2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/x509.h>
13 #include <openssl/ec.h>
14 #include <openssl/rand.h>
15 #include "internal/asn1_int.h"
16 #include "internal/evp_int.h"
19 #define X25519_KEYLEN 32
20 #define X25519_BITS 253
21 #define X25519_SECURITY_BITS 128
24 unsigned char pubkey
[X25519_KEYLEN
];
25 unsigned char *privkey
;
34 /* Setup EVP_PKEY using public, private or generation */
35 static int ecx_key_op(EVP_PKEY
*pkey
, X509_ALGOR
*palg
,
36 const unsigned char *p
, int plen
, ecx_key_op_t op
)
40 if (op
!= X25519_KEYGEN
) {
44 /* Algorithm parameters must be absent */
45 X509_ALGOR_get0(NULL
, &ptype
, NULL
, palg
);
46 if (ptype
!= V_ASN1_UNDEF
) {
47 ECerr(EC_F_ECX_KEY_OP
, EC_R_INVALID_ENCODING
);
52 if (p
== NULL
|| plen
!= X25519_KEYLEN
) {
53 ECerr(EC_F_ECX_KEY_OP
, EC_R_INVALID_ENCODING
);
58 xkey
= OPENSSL_zalloc(sizeof(*xkey
));
60 ECerr(EC_F_ECX_KEY_OP
, ERR_R_MALLOC_FAILURE
);
64 if (op
== X25519_PUBLIC
) {
65 memcpy(xkey
->pubkey
, p
, plen
);
67 xkey
->privkey
= OPENSSL_secure_malloc(X25519_KEYLEN
);
68 if (xkey
->privkey
== NULL
) {
69 ECerr(EC_F_ECX_KEY_OP
, ERR_R_MALLOC_FAILURE
);
73 if (op
== X25519_KEYGEN
) {
74 if (RAND_bytes(xkey
->privkey
, X25519_KEYLEN
) <= 0) {
75 OPENSSL_secure_free(xkey
->privkey
);
79 xkey
->privkey
[0] &= 248;
80 xkey
->privkey
[31] &= 127;
81 xkey
->privkey
[31] |= 64;
83 memcpy(xkey
->privkey
, p
, X25519_KEYLEN
);
85 X25519_public_from_private(xkey
->pubkey
, xkey
->privkey
);
88 EVP_PKEY_assign(pkey
, NID_X25519
, xkey
);
92 static int ecx_pub_encode(X509_PUBKEY
*pk
, const EVP_PKEY
*pkey
)
94 const X25519_KEY
*xkey
= pkey
->pkey
.ptr
;
98 ECerr(EC_F_ECX_PUB_ENCODE
, EC_R_INVALID_KEY
);
102 penc
= OPENSSL_memdup(xkey
->pubkey
, X25519_KEYLEN
);
104 ECerr(EC_F_ECX_PUB_ENCODE
, ERR_R_MALLOC_FAILURE
);
108 if (!X509_PUBKEY_set0_param(pk
, OBJ_nid2obj(NID_X25519
), V_ASN1_UNDEF
,
109 NULL
, penc
, X25519_KEYLEN
)) {
111 ECerr(EC_F_ECX_PUB_ENCODE
, ERR_R_MALLOC_FAILURE
);
117 static int ecx_pub_decode(EVP_PKEY
*pkey
, X509_PUBKEY
*pubkey
)
119 const unsigned char *p
;
123 if (!X509_PUBKEY_get0_param(NULL
, &p
, &pklen
, &palg
, pubkey
))
125 return ecx_key_op(pkey
, palg
, p
, pklen
, X25519_PUBLIC
);
128 static int ecx_pub_cmp(const EVP_PKEY
*a
, const EVP_PKEY
*b
)
130 const X25519_KEY
*akey
= a
->pkey
.ptr
;
131 const X25519_KEY
*bkey
= b
->pkey
.ptr
;
133 if (akey
== NULL
|| bkey
== NULL
)
135 return !CRYPTO_memcmp(akey
->pubkey
, bkey
->pubkey
, X25519_KEYLEN
);
138 static int ecx_priv_decode(EVP_PKEY
*pkey
, PKCS8_PRIV_KEY_INFO
*p8
)
140 const unsigned char *p
;
142 ASN1_OCTET_STRING
*oct
= NULL
;
146 if (!PKCS8_pkey_get0(NULL
, &p
, &plen
, &palg
, p8
))
149 oct
= d2i_ASN1_OCTET_STRING(NULL
, &p
, plen
);
154 p
= ASN1_STRING_get0_data(oct
);
155 plen
= ASN1_STRING_length(oct
);
158 rv
= ecx_key_op(pkey
, palg
, p
, plen
, X25519_PRIVATE
);
159 ASN1_OCTET_STRING_free(oct
);
163 static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO
*p8
, const EVP_PKEY
*pkey
)
165 const X25519_KEY
*xkey
= pkey
->pkey
.ptr
;
166 ASN1_OCTET_STRING oct
;
167 unsigned char *penc
= NULL
;
170 if (xkey
== NULL
|| xkey
->privkey
== NULL
) {
171 ECerr(EC_F_ECX_PRIV_ENCODE
, EC_R_INVALID_PRIVATE_KEY
);
175 oct
.data
= xkey
->privkey
;
176 oct
.length
= X25519_KEYLEN
;
179 penclen
= i2d_ASN1_OCTET_STRING(&oct
, &penc
);
181 ECerr(EC_F_ECX_PRIV_ENCODE
, ERR_R_MALLOC_FAILURE
);
185 if (!PKCS8_pkey_set0(p8
, OBJ_nid2obj(NID_X25519
), 0,
186 V_ASN1_UNDEF
, NULL
, penc
, penclen
)) {
187 OPENSSL_clear_free(penc
, penclen
);
188 ECerr(EC_F_ECX_PRIV_ENCODE
, ERR_R_MALLOC_FAILURE
);
195 static int ecx_size(const EVP_PKEY
*pkey
)
197 return X25519_KEYLEN
;
200 static int ecx_bits(const EVP_PKEY
*pkey
)
205 static int ecx_security_bits(const EVP_PKEY
*pkey
)
207 return X25519_SECURITY_BITS
;
210 static void ecx_free(EVP_PKEY
*pkey
)
212 X25519_KEY
*xkey
= pkey
->pkey
.ptr
;
215 OPENSSL_secure_free(xkey
->privkey
);
219 /* "parameters" are always equal */
220 static int ecx_cmp_parameters(const EVP_PKEY
*a
, const EVP_PKEY
*b
)
225 static int ecx_key_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
226 ASN1_PCTX
*ctx
, ecx_key_op_t op
)
228 const X25519_KEY
*xkey
= pkey
->pkey
.ptr
;
230 if (op
== X25519_PRIVATE
) {
231 if (xkey
== NULL
|| xkey
->privkey
== NULL
) {
232 if (BIO_printf(bp
, "%*s<INVALID PRIVATE KEY>\n", indent
, "") <= 0)
236 if (BIO_printf(bp
, "%*sX25519 Private-Key:\n", indent
, "") <= 0)
238 if (BIO_printf(bp
, "%*spriv:\n", indent
, "") <= 0)
240 if (ASN1_buf_print(bp
, xkey
->privkey
, X25519_KEYLEN
, indent
+ 4) == 0)
244 if (BIO_printf(bp
, "%*s<INVALID PUBLIC KEY>\n", indent
, "") <= 0)
248 if (BIO_printf(bp
, "%*sX25519 Public-Key:\n", indent
, "") <= 0)
251 if (BIO_printf(bp
, "%*spub:\n", indent
, "") <= 0)
253 if (ASN1_buf_print(bp
, xkey
->pubkey
, X25519_KEYLEN
, indent
+ 4) == 0)
258 static int ecx_priv_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
261 return ecx_key_print(bp
, pkey
, indent
, ctx
, X25519_PRIVATE
);
264 static int ecx_pub_print(BIO
*bp
, const EVP_PKEY
*pkey
, int indent
,
267 return ecx_key_print(bp
, pkey
, indent
, ctx
, X25519_PUBLIC
);
270 static int ecx_ctrl(EVP_PKEY
*pkey
, int op
, long arg1
, void *arg2
)
274 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT
:
275 return ecx_key_op(pkey
, NULL
, arg2
, arg1
, X25519_PUBLIC
);
277 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT
:
278 if (pkey
->pkey
.ptr
!= NULL
) {
279 const X25519_KEY
*xkey
= pkey
->pkey
.ptr
;
280 unsigned char **ppt
= arg2
;
281 *ppt
= OPENSSL_memdup(xkey
->pubkey
, X25519_KEYLEN
);
283 return X25519_KEYLEN
;
287 case ASN1_PKEY_CTRL_DEFAULT_MD_NID
:
288 *(int *)arg2
= NID_sha256
;
297 const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth
= {
302 "OpenSSL X25519 algorithm",
327 static int pkey_ecx_keygen(EVP_PKEY_CTX
*ctx
, EVP_PKEY
*pkey
)
329 return ecx_key_op(pkey
, NULL
, NULL
, 0, X25519_KEYGEN
);
332 static int pkey_ecx_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
335 const X25519_KEY
*pkey
, *peerkey
;
337 if (ctx
->pkey
== NULL
|| ctx
->peerkey
== NULL
) {
338 ECerr(EC_F_PKEY_ECX_DERIVE
, EC_R_KEYS_NOT_SET
);
341 pkey
= ctx
->pkey
->pkey
.ptr
;
342 peerkey
= ctx
->peerkey
->pkey
.ptr
;
343 if (pkey
== NULL
|| pkey
->privkey
== NULL
) {
344 ECerr(EC_F_PKEY_ECX_DERIVE
, EC_R_INVALID_PRIVATE_KEY
);
347 if (peerkey
== NULL
) {
348 ECerr(EC_F_PKEY_ECX_DERIVE
, EC_R_INVALID_PEER_KEY
);
351 *keylen
= X25519_KEYLEN
;
352 if (key
!= NULL
&& X25519(key
, pkey
->privkey
, peerkey
->pubkey
) == 0)
357 static int pkey_ecx_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
359 /* Only need to handle peer key for derivation */
360 if (type
== EVP_PKEY_CTRL_PEER_KEY
)
365 const EVP_PKEY_METHOD ecx25519_pkey_meth
= {
369 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,