2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/core_names.h>
11 #include <openssl/objects.h>
12 #include <openssl/params.h>
13 #include "crypto/bn.h"
14 #include "crypto/ec.h"
17 * The intention with the "backend" source file is to offer backend support
18 * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider
19 * implementations alike.
22 int ec_set_param_ecdh_cofactor_mode(EC_KEY *ec, const OSSL_PARAM *p)
24 const EC_GROUP *ecg = EC_KEY_get0_group(ec);
25 const BIGNUM *cofactor;
28 if (!OSSL_PARAM_get_int(p, &mode))
32 * mode can be only 0 for disable, or 1 for enable here.
34 * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
35 * also supports mode == -1 with the meaning of "reset to the default for
36 * the associated key".
38 if (mode < 0 || mode > 1)
41 if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL )
44 /* ECDH cofactor mode has no effect if cofactor is 1 */
45 if (BN_is_one(cofactor))
49 EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
51 EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH);
57 * Callers of ec_key_fromdata MUST make sure that ec_key_params_fromdata has
60 * This function only gets the bare keypair, domain parameters and other
61 * parameters are treated separately, and domain parameters are required to
64 int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private)
66 const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL;
68 BIGNUM *priv_key = NULL;
69 unsigned char *pub_key = NULL;
71 const EC_GROUP *ecg = NULL;
72 EC_POINT *pub_point = NULL;
75 ecg = EC_KEY_get0_group(ec);
80 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
83 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
85 ctx = BN_CTX_new_ex(ec_key_get_libctx(ec));
89 /* OpenSSL decree: If there's a private key, there must be a public key */
90 if (param_priv_key != NULL && param_pub_key == NULL)
93 if (param_pub_key != NULL)
94 if (!OSSL_PARAM_get_octet_string(param_pub_key,
95 (void **)&pub_key, 0, &pub_key_len)
96 || (pub_point = EC_POINT_new(ecg)) == NULL
97 || !EC_POINT_oct2point(ecg, pub_point, pub_key, pub_key_len, ctx))
100 if (param_priv_key != NULL && include_private) {
105 * Key import/export should never leak the bit length of the secret
108 * For this reason, on export we use padded BIGNUMs with fixed length.
110 * When importing we also should make sure that, even if short lived,
111 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
112 * soon as possible, so that any processing of this BIGNUM might opt for
113 * constant time implementations in the backend.
115 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
116 * to preallocate the BIGNUM internal buffer to a fixed public size big
117 * enough that operations performed during the processing never trigger
118 * a realloc which would leak the size of the scalar through memory
124 * The order of the large prime subgroup of the curve is our choice for
125 * a fixed public size, as that is generally the upper bound for
126 * generating a private key in EC cryptosystems and should fit all valid
129 * For padding on export we just use the bit length of the order
130 * converted to bytes (rounding up).
132 * For preallocating the BIGNUM storage we look at the number of "words"
133 * required for the internal representation of the order, and we
134 * preallocate 2 extra "words" in case any of the subsequent processing
135 * might temporarily overflow the order length.
137 order = EC_GROUP_get0_order(ecg);
138 if (order == NULL || BN_is_zero(order))
141 fixed_words = bn_get_top(order) + 2;
143 if ((priv_key = BN_secure_new()) == NULL)
145 if (bn_wexpand(priv_key, fixed_words) == NULL)
147 BN_set_flags(priv_key, BN_FLG_CONSTTIME);
149 if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key))
154 && !EC_KEY_set_private_key(ec, priv_key))
157 if (pub_point != NULL
158 && !EC_KEY_set_public_key(ec, pub_point))
165 BN_clear_free(priv_key);
166 OPENSSL_free(pub_key);
167 EC_POINT_free(pub_point);
171 int ec_key_domparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
173 const OSSL_PARAM *param_ec_name;
174 EC_GROUP *ecg = NULL;
175 char *curve_name = NULL;
181 param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME);
182 if (param_ec_name == NULL) {
183 /* explicit parameters */
186 * TODO(3.0): should we support explicit parameters curves?
193 if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0)
194 || curve_name == NULL
195 || (curve_nid = ec_curve_name2nid(curve_name)) == NID_undef)
198 if ((ecg = EC_GROUP_new_by_curve_name_ex(ec_key_get_libctx(ec),
203 if (!EC_KEY_set_group(ec, ecg))
207 * TODO(3.0): if the group has changed, should we invalidate the private and
214 OPENSSL_free(curve_name);
219 int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
226 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
227 if (p != NULL && !ec_set_param_ecdh_cofactor_mode(ec, p))