]>
Commit | Line | Data |
---|---|---|
4fe54d67 | 1 | /* |
a377871d | 2 | * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. |
4fe54d67 NT |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * ECDH/ECDSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
16 | #include <openssl/core_numbers.h> | |
17 | #include <openssl/core_names.h> | |
18 | #include <openssl/bn.h> | |
1f185f51 | 19 | #include <openssl/err.h> |
4fe54d67 | 20 | #include <openssl/objects.h> |
a377871d | 21 | #include "crypto/bn.h" |
a173cc9c | 22 | #include "crypto/ec.h" |
4fe54d67 NT |
23 | #include "prov/implementations.h" |
24 | #include "prov/providercommon.h" | |
1f185f51 | 25 | #include "prov/providercommonerr.h" |
1c725f46 | 26 | #include "prov/provider_ctx.h" |
96ebe52e | 27 | #include "internal/param_build_set.h" |
4fe54d67 NT |
28 | |
29 | static OSSL_OP_keymgmt_new_fn ec_newdata; | |
1f185f51 RL |
30 | static OSSL_OP_keymgmt_gen_init_fn ec_gen_init; |
31 | static OSSL_OP_keymgmt_gen_set_template_fn ec_gen_set_template; | |
32 | static OSSL_OP_keymgmt_gen_set_params_fn ec_gen_set_params; | |
33 | static OSSL_OP_keymgmt_gen_settable_params_fn ec_gen_settable_params; | |
1f185f51 RL |
34 | static OSSL_OP_keymgmt_gen_fn ec_gen; |
35 | static OSSL_OP_keymgmt_gen_cleanup_fn ec_gen_cleanup; | |
4fe54d67 NT |
36 | static OSSL_OP_keymgmt_free_fn ec_freedata; |
37 | static OSSL_OP_keymgmt_get_params_fn ec_get_params; | |
38 | static OSSL_OP_keymgmt_gettable_params_fn ec_gettable_params; | |
39 | static OSSL_OP_keymgmt_set_params_fn ec_set_params; | |
40 | static OSSL_OP_keymgmt_settable_params_fn ec_settable_params; | |
41 | static OSSL_OP_keymgmt_has_fn ec_has; | |
2888fc15 | 42 | static OSSL_OP_keymgmt_match_fn ec_match; |
a173cc9c | 43 | static OSSL_OP_keymgmt_validate_fn ec_validate; |
4fe54d67 NT |
44 | static OSSL_OP_keymgmt_import_fn ec_import; |
45 | static OSSL_OP_keymgmt_import_types_fn ec_import_types; | |
46 | static OSSL_OP_keymgmt_export_fn ec_export; | |
47 | static OSSL_OP_keymgmt_export_types_fn ec_export_types; | |
48 | static OSSL_OP_keymgmt_query_operation_name_fn ec_query_operation_name; | |
49 | ||
aa45c4a9 | 50 | #define EC_DEFAULT_MD "SHA256" |
96ebe52e SL |
51 | #define EC_POSSIBLE_SELECTIONS \ |
52 | (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) | |
4fe54d67 NT |
53 | |
54 | static | |
55 | const char *ec_query_operation_name(int operation_id) | |
56 | { | |
57 | switch (operation_id) { | |
58 | case OSSL_OP_KEYEXCH: | |
59 | return "ECDH"; | |
4fe54d67 | 60 | case OSSL_OP_SIGNATURE: |
edd3b7a3 | 61 | return "ECDSA"; |
4fe54d67 NT |
62 | } |
63 | return NULL; | |
64 | } | |
65 | ||
4fe54d67 | 66 | static ossl_inline |
96ebe52e SL |
67 | int domparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl, |
68 | OSSL_PARAM params[]) | |
4fe54d67 NT |
69 | { |
70 | const EC_GROUP *ecg; | |
71 | int curve_nid; | |
72 | ||
73 | if (ec == NULL) | |
74 | return 0; | |
75 | ||
76 | ecg = EC_KEY_get0_group(ec); | |
77 | if (ecg == NULL) | |
78 | return 0; | |
79 | ||
80 | curve_nid = EC_GROUP_get_curve_name(ecg); | |
81 | ||
82 | if (curve_nid == NID_undef) { | |
96ebe52e | 83 | /* TODO(3.0): should we support explicit parameters curves? */ |
4fe54d67 NT |
84 | return 0; |
85 | } else { | |
86 | /* named curve */ | |
87 | const char *curve_name = NULL; | |
88 | ||
1c725f46 | 89 | if ((curve_name = ec_curve_nid2name(curve_nid)) == NULL) |
4fe54d67 | 90 | return 0; |
96ebe52e | 91 | if (!ossl_param_build_set_utf8_string(tmpl, params, |
11a1b341 | 92 | OSSL_PKEY_PARAM_GROUP_NAME, |
96ebe52e | 93 | curve_name)) |
4fe54d67 | 94 | |
4fe54d67 NT |
95 | return 0; |
96 | } | |
97 | ||
98 | return 1; | |
99 | } | |
100 | ||
4fe54d67 NT |
101 | /* |
102 | * Callers of key_to_params MUST make sure that domparams_to_params is also | |
103 | * called! | |
104 | * | |
105 | * This function only exports the bare keypair, domain parameters and other | |
106 | * parameters are exported separately. | |
107 | */ | |
108 | static ossl_inline | |
96ebe52e SL |
109 | int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, |
110 | OSSL_PARAM params[], int include_private, | |
111 | unsigned char **pub_key) | |
4fe54d67 | 112 | { |
4f2271d5 | 113 | BIGNUM *x = NULL, *y = NULL; |
4fe54d67 NT |
114 | const BIGNUM *priv_key = NULL; |
115 | const EC_POINT *pub_point = NULL; | |
116 | const EC_GROUP *ecg = NULL; | |
4fe54d67 NT |
117 | size_t pub_key_len = 0; |
118 | int ret = 0; | |
e395ba22 | 119 | BN_CTX *bnctx = NULL; |
4fe54d67 | 120 | |
9e2c0358 RL |
121 | if (eckey == NULL |
122 | || (ecg = EC_KEY_get0_group(eckey)) == NULL) | |
4fe54d67 NT |
123 | return 0; |
124 | ||
4fe54d67 NT |
125 | priv_key = EC_KEY_get0_private_key(eckey); |
126 | pub_point = EC_KEY_get0_public_key(eckey); | |
127 | ||
9e2c0358 | 128 | if (pub_point != NULL) { |
4f2271d5 | 129 | OSSL_PARAM *p = NULL, *px = NULL, *py = NULL; |
e395ba22 MC |
130 | /* |
131 | * EC_POINT_point2buf() can generate random numbers in some | |
132 | * implementations so we need to ensure we use the correct libctx. | |
133 | */ | |
134 | bnctx = BN_CTX_new_ex(ec_key_get_libctx(eckey)); | |
135 | if (bnctx == NULL) | |
136 | goto err; | |
137 | ||
4f2271d5 SL |
138 | |
139 | /* If we are doing a get then check first before decoding the point */ | |
140 | if (tmpl == NULL) { | |
141 | p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PUB_KEY); | |
142 | px = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_EC_PUB_X); | |
143 | py = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_EC_PUB_Y); | |
144 | } | |
145 | ||
146 | if (p != NULL || tmpl != NULL) { | |
147 | /* convert pub_point to a octet string according to the SECG standard */ | |
148 | if ((pub_key_len = EC_POINT_point2buf(ecg, pub_point, | |
149 | POINT_CONVERSION_COMPRESSED, | |
150 | pub_key, bnctx)) == 0 | |
151 | || !ossl_param_build_set_octet_string(tmpl, p, | |
152 | OSSL_PKEY_PARAM_PUB_KEY, | |
153 | *pub_key, pub_key_len)) | |
154 | goto err; | |
155 | } | |
156 | if (px != NULL || py != NULL) { | |
157 | if (px != NULL) | |
158 | x = BN_CTX_get(bnctx); | |
159 | if (py != NULL) | |
160 | y = BN_CTX_get(bnctx); | |
161 | ||
162 | if (!EC_POINT_get_affine_coordinates(ecg, pub_point, x, y, bnctx)) | |
163 | goto err; | |
164 | if (px != NULL | |
165 | && !ossl_param_build_set_bn(tmpl, px, | |
166 | OSSL_PKEY_PARAM_EC_PUB_X, x)) | |
167 | goto err; | |
168 | if (py != NULL | |
169 | && !ossl_param_build_set_bn(tmpl, py, | |
170 | OSSL_PKEY_PARAM_EC_PUB_Y, y)) | |
171 | goto err; | |
172 | } | |
9e2c0358 | 173 | } |
4fe54d67 | 174 | |
a377871d NT |
175 | if (priv_key != NULL && include_private) { |
176 | size_t sz; | |
177 | int ecbits; | |
178 | ||
179 | /* | |
180 | * Key import/export should never leak the bit length of the secret | |
181 | * scalar in the key. | |
182 | * | |
183 | * For this reason, on export we use padded BIGNUMs with fixed length. | |
184 | * | |
185 | * When importing we also should make sure that, even if short lived, | |
186 | * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as | |
187 | * soon as possible, so that any processing of this BIGNUM might opt for | |
188 | * constant time implementations in the backend. | |
189 | * | |
190 | * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have | |
191 | * to preallocate the BIGNUM internal buffer to a fixed public size big | |
192 | * enough that operations performed during the processing never trigger | |
193 | * a realloc which would leak the size of the scalar through memory | |
194 | * accesses. | |
195 | * | |
196 | * Fixed Length | |
197 | * ------------ | |
198 | * | |
199 | * The order of the large prime subgroup of the curve is our choice for | |
200 | * a fixed public size, as that is generally the upper bound for | |
201 | * generating a private key in EC cryptosystems and should fit all valid | |
202 | * secret scalars. | |
203 | * | |
204 | * For padding on export we just use the bit length of the order | |
205 | * converted to bytes (rounding up). | |
206 | * | |
207 | * For preallocating the BIGNUM storage we look at the number of "words" | |
208 | * required for the internal representation of the order, and we | |
209 | * preallocate 2 extra "words" in case any of the subsequent processing | |
210 | * might temporarily overflow the order length. | |
211 | */ | |
212 | ecbits = EC_GROUP_order_bits(ecg); | |
213 | if (ecbits <= 0) | |
214 | goto err; | |
215 | sz = (ecbits + 7 ) / 8; | |
96ebe52e SL |
216 | |
217 | if (!ossl_param_build_set_bn_pad(tmpl, params, | |
218 | OSSL_PKEY_PARAM_PRIV_KEY, | |
219 | priv_key, sz)) | |
a377871d NT |
220 | goto err; |
221 | } | |
4fe54d67 | 222 | ret = 1; |
4fe54d67 | 223 | err: |
e395ba22 | 224 | BN_CTX_free(bnctx); |
4fe54d67 NT |
225 | return ret; |
226 | } | |
227 | ||
4fe54d67 | 228 | static ossl_inline |
96ebe52e SL |
229 | int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl, |
230 | OSSL_PARAM params[]) | |
4fe54d67 NT |
231 | { |
232 | int ecdh_cofactor_mode = 0; | |
233 | ||
234 | if (ec == NULL) | |
235 | return 0; | |
236 | ||
237 | ecdh_cofactor_mode = | |
238 | (EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; | |
96ebe52e SL |
239 | return ossl_param_build_set_int(tmpl, params, |
240 | OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, | |
241 | ecdh_cofactor_mode); | |
4fe54d67 NT |
242 | } |
243 | ||
244 | static | |
245 | void *ec_newdata(void *provctx) | |
246 | { | |
1c725f46 | 247 | return EC_KEY_new_ex(PROV_LIBRARY_CONTEXT_OF(provctx)); |
4fe54d67 NT |
248 | } |
249 | ||
250 | static | |
251 | void ec_freedata(void *keydata) | |
252 | { | |
253 | EC_KEY_free(keydata); | |
254 | } | |
255 | ||
256 | static | |
257 | int ec_has(void *keydata, int selection) | |
258 | { | |
259 | EC_KEY *ec = keydata; | |
260 | int ok = 0; | |
261 | ||
adc9f731 RL |
262 | if (ec != NULL) { |
263 | if ((selection & EC_POSSIBLE_SELECTIONS) != 0) | |
264 | ok = 1; | |
265 | ||
266 | if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) | |
267 | ok = ok && (EC_KEY_get0_public_key(ec) != NULL); | |
268 | if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) | |
269 | ok = ok && (EC_KEY_get0_private_key(ec) != NULL); | |
270 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) | |
271 | ok = ok && (EC_KEY_get0_group(ec) != NULL); | |
272 | /* | |
273 | * We consider OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS to always be | |
274 | * available, so no extra check is needed other than the previous one | |
275 | * against EC_POSSIBLE_SELECTIONS. | |
276 | */ | |
277 | } | |
4fe54d67 NT |
278 | return ok; |
279 | } | |
280 | ||
2888fc15 RL |
281 | static int ec_match(const void *keydata1, const void *keydata2, int selection) |
282 | { | |
283 | const EC_KEY *ec1 = keydata1; | |
284 | const EC_KEY *ec2 = keydata2; | |
285 | const EC_GROUP *group_a = EC_KEY_get0_group(ec1); | |
286 | const EC_GROUP *group_b = EC_KEY_get0_group(ec2); | |
287 | int ok = 1; | |
288 | ||
289 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) | |
290 | ok = ok && group_a != NULL && group_b != NULL | |
291 | && EC_GROUP_cmp(group_a, group_b, NULL) == 0; | |
292 | if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { | |
293 | const BIGNUM *pa = EC_KEY_get0_private_key(ec1); | |
294 | const BIGNUM *pb = EC_KEY_get0_private_key(ec2); | |
295 | ||
296 | ok = ok && BN_cmp(pa, pb) == 0; | |
297 | } | |
298 | if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { | |
299 | const EC_POINT *pa = EC_KEY_get0_public_key(ec1); | |
300 | const EC_POINT *pb = EC_KEY_get0_public_key(ec2); | |
301 | ||
302 | ok = ok && EC_POINT_cmp(group_b, pa, pb, NULL); | |
303 | } | |
304 | return ok; | |
305 | } | |
306 | ||
4fe54d67 NT |
307 | static |
308 | int ec_import(void *keydata, int selection, const OSSL_PARAM params[]) | |
309 | { | |
310 | EC_KEY *ec = keydata; | |
f552d900 | 311 | int ok = 1; |
4fe54d67 NT |
312 | |
313 | if (ec == NULL) | |
314 | return 0; | |
315 | ||
316 | /* | |
317 | * In this implementation, we can export/import only keydata in the | |
318 | * following combinations: | |
319 | * - domain parameters only | |
320 | * - public key with associated domain parameters (+optional other params) | |
321 | * - private key with associated public key and domain parameters | |
322 | * (+optional other params) | |
323 | * | |
324 | * This means: | |
325 | * - domain parameters must always be requested | |
326 | * - private key must be requested alongside public key | |
327 | * - other parameters must be requested only alongside a key | |
328 | */ | |
329 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0) | |
330 | return 0; | |
331 | if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 | |
332 | && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0) | |
333 | return 0; | |
334 | if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0 | |
335 | && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) | |
336 | return 0; | |
337 | ||
338 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) | |
0abae163 | 339 | ok = ok && ec_key_domparams_fromdata(ec, params); |
4fe54d67 NT |
340 | if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { |
341 | int include_private = | |
342 | selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; | |
343 | ||
0abae163 | 344 | ok = ok && ec_key_fromdata(ec, params, include_private); |
4fe54d67 NT |
345 | } |
346 | if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) | |
0abae163 | 347 | ok = ok && ec_key_otherparams_fromdata(ec, params); |
4fe54d67 NT |
348 | |
349 | return ok; | |
350 | } | |
351 | ||
352 | static | |
353 | int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, | |
354 | void *cbarg) | |
355 | { | |
356 | EC_KEY *ec = keydata; | |
6d4e6009 | 357 | OSSL_PARAM_BLD *tmpl; |
4fe54d67 | 358 | OSSL_PARAM *params = NULL; |
96ebe52e | 359 | unsigned char *pub_key = NULL; |
4fe54d67 NT |
360 | int ok = 1; |
361 | ||
362 | if (ec == NULL) | |
363 | return 0; | |
364 | ||
365 | /* | |
366 | * In this implementation, we can export/import only keydata in the | |
367 | * following combinations: | |
368 | * - domain parameters only | |
369 | * - public key with associated domain parameters (+optional other params) | |
370 | * - private key with associated public key and domain parameters | |
371 | * (+optional other params) | |
372 | * | |
373 | * This means: | |
374 | * - domain parameters must always be requested | |
375 | * - private key must be requested alongside public key | |
376 | * - other parameters must be requested only alongside a key | |
377 | */ | |
378 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0) | |
379 | return 0; | |
380 | if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 | |
381 | && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0) | |
382 | return 0; | |
383 | if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0 | |
384 | && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) | |
385 | return 0; | |
386 | ||
6d4e6009 P |
387 | tmpl = OSSL_PARAM_BLD_new(); |
388 | if (tmpl == NULL) | |
389 | return 0; | |
4fe54d67 NT |
390 | |
391 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) | |
96ebe52e SL |
392 | ok = ok && domparams_to_params(ec, tmpl, NULL); |
393 | ||
4fe54d67 NT |
394 | if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { |
395 | int include_private = | |
396 | selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; | |
397 | ||
96ebe52e | 398 | ok = ok && key_to_params(ec, tmpl, NULL, include_private, &pub_key); |
4fe54d67 NT |
399 | } |
400 | if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) | |
96ebe52e | 401 | ok = ok && otherparams_to_params(ec, tmpl, NULL); |
4fe54d67 | 402 | |
e3be0f43 RL |
403 | if (ok && (params = OSSL_PARAM_BLD_to_param(tmpl)) != NULL) |
404 | ok = param_cb(params, cbarg); | |
4fe54d67 | 405 | |
6d4e6009 | 406 | OSSL_PARAM_BLD_free_params(params); |
6d4e6009 | 407 | OSSL_PARAM_BLD_free(tmpl); |
96ebe52e | 408 | OPENSSL_free(pub_key); |
4fe54d67 NT |
409 | return ok; |
410 | } | |
411 | ||
412 | /* IMEXPORT = IMPORT + EXPORT */ | |
413 | ||
414 | # define EC_IMEXPORTABLE_DOM_PARAMETERS \ | |
11a1b341 | 415 | OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0) |
4fe54d67 NT |
416 | # define EC_IMEXPORTABLE_PUBLIC_KEY \ |
417 | OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0) | |
418 | # define EC_IMEXPORTABLE_PRIVATE_KEY \ | |
419 | OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0) | |
420 | # define EC_IMEXPORTABLE_OTHER_PARAMETERS \ | |
421 | OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL) | |
422 | ||
423 | /* | |
424 | * Include all the possible combinations of OSSL_PARAM arrays for | |
425 | * ec_imexport_types(). | |
426 | * | |
427 | * They are in a separate file as it is ~100 lines of unreadable and | |
428 | * uninteresting machine generated stuff. | |
429 | * | |
430 | * TODO(3.0): the generated list looks quite ugly, as to cover all possible | |
431 | * combinations of the bits in `selection`, it also includes combinations that | |
432 | * are not really useful: we might want to consider alternatives to this | |
433 | * solution. | |
434 | */ | |
435 | #include "ec_kmgmt_imexport.inc" | |
436 | ||
437 | static ossl_inline | |
438 | const OSSL_PARAM *ec_imexport_types(int selection) | |
439 | { | |
440 | int type_select = 0; | |
441 | ||
442 | if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) | |
443 | type_select += 1; | |
444 | if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) | |
445 | type_select += 2; | |
446 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) | |
447 | type_select += 4; | |
448 | if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) | |
449 | type_select += 8; | |
450 | return ec_types[type_select]; | |
451 | } | |
452 | ||
453 | static | |
454 | const OSSL_PARAM *ec_import_types(int selection) | |
455 | { | |
456 | return ec_imexport_types(selection); | |
457 | } | |
458 | ||
459 | static | |
460 | const OSSL_PARAM *ec_export_types(int selection) | |
461 | { | |
462 | return ec_imexport_types(selection); | |
463 | } | |
464 | ||
465 | static | |
466 | int ec_get_params(void *key, OSSL_PARAM params[]) | |
467 | { | |
96ebe52e | 468 | int ret; |
4fe54d67 NT |
469 | EC_KEY *eck = key; |
470 | const EC_GROUP *ecg = NULL; | |
471 | OSSL_PARAM *p; | |
96ebe52e | 472 | unsigned char *pub_key = NULL; |
4fe54d67 NT |
473 | |
474 | ecg = EC_KEY_get0_group(eck); | |
475 | if (ecg == NULL) | |
476 | return 0; | |
477 | ||
478 | if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL | |
479 | && !OSSL_PARAM_set_int(p, ECDSA_size(eck))) | |
480 | return 0; | |
481 | if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL | |
482 | && !OSSL_PARAM_set_int(p, EC_GROUP_order_bits(ecg))) | |
483 | return 0; | |
484 | if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL) { | |
485 | int ecbits, sec_bits; | |
486 | ||
487 | ecbits = EC_GROUP_order_bits(ecg); | |
488 | ||
489 | /* | |
490 | * The following estimates are based on the values published | |
491 | * in Table 2 of "NIST Special Publication 800-57 Part 1 Revision 4" | |
492 | * at http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 . | |
493 | * | |
494 | * Note that the above reference explicitly categorizes algorithms in a | |
495 | * discrete set of values {80, 112, 128, 192, 256}, and that it is | |
496 | * relevant only for NIST approved Elliptic Curves, while OpenSSL | |
497 | * applies the same logic also to other curves. | |
498 | * | |
499 | * Classifications produced by other standardazing bodies might differ, | |
500 | * so the results provided for "bits of security" by this provider are | |
501 | * to be considered merely indicative, and it is the users' | |
502 | * responsibility to compare these values against the normative | |
503 | * references that may be relevant for their intent and purposes. | |
504 | */ | |
505 | if (ecbits >= 512) | |
506 | sec_bits = 256; | |
507 | else if (ecbits >= 384) | |
508 | sec_bits = 192; | |
509 | else if (ecbits >= 256) | |
510 | sec_bits = 128; | |
511 | else if (ecbits >= 224) | |
512 | sec_bits = 112; | |
513 | else if (ecbits >= 160) | |
514 | sec_bits = 80; | |
515 | else | |
516 | sec_bits = ecbits / 2; | |
517 | ||
518 | if (!OSSL_PARAM_set_int(p, sec_bits)) | |
519 | return 0; | |
520 | } | |
521 | ||
aa45c4a9 RL |
522 | if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL |
523 | && !OSSL_PARAM_set_utf8_string(p, EC_DEFAULT_MD)) | |
524 | return 0; | |
525 | ||
4fe54d67 NT |
526 | p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH); |
527 | if (p != NULL) { | |
528 | int ecdh_cofactor_mode = 0; | |
529 | ||
530 | ecdh_cofactor_mode = | |
531 | (EC_KEY_get_flags(eck) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; | |
532 | ||
533 | if (!OSSL_PARAM_set_int(p, ecdh_cofactor_mode)) | |
534 | return 0; | |
535 | } | |
6a9bd929 MC |
536 | if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT)) != NULL) { |
537 | BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(key)); | |
538 | ||
539 | if (ctx == NULL) | |
540 | return 0; | |
541 | p->return_size = EC_POINT_point2oct(EC_KEY_get0_group(key), | |
542 | EC_KEY_get0_public_key(key), | |
543 | POINT_CONVERSION_UNCOMPRESSED, | |
544 | p->data, p->return_size, ctx); | |
545 | BN_CTX_free(ctx); | |
546 | if (p->return_size == 0) | |
547 | return 0; | |
548 | } | |
549 | ||
96ebe52e SL |
550 | ret = domparams_to_params(eck, NULL, params) |
551 | && key_to_params(eck, NULL, params, 1, &pub_key) | |
552 | && otherparams_to_params(eck, NULL, params); | |
553 | OPENSSL_free(pub_key); | |
554 | return ret; | |
4fe54d67 NT |
555 | } |
556 | ||
557 | static const OSSL_PARAM ec_known_gettable_params[] = { | |
558 | OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), | |
559 | OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), | |
560 | OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), | |
6a9bd929 | 561 | OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0), |
96ebe52e SL |
562 | EC_IMEXPORTABLE_DOM_PARAMETERS, |
563 | EC_IMEXPORTABLE_PUBLIC_KEY, | |
4f2271d5 SL |
564 | OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_PUB_X, NULL, 0), |
565 | OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_PUB_Y, NULL, 0), | |
96ebe52e SL |
566 | EC_IMEXPORTABLE_PRIVATE_KEY, |
567 | EC_IMEXPORTABLE_OTHER_PARAMETERS, | |
4fe54d67 NT |
568 | OSSL_PARAM_END |
569 | }; | |
570 | ||
571 | static | |
572 | const OSSL_PARAM *ec_gettable_params(void) | |
573 | { | |
574 | return ec_known_gettable_params; | |
575 | } | |
576 | ||
577 | static const OSSL_PARAM ec_known_settable_params[] = { | |
578 | OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), | |
6a9bd929 | 579 | OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0), |
4fe54d67 NT |
580 | OSSL_PARAM_END |
581 | }; | |
582 | ||
583 | static | |
584 | const OSSL_PARAM *ec_settable_params(void) | |
585 | { | |
586 | return ec_known_settable_params; | |
587 | } | |
588 | ||
589 | static | |
590 | int ec_set_params(void *key, const OSSL_PARAM params[]) | |
591 | { | |
592 | EC_KEY *eck = key; | |
6a9bd929 MC |
593 | const OSSL_PARAM *p; |
594 | ||
595 | p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT); | |
596 | if (p != NULL) { | |
597 | BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(key)); | |
598 | int ret = 1; | |
599 | ||
600 | if (ctx == NULL | |
601 | || p->data_type != OSSL_PARAM_OCTET_STRING | |
602 | || !EC_KEY_oct2key(key, p->data, p->data_size, ctx)) | |
603 | ret = 0; | |
604 | BN_CTX_free(ctx); | |
605 | if (!ret) | |
606 | return 0; | |
607 | } | |
4fe54d67 | 608 | |
b8086652 | 609 | return ec_key_otherparams_fromdata(eck, params); |
4fe54d67 NT |
610 | } |
611 | ||
a173cc9c SL |
612 | static |
613 | int ec_validate(void *keydata, int selection) | |
614 | { | |
615 | EC_KEY *eck = keydata; | |
616 | int ok = 0; | |
617 | BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(eck)); | |
618 | ||
619 | if (ctx == NULL) | |
620 | return 0; | |
621 | ||
622 | if ((selection & EC_POSSIBLE_SELECTIONS) != 0) | |
623 | ok = 1; | |
624 | ||
625 | if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) | |
626 | ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); | |
627 | ||
628 | if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) | |
629 | ok = ok && ec_key_public_check(eck, ctx); | |
630 | ||
631 | if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) | |
632 | ok = ok && ec_key_private_check(eck); | |
633 | ||
634 | if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) | |
635 | ok = ok && ec_key_pairwise_check(eck, ctx); | |
636 | ||
637 | BN_CTX_free(ctx); | |
638 | return ok; | |
639 | } | |
640 | ||
1f185f51 RL |
641 | struct ec_gen_ctx { |
642 | OPENSSL_CTX *libctx; | |
1f185f51 RL |
643 | EC_GROUP *gen_group; |
644 | int selection; | |
b8086652 | 645 | int ecdh_mode; |
1f185f51 RL |
646 | }; |
647 | ||
648 | static void *ec_gen_init(void *provctx, int selection) | |
649 | { | |
650 | OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx); | |
651 | struct ec_gen_ctx *gctx = NULL; | |
652 | ||
653 | if ((selection & (EC_POSSIBLE_SELECTIONS)) == 0) | |
654 | return NULL; | |
655 | ||
656 | if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) { | |
657 | gctx->libctx = libctx; | |
658 | gctx->gen_group = NULL; | |
659 | gctx->selection = selection; | |
b8086652 | 660 | gctx->ecdh_mode = 0; |
1f185f51 RL |
661 | } |
662 | return gctx; | |
663 | } | |
664 | ||
665 | static int ec_gen_set_group(void *genctx, int nid) | |
666 | { | |
667 | struct ec_gen_ctx *gctx = genctx; | |
668 | EC_GROUP *group; | |
669 | ||
670 | group = EC_GROUP_new_by_curve_name_ex(gctx->libctx, nid); | |
671 | if (group == NULL) { | |
672 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); | |
673 | return 0; | |
674 | } | |
675 | EC_GROUP_free(gctx->gen_group); | |
676 | gctx->gen_group = group; | |
677 | return 1; | |
678 | } | |
679 | static int ec_gen_set_template(void *genctx, void *templ) | |
680 | { | |
681 | struct ec_gen_ctx *gctx = genctx; | |
682 | EC_KEY *ec = templ; | |
683 | const EC_GROUP *ec_group; | |
684 | ||
685 | if (gctx == NULL || ec == NULL) | |
686 | return 0; | |
687 | if ((ec_group = EC_KEY_get0_group(ec)) == NULL) | |
688 | return 0; | |
689 | return ec_gen_set_group(gctx, EC_GROUP_get_curve_name(ec_group)); | |
690 | } | |
691 | ||
692 | static int ec_gen_set_params(void *genctx, const OSSL_PARAM params[]) | |
693 | { | |
694 | struct ec_gen_ctx *gctx = genctx; | |
695 | const OSSL_PARAM *p; | |
696 | ||
b8086652 SL |
697 | if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH)) |
698 | != NULL) { | |
699 | if (!OSSL_PARAM_get_int(p, &gctx->ecdh_mode)) | |
700 | return 0; | |
701 | } | |
11a1b341 | 702 | if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME)) |
1f185f51 RL |
703 | != NULL) { |
704 | const char *curve_name = NULL; | |
705 | int ret = 0; | |
706 | ||
707 | switch (p->data_type) { | |
708 | case OSSL_PARAM_UTF8_STRING: | |
709 | /* The OSSL_PARAM functions have no support for this */ | |
710 | curve_name = p->data; | |
711 | ret = (curve_name != NULL); | |
712 | break; | |
713 | case OSSL_PARAM_UTF8_PTR: | |
714 | ret = OSSL_PARAM_get_utf8_ptr(p, &curve_name); | |
715 | break; | |
716 | } | |
717 | ||
718 | if (ret) { | |
719 | int nid = ec_curve_name2nid(curve_name); | |
720 | ||
721 | if (nid == NID_undef) { | |
722 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); | |
723 | ret = 0; | |
724 | } else { | |
725 | ret = ec_gen_set_group(gctx, nid); | |
726 | } | |
727 | } | |
728 | return ret; | |
729 | } | |
730 | return 1; | |
731 | } | |
732 | ||
733 | static const OSSL_PARAM *ec_gen_settable_params(void *provctx) | |
734 | { | |
735 | static OSSL_PARAM settable[] = { | |
11a1b341 | 736 | OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0), |
b8086652 | 737 | OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), |
1f185f51 RL |
738 | OSSL_PARAM_END |
739 | }; | |
740 | ||
741 | return settable; | |
742 | } | |
743 | ||
1f185f51 RL |
744 | static int ec_gen_assign_group(EC_KEY *ec, EC_GROUP *group) |
745 | { | |
746 | if (group == NULL) { | |
747 | ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET); | |
748 | return 0; | |
749 | } | |
750 | return EC_KEY_set_group(ec, group) > 0; | |
751 | } | |
752 | ||
753 | /* | |
754 | * The callback arguments (osslcb & cbarg) are not used by EC_KEY generation | |
755 | */ | |
756 | static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) | |
757 | { | |
758 | struct ec_gen_ctx *gctx = genctx; | |
759 | EC_KEY *ec = NULL; | |
760 | int ret = 1; /* Start optimistically */ | |
761 | ||
762 | if (gctx == NULL | |
763 | || (ec = EC_KEY_new_ex(gctx->libctx)) == NULL) | |
764 | return NULL; | |
765 | ||
766 | /* We must always assign a group, no matter what */ | |
767 | ret = ec_gen_assign_group(ec, gctx->gen_group); | |
768 | /* Whether you want it or not, you get a keypair, not just one half */ | |
769 | if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) | |
770 | ret = ret && EC_KEY_generate_key(ec); | |
771 | ||
b8086652 SL |
772 | if (gctx->ecdh_mode != -1) |
773 | ret = ret && ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); | |
774 | ||
1f185f51 RL |
775 | if (ret) |
776 | return ec; | |
777 | ||
778 | /* Something went wrong, throw the key away */ | |
779 | EC_KEY_free(ec); | |
780 | return NULL; | |
781 | } | |
782 | ||
783 | static void ec_gen_cleanup(void *genctx) | |
784 | { | |
785 | struct ec_gen_ctx *gctx = genctx; | |
786 | ||
787 | if (gctx == NULL) | |
788 | return; | |
789 | ||
790 | EC_GROUP_free(gctx->gen_group); | |
791 | OPENSSL_free(gctx); | |
792 | } | |
793 | ||
4fe54d67 NT |
794 | const OSSL_DISPATCH ec_keymgmt_functions[] = { |
795 | { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata }, | |
1f185f51 RL |
796 | { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))ec_gen_init }, |
797 | { OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE, | |
798 | (void (*)(void))ec_gen_set_template }, | |
799 | { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))ec_gen_set_params }, | |
800 | { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, | |
801 | (void (*)(void))ec_gen_settable_params }, | |
1f185f51 RL |
802 | { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ec_gen }, |
803 | { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))ec_gen_cleanup }, | |
4fe54d67 NT |
804 | { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ec_freedata }, |
805 | { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))ec_get_params }, | |
806 | { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))ec_gettable_params }, | |
807 | { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))ec_set_params }, | |
808 | { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))ec_settable_params }, | |
809 | { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))ec_has }, | |
2888fc15 | 810 | { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))ec_match }, |
a173cc9c | 811 | { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))ec_validate }, |
4fe54d67 NT |
812 | { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_import }, |
813 | { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))ec_import_types }, | |
814 | { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))ec_export }, | |
815 | { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))ec_export_types }, | |
816 | { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, | |
1f185f51 | 817 | (void (*)(void))ec_query_operation_name }, |
4fe54d67 NT |
818 | { 0, NULL } |
819 | }; |