/src/openssl/crypto/ec/ec_pmeth.c

Source
/*
 * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDH and ECDSA low level APIs are deprecated for public use, but still ok
 * for internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/ec.h>
#include "ec_local.h"
#include <openssl/evp.h>
#include "crypto/evp.h"

/* EC pkey context structure */

typedef struct {
    /* Key and paramgen group */
    EC_GROUP *gen_group;
    /* message digest */
    const EVP_MD *md;
    /* Duplicate key if custom cofactor needed */
    EC_KEY *co_key;
    /* Cofactor mode */
    signed char cofactor_mode;
    /* KDF (if any) to use for ECDH */
    char kdf_type;
    /* Message digest to use for key derivation */
    const EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
} EC_PKEY_CTX;

static int pkey_ec_init(EVP_PKEY_CTX *ctx)
{
    EC_PKEY_CTX *dctx;

    if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL)
        return 0;

    dctx->cofactor_mode = -1;
    dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
    ctx->data = dctx;
    return 1;
}

static int pkey_ec_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
{
    EC_PKEY_CTX *dctx, *sctx;
    if (!pkey_ec_init(dst))
        return 0;
    sctx = src->data;
    dctx = dst->data;
    if (sctx->gen_group) {
        dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
        if (!dctx->gen_group)
            return 0;
    }
    dctx->md = sctx->md;

    if (sctx->co_key) {
        dctx->co_key = EC_KEY_dup(sctx->co_key);
        if (!dctx->co_key)
            return 0;
    }
    dctx->kdf_type = sctx->kdf_type;
    dctx->kdf_md = sctx->kdf_md;
    dctx->kdf_outlen = sctx->kdf_outlen;
    if (sctx->kdf_ukm) {
        dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
        if (!dctx->kdf_ukm)
            return 0;
    } else
        dctx->kdf_ukm = NULL;
    dctx->kdf_ukmlen = sctx->kdf_ukmlen;
    return 1;
}

static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
{
    EC_PKEY_CTX *dctx = ctx->data;
    if (dctx != NULL) {
        EC_GROUP_free(dctx->gen_group);
        EC_KEY_free(dctx->co_key);
        OPENSSL_free(dctx->kdf_ukm);
        OPENSSL_free(dctx);
        ctx->data = NULL;
    }
}

static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                        const unsigned char *tbs, size_t tbslen)
{
    int ret, type;
    unsigned int sltmp;
    EC_PKEY_CTX *dctx = ctx->data;
    /*
     * Discard const. Its marked as const because this may be a cached copy of
     * the "real" key. These calls don't make any modifications that need to
     * be reflected back in the "original" key.
     */
    EC_KEY *ec = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey);
    const int sig_sz = ECDSA_size(ec);

    /* ensure cast to size_t is safe */
    if (!ossl_assert(sig_sz > 0))
        return 0;

    if (sig == NULL) {
        *siglen = (size_t)sig_sz;
        return 1;
    }

    if (*siglen < (size_t)sig_sz) {
        ERR_raise(ERR_LIB_EC, EC_R_BUFFER_TOO_SMALL);
        return 0;
    }

    type = (dctx->md != NULL) ? EVP_MD_get_type(dctx->md) : NID_sha1;

    ret = ECDSA_sign(type, tbs, (int)tbslen, sig, &sltmp, ec);

    if (ret <= 0)
        return ret;
    *siglen = (size_t)sltmp;
    return 1;
}

static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
                          const unsigned char *sig, size_t siglen,
                          const unsigned char *tbs, size_t tbslen)
{
    int ret, type;
    EC_PKEY_CTX *dctx = ctx->data;
    /*
     * Discard const. Its marked as const because this may be a cached copy of
     * the "real" key. These calls don't make any modifications that need to
     * be reflected back in the "original" key.
     */
    EC_KEY *ec = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey);

    if (dctx->md)
        type = EVP_MD_get_type(dctx->md);
    else
        type = NID_sha1;

    ret = ECDSA_verify(type, tbs, (int)tbslen, sig, (int)siglen, ec);

    return ret;
}

#ifndef OPENSSL_NO_EC
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{
    int ret;
    size_t outlen;
    const EC_POINT *pubkey = NULL;
    EC_KEY *eckey;
    const EC_KEY *eckeypub;
    EC_PKEY_CTX *dctx = ctx->data;

    if (ctx->pkey == NULL || ctx->peerkey == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_KEYS_NOT_SET);
        return 0;
    }
    eckeypub = EVP_PKEY_get0_EC_KEY(ctx->peerkey);
    if (eckeypub == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_KEYS_NOT_SET);
        return 0;
    }

    eckey = dctx->co_key ? dctx->co_key
                         : (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey);

    if (!key) {
        const EC_GROUP *group;
        group = EC_KEY_get0_group(eckey);

        if (group == NULL)
            return 0;
        *keylen = (EC_GROUP_get_degree(group) + 7) / 8;
        return 1;
    }
    pubkey = EC_KEY_get0_public_key(eckeypub);

    /*
     * NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
     * an error, the result is truncated.
     */

    outlen = *keylen;

    ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
    if (ret <= 0)
        return 0;
    *keylen = ret;
    return 1;
}

static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
                              unsigned char *key, size_t *keylen)
{
    EC_PKEY_CTX *dctx = ctx->data;
    unsigned char *ktmp = NULL;
    size_t ktmplen;
    int rv = 0;
    if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
        return pkey_ec_derive(ctx, key, keylen);
    if (!key) {
        *keylen = dctx->kdf_outlen;
        return 1;
    }
    if (*keylen != dctx->kdf_outlen)
        return 0;
    if (!pkey_ec_derive(ctx, NULL, &ktmplen))
        return 0;
    if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL)
        return 0;
    if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
        goto err;
    /* Do KDF stuff */
    if (!ossl_ecdh_kdf_X9_63(key, *keylen, ktmp, ktmplen,
                             dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md,
                             ctx->libctx, ctx->propquery))
        goto err;
    rv = 1;

 err:
    OPENSSL_clear_free(ktmp, ktmplen);
    return rv;
}
#endif

static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
    EC_PKEY_CTX *dctx = ctx->data;
    EC_GROUP *group;
    switch (type) {
    case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
        group = EC_GROUP_new_by_curve_name(p1);
        if (group == NULL) {
            ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE);
            return 0;
        }
        EC_GROUP_free(dctx->gen_group);
        dctx->gen_group = group;
        return 1;

    case EVP_PKEY_CTRL_EC_PARAM_ENC:
        if (!dctx->gen_group) {
            ERR_raise(ERR_LIB_EC, EC_R_NO_PARAMETERS_SET);
            return 0;
        }
        EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
        return 1;

#ifndef OPENSSL_NO_EC
    case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
        if (p1 == -2) {
            if (dctx->cofactor_mode != -1)
                return dctx->cofactor_mode;
            else {
                const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ctx->pkey);
                return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
            }
        } else if (p1 < -1 || p1 > 1)
            return -2;
        dctx->cofactor_mode = p1;
        if (p1 != -1) {
            EC_KEY *ec_key = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey);

            /*
             * We discarded the "const" above. This will only work if the key is
             * a "real" legacy key, and not a cached copy of a provided key
             */
            if (evp_pkey_is_provided(ctx->pkey)) {
                ERR_raise(ERR_LIB_EC, ERR_R_UNSUPPORTED);
                return 0;
            }
            if (!ec_key->group)
                return -2;
            /* If cofactor is 1 cofactor mode does nothing */
            if (BN_is_one(ec_key->group->cofactor))
                return 1;
            if (!dctx->co_key) {
                dctx->co_key = EC_KEY_dup(ec_key);
                if (!dctx->co_key)
                    return 0;
            }
            if (p1)
                EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
            else
                EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
        } else {
            EC_KEY_free(dctx->co_key);
            dctx->co_key = NULL;
        }
        return 1;
#endif

    case EVP_PKEY_CTRL_EC_KDF_TYPE:
        if (p1 == -2)
            return dctx->kdf_type;
        if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
            return -2;
        dctx->kdf_type = p1;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_MD:
        dctx->kdf_md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_MD:
        *(const EVP_MD **)p2 = dctx->kdf_md;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
        if (p1 <= 0)
            return -2;
        dctx->kdf_outlen = (size_t)p1;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
        *(int *)p2 = (int)dctx->kdf_outlen;
        return 1;

    case EVP_PKEY_CTRL_EC_KDF_UKM:
        OPENSSL_free(dctx->kdf_ukm);
        dctx->kdf_ukm = p2;
        if (p2)
            dctx->kdf_ukmlen = p1;
        else
            dctx->kdf_ukmlen = 0;
        return 1;

    case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
        *(unsigned char **)p2 = dctx->kdf_ukm;
        return (int)dctx->kdf_ukmlen;

    case EVP_PKEY_CTRL_MD:
        if (EVP_MD_get_type((const EVP_MD *)p2) != NID_sha1 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha224 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha256 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha384 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha512 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_224 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_256 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_384 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_512 &&
            EVP_MD_get_type((const EVP_MD *)p2) != NID_sm3) {
            ERR_raise(ERR_LIB_EC, EC_R_INVALID_DIGEST_TYPE);
            return 0;
        }
        dctx->md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_MD:
        *(const EVP_MD **)p2 = dctx->md;
        return 1;

    case EVP_PKEY_CTRL_PEER_KEY:
        /* Default behaviour is OK */
    case EVP_PKEY_CTRL_DIGESTINIT:
    case EVP_PKEY_CTRL_PKCS7_SIGN:
    case EVP_PKEY_CTRL_CMS_SIGN:
        return 1;

    default:
        return -2;

    }
}

static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
                            const char *type, const char *value)
{
    if (strcmp(type, "ec_paramgen_curve") == 0) {
        int nid;
        nid = EC_curve_nist2nid(value);
        if (nid == NID_undef)
            nid = OBJ_sn2nid(value);
        if (nid == NID_undef)
            nid = OBJ_ln2nid(value);
        if (nid == NID_undef) {
            ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE);
            return 0;
        }
        return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
    } else if (strcmp(type, "ec_param_enc") == 0) {
        int param_enc;
        if (strcmp(value, "explicit") == 0)
            param_enc = 0;
        else if (strcmp(value, "named_curve") == 0)
            param_enc = OPENSSL_EC_NAMED_CURVE;
        else
            return -2;
        return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
    } else if (strcmp(type, "ecdh_kdf_md") == 0) {
        const EVP_MD *md;
        if ((md = EVP_get_digestbyname(value)) == NULL) {
            ERR_raise(ERR_LIB_EC, EC_R_INVALID_DIGEST);
            return 0;
        }
        return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
    } else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
        int co_mode;
        co_mode = atoi(value);
        return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
    }

    return -2;
}

static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    EC_KEY *ec = NULL;
    EC_PKEY_CTX *dctx = ctx->data;
    int ret;

    if (dctx->gen_group == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_NO_PARAMETERS_SET);
        return 0;
    }
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    if (!(ret = EC_KEY_set_group(ec, dctx->gen_group))
        || !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
        EC_KEY_free(ec);
    return ret;
}

static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    EC_KEY *ec = NULL;
    EC_PKEY_CTX *dctx = ctx->data;
    int ret;

    if (ctx->pkey == NULL && dctx->gen_group == NULL) {
        ERR_raise(ERR_LIB_EC, EC_R_NO_PARAMETERS_SET);
        return 0;
    }
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
        EC_KEY_free(ec);
        return 0;
    }
    /* Note: if error is returned, we count on caller to free pkey->pkey.ec */
    if (ctx->pkey != NULL)
        ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey);
    else
        ret = EC_KEY_set_group(ec, dctx->gen_group);

    return ret ? EC_KEY_generate_key(ec) : 0;
}

static const EVP_PKEY_METHOD ec_pkey_meth = {
    EVP_PKEY_EC,
    0,
    pkey_ec_init,
    pkey_ec_copy,
    pkey_ec_cleanup,

    0,
    pkey_ec_paramgen,

    0,
    pkey_ec_keygen,

    0,
    pkey_ec_sign,

    0,
    pkey_ec_verify,

    0, 0,

    0, 0, 0, 0,

    0,
    0,

    0,
    0,

    0,
#ifndef OPENSSL_NO_EC
    pkey_ec_kdf_derive,
#else
    0,
#endif
    pkey_ec_ctrl,
    pkey_ec_ctrl_str
};

const EVP_PKEY_METHOD *ossl_ec_pkey_method(void)
{
    return &ec_pkey_meth;
}

Coverage Report

Created: 2025-10-28 06:56

Line	Count	Source
1		/*
2		* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* ECDH and ECDSA low level APIs are deprecated for public use, but still ok
12		* for internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <stdio.h>
17		#include "internal/cryptlib.h"
18		#include <openssl/asn1t.h>
19		#include <openssl/x509.h>
20		#include <openssl/ec.h>
21		#include "ec_local.h"
22		#include <openssl/evp.h>
23		#include "crypto/evp.h"
24
25		/* EC pkey context structure */
26
27		typedef struct {
28		/* Key and paramgen group */
29		EC_GROUP *gen_group;
30		/* message digest */
31		const EVP_MD *md;
32		/* Duplicate key if custom cofactor needed */
33		EC_KEY *co_key;
34		/* Cofactor mode */
35		signed char cofactor_mode;
36		/* KDF (if any) to use for ECDH */
37		char kdf_type;
38		/* Message digest to use for key derivation */
39		const EVP_MD *kdf_md;
40		/* User key material */
41		unsigned char *kdf_ukm;
42		size_t kdf_ukmlen;
43		/* KDF output length */
44		size_t kdf_outlen;
45		} EC_PKEY_CTX;
46
47		static int pkey_ec_init(EVP_PKEY_CTX *ctx)
48	0	{
49	0	EC_PKEY_CTX *dctx;
50
51	0	if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL)
52	0	return 0;
53
54	0	dctx->cofactor_mode = -1;
55	0	dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
56	0	ctx->data = dctx;
57	0	return 1;
58	0	}
59
60		static int pkey_ec_copy(EVP_PKEY_CTX dst, const EVP_PKEY_CTX src)
61	0	{
62	0	EC_PKEY_CTX dctx, sctx;
63	0	if (!pkey_ec_init(dst))
64	0	return 0;
65	0	sctx = src->data;
66	0	dctx = dst->data;
67	0	if (sctx->gen_group) {
68	0	dctx->gen_group = EC_GROUP_dup(sctx->gen_group);
69	0	if (!dctx->gen_group)
70	0	return 0;
71	0	}
72	0	dctx->md = sctx->md;
73
74	0	if (sctx->co_key) {
75	0	dctx->co_key = EC_KEY_dup(sctx->co_key);
76	0	if (!dctx->co_key)
77	0	return 0;
78	0	}
79	0	dctx->kdf_type = sctx->kdf_type;
80	0	dctx->kdf_md = sctx->kdf_md;
81	0	dctx->kdf_outlen = sctx->kdf_outlen;
82	0	if (sctx->kdf_ukm) {
83	0	dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
84	0	if (!dctx->kdf_ukm)
85	0	return 0;
86	0	} else
87	0	dctx->kdf_ukm = NULL;
88	0	dctx->kdf_ukmlen = sctx->kdf_ukmlen;
89	0	return 1;
90	0	}
91
92		static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
93	0	{
94	0	EC_PKEY_CTX *dctx = ctx->data;
95	0	if (dctx != NULL) {
96	0	EC_GROUP_free(dctx->gen_group);
97	0	EC_KEY_free(dctx->co_key);
98	0	OPENSSL_free(dctx->kdf_ukm);
99	0	OPENSSL_free(dctx);
100	0	ctx->data = NULL;
101	0	}
102	0	}
103
104		static int pkey_ec_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
105		const unsigned char *tbs, size_t tbslen)
106	0	{
107	0	int ret, type;
108	0	unsigned int sltmp;
109	0	EC_PKEY_CTX *dctx = ctx->data;
110		/*
111		* Discard const. Its marked as const because this may be a cached copy of
112		* the "real" key. These calls don't make any modifications that need to
113		* be reflected back in the "original" key.
114		*/
115	0	EC_KEY ec = (EC_KEY )EVP_PKEY_get0_EC_KEY(ctx->pkey);
116	0	const int sig_sz = ECDSA_size(ec);
117
118		/* ensure cast to size_t is safe */
119	0	if (!ossl_assert(sig_sz > 0))
120	0	return 0;
121
122	0	if (sig == NULL) {
123	0	*siglen = (size_t)sig_sz;
124	0	return 1;
125	0	}
126
127	0	if (*siglen < (size_t)sig_sz) {
128	0	ERR_raise(ERR_LIB_EC, EC_R_BUFFER_TOO_SMALL);
129	0	return 0;
130	0	}
131
132	0	type = (dctx->md != NULL) ? EVP_MD_get_type(dctx->md) : NID_sha1;
133
134	0	ret = ECDSA_sign(type, tbs, (int)tbslen, sig, &sltmp, ec);
135
136	0	if (ret <= 0)
137	0	return ret;
138	0	*siglen = (size_t)sltmp;
139	0	return 1;
140	0	}
141
142		static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
143		const unsigned char *sig, size_t siglen,
144		const unsigned char *tbs, size_t tbslen)
145	0	{
146	0	int ret, type;
147	0	EC_PKEY_CTX *dctx = ctx->data;
148		/*
149		* Discard const. Its marked as const because this may be a cached copy of
150		* the "real" key. These calls don't make any modifications that need to
151		* be reflected back in the "original" key.
152		*/
153	0	EC_KEY ec = (EC_KEY )EVP_PKEY_get0_EC_KEY(ctx->pkey);
154
155	0	if (dctx->md)
156	0	type = EVP_MD_get_type(dctx->md);
157	0	else
158	0	type = NID_sha1;
159
160	0	ret = ECDSA_verify(type, tbs, (int)tbslen, sig, (int)siglen, ec);
161
162	0	return ret;
163	0	}
164
165		#ifndef OPENSSL_NO_EC
166		static int pkey_ec_derive(EVP_PKEY_CTX ctx, unsigned char key, size_t *keylen)
167	0	{
168	0	int ret;
169	0	size_t outlen;
170	0	const EC_POINT *pubkey = NULL;
171	0	EC_KEY *eckey;
172	0	const EC_KEY *eckeypub;
173	0	EC_PKEY_CTX *dctx = ctx->data;
174
175	0	if (ctx->pkey == NULL \|\| ctx->peerkey == NULL) {
176	0	ERR_raise(ERR_LIB_EC, EC_R_KEYS_NOT_SET);
177	0	return 0;
178	0	}
179	0	eckeypub = EVP_PKEY_get0_EC_KEY(ctx->peerkey);
180	0	if (eckeypub == NULL) {
181	0	ERR_raise(ERR_LIB_EC, EC_R_KEYS_NOT_SET);
182	0	return 0;
183	0	}
184
185	0	eckey = dctx->co_key ? dctx->co_key
186	0	: (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey);
187
188	0	if (!key) {
189	0	const EC_GROUP *group;
190	0	group = EC_KEY_get0_group(eckey);
191
192	0	if (group == NULL)
193	0	return 0;
194	0	*keylen = (EC_GROUP_get_degree(group) + 7) / 8;
195	0	return 1;
196	0	}
197	0	pubkey = EC_KEY_get0_public_key(eckeypub);
198
199		/*
200		* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is not
201		* an error, the result is truncated.
202		*/
203
204	0	outlen = *keylen;
205
206	0	ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
207	0	if (ret <= 0)
208	0	return 0;
209	0	*keylen = ret;
210	0	return 1;
211	0	}
212
213		static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
214		unsigned char key, size_t keylen)
215	0	{
216	0	EC_PKEY_CTX *dctx = ctx->data;
217	0	unsigned char *ktmp = NULL;
218	0	size_t ktmplen;
219	0	int rv = 0;
220	0	if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
221	0	return pkey_ec_derive(ctx, key, keylen);
222	0	if (!key) {
223	0	*keylen = dctx->kdf_outlen;
224	0	return 1;
225	0	}
226	0	if (*keylen != dctx->kdf_outlen)
227	0	return 0;
228	0	if (!pkey_ec_derive(ctx, NULL, &ktmplen))
229	0	return 0;
230	0	if ((ktmp = OPENSSL_malloc(ktmplen)) == NULL)
231	0	return 0;
232	0	if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
233	0	goto err;
234		/* Do KDF stuff */
235	0	if (!ossl_ecdh_kdf_X9_63(key, *keylen, ktmp, ktmplen,
236	0	dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md,
237	0	ctx->libctx, ctx->propquery))
238	0	goto err;
239	0	rv = 1;
240
241	0	err:
242	0	OPENSSL_clear_free(ktmp, ktmplen);
243	0	return rv;
244	0	}
245		#endif
246
247		static int pkey_ec_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
248	0	{
249	0	EC_PKEY_CTX *dctx = ctx->data;
250	0	EC_GROUP *group;
251	0	switch (type) {
252	0	case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
253	0	group = EC_GROUP_new_by_curve_name(p1);
254	0	if (group == NULL) {
255	0	ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE);
256	0	return 0;
257	0	}
258	0	EC_GROUP_free(dctx->gen_group);
259	0	dctx->gen_group = group;
260	0	return 1;
261
262	0	case EVP_PKEY_CTRL_EC_PARAM_ENC:
263	0	if (!dctx->gen_group) {
264	0	ERR_raise(ERR_LIB_EC, EC_R_NO_PARAMETERS_SET);
265	0	return 0;
266	0	}
267	0	EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
268	0	return 1;
269
270	0	#ifndef OPENSSL_NO_EC
271	0	case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
272	0	if (p1 == -2) {
273	0	if (dctx->cofactor_mode != -1)
274	0	return dctx->cofactor_mode;
275	0	else {
276	0	const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ctx->pkey);
277	0	return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
278	0	}
279	0	} else if (p1 < -1 \|\| p1 > 1)
280	0	return -2;
281	0	dctx->cofactor_mode = p1;
282	0	if (p1 != -1) {
283	0	EC_KEY ec_key = (EC_KEY )EVP_PKEY_get0_EC_KEY(ctx->pkey);
284
285		/*
286		* We discarded the "const" above. This will only work if the key is
287		* a "real" legacy key, and not a cached copy of a provided key
288		*/
289	0	if (evp_pkey_is_provided(ctx->pkey)) {
290	0	ERR_raise(ERR_LIB_EC, ERR_R_UNSUPPORTED);
291	0	return 0;
292	0	}
293	0	if (!ec_key->group)
294	0	return -2;
295		/* If cofactor is 1 cofactor mode does nothing */
296	0	if (BN_is_one(ec_key->group->cofactor))
297	0	return 1;
298	0	if (!dctx->co_key) {
299	0	dctx->co_key = EC_KEY_dup(ec_key);
300	0	if (!dctx->co_key)
301	0	return 0;
302	0	}
303	0	if (p1)
304	0	EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
305	0	else
306	0	EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
307	0	} else {
308	0	EC_KEY_free(dctx->co_key);
309	0	dctx->co_key = NULL;
310	0	}
311	0	return 1;
312	0	#endif
313
314	0	case EVP_PKEY_CTRL_EC_KDF_TYPE:
315	0	if (p1 == -2)
316	0	return dctx->kdf_type;
317	0	if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
318	0	return -2;
319	0	dctx->kdf_type = p1;
320	0	return 1;
321
322	0	case EVP_PKEY_CTRL_EC_KDF_MD:
323	0	dctx->kdf_md = p2;
324	0	return 1;
325
326	0	case EVP_PKEY_CTRL_GET_EC_KDF_MD:
327	0	(const EVP_MD *)p2 = dctx->kdf_md;
328	0	return 1;
329
330	0	case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
331	0	if (p1 <= 0)
332	0	return -2;
333	0	dctx->kdf_outlen = (size_t)p1;
334	0	return 1;
335
336	0	case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
337	0	(int )p2 = (int)dctx->kdf_outlen;
338	0	return 1;
339
340	0	case EVP_PKEY_CTRL_EC_KDF_UKM:
341	0	OPENSSL_free(dctx->kdf_ukm);
342	0	dctx->kdf_ukm = p2;
343	0	if (p2)
344	0	dctx->kdf_ukmlen = p1;
345	0	else
346	0	dctx->kdf_ukmlen = 0;
347	0	return 1;
348
349	0	case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
350	0	(unsigned char *)p2 = dctx->kdf_ukm;
351	0	return (int)dctx->kdf_ukmlen;
352
353	0	case EVP_PKEY_CTRL_MD:
354	0	if (EVP_MD_get_type((const EVP_MD *)p2) != NID_sha1 &&
355	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
356	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha224 &&
357	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha256 &&
358	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha384 &&
359	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha512 &&
360	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_224 &&
361	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_256 &&
362	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_384 &&
363	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sha3_512 &&
364	0	EVP_MD_get_type((const EVP_MD *)p2) != NID_sm3) {
365	0	ERR_raise(ERR_LIB_EC, EC_R_INVALID_DIGEST_TYPE);
366	0	return 0;
367	0	}
368	0	dctx->md = p2;
369	0	return 1;
370
371	0	case EVP_PKEY_CTRL_GET_MD:
372	0	(const EVP_MD *)p2 = dctx->md;
373	0	return 1;
374
375	0	case EVP_PKEY_CTRL_PEER_KEY:
376		/* Default behaviour is OK */
377	0	case EVP_PKEY_CTRL_DIGESTINIT:
378	0	case EVP_PKEY_CTRL_PKCS7_SIGN:
379	0	case EVP_PKEY_CTRL_CMS_SIGN:
380	0	return 1;
381
382	0	default:
383	0	return -2;
384
385	0	}
386	0	}
387
388		static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
389		const char type, const char value)
390	0	{
391	0	if (strcmp(type, "ec_paramgen_curve") == 0) {
392	0	int nid;
393	0	nid = EC_curve_nist2nid(value);
394	0	if (nid == NID_undef)
395	0	nid = OBJ_sn2nid(value);
396	0	if (nid == NID_undef)
397	0	nid = OBJ_ln2nid(value);
398	0	if (nid == NID_undef) {
399	0	ERR_raise(ERR_LIB_EC, EC_R_INVALID_CURVE);
400	0	return 0;
401	0	}
402	0	return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
403	0	} else if (strcmp(type, "ec_param_enc") == 0) {
404	0	int param_enc;
405	0	if (strcmp(value, "explicit") == 0)
406	0	param_enc = 0;
407	0	else if (strcmp(value, "named_curve") == 0)
408	0	param_enc = OPENSSL_EC_NAMED_CURVE;
409	0	else
410	0	return -2;
411	0	return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
412	0	} else if (strcmp(type, "ecdh_kdf_md") == 0) {
413	0	const EVP_MD *md;
414	0	if ((md = EVP_get_digestbyname(value)) == NULL) {
415	0	ERR_raise(ERR_LIB_EC, EC_R_INVALID_DIGEST);
416	0	return 0;
417	0	}
418	0	return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
419	0	} else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
420	0	int co_mode;
421	0	co_mode = atoi(value);
422	0	return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
423	0	}
424
425	0	return -2;
426	0	}
427
428		static int pkey_ec_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
429	0	{
430	0	EC_KEY *ec = NULL;
431	0	EC_PKEY_CTX *dctx = ctx->data;
432	0	int ret;
433
434	0	if (dctx->gen_group == NULL) {
435	0	ERR_raise(ERR_LIB_EC, EC_R_NO_PARAMETERS_SET);
436	0	return 0;
437	0	}
438	0	ec = EC_KEY_new();
439	0	if (ec == NULL)
440	0	return 0;
441	0	if (!(ret = EC_KEY_set_group(ec, dctx->gen_group))
442	0	\|\| !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
443	0	EC_KEY_free(ec);
444	0	return ret;
445	0	}
446
447		static int pkey_ec_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
448	0	{
449	0	EC_KEY *ec = NULL;
450	0	EC_PKEY_CTX *dctx = ctx->data;
451	0	int ret;
452
453	0	if (ctx->pkey == NULL && dctx->gen_group == NULL) {
454	0	ERR_raise(ERR_LIB_EC, EC_R_NO_PARAMETERS_SET);
455	0	return 0;
456	0	}
457	0	ec = EC_KEY_new();
458	0	if (ec == NULL)
459	0	return 0;
460	0	if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
461	0	EC_KEY_free(ec);
462	0	return 0;
463	0	}
464		/* Note: if error is returned, we count on caller to free pkey->pkey.ec */
465	0	if (ctx->pkey != NULL)
466	0	ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey);
467	0	else
468	0	ret = EC_KEY_set_group(ec, dctx->gen_group);
469
470	0	return ret ? EC_KEY_generate_key(ec) : 0;
471	0	}
472
473		static const EVP_PKEY_METHOD ec_pkey_meth = {
474		EVP_PKEY_EC,
475		0,
476		pkey_ec_init,
477		pkey_ec_copy,
478		pkey_ec_cleanup,
479
480		0,
481		pkey_ec_paramgen,
482
483		0,
484		pkey_ec_keygen,
485
486		0,
487		pkey_ec_sign,
488
489		0,
490		pkey_ec_verify,
491
492		0, 0,
493
494		0, 0, 0, 0,
495
496		0,
497		0,
498
499		0,
500		0,
501
502		0,
503		#ifndef OPENSSL_NO_EC
504		pkey_ec_kdf_derive,
505		#else
506		0,
507		#endif
508		pkey_ec_ctrl,
509		pkey_ec_ctrl_str
510		};
511
512		const EVP_PKEY_METHOD *ossl_ec_pkey_method(void)
513	0	{
514	0	return &ec_pkey_meth;
515	0	}