN_CTX_secure_new();
 
             BN_mod_mul(pknum_masked, pknum_masked, mask, q, ctx);
 
@@ -381,7 +381,7 @@ static int priv_decode_gost(EVP_PKEY *pk,
             GOSTerr(GOST_F_PRIV_DECODE_GOST, EVP_R_DECODE_ERROR);
             return 0;
         }
-        pk_num = hashsum2bn(s->data, s->length);
+        pk_num = BN_lebin2bn(s->data, s->length, BN_secure_new());
         ASN1_STRING_free(s);
     } else if (V_ASN1_INTEGER == *p) {
         priv_key = d2i_ASN1_INTEGER(NULL, &p, priv_len);
@@ -389,7 +389,7 @@ static int priv_decode_gost(EVP_PKEY *pk,
             GOSTerr(GOST_F_PRIV_DECODE_GOST, EVP_R_DECODE_ERROR);
             return 0;
         }
-        pk_num = ASN1_INTEGER_to_BN(priv_key, NULL);
+        pk_num = ASN1_INTEGER_to_BN(priv_key, BN_secure_new());
         ASN1_INTEGER_free(priv_key);
     } else if ((V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) == *p) {
         MASKED_GOST_KEY *mgk = NULL;
@@ -437,18 +437,18 @@ static int priv_encode_gost(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk)
     const char *pk_format = get_gost_engine_param(GOST_PARAM_PK_FORMAT);
 
     key_len = (key_len < 0) ? 0 : key_len / 8;
-    if (key_len == 0 || !(buf = OPENSSL_malloc(key_len))) {
+    if (key_len == 0 || !(buf = OPENSSL_secure_malloc(key_len))) {
         return 0;
     }
 
     if (!store_bignum(gost_get0_priv_key(pk), buf, key_len)) {
-        OPENSSL_free(buf);
+        OPENSSL_secure_free(buf);
         return 0;
     }
 
     params = encode_gost_algor_params(pk);
     if (!params) {
-        OPENSSL_free(buf);
+        OPENSSL_secure_free(buf);
         return 0;
     }
 
@@ -467,12 +467,12 @@ static int priv_encode_gost(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk)
         if (!octet || !ASN1_OCTET_STRING_set(octet, buf, key_len)) {
             ASN1_STRING_free(octet);
             ASN1_STRING_free(params);
-            OPENSSL_free(buf);
+            OPENSSL_secure_free(buf);
             return 0;
         }
         priv_len = i2d_ASN1_OCTET_STRING(octet, &priv_buf);
         ASN1_STRING_free(octet);
-        OPENSSL_free(buf);
+        OPENSSL_secure_free(buf);
 
         return PKCS8_pkey_set0(p8, algobj, 0, V_ASN1_SEQUENCE, params,
                                priv_buf, priv_len);
diff --git a/gost_ec_keyx.c b/gost_ec_keyx.c
index 2053d0d..faa0265 100644
--- a/gost_ec_keyx.c
+++ b/gost_ec_keyx.c
@@ -27,7 +27,7 @@ int VKO_compute_key(unsigned char *shared_key,
     BIGNUM *UKM = NULL, *p = NULL, *order = NULL, *X = NULL, *Y = NULL, *cofactor = NULL;
     const BIGNUM *key = EC_KEY_get0_private_key(priv_key);
     EC_POINT *pnt = EC_POINT_new(EC_KEY_get0_group(priv_key));
-    BN_CTX *ctx = BN_CTX_new();
+    BN_CTX *ctx = BN_CTX_secure_new();
     EVP_MD_CTX *mdctx = NULL;
     const EVP_MD *md = NULL;
     int buf_len, half_len;
@@ -45,7 +45,7 @@ int VKO_compute_key(unsigned char *shared_key,
         goto err;
     }
 
-    UKM = hashsum2bn(ukm, ukm_size);
+    UKM = BN_lebin2bn(ukm, ukm_size, NULL);
     p = BN_CTX_get(ctx);
     order = BN_CTX_get(ctx);
 		cofactor = BN_CTX_get(ctx);
diff --git a/gost_ec_sign.c b/gost_ec_sign.c
index 3db118a..df489ae 100644
--- a/gost_ec_sign.c
+++ b/gost_ec_sign.c
@@ -23,21 +23,6 @@ void dump_dsa_sig(const char *message, ECDSA_SIG *sig);
 # define dump_dsa_sig(a,b)
 #endif
 
-/* Convert little-endian byte array into bignum */
-BIGNUM *hashsum2bn(const unsigned char *dgst, int len)
-{
-    unsigned char buf[64];
-    int i;
-
-    if (len > sizeof(buf))
-        return NULL;
-
-    for (i = 0; i < len; i++) {
-        buf[len - i - 1] = dgst[i];
-    }
-    return BN_bin2bn(buf, len, NULL);
-}
-
 static R3410_ec_params *gost_nid2params(int nid)
 {
     R3410_ec_params *params;
@@ -183,14 +168,14 @@ ECDSA_SIG *gost_ec_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
 
     OPENSSL_assert(dgst != NULL && eckey != NULL);
 
-    if (!(ctx = BN_CTX_new())) {
+    if (!(ctx = BN_CTX_secure_new())) {
         GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
 
     BN_CTX_start(ctx);
     OPENSSL_assert(dlen == 32 || dlen == 64);
-    md = hashsum2bn(dgst, dlen);
+    md = BN_lebin2bn(dgst, dlen, NULL);
     newsig = ECDSA_SIG_new();
     if (!newsig || !md) {
         GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
@@ -367,7 +352,7 @@ int gost_ec_verify(const unsigned char *dgst, int dgst_len,
     }
 
     OPENSSL_assert(dgst_len == 32 || dgst_len == 64);
-    md = hashsum2bn(dgst, dgst_len);
+    md = BN_lebin2bn(dgst, dgst_len, NULL);
     if (!md || !BN_mod(e, md, order, ctx)) {
         GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_INTERNAL_ERROR);
         goto err;
@@ -454,7 +439,7 @@ int gost_ec_compute_public(EC_KEY *ec)
         return 0;
     }
 
-    ctx = BN_CTX_new();
+    ctx = BN_CTX_secure_new();
     if (!ctx) {
         GOSTerr(GOST_F_GOST_EC_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE);
         return 0;
@@ -508,7 +493,7 @@ int gost_ec_keygen(EC_KEY *ec)
     }
 
     order = BN_new();
-    d = BN_new();
+    d = BN_secure_new();
     if (!order || !d) {
         GOSTerr(GOST_F_GOST_EC_KEYGEN, ERR_R_MALLOC_FAILURE);
         goto end;
diff --git a/gost_lcl.h b/gost_lcl.h
index b590bf5..4eba354 100644
--- a/gost_lcl.h
+++ b/gost_lcl.h
@@ -292,9 +292,6 @@ int gost_kimp15(const unsigned char *expkey, const size_t expkeylen,
                 const unsigned char *iv, const size_t ivlen,
                 unsigned char *shared_key);
 /*============== miscellaneous functions============================= */
-/* from gost_sign.c */
-/* Convert GOST R 34.11 hash sum to bignum according to standard */
-BIGNUM *hashsum2bn(const unsigned char *dgst, int len);
 /*
  * Store bignum in byte array of given length, prepending by zeros if
  * nesseccary