2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * ECDH/ECDSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include <openssl/core_numbers.h>
17 #include <openssl/core_names.h>
18 #include <openssl/bn.h>
19 #include <openssl/ec.h>
20 #include <openssl/objects.h>
21 #include <openssl/params.h>
22 #include "crypto/bn.h"
23 #include "internal/param_build.h"
24 #include "prov/implementations.h"
25 #include "prov/providercommon.h"
27 static OSSL_OP_keymgmt_new_fn ec_newdata;
28 static OSSL_OP_keymgmt_free_fn ec_freedata;
29 static OSSL_OP_keymgmt_get_params_fn ec_get_params;
30 static OSSL_OP_keymgmt_gettable_params_fn ec_gettable_params;
31 static OSSL_OP_keymgmt_set_params_fn ec_set_params;
32 static OSSL_OP_keymgmt_settable_params_fn ec_settable_params;
33 static OSSL_OP_keymgmt_has_fn ec_has;
34 static OSSL_OP_keymgmt_import_fn ec_import;
35 static OSSL_OP_keymgmt_import_types_fn ec_import_types;
36 static OSSL_OP_keymgmt_export_fn ec_export;
37 static OSSL_OP_keymgmt_export_types_fn ec_export_types;
38 static OSSL_OP_keymgmt_query_operation_name_fn ec_query_operation_name;
40 #define EC_POSSIBLE_SELECTIONS \
41 (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS )
44 const char *ec_query_operation_name(int operation_id)
46 switch (operation_id) {
50 case OSSL_OP_SIGNATURE:
51 return deflt_signature;
58 int params_to_domparams(EC_KEY *ec, const OSSL_PARAM params[])
60 const OSSL_PARAM *param_ec_name;
62 char *curve_name = NULL;
68 param_ec_name = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_NAME);
69 if (param_ec_name == NULL) {
70 /* explicit parameters */
73 * TODO(3.0): should we support explicit parameters curves?
80 if (!OSSL_PARAM_get_utf8_string(param_ec_name, &curve_name, 0)
82 || (curve_nid = OBJ_sn2nid(curve_name)) == NID_undef)
85 if ((ecg = EC_GROUP_new_by_curve_name(curve_nid)) == NULL)
89 if (!EC_KEY_set_group(ec, ecg))
93 * TODO(3.0): if the group has changed, should we invalidate the private and
100 OPENSSL_free(curve_name);
106 int domparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl)
114 ecg = EC_KEY_get0_group(ec);
118 curve_nid = EC_GROUP_get_curve_name(ecg);
120 if (curve_nid == NID_undef) {
121 /* explicit parameters */
124 * TODO(3.0): should we support explicit parameters curves?
129 const char *curve_name = NULL;
131 if ((curve_name = OBJ_nid2sn(curve_nid)) == NULL)
134 if (!ossl_param_bld_push_utf8_string(tmpl, OSSL_PKEY_PARAM_EC_NAME, curve_name, 0))
142 * Callers of params_to_key MUST make sure that params_to_domparams has been
145 * This function only imports the bare keypair, domain parameters and other
146 * parameters are imported separately, and domain parameters are required to
150 int params_to_key(EC_KEY *ec, const OSSL_PARAM params[], int include_private)
152 const OSSL_PARAM *param_priv_key, *param_pub_key;
153 BIGNUM *priv_key = NULL;
154 unsigned char *pub_key = NULL;
156 const EC_GROUP *ecg = NULL;
157 EC_POINT *pub_point = NULL;
160 ecg = EC_KEY_get0_group(ec);
165 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
167 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
170 * We want to have at least a public key either way, so we end up
171 * requiring it unconditionally.
173 if (param_pub_key == NULL
174 || !OSSL_PARAM_get_octet_string(param_pub_key,
175 (void **)&pub_key, 0, &pub_key_len)
176 || (pub_point = EC_POINT_new(ecg)) == NULL
177 || !EC_POINT_oct2point(ecg, pub_point,
178 pub_key, pub_key_len, NULL))
181 if (param_priv_key != NULL && include_private) {
186 * Key import/export should never leak the bit length of the secret
189 * For this reason, on export we use padded BIGNUMs with fixed length.
191 * When importing we also should make sure that, even if short lived,
192 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
193 * soon as possible, so that any processing of this BIGNUM might opt for
194 * constant time implementations in the backend.
196 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
197 * to preallocate the BIGNUM internal buffer to a fixed public size big
198 * enough that operations performed during the processing never trigger
199 * a realloc which would leak the size of the scalar through memory
205 * The order of the large prime subgroup of the curve is our choice for
206 * a fixed public size, as that is generally the upper bound for
207 * generating a private key in EC cryptosystems and should fit all valid
210 * For padding on export we just use the bit length of the order
211 * converted to bytes (rounding up).
213 * For preallocating the BIGNUM storage we look at the number of "words"
214 * required for the internal representation of the order, and we
215 * preallocate 2 extra "words" in case any of the subsequent processing
216 * might temporarily overflow the order length.
218 order = EC_GROUP_get0_order(ecg);
219 if (order == NULL || BN_is_zero(order))
222 fixed_top = bn_get_top(order) + 2;
224 if ((priv_key = BN_new()) == NULL)
226 if (bn_wexpand(priv_key, fixed_top) == NULL)
228 BN_set_flags(priv_key, BN_FLG_CONSTTIME);
230 if (!OSSL_PARAM_get_BN(param_priv_key, &priv_key))
235 && !EC_KEY_set_private_key(ec, priv_key))
238 if (!EC_KEY_set_public_key(ec, pub_point))
244 BN_clear_free(priv_key);
245 OPENSSL_free(pub_key);
246 EC_POINT_free(pub_point);
251 * Callers of key_to_params MUST make sure that domparams_to_params is also
254 * This function only exports the bare keypair, domain parameters and other
255 * parameters are exported separately.
258 int key_to_params(const EC_KEY *eckey, OSSL_PARAM_BLD *tmpl, int include_private)
260 const BIGNUM *priv_key = NULL;
261 const EC_POINT *pub_point = NULL;
262 const EC_GROUP *ecg = NULL;
263 unsigned char *pub_key = NULL;
264 size_t pub_key_len = 0;
270 ecg = EC_KEY_get0_group(eckey);
271 priv_key = EC_KEY_get0_private_key(eckey);
272 pub_point = EC_KEY_get0_public_key(eckey);
274 /* group and public_key must be present, priv_key is optional */
275 if (ecg == NULL || pub_point == NULL)
277 if ((pub_key_len = EC_POINT_point2buf(ecg, pub_point,
278 POINT_CONVERSION_COMPRESSED,
279 &pub_key, NULL)) == 0)
282 if (!ossl_param_bld_push_octet_string(tmpl,
283 OSSL_PKEY_PARAM_PUB_KEY,
284 pub_key, pub_key_len))
287 if (priv_key != NULL && include_private) {
292 * Key import/export should never leak the bit length of the secret
295 * For this reason, on export we use padded BIGNUMs with fixed length.
297 * When importing we also should make sure that, even if short lived,
298 * the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
299 * soon as possible, so that any processing of this BIGNUM might opt for
300 * constant time implementations in the backend.
302 * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
303 * to preallocate the BIGNUM internal buffer to a fixed public size big
304 * enough that operations performed during the processing never trigger
305 * a realloc which would leak the size of the scalar through memory
311 * The order of the large prime subgroup of the curve is our choice for
312 * a fixed public size, as that is generally the upper bound for
313 * generating a private key in EC cryptosystems and should fit all valid
316 * For padding on export we just use the bit length of the order
317 * converted to bytes (rounding up).
319 * For preallocating the BIGNUM storage we look at the number of "words"
320 * required for the internal representation of the order, and we
321 * preallocate 2 extra "words" in case any of the subsequent processing
322 * might temporarily overflow the order length.
324 ecbits = EC_GROUP_order_bits(ecg);
327 sz = (ecbits + 7 ) / 8;
328 if (!ossl_param_bld_push_BN_pad(tmpl,
329 OSSL_PKEY_PARAM_PRIV_KEY,
337 OPENSSL_free(pub_key);
342 int ec_set_param_ecdh_cofactor_mode(EC_KEY *ec, const OSSL_PARAM *p)
344 const EC_GROUP *ecg = EC_KEY_get0_group(ec);
345 const BIGNUM *cofactor;
348 if (!OSSL_PARAM_get_int(p, &mode))
352 * mode can be only 0 for disable, or 1 for enable here.
354 * This is in contrast with the same parameter on an ECDH EVP_PKEY_CTX that
355 * also supports mode == -1 with the meaning of "reset to the default for
356 * the associated key".
358 if (mode < 0 || mode > 1)
361 if ((cofactor = EC_GROUP_get0_cofactor(ecg)) == NULL )
364 /* ECDH cofactor mode has no effect if cofactor is 1 */
365 if (BN_is_one(cofactor))
369 EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
371 EC_KEY_clear_flags(ec, EC_FLAG_COFACTOR_ECDH);
377 int params_to_otherparams(EC_KEY *ec, const OSSL_PARAM params[])
384 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
385 if (p != NULL && !ec_set_param_ecdh_cofactor_mode(ec, p))
392 int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl)
394 int ecdh_cofactor_mode = 0;
400 (EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
401 if (!ossl_param_bld_push_int(tmpl,
402 OSSL_PKEY_PARAM_USE_COFACTOR_ECDH,
410 void *ec_newdata(void *provctx)
416 void ec_freedata(void *keydata)
418 EC_KEY_free(keydata);
422 int ec_has(void *keydata, int selection)
424 EC_KEY *ec = keydata;
427 if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
430 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
431 ok = ok && (EC_KEY_get0_public_key(ec) != NULL);
432 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
433 ok = ok && (EC_KEY_get0_private_key(ec) != NULL);
434 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
435 ok = ok && (EC_KEY_get0_group(ec) != NULL);
437 * We consider OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS to always be available,
438 * so no extra check is needed other than the previous one against
439 * EC_POSSIBLE_SELECTIONS.
446 int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
448 EC_KEY *ec = keydata;
455 * In this implementation, we can export/import only keydata in the
456 * following combinations:
457 * - domain parameters only
458 * - public key with associated domain parameters (+optional other params)
459 * - private key with associated public key and domain parameters
460 * (+optional other params)
463 * - domain parameters must always be requested
464 * - private key must be requested alongside public key
465 * - other parameters must be requested only alongside a key
467 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
469 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
470 && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
472 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
473 && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
476 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
477 ok = ok && params_to_domparams(ec, params);
478 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
479 int include_private =
480 selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
482 ok = ok && params_to_key(ec, params, include_private);
484 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
485 ok = ok && params_to_otherparams(ec, params);
491 int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
494 EC_KEY *ec = keydata;
496 OSSL_PARAM *params = NULL;
503 * In this implementation, we can export/import only keydata in the
504 * following combinations:
505 * - domain parameters only
506 * - public key with associated domain parameters (+optional other params)
507 * - private key with associated public key and domain parameters
508 * (+optional other params)
511 * - domain parameters must always be requested
512 * - private key must be requested alongside public key
513 * - other parameters must be requested only alongside a key
515 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) == 0)
517 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
518 && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
520 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
521 && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
524 ossl_param_bld_init(&tmpl);
526 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
527 ok = ok && domparams_to_params(ec, &tmpl);
528 if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
529 int include_private =
530 selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
532 ok = ok && key_to_params(ec, &tmpl, include_private);
534 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
535 ok = ok && otherparams_to_params(ec, &tmpl);
538 || (params = ossl_param_bld_to_param(&tmpl)) == NULL)
541 ok = param_cb(params, cbarg);
542 ossl_param_bld_free(params);
546 /* IMEXPORT = IMPORT + EXPORT */
548 # define EC_IMEXPORTABLE_DOM_PARAMETERS \
549 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_NAME, NULL, 0)
550 # define EC_IMEXPORTABLE_PUBLIC_KEY \
551 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
552 # define EC_IMEXPORTABLE_PRIVATE_KEY \
553 OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
554 # define EC_IMEXPORTABLE_OTHER_PARAMETERS \
555 OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL)
558 * Include all the possible combinations of OSSL_PARAM arrays for
559 * ec_imexport_types().
561 * They are in a separate file as it is ~100 lines of unreadable and
562 * uninteresting machine generated stuff.
564 * TODO(3.0): the generated list looks quite ugly, as to cover all possible
565 * combinations of the bits in `selection`, it also includes combinations that
566 * are not really useful: we might want to consider alternatives to this
569 #include "ec_kmgmt_imexport.inc"
572 const OSSL_PARAM *ec_imexport_types(int selection)
576 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
578 if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
580 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
582 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
584 return ec_types[type_select];
588 const OSSL_PARAM *ec_import_types(int selection)
590 return ec_imexport_types(selection);
594 const OSSL_PARAM *ec_export_types(int selection)
596 return ec_imexport_types(selection);
600 int ec_get_params(void *key, OSSL_PARAM params[])
603 const EC_GROUP *ecg = NULL;
606 ecg = EC_KEY_get0_group(eck);
610 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
611 && !OSSL_PARAM_set_int(p, ECDSA_size(eck)))
613 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
614 && !OSSL_PARAM_set_int(p, EC_GROUP_order_bits(ecg)))
616 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL) {
617 int ecbits, sec_bits;
619 ecbits = EC_GROUP_order_bits(ecg);
622 * The following estimates are based on the values published
623 * in Table 2 of "NIST Special Publication 800-57 Part 1 Revision 4"
624 * at http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 .
626 * Note that the above reference explicitly categorizes algorithms in a
627 * discrete set of values {80, 112, 128, 192, 256}, and that it is
628 * relevant only for NIST approved Elliptic Curves, while OpenSSL
629 * applies the same logic also to other curves.
631 * Classifications produced by other standardazing bodies might differ,
632 * so the results provided for "bits of security" by this provider are
633 * to be considered merely indicative, and it is the users'
634 * responsibility to compare these values against the normative
635 * references that may be relevant for their intent and purposes.
639 else if (ecbits >= 384)
641 else if (ecbits >= 256)
643 else if (ecbits >= 224)
645 else if (ecbits >= 160)
648 sec_bits = ecbits / 2;
650 if (!OSSL_PARAM_set_int(p, sec_bits))
654 p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
656 int ecdh_cofactor_mode = 0;
659 (EC_KEY_get_flags(eck) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
661 if (!OSSL_PARAM_set_int(p, ecdh_cofactor_mode))
668 static const OSSL_PARAM ec_known_gettable_params[] = {
669 OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
670 OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
671 OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
672 OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
677 const OSSL_PARAM *ec_gettable_params(void)
679 return ec_known_gettable_params;
682 static const OSSL_PARAM ec_known_settable_params[] = {
683 OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
688 const OSSL_PARAM *ec_settable_params(void)
690 return ec_known_settable_params;
694 int ec_set_params(void *key, const OSSL_PARAM params[])
699 p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH);
700 if (p != NULL && !ec_set_param_ecdh_cofactor_mode(eck, p))
706 const OSSL_DISPATCH ec_keymgmt_functions[] = {
707 { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata },
708 { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))ec_freedata },
709 { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))ec_get_params },
710 { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))ec_gettable_params },
711 { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))ec_set_params },
712 { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))ec_settable_params },
713 { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))ec_has },
714 { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_import },
715 { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))ec_import_types },
716 { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))ec_export },
717 { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))ec_export_types },
718 { OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME,
719 (void (*)(void))ec_query_operation_name },