]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/exchange/dh_exch.c
Copyright year updates
[thirdparty/openssl.git] / providers / implementations / exchange / dh_exch.c
CommitLineData
89e29174 1/*
da1c088f 2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
89e29174
MC
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ada66e78
P
10/*
11 * DH low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
116d2510 16#include <string.h>
89e29174 17#include <openssl/crypto.h>
23c48d94 18#include <openssl/core_dispatch.h>
89e29174
MC
19#include <openssl/core_names.h>
20#include <openssl/dh.h>
116d2510 21#include <openssl/err.h>
77b03f0e 22#include <openssl/proverr.h>
89e29174 23#include <openssl/params.h>
ca94057f 24#include "prov/providercommon.h"
af3e7e1b 25#include "prov/implementations.h"
62f49b90 26#include "prov/provider_ctx.h"
7a810fac 27#include "prov/securitycheck.h"
62f49b90 28#include "crypto/dh.h"
89e29174 29
363b1e5d
DMSP
30static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
31static OSSL_FUNC_keyexch_init_fn dh_init;
32static OSSL_FUNC_keyexch_set_peer_fn dh_set_peer;
33static OSSL_FUNC_keyexch_derive_fn dh_derive;
34static OSSL_FUNC_keyexch_freectx_fn dh_freectx;
35static OSSL_FUNC_keyexch_dupctx_fn dh_dupctx;
36static OSSL_FUNC_keyexch_set_ctx_params_fn dh_set_ctx_params;
37static OSSL_FUNC_keyexch_settable_ctx_params_fn dh_settable_ctx_params;
116d2510
SL
38static OSSL_FUNC_keyexch_get_ctx_params_fn dh_get_ctx_params;
39static OSSL_FUNC_keyexch_gettable_ctx_params_fn dh_gettable_ctx_params;
40
41/*
42 * This type is only really used to handle some legacy related functionality.
43 * If you need to use other KDF's (such as SSKDF) just use PROV_DH_KDF_NONE
44 * here and then create and run a KDF after the key is derived.
45 * Note that X942 has 2 variants of key derivation:
46 * (1) DH_KDF_X9_42_ASN1 - which contains an ANS1 encoded object that has
47 * the counter embedded in it.
48 * (2) DH_KDF_X941_CONCAT - which is the same as ECDH_X963_KDF (which can be
49 * done by creating a "X963KDF".
50 */
51enum kdf_type {
52 PROV_DH_KDF_NONE = 0,
53 PROV_DH_KDF_X9_42_ASN1
54};
89e29174 55
8b84b075
RL
56/*
57 * What's passed as an actual key is defined by the KEYMGMT interface.
58 * We happen to know that our KEYMGMT simply passes DH structures, so
59 * we use that here too.
60 */
89e29174
MC
61
62typedef struct {
b4250010 63 OSSL_LIB_CTX *libctx;
89e29174
MC
64 DH *dh;
65 DH *dhpeer;
1c3ace68 66 unsigned int pad : 1;
116d2510
SL
67
68 /* DH KDF */
69 /* KDF (if any) to use for DH */
70 enum kdf_type kdf_type;
71 /* Message digest to use for key derivation */
72 EVP_MD *kdf_md;
73 /* User key material */
74 unsigned char *kdf_ukm;
75 size_t kdf_ukmlen;
76 /* KDF output length */
77 size_t kdf_outlen;
78 char *kdf_cekalg;
89e29174
MC
79} PROV_DH_CTX;
80
81static void *dh_newctx(void *provctx)
82{
ca94057f 83 PROV_DH_CTX *pdhctx;
62f49b90 84
ca94057f
P
85 if (!ossl_prov_is_running())
86 return NULL;
87
88 pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
62f49b90
SL
89 if (pdhctx == NULL)
90 return NULL;
a829b735 91 pdhctx->libctx = PROV_LIBCTX_OF(provctx);
116d2510 92 pdhctx->kdf_type = PROV_DH_KDF_NONE;
62f49b90 93 return pdhctx;
89e29174
MC
94}
95
2b2f4f9b 96static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
89e29174
MC
97{
98 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
99
ca94057f
P
100 if (!ossl_prov_is_running()
101 || pdhctx == NULL
102 || vdh == NULL
103 || !DH_up_ref(vdh))
d753cc33 104 return 0;
89e29174 105 DH_free(pdhctx->dh);
8b84b075 106 pdhctx->dh = vdh;
116d2510 107 pdhctx->kdf_type = PROV_DH_KDF_NONE;
6ce58488
MC
108 return dh_set_ctx_params(pdhctx, params)
109 && ossl_dh_check_key(pdhctx->libctx, vdh);
89e29174
MC
110}
111
46eee710
SL
112/* The 2 parties must share the same domain parameters */
113static int dh_match_params(DH *priv, DH *peer)
114{
115 int ret;
116 FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
117 FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
118
119 ret = dhparams_priv != NULL
120 && dhparams_peer != NULL
121 && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
122 if (!ret)
123 ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
124 return ret;
125}
126
8b84b075 127static int dh_set_peer(void *vpdhctx, void *vdh)
89e29174
MC
128{
129 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
130
ca94057f
P
131 if (!ossl_prov_is_running()
132 || pdhctx == NULL
133 || vdh == NULL
46eee710 134 || !dh_match_params(vdh, pdhctx->dh)
ca94057f 135 || !DH_up_ref(vdh))
d753cc33 136 return 0;
89e29174 137 DH_free(pdhctx->dhpeer);
8b84b075 138 pdhctx->dhpeer = vdh;
d753cc33 139 return 1;
89e29174
MC
140}
141
116d2510
SL
142static int dh_plain_derive(void *vpdhctx,
143 unsigned char *secret, size_t *secretlen,
01b18775 144 size_t outlen, unsigned int pad)
89e29174
MC
145{
146 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
147 int ret;
148 size_t dhsize;
149 const BIGNUM *pub_key = NULL;
150
77b03f0e
TM
151 if (pdhctx->dh == NULL || pdhctx->dhpeer == NULL) {
152 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
89e29174 153 return 0;
77b03f0e 154 }
89e29174
MC
155
156 dhsize = (size_t)DH_size(pdhctx->dh);
59972370
MC
157 if (secret == NULL) {
158 *secretlen = dhsize;
89e29174
MC
159 return 1;
160 }
77b03f0e
TM
161 if (outlen < dhsize) {
162 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
89e29174 163 return 0;
77b03f0e 164 }
89e29174
MC
165
166 DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
01b18775 167 if (pad)
8083fd3a 168 ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
62f49b90 169 else
8083fd3a 170 ret = DH_compute_key(secret, pub_key, pdhctx->dh);
89e29174
MC
171 if (ret <= 0)
172 return 0;
173
59972370 174 *secretlen = ret;
89e29174
MC
175 return 1;
176}
177
116d2510
SL
178static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret,
179 size_t *secretlen, size_t outlen)
180{
181 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
182 unsigned char *stmp = NULL;
183 size_t stmplen;
184 int ret = 0;
185
186 if (secret == NULL) {
187 *secretlen = pdhctx->kdf_outlen;
188 return 1;
189 }
190
77b03f0e
TM
191 if (pdhctx->kdf_outlen > outlen) {
192 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
116d2510 193 return 0;
77b03f0e 194 }
01b18775 195 if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1))
116d2510 196 return 0;
e077455e 197 if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
116d2510 198 return 0;
01b18775 199 if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1))
116d2510
SL
200 goto err;
201
202 /* Do KDF stuff */
203 if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) {
19dbb742
SL
204 if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen,
205 stmp, stmplen,
206 pdhctx->kdf_cekalg,
207 pdhctx->kdf_ukm,
208 pdhctx->kdf_ukmlen,
209 pdhctx->kdf_md,
210 pdhctx->libctx, NULL))
116d2510
SL
211 goto err;
212 }
213 *secretlen = pdhctx->kdf_outlen;
214 ret = 1;
215err:
216 OPENSSL_secure_clear_free(stmp, stmplen);
217 return ret;
218}
219
220static int dh_derive(void *vpdhctx, unsigned char *secret,
221 size_t *psecretlen, size_t outlen)
222{
223 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
224
ca94057f
P
225 if (!ossl_prov_is_running())
226 return 0;
227
116d2510
SL
228 switch (pdhctx->kdf_type) {
229 case PROV_DH_KDF_NONE:
01b18775
TM
230 return dh_plain_derive(pdhctx, secret, psecretlen, outlen,
231 pdhctx->pad);
116d2510
SL
232 case PROV_DH_KDF_X9_42_ASN1:
233 return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen);
234 default:
235 break;
236 }
237 return 0;
238}
239
89e29174
MC
240static void dh_freectx(void *vpdhctx)
241{
242 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
243
116d2510 244 OPENSSL_free(pdhctx->kdf_cekalg);
89e29174
MC
245 DH_free(pdhctx->dh);
246 DH_free(pdhctx->dhpeer);
116d2510
SL
247 EVP_MD_free(pdhctx->kdf_md);
248 OPENSSL_clear_free(pdhctx->kdf_ukm, pdhctx->kdf_ukmlen);
89e29174
MC
249
250 OPENSSL_free(pdhctx);
251}
252
253static void *dh_dupctx(void *vpdhctx)
254{
255 PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
256 PROV_DH_CTX *dstctx;
257
ca94057f
P
258 if (!ossl_prov_is_running())
259 return NULL;
260
89e29174 261 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
02c163ea
P
262 if (dstctx == NULL)
263 return NULL;
89e29174
MC
264
265 *dstctx = *srcctx;
116d2510
SL
266 dstctx->dh = NULL;
267 dstctx->dhpeer = NULL;
268 dstctx->kdf_md = NULL;
269 dstctx->kdf_ukm = NULL;
270 dstctx->kdf_cekalg = NULL;
89e29174 271
21a0d9f3 272 if (srcctx->dh != NULL && !DH_up_ref(srcctx->dh))
116d2510
SL
273 goto err;
274 else
275 dstctx->dh = srcctx->dh;
276
21a0d9f3 277 if (srcctx->dhpeer != NULL && !DH_up_ref(srcctx->dhpeer))
116d2510
SL
278 goto err;
279 else
280 dstctx->dhpeer = srcctx->dhpeer;
281
282 if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
283 goto err;
284 else
285 dstctx->kdf_md = srcctx->kdf_md;
286
287 /* Duplicate UKM data if present */
288 if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
289 dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
290 srcctx->kdf_ukmlen);
291 if (dstctx->kdf_ukm == NULL)
292 goto err;
89e29174 293 }
c920020f
JJ
294
295 if (srcctx->kdf_cekalg != NULL) {
296 dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg);
297 if (dstctx->kdf_cekalg == NULL)
298 goto err;
299 }
89e29174
MC
300
301 return dstctx;
116d2510
SL
302err:
303 dh_freectx(dstctx);
304 return NULL;
89e29174
MC
305}
306
9c45222d 307static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
35aca9ec
MC
308{
309 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
310 const OSSL_PARAM *p;
1c3ace68 311 unsigned int pad;
116d2510
SL
312 char name[80] = { '\0' }; /* should be big enough */
313 char *str = NULL;
35aca9ec 314
2b2f4f9b 315 if (pdhctx == NULL)
35aca9ec 316 return 0;
2b2f4f9b
P
317 if (params == NULL)
318 return 1;
35aca9ec 319
116d2510
SL
320 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
321 if (p != NULL) {
322 str = name;
323 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
324 return 0;
325
326 if (name[0] == '\0')
327 pdhctx->kdf_type = PROV_DH_KDF_NONE;
89cccbea 328 else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
116d2510
SL
329 pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
330 else
331 return 0;
332 }
333 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
334 if (p != NULL) {
335 char mdprops[80] = { '\0' }; /* should be big enough */
336
337 str = name;
338 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
339 return 0;
340
341 str = mdprops;
342 p = OSSL_PARAM_locate_const(params,
343 OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);
344
345 if (p != NULL) {
346 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
347 return 0;
348 }
349
350 EVP_MD_free(pdhctx->kdf_md);
351 pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
04e3ab64 352 if (pdhctx->kdf_md == NULL)
353 return 0;
6ce58488 354 if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) {
b8237707
SL
355 EVP_MD_free(pdhctx->kdf_md);
356 pdhctx->kdf_md = NULL;
116d2510 357 return 0;
04e3ab64 358 }
116d2510
SL
359 }
360
361 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
362 if (p != NULL) {
363 size_t outlen;
364
365 if (!OSSL_PARAM_get_size_t(p, &outlen))
366 return 0;
367 pdhctx->kdf_outlen = outlen;
368 }
369
370 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
371 if (p != NULL) {
372 void *tmp_ukm = NULL;
373 size_t tmp_ukmlen;
374
375 OPENSSL_free(pdhctx->kdf_ukm);
376 pdhctx->kdf_ukm = NULL;
377 pdhctx->kdf_ukmlen = 0;
378 /* ukm is an optional field so it can be NULL */
379 if (p->data != NULL && p->data_size != 0) {
380 if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
381 return 0;
382 pdhctx->kdf_ukm = tmp_ukm;
383 pdhctx->kdf_ukmlen = tmp_ukmlen;
384 }
385 }
386
8b84b075 387 p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD);
116d2510
SL
388 if (p != NULL) {
389 if (!OSSL_PARAM_get_uint(p, &pad))
390 return 0;
391 pdhctx->pad = pad ? 1 : 0;
392 }
393
394 p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
395 if (p != NULL) {
396 str = name;
c920020f
JJ
397
398 OPENSSL_free(pdhctx->kdf_cekalg);
399 pdhctx->kdf_cekalg = NULL;
400 if (p->data != NULL && p->data_size != 0) {
401 if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
402 return 0;
403 pdhctx->kdf_cekalg = OPENSSL_strdup(name);
404 if (pdhctx->kdf_cekalg == NULL)
405 return 0;
406 }
116d2510 407 }
35aca9ec
MC
408 return 1;
409}
410
9c45222d
MC
411static const OSSL_PARAM known_settable_ctx_params[] = {
412 OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_PAD, NULL),
116d2510
SL
413 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
414 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
415 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
416 OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
417 OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
418 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
9c45222d
MC
419 OSSL_PARAM_END
420};
421
fb67126e
TM
422static const OSSL_PARAM *dh_settable_ctx_params(ossl_unused void *vpdhctx,
423 ossl_unused void *provctx)
9c45222d
MC
424{
425 return known_settable_ctx_params;
426}
427
116d2510 428static const OSSL_PARAM known_gettable_ctx_params[] = {
116d2510
SL
429 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
430 OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
431 OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
432 OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
433 NULL, 0),
c1167f09 434 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
116d2510
SL
435 OSSL_PARAM_END
436};
437
fb67126e
TM
438static const OSSL_PARAM *dh_gettable_ctx_params(ossl_unused void *vpdhctx,
439 ossl_unused void *provctx)
116d2510
SL
440{
441 return known_gettable_ctx_params;
442}
443
444static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
445{
446 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
447 OSSL_PARAM *p;
448
2b2f4f9b 449 if (pdhctx == NULL)
116d2510
SL
450 return 0;
451
452 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
453 if (p != NULL) {
454 const char *kdf_type = NULL;
455
456 switch (pdhctx->kdf_type) {
457 case PROV_DH_KDF_NONE:
458 kdf_type = "";
459 break;
460 case PROV_DH_KDF_X9_42_ASN1:
89cccbea 461 kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
116d2510
SL
462 break;
463 default:
464 return 0;
465 }
466
467 if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
468 return 0;
469 }
470
471 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
472 if (p != NULL
473 && !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_md == NULL
474 ? ""
1287dabd 475 : EVP_MD_get0_name(pdhctx->kdf_md))) {
116d2510
SL
476 return 0;
477 }
478
479 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
480 if (p != NULL && !OSSL_PARAM_set_size_t(p, pdhctx->kdf_outlen))
481 return 0;
482
483 p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
ba0a6d1d
RL
484 if (p != NULL
485 && !OSSL_PARAM_set_octet_ptr(p, pdhctx->kdf_ukm, pdhctx->kdf_ukmlen))
116d2510
SL
486 return 0;
487
488 p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_CEK_ALG);
489 if (p != NULL
490 && !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_cekalg == NULL
491 ? "" : pdhctx->kdf_cekalg))
492 return 0;
493
494 return 1;
495}
496
1be63951 497const OSSL_DISPATCH ossl_dh_keyexch_functions[] = {
89e29174
MC
498 { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))dh_newctx },
499 { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))dh_init },
500 { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))dh_derive },
501 { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))dh_set_peer },
502 { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))dh_freectx },
503 { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))dh_dupctx },
9c45222d
MC
504 { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))dh_set_ctx_params },
505 { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
506 (void (*)(void))dh_settable_ctx_params },
116d2510
SL
507 { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))dh_get_ctx_params },
508 { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
509 (void (*)(void))dh_gettable_ctx_params },
1e6bd31e 510 OSSL_DISPATCH_END
89e29174 511};