2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * ECDH/ECDSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include <openssl/core_numbers.h>
17 #include <openssl/core_names.h>
18 #include <openssl/bn.h>
19 #include <openssl/objects.h>
20 #include <openssl/params.h>
21 #include "crypto/bn.h"
22 #include "crypto/ec.h"
23 #include "internal/param_build.h"
24 #include "prov/implementations.h"
25 #include "prov/providercommon.h"
26 #include "prov/provider_ctx.h"
28 static OSSL_OP_keymgmt_new_fn ec_newdata;
29 static OSSL_OP_keymgmt_free_fn ec_freedata;
30 static OSSL_OP_keymgmt_get_params_fn ec_get_params;
31 static OSSL_OP_keymgmt_gettable_params_fn ec_gettable_params;
32 static OSSL_OP_keymgmt_set_params_fn ec_set_params;
33 static OSSL_OP_keymgmt_settable_params_fn ec_settable_params;
34 static OSSL_OP_keymgmt_has_fn ec_has;
35 static OSSL_OP_keymgmt_match_fn ec_match;
36 static OSSL_OP_keymgmt_validate_fn ec_validate;
37 static OSSL_OP_keymgmt_import_fn ec_import;
38 static OSSL_OP_keymgmt_import_types_fn ec_import_types;
39 static OSSL_OP_keymgmt_export_fn ec_export;
40 static OSSL_OP_keymgmt_export_types_fn ec_export_types;
41 static OSSL_OP_keymgmt_query_operation_name_fn ec_query_operation_name;
43 #define EC_POSSIBLE_SELECTIONS \
44 (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS )
47 const char *ec_query_operation_name(int operation_id)
49 switch (operation_id) {
53 case OSSL_OP_SIGNATURE:
54 return deflt_signature;
61 int params_to_domparams(EC_KEY *ec, const OSSL_PARAM params[])
63 const OSSL_PARAM *param_ec_name;
65 char *curve_name = NULL;
71 param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME);
72 if (param_ec_name == NULL) {
73 /* explicit parameters */
76 * TODO(3.0): should we support explicit parameters curves?
83 if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0)
85 || (curve_nid = ec_curve_name2nid(curve_name)) == NID_undef)
88 if ((ecg = EC_GROUP_new_by_curve_name_ex(ec_key_get_libctx(ec),
93 if (!EC_KEY_set_group(ec, ecg))
97 * TODO(3.0): if the group has changed, should we invalidate the private and
104 OPENSSL_free(curve_name);
110 int domparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl)
118 ecg = EC_KEY_get0_group(ec);
122 curve_nid = EC_GROUP_get_curve_name(ecg);
124 if (curve_nid == NID_undef) {
125 /* explicit parameters */
128 * TODO(3.0): should we support explicit parameters curves?
133 const char *curve_name = NULL;
135 if ((curve_name = ec_curve_nid2name(curve_nid)) == NULL)
138 if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0))
146 * Callers of params_to_key MUST make sure that params_to_domparams has been
149 * This function only imports the bare keypair, domain parameters and other
150 * parameters are imported separately, and domain parameters are required to
154 int params_to_key(EC_KEY *ec, const OSSL_PARAM params[], int include_private)
156 const OSSL_PARAM *param_priv_key, *param_pub_key;
158 BIGNUM *priv_key = NULL;
159 unsigned char *pub_key = NULL;
161 const EC_GROUP *ecg = NULL;
162 EC_POINT *pub_point = NULL;
165 ecg = EC_KEY_get0_group(ec);
170 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
172 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
174 ctx = BN_CTX_new_ex(ec_key_get_libctx(ec));
178 * We want to have at least a public key either way, so we end up
179 * requiring it unconditionally.
181 if (param_pub_key == NULL
182 || !OSSL_PARAM_get_octet_string(param_pub_key,
183 (void **)&pub_key, 0, &pub_key_len)
184 || (pub_point = EC_POINT_new(ecg)) == NULL
185 || !EC_POINT_oct2point(ecg, pub_point,
186 pub_key, pub_key_len, ctx))
189 if (param_priv_key != NULL && include_private) {
194 * Key import/export should never leak the bit length of the secret
197 * For this reason, on export we use padded BIGNUMs with fixed length.
199 * When importing we also should make sure that, even if short lived,
200 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
201 * soon as possible, so that any processing of this BIGNUM might opt for
202 * constant time implementations in the backend.
204 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
205 * to preallocate the BIGNUM internal buffer to a fixed public size big
206 * enough that operations performed during the processing never trigger
207 * a realloc which would leak the size of the scalar through memory
213 * The order of the large prime subgroup of the curve is our choice for
214 * a fixed public size, as that is generally the upper bound for
215 * generating a private key in EC cryptosystems and should fit all valid
218 * For padding on export we just use the bit length of the order
219 * converted to bytes (rounding up).
221 * For preallocating the BIGNUM storage we look at the number of "words"
222 * required for the internal representation of the order, and we
223 * preallocate 2 extra "words" in case any of the subsequent processing
224 * might temporarily overflow the order length.
226 order = EC_GROUP_get0_order(ecg);
227 if (order == NULL || BN_is_zero(order))
230 fixed_top = bn_get_top(order) + 2;
232 if ((priv_key = BN_secure_new()) == NULL)
234 if (bn_wexpand(priv_key, fixed_top) == NULL)
236 BN_set_flags(priv_key, BN_FLG_CONSTTIME);
238 if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key))
243 && !EC_KEY_set_private_key(ec, priv_key))
246 if (!EC_KEY_set_public_key(ec, pub_point))
253 BN_clear_free(priv_key);
254 OPENSSL_free(pub_key);
255 EC_POINT_free(pub_point);
260 * Callers of key_to_params MUST make sure that domparams_to_params is also
263 * This function only exports the bare keypair, domain parameters and other
264 * parameters are exported separately.
267 int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, int include_private)
269 const BIGNUM *priv_key = NULL;
270 const EC_POINT *pub_point = NULL;
271 const EC_GROUP *ecg = NULL;
272 unsigned char *pub_key = NULL;
273 size_t pub_key_len = 0;
279 ecg = EC_KEY_get0_group(eckey);
280 priv_key = EC_KEY_get0_private_key(eckey);
281 pub_point = EC_KEY_get0_public_key(eckey);
283 /* group and public_key must be present, priv_key is optional */
284 if (ecg == NULL || pub_point == NULL)
286 if ((pub_key_len = EC_POINT_point2buf(ecg, pub_point,
287 POINT_CONVERSION_COMPRESSED,
288 &pub_key, NULL)) == 0)
291 if (!ossl_param_bld_push_octet_string(tmpl,
292 OSSL_PKEY_PARAM_PUB_KEY,
293 pub_key, pub_key_len))
296 if (priv_key != NULL && include_private) {
301 * Key import/export should never leak the bit length of the secret
304 * For this reason, on export we use padded BIGNUMs with fixed length.
306 * When importing we also should make sure that, even if short lived,
307 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
308 * soon as possible, so that any processing of this BIGNUM might opt for
309 * constant time implementations in the backend.
311 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
312 * to preallocate the BIGNUM internal buffer to a fixed public size big
313 * enough that operations performed during the processing never trigger
314 * a realloc which would leak the size of the scalar through memory
320 * The order of the large prime subgroup of the curve is our choice for
321 * a fixed public size, as that is generally the upper bound for
322 * generating a private key in EC cryptosystems and should fit all valid
325 * For padding on export we just use the bit length of the order
326 * converted to bytes (rounding up).
328 * For preallocating the BIGNUM storage we look at the number of "words"
329 * required for the internal representation of the order, and we
330 * preallocate 2 extra "words" in case any of the subsequent processing
331 * might temporarily overflow the order length.
333 ecbits = EC_GROUP_order_bits(ecg);
336 sz = (ecbits + 7 ) / 8;
337 if (!ossl_param_bld_push_BN_pad(tmpl,
338 OSSL_PKEY_PARAM_PRIV_KEY,
346 OPENSSL_free(pub_key);
351 int ec_set_param_ecdh_cofactor_mode(EC_KEY *ec, const OSSL_PARAM *p)
353 const EC_GROUP *ecg = EC_KEY_get0_group(ec);
354 const BIGNUM *cofactor;
357 if (!OSSL_PARAM_get_int(p, &mode))
361 * mode can be only 0 for disable, or 1 for enable here.
363 * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
364 * also supports mode == -1 with the meaning of "reset to the default for
365 * the associated key".
367 if (mode < 0 || mode > 1)
370 if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL )
373 /* ECDH cofactor mode has no effect if cofactor is 1 */
374 if (BN_is_one(cofactor))
378 EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
380 EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH);
386 int params_to_otherparams(EC_KEY *ec, const OSSL_PARAM params[])
393 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
394 if (p != NULL && !ec_set_param_ecdh_cofactor_mode(ec, p))
401 int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl)
403 int ecdh_cofactor_mode = 0;
409 (EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
410 if (!ossl_param_bld_push_int(tmpl,
411 OSSL_PKEY_PARAM_USE_COFACTOR_ECDH,
419 void *ec_newdata(void *provctx)
421 return EC_KEY_new_ex(PROV_LIBRARY_CONTEXT_OF(provctx));
425 void ec_freedata(void *keydata)
427 EC_KEY_free(keydata);
431 int ec_has(void *keydata, int selection)
433 EC_KEY *ec = keydata;
436 if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
439 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
440 ok = ok && (EC_KEY_get0_public_key(ec) != NULL);
441 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
442 ok = ok && (EC_KEY_get0_private_key(ec) != NULL);
443 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
444 ok = ok && (EC_KEY_get0_group(ec) != NULL);
446 * We consider OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS to always be available,
447 * so no extra check is needed other than the previous one against
448 * EC_POSSIBLE_SELECTIONS.
454 static int ec_match(const void *keydata1, const void *keydata2, int selection)
456 const EC_KEY *ec1 = keydata1;
457 const EC_KEY *ec2 = keydata2;
458 const EC_GROUP *group_a = EC_KEY_get0_group(ec1);
459 const EC_GROUP *group_b = EC_KEY_get0_group(ec2);
462 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
463 ok = ok && group_a != NULL && group_b != NULL
464 && EC_GROUP_cmp(group_a, group_b, NULL) == 0;
465 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
466 const BIGNUM *pa = EC_KEY_get0_private_key(ec1);
467 const BIGNUM *pb = EC_KEY_get0_private_key(ec2);
469 ok = ok && BN_cmp(pa, pb) == 0;
471 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
472 const EC_POINT *pa = EC_KEY_get0_public_key(ec1);
473 const EC_POINT *pb = EC_KEY_get0_public_key(ec2);
475 ok = ok && EC_POINT_cmp(group_b, pa, pb, NULL);
481 int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
483 EC_KEY *ec = keydata;
490 * In this implementation, we can export/import only keydata in the
491 * following combinations:
492 * - domain parameters only
493 * - public key with associated domain parameters (+optional other params)
494 * - private key with associated public key and domain parameters
495 * (+optional other params)
498 * - domain parameters must always be requested
499 * - private key must be requested alongside public key
500 * - other parameters must be requested only alongside a key
502 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
504 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
505 && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
507 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
508 && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
511 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
512 ok = ok && params_to_domparams(ec, params);
513 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
514 int include_private =
515 selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
517 ok = ok && params_to_key(ec, params, include_private);
519 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
520 ok = ok && params_to_otherparams(ec, params);
526 int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
529 EC_KEY *ec = keydata;
531 OSSL_PARAM *params = NULL;
538 * In this implementation, we can export/import only keydata in the
539 * following combinations:
540 * - domain parameters only
541 * - public key with associated domain parameters (+optional other params)
542 * - private key with associated public key and domain parameters
543 * (+optional other params)
546 * - domain parameters must always be requested
547 * - private key must be requested alongside public key
548 * - other parameters must be requested only alongside a key
550 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
552 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
553 && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
555 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
556 && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
559 ossl_param_bld_init(&tmpl);
561 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
562 ok = ok && domparams_to_params(ec, &tmpl);
563 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
564 int include_private =
565 selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
567 ok = ok && key_to_params(ec, &tmpl, include_private);
569 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
570 ok = ok && otherparams_to_params(ec, &tmpl);
573 || (params = ossl_param_bld_to_param(&tmpl)) == NULL)
576 ok = param_cb(params, cbarg);
577 ossl_param_bld_free(params);
581 /* IMEXPORT = IMPORT + EXPORT */
583 # define EC_IMEXPORTABLE_DOM_PARAMETERS \
584 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_NAME, NULL, 0)
585 # define EC_IMEXPORTABLE_PUBLIC_KEY \
586 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
587 # define EC_IMEXPORTABLE_PRIVATE_KEY \
588 OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
589 # define EC_IMEXPORTABLE_OTHER_PARAMETERS \
590 OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL)
593 * Include all the possible combinations of OSSL_PARAM arrays for
594 * ec_imexport_types().
596 * They are in a separate file as it is ~100 lines of unreadable and
597 * uninteresting machine generated stuff.
599 * TODO(3.0): the generated list looks quite ugly, as to cover all possible
600 * combinations of the bits in `selection`, it also includes combinations that
601 * are not really useful: we might want to consider alternatives to this
604 #include "ec_kmgmt_imexport.inc"
607 const OSSL_PARAM *ec_imexport_types(int selection)
611 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
613 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
615 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
617 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
619 return ec_types[type_select];
623 const OSSL_PARAM *ec_import_types(int selection)
625 return ec_imexport_types(selection);
629 const OSSL_PARAM *ec_export_types(int selection)
631 return ec_imexport_types(selection);
635 int ec_get_params(void *key, OSSL_PARAM params[])
638 const EC_GROUP *ecg = NULL;
641 ecg = EC_KEY_get0_group(eck);
645 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
646 && !OSSL_PARAM_set_int(p, ECDSA_size(eck)))
648 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
649 && !OSSL_PARAM_set_int(p, EC_GROUP_order_bits(ecg)))
651 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL) {
652 int ecbits, sec_bits;
654 ecbits = EC_GROUP_order_bits(ecg);
657 * The following estimates are based on the values published
658 * in Table 2 of "NIST Special Publication 800-57 Part 1 Revision 4"
659 * at http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 .
661 * Note that the above reference explicitly categorizes algorithms in a
662 * discrete set of values {80, 112, 128, 192, 256}, and that it is
663 * relevant only for NIST approved Elliptic Curves, while OpenSSL
664 * applies the same logic also to other curves.
666 * Classifications produced by other standardazing bodies might differ,
667 * so the results provided for "bits of security" by this provider are
668 * to be considered merely indicative, and it is the users'
669 * responsibility to compare these values against the normative
670 * references that may be relevant for their intent and purposes.
674 else if (ecbits >= 384)
676 else if (ecbits >= 256)
678 else if (ecbits >= 224)
680 else if (ecbits >= 160)
683 sec_bits = ecbits / 2;
685 if (!OSSL_PARAM_set_int(p, sec_bits))
689 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
691 int ecdh_cofactor_mode = 0;
694 (EC_KEY_get_flags(eck) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
696 if (!OSSL_PARAM_set_int(p, ecdh_cofactor_mode))
703 static const OSSL_PARAM ec_known_gettable_params[] = {
704 OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
705 OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
706 OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
707 OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
712 const OSSL_PARAM *ec_gettable_params(void)
714 return ec_known_gettable_params;
717 static const OSSL_PARAM ec_known_settable_params[] = {
718 OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
723 const OSSL_PARAM *ec_settable_params(void)
725 return ec_known_settable_params;
729 int ec_set_params(void *key, const OSSL_PARAM params[])
734 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
735 if (p != NULL && !ec_set_param_ecdh_cofactor_mode(eck, p))
742 int ec_validate(void *keydata, int selection)
744 EC_KEY *eck = keydata;
746 BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(eck));
751 if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
754 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
755 ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
757 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
758 ok = ok && ec_key_public_check(eck, ctx);
760 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
761 ok = ok && ec_key_private_check(eck);
763 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR)
764 ok = ok && ec_key_pairwise_check(eck, ctx);
770 const OSSL_DISPATCH ec_keymgmt_functions[] = {
771 { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata },
772 { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ec_freedata },
773 { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))ec_get_params },
774 { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))ec_gettable_params },
775 { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))ec_set_params },
776 { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))ec_settable_params },
777 { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))ec_has },
778 { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))ec_match },
779 { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))ec_validate },
780 { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_import },
781 { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))ec_import_types },
782 { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))ec_export },
783 { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))ec_export_types },
784 { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME,
785 (void (*)(void))ec_query_operation_name },