/src/openssl/crypto/ec/ec_pmeth.c

Source (jump to first uncovered line)
/*
 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/ec.h>
#include "ec_lcl.h"
#include <openssl/evp.h>
#include "internal/evp_int.h"

/* EC pkey context structure */

typedef struct {
    /* Key and paramgen group */
    EC_GROUP *gen_group;
    /* message digest */
    const EVP_MD *md;
    /* Duplicate key if custom cofactor needed */
    EC_KEY *co_key;
    /* Cofactor mode */
    signed char cofactor_mode;
    /* KDF (if any) to use for ECDH */
    char kdf_type;
    /* Message digest to use for key derivation */
    const EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
} EC_PKEY_CTX;

static int pkey_ec_init(EVP_PKEY_CTX *ctx)
{
    EC_PKEY_CTX *dctx;

    if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
        ECerr(EC_F_PKEY_EC_INIT, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    dctx->cofactor_mode = -1;
    dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
    ctx->data = dctx;
    return 1;
}

static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
{
    EC_PKEY_CTX *dctx, *sctx;
    if (!pkey_ec_init(dst))
        return 0;
    sctx = src->data;
    dctx = dst->data;
    if (sctx->gen_group) {
        dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
        if (!dctx->gen_group)
            return 0;
    }
    dctx->md = sctx->md;

    if (sctx->co_key) {
        dctx->co_key = EC_KEY_dup(sctx->co_key);
        if (!dctx->co_key)
            return 0;
    }
    dctx->kdf_type = sctx->kdf_type;
    dctx->kdf_md = sctx->kdf_md;
    dctx->kdf_outlen = sctx->kdf_outlen;
    if (sctx->kdf_ukm) {
        dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
        if (!dctx->kdf_ukm)
            return 0;
    } else
        dctx->kdf_ukm = NULL;
    dctx->kdf_ukmlen = sctx->kdf_ukmlen;
    return 1;
}

static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
{
    EC_PKEY_CTX *dctx = ctx->data;
    if (dctx != NULL) {
        EC_GROUP_free(dctx->gen_group);
        EC_KEY_free(dctx->co_key);
        OPENSSL_free(dctx->kdf_ukm);
        OPENSSL_free(dctx);
        ctx->data = NULL;
    }
}

static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                        const unsigned char *tbs, size_t tbslen)
{
    int ret, type;
    unsigned int sltmp;
    EC_PKEY_CTX *dctx = ctx->data;
    EC_KEY *ec = ctx->pkey->pkey.ec;
    const int sig_sz = ECDSA_size(ec);

    /* ensure cast to size_t is safe */
    if (!ossl_assert(sig_sz > 0))
        return 0;

    if (sig == NULL) {
        *siglen = (size_t)sig_sz;
        return 1;
    }

    if (*siglen < (size_t)sig_sz) {
        ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL);
        return 0;
    }

    type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1;

    ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);

    if (ret <= 0)
        return ret;
    *siglen = (size_t)sltmp;
    return 1;
}

static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
                          const unsigned char *sig, size_t siglen,
                          const unsigned char *tbs, size_t tbslen)
{
    int ret, type;
    EC_PKEY_CTX *dctx = ctx->data;
    EC_KEY *ec = ctx->pkey->pkey.ec;

    if (dctx->md)
        type = EVP_MD_type(dctx->md);
    else
        type = NID_sha1;

    ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec);

    return ret;
}

#ifndef OPENSSL_NO_EC
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{
    int ret;
    size_t outlen;
    const EC_POINT *pubkey = NULL;
    EC_KEY *eckey;
    EC_PKEY_CTX *dctx = ctx->data;
    if (!ctx->pkey || !ctx->peerkey) {
        ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
        return 0;
    }

    eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;

    if (!key) {
        const EC_GROUP *group;
        group = EC_KEY_get0_group(eckey);
        *keylen = (EC_GROUP_get_degree(group) + 7) / 8;
        return 1;
    }
    pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);

    /*
     * NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
     * an error, the result is truncated.
     */

    outlen = *keylen;

    ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
    if (ret <= 0)
        return 0;
    *keylen = ret;
    return 1;
}

static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
                              unsigned char *key, size_t *keylen)
{
    EC_PKEY_CTX *dctx = ctx->data;
    unsigned char *ktmp = NULL;
    size_t ktmplen;
    int rv = 0;
    if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
        return pkey_ec_derive(ctx, key, keylen);
    if (!key) {
        *keylen = dctx->kdf_outlen;
        return 1;
    }
    if (*keylen != dctx->kdf_outlen)
        return 0;
    if (!pkey_ec_derive(ctx, NULL, &ktmplen))
        return 0;
    if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL) {
        ECerr(EC_F_PKEY_EC_KDF_DERIVE, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
        goto err;
    /* Do KDF stuff */
    if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
                        dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
        goto err;
    rv = 1;

 err:
    OPENSSL_clear_free(ktmp, ktmplen);
    return rv;
}
#endif

static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
    EC_PKEY_CTX *dctx = ctx->data;
    EC_GROUP *group;
    switch (type) {
    case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
        group = EC_GROUP_new_by_curve_name(p1);
        if (group == NULL) {
            ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
            return 0;
        }
        EC_GROUP_free(dctx->gen_group);
        dctx->gen_group = group;
        return 1;

    case EVP_PKEY_CTRL_EC_PARAM_ENC:
        if (!dctx->gen_group) {
            ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET);
            return 0;
        }
        EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
        return 1;

#ifndef OPENSSL_NO_EC
    case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
        if (p1 == -2) {
            if (dctx->cofactor_mode != -1)
                return dctx->cofactor_mode;
            else {
                EC_KEY *ec_key = ctx->pkey->pkey.ec;
                return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
            }
        } else if (p1 < -1 || p1 > 1)
            return -2;
        dctx->cofactor_mode = p1;
        if (p1 != -1) {
            EC_KEY *ec_key = ctx->pkey->pkey.ec;
            if (!ec_key->group)
                return -2;
            /* If cofactor is 1 cofactor mode does nothing */
            if (BN_is_one(ec_key->group->cofactor))
                return 1;
            if (!dctx->co_key) {
                dctx->co_key = EC_KEY_dup(ec_key);
                if (!dctx->co_key)
                    return 0;
            }
            if (p1)
                EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
            else
                EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
        } else {
            EC_KEY_free(dctx->co_key);
            dctx->co_key = NULL;
        }
        return 1;
#endif

    case EVP_PKEY_CTRL_EC_KDF_TYPE:
        if (p1 == -2)
            return dctx->kdf_type;
        if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
            return -2;
        dctx->kdf_type = p1;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_MD:
        dctx->kdf_md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_MD:
        *(const EVP_MD **)p2 = dctx->kdf_md;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
        if (p1 <= 0)
            return -2;
        dctx->kdf_outlen = (size_t)p1;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
        *(int *)p2 = dctx->kdf_outlen;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_UKM:
        OPENSSL_free(dctx->kdf_ukm);
        dctx->kdf_ukm = p2;
        if (p2)
            dctx->kdf_ukmlen = p1;
        else
            dctx->kdf_ukmlen = 0;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
        *(unsigned char **)p2 = dctx->kdf_ukm;
        return dctx->kdf_ukmlen;

    case EVP_PKEY_CTRL_MD:
        if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
            EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
            ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
            return 0;
        }
        dctx->md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_MD:
        *(const EVP_MD **)p2 = dctx->md;
        return 1;

    case EVP_PKEY_CTRL_PEER_KEY:
        /* Default behaviour is OK */
    case EVP_PKEY_CTRL_DIGESTINIT:
    case EVP_PKEY_CTRL_PKCS7_SIGN:
    case EVP_PKEY_CTRL_CMS_SIGN:
        return 1;

    default:
        return -2;

    }
}

static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
                            const char *type, const char *value)
{
    if (strcmp(type, "ec_paramgen_curve") == 0) {
        int nid;
        nid = EC_curve_nist2nid(value);
        if (nid == NID_undef)
            nid = OBJ_sn2nid(value);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(value);
        if (nid == NID_undef) {
            ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
            return 0;
        }
        return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
    } else if (strcmp(type, "ec_param_enc") == 0) {
        int param_enc;
        if (strcmp(value, "explicit") == 0)
            param_enc = 0;
        else if (strcmp(value, "named_curve") == 0)
            param_enc = OPENSSL_EC_NAMED_CURVE;
        else
            return -2;
        return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
    } else if (strcmp(type, "ecdh_kdf_md") == 0) {
        const EVP_MD *md;
        if ((md = EVP_get_digestbyname(value)) == NULL) {
            ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
            return 0;
        }
        return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
    } else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
        int co_mode;
        co_mode = atoi(value);
        return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
    }

    return -2;
}

static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    EC_KEY *ec = NULL;
    EC_PKEY_CTX *dctx = ctx->data;
    int ret;

    if (dctx->gen_group == NULL) {
        ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET);
        return 0;
    }
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    if (!(ret = EC_KEY_set_group(ec, dctx->gen_group))
        || !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
        EC_KEY_free(ec);
    return ret;
}

static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    EC_KEY *ec = NULL;
    EC_PKEY_CTX *dctx = ctx->data;
    int ret;

    if (ctx->pkey == NULL && dctx->gen_group == NULL) {
        ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET);
        return 0;
    }
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
        EC_KEY_free(ec);
        return 0;
    }
    /* Note: if error is returned, we count on caller to free pkey->pkey.ec */
    if (ctx->pkey != NULL)
        ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey);
    else
        ret = EC_KEY_set_group(ec, dctx->gen_group);

    return ret ? EC_KEY_generate_key(ec) : 0;
}

const EVP_PKEY_METHOD ec_pkey_meth = {
    EVP_PKEY_EC,
    0,
    pkey_ec_init,
    pkey_ec_copy,
    pkey_ec_cleanup,

    0,
    pkey_ec_paramgen,

    0,
    pkey_ec_keygen,

    0,
    pkey_ec_sign,

    0,
    pkey_ec_verify,

    0, 0,

    0, 0, 0, 0,

    0,
    0,

    0,
    0,

    0,
#ifndef OPENSSL_NO_EC
    pkey_ec_kdf_derive,
#else
    0,
#endif
    pkey_ec_ctrl,
    pkey_ec_ctrl_str
};

Coverage Report

Created: 2018-08-29 13:53

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12		#include <openssl/asn1t.h>
13		#include <openssl/x509.h>
14		#include <openssl/ec.h>
15		#include "ec_lcl.h"
16		#include <openssl/evp.h>
17		#include "internal/evp_int.h"
18
19		/* EC pkey context structure */
20
21		typedef struct {
22		/* Key and paramgen group */
23		EC_GROUP *gen_group;
24		/* message digest */
25		const EVP_MD *md;
26		/* Duplicate key if custom cofactor needed */
27		EC_KEY *co_key;
28		/* Cofactor mode */
29		signed char cofactor_mode;
30		/* KDF (if any) to use for ECDH */
31		char kdf_type;
32		/* Message digest to use for key derivation */
33		const EVP_MD *kdf_md;
34		/* User key material */
35		unsigned char *kdf_ukm;
36		size_t kdf_ukmlen;
37		/* KDF output length */
38		size_t kdf_outlen;
39		} EC_PKEY_CTX;
40
41		static int pkey_ec_init(EVP_PKEY_CTX *ctx)
42	0	{
43	0	EC_PKEY_CTX *dctx;
44	0
45	0	if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
46	0	ECerr(EC_F_PKEY_EC_INIT, ERR_R_MALLOC_FAILURE);
47	0	return 0;
48	0	}
49	0
50	0	dctx->cofactor_mode = -1;
51	0	dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
52	0	ctx->data = dctx;
53	0	return 1;
54	0	}
55
56		static int pkey_ec_copy(EVP_PKEY_CTX dst, EVP_PKEY_CTX src)
57	0	{
58	0	EC_PKEY_CTX dctx, sctx;
59	0	if (!pkey_ec_init(dst))
60	0	return 0;
61	0	sctx = src->data;
62	0	dctx = dst->data;
63	0	if (sctx->gen_group) {
64	0	dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
65	0	if (!dctx->gen_group)
66	0	return 0;
67	0	}
68	0	dctx->md = sctx->md;
69	0
70	0	if (sctx->co_key) {
71	0	dctx->co_key = EC_KEY_dup(sctx->co_key);
72	0	if (!dctx->co_key)
73	0	return 0;
74	0	}
75	0	dctx->kdf_type = sctx->kdf_type;
76	0	dctx->kdf_md = sctx->kdf_md;
77	0	dctx->kdf_outlen = sctx->kdf_outlen;
78	0	if (sctx->kdf_ukm) {
79	0	dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
80	0	if (!dctx->kdf_ukm)
81	0	return 0;
82	0	} else
83	0	dctx->kdf_ukm = NULL;
84	0	dctx->kdf_ukmlen = sctx->kdf_ukmlen;
85	0	return 1;
86	0	}
87
88		static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
89	0	{
90	0	EC_PKEY_CTX *dctx = ctx->data;
91	0	if (dctx != NULL) {
92	0	EC_GROUP_free(dctx->gen_group);
93	0	EC_KEY_free(dctx->co_key);
94	0	OPENSSL_free(dctx->kdf_ukm);
95	0	OPENSSL_free(dctx);
96	0	ctx->data = NULL;
97	0	}
98	0	}
99
100		static int pkey_ec_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
101		const unsigned char *tbs, size_t tbslen)
102	0	{
103	0	int ret, type;
104	0	unsigned int sltmp;
105	0	EC_PKEY_CTX *dctx = ctx->data;
106	0	EC_KEY *ec = ctx->pkey->pkey.ec;
107	0	const int sig_sz = ECDSA_size(ec);
108	0
109	0	/* ensure cast to size_t is safe */
110	0	if (!ossl_assert(sig_sz > 0))
111	0	return 0;
112	0
113	0	if (sig == NULL) {
114	0	*siglen = (size_t)sig_sz;
115	0	return 1;
116	0	}
117	0
118	0	if (*siglen < (size_t)sig_sz) {
119	0	ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL);
120	0	return 0;
121	0	}
122	0
123	0	type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1;
124	0
125	0	ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);
126	0
127	0	if (ret <= 0)
128	0	return ret;
129	0	*siglen = (size_t)sltmp;
130	0	return 1;
131	0	}
132
133		static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
134		const unsigned char *sig, size_t siglen,
135		const unsigned char *tbs, size_t tbslen)
136	0	{
137	0	int ret, type;
138	0	EC_PKEY_CTX *dctx = ctx->data;
139	0	EC_KEY *ec = ctx->pkey->pkey.ec;
140	0
141	0	if (dctx->md)
142	0	type = EVP_MD_type(dctx->md);
143	0	else
144	0	type = NID_sha1;
145	0
146	0	ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec);
147	0
148	0	return ret;
149	0	}
150
151		#ifndef OPENSSL_NO_EC
152		static int pkey_ec_derive(EVP_PKEY_CTX ctx, unsigned char key, size_t *keylen)
153	0	{
154	0	int ret;
155	0	size_t outlen;
156	0	const EC_POINT *pubkey = NULL;
157	0	EC_KEY *eckey;
158	0	EC_PKEY_CTX *dctx = ctx->data;
159	0	if (!ctx->pkey \|\| !ctx->peerkey) {
160	0	ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
161	0	return 0;
162	0	}
163	0
164	0	eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;
165	0
166	0	if (!key) {
167	0	const EC_GROUP *group;
168	0	group = EC_KEY_get0_group(eckey);
169	0	*keylen = (EC_GROUP_get_degree(group) + 7) / 8;
170	0	return 1;
171	0	}
172	0	pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
173	0
174	0	/*
175	0	* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
176	0	* an error, the result is truncated.
177	0	*/
178	0
179	0	outlen = *keylen;
180	0
181	0	ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
182	0	if (ret <= 0)
183	0	return 0;
184	0	*keylen = ret;
185	0	return 1;
186	0	}
187
188		static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
189		unsigned char key, size_t keylen)
190	0	{
191	0	EC_PKEY_CTX *dctx = ctx->data;
192	0	unsigned char *ktmp = NULL;
193	0	size_t ktmplen;
194	0	int rv = 0;
195	0	if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
196	0	return pkey_ec_derive(ctx, key, keylen);
197	0	if (!key) {
198	0	*keylen = dctx->kdf_outlen;
199	0	return 1;
200	0	}
201	0	if (*keylen != dctx->kdf_outlen)
202	0	return 0;
203	0	if (!pkey_ec_derive(ctx, NULL, &ktmplen))
204	0	return 0;
205	0	if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL) {
206	0	ECerr(EC_F_PKEY_EC_KDF_DERIVE, ERR_R_MALLOC_FAILURE);
207	0	return 0;
208	0	}
209	0	if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
210	0	goto err;
211	0	/* Do KDF stuff */
212	0	if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
213	0	dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
214	0	goto err;
215	0	rv = 1;
216	0
217	0	err:
218	0	OPENSSL_clear_free(ktmp, ktmplen);
219	0	return rv;
220	0	}
221		#endif
222
223		static int pkey_ec_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
224	0	{
225	0	EC_PKEY_CTX *dctx = ctx->data;
226	0	EC_GROUP *group;
227	0	switch (type) {
228	0	case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
229	0	group = EC_GROUP_new_by_curve_name(p1);
230	0	if (group == NULL) {
231	0	ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
232	0	return 0;
233	0	}
234	0	EC_GROUP_free(dctx->gen_group);
235	0	dctx->gen_group = group;
236	0	return 1;
237	0
238	0	case EVP_PKEY_CTRL_EC_PARAM_ENC:
239	0	if (!dctx->gen_group) {
240	0	ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET);
241	0	return 0;
242	0	}
243	0	EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
244	0	return 1;
245	0
246	0	#ifndef OPENSSL_NO_EC
247	0	case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
248	0	if (p1 == -2) {
249	0	if (dctx->cofactor_mode != -1)
250	0	return dctx->cofactor_mode;
251	0	else {
252	0	EC_KEY *ec_key = ctx->pkey->pkey.ec;
253	0	return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
254	0	}
255	0	} else if (p1 < -1 \|\| p1 > 1)
256	0	return -2;
257	0	dctx->cofactor_mode = p1;
258	0	if (p1 != -1) {
259	0	EC_KEY *ec_key = ctx->pkey->pkey.ec;
260	0	if (!ec_key->group)
261	0	return -2;
262	0	/* If cofactor is 1 cofactor mode does nothing */
263	0	if (BN_is_one(ec_key->group->cofactor))
264	0	return 1;
265	0	if (!dctx->co_key) {
266	0	dctx->co_key = EC_KEY_dup(ec_key);
267	0	if (!dctx->co_key)
268	0	return 0;
269	0	}
270	0	if (p1)
271	0	EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
272	0	else
273	0	EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
274	0	} else {
275	0	EC_KEY_free(dctx->co_key);
276	0	dctx->co_key = NULL;
277	0	}
278	0	return 1;
279	0	#endif
280	0
281	0	case EVP_PKEY_CTRL_EC_KDF_TYPE:
282	0	if (p1 == -2)
283	0	return dctx->kdf_type;
284	0	if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
285	0	return -2;
286	0	dctx->kdf_type = p1;
287	0	return 1;
288	0
289	0	case EVP_PKEY_CTRL_EC_KDF_MD:
290	0	dctx->kdf_md = p2;
291	0	return 1;
292	0
293	0	case EVP_PKEY_CTRL_GET_EC_KDF_MD:
294	0	(const EVP_MD *)p2 = dctx->kdf_md;
295	0	return 1;
296	0
297	0	case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
298	0	if (p1 <= 0)
299	0	return -2;
300	0	dctx->kdf_outlen = (size_t)p1;
301	0	return 1;
302	0
303	0	case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
304	0	(int )p2 = dctx->kdf_outlen;
305	0	return 1;
306	0
307	0	case EVP_PKEY_CTRL_EC_KDF_UKM:
308	0	OPENSSL_free(dctx->kdf_ukm);
309	0	dctx->kdf_ukm = p2;
310	0	if (p2)
311	0	dctx->kdf_ukmlen = p1;
312	0	else
313	0	dctx->kdf_ukmlen = 0;
314	0	return 1;
315	0
316	0	case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
317	0	(unsigned char *)p2 = dctx->kdf_ukm;
318	0	return dctx->kdf_ukmlen;
319	0
320	0	case EVP_PKEY_CTRL_MD:
321	0	if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
322	0	EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
323	0	EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
324	0	EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
325	0	EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
326	0	EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
327	0	ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
328	0	return 0;
329	0	}
330	0	dctx->md = p2;
331	0	return 1;
332	0
333	0	case EVP_PKEY_CTRL_GET_MD:
334	0	(const EVP_MD *)p2 = dctx->md;
335	0	return 1;
336	0
337	0	case EVP_PKEY_CTRL_PEER_KEY:
338	0	/* Default behaviour is OK */
339	0	case EVP_PKEY_CTRL_DIGESTINIT:
340	0	case EVP_PKEY_CTRL_PKCS7_SIGN:
341	0	case EVP_PKEY_CTRL_CMS_SIGN:
342	0	return 1;
343	0
344	0	default:
345	0	return -2;
346	0
347	0	}
348	0	}
349
350		static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
351		const char type, const char value)
352		{
353		if (strcmp(type, "ec_paramgen_curve") == 0) {
354		int nid;
355		nid = EC_curve_nist2nid(value);
356		if (nid == NID_undef)
357		nid = OBJ_sn2nid(value);
358		if (nid == NID_undef)
359		nid = OBJ_ln2nid(value);
360		if (nid == NID_undef) {
361		ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
362		return 0;
363		}
364		return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
365		} else if (strcmp(type, "ec_param_enc") == 0) {
366		int param_enc;
367		if (strcmp(value, "explicit") == 0)
368		param_enc = 0;
369		else if (strcmp(value, "named_curve") == 0)
370		param_enc = OPENSSL_EC_NAMED_CURVE;
371		else
372		return -2;
373		return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
374		} else if (strcmp(type, "ecdh_kdf_md") == 0) {
375		const EVP_MD *md;
376		if ((md = EVP_get_digestbyname(value)) == NULL) {
377		ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
378		return 0;
379		}
380		return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
381		} else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
382		int co_mode;
383		co_mode = atoi(value);
384		return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
385		}
386
387		return -2;
388		}
389
390		static int pkey_ec_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
391	0	{
392	0	EC_KEY *ec = NULL;
393	0	EC_PKEY_CTX *dctx = ctx->data;
394	0	int ret;
395	0
396	0	if (dctx->gen_group == NULL) {
397	0	ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET);
398	0	return 0;
399	0	}
400	0	ec = EC_KEY_new();
401	0	if (ec == NULL)
402	0	return 0;
403	0	if (!(ret = EC_KEY_set_group(ec, dctx->gen_group))
404	0	\|\| !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
405	0	EC_KEY_free(ec);
406	0	return ret;
407	0	}
408
409		static int pkey_ec_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
410	0	{
411	0	EC_KEY *ec = NULL;
412	0	EC_PKEY_CTX *dctx = ctx->data;
413	0	int ret;
414	0
415	0	if (ctx->pkey == NULL && dctx->gen_group == NULL) {
416	0	ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET);
417	0	return 0;
418	0	}
419	0	ec = EC_KEY_new();
420	0	if (ec == NULL)
421	0	return 0;
422	0	if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
423	0	EC_KEY_free(ec);
424	0	return 0;
425	0	}
426	0	/* Note: if error is returned, we count on caller to free pkey->pkey.ec */
427	0	if (ctx->pkey != NULL)
428	0	ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey);
429	0	else
430	0	ret = EC_KEY_set_group(ec, dctx->gen_group);
431	0
432	0	return ret ? EC_KEY_generate_key(ec) : 0;
433	0	}
434
435		const EVP_PKEY_METHOD ec_pkey_meth = {
436		EVP_PKEY_EC,
437		0,
438		pkey_ec_init,
439		pkey_ec_copy,
440		pkey_ec_cleanup,
441
442		0,
443		pkey_ec_paramgen,
444
445		0,
446		pkey_ec_keygen,
447
448		0,
449		pkey_ec_sign,
450
451		0,
452		pkey_ec_verify,
453
454		0, 0,
455
456		0, 0, 0, 0,
457
458		0,
459		0,
460
461		0,
462		0,
463
464		0,
465		#ifndef OPENSSL_NO_EC
466		pkey_ec_kdf_derive,
467		#else
468		0,
469		#endif
470		pkey_ec_ctrl,
471		pkey_ec_ctrl_str
472		};