2 * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * DH & DSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
17 #include "internal/cryptlib.h"
18 #include <openssl/asn1t.h>
19 #include <openssl/x509.h>
20 #include <openssl/evp.h>
22 #include <openssl/bn.h>
23 #include <openssl/dsa.h>
24 #include <openssl/objects.h>
25 #include "crypto/evp.h"
27 /* DH pkey context structure */
30 /* Parameter gen parameters */
36 /* message digest used for parameter generation */
40 /* Keygen callback info */
42 /* KDF (if any) to use for DH */
44 /* OID to use for KDF */
46 /* Message digest to use for key derivation */
48 /* User key material */
49 unsigned char *kdf_ukm
;
51 /* KDF output length */
55 static int pkey_dh_init(EVP_PKEY_CTX
*ctx
)
59 if ((dctx
= OPENSSL_zalloc(sizeof(*dctx
))) == NULL
) {
60 ERR_raise(ERR_LIB_DH
, ERR_R_MALLOC_FAILURE
);
63 dctx
->prime_len
= 2048;
64 dctx
->subprime_len
= -1;
66 dctx
->kdf_type
= EVP_PKEY_DH_KDF_NONE
;
69 ctx
->keygen_info
= dctx
->gentmp
;
70 ctx
->keygen_info_count
= 2;
75 static void pkey_dh_cleanup(EVP_PKEY_CTX
*ctx
)
77 DH_PKEY_CTX
*dctx
= ctx
->data
;
80 OPENSSL_free(dctx
->kdf_ukm
);
81 ASN1_OBJECT_free(dctx
->kdf_oid
);
87 static int pkey_dh_copy(EVP_PKEY_CTX
*dst
, const EVP_PKEY_CTX
*src
)
89 DH_PKEY_CTX
*dctx
, *sctx
;
91 if (!pkey_dh_init(dst
))
95 dctx
->prime_len
= sctx
->prime_len
;
96 dctx
->subprime_len
= sctx
->subprime_len
;
97 dctx
->generator
= sctx
->generator
;
98 dctx
->paramgen_type
= sctx
->paramgen_type
;
99 dctx
->pad
= sctx
->pad
;
101 dctx
->rfc5114_param
= sctx
->rfc5114_param
;
102 dctx
->param_nid
= sctx
->param_nid
;
104 dctx
->kdf_type
= sctx
->kdf_type
;
105 dctx
->kdf_oid
= OBJ_dup(sctx
->kdf_oid
);
106 if (dctx
->kdf_oid
== NULL
)
108 dctx
->kdf_md
= sctx
->kdf_md
;
109 if (sctx
->kdf_ukm
!= NULL
) {
110 dctx
->kdf_ukm
= OPENSSL_memdup(sctx
->kdf_ukm
, sctx
->kdf_ukmlen
);
111 if (dctx
->kdf_ukm
== NULL
)
113 dctx
->kdf_ukmlen
= sctx
->kdf_ukmlen
;
115 dctx
->kdf_outlen
= sctx
->kdf_outlen
;
119 static int pkey_dh_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
121 DH_PKEY_CTX
*dctx
= ctx
->data
;
123 case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN
:
126 dctx
->prime_len
= p1
;
129 case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN
:
130 if (dctx
->paramgen_type
== DH_PARAMGEN_TYPE_GENERATOR
)
132 dctx
->subprime_len
= p1
;
135 case EVP_PKEY_CTRL_DH_PAD
:
139 case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR
:
140 if (dctx
->paramgen_type
!= DH_PARAMGEN_TYPE_GENERATOR
)
142 dctx
->generator
= p1
;
145 case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE
:
146 #ifdef OPENSSL_NO_DSA
147 if (p1
!= DH_PARAMGEN_TYPE_GENERATOR
)
150 if (p1
< 0 || p1
> 2)
153 dctx
->paramgen_type
= p1
;
156 case EVP_PKEY_CTRL_DH_RFC5114
:
157 if (p1
< 1 || p1
> 3 || dctx
->param_nid
!= NID_undef
)
159 dctx
->rfc5114_param
= p1
;
162 case EVP_PKEY_CTRL_DH_NID
:
163 if (p1
<= 0 || dctx
->rfc5114_param
!= 0)
165 dctx
->param_nid
= p1
;
168 case EVP_PKEY_CTRL_PEER_KEY
:
169 /* Default behaviour is OK */
172 case EVP_PKEY_CTRL_DH_KDF_TYPE
:
174 return dctx
->kdf_type
;
175 if (p1
!= EVP_PKEY_DH_KDF_NONE
&& p1
!= EVP_PKEY_DH_KDF_X9_42
)
180 case EVP_PKEY_CTRL_DH_KDF_MD
:
184 case EVP_PKEY_CTRL_GET_DH_KDF_MD
:
185 *(const EVP_MD
**)p2
= dctx
->kdf_md
;
188 case EVP_PKEY_CTRL_DH_KDF_OUTLEN
:
191 dctx
->kdf_outlen
= (size_t)p1
;
194 case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN
:
195 *(int *)p2
= dctx
->kdf_outlen
;
198 case EVP_PKEY_CTRL_DH_KDF_UKM
:
199 OPENSSL_free(dctx
->kdf_ukm
);
202 dctx
->kdf_ukmlen
= p1
;
204 dctx
->kdf_ukmlen
= 0;
207 case EVP_PKEY_CTRL_GET_DH_KDF_UKM
:
208 *(unsigned char **)p2
= dctx
->kdf_ukm
;
209 return dctx
->kdf_ukmlen
;
211 case EVP_PKEY_CTRL_DH_KDF_OID
:
212 ASN1_OBJECT_free(dctx
->kdf_oid
);
216 case EVP_PKEY_CTRL_GET_DH_KDF_OID
:
217 *(ASN1_OBJECT
**)p2
= dctx
->kdf_oid
;
226 static int pkey_dh_ctrl_str(EVP_PKEY_CTX
*ctx
,
227 const char *type
, const char *value
)
229 if (strcmp(type
, "dh_paramgen_prime_len") == 0) {
232 return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx
, len
);
234 if (strcmp(type
, "dh_rfc5114") == 0) {
235 DH_PKEY_CTX
*dctx
= ctx
->data
;
238 if (len
< 0 || len
> 3)
240 dctx
->rfc5114_param
= len
;
243 if (strcmp(type
, "dh_param") == 0) {
244 DH_PKEY_CTX
*dctx
= ctx
->data
;
245 int nid
= OBJ_sn2nid(value
);
247 if (nid
== NID_undef
) {
248 ERR_raise(ERR_LIB_DH
, DH_R_INVALID_PARAMETER_NAME
);
251 dctx
->param_nid
= nid
;
254 if (strcmp(type
, "dh_paramgen_generator") == 0) {
257 return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx
, len
);
259 if (strcmp(type
, "dh_paramgen_subprime_len") == 0) {
262 return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx
, len
);
264 if (strcmp(type
, "dh_paramgen_type") == 0) {
267 return EVP_PKEY_CTX_set_dh_paramgen_type(ctx
, typ
);
269 if (strcmp(type
, "dh_pad") == 0) {
272 return EVP_PKEY_CTX_set_dh_pad(ctx
, pad
);
277 static DH
*ffc_params_generate(OSSL_LIB_CTX
*libctx
, DH_PKEY_CTX
*dctx
,
283 int prime_len
= dctx
->prime_len
;
284 int subprime_len
= dctx
->subprime_len
;
286 if (dctx
->paramgen_type
> DH_PARAMGEN_TYPE_FIPS_186_4
)
292 if (subprime_len
== -1) {
293 if (prime_len
>= 2048)
299 if (dctx
->md
!= NULL
)
300 ossl_ffc_set_digest(&ret
->params
, EVP_MD_name(dctx
->md
), NULL
);
303 if (dctx
->paramgen_type
== DH_PARAMGEN_TYPE_FIPS_186_2
)
304 rv
= ossl_ffc_params_FIPS186_2_generate(libctx
, &ret
->params
,
306 prime_len
, subprime_len
, &res
,
310 /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
311 if (dctx
->paramgen_type
>= DH_PARAMGEN_TYPE_FIPS_186_2
)
312 rv
= ossl_ffc_params_FIPS186_4_generate(libctx
, &ret
->params
,
314 prime_len
, subprime_len
, &res
,
323 static int pkey_dh_paramgen(EVP_PKEY_CTX
*ctx
,
327 DH_PKEY_CTX
*dctx
= ctx
->data
;
328 BN_GENCB
*pcb
= NULL
;
332 * Look for a safe prime group for key establishment. Which uses
333 * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
335 if (dctx
->param_nid
!= NID_undef
) {
336 if ((dh
= DH_new_by_nid(dctx
->param_nid
)) == NULL
)
338 EVP_PKEY_assign(pkey
, EVP_PKEY_DH
, dh
);
343 if (dctx
->rfc5114_param
) {
344 switch (dctx
->rfc5114_param
) {
346 dh
= DH_get_1024_160();
350 dh
= DH_get_2048_224();
354 dh
= DH_get_2048_256();
360 EVP_PKEY_assign(pkey
, EVP_PKEY_DHX
, dh
);
363 #endif /* FIPS_MODULE */
365 if (ctx
->pkey_gencb
!= NULL
) {
366 pcb
= BN_GENCB_new();
369 evp_pkey_set_cb_translate(pcb
, ctx
);
372 dctx
->paramgen_type
= DH_PARAMGEN_TYPE_FIPS_186_4
;
373 # endif /* FIPS_MODULE */
374 if (dctx
->paramgen_type
>= DH_PARAMGEN_TYPE_FIPS_186_2
) {
375 dh
= ffc_params_generate(NULL
, dctx
, pcb
);
379 EVP_PKEY_assign(pkey
, EVP_PKEY_DHX
, dh
);
387 ret
= DH_generate_parameters_ex(dh
,
388 dctx
->prime_len
, dctx
->generator
, pcb
);
391 EVP_PKEY_assign_DH(pkey
, dh
);
397 static int pkey_dh_keygen(EVP_PKEY_CTX
*ctx
, EVP_PKEY
*pkey
)
399 DH_PKEY_CTX
*dctx
= ctx
->data
;
402 if (ctx
->pkey
== NULL
&& dctx
->param_nid
== NID_undef
) {
403 ERR_raise(ERR_LIB_DH
, DH_R_NO_PARAMETERS_SET
);
406 if (dctx
->param_nid
!= NID_undef
)
407 dh
= DH_new_by_nid(dctx
->param_nid
);
412 EVP_PKEY_assign(pkey
, ctx
->pmeth
->pkey_id
, dh
);
413 /* Note: if error return, pkey is freed by parent routine */
414 if (ctx
->pkey
!= NULL
&& !EVP_PKEY_copy_parameters(pkey
, ctx
->pkey
))
416 return DH_generate_key(pkey
->pkey
.dh
);
419 static int pkey_dh_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
425 DH_PKEY_CTX
*dctx
= ctx
->data
;
428 if (ctx
->pkey
== NULL
|| ctx
->peerkey
== NULL
) {
429 ERR_raise(ERR_LIB_DH
, DH_R_KEYS_NOT_SET
);
432 dh
= ctx
->pkey
->pkey
.dh
;
433 dhpub
= EVP_PKEY_get0_DH(ctx
->peerkey
);
435 ERR_raise(ERR_LIB_DH
, DH_R_KEYS_NOT_SET
);
438 dhpubbn
= dhpub
->pub_key
;
439 if (dctx
->kdf_type
== EVP_PKEY_DH_KDF_NONE
) {
441 *keylen
= DH_size(dh
);
445 ret
= DH_compute_key_padded(key
, dhpubbn
, dh
);
447 ret
= DH_compute_key(key
, dhpubbn
, dh
);
453 else if (dctx
->kdf_type
== EVP_PKEY_DH_KDF_X9_42
) {
455 unsigned char *Z
= NULL
;
457 if (!dctx
->kdf_outlen
|| !dctx
->kdf_oid
)
460 *keylen
= dctx
->kdf_outlen
;
463 if (*keylen
!= dctx
->kdf_outlen
)
466 if ((Zlen
= DH_size(dh
)) <= 0)
468 if ((Z
= OPENSSL_malloc(Zlen
)) == NULL
) {
469 ERR_raise(ERR_LIB_DH
, ERR_R_MALLOC_FAILURE
);
472 if (DH_compute_key_padded(Z
, dhpubbn
, dh
) <= 0)
474 if (!DH_KDF_X9_42(key
, *keylen
, Z
, Zlen
, dctx
->kdf_oid
,
475 dctx
->kdf_ukm
, dctx
->kdf_ukmlen
, dctx
->kdf_md
))
477 *keylen
= dctx
->kdf_outlen
;
480 OPENSSL_clear_free(Z
, Zlen
);
486 static const EVP_PKEY_METHOD dh_pkey_meth
= {
520 const EVP_PKEY_METHOD
*ossl_dh_pkey_method(void)
522 return &dh_pkey_meth
;
525 static const EVP_PKEY_METHOD dhx_pkey_meth
= {
559 const EVP_PKEY_METHOD
*ossl_dhx_pkey_method(void)
561 return &dhx_pkey_meth
;