X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=apps%2Fdhparam.c;h=3e5f4095a9eb28132d14437069ab1293980794e1;hb=a96e6c347bc1da9964ffe941608b11cf030320ef;hp=28ae6c30f0dbd1f275ea1009742f42c9bc13df5d;hpb=3ee1eac27a2e3120fbdc60e12db091c082b8de21;p=openssl.git diff --git a/apps/dhparam.c b/apps/dhparam.c index 28ae6c30f0..3e5f4095a9 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -1,67 +1,83 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ +#ifndef OPENSSL_NO_DEPRECATED_3_0 +/* We need to use some deprecated APIs */ +# define OPENSSL_SUPPRESS_DEPRECATED +#endif #include -#ifdef OPENSSL_NO_DH -NON_EMPTY_TRANSLATION_UNIT -#else - -# include -# include -# include -# include -# include "apps.h" -# include -# include -# include -# include -# include -# include - -# ifndef OPENSSL_NO_DSA -# include -# endif -# define DEFBITS 2048 +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include + +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) +# include +#endif + +#define DEFBITS 2048 +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) static int dh_cb(int p, int n, BN_GENCB *cb); +#endif +static int gendh_cb(EVP_PKEY_CTX *ctx); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT, - OPT_DSAPARAM, OPT_C, OPT_2, OPT_5, - OPT_R_ENUM + OPT_DSAPARAM, OPT_C, OPT_2, OPT_3, OPT_5, + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS dhparam_options[] = { - {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"}, - {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"}, + + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"check", OPT_CHECK, '-', "Check the DH parameters"}, +#ifndef OPENSSL_NO_DSA + {"dsaparam", OPT_DSAPARAM, '-', + "Read or generate DSA parameters, convert to DH"}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +#endif + + OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"}, - {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"}, + + OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file"}, - {"check", OPT_CHECK, '-', "Check the DH parameters"}, + {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"}, {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"}, {"noout", OPT_NOOUT, '-', "Don't output any DH parameters"}, - OPT_R_OPTIONS, {"C", OPT_C, '-', "Print C code"}, {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"}, + {"3", OPT_3, '-', "Generate parameters using 3 as the generator value"}, {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"}, -# ifndef OPENSSL_NO_DSA - {"dsaparam", OPT_DSAPARAM, '-', - "Read or generate DSA parameters, convert to DH"}, -# endif -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif + + OPT_R_OPTIONS, + OPT_PROV_OPTIONS, + + OPT_PARAMETERS(), + {"numbits", 0, 0, "Number of bits if generating parameters (optional)"}, {NULL} }; @@ -69,9 +85,11 @@ int dhparam_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; DH *dh = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; char *infile = NULL, *outfile = NULL, *prog; ENGINE *e = NULL; -#ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) int dsaparam = 0; #endif int i, text = 0, C = 0, ret = 1, num = 0, g = 0; @@ -115,7 +133,11 @@ int dhparam_main(int argc, char **argv) break; case OPT_DSAPARAM: #ifndef OPENSSL_NO_DSA +# ifdef OPENSSL_NO_DEPRECATED_3_0 + BIO_printf(bio_err, "The dsaparam option is deprecated.\n"); +# else dsaparam = 1; +# endif #endif break; case OPT_C: @@ -124,6 +146,9 @@ int dhparam_main(int argc, char **argv) case OPT_2: g = 2; break; + case OPT_3: + g = 3; + break; case OPT_5: g = 5; break; @@ -134,6 +159,10 @@ int dhparam_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); @@ -145,31 +174,36 @@ int dhparam_main(int argc, char **argv) if (g && !num) num = DEFBITS; -# ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (dsaparam && g) { BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n"); goto end; } -# endif +#endif + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + /* DH parameters */ if (num && !g) g = 2; if (num) { - BN_GENCB *cb; - cb = BN_GENCB_new(); - if (cb == NULL) { - ERR_print_errors(bio_err); - goto end; - } - - BN_GENCB_set(cb, dh_cb, bio_err); -# ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (dsaparam) { DSA *dsa = DSA_new(); + BN_GENCB *cb = BN_GENCB_new(); + + if (cb == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + BN_GENCB_set(cb, dh_cb, bio_err); BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", num); @@ -184,34 +218,51 @@ int dhparam_main(int argc, char **argv) dh = DSA_dup_DH(dsa); DSA_free(dsa); + BN_GENCB_free(cb); if (dh == NULL) { - BN_GENCB_free(cb); ERR_print_errors(bio_err); goto end; } } else -# endif +#endif { - dh = DH_new(); + ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); + if (ctx == NULL) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, + "Error, DH key generation context allocation failed\n"); + goto end; + } + EVP_PKEY_CTX_set_cb(ctx, gendh_cb); + EVP_PKEY_CTX_set_app_data(ctx, bio_err); BIO_printf(bio_err, "Generating DH parameters, %d bit long safe prime, generator %d\n", num, g); BIO_printf(bio_err, "This is going to take a long time\n"); - if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) { - BN_GENCB_free(cb); + if (!EVP_PKEY_paramgen_init(ctx)) { + BIO_printf(bio_err, + "Error, unable to initialise DH param generation\n"); ERR_print_errors(bio_err); goto end; } - } - BN_GENCB_free(cb); + if (!EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, num)) { + BIO_printf(bio_err, "Error, unable to set DH prime length\n"); + ERR_print_errors(bio_err); + goto end; + } + if (!EVP_PKEY_paramgen(ctx, &pkey)) { + BIO_printf(bio_err, "Error, DH generation failed\n"); + ERR_print_errors(bio_err); + goto end; + } + } } else { - in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; -# ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (dsaparam) { DSA *dsa; @@ -233,17 +284,17 @@ int dhparam_main(int argc, char **argv) goto end; } } else -# endif +#endif { if (informat == FORMAT_ASN1) { /* * We have no PEM header to determine what type of DH params it * is. We'll just try both. */ - dh = d2i_DHparams_bio(in, NULL); + dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHparams, in, NULL); /* BIO_reset() returns 0 for success for file BIOs only!!! */ if (dh == NULL && BIO_reset(in) == 0) - dh = d2i_DHxparams_bio(in, NULL); + dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, in, NULL); } else { /* informat == FORMAT_PEM */ dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); @@ -255,41 +306,20 @@ int dhparam_main(int argc, char **argv) goto end; } } - /* dh != NULL */ } - out = bio_open_default(outfile, 'w', outformat); - if (out == NULL) - goto end; - - if (text) { - DHparams_print(out, dh); - } + if (text) + EVP_PKEY_print_params(out, pkey, 4, NULL); if (check) { - if (!DH_check(dh, &i)) { + if (!EVP_PKEY_param_check(ctx) /* DH_check(dh, &i) */) { ERR_print_errors(bio_err); + BIO_printf(bio_err, "ERROR: Invalid parameters generated\n"); goto end; } - if (i & DH_CHECK_P_NOT_PRIME) - BIO_printf(bio_err, "WARNING: p value is not prime\n"); - if (i & DH_CHECK_P_NOT_SAFE_PRIME) - BIO_printf(bio_err, "WARNING: p value is not a safe prime\n"); - if (i & DH_CHECK_Q_NOT_PRIME) - BIO_printf(bio_err, "WARNING: q value is not a prime\n"); - if (i & DH_CHECK_INVALID_Q_VALUE) - BIO_printf(bio_err, "WARNING: q value is invalid\n"); - if (i & DH_CHECK_INVALID_J_VALUE) - BIO_printf(bio_err, "WARNING: j value is invalid\n"); - if (i & DH_UNABLE_TO_CHECK_GENERATOR) - BIO_printf(bio_err, - "WARNING: unable to check the generator value\n"); - if (i & DH_NOT_SUITABLE_GENERATOR) - BIO_printf(bio_err, "WARNING: the g value is not a generator\n"); - if (i == 0) - BIO_printf(bio_err, "DH parameters appear to be ok.\n"); - if (num != 0 && i != 0) { + BIO_printf(bio_err, "DH parameters appear to be ok.\n"); + if (num != 0) { /* * We have generated parameters but DH_check() indicates they are * invalid! This should never happen! @@ -303,37 +333,36 @@ int dhparam_main(int argc, char **argv) int len, bits; const BIGNUM *pbn, *gbn; - len = DH_size(dh); - bits = DH_bits(dh); + dh = EVP_PKEY_get0_DH(pkey); + len = EVP_PKEY_size(pkey); + bits = EVP_PKEY_size(pkey); DH_get0_pqg(dh, &pbn, NULL, &gbn); data = app_malloc(len, "print a BN"); - BIO_printf(out, "#ifndef HEADER_DH_H\n" - "# include \n" - "#endif\n" - "\n"); - BIO_printf(out, "DH *get_dh%d()\n{\n", bits); + + BIO_printf(out, "static DH *get_dh%d(void)\n{\n", bits); print_bignum_var(out, pbn, "dhp", bits, data); print_bignum_var(out, gbn, "dhg", bits, data); BIO_printf(out, " DH *dh = DH_new();\n" - " BIGNUM *dhp_bn, *dhg_bn;\n" + " BIGNUM *p, *g;\n" "\n" " if (dh == NULL)\n" " return NULL;\n"); - BIO_printf(out, " dhp_bn = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n", + BIO_printf(out, " p = BN_bin2bn(dhp_%d, sizeof(dhp_%d), NULL);\n", bits, bits); - BIO_printf(out, " dhg_bn = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n", + BIO_printf(out, " g = BN_bin2bn(dhg_%d, sizeof(dhg_%d), NULL);\n", bits, bits); - BIO_printf(out, " if (dhp_bn == NULL || dhg_bn == NULL\n" - " || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {\n" + BIO_printf(out, " if (p == NULL || g == NULL\n" + " || !DH_set0_pqg(dh, p, NULL, g)) {\n" " DH_free(dh);\n" - " BN_free(dhp_bn);\n" - " BN_free(dhg_bn);\n" + " BN_free(p);\n" + " BN_free(g);\n" " return NULL;\n" " }\n"); if (DH_get_length(dh) > 0) BIO_printf(out, " if (!DH_set_length(dh, %ld)) {\n" " DH_free(dh);\n" + " return NULL;\n" " }\n", DH_get_length(dh)); BIO_printf(out, " return dh;\n}\n"); OPENSSL_free(data); @@ -344,9 +373,9 @@ int dhparam_main(int argc, char **argv) DH_get0_pqg(dh, NULL, &q, NULL); if (outformat == FORMAT_ASN1) { if (q != NULL) - i = i2d_DHxparams_bio(out, dh); + i = ASN1_i2d_bio_of(DH, i2d_DHxparams, out, dh); else - i = i2d_DHparams_bio(out, dh); + i = ASN1_i2d_bio_of(DH, i2d_DHparams, out, dh); } else if (q != NULL) { i = PEM_write_bio_DHxparams(out, dh); } else { @@ -362,25 +391,31 @@ int dhparam_main(int argc, char **argv) end: BIO_free(in); BIO_free_all(out); - DH_free(dh); + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(ctx); release_engine(e); - return (ret); + return ret; } -static int dh_cb(int p, int n, BN_GENCB *cb) +static int common_dh_cb(int p, BIO *b) { - char c = '*'; - - if (p == 0) - c = '.'; - if (p == 1) - c = '+'; - if (p == 2) - c = '*'; - if (p == 3) - c = '\n'; - BIO_write(BN_GENCB_get_arg(cb), &c, 1); - (void)BIO_flush(BN_GENCB_get_arg(cb)); + static const char symbols[] = ".+*\n"; + char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?'; + + BIO_write(b, &c, 1); + (void)BIO_flush(b); return 1; } + +#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0) +static int dh_cb(int p, int n, BN_GENCB *cb) +{ + return common_dh_cb(p, BN_GENCB_get_arg(cb)); +} #endif + +static int gendh_cb(EVP_PKEY_CTX *ctx) +{ + return common_dh_cb(EVP_PKEY_CTX_get_keygen_info(ctx, 0), + EVP_PKEY_CTX_get_app_data(ctx)); +}