
Commit 5474dc5

committed
Make ECC curve lookup internal
In FIPSv5, `wc_ecc_get_curve_id_from_oid` is broken. With certain build configurations the OIDs are the wrong type too. Also with FIPSv5 the `ecc_sets` list is not available. So, this PR brings the lookup in-house.
1 parent 816f397 commit 5474dc5


1 file changed

+54
-32
lines changed


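--- a/src/internal.c
+++ b/src/internal.c
@@ -490,6 +490,48 @@ struct WP11_Slot {
 };
 
 
+typedef struct WP11_Ecc_Curve
+{
+ecc_curve_id curve_id;
+byte curve_oid[9];
+CK_LONG curve_size;
+} WP11_Ecc_Curve;
+
+const WP11_Ecc_Curve DefinedCurves[] = {
+{ ECC_SECP192R1, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01}, 8 },
+{ ECC_PRIME192V2, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02}, 8 },
+{ ECC_PRIME192V3, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03}, 8 },
+{ ECC_PRIME239V1, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04}, 8 },
+{ ECC_PRIME239V2, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05}, 8 },
+{ ECC_PRIME239V3, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06}, 8 },
+{ ECC_SECP256R1, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07}, 8 },
+
+{ ECC_SECP112R1, {0x2B,0x81,0x04,0x00,0x06}, 5 },
+{ ECC_SECP112R2, {0x2B,0x81,0x04,0x00,0x07}, 5 },
+{ ECC_SECP128R1, {0x2B,0x81,0x04,0x00,0x1C}, 5 },
+{ ECC_SECP128R2, {0x2B,0x81,0x04,0x00,0x1D}, 5 },
+{ ECC_SECP160R1, {0x2B,0x81,0x04,0x00,0x08}, 5 },
+{ ECC_SECP160R2, {0x2B,0x81,0x04,0x00,0x1E}, 5 },
+{ ECC_SECP224R1, {0x2B,0x81,0x04,0x00,0x21}, 5 },
+{ ECC_SECP384R1, {0x2B,0x81,0x04,0x00,0x22}, 5 },
+{ ECC_SECP521R1, {0x2B,0x81,0x04,0x00,0x23}, 5 },
+
+{ ECC_SECP160K1, {0x2B,0x81,0x04,0x00,0x09}, 5 },
+{ ECC_SECP192K1, {0x2B,0x81,0x04,0x00,0x1F}, 5 },
+{ ECC_SECP224K1, {0x2B,0x81,0x04,0x00,0x20}, 5 },
+{ ECC_SECP256K1, {0x2B,0x81,0x04,0x00,0x0A}, 5 },
+
+{ ECC_BRAINPOOLP160R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x01}, 9 },
+{ ECC_BRAINPOOLP192R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x03}, 9 },
+{ ECC_BRAINPOOLP224R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05}, 9 },
+{ ECC_BRAINPOOLP256R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07}, 9 },
+{ ECC_BRAINPOOLP320R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09}, 9 },
+{ ECC_BRAINPOOLP384R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0B}, 9 },
+{ ECC_BRAINPOOLP512R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0D}, 9 },
+
+{ ECC_CURVE_MAX, { 0x0 }, 0 }
+};
+
 /* Number of slots. */
 static int slotCnt = 1;
 /* List of slot objects. */
@@ -4256,7 +4298,7 @@ static int wp11_Object_Unstore(WP11_Object* object, int tokenId, int objId)
 {
 int ret;
 int storeObjType = -1;
-
+
 if (objId < 0) {
 return BAD_FUNC_ARG;
 }
@@ -7009,38 +7051,19 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data,
 #endif
 
 #ifdef HAVE_ECC
-
-#if defined(HAVE_FIPS) && \
-(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2))
-#define USE_LOCAL_CURVE_OID_LOOKUP
-/* This function is not in the FIPS 140-2 version */
-/* ecc_sets is exposed in ecc.h */
-static int ecc_get_curve_id_from_oid(const byte* oid, word32 len)
+static int ecc_lookup_curve(const byte* oid, word32 len)
 {
-int curve_idx;
+const WP11_Ecc_Curve* curve;
 
-if (oid == NULL)
-return BAD_FUNC_ARG;
-
-for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) {
-if (
-#ifndef WOLFSSL_ECC_CURVE_STATIC
-ecc_sets[curve_idx].oid &&
-#endif
-ecc_sets[curve_idx].oidSz == len &&
-XMEMCMP(ecc_sets[curve_idx].oid, oid, len) == 0
-) {
-break;
+for (curve = DefinedCurves; curve->curve_id < ECC_CURVE_MAX; curve++)
+{
+if (XMEMCMP(oid, curve->curve_oid, MIN(len, curve->curve_size)) == 0) {
+return curve->curve_id;
 }
 }
-if (ecc_sets[curve_idx].size == 0) {
-return ECC_CURVE_INVALID;
-}
-
-return ecc_sets[curve_idx].id;
+return ECC_CURVE_INVALID;
 }
 
-#endif
 /**
 * Set the EC Parameters based on the DER encoding of the OID.
 *
@@ -7067,11 +7090,10 @@ static int EcSetParams(ecc_key* key, byte* der, int len)
 ret = BUFFER_E;
 if (ret == 0) {
 /* Find the curve matching the OID. */
-#ifdef USE_LOCAL_CURVE_OID_LOOKUP
-curveId = ecc_get_curve_id_from_oid(der + 2, der[1]);
-#else
-curveId = wc_ecc_get_curve_id_from_oid(der + 2, der[1]);
-#endif
+/* wc_ecc_get_curve_id_from_oid() is broken in FIPSv5 and ecc_sets is
+* not accessible in FIPS, so we have our own lookup.
+*/
+curveId = ecc_lookup_curve(der +2, der[1]);
 if (curveId == ECC_CURVE_INVALID)
 ret = BAD_FUNC_ARG;
 }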
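Review bot: In `ecc_lookup_curve`, the test `XMEMCMP(oid, curve->curve_oid, MIN(len, curve->curve_size)) == 0` accepts any OID that merely shares a prefix with a table entry, whereas the removed code required `oidSz == len` before comparing. Because `len` is taken from `der[1]` in `EcSetParams`, a zero length compares zero bytes and resolves to the first entry (`ECC_SECP192R1`), and a truncated or over-long OID can resolve to a curve the encoding never named; any length checks EcSetParams does before this call are outside the hunk. Require an exact length match instead: `if (len == (word32)curve->curve_size && XMEMCMP(oid, curve->curve_oid, len) == 0) {`. The `oid == NULL` guard from the old function was also dropped, and `DefinedCurves` could be declared `static const` since the lookup is meant to stay internal to this file.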
