diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2013-07-17 15:01:08 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-07-17 21:45:00 +0100 |
commit | 25af7a5dbc05c7359d1d7f472d50d65a9d876b7e (patch) | |
tree | 2cc91a776a11118aa68be08f77ddb55157d186b3 /crypto/ec/ec_pmeth.c | |
parent | 6af440ced43d766e418c2eb0cda1525eecd3e62b (diff) |
Add support for X9.62 KDF.
Add X9.62 KDF to EC EVP_PKEY_METHOD.
Diffstat (limited to 'crypto/ec/ec_pmeth.c')
-rw-r--r-- | crypto/ec/ec_pmeth.c | 179 |
1 files changed, 175 insertions, 4 deletions
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 4110d5e4f0..689a173468 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -60,6 +60,7 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> #include <openssl/ec.h> +#include "ec_lcl.h" #include <openssl/ecdsa.h> #include <openssl/evp.h> #include "evp_locl.h" @@ -72,6 +73,20 @@ typedef struct EC_GROUP *gen_group; /* message digest */ const EVP_MD *md; + /* Duplicate key if custom cofactor needed */ + EC_KEY *co_key; + /* Cofactor mode */ + char cofactor_mode; + /* KDF (if any) to use for ECDH */ + char kdf_type; + /* Message digest to use for key derivation */ + const EVP_MD *kdf_md; + /* User key material */ + unsigned char *kdf_ukm; + size_t kdf_ukmlen; + /* KDF output length */ + size_t kdf_outlen; + } EC_PKEY_CTX; static int pkey_ec_init(EVP_PKEY_CTX *ctx) @@ -83,6 +98,14 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx) dctx->gen_group = NULL; dctx->md = NULL; + dctx->cofactor_mode = -1; + dctx->co_key = NULL; + dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE; + dctx->kdf_md = NULL; + dctx->kdf_outlen = 0; + dctx->kdf_ukm = NULL; + dctx->kdf_ukmlen = 0; + ctx->data = dctx; return 1; @@ -102,6 +125,25 @@ static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) return 0; } dctx->md = sctx->md; + + if (sctx->co_key) + { + dctx->co_key = EC_KEY_dup(sctx->co_key); + if (!dctx->co_key) + return 0; + } + dctx->kdf_type = sctx->kdf_type; + dctx->kdf_md = sctx->kdf_md; + dctx->kdf_outlen = sctx->kdf_outlen; + if (sctx->kdf_ukm) + { + dctx->kdf_ukm = BUF_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen); + if (!dctx->kdf_ukm) + return 0; + } + else + dctx->kdf_ukm = NULL; + dctx->kdf_ukmlen = sctx->kdf_ukmlen; return 1; } @@ -112,6 +154,10 @@ static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) { if (dctx->gen_group) EC_GROUP_free(dctx->gen_group); + if (dctx->co_key) + EC_KEY_free(dctx->co_key); + if (dctx->kdf_ukm) + OPENSSL_free(dctx->kdf_ukm); OPENSSL_free(dctx); } } @@ -172,20 +218,23 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) int ret; size_t outlen; const EC_POINT *pubkey = NULL; + EC_KEY *eckey; + EC_PKEY_CTX *dctx = ctx->data; if (!ctx->pkey || !ctx->peerkey) { ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET); return 0; } + eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec; + if (!key) { const EC_GROUP *group; - group = EC_KEY_get0_group(ctx->pkey->pkey.ec); + group = EC_KEY_get0_group(eckey); *keylen = (EC_GROUP_get_degree(group) + 7)/8; return 1; } - pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is @@ -194,13 +243,52 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) outlen = *keylen; - ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0); + ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0); if (ret < 0) return ret; *keylen = ret; return 1; } +static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, + unsigned char *key, size_t *keylen) + { + EC_PKEY_CTX *dctx = ctx->data; + unsigned char *ktmp = NULL; + size_t ktmplen; + int rv = 0; + if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE) + return pkey_ec_derive(ctx, key, keylen); + if (!key) + { + *keylen = dctx->kdf_outlen; + return 1; + } + if (*keylen != dctx->kdf_outlen) + return 0; + if (!pkey_ec_derive(ctx, NULL, &ktmplen)) + return 0; + ktmp = OPENSSL_malloc(ktmplen); + if (!ktmp) + return 0; + if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) + goto err; + /* Do KDF stuff */ + if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen, + dctx->kdf_ukm, dctx->kdf_ukmlen, + dctx->kdf_md)) + goto err; + rv = 1; + + err: + if (ktmp) + { + OPENSSL_cleanse(ktmp, ktmplen); + OPENSSL_free(ktmp); + } + return rv; + } + static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { EC_PKEY_CTX *dctx = ctx->data; @@ -228,6 +316,89 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) EC_GROUP_set_asn1_flag(dctx->gen_group, p1); return 1; + case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: + if (p1 == -2) + { + if (dctx->co_key) + return dctx->cofactor_mode; + else + { + EC_KEY *ec_key = ctx->pkey->pkey.ec; + return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; + } + } + else if (p1 < -1 || p1 > 1) + return -2; + dctx->cofactor_mode = p1; + if (p1 != -1) + { + EC_KEY *ec_key = ctx->pkey->pkey.ec; + if (!ec_key->group) + return -2; + /* If cofactor is 1 cofactor mode does nothing */ + if (BN_is_one(&ec_key->group->cofactor)) + return 1; + if (!dctx->co_key) + { + dctx->co_key = EC_KEY_dup(ec_key); + if (!dctx->co_key) + return 0; + } + if (p1) + EC_KEY_set_flags(dctx->co_key, + EC_FLAG_COFACTOR_ECDH); + else + EC_KEY_clear_flags(dctx->co_key, + EC_FLAG_COFACTOR_ECDH); + } + else if (dctx->co_key) + { + EC_KEY_free(dctx->co_key); + dctx->co_key = NULL; + } + return 1; + + case EVP_PKEY_CTRL_EC_KDF_TYPE: + if (p1 == -2) + return dctx->kdf_type; + if (p1 != EVP_PKEY_ECDH_KDF_NONE && + p1 != EVP_PKEY_ECDH_KDF_X9_62) + return -2; + dctx->kdf_type = p1; + return 1; + + case EVP_PKEY_CTRL_EC_KDF_MD: + dctx->kdf_md = p2; + return 1; + + case EVP_PKEY_CTRL_GET_EC_KDF_MD: + *(const EVP_MD **)p2 = dctx->kdf_md; + return 1; + + case EVP_PKEY_CTRL_EC_KDF_OUTLEN: + if (p1 <= 0) + return -2; + dctx->kdf_outlen = (size_t)p1; + return 1; + + case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: + *(int *)p2 = dctx->kdf_outlen; + return 1; + + case EVP_PKEY_CTRL_EC_KDF_UKM: + if (dctx->kdf_ukm) + OPENSSL_free(dctx->kdf_ukm); + dctx->kdf_ukm = p2; + if (p2) + dctx->kdf_ukmlen = p1; + else + dctx->kdf_ukmlen = 0; + return 1; + + case EVP_PKEY_CTRL_GET_EC_KDF_UKM: + *(unsigned char **)p2 = dctx->kdf_ukm; + return dctx->kdf_ukmlen; + case EVP_PKEY_CTRL_MD: if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 && EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 && @@ -369,7 +540,7 @@ const EVP_PKEY_METHOD ec_pkey_meth = 0,0, 0, - pkey_ec_derive, + pkey_ec_kdf_derive, pkey_ec_ctrl, pkey_ec_ctrl_str |