openssl加密

凯87

1294人浏览 · 2021-10-21 14:27:38

凯87 · 2021-10-21 14:27:38 发布

#define EVP_PKEY_get0_EC_KEY(pKey) (((pKey) != NULL) ? ((pKey)->pkey.ec) : (EC_KEY*)NULL)

/* libp11, a simple layer on to of PKCS#11 API

Copyright © 2005 Olaf Kirch okir@lst.de
Copyright © 2011, 2013 Douglas E. Engert deengert@anl.gov
Copyright © 2014, 2016 Douglas E. Engert deengert@gmail.com
Copyright © 2016-2018 Michał Trojnara Michal.Trojnara@stunnel.org
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

This file implements the handling of EC keys stored on a
PKCS11 token
*/

#include “libp11-int.h”
#include <string.h>

#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#include <openssl/bn.h>
#endif
#ifndef OPENSSL_NO_ECDSA
#include <openssl/ecdsa.h>
#endif
#ifndef OPENSSL_NO_ECDH
#include <openssl/ecdh.h>
#endif

#ifndef OPENSSL_NO_EC

#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
typedef int (*compute_key_fn)(unsigned char **, size_t *,
const EC_POINT *, const EC_KEY *);
#else
typedef int (*compute_key_fn)(void *, size_t,
const EC_POINT *, const EC_KEY *,
void ()(const void *, size_t, void *, size_t *));
#endif
static compute_key_fn ossl_ecdh_compute_key;

static int ec_ex_index = 0;

/********** Missing ECDSA_METHOD functions for OpenSSL < 1.1.0 */

typedef ECDSA_SIG *(*sign_sig_fn)(const unsigned char *, int,
const BIGNUM *, const BIGNUM *, EC_KEY *);

#if OPENSSL_VERSION_NUMBER < 0x10100000L

/* ecdsa_method maintains unchanged layout between 0.9.8 and 1.0.2 */

/* Data pointers and function pointers may have different sizes on some

architectures */
struct ecdsa_method {
char *name;
sign_sig_fn ecdsa_do_sign;
void (*ecdsa_sign_setup)();
void (*ecdsa_do_verify)();
int flags;
char *app_data;
};

#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */

#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)

/* Define missing functions */

ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *m)
{
ECDSA_METHOD *out;
out = OPENSSL_malloc(sizeof(ECDSA_METHOD));
if (!out)
return NULL;
if (m)
memcpy(out, m, sizeof(ECDSA_METHOD));
else
memset(out, 0, sizeof(ECDSA_METHOD));
return out;
}

void ECDSA_METHOD_free(ECDSA_METHOD *m)
{
OPENSSL_free(m);
}

void ECDSA_METHOD_set_sign(ECDSA_METHOD *m, sign_sig_fn f)
{
m->ecdsa_do_sign = f;
}

#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */

/********** Missing ECDH_METHOD functions for OpenSSL < 1.1.0 */

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

/* ecdh_method maintains unchanged layout between 0.9.8 and 1.0.2 */

/* Data pointers and function pointers may have different sizes on some

architectures */
struct ecdh_method {
char *name;
compute_key_fn compute_key;
int flags;
char *data;
};

/* Define missing functions */

ECDH_METHOD *ECDH_METHOD_new(const ECDH_METHOD *m)
{
ECDH_METHOD *out;
out = OPENSSL_malloc(sizeof(ECDH_METHOD));
if (!out)
return NULL;
if (m)
memcpy(out, m, sizeof(ECDH_METHOD));
else
memset(out, 0, sizeof(ECDH_METHOD));
return out;
}

void ECDH_METHOD_free(ECDH_METHOD *m)
{
OPENSSL_free(m);
}

void ECDH_METHOD_get_compute_key(ECDH_METHOD *m, compute_key_fn *f)
{
*f = m->compute_key;
}

void ECDH_METHOD_set_compute_key(ECDH_METHOD *m, compute_key_fn f)
{
m->compute_key = f;
}

#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */

/********** Manage EC ex_data */

/* NOTE: ECDH also uses ECDSA ex_data and not ECDH ex_data /
static void alloc_ec_ex_index()
{
if (ec_ex_index == 0) {
while (ec_ex_index == 0) / Workaround for OpenSSL RT3710 /
#if OPENSSL_VERSION_NUMBER >= 0x10100002L && !defined(LIBRESSL_VERSION_NUMBER)
ec_ex_index = EC_KEY_get_ex_new_index(0, “libp11 ec_key”,
NULL, NULL, NULL);
#else
ec_ex_index = ECDSA_get_ex_new_index(0, “libp11 ecdsa”,
NULL, NULL, NULL);
#endif
if (ec_ex_index < 0)
ec_ex_index = 0; / Fallback to app_data */
}
}

#if 0
/* TODO: Free the indexes on unload /
static void free_ec_ex_index()
{
if (ec_ex_index > 0) {
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
/ CRYPTO_free_ex_index requires OpenSSL version >= 1.1.0-pre1 */
CRYPTO_free_ex_index(CRYPTO_EX_INDEX_EC_KEY, ec_ex_index);
#endif
ec_ex_index = 0;
}
}
#endif

/********** EVP_PKEY retrieval */

/* Retrieve EC parameters from key into ec

return nonzero on error */
static int pkcs11_get_params(EC_KEY *ec, PKCS11_KEY *key, CK_SESSION_HANDLE session)
{
CK_BYTE *params;
size_t params_len = 0;
const unsigned char *a;
int rv;

if (pkcs11_getattr_alloc(KEY2CTX(key), session, PRIVKEY(key)->object,
CKA_EC_PARAMS, &params, &params_len))
return -1;

a = params;
rv = d2i_ECParameters(&ec, &a, (long)params_len) == NULL;
OPENSSL_free(params);
return rv;
}

/* Retrieve EC point from key into ec

return nonzero on error */
static int pkcs11_get_point_key(EC_KEY *ec, PKCS11_KEY *key, CK_SESSION_HANDLE session)
{
CK_BYTE *point;
size_t point_len = 0;
const unsigned char *a;
ASN1_OCTET_STRING *os;
int rv = -1;

if (!key || pkcs11_getattr_alloc(KEY2CTX(key), session, PRIVKEY(key)->object,
CKA_EC_POINT, &point, &point_len))
return -1;

/* PKCS#11-compliant modules should return ASN1_OCTET_STRING /
a = point;
os = d2i_ASN1_OCTET_STRING(NULL, &a, (long)point_len);
if (os) {
a = os->data;
rv = o2i_ECPublicKey(&ec, &a, os->length) == NULL;
ASN1_STRING_free(os);
}
if (rv) { / Workaround for broken PKCS#11 modules */
a = point;
rv = o2i_ECPublicKey(&ec, &a, (long)point_len) == NULL;
}
OPENSSL_free(point);
return rv;
}

/* Retrieve EC point from cert into ec

return nonzero on error */
static int pkcs11_get_point_cert(EC_KEY *ec, PKCS11_CERT *cert)
{
EVP_PKEY *pubkey = NULL;
EC_KEY *pubkey_ec;
const EC_POINT *point;
int rv = -1;

if (!cert)
goto error;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
pubkey = X509_get0_pubkey(cert->x509);
#else
pubkey = X509_get_pubkey(cert->x509);
#endif
if (!pubkey)
goto error;
pubkey_ec = EVP_PKEY_get0_EC_KEY(pubkey);
if (!pubkey_ec)
goto error;
point = EC_KEY_get0_public_key(pubkey_ec);
if (!point)
goto error;
if (EC_KEY_set_public_key(ec, point) == 0)
goto error;
rv = 0;
error:
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_PKEY_free(pubkey);
#endif
return rv;
}

static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
{
PKCS11_SLOT *slot = KEY2SLOT(key);
CK_SESSION_HANDLE session;
EC_KEY *ec;
int no_params, no_point;

ec = EC_KEY_new();
if (!ec)
	return NULL;

/* For OpenSSL req we need at least the
 * EC_KEY_get0_group(ec_key)) to return the group.
 * Continue even if it fails, as the sign operation does not need
 * it if the PKCS#11 module or the hardware can figure this out
 */
if (pkcs11_get_session(slot, 0, &session)) {
	EC_KEY_free(ec);
	return NULL;
}
no_params = pkcs11_get_params(ec, key, session);
no_point = pkcs11_get_point_key(ec, key, session);
if (no_point && key->isPrivate) /* Retry with the public key */
	no_point = pkcs11_get_point_key(ec, pkcs11_find_key_from_key(key), session);
if (no_point && key->isPrivate) /* Retry with the certificate */
	no_point = pkcs11_get_point_cert(ec, pkcs11_find_certificate(key));
pkcs11_put_session(slot, session);

if (key->isPrivate && EC_KEY_get0_private_key(ec) == NULL) {
	BIGNUM *bn = BN_new();
	EC_KEY_set_private_key(ec, bn);
	BN_free(bn);
}

/* A public keys requires both the params and the point to be present */
if (!key->isPrivate && (no_params || no_point)) {
	EC_KEY_free(ec);
	return NULL;
}

return ec;

}

PKCS11_KEY *pkcs11_get_ex_data_ec(const EC_KEY *ec)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
return EC_KEY_get_ex_data(ec, ec_ex_index);
#else
return ECDSA_get_ex_data((EC_KEY *)ec, ec_ex_index);
#endif
}

static void pkcs11_set_ex_data_ec(EC_KEY *ec, PKCS11_KEY *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
EC_KEY_set_ex_data(ec, ec_ex_index, key);
#else
ECDSA_set_ex_data(ec, ec_ex_index, key);
#endif
}

static void pkcs11_update_ex_data_ec(PKCS11_KEY *key)
{
EVP_PKEY *evp = key->evp_key;
EC_KEY *ec;
if (!evp)
return;
if (EVP_PKEY_base_id(evp) != EVP_PKEY_EC)
return;

ec = EVP_PKEY_get1_EC_KEY(evp);
pkcs11_set_ex_data_ec(ec, key);
EC_KEY_free(ec);

}

Get EC key material and stash pointer in ex_data
Note we get called twice, once for private key, and once for public
We need to get the EC_PARAMS and EC_POINT into both,
as lib11 dates from RSA only where all the pub key components
were also part of the private key. With EC the point
is not in the private key, and the params may or may not be.

*/
static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
{
EVP_PKEY *pk;
EC_KEY *ec;

ec = pkcs11_get_ec(key);
if (!ec)
	return NULL;
pk = EVP_PKEY_new();
if (!pk) {
	EC_KEY_free(ec);
	return NULL;
}

if (key->isPrivate) {

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
EC_KEY_set_method(ec, PKCS11_get_ec_key_method());
#else
ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
ECDH_set_method(ec, PKCS11_get_ecdh_method());
#endif
}
/* TODO: Retrieve the ECDSA private key object attributes instead,
* unless the key has the “sensitive” attribute set */

pkcs11_set_ex_data_ec(ec, key);
EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
EC_KEY_free(ec); /* Drops our reference to it */
return pk;

}

/********** ECDSA signing */

/* Signature size is the issue, will assume the caller has a big buffer! /
/ No padding or other stuff needed. We can call PKCS11 from here */
static int pkcs11_ecdsa_sign(const unsigned char *msg, unsigned int msg_len,
unsigned char *sigret, unsigned int *siglen, PKCS11_KEY *key)
{
int rv;
PKCS11_SLOT *slot = KEY2SLOT(key);
PKCS11_CTX *ctx = KEY2CTX(key);
PKCS11_KEY_private *kpriv = PRIVKEY(key);
CK_SESSION_HANDLE session;
CK_MECHANISM mechanism;
CK_ULONG ck_sigsize;

ck_sigsize = *siglen;

memset(&mechanism, 0, sizeof(mechanism));
mechanism.mechanism = CKM_ECDSA;

if (pkcs11_get_session(slot, 0, &session))
	return -1;

rv = CRYPTOKI_call(ctx,
	C_SignInit(session, &mechanism, kpriv->object));
if (!rv && kpriv->always_authenticate == CK_TRUE)
	rv = pkcs11_authenticate(key, session);
if (!rv)
	rv = CRYPTOKI_call(ctx,
		C_Sign(session, (CK_BYTE *)msg, msg_len, sigret, &ck_sigsize));
pkcs11_put_session(slot, session);

if (rv) {
	CKRerr(CKR_F_PKCS11_ECDSA_SIGN, rv);
	return -1;
}
*siglen = ck_sigsize;

return ck_sigsize;

}

/**

ECDSA signing method (replaces ossl_ecdsa_sign_sig)
@param dgst hash value to sign
@param dlen length of the hash value
@param kinv precomputed inverse k (from the sign_setup method)
@param rp precomputed rp (from the sign_setup method)
@param ec private EC signing key
@return pointer to a ECDSA_SIG structure or NULL if an error occurred
*/
static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
const BIGNUM *kinv, const BIGNUM *rp, EC_KEY ec)
{
unsigned char sigret[512]; / HACK for now */
ECDSA_SIG *sig;
PKCS11_KEY *key;
unsigned int siglen;
BIGNUM *r, *s, *order;

(void)kinv; /* Precomputed values are not used for PKCS#11 /
(void)rp; / Precomputed values are not used for PKCS#11 */

key = pkcs11_get_ex_data_ec(ec);
if (check_key_fork(key) < 0) {
sign_sig_fn orig_sign_sig;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
EC_KEY_METHOD_get_sign((EC_KEY_METHOD *)meth,
NULL, NULL, &orig_sign_sig);
#else
const ECDSA_METHOD *meth = ECDSA_OpenSSL();
orig_sign_sig = meth->ecdsa_do_sign;
#endif
return orig_sign_sig(dgst, dlen, kinv, rp, ec);
}

/* Truncate digest if its byte size is longer than needed */
order = BN_new();
if (order) {
const EC_GROUP group = EC_KEY_get0_group(ec);
if (group && EC_GROUP_get_order(group, order, NULL)) {
int klen = BN_num_bits(order);
if (klen < 8dlen)
dlen = (klen+7)/8;
}
BN_free(order);
}

siglen = sizeof sigret;
if (pkcs11_ecdsa_sign(dgst, dlen, sigret, &siglen, key) <= 0)
return NULL;

r = BN_bin2bn(sigret, siglen/2, NULL);
s = BN_bin2bn(sigret + siglen/2, siglen/2, NULL);
sig = ECDSA_SIG_new();
if (!sig)
return NULL;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
ECDSA_SIG_set0(sig, r, s);
#else
BN_free(sig->r);
sig->r = r;
BN_free(sig->s);
sig->s = s;
#endif
return sig;
}

/********** ECDH key derivation */

static CK_ECDH1_DERIVE_PARAMS *pkcs11_ecdh_params_alloc(
const EC_GROUP *group, const EC_POINT *point)
{
CK_ECDH1_DERIVE_PARAMS *parms;
size_t len;
unsigned char *buf = NULL;

if (!group || !point)
	return NULL;
len = EC_POINT_point2oct(group, point,
	POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
if (len == 0)
	return NULL;
buf = OPENSSL_malloc(len);
if (!buf)
	return NULL;
len = EC_POINT_point2oct(group, point,
	POINT_CONVERSION_UNCOMPRESSED, buf, len, NULL);
if (len == 0) {
	OPENSSL_free(buf);
	return NULL;
}

parms = OPENSSL_malloc(sizeof(CK_ECDH1_DERIVE_PARAMS));
if (!parms) {
	OPENSSL_free(buf);
	return NULL;
}
parms->kdf = CKD_NULL;
parms->pSharedData = NULL;
parms->ulSharedDataLen = 0;
parms->pPublicData = buf;
parms->ulPublicDataLen = len;
return parms;

}

static void pkcs11_ecdh_params_free(CK_ECDH1_DERIVE_PARAMS *parms)
{
OPENSSL_free(parms->pPublicData);
OPENSSL_free(parms);
}

/* initial code will only support what is needed for pkcs11_ec_ckey

i.e. CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE
and CK_EC_KDF_TYPE supported by token
The secret key object is deleted
In future CKM_ECMQV_DERIVE with CK_ECMQV_DERIVE_PARAMS
could also be supported, and the secret key object could be returned.
*/
static int pkcs11_ecdh_derive(unsigned char **out, size_t *outlen,
const int key_len,
const unsigned long ecdh_mechanism,
const void *ec_params,
void *outnewkey,
PKCS11_KEY *key)
{
PKCS11_SLOT *slot = KEY2SLOT(key);
PKCS11_CTX *ctx = KEY2CTX(key);
PKCS11_KEY_private *kpriv = PRIVKEY(key);
CK_SESSION_HANDLE session;
CK_MECHANISM mechanism;
int rv;

CK_BBOOL true = TRUE;
CK_BBOOL false = FALSE;
CK_OBJECT_HANDLE newkey = CK_INVALID_HANDLE;
CK_OBJECT_CLASS newkey_class= CKO_SECRET_KEY;
CK_KEY_TYPE newkey_type = CKK_GENERIC_SECRET;
CK_ULONG newkey_len = key_len;
CK_OBJECT_HANDLE *tmpnewkey = (CK_OBJECT_HANDLE )outnewkey;
CK_ATTRIBUTE newkey_template[] = {
{CKA_TOKEN, &false, sizeof(false)}, / session only object */
{CKA_CLASS, &newkey_class, sizeof(newkey_class)},
{CKA_KEY_TYPE, &newkey_type, sizeof(newkey_type)},
{CKA_VALUE_LEN, &newkey_len, sizeof(newkey_len)},
{CKA_SENSITIVE, &false, sizeof(false) },
{CKA_EXTRACTABLE, &true, sizeof(true) },
{CKA_ENCRYPT, &true, sizeof(true)},
{CKA_DECRYPT, &true, sizeof(true)}
};

memset(&mechanism, 0, sizeof(mechanism));
mechanism.mechanism = ecdh_mechanism;
mechanism.pParameter = (void*)ec_params;
switch (ecdh_mechanism) {
case CKM_ECDH1_DERIVE:
case CKM_ECDH1_COFACTOR_DERIVE:
mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
break;
#if 0
/* TODO */
case CK_ECMQV_DERIVE_PARAMS:
mechanism.ulParameterLen = sizeof(CK_ECMQV_DERIVE_PARAMS);
break;
#endif
default:
P11err(P11_F_PKCS11_ECDH_DERIVE, P11_R_NOT_SUPPORTED);
return -1;
}

if (pkcs11_get_session(slot, 0, &session))
return -1;

rv = CRYPTOKI_call(ctx, C_DeriveKey(session, &mechanism, kpriv->object,
newkey_template, sizeof(newkey_template)/sizeof(*newkey_template), &newkey));
if (rv != CKR_OK)
goto error;

/* Return the value of the secret key and/or the object handle of the secret key /
if (out && outlen) { / pkcs11_ec_ckey only asks for the value /
if (pkcs11_getattr_alloc(ctx, session, newkey, CKA_VALUE, out, outlen)) {
CRYPTOKI_call(ctx, C_DestroyObject(session, newkey));
goto error;
}
}
if (tmpnewkey) / For future use (not used by pkcs11_ec_ckey) */
tmpnewkey = newkey;
else / Destroy the temporary key */
CRYPTOKI_call(ctx, C_DestroyObject(session, newkey));

pkcs11_put_session(slot, session);

return 0;
error:
pkcs11_put_session(slot, session);
CKRerr(CKR_F_PKCS11_ECDH_DERIVE, rv);
return -1;
}

static int pkcs11_ecdh_compute_key(unsigned char **buf, size_t *buflen,
const EC_POINT *peer_point, const EC_KEY *ecdh, PKCS11_KEY *key)
{
const EC_GROUP group = EC_KEY_get0_group(ecdh);
const int key_len = (EC_GROUP_get_degree(group) + 7) / 8;
/ both peer and ecdh use same group parameters */
CK_ECDH1_DERIVE_PARAMS *parms = pkcs11_ecdh_params_alloc(group, peer_point);
int rv;

if (!parms)
	return -1;
rv = pkcs11_ecdh_derive(buf, buflen, key_len, CKM_ECDH1_DERIVE, parms, NULL, key);
pkcs11_ecdh_params_free(parms);
return rv;

}

#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)

/**

ECDH key derivation method (replaces ossl_ecdh_compute_key)
Implementation for OpenSSL 1.1.0-pre4 and later
@param out derived key
@param outlen derived key length
@param peer_point public key point
@param ecdh private key
@return 1 on success or 0 on error
*/
static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
const EC_POINT *peer_point, const EC_KEY *ecdh)
{
PKCS11_KEY *key;
unsigned char *buf = NULL;
size_t buflen;

key = pkcs11_get_ex_data_ec(ecdh);
if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
if (pkcs11_ecdh_compute_key(&buf, &buflen, peer_point, ecdh, key) < 0)
return 0;
*out = buf;
*outlen = buflen;
return 1;
}

#else

/**

ECDH key derivation method (replaces ossl_ecdh_compute_key)
Implementation for OpenSSL 1.1.0-pre3 and earlier
@param out derived key
@param outlen derived key length
@param peer_point public key point
@param ecdh private key
@param KCF key derivation function
@return the length of the derived key or -1 if an error occurred
*/
static int pkcs11_ec_ckey(void *out, size_t outlen,
const EC_POINT *peer_point, const EC_KEY *ecdh,
void *(*KDF)(const void *, size_t, void *, size_t *))
{
PKCS11_KEY *key;
unsigned char *buf = NULL;
size_t buflen;

key = pkcs11_get_ex_data_ec(ecdh);
if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
if (pkcs11_ecdh_compute_key(&buf, &buflen, peer_point, ecdh, key) < 0)
return -1;
if (KDF) {
if (KDF(buf, buflen, out, &outlen) == NULL) {
OPENSSL_free(buf);
return -1;
}
} else {
if (outlen > buflen)
outlen = buflen;
memcpy(out, buf, outlen);
}
OPENSSL_free(buf);
return outlen;
}

#endif

/********** Set OpenSSL EC methods */

Overload the default OpenSSL methods for ECDSA
If OpenSSL supports ECDSA_METHOD_new we will use it.
First introduced in 1.0.2, changed in 1.1-pre
*/

/* New way to allocate an ECDSA_METOD object /
/ OpenSSL 1.1 has single method EC_KEY_METHOD for ECDSA and ECDH */

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)

EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
{
static EC_KEY_METHOD *ops = NULL;
int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;

alloc_ec_ex_index();
if (!ops) {
	ops = EC_KEY_METHOD_new((EC_KEY_METHOD *)EC_KEY_OpenSSL());
	EC_KEY_METHOD_get_sign(ops, &orig_sign, NULL, NULL);
	EC_KEY_METHOD_set_sign(ops, orig_sign, NULL, pkcs11_ecdsa_sign_sig);
	EC_KEY_METHOD_get_compute_key(ops, &ossl_ecdh_compute_key);
	EC_KEY_METHOD_set_compute_key(ops, pkcs11_ec_ckey);
}
return ops;

}

/* define old way to keep old engines working without ECDSA */
void *PKCS11_get_ecdsa_method(void)
{
return NULL;
}

void *PKCS11_get_ecdh_method(void)
{
return NULL;
}

#else /* OPENSSL_VERSION_NUMBER */

/* define new way to keep new engines from crashing with older libp11 */
void *PKCS11_get_ec_key_method(void)
{
return NULL;
}

ECDSA_METHOD *PKCS11_get_ecdsa_method(void)
{
static ECDSA_METHOD *ops = NULL;

if (!ops) {
	alloc_ec_ex_index();
	ops = ECDSA_METHOD_new((ECDSA_METHOD *)ECDSA_OpenSSL());
	ECDSA_METHOD_set_sign(ops, pkcs11_ecdsa_sign_sig);
}
return ops;

}

ECDH_METHOD *PKCS11_get_ecdh_method(void)
{
static ECDH_METHOD *ops = NULL;

if (!ops) {
	alloc_ec_ex_index();
	ops = ECDH_METHOD_new((ECDH_METHOD *)ECDH_OpenSSL());
	ECDH_METHOD_get_compute_key(ops, &ossl_ecdh_compute_key);
	ECDH_METHOD_set_compute_key(ops, pkcs11_ec_ckey);
}
return ops;

}

#endif /* OPENSSL_VERSION_NUMBER */

PKCS11_KEY_ops pkcs11_ec_ops_s = {
EVP_PKEY_EC,
pkcs11_get_evp_key_ec,
pkcs11_update_ex_data_ec,
};
PKCS11_KEY_ops *pkcs11_ec_ops = {&pkcs11_ec_ops_s};

#else /* OPENSSL_NO_EC */

PKCS11_KEY_ops *pkcs11_ec_ops = {NULL};

/* if not built with EC or OpenSSL does not support ECDSA