[thirdparty/openssl.git] / crypto / dh / dh_pmeth.c

/*
 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include "dh_local.h"
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/objects.h>
#include "crypto/evp.h"

/* DH pkey context structure */

typedef struct {
    /* Parameter gen parameters */
    int prime_len;
    int generator;
    int use_dsa;
    int subprime_len;
    int pad;
    /* message digest used for parameter generation */
    const EVP_MD *md;
    int rfc5114_param;
    int param_nid;
    /* Keygen callback info */
    int gentmp[2];
    /* KDF (if any) to use for DH */
    char kdf_type;
    /* OID to use for KDF */
    ASN1_OBJECT *kdf_oid;
    /* Message digest to use for key derivation */
    const EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
} DH_PKEY_CTX;

static int pkey_dh_init(EVP_PKEY_CTX *ctx)
{
    DH_PKEY_CTX *dctx;

    if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
        DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    dctx->prime_len = 2048;
    dctx->subprime_len = -1;
    dctx->generator = 2;
    dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;

    ctx->data = dctx;
    ctx->keygen_info = dctx->gentmp;
    ctx->keygen_info_count = 2;

    return 1;
}

static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
{
    DH_PKEY_CTX *dctx = ctx->data;
    if (dctx != NULL) {
        OPENSSL_free(dctx->kdf_ukm);
        ASN1_OBJECT_free(dctx->kdf_oid);
        OPENSSL_free(dctx);
    }
}


static int pkey_dh_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
{
    DH_PKEY_CTX *dctx, *sctx;

    if (!pkey_dh_init(dst))
        return 0;
    sctx = src->data;
    dctx = dst->data;
    dctx->prime_len = sctx->prime_len;
    dctx->subprime_len = sctx->subprime_len;
    dctx->generator = sctx->generator;
    dctx->use_dsa = sctx->use_dsa;
    dctx->pad = sctx->pad;
    dctx->md = sctx->md;
    dctx->rfc5114_param = sctx->rfc5114_param;
    dctx->param_nid = sctx->param_nid;

    dctx->kdf_type = sctx->kdf_type;
    dctx->kdf_oid = OBJ_dup(sctx->kdf_oid);
    if (dctx->kdf_oid == NULL)
        return 0;
    dctx->kdf_md = sctx->kdf_md;
    if (sctx->kdf_ukm != NULL) {
        dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
        if (dctx->kdf_ukm == NULL)
          return 0;
        dctx->kdf_ukmlen = sctx->kdf_ukmlen;
    }
    dctx->kdf_outlen = sctx->kdf_outlen;
    return 1;
}

static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
    DH_PKEY_CTX *dctx = ctx->data;
    switch (type) {
    case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN:
        if (p1 < 256)
            return -2;
        dctx->prime_len = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN:
        if (dctx->use_dsa == 0)
            return -2;
        dctx->subprime_len = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_PAD:
        dctx->pad = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR:
        if (dctx->use_dsa)
            return -2;
        dctx->generator = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE:
#ifdef OPENSSL_NO_DSA
        if (p1 != 0)
            return -2;
#else
        if (p1 < 0 || p1 > 2)
            return -2;
#endif
        dctx->use_dsa = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_RFC5114:
        if (p1 < 1 || p1 > 3 || dctx->param_nid != NID_undef)
            return -2;
        dctx->rfc5114_param = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_NID:
        if (p1 <= 0 || dctx->rfc5114_param != 0)
            return -2;
        dctx->param_nid = p1;
        return 1;

    case EVP_PKEY_CTRL_PEER_KEY:
        /* Default behaviour is OK */
        return 1;

    case EVP_PKEY_CTRL_DH_KDF_TYPE:
        if (p1 == -2)
            return dctx->kdf_type;
#ifdef OPENSSL_NO_CMS
        if (p1 != EVP_PKEY_DH_KDF_NONE)
#else
        if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
#endif
            return -2;
        dctx->kdf_type = p1;
        return 1;

    case EVP_PKEY_CTRL_DH_KDF_MD:
        dctx->kdf_md = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_DH_KDF_MD:
        *(const EVP_MD **)p2 = dctx->kdf_md;
        return 1;

    case EVP_PKEY_CTRL_DH_KDF_OUTLEN:
        if (p1 <= 0)
            return -2;
        dctx->kdf_outlen = (size_t)p1;
        return 1;

    case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN:
        *(int *)p2 = dctx->kdf_outlen;
        return 1;

    case EVP_PKEY_CTRL_DH_KDF_UKM:
        OPENSSL_free(dctx->kdf_ukm);
        dctx->kdf_ukm = p2;
        if (p2)
            dctx->kdf_ukmlen = p1;
        else
            dctx->kdf_ukmlen = 0;
        return 1;

    case EVP_PKEY_CTRL_GET_DH_KDF_UKM:
        *(unsigned char **)p2 = dctx->kdf_ukm;
        return dctx->kdf_ukmlen;

    case EVP_PKEY_CTRL_DH_KDF_OID:
        ASN1_OBJECT_free(dctx->kdf_oid);
        dctx->kdf_oid = p2;
        return 1;

    case EVP_PKEY_CTRL_GET_DH_KDF_OID:
        *(ASN1_OBJECT **)p2 = dctx->kdf_oid;
        return 1;

    default:
        return -2;

    }
}

static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
                            const char *type, const char *value)
{
    if (strcmp(type, "dh_paramgen_prime_len") == 0) {
        int len;
        len = atoi(value);
        return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
    }
    if (strcmp(type, "dh_rfc5114") == 0) {
        DH_PKEY_CTX *dctx = ctx->data;
        int len;
        len = atoi(value);
        if (len < 0 || len > 3)
            return -2;
        dctx->rfc5114_param = len;
        return 1;
    }
    if (strcmp(type, "dh_param") == 0) {
        DH_PKEY_CTX *dctx = ctx->data;
        int nid = OBJ_sn2nid(value);

        if (nid == NID_undef) {
            DHerr(DH_F_PKEY_DH_CTRL_STR, DH_R_INVALID_PARAMETER_NAME);
            return -2;
        }
        dctx->param_nid = nid;
        return 1;
    }
    if (strcmp(type, "dh_paramgen_generator") == 0) {
        int len;
        len = atoi(value);
        return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len);
    }
    if (strcmp(type, "dh_paramgen_subprime_len") == 0) {
        int len;
        len = atoi(value);
        return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len);
    }
    if (strcmp(type, "dh_paramgen_type") == 0) {
        int typ;
        typ = atoi(value);
        return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ);
    }
    if (strcmp(type, "dh_pad") == 0) {
        int pad;
        pad = atoi(value);
        return EVP_PKEY_CTX_set_dh_pad(ctx, pad);
    }
    return -2;
}

#ifndef OPENSSL_NO_DSA

extern int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
                                const EVP_MD *evpmd,
                                const unsigned char *seed_in, size_t seed_len,
                                unsigned char *seed_out, int *counter_ret,
                                unsigned long *h_ret, BN_GENCB *cb);

extern int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
                                 const EVP_MD *evpmd,
                                 const unsigned char *seed_in,
                                 size_t seed_len, int idx,
                                 unsigned char *seed_out, int *counter_ret,
                                 unsigned long *h_ret, BN_GENCB *cb);

static DSA *dsa_dh_generate(DH_PKEY_CTX *dctx, BN_GENCB *pcb)
{
    DSA *ret;
    int rv = 0;
    int prime_len = dctx->prime_len;
    int subprime_len = dctx->subprime_len;
    const EVP_MD *md = dctx->md;
    if (dctx->use_dsa > 2)
        return NULL;
    ret = DSA_new();
    if (ret == NULL)
        return NULL;
    if (subprime_len == -1) {
        if (prime_len >= 2048)
            subprime_len = 256;
        else
            subprime_len = 160;
    }
    if (md == NULL) {
        if (prime_len >= 2048)
            md = EVP_sha256();
        else
            md = EVP_sha1();
    }
    if (dctx->use_dsa == 1)
        rv = dsa_builtin_paramgen(ret, prime_len, subprime_len, md,
                                  NULL, 0, NULL, NULL, NULL, pcb);
    else if (dctx->use_dsa == 2)
        rv = dsa_builtin_paramgen2(ret, prime_len, subprime_len, md,
                                   NULL, 0, -1, NULL, NULL, NULL, pcb);
    if (rv <= 0) {
        DSA_free(ret);
        return NULL;
    }
    return ret;
}

#endif

static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    DH *dh = NULL;
    DH_PKEY_CTX *dctx = ctx->data;
    BN_GENCB *pcb = NULL;
    int ret;

    /*
     * Look for a safe prime group for key establishment. Which uses
     * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
     */
    if (dctx->param_nid != NID_undef) {
        if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL)
            return 0;
        EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh);
        return 1;
    }

#ifndef FIPS_MODE
    if (dctx->rfc5114_param) {
        switch (dctx->rfc5114_param) {
        case 1:
            dh = DH_get_1024_160();
            break;

        case 2:
            dh = DH_get_2048_224();
            break;

        case 3:
            dh = DH_get_2048_256();
            break;

        default:
            return -2;
        }
        EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
        return 1;
    }
#endif /* FIPS_MODE */

    if (ctx->pkey_gencb != NULL) {
        pcb = BN_GENCB_new();
        if (pcb == NULL)
            return 0;
        evp_pkey_set_cb_translate(pcb, ctx);
    }
#ifndef OPENSSL_NO_DSA
    if (dctx->use_dsa) {
        DSA *dsa_dh;

        dsa_dh = dsa_dh_generate(dctx, pcb);
        BN_GENCB_free(pcb);
        if (dsa_dh == NULL)
            return 0;
        dh = DSA_dup_DH(dsa_dh);
        DSA_free(dsa_dh);
        if (!dh)
            return 0;
        EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
        return 1;
    }
#endif
    dh = DH_new();
    if (dh == NULL) {
        BN_GENCB_free(pcb);
        return 0;
    }
    ret = DH_generate_parameters_ex(dh,
                                    dctx->prime_len, dctx->generator, pcb);
    BN_GENCB_free(pcb);
    if (ret)
        EVP_PKEY_assign_DH(pkey, dh);
    else
        DH_free(dh);
    return ret;
}

static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    DH_PKEY_CTX *dctx = ctx->data;
    DH *dh = NULL;

    if (ctx->pkey == NULL && dctx->param_nid == NID_undef) {
        DHerr(DH_F_PKEY_DH_KEYGEN, DH_R_NO_PARAMETERS_SET);
        return 0;
    }
    if (dctx->param_nid != NID_undef)
        dh = DH_new_by_nid(dctx->param_nid);
    else
        dh = DH_new();
    if (dh == NULL)
        return 0;
    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh);
    /* Note: if error return, pkey is freed by parent routine */
    if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey))
        return 0;
    return DH_generate_key(pkey->pkey.dh);
}

static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
                          size_t *keylen)
{
    int ret;
    DH *dh;
    DH_PKEY_CTX *dctx = ctx->data;
    BIGNUM *dhpub;
    if (!ctx->pkey || !ctx->peerkey) {
        DHerr(DH_F_PKEY_DH_DERIVE, DH_R_KEYS_NOT_SET);
        return 0;
    }
    dh = ctx->pkey->pkey.dh;
    dhpub = ctx->peerkey->pkey.dh->pub_key;
    if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
        if (key == NULL) {
            *keylen = DH_size(dh);
            return 1;
        }
        if (dctx->pad)
            ret = DH_compute_key_padded(key, dhpub, dh);
        else
            ret = DH_compute_key(key, dhpub, dh);
        if (ret < 0)
            return ret;
        *keylen = ret;
        return 1;
    }
#ifndef OPENSSL_NO_CMS
    else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {

        unsigned char *Z = NULL;
        size_t Zlen = 0;
        if (!dctx->kdf_outlen || !dctx->kdf_oid)
            return 0;
        if (key == NULL) {
            *keylen = dctx->kdf_outlen;
            return 1;
        }
        if (*keylen != dctx->kdf_outlen)
            return 0;
        ret = 0;
        Zlen = DH_size(dh);
        Z = OPENSSL_malloc(Zlen);
        if (Z == NULL) {
            goto err;
        }
        if (DH_compute_key_padded(Z, dhpub, dh) <= 0)
            goto err;
        if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,
                          dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
            goto err;
        *keylen = dctx->kdf_outlen;
        ret = 1;
 err:
        OPENSSL_clear_free(Z, Zlen);
        return ret;
    }
#endif
    return 0;
}

static const EVP_PKEY_METHOD dh_pkey_meth = {
    EVP_PKEY_DH,
    0,
    pkey_dh_init,
    pkey_dh_copy,
    pkey_dh_cleanup,

    0,
    pkey_dh_paramgen,

    0,
    pkey_dh_keygen,

    0,
    0,

    0,
    0,

    0, 0,

    0, 0, 0, 0,

    0, 0,

    0, 0,

    0,
    pkey_dh_derive,

    pkey_dh_ctrl,
    pkey_dh_ctrl_str
};

const EVP_PKEY_METHOD *dh_pkey_method(void)
{
    return &dh_pkey_meth;
}

static const EVP_PKEY_METHOD dhx_pkey_meth = {
    EVP_PKEY_DHX,
    0,
    pkey_dh_init,
    pkey_dh_copy,
    pkey_dh_cleanup,

    0,
    pkey_dh_paramgen,

    0,
    pkey_dh_keygen,

    0,
    0,

    0,
    0,

    0, 0,

    0, 0, 0, 0,

    0, 0,

    0, 0,

    0,
    pkey_dh_derive,

    pkey_dh_ctrl,
    pkey_dh_ctrl_str
};

const EVP_PKEY_METHOD *dhx_pkey_method(void)
{
    return &dhx_pkey_meth;
}
Commit	Line	Data
0f113f3e	1	/*
28428130	2	* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
3ba0885a	3	*
e38873f5	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
aa6bb135 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
3ba0885a DSH	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
3ba0885a DSH	12	#include <openssl/asn1t.h>
3ba0885a DSH	13	#include <openssl/x509.h>
3ba0885a	14	#include <openssl/evp.h>
706457b7	15	#include "dh_local.h"
1e26a8ba	16	#include <openssl/bn.h>
3c27208f	17	#include <openssl/dsa.h>
bd59f2b9	18	#include <openssl/objects.h>
25f2138b	19	#include "crypto/evp.h"
3ba0885a DSH	20
	21	/* DH pkey context structure */
	22
0f113f3e MC	23	typedef struct {
	24	/* Parameter gen parameters */
	25	int prime_len;
	26	int generator;
	27	int use_dsa;
	28	int subprime_len;
f4403a1f	29	int pad;
0f113f3e MC	30	/* message digest used for parameter generation */
	31	const EVP_MD *md;
	32	int rfc5114_param;
d59d853a	33	int param_nid;
0f113f3e MC	34	/* Keygen callback info */
	35	int gentmp[2];
	36	/* KDF (if any) to use for DH */
	37	char kdf_type;
	38	/* OID to use for KDF */
	39	ASN1_OBJECT *kdf_oid;
	40	/* Message digest to use for key derivation */
	41	const EVP_MD *kdf_md;
	42	/* User key material */
	43	unsigned char *kdf_ukm;
	44	size_t kdf_ukmlen;
	45	/* KDF output length */
	46	size_t kdf_outlen;
	47	} DH_PKEY_CTX;
3ba0885a DSH	48
3ba0885a DSH	49	static int pkey_dh_init(EVP_PKEY_CTX *ctx)
0f113f3e MC	50	{
0f113f3e MC	51	DH_PKEY_CTX *dctx;
64b25758	52
cdb10bae RS	53	if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
cdb10bae RS	54	DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE);
0f113f3e	55	return 0;
cdb10bae	56	}
70b0b977	57	dctx->prime_len = 2048;
0f113f3e MC	58	dctx->subprime_len = -1;
0f113f3e MC	59	dctx->generator = 2;
0f113f3e	60	dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
0f113f3e MC	61
	62	ctx->data = dctx;
	63	ctx->keygen_info = dctx->gentmp;
	64	ctx->keygen_info_count = 2;
	65
	66	return 1;
	67	}
3ba0885a	68
edeb3fd2 IY	69	static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
	70	{
	71	DH_PKEY_CTX *dctx = ctx->data;
	72	if (dctx != NULL) {
	73	OPENSSL_free(dctx->kdf_ukm);
	74	ASN1_OBJECT_free(dctx->kdf_oid);
	75	OPENSSL_free(dctx);
	76	}
	77	}
	78
	79
9fdcc21f	80	static int pkey_dh_copy(EVP_PKEY_CTX dst, const EVP_PKEY_CTX src)
0f113f3e MC	81	{
0f113f3e MC	82	DH_PKEY_CTX dctx, sctx;
12a765a5	83
0f113f3e MC	84	if (!pkey_dh_init(dst))
	85	return 0;
	86	sctx = src->data;
	87	dctx = dst->data;
	88	dctx->prime_len = sctx->prime_len;
	89	dctx->subprime_len = sctx->subprime_len;
	90	dctx->generator = sctx->generator;
	91	dctx->use_dsa = sctx->use_dsa;
f4403a1f	92	dctx->pad = sctx->pad;
0f113f3e MC	93	dctx->md = sctx->md;
0f113f3e MC	94	dctx->rfc5114_param = sctx->rfc5114_param;
d59d853a	95	dctx->param_nid = sctx->param_nid;
0f113f3e MC	96
	97	dctx->kdf_type = sctx->kdf_type;
	98	dctx->kdf_oid = OBJ_dup(sctx->kdf_oid);
edeb3fd2	99	if (dctx->kdf_oid == NULL)
0f113f3e MC	100	return 0;
0f113f3e MC	101	dctx->kdf_md = sctx->kdf_md;
edeb3fd2	102	if (sctx->kdf_ukm != NULL) {
7644a9ae	103	dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
edeb3fd2 IY	104	if (dctx->kdf_ukm == NULL)
edeb3fd2 IY	105	return 0;
0f113f3e MC	106	dctx->kdf_ukmlen = sctx->kdf_ukmlen;
	107	}
	108	dctx->kdf_outlen = sctx->kdf_outlen;
	109	return 1;
	110	}
8bdcef40	111
3ba0885a	112	static int pkey_dh_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)
0f113f3e MC	113	{
	114	DH_PKEY_CTX *dctx = ctx->data;
	115	switch (type) {
	116	case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN:
	117	if (p1 < 256)
	118	return -2;
	119	dctx->prime_len = p1;
	120	return 1;
	121
	122	case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN:
	123	if (dctx->use_dsa == 0)
	124	return -2;
	125	dctx->subprime_len = p1;
	126	return 1;
	127
f4403a1f DSH	128	case EVP_PKEY_CTRL_DH_PAD:
	129	dctx->pad = p1;
	130	return 1;
	131
0f113f3e MC	132	case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR:
	133	if (dctx->use_dsa)
	134	return -2;
	135	dctx->generator = p1;
	136	return 1;
	137
	138	case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE:
39090878	139	#ifdef OPENSSL_NO_DSA
0f113f3e MC	140	if (p1 != 0)
0f113f3e MC	141	return -2;
39090878	142	#else
0f113f3e MC	143	if (p1 < 0 \|\| p1 > 2)
0f113f3e MC	144	return -2;
39090878	145	#endif
0f113f3e MC	146	dctx->use_dsa = p1;
	147	return 1;
	148
	149	case EVP_PKEY_CTRL_DH_RFC5114:
d59d853a	150	if (p1 < 1 \|\| p1 > 3 \|\| dctx->param_nid != NID_undef)
0f113f3e MC	151	return -2;
	152	dctx->rfc5114_param = p1;
	153	return 1;
	154
d59d853a DSH	155	case EVP_PKEY_CTRL_DH_NID:
	156	if (p1 <= 0 \|\| dctx->rfc5114_param != 0)
	157	return -2;
	158	dctx->param_nid = p1;
	159	return 1;
	160
0f113f3e MC	161	case EVP_PKEY_CTRL_PEER_KEY:
	162	/* Default behaviour is OK */
	163	return 1;
	164
	165	case EVP_PKEY_CTRL_DH_KDF_TYPE:
	166	if (p1 == -2)
	167	return dctx->kdf_type;
e968561d DB	168	#ifdef OPENSSL_NO_CMS
	169	if (p1 != EVP_PKEY_DH_KDF_NONE)
	170	#else
0f113f3e	171	if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
e968561d	172	#endif
0f113f3e MC	173	return -2;
	174	dctx->kdf_type = p1;
	175	return 1;
	176
	177	case EVP_PKEY_CTRL_DH_KDF_MD:
	178	dctx->kdf_md = p2;
	179	return 1;
	180
	181	case EVP_PKEY_CTRL_GET_DH_KDF_MD:
	182	(const EVP_MD *)p2 = dctx->kdf_md;
	183	return 1;
	184
	185	case EVP_PKEY_CTRL_DH_KDF_OUTLEN:
	186	if (p1 <= 0)
	187	return -2;
	188	dctx->kdf_outlen = (size_t)p1;
	189	return 1;
	190
	191	case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN:
	192	(int )p2 = dctx->kdf_outlen;
	193	return 1;
	194
	195	case EVP_PKEY_CTRL_DH_KDF_UKM:
b548a1f1	196	OPENSSL_free(dctx->kdf_ukm);
0f113f3e MC	197	dctx->kdf_ukm = p2;
	198	if (p2)
	199	dctx->kdf_ukmlen = p1;
	200	else
	201	dctx->kdf_ukmlen = 0;
	202	return 1;
	203
	204	case EVP_PKEY_CTRL_GET_DH_KDF_UKM:
	205	(unsigned char *)p2 = dctx->kdf_ukm;
	206	return dctx->kdf_ukmlen;
	207
	208	case EVP_PKEY_CTRL_DH_KDF_OID:
0dfb9398	209	ASN1_OBJECT_free(dctx->kdf_oid);
0f113f3e MC	210	dctx->kdf_oid = p2;
	211	return 1;
	212
	213	case EVP_PKEY_CTRL_GET_DH_KDF_OID:
	214	(ASN1_OBJECT *)p2 = dctx->kdf_oid;
	215	return 1;
	216
	217	default:
	218	return -2;
	219
	220	}
	221	}
39090878	222
3ba0885a	223	static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
0f113f3e MC	224	const char type, const char value)
0f113f3e MC	225	{
86885c28	226	if (strcmp(type, "dh_paramgen_prime_len") == 0) {
0f113f3e MC	227	int len;
	228	len = atoi(value);
	229	return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
	230	}
86885c28	231	if (strcmp(type, "dh_rfc5114") == 0) {
0f113f3e MC	232	DH_PKEY_CTX *dctx = ctx->data;
	233	int len;
	234	len = atoi(value);
	235	if (len < 0 \|\| len > 3)
	236	return -2;
	237	dctx->rfc5114_param = len;
	238	return 1;
	239	}
d59d853a DSH	240	if (strcmp(type, "dh_param") == 0) {
	241	DH_PKEY_CTX *dctx = ctx->data;
	242	int nid = OBJ_sn2nid(value);
	243
	244	if (nid == NID_undef) {
	245	DHerr(DH_F_PKEY_DH_CTRL_STR, DH_R_INVALID_PARAMETER_NAME);
	246	return -2;
	247	}
	248	dctx->param_nid = nid;
	249	return 1;
	250	}
86885c28	251	if (strcmp(type, "dh_paramgen_generator") == 0) {
0f113f3e MC	252	int len;
	253	len = atoi(value);
	254	return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len);
	255	}
86885c28	256	if (strcmp(type, "dh_paramgen_subprime_len") == 0) {
0f113f3e MC	257	int len;
	258	len = atoi(value);
	259	return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len);
	260	}
86885c28	261	if (strcmp(type, "dh_paramgen_type") == 0) {
0f113f3e MC	262	int typ;
	263	typ = atoi(value);
	264	return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ);
	265	}
f4403a1f DSH	266	if (strcmp(type, "dh_pad") == 0) {
	267	int pad;
	268	pad = atoi(value);
	269	return EVP_PKEY_CTX_set_dh_pad(ctx, pad);
	270	}
0f113f3e MC	271	return -2;
0f113f3e MC	272	}
3ba0885a	273
39090878 DSH	274	#ifndef OPENSSL_NO_DSA
	275
	276	extern int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
0f113f3e MC	277	const EVP_MD *evpmd,
	278	const unsigned char *seed_in, size_t seed_len,
	279	unsigned char seed_out, int counter_ret,
	280	unsigned long h_ret, BN_GENCB cb);
39090878 DSH	281
39090878 DSH	282	extern int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
0f113f3e MC	283	const EVP_MD *evpmd,
	284	const unsigned char *seed_in,
	285	size_t seed_len, int idx,
	286	unsigned char seed_out, int counter_ret,
	287	unsigned long h_ret, BN_GENCB cb);
39090878 DSH	288
39090878 DSH	289	static DSA dsa_dh_generate(DH_PKEY_CTX dctx, BN_GENCB *pcb)
0f113f3e MC	290	{
	291	DSA *ret;
	292	int rv = 0;
	293	int prime_len = dctx->prime_len;
	294	int subprime_len = dctx->subprime_len;
	295	const EVP_MD *md = dctx->md;
	296	if (dctx->use_dsa > 2)
	297	return NULL;
	298	ret = DSA_new();
90945fa3	299	if (ret == NULL)
0f113f3e MC	300	return NULL;
	301	if (subprime_len == -1) {
	302	if (prime_len >= 2048)
	303	subprime_len = 256;
	304	else
	305	subprime_len = 160;
	306	}
	307	if (md == NULL) {
	308	if (prime_len >= 2048)
	309	md = EVP_sha256();
	310	else
	311	md = EVP_sha1();
	312	}
	313	if (dctx->use_dsa == 1)
	314	rv = dsa_builtin_paramgen(ret, prime_len, subprime_len, md,
	315	NULL, 0, NULL, NULL, NULL, pcb);
	316	else if (dctx->use_dsa == 2)
	317	rv = dsa_builtin_paramgen2(ret, prime_len, subprime_len, md,
	318	NULL, 0, -1, NULL, NULL, NULL, pcb);
	319	if (rv <= 0) {
	320	DSA_free(ret);
	321	return NULL;
	322	}
	323	return ret;
	324	}
39090878 DSH	325
	326	#endif
	327
3ba0885a	328	static int pkey_dh_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
0f113f3e MC	329	{
	330	DH *dh = NULL;
	331	DH_PKEY_CTX *dctx = ctx->data;
ca2bf555	332	BN_GENCB *pcb = NULL;
0f113f3e	333	int ret;
ca2bf555 SL	334
	335	/*
	336	* Look for a safe prime group for key establishment. Which uses
	337	* either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
	338	*/
	339	if (dctx->param_nid != NID_undef) {
	340	if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL)
	341	return 0;
	342	EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh);
	343	return 1;
	344	}
	345
	346	#ifndef FIPS_MODE
0f113f3e MC	347	if (dctx->rfc5114_param) {
	348	switch (dctx->rfc5114_param) {
	349	case 1:
	350	dh = DH_get_1024_160();
	351	break;
	352
	353	case 2:
	354	dh = DH_get_2048_224();
	355	break;
	356
	357	case 3:
	358	dh = DH_get_2048_256();
	359	break;
	360
	361	default:
	362	return -2;
	363	}
	364	EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
	365	return 1;
	366	}
ca2bf555	367	#endif /* FIPS_MODE */
0f113f3e	368
ca2bf555	369	if (ctx->pkey_gencb != NULL) {
0f113f3e	370	pcb = BN_GENCB_new();
90945fa3 MC	371	if (pcb == NULL)
90945fa3 MC	372	return 0;
0f113f3e	373	evp_pkey_set_cb_translate(pcb, ctx);
ca2bf555	374	}
39090878	375	#ifndef OPENSSL_NO_DSA
0f113f3e MC	376	if (dctx->use_dsa) {
0f113f3e MC	377	DSA *dsa_dh;
ca2bf555	378
0f113f3e	379	dsa_dh = dsa_dh_generate(dctx, pcb);
23a1d5e9	380	BN_GENCB_free(pcb);
90945fa3	381	if (dsa_dh == NULL)
0f113f3e MC	382	return 0;
	383	dh = DSA_dup_DH(dsa_dh);
	384	DSA_free(dsa_dh);
	385	if (!dh)
	386	return 0;
	387	EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
	388	return 1;
	389	}
39090878	390	#endif
0f113f3e	391	dh = DH_new();
90945fa3	392	if (dh == NULL) {
23a1d5e9	393	BN_GENCB_free(pcb);
0f113f3e MC	394	return 0;
	395	}
	396	ret = DH_generate_parameters_ex(dh,
	397	dctx->prime_len, dctx->generator, pcb);
23a1d5e9	398	BN_GENCB_free(pcb);
0f113f3e MC	399	if (ret)
	400	EVP_PKEY_assign_DH(pkey, dh);
	401	else
	402	DH_free(dh);
	403	return ret;
	404	}
3ba0885a DSH	405
3ba0885a DSH	406	static int pkey_dh_keygen(EVP_PKEY_CTX ctx, EVP_PKEY pkey)
0f113f3e	407	{
d59d853a	408	DH_PKEY_CTX *dctx = ctx->data;
0f113f3e	409	DH *dh = NULL;
d59d853a	410
ca2bf555	411	if (ctx->pkey == NULL && dctx->param_nid == NID_undef) {
0f113f3e MC	412	DHerr(DH_F_PKEY_DH_KEYGEN, DH_R_NO_PARAMETERS_SET);
	413	return 0;
	414	}
ca2bf555	415	if (dctx->param_nid != NID_undef)
d59d853a DSH	416	dh = DH_new_by_nid(dctx->param_nid);
	417	else
	418	dh = DH_new();
90945fa3	419	if (dh == NULL)
0f113f3e MC	420	return 0;
	421	EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh);
	422	/* Note: if error return, pkey is freed by parent routine */
d59d853a	423	if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey))
0f113f3e MC	424	return 0;
	425	return DH_generate_key(pkey->pkey.dh);
	426	}
	427
	428	static int pkey_dh_derive(EVP_PKEY_CTX ctx, unsigned char key,
	429	size_t *keylen)
	430	{
	431	int ret;
	432	DH *dh;
	433	DH_PKEY_CTX *dctx = ctx->data;
	434	BIGNUM *dhpub;
	435	if (!ctx->pkey \|\| !ctx->peerkey) {
	436	DHerr(DH_F_PKEY_DH_DERIVE, DH_R_KEYS_NOT_SET);
	437	return 0;
	438	}
	439	dh = ctx->pkey->pkey.dh;
	440	dhpub = ctx->peerkey->pkey.dh->pub_key;
	441	if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
	442	if (key == NULL) {
	443	*keylen = DH_size(dh);
	444	return 1;
	445	}
f4403a1f DSH	446	if (dctx->pad)
	447	ret = DH_compute_key_padded(key, dhpub, dh);
	448	else
	449	ret = DH_compute_key(key, dhpub, dh);
0f113f3e MC	450	if (ret < 0)
	451	return ret;
	452	*keylen = ret;
	453	return 1;
e968561d DB	454	}
	455	#ifndef OPENSSL_NO_CMS
	456	else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
	457
0f113f3e MC	458	unsigned char *Z = NULL;
	459	size_t Zlen = 0;
	460	if (!dctx->kdf_outlen \|\| !dctx->kdf_oid)
	461	return 0;
	462	if (key == NULL) {
	463	*keylen = dctx->kdf_outlen;
	464	return 1;
	465	}
	466	if (*keylen != dctx->kdf_outlen)
	467	return 0;
	468	ret = 0;
	469	Zlen = DH_size(dh);
	470	Z = OPENSSL_malloc(Zlen);
90945fa3	471	if (Z == NULL) {
918bb865 MC	472	goto err;
918bb865 MC	473	}
0f113f3e MC	474	if (DH_compute_key_padded(Z, dhpub, dh) <= 0)
	475	goto err;
	476	if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,
	477	dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
	478	goto err;
	479	*keylen = dctx->kdf_outlen;
	480	ret = 1;
	481	err:
4b45c6e5	482	OPENSSL_clear_free(Z, Zlen);
0f113f3e MC	483	return ret;
0f113f3e MC	484	}
e968561d DB	485	#endif
e968561d DB	486	return 0;
0f113f3e MC	487	}
0f113f3e MC	488
19bd1fa1	489	static const EVP_PKEY_METHOD dh_pkey_meth = {
0f113f3e MC	490	EVP_PKEY_DH,
	491	0,
	492	pkey_dh_init,
	493	pkey_dh_copy,
	494	pkey_dh_cleanup,
	495
	496	0,
	497	pkey_dh_paramgen,
	498
	499	0,
	500	pkey_dh_keygen,
	501
	502	0,
	503	0,
	504
	505	0,
	506	0,
	507
	508	0, 0,
	509
	510	0, 0, 0, 0,
	511
	512	0, 0,
	513
	514	0, 0,
	515
	516	0,
	517	pkey_dh_derive,
	518
	519	pkey_dh_ctrl,
	520	pkey_dh_ctrl_str
	521	};
	522
19bd1fa1 PS	523	const EVP_PKEY_METHOD *dh_pkey_method(void)
	524	{
	525	return &dh_pkey_meth;
	526	}
	527
	528	static const EVP_PKEY_METHOD dhx_pkey_meth = {
0f113f3e MC	529	EVP_PKEY_DHX,
	530	0,
	531	pkey_dh_init,
	532	pkey_dh_copy,
	533	pkey_dh_cleanup,
	534
	535	0,
	536	pkey_dh_paramgen,
	537
	538	0,
	539	pkey_dh_keygen,
	540
	541	0,
	542	0,
	543
	544	0,
	545	0,
	546
	547	0, 0,
	548
	549	0, 0, 0, 0,
	550
	551	0, 0,
	552
	553	0, 0,
	554
	555	0,
	556	pkey_dh_derive,
	557
	558	pkey_dh_ctrl,
	559	pkey_dh_ctrl_str
	560	};
19bd1fa1 PS	561
	562	const EVP_PKEY_METHOD *dhx_pkey_method(void)
	563	{
	564	return &dhx_pkey_meth;
	565	}