2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/asn1t.h>
13 #include <openssl/x509.h>
14 #include <openssl/evp.h>
16 #include <openssl/bn.h>
17 #include <openssl/dsa.h>
18 #include <openssl/objects.h>
19 #include "internal/evp_int.h"
21 /* DH pkey context structure */
24 /* Parameter gen parameters */
29 /* message digest used for parameter generation */
33 /* Keygen callback info */
35 /* KDF (if any) to use for DH */
37 /* OID to use for KDF */
39 /* Message digest to use for key derivation */
41 /* User key material */
42 unsigned char *kdf_ukm;
44 /* KDF output length */
48 static int pkey_dh_init(EVP_PKEY_CTX *ctx)
52 dctx = OPENSSL_zalloc(sizeof(*dctx));
55 dctx->prime_len = 1024;
56 dctx->subprime_len = -1;
58 dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
61 ctx->keygen_info = dctx->gentmp;
62 ctx->keygen_info_count = 2;
67 static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
69 DH_PKEY_CTX *dctx = ctx->data;
71 OPENSSL_free(dctx->kdf_ukm);
72 ASN1_OBJECT_free(dctx->kdf_oid);
78 static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
80 DH_PKEY_CTX *dctx, *sctx;
81 if (!pkey_dh_init(dst))
85 dctx->prime_len = sctx->prime_len;
86 dctx->subprime_len = sctx->subprime_len;
87 dctx->generator = sctx->generator;
88 dctx->use_dsa = sctx->use_dsa;
90 dctx->rfc5114_param = sctx->rfc5114_param;
91 dctx->param_nid = sctx->param_nid;
93 dctx->kdf_type = sctx->kdf_type;
94 dctx->kdf_oid = OBJ_dup(sctx->kdf_oid);
95 if (dctx->kdf_oid == NULL)
97 dctx->kdf_md = sctx->kdf_md;
98 if (sctx->kdf_ukm != NULL) {
99 dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
100 if (dctx->kdf_ukm == NULL)
102 dctx->kdf_ukmlen = sctx->kdf_ukmlen;
104 dctx->kdf_outlen = sctx->kdf_outlen;
108 static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
110 DH_PKEY_CTX *dctx = ctx->data;
112 case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN:
115 dctx->prime_len = p1;
118 case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN:
119 if (dctx->use_dsa == 0)
121 dctx->subprime_len = p1;
124 case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR:
127 dctx->generator = p1;
130 case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE:
131 #ifdef OPENSSL_NO_DSA
135 if (p1 < 0 || p1 > 2)
141 case EVP_PKEY_CTRL_DH_RFC5114:
142 if (p1 < 1 || p1 > 3 || dctx->param_nid != NID_undef)
144 dctx->rfc5114_param = p1;
147 case EVP_PKEY_CTRL_DH_NID:
148 if (p1 <= 0 || dctx->rfc5114_param != 0)
150 dctx->param_nid = p1;
153 case EVP_PKEY_CTRL_PEER_KEY:
154 /* Default behaviour is OK */
157 case EVP_PKEY_CTRL_DH_KDF_TYPE:
159 return dctx->kdf_type;
160 #ifdef OPENSSL_NO_CMS
161 if (p1 != EVP_PKEY_DH_KDF_NONE)
163 if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
169 case EVP_PKEY_CTRL_DH_KDF_MD:
173 case EVP_PKEY_CTRL_GET_DH_KDF_MD:
174 *(const EVP_MD **)p2 = dctx->kdf_md;
177 case EVP_PKEY_CTRL_DH_KDF_OUTLEN:
180 dctx->kdf_outlen = (size_t)p1;
183 case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN:
184 *(int *)p2 = dctx->kdf_outlen;
187 case EVP_PKEY_CTRL_DH_KDF_UKM:
188 OPENSSL_free(dctx->kdf_ukm);
191 dctx->kdf_ukmlen = p1;
193 dctx->kdf_ukmlen = 0;
196 case EVP_PKEY_CTRL_GET_DH_KDF_UKM:
197 *(unsigned char **)p2 = dctx->kdf_ukm;
198 return dctx->kdf_ukmlen;
200 case EVP_PKEY_CTRL_DH_KDF_OID:
201 ASN1_OBJECT_free(dctx->kdf_oid);
205 case EVP_PKEY_CTRL_GET_DH_KDF_OID:
206 *(ASN1_OBJECT **)p2 = dctx->kdf_oid;
215 static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
216 const char *type, const char *value)
218 if (strcmp(type, "dh_paramgen_prime_len") == 0) {
221 return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
223 if (strcmp(type, "dh_rfc5114") == 0) {
224 DH_PKEY_CTX *dctx = ctx->data;
227 if (len < 0 || len > 3)
229 dctx->rfc5114_param = len;
232 if (strcmp(type, "dh_param") == 0) {
233 DH_PKEY_CTX *dctx = ctx->data;
234 int nid = OBJ_sn2nid(value);
236 if (nid == NID_undef) {
237 DHerr(DH_F_PKEY_DH_CTRL_STR, DH_R_INVALID_PARAMETER_NAME);
240 dctx->param_nid = nid;
243 if (strcmp(type, "dh_paramgen_generator") == 0) {
246 return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len);
248 if (strcmp(type, "dh_paramgen_subprime_len") == 0) {
251 return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len);
253 if (strcmp(type, "dh_paramgen_type") == 0) {
256 return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ);
261 #ifndef OPENSSL_NO_DSA
263 extern int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
265 const unsigned char *seed_in, size_t seed_len,
266 unsigned char *seed_out, int *counter_ret,
267 unsigned long *h_ret, BN_GENCB *cb);
269 extern int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
271 const unsigned char *seed_in,
272 size_t seed_len, int idx,
273 unsigned char *seed_out, int *counter_ret,
274 unsigned long *h_ret, BN_GENCB *cb);
276 static DSA *dsa_dh_generate(DH_PKEY_CTX *dctx, BN_GENCB *pcb)
280 int prime_len = dctx->prime_len;
281 int subprime_len = dctx->subprime_len;
282 const EVP_MD *md = dctx->md;
283 if (dctx->use_dsa > 2)
288 if (subprime_len == -1) {
289 if (prime_len >= 2048)
295 if (prime_len >= 2048)
300 if (dctx->use_dsa == 1)
301 rv = dsa_builtin_paramgen(ret, prime_len, subprime_len, md,
302 NULL, 0, NULL, NULL, NULL, pcb);
303 else if (dctx->use_dsa == 2)
304 rv = dsa_builtin_paramgen2(ret, prime_len, subprime_len, md,
305 NULL, 0, -1, NULL, NULL, NULL, pcb);
315 static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
318 DH_PKEY_CTX *dctx = ctx->data;
321 if (dctx->rfc5114_param) {
322 switch (dctx->rfc5114_param) {
324 dh = DH_get_1024_160();
328 dh = DH_get_2048_224();
332 dh = DH_get_2048_256();
338 EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
342 if (dctx->param_nid != 0) {
343 if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL)
345 EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh);
349 if (ctx->pkey_gencb) {
350 pcb = BN_GENCB_new();
353 evp_pkey_set_cb_translate(pcb, ctx);
356 #ifndef OPENSSL_NO_DSA
359 dsa_dh = dsa_dh_generate(dctx, pcb);
363 dh = DSA_dup_DH(dsa_dh);
367 EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
376 ret = DH_generate_parameters_ex(dh,
377 dctx->prime_len, dctx->generator, pcb);
380 EVP_PKEY_assign_DH(pkey, dh);
386 static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
388 DH_PKEY_CTX *dctx = ctx->data;
391 if (ctx->pkey == NULL && dctx->param_nid == 0) {
392 DHerr(DH_F_PKEY_DH_KEYGEN, DH_R_NO_PARAMETERS_SET);
395 if (dctx->param_nid != 0)
396 dh = DH_new_by_nid(dctx->param_nid);
401 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh);
402 /* Note: if error return, pkey is freed by parent routine */
403 if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey))
405 return DH_generate_key(pkey->pkey.dh);
408 static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
413 DH_PKEY_CTX *dctx = ctx->data;
415 if (!ctx->pkey || !ctx->peerkey) {
416 DHerr(DH_F_PKEY_DH_DERIVE, DH_R_KEYS_NOT_SET);
419 dh = ctx->pkey->pkey.dh;
420 dhpub = ctx->peerkey->pkey.dh->pub_key;
421 if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
423 *keylen = DH_size(dh);
426 ret = DH_compute_key(key, dhpub, dh);
432 #ifndef OPENSSL_NO_CMS
433 else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
435 unsigned char *Z = NULL;
437 if (!dctx->kdf_outlen || !dctx->kdf_oid)
440 *keylen = dctx->kdf_outlen;
443 if (*keylen != dctx->kdf_outlen)
447 Z = OPENSSL_malloc(Zlen);
451 if (DH_compute_key_padded(Z, dhpub, dh) <= 0)
453 if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,
454 dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
456 *keylen = dctx->kdf_outlen;
459 OPENSSL_clear_free(Z, Zlen);
466 const EVP_PKEY_METHOD dh_pkey_meth = {
500 const EVP_PKEY_METHOD dhx_pkey_meth = {