Add support for X9.62 KDF.

Add X9.62 KDF to EC EVP_PKEY_METHOD.
author: Dr. Stephen Henson <steve@openssl.org> 2013-07-17 15:01:08 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2013-07-17 21:45:00 +0100
commit: 25af7a5dbc05c7359d1d7f472d50d65a9d876b7e (patch)
tree: 2cc91a776a11118aa68be08f77ddb55157d186b3 /crypto/ec/ec_pmeth.c
parent: 6af440ced43d766e418c2eb0cda1525eecd3e62b (diff)
download: openssl-25af7a5dbc05c7359d1d7f472d50d65a9d876b7e.tar.gz
1 files changed, 175 insertions, 4 deletions
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 4110d5e4f0..689a173468 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -60,6 +60,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/ec.h>
+#include "ec_lcl.h"
 #include <openssl/ecdsa.h>
 #include <openssl/evp.h>
 #include "evp_locl.h"
@@ -72,6 +73,20 @@ typedef struct
 	EC_GROUP *gen_group;
 	/* message digest */
 	const EVP_MD *md;
+	/* Duplicate key if custom cofactor needed */
+	EC_KEY *co_key;
+	/* Cofactor mode */
+	char cofactor_mode;
+	/* KDF (if any) to use for ECDH */
+	char kdf_type;
+	/* Message digest to use for key derivation */
+	const EVP_MD *kdf_md;
+	/* User key material */
+	unsigned char *kdf_ukm;
+	size_t kdf_ukmlen;
+	/* KDF output length */
+	size_t kdf_outlen;
+
 	} EC_PKEY_CTX;
 
 static int pkey_ec_init(EVP_PKEY_CTX *ctx)
@@ -83,6 +98,14 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx)
 	dctx->gen_group = NULL;
 	dctx->md = NULL;
 
+	dctx->cofactor_mode = -1;
+	dctx->co_key = NULL;
+	dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
+	dctx->kdf_md = NULL;
+	dctx->kdf_outlen = 0;
+	dctx->kdf_ukm = NULL;
+	dctx->kdf_ukmlen = 0;
+
 	ctx->data = dctx;
 
 	return 1;
@@ -102,6 +125,25 @@ static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 			return 0;
 		}
 	dctx->md = sctx->md;
+
+	if (sctx->co_key)
+		{
+		dctx->co_key = EC_KEY_dup(sctx->co_key);
+		if (!dctx->co_key)
+			return 0;
+		}
+	dctx->kdf_type = sctx->kdf_type;
+	dctx->kdf_md = sctx->kdf_md;
+	dctx->kdf_outlen = sctx->kdf_outlen;
+	if (sctx->kdf_ukm)
+		{
+		dctx->kdf_ukm = BUF_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
+		if (!dctx->kdf_ukm)
+			return 0;
+		}
+	else
+		dctx->kdf_ukm = NULL;
+	dctx->kdf_ukmlen = sctx->kdf_ukmlen;
 	return 1;
 	}
 
@@ -112,6 +154,10 @@ static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
 		{
 		if (dctx->gen_group)
 			EC_GROUP_free(dctx->gen_group);
+		if (dctx->co_key)
+			EC_KEY_free(dctx->co_key);
+		if (dctx->kdf_ukm)
+			OPENSSL_free(dctx->kdf_ukm);
 		OPENSSL_free(dctx);
 		}
 	}
@@ -172,20 +218,23 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	int ret;
 	size_t outlen;
 	const EC_POINT *pubkey = NULL;
+	EC_KEY *eckey;
+	EC_PKEY_CTX *dctx = ctx->data;
 	if (!ctx->pkey || !ctx->peerkey)
 		{
 		ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
 		return 0;
 		}
 
+	eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;
+
 	if (!key)
 		{
 		const EC_GROUP *group;
-		group = EC_KEY_get0_group(ctx->pkey->pkey.ec);
+		group = EC_KEY_get0_group(eckey);
 		*keylen = (EC_GROUP_get_degree(group) + 7)/8;
 		return 1;
 		}
-
 	pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
 
 	/* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
@@ -194,13 +243,52 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 
 	outlen = *keylen;
 		
-	ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0);
+	ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
 	if (ret < 0)
 		return ret;
 	*keylen = ret;
 	return 1;
 	}
 
+static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
+				unsigned char *key, size_t *keylen)
+	{
+	EC_PKEY_CTX *dctx = ctx->data;
+	unsigned char *ktmp = NULL;
+	size_t ktmplen;
+	int rv = 0;
+	if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
+		return pkey_ec_derive(ctx, key, keylen);
+	if (!key)
+		{
+		*keylen = dctx->kdf_outlen;
+		return 1;
+		}
+	if (*keylen != dctx->kdf_outlen)
+		return 0;
+	if (!pkey_ec_derive(ctx, NULL, &ktmplen))
+		return 0;
+	ktmp = OPENSSL_malloc(ktmplen);
+	if (!ktmp)
+		return 0;
+	if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
+		goto err;
+	/* Do KDF stuff */
+	if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen, 
+				dctx->kdf_ukm, dctx->kdf_ukmlen,
+				dctx->kdf_md))
+		goto err;
+	rv = 1;
+
+	err:
+	if (ktmp)
+		{
+		OPENSSL_cleanse(ktmp, ktmplen);
+		OPENSSL_free(ktmp);
+		}
+	return rv;
+	}
+
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
 	EC_PKEY_CTX *dctx = ctx->data;
@@ -228,6 +316,89 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 		EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
 		return 1;
 
+		case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
+		if (p1 == -2)
+			{
+			if (dctx->co_key)
+				return dctx->cofactor_mode;
+			else
+				{
+				EC_KEY *ec_key = ctx->pkey->pkey.ec;
+				return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
+				}
+			}
+		else if (p1 < -1 || p1 > 1)
+			return -2;
+		dctx->cofactor_mode = p1;
+		if (p1 != -1)
+			{
+			EC_KEY *ec_key = ctx->pkey->pkey.ec;
+			if (!ec_key->group)
+				return -2;
+			/* If cofactor is 1 cofactor mode does nothing */
+			if (BN_is_one(&ec_key->group->cofactor))
+				return 1;
+			if (!dctx->co_key)
+				{
+				dctx->co_key = EC_KEY_dup(ec_key);
+				if (!dctx->co_key)
+					return 0;
+				}
+			if (p1)
+				EC_KEY_set_flags(dctx->co_key,
+							EC_FLAG_COFACTOR_ECDH);
+			else
+				EC_KEY_clear_flags(dctx->co_key,
+							EC_FLAG_COFACTOR_ECDH);
+			}
+		else if (dctx->co_key)
+			{
+			EC_KEY_free(dctx->co_key);
+			dctx->co_key = NULL;
+			}
+		return 1;
+
+		case EVP_PKEY_CTRL_EC_KDF_TYPE:
+		if (p1 == -2)
+			return dctx->kdf_type;
+		if (p1 != EVP_PKEY_ECDH_KDF_NONE &&
+		    p1 != EVP_PKEY_ECDH_KDF_X9_62)
+			return -2;
+		dctx->kdf_type = p1;
+		return 1;
+
+		case EVP_PKEY_CTRL_EC_KDF_MD:
+		dctx->kdf_md = p2;
+		return 1;
+
+		case EVP_PKEY_CTRL_GET_EC_KDF_MD:
+		*(const EVP_MD **)p2 = dctx->kdf_md;
+		return 1;
+
+		case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
+		if (p1 <= 0)
+			return -2;
+		dctx->kdf_outlen = (size_t)p1;
+		return 1;
+
+		case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
+		*(int *)p2 = dctx->kdf_outlen;
+		return 1;
+
+		case EVP_PKEY_CTRL_EC_KDF_UKM:
+		if (dctx->kdf_ukm)
+			OPENSSL_free(dctx->kdf_ukm);
+		dctx->kdf_ukm = p2;
+		if (p2)
+			dctx->kdf_ukmlen = p1;
+		else
+			dctx->kdf_ukmlen = 0;
+		return 1;
+
+		case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
+		*(unsigned char **)p2 = dctx->kdf_ukm;
+		return dctx->kdf_ukmlen;
+
 		case EVP_PKEY_CTRL_MD:
 		if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
 		    EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
@@ -369,7 +540,7 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
-	pkey_ec_derive,
+	pkey_ec_kdf_derive,
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
author	Dr. Stephen Henson <steve@openssl.org>	2013-07-17 15:01:08 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2013-07-17 21:45:00 +0100
commit	25af7a5dbc05c7359d1d7f472d50d65a9d876b7e (patch)
tree	2cc91a776a11118aa68be08f77ddb55157d186b3 /crypto/ec/ec_pmeth.c
parent	6af440ced43d766e418c2eb0cda1525eecd3e62b (diff)
download	openssl-25af7a5dbc05c7359d1d7f472d50d65a9d876b7e.tar.gz