[thirdparty/openssl.git] / providers / implementations / exchange / ecdh_exch.c

/*
 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDH low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/ec.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"
#include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */

static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
static OSSL_FUNC_keyexch_init_fn ecdh_init;
static OSSL_FUNC_keyexch_set_peer_fn ecdh_set_peer;
static OSSL_FUNC_keyexch_derive_fn ecdh_derive;
static OSSL_FUNC_keyexch_freectx_fn ecdh_freectx;
static OSSL_FUNC_keyexch_dupctx_fn ecdh_dupctx;
static OSSL_FUNC_keyexch_set_ctx_params_fn ecdh_set_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn ecdh_settable_ctx_params;
static OSSL_FUNC_keyexch_get_ctx_params_fn ecdh_get_ctx_params;
static OSSL_FUNC_keyexch_gettable_ctx_params_fn ecdh_gettable_ctx_params;

enum kdf_type {
    PROV_ECDH_KDF_NONE = 0,
    PROV_ECDH_KDF_X9_63
};

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes EC_KEY structures, so
 * we use that here too.
 */

typedef struct {
    OSSL_LIB_CTX *libctx;

    EC_KEY *k;
    EC_KEY *peerk;

    /*
     * ECDH cofactor mode:
     *
     *  . 0  disabled
     *  . 1  enabled
     *  . -1 use cofactor mode set for k
     */
    int cofactor_mode;

    /************
     * ECDH KDF *
     ************/
    /* KDF (if any) to use for ECDH */
    enum kdf_type kdf_type;
    /* Message digest to use for key derivation */
    EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
} PROV_ECDH_CTX;

static
void *ecdh_newctx(void *provctx)
{
    PROV_ECDH_CTX *pectx;

    if (!ossl_prov_is_running())
        return NULL;

    pectx = OPENSSL_zalloc(sizeof(*pectx));
    if (pectx == NULL)
        return NULL;

    pectx->libctx = PROV_LIBCTX_OF(provctx);
    pectx->cofactor_mode = -1;
    pectx->kdf_type = PROV_ECDH_KDF_NONE;

    return (void *)pectx;
}

static
int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[])
{
    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;

    if (!ossl_prov_is_running()
            || pecdhctx == NULL
            || vecdh == NULL
            || !EC_KEY_up_ref(vecdh))
        return 0;
    EC_KEY_free(pecdhctx->k);
    pecdhctx->k = vecdh;
    pecdhctx->cofactor_mode = -1;
    pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
    return ecdh_set_ctx_params(pecdhctx, params)
           && ossl_ec_check_key(pecdhctx->libctx, vecdh, 1);
}

static
int ecdh_match_params(const EC_KEY *priv, const EC_KEY *peer)
{
    int ret;
    BN_CTX *ctx = NULL;
    const EC_GROUP *group_priv = EC_KEY_get0_group(priv);
    const EC_GROUP *group_peer = EC_KEY_get0_group(peer);

    ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(priv));
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_BN_LIB);
        return 0;
    }
    ret = group_priv != NULL
          && group_peer != NULL
          && EC_GROUP_cmp(group_priv, group_peer, ctx) == 0;
    if (!ret)
        ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
    BN_CTX_free(ctx);
    return ret;
}

static
int ecdh_set_peer(void *vpecdhctx, void *vecdh)
{
    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;

    if (!ossl_prov_is_running()
            || pecdhctx == NULL
            || vecdh == NULL
            || !ecdh_match_params(pecdhctx->k, vecdh)
            || !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1)
            || !EC_KEY_up_ref(vecdh))
        return 0;

    EC_KEY_free(pecdhctx->peerk);
    pecdhctx->peerk = vecdh;
    return 1;
}

static
void ecdh_freectx(void *vpecdhctx)
{
    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;

    EC_KEY_free(pecdhctx->k);
    EC_KEY_free(pecdhctx->peerk);

    EVP_MD_free(pecdhctx->kdf_md);
    OPENSSL_clear_free(pecdhctx->kdf_ukm, pecdhctx->kdf_ukmlen);

    OPENSSL_free(pecdhctx);
}

static
void *ecdh_dupctx(void *vpecdhctx)
{
    PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx;
    PROV_ECDH_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;

    /* clear all pointers */

    dstctx->k= NULL;
    dstctx->peerk = NULL;
    dstctx->kdf_md = NULL;
    dstctx->kdf_ukm = NULL;

    /* up-ref all ref-counted objects referenced in dstctx */

    if (srcctx->k != NULL && !EC_KEY_up_ref(srcctx->k))
        goto err;
    else
        dstctx->k = srcctx->k;

    if (srcctx->peerk != NULL && !EC_KEY_up_ref(srcctx->peerk))
        goto err;
    else
        dstctx->peerk = srcctx->peerk;

    if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
        goto err;
    else
        dstctx->kdf_md = srcctx->kdf_md;

    /* Duplicate UKM data if present */
    if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
        dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
                                         srcctx->kdf_ukmlen);
        if (dstctx->kdf_ukm == NULL)
            goto err;
    }

    return dstctx;

 err:
    ecdh_freectx(dstctx);
    return NULL;
}

static
int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
{
    char name[80] = { '\0' }; /* should be big enough */
    char *str = NULL;
    PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
    const OSSL_PARAM *p;

    if (pectx == NULL)
        return 0;
    if (params == NULL)
        return 1;

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
    if (p != NULL) {
        int mode;

        if (!OSSL_PARAM_get_int(p, &mode))
            return 0;

        if (mode < -1 || mode > 1)
            return 0;

        pectx->cofactor_mode = mode;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
    if (p != NULL) {
        str = name;
        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
            return 0;

        if (name[0] == '\0')
            pectx->kdf_type = PROV_ECDH_KDF_NONE;
        else if (strcmp(name, OSSL_KDF_NAME_X963KDF) == 0)
            pectx->kdf_type = PROV_ECDH_KDF_X9_63;
        else
            return 0;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
    if (p != NULL) {
        char mdprops[80] = { '\0' }; /* should be big enough */

        str = name;
        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
            return 0;

        str = mdprops;
        p = OSSL_PARAM_locate_const(params,
                                    OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);

        if (p != NULL) {
            if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
                return 0;
        }

        EVP_MD_free(pectx->kdf_md);
        pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
        if (pectx->kdf_md == NULL)
            return 0;
        if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) {
            EVP_MD_free(pectx->kdf_md);
            pectx->kdf_md = NULL;
            return 0;
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
    if (p != NULL) {
        size_t outlen;

        if (!OSSL_PARAM_get_size_t(p, &outlen))
            return 0;
        pectx->kdf_outlen = outlen;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
    if (p != NULL) {
        void *tmp_ukm = NULL;
        size_t tmp_ukmlen;

        if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
            return 0;
        OPENSSL_free(pectx->kdf_ukm);
        pectx->kdf_ukm = tmp_ukm;
        pectx->kdf_ukmlen = tmp_ukmlen;
    }

    return 1;
}

static const OSSL_PARAM known_settable_ctx_params[] = {
    OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
    OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
    OSSL_PARAM_END
};

static
const OSSL_PARAM *ecdh_settable_ctx_params(ossl_unused void *vpecdhctx,
                                           ossl_unused void *provctx)
{
    return known_settable_ctx_params;
}

static
int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[])
{
    PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
    OSSL_PARAM *p;

    if (pectx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
    if (p != NULL) {
        int mode = pectx->cofactor_mode;

        if (mode == -1) {
            /* check what is the default for pecdhctx->k */
            mode = EC_KEY_get_flags(pectx->k) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
        }

        if (!OSSL_PARAM_set_int(p, mode))
            return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
    if (p != NULL) {
        const char *kdf_type = NULL;

        switch (pectx->kdf_type) {
            case PROV_ECDH_KDF_NONE:
                kdf_type = "";
                break;
            case PROV_ECDH_KDF_X9_63:
                kdf_type = OSSL_KDF_NAME_X963KDF;
                break;
            default:
                return 0;
        }

        if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
            return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
    if (p != NULL
            && !OSSL_PARAM_set_utf8_string(p, pectx->kdf_md == NULL
                                           ? ""
                                           : EVP_MD_get0_name(pectx->kdf_md))) {
        return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_outlen))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
    if (p != NULL &&
        !OSSL_PARAM_set_octet_ptr(p, pectx->kdf_ukm, pectx->kdf_ukmlen))
        return 0;

    return 1;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
    OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
                    NULL, 0),
    OSSL_PARAM_END
};

static
const OSSL_PARAM *ecdh_gettable_ctx_params(ossl_unused void *vpecdhctx,
                                           ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

static ossl_inline
size_t ecdh_size(const EC_KEY *k)
{
    size_t degree = 0;
    const EC_GROUP *group;

    if (k == NULL
            || (group = EC_KEY_get0_group(k)) == NULL)
        return 0;

    degree = EC_GROUP_get_degree(group);

    return (degree + 7) / 8;
}

static ossl_inline
int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
                      size_t *psecretlen, size_t outlen)
{
    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
    int retlen, ret = 0;
    size_t ecdhsize, size;
    const EC_POINT *ppubkey = NULL;
    EC_KEY *privk = NULL;
    const EC_GROUP *group;
    const BIGNUM *cofactor;
    int key_cofactor_mode;

    if (pecdhctx->k == NULL || pecdhctx->peerk == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
        return 0;
    }

    ecdhsize = ecdh_size(pecdhctx->k);
    if (secret == NULL) {
        *psecretlen = ecdhsize;
        return 1;
    }

    if ((group = EC_KEY_get0_group(pecdhctx->k)) == NULL
            || (cofactor = EC_GROUP_get0_cofactor(group)) == NULL)
        return 0;

    /*
     * NB: unlike PKCS#3 DH, if outlen is less than maximum size this is not
     * an error, the result is truncated.
     */
    size = outlen < ecdhsize ? outlen : ecdhsize;

    /*
     * The ctx->cofactor_mode flag has precedence over the
     * cofactor_mode flag set on ctx->k.
     *
     * - if ctx->cofactor_mode == -1, use ctx->k directly
     * - if ctx->cofactor_mode == key_cofactor_mode, use ctx->k directly
     * - if ctx->cofactor_mode != key_cofactor_mode:
     *     - if ctx->k->cofactor == 1, the cofactor_mode flag is irrelevant, use
     *          ctx->k directly
     *     - if ctx->k->cofactor != 1, use a duplicate of ctx->k with the flag
     *          set to ctx->cofactor_mode
     */
    key_cofactor_mode =
        (EC_KEY_get_flags(pecdhctx->k) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
    if (pecdhctx->cofactor_mode != -1
            && pecdhctx->cofactor_mode != key_cofactor_mode
            && !BN_is_one(cofactor)) {
        if ((privk = EC_KEY_dup(pecdhctx->k)) == NULL)
            return 0;

        if (pecdhctx->cofactor_mode == 1)
            EC_KEY_set_flags(privk, EC_FLAG_COFACTOR_ECDH);
        else
            EC_KEY_clear_flags(privk, EC_FLAG_COFACTOR_ECDH);
    } else {
        privk = pecdhctx->k;
    }

    ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);

    retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);

    if (retlen <= 0)
        goto end;

    *psecretlen = retlen;
    ret = 1;

 end:
    if (privk != pecdhctx->k)
        EC_KEY_free(privk);
    return ret;
}

static ossl_inline
int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret,
                          size_t *psecretlen, size_t outlen)
{
    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
    unsigned char *stmp = NULL;
    size_t stmplen;
    int ret = 0;

    if (secret == NULL) {
        *psecretlen = pecdhctx->kdf_outlen;
        return 1;
    }

    if (pecdhctx->kdf_outlen > outlen) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0))
        return 0;
    if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
        return 0;
    if (!ecdh_plain_derive(vpecdhctx, stmp, &stmplen, stmplen))
        goto err;

    /* Do KDF stuff */
    if (!ossl_ecdh_kdf_X9_63(secret, pecdhctx->kdf_outlen,
                             stmp, stmplen,
                             pecdhctx->kdf_ukm,
                             pecdhctx->kdf_ukmlen,
                             pecdhctx->kdf_md,
                             pecdhctx->libctx, NULL))
        goto err;
    *psecretlen = pecdhctx->kdf_outlen;
    ret = 1;

 err:
    OPENSSL_secure_clear_free(stmp, stmplen);
    return ret;
}

static
int ecdh_derive(void *vpecdhctx, unsigned char *secret,
                size_t *psecretlen, size_t outlen)
{
    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;

    switch (pecdhctx->kdf_type) {
        case PROV_ECDH_KDF_NONE:
            return ecdh_plain_derive(vpecdhctx, secret, psecretlen, outlen);
        case PROV_ECDH_KDF_X9_63:
            return ecdh_X9_63_kdf_derive(vpecdhctx, secret, psecretlen, outlen);
        default:
            break;
    }
    return 0;
}

const OSSL_DISPATCH ossl_ecdh_keyexch_functions[] = {
    { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx },
    { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init },
    { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive },
    { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))ecdh_set_peer },
    { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))ecdh_freectx },
    { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))ecdh_dupctx },
    { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))ecdh_set_ctx_params },
    { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
      (void (*)(void))ecdh_settable_ctx_params },
    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))ecdh_get_ctx_params },
    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
      (void (*)(void))ecdh_gettable_ctx_params },
    OSSL_DISPATCH_END
};
Commit	Line	Data
4fe54d67	1	/*
da1c088f	2	* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
4fe54d67 NT	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* ECDH low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
	16	#include <string.h>
	17	#include <openssl/crypto.h>
	18	#include <openssl/evp.h>
23c48d94	19	#include <openssl/core_dispatch.h>
4fe54d67 NT	20	#include <openssl/core_names.h>
	21	#include <openssl/ec.h>
	22	#include <openssl/params.h>
	23	#include <openssl/err.h>
77b03f0e	24	#include <openssl/proverr.h>
4fe54d67	25	#include "prov/provider_ctx.h"
ca94057f	26	#include "prov/providercommon.h"
4fe54d67	27	#include "prov/implementations.h"
7a810fac	28	#include "prov/securitycheck.h"
32ab57cb	29	#include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */
4fe54d67	30
363b1e5d DMSP	31	static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
	32	static OSSL_FUNC_keyexch_init_fn ecdh_init;
	33	static OSSL_FUNC_keyexch_set_peer_fn ecdh_set_peer;
	34	static OSSL_FUNC_keyexch_derive_fn ecdh_derive;
	35	static OSSL_FUNC_keyexch_freectx_fn ecdh_freectx;
	36	static OSSL_FUNC_keyexch_dupctx_fn ecdh_dupctx;
	37	static OSSL_FUNC_keyexch_set_ctx_params_fn ecdh_set_ctx_params;
	38	static OSSL_FUNC_keyexch_settable_ctx_params_fn ecdh_settable_ctx_params;
	39	static OSSL_FUNC_keyexch_get_ctx_params_fn ecdh_get_ctx_params;
	40	static OSSL_FUNC_keyexch_gettable_ctx_params_fn ecdh_gettable_ctx_params;
4fe54d67 NT	41
	42	enum kdf_type {
	43	PROV_ECDH_KDF_NONE = 0,
	44	PROV_ECDH_KDF_X9_63
	45	};
	46
	47	/*
	48	* What's passed as an actual key is defined by the KEYMGMT interface.
	49	* We happen to know that our KEYMGMT simply passes EC_KEY structures, so
	50	* we use that here too.
	51	*/
	52
	53	typedef struct {
b4250010	54	OSSL_LIB_CTX *libctx;
4fe54d67 NT	55
	56	EC_KEY *k;
	57	EC_KEY *peerk;
	58
	59	/*
	60	* ECDH cofactor mode:
	61	*
	62	* . 0 disabled
	63	* . 1 enabled
	64	* . -1 use cofactor mode set for k
	65	*/
	66	int cofactor_mode;
	67
	68	/************
	69	* ECDH KDF *
	70	************/
	71	/* KDF (if any) to use for ECDH */
	72	enum kdf_type kdf_type;
	73	/* Message digest to use for key derivation */
	74	EVP_MD *kdf_md;
	75	/* User key material */
	76	unsigned char *kdf_ukm;
	77	size_t kdf_ukmlen;
	78	/* KDF output length */
	79	size_t kdf_outlen;
	80	} PROV_ECDH_CTX;
	81
	82	static
	83	void ecdh_newctx(void provctx)
	84	{
ca94057f	85	PROV_ECDH_CTX *pectx;
4fe54d67	86
ca94057f P	87	if (!ossl_prov_is_running())
	88	return NULL;
	89
	90	pectx = OPENSSL_zalloc(sizeof(*pectx));
4fe54d67 NT	91	if (pectx == NULL)
	92	return NULL;
	93
a829b735	94	pectx->libctx = PROV_LIBCTX_OF(provctx);
4fe54d67 NT	95	pectx->cofactor_mode = -1;
	96	pectx->kdf_type = PROV_ECDH_KDF_NONE;
	97
	98	return (void *)pectx;
	99	}
	100
	101	static
2b2f4f9b	102	int ecdh_init(void vpecdhctx, void vecdh, const OSSL_PARAM params[])
4fe54d67 NT	103	{
	104	PROV_ECDH_CTX pecdhctx = (PROV_ECDH_CTX )vpecdhctx;
	105
ca94057f P	106	if (!ossl_prov_is_running()
	107	\|\| pecdhctx == NULL
	108	\|\| vecdh == NULL
	109	\|\| !EC_KEY_up_ref(vecdh))
4fe54d67 NT	110	return 0;
	111	EC_KEY_free(pecdhctx->k);
	112	pecdhctx->k = vecdh;
	113	pecdhctx->cofactor_mode = -1;
	114	pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
2b2f4f9b	115	return ecdh_set_ctx_params(pecdhctx, params)
6ce58488	116	&& ossl_ec_check_key(pecdhctx->libctx, vecdh, 1);
4fe54d67 NT	117	}
4fe54d67 NT	118
46eee710 SL	119	static
	120	int ecdh_match_params(const EC_KEY priv, const EC_KEY peer)
	121	{
	122	int ret;
	123	BN_CTX *ctx = NULL;
	124	const EC_GROUP *group_priv = EC_KEY_get0_group(priv);
	125	const EC_GROUP *group_peer = EC_KEY_get0_group(peer);
	126
	127	ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(priv));
	128	if (ctx == NULL) {
e077455e	129	ERR_raise(ERR_LIB_PROV, ERR_R_BN_LIB);
46eee710 SL	130	return 0;
	131	}
	132	ret = group_priv != NULL
	133	&& group_peer != NULL
	134	&& EC_GROUP_cmp(group_priv, group_peer, ctx) == 0;
	135	if (!ret)
	136	ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
	137	BN_CTX_free(ctx);
	138	return ret;
	139	}
	140
4fe54d67 NT	141	static
	142	int ecdh_set_peer(void vpecdhctx, void vecdh)
	143	{
	144	PROV_ECDH_CTX pecdhctx = (PROV_ECDH_CTX )vpecdhctx;
	145
ca94057f P	146	if (!ossl_prov_is_running()
	147	\|\| pecdhctx == NULL
	148	\|\| vecdh == NULL
46eee710	149	\|\| !ecdh_match_params(pecdhctx->k, vecdh)
6ce58488	150	\|\| !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1)
ca94057f	151	\|\| !EC_KEY_up_ref(vecdh))
4fe54d67	152	return 0;
46eee710	153
4fe54d67 NT	154	EC_KEY_free(pecdhctx->peerk);
4fe54d67 NT	155	pecdhctx->peerk = vecdh;
46eee710	156	return 1;
4fe54d67 NT	157	}
	158
	159	static
	160	void ecdh_freectx(void *vpecdhctx)
	161	{
	162	PROV_ECDH_CTX pecdhctx = (PROV_ECDH_CTX )vpecdhctx;
	163
	164	EC_KEY_free(pecdhctx->k);
	165	EC_KEY_free(pecdhctx->peerk);
	166
	167	EVP_MD_free(pecdhctx->kdf_md);
	168	OPENSSL_clear_free(pecdhctx->kdf_ukm, pecdhctx->kdf_ukmlen);
	169
	170	OPENSSL_free(pecdhctx);
	171	}
	172
	173	static
	174	void ecdh_dupctx(void vpecdhctx)
	175	{
	176	PROV_ECDH_CTX srcctx = (PROV_ECDH_CTX )vpecdhctx;
	177	PROV_ECDH_CTX *dstctx;
	178
ca94057f P	179	if (!ossl_prov_is_running())
	180	return NULL;
	181
4fe54d67 NT	182	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
	183	if (dstctx == NULL)
	184	return NULL;
	185
	186	dstctx = srcctx;
	187
	188	/* clear all pointers */
	189
	190	dstctx->k= NULL;
	191	dstctx->peerk = NULL;
	192	dstctx->kdf_md = NULL;
	193	dstctx->kdf_ukm = NULL;
	194
	195	/* up-ref all ref-counted objects referenced in dstctx */
	196
	197	if (srcctx->k != NULL && !EC_KEY_up_ref(srcctx->k))
	198	goto err;
	199	else
	200	dstctx->k = srcctx->k;
	201
	202	if (srcctx->peerk != NULL && !EC_KEY_up_ref(srcctx->peerk))
	203	goto err;
	204	else
	205	dstctx->peerk = srcctx->peerk;
	206
	207	if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
	208	goto err;
	209	else
	210	dstctx->kdf_md = srcctx->kdf_md;
	211
	212	/* Duplicate UKM data if present */
	213	if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
	214	dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
	215	srcctx->kdf_ukmlen);
	216	if (dstctx->kdf_ukm == NULL)
	217	goto err;
	218	}
	219
	220	return dstctx;
	221
	222	err:
	223	ecdh_freectx(dstctx);
	224	return NULL;
	225	}
	226
	227	static
	228	int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
	229	{
	230	char name[80] = { '\0' }; /* should be big enough */
	231	char *str = NULL;
	232	PROV_ECDH_CTX pectx = (PROV_ECDH_CTX )vpecdhctx;
	233	const OSSL_PARAM *p;
	234
2b2f4f9b	235	if (pectx == NULL)
4fe54d67	236	return 0;
2b2f4f9b P	237	if (params == NULL)
2b2f4f9b P	238	return 1;
4fe54d67 NT	239
	240	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
	241	if (p != NULL) {
	242	int mode;
	243
	244	if (!OSSL_PARAM_get_int(p, &mode))
	245	return 0;
	246
	247	if (mode < -1 \|\| mode > 1)
	248	return 0;
	249
	250	pectx->cofactor_mode = mode;
	251	}
	252
	253	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
	254	if (p != NULL) {
	255	str = name;
	256	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
	257	return 0;
	258
	259	if (name[0] == '\0')
	260	pectx->kdf_type = PROV_ECDH_KDF_NONE;
	261	else if (strcmp(name, OSSL_KDF_NAME_X963KDF) == 0)
	262	pectx->kdf_type = PROV_ECDH_KDF_X9_63;
	263	else
	264	return 0;
	265	}
	266
	267	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
	268	if (p != NULL) {
	269	char mdprops[80] = { '\0' }; /* should be big enough */
	270
	271	str = name;
	272	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
	273	return 0;
	274
	275	str = mdprops;
	276	p = OSSL_PARAM_locate_const(params,
	277	OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);
	278
	279	if (p != NULL) {
	280	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
	281	return 0;
	282	}
	283
	284	EVP_MD_free(pectx->kdf_md);
	285	pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
04e3ab64	286	if (pectx->kdf_md == NULL)
04e3ab64	287	return 0;
6ce58488	288	if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) {
341c3e7f SL	289	EVP_MD_free(pectx->kdf_md);
341c3e7f SL	290	pectx->kdf_md = NULL;
4fe54d67	291	return 0;
04e3ab64	292	}
4fe54d67 NT	293	}
	294
	295	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
	296	if (p != NULL) {
	297	size_t outlen;
	298
	299	if (!OSSL_PARAM_get_size_t(p, &outlen))
	300	return 0;
	301	pectx->kdf_outlen = outlen;
	302	}
	303
	304	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
	305	if (p != NULL) {
	306	void *tmp_ukm = NULL;
	307	size_t tmp_ukmlen;
	308
	309	if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
	310	return 0;
	311	OPENSSL_free(pectx->kdf_ukm);
	312	pectx->kdf_ukm = tmp_ukm;
	313	pectx->kdf_ukmlen = tmp_ukmlen;
	314	}
	315
	316	return 1;
	317	}
	318
	319	static const OSSL_PARAM known_settable_ctx_params[] = {
	320	OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
	321	OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
	322	OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
	323	OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
	324	OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
	325	OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
	326	OSSL_PARAM_END
	327	};
	328
	329	static
fb67126e TM	330	const OSSL_PARAM ecdh_settable_ctx_params(ossl_unused void vpecdhctx,
fb67126e TM	331	ossl_unused void *provctx)
4fe54d67 NT	332	{
	333	return known_settable_ctx_params;
	334	}
	335
	336	static
	337	int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[])
	338	{
	339	PROV_ECDH_CTX pectx = (PROV_ECDH_CTX )vpecdhctx;
	340	OSSL_PARAM *p;
	341
2b2f4f9b	342	if (pectx == NULL)
4fe54d67 NT	343	return 0;
	344
	345	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
	346	if (p != NULL) {
	347	int mode = pectx->cofactor_mode;
	348
	349	if (mode == -1) {
	350	/* check what is the default for pecdhctx->k */
	351	mode = EC_KEY_get_flags(pectx->k) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
	352	}
	353
	354	if (!OSSL_PARAM_set_int(p, mode))
	355	return 0;
	356	}
	357
	358	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
	359	if (p != NULL) {
	360	const char *kdf_type = NULL;
	361
	362	switch (pectx->kdf_type) {
	363	case PROV_ECDH_KDF_NONE:
	364	kdf_type = "";
	365	break;
	366	case PROV_ECDH_KDF_X9_63:
	367	kdf_type = OSSL_KDF_NAME_X963KDF;
	368	break;
	369	default:
	370	return 0;
	371	}
	372
	373	if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
	374	return 0;
	375	}
	376
	377	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
	378	if (p != NULL
	379	&& !OSSL_PARAM_set_utf8_string(p, pectx->kdf_md == NULL
	380	? ""
1287dabd	381	: EVP_MD_get0_name(pectx->kdf_md))) {
4fe54d67 NT	382	return 0;
	383	}
	384
	385	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
	386	if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_outlen))
	387	return 0;
	388
	389	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
ba0a6d1d RL	390	if (p != NULL &&
ba0a6d1d RL	391	!OSSL_PARAM_set_octet_ptr(p, pectx->kdf_ukm, pectx->kdf_ukmlen))
4fe54d67 NT	392	return 0;
	393
	394	return 1;
	395	}
	396
	397	static const OSSL_PARAM known_gettable_ctx_params[] = {
	398	OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
	399	OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
	400	OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
	401	OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
	402	OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
	403	NULL, 0),
4fe54d67 NT	404	OSSL_PARAM_END
	405	};
	406
	407	static
fb67126e TM	408	const OSSL_PARAM ecdh_gettable_ctx_params(ossl_unused void vpecdhctx,
fb67126e TM	409	ossl_unused void *provctx)
4fe54d67 NT	410	{
	411	return known_gettable_ctx_params;
	412	}
	413
	414	static ossl_inline
	415	size_t ecdh_size(const EC_KEY *k)
	416	{
	417	size_t degree = 0;
	418	const EC_GROUP *group;
	419
	420	if (k == NULL
	421	\|\| (group = EC_KEY_get0_group(k)) == NULL)
	422	return 0;
	423
	424	degree = EC_GROUP_get_degree(group);
	425
	426	return (degree + 7) / 8;
	427	}
	428
	429	static ossl_inline
	430	int ecdh_plain_derive(void vpecdhctx, unsigned char secret,
	431	size_t *psecretlen, size_t outlen)
	432	{
	433	PROV_ECDH_CTX pecdhctx = (PROV_ECDH_CTX )vpecdhctx;
	434	int retlen, ret = 0;
	435	size_t ecdhsize, size;
	436	const EC_POINT *ppubkey = NULL;
	437	EC_KEY *privk = NULL;
	438	const EC_GROUP *group;
	439	const BIGNUM *cofactor;
	440	int key_cofactor_mode;
	441
	442	if (pecdhctx->k == NULL \|\| pecdhctx->peerk == NULL) {
77b03f0e	443	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
4fe54d67 NT	444	return 0;
	445	}
	446
	447	ecdhsize = ecdh_size(pecdhctx->k);
	448	if (secret == NULL) {
	449	*psecretlen = ecdhsize;
	450	return 1;
	451	}
	452
	453	if ((group = EC_KEY_get0_group(pecdhctx->k)) == NULL
1287dabd	454	\|\| (cofactor = EC_GROUP_get0_cofactor(group)) == NULL)
4fe54d67 NT	455	return 0;
	456
	457	/*
	458	* NB: unlike PKCS#3 DH, if outlen is less than maximum size this is not
	459	* an error, the result is truncated.
	460	*/
	461	size = outlen < ecdhsize ? outlen : ecdhsize;
	462
	463	/*
	464	* The ctx->cofactor_mode flag has precedence over the
	465	* cofactor_mode flag set on ctx->k.
	466	*
	467	* - if ctx->cofactor_mode == -1, use ctx->k directly
	468	* - if ctx->cofactor_mode == key_cofactor_mode, use ctx->k directly
	469	* - if ctx->cofactor_mode != key_cofactor_mode:
	470	* - if ctx->k->cofactor == 1, the cofactor_mode flag is irrelevant, use
	471	* ctx->k directly
	472	* - if ctx->k->cofactor != 1, use a duplicate of ctx->k with the flag
	473	* set to ctx->cofactor_mode
	474	*/
	475	key_cofactor_mode =
	476	(EC_KEY_get_flags(pecdhctx->k) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
	477	if (pecdhctx->cofactor_mode != -1
	478	&& pecdhctx->cofactor_mode != key_cofactor_mode
	479	&& !BN_is_one(cofactor)) {
	480	if ((privk = EC_KEY_dup(pecdhctx->k)) == NULL)
	481	return 0;
	482
	483	if (pecdhctx->cofactor_mode == 1)
	484	EC_KEY_set_flags(privk, EC_FLAG_COFACTOR_ECDH);
	485	else
	486	EC_KEY_clear_flags(privk, EC_FLAG_COFACTOR_ECDH);
	487	} else {
	488	privk = pecdhctx->k;
	489	}
	490
	491	ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
	492
	493	retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
	494
	495	if (retlen <= 0)
	496	goto end;
	497
	498	*psecretlen = retlen;
	499	ret = 1;
	500
	501	end:
	502	if (privk != pecdhctx->k)
	503	EC_KEY_free(privk);
	504	return ret;
	505	}
	506
	507	static ossl_inline
	508	int ecdh_X9_63_kdf_derive(void vpecdhctx, unsigned char secret,
	509	size_t *psecretlen, size_t outlen)
	510	{
	511	PROV_ECDH_CTX pecdhctx = (PROV_ECDH_CTX )vpecdhctx;
	512	unsigned char *stmp = NULL;
	513	size_t stmplen;
	514	int ret = 0;
	515
	516	if (secret == NULL) {
	517	*psecretlen = pecdhctx->kdf_outlen;
	518	return 1;
519	}
520
77b03f0e TM	521	if (pecdhctx->kdf_outlen > outlen) {
77b03f0e TM	522	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
4fe54d67	523	return 0;
77b03f0e	524	}
4fe54d67 NT	525	if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0))
4fe54d67 NT	526	return 0;
e077455e	527	if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
4fe54d67	528	return 0;
4fe54d67 NT	529	if (!ecdh_plain_derive(vpecdhctx, stmp, &stmplen, stmplen))
	530	goto err;
	531
	532	/* Do KDF stuff */
32ab57cb SL	533	if (!ossl_ecdh_kdf_X9_63(secret, pecdhctx->kdf_outlen,
	534	stmp, stmplen,
	535	pecdhctx->kdf_ukm,
	536	pecdhctx->kdf_ukmlen,
	537	pecdhctx->kdf_md,
	538	pecdhctx->libctx, NULL))
4fe54d67 NT	539	goto err;
	540	*psecretlen = pecdhctx->kdf_outlen;
	541	ret = 1;
	542
	543	err:
	544	OPENSSL_secure_clear_free(stmp, stmplen);
	545	return ret;
	546	}
	547
	548	static
	549	int ecdh_derive(void vpecdhctx, unsigned char secret,
	550	size_t *psecretlen, size_t outlen)
	551	{
	552	PROV_ECDH_CTX pecdhctx = (PROV_ECDH_CTX )vpecdhctx;
	553
	554	switch (pecdhctx->kdf_type) {
	555	case PROV_ECDH_KDF_NONE:
	556	return ecdh_plain_derive(vpecdhctx, secret, psecretlen, outlen);
	557	case PROV_ECDH_KDF_X9_63:
	558	return ecdh_X9_63_kdf_derive(vpecdhctx, secret, psecretlen, outlen);
1c725f46 SL	559	default:
1c725f46 SL	560	break;
4fe54d67	561	}
4fe54d67 NT	562	return 0;
	563	}
	564
58f422f6	565	const OSSL_DISPATCH ossl_ecdh_keyexch_functions[] = {
4fe54d67 NT	566	{ OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx },
	567	{ OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init },
	568	{ OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive },
	569	{ OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))ecdh_set_peer },
	570	{ OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))ecdh_freectx },
	571	{ OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))ecdh_dupctx },
	572	{ OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))ecdh_set_ctx_params },
	573	{ OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
	574	(void (*)(void))ecdh_settable_ctx_params },
	575	{ OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))ecdh_get_ctx_params },
	576	{ OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
	577	(void (*)(void))ecdh_gettable_ctx_params },
1e6bd31e	578	OSSL_DISPATCH_END
4fe54d67	579	};