1*2139Sjp161948 /* crypto/ecdh/ech_ossl.c */
2*2139Sjp161948 /* ====================================================================
3*2139Sjp161948 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4*2139Sjp161948 *
5*2139Sjp161948 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6*2139Sjp161948 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7*2139Sjp161948 * to the OpenSSL project.
8*2139Sjp161948 *
9*2139Sjp161948 * The ECC Code is licensed pursuant to the OpenSSL open source
10*2139Sjp161948 * license provided below.
11*2139Sjp161948 *
12*2139Sjp161948 * The ECDH software is originally written by Douglas Stebila of
13*2139Sjp161948 * Sun Microsystems Laboratories.
14*2139Sjp161948 *
15*2139Sjp161948 */
16*2139Sjp161948 /* ====================================================================
17*2139Sjp161948 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
18*2139Sjp161948 *
19*2139Sjp161948 * Redistribution and use in source and binary forms, with or without
20*2139Sjp161948 * modification, are permitted provided that the following conditions
21*2139Sjp161948 * are met:
22*2139Sjp161948 *
23*2139Sjp161948 * 1. Redistributions of source code must retain the above copyright
24*2139Sjp161948 * notice, this list of conditions and the following disclaimer.
25*2139Sjp161948 *
26*2139Sjp161948 * 2. Redistributions in binary form must reproduce the above copyright
27*2139Sjp161948 * notice, this list of conditions and the following disclaimer in
28*2139Sjp161948 * the documentation and/or other materials provided with the
29*2139Sjp161948 * distribution.
30*2139Sjp161948 *
31*2139Sjp161948 * 3. All advertising materials mentioning features or use of this
32*2139Sjp161948 * software must display the following acknowledgment:
33*2139Sjp161948 * "This product includes software developed by the OpenSSL Project
34*2139Sjp161948 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
35*2139Sjp161948 *
36*2139Sjp161948 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37*2139Sjp161948 * endorse or promote products derived from this software without
38*2139Sjp161948 * prior written permission. For written permission, please contact
39*2139Sjp161948 * openssl-core@OpenSSL.org.
40*2139Sjp161948 *
41*2139Sjp161948 * 5. Products derived from this software may not be called "OpenSSL"
42*2139Sjp161948 * nor may "OpenSSL" appear in their names without prior written
43*2139Sjp161948 * permission of the OpenSSL Project.
44*2139Sjp161948 *
45*2139Sjp161948 * 6. Redistributions of any form whatsoever must retain the following
46*2139Sjp161948 * acknowledgment:
47*2139Sjp161948 * "This product includes software developed by the OpenSSL Project
48*2139Sjp161948 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
49*2139Sjp161948 *
50*2139Sjp161948 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51*2139Sjp161948 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52*2139Sjp161948 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53*2139Sjp161948 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54*2139Sjp161948 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55*2139Sjp161948 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56*2139Sjp161948 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57*2139Sjp161948 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58*2139Sjp161948 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59*2139Sjp161948 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60*2139Sjp161948 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61*2139Sjp161948 * OF THE POSSIBILITY OF SUCH DAMAGE.
62*2139Sjp161948 * ====================================================================
63*2139Sjp161948 *
64*2139Sjp161948 * This product includes cryptographic software written by Eric Young
65*2139Sjp161948 * (eay@cryptsoft.com). This product includes software written by Tim
66*2139Sjp161948 * Hudson (tjh@cryptsoft.com).
67*2139Sjp161948 *
68*2139Sjp161948 */
69*2139Sjp161948
70*2139Sjp161948
71*2139Sjp161948 #include <string.h>
72*2139Sjp161948 #include <limits.h>
73*2139Sjp161948
74*2139Sjp161948 #include "cryptlib.h"
75*2139Sjp161948
76*2139Sjp161948 #include "ech_locl.h"
77*2139Sjp161948 #include <openssl/err.h>
78*2139Sjp161948 #include <openssl/sha.h>
79*2139Sjp161948 #include <openssl/obj_mac.h>
80*2139Sjp161948 #include <openssl/bn.h>
81*2139Sjp161948
/* Default compute_key implementation for the built-in method; defined below. */
static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
                            EC_KEY *ecdh,
                            void *(*KDF)(const void *in, size_t inlen,
                                         void *out, size_t *outlen));

/*
 * The library's built-in ECDH method table.  Code outside this file reaches
 * it through ECDH_OpenSSL() rather than by name.
 */
static ECDH_METHOD openssl_ecdh_meth = {
    "OpenSSL ECDH method",  /* name */
    ecdh_compute_key,       /* compute_key */
#if 0
    NULL,                   /* init   (compiled out) */
    NULL,                   /* finish (compiled out) */
#endif
    0,                      /* flags */
    NULL                    /* app_data */
};
96*2139Sjp161948
/*
 * Return the library's built-in ECDH method.
 *
 * The result points at a static object with program lifetime; callers must
 * not free it.
 */
const ECDH_METHOD *ECDH_OpenSSL(void)
{
    const ECDH_METHOD *meth = &openssl_ecdh_meth;

    return meth;
}
101*2139Sjp161948
102*2139Sjp161948
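/*
 * This implementation is based on the following primitives in the IEEE 1363
 * standard:
 *  - ECKAS-DH1
 *  - ECSVDP-DH
 * Finally an optional KDF is applied.
 *
 * Compute the ECDH shared secret from the private key held in |ecdh| and the
 * peer's public point |pub_key|.  The x-coordinate of priv_key * pub_key is
 * serialised as a big-endian string of exactly ceil(degree / 8) bytes,
 * zero-padded on the left.
 *
 *  - If |KDF| is non-NULL it is applied to that string; its output goes to
 *    |out| and |outlen| is handed to the KDF, which reports back the number
 *    of bytes it produced.
 *  - Otherwise the raw string is copied into |out|, truncated to |outlen|
 *    bytes when the buffer is smaller than the secret.
 *
 * Returns the number of bytes written to |out|, or -1 on error with an ECDH
 * error queued.  An |outlen| above INT_MAX is rejected up front so that the
 * byte count always fits the int return value.
 *
 * NOTE: this function does not itself check that |pub_key| lies on the curve
 * of |ecdh|'s group; the caller is expected to have validated the peer point
 * (for example when it was decoded) before passing it here.
 */
static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
                            EC_KEY *ecdh,
                            void *(*KDF)(const void *in, size_t inlen,
                                         void *out, size_t *outlen))
{
    BN_CTX *ctx = NULL;
    EC_POINT *tmp = NULL;
    BIGNUM *x = NULL, *y = NULL;
    const BIGNUM *priv_key;
    const EC_GROUP *group;
    int ret = -1;
    size_t buflen = 0, len;
    unsigned char *buf = NULL;

    if (outlen > INT_MAX) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of, anyway */
        return -1;
    }

    if ((ctx = BN_CTX_new()) == NULL)
        goto err;
    BN_CTX_start(ctx);
    x = BN_CTX_get(ctx);
    y = BN_CTX_get(ctx);
    /*
     * BN_CTX_get() is documented to keep returning NULL once a call has
     * failed, so checking the last result covers both.  Without this check
     * a failed allocation would reach BN_num_bytes(x) below with x == NULL.
     */
    if (y == NULL) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    priv_key = EC_KEY_get0_private_key(ecdh);
    if (priv_key == NULL) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ECDH_R_NO_PRIVATE_VALUE);
        goto err;
    }

    group = EC_KEY_get0_group(ecdh);
    if ((tmp = EC_POINT_new(group)) == NULL) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* tmp = priv_key * pub_key (ECSVDP-DH). */
    if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ECDH_R_POINT_ARITHMETIC_FAILURE);
        goto err;
    }

    /*
     * Only the x-coordinate is used below; y is fetched alongside it because
     * the coordinate accessors take both.
     */
    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
        == NID_X9_62_prime_field) {
        if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, ctx)) {
            ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ECDH_R_POINT_ARITHMETIC_FAILURE);
            goto err;
        }
    } else {
        if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx)) {
            ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ECDH_R_POINT_ARITHMETIC_FAILURE);
            goto err;
        }
    }

    /* The secret is a fixed-width field element: ceil(degree / 8) bytes. */
    buflen = (EC_GROUP_get_degree(group) + 7) / 8;
    len = BN_num_bytes(x);
    if (len > buflen) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((buf = OPENSSL_malloc(buflen)) == NULL) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* Left-pad with zeros so short x values still yield buflen bytes. */
    memset(buf, 0, buflen - len);
    if (len != (size_t)BN_bn2bin(x, buf + buflen - len)) {
        ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_BN_LIB);
        goto err;
    }

    if (KDF != 0) {
        if (KDF(buf, buflen, out, &outlen) == NULL) {
            ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ECDH_R_KDF_FAILED);
            goto err;
        }
        ret = (int)outlen;
    } else {
        /* no KDF, just copy as much as we can */
        if (outlen > buflen)
            outlen = buflen;
        memcpy(out, buf, outlen);
        ret = (int)outlen;
    }

 err:
    if (tmp)
        EC_POINT_free(tmp);
    if (ctx) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    if (buf) {
        /*
         * buf holds the raw shared secret.  Wipe it before handing the
         * memory back so the secret does not linger in freed heap storage.
         */
        OPENSSL_cleanse(buf, buflen);
        OPENSSL_free(buf);
    }
    return ret;
}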