]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
33388b44 | 2 | * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. |
448be743 | 3 | * |
a7f182b7 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
aa6bb135 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
448be743 DSH |
8 | */ |
9 | ||
579422c8 P |
10 | /* |
11 | * ECDH and ECDSA low level APIs are deprecated for public use, but still ok | |
12 | * for internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
448be743 | 16 | #include <stdio.h> |
b39fc560 | 17 | #include "internal/cryptlib.h" |
448be743 DSH |
18 | #include <openssl/x509.h> |
19 | #include <openssl/ec.h> | |
1e26a8ba | 20 | #include <openssl/bn.h> |
3c27208f | 21 | #include <openssl/cms.h> |
88e20b85 | 22 | #include <openssl/asn1t.h> |
25f2138b DMSP |
23 | #include "crypto/asn1.h" |
24 | #include "crypto/evp.h" | |
4fe54d67 | 25 | #include <openssl/core_names.h> |
110bff61 | 26 | #include "openssl/param_build.h" |
706457b7 | 27 | #include "ec_local.h" |
448be743 | 28 | |
e968561d | 29 | #ifndef OPENSSL_NO_CMS |
88e20b85 DSH |
30 | static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); |
31 | static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); | |
e968561d | 32 | #endif |
88e20b85 | 33 | |
cd701de9 | 34 | static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key) |
0f113f3e MC |
35 | { |
36 | const EC_GROUP *group; | |
37 | int nid; | |
38 | if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) { | |
39 | ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS); | |
40 | return 0; | |
41 | } | |
42 | if (EC_GROUP_get_asn1_flag(group) | |
43 | && (nid = EC_GROUP_get_curve_name(group))) | |
44 | /* we have a 'named curve' => just set the OID */ | |
45 | { | |
46 | *ppval = OBJ_nid2obj(nid); | |
47 | *pptype = V_ASN1_OBJECT; | |
48 | } else { /* explicit parameters */ | |
49 | ||
50 | ASN1_STRING *pstr = NULL; | |
51 | pstr = ASN1_STRING_new(); | |
90945fa3 | 52 | if (pstr == NULL) |
0f113f3e MC |
53 | return 0; |
54 | pstr->length = i2d_ECParameters(ec_key, &pstr->data); | |
55 | if (pstr->length <= 0) { | |
56 | ASN1_STRING_free(pstr); | |
57 | ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); | |
58 | return 0; | |
59 | } | |
60 | *ppval = pstr; | |
61 | *pptype = V_ASN1_SEQUENCE; | |
62 | } | |
63 | return 1; | |
64 | } | |
448be743 | 65 | |
6f81892e | 66 | static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) |
0f113f3e | 67 | { |
cd701de9 | 68 | const EC_KEY *ec_key = pkey->pkey.ec; |
0f113f3e MC |
69 | void *pval = NULL; |
70 | int ptype; | |
71 | unsigned char *penc = NULL, *p; | |
72 | int penclen; | |
73 | ||
74 | if (!eckey_param2type(&ptype, &pval, ec_key)) { | |
75 | ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB); | |
76 | return 0; | |
77 | } | |
78 | penclen = i2o_ECPublicKey(ec_key, NULL); | |
79 | if (penclen <= 0) | |
80 | goto err; | |
81 | penc = OPENSSL_malloc(penclen); | |
90945fa3 | 82 | if (penc == NULL) |
0f113f3e MC |
83 | goto err; |
84 | p = penc; | |
85 | penclen = i2o_ECPublicKey(ec_key, &p); | |
86 | if (penclen <= 0) | |
87 | goto err; | |
88 | if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC), | |
89 | ptype, pval, penc, penclen)) | |
90 | return 1; | |
91 | err: | |
92 | if (ptype == V_ASN1_OBJECT) | |
93 | ASN1_OBJECT_free(pval); | |
94 | else | |
95 | ASN1_STRING_free(pval); | |
b548a1f1 | 96 | OPENSSL_free(penc); |
0f113f3e MC |
97 | return 0; |
98 | } | |
448be743 | 99 | |
ac4e2577 | 100 | static EC_KEY *eckey_type2param(int ptype, const void *pval) |
0f113f3e MC |
101 | { |
102 | EC_KEY *eckey = NULL; | |
037241bf RS |
103 | EC_GROUP *group = NULL; |
104 | ||
0f113f3e | 105 | if (ptype == V_ASN1_SEQUENCE) { |
ac4e2577 | 106 | const ASN1_STRING *pstr = pval; |
037241bf RS |
107 | const unsigned char *pm = pstr->data; |
108 | int pmlen = pstr->length; | |
109 | ||
75ebbd9a | 110 | if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { |
0f113f3e MC |
111 | ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); |
112 | goto ecerr; | |
113 | } | |
114 | } else if (ptype == V_ASN1_OBJECT) { | |
ac4e2577 | 115 | const ASN1_OBJECT *poid = pval; |
0f113f3e MC |
116 | |
117 | /* | |
118 | * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID | |
119 | */ | |
120 | if ((eckey = EC_KEY_new()) == NULL) { | |
121 | ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE); | |
122 | goto ecerr; | |
123 | } | |
124 | group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid)); | |
125 | if (group == NULL) | |
126 | goto ecerr; | |
127 | EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); | |
128 | if (EC_KEY_set_group(eckey, group) == 0) | |
129 | goto ecerr; | |
130 | EC_GROUP_free(group); | |
131 | } else { | |
132 | ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); | |
133 | goto ecerr; | |
134 | } | |
135 | ||
136 | return eckey; | |
137 | ||
138 | ecerr: | |
8fdc3734 | 139 | EC_KEY_free(eckey); |
037241bf | 140 | EC_GROUP_free(group); |
0f113f3e MC |
141 | return NULL; |
142 | } | |
448be743 | 143 | |
7674e923 | 144 | static int eckey_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) |
0f113f3e MC |
145 | { |
146 | const unsigned char *p = NULL; | |
ac4e2577 | 147 | const void *pval; |
0f113f3e MC |
148 | int ptype, pklen; |
149 | EC_KEY *eckey = NULL; | |
150 | X509_ALGOR *palg; | |
151 | ||
152 | if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) | |
153 | return 0; | |
154 | X509_ALGOR_get0(NULL, &ptype, &pval, palg); | |
155 | ||
156 | eckey = eckey_type2param(ptype, pval); | |
157 | ||
158 | if (!eckey) { | |
159 | ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB); | |
160 | return 0; | |
161 | } | |
162 | ||
163 | /* We have parameters now set public key */ | |
164 | if (!o2i_ECPublicKey(&eckey, &p, pklen)) { | |
165 | ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR); | |
166 | goto ecerr; | |
167 | } | |
168 | ||
169 | EVP_PKEY_assign_EC_KEY(pkey, eckey); | |
170 | return 1; | |
171 | ||
172 | ecerr: | |
8fdc3734 | 173 | EC_KEY_free(eckey); |
0f113f3e MC |
174 | return 0; |
175 | } | |
448be743 | 176 | |
6f81892e | 177 | static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) |
0f113f3e MC |
178 | { |
179 | int r; | |
180 | const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec); | |
181 | const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec), | |
182 | *pb = EC_KEY_get0_public_key(b->pkey.ec); | |
978ecbb0 DW |
183 | if (group == NULL || pa == NULL || pb == NULL) |
184 | return -2; | |
0f113f3e MC |
185 | r = EC_POINT_cmp(group, pa, pb, NULL); |
186 | if (r == 0) | |
187 | return 1; | |
188 | if (r == 1) | |
189 | return 0; | |
190 | return -2; | |
191 | } | |
6f81892e | 192 | |
245c6bc3 | 193 | static int eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) |
0f113f3e MC |
194 | { |
195 | const unsigned char *p = NULL; | |
ac4e2577 | 196 | const void *pval; |
0f113f3e MC |
197 | int ptype, pklen; |
198 | EC_KEY *eckey = NULL; | |
245c6bc3 | 199 | const X509_ALGOR *palg; |
0f113f3e MC |
200 | |
201 | if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) | |
202 | return 0; | |
203 | X509_ALGOR_get0(NULL, &ptype, &pval, palg); | |
204 | ||
205 | eckey = eckey_type2param(ptype, pval); | |
206 | ||
12a765a5 | 207 | if (eckey == NULL) |
0f113f3e MC |
208 | goto ecliberr; |
209 | ||
210 | /* We have parameters now set private key */ | |
211 | if (!d2i_ECPrivateKey(&eckey, &p, pklen)) { | |
212 | ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR); | |
213 | goto ecerr; | |
214 | } | |
215 | ||
0f113f3e MC |
216 | EVP_PKEY_assign_EC_KEY(pkey, eckey); |
217 | return 1; | |
218 | ||
219 | ecliberr: | |
220 | ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); | |
221 | ecerr: | |
8fdc3734 | 222 | EC_KEY_free(eckey); |
0f113f3e MC |
223 | return 0; |
224 | } | |
448be743 | 225 | |
6f81892e | 226 | static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) |
448be743 | 227 | { |
b8a7bd83 | 228 | EC_KEY ec_key = *(pkey->pkey.ec); |
0f113f3e MC |
229 | unsigned char *ep, *p; |
230 | int eplen, ptype; | |
231 | void *pval; | |
b8a7bd83 | 232 | unsigned int old_flags; |
0f113f3e | 233 | |
b8a7bd83 | 234 | if (!eckey_param2type(&ptype, &pval, &ec_key)) { |
0f113f3e MC |
235 | ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR); |
236 | return 0; | |
237 | } | |
238 | ||
239 | /* set the private key */ | |
240 | ||
241 | /* | |
242 | * do not include the parameters in the SEC1 private key see PKCS#11 | |
243 | * 12.11 | |
244 | */ | |
b8a7bd83 RL |
245 | old_flags = EC_KEY_get_enc_flags(&ec_key); |
246 | EC_KEY_set_enc_flags(&ec_key, old_flags | EC_PKEY_NO_PARAMETERS); | |
247 | ||
248 | eplen = i2d_ECPrivateKey(&ec_key, NULL); | |
0f113f3e | 249 | if (!eplen) { |
0f113f3e MC |
250 | ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); |
251 | return 0; | |
252 | } | |
b196e7d9 | 253 | ep = OPENSSL_malloc(eplen); |
90945fa3 | 254 | if (ep == NULL) { |
0f113f3e MC |
255 | ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); |
256 | return 0; | |
257 | } | |
258 | p = ep; | |
b8a7bd83 | 259 | if (!i2d_ECPrivateKey(&ec_key, &p)) { |
0f113f3e MC |
260 | OPENSSL_free(ep); |
261 | ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); | |
262 | return 0; | |
263 | } | |
0f113f3e MC |
264 | |
265 | if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, | |
e0670973 Y |
266 | ptype, pval, ep, eplen)) { |
267 | OPENSSL_free(ep); | |
0f113f3e | 268 | return 0; |
e0670973 | 269 | } |
0f113f3e MC |
270 | |
271 | return 1; | |
448be743 DSH |
272 | } |
273 | ||
6f81892e | 274 | static int int_ec_size(const EVP_PKEY *pkey) |
0f113f3e MC |
275 | { |
276 | return ECDSA_size(pkey->pkey.ec); | |
277 | } | |
6f81892e DSH |
278 | |
279 | static int ec_bits(const EVP_PKEY *pkey) | |
0f113f3e | 280 | { |
be2e334f | 281 | return EC_GROUP_order_bits(EC_KEY_get0_group(pkey->pkey.ec)); |
0f113f3e | 282 | } |
6f81892e | 283 | |
2514fa79 | 284 | static int ec_security_bits(const EVP_PKEY *pkey) |
0f113f3e MC |
285 | { |
286 | int ecbits = ec_bits(pkey); | |
287 | if (ecbits >= 512) | |
288 | return 256; | |
289 | if (ecbits >= 384) | |
290 | return 192; | |
291 | if (ecbits >= 256) | |
292 | return 128; | |
293 | if (ecbits >= 224) | |
294 | return 112; | |
295 | if (ecbits >= 160) | |
296 | return 80; | |
297 | return ecbits / 2; | |
298 | } | |
2514fa79 | 299 | |
6f81892e | 300 | static int ec_missing_parameters(const EVP_PKEY *pkey) |
0f113f3e | 301 | { |
f72f00d4 | 302 | if (pkey->pkey.ec == NULL || EC_KEY_get0_group(pkey->pkey.ec) == NULL) |
0f113f3e MC |
303 | return 1; |
304 | return 0; | |
305 | } | |
6f81892e | 306 | |
930b0c4b | 307 | static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) |
0f113f3e MC |
308 | { |
309 | EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec)); | |
188a9bd9 | 310 | |
0f113f3e MC |
311 | if (group == NULL) |
312 | return 0; | |
2986ecdc DSH |
313 | if (to->pkey.ec == NULL) { |
314 | to->pkey.ec = EC_KEY_new(); | |
315 | if (to->pkey.ec == NULL) | |
188a9bd9 | 316 | goto err; |
2986ecdc | 317 | } |
0f113f3e | 318 | if (EC_KEY_set_group(to->pkey.ec, group) == 0) |
188a9bd9 | 319 | goto err; |
0f113f3e MC |
320 | EC_GROUP_free(group); |
321 | return 1; | |
188a9bd9 BE |
322 | err: |
323 | EC_GROUP_free(group); | |
324 | return 0; | |
0f113f3e | 325 | } |
6f81892e | 326 | |
930b0c4b | 327 | static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) |
0f113f3e MC |
328 | { |
329 | const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), | |
330 | *group_b = EC_KEY_get0_group(b->pkey.ec); | |
978ecbb0 DW |
331 | if (group_a == NULL || group_b == NULL) |
332 | return -2; | |
0f113f3e MC |
333 | if (EC_GROUP_cmp(group_a, group_b, NULL)) |
334 | return 0; | |
335 | else | |
336 | return 1; | |
337 | } | |
6f81892e DSH |
338 | |
339 | static void int_ec_free(EVP_PKEY *pkey) | |
0f113f3e MC |
340 | { |
341 | EC_KEY_free(pkey->pkey.ec); | |
342 | } | |
6f81892e | 343 | |
d6755bb6 DSH |
344 | typedef enum { |
345 | EC_KEY_PRINT_PRIVATE, | |
346 | EC_KEY_PRINT_PUBLIC, | |
347 | EC_KEY_PRINT_PARAM | |
348 | } ec_print_t; | |
349 | ||
350 | static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, ec_print_t ktype) | |
0f113f3e | 351 | { |
0f113f3e | 352 | const char *ecstr; |
7fc7d1a7 DSH |
353 | unsigned char *priv = NULL, *pub = NULL; |
354 | size_t privlen = 0, publen = 0; | |
355 | int ret = 0; | |
0f113f3e | 356 | const EC_GROUP *group; |
0f113f3e MC |
357 | |
358 | if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) { | |
7fc7d1a7 DSH |
359 | ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_PASSED_NULL_PARAMETER); |
360 | return 0; | |
0f113f3e MC |
361 | } |
362 | ||
82f52631 | 363 | if (ktype != EC_KEY_PRINT_PARAM && EC_KEY_get0_public_key(x) != NULL) { |
7fc7d1a7 DSH |
364 | publen = EC_KEY_key2buf(x, EC_KEY_get_conv_form(x), &pub, NULL); |
365 | if (publen == 0) | |
366 | goto err; | |
0f113f3e MC |
367 | } |
368 | ||
d6755bb6 | 369 | if (ktype == EC_KEY_PRINT_PRIVATE && EC_KEY_get0_private_key(x) != NULL) { |
7fc7d1a7 DSH |
370 | privlen = EC_KEY_priv2buf(x, &priv); |
371 | if (privlen == 0) | |
d810700b | 372 | goto err; |
d810700b | 373 | } |
0f113f3e | 374 | |
d6755bb6 | 375 | if (ktype == EC_KEY_PRINT_PRIVATE) |
0f113f3e | 376 | ecstr = "Private-Key"; |
d6755bb6 | 377 | else if (ktype == EC_KEY_PRINT_PUBLIC) |
0f113f3e MC |
378 | ecstr = "Public-Key"; |
379 | else | |
380 | ecstr = "ECDSA-Parameters"; | |
381 | ||
382 | if (!BIO_indent(bp, off, 128)) | |
383 | goto err; | |
be2e334f DSH |
384 | if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, |
385 | EC_GROUP_order_bits(group)) <= 0) | |
0f113f3e MC |
386 | goto err; |
387 | ||
7fc7d1a7 | 388 | if (privlen != 0) { |
d810700b DSH |
389 | if (BIO_printf(bp, "%*spriv:\n", off, "") <= 0) |
390 | goto err; | |
7fc7d1a7 | 391 | if (ASN1_buf_print(bp, priv, privlen, off + 4) == 0) |
d810700b DSH |
392 | goto err; |
393 | } | |
394 | ||
7fc7d1a7 | 395 | if (publen != 0) { |
d810700b DSH |
396 | if (BIO_printf(bp, "%*spub:\n", off, "") <= 0) |
397 | goto err; | |
7fc7d1a7 | 398 | if (ASN1_buf_print(bp, pub, publen, off + 4) == 0) |
d810700b DSH |
399 | goto err; |
400 | } | |
401 | ||
0f113f3e MC |
402 | if (!ECPKParameters_print(bp, group, off)) |
403 | goto err; | |
404 | ret = 1; | |
405 | err: | |
406 | if (!ret) | |
7fc7d1a7 DSH |
407 | ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_EC_LIB); |
408 | OPENSSL_clear_free(priv, privlen); | |
409 | OPENSSL_free(pub); | |
d810700b | 410 | return ret; |
0f113f3e | 411 | } |
35208f36 | 412 | |
3e4585c8 | 413 | static int eckey_param_decode(EVP_PKEY *pkey, |
0f113f3e MC |
414 | const unsigned char **pder, int derlen) |
415 | { | |
416 | EC_KEY *eckey; | |
75ebbd9a RS |
417 | |
418 | if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) { | |
0f113f3e MC |
419 | ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB); |
420 | return 0; | |
421 | } | |
422 | EVP_PKEY_assign_EC_KEY(pkey, eckey); | |
423 | return 1; | |
424 | } | |
3e4585c8 DSH |
425 | |
426 | static int eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder) | |
0f113f3e MC |
427 | { |
428 | return i2d_ECParameters(pkey->pkey.ec, pder); | |
429 | } | |
3e4585c8 | 430 | |
35208f36 | 431 | static int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, |
0f113f3e MC |
432 | ASN1_PCTX *ctx) |
433 | { | |
d6755bb6 | 434 | return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PARAM); |
0f113f3e | 435 | } |
35208f36 DSH |
436 | |
437 | static int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, | |
0f113f3e MC |
438 | ASN1_PCTX *ctx) |
439 | { | |
d6755bb6 | 440 | return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PUBLIC); |
0f113f3e | 441 | } |
35208f36 DSH |
442 | |
443 | static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, | |
0f113f3e MC |
444 | ASN1_PCTX *ctx) |
445 | { | |
d6755bb6 | 446 | return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PRIVATE); |
0f113f3e | 447 | } |
35208f36 | 448 | |
e4263314 | 449 | static int old_ec_priv_decode(EVP_PKEY *pkey, |
0f113f3e MC |
450 | const unsigned char **pder, int derlen) |
451 | { | |
452 | EC_KEY *ec; | |
75ebbd9a RS |
453 | |
454 | if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) { | |
0f113f3e MC |
455 | ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR); |
456 | return 0; | |
457 | } | |
458 | EVP_PKEY_assign_EC_KEY(pkey, ec); | |
459 | return 1; | |
460 | } | |
e4263314 DSH |
461 | |
462 | static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) | |
0f113f3e MC |
463 | { |
464 | return i2d_ECPrivateKey(pkey->pkey.ec, pder); | |
465 | } | |
e4263314 | 466 | |
492a9e24 | 467 | static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) |
0f113f3e MC |
468 | { |
469 | switch (op) { | |
470 | case ASN1_PKEY_CTRL_PKCS7_SIGN: | |
471 | if (arg1 == 0) { | |
472 | int snid, hnid; | |
473 | X509_ALGOR *alg1, *alg2; | |
474 | PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); | |
475 | if (alg1 == NULL || alg1->algorithm == NULL) | |
476 | return -1; | |
477 | hnid = OBJ_obj2nid(alg1->algorithm); | |
478 | if (hnid == NID_undef) | |
479 | return -1; | |
480 | if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) | |
481 | return -1; | |
482 | X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); | |
483 | } | |
484 | return 1; | |
8931b30d | 485 | #ifndef OPENSSL_NO_CMS |
0f113f3e MC |
486 | case ASN1_PKEY_CTRL_CMS_SIGN: |
487 | if (arg1 == 0) { | |
488 | int snid, hnid; | |
489 | X509_ALGOR *alg1, *alg2; | |
490 | CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); | |
491 | if (alg1 == NULL || alg1->algorithm == NULL) | |
492 | return -1; | |
493 | hnid = OBJ_obj2nid(alg1->algorithm); | |
494 | if (hnid == NID_undef) | |
495 | return -1; | |
496 | if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) | |
497 | return -1; | |
498 | X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); | |
499 | } | |
500 | return 1; | |
501 | ||
502 | case ASN1_PKEY_CTRL_CMS_ENVELOPE: | |
503 | if (arg1 == 1) | |
504 | return ecdh_cms_decrypt(arg2); | |
505 | else if (arg1 == 0) | |
506 | return ecdh_cms_encrypt(arg2); | |
507 | return -2; | |
508 | ||
509 | case ASN1_PKEY_CTRL_CMS_RI_TYPE: | |
510 | *(int *)arg2 = CMS_RECIPINFO_AGREE; | |
511 | return 1; | |
8931b30d | 512 | #endif |
492a9e24 | 513 | |
0f113f3e | 514 | case ASN1_PKEY_CTRL_DEFAULT_MD_NID: |
e766f4a0 PY |
515 | if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) { |
516 | /* For SM2, the only valid digest-alg is SM3 */ | |
517 | *(int *)arg2 = NID_sm3; | |
ef077ba0 | 518 | return 2; /* Make it mandatory */ |
e766f4a0 | 519 | } |
ef077ba0 | 520 | *(int *)arg2 = NID_sha256; |
eb7eb137 | 521 | return 1; |
492a9e24 | 522 | |
3bca6c27 DSH |
523 | case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: |
524 | return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL); | |
525 | ||
526 | case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: | |
527 | return EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(pkey), | |
528 | POINT_CONVERSION_UNCOMPRESSED, arg2, NULL); | |
529 | ||
0f113f3e MC |
530 | default: |
531 | return -2; | |
6f81892e | 532 | |
0f113f3e | 533 | } |
6f81892e | 534 | |
0f113f3e | 535 | } |
6f81892e | 536 | |
2aee35d3 PY |
537 | static int ec_pkey_check(const EVP_PKEY *pkey) |
538 | { | |
539 | EC_KEY *eckey = pkey->pkey.ec; | |
540 | ||
541 | /* stay consistent to what EVP_PKEY_check demands */ | |
542 | if (eckey->priv_key == NULL) { | |
6807b84e | 543 | ECerr(EC_F_EC_PKEY_CHECK, EC_R_MISSING_PRIVATE_KEY); |
2aee35d3 PY |
544 | return 0; |
545 | } | |
546 | ||
547 | return EC_KEY_check_key(eckey); | |
548 | } | |
549 | ||
b0004708 PY |
550 | static int ec_pkey_public_check(const EVP_PKEY *pkey) |
551 | { | |
552 | EC_KEY *eckey = pkey->pkey.ec; | |
553 | ||
554 | /* | |
555 | * Note: it unnecessary to check eckey->pub_key here since | |
556 | * it will be checked in EC_KEY_check_key(). In fact, the | |
557 | * EC_KEY_check_key() mainly checks the public key, and checks | |
558 | * the private key optionally (only if there is one). So if | |
559 | * someone passes a whole EC key (public + private), this | |
560 | * will also work... | |
561 | */ | |
562 | ||
563 | return EC_KEY_check_key(eckey); | |
564 | } | |
565 | ||
566 | static int ec_pkey_param_check(const EVP_PKEY *pkey) | |
567 | { | |
568 | EC_KEY *eckey = pkey->pkey.ec; | |
569 | ||
570 | /* stay consistent to what EVP_PKEY_check demands */ | |
571 | if (eckey->group == NULL) { | |
572 | ECerr(EC_F_EC_PKEY_PARAM_CHECK, EC_R_MISSING_PARAMETERS); | |
573 | return 0; | |
574 | } | |
575 | ||
576 | return EC_GROUP_check(eckey->group, NULL); | |
577 | } | |
578 | ||
4fe54d67 NT |
579 | static |
580 | size_t ec_pkey_dirty_cnt(const EVP_PKEY *pkey) | |
581 | { | |
582 | return pkey->pkey.ec->dirty_cnt; | |
583 | } | |
584 | ||
585 | static ossl_inline | |
586 | int ecparams_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl) | |
587 | { | |
588 | const EC_GROUP *ecg; | |
589 | int curve_nid; | |
590 | ||
591 | if (eckey == NULL) | |
592 | return 0; | |
593 | ||
594 | ecg = EC_KEY_get0_group(eckey); | |
595 | if (ecg == NULL) | |
596 | return 0; | |
597 | ||
598 | curve_nid = EC_GROUP_get_curve_name(ecg); | |
599 | ||
600 | if (curve_nid == NID_undef) { | |
601 | /* explicit parameters */ | |
602 | ||
603 | /* | |
604 | * TODO(3.0): should we support explicit parameters curves? | |
605 | */ | |
606 | return 0; | |
607 | } else { | |
608 | /* named curve */ | |
609 | const char *curve_name = NULL; | |
610 | ||
611 | if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL) | |
612 | return 0; | |
613 | ||
11a1b341 | 614 | if (!OSSL_PARAM_BLD_push_utf8_string(tmpl, OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0)) |
4fe54d67 NT |
615 | return 0; |
616 | } | |
617 | ||
618 | return 1; | |
619 | } | |
620 | ||
621 | static | |
622 | int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, | |
76e23fc5 MC |
623 | EVP_KEYMGMT *to_keymgmt, OPENSSL_CTX *libctx, |
624 | const char *propq) | |
4fe54d67 NT |
625 | { |
626 | const EC_KEY *eckey = NULL; | |
627 | const EC_GROUP *ecg = NULL; | |
628 | unsigned char *pub_key_buf = NULL; | |
629 | size_t pub_key_buflen; | |
6d4e6009 | 630 | OSSL_PARAM_BLD *tmpl; |
4fe54d67 NT |
631 | OSSL_PARAM *params = NULL; |
632 | const BIGNUM *priv_key = NULL; | |
633 | const EC_POINT *pub_point = NULL; | |
0996cff9 | 634 | int selection = 0; |
4fe54d67 | 635 | int rv = 0; |
76e23fc5 | 636 | BN_CTX *bnctx = NULL; |
4fe54d67 NT |
637 | |
638 | if (from == NULL | |
639 | || (eckey = from->pkey.ec) == NULL | |
640 | || (ecg = EC_KEY_get0_group(eckey)) == NULL) | |
641 | return 0; | |
642 | ||
df13defd RL |
643 | /* |
644 | * If the EC_KEY method is foreign, then we can't be sure of anything, | |
645 | * and can therefore not export or pretend to export. | |
646 | */ | |
647 | if (EC_KEY_get_method(eckey) != EC_KEY_OpenSSL()) | |
648 | return 0; | |
649 | ||
6d4e6009 P |
650 | tmpl = OSSL_PARAM_BLD_new(); |
651 | if (tmpl == NULL) | |
652 | return 0; | |
4fe54d67 NT |
653 | |
654 | /* export the domain parameters */ | |
6d4e6009 | 655 | if (!ecparams_to_params(eckey, tmpl)) |
0996cff9 RL |
656 | goto err; |
657 | selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; | |
4fe54d67 NT |
658 | |
659 | priv_key = EC_KEY_get0_private_key(eckey); | |
660 | pub_point = EC_KEY_get0_public_key(eckey); | |
661 | ||
0996cff9 | 662 | if (pub_point != NULL) { |
76e23fc5 MC |
663 | /* |
664 | * EC_POINT_point2buf() can generate random numbers in some | |
665 | * implementations so we need to ensure we use the correct libctx. | |
666 | */ | |
667 | bnctx = BN_CTX_new_ex(libctx); | |
668 | if (bnctx == NULL) | |
669 | goto err; | |
670 | ||
0996cff9 RL |
671 | /* convert pub_point to a octet string according to the SECG standard */ |
672 | if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point, | |
673 | POINT_CONVERSION_COMPRESSED, | |
76e23fc5 | 674 | &pub_key_buf, bnctx)) == 0 |
6d4e6009 | 675 | || !OSSL_PARAM_BLD_push_octet_string(tmpl, |
0996cff9 RL |
676 | OSSL_PKEY_PARAM_PUB_KEY, |
677 | pub_key_buf, | |
678 | pub_key_buflen)) | |
679 | goto err; | |
680 | selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; | |
681 | } | |
4fe54d67 NT |
682 | |
683 | if (priv_key != NULL) { | |
a377871d NT |
684 | size_t sz; |
685 | int ecbits; | |
686 | int ecdh_cofactor_mode; | |
687 | ||
688 | /* | |
689 | * Key import/export should never leak the bit length of the secret | |
690 | * scalar in the key. | |
691 | * | |
692 | * For this reason, on export we use padded BIGNUMs with fixed length. | |
693 | * | |
694 | * When importing we also should make sure that, even if short lived, | |
695 | * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as | |
696 | * soon as possible, so that any processing of this BIGNUM might opt for | |
697 | * constant time implementations in the backend. | |
698 | * | |
699 | * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have | |
700 | * to preallocate the BIGNUM internal buffer to a fixed public size big | |
701 | * enough that operations performed during the processing never trigger | |
702 | * a realloc which would leak the size of the scalar through memory | |
703 | * accesses. | |
704 | * | |
705 | * Fixed Length | |
706 | * ------------ | |
707 | * | |
708 | * The order of the large prime subgroup of the curve is our choice for | |
709 | * a fixed public size, as that is generally the upper bound for | |
710 | * generating a private key in EC cryptosystems and should fit all valid | |
711 | * secret scalars. | |
712 | * | |
713 | * For padding on export we just use the bit length of the order | |
714 | * converted to bytes (rounding up). | |
715 | * | |
716 | * For preallocating the BIGNUM storage we look at the number of "words" | |
717 | * required for the internal representation of the order, and we | |
718 | * preallocate 2 extra "words" in case any of the subsequent processing | |
719 | * might temporarily overflow the order length. | |
720 | */ | |
721 | ecbits = EC_GROUP_order_bits(ecg); | |
722 | if (ecbits <= 0) | |
723 | goto err; | |
724 | ||
725 | sz = (ecbits + 7 ) / 8; | |
6d4e6009 | 726 | if (!OSSL_PARAM_BLD_push_BN_pad(tmpl, |
a377871d NT |
727 | OSSL_PKEY_PARAM_PRIV_KEY, |
728 | priv_key, sz)) | |
729 | goto err; | |
0996cff9 | 730 | selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; |
a377871d | 731 | |
4fe54d67 NT |
732 | /* |
733 | * The ECDH Cofactor Mode is defined only if the EC_KEY actually | |
734 | * contains a private key, so we check for the flag and export it only | |
735 | * in this case. | |
736 | */ | |
a377871d | 737 | ecdh_cofactor_mode = |
4fe54d67 NT |
738 | (EC_KEY_get_flags(eckey) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; |
739 | ||
4fe54d67 | 740 | /* Export the ECDH_COFACTOR_MODE parameter */ |
6d4e6009 | 741 | if (!OSSL_PARAM_BLD_push_int(tmpl, |
4fe54d67 NT |
742 | OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, |
743 | ecdh_cofactor_mode)) | |
744 | goto err; | |
0996cff9 | 745 | selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS; |
4fe54d67 NT |
746 | } |
747 | ||
6d4e6009 | 748 | params = OSSL_PARAM_BLD_to_param(tmpl); |
4fe54d67 NT |
749 | |
750 | /* We export, the provider imports */ | |
0996cff9 | 751 | rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); |
4fe54d67 NT |
752 | |
753 | err: | |
6d4e6009 P |
754 | OSSL_PARAM_BLD_free(tmpl); |
755 | OSSL_PARAM_BLD_free_params(params); | |
4fe54d67 | 756 | OPENSSL_free(pub_key_buf); |
76e23fc5 | 757 | BN_CTX_free(bnctx); |
4fe54d67 NT |
758 | return rv; |
759 | } | |
760 | ||
629c72db | 761 | static int ec_pkey_import_from(const OSSL_PARAM params[], void *vpctx) |
0abae163 | 762 | { |
629c72db MC |
763 | EVP_PKEY_CTX *pctx = vpctx; |
764 | EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx); | |
765 | EC_KEY *ec = EC_KEY_new_ex(pctx->libctx); | |
0abae163 RL |
766 | |
767 | if (ec == NULL) { | |
768 | ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); | |
769 | return 0; | |
770 | } | |
771 | ||
772 | if (!ec_key_domparams_fromdata(ec, params) | |
773 | || !ec_key_otherparams_fromdata(ec, params) | |
774 | || !ec_key_fromdata(ec, params, 1) | |
775 | || !EVP_PKEY_assign_EC_KEY(pkey, ec)) { | |
776 | EC_KEY_free(ec); | |
777 | return 0; | |
778 | } | |
779 | return 1; | |
780 | } | |
781 | ||
0f113f3e MC |
782 | const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { |
783 | EVP_PKEY_EC, | |
784 | EVP_PKEY_EC, | |
785 | 0, | |
786 | "EC", | |
787 | "OpenSSL EC algorithm", | |
788 | ||
789 | eckey_pub_decode, | |
790 | eckey_pub_encode, | |
791 | eckey_pub_cmp, | |
792 | eckey_pub_print, | |
793 | ||
794 | eckey_priv_decode, | |
795 | eckey_priv_encode, | |
796 | eckey_priv_print, | |
797 | ||
798 | int_ec_size, | |
799 | ec_bits, | |
800 | ec_security_bits, | |
801 | ||
802 | eckey_param_decode, | |
803 | eckey_param_encode, | |
804 | ec_missing_parameters, | |
805 | ec_copy_parameters, | |
806 | ec_cmp_parameters, | |
807 | eckey_param_print, | |
808 | 0, | |
809 | ||
810 | int_ec_free, | |
811 | ec_pkey_ctrl, | |
812 | old_ec_priv_decode, | |
2aee35d3 PY |
813 | old_ec_priv_encode, |
814 | ||
815 | 0, 0, 0, | |
816 | ||
b0004708 PY |
817 | ec_pkey_check, |
818 | ec_pkey_public_check, | |
4fe54d67 NT |
819 | ec_pkey_param_check, |
820 | ||
821 | 0, /* set_priv_key */ | |
822 | 0, /* set_pub_key */ | |
823 | 0, /* get_priv_key */ | |
824 | 0, /* get_pub_key */ | |
825 | ||
826 | ec_pkey_dirty_cnt, | |
0abae163 RL |
827 | ec_pkey_export_to, |
828 | ec_pkey_import_from | |
0f113f3e | 829 | }; |
88e20b85 | 830 | |
ddb634fe JL |
831 | #if !defined(OPENSSL_NO_SM2) |
832 | const EVP_PKEY_ASN1_METHOD sm2_asn1_meth = { | |
833 | EVP_PKEY_SM2, | |
834 | EVP_PKEY_EC, | |
835 | ASN1_PKEY_ALIAS | |
836 | }; | |
837 | #endif | |
838 | ||
dca5eeb4 RS |
839 | int EC_KEY_print(BIO *bp, const EC_KEY *x, int off) |
840 | { | |
841 | int private = EC_KEY_get0_private_key(x) != NULL; | |
842 | ||
843 | return do_EC_KEY_print(bp, x, off, | |
a66069db | 844 | private ? EC_KEY_PRINT_PRIVATE : EC_KEY_PRINT_PUBLIC); |
dca5eeb4 RS |
845 | } |
846 | ||
847 | int ECParameters_print(BIO *bp, const EC_KEY *x) | |
848 | { | |
849 | return do_EC_KEY_print(bp, x, 4, EC_KEY_PRINT_PARAM); | |
850 | } | |
851 | ||
88e20b85 DSH |
852 | #ifndef OPENSSL_NO_CMS |
853 | ||
854 | static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx, | |
0f113f3e MC |
855 | X509_ALGOR *alg, ASN1_BIT_STRING *pubkey) |
856 | { | |
ac4e2577 | 857 | const ASN1_OBJECT *aoid; |
0f113f3e | 858 | int atype; |
ac4e2577 | 859 | const void *aval; |
0f113f3e MC |
860 | int rv = 0; |
861 | EVP_PKEY *pkpeer = NULL; | |
862 | EC_KEY *ecpeer = NULL; | |
863 | const unsigned char *p; | |
864 | int plen; | |
865 | X509_ALGOR_get0(&aoid, &atype, &aval, alg); | |
866 | if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey) | |
867 | goto err; | |
868 | /* If absent parameters get group from main key */ | |
869 | if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) { | |
870 | const EC_GROUP *grp; | |
871 | EVP_PKEY *pk; | |
872 | pk = EVP_PKEY_CTX_get0_pkey(pctx); | |
12a765a5 | 873 | if (pk == NULL) |
0f113f3e MC |
874 | goto err; |
875 | grp = EC_KEY_get0_group(pk->pkey.ec); | |
876 | ecpeer = EC_KEY_new(); | |
90945fa3 | 877 | if (ecpeer == NULL) |
0f113f3e MC |
878 | goto err; |
879 | if (!EC_KEY_set_group(ecpeer, grp)) | |
880 | goto err; | |
881 | } else { | |
882 | ecpeer = eckey_type2param(atype, aval); | |
883 | if (!ecpeer) | |
884 | goto err; | |
885 | } | |
886 | /* We have parameters now set public key */ | |
887 | plen = ASN1_STRING_length(pubkey); | |
17ebf85a | 888 | p = ASN1_STRING_get0_data(pubkey); |
12a765a5 | 889 | if (p == NULL || plen == 0) |
0f113f3e MC |
890 | goto err; |
891 | if (!o2i_ECPublicKey(&ecpeer, &p, plen)) | |
892 | goto err; | |
893 | pkpeer = EVP_PKEY_new(); | |
90945fa3 | 894 | if (pkpeer == NULL) |
0f113f3e MC |
895 | goto err; |
896 | EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer); | |
897 | if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) | |
898 | rv = 1; | |
899 | err: | |
8fdc3734 | 900 | EC_KEY_free(ecpeer); |
c5ba2d99 | 901 | EVP_PKEY_free(pkpeer); |
0f113f3e MC |
902 | return rv; |
903 | } | |
904 | ||
88e20b85 DSH |
905 | /* Set KDF parameters based on KDF NID */ |
906 | static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid) | |
0f113f3e MC |
907 | { |
908 | int kdf_nid, kdfmd_nid, cofactor; | |
909 | const EVP_MD *kdf_md; | |
910 | if (eckdf_nid == NID_undef) | |
911 | return 0; | |
912 | ||
913 | /* Lookup KDF type, cofactor mode and digest */ | |
914 | if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid)) | |
915 | return 0; | |
916 | ||
917 | if (kdf_nid == NID_dh_std_kdf) | |
918 | cofactor = 0; | |
919 | else if (kdf_nid == NID_dh_cofactor_kdf) | |
920 | cofactor = 1; | |
921 | else | |
922 | return 0; | |
923 | ||
924 | if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) | |
925 | return 0; | |
926 | ||
ffd89124 | 927 | if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0) |
0f113f3e MC |
928 | return 0; |
929 | ||
930 | kdf_md = EVP_get_digestbynid(kdfmd_nid); | |
931 | if (!kdf_md) | |
932 | return 0; | |
933 | ||
934 | if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) | |
935 | return 0; | |
936 | return 1; | |
937 | } | |
88e20b85 | 938 | |
88e20b85 | 939 | static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) |
0f113f3e MC |
940 | { |
941 | int rv = 0; | |
942 | ||
943 | X509_ALGOR *alg, *kekalg = NULL; | |
944 | ASN1_OCTET_STRING *ukm; | |
945 | const unsigned char *p; | |
946 | unsigned char *der = NULL; | |
947 | int plen, keylen; | |
948 | const EVP_CIPHER *kekcipher; | |
949 | EVP_CIPHER_CTX *kekctx; | |
950 | ||
951 | if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) | |
952 | return 0; | |
953 | ||
954 | if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { | |
955 | ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR); | |
956 | return 0; | |
957 | } | |
958 | ||
959 | if (alg->parameter->type != V_ASN1_SEQUENCE) | |
960 | return 0; | |
961 | ||
962 | p = alg->parameter->value.sequence->data; | |
963 | plen = alg->parameter->value.sequence->length; | |
964 | kekalg = d2i_X509_ALGOR(NULL, &p, plen); | |
965 | if (!kekalg) | |
966 | goto err; | |
967 | kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); | |
968 | if (!kekctx) | |
969 | goto err; | |
970 | kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); | |
971 | if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) | |
972 | goto err; | |
973 | if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) | |
974 | goto err; | |
975 | if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) | |
976 | goto err; | |
977 | ||
978 | keylen = EVP_CIPHER_CTX_key_length(kekctx); | |
979 | if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) | |
980 | goto err; | |
981 | ||
982 | plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen); | |
983 | ||
984 | if (!plen) | |
985 | goto err; | |
986 | ||
987 | if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0) | |
988 | goto err; | |
989 | der = NULL; | |
990 | ||
991 | rv = 1; | |
992 | err: | |
222561fe RS |
993 | X509_ALGOR_free(kekalg); |
994 | OPENSSL_free(der); | |
0f113f3e MC |
995 | return rv; |
996 | } | |
88e20b85 DSH |
997 | |
998 | static int ecdh_cms_decrypt(CMS_RecipientInfo *ri) | |
0f113f3e MC |
999 | { |
1000 | EVP_PKEY_CTX *pctx; | |
1001 | pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); | |
1002 | if (!pctx) | |
1003 | return 0; | |
1004 | /* See if we need to set peer key */ | |
1005 | if (!EVP_PKEY_CTX_get0_peerkey(pctx)) { | |
1006 | X509_ALGOR *alg; | |
1007 | ASN1_BIT_STRING *pubkey; | |
1008 | if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey, | |
1009 | NULL, NULL, NULL)) | |
1010 | return 0; | |
1011 | if (!alg || !pubkey) | |
1012 | return 0; | |
1013 | if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) { | |
1014 | ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_PEER_KEY_ERROR); | |
1015 | return 0; | |
1016 | } | |
1017 | } | |
1018 | /* Set ECDH derivation parameters and initialise unwrap context */ | |
1019 | if (!ecdh_cms_set_shared_info(pctx, ri)) { | |
1020 | ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_SHARED_INFO_ERROR); | |
1021 | return 0; | |
1022 | } | |
1023 | return 1; | |
1024 | } | |
88e20b85 DSH |
1025 | |
1026 | static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) | |
0f113f3e MC |
1027 | { |
1028 | EVP_PKEY_CTX *pctx; | |
1029 | EVP_PKEY *pkey; | |
1030 | EVP_CIPHER_CTX *ctx; | |
1031 | int keylen; | |
1032 | X509_ALGOR *talg, *wrap_alg = NULL; | |
ac4e2577 | 1033 | const ASN1_OBJECT *aoid; |
0f113f3e MC |
1034 | ASN1_BIT_STRING *pubkey; |
1035 | ASN1_STRING *wrap_str; | |
1036 | ASN1_OCTET_STRING *ukm; | |
1037 | unsigned char *penc = NULL; | |
1038 | int penclen; | |
1039 | int rv = 0; | |
1040 | int ecdh_nid, kdf_type, kdf_nid, wrap_nid; | |
1041 | const EVP_MD *kdf_md; | |
1042 | pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); | |
1043 | if (!pctx) | |
1044 | return 0; | |
1045 | /* Get ephemeral key */ | |
1046 | pkey = EVP_PKEY_CTX_get0_pkey(pctx); | |
1047 | if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey, | |
1048 | NULL, NULL, NULL)) | |
1049 | goto err; | |
1050 | X509_ALGOR_get0(&aoid, NULL, NULL, talg); | |
1051 | /* Is everything uninitialised? */ | |
1052 | if (aoid == OBJ_nid2obj(NID_undef)) { | |
1053 | ||
1054 | EC_KEY *eckey = pkey->pkey.ec; | |
1055 | /* Set the key */ | |
1056 | unsigned char *p; | |
1057 | ||
1058 | penclen = i2o_ECPublicKey(eckey, NULL); | |
1059 | if (penclen <= 0) | |
1060 | goto err; | |
1061 | penc = OPENSSL_malloc(penclen); | |
90945fa3 | 1062 | if (penc == NULL) |
0f113f3e MC |
1063 | goto err; |
1064 | p = penc; | |
1065 | penclen = i2o_ECPublicKey(eckey, &p); | |
1066 | if (penclen <= 0) | |
1067 | goto err; | |
1068 | ASN1_STRING_set0(pubkey, penc, penclen); | |
1069 | pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); | |
1070 | pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; | |
1071 | ||
1072 | penc = NULL; | |
1073 | X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), | |
1074 | V_ASN1_UNDEF, NULL); | |
1075 | } | |
1076 | ||
0d4fb843 | 1077 | /* See if custom parameters set */ |
0f113f3e MC |
1078 | kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx); |
1079 | if (kdf_type <= 0) | |
1080 | goto err; | |
1081 | if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md)) | |
1082 | goto err; | |
1083 | ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx); | |
1084 | if (ecdh_nid < 0) | |
1085 | goto err; | |
1086 | else if (ecdh_nid == 0) | |
1087 | ecdh_nid = NID_dh_std_kdf; | |
1088 | else if (ecdh_nid == 1) | |
1089 | ecdh_nid = NID_dh_cofactor_kdf; | |
1090 | ||
1091 | if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { | |
ffd89124 | 1092 | kdf_type = EVP_PKEY_ECDH_KDF_X9_63; |
0f113f3e MC |
1093 | if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) |
1094 | goto err; | |
1095 | } else | |
0d4fb843 | 1096 | /* Unknown KDF */ |
0f113f3e MC |
1097 | goto err; |
1098 | if (kdf_md == NULL) { | |
1099 | /* Fixme later for better MD */ | |
1100 | kdf_md = EVP_sha1(); | |
1101 | if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) | |
1102 | goto err; | |
1103 | } | |
1104 | ||
1105 | if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm)) | |
1106 | goto err; | |
1107 | ||
1108 | /* Lookup NID for KDF+cofactor+digest */ | |
1109 | ||
1110 | if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid)) | |
1111 | goto err; | |
1112 | /* Get wrap NID */ | |
1113 | ctx = CMS_RecipientInfo_kari_get0_ctx(ri); | |
1114 | wrap_nid = EVP_CIPHER_CTX_type(ctx); | |
1115 | keylen = EVP_CIPHER_CTX_key_length(ctx); | |
1116 | ||
1117 | /* Package wrap algorithm in an AlgorithmIdentifier */ | |
1118 | ||
1119 | wrap_alg = X509_ALGOR_new(); | |
90945fa3 | 1120 | if (wrap_alg == NULL) |
0f113f3e MC |
1121 | goto err; |
1122 | wrap_alg->algorithm = OBJ_nid2obj(wrap_nid); | |
1123 | wrap_alg->parameter = ASN1_TYPE_new(); | |
90945fa3 | 1124 | if (wrap_alg->parameter == NULL) |
0f113f3e MC |
1125 | goto err; |
1126 | if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0) | |
1127 | goto err; | |
1128 | if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) { | |
1129 | ASN1_TYPE_free(wrap_alg->parameter); | |
1130 | wrap_alg->parameter = NULL; | |
1131 | } | |
1132 | ||
1133 | if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) | |
1134 | goto err; | |
1135 | ||
1136 | penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); | |
1137 | ||
1138 | if (!penclen) | |
1139 | goto err; | |
1140 | ||
1141 | if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) | |
1142 | goto err; | |
1143 | penc = NULL; | |
1144 | ||
1145 | /* | |
1146 | * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter | |
1147 | * of another AlgorithmIdentifier. | |
1148 | */ | |
1149 | penclen = i2d_X509_ALGOR(wrap_alg, &penc); | |
1150 | if (!penc || !penclen) | |
1151 | goto err; | |
1152 | wrap_str = ASN1_STRING_new(); | |
90945fa3 | 1153 | if (wrap_str == NULL) |
0f113f3e MC |
1154 | goto err; |
1155 | ASN1_STRING_set0(wrap_str, penc, penclen); | |
1156 | penc = NULL; | |
1157 | X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str); | |
1158 | ||
1159 | rv = 1; | |
1160 | ||
1161 | err: | |
222561fe RS |
1162 | OPENSSL_free(penc); |
1163 | X509_ALGOR_free(wrap_alg); | |
0f113f3e MC |
1164 | return rv; |
1165 | } | |
88e20b85 DSH |
1166 | |
1167 | #endif |