diff options
| author | Nicola Tuveri <nic.tuv@gmail.com> | 2019-12-15 00:20:53 +0200 |
|---|---|---|
| committer | Nicola Tuveri <nic.tuv@gmail.com> | 2020-02-18 19:11:10 +0200 |
| commit | 4fe54d674f14e7964f982285d1aeb86698a33c3c (patch) | |
| tree | 22b2e7ef133ef38ba551719538d68422f2d0b500 /providers | |
| parent | cf6404b14198b96a882affe917bb337e2626136c (diff) | |
[PROV][KMGMT][KEXCH][EC] Implement EC keymgtm and ECDH
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/defltprov.c | 2 | ||||
| -rw-r--r-- | providers/implementations/exchange/build.info | 2 | ||||
| -rw-r--r-- | providers/implementations/exchange/ecdh_exch.c | 533 | ||||
| -rw-r--r-- | providers/implementations/include/prov/implementations.h | 2 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/build.info | 4 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/ec_kmgmt.c | 630 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/ec_kmgmt_imexport.inc | 100 |
7 files changed, 1273 insertions, 0 deletions
diff --git a/providers/defltprov.c b/providers/defltprov.c index 6740a8e58f..3819c61659 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -373,6 +373,7 @@ static const OSSL_ALGORITHM deflt_keyexch[] = { { "DH:dhKeyAgreement", "default=yes", dh_keyexch_functions }, #endif #ifndef OPENSSL_NO_EC + { "ECDH:id-ecPublicKey", "default=yes", ecdh_keyexch_functions }, { "X25519", "default=yes", x25519_keyexch_functions }, { "X448", "default=yes", x448_keyexch_functions }, #endif @@ -400,6 +401,7 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = { #endif { "RSA:rsaEncryption", "default=yes", rsa_keymgmt_functions }, #ifndef OPENSSL_NO_EC + { "EC:id-ecPublicKey", "default=yes", ec_keymgmt_functions }, { "X25519", "default=yes", x25519_keymgmt_functions }, { "X448", "default=yes", x448_keymgmt_functions }, #endif diff --git a/providers/implementations/exchange/build.info b/providers/implementations/exchange/build.info index 51d32fc090..82b688def3 100644 --- a/providers/implementations/exchange/build.info +++ b/providers/implementations/exchange/build.info @@ -3,6 +3,7 @@ $DH_GOAL=../../libimplementations.a $ECX_GOAL=../../libimplementations.a +$ECDH_GOAL=../../libimplementations.a IF[{- !$disabled{dh} -}] SOURCE[$DH_GOAL]=dh_exch.c @@ -21,4 +22,5 @@ ENDIF IF[{- !$disabled{ec} -}] SOURCE[$ECX_GOAL]=ecx_exch.c DEFINE[$ECX_GOAL]=$ECDEF + SOURCE[$ECDH_GOAL]=ecdh_exch.c ENDIF diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c new file mode 100644 index 0000000000..bf353fa175 --- /dev/null +++ b/providers/implementations/exchange/ecdh_exch.c @@ -0,0 +1,533 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * ECDH low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <string.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/core_numbers.h> +#include <openssl/core_names.h> +#include <openssl/ec.h> +#include <openssl/params.h> +#include <openssl/err.h> +#include "prov/provider_ctx.h" +#include "prov/implementations.h" +#include "crypto/ec.h" /* ecdh_KDF_X9_63() */ + +static OSSL_OP_keyexch_newctx_fn ecdh_newctx; +static OSSL_OP_keyexch_init_fn ecdh_init; +static OSSL_OP_keyexch_set_peer_fn ecdh_set_peer; +static OSSL_OP_keyexch_derive_fn ecdh_derive; +static OSSL_OP_keyexch_freectx_fn ecdh_freectx; +static OSSL_OP_keyexch_dupctx_fn ecdh_dupctx; +static OSSL_OP_keyexch_set_ctx_params_fn ecdh_set_ctx_params; +static OSSL_OP_keyexch_settable_ctx_params_fn ecdh_settable_ctx_params; +static OSSL_OP_keyexch_get_ctx_params_fn ecdh_get_ctx_params; +static OSSL_OP_keyexch_gettable_ctx_params_fn ecdh_gettable_ctx_params; + +enum kdf_type { + PROV_ECDH_KDF_NONE = 0, + PROV_ECDH_KDF_X9_63 +}; + +/* + * What's passed as an actual key is defined by the KEYMGMT interface. + * We happen to know that our KEYMGMT simply passes EC_KEY structures, so + * we use that here too. + */ + +typedef struct { + OPENSSL_CTX *libctx; + + EC_KEY *k; + EC_KEY *peerk; + + /* + * ECDH cofactor mode: + * + * . 0 disabled + * . 1 enabled + * . -1 use cofactor mode set for k + */ + int cofactor_mode; + + /************ + * ECDH KDF * + ************/ + /* KDF (if any) to use for ECDH */ + enum kdf_type kdf_type; + /* Message digest to use for key derivation */ + EVP_MD *kdf_md; + /* User key material */ + unsigned char *kdf_ukm; + size_t kdf_ukmlen; + /* KDF output length */ + size_t kdf_outlen; +} PROV_ECDH_CTX; + +static +void *ecdh_newctx(void *provctx) +{ + PROV_ECDH_CTX *pectx = OPENSSL_zalloc(sizeof(*pectx)); + + if (pectx == NULL) + return NULL; + + pectx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx); + pectx->cofactor_mode = -1; + pectx->kdf_type = PROV_ECDH_KDF_NONE; + + return (void *)pectx; +} + +static +int ecdh_init(void *vpecdhctx, void *vecdh) +{ + PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; + + if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh)) + return 0; + EC_KEY_free(pecdhctx->k); + pecdhctx->k = vecdh; + pecdhctx->cofactor_mode = -1; + pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; + return 1; +} + +static +int ecdh_set_peer(void *vpecdhctx, void *vecdh) +{ + PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; + + if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh)) + return 0; + EC_KEY_free(pecdhctx->peerk); + pecdhctx->peerk = vecdh; + return 1; +} + +static +void ecdh_freectx(void *vpecdhctx) +{ + PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; + + EC_KEY_free(pecdhctx->k); + EC_KEY_free(pecdhctx->peerk); + + EVP_MD_free(pecdhctx->kdf_md); + OPENSSL_clear_free(pecdhctx->kdf_ukm, pecdhctx->kdf_ukmlen); + + OPENSSL_free(pecdhctx); +} + +static +void *ecdh_dupctx(void *vpecdhctx) +{ + PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx; + PROV_ECDH_CTX *dstctx; + + dstctx = OPENSSL_zalloc(sizeof(*srcctx)); + if (dstctx == NULL) + return NULL; + + *dstctx = *srcctx; + + /* clear all pointers */ + + dstctx->k= NULL; + dstctx->peerk = NULL; + dstctx->kdf_md = NULL; + dstctx->kdf_ukm = NULL; + + /* up-ref all ref-counted objects referenced in dstctx */ + + if (srcctx->k != NULL && !EC_KEY_up_ref(srcctx->k)) + goto err; + else + dstctx->k = srcctx->k; + + if (srcctx->peerk != NULL && !EC_KEY_up_ref(srcctx->peerk)) + goto err; + else + dstctx->peerk = srcctx->peerk; + + if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md)) + goto err; + else + dstctx->kdf_md = srcctx->kdf_md; + + /* Duplicate UKM data if present */ + if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) { + dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm, + srcctx->kdf_ukmlen); + if (dstctx->kdf_ukm == NULL) + goto err; + } + + return dstctx; + + err: + ecdh_freectx(dstctx); + return NULL; +} + +static +int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) +{ + char name[80] = { '\0' }; /* should be big enough */ + char *str = NULL; + PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx; + const OSSL_PARAM *p; + + if (pectx == NULL || params == NULL) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE); + if (p != NULL) { + int mode; + + if (!OSSL_PARAM_get_int(p, &mode)) + return 0; + + if (mode < -1 || mode > 1) + return 0; + + pectx->cofactor_mode = mode; + } + + p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE); + if (p != NULL) { + str = name; + if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name))) + return 0; + + if (name[0] == '\0') + pectx->kdf_type = PROV_ECDH_KDF_NONE; + else if (strcmp(name, OSSL_KDF_NAME_X963KDF) == 0) + pectx->kdf_type = PROV_ECDH_KDF_X9_63; + else + return 0; + } + + p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST); + if (p != NULL) { + char mdprops[80] = { '\0' }; /* should be big enough */ + + str = name; + if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name))) + return 0; + + str = mdprops; + p = OSSL_PARAM_locate_const(params, + OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS); + + if (p != NULL) { + if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops))) + return 0; + } + + EVP_MD_free(pectx->kdf_md); + pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); + + if (pectx->kdf_md == NULL) + return 0; + } + + p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN); + if (p != NULL) { + size_t outlen; + + if (!OSSL_PARAM_get_size_t(p, &outlen)) + return 0; + pectx->kdf_outlen = outlen; + } + + p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM); + if (p != NULL) { + void *tmp_ukm = NULL; + size_t tmp_ukmlen; + + if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen)) + return 0; + OPENSSL_free(pectx->kdf_ukm); + pectx->kdf_ukm = tmp_ukm; + pectx->kdf_ukmlen = tmp_ukmlen; + } + + return 1; +} + +static const OSSL_PARAM known_settable_ctx_params[] = { + OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL), + OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0), + OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL), + OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0), + OSSL_PARAM_END +}; + +static +const OSSL_PARAM *ecdh_settable_ctx_params(void) +{ + return known_settable_ctx_params; +} + +static +int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[]) +{ + PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx; + OSSL_PARAM *p; + + if (pectx == NULL || params == NULL) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE); + if (p != NULL) { + int mode = pectx->cofactor_mode; + + if (mode == -1) { + /* check what is the default for pecdhctx->k */ + mode = EC_KEY_get_flags(pectx->k) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; + } + + if (!OSSL_PARAM_set_int(p, mode)) + return 0; + } + + p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE); + if (p != NULL) { + const char *kdf_type = NULL; + + switch (pectx->kdf_type) { + case PROV_ECDH_KDF_NONE: + kdf_type = ""; + break; + case PROV_ECDH_KDF_X9_63: + kdf_type = OSSL_KDF_NAME_X963KDF; + break; + default: + return 0; + } + + if (!OSSL_PARAM_set_utf8_string(p, kdf_type)) + return 0; + } + + p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST); + if (p != NULL + && !OSSL_PARAM_set_utf8_string(p, pectx->kdf_md == NULL + ? "" + : EVP_MD_name(pectx->kdf_md))){ + return 0; + } + + p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_outlen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM); + if (p != NULL && !OSSL_PARAM_set_octet_ptr(p, pectx->kdf_ukm, 0)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM_LEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_ukmlen)) + return 0; + + return 1; +} + +static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL), + OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0), + OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL), + OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, + NULL, 0), + OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_UKM_LEN, NULL), + OSSL_PARAM_END +}; + +static +const OSSL_PARAM *ecdh_gettable_ctx_params(void) +{ + return known_gettable_ctx_params; +} + +static ossl_inline +size_t ecdh_size(const EC_KEY *k) +{ + size_t degree = 0; + const EC_GROUP *group; + + if (k == NULL + || (group = EC_KEY_get0_group(k)) == NULL) + return 0; + + degree = EC_GROUP_get_degree(group); + + return (degree + 7) / 8; +} + +static ossl_inline +int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, + size_t *psecretlen, size_t outlen) +{ + PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; + int retlen, ret = 0; + size_t ecdhsize, size; + const EC_POINT *ppubkey = NULL; + EC_KEY *privk = NULL; + const EC_GROUP *group; + const BIGNUM *cofactor; + int key_cofactor_mode; + + if (pecdhctx->k == NULL || pecdhctx->peerk == NULL) { + ERR_raise(ERR_LIB_PROV, EC_R_KEYS_NOT_SET); + return 0; + } + + ecdhsize = ecdh_size(pecdhctx->k); + if (secret == NULL) { + *psecretlen = ecdhsize; + return 1; + } + + if ((group = EC_KEY_get0_group(pecdhctx->k)) == NULL + || (cofactor = EC_GROUP_get0_cofactor(group)) == NULL ) + return 0; + + /* + * NB: unlike PKCS#3 DH, if outlen is less than maximum size this is not + * an error, the result is truncated. + */ + size = outlen < ecdhsize ? outlen : ecdhsize; + + /* + * The ctx->cofactor_mode flag has precedence over the + * cofactor_mode flag set on ctx->k. + * + * - if ctx->cofactor_mode == -1, use ctx->k directly + * - if ctx->cofactor_mode == key_cofactor_mode, use ctx->k directly + * - if ctx->cofactor_mode != key_cofactor_mode: + * - if ctx->k->cofactor == 1, the cofactor_mode flag is irrelevant, use + * ctx->k directly + * - if ctx->k->cofactor != 1, use a duplicate of ctx->k with the flag + * set to ctx->cofactor_mode + */ + key_cofactor_mode = + (EC_KEY_get_flags(pecdhctx->k) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; + if (pecdhctx->cofactor_mode != -1 + && pecdhctx->cofactor_mode != key_cofactor_mode + && !BN_is_one(cofactor)) { + if ((privk = EC_KEY_dup(pecdhctx->k)) == NULL) + return 0; + + if (pecdhctx->cofactor_mode == 1) + EC_KEY_set_flags(privk, EC_FLAG_COFACTOR_ECDH); + else + EC_KEY_clear_flags(privk, EC_FLAG_COFACTOR_ECDH); + } else { + privk = pecdhctx->k; + } + + ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); + + retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); + + if (retlen <= 0) + goto end; + + *psecretlen = retlen; + ret = 1; + + end: + if (privk != pecdhctx->k) + EC_KEY_free(privk); + return ret; +} + +static ossl_inline +int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret, + size_t *psecretlen, size_t outlen) +{ + PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; + unsigned char *stmp = NULL; + size_t stmplen; + int ret = 0; + + if (secret == NULL) { + *psecretlen = pecdhctx->kdf_outlen; + return 1; + } + + if (pecdhctx->kdf_outlen > outlen) + return 0; + if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0)) + return 0; + if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + if (!ecdh_plain_derive(vpecdhctx, stmp, &stmplen, stmplen)) + goto err; + + /* Do KDF stuff */ + if (!ecdh_KDF_X9_63(secret, pecdhctx->kdf_outlen, + stmp, stmplen, + pecdhctx->kdf_ukm, + pecdhctx->kdf_ukmlen, + pecdhctx->kdf_md)) + goto err; + *psecretlen = pecdhctx->kdf_outlen; + ret = 1; + + err: + OPENSSL_secure_clear_free(stmp, stmplen); + return ret; +} + +static +int ecdh_derive(void *vpecdhctx, unsigned char *secret, + size_t *psecretlen, size_t outlen) +{ + PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx; + + switch (pecdhctx->kdf_type) { + case PROV_ECDH_KDF_NONE: + return ecdh_plain_derive(vpecdhctx, secret, psecretlen, outlen); + case PROV_ECDH_KDF_X9_63: + return ecdh_X9_63_kdf_derive(vpecdhctx, secret, psecretlen, outlen); + } + + return 0; +} + + + +const OSSL_DISPATCH ecdh_keyexch_functions[] = { + { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx }, + { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init }, + { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive }, + { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))ecdh_set_peer }, + { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))ecdh_freectx }, + { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))ecdh_dupctx }, + { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))ecdh_set_ctx_params }, + { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, + (void (*)(void))ecdh_settable_ctx_params }, + { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))ecdh_get_ctx_params }, + { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, + (void (*)(void))ecdh_gettable_ctx_params }, + { 0, NULL } +}; diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index f4e0dc9b02..ec0507d86b 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -259,11 +259,13 @@ extern const OSSL_DISPATCH dsa_keymgmt_functions[]; extern const OSSL_DISPATCH rsa_keymgmt_functions[]; extern const OSSL_DISPATCH x25519_keymgmt_functions[]; extern const OSSL_DISPATCH x448_keymgmt_functions[]; +extern const OSSL_DISPATCH ec_keymgmt_functions[]; /* Key Exchange */ extern const OSSL_DISPATCH dh_keyexch_functions[]; extern const OSSL_DISPATCH x25519_keyexch_functions[]; extern const OSSL_DISPATCH x448_keyexch_functions[]; +extern const OSSL_DISPATCH ecdh_keyexch_functions[]; /* Signature */ extern const OSSL_DISPATCH dsa_signature_functions[]; diff --git a/providers/implementations/keymgmt/build.info b/providers/implementations/keymgmt/build.info index 1e4146d15a..89d33e32f0 100644 --- a/providers/implementations/keymgmt/build.info +++ b/providers/implementations/keymgmt/build.info @@ -3,6 +3,7 @@ $DH_GOAL=../../libimplementations.a $DSA_GOAL=../../libimplementations.a +$EC_GOAL=../../libimplementations.a $RSA_GOAL=../../libimplementations.a $ECX_GOAL=../../libimplementations.a @@ -12,6 +13,9 @@ ENDIF IF[{- !$disabled{dsa} -}] SOURCE[$DSA_GOAL]=dsa_kmgmt.c ENDIF +IF[{- !$disabled{ec} -}] + SOURCE[$EC_GOAL]=ec_kmgmt.c +ENDIF SOURCE[$RSA_GOAL]=rsa_kmgmt.c IF[{- !$disabled{ec} -}] SOURCE[$ECX_GOAL]=ecx_kmgmt.c diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c new file mode 100644 index 0000000000..81907476d9 --- /dev/null +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -0,0 +1,630 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * ECDH/ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/core_numbers.h> +#include <openssl/core_names.h> +#include <openssl/bn.h> +#include <openssl/ec.h> +#include <openssl/objects.h> +#include <openssl/params.h> +#include "internal/param_build.h" +#include "prov/implementations.h" +#include "prov/providercommon.h" + +static OSSL_OP_keymgmt_new_fn ec_newdata; +static OSSL_OP_keymgmt_free_fn ec_freedata; +static OSSL_OP_keymgmt_get_params_fn ec_get_params; +static OSSL_OP_keymgmt_gettable_params_fn ec_gettable_params; +static OSSL_OP_keymgmt_set_params_fn ec_set_params; +static OSSL_OP_keymgmt_settable_params_fn ec_settable_params; +static OSSL_OP_keymgmt_has_fn ec_has; +static OSSL_OP_keymgmt_import_fn ec_import; +static OSSL_OP_keymgmt_import_types_fn ec_import_types; +static OSSL_OP_keymgmt_export_fn ec_export; +static OSSL_OP_keymgmt_export_types_fn ec_export_types; +static OSSL_OP_keymgmt_query_operation_name_fn ec_query_operation_name; + +#define EC_POSSIBLE_SELECTIONS \ + (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS ) + +static +const char *ec_query_operation_name(int operation_id) +{ + switch (operation_id) { + case OSSL_OP_KEYEXCH: + return "ECDH"; +#if 0 + case OSSL_OP_SIGNATURE: + return deflt_signature; +#endif + } + return NULL; +} + +static ossl_inline +int params_to_domparams(EC_KEY *ec, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *param_ec_name; + EC_GROUP *ecg = NULL; + char *curve_name = NULL; + int ok = 0; + + if (ec == NULL) + return 0; + + param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME); + if (param_ec_name == NULL) { + /* explicit parameters */ + + /* + * TODO(3.0): should we support explicit parameters curves? + */ + return 0; + } else { + /* named curve */ + int curve_nid; + + if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0) + || curve_name == NULL + || (curve_nid = OBJ_sn2nid(curve_name)) == NID_undef) + goto err; + + if ((ecg = EC_GROUP_new_by_curve_name(curve_nid)) == NULL) + goto err; + } + + if (!EC_KEY_set_group(ec, ecg)) + goto err; + + /* + * TODO(3.0): if the group has changed, should we invalidate the private and + * public key? + */ + + ok = 1; + + err: + OPENSSL_free(curve_name); + EC_GROUP_free(ecg); + return ok; +} + +static ossl_inline +int domparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl) +{ + const EC_GROUP *ecg; + int curve_nid; + + if (ec == NULL) + return 0; + + ecg = EC_KEY_get0_group(ec); + if (ecg == NULL) + return 0; + + curve_nid = EC_GROUP_get_curve_name(ecg); + + if (curve_nid == NID_undef) { + /* explicit parameters */ + + /* + * TODO(3.0): should we support explicit parameters curves? + */ + return 0; + } else { + /* named curve */ + const char *curve_name = NULL; + + if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL) + return 0; + + if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0)) + return 0; + } + + return 1; +} + +/* + * Callers of params_to_key MUST make sure that params_to_domparams has been + * called before! + * + * This function only imports the bare keypair, domain parameters and other + * parameters are imported separately, and domain parameters are required to + * define a keypair. + */ +static ossl_inline +int params_to_key(EC_KEY *ec, const OSSL_PARAM params[], int include_private) +{ + const OSSL_PARAM *param_priv_key, *param_pub_key; + BIGNUM *priv_key = NULL; + unsigned char *pub_key = NULL; + size_t pub_key_len; + const EC_GROUP *ecg = NULL; + EC_POINT *pub_point = NULL; + int ok = 0; + + ecg = EC_KEY_get0_group(ec); + if (ecg == NULL) + return 0; + + param_priv_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + param_pub_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); + + /* + * We want to have at least a public key either way, so we end up + * requiring it unconditionally. + */ + if (param_pub_key == NULL + || !OSSL_PARAM_get_octet_string(param_pub_key, + (void **)&pub_key, 0, &pub_key_len) + || (pub_point = EC_POINT_new(ecg)) == NULL + || !EC_POINT_oct2point(ecg, pub_point, + pub_key, pub_key_len, NULL)) + goto err; + + if (param_priv_key != NULL && include_private + && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) + goto err; + + if (priv_key != NULL + && !EC_KEY_set_private_key(ec, priv_key)) + goto err; + + if (!EC_KEY_set_public_key(ec, pub_point)) + goto err; + + ok = 1; + + err: + BN_clear_free(priv_key); + OPENSSL_free(pub_key); + EC_POINT_free(pub_point); + return ok; +} + +/* + * Callers of key_to_params MUST make sure that domparams_to_params is also + * called! + * + * This function only exports the bare keypair, domain parameters and other + * parameters are exported separately. + */ +static ossl_inline +int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, int include_private) +{ + const BIGNUM *priv_key = NULL; + const EC_POINT *pub_point = NULL; + const EC_GROUP *ecg = NULL; + unsigned char *pub_key = NULL; + size_t pub_key_len = 0; + int ret = 0; + + if (eckey == NULL) + return 0; + + ecg = EC_KEY_get0_group(eckey); + priv_key = EC_KEY_get0_private_key(eckey); + pub_point = EC_KEY_get0_public_key(eckey); + + /* group and public_key must be present, priv_key is optional */ + if (ecg == NULL || pub_point == NULL) + return 0; + if ((pub_key_len = EC_POINT_point2buf(ecg, pub_point, + POINT_CONVERSION_COMPRESSED, + &pub_key, NULL)) == 0) + return 0; + + if (!ossl_param_bld_push_octet_string(tmpl, + OSSL_PKEY_PARAM_PUB_KEY, + pub_key, pub_key_len)) + goto err; + + if (priv_key != NULL && include_private + && !ossl_param_bld_push_BN(tmpl, + OSSL_PKEY_PARAM_PRIV_KEY, + priv_key)) + goto err; + + ret = 1; + + err: + OPENSSL_free(pub_key); + return ret; +} + +static ossl_inline +int ec_set_param_ecdh_cofactor_mode(EC_KEY *ec, const OSSL_PARAM *p) +{ + const EC_GROUP *ecg = EC_KEY_get0_group(ec); + const BIGNUM *cofactor; + int mode; + + if (!OSSL_PARAM_get_int(p, &mode)) + return 0; + + /* + * mode can be only 0 for disable, or 1 for enable here. + * + * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that + * also supports mode == -1 with the meaning of "reset to the default for + * the associated key". + */ + if (mode < 0 || mode > 1) + return 0; + + if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL ) + return 0; + + /* ECDH cofactor mode has no effect if cofactor is 1 */ + if (BN_is_one(cofactor)) + return 1; + + if (mode == 1) + EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH); + else if (mode == 0) + EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH); + + return 1; +} + +static ossl_inline +int params_to_otherparams(EC_KEY *ec, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + + if (ec == NULL) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH); + if (p != NULL && !ec_set_param_ecdh_cofactor_mode(ec, p)) + return 0; + + return 1; +} + +static ossl_inline +int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl) +{ + int ecdh_cofactor_mode = 0; + + if (ec == NULL) + return 0; + + ecdh_cofactor_mode = + (EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0; + if (!ossl_param_bld_push_int(tmpl, + OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, + ecdh_cofactor_mode)) + return 0; + + return 1; +} + +static +void *ec_newdata(void *provctx) +{ + return EC_KEY_new(); +} + +static +void ec_freedata(void *keydata) +{ + EC_KEY_free(keydata); +} + +static +int ec_has(void *keydata, int selection) +{ + EC_KEY *ec = keydata; + int ok = 0; + + if ((selection & EC_POSSIBLE_SELECTIONS) != 0) + ok = 1; + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + ok = ok && (EC_KEY_get0_public_key(ec) != NULL); + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + ok = ok && (EC_KEY_get0_private_key(ec) != NULL); + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) + ok = ok && (EC_KEY_get0_group(ec) != NULL); + /* + * We consider OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS to always be available, + * so no extra check is needed other than the previous one against + * EC_POSSIBLE_SELECTIONS. + */ + + return ok; +} + +static +int ec_import(void *keydata, int selection, const OSSL_PARAM params[]) +{ + EC_KEY *ec = keydata; + int ok = 0; + + if (ec == NULL) + return 0; + + /* + * In this implementation, we can export/import only keydata in the + * following combinations: + * - domain parameters only + * - public key with associated domain parameters (+optional other params) + * - private key with associated public key and domain parameters + * (+optional other params) + * + * This means: + * - domain parameters must always be requested + * - private key must be requested alongside public key + * - other parameters must be requested only alongside a key + */ + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0) + return 0; + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 + && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0) + return 0; + if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0 + && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) + return 0; + + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) + ok = ok && params_to_domparams(ec, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; + + ok = ok && params_to_key(ec, params, include_private); + } + if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) + ok = ok && params_to_otherparams(ec, params); + + return ok; +} + +static +int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, + void *cbarg) +{ + EC_KEY *ec = keydata; + OSSL_PARAM_BLD tmpl; + OSSL_PARAM *params = NULL; |