]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/implementations/exchange/ecdh_exch.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Replaced '{ 0, NULL }' with OSSL_DISPATCH_END in OSSL_DISPATCH arrays
[thirdparty/openssl.git] / providers / implementations / exchange / ecdh_exch.c
1 /*
2 * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * ECDH low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <string.h>
17 #include <openssl/crypto.h>
18 #include <openssl/evp.h>
19 #include <openssl/core_dispatch.h>
20 #include <openssl/core_names.h>
21 #include <openssl/ec.h>
22 #include <openssl/params.h>
23 #include <openssl/err.h>
24 #include <openssl/proverr.h>
25 #include "prov/provider_ctx.h"
26 #include "prov/providercommon.h"
27 #include "prov/implementations.h"
28 #include "prov/securitycheck.h"
29 #include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */
30
31 static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
32 static OSSL_FUNC_keyexch_init_fn ecdh_init;
33 static OSSL_FUNC_keyexch_set_peer_fn ecdh_set_peer;
34 static OSSL_FUNC_keyexch_derive_fn ecdh_derive;
35 static OSSL_FUNC_keyexch_freectx_fn ecdh_freectx;
36 static OSSL_FUNC_keyexch_dupctx_fn ecdh_dupctx;
37 static OSSL_FUNC_keyexch_set_ctx_params_fn ecdh_set_ctx_params;
38 static OSSL_FUNC_keyexch_settable_ctx_params_fn ecdh_settable_ctx_params;
39 static OSSL_FUNC_keyexch_get_ctx_params_fn ecdh_get_ctx_params;
40 static OSSL_FUNC_keyexch_gettable_ctx_params_fn ecdh_gettable_ctx_params;
41
42 enum kdf_type {
43 PROV_ECDH_KDF_NONE = 0,
44 PROV_ECDH_KDF_X9_63
45 };
46
47 /*
48 * What's passed as an actual key is defined by the KEYMGMT interface.
49 * We happen to know that our KEYMGMT simply passes EC_KEY structures, so
50 * we use that here too.
51 */
52
53 typedef struct {
54 OSSL_LIB_CTX *libctx;
55
56 EC_KEY *k;
57 EC_KEY *peerk;
58
59 /*
60 * ECDH cofactor mode:
61 *
62 * . 0 disabled
63 * . 1 enabled
64 * . -1 use cofactor mode set for k
65 */
66 int cofactor_mode;
67
68 /************
69 * ECDH KDF *
70 ************/
71 /* KDF (if any) to use for ECDH */
72 enum kdf_type kdf_type;
73 /* Message digest to use for key derivation */
74 EVP_MD *kdf_md;
75 /* User key material */
76 unsigned char *kdf_ukm;
77 size_t kdf_ukmlen;
78 /* KDF output length */
79 size_t kdf_outlen;
80 } PROV_ECDH_CTX;
81
82 static
83 void *ecdh_newctx(void *provctx)
84 {
85 PROV_ECDH_CTX *pectx;
86
87 if (!ossl_prov_is_running())
88 return NULL;
89
90 pectx = OPENSSL_zalloc(sizeof(*pectx));
91 if (pectx == NULL)
92 return NULL;
93
94 pectx->libctx = PROV_LIBCTX_OF(provctx);
95 pectx->cofactor_mode = -1;
96 pectx->kdf_type = PROV_ECDH_KDF_NONE;
97
98 return (void *)pectx;
99 }
100
101 static
102 int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[])
103 {
104 PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
105
106 if (!ossl_prov_is_running()
107 || pecdhctx == NULL
108 || vecdh == NULL
109 || !EC_KEY_up_ref(vecdh))
110 return 0;
111 EC_KEY_free(pecdhctx->k);
112 pecdhctx->k = vecdh;
113 pecdhctx->cofactor_mode = -1;
114 pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
115 return ecdh_set_ctx_params(pecdhctx, params)
116 && ossl_ec_check_key(pecdhctx->libctx, vecdh, 1);
117 }
118
119 static
120 int ecdh_match_params(const EC_KEY *priv, const EC_KEY *peer)
121 {
122 int ret;
123 BN_CTX *ctx = NULL;
124 const EC_GROUP *group_priv = EC_KEY_get0_group(priv);
125 const EC_GROUP *group_peer = EC_KEY_get0_group(peer);
126
127 ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(priv));
128 if (ctx == NULL) {
129 ERR_raise(ERR_LIB_PROV, ERR_R_BN_LIB);
130 return 0;
131 }
132 ret = group_priv != NULL
133 && group_peer != NULL
134 && EC_GROUP_cmp(group_priv, group_peer, ctx) == 0;
135 if (!ret)
136 ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
137 BN_CTX_free(ctx);
138 return ret;
139 }
140
141 static
142 int ecdh_set_peer(void *vpecdhctx, void *vecdh)
143 {
144 PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
145
146 if (!ossl_prov_is_running()
147 || pecdhctx == NULL
148 || vecdh == NULL
149 || !ecdh_match_params(pecdhctx->k, vecdh)
150 || !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1)
151 || !EC_KEY_up_ref(vecdh))
152 return 0;
153
154 EC_KEY_free(pecdhctx->peerk);
155 pecdhctx->peerk = vecdh;
156 return 1;
157 }
158
159 static
160 void ecdh_freectx(void *vpecdhctx)
161 {
162 PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
163
164 EC_KEY_free(pecdhctx->k);
165 EC_KEY_free(pecdhctx->peerk);
166
167 EVP_MD_free(pecdhctx->kdf_md);
168 OPENSSL_clear_free(pecdhctx->kdf_ukm, pecdhctx->kdf_ukmlen);
169
170 OPENSSL_free(pecdhctx);
171 }
172
173 static
174 void *ecdh_dupctx(void *vpecdhctx)
175 {
176 PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx;
177 PROV_ECDH_CTX *dstctx;
178
179 if (!ossl_prov_is_running())
180 return NULL;
181
182 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
183 if (dstctx == NULL)
184 return NULL;
185
186 *dstctx = *srcctx;
187
188 /* clear all pointers */
189
190 dstctx->k= NULL;
191 dstctx->peerk = NULL;
192 dstctx->kdf_md = NULL;
193 dstctx->kdf_ukm = NULL;
194
195 /* up-ref all ref-counted objects referenced in dstctx */
196
197 if (srcctx->k != NULL && !EC_KEY_up_ref(srcctx->k))
198 goto err;
199 else
200 dstctx->k = srcctx->k;
201
202 if (srcctx->peerk != NULL && !EC_KEY_up_ref(srcctx->peerk))
203 goto err;
204 else
205 dstctx->peerk = srcctx->peerk;
206
207 if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
208 goto err;
209 else
210 dstctx->kdf_md = srcctx->kdf_md;
211
212 /* Duplicate UKM data if present */
213 if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
214 dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
215 srcctx->kdf_ukmlen);
216 if (dstctx->kdf_ukm == NULL)
217 goto err;
218 }
219
220 return dstctx;
221
222 err:
223 ecdh_freectx(dstctx);
224 return NULL;
225 }
226
227 static
228 int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
229 {
230 char name[80] = { '\0' }; /* should be big enough */
231 char *str = NULL;
232 PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
233 const OSSL_PARAM *p;
234
235 if (pectx == NULL)
236 return 0;
237 if (params == NULL)
238 return 1;
239
240 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
241 if (p != NULL) {
242 int mode;
243
244 if (!OSSL_PARAM_get_int(p, &mode))
245 return 0;
246
247 if (mode < -1 || mode > 1)
248 return 0;
249
250 pectx->cofactor_mode = mode;
251 }
252
253 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
254 if (p != NULL) {
255 str = name;
256 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
257 return 0;
258
259 if (name[0] == '\0')
260 pectx->kdf_type = PROV_ECDH_KDF_NONE;
261 else if (strcmp(name, OSSL_KDF_NAME_X963KDF) == 0)
262 pectx->kdf_type = PROV_ECDH_KDF_X9_63;
263 else
264 return 0;
265 }
266
267 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
268 if (p != NULL) {
269 char mdprops[80] = { '\0' }; /* should be big enough */
270
271 str = name;
272 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
273 return 0;
274
275 str = mdprops;
276 p = OSSL_PARAM_locate_const(params,
277 OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);
278
279 if (p != NULL) {
280 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
281 return 0;
282 }
283
284 EVP_MD_free(pectx->kdf_md);
285 pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
286 if (pectx->kdf_md == NULL)
287 return 0;
288 if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) {
289 EVP_MD_free(pectx->kdf_md);
290 pectx->kdf_md = NULL;
291 return 0;
292 }
293 }
294
295 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
296 if (p != NULL) {
297 size_t outlen;
298
299 if (!OSSL_PARAM_get_size_t(p, &outlen))
300 return 0;
301 pectx->kdf_outlen = outlen;
302 }
303
304 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
305 if (p != NULL) {
306 void *tmp_ukm = NULL;
307 size_t tmp_ukmlen;
308
309 if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
310 return 0;
311 OPENSSL_free(pectx->kdf_ukm);
312 pectx->kdf_ukm = tmp_ukm;
313 pectx->kdf_ukmlen = tmp_ukmlen;
314 }
315
316 return 1;
317 }
318
319 static const OSSL_PARAM known_settable_ctx_params[] = {
320 OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
321 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
322 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
323 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
324 OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
325 OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
326 OSSL_PARAM_END
327 };
328
329 static
330 const OSSL_PARAM *ecdh_settable_ctx_params(ossl_unused void *vpecdhctx,
331 ossl_unused void *provctx)
332 {
333 return known_settable_ctx_params;
334 }
335
336 static
337 int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[])
338 {
339 PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
340 OSSL_PARAM *p;
341
342 if (pectx == NULL)
343 return 0;
344
345 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
346 if (p != NULL) {
347 int mode = pectx->cofactor_mode;
348
349 if (mode == -1) {
350 /* check what is the default for pecdhctx->k */
351 mode = EC_KEY_get_flags(pectx->k) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
352 }
353
354 if (!OSSL_PARAM_set_int(p, mode))
355 return 0;
356 }
357
358 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
359 if (p != NULL) {
360 const char *kdf_type = NULL;
361
362 switch (pectx->kdf_type) {
363 case PROV_ECDH_KDF_NONE:
364 kdf_type = "";
365 break;
366 case PROV_ECDH_KDF_X9_63:
367 kdf_type = OSSL_KDF_NAME_X963KDF;
368 break;
369 default:
370 return 0;
371 }
372
373 if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
374 return 0;
375 }
376
377 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
378 if (p != NULL
379 && !OSSL_PARAM_set_utf8_string(p, pectx->kdf_md == NULL
380 ? ""
381 : EVP_MD_get0_name(pectx->kdf_md))) {
382 return 0;
383 }
384
385 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
386 if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_outlen))
387 return 0;
388
389 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
390 if (p != NULL &&
391 !OSSL_PARAM_set_octet_ptr(p, pectx->kdf_ukm, pectx->kdf_ukmlen))
392 return 0;
393
394 return 1;
395 }
396
397 static const OSSL_PARAM known_gettable_ctx_params[] = {
398 OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
399 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
400 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
401 OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
402 OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
403 NULL, 0),
404 OSSL_PARAM_END
405 };
406
407 static
408 const OSSL_PARAM *ecdh_gettable_ctx_params(ossl_unused void *vpecdhctx,
409 ossl_unused void *provctx)
410 {
411 return known_gettable_ctx_params;
412 }
413
414 static ossl_inline
415 size_t ecdh_size(const EC_KEY *k)
416 {
417 size_t degree = 0;
418 const EC_GROUP *group;
419
420 if (k == NULL
421 || (group = EC_KEY_get0_group(k)) == NULL)
422 return 0;
423
424 degree = EC_GROUP_get_degree(group);
425
426 return (degree + 7) / 8;
427 }
428
429 static ossl_inline
430 int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
431 size_t *psecretlen, size_t outlen)
432 {
433 PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
434 int retlen, ret = 0;
435 size_t ecdhsize, size;
436 const EC_POINT *ppubkey = NULL;
437 EC_KEY *privk = NULL;
438 const EC_GROUP *group;
439 const BIGNUM *cofactor;
440 int key_cofactor_mode;
441
442 if (pecdhctx->k == NULL || pecdhctx->peerk == NULL) {
443 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
444 return 0;
445 }
446
447 ecdhsize = ecdh_size(pecdhctx->k);
448 if (secret == NULL) {
449 *psecretlen = ecdhsize;
450 return 1;
451 }
452
453 if ((group = EC_KEY_get0_group(pecdhctx->k)) == NULL
454 || (cofactor = EC_GROUP_get0_cofactor(group)) == NULL)
455 return 0;
456
457 /*
458 * NB: unlike PKCS#3 DH, if outlen is less than maximum size this is not
459 * an error, the result is truncated.
460 */
461 size = outlen < ecdhsize ? outlen : ecdhsize;
462
463 /*
464 * The ctx->cofactor_mode flag has precedence over the
465 * cofactor_mode flag set on ctx->k.
466 *
467 * - if ctx->cofactor_mode == -1, use ctx->k directly
468 * - if ctx->cofactor_mode == key_cofactor_mode, use ctx->k directly
469 * - if ctx->cofactor_mode != key_cofactor_mode:
470 * - if ctx->k->cofactor == 1, the cofactor_mode flag is irrelevant, use
471 * ctx->k directly
472 * - if ctx->k->cofactor != 1, use a duplicate of ctx->k with the flag
473 * set to ctx->cofactor_mode
474 */
475 key_cofactor_mode =
476 (EC_KEY_get_flags(pecdhctx->k) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
477 if (pecdhctx->cofactor_mode != -1
478 && pecdhctx->cofactor_mode != key_cofactor_mode
479 && !BN_is_one(cofactor)) {
480 if ((privk = EC_KEY_dup(pecdhctx->k)) == NULL)
481 return 0;
482
483 if (pecdhctx->cofactor_mode == 1)
484 EC_KEY_set_flags(privk, EC_FLAG_COFACTOR_ECDH);
485 else
486 EC_KEY_clear_flags(privk, EC_FLAG_COFACTOR_ECDH);
487 } else {
488 privk = pecdhctx->k;
489 }
490
491 ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
492
493 retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
494
495 if (retlen <= 0)
496 goto end;
497
498 *psecretlen = retlen;
499 ret = 1;
500
501 end:
502 if (privk != pecdhctx->k)
503 EC_KEY_free(privk);
504 return ret;
505 }
506
507 static ossl_inline
508 int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret,
509 size_t *psecretlen, size_t outlen)
510 {
511 PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
512 unsigned char *stmp = NULL;
513 size_t stmplen;
514 int ret = 0;
515
516 if (secret == NULL) {
517 *psecretlen = pecdhctx->kdf_outlen;
518 return 1;
519 }
520
521 if (pecdhctx->kdf_outlen > outlen) {
522 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
523 return 0;
524 }
525 if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0))
526 return 0;
527 if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
528 return 0;
529 if (!ecdh_plain_derive(vpecdhctx, stmp, &stmplen, stmplen))
530 goto err;
531
532 /* Do KDF stuff */
533 if (!ossl_ecdh_kdf_X9_63(secret, pecdhctx->kdf_outlen,
534 stmp, stmplen,
535 pecdhctx->kdf_ukm,
536 pecdhctx->kdf_ukmlen,
537 pecdhctx->kdf_md,
538 pecdhctx->libctx, NULL))
539 goto err;
540 *psecretlen = pecdhctx->kdf_outlen;
541 ret = 1;
542
543 err:
544 OPENSSL_secure_clear_free(stmp, stmplen);
545 return ret;
546 }
547
548 static
549 int ecdh_derive(void *vpecdhctx, unsigned char *secret,
550 size_t *psecretlen, size_t outlen)
551 {
552 PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
553
554 switch (pecdhctx->kdf_type) {
555 case PROV_ECDH_KDF_NONE:
556 return ecdh_plain_derive(vpecdhctx, secret, psecretlen, outlen);
557 case PROV_ECDH_KDF_X9_63:
558 return ecdh_X9_63_kdf_derive(vpecdhctx, secret, psecretlen, outlen);
559 default:
560 break;
561 }
562 return 0;
563 }
564
565 const OSSL_DISPATCH ossl_ecdh_keyexch_functions[] = {
566 { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx },
567 { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init },
568 { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive },
569 { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))ecdh_set_peer },
570 { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))ecdh_freectx },
571 { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))ecdh_dupctx },
572 { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))ecdh_set_ctx_params },
573 { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
574 (void (*)(void))ecdh_settable_ctx_params },
575 { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))ecdh_get_ctx_params },
576 { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
577 (void (*)(void))ecdh_gettable_ctx_params },
578 OSSL_DISPATCH_END
579 };
A mirror of the official openssl repository