]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
fd38836b | 2 | * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. |
448be743 | 3 | * |
a7f182b7 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
aa6bb135 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
448be743 DSH |
8 | */ |
9 | ||
579422c8 P |
10 | /* |
11 | * ECDH and ECDSA low level APIs are deprecated for public use, but still ok | |
12 | * for internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
448be743 | 16 | #include <stdio.h> |
b39fc560 | 17 | #include "internal/cryptlib.h" |
448be743 DSH |
18 | #include <openssl/x509.h> |
19 | #include <openssl/ec.h> | |
1e26a8ba | 20 | #include <openssl/bn.h> |
3c27208f | 21 | #include <openssl/cms.h> |
88e20b85 | 22 | #include <openssl/asn1t.h> |
25f2138b DMSP |
23 | #include "crypto/asn1.h" |
24 | #include "crypto/evp.h" | |
4fe54d67 NT |
25 | #include <openssl/core_names.h> |
26 | #include "internal/param_build.h" | |
706457b7 | 27 | #include "ec_local.h" |
448be743 | 28 | |
e968561d | 29 | #ifndef OPENSSL_NO_CMS |
88e20b85 DSH |
30 | static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); |
31 | static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); | |
e968561d | 32 | #endif |
88e20b85 | 33 | |
cd701de9 | 34 | static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key) |
0f113f3e MC |
35 | { |
36 | const EC_GROUP *group; | |
37 | int nid; | |
38 | if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) { | |
39 | ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS); | |
40 | return 0; | |
41 | } | |
42 | if (EC_GROUP_get_asn1_flag(group) | |
43 | && (nid = EC_GROUP_get_curve_name(group))) | |
44 | /* we have a 'named curve' => just set the OID */ | |
45 | { | |
46 | *ppval = OBJ_nid2obj(nid); | |
47 | *pptype = V_ASN1_OBJECT; | |
48 | } else { /* explicit parameters */ | |
49 | ||
50 | ASN1_STRING *pstr = NULL; | |
51 | pstr = ASN1_STRING_new(); | |
90945fa3 | 52 | if (pstr == NULL) |
0f113f3e MC |
53 | return 0; |
54 | pstr->length = i2d_ECParameters(ec_key, &pstr->data); | |
55 | if (pstr->length <= 0) { | |
56 | ASN1_STRING_free(pstr); | |
57 | ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); | |
58 | return 0; | |
59 | } | |
60 | *ppval = pstr; | |
61 | *pptype = V_ASN1_SEQUENCE; | |
62 | } | |
63 | return 1; | |
64 | } | |
448be743 | 65 | |
6f81892e | 66 | static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) |
0f113f3e | 67 | { |
cd701de9 | 68 | const EC_KEY *ec_key = pkey->pkey.ec; |
0f113f3e MC |
69 | void *pval = NULL; |
70 | int ptype; | |
71 | unsigned char *penc = NULL, *p; | |
72 | int penclen; | |
73 | ||
74 | if (!eckey_param2type(&ptype, &pval, ec_key)) { | |
75 | ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB); | |
76 | return 0; | |
77 | } | |
78 | penclen = i2o_ECPublicKey(ec_key, NULL); | |
79 | if (penclen <= 0) | |
80 | goto err; | |
81 | penc = OPENSSL_malloc(penclen); | |
90945fa3 | 82 | if (penc == NULL) |
0f113f3e MC |
83 | goto err; |
84 | p = penc; | |
85 | penclen = i2o_ECPublicKey(ec_key, &p); | |
86 | if (penclen <= 0) | |
87 | goto err; | |
88 | if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC), | |
89 | ptype, pval, penc, penclen)) | |
90 | return 1; | |
91 | err: | |
92 | if (ptype == V_ASN1_OBJECT) | |
93 | ASN1_OBJECT_free(pval); | |
94 | else | |
95 | ASN1_STRING_free(pval); | |
b548a1f1 | 96 | OPENSSL_free(penc); |
0f113f3e MC |
97 | return 0; |
98 | } | |
448be743 | 99 | |
ac4e2577 | 100 | static EC_KEY *eckey_type2param(int ptype, const void *pval) |
0f113f3e MC |
101 | { |
102 | EC_KEY *eckey = NULL; | |
037241bf RS |
103 | EC_GROUP *group = NULL; |
104 | ||
0f113f3e | 105 | if (ptype == V_ASN1_SEQUENCE) { |
ac4e2577 | 106 | const ASN1_STRING *pstr = pval; |
037241bf RS |
107 | const unsigned char *pm = pstr->data; |
108 | int pmlen = pstr->length; | |
109 | ||
75ebbd9a | 110 | if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { |
0f113f3e MC |
111 | ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); |
112 | goto ecerr; | |
113 | } | |
114 | } else if (ptype == V_ASN1_OBJECT) { | |
ac4e2577 | 115 | const ASN1_OBJECT *poid = pval; |
0f113f3e MC |
116 | |
117 | /* | |
118 | * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID | |
119 | */ | |
120 | if ((eckey = EC_KEY_new()) == NULL) { | |
121 | ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE); | |
122 | goto ecerr; | |
123 | } | |
124 | group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid)); | |
125 | if (group == NULL) | |
126 | goto ecerr; | |
127 | EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); | |
128 | if (EC_KEY_set_group(eckey, group) == 0) | |
129 | goto ecerr; | |
130 | EC_GROUP_free(group); | |
131 | } else { | |
132 | ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); | |
133 | goto ecerr; | |
134 | } | |
135 | ||
136 | return eckey; | |
137 | ||
138 | ecerr: | |
8fdc3734 | 139 | EC_KEY_free(eckey); |
037241bf | 140 | EC_GROUP_free(group); |
0f113f3e MC |
141 | return NULL; |
142 | } | |
448be743 DSH |
143 | |
144 | static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) | |
0f113f3e MC |
145 | { |
146 | const unsigned char *p = NULL; | |
ac4e2577 | 147 | const void *pval; |
0f113f3e MC |
148 | int ptype, pklen; |
149 | EC_KEY *eckey = NULL; | |
150 | X509_ALGOR *palg; | |
151 | ||
152 | if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) | |
153 | return 0; | |
154 | X509_ALGOR_get0(NULL, &ptype, &pval, palg); | |
155 | ||
156 | eckey = eckey_type2param(ptype, pval); | |
157 | ||
158 | if (!eckey) { | |
159 | ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB); | |
160 | return 0; | |
161 | } | |
162 | ||
163 | /* We have parameters now set public key */ | |
164 | if (!o2i_ECPublicKey(&eckey, &p, pklen)) { | |
165 | ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR); | |
166 | goto ecerr; | |
167 | } | |
168 | ||
169 | EVP_PKEY_assign_EC_KEY(pkey, eckey); | |
170 | return 1; | |
171 | ||
172 | ecerr: | |
8fdc3734 | 173 | EC_KEY_free(eckey); |
0f113f3e MC |
174 | return 0; |
175 | } | |
448be743 | 176 | |
6f81892e | 177 | static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) |
0f113f3e MC |
178 | { |
179 | int r; | |
180 | const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec); | |
181 | const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec), | |
182 | *pb = EC_KEY_get0_public_key(b->pkey.ec); | |
978ecbb0 DW |
183 | if (group == NULL || pa == NULL || pb == NULL) |
184 | return -2; | |
0f113f3e MC |
185 | r = EC_POINT_cmp(group, pa, pb, NULL); |
186 | if (r == 0) | |
187 | return 1; | |
188 | if (r == 1) | |
189 | return 0; | |
190 | return -2; | |
191 | } | |
6f81892e | 192 | |
245c6bc3 | 193 | static int eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) |
0f113f3e MC |
194 | { |
195 | const unsigned char *p = NULL; | |
ac4e2577 | 196 | const void *pval; |
0f113f3e MC |
197 | int ptype, pklen; |
198 | EC_KEY *eckey = NULL; | |
245c6bc3 | 199 | const X509_ALGOR *palg; |
0f113f3e MC |
200 | |
201 | if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) | |
202 | return 0; | |
203 | X509_ALGOR_get0(NULL, &ptype, &pval, palg); | |
204 | ||
205 | eckey = eckey_type2param(ptype, pval); | |
206 | ||
12a765a5 | 207 | if (eckey == NULL) |
0f113f3e MC |
208 | goto ecliberr; |
209 | ||
210 | /* We have parameters now set private key */ | |
211 | if (!d2i_ECPrivateKey(&eckey, &p, pklen)) { | |
212 | ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR); | |
213 | goto ecerr; | |
214 | } | |
215 | ||
0f113f3e MC |
216 | EVP_PKEY_assign_EC_KEY(pkey, eckey); |
217 | return 1; | |
218 | ||
219 | ecliberr: | |
220 | ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); | |
221 | ecerr: | |
8fdc3734 | 222 | EC_KEY_free(eckey); |
0f113f3e MC |
223 | return 0; |
224 | } | |
448be743 | 225 | |
6f81892e | 226 | static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) |
448be743 | 227 | { |
b8a7bd83 | 228 | EC_KEY ec_key = *(pkey->pkey.ec); |
0f113f3e MC |
229 | unsigned char *ep, *p; |
230 | int eplen, ptype; | |
231 | void *pval; | |
b8a7bd83 | 232 | unsigned int old_flags; |
0f113f3e | 233 | |
b8a7bd83 | 234 | if (!eckey_param2type(&ptype, &pval, &ec_key)) { |
0f113f3e MC |
235 | ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR); |
236 | return 0; | |
237 | } | |
238 | ||
239 | /* set the private key */ | |
240 | ||
241 | /* | |
242 | * do not include the parameters in the SEC1 private key see PKCS#11 | |
243 | * 12.11 | |
244 | */ | |
b8a7bd83 RL |
245 | old_flags = EC_KEY_get_enc_flags(&ec_key); |
246 | EC_KEY_set_enc_flags(&ec_key, old_flags | EC_PKEY_NO_PARAMETERS); | |
247 | ||
248 | eplen = i2d_ECPrivateKey(&ec_key, NULL); | |
0f113f3e | 249 | if (!eplen) { |
0f113f3e MC |
250 | ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); |
251 | return 0; | |
252 | } | |
b196e7d9 | 253 | ep = OPENSSL_malloc(eplen); |
90945fa3 | 254 | if (ep == NULL) { |
0f113f3e MC |
255 | ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); |
256 | return 0; | |
257 | } | |
258 | p = ep; | |
b8a7bd83 | 259 | if (!i2d_ECPrivateKey(&ec_key, &p)) { |
0f113f3e MC |
260 | OPENSSL_free(ep); |
261 | ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); | |
262 | return 0; | |
263 | } | |
0f113f3e MC |
264 | |
265 | if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, | |
e0670973 Y |
266 | ptype, pval, ep, eplen)) { |
267 | OPENSSL_free(ep); | |
0f113f3e | 268 | return 0; |
e0670973 | 269 | } |
0f113f3e MC |
270 | |
271 | return 1; | |
448be743 DSH |
272 | } |
273 | ||
6f81892e | 274 | static int int_ec_size(const EVP_PKEY *pkey) |
0f113f3e MC |
275 | { |
276 | return ECDSA_size(pkey->pkey.ec); | |
277 | } | |
6f81892e DSH |
278 | |
279 | static int ec_bits(const EVP_PKEY *pkey) | |
0f113f3e | 280 | { |
be2e334f | 281 | return EC_GROUP_order_bits(EC_KEY_get0_group(pkey->pkey.ec)); |
0f113f3e | 282 | } |
6f81892e | 283 | |
2514fa79 | 284 | static int ec_security_bits(const EVP_PKEY *pkey) |
0f113f3e MC |
285 | { |
286 | int ecbits = ec_bits(pkey); | |
287 | if (ecbits >= 512) | |
288 | return 256; | |
289 | if (ecbits >= 384) | |
290 | return 192; | |
291 | if (ecbits >= 256) | |
292 | return 128; | |
293 | if (ecbits >= 224) | |
294 | return 112; | |
295 | if (ecbits >= 160) | |
296 | return 80; | |
297 | return ecbits / 2; | |
298 | } | |
2514fa79 | 299 | |
6f81892e | 300 | static int ec_missing_parameters(const EVP_PKEY *pkey) |
0f113f3e | 301 | { |
f72f00d4 | 302 | if (pkey->pkey.ec == NULL || EC_KEY_get0_group(pkey->pkey.ec) == NULL) |
0f113f3e MC |
303 | return 1; |
304 | return 0; | |
305 | } | |
6f81892e | 306 | |
930b0c4b | 307 | static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) |
0f113f3e MC |
308 | { |
309 | EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec)); | |
188a9bd9 | 310 | |
0f113f3e MC |
311 | if (group == NULL) |
312 | return 0; | |
2986ecdc DSH |
313 | if (to->pkey.ec == NULL) { |
314 | to->pkey.ec = EC_KEY_new(); | |
315 | if (to->pkey.ec == NULL) | |
188a9bd9 | 316 | goto err; |
2986ecdc | 317 | } |
0f113f3e | 318 | if (EC_KEY_set_group(to->pkey.ec, group) == 0) |
188a9bd9 | 319 | goto err; |
0f113f3e MC |
320 | EC_GROUP_free(group); |
321 | return 1; | |
188a9bd9 BE |
322 | err: |
323 | EC_GROUP_free(group); | |
324 | return 0; | |
0f113f3e | 325 | } |
6f81892e | 326 | |
930b0c4b | 327 | static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) |
0f113f3e MC |
328 | { |
329 | const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), | |
330 | *group_b = EC_KEY_get0_group(b->pkey.ec); | |
978ecbb0 DW |
331 | if (group_a == NULL || group_b == NULL) |
332 | return -2; | |
0f113f3e MC |
333 | if (EC_GROUP_cmp(group_a, group_b, NULL)) |
334 | return 0; | |
335 | else | |
336 | return 1; | |
337 | } | |
6f81892e DSH |
338 | |
339 | static void int_ec_free(EVP_PKEY *pkey) | |
0f113f3e MC |
340 | { |
341 | EC_KEY_free(pkey->pkey.ec); | |
342 | } | |
6f81892e | 343 | |
d6755bb6 DSH |
344 | typedef enum { |
345 | EC_KEY_PRINT_PRIVATE, | |
346 | EC_KEY_PRINT_PUBLIC, | |
347 | EC_KEY_PRINT_PARAM | |
348 | } ec_print_t; | |
349 | ||
350 | static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, ec_print_t ktype) | |
0f113f3e | 351 | { |
0f113f3e | 352 | const char *ecstr; |
7fc7d1a7 DSH |
353 | unsigned char *priv = NULL, *pub = NULL; |
354 | size_t privlen = 0, publen = 0; | |
355 | int ret = 0; | |
0f113f3e | 356 | const EC_GROUP *group; |
0f113f3e MC |
357 | |
358 | if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) { | |
7fc7d1a7 DSH |
359 | ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_PASSED_NULL_PARAMETER); |
360 | return 0; | |
0f113f3e MC |
361 | } |
362 | ||
82f52631 | 363 | if (ktype != EC_KEY_PRINT_PARAM && EC_KEY_get0_public_key(x) != NULL) { |
7fc7d1a7 DSH |
364 | publen = EC_KEY_key2buf(x, EC_KEY_get_conv_form(x), &pub, NULL); |
365 | if (publen == 0) | |
366 | goto err; | |
0f113f3e MC |
367 | } |
368 | ||
d6755bb6 | 369 | if (ktype == EC_KEY_PRINT_PRIVATE && EC_KEY_get0_private_key(x) != NULL) { |
7fc7d1a7 DSH |
370 | privlen = EC_KEY_priv2buf(x, &priv); |
371 | if (privlen == 0) | |
d810700b | 372 | goto err; |
d810700b | 373 | } |
0f113f3e | 374 | |
d6755bb6 | 375 | if (ktype == EC_KEY_PRINT_PRIVATE) |
0f113f3e | 376 | ecstr = "Private-Key"; |
d6755bb6 | 377 | else if (ktype == EC_KEY_PRINT_PUBLIC) |
0f113f3e MC |
378 | ecstr = "Public-Key"; |
379 | else | |
380 | ecstr = "ECDSA-Parameters"; | |
381 | ||
382 | if (!BIO_indent(bp, off, 128)) | |
383 | goto err; | |
be2e334f DSH |
384 | if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, |
385 | EC_GROUP_order_bits(group)) <= 0) | |
0f113f3e MC |
386 | goto err; |
387 | ||
7fc7d1a7 | 388 | if (privlen != 0) { |
d810700b DSH |
389 | if (BIO_printf(bp, "%*spriv:\n", off, "") <= 0) |
390 | goto err; | |
7fc7d1a7 | 391 | if (ASN1_buf_print(bp, priv, privlen, off + 4) == 0) |
d810700b DSH |
392 | goto err; |
393 | } | |
394 | ||
7fc7d1a7 | 395 | if (publen != 0) { |
d810700b DSH |
396 | if (BIO_printf(bp, "%*spub:\n", off, "") <= 0) |
397 | goto err; | |
7fc7d1a7 | 398 | if (ASN1_buf_print(bp, pub, publen, off + 4) == 0) |
d810700b DSH |
399 | goto err; |
400 | } | |
401 | ||
0f113f3e MC |
402 | if (!ECPKParameters_print(bp, group, off)) |
403 | goto err; | |
404 | ret = 1; | |
405 | err: | |
406 | if (!ret) | |
7fc7d1a7 DSH |
407 | ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_EC_LIB); |
408 | OPENSSL_clear_free(priv, privlen); | |
409 | OPENSSL_free(pub); | |
d810700b | 410 | return ret; |
0f113f3e | 411 | } |
35208f36 | 412 | |
3e4585c8 | 413 | static int eckey_param_decode(EVP_PKEY *pkey, |
0f113f3e MC |
414 | const unsigned char **pder, int derlen) |
415 | { | |
416 | EC_KEY *eckey; | |
75ebbd9a RS |
417 | |
418 | if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) { | |
0f113f3e MC |
419 | ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB); |
420 | return 0; | |
421 | } | |
422 | EVP_PKEY_assign_EC_KEY(pkey, eckey); | |
423 | return 1; | |
424 | } | |
3e4585c8 DSH |
425 | |
426 | static int eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder) | |
0f113f3e MC |
427 | { |
428 | return i2d_ECParameters(pkey->pkey.ec, pder); | |
429 | } | |
3e4585c8 | 430 | |
35208f36 | 431 | static int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, |
0f113f3e MC |
432 | ASN1_PCTX *ctx) |
433 | { | |
d6755bb6 | 434 | return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PARAM); |
0f113f3e | 435 | } |
35208f36 DSH |
436 | |
437 | static int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, | |
0f113f3e MC |
438 | ASN1_PCTX *ctx) |
439 | { | |
d6755bb6 | 440 | return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PUBLIC); |
0f113f3e | 441 | } |
35208f36 DSH |
442 | |
443 | static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, | |
0f113f3e MC |
444 | ASN1_PCTX *ctx) |
445 | { | |
d6755bb6 | 446 | return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PRIVATE); |
0f113f3e | 447 | } |
35208f36 | 448 | |
e4263314 | 449 | static int old_ec_priv_decode(EVP_PKEY *pkey, |
0f113f3e MC |
450 | const unsigned char **pder, int derlen) |
451 | { | |
452 | EC_KEY *ec; | |
75ebbd9a RS |
453 | |
454 | if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) { | |
0f113f3e MC |
455 | ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR); |
456 | return 0; | |
457 | } | |
458 | EVP_PKEY_assign_EC_KEY(pkey, ec); | |
459 | return 1; | |
460 | } | |
e4263314 DSH |
461 | |
462 | static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) | |
0f113f3e MC |
463 | { |
464 | return i2d_ECPrivateKey(pkey->pkey.ec, pder); | |
465 | } | |
e4263314 | 466 | |
492a9e24 | 467 | static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) |
0f113f3e MC |
468 | { |
469 | switch (op) { | |
470 | case ASN1_PKEY_CTRL_PKCS7_SIGN: | |
471 | if (arg1 == 0) { | |
472 | int snid, hnid; | |
473 | X509_ALGOR *alg1, *alg2; | |
474 | PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); | |
475 | if (alg1 == NULL || alg1->algorithm == NULL) | |
476 | return -1; | |
477 | hnid = OBJ_obj2nid(alg1->algorithm); | |
478 | if (hnid == NID_undef) | |
479 | return -1; | |
480 | if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) | |
481 | return -1; | |
482 | X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); | |
483 | } | |
484 | return 1; | |
8931b30d | 485 | #ifndef OPENSSL_NO_CMS |
0f113f3e MC |
486 | case ASN1_PKEY_CTRL_CMS_SIGN: |
487 | if (arg1 == 0) { | |
488 | int snid, hnid; | |
489 | X509_ALGOR *alg1, *alg2; | |
490 | CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); | |
491 | if (alg1 == NULL || alg1->algorithm == NULL) | |
492 | return -1; | |
493 | hnid = OBJ_obj2nid(alg1->algorithm); | |
494 | if (hnid == NID_undef) | |
495 | return -1; | |
496 | if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) | |
497 | return -1; | |
498 | X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); | |
499 | } | |
500 | return 1; | |
501 | ||
502 | case ASN1_PKEY_CTRL_CMS_ENVELOPE: | |
503 | if (arg1 == 1) | |
504 | return ecdh_cms_decrypt(arg2); | |
505 | else if (arg1 == 0) | |
506 | return ecdh_cms_encrypt(arg2); | |
507 | return -2; | |
508 | ||
509 | case ASN1_PKEY_CTRL_CMS_RI_TYPE: | |
510 | *(int *)arg2 = CMS_RECIPINFO_AGREE; | |
511 | return 1; | |
8931b30d | 512 | #endif |
492a9e24 | 513 | |
0f113f3e | 514 | case ASN1_PKEY_CTRL_DEFAULT_MD_NID: |
e766f4a0 PY |
515 | if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) { |
516 | /* For SM2, the only valid digest-alg is SM3 */ | |
517 | *(int *)arg2 = NID_sm3; | |
ef077ba0 | 518 | return 2; /* Make it mandatory */ |
e766f4a0 | 519 | } |
ef077ba0 | 520 | *(int *)arg2 = NID_sha256; |
eb7eb137 | 521 | return 1; |
492a9e24 | 522 | |
3bca6c27 DSH |
523 | case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: |
524 | return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL); | |
525 | ||
526 | case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: | |
527 | return EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(pkey), | |
528 | POINT_CONVERSION_UNCOMPRESSED, arg2, NULL); | |
529 | ||
0f113f3e MC |
530 | default: |
531 | return -2; | |
6f81892e | 532 | |
0f113f3e | 533 | } |
6f81892e | 534 | |
0f113f3e | 535 | } |
6f81892e | 536 | |
2aee35d3 PY |
537 | static int ec_pkey_check(const EVP_PKEY *pkey) |
538 | { | |
539 | EC_KEY *eckey = pkey->pkey.ec; | |
540 | ||
541 | /* stay consistent to what EVP_PKEY_check demands */ | |
542 | if (eckey->priv_key == NULL) { | |
6807b84e | 543 | ECerr(EC_F_EC_PKEY_CHECK, EC_R_MISSING_PRIVATE_KEY); |
2aee35d3 PY |
544 | return 0; |
545 | } | |
546 | ||
547 | return EC_KEY_check_key(eckey); | |
548 | } | |
549 | ||
b0004708 PY |
550 | static int ec_pkey_public_check(const EVP_PKEY *pkey) |
551 | { | |
552 | EC_KEY *eckey = pkey->pkey.ec; | |
553 | ||
554 | /* | |
555 | * Note: it unnecessary to check eckey->pub_key here since | |
556 | * it will be checked in EC_KEY_check_key(). In fact, the | |
557 | * EC_KEY_check_key() mainly checks the public key, and checks | |
558 | * the private key optionally (only if there is one). So if | |
559 | * someone passes a whole EC key (public + private), this | |
560 | * will also work... | |
561 | */ | |
562 | ||
563 | return EC_KEY_check_key(eckey); | |
564 | } | |
565 | ||
566 | static int ec_pkey_param_check(const EVP_PKEY *pkey) | |
567 | { | |
568 | EC_KEY *eckey = pkey->pkey.ec; | |
569 | ||
570 | /* stay consistent to what EVP_PKEY_check demands */ | |
571 | if (eckey->group == NULL) { | |
572 | ECerr(EC_F_EC_PKEY_PARAM_CHECK, EC_R_MISSING_PARAMETERS); | |
573 | return 0; | |
574 | } | |
575 | ||
576 | return EC_GROUP_check(eckey->group, NULL); | |
577 | } | |
578 | ||
4fe54d67 NT |
579 | static |
580 | size_t ec_pkey_dirty_cnt(const EVP_PKEY *pkey) | |
581 | { | |
582 | return pkey->pkey.ec->dirty_cnt; | |
583 | } | |
584 | ||
585 | static ossl_inline | |
586 | int ecparams_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl) | |
587 | { | |
588 | const EC_GROUP *ecg; | |
589 | int curve_nid; | |
590 | ||
591 | if (eckey == NULL) | |
592 | return 0; | |
593 | ||
594 | ecg = EC_KEY_get0_group(eckey); | |
595 | if (ecg == NULL) | |
596 | return 0; | |
597 | ||
598 | curve_nid = EC_GROUP_get_curve_name(ecg); | |
599 | ||
600 | if (curve_nid == NID_undef) { | |
601 | /* explicit parameters */ | |
602 | ||
603 | /* | |
604 | * TODO(3.0): should we support explicit parameters curves? | |
605 | */ | |
606 | return 0; | |
607 | } else { | |
608 | /* named curve */ | |
609 | const char *curve_name = NULL; | |
610 | ||
611 | if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL) | |
612 | return 0; | |
613 | ||
614 | if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0)) | |
615 | return 0; | |
616 | } | |
617 | ||
618 | return 1; | |
619 | } | |
620 | ||
621 | static | |
622 | int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, | |
623 | EVP_KEYMGMT *to_keymgmt) | |
624 | { | |
625 | const EC_KEY *eckey = NULL; | |
626 | const EC_GROUP *ecg = NULL; | |
627 | unsigned char *pub_key_buf = NULL; | |
628 | size_t pub_key_buflen; | |
629 | OSSL_PARAM_BLD tmpl; | |
630 | OSSL_PARAM *params = NULL; | |
631 | const BIGNUM *priv_key = NULL; | |
632 | const EC_POINT *pub_point = NULL; | |
0996cff9 | 633 | int selection = 0; |
4fe54d67 NT |
634 | int rv = 0; |
635 | ||
636 | if (from == NULL | |
637 | || (eckey = from->pkey.ec) == NULL | |
638 | || (ecg = EC_KEY_get0_group(eckey)) == NULL) | |
639 | return 0; | |
640 | ||
df13defd RL |
641 | /* |
642 | * If the EC_KEY method is foreign, then we can't be sure of anything, | |
643 | * and can therefore not export or pretend to export. | |
644 | */ | |
645 | if (EC_KEY_get_method(eckey) != EC_KEY_OpenSSL()) | |
646 | return 0; | |
647 | ||
4fe54d67 NT |
648 | ossl_param_bld_init(&tmpl); |
649 | ||
650 | /* export the domain parameters */ | |
651 | if (!ecparams_to_params(eckey, &tmpl)) | |
0996cff9 RL |
652 | goto err; |
653 | selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; | |
4fe54d67 NT |
654 | |
655 | priv_key = EC_KEY_get0_private_key(eckey); | |
656 | pub_point = EC_KEY_get0_public_key(eckey); | |
657 | ||
0996cff9 RL |
658 | if (pub_point != NULL) { |
659 | /* convert pub_point to a octet string according to the SECG standard */ | |
660 | if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point, | |
661 | POINT_CONVERSION_COMPRESSED, | |
662 | &pub_key_buf, NULL)) == 0 | |
663 | || !ossl_param_bld_push_octet_string(&tmpl, | |
664 | OSSL_PKEY_PARAM_PUB_KEY, | |
665 | pub_key_buf, | |
666 | pub_key_buflen)) | |
667 | goto err; | |
668 | selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; | |
669 | } | |
4fe54d67 NT |
670 | |
671 | if (priv_key != NULL) { | |
a377871d NT |
672 | size_t sz; |
673 | int ecbits; | |
674 | int ecdh_cofactor_mode; | |
675 | ||
676 | /* | |
677 | * Key import/export should never leak the bit length of the secret | |
678 | * scalar in the key. | |
679 | * | |
680 | * For this reason, on export we use padded BIGNUMs with fixed length. | |
681 | * | |
682 | * When importing we also should make sure that, even if short lived, | |
683 | * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as | |
684 | * soon as possible, so that any processing of this BIGNUM might opt for | |
685 | * constant time implementations in the backend. | |
686 | * | |
687 | * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have | |
688 | * to preallocate the BIGNUM internal buffer to a fixed public size big | |
689 | * enough that operations performed during the processing never trigger | |
690 | * a realloc which would leak the size of the scalar through memory | |
691 | * accesses. | |
692 | * | |
693 | * Fixed Length | |
694 | * ------------ | |
695 | * | |
696 | * The order of the large prime subgroup of the curve is our choice for | |
697 | * a fixed public size, as that is generally the upper bound for | |
698 | * generating a private key in EC cryptosystems and should fit all valid | |
699 | * secret scalars. | |
700 | * | |
701 | * For padding on export we just use the bit length of the order | |
702 | * converted to bytes (rounding up). | |
703 | * | |
704 | * For preallocating the BIGNUM storage we look at the number of "words" | |
705 | * required for the internal representation of the order, and we | |
706 | * preallocate 2 extra "words" in case any of the subsequent processing | |
707 | * might temporarily overflow the order length. | |
708 | */ | |
709 | ecbits = EC_GROUP_order_bits(ecg); | |
710 | if (ecbits <= 0) | |
711 | goto err; | |
712 | ||
713 | sz = (ecbits + 7 ) / 8; | |
714 | if (!ossl_param_bld_push_BN_pad(&tmpl, | |
715 | OSSL_PKEY_PARAM_PRIV_KEY, | |
716 | priv_key, sz)) | |
717 | goto err; | |
0996cff9 | 718 | selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; |
a377871d | 719 | |
4fe54d67 NT |
720 | /* |
721 | * The ECDH Cofactor Mode is defined only if the EC_KEY actually | |
722 | * contains a private key, so we check for the flag and export it only | |
723 | * in this case. | |
724 | */ | |
a377871d | 725 | ecdh_cofactor_mode = |
4fe54d67 NT |
726 | (EC_KEY_get_flags(eckey) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; |
727 | ||
4fe54d67 NT |
728 | /* Export the ECDH_COFACTOR_MODE parameter */ |
729 | if (!ossl_param_bld_push_int(&tmpl, | |
730 | OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, | |
731 | ecdh_cofactor_mode)) | |
732 | goto err; | |
0996cff9 | 733 | selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS; |
4fe54d67 NT |
734 | } |
735 | ||
736 | params = ossl_param_bld_to_param(&tmpl); | |
737 | ||
738 | /* We export, the provider imports */ | |
0996cff9 | 739 | rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); |
4fe54d67 NT |
740 | |
741 | err: | |
742 | ossl_param_bld_free(params); | |
743 | OPENSSL_free(pub_key_buf); | |
744 | return rv; | |
745 | } | |
746 | ||
0abae163 RL |
747 | static int ec_pkey_import_from(const OSSL_PARAM params[], void *key) |
748 | { | |
749 | EVP_PKEY *pkey = key; | |
750 | EC_KEY *ec = EC_KEY_new(); | |
751 | ||
752 | if (ec == NULL) { | |
753 | ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); | |
754 | return 0; | |
755 | } | |
756 | ||
757 | if (!ec_key_domparams_fromdata(ec, params) | |
758 | || !ec_key_otherparams_fromdata(ec, params) | |
759 | || !ec_key_fromdata(ec, params, 1) | |
760 | || !EVP_PKEY_assign_EC_KEY(pkey, ec)) { | |
761 | EC_KEY_free(ec); | |
762 | return 0; | |
763 | } | |
764 | return 1; | |
765 | } | |
766 | ||
0f113f3e MC |
767 | const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { |
768 | EVP_PKEY_EC, | |
769 | EVP_PKEY_EC, | |
770 | 0, | |
771 | "EC", | |
772 | "OpenSSL EC algorithm", | |
773 | ||
774 | eckey_pub_decode, | |
775 | eckey_pub_encode, | |
776 | eckey_pub_cmp, | |
777 | eckey_pub_print, | |
778 | ||
779 | eckey_priv_decode, | |
780 | eckey_priv_encode, | |
781 | eckey_priv_print, | |
782 | ||
783 | int_ec_size, | |
784 | ec_bits, | |
785 | ec_security_bits, | |
786 | ||
787 | eckey_param_decode, | |
788 | eckey_param_encode, | |
789 | ec_missing_parameters, | |
790 | ec_copy_parameters, | |
791 | ec_cmp_parameters, | |
792 | eckey_param_print, | |
793 | 0, | |
794 | ||
795 | int_ec_free, | |
796 | ec_pkey_ctrl, | |
797 | old_ec_priv_decode, | |
2aee35d3 PY |
798 | old_ec_priv_encode, |
799 | ||
800 | 0, 0, 0, | |
801 | ||
b0004708 PY |
802 | ec_pkey_check, |
803 | ec_pkey_public_check, | |
4fe54d67 NT |
804 | ec_pkey_param_check, |
805 | ||
806 | 0, /* set_priv_key */ | |
807 | 0, /* set_pub_key */ | |
808 | 0, /* get_priv_key */ | |
809 | 0, /* get_pub_key */ | |
810 | ||
811 | ec_pkey_dirty_cnt, | |
0abae163 RL |
812 | ec_pkey_export_to, |
813 | ec_pkey_import_from | |
0f113f3e | 814 | }; |
88e20b85 | 815 | |
ddb634fe JL |
816 | #if !defined(OPENSSL_NO_SM2) |
817 | const EVP_PKEY_ASN1_METHOD sm2_asn1_meth = { | |
818 | EVP_PKEY_SM2, | |
819 | EVP_PKEY_EC, | |
820 | ASN1_PKEY_ALIAS | |
821 | }; | |
822 | #endif | |
823 | ||
dca5eeb4 RS |
824 | int EC_KEY_print(BIO *bp, const EC_KEY *x, int off) |
825 | { | |
826 | int private = EC_KEY_get0_private_key(x) != NULL; | |
827 | ||
828 | return do_EC_KEY_print(bp, x, off, | |
a66069db | 829 | private ? EC_KEY_PRINT_PRIVATE : EC_KEY_PRINT_PUBLIC); |
dca5eeb4 RS |
830 | } |
831 | ||
832 | int ECParameters_print(BIO *bp, const EC_KEY *x) | |
833 | { | |
834 | return do_EC_KEY_print(bp, x, 4, EC_KEY_PRINT_PARAM); | |
835 | } | |
836 | ||
88e20b85 DSH |
837 | #ifndef OPENSSL_NO_CMS |
838 | ||
839 | static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx, | |
0f113f3e MC |
840 | X509_ALGOR *alg, ASN1_BIT_STRING *pubkey) |
841 | { | |
ac4e2577 | 842 | const ASN1_OBJECT *aoid; |
0f113f3e | 843 | int atype; |
ac4e2577 | 844 | const void *aval; |
0f113f3e MC |
845 | int rv = 0; |
846 | EVP_PKEY *pkpeer = NULL; | |
847 | EC_KEY *ecpeer = NULL; | |
848 | const unsigned char *p; | |
849 | int plen; | |
850 | X509_ALGOR_get0(&aoid, &atype, &aval, alg); | |
851 | if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey) | |
852 | goto err; | |
853 | /* If absent parameters get group from main key */ | |
854 | if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) { | |
855 | const EC_GROUP *grp; | |
856 | EVP_PKEY *pk; | |
857 | pk = EVP_PKEY_CTX_get0_pkey(pctx); | |
12a765a5 | 858 | if (pk == NULL) |
0f113f3e MC |
859 | goto err; |
860 | grp = EC_KEY_get0_group(pk->pkey.ec); | |
861 | ecpeer = EC_KEY_new(); | |
90945fa3 | 862 | if (ecpeer == NULL) |
0f113f3e MC |
863 | goto err; |
864 | if (!EC_KEY_set_group(ecpeer, grp)) | |
865 | goto err; | |
866 | } else { | |
867 | ecpeer = eckey_type2param(atype, aval); | |
868 | if (!ecpeer) | |
869 | goto err; | |
870 | } | |
871 | /* We have parameters now set public key */ | |
872 | plen = ASN1_STRING_length(pubkey); | |
17ebf85a | 873 | p = ASN1_STRING_get0_data(pubkey); |
12a765a5 | 874 | if (p == NULL || plen == 0) |
0f113f3e MC |
875 | goto err; |
876 | if (!o2i_ECPublicKey(&ecpeer, &p, plen)) | |
877 | goto err; | |
878 | pkpeer = EVP_PKEY_new(); | |
90945fa3 | 879 | if (pkpeer == NULL) |
0f113f3e MC |
880 | goto err; |
881 | EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer); | |
882 | if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) | |
883 | rv = 1; | |
884 | err: | |
8fdc3734 | 885 | EC_KEY_free(ecpeer); |
c5ba2d99 | 886 | EVP_PKEY_free(pkpeer); |
0f113f3e MC |
887 | return rv; |
888 | } | |
889 | ||
88e20b85 DSH |
890 | /* Set KDF parameters based on KDF NID */ |
891 | static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid) | |
0f113f3e MC |
892 | { |
893 | int kdf_nid, kdfmd_nid, cofactor; | |
894 | const EVP_MD *kdf_md; | |
895 | if (eckdf_nid == NID_undef) | |
896 | return 0; | |
897 | ||
898 | /* Lookup KDF type, cofactor mode and digest */ | |
899 | if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid)) | |
900 | return 0; | |
901 | ||
902 | if (kdf_nid == NID_dh_std_kdf) | |
903 | cofactor = 0; | |
904 | else if (kdf_nid == NID_dh_cofactor_kdf) | |
905 | cofactor = 1; | |
906 | else | |
907 | return 0; | |
908 | ||
909 | if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) | |
910 | return 0; | |
911 | ||
ffd89124 | 912 | if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0) |
0f113f3e MC |
913 | return 0; |
914 | ||
915 | kdf_md = EVP_get_digestbynid(kdfmd_nid); | |
916 | if (!kdf_md) | |
917 | return 0; | |
918 | ||
919 | if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) | |
920 | return 0; | |
921 | return 1; | |
922 | } | |
88e20b85 | 923 | |
88e20b85 | 924 | static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) |
0f113f3e MC |
925 | { |
926 | int rv = 0; | |
927 | ||
928 | X509_ALGOR *alg, *kekalg = NULL; | |
929 | ASN1_OCTET_STRING *ukm; | |
930 | const unsigned char *p; | |
931 | unsigned char *der = NULL; | |
932 | int plen, keylen; | |
933 | const EVP_CIPHER *kekcipher; | |
934 | EVP_CIPHER_CTX *kekctx; | |
935 | ||
936 | if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) | |
937 | return 0; | |
938 | ||
939 | if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { | |
940 | ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR); | |
941 | return 0; | |
942 | } | |
943 | ||
944 | if (alg->parameter->type != V_ASN1_SEQUENCE) | |
945 | return 0; | |
946 | ||
947 | p = alg->parameter->value.sequence->data; | |
948 | plen = alg->parameter->value.sequence->length; | |
949 | kekalg = d2i_X509_ALGOR(NULL, &p, plen); | |
950 | if (!kekalg) | |
951 | goto err; | |
952 | kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); | |
953 | if (!kekctx) | |
954 | goto err; | |
955 | kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); | |
956 | if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) | |
957 | goto err; | |
958 | if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) | |
959 | goto err; | |
960 | if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) | |
961 | goto err; | |
962 | ||
963 | keylen = EVP_CIPHER_CTX_key_length(kekctx); | |
964 | if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) | |
965 | goto err; | |
966 | ||
967 | plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen); | |
968 | ||
969 | if (!plen) | |
970 | goto err; | |
971 | ||
972 | if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0) | |
973 | goto err; | |
974 | der = NULL; | |
975 | ||
976 | rv = 1; | |
977 | err: | |
222561fe RS |
978 | X509_ALGOR_free(kekalg); |
979 | OPENSSL_free(der); | |
0f113f3e MC |
980 | return rv; |
981 | } | |
88e20b85 DSH |
982 | |
983 | static int ecdh_cms_decrypt(CMS_RecipientInfo *ri) | |
0f113f3e MC |
984 | { |
985 | EVP_PKEY_CTX *pctx; | |
986 | pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); | |
987 | if (!pctx) | |
988 | return 0; | |
989 | /* See if we need to set peer key */ | |
990 | if (!EVP_PKEY_CTX_get0_peerkey(pctx)) { | |
991 | X509_ALGOR *alg; | |
992 | ASN1_BIT_STRING *pubkey; | |
993 | if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey, | |
994 | NULL, NULL, NULL)) | |
995 | return 0; | |
996 | if (!alg || !pubkey) | |
997 | return 0; | |
998 | if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) { | |
999 | ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_PEER_KEY_ERROR); | |
1000 | return 0; | |
1001 | } | |
1002 | } | |
1003 | /* Set ECDH derivation parameters and initialise unwrap context */ | |
1004 | if (!ecdh_cms_set_shared_info(pctx, ri)) { | |
1005 | ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_SHARED_INFO_ERROR); | |
1006 | return 0; | |
1007 | } | |
1008 | return 1; | |
1009 | } | |
88e20b85 DSH |
1010 | |
1011 | static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) | |
0f113f3e MC |
1012 | { |
1013 | EVP_PKEY_CTX *pctx; | |
1014 | EVP_PKEY *pkey; | |
1015 | EVP_CIPHER_CTX *ctx; | |
1016 | int keylen; | |
1017 | X509_ALGOR *talg, *wrap_alg = NULL; | |
ac4e2577 | 1018 | const ASN1_OBJECT *aoid; |
0f113f3e MC |
1019 | ASN1_BIT_STRING *pubkey; |
1020 | ASN1_STRING *wrap_str; | |
1021 | ASN1_OCTET_STRING *ukm; | |
1022 | unsigned char *penc = NULL; | |
1023 | int penclen; | |
1024 | int rv = 0; | |
1025 | int ecdh_nid, kdf_type, kdf_nid, wrap_nid; | |
1026 | const EVP_MD *kdf_md; | |
1027 | pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); | |
1028 | if (!pctx) | |
1029 | return 0; | |
1030 | /* Get ephemeral key */ | |
1031 | pkey = EVP_PKEY_CTX_get0_pkey(pctx); | |
1032 | if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey, | |
1033 | NULL, NULL, NULL)) | |
1034 | goto err; | |
1035 | X509_ALGOR_get0(&aoid, NULL, NULL, talg); | |
1036 | /* Is everything uninitialised? */ | |
1037 | if (aoid == OBJ_nid2obj(NID_undef)) { | |
1038 | ||
1039 | EC_KEY *eckey = pkey->pkey.ec; | |
1040 | /* Set the key */ | |
1041 | unsigned char *p; | |
1042 | ||
1043 | penclen = i2o_ECPublicKey(eckey, NULL); | |
1044 | if (penclen <= 0) | |
1045 | goto err; | |
1046 | penc = OPENSSL_malloc(penclen); | |
90945fa3 | 1047 | if (penc == NULL) |
0f113f3e MC |
1048 | goto err; |
1049 | p = penc; | |
1050 | penclen = i2o_ECPublicKey(eckey, &p); | |
1051 | if (penclen <= 0) | |
1052 | goto err; | |
1053 | ASN1_STRING_set0(pubkey, penc, penclen); | |
1054 | pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); | |
1055 | pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; | |
1056 | ||
1057 | penc = NULL; | |
1058 | X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), | |
1059 | V_ASN1_UNDEF, NULL); | |
1060 | } | |
1061 | ||
0d4fb843 | 1062 | /* See if custom parameters set */ |
0f113f3e MC |
1063 | kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx); |
1064 | if (kdf_type <= 0) | |
1065 | goto err; | |
1066 | if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md)) | |
1067 | goto err; | |
1068 | ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx); | |
1069 | if (ecdh_nid < 0) | |
1070 | goto err; | |
1071 | else if (ecdh_nid == 0) | |
1072 | ecdh_nid = NID_dh_std_kdf; | |
1073 | else if (ecdh_nid == 1) | |
1074 | ecdh_nid = NID_dh_cofactor_kdf; | |
1075 | ||
1076 | if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { | |
ffd89124 | 1077 | kdf_type = EVP_PKEY_ECDH_KDF_X9_63; |
0f113f3e MC |
1078 | if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) |
1079 | goto err; | |
1080 | } else | |
0d4fb843 | 1081 | /* Unknown KDF */ |
0f113f3e MC |
1082 | goto err; |
1083 | if (kdf_md == NULL) { | |
1084 | /* Fixme later for better MD */ | |
1085 | kdf_md = EVP_sha1(); | |
1086 | if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) | |
1087 | goto err; | |
1088 | } | |
1089 | ||
1090 | if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm)) | |
1091 | goto err; | |
1092 | ||
1093 | /* Lookup NID for KDF+cofactor+digest */ | |
1094 | ||
1095 | if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid)) | |
1096 | goto err; | |
1097 | /* Get wrap NID */ | |
1098 | ctx = CMS_RecipientInfo_kari_get0_ctx(ri); | |
1099 | wrap_nid = EVP_CIPHER_CTX_type(ctx); | |
1100 | keylen = EVP_CIPHER_CTX_key_length(ctx); | |
1101 | ||
1102 | /* Package wrap algorithm in an AlgorithmIdentifier */ | |
1103 | ||
1104 | wrap_alg = X509_ALGOR_new(); | |
90945fa3 | 1105 | if (wrap_alg == NULL) |
0f113f3e MC |
1106 | goto err; |
1107 | wrap_alg->algorithm = OBJ_nid2obj(wrap_nid); | |
1108 | wrap_alg->parameter = ASN1_TYPE_new(); | |
90945fa3 | 1109 | if (wrap_alg->parameter == NULL) |
0f113f3e MC |
1110 | goto err; |
1111 | if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0) | |
1112 | goto err; | |
1113 | if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) { | |
1114 | ASN1_TYPE_free(wrap_alg->parameter); | |
1115 | wrap_alg->parameter = NULL; | |
1116 | } | |
1117 | ||
1118 | if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) | |
1119 | goto err; | |
1120 | ||
1121 | penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); | |
1122 | ||
1123 | if (!penclen) | |
1124 | goto err; | |
1125 | ||
1126 | if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) | |
1127 | goto err; | |
1128 | penc = NULL; | |
1129 | ||
1130 | /* | |
1131 | * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter | |
1132 | * of another AlgorithmIdentifier. | |
1133 | */ | |
1134 | penclen = i2d_X509_ALGOR(wrap_alg, &penc); | |
1135 | if (!penc || !penclen) | |
1136 | goto err; | |
1137 | wrap_str = ASN1_STRING_new(); | |
90945fa3 | 1138 | if (wrap_str == NULL) |
0f113f3e MC |
1139 | goto err; |
1140 | ASN1_STRING_set0(wrap_str, penc, penclen); | |
1141 | penc = NULL; | |
1142 | X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str); | |
1143 | ||
1144 | rv = 1; | |
1145 | ||
1146 | err: | |
222561fe RS |
1147 | OPENSSL_free(penc); |
1148 | X509_ALGOR_free(wrap_alg); | |
0f113f3e MC |
1149 | return rv; |
1150 | } | |
88e20b85 DSH |
1151 | |
1152 | #endif |