kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5667 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9978f0a865
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9978f0a865'
${ noResults }
boringssl/crypto/ec_extra/ec_asn1.c

563 lines
18 KiB
Raw Blame History 

  1. /* Written by Nils Larsch for the OpenSSL project. */

  2. /* ====================================================================

  3.  * Copyright (c) 2000-2003 The OpenSSL Project.  All rights reserved.

  4.  *

  5.  * Redistribution and use in source and binary forms, with or without

  6.  * modification, are permitted provided that the following conditions

  7.  * are met:

  8.  *

  9.  * 1. Redistributions of source code must retain the above copyright

  10.  *    notice, this list of conditions and the following disclaimer. 

  11.  *

  12.  * 2. Redistributions in binary form must reproduce the above copyright

  13.  *    notice, this list of conditions and the following disclaimer in

  14.  *    the documentation and/or other materials provided with the

  15.  *    distribution.

  16.  *

  17.  * 3. All advertising materials mentioning features or use of this

  18.  *    software must display the following acknowledgment:

  19.  *    "This product includes software developed by the OpenSSL Project

  20.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  21.  *

  22.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  23.  *    endorse or promote products derived from this software without

  24.  *    prior written permission. For written permission, please contact

  25.  *    licensing@OpenSSL.org.

  26.  *

  27.  * 5. Products derived from this software may not be called "OpenSSL"

  28.  *    nor may "OpenSSL" appear in their names without prior written

  29.  *    permission of the OpenSSL Project.

  30.  *

  31.  * 6. Redistributions of any form whatsoever must retain the following

  32.  *    acknowledgment:

  33.  *    "This product includes software developed by the OpenSSL Project

  34.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  35.  *

  36.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  37.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  38.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  39.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  40.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  41.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  42.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  43.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  44.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  45.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  46.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  47.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  48.  * ====================================================================

  49.  *

  50.  * This product includes cryptographic software written by Eric Young

  51.  * (eay@cryptsoft.com).  This product includes software written by Tim

  52.  * Hudson (tjh@cryptsoft.com). */

  53. 

  54. #include <openssl/ec.h>

  55. 

  56. #include <limits.h>

  57. #include <string.h>

  58. 

  59. #include <openssl/bytestring.h>

  60. #include <openssl/bn.h>

  61. #include <openssl/err.h>

  62. #include <openssl/mem.h>

  63. #include <openssl/nid.h>

  64. 

  65. #include "../fipsmodule/ec/internal.h"

  66. #include "../bytestring/internal.h"

  67. #include "../internal.h"

  68. 

  69. 

  70. static const unsigned kParametersTag =

  71.     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0;

  72. static const unsigned kPublicKeyTag =

  73.     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;

  74. 

  75. EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {

  76.   CBS ec_private_key, private_key;

  77.   uint64_t version;

  78.   if (!CBS_get_asn1(cbs, &ec_private_key, CBS_ASN1_SEQUENCE) ||

  79.       !CBS_get_asn1_uint64(&ec_private_key, &version) ||

  80.       version != 1 ||

  81.       !CBS_get_asn1(&ec_private_key, &private_key, CBS_ASN1_OCTETSTRING)) {

  82.     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  83.     return NULL;

  84.   }

  85. 

  86.   // Parse the optional parameters field.

  87.   EC_GROUP *inner_group = NULL;

  88.   EC_KEY *ret = NULL;

  89.   BIGNUM *priv_key = NULL;

  90.   if (CBS_peek_asn1_tag(&ec_private_key, kParametersTag)) {

  91.     // Per SEC 1, as an alternative to omitting it, one is allowed to specify

  92.     // this field and put in a NULL to mean inheriting this value. This was

  93.     // omitted in a previous version of this logic without problems, so leave it

  94.     // unimplemented.

  95.     CBS child;

  96.     if (!CBS_get_asn1(&ec_private_key, &child, kParametersTag)) {

  97.       OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  98.       goto err;

  99.     }

  100.     inner_group = EC_KEY_parse_parameters(&child);

  101.     if (inner_group == NULL) {

  102.       goto err;

  103.     }

  104.     if (group == NULL) {

  105.       group = inner_group;

  106.     } else if (EC_GROUP_cmp(group, inner_group, NULL) != 0) {

  107.       // If a group was supplied externally, it must match.

  108.       OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);

  109.       goto err;

  110.     }

  111.     if (CBS_len(&child) != 0) {

  112.       OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  113.       goto err;

  114.     }

  115.   }

  116. 

  117.   if (group == NULL) {

  118.     OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);

  119.     goto err;

  120.   }

  121. 

  122.   ret = EC_KEY_new();

  123.   if (ret == NULL || !EC_KEY_set_group(ret, group)) {

  124.     goto err;

  125.   }

  126. 

  127.   // Although RFC 5915 specifies the length of the key, OpenSSL historically

  128.   // got this wrong, so accept any length. See upstream's

  129.   // 30cd4ff294252c4b6a4b69cbef6a5b4117705d22.

  130.   priv_key = BN_bin2bn(CBS_data(&private_key), CBS_len(&private_key), NULL);

  131.   ret->pub_key = EC_POINT_new(group);

  132.   if (priv_key == NULL || ret->pub_key == NULL ||

  133.       !EC_KEY_set_private_key(ret, priv_key)) {

  134.     goto err;

  135.   }

  136. 

  137.   if (CBS_peek_asn1_tag(&ec_private_key, kPublicKeyTag)) {

  138.     CBS child, public_key;

  139.     uint8_t padding;

  140.     if (!CBS_get_asn1(&ec_private_key, &child, kPublicKeyTag) ||

  141.         !CBS_get_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||

  142.         // As in a SubjectPublicKeyInfo, the byte-encoded public key is then

  143.         // encoded as a BIT STRING with bits ordered as in the DER encoding.

  144.         !CBS_get_u8(&public_key, &padding) ||

  145.         padding != 0 ||

  146.         // Explicitly check |public_key| is non-empty to save the conversion

  147.         // form later.

  148.         CBS_len(&public_key) == 0 ||

  149.         !EC_POINT_oct2point(group, ret->pub_key, CBS_data(&public_key),

  150.                             CBS_len(&public_key), NULL) ||

  151.         CBS_len(&child) != 0) {

  152.       OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  153.       goto err;

  154.     }

  155. 

  156.     // Save the point conversion form.

  157.     // TODO(davidben): Consider removing this.

  158.     ret->conv_form =

  159.         (point_conversion_form_t)(CBS_data(&public_key)[0] & ~0x01);

  160.   } else {

  161.     // Compute the public key instead.

  162.     if (!ec_point_mul_scalar(group, &ret->pub_key->raw, &ret->priv_key->scalar,

  163.                              NULL, NULL)) {

  164.       goto err;

  165.     }

  166.     // Remember the original private-key-only encoding.

  167.     // TODO(davidben): Consider removing this.

  168.     ret->enc_flag |= EC_PKEY_NO_PUBKEY;

  169.   }

  170. 

  171.   if (CBS_len(&ec_private_key) != 0) {

  172.     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  173.     goto err;

  174.   }

  175. 

  176.   // Ensure the resulting key is valid.

  177.   if (!EC_KEY_check_key(ret)) {

  178.     goto err;

  179.   }

  180. 

  181.   BN_free(priv_key);

  182.   EC_GROUP_free(inner_group);

  183.   return ret;

  184. 

  185. err:

  186.   EC_KEY_free(ret);

  187.   BN_free(priv_key);

  188.   EC_GROUP_free(inner_group);

  189.   return NULL;

  190. }

  191. 

  192. int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key,

  193.                                unsigned enc_flags) {

  194.   if (key == NULL || key->group == NULL || key->priv_key == NULL) {

  195.     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);

  196.     return 0;

  197.   }

  198. 

  199.   CBB ec_private_key, private_key;

  200.   if (!CBB_add_asn1(cbb, &ec_private_key, CBS_ASN1_SEQUENCE) ||

  201.       !CBB_add_asn1_uint64(&ec_private_key, 1 /* version */) ||

  202.       !CBB_add_asn1(&ec_private_key, &private_key, CBS_ASN1_OCTETSTRING) ||

  203.       !BN_bn2cbb_padded(&private_key,

  204.                         BN_num_bytes(EC_GROUP_get0_order(key->group)),

  205.                         EC_KEY_get0_private_key(key))) {

  206.     OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);

  207.     return 0;

  208.   }

  209. 

  210.   if (!(enc_flags & EC_PKEY_NO_PARAMETERS)) {

  211.     CBB child;

  212.     if (!CBB_add_asn1(&ec_private_key, &child, kParametersTag) ||

  213.         !EC_KEY_marshal_curve_name(&child, key->group) ||

  214.         !CBB_flush(&ec_private_key)) {

  215.       OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);

  216.       return 0;

  217.     }

  218.   }

  219. 

  220.   // TODO(fork): replace this flexibility with sensible default?

  221.   if (!(enc_flags & EC_PKEY_NO_PUBKEY) && key->pub_key != NULL) {

  222.     CBB child, public_key;

  223.     if (!CBB_add_asn1(&ec_private_key, &child, kPublicKeyTag) ||

  224.         !CBB_add_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||

  225.         // As in a SubjectPublicKeyInfo, the byte-encoded public key is then

  226.         // encoded as a BIT STRING with bits ordered as in the DER encoding.

  227.         !CBB_add_u8(&public_key, 0 /* padding */) ||

  228.         !EC_POINT_point2cbb(&public_key, key->group, key->pub_key,

  229.                             key->conv_form, NULL) ||

  230.         !CBB_flush(&ec_private_key)) {

  231.       OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);

  232.       return 0;

  233.     }

  234.   }

  235. 

  236.   if (!CBB_flush(cbb)) {

  237.     OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);

  238.     return 0;

  239.   }

  240. 

  241.   return 1;

  242. }

  243. 

  244. // is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and

  245. // zero otherwise.

  246. static int is_unsigned_integer(const CBS *cbs) {

  247.   if (CBS_len(cbs) == 0) {

  248.     return 0;

  249.   }

  250.   uint8_t byte = CBS_data(cbs)[0];

  251.   if ((byte & 0x80) ||

  252.       (byte == 0 && CBS_len(cbs) > 1 && (CBS_data(cbs)[1] & 0x80) == 0)) {

  253.     // Negative or not minimally-encoded.

  254.     return 0;

  255.   }

  256.   return 1;

  257. }

  258. 

  259. // kPrimeFieldOID is the encoding of 1.2.840.10045.1.1.

  260. static const uint8_t kPrimeField[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01};

  261. 

  262. static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,

  263.                                       CBS *out_b, CBS *out_base_x,

  264.                                       CBS *out_base_y, CBS *out_order) {

  265.   // See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an

  266.   // ECParameters while RFC 5480 calls it a SpecifiedECDomain.

  267.   CBS params, field_id, field_type, curve, base;

  268.   uint64_t version;

  269.   if (!CBS_get_asn1(in, &params, CBS_ASN1_SEQUENCE) ||

  270.       !CBS_get_asn1_uint64(&params, &version) ||

  271.       version != 1 ||

  272.       !CBS_get_asn1(&params, &field_id, CBS_ASN1_SEQUENCE) ||

  273.       !CBS_get_asn1(&field_id, &field_type, CBS_ASN1_OBJECT) ||

  274.       CBS_len(&field_type) != sizeof(kPrimeField) ||

  275.       OPENSSL_memcmp(CBS_data(&field_type), kPrimeField, sizeof(kPrimeField)) != 0 ||

  276.       !CBS_get_asn1(&field_id, out_prime, CBS_ASN1_INTEGER) ||

  277.       !is_unsigned_integer(out_prime) ||

  278.       CBS_len(&field_id) != 0 ||

  279.       !CBS_get_asn1(&params, &curve, CBS_ASN1_SEQUENCE) ||

  280.       !CBS_get_asn1(&curve, out_a, CBS_ASN1_OCTETSTRING) ||

  281.       !CBS_get_asn1(&curve, out_b, CBS_ASN1_OCTETSTRING) ||

  282.       // |curve| has an optional BIT STRING seed which we ignore.

  283.       !CBS_get_asn1(&params, &base, CBS_ASN1_OCTETSTRING) ||

  284.       !CBS_get_asn1(&params, out_order, CBS_ASN1_INTEGER) ||

  285.       !is_unsigned_integer(out_order)) {

  286.     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  287.     return 0;

  288.   }

  289. 

  290.   // |params| has an optional cofactor which we ignore. With the optional seed

  291.   // in |curve|, a group already has arbitrarily many encodings. Parse enough to

  292.   // uniquely determine the curve.

  293. 

  294.   // Require that the base point use uncompressed form.

  295.   uint8_t form;

  296.   if (!CBS_get_u8(&base, &form) || form != POINT_CONVERSION_UNCOMPRESSED) {

  297.     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);

  298.     return 0;

  299.   }

  300. 

  301.   if (CBS_len(&base) % 2 != 0) {

  302.     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  303.     return 0;

  304.   }

  305.   size_t field_len = CBS_len(&base) / 2;

  306.   CBS_init(out_base_x, CBS_data(&base), field_len);

  307.   CBS_init(out_base_y, CBS_data(&base) + field_len, field_len);

  308. 

  309.   return 1;

  310. }

  311. 

  312. // integers_equal returns one if |a| and |b| are equal, up to leading zeros, and

  313. // zero otherwise.

  314. static int integers_equal(const CBS *a, const uint8_t *b, size_t b_len) {

  315.   // Remove leading zeros from |a| and |b|.

  316.   CBS a_copy = *a;

  317.   while (CBS_len(&a_copy) > 0 && CBS_data(&a_copy)[0] == 0) {

  318.     CBS_skip(&a_copy, 1);

  319.   }

  320.   while (b_len > 0 && b[0] == 0) {

  321.     b++;

  322.     b_len--;

  323.   }

  324.   return CBS_mem_equal(&a_copy, b, b_len);

  325. }

  326. 

  327. EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) {

  328.   CBS named_curve;

  329.   if (!CBS_get_asn1(cbs, &named_curve, CBS_ASN1_OBJECT)) {

  330.     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  331.     return NULL;

  332.   }

  333. 

  334.   // Look for a matching curve.

  335.   const struct built_in_curves *const curves = OPENSSL_built_in_curves();

  336.   for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {

  337.     const struct built_in_curve *curve = &curves->curves[i];

  338.     if (CBS_len(&named_curve) == curve->oid_len &&

  339.         OPENSSL_memcmp(CBS_data(&named_curve), curve->oid, curve->oid_len) ==

  340.             0) {

  341.       return EC_GROUP_new_by_curve_name(curve->nid);

  342.     }

  343.   }

  344. 

  345.   OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);

  346.   return NULL;

  347. }

  348. 

  349. int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group) {

  350.   int nid = EC_GROUP_get_curve_name(group);

  351.   if (nid == NID_undef) {

  352.     OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);

  353.     return 0;

  354.   }

  355. 

  356.   const struct built_in_curves *const curves = OPENSSL_built_in_curves();

  357.   for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {

  358.     const struct built_in_curve *curve = &curves->curves[i];

  359.     if (curve->nid == nid) {

  360.       CBB child;

  361.       return CBB_add_asn1(cbb, &child, CBS_ASN1_OBJECT) &&

  362.              CBB_add_bytes(&child, curve->oid, curve->oid_len) &&

  363.              CBB_flush(cbb);

  364.     }

  365.   }

  366. 

  367.   OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);

  368.   return 0;

  369. }

  370. 

  371. EC_GROUP *EC_KEY_parse_parameters(CBS *cbs) {

  372.   if (!CBS_peek_asn1_tag(cbs, CBS_ASN1_SEQUENCE)) {

  373.     return EC_KEY_parse_curve_name(cbs);

  374.   }

  375. 

  376.   // OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions

  377.   // of named curves.

  378.   //

  379.   // TODO(davidben): Remove support for this.

  380.   CBS prime, a, b, base_x, base_y, order;

  381.   if (!parse_explicit_prime_curve(cbs, &prime, &a, &b, &base_x, &base_y,

  382.                                   &order)) {

  383.     return NULL;

  384.   }

  385. 

  386.   // Look for a matching prime curve.

  387.   const struct built_in_curves *const curves = OPENSSL_built_in_curves();

  388.   for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {

  389.     const struct built_in_curve *curve = &curves->curves[i];

  390.     const unsigned param_len = curve->param_len;

  391.     // |curve->params| is ordered p, a, b, x, y, order, each component

  392.     // zero-padded up to the field length. Although SEC 1 states that the

  393.     // Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes

  394.     // |a| and |b|, so this comparison must allow omitting leading zeros. (This

  395.     // is relevant for P-521 whose |b| has a leading 0.)

  396.     if (integers_equal(&prime, curve->params, param_len) &&

  397.         integers_equal(&a, curve->params + param_len, param_len) &&

  398.         integers_equal(&b, curve->params + param_len * 2, param_len) &&

  399.         integers_equal(&base_x, curve->params + param_len * 3, param_len) &&

  400.         integers_equal(&base_y, curve->params + param_len * 4, param_len) &&

  401.         integers_equal(&order, curve->params + param_len * 5, param_len)) {

  402.       return EC_GROUP_new_by_curve_name(curve->nid);

  403.     }

  404.   }

  405. 

  406.   OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);

  407.   return NULL;

  408. }

  409. 

  410. int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point,

  411.                        point_conversion_form_t form, BN_CTX *ctx) {

  412.   size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx);

  413.   if (len == 0) {

  414.     return 0;

  415.   }

  416.   uint8_t *p;

  417.   return CBB_add_space(out, &p, len) &&

  418.          EC_POINT_point2oct(group, point, form, p, len, ctx) == len;

  419. }

  420. 

  421. EC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {

  422.   // This function treats its |out| parameter differently from other |d2i|

  423.   // functions. If supplied, take the group from |*out|.

  424.   const EC_GROUP *group = NULL;

  425.   if (out != NULL && *out != NULL) {

  426.     group = EC_KEY_get0_group(*out);

  427.   }

  428. 

  429.   if (len < 0) {

  430.     OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);

  431.     return NULL;

  432.   }

  433.   CBS cbs;

  434.   CBS_init(&cbs, *inp, (size_t)len);

  435.   EC_KEY *ret = EC_KEY_parse_private_key(&cbs, group);

  436.   if (ret == NULL) {

  437.     return NULL;

  438.   }

  439.   if (out != NULL) {

  440.     EC_KEY_free(*out);

  441.     *out = ret;

  442.   }

  443.   *inp = CBS_data(&cbs);

  444.   return ret;

  445. }

  446. 

  447. int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) {

  448.   CBB cbb;

  449.   if (!CBB_init(&cbb, 0) ||

  450.       !EC_KEY_marshal_private_key(&cbb, key, EC_KEY_get_enc_flags(key))) {

  451.     CBB_cleanup(&cbb);

  452.     return -1;

  453.   }

  454.   return CBB_finish_i2d(&cbb, outp);

  455. }

  456. 

  457. EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, long len) {

  458.   if (len < 0) {

  459.     return NULL;

  460.   }

  461. 

  462.   CBS cbs;

  463.   CBS_init(&cbs, *inp, (size_t)len);

  464.   EC_GROUP *group = EC_KEY_parse_parameters(&cbs);

  465.   if (group == NULL) {

  466.     return NULL;

  467.   }

  468. 

  469.   EC_KEY *ret = EC_KEY_new();

  470.   if (ret == NULL || !EC_KEY_set_group(ret, group)) {

  471.     EC_GROUP_free(group);

  472.     EC_KEY_free(ret);

  473.     return NULL;

  474.   }

  475.   EC_GROUP_free(group);

  476. 

  477.   if (out_key != NULL) {

  478.     EC_KEY_free(*out_key);

  479.     *out_key = ret;

  480.   }

  481.   *inp = CBS_data(&cbs);

  482.   return ret;

  483. }

  484. 

  485. int i2d_ECParameters(const EC_KEY *key, uint8_t **outp) {

  486.   if (key == NULL || key->group == NULL) {

  487.     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);

  488.     return -1;

  489.   }

  490. 

  491.   CBB cbb;

  492.   if (!CBB_init(&cbb, 0) ||

  493.       !EC_KEY_marshal_curve_name(&cbb, key->group)) {

  494.     CBB_cleanup(&cbb);

  495.     return -1;

  496.   }

  497.   return CBB_finish_i2d(&cbb, outp);

  498. }

  499. 

  500. EC_KEY *o2i_ECPublicKey(EC_KEY **keyp, const uint8_t **inp, long len) {

  501.   EC_KEY *ret = NULL;

  502. 

  503.   if (keyp == NULL || *keyp == NULL || (*keyp)->group == NULL) {

  504.     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);

  505.     return NULL;

  506.   }

  507.   ret = *keyp;

  508.   if (ret->pub_key == NULL &&

  509.       (ret->pub_key = EC_POINT_new(ret->group)) == NULL) {

  510.     OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);

  511.     return NULL;

  512.   }

  513.   if (!EC_POINT_oct2point(ret->group, ret->pub_key, *inp, len, NULL)) {

  514.     OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);

  515.     return NULL;

  516.   }

  517.   // save the point conversion form

  518.   ret->conv_form = (point_conversion_form_t)(*inp[0] & ~0x01);

  519.   *inp += len;

  520.   return ret;

  521. }

  522. 

  523. int i2o_ECPublicKey(const EC_KEY *key, uint8_t **outp) {

  524.   size_t buf_len = 0;

  525.   int new_buffer = 0;

  526. 

  527.   if (key == NULL) {

  528.     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);

  529.     return 0;

  530.   }

  531. 

  532.   buf_len = EC_POINT_point2oct(key->group, key->pub_key, key->conv_form, NULL,

  533.                                0, NULL);

  534. 

  535.   if (outp == NULL || buf_len == 0) {

  536.     // out == NULL => just return the length of the octet string

  537.     return buf_len;

  538.   }

  539. 

  540.   if (*outp == NULL) {

  541.     *outp = OPENSSL_malloc(buf_len);

  542.     if (*outp == NULL) {

  543.       OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);

  544.       return 0;

  545.     }

  546.     new_buffer = 1;

  547.   }

  548.   if (!EC_POINT_point2oct(key->group, key->pub_key, key->conv_form, *outp,

  549.                           buf_len, NULL)) {

  550.     OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);

  551.     if (new_buffer) {

  552.       OPENSSL_free(*outp);

  553.       *outp = NULL;

  554.     }

  555.     return 0;

  556.   }

  557. 

  558.   if (!new_buffer) {

  559.     *outp += buf_len;

  560.   }

  561.   return buf_len;

  562. }