Handle KDF internally.

Handle KDF in ECDH_compute_key instead of requiring each implementation
support it. This modifies the compute_key method: now it allocates and
populates a buffer containing the shared secret.
Reviewed-by: NRich Salz <rsalz@openssl.org>

crypto/ec/ec_25519.c

@@ -293,10 +293,8 @@ static int x25519_point_cmp(const EC_GROUP *group, const EC_POINT *a,
     return 1;
 }
 
-static int x25519_compute_key(void *out, size_t outlen,
-                              const EC_POINT *pub_key, const EC_KEY *ecdh,
-                              void *(*KDF) (const void *in, size_t inlen,
-                                            void *out, size_t *outlen))
+static int x25519_compute_key(unsigned char **psec, size_t *pseclen,
+                              const EC_POINT *pub_key, const EC_KEY *ecdh)
 {
     unsigned char *key;
     int ret = -1;
@@ -304,19 +302,12 @@ static int x25519_compute_key(void *out, size_t outlen,
         return -1;
     key = OPENSSL_malloc(EC_X25519_KEYLEN);
     if (key == NULL)
-        return -1;
+        return 0;
     if (X25519(key, ecdh->custom_data, pub_key->custom_data) == 0)
         goto err;
-    if (KDF) {
-        if (KDF(key, EC_X25519_KEYLEN, out, &outlen) == NULL)
-            goto err;
-        ret = outlen;
-    } else {
-        if (outlen > EC_X25519_KEYLEN)
-            outlen = EC_X25519_KEYLEN;
-        memcpy(out, key, outlen);
-        ret = outlen;
-    }
+    *psec = key;
+    *pseclen = EC_X25519_KEYLEN;
+    return 1;
 
  err:
     OPENSSL_clear_free(key, EC_X25519_KEYLEN);

crypto/ec/ec_kmeth.c

@@ -51,6 +51,7 @@
  * ====================================================================
  */
 
+#include <string.h>
 #include <openssl/ec.h>
 #ifndef OPENSSL_NO_ENGINE
 # include <openssl/engine.h>
@@ -165,10 +166,27 @@ int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
                      void *(*KDF) (const void *in, size_t inlen, void *out,
                                    size_t *outlen))
 {
-    if (eckey->meth->compute_key != NULL)
-        return eckey->meth->compute_key(out, outlen, pub_key, eckey, KDF);
-    ECerr(EC_F_ECDH_COMPUTE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
-    return 0;
+    unsigned char *sec = NULL;
+    size_t seclen;
+    if (eckey->meth->compute_key == NULL) {
+        ECerr(EC_F_ECDH_COMPUTE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
+        return 0;
+    }
+    if (outlen > INT_MAX) {
+        ECerr(EC_F_ECDH_COMPUTE_KEY, EC_R_INVALID_OUTPUT_LENGTH);
+        return 0;
+    }
+    if (!eckey->meth->compute_key(&sec, &seclen, pub_key, eckey))
+        return 0;
+    if (KDF != NULL) {
+        KDF(sec, seclen, out, &outlen);
+    } else {
+        if (outlen > seclen)
+            outlen = seclen;
+        memcpy(out, sec, outlen);
+    }
+    OPENSSL_clear_free(sec, seclen);
+    return outlen;
 }
 
 EC_KEY_METHOD *EC_KEY_METHOD_new(const EC_KEY_METHOD *meth)
@@ -214,14 +232,10 @@ void EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth,
 }
 
 void EC_KEY_METHOD_set_compute_key(EC_KEY_METHOD *meth,
-                                   int (*ckey)(void *out,
-                                               size_t outlen,
+                                   int (*ckey)(unsigned char **psec,
+                                               size_t *pseclen,
                                                const EC_POINT *pub_key,
-                                               const EC_KEY *ecdh,
-                                               void *(*KDF) (const void *in,
-                                                             size_t inlen,
-                                                             void *out,
-                                                             size_t *outlen)))
+                                               const EC_KEY *ecdh))
 {
     meth->compute_key = ckey;
 }
@@ -292,14 +306,10 @@ void EC_KEY_METHOD_get_keygen(EC_KEY_METHOD *meth,
 }
 
 void EC_KEY_METHOD_get_compute_key(EC_KEY_METHOD *meth,
-                                   int (**pck)(void *out,
-                                               size_t outlen,
+                                   int (**pck)(unsigned char **pout,
+                                               size_t *poutlen,
                                                const EC_POINT *pub_key,
-                                               const EC_KEY *ecdh,
-                                               void *(*KDF) (const void *in,
-                                                             size_t inlen,
-                                                             void *out,
-                                                             size_t *outlen)))
+                                               const EC_KEY *ecdh))
 {
     if (pck != NULL)
         *pck = meth->compute_key;

crypto/ec/ec_lcl.h

@@ -212,10 +212,8 @@ struct ec_method_st {
     int (*keycopy)(EC_KEY *dst, const EC_KEY *src);
     void (*keyfinish)(EC_KEY *eckey);
     /* custom ECDH operation */
-    int (*ecdh_compute_key)(void *out, size_t outlen, const EC_POINT *pub_key,
-                            const EC_KEY *ecdh,
-                            void *(*KDF) (const void *in, size_t inlen,
-                                          void *out, size_t *outlen));
+    int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
+                            const EC_POINT *pub_key, const EC_KEY *ecdh);
 } /* EC_METHOD */ ;
 
 /*
@@ -616,11 +614,8 @@ struct ec_key_method_st {
     int (*set_private)(EC_KEY *key, const BIGNUM *priv_key);
     int (*set_public)(EC_KEY *key, const EC_POINT *pub_key);
     int (*keygen)(EC_KEY *key);
-    int (*compute_key)(void *out, size_t outlen, const EC_POINT *pub_key,
-                       const EC_KEY *ecdh,
-                       void *(*KDF) (const void *in, size_t inlen,
-                                     void *out, size_t *outlen));
-
+    int (*compute_key)(unsigned char **pout, size_t *poutlen,
+                       const EC_POINT *pub_key, const EC_KEY *ecdh);
     int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char
                 *sig, unsigned int *siglen, const BIGNUM *kinv,
                 const BIGNUM *r, EC_KEY *eckey);
@@ -639,14 +634,10 @@ struct ec_key_method_st {
 #define EC_KEY_METHOD_DYNAMIC   1
 
 int ossl_ec_key_gen(EC_KEY *eckey);
-int ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
-                          const EC_KEY *ecdh,
-                          void *(*KDF) (const void *in, size_t inlen,
-                                        void *out, size_t *outlen));
-int ecdh_simple_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
-                            const EC_KEY *ecdh,
-                            void *(*KDF) (const void *in, size_t inlen,
-                                          void *out, size_t *outlen));
+int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
+                          const EC_POINT *pub_key, const EC_KEY *ecdh);
+int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
+                            const EC_POINT *pub_key, const EC_KEY *ecdh);
 
 struct ECDSA_SIG_st {
     BIGNUM *r;

crypto/ec/ecdh_ossl.c

@@ -77,46 +77,34 @@
 #include <openssl/ec.h>
 #include "ec_lcl.h"
 
-int ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
-                          const EC_KEY *ecdh,
-                          void *(*KDF) (const void *in, size_t inlen,
-                                        void *out, size_t *outlen))
+int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
+                          const EC_POINT *pub_key, const EC_KEY *ecdh)
 {
     if (ecdh->group->meth->ecdh_compute_key == NULL) {
         ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
         return -1;
     }
 
-    return ecdh->group->meth->ecdh_compute_key(out, outlen, pub_key, ecdh,
-                                               KDF);
+    return ecdh->group->meth->ecdh_compute_key(psec, pseclen, pub_key, ecdh);
 }
 
 /*-
  * This implementation is based on the following primitives in the IEEE 1363 standard:
  *  - ECKAS-DH1
  *  - ECSVDP-DH
- * Finally an optional KDF is applied.
  */
-int ecdh_simple_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
-                            const EC_KEY *ecdh,
-                            void *(*KDF) (const void *in, size_t inlen,
-                                          void *out, size_t *outlen))
+int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
+                            const EC_POINT *pub_key, const EC_KEY *ecdh)
 {
     BN_CTX *ctx;
     EC_POINT *tmp = NULL;
     BIGNUM *x = NULL, *y = NULL;
     const BIGNUM *priv_key;
     const EC_GROUP *group;
-    int ret = -1;
+    int ret = 0;
     size_t buflen, len;
     unsigned char *buf = NULL;
 
-    if (outlen > INT_MAX) {
-        /* sort of, anyway */
-        ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
-        return -1;
-    }
-
     if ((ctx = BN_CTX_new()) == NULL)
         goto err;
     BN_CTX_start(ctx);
@@ -183,19 +171,11 @@ int ecdh_simple_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
         goto err;
     }
 
-    if (KDF != 0) {
-        if (KDF(buf, buflen, out, &outlen) == NULL) {
-            ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_KDF_FAILED);
-            goto err;
-        }
-        ret = outlen;
-    } else {
-        /* no KDF, just copy as much as we can */
-        if (outlen > buflen)
-            outlen = buflen;
-        memcpy(out, buf, outlen);
-        ret = outlen;
-    }
+    *pout = buf;
+    *poutlen = buflen;
+    buf = NULL;
+
+    ret = 1;
 
  err:
     EC_POINT_free(tmp);
@@ -203,5 +183,5 @@ int ecdh_simple_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
         BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     OPENSSL_free(buf);
-    return (ret);
+    return ret;
 }

include/openssl/ec.h

@@ -1231,14 +1231,10 @@ void EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth,
                               int (*keygen)(EC_KEY *key));
 
 void EC_KEY_METHOD_set_compute_key(EC_KEY_METHOD *meth,
-                                   int (*ckey)(void *out,
-                                               size_t outlen,
+                                   int (*ckey)(unsigned char **psec,
+                                               size_t *pseclen,
                                                const EC_POINT *pub_key,
-                                               const EC_KEY *ecdh,
-                                               void *(*KDF) (const void *in,
-                                                             size_t inlen,
-                                                             void *out,
-                                                             size_t *outlen)));
+                                               const EC_KEY *ecdh));
 
 void EC_KEY_METHOD_set_sign(EC_KEY_METHOD *meth,
                             int (*sign)(int type, const unsigned char *dgst,
@@ -1279,14 +1275,10 @@ void EC_KEY_METHOD_get_keygen(EC_KEY_METHOD *meth,
                               int (**pkeygen)(EC_KEY *key));
 
 void EC_KEY_METHOD_get_compute_key(EC_KEY_METHOD *meth,
-                                   int (**pck)(void *out,
-                                               size_t outlen,
+                                   int (**pck)(unsigned char **psec,
+                                               size_t *pseclen,
                                                const EC_POINT *pub_key,
-                                               const EC_KEY *ecdh,
-                                               void *(*KDF) (const void *in,
-                                                             size_t inlen,
-                                                             void *out,
-                                                             size_t *outlen)));
+                                               const EC_KEY *ecdh));
 
 void EC_KEY_METHOD_get_sign(EC_KEY_METHOD *meth,
                             int (**psign)(int type, const unsigned char *dgst,