1 /* 2 * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/x509.h> 13 #include <openssl/ec.h> 14 #include <openssl/bn.h> 15 #include <openssl/cms.h> 16 #include <openssl/asn1t.h> 17 #include "crypto/asn1.h" 18 #include "crypto/evp.h" 19 #include "ec_local.h" 20 21 #ifndef OPENSSL_NO_CMS 22 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); 23 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); 24 #endif 25 26 static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) 27 { 28 const EC_GROUP *group; 29 int nid; 30 if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) { 31 ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_PARAMETERS); 32 return 0; 33 } 34 if (EC_GROUP_get_asn1_flag(group) 35 && (nid = EC_GROUP_get_curve_name(group))) 36 /* we have a 'named curve' => just set the OID */ 37 { 38 *ppval = OBJ_nid2obj(nid); 39 *pptype = V_ASN1_OBJECT; 40 } else { /* explicit parameters */ 41 42 ASN1_STRING *pstr = NULL; 43 pstr = ASN1_STRING_new(); 44 if (pstr == NULL) 45 return 0; 46 pstr->length = i2d_ECParameters(ec_key, &pstr->data); 47 if (pstr->length <= 0) { 48 ASN1_STRING_free(pstr); 49 ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); 50 return 0; 51 } 52 *ppval = pstr; 53 *pptype = V_ASN1_SEQUENCE; 54 } 55 return 1; 56 } 57 58 static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) 59 { 60 EC_KEY *ec_key = pkey->pkey.ec; 61 void *pval = NULL; 62 int ptype; 63 unsigned char *penc = NULL, *p; 64 int penclen; 65 66 if (!eckey_param2type(&ptype, &pval, ec_key)) { 67 ECerr(EC_F_ECKEY_PUB_ENCODE, ERR_R_EC_LIB); 68 return 0; 69 } 70 penclen = i2o_ECPublicKey(ec_key, NULL); 71 if (penclen <= 0) 72 goto err; 73 penc = OPENSSL_malloc(penclen); 74 if (penc == NULL) 75 goto err; 76 p = penc; 77 penclen = i2o_ECPublicKey(ec_key, &p); 78 if (penclen <= 0) 79 goto err; 80 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC), 81 ptype, pval, penc, penclen)) 82 return 1; 83 err: 84 if (ptype == V_ASN1_OBJECT) 85 ASN1_OBJECT_free(pval); 86 else 87 ASN1_STRING_free(pval); 88 OPENSSL_free(penc); 89 return 0; 90 } 91 92 static EC_KEY *eckey_type2param(int ptype, const void *pval) 93 { 94 EC_KEY *eckey = NULL; 95 EC_GROUP *group = NULL; 96 97 if (ptype == V_ASN1_SEQUENCE) { 98 const ASN1_STRING *pstr = pval; 99 const unsigned char *pm = pstr->data; 100 int pmlen = pstr->length; 101 102 if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { 103 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); 104 goto ecerr; 105 } 106 } else if (ptype == V_ASN1_OBJECT) { 107 const ASN1_OBJECT *poid = pval; 108 109 /* 110 * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID 111 */ 112 if ((eckey = EC_KEY_new()) == NULL) { 113 ECerr(EC_F_ECKEY_TYPE2PARAM, ERR_R_MALLOC_FAILURE); 114 goto ecerr; 115 } 116 group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid)); 117 if (group == NULL) 118 goto ecerr; 119 EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); 120 if (EC_KEY_set_group(eckey, group) == 0) 121 goto ecerr; 122 EC_GROUP_free(group); 123 } else { 124 ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); 125 goto ecerr; 126 } 127 128 return eckey; 129 130 ecerr: 131 EC_KEY_free(eckey); 132 EC_GROUP_free(group); 133 return NULL; 134 } 135 136 static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) 137 { 138 const unsigned char *p = NULL; 139 const void *pval; 140 int ptype, pklen; 141 EC_KEY *eckey = NULL; 142 X509_ALGOR *palg; 143 144 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) 145 return 0; 146 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 147 148 eckey = eckey_type2param(ptype, pval); 149 150 if (!eckey) { 151 ECerr(EC_F_ECKEY_PUB_DECODE, ERR_R_EC_LIB); 152 return 0; 153 } 154 155 /* We have parameters now set public key */ 156 if (!o2i_ECPublicKey(&eckey, &p, pklen)) { 157 ECerr(EC_F_ECKEY_PUB_DECODE, EC_R_DECODE_ERROR); 158 goto ecerr; 159 } 160 161 EVP_PKEY_assign_EC_KEY(pkey, eckey); 162 return 1; 163 164 ecerr: 165 EC_KEY_free(eckey); 166 return 0; 167 } 168 169 static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) 170 { 171 int r; 172 const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec); 173 const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec), 174 *pb = EC_KEY_get0_public_key(b->pkey.ec); 175 if (group == NULL || pa == NULL || pb == NULL) 176 return -2; 177 r = EC_POINT_cmp(group, pa, pb, NULL); 178 if (r == 0) 179 return 1; 180 if (r == 1) 181 return 0; 182 return -2; 183 } 184 185 static int eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) 186 { 187 const unsigned char *p = NULL; 188 const void *pval; 189 int ptype, pklen; 190 EC_KEY *eckey = NULL; 191 const X509_ALGOR *palg; 192 193 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) 194 return 0; 195 X509_ALGOR_get0(NULL, &ptype, &pval, palg); 196 197 eckey = eckey_type2param(ptype, pval); 198 199 if (!eckey) 200 goto ecliberr; 201 202 /* We have parameters now set private key */ 203 if (!d2i_ECPrivateKey(&eckey, &p, pklen)) { 204 ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR); 205 goto ecerr; 206 } 207 208 EVP_PKEY_assign_EC_KEY(pkey, eckey); 209 return 1; 210 211 ecliberr: 212 ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB); 213 ecerr: 214 EC_KEY_free(eckey); 215 return 0; 216 } 217 218 static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) 219 { 220 EC_KEY ec_key = *(pkey->pkey.ec); 221 unsigned char *ep, *p; 222 int eplen, ptype; 223 void *pval; 224 unsigned int old_flags; 225 226 if (!eckey_param2type(&ptype, &pval, &ec_key)) { 227 ECerr(EC_F_ECKEY_PRIV_ENCODE, EC_R_DECODE_ERROR); 228 return 0; 229 } 230 231 /* set the private key */ 232 233 /* 234 * do not include the parameters in the SEC1 private key see PKCS#11 235 * 12.11 236 */ 237 old_flags = EC_KEY_get_enc_flags(&ec_key); 238 EC_KEY_set_enc_flags(&ec_key, old_flags | EC_PKEY_NO_PARAMETERS); 239 240 eplen = i2d_ECPrivateKey(&ec_key, NULL); 241 if (!eplen) { 242 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); 243 return 0; 244 } 245 ep = OPENSSL_malloc(eplen); 246 if (ep == NULL) { 247 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); 248 return 0; 249 } 250 p = ep; 251 if (!i2d_ECPrivateKey(&ec_key, &p)) { 252 OPENSSL_free(ep); 253 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); 254 return 0; 255 } 256 257 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, 258 ptype, pval, ep, eplen)) { 259 OPENSSL_free(ep); 260 return 0; 261 } 262 263 return 1; 264 } 265 266 static int int_ec_size(const EVP_PKEY *pkey) 267 { 268 return ECDSA_size(pkey->pkey.ec); 269 } 270 271 static int ec_bits(const EVP_PKEY *pkey) 272 { 273 return EC_GROUP_order_bits(EC_KEY_get0_group(pkey->pkey.ec)); 274 } 275 276 static int ec_security_bits(const EVP_PKEY *pkey) 277 { 278 int ecbits = ec_bits(pkey); 279 if (ecbits >= 512) 280 return 256; 281 if (ecbits >= 384) 282 return 192; 283 if (ecbits >= 256) 284 return 128; 285 if (ecbits >= 224) 286 return 112; 287 if (ecbits >= 160) 288 return 80; 289 return ecbits / 2; 290 } 291 292 static int ec_missing_parameters(const EVP_PKEY *pkey) 293 { 294 if (pkey->pkey.ec == NULL || EC_KEY_get0_group(pkey->pkey.ec) == NULL) 295 return 1; 296 return 0; 297 } 298 299 static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) 300 { 301 EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec)); 302 303 if (group == NULL) 304 return 0; 305 if (to->pkey.ec == NULL) { 306 to->pkey.ec = EC_KEY_new(); 307 if (to->pkey.ec == NULL) 308 goto err; 309 } 310 if (EC_KEY_set_group(to->pkey.ec, group) == 0) 311 goto err; 312 EC_GROUP_free(group); 313 return 1; 314 err: 315 EC_GROUP_free(group); 316 return 0; 317 } 318 319 static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) 320 { 321 const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), 322 *group_b = EC_KEY_get0_group(b->pkey.ec); 323 if (group_a == NULL || group_b == NULL) 324 return -2; 325 if (EC_GROUP_cmp(group_a, group_b, NULL)) 326 return 0; 327 else 328 return 1; 329 } 330 331 static void int_ec_free(EVP_PKEY *pkey) 332 { 333 EC_KEY_free(pkey->pkey.ec); 334 } 335 336 typedef enum { 337 EC_KEY_PRINT_PRIVATE, 338 EC_KEY_PRINT_PUBLIC, 339 EC_KEY_PRINT_PARAM 340 } ec_print_t; 341 342 static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, ec_print_t ktype) 343 { 344 const char *ecstr; 345 unsigned char *priv = NULL, *pub = NULL; 346 size_t privlen = 0, publen = 0; 347 int ret = 0; 348 const EC_GROUP *group; 349 350 if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) { 351 ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_PASSED_NULL_PARAMETER); 352 return 0; 353 } 354 355 if (ktype != EC_KEY_PRINT_PARAM && EC_KEY_get0_public_key(x) != NULL) { 356 publen = EC_KEY_key2buf(x, EC_KEY_get_conv_form(x), &pub, NULL); 357 if (publen == 0) 358 goto err; 359 } 360 361 if (ktype == EC_KEY_PRINT_PRIVATE && EC_KEY_get0_private_key(x) != NULL) { 362 privlen = EC_KEY_priv2buf(x, &priv); 363 if (privlen == 0) 364 goto err; 365 } 366 367 if (ktype == EC_KEY_PRINT_PRIVATE) 368 ecstr = "Private-Key"; 369 else if (ktype == EC_KEY_PRINT_PUBLIC) 370 ecstr = "Public-Key"; 371 else 372 ecstr = "ECDSA-Parameters"; 373 374 if (!BIO_indent(bp, off, 128)) 375 goto err; 376 if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, 377 EC_GROUP_order_bits(group)) <= 0) 378 goto err; 379 380 if (privlen != 0) { 381 if (BIO_printf(bp, "%*spriv:\n", off, "") <= 0) 382 goto err; 383 if (ASN1_buf_print(bp, priv, privlen, off + 4) == 0) 384 goto err; 385 } 386 387 if (publen != 0) { 388 if (BIO_printf(bp, "%*spub:\n", off, "") <= 0) 389 goto err; 390 if (ASN1_buf_print(bp, pub, publen, off + 4) == 0) 391 goto err; 392 } 393 394 if (!ECPKParameters_print(bp, group, off)) 395 goto err; 396 ret = 1; 397 err: 398 if (!ret) 399 ECerr(EC_F_DO_EC_KEY_PRINT, ERR_R_EC_LIB); 400 OPENSSL_clear_free(priv, privlen); 401 OPENSSL_free(pub); 402 return ret; 403 } 404 405 static int eckey_param_decode(EVP_PKEY *pkey, 406 const unsigned char **pder, int derlen) 407 { 408 EC_KEY *eckey; 409 410 if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) { 411 ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB); 412 return 0; 413 } 414 EVP_PKEY_assign_EC_KEY(pkey, eckey); 415 return 1; 416 } 417 418 static int eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 419 { 420 return i2d_ECParameters(pkey->pkey.ec, pder); 421 } 422 423 static int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, 424 ASN1_PCTX *ctx) 425 { 426 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PARAM); 427 } 428 429 static int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, 430 ASN1_PCTX *ctx) 431 { 432 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PUBLIC); 433 } 434 435 static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, 436 ASN1_PCTX *ctx) 437 { 438 return do_EC_KEY_print(bp, pkey->pkey.ec, indent, EC_KEY_PRINT_PRIVATE); 439 } 440 441 static int old_ec_priv_decode(EVP_PKEY *pkey, 442 const unsigned char **pder, int derlen) 443 { 444 EC_KEY *ec; 445 446 if ((ec = d2i_ECPrivateKey(NULL, pder, derlen)) == NULL) { 447 ECerr(EC_F_OLD_EC_PRIV_DECODE, EC_R_DECODE_ERROR); 448 return 0; 449 } 450 EVP_PKEY_assign_EC_KEY(pkey, ec); 451 return 1; 452 } 453 454 static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) 455 { 456 return i2d_ECPrivateKey(pkey->pkey.ec, pder); 457 } 458 459 static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) 460 { 461 switch (op) { 462 case ASN1_PKEY_CTRL_PKCS7_SIGN: 463 if (arg1 == 0) { 464 int snid, hnid; 465 X509_ALGOR *alg1, *alg2; 466 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); 467 if (alg1 == NULL || alg1->algorithm == NULL) 468 return -1; 469 hnid = OBJ_obj2nid(alg1->algorithm); 470 if (hnid == NID_undef) 471 return -1; 472 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 473 return -1; 474 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 475 } 476 return 1; 477 #ifndef OPENSSL_NO_CMS 478 case ASN1_PKEY_CTRL_CMS_SIGN: 479 if (arg1 == 0) { 480 int snid, hnid; 481 X509_ALGOR *alg1, *alg2; 482 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); 483 if (alg1 == NULL || alg1->algorithm == NULL) 484 return -1; 485 hnid = OBJ_obj2nid(alg1->algorithm); 486 if (hnid == NID_undef) 487 return -1; 488 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) 489 return -1; 490 X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); 491 } 492 return 1; 493 494 case ASN1_PKEY_CTRL_CMS_ENVELOPE: 495 if (arg1 == 1) 496 return ecdh_cms_decrypt(arg2); 497 else if (arg1 == 0) 498 return ecdh_cms_encrypt(arg2); 499 return -2; 500 501 case ASN1_PKEY_CTRL_CMS_RI_TYPE: 502 *(int *)arg2 = CMS_RECIPINFO_AGREE; 503 return 1; 504 #endif 505 506 case ASN1_PKEY_CTRL_DEFAULT_MD_NID: 507 if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) { 508 /* For SM2, the only valid digest-alg is SM3 */ 509 *(int *)arg2 = NID_sm3; 510 } else { 511 *(int *)arg2 = NID_sha256; 512 } 513 return 1; 514 515 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: 516 return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL); 517 518 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: 519 return EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(pkey), 520 POINT_CONVERSION_UNCOMPRESSED, arg2, NULL); 521 522 default: 523 return -2; 524 525 } 526 527 } 528 529 static int ec_pkey_check(const EVP_PKEY *pkey) 530 { 531 EC_KEY *eckey = pkey->pkey.ec; 532 533 /* stay consistent to what EVP_PKEY_check demands */ 534 if (eckey->priv_key == NULL) { 535 ECerr(EC_F_EC_PKEY_CHECK, EC_R_MISSING_PRIVATE_KEY); 536 return 0; 537 } 538 539 return EC_KEY_check_key(eckey); 540 } 541 542 static int ec_pkey_public_check(const EVP_PKEY *pkey) 543 { 544 EC_KEY *eckey = pkey->pkey.ec; 545 546 /* 547 * Note: it unnecessary to check eckey->pub_key here since 548 * it will be checked in EC_KEY_check_key(). In fact, the 549 * EC_KEY_check_key() mainly checks the public key, and checks 550 * the private key optionally (only if there is one). So if 551 * someone passes a whole EC key (public + private), this 552 * will also work... 553 */ 554 555 return EC_KEY_check_key(eckey); 556 } 557 558 static int ec_pkey_param_check(const EVP_PKEY *pkey) 559 { 560 EC_KEY *eckey = pkey->pkey.ec; 561 562 /* stay consistent to what EVP_PKEY_check demands */ 563 if (eckey->group == NULL) { 564 ECerr(EC_F_EC_PKEY_PARAM_CHECK, EC_R_MISSING_PARAMETERS); 565 return 0; 566 } 567 568 return EC_GROUP_check(eckey->group, NULL); 569 } 570 571 const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { 572 EVP_PKEY_EC, 573 EVP_PKEY_EC, 574 0, 575 "EC", 576 "OpenSSL EC algorithm", 577 578 eckey_pub_decode, 579 eckey_pub_encode, 580 eckey_pub_cmp, 581 eckey_pub_print, 582 583 eckey_priv_decode, 584 eckey_priv_encode, 585 eckey_priv_print, 586 587 int_ec_size, 588 ec_bits, 589 ec_security_bits, 590 591 eckey_param_decode, 592 eckey_param_encode, 593 ec_missing_parameters, 594 ec_copy_parameters, 595 ec_cmp_parameters, 596 eckey_param_print, 597 0, 598 599 int_ec_free, 600 ec_pkey_ctrl, 601 old_ec_priv_decode, 602 old_ec_priv_encode, 603 604 0, 0, 0, 605 606 ec_pkey_check, 607 ec_pkey_public_check, 608 ec_pkey_param_check 609 }; 610 611 #if !defined(OPENSSL_NO_SM2) 612 const EVP_PKEY_ASN1_METHOD sm2_asn1_meth = { 613 EVP_PKEY_SM2, 614 EVP_PKEY_EC, 615 ASN1_PKEY_ALIAS 616 }; 617 #endif 618 619 int EC_KEY_print(BIO *bp, const EC_KEY *x, int off) 620 { 621 int private = EC_KEY_get0_private_key(x) != NULL; 622 623 return do_EC_KEY_print(bp, x, off, 624 private ? EC_KEY_PRINT_PRIVATE : EC_KEY_PRINT_PUBLIC); 625 } 626 627 int ECParameters_print(BIO *bp, const EC_KEY *x) 628 { 629 return do_EC_KEY_print(bp, x, 4, EC_KEY_PRINT_PARAM); 630 } 631 632 #ifndef OPENSSL_NO_CMS 633 634 static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx, 635 X509_ALGOR *alg, ASN1_BIT_STRING *pubkey) 636 { 637 const ASN1_OBJECT *aoid; 638 int atype; 639 const void *aval; 640 int rv = 0; 641 EVP_PKEY *pkpeer = NULL; 642 EC_KEY *ecpeer = NULL; 643 const unsigned char *p; 644 int plen; 645 X509_ALGOR_get0(&aoid, &atype, &aval, alg); 646 if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey) 647 goto err; 648 /* If absent parameters get group from main key */ 649 if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) { 650 const EC_GROUP *grp; 651 EVP_PKEY *pk; 652 pk = EVP_PKEY_CTX_get0_pkey(pctx); 653 if (!pk) 654 goto err; 655 grp = EC_KEY_get0_group(pk->pkey.ec); 656 ecpeer = EC_KEY_new(); 657 if (ecpeer == NULL) 658 goto err; 659 if (!EC_KEY_set_group(ecpeer, grp)) 660 goto err; 661 } else { 662 ecpeer = eckey_type2param(atype, aval); 663 if (!ecpeer) 664 goto err; 665 } 666 /* We have parameters now set public key */ 667 plen = ASN1_STRING_length(pubkey); 668 p = ASN1_STRING_get0_data(pubkey); 669 if (!p || !plen) 670 goto err; 671 if (!o2i_ECPublicKey(&ecpeer, &p, plen)) 672 goto err; 673 pkpeer = EVP_PKEY_new(); 674 if (pkpeer == NULL) 675 goto err; 676 EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer); 677 if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) 678 rv = 1; 679 err: 680 EC_KEY_free(ecpeer); 681 EVP_PKEY_free(pkpeer); 682 return rv; 683 } 684 685 /* Set KDF parameters based on KDF NID */ 686 static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid) 687 { 688 int kdf_nid, kdfmd_nid, cofactor; 689 const EVP_MD *kdf_md; 690 if (eckdf_nid == NID_undef) 691 return 0; 692 693 /* Lookup KDF type, cofactor mode and digest */ 694 if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid)) 695 return 0; 696 697 if (kdf_nid == NID_dh_std_kdf) 698 cofactor = 0; 699 else if (kdf_nid == NID_dh_cofactor_kdf) 700 cofactor = 1; 701 else 702 return 0; 703 704 if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) 705 return 0; 706 707 if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0) 708 return 0; 709 710 kdf_md = EVP_get_digestbynid(kdfmd_nid); 711 if (!kdf_md) 712 return 0; 713 714 if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) 715 return 0; 716 return 1; 717 } 718 719 static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) 720 { 721 int rv = 0; 722 723 X509_ALGOR *alg, *kekalg = NULL; 724 ASN1_OCTET_STRING *ukm; 725 const unsigned char *p; 726 unsigned char *der = NULL; 727 int plen, keylen; 728 const EVP_CIPHER *kekcipher; 729 EVP_CIPHER_CTX *kekctx; 730 731 if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) 732 return 0; 733 734 if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { 735 ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR); 736 return 0; 737 } 738 739 if (alg->parameter->type != V_ASN1_SEQUENCE) 740 return 0; 741 742 p = alg->parameter->value.sequence->data; 743 plen = alg->parameter->value.sequence->length; 744 kekalg = d2i_X509_ALGOR(NULL, &p, plen); 745 if (!kekalg) 746 goto err; 747 kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); 748 if (!kekctx) 749 goto err; 750 kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); 751 if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) 752 goto err; 753 if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) 754 goto err; 755 if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) 756 goto err; 757 758 keylen = EVP_CIPHER_CTX_key_length(kekctx); 759 if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) 760 goto err; 761 762 plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen); 763 764 if (!plen) 765 goto err; 766 767 if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0) 768 goto err; 769 der = NULL; 770 771 rv = 1; 772 err: 773 X509_ALGOR_free(kekalg); 774 OPENSSL_free(der); 775 return rv; 776 } 777 778 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri) 779 { 780 EVP_PKEY_CTX *pctx; 781 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 782 if (!pctx) 783 return 0; 784 /* See if we need to set peer key */ 785 if (!EVP_PKEY_CTX_get0_peerkey(pctx)) { 786 X509_ALGOR *alg; 787 ASN1_BIT_STRING *pubkey; 788 if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey, 789 NULL, NULL, NULL)) 790 return 0; 791 if (!alg || !pubkey) 792 return 0; 793 if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) { 794 ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_PEER_KEY_ERROR); 795 return 0; 796 } 797 } 798 /* Set ECDH derivation parameters and initialise unwrap context */ 799 if (!ecdh_cms_set_shared_info(pctx, ri)) { 800 ECerr(EC_F_ECDH_CMS_DECRYPT, EC_R_SHARED_INFO_ERROR); 801 return 0; 802 } 803 return 1; 804 } 805 806 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) 807 { 808 EVP_PKEY_CTX *pctx; 809 EVP_PKEY *pkey; 810 EVP_CIPHER_CTX *ctx; 811 int keylen; 812 X509_ALGOR *talg, *wrap_alg = NULL; 813 const ASN1_OBJECT *aoid; 814 ASN1_BIT_STRING *pubkey; 815 ASN1_STRING *wrap_str; 816 ASN1_OCTET_STRING *ukm; 817 unsigned char *penc = NULL; 818 int penclen; 819 int rv = 0; 820 int ecdh_nid, kdf_type, kdf_nid, wrap_nid; 821 const EVP_MD *kdf_md; 822 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 823 if (!pctx) 824 return 0; 825 /* Get ephemeral key */ 826 pkey = EVP_PKEY_CTX_get0_pkey(pctx); 827 if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey, 828 NULL, NULL, NULL)) 829 goto err; 830 X509_ALGOR_get0(&aoid, NULL, NULL, talg); 831 /* Is everything uninitialised? */ 832 if (aoid == OBJ_nid2obj(NID_undef)) { 833 834 EC_KEY *eckey = pkey->pkey.ec; 835 /* Set the key */ 836 unsigned char *p; 837 838 penclen = i2o_ECPublicKey(eckey, NULL); 839 if (penclen <= 0) 840 goto err; 841 penc = OPENSSL_malloc(penclen); 842 if (penc == NULL) 843 goto err; 844 p = penc; 845 penclen = i2o_ECPublicKey(eckey, &p); 846 if (penclen <= 0) 847 goto err; 848 ASN1_STRING_set0(pubkey, penc, penclen); 849 pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); 850 pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; 851 852 penc = NULL; 853 X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 854 V_ASN1_UNDEF, NULL); 855 } 856 857 /* See if custom parameters set */ 858 kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx); 859 if (kdf_type <= 0) 860 goto err; 861 if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md)) 862 goto err; 863 ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx); 864 if (ecdh_nid < 0) 865 goto err; 866 else if (ecdh_nid == 0) 867 ecdh_nid = NID_dh_std_kdf; 868 else if (ecdh_nid == 1) 869 ecdh_nid = NID_dh_cofactor_kdf; 870 871 if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { 872 kdf_type = EVP_PKEY_ECDH_KDF_X9_63; 873 if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) 874 goto err; 875 } else 876 /* Unknown KDF */ 877 goto err; 878 if (kdf_md == NULL) { 879 /* Fixme later for better MD */ 880 kdf_md = EVP_sha1(); 881 if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) 882 goto err; 883 } 884 885 if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm)) 886 goto err; 887 888 /* Lookup NID for KDF+cofactor+digest */ 889 890 if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid)) 891 goto err; 892 /* Get wrap NID */ 893 ctx = CMS_RecipientInfo_kari_get0_ctx(ri); 894 wrap_nid = EVP_CIPHER_CTX_type(ctx); 895 keylen = EVP_CIPHER_CTX_key_length(ctx); 896 897 /* Package wrap algorithm in an AlgorithmIdentifier */ 898 899 wrap_alg = X509_ALGOR_new(); 900 if (wrap_alg == NULL) 901 goto err; 902 wrap_alg->algorithm = OBJ_nid2obj(wrap_nid); 903 wrap_alg->parameter = ASN1_TYPE_new(); 904 if (wrap_alg->parameter == NULL) 905 goto err; 906 if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0) 907 goto err; 908 if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) { 909 ASN1_TYPE_free(wrap_alg->parameter); 910 wrap_alg->parameter = NULL; 911 } 912 913 if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) 914 goto err; 915 916 penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); 917 918 if (!penclen) 919 goto err; 920 921 if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) 922 goto err; 923 penc = NULL; 924 925 /* 926 * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter 927 * of another AlgorithmIdentifier. 928 */ 929 penclen = i2d_X509_ALGOR(wrap_alg, &penc); 930 if (!penc || !penclen) 931 goto err; 932 wrap_str = ASN1_STRING_new(); 933 if (wrap_str == NULL) 934 goto err; 935 ASN1_STRING_set0(wrap_str, penc, penclen); 936 penc = NULL; 937 X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str); 938 939 rv = 1; 940 941 err: 942 OPENSSL_free(penc); 943 X509_ALGOR_free(wrap_alg); 944 return rv; 945 } 946 947 #endif 948