2
0

ec_ameth.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964
  1. /*
  2. * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/x509.h>
  12. #include <openssl/ec.h>
  13. #include <openssl/bn.h>
  14. #include <openssl/cms.h>
  15. #include <openssl/asn1t.h>
  16. #include "crypto/asn1.h"
  17. #include "crypto/evp.h"
  18. #include "ec_local.h"
  19. #ifndef OPENSSL_NO_CMS
  20. static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
  21. static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
  22. #endif
  23. static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key)
  24. {
  25. const EC_GROUP *group;
  26. int nid;
  27. if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) {
  28. ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS);
  29. return 0;
  30. }
  31. if (EC_GROUP_get_asn1_flag(group)
  32. && (nid = EC_GROUP_get_curve_name(group)))
  33. /* we have a 'named curve' => just set the OID */
  34. {
  35. ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid);
  36. if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
  37. ASN1_OBJECT_free(asn1obj);
  38. ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID);
  39. return 0;
  40. }
  41. *ppval = asn1obj;
  42. *pptype = V_ASN1_OBJECT;
  43. } else { /* explicit parameters */
  44. ASN1_STRING *pstr = NULL;
  45. pstr = ASN1_STRING_new();
  46. if (pstr == NULL)
  47. return 0;
  48. /*
  49. * The cast in the following line is intentional as the
  50. * `i2d_ECParameters` signature can't be constified (see discussion at
  51. * https://github.com/openssl/openssl/pull/9347 where related and
  52. * required constification backports were rejected).
  53. *
  54. * This cast should be safe anyway, because we can expect
  55. * `i2d_ECParameters()` to treat the first argument as if it was const.
  56. */
  57. pstr->length = i2d_ECParameters((EC_KEY *)ec_key, &pstr->data);
  58. if (pstr->length <= 0) {
  59. ASN1_STRING_free(pstr);
  60. ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
  61. return 0;
  62. }
  63. *ppval = pstr;
  64. *pptype = V_ASN1_SEQUENCE;
  65. }
  66. return 1;
  67. }
  68. static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
  69. {
  70. const EC_KEY *ec_key = pkey->pkey.ec;
  71. void *pval = NULL;
  72. int ptype;
  73. unsigned char *penc = NULL, *p;
  74. int penclen;
  75. if (!eckey_param2type(&ptype, &pval, ec_key)) {
  76. ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB);
  77. return 0;
  78. }
  79. penclen = i2o_ECPublicKey(ec_key, NULL);
  80. if (penclen <= 0)
  81. goto err;
  82. penc = OPENSSL_malloc(penclen);
  83. if (penc == NULL)
  84. goto err;
  85. p = penc;
  86. penclen = i2o_ECPublicKey(ec_key, &p);
  87. if (penclen <= 0)
  88. goto err;
  89. if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),
  90. ptype, pval, penc, penclen))
  91. return 1;
  92. err:
  93. if (ptype == V_ASN1_OBJECT)
  94. ASN1_OBJECT_free(pval);
  95. else
  96. ASN1_STRING_free(pval);
  97. OPENSSL_free(penc);
  98. return 0;
  99. }
  100. static EC_KEY *eckey_type2param(int ptype, const void *pval)
  101. {
  102. EC_KEY *eckey = NULL;
  103. EC_GROUP *group = NULL;
  104. if (ptype == V_ASN1_SEQUENCE) {
  105. const ASN1_STRING *pstr = pval;
  106. const unsigned char *pm = pstr->data;
  107. int pmlen = pstr->length;
  108. if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
  109. ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
  110. goto ecerr;
  111. }
  112. } else if (ptype == V_ASN1_OBJECT) {
  113. const ASN1_OBJECT *poid = pval;
  114. /*
  115. * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
  116. */
  117. if ((eckey = EC_KEY_new()) == NULL) {
  118. ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE);
  119. goto ecerr;
  120. }
  121. group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid));
  122. if (group == NULL)
  123. goto ecerr;
  124. EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
  125. if (EC_KEY_set_group(eckey, group) == 0)
  126. goto ecerr;
  127. EC_GROUP_free(group);
  128. } else {
  129. ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
  130. goto ecerr;
  131. }
  132. return eckey;
  133. ecerr:
  134. EC_KEY_free(eckey);
  135. EC_GROUP_free(group);
  136. return NULL;
  137. }
  138. static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
  139. {
  140. const unsigned char *p = NULL;
  141. const void *pval;
  142. int ptype, pklen;
  143. EC_KEY *eckey = NULL;
  144. X509_ALGOR *palg;
  145. if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
  146. return 0;
  147. X509_ALGOR_get0(NULL, &ptype, &pval, palg);
  148. eckey = eckey_type2param(ptype, pval);
  149. if (!eckey) {
  150. ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB);
  151. return 0;
  152. }
  153. /* We have parameters now set public key */
  154. if (!o2i_ECPublicKey(&eckey, &p, pklen)) {
  155. ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR);
  156. goto ecerr;
  157. }
  158. EVP_PKEY_assign_EC_KEY(pkey, eckey);
  159. return 1;
  160. ecerr:
  161. EC_KEY_free(eckey);
  162. return 0;
  163. }
  164. static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
  165. {
  166. int r;
  167. const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec);
  168. const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec),
  169. *pb = EC_KEY_get0_public_key(b->pkey.ec);
  170. if (group == NULL || pa == NULL || pb == NULL)
  171. return -2;
  172. r = EC_POINT_cmp(group, pa, pb, NULL);
  173. if (r == 0)
  174. return 1;
  175. if (r == 1)
  176. return 0;
  177. return -2;
  178. }
  179. static int eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
  180. {
  181. const unsigned char *p = NULL;
  182. const void *pval;
  183. int ptype, pklen;
  184. EC_KEY *eckey = NULL;
  185. const X509_ALGOR *palg;
  186. if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
  187. return 0;
  188. X509_ALGOR_get0(NULL, &ptype, &pval, palg);
  189. eckey = eckey_type2param(ptype, pval);
  190. if (!eckey)
  191. goto ecliberr;
  192. /* We have parameters now set private key */
  193. if (!d2i_ECPrivateKey(&eckey, &p, pklen)) {
  194. ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR);
  195. goto ecerr;
  196. }
  197. EVP_PKEY_assign_EC_KEY(pkey, eckey);
  198. return 1;
  199. ecliberr:
  200. ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
  201. ecerr:
  202. EC_KEY_free(eckey);
  203. return 0;
  204. }
  205. static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
  206. {
  207. EC_KEY ec_key = *(pkey->pkey.ec);
  208. unsigned char *ep, *p;
  209. int eplen, ptype;
  210. void *pval;
  211. unsigned int old_flags;
  212. if (!eckey_param2type(&ptype, &pval, &ec_key)) {
  213. ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR);
  214. return 0;
  215. }
  216. /* set the private key */
  217. /*
  218. * do not include the parameters in the SEC1 private key see PKCS#11
  219. * 12.11
  220. */
  221. old_flags = EC_KEY_get_enc_flags(&ec_key);
  222. EC_KEY_set_enc_flags(&ec_key, old_flags | EC_PKEY_NO_PARAMETERS);
  223. eplen = i2d_ECPrivateKey(&ec_key, NULL);
  224. if (!eplen) {
  225. ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
  226. return 0;
  227. }
  228. ep = OPENSSL_malloc(eplen);
  229. if (ep == NULL) {
  230. ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
  231. return 0;
  232. }
  233. p = ep;
  234. if (!i2d_ECPrivateKey(&ec_key, &p)) {
  235. OPENSSL_free(ep);
  236. ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
  237. return 0;
  238. }
  239. if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
  240. ptype, pval, ep, eplen)) {
  241. OPENSSL_free(ep);
  242. return 0;
  243. }
  244. return 1;
  245. }
  246. static int int_ec_size(const EVP_PKEY *pkey)
  247. {
  248. return ECDSA_size(pkey->pkey.ec);
  249. }
  250. static int ec_bits(const EVP_PKEY *pkey)
  251. {
  252. return EC_GROUP_order_bits(EC_KEY_get0_group(pkey->pkey.ec));
  253. }
  254. static int ec_security_bits(const EVP_PKEY *pkey)
  255. {
  256. int ecbits = ec_bits(pkey);
  257. if (ecbits >= 512)
  258. return 256;
  259. if (ecbits >= 384)
  260. return 192;
  261. if (ecbits >= 256)
  262. return 128;
  263. if (ecbits >= 224)
  264. return 112;
  265. if (ecbits >= 160)
  266. return 80;
  267. return ecbits / 2;
  268. }
  269. static int ec_missing_parameters(const EVP_PKEY *pkey)
  270. {
  271. if (pkey->pkey.ec == NULL || EC_KEY_get0_group(pkey->pkey.ec) == NULL)
  272. return 1;
  273. return 0;
  274. }
  275. static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
  276. {
  277. EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec));
  278. if (group == NULL)
  279. return 0;
  280. if (to->pkey.ec == NULL) {
  281. to->pkey.ec = EC_KEY_new();
  282. if (to->pkey.ec == NULL)
  283. goto err;
  284. }
  285. if (EC_KEY_set_group(to->pkey.ec, group) == 0)
  286. goto err;
  287. EC_GROUP_free(group);
  288. return 1;
  289. err:
  290. EC_GROUP_free(group);
  291. return 0;
  292. }
  293. static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
  294. {
  295. const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec),
  296. *group_b = EC_KEY_get0_group(b->pkey.ec);
  297. if (group_a == NULL || group_b == NULL)
  298. return -2;
  299. if (EC_GROUP_cmp(group_a, group_b, NULL))
  300. return 0;
  301. else
  302. return 1;
  303. }
  304. static void int_ec_free(EVP_PKEY *pkey)
  305. {
  306. EC_KEY_free(pkey->pkey.ec);
  307. }
  308. typedef enum {
  309. EC_KEY_PRINT_PRIVATE,
  310. EC_KEY_PRINT_PUBLIC,
  311. EC_KEY_PRINT_PARAM
  312. } ec_print_t;
  313. static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, ec_print_t ktype)
  314. {
  315. const char *ecstr;
  316. unsigned char *priv = NULL, *pub = NULL;
  317. size_t privlen = 0, publen = 0;
  318. int ret = 0;
  319. const EC_GROUP *group;
  320. if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) {
  321. ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_PASSED_NULL_PARAMETER);
  322. return 0;
  323. }
  324. if (ktype != EC_KEY_PRINT_PARAM && EC_KEY_get0_public_key(x) != NULL) {
  325. publen = EC_KEY_key2buf(x, EC_KEY_get_conv_form(x), &pub, NULL);
  326. if (publen == 0)
  327. goto err;
  328. }
  329. if (ktype == EC_KEY_PRINT_PRIVATE && EC_KEY_get0_private_key(x) != NULL) {
  330. privlen = EC_KEY_priv2buf(x, &priv);
  331. if (privlen == 0)
  332. goto err;
  333. }
  334. if (ktype == EC_KEY_PRINT_PRIVATE)
  335. ecstr = "Private-Key";
  336. else if (ktype == EC_KEY_PRINT_PUBLIC)
  337. ecstr = "Public-Key";
  338. else
  339. ecstr = "ECDSA-Parameters";
  340. if (!BIO_indent(bp, off, 128))
  341. goto err;
  342. if (BIO_printf(bp, "%s: (%d bit)\n", ecstr,
  343. EC_GROUP_order_bits(group)) <= 0)
  344. goto err;
  345. if (privlen != 0) {
  346. if (BIO_printf(bp, "%*spriv:\n", off, "") <= 0)
  347. goto err;
  348. if (ASN1_buf_print(bp, priv, privlen, off + 4) == 0)
  349. goto err;
  350. }
  351. if (publen != 0) {
  352. if (BIO_printf(bp, "%*spub:\n", off, "") <= 0)
  353. goto err;
  354. if (ASN1_buf_print(bp, pub, publen, off + 4) == 0)
  355. goto err;
  356. }
  357. if (!ECPKParameters_print(bp, group, off))
  358. goto err;
  359. ret = 1;
  360. err:
  361. if (!ret)
  362. ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_EC_LIB);
  363. OPENSSL_clear_free(priv, privlen);
  364. OPENSSL_free(pub);
  365. return ret;
  366. }
  367. static int eckey_param_decode(EVP_PKEY *pkey,
  368. const unsigned char **pder, int derlen)
  369. {
  370. EC_KEY *eckey;
  371. if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) {
  372. ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB);
  373. return 0;
  374. }
  375. EVP_PKEY_assign_EC_KEY(pkey, eckey);
  376. return 1;
  377. }
  378. static int eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
  379. {
  380. return i2d_ECParameters(pkey->pkey.ec, pder);
  381. }
  382. static int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  383. ASN1_PCTX *ctx)
  384. {
  385. return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PARAM);
  386. }
  387. static int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  388. ASN1_PCTX *ctx)
  389. {
  390. return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PUBLIC);
  391. }
  392. static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
  393. ASN1_PCTX *ctx)
  394. {
  395. return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PRIVATE);
  396. }
  397. static int old_ec_priv_decode(EVP_PKEY *pkey,
  398. const unsigned char **pder, int derlen)
  399. {
  400. EC_KEY *ec;
  401. if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) {
  402. ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR);
  403. return 0;
  404. }
  405. EVP_PKEY_assign_EC_KEY(pkey, ec);
  406. return 1;
  407. }
  408. static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
  409. {
  410. return i2d_ECPrivateKey(pkey->pkey.ec, pder);
  411. }
  412. static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
  413. {
  414. switch (op) {
  415. case ASN1_PKEY_CTRL_PKCS7_SIGN:
  416. if (arg1 == 0) {
  417. int snid, hnid;
  418. X509_ALGOR *alg1, *alg2;
  419. PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2);
  420. if (alg1 == NULL || alg1->algorithm == NULL)
  421. return -1;
  422. hnid = OBJ_obj2nid(alg1->algorithm);
  423. if (hnid == NID_undef)
  424. return -1;
  425. if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
  426. return -1;
  427. X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
  428. }
  429. return 1;
  430. #ifndef OPENSSL_NO_CMS
  431. case ASN1_PKEY_CTRL_CMS_SIGN:
  432. if (arg1 == 0) {
  433. int snid, hnid;
  434. X509_ALGOR *alg1, *alg2;
  435. CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2);
  436. if (alg1 == NULL || alg1->algorithm == NULL)
  437. return -1;
  438. hnid = OBJ_obj2nid(alg1->algorithm);
  439. if (hnid == NID_undef)
  440. return -1;
  441. if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
  442. return -1;
  443. X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
  444. }
  445. return 1;
  446. case ASN1_PKEY_CTRL_CMS_ENVELOPE:
  447. if (arg1 == 1)
  448. return ecdh_cms_decrypt(arg2);
  449. else if (arg1 == 0)
  450. return ecdh_cms_encrypt(arg2);
  451. return -2;
  452. case ASN1_PKEY_CTRL_CMS_RI_TYPE:
  453. *(int *)arg2 = CMS_RECIPINFO_AGREE;
  454. return 1;
  455. #endif
  456. case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
  457. if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) {
  458. /* For SM2, the only valid digest-alg is SM3 */
  459. *(int *)arg2 = NID_sm3;
  460. } else {
  461. *(int *)arg2 = NID_sha256;
  462. }
  463. return 1;
  464. case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
  465. return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL);
  466. case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
  467. return EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(pkey),
  468. POINT_CONVERSION_UNCOMPRESSED, arg2, NULL);
  469. default:
  470. return -2;
  471. }
  472. }
  473. static int ec_pkey_check(const EVP_PKEY *pkey)
  474. {
  475. EC_KEY *eckey = pkey->pkey.ec;
  476. /* stay consistent to what EVP_PKEY_check demands */
  477. if (eckey->priv_key == NULL) {
  478. ECerr(EC_F_EC_PKEY_CHECK, EC_R_MISSING_PRIVATE_KEY);
  479. return 0;
  480. }
  481. return EC_KEY_check_key(eckey);
  482. }
  483. static int ec_pkey_public_check(const EVP_PKEY *pkey)
  484. {
  485. EC_KEY *eckey = pkey->pkey.ec;
  486. /*
  487. * Note: it unnecessary to check eckey->pub_key here since
  488. * it will be checked in EC_KEY_check_key(). In fact, the
  489. * EC_KEY_check_key() mainly checks the public key, and checks
  490. * the private key optionally (only if there is one). So if
  491. * someone passes a whole EC key (public + private), this
  492. * will also work...
  493. */
  494. return EC_KEY_check_key(eckey);
  495. }
  496. static int ec_pkey_param_check(const EVP_PKEY *pkey)
  497. {
  498. EC_KEY *eckey = pkey->pkey.ec;
  499. /* stay consistent to what EVP_PKEY_check demands */
  500. if (eckey->group == NULL) {
  501. ECerr(EC_F_EC_PKEY_PARAM_CHECK, EC_R_MISSING_PARAMETERS);
  502. return 0;
  503. }
  504. return EC_GROUP_check(eckey->group, NULL);
  505. }
  506. const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
  507. EVP_PKEY_EC,
  508. EVP_PKEY_EC,
  509. 0,
  510. "EC",
  511. "OpenSSL EC algorithm",
  512. eckey_pub_decode,
  513. eckey_pub_encode,
  514. eckey_pub_cmp,
  515. eckey_pub_print,
  516. eckey_priv_decode,
  517. eckey_priv_encode,
  518. eckey_priv_print,
  519. int_ec_size,
  520. ec_bits,
  521. ec_security_bits,
  522. eckey_param_decode,
  523. eckey_param_encode,
  524. ec_missing_parameters,
  525. ec_copy_parameters,
  526. ec_cmp_parameters,
  527. eckey_param_print,
  528. 0,
  529. int_ec_free,
  530. ec_pkey_ctrl,
  531. old_ec_priv_decode,
  532. old_ec_priv_encode,
  533. 0, 0, 0,
  534. ec_pkey_check,
  535. ec_pkey_public_check,
  536. ec_pkey_param_check
  537. };
  538. #if !defined(OPENSSL_NO_SM2)
  539. const EVP_PKEY_ASN1_METHOD sm2_asn1_meth = {
  540. EVP_PKEY_SM2,
  541. EVP_PKEY_EC,
  542. ASN1_PKEY_ALIAS
  543. };
  544. #endif
  545. int EC_KEY_print(BIO *bp, const EC_KEY *x, int off)
  546. {
  547. int private = EC_KEY_get0_private_key(x) != NULL;
  548. return do_EC_KEY_print(bp, x, off,
  549. private ? EC_KEY_PRINT_PRIVATE : EC_KEY_PRINT_PUBLIC);
  550. }
  551. int ECParameters_print(BIO *bp, const EC_KEY *x)
  552. {
  553. return do_EC_KEY_print(bp, x, 4, EC_KEY_PRINT_PARAM);
  554. }
  555. #ifndef OPENSSL_NO_CMS
  556. static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
  557. X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
  558. {
  559. const ASN1_OBJECT *aoid;
  560. int atype;
  561. const void *aval;
  562. int rv = 0;
  563. EVP_PKEY *pkpeer = NULL;
  564. EC_KEY *ecpeer = NULL;
  565. const unsigned char *p;
  566. int plen;
  567. X509_ALGOR_get0(&aoid, &atype, &aval, alg);
  568. if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
  569. goto err;
  570. /* If absent parameters get group from main key */
  571. if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) {
  572. const EC_GROUP *grp;
  573. EVP_PKEY *pk;
  574. pk = EVP_PKEY_CTX_get0_pkey(pctx);
  575. if (!pk)
  576. goto err;
  577. grp = EC_KEY_get0_group(pk->pkey.ec);
  578. ecpeer = EC_KEY_new();
  579. if (ecpeer == NULL)
  580. goto err;
  581. if (!EC_KEY_set_group(ecpeer, grp))
  582. goto err;
  583. } else {
  584. ecpeer = eckey_type2param(atype, aval);
  585. if (!ecpeer)
  586. goto err;
  587. }
  588. /* We have parameters now set public key */
  589. plen = ASN1_STRING_length(pubkey);
  590. p = ASN1_STRING_get0_data(pubkey);
  591. if (!p || !plen)
  592. goto err;
  593. if (!o2i_ECPublicKey(&ecpeer, &p, plen))
  594. goto err;
  595. pkpeer = EVP_PKEY_new();
  596. if (pkpeer == NULL)
  597. goto err;
  598. EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer);
  599. if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
  600. rv = 1;
  601. err:
  602. EC_KEY_free(ecpeer);
  603. EVP_PKEY_free(pkpeer);
  604. return rv;
  605. }
  606. /* Set KDF parameters based on KDF NID */
  607. static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
  608. {
  609. int kdf_nid, kdfmd_nid, cofactor;
  610. const EVP_MD *kdf_md;
  611. if (eckdf_nid == NID_undef)
  612. return 0;
  613. /* Lookup KDF type, cofactor mode and digest */
  614. if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid))
  615. return 0;
  616. if (kdf_nid == NID_dh_std_kdf)
  617. cofactor = 0;
  618. else if (kdf_nid == NID_dh_cofactor_kdf)
  619. cofactor = 1;
  620. else
  621. return 0;
  622. if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
  623. return 0;
  624. if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
  625. return 0;
  626. kdf_md = EVP_get_digestbynid(kdfmd_nid);
  627. if (!kdf_md)
  628. return 0;
  629. if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
  630. return 0;
  631. return 1;
  632. }
  633. static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
  634. {
  635. int rv = 0;
  636. X509_ALGOR *alg, *kekalg = NULL;
  637. ASN1_OCTET_STRING *ukm;
  638. const unsigned char *p;
  639. unsigned char *der = NULL;
  640. int plen, keylen;
  641. const EVP_CIPHER *kekcipher;
  642. EVP_CIPHER_CTX *kekctx;
  643. if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
  644. return 0;
  645. if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
  646. ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR);
  647. return 0;
  648. }
  649. if (alg->parameter->type != V_ASN1_SEQUENCE)
  650. return 0;
  651. p = alg->parameter->value.sequence->data;
  652. plen = alg->parameter->value.sequence->length;
  653. kekalg = d2i_X509_ALGOR(NULL, &p, plen);
  654. if (!kekalg)
  655. goto err;
  656. kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  657. if (!kekctx)
  658. goto err;
  659. kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
  660. if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
  661. goto err;
  662. if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
  663. goto err;
  664. if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
  665. goto err;
  666. keylen = EVP_CIPHER_CTX_key_length(kekctx);
  667. if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
  668. goto err;
  669. plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen);
  670. if (!plen)
  671. goto err;
  672. if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0)
  673. goto err;
  674. der = NULL;
  675. rv = 1;
  676. err:
  677. X509_ALGOR_free(kekalg);
  678. OPENSSL_free(der);
  679. return rv;
  680. }
  681. static int ecdh_cms_decrypt(CMS_RecipientInfo *ri)
  682. {
  683. EVP_PKEY_CTX *pctx;
  684. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  685. if (!pctx)
  686. return 0;
  687. /* See if we need to set peer key */
  688. if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
  689. X509_ALGOR *alg;
  690. ASN1_BIT_STRING *pubkey;
  691. if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
  692. NULL, NULL, NULL))
  693. return 0;
  694. if (!alg || !pubkey)
  695. return 0;
  696. if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) {
  697. ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_PEER_KEY_ERROR);
  698. return 0;
  699. }
  700. }
  701. /* Set ECDH derivation parameters and initialise unwrap context */
  702. if (!ecdh_cms_set_shared_info(pctx, ri)) {
  703. ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_SHARED_INFO_ERROR);
  704. return 0;
  705. }
  706. return 1;
  707. }
  708. static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
  709. {
  710. EVP_PKEY_CTX *pctx;
  711. EVP_PKEY *pkey;
  712. EVP_CIPHER_CTX *ctx;
  713. int keylen;
  714. X509_ALGOR *talg, *wrap_alg = NULL;
  715. const ASN1_OBJECT *aoid;
  716. ASN1_BIT_STRING *pubkey;
  717. ASN1_STRING *wrap_str;
  718. ASN1_OCTET_STRING *ukm;
  719. unsigned char *penc = NULL;
  720. int penclen;
  721. int rv = 0;
  722. int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
  723. const EVP_MD *kdf_md;
  724. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  725. if (!pctx)
  726. return 0;
  727. /* Get ephemeral key */
  728. pkey = EVP_PKEY_CTX_get0_pkey(pctx);
  729. if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
  730. NULL, NULL, NULL))
  731. goto err;
  732. X509_ALGOR_get0(&aoid, NULL, NULL, talg);
  733. /* Is everything uninitialised? */
  734. if (aoid == OBJ_nid2obj(NID_undef)) {
  735. EC_KEY *eckey = pkey->pkey.ec;
  736. /* Set the key */
  737. unsigned char *p;
  738. penclen = i2o_ECPublicKey(eckey, NULL);
  739. if (penclen <= 0)
  740. goto err;
  741. penc = OPENSSL_malloc(penclen);
  742. if (penc == NULL)
  743. goto err;
  744. p = penc;
  745. penclen = i2o_ECPublicKey(eckey, &p);
  746. if (penclen <= 0)
  747. goto err;
  748. ASN1_STRING_set0(pubkey, penc, penclen);
  749. pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
  750. pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
  751. penc = NULL;
  752. X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
  753. V_ASN1_UNDEF, NULL);
  754. }
  755. /* See if custom parameters set */
  756. kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx);
  757. if (kdf_type <= 0)
  758. goto err;
  759. if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md))
  760. goto err;
  761. ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx);
  762. if (ecdh_nid < 0)
  763. goto err;
  764. else if (ecdh_nid == 0)
  765. ecdh_nid = NID_dh_std_kdf;
  766. else if (ecdh_nid == 1)
  767. ecdh_nid = NID_dh_cofactor_kdf;
  768. if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
  769. kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
  770. if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
  771. goto err;
  772. } else
  773. /* Unknown KDF */
  774. goto err;
  775. if (kdf_md == NULL) {
  776. /* Fixme later for better MD */
  777. kdf_md = EVP_sha1();
  778. if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
  779. goto err;
  780. }
  781. if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
  782. goto err;
  783. /* Lookup NID for KDF+cofactor+digest */
  784. if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid))
  785. goto err;
  786. /* Get wrap NID */
  787. ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  788. wrap_nid = EVP_CIPHER_CTX_type(ctx);
  789. keylen = EVP_CIPHER_CTX_key_length(ctx);
  790. /* Package wrap algorithm in an AlgorithmIdentifier */
  791. wrap_alg = X509_ALGOR_new();
  792. if (wrap_alg == NULL)
  793. goto err;
  794. wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
  795. wrap_alg->parameter = ASN1_TYPE_new();
  796. if (wrap_alg->parameter == NULL)
  797. goto err;
  798. if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
  799. goto err;
  800. if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
  801. ASN1_TYPE_free(wrap_alg->parameter);
  802. wrap_alg->parameter = NULL;
  803. }
  804. if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
  805. goto err;
  806. penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);
  807. if (!penclen)
  808. goto err;
  809. if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
  810. goto err;
  811. penc = NULL;
  812. /*
  813. * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
  814. * of another AlgorithmIdentifier.
  815. */
  816. penclen = i2d_X509_ALGOR(wrap_alg, &penc);
  817. if (!penc || !penclen)
  818. goto err;
  819. wrap_str = ASN1_STRING_new();
  820. if (wrap_str == NULL)
  821. goto err;
  822. ASN1_STRING_set0(wrap_str, penc, penclen);
  823. penc = NULL;
  824. X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
  825. rv = 1;
  826. err:
  827. OPENSSL_free(penc);
  828. X509_ALGOR_free(wrap_alg);
  829. return rv;
  830. }
  831. #endif