[PROV][KMGMT][KEXCH][EC] Implement EC keymgtm and ECDH
authorNicola Tuveri <nic.tuv@gmail.com>
Sat, 14 Dec 2019 22:20:53 +0000 (00:20 +0200)
committerNicola Tuveri <nic.tuv@gmail.com>
Tue, 18 Feb 2020 17:11:10 +0000 (19:11 +0200)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

22 files changed:
crypto/ec/build.info
crypto/ec/ec_ameth.c
crypto/ec/ec_asn1.c
crypto/ec/ec_evp_lib.c [new file with mode: 0644]
crypto/ec/ec_key.c
crypto/ec/ec_local.h
crypto/evp/evp_local.h
crypto/evp/exchange.c
crypto/evp/keymgmt_meth.c
crypto/evp/pmeth_lib.c
include/crypto/evp.h
include/openssl/core_names.h
include/openssl/core_numbers.h
include/openssl/ec.h
providers/defltprov.c
providers/implementations/exchange/build.info
providers/implementations/exchange/ecdh_exch.c [new file with mode: 0644]
providers/implementations/include/prov/implementations.h
providers/implementations/keymgmt/build.info
providers/implementations/keymgmt/ec_kmgmt.c [new file with mode: 0644]
providers/implementations/keymgmt/ec_kmgmt_imexport.inc [new file with mode: 0644]
util/libcrypto.num

index a8828c5..0e01d4a 100644 (file)
@@ -43,8 +43,6 @@ IF[{- !$disabled{asm} -}]
   ENDIF
 ENDIF
 
-LIBS=../../libcrypto
-
 $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \
         ec_curve.c ec_check.c ec_print.c ec_key.c ec_asn1.c \
         ec2_smpl.c \
@@ -55,7 +53,7 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \
         curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \
         $ECASM
 SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c ecx_key.c \
-                        ec_err.c ecdh_kdf.c eck_prn.c
+                        ec_err.c ecdh_kdf.c eck_prn.c ec_evp_lib.c
 SOURCE[../../providers/libfips.a]=$COMMON
 
 # Implementations are now spread across several libraries, so the defines
index 602ff7c..c4e8177 100644 (file)
@@ -22,6 +22,8 @@
 #include <openssl/asn1t.h>
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
+#include <openssl/core_names.h>
+#include "internal/param_build.h"
 #include "ec_local.h"
 
 #ifndef OPENSSL_NO_CMS
@@ -574,6 +576,126 @@ static int ec_pkey_param_check(const EVP_PKEY *pkey)
     return EC_GROUP_check(eckey->group, NULL);
 }
 
+static
+size_t ec_pkey_dirty_cnt(const EVP_PKEY *pkey)
+{
+    return pkey->pkey.ec->dirty_cnt;
+}
+
+static ossl_inline
+int ecparams_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl)
+{
+    const EC_GROUP *ecg;
+    int curve_nid;
+
+    if (eckey == NULL)
+        return 0;
+
+    ecg = EC_KEY_get0_group(eckey);
+    if (ecg == NULL)
+        return 0;
+
+    curve_nid = EC_GROUP_get_curve_name(ecg);
+
+    if (curve_nid == NID_undef) {
+        /* explicit parameters */
+
+        /*
+         * TODO(3.0): should we support explicit parameters curves?
+         */
+        return 0;
+    } else {
+        /* named curve */
+        const char *curve_name = NULL;
+
+        if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL)
+            return 0;
+
+        if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0))
+            return 0;
+    }
+
+    return 1;
+}
+
+static
+int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
+                      EVP_KEYMGMT *to_keymgmt)
+{
+    const EC_KEY *eckey = NULL;
+    const EC_GROUP *ecg = NULL;
+    unsigned char *pub_key_buf = NULL;
+    size_t pub_key_buflen;
+    OSSL_PARAM_BLD tmpl;
+    OSSL_PARAM *params = NULL;
+    const BIGNUM *priv_key = NULL;
+    const EC_POINT *pub_point = NULL;
+    int rv = 0;
+
+    if (from == NULL
+            || (eckey = from->pkey.ec) == NULL
+            || (ecg = EC_KEY_get0_group(eckey)) == NULL)
+        return 0;
+
+    ossl_param_bld_init(&tmpl);
+
+    /* export the domain parameters */
+    if (!ecparams_to_params(eckey, &tmpl))
+        return 0;
+
+    priv_key = EC_KEY_get0_private_key(eckey);
+    pub_point = EC_KEY_get0_public_key(eckey);
+
+    /* public_key must be present, priv_key is optional */
+    if (pub_point == NULL)
+        return 0;
+
+    /* convert pub_point to a octet string according to the SECG standard */
+    if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point,
+                                             POINT_CONVERSION_COMPRESSED,
+                                             &pub_key_buf, NULL)) == 0)
+        return 0;
+
+    if (!ossl_param_bld_push_octet_string(&tmpl,
+                OSSL_PKEY_PARAM_PUB_KEY,
+                pub_key_buf,
+                pub_key_buflen))
+        goto err;
+
+    if (priv_key != NULL) {
+        /*
+         * The ECDH Cofactor Mode is defined only if the EC_KEY actually
+         * contains a private key, so we check for the flag and export it only
+         * in this case.
+         */
+        int ecdh_cofactor_mode =
+            (EC_KEY_get_flags(eckey) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
+
+        /* Export the actual private key */
+        if (!ossl_param_bld_push_BN(&tmpl,
+                                    OSSL_PKEY_PARAM_PRIV_KEY,
+                                    priv_key))
+            goto err;
+
+        /* Export the ECDH_COFACTOR_MODE parameter */
+        if (!ossl_param_bld_push_int(&tmpl,
+                                     OSSL_PKEY_PARAM_USE_COFACTOR_ECDH,
+                                     ecdh_cofactor_mode))
+            goto err;
+    }
+
+    params = ossl_param_bld_to_param(&tmpl);
+
+    /* We export, the provider imports */
+    rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
+                            params);
+
+ err:
+    ossl_param_bld_free(params);
+    OPENSSL_free(pub_key_buf);
+    return rv;
+}
+
 const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
     EVP_PKEY_EC,
     EVP_PKEY_EC,
@@ -611,7 +733,15 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
 
     ec_pkey_check,
     ec_pkey_public_check,
-    ec_pkey_param_check
+    ec_pkey_param_check,
+
+    0, /* set_priv_key */
+    0, /* set_pub_key */
+    0, /* get_priv_key */
+    0, /* get_pub_key */
+
+    ec_pkey_dirty_cnt,
+    ec_pkey_export_to
 };
 
 #if !defined(OPENSSL_NO_SM2)
index f61d886..4f7a76a 100644 (file)
@@ -1051,6 +1051,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
         *a = ret;
     EC_PRIVATEKEY_free(priv_key);
     *in = p;
+    ret->dirty_cnt++;
     return ret;
 
  err:
@@ -1162,8 +1163,11 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
         ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
         if (a == NULL || *a != ret)
              EC_KEY_free(ret);
+        else
+            ret->dirty_cnt++;
         return NULL;
     }
+    ret->dirty_cnt++;
 
     if (a)
         *a = ret;
@@ -1183,6 +1187,7 @@ EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len)
         return 0;
     }
     ret = *a;
+    /* EC_KEY_opt2key updates dirty_cnt */
     if (!EC_KEY_oct2key(ret, *in, len, NULL)) {
         ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB);
         return 0;
diff --git a/crypto/ec/ec_evp_lib.c b/crypto/ec/ec_evp_lib.c
new file mode 100644 (file)
index 0000000..e4d7815
--- /dev/null
@@ -0,0 +1,422 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/opensslv.h>
+
+#include <openssl/core_names.h>
+#include "crypto/evp.h"
+
+#include "ec_local.h"
+
+/*
+ * This file is meant to contain functions to provide EVP_PKEY support for EC
+ * keys.
+ */
+
+static ossl_inline
+int evp_pkey_ctx_getset_ecdh_param_checks(const EVP_PKEY_CTX *ctx)
+{
+    if (ctx == NULL || !EVP_PKEY_CTX_IS_DERIVE_OP(ctx)) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    }
+
+    /* If key type not EC return error */
+    if (ctx->pmeth != NULL && ctx->pmeth->pkey_id != EVP_PKEY_EC)
+        return -1;
+
+    return 1;
+}
+
+int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode)
+{
+    int ret;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /*
+     * Valid input values are:
+     *  * 0 for disable
+     *  * 1 for enable
+     *  * -1 for reset to default for associated priv key
+     */
+    if (cofactor_mode < -1 || cofactor_mode > 1) {
+        /* Uses the same return value of pkey_ec_ctrl() */
+        return -2;
+    }
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_ECDH_COFACTOR,
+                                 cofactor_mode, NULL);
+
+    *p++ = OSSL_PARAM_construct_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE,
+                                    &cofactor_mode);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_set_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    }
+
+    return ret;
+}
+
+int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx)
+{
+    int ret, mode;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_ECDH_COFACTOR, -2, NULL);
+
+    *p++ = OSSL_PARAM_construct_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE,
+                                    &mode);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_get_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    } else if (ret != 1) {
+        return -1;
+    }
+
+    if (mode < 0 || mode > 1) {
+        /*
+         * The provider should return either 0 or 1, any other value is a
+         * provider error.
+         */
+        return -1;
+    }
+
+    return mode;
+}
+
+int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf)
+{
+    int ret;
+    const char *kdf_type;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    switch (kdf) {
+        case EVP_PKEY_ECDH_KDF_NONE:
+            kdf_type = "";
+            break;
+        case EVP_PKEY_ECDH_KDF_X9_63:
+            kdf_type = OSSL_KDF_NAME_X963KDF;
+            break;
+        default:
+            return -2;
+    }
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_KDF_TYPE, kdf, NULL);
+
+    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE,
+                                            /*
+                                             * Cast away the const. This is read
+                                             * only so should be safe
+                                             */
+                                            (char *)kdf_type, 0);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_set_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    }
+
+    return ret;
+}
+
+int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx)
+{
+    int ret;
+    /* 80 should be big enough */
+    char kdf_type[80];
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_KDF_TYPE, -2, NULL);
+
+    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE,
+                                            kdf_type, sizeof(kdf_type));
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_get_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    } else if (ret != 1) {
+        return -1;
+    }
+
+    if (kdf_type[0] == '\0')
+        return EVP_PKEY_ECDH_KDF_NONE;
+    else if (strcmp(kdf_type, OSSL_KDF_NAME_X963KDF) == 0)
+        return EVP_PKEY_ECDH_KDF_X9_63;
+
+    return -1;
+}
+
+int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
+{
+    int ret;
+    OSSL_PARAM params[2], *p = params;
+    const char *md_name = NULL;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_KDF_MD, 0, (void *)(md));
+
+    md_name = (md == NULL) ? "" : EVP_MD_name(md);
+
+    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST,
+                                            /*
+                                             * Cast away the const. This is read
+                                             * only so should be safe
+                                             */
+                                            (char *)md_name, 0);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_set_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    }
+    return ret;
+}
+
+int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd)
+{
+    /* 80 should be big enough */
+    char name[80] = "";
+    int ret;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_GET_EC_KDF_MD, 0, (void *)(pmd));
+
+    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST,
+                                            name, sizeof(name));
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_get_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    } else if (ret != 1) {
+        return -1;
+    }
+
+    /* May be NULL meaning "unknown" */
+    *pmd = EVP_get_digestbyname(name);
+
+    return 1;
+}
+
+int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int in)
+{
+    int ret;
+    size_t len = in;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_KDF_OUTLEN, in, NULL);
+
+    if (in <= 0) {
+        /*
+         * This would ideally be -1 or 0, but we have to retain compatibility
+         * with legacy behaviour of EVP_PKEY_CTX_ctrl() which returned -2 if
+         * in <= 0
+         */
+        return -2;
+    }
+
+    *p++ = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN,
+                                       &len);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_set_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    }
+    return ret;
+}
+
+int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *plen)
+{
+    size_t len = UINT_MAX;
+    int ret;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, 0,
+                                 (void *)(plen));
+
+    *p++ = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN,
+                                       &len);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_get_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    } else if (ret != 1) {
+        return -1;
+    }
+
+    if (len > INT_MAX)
+        return -1;
+
+    *plen = (int)len;
+
+    return 1;
+}
+
+int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len)
+{
+    int ret;
+    OSSL_PARAM params[2], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_EC_KDF_UKM, len, (void *)(ukm));
+
+    *p++ = OSSL_PARAM_construct_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM,
+                                            /*
+                                             * Cast away the const. This is read
+                                             * only so should be safe
+                                             */
+                                            (void *)ukm,
+                                            (size_t)len);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_set_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    }
+    if (ret == 1)
+        OPENSSL_free(ukm);
+    return ret;
+}
+
+int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm)
+{
+    size_t ukmlen;
+    int ret;
+    OSSL_PARAM params[3], *p = params;
+
+    ret = evp_pkey_ctx_getset_ecdh_param_checks(ctx);
+    if (ret != 1)
+        return ret;
+
+    /* TODO(3.0): Remove this eventually when no more legacy */
+    if (ctx->op.kex.exchprovctx == NULL)
+        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+                                 EVP_PKEY_OP_DERIVE,
+                                 EVP_PKEY_CTRL_GET_EC_KDF_UKM, 0,
+                                 (void *)(pukm));
+
+    *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_EXCHANGE_PARAM_KDF_UKM,
+                                          (void **)pukm, 0);
+    *p++ = OSSL_PARAM_construct_size_t(OSSL_EXCHANGE_PARAM_KDF_UKM_LEN,
+                                       &ukmlen);
+    *p++ = OSSL_PARAM_construct_end();
+
+    ret = evp_pkey_ctx_get_params_strict(ctx, params);
+    if (ret == -2) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+        return -2;
+    } else if (ret != 1) {
+        return -1;
+    }
+
+    if (ukmlen > INT_MAX)
+        return -1;
+
+    return (int)ukmlen;
+}
index a0cd5b9..071801b 100644 (file)
@@ -169,6 +169,8 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
     if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
         return NULL;
 
+    dest->dirty_cnt++;
+
     return dest;
 }
 
@@ -209,15 +211,28 @@ int EC_KEY_generate_key(EC_KEY *eckey)
         ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    if (eckey->meth->keygen != NULL)
-        return eckey->meth->keygen(eckey);
+    if (eckey->meth->keygen != NULL) {
+        int ret;
+
+        ret = eckey->meth->keygen(eckey);
+        if (ret == 1)
+            eckey->dirty_cnt++;
+
+        return ret;
+    }
     ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
     return 0;
 }
 
 int ossl_ec_key_gen(EC_KEY *eckey)
 {
-    return eckey->group->meth->keygen(eckey);
+    int ret;
+
+    ret = eckey->group->meth->keygen(eckey);
+
+    if (ret == 1)
+        eckey->dirty_cnt++;
+    return ret;
 }
 
 /*
@@ -287,6 +302,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey)
     priv_key = NULL;
     pub_key = NULL;
 
+    eckey->dirty_cnt++;
+
     ok = 1;
 
 err:
@@ -305,12 +322,19 @@ err:
 
 int ec_key_simple_generate_public_key(EC_KEY *eckey)
 {
+    int ret;
+
     /*
      * See SP800-56AR3 5.6.1.2.2: Step (8)
      * pub_key = priv_key * G (where G is a point on the curve)
      */
-    return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
-                        NULL, NULL);
+    ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
+                       NULL, NULL);
+
+    if (ret == 1)
+        eckey->dirty_cnt++;
+
+    return ret;
 }
 
 int EC_KEY_check_key(const EC_KEY *eckey)
@@ -505,6 +529,7 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
         goto err;
     }
 
+    /* EC_KEY_set_public_key updates dirty_cnt */
     if (!EC_KEY_set_public_key(key, point))
         goto err;
 
@@ -532,6 +557,7 @@ int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
         return 0;
     EC_GROUP_free(key->group);
     key->group = EC_GROUP_dup(group);
+    key->dirty_cnt++;
     return (key->group == NULL) ? 0 : 1;
 }
 
@@ -552,6 +578,7 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
         return 0;
     BN_clear_free(key->priv_key);
     key->priv_key = BN_dup(priv_key);
+    key->dirty_cnt++;
     return (key->priv_key == NULL) ? 0 : 1;
 }
 
@@ -567,6 +594,7 @@ int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
         return 0;
     EC_POINT_free(key->pub_key);
     key->pub_key = EC_POINT_dup(pub_key, key->group);
+    key->dirty_cnt++;
     return (key->pub_key == NULL) ? 0 : 1;
 }
 
@@ -613,11 +641,13 @@ int EC_KEY_get_flags(const EC_KEY *key)
 void EC_KEY_set_flags(EC_KEY *key, int flags)
 {
     key->flags |= flags;
+    key->dirty_cnt++;
 }
 
 void EC_KEY_clear_flags(EC_KEY *key, int flags)
 {
     key->flags &= ~flags;
+    key->dirty_cnt++;
 }
 
 size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
@@ -639,6 +669,7 @@ int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
         return 0;
     if (EC_POINT_oct2point(key->group, key->pub_key, buf, len, ctx) == 0)
         return 0;
+    key->dirty_cnt++;
     /*
      * Save the point conversion form.
      * For non-custom curves the first octet of the buffer (excluding
@@ -689,13 +720,18 @@ size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
 
 int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
 {
+    int ret;
+
     if (eckey->group == NULL || eckey->group->meth == NULL)
         return 0;
     if (eckey->group->meth->oct2priv == NULL) {
         ECerr(EC_F_EC_KEY_OCT2PRIV, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
         return 0;
     }
-    return eckey->group->meth->oct2priv(eckey, buf, len);
+    ret = eckey->group->meth->oct2priv(eckey, buf, len);
+    if (ret == 1)
+        eckey->dirty_cnt++;
+    return ret;
 }
 
 int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
@@ -711,6 +747,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
         ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
         return 0;
     }
+    eckey->dirty_cnt++;
     return 1;
 }
 
index c0eacc9..dacb2ca 100644 (file)
@@ -301,6 +301,9 @@ struct ec_key_st {
 #endif
     CRYPTO_RWLOCK *lock;
     OPENSSL_CTX *libctx;
+
+    /* Provider data */
+    size_t dirty_cnt; /* If any key material changes, increment this */
 };
 
 struct ec_point_st {
index 95dd1c0..ca1239d 100644 (file)
@@ -78,6 +78,8 @@ struct evp_keymgmt_st {
     OSSL_OP_keymgmt_free_fn *free;
     OSSL_OP_keymgmt_get_params_fn *get_params;
     OSSL_OP_keymgmt_gettable_params_fn *gettable_params;
+    OSSL_OP_keymgmt_set_params_fn *set_params;
+    OSSL_OP_keymgmt_settable_params_fn *settable_params;
 
     /* Key object checking */
     OSSL_OP_keymgmt_query_operation_name_fn *query_operation_name;
@@ -105,6 +107,8 @@ struct evp_keyexch_st {
     OSSL_OP_keyexch_dupctx_fn *dupctx;
     OSSL_OP_keyexch_set_ctx_params_fn *set_ctx_params;
     OSSL_OP_keyexch_settable_ctx_params_fn *settable_ctx_params;
+    OSSL_OP_keyexch_get_ctx_params_fn *get_ctx_params;
+    OSSL_OP_keyexch_gettable_ctx_params_fn *gettable_ctx_params;
 } /* EVP_KEYEXCH */;
 
 struct evp_signature_st {
index 14ed4db..901081d 100644 (file)
@@ -43,7 +43,7 @@ static void *evp_keyexch_from_dispatch(int name_id,
                                        OSSL_PROVIDER *prov)
 {
     EVP_KEYEXCH *exchange = NULL;
-    int fncnt = 0, paramfncnt = 0;
+    int fncnt = 0, sparamfncnt = 0, gparamfncnt = 0;
 
     if ((exchange = evp_keyexch_new(prov)) == NULL) {
         ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
@@ -88,28 +88,44 @@ static void *evp_keyexch_from_dispatch(int name_id,
                 break;
             exchange->dupctx = OSSL_get_OP_keyexch_dupctx(fns);
             break;
+        case OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS:
+            if (exchange->get_ctx_params != NULL)
+                break;
+            exchange->get_ctx_params = OSSL_get_OP_keyexch_get_ctx_params(fns);
+            gparamfncnt++;
+            break;
+        case OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS:
+            if (exchange->gettable_ctx_params != NULL)
+                break;
+            exchange->gettable_ctx_params
+                = OSSL_get_OP_keyexch_gettable_ctx_params(fns);
+            gparamfncnt++;
+            break;
         case OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS:
             if (exchange->set_ctx_params != NULL)
                 break;
             exchange->set_ctx_params = OSSL_get_OP_keyexch_set_ctx_params(fns);
-            paramfncnt++;
+            sparamfncnt++;
             break;
         case OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS:
             if (exchange->settable_ctx_params != NULL)
                 break;
             exchange->settable_ctx_params
                 = OSSL_get_OP_keyexch_settable_ctx_params(fns);
-            paramfncnt++;
+            sparamfncnt++;
             break;
         }
     }
-    if (fncnt != 4 || (paramfncnt != 0 && paramfncnt != 2)) {
+    if (fncnt != 4
+            || (gparamfncnt != 0 && gparamfncnt != 2)
+            || (sparamfncnt != 0 && sparamfncnt != 2)) {
         /*
          * In order to be a consistent set of functions we must have at least
          * a complete set of "exchange" functions: init, derive, newctx,
          * and freectx. The set_ctx_params and settable_ctx_params functions are
          * optional, but if one of them is present then the other one must also
-         * be present. The dupctx and set_peer functions are optional.
+         * be present. Same goes for get_ctx_params and gettable_ctx_params.
+         * The dupctx and set_peer functions are optional.
          */
         EVPerr(EVP_F_EVP_KEYEXCH_FROM_DISPATCH,
                EVP_R_INVALID_PROVIDER_FUNCTIONS);
index b239581..3fcc073 100644 (file)
@@ -38,7 +38,7 @@ static void *keymgmt_from_dispatch(int name_id,
                                    OSSL_PROVIDER *prov)
 {
     EVP_KEYMGMT *keymgmt = NULL;
-    int paramfncnt = 0, importfncnt = 0, exportfncnt = 0;
+    int setparamfncnt = 0, getparamfncnt = 0, importfncnt = 0, exportfncnt = 0;
 
     if ((keymgmt = keymgmt_new()) == NULL) {
         EVP_KEYMGMT_free(keymgmt);
@@ -58,17 +58,30 @@ static void *keymgmt_from_dispatch(int name_id,
             break;
         case OSSL_FUNC_KEYMGMT_GET_PARAMS:
             if (keymgmt->get_params == NULL) {
-                paramfncnt++;
+                getparamfncnt++;
                 keymgmt->get_params = OSSL_get_OP_keymgmt_get_params(fns);
             }
             break;
         case OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS:
             if (keymgmt->gettable_params == NULL) {
-                paramfncnt++;
+                getparamfncnt++;
                 keymgmt->gettable_params =
                     OSSL_get_OP_keymgmt_gettable_params(fns);
             }
             break;
+         case OSSL_FUNC_KEYMGMT_SET_PARAMS:
+            if (keymgmt->set_params == NULL) {
+                setparamfncnt++;
+                keymgmt->set_params = OSSL_get_OP_keymgmt_set_params(fns);
+            }
+            break;
+        case OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS:
+            if (keymgmt->settable_params == NULL) {
+                setparamfncnt++;
+                keymgmt->settable_params =
+                    OSSL_get_OP_keymgmt_settable_params(fns);
+            }
+            break;
         case OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME:
             if (keymgmt->query_operation_name == NULL)
                 keymgmt->query_operation_name =
@@ -119,7 +132,8 @@ static void *keymgmt_from_dispatch(int name_id,
     if (keymgmt->free == NULL
         || keymgmt->new == NULL
         || keymgmt->has == NULL
-        || (paramfncnt != 0 && paramfncnt != 2)
+        || (getparamfncnt != 0 && getparamfncnt != 2)
+        || (setparamfncnt != 0 && setparamfncnt != 2)
         || (importfncnt != 0 && importfncnt != 2)
         || (exportfncnt != 0 && exportfncnt != 2)) {
         EVP_KEYMGMT_free(keymgmt);
@@ -246,6 +260,21 @@ const OSSL_PARAM *evp_keymgmt_gettable_params(const EVP_KEYMGMT *keymgmt)
     return keymgmt->gettable_params();
 }
 
+int evp_keymgmt_set_params(const EVP_KEYMGMT *keymgmt, void *keydata,
+                           const OSSL_PARAM params[])
+{
+    if (keymgmt->set_params == NULL)
+        return 1;
+    return keymgmt->set_params(keydata, params);
+}
+
+const OSSL_PARAM *evp_keymgmt_settable_params(const EVP_KEYMGMT *keymgmt)
+{
+    if (keymgmt->settable_params == NULL)
+        return NULL;
+    return keymgmt->settable_params();
+}
+
 int evp_keymgmt_has(const EVP_KEYMGMT *keymgmt, void *keydata, int selection)
 {
     /* This is mandatory, no need to check for its presence */
index 3089d84..f4bc49f 100644 (file)
@@ -570,6 +570,12 @@ int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
 #ifndef FIPS_MODE
 int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
 {
+    if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx)
+            && ctx->op.kex.exchprovctx != NULL
+            && ctx->op.kex.exchange != NULL
+            && ctx->op.kex.exchange->get_ctx_params != NULL)
+        return ctx->op.kex.exchange->get_ctx_params(ctx->op.kex.exchprovctx,
+                                                    params);
     if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
             && ctx->op.sig.sigprovctx != NULL
             && ctx->op.sig.signature != NULL
@@ -587,6 +593,10 @@ int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
 
 const OSSL_PARAM *EVP_PKEY_CTX_gettable_params(EVP_PKEY_CTX *ctx)
 {
+    if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx)
+            && ctx->op.kex.exchange != NULL
+            && ctx->op.kex.exchange->gettable_ctx_params != NULL)
+        return ctx->op.kex.exchange->gettable_ctx_params();
     if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
             && ctx->op.sig.signature != NULL
             && ctx->op.sig.signature->gettable_ctx_params != NULL)
@@ -618,6 +628,52 @@ const OSSL_PARAM *EVP_PKEY_CTX_settable_params(EVP_PKEY_CTX *ctx)
     return NULL;
 }
 
+/*
+ * Internal helpers for stricter EVP_PKEY_CTX_{set,get}_params().
+ *
+ * Return 1 on success, 0 or negative for errors.
+ *
+ * In particular they return -2 if any of the params is not supported.
+ *
+ * They are not available in FIPS_MODE as they depend on
+ *      - EVP_PKEY_CTX_{get,set}_params()
+ *      - EVP_PKEY_CTX_{gettable,settable}_params()
+ *
+ */
+int evp_pkey_ctx_set_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
+{
+    const OSSL_PARAM *p;
+
+    if (ctx == NULL || params == NULL)
+        return 0;
+
+    for (p = params; p->key != NULL; p++) {
+        /* Check the ctx actually understands this parameter */
+        if (OSSL_PARAM_locate_const(EVP_PKEY_CTX_settable_params(ctx),
+                                    p->key) == NULL )
+            return -2;
+    }
+
+    return EVP_PKEY_CTX_set_params(ctx, params);
+}
+
+int evp_pkey_ctx_get_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
+{
+    const OSSL_PARAM *p;
+
+    if (ctx == NULL || params == NULL)
+        return 0;
+
+    for (p = params; p->key != NULL; p++ ) {
+        /* Check the ctx actually understands this parameter */
+        if (OSSL_PARAM_locate_const(EVP_PKEY_CTX_gettable_params(ctx),
+                                    p->key) == NULL )
+            return -2;
+    }
+
+    return EVP_PKEY_CTX_get_params(ctx, params);
+}
+
 # ifndef OPENSSL_NO_DH
 int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad)
 {
@@ -713,42 +769,81 @@ int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
 static int legacy_ctrl_to_param(EVP_PKEY_CTX *ctx, int keytype, int optype,
                                 int cmd, int p1, void *p2)
 {
-    switch (cmd) {
 # ifndef OPENSSL_NO_DH
-    case EVP_PKEY_CTRL_DH_PAD:
-        return EVP_PKEY_CTX_set_dh_pad(ctx, p1);
+    if (keytype == EVP_PKEY_DH) {
+        switch (cmd) {
+            case EVP_PKEY_CTRL_DH_PAD:
+                return EVP_PKEY_CTX_set_dh_pad(ctx, p1);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_EC
+    if (keytype == EVP_PKEY_EC) {
+        switch (cmd) {
+            case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
+                if (p1 == -2) {
+                    return EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx);
+                } else if (p1 < -1 || p1 > 1) {
+                    /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+                    return -2;
+                } else {
+                    return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, p1);
+                }
+            case EVP_PKEY_CTRL_EC_KDF_TYPE:
+                if (p1 == -2) {
+                    return EVP_PKEY_CTX_get_ecdh_kdf_type(ctx);
+                } else {
+                    return EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, p1);
+                }
+            case EVP_PKEY_CTRL_GET_EC_KDF_MD:
+                return EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, p2);
+            case EVP_PKEY_CTRL_EC_KDF_MD:
+                return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, p2);
+            case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
+                return EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, p2);
+            case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
+                return EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, p1);
+            case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
+                return EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p2);
+            case EVP_PKEY_CTRL_EC_KDF_UKM:
+                return EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p2, p1);
+        }
+    }
 # endif
-    case EVP_PKEY_CTRL_MD:
-        return EVP_PKEY_CTX_set_signature_md(ctx, p2);
-    case EVP_PKEY_CTRL_GET_MD:
-        return EVP_PKEY_CTX_get_signature_md(ctx, p2);
-    case EVP_PKEY_CTRL_RSA_PADDING:
-        return EVP_PKEY_CTX_set_rsa_padding(ctx, p1);
-    case EVP_PKEY_CTRL_GET_RSA_PADDING:
-        return EVP_PKEY_CTX_get_rsa_padding(ctx, p2);
-    case EVP_PKEY_CTRL_RSA_OAEP_MD:
-        return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2);
-    case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
-        return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2);
-    case EVP_PKEY_CTRL_RSA_MGF1_MD:
-        return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2);
-    case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
-        return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2);
-    case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
-        return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1);
-    case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
-        return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2);
-    case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
-    case EVP_PKEY_CTRL_PKCS7_DECRYPT:
+    if (keytype == -1) {
+        switch (cmd) {
+            case EVP_PKEY_CTRL_MD:
+                return EVP_PKEY_CTX_set_signature_md(ctx, p2);
+            case EVP_PKEY_CTRL_GET_MD:
+                return EVP_PKEY_CTX_get_signature_md(ctx, p2);
+            case EVP_PKEY_CTRL_RSA_PADDING:
+                return EVP_PKEY_CTX_set_rsa_padding(ctx, p1);
+            case EVP_PKEY_CTRL_GET_RSA_PADDING:
+                return EVP_PKEY_CTX_get_rsa_padding(ctx, p2);
+            case EVP_PKEY_CTRL_RSA_OAEP_MD:
+                return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2);
+            case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
+                return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2);
+            case EVP_PKEY_CTRL_RSA_MGF1_MD:
+                return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, p2);
+            case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
+                return EVP_PKEY_CTX_get_rsa_oaep_md(ctx, p2);
+            case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
+                return EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, p2, p1);
+            case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
+                return EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, (unsigned char **)p2);
+            case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
+            case EVP_PKEY_CTRL_PKCS7_DECRYPT:
 # ifndef OPENSSL_NO_CMS
-    case EVP_PKEY_CTRL_CMS_DECRYPT:
-    case EVP_PKEY_CTRL_CMS_ENCRYPT:
+            case EVP_PKEY_CTRL_CMS_DECRYPT:
+            case EVP_PKEY_CTRL_CMS_ENCRYPT:
 # endif
-        if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
-            return 1;
-        ERR_raise(ERR_LIB_EVP,
-                  EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
-        return -2;
+                if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
+                    return 1;
+                ERR_raise(ERR_LIB_EVP,
+                          EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+                return -2;
+        }
     }
     return 0;
 }
@@ -821,6 +916,12 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name,
     else if (strcmp(name, "dh_pad") == 0)
         name = OSSL_EXCHANGE_PARAM_PAD;
 # endif
+# ifndef OPENSSL_NO_EC
+    else if (strcmp(name, "ecdh_cofactor_mode") == 0)
+        name = OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE;
+    else if (strcmp(name, "ecdh_kdf_md") == 0)
+        name = OSSL_EXCHANGE_PARAM_KDF_TYPE;
+# endif
 
     {
         /*
index 65889ae..0f5e86b 100644 (file)
@@ -594,6 +594,9 @@ void evp_keymgmt_freedata(const EVP_KEYMGMT *keymgmt, void *keyddata);
 int evp_keymgmt_get_params(const EVP_KEYMGMT *keymgmt,
                            void *keydata, OSSL_PARAM params[]);
 const OSSL_PARAM *evp_keymgmt_gettable_params(const EVP_KEYMGMT *keymgmt);
+int evp_keymgmt_set_params(const EVP_KEYMGMT *keymgmt,
+                           void *keydata, const OSSL_PARAM params[]);
+const OSSL_PARAM *evp_keymgmt_settable_params(const EVP_KEYMGMT *keymgmt);
 
 
 int evp_keymgmt_has(const EVP_KEYMGMT *keymgmt, void *keyddata, int selection);
@@ -627,3 +630,19 @@ void evp_encode_ctx_set_flags(EVP_ENCODE_CTX *ctx, unsigned int flags);
 const EVP_CIPHER *evp_get_cipherbyname_ex(OPENSSL_CTX *libctx, const char *name);
 const EVP_MD *evp_get_digestbyname_ex(OPENSSL_CTX *libctx, const char *name);
 
+#ifndef FIPS_MODE
+/*
+ * Internal helpers for stricter EVP_PKEY_CTX_{set,get}_params().
+ *
+ * Return 1 on success, 0 or negative for errors.
+ *
+ * In particular they return -2 if any of the params is not supported.
+ *
+ * They are not available in FIPS_MODE as they depend on
+ *      - EVP_PKEY_CTX_{get,set}_params()
+ *      - EVP_PKEY_CTX_{gettable,settable}_params()
+ *
+ */
+int evp_pkey_ctx_set_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params);
+int evp_pkey_ctx_get_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params);
+#endif /* !defined(FIPS_MODE) */
index 84fbcf3..b2befd8 100644 (file)
@@ -179,6 +179,14 @@ extern "C" {
 #define OSSL_PKEY_PARAM_FFC_G        "g"
 #define OSSL_PKEY_PARAM_FFC_Q        "q"
 
+/* Elliptic Curve Domain Parameters */
+#define OSSL_PKEY_PARAM_EC_NAME      "curve-name"
+
+/* Elliptic Curve Key Parameters */
+#define OSSL_PKEY_PARAM_USE_COFACTOR_FLAG "use-cofactor-flag"
+#define OSSL_PKEY_PARAM_USE_COFACTOR_ECDH \
+    OSSL_PKEY_PARAM_USE_COFACTOR_FLAG
+
 /* RSA Keys */
 /*
  * n, e, d are the usual public and private key components
@@ -202,7 +210,27 @@ extern "C" {
 
 /* Key Exchange parameters */
 
-#define OSSL_EXCHANGE_PARAM_PAD      "pad" /* uint */
+#define OSSL_EXCHANGE_PARAM_PAD                   "pad" /* uint */
+#define OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE "ecdh-cofactor-mode" /* int */
+#define OSSL_EXCHANGE_PARAM_KDF_TYPE              "kdf-type" /* utf8_string */
+#define OSSL_EXCHANGE_PARAM_KDF_DIGEST            "kdf-digest" /* utf8_string */
+#define OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS      "kdf-digest-props" /* utf8_string */
+#define OSSL_EXCHANGE_PARAM_KDF_OUTLEN            "kdf-outlen" /* size_t */
+
+/*
+ * TODO(3.0): improve this pattern
+ *
+ * Currently the sole internal user of OSSL_EXCHANGE_PARAM_KDF_UKM is
+ * EVP_PKEY_CTX_{set0,get0}_ecdh_kdf_ukm():
+ *      OSSL_EXCHANGE_PARAM_KDF_UKM is handled as a octet_string on set0,
+ *      and as an octet_ptr on get0.
+ *
+ * This pattern is borrowed from the handling of
+ * OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL in
+ * EVP_PKEY_CTX_{set0,get0}_rsa_oaep_label().
+ */
+#define OSSL_EXCHANGE_PARAM_KDF_UKM               "kdf-ukm" /* see note above */
+#define OSSL_EXCHANGE_PARAM_KDF_UKM_LEN           "kdf-ukm-len" /* size_t */
 
 /* Signature parameters */
 #define OSSL_SIGNATURE_PARAM_ALGORITHM_ID       "algorithm-id"
index 547aeb5..3fd462a 100644 (file)
@@ -393,6 +393,12 @@ OSSL_CORE_MAKE_FUNC(int, OP_keymgmt_get_params,
                     (void *keydata, OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, OP_keymgmt_gettable_params, (void))
 
+#define OSSL_FUNC_KEYMGMT_SET_PARAMS                  12
+#define OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS             13
+OSSL_CORE_MAKE_FUNC(int, OP_keymgmt_set_params,
+                    (void *keydata, const OSSL_PARAM params[]))
+OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, OP_keymgmt_settable_params, (void))
+
 /* Key checks - discovery of supported operations */
 # define OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME       20
 OSSL_CORE_MAKE_FUNC(const char *, OP_keymgmt_query_operation_name,
@@ -431,6 +437,8 @@ OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, OP_keymgmt_export_types,
 # define OSSL_FUNC_KEYEXCH_DUPCTX                      6
 # define OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS              7
 # define OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS         8
+# define OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS              9
+# define OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS        10
 
 OSSL_CORE_MAKE_FUNC(void *, OP_keyexch_newctx, (void *provctx))
 OSSL_CORE_MAKE_FUNC(int, OP_keyexch_init, (void *ctx, void *provkey))
@@ -443,6 +451,10 @@ OSSL_CORE_MAKE_FUNC(int, OP_keyexch_set_ctx_params, (void *ctx,
                                                      const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, OP_keyexch_settable_ctx_params,
                     (void))
+OSSL_CORE_MAKE_FUNC(int, OP_keyexch_get_ctx_params, (void *ctx,
+                                                     OSSL_PARAM params[]))
+OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, OP_keyexch_gettable_ctx_params,
+                    (void))
 
 /* Signature */
 
index 0cca244..c5d5fc0 100644 (file)
@@ -1460,55 +1460,21 @@ DEPRECATEDIN_3_0(void EC_KEY_METHOD_get_verify
                           EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, \
                           EVP_PKEY_CTRL_EC_PARAM_ENC, flag, NULL)
 
-#  define EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, flag) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_ECDH_COFACTOR, flag, NULL)
-
-#  define EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_ECDH_COFACTOR, -2, NULL)
-
-#  define EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, kdf) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_KDF_TYPE, kdf, NULL)
+int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode);
+int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx);
 
-#  define EVP_PKEY_CTX_get_ecdh_kdf_type(ctx) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_KDF_TYPE, -2, NULL)
+int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
+int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx);
 
-#  define EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_KDF_MD, 0, (void *)(md))
+int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
+int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
 
-#  define EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, pmd) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_GET_EC_KDF_MD, 0, (void *)(pmd))
+int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
+int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
 
-#  define EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, len) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_KDF_OUTLEN, len, NULL)
-
-#  define EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, plen) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, 0, (void *)(plen))
-
-#  define EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p, plen) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_EC_KDF_UKM, plen, (void *)(p))
-
-#  define EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
-                          EVP_PKEY_OP_DERIVE, \
-                          EVP_PKEY_CTRL_GET_EC_KDF_UKM, 0, (void *)(p))
+int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm,
+                                   int len);
+int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 
 /* SM2 will skip the operation check so no need to pass operation here */
 #  define EVP_PKEY_CTX_set1_id(ctx, id, id_len) \
index 6740a8e..3819c61 100644 (file)
@@ -373,6 +373,7 @@ static const OSSL_ALGORITHM deflt_keyexch[] = {
     { "DH:dhKeyAgreement", "default=yes", dh_keyexch_functions },
 #endif
 #ifndef OPENSSL_NO_EC
+    { "ECDH:id-ecPublicKey", "default=yes", ecdh_keyexch_functions },
     { "X25519", "default=yes", x25519_keyexch_functions },
     { "X448", "default=yes", x448_keyexch_functions },
 #endif
@@ -400,6 +401,7 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
 #endif
     { "RSA:rsaEncryption", "default=yes", rsa_keymgmt_functions },
 #ifndef OPENSSL_NO_EC
+    { "EC:id-ecPublicKey", "default=yes", ec_keymgmt_functions },
     { "X25519", "default=yes", x25519_keymgmt_functions },
     { "X448", "default=yes", x448_keymgmt_functions },
 #endif
index 51d32fc..82b688d 100644 (file)
@@ -3,6 +3,7 @@
 
 $DH_GOAL=../../libimplementations.a
 $ECX_GOAL=../../libimplementations.a
+$ECDH_GOAL=../../libimplementations.a
 
 IF[{- !$disabled{dh} -}]
   SOURCE[$DH_GOAL]=dh_exch.c
@@ -21,4 +22,5 @@ ENDIF
 IF[{- !$disabled{ec} -}]
   SOURCE[$ECX_GOAL]=ecx_exch.c
   DEFINE[$ECX_GOAL]=$ECDEF
+  SOURCE[$ECDH_GOAL]=ecdh_exch.c
 ENDIF
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
new file mode 100644 (file)
index 0000000..bf353fa
--- /dev/null
@@ -0,0 +1,533 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * ECDH low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
+#include <openssl/ec.h>
+#include <openssl/params.h>
+#include <openssl/err.h>
+#include "prov/provider_ctx.h"
+#include "prov/implementations.h"
+#include "crypto/ec.h" /* ecdh_KDF_X9_63() */
+
+static OSSL_OP_keyexch_newctx_fn ecdh_newctx;
+static OSSL_OP_keyexch_init_fn ecdh_init;
+static OSSL_OP_keyexch_set_peer_fn ecdh_set_peer;
+static OSSL_OP_keyexch_derive_fn ecdh_derive;
+static OSSL_OP_keyexch_freectx_fn ecdh_freectx;
+static OSSL_OP_keyexch_dupctx_fn ecdh_dupctx;
+static OSSL_OP_keyexch_set_ctx_params_fn ecdh_set_ctx_params;
+static OSSL_OP_keyexch_settable_ctx_params_fn ecdh_settable_ctx_params;
+static OSSL_OP_keyexch_get_ctx_params_fn ecdh_get_ctx_params;
+static OSSL_OP_keyexch_gettable_ctx_params_fn ecdh_gettable_ctx_params;
+
+enum kdf_type {
+    PROV_ECDH_KDF_NONE = 0,
+    PROV_ECDH_KDF_X9_63
+};
+
+/*
+ * What's passed as an actual key is defined by the KEYMGMT interface.
+ * We happen to know that our KEYMGMT simply passes EC_KEY structures, so
+ * we use that here too.
+ */
+
+typedef struct {
+    OPENSSL_CTX *libctx;
+
+    EC_KEY *k;
+    EC_KEY *peerk;
+
+    /*
+     * ECDH cofactor mode:
+     *
+     *  . 0  disabled
+     *  . 1  enabled
+     *  . -1 use cofactor mode set for k
+     */
+    int cofactor_mode;
+
+    /************
+     * ECDH KDF *
+     ************/
+    /* KDF (if any) to use for ECDH */
+    enum kdf_type kdf_type;
+    /* Message digest to use for key derivation */
+    EVP_MD *kdf_md;
+    /* User key material */
+    unsigned char *kdf_ukm;
+    size_t kdf_ukmlen;
+    /* KDF output length */
+    size_t kdf_outlen;
+} PROV_ECDH_CTX;
+
+static
+void *ecdh_newctx(void *provctx)
+{
+    PROV_ECDH_CTX *pectx = OPENSSL_zalloc(sizeof(*pectx));
+
+    if (pectx == NULL)
+        return NULL;
+
+    pectx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
+    pectx->cofactor_mode = -1;
+    pectx->kdf_type = PROV_ECDH_KDF_NONE;
+
+    return (void *)pectx;
+}
+
+static
+int ecdh_init(void *vpecdhctx, void *vecdh)
+{
+    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
+
+    if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
+        return 0;
+    EC_KEY_free(pecdhctx->k);
+    pecdhctx->k = vecdh;
+    pecdhctx->cofactor_mode = -1;
+    pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
+    return 1;
+}
+
+static
+int ecdh_set_peer(void *vpecdhctx, void *vecdh)
+{
+    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
+
+    if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
+        return 0;
+    EC_KEY_free(pecdhctx->peerk);
+    pecdhctx->peerk = vecdh;
+    return 1;
+}
+
+static
+void ecdh_freectx(void *vpecdhctx)
+{
+    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
+
+    EC_KEY_free(pecdhctx->k);
+    EC_KEY_free(pecdhctx->peerk);
+
+    EVP_MD_free(pecdhctx->kdf_md);
+    OPENSSL_clear_free(pecdhctx->kdf_ukm, pecdhctx->kdf_ukmlen);
+
+    OPENSSL_free(pecdhctx);
+}
+
+static
+void *ecdh_dupctx(void *vpecdhctx)
+{
+    PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx;
+    PROV_ECDH_CTX *dstctx;
+
+    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
+    if (dstctx == NULL)
+        return NULL;
+
+    *dstctx = *srcctx;
+
+    /* clear all pointers */
+
+    dstctx->k= NULL;
+    dstctx->peerk = NULL;
+    dstctx->kdf_md = NULL;
+    dstctx->kdf_ukm = NULL;
+
+    /* up-ref all ref-counted objects referenced in dstctx */
+
+    if (srcctx->k != NULL && !EC_KEY_up_ref(srcctx->k))
+        goto err;
+    else
+        dstctx->k = srcctx->k;
+
+    if (srcctx->peerk != NULL && !EC_KEY_up_ref(srcctx->peerk))
+        goto err;
+    else
+        dstctx->peerk = srcctx->peerk;
+
+    if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
+        goto err;
+    else
+        dstctx->kdf_md = srcctx->kdf_md;
+
+    /* Duplicate UKM data if present */
+    if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
+        dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
+                                         srcctx->kdf_ukmlen);
+        if (dstctx->kdf_ukm == NULL)
+            goto err;
+    }
+
+    return dstctx;
+
+ err:
+    ecdh_freectx(dstctx);
+    return NULL;
+}
+
+static
+int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
+{
+    char name[80] = { '\0' }; /* should be big enough */
+    char *str = NULL;
+    PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
+    const OSSL_PARAM *p;
+
+    if (pectx == NULL || params == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
+    if (p != NULL) {
+        int mode;
+
+        if (!OSSL_PARAM_get_int(p, &mode))
+            return 0;
+
+        if (mode < -1 || mode > 1)
+            return 0;
+
+        pectx->cofactor_mode = mode;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
+    if (p != NULL) {
+        str = name;
+        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
+            return 0;
+
+        if (name[0] == '\0')
+            pectx->kdf_type = PROV_ECDH_KDF_NONE;
+        else if (strcmp(name, OSSL_KDF_NAME_X963KDF) == 0)
+            pectx->kdf_type = PROV_ECDH_KDF_X9_63;
+        else
+            return 0;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
+    if (p != NULL) {
+        char mdprops[80] = { '\0' }; /* should be big enough */
+
+        str = name;
+        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
+            return 0;
+
+        str = mdprops;
+        p = OSSL_PARAM_locate_const(params,
+                                    OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);
+
+        if (p != NULL) {
+            if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
+                return 0;
+        }
+
+        EVP_MD_free(pectx->kdf_md);
+        pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
+
+        if (pectx->kdf_md == NULL)
+            return 0;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
+    if (p != NULL) {
+        size_t outlen;
+
+        if (!OSSL_PARAM_get_size_t(p, &outlen))
+            return 0;
+        pectx->kdf_outlen = outlen;
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
+    if (p != NULL) {
+        void *tmp_ukm = NULL;
+        size_t tmp_ukmlen;
+
+        if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
+            return 0;
+        OPENSSL_free(pectx->kdf_ukm);
+        pectx->kdf_ukm = tmp_ukm;
+        pectx->kdf_ukmlen = tmp_ukmlen;
+    }
+
+    return 1;
+}
+
+static const OSSL_PARAM known_settable_ctx_params[] = {
+    OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
+    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
+    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
+    OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static
+const OSSL_PARAM *ecdh_settable_ctx_params(void)
+{
+    return known_settable_ctx_params;
+}
+
+static
+int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[])
+{
+    PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
+    OSSL_PARAM *p;
+
+    if (pectx == NULL || params == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
+    if (p != NULL) {
+        int mode = pectx->cofactor_mode;
+
+        if (mode == -1) {
+            /* check what is the default for pecdhctx->k */
+            mode = EC_KEY_get_flags(pectx->k) & EC_FLAG_COFACTOR_ECDH ? 1 : 0;
+        }
+
+        if (!OSSL_PARAM_set_int(p, mode))
+            return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
+    if (p != NULL) {
+        const char *kdf_type = NULL;
+
+        switch (pectx->kdf_type) {
+            case PROV_ECDH_KDF_NONE:
+                kdf_type = "";
+                break;
+            case PROV_ECDH_KDF_X9_63:
+                kdf_type = OSSL_KDF_NAME_X963KDF;
+                break;
+            default:
+                return 0;
+        }
+
+        if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
+            return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
+    if (p != NULL
+            && !OSSL_PARAM_set_utf8_string(p, pectx->kdf_md == NULL
+                                           ? ""
+                                           : EVP_MD_name(pectx->kdf_md))){
+        return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_outlen))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
+    if (p != NULL && !OSSL_PARAM_set_octet_ptr(p, pectx->kdf_ukm, 0))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM_LEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, pectx->kdf_ukmlen))
+        return 0;
+
+    return 1;
+}
+
+static const OSSL_PARAM known_gettable_ctx_params[] = {
+    OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, NULL),
+    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
+    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
+    OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
+                    NULL, 0),
+    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_UKM_LEN, NULL),
+    OSSL_PARAM_END
+};
+
+static
+const OSSL_PARAM *ecdh_gettable_ctx_params(void)
+{
+    return known_gettable_ctx_params;
+}
+
+static ossl_inline
+size_t ecdh_size(const EC_KEY *k)
+{
+    size_t degree = 0;
+    const EC_GROUP *group;
+
+    if (k == NULL
+            || (group = EC_KEY_get0_group(k)) == NULL)
+        return 0;
+
+    degree = EC_GROUP_get_degree(group);
+
+    return (degree + 7) / 8;
+}
+
+static ossl_inline
+int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
+                      size_t *psecretlen, size_t outlen)
+{
+    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
+    int retlen, ret = 0;
+    size_t ecdhsize, size;
+    const EC_POINT *ppubkey = NULL;
+    EC_KEY *privk = NULL;
+    const EC_GROUP *group;
+    const BIGNUM *cofactor;
+    int key_cofactor_mode;
+
+    if (pecdhctx->k == NULL || pecdhctx->peerk == NULL) {
+        ERR_raise(ERR_LIB_PROV, EC_R_KEYS_NOT_SET);
+        return 0;
+    }
+
+    ecdhsize = ecdh_size(pecdhctx->k);
+    if (secret == NULL) {
+        *psecretlen = ecdhsize;
+        return 1;
+    }
+
+    if ((group = EC_KEY_get0_group(pecdhctx->k)) == NULL
+            || (cofactor = EC_GROUP_get0_cofactor(group)) == NULL )
+        return 0;
+
+    /*
+     * NB: unlike PKCS#3 DH, if outlen is less than maximum size this is not
+     * an error, the result is truncated.
+     */
+    size = outlen < ecdhsize ? outlen : ecdhsize;
+
+    /*
+     * The ctx->cofactor_mode flag has precedence over the
+     * cofactor_mode flag set on ctx->k.
+     *
+     * - if ctx->cofactor_mode == -1, use ctx->k directly
+     * - if ctx->cofactor_mode == key_cofactor_mode, use ctx->k directly
+     * - if ctx->cofactor_mode != key_cofactor_mode:
+     *     - if ctx->k->cofactor == 1, the cofactor_mode flag is irrelevant, use
+     *          ctx->k directly
+     *     - if ctx->k->cofactor != 1, use a duplicate of ctx->k with the flag
+     *          set to ctx->cofactor_mode
+     */
+    key_cofactor_mode =
+        (EC_KEY_get_flags(pecdhctx->k) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
+    if (pecdhctx->cofactor_mode != -1
+            && pecdhctx->cofactor_mode != key_cofactor_mode
+            && !BN_is_one(cofactor)) {
+        if ((privk = EC_KEY_dup(pecdhctx->k)) == NULL)
+            return 0;
+
+        if (pecdhctx->cofactor_mode == 1)
+            EC_KEY_set_flags(privk, EC_FLAG_COFACTOR_ECDH);
+        else
+            EC_KEY_clear_flags(privk, EC_FLAG_COFACTOR_ECDH);
+    } else {
+        privk = pecdhctx->k;
+    }
+
+    ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
+
+    retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
+
+    if (retlen <= 0)
+        goto end;
+
+    *psecretlen = retlen;
+    ret = 1;
+
+ end:
+    if (privk != pecdhctx->k)
+        EC_KEY_free(privk);
+    return ret;
+}
+
+static ossl_inline
+int ecdh_X9_63_kdf_derive(void *vpecdhctx, unsigned char *secret,
+                          size_t *psecretlen, size_t outlen)
+{
+    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
+    unsigned char *stmp = NULL;
+    size_t stmplen;
+    int ret = 0;
+
+    if (secret == NULL) {
+        *psecretlen = pecdhctx->kdf_outlen;
+        return 1;
+    }
+
+    if (pecdhctx->kdf_outlen > outlen)
+        return 0;
+    if (!ecdh_plain_derive(vpecdhctx, NULL, &stmplen, 0))
+        return 0;
+    if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+    if (!ecdh_plain_derive(vpecdhctx, stmp, &stmplen, stmplen))
+        goto err;
+
+    /* Do KDF stuff */
+    if (!ecdh_KDF_X9_63(secret, pecdhctx->kdf_outlen,
+                        stmp, stmplen,
+                        pecdhctx->kdf_ukm,
+                        pecdhctx->kdf_ukmlen,
+                        pecdhctx->kdf_md))
+        goto err;
+    *psecretlen = pecdhctx->kdf_outlen;
+    ret = 1;
+
+ err:
+    OPENSSL_secure_clear_free(stmp, stmplen);
+    return ret;
+}
+
+static
+int ecdh_derive(void *vpecdhctx, unsigned char *secret,
+                size_t *psecretlen, size_t outlen)
+{
+    PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
+
+    switch (pecdhctx->kdf_type) {
+        case PROV_ECDH_KDF_NONE:
+            return ecdh_plain_derive(vpecdhctx, secret, psecretlen, outlen);
+        case PROV_ECDH_KDF_X9_63:
+            return ecdh_X9_63_kdf_derive(vpecdhctx, secret, psecretlen, outlen);
+    }
+
+    return 0;
+}
+
+
+
+const OSSL_DISPATCH ecdh_keyexch_functions[] = {
+    { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))ecdh_newctx },
+    { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))ecdh_init },
+    { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))ecdh_derive },
+    { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))ecdh_set_peer },
+    { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))ecdh_freectx },
+    { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))ecdh_dupctx },
+    { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))ecdh_set_ctx_params },
+    { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
+      (void (*)(void))ecdh_settable_ctx_params },
+    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))ecdh_get_ctx_params },
+    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
+      (void (*)(void))ecdh_gettable_ctx_params },
+    { 0, NULL }
+};
index f4e0dc9..ec0507d 100644 (file)
@@ -259,11 +259,13 @@ extern const OSSL_DISPATCH dsa_keymgmt_functions[];
 extern const OSSL_DISPATCH rsa_keymgmt_functions[];
 extern const OSSL_DISPATCH x25519_keymgmt_functions[];
 extern const OSSL_DISPATCH x448_keymgmt_functions[];
+extern const OSSL_DISPATCH ec_keymgmt_functions[];
 
 /* Key Exchange */
 extern const OSSL_DISPATCH dh_keyexch_functions[];
 extern const OSSL_DISPATCH x25519_keyexch_functions[];
 extern const OSSL_DISPATCH x448_keyexch_functions[];
+extern const OSSL_DISPATCH ecdh_keyexch_functions[];
 
 /* Signature */
 extern const OSSL_DISPATCH dsa_signature_functions[];
index 1e4146d..89d33e3 100644 (file)
@@ -3,6 +3,7 @@
 
 $DH_GOAL=../../libimplementations.a
 $DSA_GOAL=../../libimplementations.a
+$EC_GOAL=../../libimplementations.a
 $RSA_GOAL=../../libimplementations.a
 $ECX_GOAL=../../libimplementations.a
 
@@ -12,6 +13,9 @@ ENDIF
 IF[{- !$disabled{dsa} -}]
   SOURCE[$DSA_GOAL]=dsa_kmgmt.c
 ENDIF
+IF[{- !$disabled{ec} -}]
+  SOURCE[$EC_GOAL]=ec_kmgmt.c
+ENDIF
 SOURCE[$RSA_GOAL]=rsa_kmgmt.c
 IF[{- !$disabled{ec} -}]
   SOURCE[$ECX_GOAL]=ecx_kmgmt.c
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
new file mode 100644 (file)
index 0000000..8190747
--- /dev/null
@@ -0,0 +1,630 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * ECDH/ECDSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/objects.h>
+#include <openssl/params.h>
+#include "internal/param_build.h"
+#include "prov/implementations.h"
+#include "prov/providercommon.h"
+
+static OSSL_OP_keymgmt_new_fn ec_newdata;
+static OSSL_OP_keymgmt_free_fn ec_freedata;
+static OSSL_OP_keymgmt_get_params_fn ec_get_params;
+static OSSL_OP_keymgmt_gettable_params_fn ec_gettable_params;
+static OSSL_OP_keymgmt_set_params_fn ec_set_params;
+static OSSL_OP_keymgmt_settable_params_fn ec_settable_params;
+static OSSL_OP_keymgmt_has_fn ec_has;
+static OSSL_OP_keymgmt_import_fn ec_import;
+static OSSL_OP_keymgmt_import_types_fn ec_import_types;
+static OSSL_OP_keymgmt_export_fn ec_export;
+static OSSL_OP_keymgmt_export_types_fn ec_export_types;
+static OSSL_OP_keymgmt_query_operation_name_fn ec_query_operation_name;
+
+#define EC_POSSIBLE_SELECTIONS                 \
+    (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS )
+
+static
+const char *ec_query_operation_name(int operation_id)
+{
+    switch (operation_id) {
+    case OSSL_OP_KEYEXCH:
+        return "ECDH";
+#if 0
+    case OSSL_OP_SIGNATURE:
+        return deflt_signature;
+#endif
+    }
+    return NULL;
+}
+
+static ossl_inline
+int params_to_domparams(EC_KEY *ec, const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *param_ec_name;
+    EC_GROUP *ecg = NULL;
+    char *curve_name = NULL;
+    int ok = 0;
+
+    if (ec == NULL)
+        return 0;
+
+    param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME);
+    if (param_ec_name == NULL) {
+        /* explicit parameters */
+
+        /*
+         * TODO(3.0): should we support explicit parameters curves?
+         */
+        return 0;
+    } else {
+        /* named curve */
+        int curve_nid;
+
+        if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0)
+                || curve_name == NULL
+                || (curve_nid = OBJ_sn2nid(curve_name)) == NID_undef)
+            goto err;
+
+        if ((ecg = EC_GROUP_new_by_curve_name(curve_nid)) == NULL)
+            goto err;
+    }
+
+    if (!EC_KEY_set_group(ec, ecg))
+        goto err;
+
+    /*
+     * TODO(3.0): if the group has changed, should we invalidate the private and
+     * public key?
+     */
+
+    ok = 1;
+
+ err:
+    OPENSSL_free(curve_name);
+    EC_GROUP_free(ecg);
+    return ok;
+}
+
+static ossl_inline
+int domparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl)
+{
+    const EC_GROUP *ecg;
+    int curve_nid;
+
+    if (ec == NULL)
+        return 0;
+
+    ecg = EC_KEY_get0_group(ec);
+    if (ecg == NULL)
+        return 0;
+
+    curve_nid = EC_GROUP_get_curve_name(ecg);
+
+    if (curve_nid == NID_undef) {
+        /* explicit parameters */
+
+        /*
+         * TODO(3.0): should we support explicit parameters curves?
+         */
+        return 0;
+    } else {
+        /* named curve */
+        const char *curve_name = NULL;
+
+        if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL)
+            return 0;
+
+        if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0))
+            return 0;
+    }
+
+    return 1;
+}
+
+/*
+ * Callers of params_to_key MUST make sure that params_to_domparams has been
+ * called before!
+ *
+ * This function only imports the bare keypair, domain parameters and other
+ * parameters are imported separately, and domain parameters are required to
+ * define a keypair.
+ */
+static ossl_inline
+int params_to_key(EC_KEY *ec, const OSSL_PARAM params[], int include_private)
+{
+    const OSSL_PARAM *param_priv_key, *param_pub_key;
+    BIGNUM *priv_key = NULL;
+    unsigned char *pub_key = NULL;
+    size_t pub_key_len;
+    const EC_GROUP *ecg = NULL;
+    EC_POINT *pub_point = NULL;
+    int ok = 0;
+
+    ecg = EC_KEY_get0_group(ec);
+    if (ecg == NULL)
+        return 0;
+
+    param_priv_key =
+        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
+    param_pub_key =
+        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
+
+    /*
+     * We want to have at least a public key either way, so we end up
+     * requiring it unconditionally.
+     */
+    if (param_pub_key == NULL
+            || !OSSL_PARAM_get_octet_string(param_pub_key,
+                                            (void **)&pub_key, 0, &pub_key_len)
+            || (pub_point = EC_POINT_new(ecg)) == NULL
+            || !EC_POINT_oct2point(ecg, pub_point,
+                                   pub_key, pub_key_len, NULL))
+        goto err;
+
+    if (param_priv_key != NULL && include_private
+            && !OSSL_PARAM_get_BN(param_priv_key, &priv_key))
+        goto err;
+
+    if (priv_key != NULL
+            && !EC_KEY_set_private_key(ec, priv_key))
+        goto err;
+
+    if (!EC_KEY_set_public_key(ec, pub_point))
+        goto err;
+
+    ok = 1;
+
+ err:
+    BN_clear_free(priv_key);
+    OPENSSL_free(pub_key);
+    EC_POINT_free(pub_point);
+    return ok;
+}
+
+/*
+ * Callers of key_to_params MUST make sure that domparams_to_params is also
+ * called!
+ *
+ * This function only exports the bare keypair, domain parameters and other
+ * parameters are exported separately.
+ */
+static ossl_inline
+int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, int include_private)
+{
+    const BIGNUM *priv_key = NULL;
+    const EC_POINT *pub_point = NULL;
+    const EC_GROUP *ecg = NULL;
+    unsigned char *pub_key = NULL;
+    size_t pub_key_len = 0;
+    int ret = 0;
+
+    if (eckey == NULL)
+        return 0;
+
+    ecg = EC_KEY_get0_group(eckey);
+    priv_key = EC_KEY_get0_private_key(eckey);
+    pub_point = EC_KEY_get0_public_key(eckey);
+
+    /* group and public_key must be present, priv_key is optional */
+    if (ecg == NULL || pub_point == NULL)
+        return 0;
+    if ((pub_key_len = EC_POINT_point2buf(ecg, pub_point,
+                                          POINT_CONVERSION_COMPRESSED,
+                                          &pub_key, NULL)) == 0)
+        return 0;
+
+    if (!ossl_param_bld_push_octet_string(tmpl,
+                                          OSSL_PKEY_PARAM_PUB_KEY,
+                                          pub_key, pub_key_len))
+        goto err;
+
+    if (priv_key != NULL && include_private
+            && !ossl_param_bld_push_BN(tmpl,
+                                       OSSL_PKEY_PARAM_PRIV_KEY,
+                                       priv_key))
+        goto err;
+
+    ret = 1;
+
+ err:
+    OPENSSL_free(pub_key);
+    return ret;
+}
+
+static ossl_inline
+int ec_set_param_ecdh_cofactor_mode(EC_KEY *ec, const OSSL_PARAM *p)
+{
+    const EC_GROUP *ecg = EC_KEY_get0_group(ec);
+    const BIGNUM *cofactor;
+    int mode;
+
+    if (!OSSL_PARAM_get_int(p, &mode))
+        return 0;
+
+    /*
+     * mode can be only 0 for disable, or 1 for enable here.
+     *
+     * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
+     * also supports mode == -1 with the meaning of "reset to the default for
+     * the associated key".
+     */
+    if (mode < 0 || mode > 1)
+        return 0;
+
+    if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL )
+        return 0;
+
+    /* ECDH cofactor mode has no effect if cofactor is 1 */
+    if (BN_is_one(cofactor))
+        return 1;
+
+    if (mode == 1)
+        EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
+    else if (mode == 0)
+        EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH);
+
+    return 1;
+}
+
+static ossl_inline
+int params_to_otherparams(EC_KEY *ec, const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *p;
+
+    if (ec == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
+    if (p != NULL && !ec_set_param_ecdh_cofactor_mode(ec, p))
+        return 0;
+
+    return 1;
+}
+
+static ossl_inline
+int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl)
+{
+    int ecdh_cofactor_mode = 0;
+
+    if (ec == NULL)
+        return 0;
+
+    ecdh_cofactor_mode =
+        (EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
+    if (!ossl_param_bld_push_int(tmpl,
+                OSSL_PKEY_PARAM_USE_COFACTOR_ECDH,
+                ecdh_cofactor_mode))
+        return 0;
+
+    return 1;
+}
+
+static
+void *ec_newdata(void *provctx)
+{
+    return EC_KEY_new();
+}
+
+static
+void ec_freedata(void *keydata)
+{
+    EC_KEY_free(keydata);
+}
+
+static
+int ec_has(void *keydata, int selection)
+{
+    EC_KEY *ec = keydata;
+    int ok = 0;
+
+    if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
+        ok = 1;
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+        ok = ok && (EC_KEY_get0_public_key(ec) != NULL);
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
+        ok = ok && (EC_KEY_get0_private_key(ec) != NULL);
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
+        ok = ok && (EC_KEY_get0_group(ec) != NULL);
+    /*
+     * We consider OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS to always be available,
+     * so no extra check is needed other than the previous one against
+     * EC_POSSIBLE_SELECTIONS.
+     */
+
+    return ok;
+}
+
+static
+int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
+{
+    EC_KEY *ec = keydata;
+    int ok = 0;
+
+    if (ec == NULL)
+        return 0;
+
+    /*
+     * In this implementation, we can export/import only keydata in the
+     * following combinations:
+     *   - domain parameters only
+     *   - public key with associated domain parameters (+optional other params)
+     *   - private key with associated public key and domain parameters
+     *         (+optional other params)
+     *
+     * This means:
+     *   - domain parameters must always be requested
+     *   - private key must be requested alongside public key
+     *   - other parameters must be requested only alongside a key
+     */
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
+        return 0;
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
+            && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
+        return 0;
+    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
+            && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
+        return 0;
+
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
+        ok = ok && params_to_domparams(ec, params);
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        int include_private =
+            selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
+
+        ok = ok && params_to_key(ec, params, include_private);
+    }
+    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
+        ok = ok && params_to_otherparams(ec, params);
+
+    return ok;
+}
+
+static
+int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
+              void *cbarg)
+{
+    EC_KEY *ec = keydata;
+    OSSL_PARAM_BLD tmpl;
+    OSSL_PARAM *params = NULL;
+    int ok = 1;
+
+    if (ec == NULL)
+        return 0;
+
+    /*
+     * In this implementation, we can export/import only keydata in the
+     * following combinations:
+     *   - domain parameters only
+     *   - public key with associated domain parameters (+optional other params)
+     *   - private key with associated public key and domain parameters
+     *         (+optional other params)
+     *
+     * This means:
+     *   - domain parameters must always be requested
+     *   - private key must be requested alongside public key
+     *   - other parameters must be requested only alongside a key
+     */
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
+        return 0;
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
+            && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
+        return 0;
+    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
+            && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
+        return 0;
+
+    ossl_param_bld_init(&tmpl);
+
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
+        ok = ok && domparams_to_params(ec, &tmpl);
+    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        int include_private =
+            selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
+
+        ok = ok && key_to_params(ec, &tmpl, include_private);
+    }
+    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
+        ok = ok && otherparams_to_params(ec, &tmpl);
+
+    if (!ok
+        || (params = ossl_param_bld_to_param(&tmpl)) == NULL)
+        return 0;
+
+    ok = param_cb(params, cbarg);
+    ossl_param_bld_free(params);
+    return ok;
+}
+
+/* IMEXPORT = IMPORT + EXPORT */
+
+# define EC_IMEXPORTABLE_DOM_PARAMETERS                          \
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_NAME, NULL, 0)
+# define EC_IMEXPORTABLE_PUBLIC_KEY                              \
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
+# define EC_IMEXPORTABLE_PRIVATE_KEY                             \
+    OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
+# define EC_IMEXPORTABLE_OTHER_PARAMETERS                        \
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL)
+
+/*
+ * Include all the possible combinations of OSSL_PARAM arrays for
+ * ec_imexport_types().
+ *
+ * They are in a separate file as it is ~100 lines of unreadable and
+ * uninteresting machine generated stuff.
+ *
+ * TODO(3.0): the generated list looks quite ugly, as to cover all possible
+ * combinations of the bits in `selection`, it also includes combinations that
+ * are not really useful: we might want to consider alternatives to this
+ * solution.
+ */
+#include "ec_kmgmt_imexport.inc"
+
+static ossl_inline
+const OSSL_PARAM *ec_imexport_types(int selection)
+{
+    int type_select = 0;
+
+    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
+        type_select += 1;
+    if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+        type_select += 2;
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
+        type_select += 4;
+    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
+        type_select += 8;
+    return ec_types[type_select];
+}
+
+static
+const OSSL_PARAM *ec_import_types(int selection)
+{
+    return ec_imexport_types(selection);
+}
+
+static
+const OSSL_PARAM *ec_export_types(int selection)
+{
+    return ec_imexport_types(selection);
+}
+
+static
+int ec_get_params(void *key, OSSL_PARAM params[])
+{
+    EC_KEY *eck = key;
+    const EC_GROUP *ecg = NULL;
+    OSSL_PARAM *p;
+
+    ecg = EC_KEY_get0_group(eck);
+    if (ecg == NULL)
+        return 0;
+
+    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
+        && !OSSL_PARAM_set_int(p, ECDSA_size(eck)))
+        return 0;
+    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
+        && !OSSL_PARAM_set_int(p, EC_GROUP_order_bits(ecg)))
+        return 0;
+    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL) {
+        int ecbits, sec_bits;
+
+        ecbits = EC_GROUP_order_bits(ecg);
+
+        /*
+         * The following estimates are based on the values published
+         * in Table 2 of "NIST Special Publication 800-57 Part 1 Revision 4"
+         * at http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 .
+         *
+         * Note that the above reference explicitly categorizes algorithms in a
+         * discrete set of values {80, 112, 128, 192, 256}, and that it is
+         * relevant only for NIST approved Elliptic Curves, while OpenSSL
+         * applies the same logic also to other curves.
+         *
+         * Classifications produced by other standardazing bodies might differ,
+         * so the results provided for "bits of security" by this provider are
+         * to be considered merely indicative, and it is the users'
+         * responsibility to compare these values against the normative
+         * references that may be relevant for their intent and purposes.
+         */
+        if (ecbits >= 512)
+            sec_bits = 256;
+        else if (ecbits >= 384)
+            sec_bits = 192;
+        else if (ecbits >= 256)
+            sec_bits = 128;
+        else if (ecbits >= 224)
+            sec_bits = 112;
+        else if (ecbits >= 160)
+            sec_bits = 80;
+        else
+            sec_bits = ecbits / 2;
+
+        if (!OSSL_PARAM_set_int(p, sec_bits))
+            return 0;
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
+    if (p != NULL) {
+        int ecdh_cofactor_mode = 0;
+
+        ecdh_cofactor_mode =
+            (EC_KEY_get_flags(eck) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
+
+        if (!OSSL_PARAM_set_int(p, ecdh_cofactor_mode))
+            return 0;
+    }
+
+    return 1;
+}
+
+static const OSSL_PARAM ec_known_gettable_params[] = {
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
+    OSSL_PARAM_END
+};
+
+static
+const OSSL_PARAM *ec_gettable_params(void)
+{
+    return ec_known_gettable_params;
+}
+
+static const OSSL_PARAM ec_known_settable_params[] = {
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
+    OSSL_PARAM_END
+};
+
+static
+const OSSL_PARAM *ec_settable_params(void)
+{
+    return ec_known_settable_params;
+}
+
+static
+int ec_set_params(void *key, const OSSL_PARAM params[])
+{
+    EC_KEY *eck = key;
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
+    if (p != NULL && !ec_set_param_ecdh_cofactor_mode(eck, p))
+        return 0;
+
+    return 1;
+}
+
+const OSSL_DISPATCH ec_keymgmt_functions[] = {
+    { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata },
+    { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ec_freedata },
+    { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))ec_get_params },
+    { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))ec_gettable_params },
+    { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))ec_set_params },
+    { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))ec_settable_params },
+    { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))ec_has },
+    { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_import },
+    { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))ec_import_types },
+    { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))ec_export },
+    { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))ec_export_types },
+    { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME,
+        (void (*)(void))ec_query_operation_name },
+    { 0, NULL }
+};
diff --git a/providers/implementations/keymgmt/ec_kmgmt_imexport.inc b/providers/implementations/keymgmt/ec_kmgmt_imexport.inc
new file mode 100644 (file)
index 0000000..58eb09a
--- /dev/null
@@ -0,0 +1,100 @@
+/*
+ * This file is meant to be included from ec_kmgmt.c
+ */
+
+static const OSSL_PARAM ec_private_key_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_public_key_types[] = {
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_key_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_dom_parameters_types[] = {
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_5_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_6_types[] = {
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_key_domp_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_other_parameters_types[] = {
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_9_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_10_types[] = {
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_11_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_all_parameters_types[] = {
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_13_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_14_types[] = {
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM ec_all_types[] = {
+    EC_IMEXPORTABLE_PRIVATE_KEY,
+    EC_IMEXPORTABLE_PUBLIC_KEY,
+    EC_IMEXPORTABLE_DOM_PARAMETERS,
+    EC_IMEXPORTABLE_OTHER_PARAMETERS,
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *ec_types[] = {
+    NULL,
+    ec_private_key_types,
+    ec_public_key_types,
+    ec_key_types,
+    ec_dom_parameters_types,
+    ec_5_types,
+    ec_6_types,
+    ec_key_domp_types,
+    ec_other_parameters_types,
+    ec_9_types,
+    ec_10_types,
+    ec_11_types,
+    ec_all_parameters_types,
+    ec_13_types,
+    ec_14_types,
+    ec_all_types
+};
index 9029688..50f1f1f 100644 (file)
@@ -4935,3 +4935,13 @@ X509_STORE_get1_all_certs               ?        3_0_0   EXIST::FUNCTION:
 OSSL_CMP_validate_msg                   ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_validate_cert_path             ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_print_to_bio                   ?      3_0_0   EXIST::FUNCTION:CMP
+EVP_PKEY_CTX_set_ecdh_cofactor_mode     ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_get_ecdh_cofactor_mode     ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_set_ecdh_kdf_type          ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_get_ecdh_kdf_type          ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_set_ecdh_kdf_md            ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_get_ecdh_kdf_md            ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_set_ecdh_kdf_outlen        ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_get_ecdh_kdf_outlen        ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_set0_ecdh_kdf_ukm          ?      3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_CTX_get0_ecdh_kdf_ukm          ?      3_0_0   EXIST::FUNCTION:EC