Remove ECDH_KDF_X9_62 and associated EVP glue. Removes a bit of unused code. This effectively reverts upstream's 25af7a5dbc05c7359d1d7f472d50d65a9d876b7e. It's new with OpenSSL 1.0.2 so nothing can be using it yet. We can restore it with tests if we end up wanting it later. (Also I think it might be misnamed. The KDF seems to be defined in X9.63, not X9.62.) Change-Id: I482daf681e0cf5c3bbdc72c57793f91448deaee8 Reviewed-on: https://boringssl-review.googlesource.com/2846 Reviewed-by: Adam Langley <agl@google.com>

commit: 1681d79ddfd5083a35ab52ddeeb510fd1a8e55b2 [log] [tgz]
author: David Benjamin <davidben@chromium.org> Tue Dec 30 06:46:52 2014 -0500
committer: Adam Langley <agl@google.com> Wed Jan 14 21:52:52 2015 +0000
tree: 67a444980d9df2b8d809f4154cd09dea2cf11f24
parent: c61517cb5a7fe72ccbc8c8e9f51055d69ed14e88 [diff]
diff --git a/crypto/ecdh/ecdh.c b/crypto/ecdh/ecdh.c
index 0d05653..6f9d0de 100644
--- a/crypto/ecdh/ecdh.c
+++ b/crypto/ecdh/ecdh.c

@@ -153,60 +153,3 @@
     OPENSSL_free(buf);
   return ret;
 }
-
-/* Key derivation function from X9.62/SECG */
-/* Way more than we will ever need */
-#define ECDH_KDF_MAX	(1 << 30)
-
-int ECDH_KDF_X9_62(uint8_t *out, size_t outlen, const uint8_t *Z,
-                   size_t Zlen, const uint8_t *sinfo, size_t sinfolen,
-                   const EVP_MD *md) {
-  EVP_MD_CTX mctx;
-  int rv = 0;
-  unsigned int i;
-  size_t mdlen;
-  uint8_t ctr[4];
-
-  if (sinfolen > ECDH_KDF_MAX || outlen > ECDH_KDF_MAX || Zlen > ECDH_KDF_MAX) {
-    return 0;
-  }
-  mdlen = EVP_MD_size(md);
-  EVP_MD_CTX_init(&mctx);
-
-  for (i = 1;; i++) {
-    uint8_t mtmp[EVP_MAX_MD_SIZE];
-    EVP_DigestInit_ex(&mctx, md, NULL);
-    ctr[3] = i & 0xFF;
-    ctr[2] = (i >> 8) & 0xFF;
-    ctr[1] = (i >> 16) & 0xFF;
-    ctr[0] = (i >> 24) & 0xFF;
-    if (!EVP_DigestUpdate(&mctx, Z, Zlen) ||
-        !EVP_DigestUpdate(&mctx, ctr, sizeof(ctr)) ||
-        !EVP_DigestUpdate(&mctx, sinfo, sinfolen)) {
-      goto err;
-    }
-
-    if (outlen >= mdlen) {
-      if (!EVP_DigestFinal(&mctx, out, NULL)) {
-        goto err;
-      }
-      outlen -= mdlen;
-      if (outlen == 0) {
-        break;
-      }
-      out += mdlen;
-    } else {
-      if (!EVP_DigestFinal(&mctx, mtmp, NULL)) {
-        goto err;
-      }
-      memcpy(out, mtmp, outlen);
-      OPENSSL_cleanse(mtmp, mdlen);
-      break;
-    }
-  }
-  rv = 1;
-
-err:
-  EVP_MD_CTX_cleanup(&mctx);
-  return rv;
-}

diff --git a/crypto/evp/p_ec.c b/crypto/evp/p_ec.c
index e429f77..fd9685f 100644
--- a/crypto/evp/p_ec.c
+++ b/crypto/evp/p_ec.c

@@ -76,19 +76,6 @@
   EC_GROUP *gen_group;
   /* message digest */
   const EVP_MD *md;
-  /* Duplicate key if custom cofactor needed */
-  EC_KEY *co_key;
-  /* Cofactor mode */
-  signed char cofactor_mode;
-  /* KDF (if any) to use for ECDH */
-  char kdf_type;
-  /* Message digest to use for key derivation */
-  const EVP_MD *kdf_md;
-  /* User key material */
-  unsigned char *kdf_ukm;
-  size_t kdf_ukmlen;
-  /* KDF output length */
-  size_t kdf_outlen;
 } EC_PKEY_CTX;
 
 
@@ -99,8 +86,6 @@
     return 0;
   }
   memset(dctx, 0, sizeof(EC_PKEY_CTX));
-  dctx->cofactor_mode = -1;
-  dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
 
   ctx->data = dctx;
 
@@ -123,24 +108,6 @@
   }
   dctx->md = sctx->md;
 
-  if (sctx->co_key) {
-    dctx->co_key = EC_KEY_dup(sctx->co_key);
-    if (!dctx->co_key) {
-      return 0;
-    }
-  }
-  dctx->kdf_type = sctx->kdf_type;
-  dctx->kdf_md = sctx->kdf_md;
-  dctx->kdf_outlen = sctx->kdf_outlen;
-  if (sctx->kdf_ukm) {
-    dctx->kdf_ukm = BUF_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
-    if (!dctx->kdf_ukm) {
-      return 0;
-    }
-  } else {
-    dctx->kdf_ukm = NULL;
-  }
-  dctx->kdf_ukmlen = sctx->kdf_ukmlen;
   return 1;
 }
 
@@ -153,12 +120,6 @@
   if (dctx->gen_group) {
     EC_GROUP_free(dctx->gen_group);
   }
-  if (dctx->co_key) {
-    EC_KEY_free(dctx->co_key);
-  }
-  if (dctx->kdf_ukm) {
-    OPENSSL_free(dctx->kdf_ukm);
-  }
   OPENSSL_free(dctx);
 }
 
@@ -209,14 +170,13 @@
   size_t outlen;
   const EC_POINT *pubkey = NULL;
   EC_KEY *eckey;
-  EC_PKEY_CTX *dctx = ctx->data;
 
   if (!ctx->pkey || !ctx->peerkey) {
     OPENSSL_PUT_ERROR(EVP, pkey_ec_derive, EVP_R_KEYS_NOT_SET);
     return 0;
   }
 
-  eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec;
+  eckey = ctx->pkey->pkey.ec;
 
   if (!key) {
     const EC_GROUP *group;
@@ -239,46 +199,6 @@
   return 1;
 }
 
-static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
-                              size_t *keylen) {
-  EC_PKEY_CTX *dctx = ctx->data;
-  uint8_t *ktmp = NULL;
-  size_t ktmplen;
-  int rv = 0;
-
-  if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
-    return pkey_ec_derive(ctx, key, keylen);
-  }
-  if (!key) {
-    *keylen = dctx->kdf_outlen;
-    return 1;
-  }
-  if (*keylen != dctx->kdf_outlen ||
-      !pkey_ec_derive(ctx, NULL, &ktmplen)) {
-    return 0;
-  }
-  ktmp = OPENSSL_malloc(ktmplen);
-  if (!ktmp) {
-    return 0;
-  }
-  if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) {
-    goto err;
-  }
-
-  if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen, dctx->kdf_ukm,
-                      dctx->kdf_ukmlen, dctx->kdf_md)) {
-    goto err;
-  }
-  rv = 1;
-
-err:
-  if (ktmp) {
-    OPENSSL_cleanse(ktmp, ktmplen);
-    OPENSSL_free(ktmp);
-  }
-  return rv;
-}
-
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
   EC_PKEY_CTX *dctx = ctx->data;
   EC_GROUP *group;
@@ -295,46 +215,6 @@
       dctx->gen_group = group;
       return 1;
 
-    case EVP_PKEY_CTRL_EC_KDF_TYPE:
-      if (p1 == -2)
-        return dctx->kdf_type;
-      if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
-        return -2;
-      dctx->kdf_type = p1;
-      return 1;
-
-    case EVP_PKEY_CTRL_EC_KDF_MD:
-      dctx->kdf_md = p2;
-      return 1;
-
-    case EVP_PKEY_CTRL_GET_EC_KDF_MD:
-      *(const EVP_MD **)p2 = dctx->kdf_md;
-      return 1;
-
-    case EVP_PKEY_CTRL_EC_KDF_OUTLEN:
-      if (p1 <= 0)
-        return -2;
-      dctx->kdf_outlen = (size_t)p1;
-      return 1;
-
-    case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN:
-      *(int *)p2 = dctx->kdf_outlen;
-      return 1;
-
-    case EVP_PKEY_CTRL_EC_KDF_UKM:
-      if (dctx->kdf_ukm)
-        OPENSSL_free(dctx->kdf_ukm);
-      dctx->kdf_ukm = p2;
-      if (p2)
-        dctx->kdf_ukmlen = p1;
-      else
-        dctx->kdf_ukmlen = 0;
-      return 1;
-
-    case EVP_PKEY_CTRL_GET_EC_KDF_UKM:
-      *(unsigned char **)p2 = dctx->kdf_ukm;
-      return dctx->kdf_ukmlen;
-
     case EVP_PKEY_CTRL_MD:
       if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
           EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
@@ -417,5 +297,5 @@
     pkey_ec_verify,         0 /* signctx_init */, 0 /* signctx */,
     0 /* verifyctx_init */, 0 /* verifyctx */,    0 /* encrypt_init */,
     0 /* encrypt */,        0 /* decrypt_init */, 0 /* decrypt */,
-    0 /* derive_init */,    pkey_ec_kdf_derive,   pkey_ec_ctrl,
+    0 /* derive_init */,    pkey_ec_derive,       pkey_ec_ctrl,
 };

diff --git a/include/openssl/ecdh.h b/include/openssl/ecdh.h
index 04cd38a..46cf839 100644
--- a/include/openssl/ecdh.h
+++ b/include/openssl/ecdh.h

@@ -90,13 +90,6 @@
                                     void *(*KDF)(const void *in, size_t inlen,
                                                  void *out, size_t *outlen));
 
-/* ECDH_KDF_X9_62 writes |outlen| bytes to |out| using the KDF from X9.62
- * applied to |Z| and |sinfo| and using the hash |md|. It returns one on
- * success and zero otherwise. */
-OPENSSL_EXPORT int ECDH_KDF_X9_62(uint8_t *out, size_t outlen, const uint8_t *Z,
-                                  size_t Zlen, const uint8_t *sinfo,
-                                  size_t sinfolen, const EVP_MD *md);
-
 
 #if defined(__cplusplus)
 }  /* extern C */

diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 9c2cf1f..4859b8a 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h

@@ -707,18 +707,6 @@
 /* EC specific */
 
 #define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID		(EVP_PKEY_ALG_CTRL + 1)
-#define EVP_PKEY_CTRL_EC_PARAM_ENC			(EVP_PKEY_ALG_CTRL + 2)
-#define EVP_PKEY_CTRL_EC_ECDH_COFACTOR			(EVP_PKEY_ALG_CTRL + 3)
-#define EVP_PKEY_CTRL_EC_KDF_TYPE			(EVP_PKEY_ALG_CTRL + 4)
-#define EVP_PKEY_CTRL_EC_KDF_MD				(EVP_PKEY_ALG_CTRL + 5)
-#define EVP_PKEY_CTRL_GET_EC_KDF_MD			(EVP_PKEY_ALG_CTRL + 6)
-#define EVP_PKEY_CTRL_EC_KDF_OUTLEN			(EVP_PKEY_ALG_CTRL + 7)
-#define EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN			(EVP_PKEY_ALG_CTRL + 8)
-#define EVP_PKEY_CTRL_EC_KDF_UKM			(EVP_PKEY_ALG_CTRL + 9)
-#define EVP_PKEY_CTRL_GET_EC_KDF_UKM			(EVP_PKEY_ALG_CTRL + 10)
-
-#define EVP_PKEY_ECDH_KDF_NONE 1
-#define EVP_PKEY_ECDH_KDF_X9_62 2
 
 
 /* Private functions */
commit	1681d79ddfd5083a35ab52ddeeb510fd1a8e55b2	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Tue Dec 30 06:46:52 2014 -0500
committer	Adam Langley <agl@google.com>	Wed Jan 14 21:52:52 2015 +0000
tree	67a444980d9df2b8d809f4154cd09dea2cf11f24
parent	c61517cb5a7fe72ccbc8c8e9f51055d69ed14e88 [diff]