
Commit 87b964a

committed
Make ECC curve lookup internal
In FIPSv5, `wc_ecc_get_curve_id_from_oid` is broken. With certain build configurations the OIDs are the wrong type too. Also with FIPSv5 the `ecc_sets` list is not available. So, this PR brings the lookup in-house.
1 parent c96d0c1 commit 87b964a


1 file changed

+60
-30
lines changed


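--- a/src/internal.c
+++ b/src/internal.c
@@ -510,6 +510,50 @@ struct WP11_Slot {
 #endif
 };
 
+#if defined(HAVE_FIPS) && FIPS_VERSION_LT(6,0)
+#define USE_LOCAL_CURVE_OID_LOOKUP
+typedef struct WP11_Ecc_Curve
+{
+ecc_curve_id curve_id;
+byte curve_oid[9];
+CK_LONG curve_size;
+} WP11_Ecc_Curve;
+
+const WP11_Ecc_Curve DefinedCurves[] = {
+{ ECC_SECP192R1, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01}, 8 },
+{ ECC_PRIME192V2, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02}, 8 },
+{ ECC_PRIME192V3, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03}, 8 },
+{ ECC_PRIME239V1, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04}, 8 },
+{ ECC_PRIME239V2, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05}, 8 },
+{ ECC_PRIME239V3, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06}, 8 },
+{ ECC_SECP256R1, {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07}, 8 },
+
+{ ECC_SECP112R1, {0x2B,0x81,0x04,0x00,0x06}, 5 },
+{ ECC_SECP112R2, {0x2B,0x81,0x04,0x00,0x07}, 5 },
+{ ECC_SECP128R1, {0x2B,0x81,0x04,0x00,0x1C}, 5 },
+{ ECC_SECP128R2, {0x2B,0x81,0x04,0x00,0x1D}, 5 },
+{ ECC_SECP160R1, {0x2B,0x81,0x04,0x00,0x08}, 5 },
+{ ECC_SECP160R2, {0x2B,0x81,0x04,0x00,0x1E}, 5 },
+{ ECC_SECP224R1, {0x2B,0x81,0x04,0x00,0x21}, 5 },
+{ ECC_SECP384R1, {0x2B,0x81,0x04,0x00,0x22}, 5 },
+{ ECC_SECP521R1, {0x2B,0x81,0x04,0x00,0x23}, 5 },
+
+{ ECC_SECP160K1, {0x2B,0x81,0x04,0x00,0x09}, 5 },
+{ ECC_SECP192K1, {0x2B,0x81,0x04,0x00,0x1F}, 5 },
+{ ECC_SECP224K1, {0x2B,0x81,0x04,0x00,0x20}, 5 },
+{ ECC_SECP256K1, {0x2B,0x81,0x04,0x00,0x0A}, 5 },
+
+{ ECC_BRAINPOOLP160R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x01}, 9 },
+{ ECC_BRAINPOOLP192R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x03}, 9 },
+{ ECC_BRAINPOOLP224R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05}, 9 },
+{ ECC_BRAINPOOLP256R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07}, 9 },
+{ ECC_BRAINPOOLP320R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09}, 9 },
+{ ECC_BRAINPOOLP384R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0B}, 9 },
+{ ECC_BRAINPOOLP512R1, {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0D}, 9 },
+
+{ ECC_CURVE_MAX, { 0x0 }, 0 }
+};
+#endif
 
 /* Number of slots. */
 #define slotCnt 1
@@ -7489,38 +7533,21 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data,
 #endif
 
 #ifdef HAVE_ECC
-
-#if defined(HAVE_FIPS) && \
-(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2))
-#define USE_LOCAL_CURVE_OID_LOOKUP
-/* This function is not in the FIPS 140-2 version */
-/* ecc_sets is exposed in ecc.h */
-static int ecc_get_curve_id_from_oid(const byte* oid, word32 len)
+#ifdef USE_LOCAL_CURVE_OID_LOOKUP
+static int ecc_lookup_curve(const byte* oid, word32 len)
 {
-int curve_idx;
+const WP11_Ecc_Curve* curve;
 
-if (oid == NULL)
-return BAD_FUNC_ARG;
-
-for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) {
-if (
-#ifndef WOLFSSL_ECC_CURVE_STATIC
-ecc_sets[curve_idx].oid &&
-#endif
-ecc_sets[curve_idx].oidSz == len &&
-XMEMCMP(ecc_sets[curve_idx].oid, oid, len) == 0
-) {
-break;
+for (curve = DefinedCurves; curve->curve_id < ECC_CURVE_MAX; curve++)
+{
+if (XMEMCMP(oid, curve->curve_oid, MIN(len, curve->curve_size)) == 0) {
+return curve->curve_id;
 }
 }
-if (ecc_sets[curve_idx].size == 0) {
-return ECC_CURVE_INVALID;
-}
-
-return ecc_sets[curve_idx].id;
+return ECC_CURVE_INVALID;
 }
-
 #endif
+
 /**
 * Set the EC Parameters based on the DER encoding of the OID.
 *
@@ -7546,12 +7573,15 @@ static int EcSetParams(ecc_key* key, byte* der, int len)
 if (ret == 0 && der[1] != len - 2)
 ret = BUFFER_E;
 if (ret == 0) {
+#ifdef USE_LOCAL_CURVE_OID_LOOKUP
 /* Find the curve matching the OID. */
-#ifdef USE_LOCAL_CURVE_OID_LOOKUP
-curveId = ecc_get_curve_id_from_oid(der + 2, der[1]);
-#else
+/* wc_ecc_get_curve_id_from_oid() is broken in FIPSv5 and ecc_sets is
+* not accessible in FIPS, so we have our own lookup.
+*/
+curveId = ecc_lookup_curve(der +2, der[1]);
+#else
 curveId = wc_ecc_get_curve_id_from_oid(der + 2, der[1]);
-#endif
+#endif
 if (curveId == ECC_CURVE_INVALID)
 ret = BAD_FUNC_ARG;
 }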
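Review bot: In `ecc_lookup_curve`, the test `XMEMCMP(oid, curve->curve_oid, MIN(len, curve->curve_size)) == 0` is a prefix match, whereas the removed code required `oidSz == len`, so an OID shorter or longer than a table entry can still resolve to a curve. A zero-length OID compares equal over zero bytes and returns the first entry, `ECC_SECP192R1`, instead of `ECC_CURVE_INVALID`; the visible `der[1] != len - 2` check in EcSetParams does not reject `der[1] == 0`, though a check outside the hunk might. Require equal lengths before comparing: `if (len == (word32)curve->curve_size && XMEMCMP(oid, curve->curve_oid, len) == 0) {`. The old `oid == NULL` guard was also dropped, and since EcSetParams begins outside the hunk it is not possible to confirm from here that `der` is validated before the call. Separately, `DefinedCurves` would be better declared `static const` so the table is not exported as a global symbol.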
