1 /* 2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/x509.h> 13 #include <openssl/ec.h> 14 #include <openssl/bn.h> 15 #include <openssl/cms.h> 16 #include <openssl/asn1t.h> 17 #include "internal/asn1_int.h" 18 #include "internal/evp_int.h" 19 #include "ec_lcl.h" 20 21 #ifndef OPENSSL_NO_CMS 22 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); 23 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); 24 #endif 25 26 static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) 27 { 28 const EC_GROUP *group; 29 int nid; 30 if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) { 31 ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS); 32 return 0; 33 } 34 if (EC_GROUP_get_asn1_flag(group) 35 && (nid = EC_GROUP_get_curve_name(group))) 36 /* we have a 'named curve' => just set the OID */ 37 { 38 *ppval = OBJ_nid2obj(nid); 39 *pptype = V_ASN1_OBJECT; 40 } else { /* explicit parameters */ 41 42 ASN1_STRING *pstr = NULL; 43 pstr = ASN1_STRING_new(); 44 if (pstr == NULL) 45 return 0; 46 pstr->length = i2d_ECParameters(ec_key, &pstr->data); 47 if (pstr->length <= 0) { 48 ASN1_STRING_free(pstr); 49 ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); 50 return 0; 51 } 52 *ppval = pstr; 53 *pptype = V_ASN1_SEQUENCE; 54 } 55 return 1; 56 } 57 58 static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 59 { 60 EC_KEY *ec_key = pkey->pkey.ec; 61 void *pval = NULL; 62 int ptype; 63 unsigned char *penc = NULL, *p; 64 int penclen; 65 66 if (!eckey_param2type(&ptype, &pval, ec_key)) { 67 ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB); 68 return 0; 69 } 70 penclen = i2o_ECPublicKey(ec_key, NULL); 71 if (penclen <= 0) 72 goto err; 73 penc = OPENSSL_malloc(penclen); 74 if (penc == NULL) 75 goto err; 76 p = penc; 77 penclen = i2o_ECPublicKey(ec_key, &p); 78 if (penclen <= 0) 79 goto err; 80 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC), 81 ptype, pval, penc, penclen)) 82 return 1; 83 err: 84 if (ptype == V_ASN1_OBJECT) 85 ASN1_OBJECT_free(pval); 86 else 87 ASN1_STRING_free(pval); 88 OPENSSL_free(penc); 89 return 0; 90 } 91 92 static EC_KEY *eckey_type2param(int ptype, const void *pval) 93 { 94 EC_KEY *eckey = NULL; 95 EC_GROUP *group = NULL; 96 97 if (ptype == V_ASN1_SEQUENCE) { 98 const ASN1_STRING *pstr = pval; 99 const unsigned char *pm = pstr->data; 100 int pmlen = pstr->length; 101 102 if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { 103 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); 104 goto ecerr; 105 } 106 } else if (ptype == V_ASN1_OBJECT) { 107 const ASN1_OBJECT *poid = pval; 108 109 /* 110 * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID 111 */ 112 if ((eckey = EC_KEY_new()) == NULL) { 113 ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE); 114 goto ecerr; 115 } 116 group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid)); 117 if (group == NULL) 118 goto ecerr; 119 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); 120 if (EC_KEY_set_group(eckey, group) == 0) 121 goto ecerr; 122 EC_GROUP_free(group); 123 } else { 124 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); 125 goto ecerr; 126 } 127 128 return eckey; 129 130 ecerr: 131 EC_KEY_free(eckey); 132 EC_GROUP_free(group); 133 return NULL; 134 } 135 136 static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 137 { 138 const unsigned char *p = NULL; 139 const void *pval; 140 int ptype, pklen; 141 EC_KEY *eckey = NULL; 142 X509_ALGOR *palg; 143 144 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) 145 return 0; 146 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 147 148 eckey = eckey_type2param(ptype, pval); 149 150 if (!eckey) { 151 ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB); 152 return 0; 153 } 154 155 /* We have parameters now set public key */ 156 if (!o2i_ECPublicKey(&eckey, &p, pklen)) { 157 ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR); 158 goto ecerr; 159 } 160 161 EVP_PKEY_assign_EC_KEY(pkey, eckey); 162 return 1; 163 164 ecerr: 165 EC_KEY_free(eckey); 166 return 0; 167 } 168 169 static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 170 { 171 int r; 172 const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec); 173 const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec), 174 *pb = EC_KEY_get0_public_key(b->pkey.ec); 175 if (group == NULL || pa == NULL || pb == NULL) 176 return -2; 177 r = EC_POINT_cmp(group, pa, pb, NULL); 178 if (r == 0) 179 return 1; 180 if (r == 1) 181 return 0; 182 return -2; 183 } 184 185 static int eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 186 { 187 const unsigned char *p = NULL; 188 const void *pval; 189 int ptype, pklen; 190 EC_KEY *eckey = NULL; 191 const X509_ALGOR *palg; 192 193 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) 194 return 0; 195 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 196 197 eckey = eckey_type2param(ptype, pval); 198 199 if (!eckey) 200 goto ecliberr; 201 202 /* We have parameters now set private key */ 203 if (!d2i_ECPrivateKey(&eckey, &p, pklen)) { 204 ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR); 205 goto ecerr; 206 } 207 208 EVP_PKEY_assign_EC_KEY(pkey, eckey); 209 return 1; 210 211 ecliberr: 212 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 213 ecerr: 214 EC_KEY_free(eckey); 215 return 0; 216 } 217 218 static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 219 { 220 EC_KEY ec_key = *(pkey->pkey.ec); 221 unsigned char *ep, *p; 222 int eplen, ptype; 223 void *pval; 224 unsigned int old_flags; 225 226 if (!eckey_param2type(&ptype, &pval, &ec_key)) { 227 ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR); 228 return 0; 229 } 230 231 /* set the private key */ 232 233 /* 234 * do not include the parameters in the SEC1 private key see PKCS#11 235 * 12.11 236 */ 237 old_flags = EC_KEY_get_enc_flags(&ec_key); 238 EC_KEY_set_enc_flags(&ec_key, old_flags | EC_PKEY_NO_PARAMETERS); 239 240 eplen = i2d_ECPrivateKey(&ec_key, NULL); 241 if (!eplen) { 242 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); 243 return 0; 244 } 245 ep = OPENSSL_malloc(eplen); 246 if (ep == NULL) { 247 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 248 return 0; 249 } 250 p = ep; 251 if (!i2d_ECPrivateKey(&ec_key, &p)) { 252 OPENSSL_free(ep); 253 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); 254 return 0; 255 } 256 257 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, 258 ptype, pval, ep, eplen)) { 259 OPENSSL_free(ep); 260 return 0; 261 } 262 263 return 1; 264 } 265 266 static int int_ec_size(const EVP_PKEY *pkey) 267 { 268 return ECDSA_size(pkey->pkey.ec); 269 } 270 271 static int ec_bits(const EVP_PKEY *pkey) 272 { 273 return EC_GROUP_order_bits(EC_KEY_get0_group(pkey->pkey.ec)); 274 } 275 276 static int ec_security_bits(const EVP_PKEY *pkey) 277 { 278 int ecbits = ec_bits(pkey); 279 if (ecbits >= 512) 280 return 256; 281 if (ecbits >= 384) 282 return 192; 283 if (ecbits >= 256) 284 return 128; 285 if (ecbits >= 224) 286 return 112; 287 if (ecbits >= 160) 288 return 80; 289 return ecbits / 2; 290 } 291 292 static int ec_missing_parameters(const EVP_PKEY *pkey) 293 { 294 if (pkey->pkey.ec == NULL || EC_KEY_get0_group(pkey->pkey.ec) == NULL) 295 return 1; 296 return 0; 297 } 298 299 static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) 300 { 301 EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec)); 302 303 if (group == NULL) 304 return 0; 305 if (to->pkey.ec == NULL) { 306 to->pkey.ec = EC_KEY_new(); 307 if (to->pkey.ec == NULL) 308 goto err; 309 } 310 if (EC_KEY_set_group(to->pkey.ec, group) == 0) 311 goto err; 312 EC_GROUP_free(group); 313 return 1; 314 err: 315 EC_GROUP_free(group); 316 return 0; 317 } 318 319 static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) 320 { 321 const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), 322 *group_b = EC_KEY_get0_group(b->pkey.ec); 323 if (group_a == NULL || group_b == NULL) 324 return -2; 325 if (EC_GROUP_cmp(group_a, group_b, NULL)) 326 return 0; 327 else 328 return 1; 329 } 330 331 static void int_ec_free(EVP_PKEY *pkey) 332 { 333 EC_KEY_free(pkey->pkey.ec); 334 } 335 336 typedef enum { 337 EC_KEY_PRINT_PRIVATE, 338 EC_KEY_PRINT_PUBLIC, 339 EC_KEY_PRINT_PARAM 340 } ec_print_t; 341 342 static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, ec_print_t ktype) 343 { 344 const char *ecstr; 345 unsigned char *priv = NULL, *pub = NULL; 346 size_t privlen = 0, publen = 0; 347 int ret = 0; 348 const EC_GROUP *group; 349 350 if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) { 351 ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_PASSED_NULL_PARAMETER); 352 return 0; 353 } 354 355 if (ktype != EC_KEY_PRINT_PARAM && EC_KEY_get0_public_key(x) != NULL) { 356 publen = EC_KEY_key2buf(x, EC_KEY_get_conv_form(x), &pub, NULL); 357 if (publen == 0) 358 goto err; 359 } 360 361 if (ktype == EC_KEY_PRINT_PRIVATE && EC_KEY_get0_private_key(x) != NULL) { 362 privlen = EC_KEY_priv2buf(x, &priv); 363 if (privlen == 0) 364 goto err; 365 } 366 367 if (ktype == EC_KEY_PRINT_PRIVATE) 368 ecstr = "Private-Key"; 369 else if (ktype == EC_KEY_PRINT_PUBLIC) 370 ecstr = "Public-Key"; 371 else 372 ecstr = "ECDSA-Parameters"; 373 374 if (!BIO_indent(bp, off, 128)) 375 goto err; 376 if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, 377 EC_GROUP_order_bits(group)) <= 0) 378 goto err; 379 380 if (privlen != 0) { 381 if (BIO_printf(bp, "%*spriv:\n", off, "") <= 0) 382 goto err; 383 if (ASN1_buf_print(bp, priv, privlen, off + 4) == 0) 384 goto err; 385 } 386 387 if (publen != 0) { 388 if (BIO_printf(bp, "%*spub:\n", off, "") <= 0) 389 goto err; 390 if (ASN1_buf_print(bp, pub, publen, off + 4) == 0) 391 goto err; 392 } 393 394 if (!ECPKParameters_print(bp, group, off)) 395 goto err; 396 ret = 1; 397 err: 398 if (!ret) 399 ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_EC_LIB); 400 OPENSSL_clear_free(priv, privlen); 401 OPENSSL_free(pub); 402 return ret; 403 } 404 405 static int eckey_param_decode(EVP_PKEY *pkey, 406 const unsigned char **pder, int derlen) 407 { 408 EC_KEY *eckey; 409 410 if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) { 411 ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB); 412 return 0; 413 } 414 EVP_PKEY_assign_EC_KEY(pkey, eckey); 415 return 1; 416 } 417 418 static int eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 419 { 420 return i2d_ECParameters(pkey->pkey.ec, pder); 421 } 422 423 static int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, 424 ASN1_PCTX *ctx) 425 { 426 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PARAM); 427 } 428 429 static int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 430 ASN1_PCTX *ctx) 431 { 432 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PUBLIC); 433 } 434 435 static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 436 ASN1_PCTX *ctx) 437 { 438 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PRIVATE); 439 } 440 441 static int old_ec_priv_decode(EVP_PKEY *pkey, 442 const unsigned char **pder, int derlen) 443 { 444 EC_KEY *ec; 445 446 if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) { 447 ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR); 448 return 0; 449 } 450 EVP_PKEY_assign_EC_KEY(pkey, ec); 451 return 1; 452 } 453 454 static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 455 { 456 return i2d_ECPrivateKey(pkey->pkey.ec, pder); 457 } 458 459 static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 460 { 461 switch (op) { 462 case ASN1_PKEY_CTRL_PKCS7_SIGN: 463 if (arg1 == 0) { 464 int snid, hnid; 465 X509_ALGOR *alg1, *alg2; 466 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); 467 if (alg1 == NULL || alg1->algorithm == NULL) 468 return -1; 469 hnid = OBJ_obj2nid(alg1->algorithm); 470 if (hnid == NID_undef) 471 return -1; 472 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 473 return -1; 474 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 475 } 476 return 1; 477 #ifndef OPENSSL_NO_CMS 478 case ASN1_PKEY_CTRL_CMS_SIGN: 479 if (arg1 == 0) { 480 int snid, hnid; 481 X509_ALGOR *alg1, *alg2; 482 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); 483 if (alg1 == NULL || alg1->algorithm == NULL) 484 return -1; 485 hnid = OBJ_obj2nid(alg1->algorithm); 486 if (hnid == NID_undef) 487 return -1; 488 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 489 return -1; 490 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 491 } 492 return 1; 493 494 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 495 if (arg1 == 1) 496 return ecdh_cms_decrypt(arg2); 497 else if (arg1 == 0) 498 return ecdh_cms_encrypt(arg2); 499 return -2; 500 501 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 502 *(int *)arg2 = CMS_RECIPINFO_AGREE; 503 return 1; 504 #endif 505 506 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 507 *(int *)arg2 = NID_sha256; 508 return 2; 509 510 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: 511 return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL); 512 513 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: 514 return EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(pkey), 515 POINT_CONVERSION_UNCOMPRESSED, arg2, NULL); 516 517 default: 518 return -2; 519 520 } 521 522 } 523 524 static int ec_pkey_check(const EVP_PKEY *pkey) 525 { 526 EC_KEY *eckey = pkey->pkey.ec; 527 528 /* stay consistent to what EVP_PKEY_check demands */ 529 if (eckey->priv_key == NULL) { 530 ECerr(EC_F_EC_PKEY_CHECK, EC_R_MISSING_PRIVATE_KEY); 531 return 0; 532 } 533 534 return EC_KEY_check_key(eckey); 535 } 536 537 static int ec_pkey_public_check(const EVP_PKEY *pkey) 538 { 539 EC_KEY *eckey = pkey->pkey.ec; 540 541 /* 542 * Note: it unnecessary to check eckey->pub_key here since 543 * it will be checked in EC_KEY_check_key(). In fact, the 544 * EC_KEY_check_key() mainly checks the public key, and checks 545 * the private key optionally (only if there is one). So if 546 * someone passes a whole EC key (public + private), this 547 * will also work... 548 */ 549 550 return EC_KEY_check_key(eckey); 551 } 552 553 static int ec_pkey_param_check(const EVP_PKEY *pkey) 554 { 555 EC_KEY *eckey = pkey->pkey.ec; 556 557 /* stay consistent to what EVP_PKEY_check demands */ 558 if (eckey->group == NULL) { 559 ECerr(EC_F_EC_PKEY_PARAM_CHECK, EC_R_MISSING_PARAMETERS); 560 return 0; 561 } 562 563 return EC_GROUP_check(eckey->group, NULL); 564 } 565 566 const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { 567 EVP_PKEY_EC, 568 EVP_PKEY_EC, 569 0, 570 "EC", 571 "OpenSSL EC algorithm", 572 573 eckey_pub_decode, 574 eckey_pub_encode, 575 eckey_pub_cmp, 576 eckey_pub_print, 577 578 eckey_priv_decode, 579 eckey_priv_encode, 580 eckey_priv_print, 581 582 int_ec_size, 583 ec_bits, 584 ec_security_bits, 585 586 eckey_param_decode, 587 eckey_param_encode, 588 ec_missing_parameters, 589 ec_copy_parameters, 590 ec_cmp_parameters, 591 eckey_param_print, 592 0, 593 594 int_ec_free, 595 ec_pkey_ctrl, 596 old_ec_priv_decode, 597 old_ec_priv_encode, 598 599 0, 0, 0, 600 601 ec_pkey_check, 602 ec_pkey_public_check, 603 ec_pkey_param_check 604 }; 605 606 #if !defined(OPENSSL_NO_SM2) 607 const EVP_PKEY_ASN1_METHOD sm2_asn1_meth = { 608 EVP_PKEY_SM2, 609 EVP_PKEY_EC, 610 ASN1_PKEY_ALIAS 611 }; 612 #endif 613 614 int EC_KEY_print(BIO *bp, const EC_KEY *x, int off) 615 { 616 int private = EC_KEY_get0_private_key(x) != NULL; 617 618 return do_EC_KEY_print(bp, x, off, 619 private ? EC_KEY_PRINT_PRIVATE : EC_KEY_PRINT_PUBLIC); 620 } 621 622 int ECParameters_print(BIO *bp, const EC_KEY *x) 623 { 624 return do_EC_KEY_print(bp, x, 4, EC_KEY_PRINT_PARAM); 625 } 626 627 #ifndef OPENSSL_NO_CMS 628 629 static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx, 630 X509_ALGOR *alg, ASN1_BIT_STRING *pubkey) 631 { 632 const ASN1_OBJECT *aoid; 633 int atype; 634 const void *aval; 635 int rv = 0; 636 EVP_PKEY *pkpeer = NULL; 637 EC_KEY *ecpeer = NULL; 638 const unsigned char *p; 639 int plen; 640 X509_ALGOR_get0(&aoid, &atype, &aval, alg); 641 if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey) 642 goto err; 643 /* If absent parameters get group from main key */ 644 if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) { 645 const EC_GROUP *grp; 646 EVP_PKEY *pk; 647 pk = EVP_PKEY_CTX_get0_pkey(pctx); 648 if (!pk) 649 goto err; 650 grp = EC_KEY_get0_group(pk->pkey.ec); 651 ecpeer = EC_KEY_new(); 652 if (ecpeer == NULL) 653 goto err; 654 if (!EC_KEY_set_group(ecpeer, grp)) 655 goto err; 656 } else { 657 ecpeer = eckey_type2param(atype, aval); 658 if (!ecpeer) 659 goto err; 660 } 661 /* We have parameters now set public key */ 662 plen = ASN1_STRING_length(pubkey); 663 p = ASN1_STRING_get0_data(pubkey); 664 if (!p || !plen) 665 goto err; 666 if (!o2i_ECPublicKey(&ecpeer, &p, plen)) 667 goto err; 668 pkpeer = EVP_PKEY_new(); 669 if (pkpeer == NULL) 670 goto err; 671 EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer); 672 if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) 673 rv = 1; 674 err: 675 EC_KEY_free(ecpeer); 676 EVP_PKEY_free(pkpeer); 677 return rv; 678 } 679 680 /* Set KDF parameters based on KDF NID */ 681 static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid) 682 { 683 int kdf_nid, kdfmd_nid, cofactor; 684 const EVP_MD *kdf_md; 685 if (eckdf_nid == NID_undef) 686 return 0; 687 688 /* Lookup KDF type, cofactor mode and digest */ 689 if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid)) 690 return 0; 691 692 if (kdf_nid == NID_dh_std_kdf) 693 cofactor = 0; 694 else if (kdf_nid == NID_dh_cofactor_kdf) 695 cofactor = 1; 696 else 697 return 0; 698 699 if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) 700 return 0; 701 702 if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0) 703 return 0; 704 705 kdf_md = EVP_get_digestbynid(kdfmd_nid); 706 if (!kdf_md) 707 return 0; 708 709 if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) 710 return 0; 711 return 1; 712 } 713 714 static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) 715 { 716 int rv = 0; 717 718 X509_ALGOR *alg, *kekalg = NULL; 719 ASN1_OCTET_STRING *ukm; 720 const unsigned char *p; 721 unsigned char *der = NULL; 722 int plen, keylen; 723 const EVP_CIPHER *kekcipher; 724 EVP_CIPHER_CTX *kekctx; 725 726 if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) 727 return 0; 728 729 if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { 730 ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR); 731 return 0; 732 } 733 734 if (alg->parameter->type != V_ASN1_SEQUENCE) 735 return 0; 736 737 p = alg->parameter->value.sequence->data; 738 plen = alg->parameter->value.sequence->length; 739 kekalg = d2i_X509_ALGOR(NULL, &p, plen); 740 if (!kekalg) 741 goto err; 742 kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); 743 if (!kekctx) 744 goto err; 745 kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); 746 if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) 747 goto err; 748 if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) 749 goto err; 750 if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) 751 goto err; 752 753 keylen = EVP_CIPHER_CTX_key_length(kekctx); 754 if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) 755 goto err; 756 757 plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen); 758 759 if (!plen) 760 goto err; 761 762 if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0) 763 goto err; 764 der = NULL; 765 766 rv = 1; 767 err: 768 X509_ALGOR_free(kekalg); 769 OPENSSL_free(der); 770 return rv; 771 } 772 773 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri) 774 { 775 EVP_PKEY_CTX *pctx; 776 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 777 if (!pctx) 778 return 0; 779 /* See if we need to set peer key */ 780 if (!EVP_PKEY_CTX_get0_peerkey(pctx)) { 781 X509_ALGOR *alg; 782 ASN1_BIT_STRING *pubkey; 783 if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey, 784 NULL, NULL, NULL)) 785 return 0; 786 if (!alg || !pubkey) 787 return 0; 788 if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) { 789 ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_PEER_KEY_ERROR); 790 return 0; 791 } 792 } 793 /* Set ECDH derivation parameters and initialise unwrap context */ 794 if (!ecdh_cms_set_shared_info(pctx, ri)) { 795 ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_SHARED_INFO_ERROR); 796 return 0; 797 } 798 return 1; 799 } 800 801 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) 802 { 803 EVP_PKEY_CTX *pctx; 804 EVP_PKEY *pkey; 805 EVP_CIPHER_CTX *ctx; 806 int keylen; 807 X509_ALGOR *talg, *wrap_alg = NULL; 808 const ASN1_OBJECT *aoid; 809 ASN1_BIT_STRING *pubkey; 810 ASN1_STRING *wrap_str; 811 ASN1_OCTET_STRING *ukm; 812 unsigned char *penc = NULL; 813 int penclen; 814 int rv = 0; 815 int ecdh_nid, kdf_type, kdf_nid, wrap_nid; 816 const EVP_MD *kdf_md; 817 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 818 if (!pctx) 819 return 0; 820 /* Get ephemeral key */ 821 pkey = EVP_PKEY_CTX_get0_pkey(pctx); 822 if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey, 823 NULL, NULL, NULL)) 824 goto err; 825 X509_ALGOR_get0(&aoid, NULL, NULL, talg); 826 /* Is everything uninitialised? */ 827 if (aoid == OBJ_nid2obj(NID_undef)) { 828 829 EC_KEY *eckey = pkey->pkey.ec; 830 /* Set the key */ 831 unsigned char *p; 832 833 penclen = i2o_ECPublicKey(eckey, NULL); 834 if (penclen <= 0) 835 goto err; 836 penc = OPENSSL_malloc(penclen); 837 if (penc == NULL) 838 goto err; 839 p = penc; 840 penclen = i2o_ECPublicKey(eckey, &p); 841 if (penclen <= 0) 842 goto err; 843 ASN1_STRING_set0(pubkey, penc, penclen); 844 pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); 845 pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; 846 847 penc = NULL; 848 X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 849 V_ASN1_UNDEF, NULL); 850 } 851 852 /* See if custom parameters set */ 853 kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx); 854 if (kdf_type <= 0) 855 goto err; 856 if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md)) 857 goto err; 858 ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx); 859 if (ecdh_nid < 0) 860 goto err; 861 else if (ecdh_nid == 0) 862 ecdh_nid = NID_dh_std_kdf; 863 else if (ecdh_nid == 1) 864 ecdh_nid = NID_dh_cofactor_kdf; 865 866 if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { 867 kdf_type = EVP_PKEY_ECDH_KDF_X9_63; 868 if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) 869 goto err; 870 } else 871 /* Unknown KDF */ 872 goto err; 873 if (kdf_md == NULL) { 874 /* Fixme later for better MD */ 875 kdf_md = EVP_sha1(); 876 if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) 877 goto err; 878 } 879 880 if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm)) 881 goto err; 882 883 /* Lookup NID for KDF+cofactor+digest */ 884 885 if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid)) 886 goto err; 887 /* Get wrap NID */ 888 ctx = CMS_RecipientInfo_kari_get0_ctx(ri); 889 wrap_nid = EVP_CIPHER_CTX_type(ctx); 890 keylen = EVP_CIPHER_CTX_key_length(ctx); 891 892 /* Package wrap algorithm in an AlgorithmIdentifier */ 893 894 wrap_alg = X509_ALGOR_new(); 895 if (wrap_alg == NULL) 896 goto err; 897 wrap_alg->algorithm = OBJ_nid2obj(wrap_nid); 898 wrap_alg->parameter = ASN1_TYPE_new(); 899 if (wrap_alg->parameter == NULL) 900 goto err; 901 if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0) 902 goto err; 903 if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) { 904 ASN1_TYPE_free(wrap_alg->parameter); 905 wrap_alg->parameter = NULL; 906 } 907 908 if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) 909 goto err; 910 911 penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); 912 913 if (!penclen) 914 goto err; 915 916 if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) 917 goto err; 918 penc = NULL; 919 920 /* 921 * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter 922 * of another AlgorithmIdentifier. 923 */ 924 penclen = i2d_X509_ALGOR(wrap_alg, &penc); 925 if (!penc || !penclen) 926 goto err; 927 wrap_str = ASN1_STRING_new(); 928 if (wrap_str == NULL) 929 goto err; 930 ASN1_STRING_set0(wrap_str, penc, penclen); 931 penc = NULL; 932 X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str); 933 934 rv = 1; 935 936 err: 937 OPENSSL_free(penc); 938 X509_ALGOR_free(wrap_alg); 939 return rv; 940 } 941 942 #endif 943