/src/openssl/crypto/ec/ecdh_ossl.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
4 | | * |
5 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | */ |
10 | | |
11 | | /* |
12 | | * ECDH low level APIs are deprecated for public use, but still ok for |
13 | | * internal use. |
14 | | */ |
15 | | #include "internal/deprecated.h" |
16 | | |
17 | | #include <string.h> |
18 | | #include <limits.h> |
19 | | |
20 | | #include "internal/cryptlib.h" |
21 | | |
22 | | #include <openssl/err.h> |
23 | | #include <openssl/bn.h> |
24 | | #include <openssl/objects.h> |
25 | | #include <openssl/ec.h> |
26 | | #include "ec_local.h" |
27 | | |
28 | | int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, |
29 | | const EC_POINT *pub_key, const EC_KEY *ecdh) |
30 | 0 | { |
31 | 0 | if (ecdh->group->meth->ecdh_compute_key == NULL) { |
32 | 0 | ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); |
33 | 0 | return 0; |
34 | 0 | } |
35 | | |
36 | 0 | return ecdh->group->meth->ecdh_compute_key(psec, pseclen, pub_key, ecdh); |
37 | 0 | } |
38 | | |
39 | | /*- |
40 | | * This implementation is based on the following primitives in the |
41 | | * IEEE 1363 standard: |
42 | | * - ECKAS-DH1 |
43 | | * - ECSVDP-DH |
44 | | * |
45 | | * It also conforms to SP800-56A r3 |
46 | | * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman |
47 | | * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A. |
48 | | */ |
49 | | int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, |
50 | | const EC_POINT *pub_key, const EC_KEY *ecdh) |
51 | 0 | { |
52 | 0 | BN_CTX *ctx; |
53 | 0 | EC_POINT *tmp = NULL; |
54 | 0 | BIGNUM *x = NULL; |
55 | 0 | const BIGNUM *priv_key; |
56 | 0 | const EC_GROUP *group; |
57 | 0 | int ret = 0; |
58 | 0 | size_t buflen, len; |
59 | 0 | unsigned char *buf = NULL; |
60 | |
|
61 | 0 | if ((ctx = BN_CTX_new_ex(ecdh->libctx)) == NULL) |
62 | 0 | goto err; |
63 | 0 | BN_CTX_start(ctx); |
64 | 0 | x = BN_CTX_get(ctx); |
65 | 0 | if (x == NULL) { |
66 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
67 | 0 | goto err; |
68 | 0 | } |
69 | | |
70 | 0 | priv_key = EC_KEY_get0_private_key(ecdh); |
71 | 0 | if (priv_key == NULL) { |
72 | 0 | ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY); |
73 | 0 | goto err; |
74 | 0 | } |
75 | | |
76 | 0 | group = EC_KEY_get0_group(ecdh); |
77 | | |
78 | | /* |
79 | | * Step(1) - Compute the point tmp = cofactor * owners_private_key |
80 | | * * peer_public_key. |
81 | | */ |
82 | 0 | if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) { |
83 | 0 | if (!EC_GROUP_get_cofactor(group, x, NULL)) { |
84 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); |
85 | 0 | goto err; |
86 | 0 | } |
87 | 0 | if (!BN_mul(x, x, priv_key, ctx)) { |
88 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
89 | 0 | goto err; |
90 | 0 | } |
91 | 0 | priv_key = x; |
92 | 0 | } |
93 | | |
94 | 0 | if ((tmp = EC_POINT_new(group)) == NULL) { |
95 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); |
96 | 0 | goto err; |
97 | 0 | } |
98 | | |
99 | 0 | if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) { |
100 | 0 | ERR_raise(ERR_LIB_EC, EC_R_POINT_ARITHMETIC_FAILURE); |
101 | 0 | goto err; |
102 | 0 | } |
103 | | |
104 | | /* |
105 | | * Step(2) : If point tmp is at infinity then clear intermediate values and |
106 | | * exit. Note: getting affine coordinates returns 0 if point is at infinity. |
107 | | * Step(3a) : Get x-coordinate of point x = tmp.x |
108 | | */ |
109 | 0 | if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) { |
110 | 0 | ERR_raise(ERR_LIB_EC, EC_R_POINT_ARITHMETIC_FAILURE); |
111 | 0 | goto err; |
112 | 0 | } |
113 | | |
114 | | /* |
115 | | * Step(3b) : convert x to a byte string, using the field-element-to-byte |
116 | | * string conversion routine defined in Appendix C.2 |
117 | | */ |
118 | 0 | buflen = (EC_GROUP_get_degree(group) + 7) / 8; |
119 | 0 | len = BN_num_bytes(x); |
120 | 0 | if (len > buflen) { |
121 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_INTERNAL_ERROR); |
122 | 0 | goto err; |
123 | 0 | } |
124 | 0 | if ((buf = OPENSSL_malloc(buflen)) == NULL) |
125 | 0 | goto err; |
126 | | |
127 | 0 | memset(buf, 0, buflen - len); |
128 | 0 | if (len != (size_t)BN_bn2bin(x, buf + buflen - len)) { |
129 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
130 | 0 | goto err; |
131 | 0 | } |
132 | | |
133 | 0 | *pout = buf; |
134 | 0 | *poutlen = buflen; |
135 | 0 | buf = NULL; |
136 | |
|
137 | 0 | ret = 1; |
138 | |
|
139 | 0 | err: |
140 | | /* Step(4) : Destroy all intermediate calculations */ |
141 | 0 | BN_clear(x); |
142 | 0 | EC_POINT_clear_free(tmp); |
143 | 0 | BN_CTX_end(ctx); |
144 | 0 | BN_CTX_free(ctx); |
145 | 0 | OPENSSL_free(buf); |
146 | 0 | return ret; |
147 | 0 | } |