From 0caac28c1fa2d62dbf7c5a6c65346f6d3399d22c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 15 Aug 2021 16:26:06 +0200
Subject: [PATCH 15/17] openssl: Convert deprecated ECDH_compute_key to
EVP_PKEY_derive
The EC_KEY functions are replaced by corresponding EVP_PKEY functions.
The tpm2_get_EC_public_key function is replaced by convert_pubkey_ECC
from lib/tpm2_convert.c.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
lib/tpm2_kdfe.c | 186 +++++++++++++++++++++++-------------------------
1 file changed, 89 insertions(+), 97 deletions(-)
diff --git a/lib/tpm2_kdfe.c b/lib/tpm2_kdfe.c
index 84718b9f..91027e32 100644
--- a/lib/tpm2_kdfe.c
+++ b/lib/tpm2_kdfe.c
@@ -5,12 +5,16 @@
#include <string.h>
#include <openssl/bn.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/ecdh.h>
-
+#else
+#include <openssl/core_names.h>
+#endif
#include <tss2/tss2_tpm2_types.h>
#include <tss2/tss2_mu.h>
#include "log.h"
+#include "tpm2_convert.h"
#include "tpm2_openssl.h"
#include "tpm2_alg_util.h"
#include "tpm2_util.h"
@@ -65,72 +69,18 @@ TSS2_RC tpm2_kdfe(
return rval;
}
-static EC_POINT * tpm2_get_EC_public_key(TPM2B_PUBLIC *public) {
- EC_POINT *q = NULL;
- BIGNUM *bn_qx, *bn_qy;
- EC_KEY *key;
- const EC_GROUP *group;
- bool rval;
- TPMS_ECC_PARMS *tpm_ecc = &public->publicArea.parameters.eccDetail;
- TPMS_ECC_POINT *tpm_point = &public->publicArea.unique.ecc;
-
- int nid = tpm2_ossl_curve_to_nid(tpm_ecc->curveID);
- if (nid < 0) {
- return NULL;
- }
-
- key = EC_KEY_new_by_curve_name(nid);
- if (!key) {
- LOG_ERR("Failed to create EC key from nid");
- return NULL;
- }
-
- bn_qx = BN_bin2bn(tpm_point->x.buffer, tpm_point->x.size, NULL);
- bn_qy = BN_bin2bn(tpm_point->y.buffer, tpm_point->y.size, NULL);
- if ((bn_qx == NULL) || (bn_qy == NULL)) {
- LOG_ERR("Could not convert EC public key to BN");
- goto out;
- }
- group = EC_KEY_get0_group(key);
- if (!group) {
- LOG_ERR("EC key missing group");
- goto out;
- }
- q = EC_POINT_new(group);
- if (q == NULL) {
- LOG_ERR("Could not allocate EC_POINT");
- goto out;
- }
-
- rval = EC_POINT_set_affine_coordinates_tss(group, q, bn_qx, bn_qy, NULL);
- if (rval == false) {
- LOG_ERR("Could not set affine_coordinates");
- EC_POINT_free(q);
- q = NULL;
- }
-
-out:
- if (bn_qx) {
- BN_free(bn_qx);
- }
- if (bn_qy) {
- BN_free(bn_qy);
- }
- if (key) {
- EC_KEY_free(key);
- }
-
- return q;
-}
-
-
-static bool get_public_key_from_ec_key(EC_KEY *key, TPMS_ECC_POINT *point) {
- BIGNUM *x = BN_new();
- BIGNUM *y = BN_new();
- const EC_POINT *pubkey = EC_KEY_get0_public_key(key);
+static bool get_public_key_from_ec_key(EVP_PKEY *pkey, TPMS_ECC_POINT *point) {
+ BIGNUM *x = NULL;
+ BIGNUM *y = NULL;
unsigned int nbx, nby;
bool result = false;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ EC_KEY *key = EVP_PKEY_get0_EC_KEY(pkey);
+ const EC_POINT *pubkey = EC_KEY_get0_public_key(key);
+
+ x = BN_new();
+ y = BN_new();
if ((x == NULL) || (y == NULL) || (pubkey == NULL)) {
LOG_ERR("Failed to allocate memory to store EC public key.");
goto out;
@@ -138,6 +88,18 @@ static bool get_public_key_from_ec_key(EC_KEY *key, TPMS_ECC_POINT *point) {
EC_POINT_get_affine_coordinates_tss(EC_KEY_get0_group(key),
pubkey, x, y, NULL);
+#else
+ int rc = EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_X, &x);
+ if (!rc) {
+ LOG_ERR("Failed to get EC public key X.");
+ goto out;
+ }
+ rc = EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &y);
+ if (!rc) {
+ LOG_ERR("Failed to get EC public key Y.");
+ goto out;
+ }
+#endif
nbx = BN_num_bytes(x);
nby = BN_num_bytes(y);
if ((nbx > sizeof(point->x.buffer))||
@@ -153,29 +115,41 @@ static bool get_public_key_from_ec_key(EC_KEY *key, TPMS_ECC_POINT *point) {
result = true;
out:
- if (x) {
- BN_free(x);
- }
- if (y) {
- BN_free(y);
- }
+ BN_free(x);
+ BN_free(y);
return result;
}
-static int get_ECDH_shared_secret(EC_KEY *key,
- const EC_POINT *p_pub, TPM2B_ECC_PARAMETER *secret) {
+static int get_ECDH_shared_secret(EVP_PKEY *pkey,
+ EVP_PKEY *p_pub, TPM2B_ECC_PARAMETER *secret) {
- int shared_secret_length;
+ EVP_PKEY_CTX *ctx;
+ int result = -1;
- shared_secret_length = EC_GROUP_get_degree(EC_KEY_get0_group(key));
- shared_secret_length = (shared_secret_length + 7) / 8;
- if ((size_t) shared_secret_length > sizeof(secret->buffer)) {
+ ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!ctx)
return -1;
- }
- secret->size = ECDH_compute_key(secret->buffer,
- shared_secret_length, p_pub, key, NULL);
- return secret->size;
+
+ int rc = EVP_PKEY_derive_init(ctx);
+ if (rc <= 0)
+ goto out;
+
+ rc = EVP_PKEY_derive_set_peer(ctx, p_pub);
+ if (rc <= 0)
+ goto out;
+
+ size_t shared_secret_length = sizeof(secret->buffer);
+ rc = EVP_PKEY_derive(ctx, secret->buffer, &shared_secret_length);
+ if (rc <= 0)
+ goto out;
+
+ secret->size = shared_secret_length;
+ result = secret->size;
+
+out:
+ EVP_PKEY_CTX_free(ctx);
+ return result;
}
@@ -190,25 +164,42 @@ bool ecdh_derive_seed_and_encrypted_seed(
TPMI_ALG_HASH parent_name_alg = parent_pub->publicArea.nameAlg;
UINT16 parent_hash_size = tpm2_alg_util_get_hash_size(parent_name_alg);
bool result = false;
- EC_KEY *key = NULL;
- EC_POINT *qsv = NULL;
+ EVP_PKEY_CTX *ctx;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY *qsv = NULL;
TPMS_ECC_POINT qeu;
bool qeu_is_valid;
TPM2B_ECC_PARAMETER ecc_secret;
// generate an ephemeral key
int nid = tpm2_ossl_curve_to_nid(tpm_ecc->curveID);
- if (nid >= 0) {
- key = EC_KEY_new_by_curve_name(nid);
- }
- if (key == NULL) {
- LOG_ERR("Failed to create EC key from curveID");
+
+ ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
+ if (!ctx) {
+ LOG_ERR("Failed to create key creation context");
return false;
}
- EC_KEY_generate_key(key);
+
+ int rc = EVP_PKEY_keygen_init(ctx);
+ if (rc <= 0) {
+ LOG_ERR("Failed to initialize key creation");
+ goto out;
+ }
+
+ rc = EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
+ if (rc <= 0) {
+ LOG_ERR("Failed to set EC curve NID %i", nid);
+ goto out;
+ }
+
+ rc = EVP_PKEY_keygen(ctx, &pkey);
+ if (rc <= 0) {
+ LOG_ERR("Failed to generate the ephemeral EC key");
+ goto out;
+ }
// get public key for the ephemeral key
- qeu_is_valid = get_public_key_from_ec_key(key, &qeu);
+ qeu_is_valid = get_public_key_from_ec_key(pkey, &qeu);
if (qeu_is_valid == false) {
LOG_ERR("Could not get the ECC public key");
goto out;
@@ -226,13 +217,17 @@ bool ecdh_derive_seed_and_encrypted_seed(
out_sym_seed->size = offset;
/* get parents public key */
- qsv = tpm2_get_EC_public_key(parent_pub);
+ qsv = convert_pubkey_ECC(&parent_pub->publicArea);
if (qsv == NULL) {
LOG_ERR("Could not get parent's public key");
goto out;
}
- get_ECDH_shared_secret(key, qsv, &ecc_secret);
+ rc = get_ECDH_shared_secret(pkey, qsv, &ecc_secret);
+ if (rc <= 0) {
+ LOG_ERR("Could not derive shared secret");
+ goto out;
+ }
/* derive seed using KDFe */
TPM2B_ECC_PARAMETER *party_u_info = &qeu.x;
@@ -244,11 +239,8 @@ bool ecdh_derive_seed_and_encrypted_seed(
result = true;
out:
- if (qsv) {
- EC_POINT_free(qsv);
- }
- if (key) {
- EC_KEY_free(key);
- }
+ EVP_PKEY_free(qsv);
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_CTX_free(ctx);
return result;
}
--
2.31.1