wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add support for X9.62 KDF.

Browse source 
Add X9.62 KDF to EC EVP_PKEY_METHOD.
(cherry picked from commit 25af7a5dbc)
This commit is contained in:
Dr. Stephen Henson 2013-07-17 15:01:08 +01:00
parent 8c798690ce
commit a119822b90
5 changed files with 364 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
crypto/ec/ec.h
View file

@ -971,8 +971,69 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off);
EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, \
EVP_PKEY_CTRL_EC_PARAM_ENC, flag, NULL)
#define EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, flag) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_ECDH_COFACTOR, flag, NULL)
#define EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_ECDH_COFACTOR, -2, NULL)
#define EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, kdf) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_KDF_TYPE, kdf, NULL)
#define EVP_PKEY_CTX_get_ecdh_kdf_type(ctx) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_KDF_TYPE, -2, NULL)
#define EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_KDF_MD, 0, (void *)md)
#define EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, pmd) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_GET_EC_KDF_MD, 0, (void *)pmd)
#define EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, len) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_KDF_OUTLEN, len, NULL)
#define EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, plen) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, 0, (void *)plen)
#define EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p, plen) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_EC_KDF_UKM, plen, (void *)p)
#define EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
EVP_PKEY_OP_DERIVE, \
EVP_PKEY_CTRL_GET_EC_KDF_UKM, 0, (void *)p)
#define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 1)
#define EVP_PKEY_CTRL_EC_PARAM_ENC (EVP_PKEY_ALG_CTRL + 2)
#define EVP_PKEY_CTRL_EC_ECDH_COFACTOR (EVP_PKEY_ALG_CTRL + 3)
#define EVP_PKEY_CTRL_EC_KDF_TYPE (EVP_PKEY_ALG_CTRL + 4)
#define EVP_PKEY_CTRL_EC_KDF_MD (EVP_PKEY_ALG_CTRL + 5)
#define EVP_PKEY_CTRL_GET_EC_KDF_MD (EVP_PKEY_ALG_CTRL + 6)
#define EVP_PKEY_CTRL_EC_KDF_OUTLEN (EVP_PKEY_ALG_CTRL + 7)
#define EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN (EVP_PKEY_ALG_CTRL + 8)
#define EVP_PKEY_CTRL_EC_KDF_UKM (EVP_PKEY_ALG_CTRL + 9)
#define EVP_PKEY_CTRL_GET_EC_KDF_UKM (EVP_PKEY_ALG_CTRL + 10)
/* KDF types */
#define EVP_PKEY_ECDH_KDF_NONE 1
#define EVP_PKEY_ECDH_KDF_X9_62 2
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
@ -989,6 +1050,8 @@ void ERR_load_EC_strings(void);
#define EC_F_D2I_ECPKPARAMETERS 145
#define EC_F_D2I_ECPRIVATEKEY 146
#define EC_F_DO_EC_KEY_PRINT 221
#define EC_F_ECDH_CMS_DECRYPT 238
#define EC_F_ECDH_CMS_SET_SHARED_INFO 239
#define EC_F_ECKEY_PARAM2TYPE 223
#define EC_F_ECKEY_PARAM_DECODE 212
#define EC_F_ECKEY_PRIV_DECODE 213
@ -1147,6 +1210,7 @@ void ERR_load_EC_strings(void);
#define EC_R_INVALID_PENTANOMIAL_BASIS 132
#define EC_R_INVALID_PRIVATE_KEY 123
#define EC_R_INVALID_TRINOMIAL_BASIS 137
#define EC_R_KDF_PARAMETER_ERROR 148
#define EC_R_KEYS_NOT_SET 140
#define EC_R_MISSING_PARAMETERS 124
#define EC_R_MISSING_PRIVATE_KEY 125
@ -1157,9 +1221,11 @@ void ERR_load_EC_strings(void);
#define EC_R_NO_FIELD_MOD 133
#define EC_R_NO_PARAMETERS_SET 139
#define EC_R_PASSED_NULL_PARAMETER 134
#define EC_R_PEER_KEY_ERROR 149
#define EC_R_PKPARAMETERS2GROUP_FAILURE 127
#define EC_R_POINT_AT_INFINITY 106
#define EC_R_POINT_IS_NOT_ON_CURVE 107
#define EC_R_SHARED_INFO_ERROR 150
#define EC_R_SLOT_FULL 108
#define EC_R_UNDEFINED_GENERATOR 113
#define EC_R_UNDEFINED_ORDER 128

179
crypto/ec/ec_pmeth.c
View file

@ -60,6 +60,7 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/ec.h>
#include "ec_lcl.h"
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include "evp_locl.h"
@ -72,6 +73,20 @@ typedef struct
EC_GROUP *gen_group;
/* message digest */
const EVP_MD *md;
/* Duplicate key if custom cofactor needed */
EC_KEY *co_key;
/* Cofactor mode */
char cofactor_mode;
/* KDF (if any) to use for ECDH */
char kdf_type;
/* Message digest to use for key derivation */
const EVP_MD *kdf_md;
/* User key material */
unsigned char *kdf_ukm;
size_t kdf_ukmlen;
/* KDF output length */
size_t kdf_outlen;
} EC_PKEY_CTX;
static int pkey_ec_init(EVP_PKEY_CTX *ctx)
@ -83,6 +98,14 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx)
dctx->gen_group = NULL;
dctx->md = NULL;
dctx->cofactor_mode = -1;
dctx->co_key = NULL;
dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
dctx->kdf_md = NULL;
dctx->kdf_outlen = 0;
dctx->kdf_ukm = NULL;
dctx->kdf_ukmlen = 0;
ctx->data = dctx;
return 1;
@ -102,6 +125,25 @@ static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
return 0;
}
dctx->md = sctx->md;
if (sctx->co_key)
{
dctx->co_key = EC_KEY_dup(sctx->co_key);
if (!dctx->co_key)
return 0;
}
dctx->kdf_type = sctx->kdf_type;
dctx->kdf_md = sctx->kdf_md;
dctx->kdf_outlen = sctx->kdf_outlen;
if (sctx->kdf_ukm)
{
dctx->kdf_ukm = BUF_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
if (!dctx->kdf_ukm)
return 0;
}
else
dctx->kdf_ukm = NULL;
dctx->kdf_ukmlen = sctx->kdf_ukmlen;
return 1;
}
@ -112,6 +154,10 @@ static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx)
{
if (dctx->gen_group)
EC_GROUP_free(dctx->gen_group);
if (dctx->co_key)
EC_KEY_free(dctx->co_key);
if (dctx->kdf_ukm)
OPENSSL_free(dctx->kdf_ukm);
OPENSSL_free(dctx);
}
}
@ -172,20 +218,23 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
int ret;
size_t outlen;
const EC_POINT *pubkey = NULL;
EC_KEY *eckey;
EC_PKEY_CTX *dctx = ctx->data;
if (!ctx->pkey || !ctx->peerkey)
{
ECerr(EC_F_PKEY_EC_DERIVE, EC_R_KEYS_NOT_SET);
return 0;
}
eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;
if (!key)
{
const EC_GROUP *group;
group = EC_KEY_get0_group(ctx->pkey->pkey.ec);
group = EC_KEY_get0_group(eckey);
*keylen = (EC_GROUP_get_degree(group) + 7)/8;
return 1;
}
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
/* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
@ -194,13 +243,52 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
outlen = *keylen;
ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0);
ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);
if (ret < 0)
return ret;
*keylen = ret;
return 1;
}
static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
unsigned char *key, size_t *keylen)
{
EC_PKEY_CTX *dctx = ctx->data;
unsigned char *ktmp = NULL;
size_t ktmplen;
int rv = 0;
if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE)
return pkey_ec_derive(ctx, key, keylen);
if (!key)
{
*keylen = dctx->kdf_outlen;
return 1;
}
if (*keylen != dctx->kdf_outlen)
return 0;
if (!pkey_ec_derive(ctx, NULL, &ktmplen))
return 0;
ktmp = OPENSSL_malloc(ktmplen);
if (!ktmp)
return 0;
if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
goto err;
/* Do KDF stuff */
if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
dctx->kdf_ukm, dctx->kdf_ukmlen,
dctx->kdf_md))
goto err;
rv = 1;
err:
if (ktmp)
{
OPENSSL_cleanse(ktmp, ktmplen);
OPENSSL_free(ktmp);
}
return rv;
}
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
EC_PKEY_CTX *dctx = ctx->data;
@ -228,6 +316,89 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
return 1;
case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
if (p1 == -2)
{
if (dctx->co_key)
return dctx->cofactor_mode;
else
{
EC_KEY *ec_key = ctx->pkey->pkey.ec;
return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
}
}
else if (p1 < -1 || p1 > 1)
return -2;
dctx->cofactor_mode = p1;
if (p1 != -1)
{
EC_KEY *ec_key = ctx->pkey->pkey.ec;
if (!ec_key->group)
return -2;
/* If cofactor is 1 cofactor mode does nothing */
if (BN_is_one(&ec_key->group->cofactor))
return 1;
if (!dctx->co_key)
{
dctx->co_key = EC_KEY_dup(ec_key);
if (!dctx->co_key)
return 0;
}
if (p1)
EC_KEY_set_flags(dctx->co_key,
EC_FLAG_COFACTOR_ECDH);
else
EC_KEY_clear_flags(dctx->co_key,
EC_FLAG_COFACTOR_ECDH);
}
else if (dctx->co_key)
{
EC_KEY_free(dctx->co_key);
dctx->co_key = NULL;
}
return 1;
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
if (p1 != EVP_PKEY_ECDH_KDF_NONE &&
p1 != EVP_PKEY_ECDH_KDF_X9_62)
return -2;
dctx->kdf_type = p1;
return 1;
case EVP_PKEY_CTRL_EC_KDF_MD:
dctx->kdf_md = p2;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_MD:
*(const EVP_MD **)p2 = dctx->kdf_md;
return 1;
case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
if (p1 <= 0)
return -2;
dctx->kdf_outlen = (size_t)p1;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
*(int *)p2 = dctx->kdf_outlen;
return 1;
case EVP_PKEY_CTRL_EC_KDF_UKM:
if (dctx->kdf_ukm)
OPENSSL_free(dctx->kdf_ukm);
dctx->kdf_ukm = p2;
if (p2)
dctx->kdf_ukmlen = p1;
else
dctx->kdf_ukmlen = 0;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
*(unsigned char **)p2 = dctx->kdf_ukm;
return dctx->kdf_ukmlen;
case EVP_PKEY_CTRL_MD:
if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
@ -369,7 +540,7 @@ const EVP_PKEY_METHOD ec_pkey_meth =
0,0,
0,
pkey_ec_derive,
pkey_ec_kdf_derive,
pkey_ec_ctrl,
pkey_ec_ctrl_str

4
crypto/ecdh/Makefile
View file

@ -17,9 +17,9 @@ TEST=ecdhtest.c
APPS=
LIB=$(TOP)/libcrypto.a
LIBSRC= ech_lib.c ech_ossl.c ech_key.c ech_err.c
LIBSRC= ech_lib.c ech_ossl.c ech_key.c ech_err.c ech_kdf.c
LIBOBJ= ech_lib.o ech_ossl.o ech_key.o ech_err.o
LIBOBJ= ech_lib.o ech_ossl.o ech_key.o ech_err.o ech_kdf.o
SRC= $(LIBSRC)

5
crypto/ecdh/ecdh.h
View file

@ -99,6 +99,11 @@ int ECDH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new
int ECDH_set_ex_data(EC_KEY *d, int idx, void *arg);
void *ECDH_get_ex_data(EC_KEY *d, int idx);
int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
const unsigned char *Z, size_t Zlen,
const unsigned char *sinfo, size_t sinfolen,
const EVP_MD *md);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes

116
crypto/ecdh/ech_kdf.c Normal file
View file

@ -0,0 +1,116 @@
/* crypto/ecdh/ec_kdf.c */
/*
* Written by Stephen Henson for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 2013 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#define OPENSSL_FIPSAPI
#include <string.h>
#include <openssl/ecdh.h>
#include <openssl/evp.h>
/* Key derivation function from X9.62/SECG */
#define ECDH_KDF_MAX (1L << 31)
int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
const unsigned char *Z, size_t Zlen,
const unsigned char *sinfo, size_t sinfolen,
const EVP_MD *md)
{
EVP_MD_CTX mctx;
int rv = 0;
unsigned int i;
size_t mdlen;
unsigned char ctr[4];
if (sinfolen > ECDH_KDF_MAX || outlen > ECDH_KDF_MAX || Zlen > ECDH_KDF_MAX)
return 0;
mdlen = EVP_MD_size(md);
EVP_MD_CTX_init(&mctx);
for (i = 1;;i++)
{
unsigned char mtmp[EVP_MAX_MD_SIZE];
EVP_DigestInit_ex(&mctx, md, NULL);
ctr[3] = i & 0xFF;
ctr[2] = (i >> 8) & 0xFF;
ctr[1] = (i >> 16) & 0xFF;
ctr[0] = (i >> 24) & 0xFF;
if (!EVP_DigestUpdate(&mctx, Z, Zlen))
goto err;
if (!EVP_DigestUpdate(&mctx, ctr, sizeof(ctr)))
goto err;
if (!EVP_DigestUpdate(&mctx, sinfo, sinfolen))
goto err;
if (outlen > mdlen)
{
if (!EVP_DigestFinal(&mctx, out, NULL))
goto err;
outlen -= mdlen;
if (outlen == 0)
break;
out += mdlen;
}
else
{
if (!EVP_DigestFinal(&mctx, mtmp, NULL))
goto err;
memcpy(out, mtmp, outlen);
OPENSSL_cleanse(mtmp, mdlen);
break;
}
}
rv = 1;
err:
EVP_MD_CTX_cleanup(&mctx);
return rv;
}