2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/asn1t.h>
13 #include <openssl/x509.h>
14 #include <openssl/evp.h>
16 #include <openssl/bn.h>
17 #include <openssl/dsa.h>
18 #include <openssl/objects.h>
19 #include "crypto/evp.h"
21 /* DH pkey context structure */
24 /* Parameter gen parameters */
30 /* message digest used for parameter generation */
34 /* Keygen callback info */
36 /* KDF (if any) to use for DH */
38 /* OID to use for KDF */
40 /* Message digest to use for key derivation */
42 /* User key material */
43 unsigned char *kdf_ukm
;
45 /* KDF output length */
49 static int pkey_dh_init(EVP_PKEY_CTX
*ctx
)
53 if ((dctx
= OPENSSL_zalloc(sizeof(*dctx
))) == NULL
) {
54 DHerr(DH_F_PKEY_DH_INIT
, ERR_R_MALLOC_FAILURE
);
57 dctx
->prime_len
= 2048;
58 dctx
->subprime_len
= -1;
60 dctx
->kdf_type
= EVP_PKEY_DH_KDF_NONE
;
63 ctx
->keygen_info
= dctx
->gentmp
;
64 ctx
->keygen_info_count
= 2;
69 static void pkey_dh_cleanup(EVP_PKEY_CTX
*ctx
)
71 DH_PKEY_CTX
*dctx
= ctx
->data
;
74 OPENSSL_free(dctx
->kdf_ukm
);
75 ASN1_OBJECT_free(dctx
->kdf_oid
);
81 static int pkey_dh_copy(EVP_PKEY_CTX
*dst
, const EVP_PKEY_CTX
*src
)
83 DH_PKEY_CTX
*dctx
, *sctx
;
85 if (!pkey_dh_init(dst
))
89 dctx
->prime_len
= sctx
->prime_len
;
90 dctx
->subprime_len
= sctx
->subprime_len
;
91 dctx
->generator
= sctx
->generator
;
92 dctx
->paramgen_type
= sctx
->paramgen_type
;
93 dctx
->pad
= sctx
->pad
;
95 dctx
->rfc5114_param
= sctx
->rfc5114_param
;
96 dctx
->param_nid
= sctx
->param_nid
;
98 dctx
->kdf_type
= sctx
->kdf_type
;
99 dctx
->kdf_oid
= OBJ_dup(sctx
->kdf_oid
);
100 if (dctx
->kdf_oid
== NULL
)
102 dctx
->kdf_md
= sctx
->kdf_md
;
103 if (sctx
->kdf_ukm
!= NULL
) {
104 dctx
->kdf_ukm
= OPENSSL_memdup(sctx
->kdf_ukm
, sctx
->kdf_ukmlen
);
105 if (dctx
->kdf_ukm
== NULL
)
107 dctx
->kdf_ukmlen
= sctx
->kdf_ukmlen
;
109 dctx
->kdf_outlen
= sctx
->kdf_outlen
;
113 static int pkey_dh_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
115 DH_PKEY_CTX
*dctx
= ctx
->data
;
117 case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN
:
120 dctx
->prime_len
= p1
;
123 case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN
:
124 if (dctx
->paramgen_type
== DH_PARAMGEN_TYPE_GENERATOR
)
126 dctx
->subprime_len
= p1
;
129 case EVP_PKEY_CTRL_DH_PAD
:
133 case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR
:
134 if (dctx
->paramgen_type
!= DH_PARAMGEN_TYPE_GENERATOR
)
136 dctx
->generator
= p1
;
139 case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE
:
140 #ifdef OPENSSL_NO_DSA
141 if (p1
!= DH_PARAMGEN_TYPE_GENERATOR
)
144 if (p1
< 0 || p1
> 2)
147 dctx
->paramgen_type
= p1
;
150 case EVP_PKEY_CTRL_DH_RFC5114
:
151 if (p1
< 1 || p1
> 3 || dctx
->param_nid
!= NID_undef
)
153 dctx
->rfc5114_param
= p1
;
156 case EVP_PKEY_CTRL_DH_NID
:
157 if (p1
<= 0 || dctx
->rfc5114_param
!= 0)
159 dctx
->param_nid
= p1
;
162 case EVP_PKEY_CTRL_PEER_KEY
:
163 /* Default behaviour is OK */
166 case EVP_PKEY_CTRL_DH_KDF_TYPE
:
168 return dctx
->kdf_type
;
169 #ifdef OPENSSL_NO_CMS
170 if (p1
!= EVP_PKEY_DH_KDF_NONE
)
172 if (p1
!= EVP_PKEY_DH_KDF_NONE
&& p1
!= EVP_PKEY_DH_KDF_X9_42
)
178 case EVP_PKEY_CTRL_DH_KDF_MD
:
182 case EVP_PKEY_CTRL_GET_DH_KDF_MD
:
183 *(const EVP_MD
**)p2
= dctx
->kdf_md
;
186 case EVP_PKEY_CTRL_DH_KDF_OUTLEN
:
189 dctx
->kdf_outlen
= (size_t)p1
;
192 case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN
:
193 *(int *)p2
= dctx
->kdf_outlen
;
196 case EVP_PKEY_CTRL_DH_KDF_UKM
:
197 OPENSSL_free(dctx
->kdf_ukm
);
200 dctx
->kdf_ukmlen
= p1
;
202 dctx
->kdf_ukmlen
= 0;
205 case EVP_PKEY_CTRL_GET_DH_KDF_UKM
:
206 *(unsigned char **)p2
= dctx
->kdf_ukm
;
207 return dctx
->kdf_ukmlen
;
209 case EVP_PKEY_CTRL_DH_KDF_OID
:
210 ASN1_OBJECT_free(dctx
->kdf_oid
);
214 case EVP_PKEY_CTRL_GET_DH_KDF_OID
:
215 *(ASN1_OBJECT
**)p2
= dctx
->kdf_oid
;
224 static int pkey_dh_ctrl_str(EVP_PKEY_CTX
*ctx
,
225 const char *type
, const char *value
)
227 if (strcmp(type
, "dh_paramgen_prime_len") == 0) {
230 return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx
, len
);
232 if (strcmp(type
, "dh_rfc5114") == 0) {
233 DH_PKEY_CTX
*dctx
= ctx
->data
;
236 if (len
< 0 || len
> 3)
238 dctx
->rfc5114_param
= len
;
241 if (strcmp(type
, "dh_param") == 0) {
242 DH_PKEY_CTX
*dctx
= ctx
->data
;
243 int nid
= OBJ_sn2nid(value
);
245 if (nid
== NID_undef
) {
246 DHerr(DH_F_PKEY_DH_CTRL_STR
, DH_R_INVALID_PARAMETER_NAME
);
249 dctx
->param_nid
= nid
;
252 if (strcmp(type
, "dh_paramgen_generator") == 0) {
255 return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx
, len
);
257 if (strcmp(type
, "dh_paramgen_subprime_len") == 0) {
260 return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx
, len
);
262 if (strcmp(type
, "dh_paramgen_type") == 0) {
265 return EVP_PKEY_CTX_set_dh_paramgen_type(ctx
, typ
);
267 if (strcmp(type
, "dh_pad") == 0) {
270 return EVP_PKEY_CTX_set_dh_pad(ctx
, pad
);
275 static DH
*ffc_params_generate(OPENSSL_CTX
*libctx
, DH_PKEY_CTX
*dctx
,
281 int prime_len
= dctx
->prime_len
;
282 int subprime_len
= dctx
->subprime_len
;
283 const EVP_MD
*md
= dctx
->md
;
285 if (dctx
->paramgen_type
> DH_PARAMGEN_TYPE_FIPS_186_4
)
291 if (subprime_len
== -1) {
292 if (prime_len
>= 2048)
298 if (prime_len
>= 2048)
304 if (dctx
->paramgen_type
== DH_PARAMGEN_TYPE_FIPS_186_2
)
305 rv
= ffc_params_FIPS186_2_generate(libctx
, &ret
->params
,
307 prime_len
, subprime_len
, md
, &res
,
311 /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
312 if (dctx
->paramgen_type
>= DH_PARAMGEN_TYPE_FIPS_186_2
)
313 rv
= ffc_params_FIPS186_4_generate(libctx
, &ret
->params
,
315 prime_len
, subprime_len
, md
, &res
,
324 static int pkey_dh_paramgen(EVP_PKEY_CTX
*ctx
,
328 DH_PKEY_CTX
*dctx
= ctx
->data
;
329 BN_GENCB
*pcb
= NULL
;
333 * Look for a safe prime group for key establishment. Which uses
334 * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
336 if (dctx
->param_nid
!= NID_undef
) {
337 if ((dh
= DH_new_by_nid(dctx
->param_nid
)) == NULL
)
339 EVP_PKEY_assign(pkey
, EVP_PKEY_DH
, dh
);
344 if (dctx
->rfc5114_param
) {
345 switch (dctx
->rfc5114_param
) {
347 dh
= DH_get_1024_160();
351 dh
= DH_get_2048_224();
355 dh
= DH_get_2048_256();
361 EVP_PKEY_assign(pkey
, EVP_PKEY_DHX
, dh
);
364 #endif /* FIPS_MODE */
366 if (ctx
->pkey_gencb
!= NULL
) {
367 pcb
= BN_GENCB_new();
370 evp_pkey_set_cb_translate(pcb
, ctx
);
373 dctx
->paramgen_type
= DH_PARAMGEN_TYPE_FIPS_186_4
;
374 # endif /* FIPS_MODE */
375 if (dctx
->paramgen_type
>= DH_PARAMGEN_TYPE_FIPS_186_2
) {
376 dh
= ffc_params_generate(NULL
, dctx
, pcb
);
380 EVP_PKEY_assign(pkey
, EVP_PKEY_DHX
, dh
);
388 ret
= DH_generate_parameters_ex(dh
,
389 dctx
->prime_len
, dctx
->generator
, pcb
);
392 EVP_PKEY_assign_DH(pkey
, dh
);
398 static int pkey_dh_keygen(EVP_PKEY_CTX
*ctx
, EVP_PKEY
*pkey
)
400 DH_PKEY_CTX
*dctx
= ctx
->data
;
403 if (ctx
->pkey
== NULL
&& dctx
->param_nid
== NID_undef
) {
404 DHerr(DH_F_PKEY_DH_KEYGEN
, DH_R_NO_PARAMETERS_SET
);
407 if (dctx
->param_nid
!= NID_undef
)
408 dh
= DH_new_by_nid(dctx
->param_nid
);
413 EVP_PKEY_assign(pkey
, ctx
->pmeth
->pkey_id
, dh
);
414 /* Note: if error return, pkey is freed by parent routine */
415 if (ctx
->pkey
!= NULL
&& !EVP_PKEY_copy_parameters(pkey
, ctx
->pkey
))
417 return DH_generate_key(pkey
->pkey
.dh
);
420 static int pkey_dh_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
425 DH_PKEY_CTX
*dctx
= ctx
->data
;
427 if (!ctx
->pkey
|| !ctx
->peerkey
) {
428 DHerr(DH_F_PKEY_DH_DERIVE
, DH_R_KEYS_NOT_SET
);
431 dh
= ctx
->pkey
->pkey
.dh
;
432 dhpub
= ctx
->peerkey
->pkey
.dh
->pub_key
;
433 if (dctx
->kdf_type
== EVP_PKEY_DH_KDF_NONE
) {
435 *keylen
= DH_size(dh
);
439 ret
= DH_compute_key_padded(key
, dhpub
, dh
);
441 ret
= DH_compute_key(key
, dhpub
, dh
);
447 #ifndef OPENSSL_NO_CMS
448 else if (dctx
->kdf_type
== EVP_PKEY_DH_KDF_X9_42
) {
450 unsigned char *Z
= NULL
;
452 if (!dctx
->kdf_outlen
|| !dctx
->kdf_oid
)
455 *keylen
= dctx
->kdf_outlen
;
458 if (*keylen
!= dctx
->kdf_outlen
)
462 Z
= OPENSSL_malloc(Zlen
);
466 if (DH_compute_key_padded(Z
, dhpub
, dh
) <= 0)
468 if (!DH_KDF_X9_42(key
, *keylen
, Z
, Zlen
, dctx
->kdf_oid
,
469 dctx
->kdf_ukm
, dctx
->kdf_ukmlen
, dctx
->kdf_md
))
471 *keylen
= dctx
->kdf_outlen
;
474 OPENSSL_clear_free(Z
, Zlen
);
481 static const EVP_PKEY_METHOD dh_pkey_meth
= {
515 const EVP_PKEY_METHOD
*dh_pkey_method(void)
517 return &dh_pkey_meth
;
520 static const EVP_PKEY_METHOD dhx_pkey_meth
= {
554 const EVP_PKEY_METHOD
*dhx_pkey_method(void)
556 return &dhx_pkey_meth
;