]>
Commit | Line | Data |
---|---|---|
4fe54d67 | 1 | /* |
da1c088f | 2 | * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. |
4fe54d67 NT |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * ECDH low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
16 | #include <string.h> | |
17 | #include <openssl/crypto.h> | |
18 | #include <openssl/evp.h> | |
23c48d94 | 19 | #include <openssl/core_dispatch.h> |
4fe54d67 NT |
20 | #include <openssl/core_names.h> |
21 | #include <openssl/ec.h> | |
22 | #include <openssl/params.h> | |
23 | #include <openssl/err.h> | |
77b03f0e | 24 | #include <openssl/proverr.h> |
4fe54d67 | 25 | #include "prov/provider_ctx.h" |
ca94057f | 26 | #include "prov/providercommon.h" |
4fe54d67 | 27 | #include "prov/implementations.h" |
7a810fac | 28 | #include "prov/securitycheck.h" |
32ab57cb | 29 | #include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */ |
4fe54d67 | 30 | |
363b1e5d DMSP |
31 | static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx; |
32 | static OSSL_FUNC_keyexch_init_fn ecdh_init; | |
33 | static OSSL_FUNC_keyexch_set_peer_fn ecdh_set_peer; | |
34 | static OSSL_FUNC_keyexch_derive_fn ecdh_derive; | |
35 | static OSSL_FUNC_keyexch_freectx_fn ecdh_freectx; | |
36 | static OSSL_FUNC_keyexch_dupctx_fn ecdh_dupctx; | |
37 | static OSSL_FUNC_keyexch_set_ctx_params_fn ecdh_set_ctx_params; | |
38 | static OSSL_FUNC_keyexch_settable_ctx_params_fn ecdh_settable_ctx_params; | |
39 | static OSSL_FUNC_keyexch_get_ctx_params_fn ecdh_get_ctx_params; | |
40 | static OSSL_FUNC_keyexch_gettable_ctx_params_fn ecdh_gettable_ctx_params; | |
4fe54d67 NT |
41 | |
42 | enum kdf_type { | |
43 | PROV_ECDH_KDF_NONE = 0, | |
44 | PROV_ECDH_KDF_X9_63 | |
45 | }; | |
46 | ||
47 | /* | |
48 | * What's passed as an actual key is defined by the KEYMGMT interface. | |
49 | * We happen to know that our KEYMGMT simply passes EC_KEY structures, so | |
50 | * we use that here too. | |
51 | */ | |
52 | ||
53 | typedef struct { | |
b4250010 | 54 | OSSL_LIB_CTX *libctx; |
4fe54d67 NT |
55 | |
56 | EC_KEY *k; | |
57 | EC_KEY *peerk; | |
58 | ||
59 | /* | |
60 | * ECDH cofactor mode: | |
61 | * | |
62 | * . 0 disabled | |
63 | * . 1 enabled | |
64 | * . -1 use cofactor mode set for k | |
65 | */ | |
66 | int cofactor_mode; | |
67 | ||
68 | /************ | |
69 | * ECDH KDF * | |
70 | ************/ | |
71 | /* KDF (if any) to use for ECDH */ | |
72 | enum kdf_type kdf_type; | |
73 | /* Message digest to use for key derivation */ | |
74 | EVP_MD *kdf_md; | |
75 | /* User key material */ | |
76 | unsigned char *kdf_ukm; | |
77 | size_t kdf_ukmlen; | |
78 | /* KDF output length */ | |
79 | size_t kdf_outlen; | |
80 | } PROV_ECDH_CTX; | |
81 | ||
82 | static | |
83 | void *ecdh_newctx(void *provctx) | |
84 | { | |
ca94057f | 85 | PROV_ECDH_CTX *pectx; |
4fe54d67 | 86 | |
ca94057f P |
87 | if (!ossl_prov_is_running()) |
88 | return NULL; | |
89 | ||
90 | pectx = OPENSSL_zalloc(sizeof(*pectx)); | |
4fe54d67 NT |
91 | if (pectx == NULL) |
92 | return NULL; | |
93 | ||
a829b735 | 94 | pectx->libctx = PROV_LIBCTX_OF(provctx); |
4fe54d67 NT |
95 | pectx->cofactor_mode = -1; |
96 | pectx->kdf_type = PROV_ECDH_KDF_NONE; | |
97 | ||
98 | return (void *)pectx; | |
99 | } | |
100 | ||
101 | static | |
2b2f4f9b | 102 | int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[]) |
4fe54d67 NT |
103 | { |
104 | PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; | |
105 | ||
ca94057f P |
106 | if (!ossl_prov_is_running() |
107 | || pecdhctx == NULL | |
108 | || vecdh == NULL | |
109 | || !EC_KEY_up_ref(vecdh)) | |
4fe54d67 NT |
110 | return 0; |
111 | EC_KEY_free(pecdhctx->k); | |
112 | pecdhctx->k = vecdh; | |
113 | pecdhctx->cofactor_mode = -1; | |
114 | pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; | |
2b2f4f9b | 115 | return ecdh_set_ctx_params(pecdhctx, params) |
6ce58488 | 116 | && ossl_ec_check_key(pecdhctx->libctx, vecdh, 1); |
4fe54d67 NT |
117 | } |
118 | ||
46eee710 SL |
119 | static |
120 | int ecdh_match_params(const EC_KEY *priv, const EC_KEY *peer) | |
121 | { | |
122 | int ret; | |
123 | BN_CTX *ctx = NULL; | |
124 | const EC_GROUP *group_priv = EC_KEY_get0_group(priv); | |
125 | const EC_GROUP *group_peer = EC_KEY_get0_group(peer); | |
126 | ||
127 | ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(priv)); | |
128 | if (ctx == NULL) { | |
e077455e | 129 | ERR_raise(ERR_LIB_PROV, ERR_R_BN_LIB); |
46eee710 SL |
130 | return 0; |
131 | } | |
132 | ret = group_priv != NULL | |
133 | && group_peer != NULL | |
134 | && EC_GROUP_cmp(group_priv, group_peer, ctx) == 0; | |
135 | if (!ret) | |
136 | ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS); | |
137 | BN_CTX_free(ctx); | |
138 | return ret; | |
139 | } | |
140 | ||
4fe54d67 NT |
141 | static |
142 | int ecdh_set_peer(void *vpecdhctx, void *vecdh) | |
143 | { | |
144 | PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; | |
145 | ||
ca94057f P |
146 | if (!ossl_prov_is_running() |
147 | || pecdhctx == NULL | |
148 | || vecdh == NULL | |
46eee710 | 149 | || !ecdh_match_params(pecdhctx->k, vecdh) |
6ce58488 | 150 | || !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1) |
ca94057f | 151 | || !EC_KEY_up_ref(vecdh)) |
4fe54d67 | 152 | return 0; |
46eee710 | 153 | |
4fe54d67 NT |
154 | EC_KEY_free(pecdhctx->peerk); |
155 | pecdhctx->peerk = vecdh; | |
46eee710 | 156 | return 1; |
4fe54d67 NT |
157 | } |
158 | ||
159 | static | |
160 | void ecdh_freectx(void *vpecdhctx) | |
161 | { | |
162 | PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; | |
163 | ||
164 | EC_KEY_free(pecdhctx->k); | |
165 | EC_KEY_free(pecdhctx->peerk); | |
166 | ||
167 | EVP_MD_free(pecdhctx->kdf_md); | |
168 | OPENSSL_clear_free(pecdhctx->kdf_ukm, pecdhctx->kdf_ukmlen); | |
169 | ||
170 | OPENSSL_free(pecdhctx); | |
171 | } | |
172 | ||
173 | static | |
174 | void *ecdh_dupctx(void *vpecdhctx) | |
175 | { | |
176 | PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx; | |
177 | PROV_ECDH_CTX *dstctx; | |
178 | ||
ca94057f P |
179 | if (!ossl_prov_is_running()) |
180 | return NULL; | |
181 | ||
4fe54d67 NT |
182 | dstctx = OPENSSL_zalloc(sizeof(*srcctx)); |
183 | if (dstctx == NULL) | |
184 | return NULL; | |
185 | ||
186 | *dstctx = *srcctx; | |
187 | ||
188 | /* clear all pointers */ | |
189 | ||
190 | dstctx->k= NULL; | |
191 | dstctx->peerk = NULL; | |
192 | dstctx->kdf_md = NULL; | |
193 | dstctx->kdf_ukm = NULL; | |
194 | ||
195 | /* up-ref all ref-counted objects referenced in dstctx */ | |
196 | ||
197 | if (srcctx->k != NULL && !EC_KEY_up_ref(srcctx->k)) | |
198 | goto err; | |
199 | else | |
200 | dstctx->k = srcctx->k; | |
201 | ||
202 | if (srcctx->peerk != NULL && !EC_KEY_up_ref(srcctx->peerk)) | |
203 | goto err; | |
204 | else | |
205 | dstctx->peerk = srcctx->peerk; | |
206 | ||
207 | if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md)) | |
208 | goto err; | |
209 | else | |
210 | dstctx->kdf_md = srcctx->kdf_md; | |
211 | ||
212 | /* Duplicate UKM data if present */ | |
213 | if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) { | |
214 | dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm, | |
215 | srcctx->kdf_ukmlen); | |
216 | if (dstctx->kdf_ukm == NULL) | |
217 | goto err; | |
218 | } | |
219 | ||
220 | return dstctx; | |
221 | ||
222 | err: | |
223 | ecdh_freectx(dstctx); | |
224 | return NULL; | |
225 | } | |
226 | ||
227 | static | |
228 | int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) | |
229 | { | |
230 | char name[80] = { '\0' }; /* should be big enough */ | |
231 | char *str = NULL; | |
232 | PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx; | |
233 | const OSSL_PARAM *p; | |
234 | ||
2b2f4f9b | 235 | if (pectx == NULL) |
4fe54d67 | 236 | return 0; |
2b2f4f9b P |
237 | if (params == NULL) |
238 | return 1; | |
4fe54d67 NT |
239 | |
240 | p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE); | |
241 | if (p != NULL) { | |
242 | int mode; | |
243 | ||
244 | if (!OSSL_PARAM_get_int(p, &mode)) | |
245 | return 0; | |
246 | ||
247 | if (mode < -1 || mode > 1) | |
248 | return 0; | |
249 | ||
250 | pectx->cofactor_mode = mode; | |
251 | } | |
252 | ||
253 | p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE); | |
254 | if (p != NULL) { | |
255 | str = name; | |
256 | if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name))) | |
257 | return 0; | |
258 | ||
259 | if (name[0] == '\0') | |
260 | pectx->kdf_type = PROV_ECDH_KDF_NONE; | |
261 | else if (strcmp(name, OSSL_KDF_NAME_X963KDF) == 0) | |
262 | pectx->kdf_type = PROV_ECDH_KDF_X9_63; | |
263 | else | |
264 | return 0; | |
265 | } | |
266 | ||
267 | p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST); | |
268 | if (p != NULL) { | |
269 | char mdprops[80] = { '\0' }; /* should be big enough */ | |
270 | ||
271 | str = name; | |
272 | if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name))) | |
273 | return 0; | |
274 | ||
275 | str = mdprops; | |
276 | p = OSSL_PARAM_locate_const(params, | |
277 | OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS); | |
278 | ||
279 | if (p != NULL) { | |
280 | if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops))) | |
281 | return 0; | |
282 | } | |
283 | ||
284 | EVP_MD_free(pectx->kdf_md); | |
285 | pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); | |
04e3ab64 | 286 | if (pectx->kdf_md == NULL) |
287 | return 0; | |
6ce58488 | 288 | if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) { |
341c3e7f SL |
289 | EVP_MD_free(pectx->kdf_md); |
290 | pectx->kdf_md = NULL; | |
4fe54d67 | 291 | return 0; |
04e3ab64 | 292 | } |
4fe54d67 NT |
293 | } |
294 | ||
295 | p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN); | |
296 | if (p != NULL) { | |
297 | size_t outlen; | |
298 | ||
299 | if (!OSSL_PARAM_get_size_t(p, &outlen)) | |
300 | return 0; | |
301 | pectx->kdf_outlen = outlen; | |
302 | } | |
303 | ||
304 | p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM); | |
305 | if (p != NULL) { | |
306 | void *tmp_ukm = NULL; | |
307 | size_t tmp_ukmlen; | |
308 | ||
309 | if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen)) | |
310 | return 0; | |
311 | OPENSSL_free(pectx->kdf_ukm); | |
312 | pectx->kdf_ukm = tmp_ukm; | |
313 | pectx->kdf_ukmlen = tmp_ukmlen; | |
314 | } | |
315 | ||
316 | return 1; | |
317 | } | |
318 | ||
319 | static const OSSL_PARAM known_settable_ctx_params[] = { | |
320 | OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL), | |
321 | OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0), | |
322 | OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0), | |
323 | OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0), | |
324 | OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL), | |
325 | OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0), | |
326 | OSSL_PARAM_END | |
327 | }; | |
328 | ||
329 | static | |
fb67126e TM |
330 | const OSSL_PARAM *ecdh_settable_ctx_params(ossl_unused void *vpecdhctx, |
331 | ossl_unused void *provctx) | |
4fe54d67 NT |
332 | { |
333 | return known_settable_ctx_params; | |
334 | } | |
335 | ||
336 | static | |
337 | int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[]) | |
338 | { | |
339 | PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx; | |
340 | OSSL_PARAM *p; | |
341 | ||
2b2f4f9b | 342 | if (pectx == NULL) |
4fe54d67 NT |
343 | return 0; |
344 | ||
345 | p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE); | |
346 | if (p != NULL) { | |
347 | int mode = pectx->cofactor_mode; | |
348 | ||
349 | if (mode == -1) { | |
350 | /* check what is the default for pecdhctx->k */ | |
351 | mode = EC_KEY_get_flags(pectx->k) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; | |
352 | } | |
353 | ||
354 | if (!OSSL_PARAM_set_int(p, mode)) | |
355 | return 0; | |
356 | } | |
357 | ||
358 | p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE); | |
359 | if (p != NULL) { | |
360 | const char *kdf_type = NULL; | |
361 | ||
362 | switch (pectx->kdf_type) { | |
363 | case PROV_ECDH_KDF_NONE: | |
364 | kdf_type = ""; | |
365 | break; | |
366 | case PROV_ECDH_KDF_X9_63: | |
367 | kdf_type = OSSL_KDF_NAME_X963KDF; | |
368 | break; | |
369 | default: | |
370 | return 0; | |
371 | } | |
372 | ||
373 | if (!OSSL_PARAM_set_utf8_string(p, kdf_type)) | |
374 | return 0; | |
375 | } | |
376 | ||
377 | p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST); | |
378 | if (p != NULL | |
379 | && !OSSL_PARAM_set_utf8_string(p, pectx->kdf_md == NULL | |
380 | ? "" | |
1287dabd | 381 | : EVP_MD_get0_name(pectx->kdf_md))) { |
4fe54d67 NT |
382 | return 0; |
383 | } | |
384 | ||
385 | p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN); | |
386 | if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_outlen)) | |
387 | return 0; | |
388 | ||
389 | p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM); | |
ba0a6d1d RL |
390 | if (p != NULL && |
391 | !OSSL_PARAM_set_octet_ptr(p, pectx->kdf_ukm, pectx->kdf_ukmlen)) | |
4fe54d67 NT |
392 | return 0; |
393 | ||
394 | return 1; | |
395 | } | |
396 | ||
397 | static const OSSL_PARAM known_gettable_ctx_params[] = { | |
398 | OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL), | |
399 | OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0), | |
400 | OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0), | |
401 | OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL), | |
402 | OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, | |
403 | NULL, 0), | |
4fe54d67 NT |
404 | OSSL_PARAM_END |
405 | }; | |
406 | ||
407 | static | |
fb67126e TM |
408 | const OSSL_PARAM *ecdh_gettable_ctx_params(ossl_unused void *vpecdhctx, |
409 | ossl_unused void *provctx) | |
4fe54d67 NT |
410 | { |
411 | return known_gettable_ctx_params; | |
412 | } | |
413 | ||
414 | static ossl_inline | |
415 | size_t ecdh_size(const EC_KEY *k) | |
416 | { | |
417 | size_t degree = 0; | |
418 | const EC_GROUP *group; | |
419 | ||
420 | if (k == NULL | |
421 | || (group = EC_KEY_get0_group(k)) == NULL) | |
422 | return 0; | |
423 | ||
424 | degree = EC_GROUP_get_degree(group); | |
425 | ||
426 | return (degree + 7) / 8; | |
427 | } | |
428 | ||
429 | static ossl_inline | |
430 | int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, | |
431 | size_t *psecretlen, size_t outlen) | |
432 | { | |
433 | PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; | |
434 | int retlen, ret = 0; | |
435 | size_t ecdhsize, size; | |
436 | const EC_POINT *ppubkey = NULL; | |
437 | EC_KEY *privk = NULL; | |
438 | const EC_GROUP *group; | |
439 | const BIGNUM *cofactor; | |
440 | int key_cofactor_mode; | |
441 | ||
442 | if (pecdhctx->k == NULL || pecdhctx->peerk == NULL) { | |
77b03f0e | 443 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); |
4fe54d67 NT |
444 | return 0; |
445 | } | |
446 | ||
447 | ecdhsize = ecdh_size(pecdhctx->k); | |
448 | if (secret == NULL) { | |
449 | *psecretlen = ecdhsize; | |
450 | return 1; | |
451 | } | |
452 | ||
453 | if ((group = EC_KEY_get0_group(pecdhctx->k)) == NULL | |
1287dabd | 454 | || (cofactor = EC_GROUP_get0_cofactor(group)) == NULL) |
4fe54d67 NT |
455 | return 0; |
456 | ||
457 | /* | |
458 | * NB: unlike PKCS#3 DH, if outlen is less than maximum size this is not | |
459 | * an error, the result is truncated. | |
460 | */ | |
461 | size = outlen < ecdhsize ? outlen : ecdhsize; | |
462 | ||
463 | /* | |
464 | * The ctx->cofactor_mode flag has precedence over the | |
465 | * cofactor_mode flag set on ctx->k. | |
466 | * | |
467 | * - if ctx->cofactor_mode == -1, use ctx->k directly | |
468 | * - if ctx->cofactor_mode == key_cofactor_mode, use ctx->k directly | |
469 | * - if ctx->cofactor_mode != key_cofactor_mode: | |
470 | * - if ctx->k->cofactor == 1, the cofactor_mode flag is irrelevant, use | |
471 | * ctx->k directly | |
472 | * - if ctx->k->cofactor != 1, use a duplicate of ctx->k with the flag | |
473 | * set to ctx->cofactor_mode | |
474 | */ | |
475 | key_cofactor_mode = | |
476 | (EC_KEY_get_flags(pecdhctx->k) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; | |
477 | if (pecdhctx->cofactor_mode != -1 | |
478 | && pecdhctx->cofactor_mode != key_cofactor_mode | |
479 | && !BN_is_one(cofactor)) { | |
480 | if ((privk = EC_KEY_dup(pecdhctx->k)) == NULL) | |
481 | return 0; | |
482 | ||
483 | if (pecdhctx->cofactor_mode == 1) | |
484 | EC_KEY_set_flags(privk, EC_FLAG_COFACTOR_ECDH); | |
485 | else | |
486 | EC_KEY_clear_flags(privk, EC_FLAG_COFACTOR_ECDH); | |
487 | } else { | |
488 | privk = pecdhctx->k; | |
489 | } | |
490 | ||
491 | ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); | |
492 | ||
493 | retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); | |
494 | ||
495 | if (retlen <= 0) | |
496 | goto end; | |
497 | ||
498 | *psecretlen = retlen; | |
499 | ret = 1; | |
500 | ||
501 | end: | |
502 | if (privk != pecdhctx->k) | |
503 | EC_KEY_free(privk); | |
504 | return ret; | |
505 | } | |
506 | ||
507 | static ossl_inline | |
508 | int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret, | |
509 | size_t *psecretlen, size_t outlen) | |
510 | { | |
511 | PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; | |
512 | unsigned char *stmp = NULL; | |
513 | size_t stmplen; | |
514 | int ret = 0; | |
515 | ||
516 | if (secret == NULL) { | |
517 | *psecretlen = pecdhctx->kdf_outlen; | |
518 | return 1; | |
519 | } | |
520 | ||
77b03f0e TM |
521 | if (pecdhctx->kdf_outlen > outlen) { |
522 | ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); | |
4fe54d67 | 523 | return 0; |
77b03f0e | 524 | } |
4fe54d67 NT |
525 | if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0)) |
526 | return 0; | |
e077455e | 527 | if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) |
4fe54d67 | 528 | return 0; |
4fe54d67 NT |
529 | if (!ecdh_plain_derive(vpecdhctx, stmp, &stmplen, stmplen)) |
530 | goto err; | |
531 | ||
532 | /* Do KDF stuff */ | |
32ab57cb SL |
533 | if (!ossl_ecdh_kdf_X9_63(secret, pecdhctx->kdf_outlen, |
534 | stmp, stmplen, | |
535 | pecdhctx->kdf_ukm, | |
536 | pecdhctx->kdf_ukmlen, | |
537 | pecdhctx->kdf_md, | |
538 | pecdhctx->libctx, NULL)) | |
4fe54d67 NT |
539 | goto err; |
540 | *psecretlen = pecdhctx->kdf_outlen; | |
541 | ret = 1; | |
542 | ||
543 | err: | |
544 | OPENSSL_secure_clear_free(stmp, stmplen); | |
545 | return ret; | |
546 | } | |
547 | ||
548 | static | |
549 | int ecdh_derive(void *vpecdhctx, unsigned char *secret, | |
550 | size_t *psecretlen, size_t outlen) | |
551 | { | |
552 | PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; | |
553 | ||
554 | switch (pecdhctx->kdf_type) { | |
555 | case PROV_ECDH_KDF_NONE: | |
556 | return ecdh_plain_derive(vpecdhctx, secret, psecretlen, outlen); | |
557 | case PROV_ECDH_KDF_X9_63: | |
558 | return ecdh_X9_63_kdf_derive(vpecdhctx, secret, psecretlen, outlen); | |
1c725f46 SL |
559 | default: |
560 | break; | |
4fe54d67 | 561 | } |
4fe54d67 NT |
562 | return 0; |
563 | } | |
564 | ||
58f422f6 | 565 | const OSSL_DISPATCH ossl_ecdh_keyexch_functions[] = { |
4fe54d67 NT |
566 | { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx }, |
567 | { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init }, | |
568 | { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive }, | |
569 | { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))ecdh_set_peer }, | |
570 | { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))ecdh_freectx }, | |
571 | { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))ecdh_dupctx }, | |
572 | { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))ecdh_set_ctx_params }, | |
573 | { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, | |
574 | (void (*)(void))ecdh_settable_ctx_params }, | |
575 | { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))ecdh_get_ctx_params }, | |
576 | { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, | |
577 | (void (*)(void))ecdh_gettable_ctx_params }, | |
1e6bd31e | 578 | OSSL_DISPATCH_END |
4fe54d67 | 579 | }; |