Path: blob/main/crypto/openssl/providers/implementations/kem/ec_kem.c
48383 views
/*1* Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89/*10* The following implementation is part of RFC 9180 related to DHKEM using11* EC keys (i.e. P-256, P-384 and P-521)12* References to Sections in the comments below refer to RFC 9180.13*/1415#include "internal/deprecated.h"1617#include <openssl/crypto.h>18#include <openssl/evp.h>19#include <openssl/core_dispatch.h>20#include <openssl/core_names.h>21#include <openssl/ec.h>22#include <openssl/params.h>23#include <openssl/err.h>24#include <openssl/proverr.h>25#include <openssl/kdf.h>26#include <openssl/rand.h>27#include "prov/provider_ctx.h"28#include "prov/implementations.h"29#include "prov/securitycheck.h"30#include "prov/providercommon.h"3132#include <openssl/hpke.h>33#include "internal/hpke_util.h"34#include "crypto/ec.h"35#include "prov/ecx.h"36#include "eckem.h"3738typedef struct {39EC_KEY *recipient_key;40EC_KEY *sender_authkey;41OSSL_LIB_CTX *libctx;42char *propq;43unsigned int mode;44unsigned int op;45unsigned char *ikm;46size_t ikmlen;47const char *kdfname;48const OSSL_HPKE_KEM_INFO *info;49} PROV_EC_CTX;5051static OSSL_FUNC_kem_newctx_fn eckem_newctx;52static OSSL_FUNC_kem_encapsulate_init_fn eckem_encapsulate_init;53static OSSL_FUNC_kem_auth_encapsulate_init_fn eckem_auth_encapsulate_init;54static OSSL_FUNC_kem_encapsulate_fn eckem_encapsulate;55static OSSL_FUNC_kem_decapsulate_init_fn eckem_decapsulate_init;56static OSSL_FUNC_kem_auth_decapsulate_init_fn eckem_auth_decapsulate_init;57static OSSL_FUNC_kem_decapsulate_fn eckem_decapsulate;58static OSSL_FUNC_kem_freectx_fn eckem_freectx;59static OSSL_FUNC_kem_set_ctx_params_fn eckem_set_ctx_params;60static OSSL_FUNC_kem_settable_ctx_params_fn eckem_settable_ctx_params;6162/* ASCII: "KEM", in hex for EBCDIC compatibility */63static const char LABEL_KEM[] = "\x4b\x45\x4d";6465static int eckey_check(const EC_KEY *ec, int requires_privatekey)66{67int rv = 0;68BN_CTX *bnctx = NULL;69BIGNUM *rem = NULL;70const BIGNUM *priv = EC_KEY_get0_private_key(ec);71const EC_POINT *pub = EC_KEY_get0_public_key(ec);7273/* Keys always require a public component */74if (pub == NULL) {75ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY);76return 0;77}78if (priv == NULL) {79return (requires_privatekey == 0);80} else {81/* If there is a private key, check that is non zero (mod order) */82const EC_GROUP *group = EC_KEY_get0_group(ec);83const BIGNUM *order = EC_GROUP_get0_order(group);8485bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));86rem = BN_new();8788if (order != NULL && rem != NULL && bnctx != NULL) {89rv = BN_mod(rem, priv, order, bnctx)90&& !BN_is_zero(rem);91}92}93BN_free(rem);94BN_CTX_free(bnctx);95return rv;96}9798/* Returns NULL if the curve is not supported */99static const char *ec_curvename_get0(const EC_KEY *ec)100{101const EC_GROUP *group = EC_KEY_get0_group(ec);102103return EC_curve_nid2nist(EC_GROUP_get_curve_name(group));104}105106/*107* Set the recipient key, and free any existing key.108* ec can be NULL.109* The ec key may have only a private or public component110* (but it must have a group).111*/112static int recipient_key_set(PROV_EC_CTX *ctx, EC_KEY *ec)113{114EC_KEY_free(ctx->recipient_key);115ctx->recipient_key = NULL;116117if (ec != NULL) {118const char *curve = ec_curvename_get0(ec);119120if (curve == NULL)121return -2;122ctx->info = ossl_HPKE_KEM_INFO_find_curve(curve);123if (ctx->info == NULL)124return -2;125if (!EC_KEY_up_ref(ec))126return 0;127ctx->recipient_key = ec;128ctx->kdfname = "HKDF";129}130return 1;131}132133/*134* Set the senders auth key, and free any existing auth key.135* ec can be NULL.136*/137static int sender_authkey_set(PROV_EC_CTX *ctx, EC_KEY *ec)138{139EC_KEY_free(ctx->sender_authkey);140ctx->sender_authkey = NULL;141142if (ec != NULL) {143if (!EC_KEY_up_ref(ec))144return 0;145ctx->sender_authkey = ec;146}147return 1;148}149150/*151* Serializes a encoded public key buffer into a EC public key.152* Params:153* in Contains the group.154* pubbuf The encoded public key buffer155* Returns: The created public EC key, or NULL if there is an error.156*/157static EC_KEY *eckey_frompub(EC_KEY *in,158const unsigned char *pubbuf, size_t pubbuflen)159{160EC_KEY *key;161162key = EC_KEY_new_ex(ossl_ec_key_get_libctx(in), ossl_ec_key_get0_propq(in));163if (key == NULL)164goto err;165if (!EC_KEY_set_group(key, EC_KEY_get0_group(in)))166goto err;167if (!EC_KEY_oct2key(key, pubbuf, pubbuflen, NULL))168goto err;169return key;170err:171EC_KEY_free(key);172return NULL;173}174175/*176* Deserialises a EC public key into a encoded byte array.177* Returns: 1 if successful or 0 otherwise.178*/179static int ecpubkey_todata(const EC_KEY *ec, unsigned char *out, size_t *outlen,180size_t maxoutlen)181{182const EC_POINT *pub;183const EC_GROUP *group;184185group = EC_KEY_get0_group(ec);186pub = EC_KEY_get0_public_key(ec);187*outlen = EC_POINT_point2oct(group, pub, POINT_CONVERSION_UNCOMPRESSED,188out, maxoutlen, NULL);189return *outlen != 0;190}191192static void *eckem_newctx(void *provctx)193{194PROV_EC_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_EC_CTX));195196if (ctx == NULL)197return NULL;198ctx->libctx = PROV_LIBCTX_OF(provctx);199ctx->mode = KEM_MODE_DHKEM;200201return ctx;202}203204static void eckem_freectx(void *vectx)205{206PROV_EC_CTX *ctx = (PROV_EC_CTX *)vectx;207208OPENSSL_clear_free(ctx->ikm, ctx->ikmlen);209recipient_key_set(ctx, NULL);210sender_authkey_set(ctx, NULL);211OPENSSL_free(ctx);212}213214static int ossl_ec_match_params(const EC_KEY *key1, const EC_KEY *key2)215{216int ret;217BN_CTX *ctx = NULL;218const EC_GROUP *group1 = EC_KEY_get0_group(key1);219const EC_GROUP *group2 = EC_KEY_get0_group(key2);220221ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key1));222if (ctx == NULL)223return 0;224225ret = group1 != NULL226&& group2 != NULL227&& EC_GROUP_cmp(group1, group2, ctx) == 0;228if (!ret)229ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);230BN_CTX_free(ctx);231return ret;232}233234static int eckem_init(void *vctx, int operation, void *vec, void *vauth,235const OSSL_PARAM params[])236{237int rv;238PROV_EC_CTX *ctx = (PROV_EC_CTX *)vctx;239EC_KEY *ec = vec;240EC_KEY *auth = vauth;241242if (!ossl_prov_is_running())243return 0;244245if (!eckey_check(ec, operation == EVP_PKEY_OP_DECAPSULATE))246return 0;247rv = recipient_key_set(ctx, ec);248if (rv <= 0)249return rv;250251if (auth != NULL) {252if (!ossl_ec_match_params(ec, auth)253|| !eckey_check(auth, operation == EVP_PKEY_OP_ENCAPSULATE)254|| !sender_authkey_set(ctx, auth))255return 0;256}257258ctx->op = operation;259return eckem_set_ctx_params(vctx, params);260}261262static int eckem_encapsulate_init(void *vctx, void *vec,263const OSSL_PARAM params[])264{265return eckem_init(vctx, EVP_PKEY_OP_ENCAPSULATE, vec, NULL, params);266}267268static int eckem_decapsulate_init(void *vctx, void *vec,269const OSSL_PARAM params[])270{271return eckem_init(vctx, EVP_PKEY_OP_DECAPSULATE, vec, NULL, params);272}273274static int eckem_auth_encapsulate_init(void *vctx, void *vecx, void *vauthpriv,275const OSSL_PARAM params[])276{277return eckem_init(vctx, EVP_PKEY_OP_ENCAPSULATE, vecx, vauthpriv, params);278}279280static int eckem_auth_decapsulate_init(void *vctx, void *vecx, void *vauthpub,281const OSSL_PARAM params[])282{283return eckem_init(vctx, EVP_PKEY_OP_DECAPSULATE, vecx, vauthpub, params);284}285286static int eckem_set_ctx_params(void *vctx, const OSSL_PARAM params[])287{288PROV_EC_CTX *ctx = (PROV_EC_CTX *)vctx;289const OSSL_PARAM *p;290int mode;291292if (ossl_param_is_empty(params))293return 1;294295p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_IKME);296if (p != NULL) {297void *tmp = NULL;298size_t tmplen = 0;299300if (p->data != NULL && p->data_size != 0) {301if (!OSSL_PARAM_get_octet_string(p, &tmp, 0, &tmplen))302return 0;303}304OPENSSL_clear_free(ctx->ikm, ctx->ikmlen);305/* Set the ephemeral seed */306ctx->ikm = tmp;307ctx->ikmlen = tmplen;308}309310p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);311if (p != NULL) {312if (p->data_type != OSSL_PARAM_UTF8_STRING)313return 0;314mode = ossl_eckem_modename2id(p->data);315if (mode == KEM_MODE_UNDEFINED)316return 0;317ctx->mode = mode;318}319return 1;320}321322static const OSSL_PARAM known_settable_eckem_ctx_params[] = {323OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),324OSSL_PARAM_octet_string(OSSL_KEM_PARAM_IKME, NULL, 0),325OSSL_PARAM_END326};327328static const OSSL_PARAM *eckem_settable_ctx_params(ossl_unused void *vctx,329ossl_unused void *provctx)330{331return known_settable_eckem_ctx_params;332}333334/*335* See Section 4.1 DH-Based KEM (DHKEM) ExtractAndExpand336*/337static int dhkem_extract_and_expand(EVP_KDF_CTX *kctx,338unsigned char *okm, size_t okmlen,339uint16_t kemid,340const unsigned char *dhkm, size_t dhkmlen,341const unsigned char *kemctx,342size_t kemctxlen)343{344uint8_t suiteid[2];345uint8_t prk[EVP_MAX_MD_SIZE];346size_t prklen = okmlen;347int ret;348349if (prklen > sizeof(prk))350return 0;351352suiteid[0] = (kemid >> 8) & 0xff;353suiteid[1] = kemid & 0xff;354355ret = ossl_hpke_labeled_extract(kctx, prk, prklen,356NULL, 0, LABEL_KEM, suiteid, sizeof(suiteid),357OSSL_DHKEM_LABEL_EAE_PRK, dhkm, dhkmlen)358&& ossl_hpke_labeled_expand(kctx, okm, okmlen, prk, prklen,359LABEL_KEM, suiteid, sizeof(suiteid),360OSSL_DHKEM_LABEL_SHARED_SECRET,361kemctx, kemctxlen);362OPENSSL_cleanse(prk, prklen);363return ret;364}365366/*367* See Section 7.1.3 DeriveKeyPair.368*369* This function is used by ec keygen.370* (For this reason it does not use any of the state stored in PROV_EC_CTX).371*372* Params:373* ec An initialized ec key.374* priv The buffer to store the generated private key into (it is assumed375* this is of length alg->encodedprivlen).376* ikm buffer containing the input key material (seed). This must be set.377* ikmlen size of the ikm buffer in bytes378* Returns:379* 1 if successful or 0 otherwise.380*/381int ossl_ec_dhkem_derive_private(EC_KEY *ec, BIGNUM *priv,382const unsigned char *ikm, size_t ikmlen)383{384int ret = 0;385EVP_KDF_CTX *kdfctx = NULL;386uint8_t suiteid[2];387unsigned char prk[OSSL_HPKE_MAX_SECRET];388unsigned char privbuf[OSSL_HPKE_MAX_PRIVATE];389const BIGNUM *order;390unsigned char counter = 0;391const char *curve = ec_curvename_get0(ec);392const OSSL_HPKE_KEM_INFO *info;393394if (curve == NULL)395return -2;396397info = ossl_HPKE_KEM_INFO_find_curve(curve);398if (info == NULL)399return -2;400401kdfctx = ossl_kdf_ctx_create("HKDF", info->mdname,402ossl_ec_key_get_libctx(ec),403ossl_ec_key_get0_propq(ec));404if (kdfctx == NULL)405return 0;406407/* ikmlen should have a length of at least Nsk */408if (ikmlen < info->Nsk) {409ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH,410"ikm length is :%zu, should be at least %zu",411ikmlen, info->Nsk);412goto err;413}414415suiteid[0] = info->kem_id / 256;416suiteid[1] = info->kem_id % 256;417418if (!ossl_hpke_labeled_extract(kdfctx, prk, info->Nsecret,419NULL, 0, LABEL_KEM, suiteid, sizeof(suiteid),420OSSL_DHKEM_LABEL_DKP_PRK, ikm, ikmlen))421goto err;422423order = EC_GROUP_get0_order(EC_KEY_get0_group(ec));424do {425if (!ossl_hpke_labeled_expand(kdfctx, privbuf, info->Nsk,426prk, info->Nsecret,427LABEL_KEM, suiteid, sizeof(suiteid),428OSSL_DHKEM_LABEL_CANDIDATE,429&counter, 1))430goto err;431privbuf[0] &= info->bitmask;432if (BN_bin2bn(privbuf, info->Nsk, priv) == NULL)433goto err;434if (counter == 0xFF) {435ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);436goto err;437}438counter++;439} while (BN_is_zero(priv) || BN_cmp(priv, order) >= 0);440ret = 1;441err:442OPENSSL_cleanse(prk, sizeof(prk));443OPENSSL_cleanse(privbuf, sizeof(privbuf));444EVP_KDF_CTX_free(kdfctx);445return ret;446}447448/*449* Do a keygen operation without having to use EVP_PKEY.450* Params:451* ctx Context object452* ikm The seed material - if this is NULL, then a random seed is used.453* Returns:454* The generated EC key, or NULL on failure.455*/456static EC_KEY *derivekey(PROV_EC_CTX *ctx,457const unsigned char *ikm, size_t ikmlen)458{459int ret = 0;460EC_KEY *key;461unsigned char *seed = (unsigned char *)ikm;462size_t seedlen = ikmlen;463unsigned char tmpbuf[OSSL_HPKE_MAX_PRIVATE];464465key = EC_KEY_new_ex(ctx->libctx, ctx->propq);466if (key == NULL)467goto err;468if (!EC_KEY_set_group(key, EC_KEY_get0_group(ctx->recipient_key)))469goto err;470471/* Generate a random seed if there is no input ikm */472if (seed == NULL || seedlen == 0) {473seedlen = ctx->info->Nsk;474if (seedlen > sizeof(tmpbuf))475goto err;476if (RAND_priv_bytes_ex(ctx->libctx, tmpbuf, seedlen, 0) <= 0)477goto err;478seed = tmpbuf;479}480ret = ossl_ec_generate_key_dhkem(key, seed, seedlen);481err:482if (seed != ikm)483OPENSSL_cleanse(seed, seedlen);484if (ret <= 0) {485EC_KEY_free(key);486key = NULL;487}488return key;489}490491/*492* Before doing a key exchange the public key of the peer needs to be checked493* Note that the group check is not done here as we have already checked494* that it only uses one of the approved curve names when the key was set.495*496* Returns 1 if the public key is valid, or 0 if it fails.497*/498static int check_publickey(const EC_KEY *pub)499{500int ret = 0;501BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(pub));502503if (bnctx == NULL)504return 0;505ret = ossl_ec_key_public_check(pub, bnctx);506BN_CTX_free(bnctx);507508return ret;509}510511/*512* Do an ecdh key exchange.513* dhkm = DH(sender, peer)514*515* NOTE: Instead of using EVP_PKEY_derive() API's, we use EC_KEY operations516* to avoid messy conversions back to EVP_PKEY.517*518* Returns the size of the secret if successful, or 0 otherwise,519*/520static int generate_ecdhkm(const EC_KEY *sender, const EC_KEY *peer,521unsigned char *out, size_t maxout,522unsigned int secretsz)523{524const EC_GROUP *group = EC_KEY_get0_group(sender);525size_t secretlen = (EC_GROUP_get_degree(group) + 7) / 8;526527if (secretlen != secretsz || secretlen > maxout) {528ERR_raise_data(ERR_LIB_PROV, PROV_R_BAD_LENGTH, "secretsz invalid");529return 0;530}531532if (!check_publickey(peer))533return 0;534return ECDH_compute_key(out, secretlen, EC_KEY_get0_public_key(peer),535sender, NULL) > 0;536}537538/*539* Derive a secret using ECDH (code is shared by the encap and decap)540*541* dhkm = Concat(ecdh(privkey1, peerkey1), ecdh(privkey2, peerkey2)542* kemctx = Concat(sender_pub, recipient_pub, ctx->sender_authkey)543* secret = dhkem_extract_and_expand(kemid, dhkm, kemctx);544*545* Params:546* ctx Object that contains algorithm state and constants.547* secret The returned secret (with a length ctx->alg->secretlen bytes).548* privkey1 A private key used for ECDH key derivation.549* peerkey1 A public key used for ECDH key derivation with privkey1550* privkey2 A optional private key used for a second ECDH key derivation.551* It can be NULL.552* peerkey2 A optional public key used for a second ECDH key derivation553* with privkey2,. It can be NULL.554* sender_pub The senders public key in encoded form.555* recipient_pub The recipients public key in encoded form.556* Notes:557* The second ecdh() is only used for the HPKE auth modes when both privkey2558* and peerkey2 are non NULL (i.e. ctx->sender_authkey is not NULL).559*/560static int derive_secret(PROV_EC_CTX *ctx, unsigned char *secret,561const EC_KEY *privkey1, const EC_KEY *peerkey1,562const EC_KEY *privkey2, const EC_KEY *peerkey2,563const unsigned char *sender_pub,564const unsigned char *recipient_pub)565{566int ret = 0;567EVP_KDF_CTX *kdfctx = NULL;568unsigned char sender_authpub[OSSL_HPKE_MAX_PUBLIC];569unsigned char dhkm[OSSL_HPKE_MAX_PRIVATE * 2];570unsigned char kemctx[OSSL_HPKE_MAX_PUBLIC * 3];571size_t sender_authpublen;572size_t kemctxlen = 0, dhkmlen = 0;573const OSSL_HPKE_KEM_INFO *info = ctx->info;574size_t encodedpublen = info->Npk;575size_t encodedprivlen = info->Nsk;576int auth = ctx->sender_authkey != NULL;577578if (!generate_ecdhkm(privkey1, peerkey1, dhkm, sizeof(dhkm), encodedprivlen))579goto err;580dhkmlen = encodedprivlen;581kemctxlen = 2 * encodedpublen;582583/* Concat the optional second ECDH (used for Auth) */584if (auth) {585/* Get the public key of the auth sender in encoded form */586if (!ecpubkey_todata(ctx->sender_authkey, sender_authpub,587&sender_authpublen, sizeof(sender_authpub)))588goto err;589if (sender_authpublen != encodedpublen) {590ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,591"Invalid sender auth public key");592goto err;593}594if (!generate_ecdhkm(privkey2, peerkey2,595dhkm + dhkmlen, sizeof(dhkm) - dhkmlen,596encodedprivlen))597goto err;598dhkmlen += encodedprivlen;599kemctxlen += encodedpublen;600}601if (kemctxlen > sizeof(kemctx))602goto err;603604/* kemctx is the concat of both sides encoded public key */605memcpy(kemctx, sender_pub, info->Npk);606memcpy(kemctx + info->Npk, recipient_pub, info->Npk);607if (auth)608memcpy(kemctx + 2 * encodedpublen, sender_authpub, encodedpublen);609kdfctx = ossl_kdf_ctx_create(ctx->kdfname, info->mdname,610ctx->libctx, ctx->propq);611if (kdfctx == NULL)612goto err;613if (!dhkem_extract_and_expand(kdfctx, secret, info->Nsecret,614info->kem_id, dhkm, dhkmlen,615kemctx, kemctxlen))616goto err;617ret = 1;618err:619OPENSSL_cleanse(dhkm, dhkmlen);620EVP_KDF_CTX_free(kdfctx);621return ret;622}623624/*625* Do a DHKEM encapsulate operation.626*627* See Section 4.1 Encap() and AuthEncap()628*629* Params:630* ctx A context object holding the recipients public key and the631* optional senders auth private key.632* enc A buffer to return the senders ephemeral public key.633* Setting this to NULL allows the enclen and secretlen to return634* values, without calculating the secret.635* enclen Passes in the max size of the enc buffer and returns the636* encoded public key length.637* secret A buffer to return the calculated shared secret.638* secretlen Passes in the max size of the secret buffer and returns the639* secret length.640* Returns: 1 on success or 0 otherwise.641*/642static int dhkem_encap(PROV_EC_CTX *ctx,643unsigned char *enc, size_t *enclen,644unsigned char *secret, size_t *secretlen)645{646int ret = 0;647EC_KEY *sender_ephemkey = NULL;648unsigned char sender_pub[OSSL_HPKE_MAX_PUBLIC];649unsigned char recipient_pub[OSSL_HPKE_MAX_PUBLIC];650size_t sender_publen, recipient_publen;651const OSSL_HPKE_KEM_INFO *info = ctx->info;652653if (enc == NULL) {654if (enclen == NULL && secretlen == NULL)655return 0;656if (enclen != NULL)657*enclen = info->Nenc;658if (secretlen != NULL)659*secretlen = info->Nsecret;660return 1;661}662663if (*secretlen < info->Nsecret) {664ERR_raise_data(ERR_LIB_PROV, PROV_R_BAD_LENGTH, "*secretlen too small");665return 0;666}667if (*enclen < info->Nenc) {668ERR_raise_data(ERR_LIB_PROV, PROV_R_BAD_LENGTH, "*enclen too small");669return 0;670}671672/* Create an ephemeral key */673sender_ephemkey = derivekey(ctx, ctx->ikm, ctx->ikmlen);674if (sender_ephemkey == NULL)675goto err;676if (!ecpubkey_todata(sender_ephemkey, sender_pub, &sender_publen,677sizeof(sender_pub))678|| !ecpubkey_todata(ctx->recipient_key, recipient_pub,679&recipient_publen, sizeof(recipient_pub)))680goto err;681682if (sender_publen != info->Npk683|| recipient_publen != sender_publen) {684ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY, "Invalid public key");685goto err;686}687688if (!derive_secret(ctx, secret,689sender_ephemkey, ctx->recipient_key,690ctx->sender_authkey, ctx->recipient_key,691sender_pub, recipient_pub))692goto err;693694/* Return the senders ephemeral public key in encoded form */695memcpy(enc, sender_pub, sender_publen);696*enclen = sender_publen;697*secretlen = info->Nsecret;698ret = 1;699err:700EC_KEY_free(sender_ephemkey);701return ret;702}703704/*705* Do a DHKEM decapsulate operation.706* See Section 4.1 Decap() and Auth Decap()707*708* Params:709* ctx A context object holding the recipients private key and the710* optional senders auth public key.711* secret A buffer to return the calculated shared secret. Setting this to712* NULL can be used to return the secretlen.713* secretlen Passes in the max size of the secret buffer and returns the714* secret length.715* enc A buffer containing the senders ephemeral public key that was returned716* from dhkem_encap().717* enclen The length in bytes of enc.718* Returns: 1 If the shared secret is returned or 0 on error.719*/720static int dhkem_decap(PROV_EC_CTX *ctx,721unsigned char *secret, size_t *secretlen,722const unsigned char *enc, size_t enclen)723{724int ret = 0;725EC_KEY *sender_ephempubkey = NULL;726const OSSL_HPKE_KEM_INFO *info = ctx->info;727unsigned char recipient_pub[OSSL_HPKE_MAX_PUBLIC];728size_t recipient_publen;729size_t encodedpublen = info->Npk;730731if (secret == NULL) {732*secretlen = info->Nsecret;733return 1;734}735736if (*secretlen < info->Nsecret) {737ERR_raise_data(ERR_LIB_PROV, PROV_R_BAD_LENGTH, "*secretlen too small");738return 0;739}740if (enclen != encodedpublen) {741ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY, "Invalid enc public key");742return 0;743}744745sender_ephempubkey = eckey_frompub(ctx->recipient_key, enc, enclen);746if (sender_ephempubkey == NULL)747goto err;748if (!ecpubkey_todata(ctx->recipient_key, recipient_pub, &recipient_publen,749sizeof(recipient_pub)))750goto err;751if (recipient_publen != encodedpublen) {752ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY, "Invalid recipient public key");753goto err;754}755756if (!derive_secret(ctx, secret,757ctx->recipient_key, sender_ephempubkey,758ctx->recipient_key, ctx->sender_authkey,759enc, recipient_pub))760goto err;761*secretlen = info->Nsecret;762ret = 1;763err:764EC_KEY_free(sender_ephempubkey);765return ret;766}767768static int eckem_encapsulate(void *vctx, unsigned char *out, size_t *outlen,769unsigned char *secret, size_t *secretlen)770{771PROV_EC_CTX *ctx = (PROV_EC_CTX *)vctx;772773switch (ctx->mode) {774case KEM_MODE_DHKEM:775return dhkem_encap(ctx, out, outlen, secret, secretlen);776default:777ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);778return -2;779}780}781782static int eckem_decapsulate(void *vctx, unsigned char *out, size_t *outlen,783const unsigned char *in, size_t inlen)784{785PROV_EC_CTX *ctx = (PROV_EC_CTX *)vctx;786787switch (ctx->mode) {788case KEM_MODE_DHKEM:789return dhkem_decap(ctx, out, outlen, in, inlen);790default:791ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE);792return -2;793}794}795796const OSSL_DISPATCH ossl_ec_asym_kem_functions[] = {797{ OSSL_FUNC_KEM_NEWCTX, (void (*)(void))eckem_newctx },798{ OSSL_FUNC_KEM_ENCAPSULATE_INIT,799(void (*)(void))eckem_encapsulate_init },800{ OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))eckem_encapsulate },801{ OSSL_FUNC_KEM_DECAPSULATE_INIT,802(void (*)(void))eckem_decapsulate_init },803{ OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))eckem_decapsulate },804{ OSSL_FUNC_KEM_FREECTX, (void (*)(void))eckem_freectx },805{ OSSL_FUNC_KEM_SET_CTX_PARAMS,806(void (*)(void))eckem_set_ctx_params },807{ OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,808(void (*)(void))eckem_settable_ctx_params },809{ OSSL_FUNC_KEM_AUTH_ENCAPSULATE_INIT,810(void (*)(void))eckem_auth_encapsulate_init },811{ OSSL_FUNC_KEM_AUTH_DECAPSULATE_INIT,812(void (*)(void))eckem_auth_decapsulate_init },813OSSL_DISPATCH_END814};815816817