static int key_create_ecdsa(key_t *key)
{
EC_KEY *ec = NULL;
ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ec == NULL) {
printf("Cannot create EC key\n");
goto err;
}
if (!EC_KEY_generate_key(ec)) {
printf("Cannot generate EC key\n");
goto err;
}
EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
printf("Cannot assign EC key\n");
goto err;
}
return 1;
err:
EC_KEY_free(ec);
return 0;
}
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
EC_PKEY_CTX *dctx = ctx->data;
EC_GROUP *group;
switch (type) {
case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
group = EC_GROUP_new_by_curve_name(p1);
if (group == NULL) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
return 0;
}
EC_GROUP_free(dctx->gen_group);
dctx->gen_group = group;
return 1;
case EVP_PKEY_CTRL_EC_PARAM_ENC:
if (!dctx->gen_group) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET);
return 0;
}
EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
return 1;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
if (p1 == -2) {
if (dctx->cofactor_mode != -1)
return dctx->cofactor_mode;
else {
EC_KEY *ec_key = ctx->pkey->pkey.ec;
return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 :
0;
}
} else if (p1 < -1 || p1 > 1)
return -2;
dctx->cofactor_mode = p1;
if (p1 != -1) {
EC_KEY *ec_key = ctx->pkey->pkey.ec;
if (!ec_key->group)
return -2;
/* If cofactor is 1 cofactor mode does nothing */
if (BN_is_one(ec_key->group->cofactor))
return 1;
if (!dctx->co_key) {
dctx->co_key = EC_KEY_dup(ec_key);
if (!dctx->co_key)
return 0;
}
if (p1)
EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
else
EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
} else {
EC_KEY_free(dctx->co_key);
dctx->co_key = NULL;
}
return 1;
#endif
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
return -2;
dctx->kdf_type = p1;
return 1;
case EVP_PKEY_CTRL_EC_KDF_MD:
dctx->kdf_md = p2;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_MD:
*(const EVP_MD **)p2 = dctx->kdf_md;
return 1;
case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
if (p1 <= 0)
return -2;
dctx->kdf_outlen = (size_t)p1;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
*(int *)p2 = dctx->kdf_outlen;
return 1;
case EVP_PKEY_CTRL_EC_KDF_UKM:
OPENSSL_free(dctx->kdf_ukm);
dctx->kdf_ukm = p2;
if (p2)
dctx->kdf_ukmlen = p1;
else
dctx->kdf_ukmlen = 0;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
*(unsigned char **)p2 = dctx->kdf_ukm;
return dctx->kdf_ukmlen;
case EVP_PKEY_CTRL_MD:
if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
return 0;
}
dctx->md = p2;
return 1;
case EVP_PKEY_CTRL_GET_MD:
*(const EVP_MD **)p2 = dctx->md;
return 1;
case EVP_PKEY_CTRL_PEER_KEY:
/* Default behaviour is OK */
case EVP_PKEY_CTRL_DIGESTINIT:
case EVP_PKEY_CTRL_PKCS7_SIGN:
case EVP_PKEY_CTRL_CMS_SIGN:
return 1;
default:
return -2;
}
}
/*
* NIST SP800-56A co-factor ECDH tests.
* KATs taken from NIST documents with parameters:
*
* - (QCAVSx,QCAVSy) is the public key for CAVS.
* - dIUT is the private key for IUT.
* - (QIUTx,QIUTy) is the public key for IUT.
* - ZIUT is the shared secret KAT.
*
* CAVS: Cryptographic Algorithm Validation System
* IUT: Implementation Under Test
*
* This function tests two things:
*
* 1. dIUT * G = (QIUTx,QIUTy)
* i.e. public key for IUT computes correctly.
* 2. x-coord of cofactor * dIUT * (QCAVSx,QCAVSy) = ZIUT
* i.e. co-factor ECDH key computes correctly.
*
* returns zero on failure or unsupported curve. One otherwise.
*/
static int ecdh_cavs_kat(BIO *out, const ecdh_cavs_kat_t *kat)
{
int rv = 0, is_char_two = 0;
EC_KEY *key1 = NULL;
EC_POINT *pub = NULL;
const EC_GROUP *group = NULL;
BIGNUM *bnz = NULL, *x = NULL, *y = NULL;
unsigned char *Ztmp = NULL, *Z = NULL;
size_t Ztmplen, Zlen;
BIO_puts(out, "Testing ECC CDH Primitive SP800-56A with ");
BIO_puts(out, OBJ_nid2sn(kat->nid));
/* dIUT is IUT's private key */
if ((key1 = mk_eckey(kat->nid, kat->dIUT)) == NULL)
goto err;
/* these are cofactor ECDH KATs */
EC_KEY_set_flags(key1, EC_FLAG_COFACTOR_ECDH);
if ((group = EC_KEY_get0_group(key1)) == NULL)
goto err;
if ((pub = EC_POINT_new(group)) == NULL)
goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field)
is_char_two = 1;
/* (QIUTx, QIUTy) is IUT's public key */
if(!BN_hex2bn(&x, kat->QIUTx))
goto err;
if(!BN_hex2bn(&y, kat->QIUTy))
goto err;
if (is_char_two) {
#ifdef OPENSSL_NO_EC2M
goto err;
#else
if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
goto err;
#endif
}
else {
if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
goto err;
}
/* dIUT * G = (QIUTx, QIUTy) should hold */
if (EC_POINT_cmp(group, EC_KEY_get0_public_key(key1), pub, NULL))
goto err;
/* (QCAVSx, QCAVSy) is CAVS's public key */
if(!BN_hex2bn(&x, kat->QCAVSx))
goto err;
if(!BN_hex2bn(&y, kat->QCAVSy))
goto err;
if (is_char_two) {
#ifdef OPENSSL_NO_EC2M
goto err;
#else
if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL))
goto err;
#endif
}
else {
if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL))
goto err;
}
/* ZIUT is the shared secret */
if(!BN_hex2bn(&bnz, kat->ZIUT))
goto err;
Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8;
Zlen = BN_num_bytes(bnz);
if (Zlen > Ztmplen)
goto err;
if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if((Z = OPENSSL_zalloc(Ztmplen)) == NULL)
goto err;
if(!BN_bn2binpad(bnz, Z, Ztmplen))
goto err;
if (!ECDH_compute_key(Ztmp, Ztmplen, pub, key1, 0))
goto err;
/* shared secrets should be identical */
if (memcmp(Ztmp, Z, Ztmplen))
goto err;
rv = 1;
err:
EC_KEY_free(key1);
EC_POINT_free(pub);
BN_free(bnz);
BN_free(x);
BN_free(y);
OPENSSL_free(Ztmp);
OPENSSL_free(Z);
if (rv) {
BIO_puts(out, " ok\n");
}
else {
fprintf(stderr, "Error in ECC CDH routines\n");
ERR_print_errors_fp(stderr);
}
return rv;
}
int FIPS_selftest_ecdh(void)
{
EC_KEY *ec1 = NULL, *ec2 = NULL;
const EC_POINT *ecp = NULL;
BIGNUM *x = NULL, *y = NULL, *d = NULL;
unsigned char *ztmp = NULL;
int rv = 1;
size_t i;
for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
continue;
ztmp = OPENSSL_malloc(ecd->zlen);
x = BN_bin2bn(ecd->x1, ecd->x1len, x);
y = BN_bin2bn(ecd->y1, ecd->y1len, y);
d = BN_bin2bn(ecd->d1, ecd->d1len, d);
if (!x || !y || !d || !ztmp) {
rv = -1;
goto err;
}
ec1 = EC_KEY_new_by_curve_name(ecd->curve);
if (!ec1) {
rv = -1;
goto err;
}
EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
rv = -1;
goto err;
}
if (!EC_KEY_set_private_key(ec1, d)) {
rv = -1;
goto err;
}
x = BN_bin2bn(ecd->x2, ecd->x2len, x);
y = BN_bin2bn(ecd->y2, ecd->y2len, y);
if (!x || !y) {
rv = -1;
goto err;
}
ec2 = EC_KEY_new_by_curve_name(ecd->curve);
if (!ec2) {
rv = -1;
goto err;
}
EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
rv = -1;
goto err;
}
ecp = EC_KEY_get0_public_key(ec2);
if (!ecp) {
rv = -1;
goto err;
}
if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
rv = -1;
goto err;
}
if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
ztmp[0] ^= 0x1;
if (memcmp(ztmp, ecd->z, ecd->zlen)) {
fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
rv = 0;
} else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
goto err;
EC_KEY_free(ec1);
ec1 = NULL;
EC_KEY_free(ec2);
ec2 = NULL;
OPENSSL_free(ztmp);
ztmp = NULL;
}
err:
if (x)
BN_clear_free(x);
if (y)
BN_clear_free(y);
if (d)
BN_clear_free(d);
if (ec1)
EC_KEY_free(ec1);
if (ec2)
EC_KEY_free(ec2);
if (ztmp)
OPENSSL_free(ztmp);
return rv;
}
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
EC_PKEY_CTX *dctx = ctx->data;
EC_GROUP *group;
switch (type) {
case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
group = EC_GROUP_new_by_curve_name(p1);
if (group == NULL) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE);
return 0;
}
EC_GROUP_free(dctx->gen_group);
dctx->gen_group = group;
return 1;
case EVP_PKEY_CTRL_EC_PARAM_ENC:
if (!dctx->gen_group) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET);
return 0;
}
EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
return 1;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
if (p1 == -2) {
if (dctx->cofactor_mode != -1)
return dctx->cofactor_mode;
else {
EC_KEY *ec_key = ctx->pkey->pkey.ec;
return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 :
0;
}
} else if (p1 < -1 || p1 > 1)
return -2;
dctx->cofactor_mode = p1;
if (p1 != -1) {
EC_KEY *ec_key = ctx->pkey->pkey.ec;
if (!ec_key->group)
return -2;
/* If cofactor is 1 cofactor mode does nothing */
if (BN_is_one(ec_key->group->cofactor))
return 1;
if (!dctx->co_key) {
dctx->co_key = EC_KEY_dup(ec_key);
if (!dctx->co_key)
return 0;
}
if (p1)
EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
else
EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH);
} else {
EC_KEY_free(dctx->co_key);
dctx->co_key = NULL;
}
return 1;
#endif
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
return -2;
dctx->kdf_type = p1;
return 1;
#ifndef OPENSSL_NO_SM2
case EVP_PKEY_CTRL_EC_SCHEME:
if (p1 == -2) {
return dctx->ec_scheme;
}
if (p1 != NID_secg_scheme && p1 != NID_sm_scheme) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_EC_SCHEME);
return 0;
}
dctx->ec_scheme = p1;
return 1;
case EVP_PKEY_CTRL_SIGNER_ID:
if (!p2 || !strlen((char *)p2) || strlen((char *)p2) > SM2_MAX_ID_LENGTH) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_SIGNER_ID);
return 0;
} else {
char *id = NULL;
if (!(id = OPENSSL_strdup((char *)p2))) {
ECerr(EC_F_PKEY_EC_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
if (dctx->signer_id)
OPENSSL_free(dctx->signer_id);
dctx->signer_id = id;
if (dctx->ec_scheme == NID_sm_scheme) {
EC_KEY *ec_key = ctx->pkey->pkey.ec;
unsigned char zid[SM3_DIGEST_LENGTH];
size_t zidlen = SM3_DIGEST_LENGTH;
if (!SM2_compute_id_digest(EVP_sm3(), dctx->signer_id,
strlen(dctx->signer_id), zid, &zidlen, ec_key)) {
ECerr(EC_F_PKEY_EC_CTRL, ERR_R_SM2_LIB);
return 0;
}
if (!dctx->signer_zid) {
if (!(dctx->signer_zid = OPENSSL_malloc(zidlen))) {
ECerr(EC_F_PKEY_EC_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
}
memcpy(dctx->signer_zid, zid, zidlen);
}
}
return 1;
case EVP_PKEY_CTRL_GET_SIGNER_ID:
*(const char **)p2 = dctx->signer_id;
return 1;
case EVP_PKEY_CTRL_GET_SIGNER_ZID:
if (dctx->ec_scheme != NID_sm_scheme) {
*(const unsigned char **)p2 = NULL;
return -2;
}
if (!dctx->signer_zid) {
EC_KEY *ec_key = ctx->pkey->pkey.ec;
unsigned char *zid;
size_t zidlen = SM3_DIGEST_LENGTH;
if (!(zid = OPENSSL_malloc(zidlen))) {
ECerr(EC_F_PKEY_EC_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!SM2_compute_id_digest(EVP_sm3(), SM2_DEFAULT_ID,
SM2_DEFAULT_ID_LENGTH, zid, &zidlen, ec_key)) {
ECerr(EC_F_PKEY_EC_CTRL, ERR_R_SM2_LIB);
OPENSSL_free(zid);
return 0;
}
dctx->signer_zid = zid;
}
*(const unsigned char **)p2 = dctx->signer_zid;
return 1;
case EVP_PKEY_CTRL_EC_ENCRYPT_PARAM:
if (p1 == -2) {
return dctx->ec_encrypt_param;
}
dctx->ec_encrypt_param = p1;
return 1;
#endif
case EVP_PKEY_CTRL_EC_KDF_MD:
dctx->kdf_md = p2;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_MD:
*(const EVP_MD **)p2 = dctx->kdf_md;
return 1;
case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
if (p1 <= 0)
return -2;
dctx->kdf_outlen = (size_t)p1;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
*(int *)p2 = dctx->kdf_outlen;
return 1;
case EVP_PKEY_CTRL_EC_KDF_UKM:
OPENSSL_free(dctx->kdf_ukm);
dctx->kdf_ukm = p2;
if (p2)
dctx->kdf_ukmlen = p1;
else
dctx->kdf_ukmlen = 0;
return 1;
case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
*(unsigned char **)p2 = dctx->kdf_ukm;
return dctx->kdf_ukmlen;
case EVP_PKEY_CTRL_MD:
if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
#ifndef OPENSSL_NO_SM3
EVP_MD_type((const EVP_MD *)p2) != NID_sm3 &&
#endif
EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE);
return 0;
}
dctx->md = p2;
return 1;
case EVP_PKEY_CTRL_GET_MD:
*(const EVP_MD **)p2 = dctx->md;
return 1;
case EVP_PKEY_CTRL_PEER_KEY:
/* Default behaviour is OK */
case EVP_PKEY_CTRL_DIGESTINIT:
case EVP_PKEY_CTRL_PKCS7_SIGN:
case EVP_PKEY_CTRL_CMS_SIGN:
return 1;
default:
return -2;
}
}
