2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/objects.h>
12 #include <openssl/params.h>
13 #include "crypto/bn.h"
14 #include "crypto/ec.h"
17 * The intention with the "backend" source file is to offer backend support
18 * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider
19 * implementations alike.
22 int ec_set_ecdh_cofactor_mode(EC_KEY
*ec
, int mode
)
24 const EC_GROUP
*ecg
= EC_KEY_get0_group(ec
);
25 const BIGNUM
*cofactor
;
27 * mode can be only 0 for disable, or 1 for enable here.
29 * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
30 * also supports mode == -1 with the meaning of "reset to the default for
31 * the associated key".
33 if (mode
< 0 || mode
> 1)
36 if ((cofactor
= EC_GROUP_get0_cofactor(ecg
)) == NULL
)
39 /* ECDH cofactor mode has no effect if cofactor is 1 */
40 if (BN_is_one(cofactor
))
44 EC_KEY_set_flags(ec
, EC_FLAG_COFACTOR_ECDH
);
46 EC_KEY_clear_flags(ec
, EC_FLAG_COFACTOR_ECDH
);
52 * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has
55 * This function only gets the bare keypair, domain parameters and other
56 * parameters are treated separately, and domain parameters are required to
59 int ec_key_fromdata(EC_KEY
*ec
, const OSSL_PARAM params
[], int include_private
)
61 const OSSL_PARAM
*param_priv_key
= NULL
, *param_pub_key
= NULL
;
63 BIGNUM
*priv_key
= NULL
;
64 unsigned char *pub_key
= NULL
;
66 const EC_GROUP
*ecg
= NULL
;
67 EC_POINT
*pub_point
= NULL
;
70 ecg
= EC_KEY_get0_group(ec
);
75 OSSL_PARAM_locate_const(params
, OSSL_PKEY_PARAM_PUB_KEY
);
78 OSSL_PARAM_locate_const(params
, OSSL_PKEY_PARAM_PRIV_KEY
);
80 ctx
= BN_CTX_new_ex(ec_key_get_libctx(ec
));
84 /* OpenSSL decree: If there's a private key, there must be a public key */
85 if (param_priv_key
!= NULL
&& param_pub_key
== NULL
)
88 if (param_pub_key
!= NULL
)
89 if (!OSSL_PARAM_get_octet_string(param_pub_key
,
90 (void **)&pub_key
, 0, &pub_key_len
)
91 || (pub_point
= EC_POINT_new(ecg
)) == NULL
92 || !EC_POINT_oct2point(ecg
, pub_point
, pub_key
, pub_key_len
, ctx
))
95 if (param_priv_key
!= NULL
&& include_private
) {
100 * Key import/export should never leak the bit length of the secret
103 * For this reason, on export we use padded BIGNUMs with fixed length.
105 * When importing we also should make sure that, even if short lived,
106 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
107 * soon as possible, so that any processing of this BIGNUM might opt for
108 * constant time implementations in the backend.
110 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
111 * to preallocate the BIGNUM internal buffer to a fixed public size big
112 * enough that operations performed during the processing never trigger
113 * a realloc which would leak the size of the scalar through memory
119 * The order of the large prime subgroup of the curve is our choice for
120 * a fixed public size, as that is generally the upper bound for
121 * generating a private key in EC cryptosystems and should fit all valid
124 * For padding on export we just use the bit length of the order
125 * converted to bytes (rounding up).
127 * For preallocating the BIGNUM storage we look at the number of "words"
128 * required for the internal representation of the order, and we
129 * preallocate 2 extra "words" in case any of the subsequent processing
130 * might temporarily overflow the order length.
132 order
= EC_GROUP_get0_order(ecg
);
133 if (order
== NULL
|| BN_is_zero(order
))
136 fixed_words
= bn_get_top(order
) + 2;
138 if ((priv_key
= BN_secure_new()) == NULL
)
140 if (bn_wexpand(priv_key
, fixed_words
) == NULL
)
142 BN_set_flags(priv_key
, BN_FLG_CONSTTIME
);
144 if (!OSSL_PARAM_get_BN(param_priv_key
, &priv_key
))
149 && !EC_KEY_set_private_key(ec
, priv_key
))
152 if (pub_point
!= NULL
153 && !EC_KEY_set_public_key(ec
, pub_point
))
160 BN_clear_free(priv_key
);
161 OPENSSL_free(pub_key
);
162 EC_POINT_free(pub_point
);
166 int ec_key_domparams_fromdata(EC_KEY
*ec
, const OSSL_PARAM params
[])
168 const OSSL_PARAM
*param_ec_name
;
169 EC_GROUP
*ecg
= NULL
;
170 char *curve_name
= NULL
;
176 param_ec_name
= OSSL_PARAM_locate_const(params
, OSSL_PKEY_PARAM_EC_NAME
);
177 if (param_ec_name
== NULL
) {
178 /* explicit parameters */
181 * TODO(3.0): should we support explicit parameters curves?
188 if (!OSSL_PARAM_get_utf8_string(param_ec_name
, &curve_name
, 0)
189 || curve_name
== NULL
190 || (curve_nid
= ec_curve_name2nid(curve_name
)) == NID_undef
)
193 if ((ecg
= EC_GROUP_new_by_curve_name_ex(ec_key_get_libctx(ec
),
198 if (!EC_KEY_set_group(ec
, ecg
))
202 * TODO(3.0): if the group has changed, should we invalidate the private and
209 OPENSSL_free(curve_name
);
214 int ec_key_otherparams_fromdata(EC_KEY
*ec
, const OSSL_PARAM params
[])
221 p
= OSSL_PARAM_locate_const(params
, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH
);
225 if (!OSSL_PARAM_get_int(p
, &mode
)
226 || !ec_set_ecdh_cofactor_mode(ec
, mode
))