/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* https://www.openssl.org/source/license.html
*/
+/*
+ * ECDSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/ec.h>
#include <openssl/rand.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
-#include "ec_lcl.h"
-
-#define X25519_BITS 253
-#define X25519_SECURITY_BITS 128
-
-#define ED25519_SIGSIZE 64
-
-#define X448_BITS 448
-#define ED448_BITS 456
-#define X448_SECURITY_BITS 224
-
-#define ED448_SIGSIZE 114
-
-#define ISX448(id) ((id) == EVP_PKEY_X448)
-#define IS25519(id) ((id) == EVP_PKEY_X25519 || (id) == EVP_PKEY_ED25519)
-#define KEYLENID(id) (IS25519(id) ? X25519_KEYLEN \
- : ((id) == EVP_PKEY_X448 ? X448_KEYLEN \
- : ED448_KEYLEN))
-#define KEYLEN(p) KEYLENID((p)->ameth->pkey_id)
-
+#include <openssl/core_names.h>
+#include "openssl/param_build.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "crypto/ecx.h"
+#include "ec_local.h"
+#include "curve448/curve448_local.h"
+#include "ecx_backend.h"
typedef enum {
KEY_OP_PUBLIC,
/* Setup EVP_PKEY using public, private or generation */
static int ecx_key_op(EVP_PKEY *pkey, int id, const X509_ALGOR *palg,
- const unsigned char *p, int plen, ecx_key_op_t op)
+ const unsigned char *p, int plen, ecx_key_op_t op,
+ OPENSSL_CTX *libctx, const char *propq)
{
ECX_KEY *key = NULL;
unsigned char *privkey, *pubkey;
}
}
- key = OPENSSL_zalloc(sizeof(*key));
+ key = ecx_key_new(libctx, KEYNID2TYPE(id), 1);
if (key == NULL) {
ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
return 0;
if (op == KEY_OP_PUBLIC) {
memcpy(pubkey, p, plen);
} else {
- privkey = key->privkey = OPENSSL_secure_malloc(KEYLENID(id));
+ privkey = ecx_key_allocate_privkey(key);
if (privkey == NULL) {
ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
goto err;
}
if (op == KEY_OP_KEYGEN) {
- if (RAND_priv_bytes(privkey, KEYLENID(id)) <= 0) {
- OPENSSL_secure_free(privkey);
- key->privkey = NULL;
+ if (RAND_priv_bytes(privkey, KEYLENID(id)) <= 0)
goto err;
- }
if (id == EVP_PKEY_X25519) {
privkey[0] &= 248;
privkey[X25519_KEYLEN - 1] &= 127;
} else {
memcpy(privkey, p, KEYLENID(id));
}
- switch (id) {
- case EVP_PKEY_X25519:
- X25519_public_from_private(pubkey, privkey);
- break;
- case EVP_PKEY_ED25519:
- ED25519_public_from_private(pubkey, privkey);
- break;
- case EVP_PKEY_X448:
- X448_public_from_private(pubkey, privkey);
- break;
- case EVP_PKEY_ED448:
- ED448_public_from_private(pubkey, privkey);
- break;
+ if (!ecx_public_from_private(key)) {
+ ECerr(EC_F_ECX_KEY_OP, EC_R_FAILED_MAKING_PUBLIC_KEY);
+ goto err;
}
}
EVP_PKEY_assign(pkey, id, key);
return 1;
err:
- OPENSSL_free(key);
+ ecx_key_free(key);
return 0;
}
return 1;
}
-static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
+static int ecx_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
{
const unsigned char *p;
int pklen;
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
return 0;
return ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, pklen,
- KEY_OP_PUBLIC);
+ KEY_OP_PUBLIC, NULL, NULL);
}
static int ecx_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
return CRYPTO_memcmp(akey->pubkey, bkey->pubkey, KEYLEN(a)) == 0;
}
-static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
+static int ecx_priv_decode_with_libctx(EVP_PKEY *pkey,
+ const PKCS8_PRIV_KEY_INFO *p8,
+ OPENSSL_CTX *libctx, const char *propq)
{
const unsigned char *p;
int plen;
plen = ASN1_STRING_length(oct);
}
- rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE);
- ASN1_OCTET_STRING_free(oct);
+ rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE,
+ libctx, propq);
+ ASN1_STRING_clear_free(oct);
return rv;
}
static void ecx_free(EVP_PKEY *pkey)
{
- if (pkey->pkey.ecx != NULL)
- OPENSSL_secure_clear_free(pkey->pkey.ecx->privkey, KEYLEN(pkey));
- OPENSSL_free(pkey->pkey.ecx);
+ ecx_key_free(pkey->pkey.ecx);
}
/* "parameters" are always equal */
case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, arg2, arg1,
- KEY_OP_PUBLIC);
+ KEY_OP_PUBLIC, NULL, NULL);
case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
if (pkey->pkey.ecx != NULL) {
static int ecx_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
size_t len)
{
+ /* TODO(3.0): We should pass a libctx here */
return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, priv, len,
- KEY_OP_PRIVATE);
+ KEY_OP_PRIVATE, NULL, NULL);
}
static int ecx_set_pub_key(EVP_PKEY *pkey, const unsigned char *pub, size_t len)
{
return ecx_key_op(pkey, pkey->ameth->pkey_id, NULL, pub, len,
- KEY_OP_PUBLIC);
+ KEY_OP_PUBLIC, NULL, NULL);
}
static int ecx_get_priv_key(const EVP_PKEY *pkey, unsigned char *priv,
return 1;
}
+static size_t ecx_pkey_dirty_cnt(const EVP_PKEY *pkey)
+{
+ /*
+ * We provide no mechanism to "update" an ECX key once it has been set,
+ * therefore we do not have to maintain a dirty count.
+ */
+ return 1;
+}
+
+static int ecx_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
+ EVP_KEYMGMT *to_keymgmt, OPENSSL_CTX *libctx,
+ const char *propq)
+{
+ const ECX_KEY *key = from->pkey.ecx;
+ OSSL_PARAM_BLD *tmpl = OSSL_PARAM_BLD_new();
+ OSSL_PARAM *params = NULL;
+ int selection = 0;
+ int rv = 0;
+
+ if (tmpl == NULL)
+ return 0;
+
+ /* A key must at least have a public part */
+ if (!OSSL_PARAM_BLD_push_octet_string(tmpl, OSSL_PKEY_PARAM_PUB_KEY,
+ key->pubkey, key->keylen))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+
+ if (key->privkey != NULL) {
+ if (!OSSL_PARAM_BLD_push_octet_string(tmpl,
+ OSSL_PKEY_PARAM_PRIV_KEY,
+ key->privkey, key->keylen))
+ goto err;
+ selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(tmpl);
+
+ /* We export, the provider imports */
+ rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
+
+ err:
+ OSSL_PARAM_BLD_free(tmpl);
+ OSSL_PARAM_BLD_free_params(params);
+ return rv;
+}
+
+static int ecx_generic_import_from(const OSSL_PARAM params[], void *vpctx,
+ int keytype)
+{
+ EVP_PKEY_CTX *pctx = vpctx;
+ EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+ ECX_KEY *ecx = ecx_key_new(pctx->libctx, KEYNID2TYPE(keytype), 0);
+
+ if (ecx == NULL) {
+ ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!ecx_key_fromdata(ecx, params, 1)
+ || !EVP_PKEY_assign(pkey, keytype, ecx)) {
+ ecx_key_free(ecx);
+ return 0;
+ }
+ return 1;
+}
+
+static int x25519_import_from(const OSSL_PARAM params[], void *vpctx)
+{
+ return ecx_generic_import_from(params, vpctx, EVP_PKEY_X25519);
+}
+
const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = {
EVP_PKEY_X25519,
EVP_PKEY_X25519,
ecx_pub_cmp,
ecx_pub_print,
- ecx_priv_decode,
+ NULL,
ecx_priv_encode,
ecx_priv_print,
ecx_set_pub_key,
ecx_get_priv_key,
ecx_get_pub_key,
+ ecx_pkey_dirty_cnt,
+ ecx_pkey_export_to,
+ x25519_import_from,
+
+ ecx_priv_decode_with_libctx
};
+static int x448_import_from(const OSSL_PARAM params[], void *vpctx)
+{
+ return ecx_generic_import_from(params, vpctx, EVP_PKEY_X448);
+}
+
const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth = {
EVP_PKEY_X448,
EVP_PKEY_X448,
ecx_pub_cmp,
ecx_pub_print,
- ecx_priv_decode,
+ NULL,
ecx_priv_encode,
ecx_priv_print,
ecx_set_pub_key,
ecx_get_priv_key,
ecx_get_pub_key,
+ ecx_pkey_dirty_cnt,
+ ecx_pkey_export_to,
+ x448_import_from,
+
+ ecx_priv_decode_with_libctx
};
static int ecd_size25519(const EVP_PKEY *pkey)
X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
if (alg2)
X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
- /* Algorithm idetifiers set: carry on as normal */
+ /* Algorithm identifiers set: carry on as normal */
return 3;
}
return 1;
}
+static int ed25519_import_from(const OSSL_PARAM params[], void *vpctx)
+{
+ return ecx_generic_import_from(params, vpctx, EVP_PKEY_ED25519);
+}
const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
EVP_PKEY_ED25519,
ecx_pub_cmp,
ecx_pub_print,
- ecx_priv_decode,
+ NULL,
ecx_priv_encode,
ecx_priv_print,
ecx_set_pub_key,
ecx_get_priv_key,
ecx_get_pub_key,
+ ecx_pkey_dirty_cnt,
+ ecx_pkey_export_to,
+ ed25519_import_from,
+
+ ecx_priv_decode_with_libctx
};
+static int ed448_import_from(const OSSL_PARAM params[], void *vpctx)
+{
+ return ecx_generic_import_from(params, vpctx, EVP_PKEY_ED448);
+}
+
const EVP_PKEY_ASN1_METHOD ed448_asn1_meth = {
EVP_PKEY_ED448,
EVP_PKEY_ED448,
ecx_pub_cmp,
ecx_pub_print,
- ecx_priv_decode,
+ NULL,
ecx_priv_encode,
ecx_priv_print,
ecx_set_pub_key,
ecx_get_priv_key,
ecx_get_pub_key,
+ ecx_pkey_dirty_cnt,
+ ecx_pkey_export_to,
+ ed448_import_from,
+
+ ecx_priv_decode_with_libctx
};
static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
- return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, KEY_OP_KEYGEN);
+ return ecx_key_op(pkey, ctx->pmeth->pkey_id, NULL, NULL, 0, KEY_OP_KEYGEN,
+ NULL, NULL);
}
static int validate_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
return -2;
}
-const EVP_PKEY_METHOD ecx25519_pkey_meth = {
+static const EVP_PKEY_METHOD ecx25519_pkey_meth = {
EVP_PKEY_X25519,
0, 0, 0, 0, 0, 0, 0,
pkey_ecx_keygen,
0
};
-const EVP_PKEY_METHOD ecx448_pkey_meth = {
+static const EVP_PKEY_METHOD ecx448_pkey_meth = {
EVP_PKEY_X448,
0, 0, 0, 0, 0, 0, 0,
pkey_ecx_keygen,
return 0;
}
- if (ED25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey) == 0)
+ if (ED25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL,
+ NULL) == 0)
return 0;
*siglen = ED25519_SIGSIZE;
return 1;
return 0;
}
- if (ED448_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL,
- 0) == 0)
+ /*
+ * TODO(3.0): We use NULL for the library context for now. Will need to
+ * change later.
+ */
+ if (ED448_sign(NULL, sig, tbs, tbslen, edkey->pubkey, edkey->privkey,
+ NULL, 0) == 0)
return 0;
*siglen = ED448_SIGSIZE;
return 1;
if (siglen != ED25519_SIGSIZE)
return 0;
- return ED25519_verify(tbs, tbslen, sig, edkey->pubkey);
+ return ED25519_verify(tbs, tbslen, sig, edkey->pubkey, NULL, NULL);
}
static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig,
if (siglen != ED448_SIGSIZE)
return 0;
- return ED448_verify(tbs, tbslen, sig, edkey->pubkey, NULL, 0);
+ /*
+ * TODO(3.0): We send NULL for the OPENSSL_CTX for now. This will need to
+ * change.
+ */
+ return ED448_verify(NULL, tbs, tbslen, sig, edkey->pubkey, NULL, 0);
}
static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
return -2;
}
-const EVP_PKEY_METHOD ed25519_pkey_meth = {
+static const EVP_PKEY_METHOD ed25519_pkey_meth = {
EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
0, 0, 0, 0, 0, 0,
pkey_ecx_keygen,
pkey_ecd_digestverify25519
};
-const EVP_PKEY_METHOD ed448_pkey_meth = {
+static const EVP_PKEY_METHOD ed448_pkey_meth = {
EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
0, 0, 0, 0, 0, 0,
pkey_ecx_keygen,
pkey_ecd_digestsign448,
pkey_ecd_digestverify448
};
+
+#ifdef S390X_EC_ASM
+# include "s390x_arch.h"
+
+static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+ static const unsigned char generator[] = {
+ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+ ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_X25519, 1);
+ unsigned char *privkey = NULL, *pubkey;
+
+ if (key == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ pubkey = key->pubkey;
+
+ privkey = ecx_key_allocate_privkey(key);
+ if (privkey == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0)
+ goto err;
+
+ privkey[0] &= 248;
+ privkey[31] &= 127;
+ privkey[31] |= 64;
+
+ if (s390x_x25519_mul(pubkey, generator, privkey) != 1)
+ goto err;
+
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+ return 1;
+ err:
+ ecx_key_free(key);
+ return 0;
+}
+
+static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+ static const unsigned char generator[] = {
+ 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+ ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_X448, 1);
+ unsigned char *privkey = NULL, *pubkey;
+
+ if (key == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ pubkey = key->pubkey;
+
+ privkey = ecx_key_allocate_privkey(key);
+ if (privkey == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0)
+ goto err;
+
+ privkey[0] &= 252;
+ privkey[55] |= 128;
+
+ if (s390x_x448_mul(pubkey, generator, privkey) != 1)
+ goto err;
+
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+ return 1;
+ err:
+ ecx_key_free(key);
+ return 0;
+}
+
+static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+ static const unsigned char generator_x[] = {
+ 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
+ 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
+ 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
+ };
+ static const unsigned char generator_y[] = {
+ 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+ };
+ unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH];
+ ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_ED25519, 1);
+ unsigned char *privkey = NULL, *pubkey;
+ unsigned int sz;
+
+ if (key == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ pubkey = key->pubkey;
+
+ privkey = ecx_key_allocate_privkey(key);
+ if (privkey == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0)
+ goto err;
+
+ if (!EVP_Digest(privkey, 32, buff, &sz, EVP_sha512(), NULL))
+ goto err;
+
+ buff[0] &= 248;
+ buff[31] &= 63;
+ buff[31] |= 64;
+
+ if (s390x_ed25519_mul(x_dst, pubkey,
+ generator_x, generator_y, buff) != 1)
+ goto err;
+
+ pubkey[31] |= ((x_dst[0] & 0x01) << 7);
+
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+ return 1;
+ err:
+ ecx_key_free(key);
+ return 0;
+}
+
+static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+ static const unsigned char generator_x[] = {
+ 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b,
+ 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12,
+ 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47,
+ 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22,
+ 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00
+ };
+ static const unsigned char generator_y[] = {
+ 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e,
+ 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a,
+ 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c,
+ 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88,
+ 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00
+ };
+ unsigned char x_dst[57], buff[114];
+ ECX_KEY *key = ecx_key_new(ctx->libctx, ECX_KEY_TYPE_ED448, 1);
+ unsigned char *privkey = NULL, *pubkey;
+ EVP_MD_CTX *hashctx = NULL;
+
+ if (key == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ pubkey = key->pubkey;
+
+ privkey = ecx_key_allocate_privkey(key);
+ if (privkey == NULL) {
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0)
+ goto err;
+
+ hashctx = EVP_MD_CTX_new();
+ if (hashctx == NULL)
+ goto err;
+ if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
+ goto err;
+ if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
+ goto err;
+ if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
+ goto err;
+
+ buff[0] &= -4;
+ buff[55] |= 0x80;
+ buff[56] = 0;
+
+ if (s390x_ed448_mul(x_dst, pubkey,
+ generator_x, generator_y, buff) != 1)
+ goto err;
+
+ pubkey[56] |= ((x_dst[0] & 0x01) << 7);
+
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+ EVP_MD_CTX_free(hashctx);
+ return 1;
+ err:
+ ecx_key_free(key);
+ EVP_MD_CTX_free(hashctx);
+ return 0;
+}
+
+static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
+ size_t *keylen)
+{
+ const unsigned char *privkey, *pubkey;
+
+ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
+ return 0;
+
+ if (key != NULL)
+ return s390x_x25519_mul(key, pubkey, privkey);
+
+ *keylen = X25519_KEYLEN;
+ return 1;
+}
+
+static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
+ size_t *keylen)
+{
+ const unsigned char *privkey, *pubkey;
+
+ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
+ return 0;
+
+ if (key != NULL)
+ return s390x_x448_mul(key, pubkey, privkey);
+
+ *keylen = X448_KEYLEN;
+ return 1;
+}
+
+static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen)
+{
+ union {
+ struct {
+ unsigned char sig[64];
+ unsigned char priv[32];
+ } ed25519;
+ unsigned long long buff[512];
+ } param;
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+ int rc;
+
+ if (sig == NULL) {
+ *siglen = ED25519_SIGSIZE;
+ return 1;
+ }
+
+ if (*siglen < ED25519_SIGSIZE) {
+ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ memset(¶m, 0, sizeof(param));
+ memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
+
+ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen);
+ OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
+ if (rc != 0)
+ return 0;
+
+ s390x_flip_endian32(sig, param.ed25519.sig);
+ s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
+
+ *siglen = ED25519_SIGSIZE;
+ return 1;
+}
+
+static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen)
+{
+ union {
+ struct {
+ unsigned char sig[128];
+ unsigned char priv[64];
+ } ed448;
+ unsigned long long buff[512];
+ } param;
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+ int rc;
+
+ if (sig == NULL) {
+ *siglen = ED448_SIGSIZE;
+ return 1;
+ }
+
+ if (*siglen < ED448_SIGSIZE) {
+ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ memset(¶m, 0, sizeof(param));
+ memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
+
+ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen);
+ OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
+ if (rc != 0)
+ return 0;
+
+ s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
+ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
+ memcpy(sig, param.ed448.sig, 57);
+ memcpy(sig + 57, param.ed448.sig + 64, 57);
+
+ *siglen = ED448_SIGSIZE;
+ return 1;
+}
+
+static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen)
+{
+ union {
+ struct {
+ unsigned char sig[64];
+ unsigned char pub[32];
+ } ed25519;
+ unsigned long long buff[512];
+ } param;
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+ if (siglen != ED25519_SIGSIZE)
+ return 0;
+
+ memset(¶m, 0, sizeof(param));
+ s390x_flip_endian32(param.ed25519.sig, sig);
+ s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
+ s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
+
+ return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
+ ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0;
+}
+
+static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen)
+{
+ union {
+ struct {
+ unsigned char sig[128];
+ unsigned char pub[64];
+ } ed448;
+ unsigned long long buff[512];
+ } param;
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+ if (siglen != ED448_SIGSIZE)
+ return 0;
+
+ memset(¶m, 0, sizeof(param));
+ memcpy(param.ed448.sig, sig, 57);
+ s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
+ memcpy(param.ed448.sig + 64, sig + 57, 57);
+ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
+ memcpy(param.ed448.pub, edkey->pubkey, 57);
+ s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
+
+ return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
+ ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0;
+}
+
+static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = {
+ EVP_PKEY_X25519,
+ 0, 0, 0, 0, 0, 0, 0,
+ s390x_pkey_ecx_keygen25519,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ s390x_pkey_ecx_derive25519,
+ pkey_ecx_ctrl,
+ 0
+};
+
+static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = {
+ EVP_PKEY_X448,
+ 0, 0, 0, 0, 0, 0, 0,
+ s390x_pkey_ecx_keygen448,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ s390x_pkey_ecx_derive448,
+ pkey_ecx_ctrl,
+ 0
+};
+static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = {
+ EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+ 0, 0, 0, 0, 0, 0,
+ s390x_pkey_ecd_keygen25519,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ pkey_ecd_ctrl,
+ 0,
+ s390x_pkey_ecd_digestsign25519,
+ s390x_pkey_ecd_digestverify25519
+};
+
+static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = {
+ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+ 0, 0, 0, 0, 0, 0,
+ s390x_pkey_ecd_keygen448,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ pkey_ecd_ctrl,
+ 0,
+ s390x_pkey_ecd_digestsign448,
+ s390x_pkey_ecd_digestverify448
+};
+#endif
+
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519))
+ return &ecx25519_s390x_pkey_meth;
+#endif
+ return &ecx25519_pkey_meth;
+}
+
+const EVP_PKEY_METHOD *ecx448_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448))
+ return &ecx448_s390x_pkey_meth;
+#endif
+ return &ecx448_pkey_meth;
+}
+
+const EVP_PKEY_METHOD *ed25519_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
+ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
+ && OPENSSL_s390xcap_P.kdsa[0]
+ & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519))
+ return &ed25519_s390x_pkey_meth;
+#endif
+ return &ed25519_pkey_meth;
+}
+
+const EVP_PKEY_METHOD *ed448_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
+ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448)
+ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448))
+ return &ed448_s390x_pkey_meth;
+#endif
+ return &ed448_pkey_meth;
+}
projects / openssl.git / blobdiff