Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: 55ca75dd8f
Branches Tags
openssl
/
crypto
/
ec
/
ecdh_ossl.c

ecdh_ossl.c 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147 
  1. /*
    2. 

  2.  * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    6. 

  6.  * this file except in compliance with the License.  You can obtain a copy
    7. 

  7.  * in the file LICENSE in the source distribution or at
    8. 

  8.  * https://www.openssl.org/source/license.html
    9. 

  9.  */
    10. 

  10. 

  11. /*
    12. 

  12.  * ECDH low level APIs are deprecated for public use, but still ok for
    13. 

  13.  * internal use.
    14. 

  14.  */
    15. 

  15. #include "internal/deprecated.h"
    16. 

  16. 

  17. #include <string.h>
    18. 

  18. #include <limits.h>
    19. 

  19. 

  20. #include "internal/cryptlib.h"
    21. 

  21. 

  22. #include <openssl/err.h>
    23. 

  23. #include <openssl/bn.h>
    24. 

  24. #include <openssl/objects.h>
    25. 

  25. #include <openssl/ec.h>
    26. 

  26. #include "ec_local.h"
    27. 

  27. 

  28. int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
    29. 

  29.                           const EC_POINT *pub_key, const EC_KEY *ecdh)
    30. 

  30. {
    31. 

  31.     if (ecdh->group->meth->ecdh_compute_key == NULL) {
    32. 

  32.         ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
    33. 

  33.         return 0;
    34. 

  34.     }
    35. 

  35. 

  36.     return ecdh->group->meth->ecdh_compute_key(psec, pseclen, pub_key, ecdh);
    37. 

  37. }
    38. 

  38. 

  39. /*-
    40. 

  40.  * This implementation is based on the following primitives in the
    41. 

  41.  * IEEE 1363 standard:
    42. 

  42.  *  - ECKAS-DH1
    43. 

  43.  *  - ECSVDP-DH
    44. 

  44.  *
    45. 

  45.  * It also conforms to SP800-56A r3
    46. 

  46.  * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman
    47. 

  47.  * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A.
    48. 

  48.  */
    49. 

  49. int ossl_ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
    50. 

  50.                                  const EC_POINT *pub_key, const EC_KEY *ecdh)
    51. 

  51. {
    52. 

  52.     BN_CTX *ctx;
    53. 

  53.     EC_POINT *tmp = NULL;
    54. 

  54.     BIGNUM *x = NULL;
    55. 

  55.     const BIGNUM *priv_key;
    56. 

  56.     const EC_GROUP *group;
    57. 

  57.     int ret = 0;
    58. 

  58.     size_t buflen, len;
    59. 

  59.     unsigned char *buf = NULL;
    60. 

  60. 

  61.     if ((ctx = BN_CTX_new_ex(ecdh->libctx)) == NULL)
    62. 

  62.         goto err;
    63. 

  63.     BN_CTX_start(ctx);
    64. 

  64.     x = BN_CTX_get(ctx);
    65. 

  65.     if (x == NULL) {
    66. 

  66.         ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
    67. 

  67.         goto err;
    68. 

  68.     }
    69. 

  69. 

  70.     priv_key = EC_KEY_get0_private_key(ecdh);
    71. 

  71.     if (priv_key == NULL) {
    72. 

  72.         ERR_raise(ERR_LIB_EC, EC_R_MISSING_PRIVATE_KEY);
    73. 

  73.         goto err;
    74. 

  74.     }
    75. 

  75. 

  76.     group = EC_KEY_get0_group(ecdh);
    77. 

  77. 

  78.     /*
    79. 

  79.      * Step(1) - Compute the point tmp = cofactor * owners_private_key
    80. 

  80.      *                                   * peer_public_key.
    81. 

  81.      */
    82. 

  82.     if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) {
    83. 

  83.         if (!EC_GROUP_get_cofactor(group, x, NULL)) {
    84. 

  84.             ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
    85. 

  85.             goto err;
    86. 

  86.         }
    87. 

  87.         if (!BN_mul(x, x, priv_key, ctx)) {
    88. 

  88.             ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
    89. 

  89.             goto err;
    90. 

  90.         }
    91. 

  91.         priv_key = x;
    92. 

  92.     }
    93. 

  93. 

  94.     if ((tmp = EC_POINT_new(group)) == NULL) {
    95. 

  95.         ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
    96. 

  96.         goto err;
    97. 

  97.     }
    98. 

  98. 

  99.     if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) {
    100. 

  100.         ERR_raise(ERR_LIB_EC, EC_R_POINT_ARITHMETIC_FAILURE);
    101. 

  101.         goto err;
    102. 

  102.     }
    103. 

  103. 

  104.     /*
    105. 

  105.      * Step(2) : If point tmp is at infinity then clear intermediate values and
    106. 

  106.      * exit. Note: getting affine coordinates returns 0 if point is at infinity.
    107. 

  107.      * Step(3a) : Get x-coordinate of point x = tmp.x
    108. 

  108.      */
    109. 

  109.     if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) {
    110. 

  110.         ERR_raise(ERR_LIB_EC, EC_R_POINT_ARITHMETIC_FAILURE);
    111. 

  111.         goto err;
    112. 

  112.     }
    113. 

  113. 

  114.     /*
    115. 

  115.      * Step(3b) : convert x to a byte string, using the field-element-to-byte
    116. 

  116.      * string conversion routine defined in Appendix C.2
    117. 

  117.      */
    118. 

  118.     buflen = (EC_GROUP_get_degree(group) + 7) / 8;
    119. 

  119.     len = BN_num_bytes(x);
    120. 

  120.     if (len > buflen) {
    121. 

  121.         ERR_raise(ERR_LIB_EC, ERR_R_INTERNAL_ERROR);
    122. 

  122.         goto err;
    123. 

  123.     }
    124. 

  124.     if ((buf = OPENSSL_malloc(buflen)) == NULL)
    125. 

  125.         goto err;
    126. 

  126. 

  127.     memset(buf, 0, buflen - len);
    128. 

  128.     if (len != (size_t)BN_bn2bin(x, buf + buflen - len)) {
    129. 

  129.         ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
    130. 

  130.         goto err;
    131. 

  131.     }
    132. 

  132. 

  133.     *pout = buf;
    134. 

  134.     *poutlen = buflen;
    135. 

  135.     buf = NULL;
    136. 

  136. 

  137.     ret = 1;
    138. 

  138. 

  139.  err:
    140. 

  140.     /* Step(4) : Destroy all intermediate calculations */
    141. 

  141.     BN_clear(x);
    142. 

  142.     EC_POINT_clear_free(tmp);
    143. 

  143.     BN_CTX_end(ctx);
    144. 

  144.     BN_CTX_free(ctx);
    145. 

  145.     OPENSSL_free(buf);
    146. 

  146.     return ret;
    147. 

  147. }
    148.