2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * DH & DSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
17 #include "internal/cryptlib.h"
18 #include <openssl/asn1t.h>
19 #include <openssl/x509.h>
20 #include <openssl/evp.h>
22 #include <openssl/bn.h>
23 #include <openssl/dsa.h>
24 #include <openssl/objects.h>
25 #include "crypto/evp.h"
27 /* DH pkey context structure */
30 /* Parameter gen parameters */
36 /* message digest used for parameter generation */
40 /* Keygen callback info */
42 /* KDF (if any) to use for DH */
44 /* OID to use for KDF */
46 /* Message digest to use for key derivation */
48 /* User key material */
49 unsigned char *kdf_ukm
;
51 /* KDF output length */
55 static int pkey_dh_init(EVP_PKEY_CTX
*ctx
)
59 if ((dctx
= OPENSSL_zalloc(sizeof(*dctx
))) == NULL
) {
60 DHerr(DH_F_PKEY_DH_INIT
, ERR_R_MALLOC_FAILURE
);
63 dctx
->prime_len
= 2048;
64 dctx
->subprime_len
= -1;
66 dctx
->kdf_type
= EVP_PKEY_DH_KDF_NONE
;
69 ctx
->keygen_info
= dctx
->gentmp
;
70 ctx
->keygen_info_count
= 2;
75 static void pkey_dh_cleanup(EVP_PKEY_CTX
*ctx
)
77 DH_PKEY_CTX
*dctx
= ctx
->data
;
80 OPENSSL_free(dctx
->kdf_ukm
);
81 ASN1_OBJECT_free(dctx
->kdf_oid
);
87 static int pkey_dh_copy(EVP_PKEY_CTX
*dst
, const EVP_PKEY_CTX
*src
)
89 DH_PKEY_CTX
*dctx
, *sctx
;
91 if (!pkey_dh_init(dst
))
95 dctx
->prime_len
= sctx
->prime_len
;
96 dctx
->subprime_len
= sctx
->subprime_len
;
97 dctx
->generator
= sctx
->generator
;
98 dctx
->paramgen_type
= sctx
->paramgen_type
;
99 dctx
->pad
= sctx
->pad
;
101 dctx
->rfc5114_param
= sctx
->rfc5114_param
;
102 dctx
->param_nid
= sctx
->param_nid
;
104 dctx
->kdf_type
= sctx
->kdf_type
;
105 dctx
->kdf_oid
= OBJ_dup(sctx
->kdf_oid
);
106 if (dctx
->kdf_oid
== NULL
)
108 dctx
->kdf_md
= sctx
->kdf_md
;
109 if (sctx
->kdf_ukm
!= NULL
) {
110 dctx
->kdf_ukm
= OPENSSL_memdup(sctx
->kdf_ukm
, sctx
->kdf_ukmlen
);
111 if (dctx
->kdf_ukm
== NULL
)
113 dctx
->kdf_ukmlen
= sctx
->kdf_ukmlen
;
115 dctx
->kdf_outlen
= sctx
->kdf_outlen
;
119 static int pkey_dh_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
121 DH_PKEY_CTX
*dctx
= ctx
->data
;
123 case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN
:
126 dctx
->prime_len
= p1
;
129 case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN
:
130 if (dctx
->paramgen_type
== DH_PARAMGEN_TYPE_GENERATOR
)
132 dctx
->subprime_len
= p1
;
135 case EVP_PKEY_CTRL_DH_PAD
:
139 case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR
:
140 if (dctx
->paramgen_type
!= DH_PARAMGEN_TYPE_GENERATOR
)
142 dctx
->generator
= p1
;
145 case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE
:
146 #ifdef OPENSSL_NO_DSA
147 if (p1
!= DH_PARAMGEN_TYPE_GENERATOR
)
150 if (p1
< 0 || p1
> 2)
153 dctx
->paramgen_type
= p1
;
156 case EVP_PKEY_CTRL_DH_RFC5114
:
157 if (p1
< 1 || p1
> 3 || dctx
->param_nid
!= NID_undef
)
159 dctx
->rfc5114_param
= p1
;
162 case EVP_PKEY_CTRL_DH_NID
:
163 if (p1
<= 0 || dctx
->rfc5114_param
!= 0)
165 dctx
->param_nid
= p1
;
168 case EVP_PKEY_CTRL_PEER_KEY
:
169 /* Default behaviour is OK */
172 case EVP_PKEY_CTRL_DH_KDF_TYPE
:
174 return dctx
->kdf_type
;
175 #ifdef OPENSSL_NO_CMS
176 if (p1
!= EVP_PKEY_DH_KDF_NONE
)
178 if (p1
!= EVP_PKEY_DH_KDF_NONE
&& p1
!= EVP_PKEY_DH_KDF_X9_42
)
184 case EVP_PKEY_CTRL_DH_KDF_MD
:
188 case EVP_PKEY_CTRL_GET_DH_KDF_MD
:
189 *(const EVP_MD
**)p2
= dctx
->kdf_md
;
192 case EVP_PKEY_CTRL_DH_KDF_OUTLEN
:
195 dctx
->kdf_outlen
= (size_t)p1
;
198 case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN
:
199 *(int *)p2
= dctx
->kdf_outlen
;
202 case EVP_PKEY_CTRL_DH_KDF_UKM
:
203 OPENSSL_free(dctx
->kdf_ukm
);
206 dctx
->kdf_ukmlen
= p1
;
208 dctx
->kdf_ukmlen
= 0;
211 case EVP_PKEY_CTRL_GET_DH_KDF_UKM
:
212 *(unsigned char **)p2
= dctx
->kdf_ukm
;
213 return dctx
->kdf_ukmlen
;
215 case EVP_PKEY_CTRL_DH_KDF_OID
:
216 ASN1_OBJECT_free(dctx
->kdf_oid
);
220 case EVP_PKEY_CTRL_GET_DH_KDF_OID
:
221 *(ASN1_OBJECT
**)p2
= dctx
->kdf_oid
;
230 static int pkey_dh_ctrl_str(EVP_PKEY_CTX
*ctx
,
231 const char *type
, const char *value
)
233 if (strcmp(type
, "dh_paramgen_prime_len") == 0) {
236 return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx
, len
);
238 if (strcmp(type
, "dh_rfc5114") == 0) {
239 DH_PKEY_CTX
*dctx
= ctx
->data
;
242 if (len
< 0 || len
> 3)
244 dctx
->rfc5114_param
= len
;
247 if (strcmp(type
, "dh_param") == 0) {
248 DH_PKEY_CTX
*dctx
= ctx
->data
;
249 int nid
= OBJ_sn2nid(value
);
251 if (nid
== NID_undef
) {
252 DHerr(DH_F_PKEY_DH_CTRL_STR
, DH_R_INVALID_PARAMETER_NAME
);
255 dctx
->param_nid
= nid
;
258 if (strcmp(type
, "dh_paramgen_generator") == 0) {
261 return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx
, len
);
263 if (strcmp(type
, "dh_paramgen_subprime_len") == 0) {
266 return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx
, len
);
268 if (strcmp(type
, "dh_paramgen_type") == 0) {
271 return EVP_PKEY_CTX_set_dh_paramgen_type(ctx
, typ
);
273 if (strcmp(type
, "dh_pad") == 0) {
276 return EVP_PKEY_CTX_set_dh_pad(ctx
, pad
);
281 static DH
*ffc_params_generate(OPENSSL_CTX
*libctx
, DH_PKEY_CTX
*dctx
,
287 int prime_len
= dctx
->prime_len
;
288 int subprime_len
= dctx
->subprime_len
;
289 const EVP_MD
*md
= dctx
->md
;
291 if (dctx
->paramgen_type
> DH_PARAMGEN_TYPE_FIPS_186_4
)
297 if (subprime_len
== -1) {
298 if (prime_len
>= 2048)
304 if (prime_len
>= 2048)
310 if (dctx
->paramgen_type
== DH_PARAMGEN_TYPE_FIPS_186_2
)
311 rv
= ffc_params_FIPS186_2_generate(libctx
, &ret
->params
,
313 prime_len
, subprime_len
, md
, &res
,
317 /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
318 if (dctx
->paramgen_type
>= DH_PARAMGEN_TYPE_FIPS_186_2
)
319 rv
= ffc_params_FIPS186_4_generate(libctx
, &ret
->params
,
321 prime_len
, subprime_len
, md
, &res
,
330 static int pkey_dh_paramgen(EVP_PKEY_CTX
*ctx
,
334 DH_PKEY_CTX
*dctx
= ctx
->data
;
335 BN_GENCB
*pcb
= NULL
;
339 * Look for a safe prime group for key establishment. Which uses
340 * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
342 if (dctx
->param_nid
!= NID_undef
) {
343 if ((dh
= DH_new_by_nid(dctx
->param_nid
)) == NULL
)
345 EVP_PKEY_assign(pkey
, EVP_PKEY_DH
, dh
);
350 if (dctx
->rfc5114_param
) {
351 switch (dctx
->rfc5114_param
) {
353 dh
= DH_get_1024_160();
357 dh
= DH_get_2048_224();
361 dh
= DH_get_2048_256();
367 EVP_PKEY_assign(pkey
, EVP_PKEY_DHX
, dh
);
370 #endif /* FIPS_MODE */
372 if (ctx
->pkey_gencb
!= NULL
) {
373 pcb
= BN_GENCB_new();
376 evp_pkey_set_cb_translate(pcb
, ctx
);
379 dctx
->paramgen_type
= DH_PARAMGEN_TYPE_FIPS_186_4
;
380 # endif /* FIPS_MODE */
381 if (dctx
->paramgen_type
>= DH_PARAMGEN_TYPE_FIPS_186_2
) {
382 dh
= ffc_params_generate(NULL
, dctx
, pcb
);
386 EVP_PKEY_assign(pkey
, EVP_PKEY_DHX
, dh
);
394 ret
= DH_generate_parameters_ex(dh
,
395 dctx
->prime_len
, dctx
->generator
, pcb
);
398 EVP_PKEY_assign_DH(pkey
, dh
);
404 static int pkey_dh_keygen(EVP_PKEY_CTX
*ctx
, EVP_PKEY
*pkey
)
406 DH_PKEY_CTX
*dctx
= ctx
->data
;
409 if (ctx
->pkey
== NULL
&& dctx
->param_nid
== NID_undef
) {
410 DHerr(DH_F_PKEY_DH_KEYGEN
, DH_R_NO_PARAMETERS_SET
);
413 if (dctx
->param_nid
!= NID_undef
)
414 dh
= DH_new_by_nid(dctx
->param_nid
);
419 EVP_PKEY_assign(pkey
, ctx
->pmeth
->pkey_id
, dh
);
420 /* Note: if error return, pkey is freed by parent routine */
421 if (ctx
->pkey
!= NULL
&& !EVP_PKEY_copy_parameters(pkey
, ctx
->pkey
))
423 return DH_generate_key(pkey
->pkey
.dh
);
426 static int pkey_dh_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
431 DH_PKEY_CTX
*dctx
= ctx
->data
;
433 if (!ctx
->pkey
|| !ctx
->peerkey
) {
434 DHerr(DH_F_PKEY_DH_DERIVE
, DH_R_KEYS_NOT_SET
);
437 dh
= ctx
->pkey
->pkey
.dh
;
438 dhpub
= ctx
->peerkey
->pkey
.dh
->pub_key
;
439 if (dctx
->kdf_type
== EVP_PKEY_DH_KDF_NONE
) {
441 *keylen
= DH_size(dh
);
445 ret
= DH_compute_key_padded(key
, dhpub
, dh
);
447 ret
= DH_compute_key(key
, dhpub
, dh
);
453 #ifndef OPENSSL_NO_CMS
454 else if (dctx
->kdf_type
== EVP_PKEY_DH_KDF_X9_42
) {
456 unsigned char *Z
= NULL
;
458 if (!dctx
->kdf_outlen
|| !dctx
->kdf_oid
)
461 *keylen
= dctx
->kdf_outlen
;
464 if (*keylen
!= dctx
->kdf_outlen
)
468 Z
= OPENSSL_malloc(Zlen
);
472 if (DH_compute_key_padded(Z
, dhpub
, dh
) <= 0)
474 if (!DH_KDF_X9_42(key
, *keylen
, Z
, Zlen
, dctx
->kdf_oid
,
475 dctx
->kdf_ukm
, dctx
->kdf_ukmlen
, dctx
->kdf_md
))
477 *keylen
= dctx
->kdf_outlen
;
480 OPENSSL_clear_free(Z
, Zlen
);
487 static const EVP_PKEY_METHOD dh_pkey_meth
= {
521 const EVP_PKEY_METHOD
*dh_pkey_method(void)
523 return &dh_pkey_meth
;
526 static const EVP_PKEY_METHOD dhx_pkey_meth
= {
560 const EVP_PKEY_METHOD
*dhx_pkey_method(void)
562 return &dhx_pkey_meth
;