2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/x509.h>
13 #include <openssl/ec.h>
14 #include <openssl/rand.h>
15 #include "internal/asn1_int.h"
16 #include "internal/evp_int.h"
19 #define X25519_KEYLEN 32
20 #define X25519_BITS 253
21 #define X25519_SECURITY_BITS 128
23 #define ED25519_SIGSIZE 64
26 unsigned char pubkey[X25519_KEYLEN];
27 unsigned char *privkey;
36 /* Setup EVP_PKEY using public, private or generation */
37 static int ecx_key_op(EVP_PKEY *pkey, const X509_ALGOR *palg,
38 const unsigned char *p, int plen, ecx_key_op_t op)
42 if (op != X25519_KEYGEN) {
46 /* Algorithm parameters must be absent */
47 X509_ALGOR_get0(NULL, &ptype, NULL, palg);
48 if (ptype != V_ASN1_UNDEF) {
49 ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING);
54 if (p == NULL || plen != X25519_KEYLEN) {
55 ECerr(EC_F_ECX_KEY_OP, EC_R_INVALID_ENCODING);
60 xkey = OPENSSL_zalloc(sizeof(*xkey));
62 ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
66 if (op == X25519_PUBLIC) {
67 memcpy(xkey->pubkey, p, plen);
69 xkey->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
70 if (xkey->privkey == NULL) {
71 ECerr(EC_F_ECX_KEY_OP, ERR_R_MALLOC_FAILURE);
75 if (op == X25519_KEYGEN) {
76 if (RAND_bytes(xkey->privkey, X25519_KEYLEN) <= 0) {
77 OPENSSL_secure_free(xkey->privkey);
81 if (pkey->ameth->pkey_id == NID_X25519) {
82 xkey->privkey[0] &= 248;
83 xkey->privkey[31] &= 127;
84 xkey->privkey[31] |= 64;
87 memcpy(xkey->privkey, p, X25519_KEYLEN);
89 if (pkey->ameth->pkey_id == NID_X25519)
90 X25519_public_from_private(xkey->pubkey, xkey->privkey);
92 ED25519_public_from_private(xkey->pubkey, xkey->privkey);
95 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, xkey);
99 static int ecx_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
101 const X25519_KEY *xkey = pkey->pkey.ptr;
105 ECerr(EC_F_ECX_PUB_ENCODE, EC_R_INVALID_KEY);
109 penc = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN);
111 ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
115 if (!X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
116 V_ASN1_UNDEF, NULL, penc, X25519_KEYLEN)) {
118 ECerr(EC_F_ECX_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
124 static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
126 const unsigned char *p;
130 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
132 return ecx_key_op(pkey, palg, p, pklen, X25519_PUBLIC);
135 static int ecx_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
137 const X25519_KEY *akey = a->pkey.ptr;
138 const X25519_KEY *bkey = b->pkey.ptr;
140 if (akey == NULL || bkey == NULL)
142 return !CRYPTO_memcmp(akey->pubkey, bkey->pubkey, X25519_KEYLEN);
145 static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
147 const unsigned char *p;
149 ASN1_OCTET_STRING *oct = NULL;
150 const X509_ALGOR *palg;
153 if (!PKCS8_pkey_get0(NULL, &p, &plen, &palg, p8))
156 oct = d2i_ASN1_OCTET_STRING(NULL, &p, plen);
161 p = ASN1_STRING_get0_data(oct);
162 plen = ASN1_STRING_length(oct);
165 rv = ecx_key_op(pkey, palg, p, plen, X25519_PRIVATE);
166 ASN1_OCTET_STRING_free(oct);
170 static int ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
172 const X25519_KEY *xkey = pkey->pkey.ptr;
173 ASN1_OCTET_STRING oct;
174 unsigned char *penc = NULL;
177 if (xkey == NULL || xkey->privkey == NULL) {
178 ECerr(EC_F_ECX_PRIV_ENCODE, EC_R_INVALID_PRIVATE_KEY);
182 oct.data = xkey->privkey;
183 oct.length = X25519_KEYLEN;
186 penclen = i2d_ASN1_OCTET_STRING(&oct, &penc);
188 ECerr(EC_F_ECX_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
192 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
193 V_ASN1_UNDEF, NULL, penc, penclen)) {
194 OPENSSL_clear_free(penc, penclen);
195 ECerr(EC_F_ECX_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
202 static int ecx_size(const EVP_PKEY *pkey)
204 return X25519_KEYLEN;
207 static int ecx_bits(const EVP_PKEY *pkey)
212 static int ecx_security_bits(const EVP_PKEY *pkey)
214 return X25519_SECURITY_BITS;
217 static void ecx_free(EVP_PKEY *pkey)
219 X25519_KEY *xkey = pkey->pkey.ptr;
222 OPENSSL_secure_free(xkey->privkey);
226 /* "parameters" are always equal */
227 static int ecx_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
232 static int ecx_key_print(BIO *bp, const EVP_PKEY *pkey, int indent,
233 ASN1_PCTX *ctx, ecx_key_op_t op)
235 const X25519_KEY *xkey = pkey->pkey.ptr;
237 const char *nm = OBJ_nid2ln(pkey->ameth->pkey_id);
239 if (op == X25519_PRIVATE) {
240 if (xkey == NULL || xkey->privkey == NULL) {
241 if (BIO_printf(bp, "%*s<INVALID PRIVATE KEY>\n", indent, "") <= 0)
245 if (BIO_printf(bp, "%*s%s Private-Key:\n", indent, "", nm) <= 0)
247 if (BIO_printf(bp, "%*spriv:\n", indent, "") <= 0)
249 if (ASN1_buf_print(bp, xkey->privkey, X25519_KEYLEN, indent + 4) == 0)
253 if (BIO_printf(bp, "%*s<INVALID PUBLIC KEY>\n", indent, "") <= 0)
257 if (BIO_printf(bp, "%*s%s Public-Key:\n", indent, "", nm) <= 0)
260 if (BIO_printf(bp, "%*spub:\n", indent, "") <= 0)
262 if (ASN1_buf_print(bp, xkey->pubkey, X25519_KEYLEN, indent + 4) == 0)
267 static int ecx_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
270 return ecx_key_print(bp, pkey, indent, ctx, X25519_PRIVATE);
273 static int ecx_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
276 return ecx_key_print(bp, pkey, indent, ctx, X25519_PUBLIC);
279 static int ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
283 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
284 return ecx_key_op(pkey, NULL, arg2, arg1, X25519_PUBLIC);
286 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
287 if (pkey->pkey.ptr != NULL) {
288 const X25519_KEY *xkey = pkey->pkey.ptr;
289 unsigned char **ppt = arg2;
290 *ppt = OPENSSL_memdup(xkey->pubkey, X25519_KEYLEN);
292 return X25519_KEYLEN;
296 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
297 *(int *)arg2 = NID_sha256;
306 const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth = {
311 "OpenSSL X25519 algorithm",
336 static int ecd_size(const EVP_PKEY *pkey)
338 return ED25519_SIGSIZE;
341 const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
346 "OpenSSL ED25519 algorithm",
371 static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
373 return ecx_key_op(pkey, NULL, NULL, 0, X25519_KEYGEN);
376 static int pkey_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
379 const X25519_KEY *pkey, *peerkey;
381 if (ctx->pkey == NULL || ctx->peerkey == NULL) {
382 ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_KEYS_NOT_SET);
385 pkey = ctx->pkey->pkey.ptr;
386 peerkey = ctx->peerkey->pkey.ptr;
387 if (pkey == NULL || pkey->privkey == NULL) {
388 ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PRIVATE_KEY);
391 if (peerkey == NULL) {
392 ECerr(EC_F_PKEY_ECX_DERIVE, EC_R_INVALID_PEER_KEY);
395 *keylen = X25519_KEYLEN;
396 if (key != NULL && X25519(key, pkey->privkey, peerkey->pubkey) == 0)
401 static int pkey_ecx_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
403 /* Only need to handle peer key for derivation */
404 if (type == EVP_PKEY_CTRL_PEER_KEY)
409 const EVP_PKEY_METHOD ecx25519_pkey_meth = {
413 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,