static int key_create_ecdsa(key_t *key) { EC_KEY *ec = NULL; ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ec == NULL) { printf("Cannot create EC key\n"); goto err; } if (!EC_KEY_generate_key(ec)) { printf("Cannot generate EC key\n"); goto err; } EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS); EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) { printf("Cannot assign EC key\n"); goto err; } return 1; err: EC_KEY_free(ec); return 0; }
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { EC_PKEY_CTX *dctx = ctx->data; EC_GROUP *group; switch (type) { case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: group = EC_GROUP_new_by_curve_name(p1); if (group == NULL) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE); return 0; } EC_GROUP_free(dctx->gen_group); dctx->gen_group = group; return 1; case EVP_PKEY_CTRL_EC_PARAM_ENC: if (!dctx->gen_group) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET); return 0; } EC_GROUP_set_asn1_flag(dctx->gen_group, p1); return 1; #ifndef OPENSSL_NO_EC case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: if (p1 == -2) { if (dctx->cofactor_mode != -1) return dctx->cofactor_mode; else { EC_KEY *ec_key = ctx->pkey->pkey.ec; return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; } } else if (p1 < -1 || p1 > 1) return -2; dctx->cofactor_mode = p1; if (p1 != -1) { EC_KEY *ec_key = ctx->pkey->pkey.ec; if (!ec_key->group) return -2; /* If cofactor is 1 cofactor mode does nothing */ if (BN_is_one(ec_key->group->cofactor)) return 1; if (!dctx->co_key) { dctx->co_key = EC_KEY_dup(ec_key); if (!dctx->co_key) return 0; } if (p1) EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); else EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); } else { EC_KEY_free(dctx->co_key); dctx->co_key = NULL; } return 1; #endif case EVP_PKEY_CTRL_EC_KDF_TYPE: if (p1 == -2) return dctx->kdf_type; if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62) return -2; dctx->kdf_type = p1; return 1; case EVP_PKEY_CTRL_EC_KDF_MD: dctx->kdf_md = p2; return 1; case EVP_PKEY_CTRL_GET_EC_KDF_MD: *(const EVP_MD **)p2 = dctx->kdf_md; return 1; case EVP_PKEY_CTRL_EC_KDF_OUTLEN: if (p1 <= 0) return -2; dctx->kdf_outlen = (size_t)p1; return 1; case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: *(int *)p2 = dctx->kdf_outlen; return 1; case EVP_PKEY_CTRL_EC_KDF_UKM: OPENSSL_free(dctx->kdf_ukm); dctx->kdf_ukm = p2; if (p2) dctx->kdf_ukmlen = p1; else dctx->kdf_ukmlen = 0; return 1; case EVP_PKEY_CTRL_GET_EC_KDF_UKM: *(unsigned char **)p2 = dctx->kdf_ukm; return dctx->kdf_ukmlen; case EVP_PKEY_CTRL_MD: if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 && EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 && EVP_MD_type((const EVP_MD *)p2) != NID_sha224 && EVP_MD_type((const EVP_MD *)p2) != NID_sha256 && EVP_MD_type((const EVP_MD *)p2) != NID_sha384 && EVP_MD_type((const EVP_MD *)p2) != NID_sha512) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE); return 0; } dctx->md = p2; return 1; case EVP_PKEY_CTRL_GET_MD: *(const EVP_MD **)p2 = dctx->md; return 1; case EVP_PKEY_CTRL_PEER_KEY: /* Default behaviour is OK */ case EVP_PKEY_CTRL_DIGESTINIT: case EVP_PKEY_CTRL_PKCS7_SIGN: case EVP_PKEY_CTRL_CMS_SIGN: return 1; default: return -2; } }
/* * NIST SP800-56A co-factor ECDH tests. * KATs taken from NIST documents with parameters: * * - (QCAVSx,QCAVSy) is the public key for CAVS. * - dIUT is the private key for IUT. * - (QIUTx,QIUTy) is the public key for IUT. * - ZIUT is the shared secret KAT. * * CAVS: Cryptographic Algorithm Validation System * IUT: Implementation Under Test * * This function tests two things: * * 1. dIUT * G = (QIUTx,QIUTy) * i.e. public key for IUT computes correctly. * 2. x-coord of cofactor * dIUT * (QCAVSx,QCAVSy) = ZIUT * i.e. co-factor ECDH key computes correctly. * * returns zero on failure or unsupported curve. One otherwise. */ static int ecdh_cavs_kat(BIO *out, const ecdh_cavs_kat_t *kat) { int rv = 0, is_char_two = 0; EC_KEY *key1 = NULL; EC_POINT *pub = NULL; const EC_GROUP *group = NULL; BIGNUM *bnz = NULL, *x = NULL, *y = NULL; unsigned char *Ztmp = NULL, *Z = NULL; size_t Ztmplen, Zlen; BIO_puts(out, "Testing ECC CDH Primitive SP800-56A with "); BIO_puts(out, OBJ_nid2sn(kat->nid)); /* dIUT is IUT's private key */ if ((key1 = mk_eckey(kat->nid, kat->dIUT)) == NULL) goto err; /* these are cofactor ECDH KATs */ EC_KEY_set_flags(key1, EC_FLAG_COFACTOR_ECDH); if ((group = EC_KEY_get0_group(key1)) == NULL) goto err; if ((pub = EC_POINT_new(group)) == NULL) goto err; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_characteristic_two_field) is_char_two = 1; /* (QIUTx, QIUTy) is IUT's public key */ if(!BN_hex2bn(&x, kat->QIUTx)) goto err; if(!BN_hex2bn(&y, kat->QIUTy)) goto err; if (is_char_two) { #ifdef OPENSSL_NO_EC2M goto err; #else if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL)) goto err; #endif } else { if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL)) goto err; } /* dIUT * G = (QIUTx, QIUTy) should hold */ if (EC_POINT_cmp(group, EC_KEY_get0_public_key(key1), pub, NULL)) goto err; /* (QCAVSx, QCAVSy) is CAVS's public key */ if(!BN_hex2bn(&x, kat->QCAVSx)) goto err; if(!BN_hex2bn(&y, kat->QCAVSy)) goto err; if (is_char_two) { #ifdef OPENSSL_NO_EC2M goto err; #else if (!EC_POINT_set_affine_coordinates_GF2m(group, pub, x, y, NULL)) goto err; #endif } else { if (!EC_POINT_set_affine_coordinates_GFp(group, pub, x, y, NULL)) goto err; } /* ZIUT is the shared secret */ if(!BN_hex2bn(&bnz, kat->ZIUT)) goto err; Ztmplen = (EC_GROUP_get_degree(EC_KEY_get0_group(key1)) + 7) / 8; Zlen = BN_num_bytes(bnz); if (Zlen > Ztmplen) goto err; if((Ztmp = OPENSSL_zalloc(Ztmplen)) == NULL) goto err; if((Z = OPENSSL_zalloc(Ztmplen)) == NULL) goto err; if(!BN_bn2binpad(bnz, Z, Ztmplen)) goto err; if (!ECDH_compute_key(Ztmp, Ztmplen, pub, key1, 0)) goto err; /* shared secrets should be identical */ if (memcmp(Ztmp, Z, Ztmplen)) goto err; rv = 1; err: EC_KEY_free(key1); EC_POINT_free(pub); BN_free(bnz); BN_free(x); BN_free(y); OPENSSL_free(Ztmp); OPENSSL_free(Z); if (rv) { BIO_puts(out, " ok\n"); } else { fprintf(stderr, "Error in ECC CDH routines\n"); ERR_print_errors_fp(stderr); } return rv; }
int FIPS_selftest_ecdh(void) { EC_KEY *ec1 = NULL, *ec2 = NULL; const EC_POINT *ecp = NULL; BIGNUM *x = NULL, *y = NULL, *d = NULL; unsigned char *ztmp = NULL; int rv = 1; size_t i; for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) continue; ztmp = OPENSSL_malloc(ecd->zlen); x = BN_bin2bn(ecd->x1, ecd->x1len, x); y = BN_bin2bn(ecd->y1, ecd->y1len, y); d = BN_bin2bn(ecd->d1, ecd->d1len, d); if (!x || !y || !d || !ztmp) { rv = -1; goto err; } ec1 = EC_KEY_new_by_curve_name(ecd->curve); if (!ec1) { rv = -1; goto err; } EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { rv = -1; goto err; } if (!EC_KEY_set_private_key(ec1, d)) { rv = -1; goto err; } x = BN_bin2bn(ecd->x2, ecd->x2len, x); y = BN_bin2bn(ecd->y2, ecd->y2len, y); if (!x || !y) { rv = -1; goto err; } ec2 = EC_KEY_new_by_curve_name(ecd->curve); if (!ec2) { rv = -1; goto err; } EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { rv = -1; goto err; } ecp = EC_KEY_get0_public_key(ec2); if (!ecp) { rv = -1; goto err; } if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { rv = -1; goto err; } if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) ztmp[0] ^= 0x1; if (memcmp(ztmp, ecd->z, ecd->zlen)) { fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); rv = 0; } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) goto err; EC_KEY_free(ec1); ec1 = NULL; EC_KEY_free(ec2); ec2 = NULL; OPENSSL_free(ztmp); ztmp = NULL; } err: if (x) BN_clear_free(x); if (y) BN_clear_free(y); if (d) BN_clear_free(d); if (ec1) EC_KEY_free(ec1); if (ec2) EC_KEY_free(ec2); if (ztmp) OPENSSL_free(ztmp); return rv; }
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { EC_PKEY_CTX *dctx = ctx->data; EC_GROUP *group; switch (type) { case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: group = EC_GROUP_new_by_curve_name(p1); if (group == NULL) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_CURVE); return 0; } EC_GROUP_free(dctx->gen_group); dctx->gen_group = group; return 1; case EVP_PKEY_CTRL_EC_PARAM_ENC: if (!dctx->gen_group) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_NO_PARAMETERS_SET); return 0; } EC_GROUP_set_asn1_flag(dctx->gen_group, p1); return 1; #ifndef OPENSSL_NO_EC case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: if (p1 == -2) { if (dctx->cofactor_mode != -1) return dctx->cofactor_mode; else { EC_KEY *ec_key = ctx->pkey->pkey.ec; return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; } } else if (p1 < -1 || p1 > 1) return -2; dctx->cofactor_mode = p1; if (p1 != -1) { EC_KEY *ec_key = ctx->pkey->pkey.ec; if (!ec_key->group) return -2; /* If cofactor is 1 cofactor mode does nothing */ if (BN_is_one(ec_key->group->cofactor)) return 1; if (!dctx->co_key) { dctx->co_key = EC_KEY_dup(ec_key); if (!dctx->co_key) return 0; } if (p1) EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); else EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); } else { EC_KEY_free(dctx->co_key); dctx->co_key = NULL; } return 1; #endif case EVP_PKEY_CTRL_EC_KDF_TYPE: if (p1 == -2) return dctx->kdf_type; if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62) return -2; dctx->kdf_type = p1; return 1; #ifndef OPENSSL_NO_SM2 case EVP_PKEY_CTRL_EC_SCHEME: if (p1 == -2) { return dctx->ec_scheme; } if (p1 != NID_secg_scheme && p1 != NID_sm_scheme) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_EC_SCHEME); return 0; } dctx->ec_scheme = p1; return 1; case EVP_PKEY_CTRL_SIGNER_ID: if (!p2 || !strlen((char *)p2) || strlen((char *)p2) > SM2_MAX_ID_LENGTH) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_SIGNER_ID); return 0; } else { char *id = NULL; if (!(id = OPENSSL_strdup((char *)p2))) { ECerr(EC_F_PKEY_EC_CTRL, ERR_R_MALLOC_FAILURE); return 0; } if (dctx->signer_id) OPENSSL_free(dctx->signer_id); dctx->signer_id = id; if (dctx->ec_scheme == NID_sm_scheme) { EC_KEY *ec_key = ctx->pkey->pkey.ec; unsigned char zid[SM3_DIGEST_LENGTH]; size_t zidlen = SM3_DIGEST_LENGTH; if (!SM2_compute_id_digest(EVP_sm3(), dctx->signer_id, strlen(dctx->signer_id), zid, &zidlen, ec_key)) { ECerr(EC_F_PKEY_EC_CTRL, ERR_R_SM2_LIB); return 0; } if (!dctx->signer_zid) { if (!(dctx->signer_zid = OPENSSL_malloc(zidlen))) { ECerr(EC_F_PKEY_EC_CTRL, ERR_R_MALLOC_FAILURE); return 0; } } memcpy(dctx->signer_zid, zid, zidlen); } } return 1; case EVP_PKEY_CTRL_GET_SIGNER_ID: *(const char **)p2 = dctx->signer_id; return 1; case EVP_PKEY_CTRL_GET_SIGNER_ZID: if (dctx->ec_scheme != NID_sm_scheme) { *(const unsigned char **)p2 = NULL; return -2; } if (!dctx->signer_zid) { EC_KEY *ec_key = ctx->pkey->pkey.ec; unsigned char *zid; size_t zidlen = SM3_DIGEST_LENGTH; if (!(zid = OPENSSL_malloc(zidlen))) { ECerr(EC_F_PKEY_EC_CTRL, ERR_R_MALLOC_FAILURE); return 0; } if (!SM2_compute_id_digest(EVP_sm3(), SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, zid, &zidlen, ec_key)) { ECerr(EC_F_PKEY_EC_CTRL, ERR_R_SM2_LIB); OPENSSL_free(zid); return 0; } dctx->signer_zid = zid; } *(const unsigned char **)p2 = dctx->signer_zid; return 1; case EVP_PKEY_CTRL_EC_ENCRYPT_PARAM: if (p1 == -2) { return dctx->ec_encrypt_param; } dctx->ec_encrypt_param = p1; return 1; #endif case EVP_PKEY_CTRL_EC_KDF_MD: dctx->kdf_md = p2; return 1; case EVP_PKEY_CTRL_GET_EC_KDF_MD: *(const EVP_MD **)p2 = dctx->kdf_md; return 1; case EVP_PKEY_CTRL_EC_KDF_OUTLEN: if (p1 <= 0) return -2; dctx->kdf_outlen = (size_t)p1; return 1; case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: *(int *)p2 = dctx->kdf_outlen; return 1; case EVP_PKEY_CTRL_EC_KDF_UKM: OPENSSL_free(dctx->kdf_ukm); dctx->kdf_ukm = p2; if (p2) dctx->kdf_ukmlen = p1; else dctx->kdf_ukmlen = 0; return 1; case EVP_PKEY_CTRL_GET_EC_KDF_UKM: *(unsigned char **)p2 = dctx->kdf_ukm; return dctx->kdf_ukmlen; case EVP_PKEY_CTRL_MD: if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 && #ifndef OPENSSL_NO_SM3 EVP_MD_type((const EVP_MD *)p2) != NID_sm3 && #endif EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 && EVP_MD_type((const EVP_MD *)p2) != NID_sha224 && EVP_MD_type((const EVP_MD *)p2) != NID_sha256 && EVP_MD_type((const EVP_MD *)p2) != NID_sha384 && EVP_MD_type((const EVP_MD *)p2) != NID_sha512) { ECerr(EC_F_PKEY_EC_CTRL, EC_R_INVALID_DIGEST_TYPE); return 0; } dctx->md = p2; return 1; case EVP_PKEY_CTRL_GET_MD: *(const EVP_MD **)p2 = dctx->md; return 1; case EVP_PKEY_CTRL_PEER_KEY: /* Default behaviour is OK */ case EVP_PKEY_CTRL_DIGESTINIT: case EVP_PKEY_CTRL_PKCS7_SIGN: case EVP_PKEY_CTRL_CMS_SIGN: return 1; default: return -2; } }