[thirdparty/openssl.git] / crypto / ec / ec_pmeth.c

/*
 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/ec.h>
#include "ec_local.h"
#include <openssl/evp.h>
#include "crypto/evp.h"

/* EC pkey context structure */

typedef struct {
    /* Key and paramgen group */
    EC_GROUP *gen_group;
    /* message digest */
    const EVP_MD *md;
    /* Duplicate key if custom cofactor needed */
    EC_KEY *co_key;
    /* Cofactor mode */
    signed char cofactor_mode;
    /* KDF (if any) to use for ECDH */
    char kdf_type;
    /* Message digest to use for key derivation */
    const EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
} EC_PKEY_CTX;

static int pkey_ec_init(EVP_PKEY_CTX *ctx)
{
    EC_PKEY_CTX *dctx;

    if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
        ECerr(EC_F_PKEY_EC_INIT, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    dctx->cofactor_mode = -1;
    dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
    ctx->data = dctx;
    return 1;
}

static int pkey_ec_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
{
    EC_PKEY_CTX *dctx, *sctx;
    if (!pkey_ec_init(dst))
        return 0;
    sctx = src->data;
    dctx = dst->data;
    if (sctx->gen_group) {
        dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
        if (!dctx->gen_group)
            return 0;
    }
    dctx->md = sctx->md;

    if (sctx->co_key) {
        dctx->co_key = EC_KEY_dup(sctx->co_key);
        if (!dctx->co_key)
            return 0;
    }
    dctx->kdf_type = sctx->kdf_type;
    dctx->kdf_md = sctx->kdf_md;
    dctx->kdf_outlen = sctx->kdf_outlen;
    if (sctx->kdf_ukm) {
        dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
        if (!dctx->kdf_ukm)
            return 0;
    } else
        dctx->kdf_ukm = NULL;
    dctx->kdf_ukmlen = sctx->kdf_ukmlen;
    return 1;
}

static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
{
    EC_PKEY_CTX *dctx = ctx->data;
    if (dctx != NULL) {
        EC_GROUP_free(dctx->gen_group);
        EC_KEY_free(dctx->co_key);
        OPENSSL_free(dctx->kdf_ukm);
        OPENSSL_free(dctx);
        ctx->data = NULL;
    }
}

static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                        const unsigned char *tbs, size_t tbslen)
{
    int ret, type;
    unsigned int sltmp;
    EC_PKEY_CTX *dctx = ctx->data;
    EC_KEY *ec = ctx->pkey->pkey.ec;
    const int sig_sz = ECDSA_size(ec);

    /* ensure cast to size_t is safe */
    if (!ossl_assert(sig_sz > 0))
        return 0;

    if (sig == NULL) {
        *siglen = (size_t)sig_sz;
        return 1;
    }

    if (*siglen < (size_t)sig_sz) {
        ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL);
        return 0;
    }

    type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1;

    ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);

    if (ret <= 0)
        return ret;
    *siglen = (size_t)sltmp;
    return 1;
}

static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
                          const unsigned char *sig, size_t siglen,
                          const unsigned char *tbs, size_t tbslen)
{
    int ret, type;
    EC_PKEY_CTX *dctx = ctx->data;
    EC_KEY *ec = ctx->pkey->pkey.ec;

    if (dctx->md)
        type = EVP_MD_type(dctx->md);
    else
        type = NID_sha1;

    ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec);

    return ret;
}

#ifndef OPENSSL_NO_EC
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{
    int ret;
    size_t outlen;
    const EC_POINT *pubkey = NULL;
    EC_KEY *eckey;
    EC_PKEY_CTX *dctx = ctx->data;
    if (!ctx->pkey || !ctx->peerkey) {
        ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
        return 0;
    }

    eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;

    if (!key) {
        const EC_GROUP *group;
        group = EC_KEY_get0_group(eckey);
        *keylen = (EC_GROUP_get_degree(group) + 7) / 8;
        return 1;
    }
    pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);

    /*
     * NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
     * an error, the result is truncated.
     */

    outlen = *keylen;

    ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
    if (ret <= 0)
        return 0;
    *keylen = ret;
    return 1;
}

static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
                              unsigned char *key, size_t *keylen)
{
    EC_PKEY_CTX *dctx = ctx->data;
    unsigned char *ktmp = NULL;
    size_t ktmplen;
    int rv = 0;
    if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
        return pkey_ec_derive(ctx, key, keylen);
    if (!key) {
        *keylen = dctx->kdf_outlen;
        return 1;
    }
    if (*keylen != dctx->kdf_outlen)
        return 0;
    if (!pkey_ec_derive(ctx, NULL, &ktmplen))
        return 0;
    if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL) {
        ECerr(EC_F_PKEY_EC_KDF_DERIVE, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
        goto err;
    /* Do KDF stuff */
    if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
                        dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
        goto err;
    rv = 1;

 err:
    OPENSSL_clear_free(ktmp, ktmplen);
    return rv;
}
#endif

static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
    EC_PKEY_CTX *dctx = ctx->data;
    EC_GROUP *group;
    switch (type) {
    case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
        group = EC_GROUP_new_by_curve_name(p1);
        if (group == NULL) {
            ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
            return 0;
        }
        EC_GROUP_free(dctx->gen_group);
        dctx->gen_group = group;
        return 1;

    case EVP_PKEY_CTRL_EC_PARAM_ENC:
        if (!dctx->gen_group) {
            ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET);
            return 0;
        }
        EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
        return 1;

#ifndef OPENSSL_NO_EC
    case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
        if (p1 == -2) {
            if (dctx->cofactor_mode != -1)
                return dctx->cofactor_mode;
            else {
                EC_KEY *ec_key = ctx->pkey->pkey.ec;
                return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
            }
        } else if (p1 < -1 || p1 > 1)
            return -2;
        dctx->cofactor_mode = p1;
        if (p1 != -1) {
            EC_KEY *ec_key = ctx->pkey->pkey.ec;
            if (!ec_key->group)
                return -2;
            /* If cofactor is 1 cofactor mode does nothing */
            if (BN_is_one(ec_key->group->cofactor))
                return 1;
            if (!dctx->co_key) {
                dctx->co_key = EC_KEY_dup(ec_key);
                if (!dctx->co_key)
                    return 0;
            }
            if (p1)
                EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
            else
                EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
        } else {
            EC_KEY_free(dctx->co_key);
            dctx->co_key = NULL;
        }
        return 1;
#endif

    case EVP_PKEY_CTRL_EC_KDF_TYPE:
        if (p1 == -2)
            return dctx->kdf_type;
        if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
            return -2;
        dctx->kdf_type = p1;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_MD:
        dctx->kdf_md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_MD:
        *(const EVP_MD **)p2 = dctx->kdf_md;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
        if (p1 <= 0)
            return -2;
        dctx->kdf_outlen = (size_t)p1;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
        *(int *)p2 = dctx->kdf_outlen;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_UKM:
        OPENSSL_free(dctx->kdf_ukm);
        dctx->kdf_ukm = p2;
        if (p2)
            dctx->kdf_ukmlen = p1;
        else
            dctx->kdf_ukmlen = 0;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
        *(unsigned char **)p2 = dctx->kdf_ukm;
        return dctx->kdf_ukmlen;

    case EVP_PKEY_CTRL_MD:
        if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha512 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha3_224 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha3_256 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha3_384 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha3_512 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sm3) {
            ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
            return 0;
        }
        dctx->md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_MD:
        *(const EVP_MD **)p2 = dctx->md;
        return 1;

    case EVP_PKEY_CTRL_PEER_KEY:
        /* Default behaviour is OK */
    case EVP_PKEY_CTRL_DIGESTINIT:
    case EVP_PKEY_CTRL_PKCS7_SIGN:
    case EVP_PKEY_CTRL_CMS_SIGN:
        return 1;

    default:
        return -2;

    }
}

static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
                            const char *type, const char *value)
{
    if (strcmp(type, "ec_paramgen_curve") == 0) {
        int nid;
        nid = EC_curve_nist2nid(value);
        if (nid == NID_undef)
            nid = OBJ_sn2nid(value);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(value);
        if (nid == NID_undef) {
            ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
            return 0;
        }
        return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
    } else if (strcmp(type, "ec_param_enc") == 0) {
        int param_enc;
        if (strcmp(value, "explicit") == 0)
            param_enc = 0;
        else if (strcmp(value, "named_curve") == 0)
            param_enc = OPENSSL_EC_NAMED_CURVE;
        else
            return -2;
        return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
    } else if (strcmp(type, "ecdh_kdf_md") == 0) {
        const EVP_MD *md;
        if ((md = EVP_get_digestbyname(value)) == NULL) {
            ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
            return 0;
        }
        return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
    } else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
        int co_mode;
        co_mode = atoi(value);
        return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
    }

    return -2;
}

static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    EC_KEY *ec = NULL;
    EC_PKEY_CTX *dctx = ctx->data;
    int ret;

    if (dctx->gen_group == NULL) {
        ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET);
        return 0;
    }
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    if (!(ret = EC_KEY_set_group(ec, dctx->gen_group))
        || !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
        EC_KEY_free(ec);
    return ret;
}

static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    EC_KEY *ec = NULL;
    EC_PKEY_CTX *dctx = ctx->data;
    int ret;

    if (ctx->pkey == NULL && dctx->gen_group == NULL) {
        ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET);
        return 0;
    }
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
        EC_KEY_free(ec);
        return 0;
    }
    /* Note: if error is returned, we count on caller to free pkey->pkey.ec */
    if (ctx->pkey != NULL)
        ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey);
    else
        ret = EC_KEY_set_group(ec, dctx->gen_group);

    return ret ? EC_KEY_generate_key(ec) : 0;
}

static const EVP_PKEY_METHOD ec_pkey_meth = {
    EVP_PKEY_EC,
    0,
    pkey_ec_init,
    pkey_ec_copy,
    pkey_ec_cleanup,

    0,
    pkey_ec_paramgen,

    0,
    pkey_ec_keygen,

    0,
    pkey_ec_sign,

    0,
    pkey_ec_verify,

    0, 0,

    0, 0, 0, 0,

    0,
    0,

    0,
    0,

    0,
#ifndef OPENSSL_NO_EC
    pkey_ec_kdf_derive,
#else
    0,
#endif
    pkey_ec_ctrl,
    pkey_ec_ctrl_str
};

const EVP_PKEY_METHOD *ec_pkey_method(void)
{
    return &ec_pkey_meth;
}
Commit	Line	Data
0f113f3e	1	/*
b0edda11	2	* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
9ca7047d	3	*
a7f182b7	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
aa6bb135 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
9ca7047d DSH	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
9ca7047d DSH	12	#include <openssl/asn1t.h>
	13	#include <openssl/x509.h>
	14	#include <openssl/ec.h>
706457b7	15	#include "ec_local.h"
9ca7047d	16	#include <openssl/evp.h>
25f2138b	17	#include "crypto/evp.h"
9ca7047d DSH	18
	19	/* EC pkey context structure */
	20
0f113f3e MC	21	typedef struct {
	22	/* Key and paramgen group */
	23	EC_GROUP *gen_group;
	24	/* message digest */
	25	const EVP_MD *md;
	26	/* Duplicate key if custom cofactor needed */
	27	EC_KEY *co_key;
	28	/* Cofactor mode */
	29	signed char cofactor_mode;
	30	/* KDF (if any) to use for ECDH */
	31	char kdf_type;
	32	/* Message digest to use for key derivation */
	33	const EVP_MD *kdf_md;
	34	/* User key material */
	35	unsigned char *kdf_ukm;
	36	size_t kdf_ukmlen;
	37	/* KDF output length */
	38	size_t kdf_outlen;
	39	} EC_PKEY_CTX;
9ca7047d DSH	40
9ca7047d DSH	41	static int pkey_ec_init(EVP_PKEY_CTX *ctx)
0f113f3e MC	42	{
0f113f3e MC	43	EC_PKEY_CTX *dctx;
b4faea50	44
cdb10bae RS	45	if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
cdb10bae RS	46	ECerr(EC_F_PKEY_EC_INIT, ERR_R_MALLOC_FAILURE);
0f113f3e	47	return 0;
cdb10bae	48	}
0f113f3e MC	49
0f113f3e MC	50	dctx->cofactor_mode = -1;
0f113f3e	51	dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
0f113f3e	52	ctx->data = dctx;
0f113f3e MC	53	return 1;
0f113f3e MC	54	}
9ca7047d	55
9fdcc21f	56	static int pkey_ec_copy(EVP_PKEY_CTX dst, const EVP_PKEY_CTX src)
0f113f3e MC	57	{
	58	EC_PKEY_CTX dctx, sctx;
	59	if (!pkey_ec_init(dst))
	60	return 0;
	61	sctx = src->data;
	62	dctx = dst->data;
	63	if (sctx->gen_group) {
	64	dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
	65	if (!dctx->gen_group)
	66	return 0;
	67	}
	68	dctx->md = sctx->md;
	69
	70	if (sctx->co_key) {
	71	dctx->co_key = EC_KEY_dup(sctx->co_key);
	72	if (!dctx->co_key)
	73	return 0;
	74	}
	75	dctx->kdf_type = sctx->kdf_type;
	76	dctx->kdf_md = sctx->kdf_md;
	77	dctx->kdf_outlen = sctx->kdf_outlen;
	78	if (sctx->kdf_ukm) {
7644a9ae	79	dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
0f113f3e MC	80	if (!dctx->kdf_ukm)
	81	return 0;
	82	} else
	83	dctx->kdf_ukm = NULL;
	84	dctx->kdf_ukmlen = sctx->kdf_ukmlen;
	85	return 1;
	86	}
8bdcef40	87
9ca7047d	88	static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
0f113f3e MC	89	{
0f113f3e MC	90	EC_PKEY_CTX *dctx = ctx->data;
95a37057	91	if (dctx != NULL) {
8fdc3734 RS	92	EC_GROUP_free(dctx->gen_group);
8fdc3734 RS	93	EC_KEY_free(dctx->co_key);
b548a1f1	94	OPENSSL_free(dctx->kdf_ukm);
0f113f3e	95	OPENSSL_free(dctx);
95a37057	96	ctx->data = NULL;
0f113f3e MC	97	}
0f113f3e MC	98	}
9ca7047d	99
eaff5a14	100	static int pkey_ec_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
0f113f3e MC	101	const unsigned char *tbs, size_t tbslen)
	102	{
	103	int ret, type;
	104	unsigned int sltmp;
	105	EC_PKEY_CTX *dctx = ctx->data;
	106	EC_KEY *ec = ctx->pkey->pkey.ec;
95a37057	107	const int sig_sz = ECDSA_size(ec);
0f113f3e	108
95a37057 AP	109	/* ensure cast to size_t is safe */
	110	if (!ossl_assert(sig_sz > 0))
	111	return 0;
	112
	113	if (sig == NULL) {
	114	*siglen = (size_t)sig_sz;
0f113f3e	115	return 1;
95a37057 AP	116	}
	117
	118	if (*siglen < (size_t)sig_sz) {
0f113f3e MC	119	ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL);
	120	return 0;
	121	}
	122
95a37057	123	type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1;
0f113f3e	124
ddb634fe	125	ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);
0f113f3e MC	126
	127	if (ret <= 0)
	128	return ret;
	129	*siglen = (size_t)sltmp;
	130	return 1;
	131	}
9ca7047d DSH	132
9ca7047d DSH	133	static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
0f113f3e MC	134	const unsigned char *sig, size_t siglen,
	135	const unsigned char *tbs, size_t tbslen)
	136	{
	137	int ret, type;
	138	EC_PKEY_CTX *dctx = ctx->data;
	139	EC_KEY *ec = ctx->pkey->pkey.ec;
9ca7047d	140
0f113f3e MC	141	if (dctx->md)
	142	type = EVP_MD_type(dctx->md);
	143	else
	144	type = NID_sha1;
9ca7047d	145
ddb634fe	146	ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec);
9ca7047d	147
0f113f3e MC	148	return ret;
0f113f3e MC	149	}
9ca7047d	150
10bf4fc2	151	#ifndef OPENSSL_NO_EC
dceb99a5	152	static int pkey_ec_derive(EVP_PKEY_CTX ctx, unsigned char key, size_t *keylen)
0f113f3e MC	153	{
	154	int ret;
	155	size_t outlen;
	156	const EC_POINT *pubkey = NULL;
	157	EC_KEY *eckey;
	158	EC_PKEY_CTX *dctx = ctx->data;
	159	if (!ctx->pkey \|\| !ctx->peerkey) {
	160	ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
	161	return 0;
	162	}
	163
	164	eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;
	165
	166	if (!key) {
	167	const EC_GROUP *group;
	168	group = EC_KEY_get0_group(eckey);
	169	*keylen = (EC_GROUP_get_degree(group) + 7) / 8;
	170	return 1;
	171	}
	172	pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
	173
	174	/*
	175	* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
	176	* an error, the result is truncated.
	177	*/
	178
	179	outlen = *keylen;
	180
	181	ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
	182	if (ret <= 0)
	183	return 0;
	184	*keylen = ret;
	185	return 1;
	186	}
9ca7047d	187
25af7a5d	188	static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
0f113f3e MC	189	unsigned char key, size_t keylen)
	190	{
	191	EC_PKEY_CTX *dctx = ctx->data;
	192	unsigned char *ktmp = NULL;
	193	size_t ktmplen;
	194	int rv = 0;
	195	if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
	196	return pkey_ec_derive(ctx, key, keylen);
	197	if (!key) {
	198	*keylen = dctx->kdf_outlen;
	199	return 1;
	200	}
	201	if (*keylen != dctx->kdf_outlen)
	202	return 0;
	203	if (!pkey_ec_derive(ctx, NULL, &ktmplen))
	204	return 0;
cdb10bae RS	205	if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL) {
cdb10bae RS	206	ECerr(EC_F_PKEY_EC_KDF_DERIVE, ERR_R_MALLOC_FAILURE);
0f113f3e	207	return 0;
cdb10bae	208	}
0f113f3e MC	209	if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
	210	goto err;
	211	/* Do KDF stuff */
ffd89124	212	if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
0f113f3e MC	213	dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
	214	goto err;
	215	rv = 1;
	216
	217	err:
4b45c6e5	218	OPENSSL_clear_free(ktmp, ktmplen);
0f113f3e MC	219	return rv;
0f113f3e MC	220	}
af6e2d51	221	#endif
25af7a5d	222
9ca7047d	223	static int pkey_ec_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
0f113f3e MC	224	{
	225	EC_PKEY_CTX *dctx = ctx->data;
	226	EC_GROUP *group;
	227	switch (type) {
	228	case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
	229	group = EC_GROUP_new_by_curve_name(p1);
	230	if (group == NULL) {
	231	ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
	232	return 0;
	233	}
8fdc3734	234	EC_GROUP_free(dctx->gen_group);
0f113f3e MC	235	dctx->gen_group = group;
	236	return 1;
	237
	238	case EVP_PKEY_CTRL_EC_PARAM_ENC:
	239	if (!dctx->gen_group) {
	240	ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET);
	241	return 0;
	242	}
	243	EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
	244	return 1;
24edfa9d	245
10bf4fc2	246	#ifndef OPENSSL_NO_EC
0f113f3e MC	247	case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
	248	if (p1 == -2) {
	249	if (dctx->cofactor_mode != -1)
	250	return dctx->cofactor_mode;
	251	else {
	252	EC_KEY *ec_key = ctx->pkey->pkey.ec;
dceb99a5	253	return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
0f113f3e MC	254	}
	255	} else if (p1 < -1 \|\| p1 > 1)
	256	return -2;
	257	dctx->cofactor_mode = p1;
	258	if (p1 != -1) {
	259	EC_KEY *ec_key = ctx->pkey->pkey.ec;
	260	if (!ec_key->group)
	261	return -2;
	262	/* If cofactor is 1 cofactor mode does nothing */
	263	if (BN_is_one(ec_key->group->cofactor))
	264	return 1;
	265	if (!dctx->co_key) {
	266	dctx->co_key = EC_KEY_dup(ec_key);
	267	if (!dctx->co_key)
	268	return 0;
	269	}
	270	if (p1)
	271	EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
	272	else
	273	EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
8fdc3734	274	} else {
0f113f3e MC	275	EC_KEY_free(dctx->co_key);
	276	dctx->co_key = NULL;
	277	}
	278	return 1;
af6e2d51	279	#endif
25af7a5d	280
0f113f3e MC	281	case EVP_PKEY_CTRL_EC_KDF_TYPE:
	282	if (p1 == -2)
	283	return dctx->kdf_type;
ffd89124	284	if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
0f113f3e MC	285	return -2;
	286	dctx->kdf_type = p1;
	287	return 1;
	288
	289	case EVP_PKEY_CTRL_EC_KDF_MD:
	290	dctx->kdf_md = p2;
	291	return 1;
	292
	293	case EVP_PKEY_CTRL_GET_EC_KDF_MD:
	294	(const EVP_MD *)p2 = dctx->kdf_md;
	295	return 1;
	296
	297	case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
	298	if (p1 <= 0)
	299	return -2;
	300	dctx->kdf_outlen = (size_t)p1;
	301	return 1;
	302
	303	case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
	304	(int )p2 = dctx->kdf_outlen;
	305	return 1;
	306
	307	case EVP_PKEY_CTRL_EC_KDF_UKM:
b548a1f1	308	OPENSSL_free(dctx->kdf_ukm);
0f113f3e MC	309	dctx->kdf_ukm = p2;
	310	if (p2)
	311	dctx->kdf_ukmlen = p1;
	312	else
	313	dctx->kdf_ukmlen = 0;
	314	return 1;
	315
	316	case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
	317	(unsigned char *)p2 = dctx->kdf_ukm;
	318	return dctx->kdf_ukmlen;
	319
	320	case EVP_PKEY_CTRL_MD:
	321	if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
	322	EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
	323	EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
	324	EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
	325	EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
e8d0678d PS	326	EVP_MD_type((const EVP_MD *)p2) != NID_sha512 &&
	327	EVP_MD_type((const EVP_MD *)p2) != NID_sha3_224 &&
	328	EVP_MD_type((const EVP_MD *)p2) != NID_sha3_256 &&
	329	EVP_MD_type((const EVP_MD *)p2) != NID_sha3_384 &&
bc42bd62 PY	330	EVP_MD_type((const EVP_MD *)p2) != NID_sha3_512 &&
bc42bd62 PY	331	EVP_MD_type((const EVP_MD *)p2) != NID_sm3) {
0f113f3e MC	332	ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
	333	return 0;
	334	}
	335	dctx->md = p2;
	336	return 1;
	337
	338	case EVP_PKEY_CTRL_GET_MD:
	339	(const EVP_MD *)p2 = dctx->md;
	340	return 1;
	341
	342	case EVP_PKEY_CTRL_PEER_KEY:
	343	/* Default behaviour is OK */
	344	case EVP_PKEY_CTRL_DIGESTINIT:
	345	case EVP_PKEY_CTRL_PKCS7_SIGN:
	346	case EVP_PKEY_CTRL_CMS_SIGN:
	347	return 1;
	348
	349	default:
	350	return -2;
	351
	352	}
	353	}
	354
9ca7047d	355	static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
0f113f3e MC	356	const char type, const char value)
0f113f3e MC	357	{
86885c28	358	if (strcmp(type, "ec_paramgen_curve") == 0) {
0f113f3e MC	359	int nid;
	360	nid = EC_curve_nist2nid(value);
	361	if (nid == NID_undef)
	362	nid = OBJ_sn2nid(value);
	363	if (nid == NID_undef)
	364	nid = OBJ_ln2nid(value);
	365	if (nid == NID_undef) {
	366	ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
	367	return 0;
	368	}
	369	return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
86885c28	370	} else if (strcmp(type, "ec_param_enc") == 0) {
0f113f3e	371	int param_enc;
86885c28	372	if (strcmp(value, "explicit") == 0)
0f113f3e	373	param_enc = 0;
86885c28	374	else if (strcmp(value, "named_curve") == 0)
0f113f3e MC	375	param_enc = OPENSSL_EC_NAMED_CURVE;
	376	else
	377	return -2;
	378	return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
86885c28	379	} else if (strcmp(type, "ecdh_kdf_md") == 0) {
0f113f3e	380	const EVP_MD *md;
75ebbd9a	381	if ((md = EVP_get_digestbyname(value)) == NULL) {
0f113f3e MC	382	ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
	383	return 0;
	384	}
	385	return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
86885c28	386	} else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
0f113f3e MC	387	int co_mode;
	388	co_mode = atoi(value);
	389	return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
	390	}
	391
	392	return -2;
	393	}
9ca7047d DSH	394
9ca7047d DSH	395	static int pkey_ec_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
0f113f3e MC	396	{
	397	EC_KEY *ec = NULL;
	398	EC_PKEY_CTX *dctx = ctx->data;
95a37057 AP	399	int ret;
95a37057 AP	400
0f113f3e MC	401	if (dctx->gen_group == NULL) {
	402	ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET);
	403	return 0;
	404	}
	405	ec = EC_KEY_new();
90945fa3	406	if (ec == NULL)
0f113f3e	407	return 0;
95a37057 AP	408	if (!(ret = EC_KEY_set_group(ec, dctx->gen_group))
95a37057 AP	409	\|\| !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
0f113f3e MC	410	EC_KEY_free(ec);
	411	return ret;
	412	}
9ca7047d DSH	413
9ca7047d DSH	414	static int pkey_ec_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
0f113f3e MC	415	{
	416	EC_KEY *ec = NULL;
	417	EC_PKEY_CTX *dctx = ctx->data;
95a37057 AP	418	int ret;
95a37057 AP	419
0f113f3e MC	420	if (ctx->pkey == NULL && dctx->gen_group == NULL) {
	421	ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET);
	422	return 0;
	423	}
	424	ec = EC_KEY_new();
95a37057 AP	425	if (ec == NULL)
	426	return 0;
	427	if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
	428	EC_KEY_free(ec);
0f113f3e	429	return 0;
0f113f3e	430	}
95a37057 AP	431	/* Note: if error is returned, we count on caller to free pkey->pkey.ec */
	432	if (ctx->pkey != NULL)
	433	ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey);
	434	else
	435	ret = EC_KEY_set_group(ec, dctx->gen_group);
	436
	437	return ret ? EC_KEY_generate_key(ec) : 0;
0f113f3e MC	438	}
0f113f3e MC	439
19bd1fa1	440	static const EVP_PKEY_METHOD ec_pkey_meth = {
0f113f3e	441	EVP_PKEY_EC,
4e664750	442	0,
0f113f3e MC	443	pkey_ec_init,
	444	pkey_ec_copy,
	445	pkey_ec_cleanup,
	446
	447	0,
	448	pkey_ec_paramgen,
	449
	450	0,
	451	pkey_ec_keygen,
	452
	453	0,
	454	pkey_ec_sign,
	455
	456	0,
	457	pkey_ec_verify,
	458
	459	0, 0,
	460
	461	0, 0, 0, 0,
	462
dceb99a5	463	0,
ddb634fe	464	0,
0f113f3e	465
dceb99a5	466	0,
ddb634fe	467	0,
0f113f3e MC	468
0f113f3e MC	469	0,
10bf4fc2	470	#ifndef OPENSSL_NO_EC
0f113f3e	471	pkey_ec_kdf_derive,
af6e2d51	472	#else
0f113f3e	473	0,
af6e2d51	474	#endif
0f113f3e MC	475	pkey_ec_ctrl,
	476	pkey_ec_ctrl_str
	477	};
19bd1fa1 PS	478
	479	const EVP_PKEY_METHOD *ec_pkey_method(void)
	480	{
	481	return &ec_pkey_meth;
	482	}