289 lines
7.6 KiB
C
289 lines
7.6 KiB
C
// Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 2006.
|
|
// Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <openssl/bn.h>
|
|
#include <openssl/digest.h>
|
|
#include <openssl/ec.h>
|
|
#include <openssl/ec_key.h>
|
|
#include <openssl/ecdh.h>
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/mem.h>
|
|
#include <openssl/nid.h>
|
|
|
|
#include "internal.h"
|
|
#include "../ec/internal.h"
|
|
#include "../../internal.h"
|
|
|
|
|
|
typedef struct {
|
|
// message digest
|
|
const EVP_MD *md;
|
|
const EC_GROUP *gen_group;
|
|
} EC_PKEY_CTX;
|
|
|
|
|
|
static int pkey_ec_init(EVP_PKEY_CTX *ctx) {
|
|
EC_PKEY_CTX *dctx;
|
|
dctx = OPENSSL_zalloc(sizeof(EC_PKEY_CTX));
|
|
if (!dctx) {
|
|
return 0;
|
|
}
|
|
|
|
ctx->data = dctx;
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
|
|
if (!pkey_ec_init(dst)) {
|
|
return 0;
|
|
}
|
|
|
|
const EC_PKEY_CTX *sctx = src->data;
|
|
EC_PKEY_CTX *dctx = dst->data;
|
|
dctx->md = sctx->md;
|
|
dctx->gen_group = sctx->gen_group;
|
|
return 1;
|
|
}
|
|
|
|
static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) {
|
|
EC_PKEY_CTX *dctx = ctx->data;
|
|
if (!dctx) {
|
|
return;
|
|
}
|
|
|
|
OPENSSL_free(dctx);
|
|
}
|
|
|
|
static int pkey_ec_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,
|
|
const uint8_t *tbs, size_t tbslen) {
|
|
unsigned int sltmp;
|
|
EC_KEY *ec = ctx->pkey->pkey.ec;
|
|
|
|
if (!sig) {
|
|
*siglen = ECDSA_size(ec);
|
|
return 1;
|
|
} else if (*siglen < (size_t)ECDSA_size(ec)) {
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
|
|
return 0;
|
|
}
|
|
|
|
if (!ECDSA_sign(0, tbs, tbslen, sig, &sltmp, ec)) {
|
|
return 0;
|
|
}
|
|
*siglen = (size_t)sltmp;
|
|
return 1;
|
|
}
|
|
|
|
static int pkey_ec_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,
|
|
const uint8_t *tbs, size_t tbslen) {
|
|
return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->pkey->pkey.ec);
|
|
}
|
|
|
|
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
|
|
size_t *keylen) {
|
|
const EC_POINT *pubkey = NULL;
|
|
EC_KEY *eckey;
|
|
uint8_t buf[EC_MAX_BYTES];
|
|
size_t buflen = sizeof(buf);
|
|
|
|
if (!ctx->pkey || !ctx->peerkey) {
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);
|
|
return 0;
|
|
}
|
|
|
|
eckey = ctx->pkey->pkey.ec;
|
|
|
|
if (!key) {
|
|
// This only outputs the expected |keylen| and does no actual crypto.
|
|
const EC_GROUP *group;
|
|
group = EC_KEY_get0_group(eckey);
|
|
*keylen = (EC_GROUP_get_degree(group) + 7) / 8;
|
|
return 1;
|
|
}
|
|
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
|
|
|
|
// NB: unlike PKCS#3 DH, if the returned buflen is less than
|
|
// the requested size in *keylen, this is not an error;
|
|
// the result is truncated.
|
|
// Note: This is an internal function which will not update
|
|
// the service indicator.
|
|
if (!ECDH_compute_shared_secret(buf, &buflen, pubkey, eckey)) {
|
|
return 0;
|
|
}
|
|
|
|
if (buflen < *keylen) {
|
|
*keylen = buflen;
|
|
}
|
|
OPENSSL_memcpy(key, buf, *keylen);
|
|
|
|
// Insert service indicator check here because the pointer address cannot be
|
|
// referenced from the higher level function |EVP_PKEY_derive|. |EC_KEY| is
|
|
// is the only possible key that can do derivations.
|
|
ECDH_verify_service_indicator(eckey);
|
|
return 1;
|
|
}
|
|
|
|
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
|
|
EC_PKEY_CTX *dctx = ctx->data;
|
|
|
|
switch (type) {
|
|
case EVP_PKEY_CTRL_MD: {
|
|
const EVP_MD *md = p2;
|
|
int md_type = EVP_MD_type(md);
|
|
if (md_type != NID_sha1 && md_type != NID_sha224 &&
|
|
md_type != NID_sha256 && md_type != NID_sha384 &&
|
|
md_type != NID_sha512 && md_type != NID_sha512_224 &&
|
|
md_type != NID_sha512_256 && md_type != NID_sha3_224 &&
|
|
md_type != NID_sha3_256 && md_type != NID_sha3_384 &&
|
|
md_type != NID_sha3_512
|
|
) {
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
|
|
return 0;
|
|
}
|
|
dctx->md = md;
|
|
return 1;
|
|
}
|
|
|
|
case EVP_PKEY_CTRL_GET_MD:
|
|
*(const EVP_MD **)p2 = dctx->md;
|
|
return 1;
|
|
|
|
case EVP_PKEY_CTRL_PEER_KEY:
|
|
// Default behaviour is OK
|
|
return 1;
|
|
|
|
case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: {
|
|
const EC_GROUP *group = EC_GROUP_new_by_curve_name(p1);
|
|
if (group == NULL) {
|
|
return 0;
|
|
}
|
|
dctx->gen_group = group;
|
|
return 1;
|
|
}
|
|
|
|
default:
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
|
|
const char *value) {
|
|
if (strcmp(type, "ec_paramgen_curve") == 0) {
|
|
int nid;
|
|
nid = EC_curve_nist2nid(value);
|
|
if (nid == NID_undef) {
|
|
nid = OBJ_sn2nid(value);
|
|
}
|
|
if (nid == NID_undef) {
|
|
nid = OBJ_ln2nid(value);
|
|
}
|
|
if (nid == NID_undef) {
|
|
OPENSSL_PUT_ERROR(EVP, EC_R_INVALID_ENCODING);
|
|
return 0;
|
|
}
|
|
return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
|
|
}
|
|
if (strcmp(type, "ec_param_enc") == 0) {
|
|
int param_enc;
|
|
// We don't support "explicit"
|
|
if (strcmp(value, "named_curve") == 0) {
|
|
param_enc = OPENSSL_EC_NAMED_CURVE;
|
|
} else {
|
|
return -2;
|
|
}
|
|
return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
|
|
}
|
|
|
|
// We don't support "ecdh_kdf_md" nor "ecdh_cofactor_mode"
|
|
|
|
return -2;
|
|
}
|
|
|
|
static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
|
|
int ret = 0;
|
|
EC_PKEY_CTX *dctx = ctx->data;
|
|
const EC_GROUP *group = dctx->gen_group;
|
|
if (group == NULL) {
|
|
if (ctx->pkey == NULL) {
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);
|
|
return 0;
|
|
}
|
|
group = EC_KEY_get0_group(ctx->pkey->pkey.ec);
|
|
}
|
|
EC_KEY *ec = EC_KEY_new();
|
|
// In FIPS build, |EC_KEY_generate_key_fips| updates the service indicator so lock it here
|
|
FIPS_service_indicator_lock_state();
|
|
if (ec == NULL ||
|
|
!EC_KEY_set_group(ec, group) ||
|
|
(!is_fips_build() && !EC_KEY_generate_key(ec)) ||
|
|
( is_fips_build() && !EC_KEY_generate_key_fips(ec))) {
|
|
EC_KEY_free(ec);
|
|
goto end;
|
|
}
|
|
|
|
EVP_PKEY_assign_EC_KEY(pkey, ec);
|
|
ret = 1;
|
|
end:
|
|
FIPS_service_indicator_unlock_state();
|
|
return ret;
|
|
}
|
|
|
|
static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
|
|
EC_PKEY_CTX *dctx = ctx->data;
|
|
if (dctx->gen_group == NULL) {
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);
|
|
return 0;
|
|
}
|
|
EC_KEY *ec = EC_KEY_new();
|
|
if (ec == NULL ||
|
|
!EC_KEY_set_group(ec, dctx->gen_group)) {
|
|
EC_KEY_free(ec);
|
|
return 0;
|
|
}
|
|
EVP_PKEY_assign_EC_KEY(pkey, ec);
|
|
return 1;
|
|
}
|
|
|
|
DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_ec_pkey_meth) {
|
|
out->pkey_id = EVP_PKEY_EC;
|
|
out->init = pkey_ec_init;
|
|
out->copy = pkey_ec_copy;
|
|
out->cleanup = pkey_ec_cleanup;
|
|
out->keygen = pkey_ec_keygen;
|
|
out->sign_init = NULL; /* sign_init */
|
|
out->sign = pkey_ec_sign;
|
|
out->sign_message = NULL; /* sign_message */
|
|
out->verify_init = NULL; /* verify_init */
|
|
out->verify = pkey_ec_verify;
|
|
out->verify_message = NULL; /* verify_message */
|
|
out->verify_recover = NULL; /* verify_recover */
|
|
out->encrypt = NULL; /* encrypt */
|
|
out->decrypt = NULL; /* decrypt */
|
|
out->derive = pkey_ec_derive;
|
|
out->paramgen = pkey_ec_paramgen;
|
|
out->ctrl = pkey_ec_ctrl;
|
|
out->ctrl_str = pkey_ec_ctrl_str;
|
|
}
|
|
|
|
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) {
|
|
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN,
|
|
EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL);
|
|
}
|
|
|
|
int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int encoding) {
|
|
// BoringSSL only supports named curve syntax.
|
|
if (encoding != OPENSSL_EC_NAMED_CURVE) {
|
|
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|