2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * DH low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
17 #include <openssl/x509.h>
18 #include <openssl/asn1.h>
19 #include <openssl/bn.h>
20 #include <openssl/core_names.h>
21 #include <openssl/param_build.h>
22 #include "internal/ffc.h"
23 #include "internal/cryptlib.h"
24 #include "crypto/asn1.h"
25 #include "crypto/dh.h"
26 #include "crypto/evp.h"
30 * i2d/d2i like DH parameter functions which use the appropriate routine for
31 * PKCS#3 DH or X9.42 DH.
34 static DH *d2i_dhp(const EVP_PKEY *pkey, const unsigned char **pp,
38 int is_dhx = (pkey->ameth == &dhx_asn1_meth);
41 dh = d2i_DHxparams(NULL, pp, length);
43 dh = d2i_DHparams(NULL, pp, length);
48 static int i2d_dhp(const EVP_PKEY *pkey, const DH *a, unsigned char **pp)
50 if (pkey->ameth == &dhx_asn1_meth)
51 return i2d_DHxparams(a, pp);
52 return i2d_DHparams(a, pp);
55 static void int_dh_free(EVP_PKEY *pkey)
57 DH_free(pkey->pkey.dh);
60 static int dh_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
62 const unsigned char *p, *pm;
66 const ASN1_STRING *pstr;
68 ASN1_INTEGER *public_key = NULL;
72 if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
74 X509_ALGOR_get0(NULL, &ptype, &pval, palg);
76 if (ptype != V_ASN1_SEQUENCE) {
77 ERR_raise(ERR_LIB_DH, DH_R_PARAMETER_ENCODING_ERROR);
85 if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL) {
86 ERR_raise(ERR_LIB_DH, DH_R_DECODE_ERROR);
90 if ((public_key = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) {
91 ERR_raise(ERR_LIB_DH, DH_R_DECODE_ERROR);
95 /* We have parameters now set public key */
96 if ((dh->pub_key = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) {
97 ERR_raise(ERR_LIB_DH, DH_R_BN_DECODE_ERROR);
101 ASN1_INTEGER_free(public_key);
102 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh);
106 ASN1_INTEGER_free(public_key);
111 static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
115 unsigned char *penc = NULL;
118 ASN1_INTEGER *pub_key = NULL;
122 str = ASN1_STRING_new();
124 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
127 str->length = i2d_dhp(pkey, dh, &str->data);
128 if (str->length <= 0) {
129 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
132 ptype = V_ASN1_SEQUENCE;
134 pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL);
138 penclen = i2d_ASN1_INTEGER(pub_key, &penc);
140 ASN1_INTEGER_free(pub_key);
143 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
147 if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
148 ptype, str, penc, penclen))
153 ASN1_STRING_free(str);
159 * PKCS#8 DH is defined in PKCS#11 of all places. It is similar to DH in that
160 * the AlgorithmIdentifier contains the parameters, the private key is
161 * explicitly included and the pubkey must be recalculated.
164 static int dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
166 const unsigned char *p, *pm;
170 const ASN1_STRING *pstr;
171 const X509_ALGOR *palg;
172 ASN1_INTEGER *privkey = NULL;
175 if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
178 X509_ALGOR_get0(NULL, &ptype, &pval, palg);
180 if (ptype != V_ASN1_SEQUENCE)
182 if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)
187 pmlen = pstr->length;
188 if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL)
191 /* We have parameters now set private key */
192 if ((dh->priv_key = BN_secure_new()) == NULL
193 || !ASN1_INTEGER_to_BN(privkey, dh->priv_key)) {
194 ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR);
197 /* Calculate public key, increments dirty_cnt */
198 if (!DH_generate_key(dh))
201 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh);
203 ASN1_STRING_clear_free(privkey);
208 ERR_raise(ERR_LIB_DH, EVP_R_DECODE_ERROR);
211 ASN1_STRING_clear_free(privkey);
215 static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
217 ASN1_STRING *params = NULL;
218 ASN1_INTEGER *prkey = NULL;
219 unsigned char *dp = NULL;
222 params = ASN1_STRING_new();
224 if (params == NULL) {
225 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
229 params->length = i2d_dhp(pkey, pkey->pkey.dh, ¶ms->data);
230 if (params->length <= 0) {
231 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
234 params->type = V_ASN1_SEQUENCE;
236 /* Get private key into integer */
237 prkey = BN_to_ASN1_INTEGER(pkey->pkey.dh->priv_key, NULL);
240 ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR);
244 dplen = i2d_ASN1_INTEGER(prkey, &dp);
246 ASN1_STRING_clear_free(prkey);
249 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
250 V_ASN1_SEQUENCE, params, dp, dplen))
257 ASN1_STRING_free(params);
258 ASN1_STRING_clear_free(prkey);
262 static int dh_param_decode(EVP_PKEY *pkey,
263 const unsigned char **pder, int derlen)
267 if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL)
270 EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh);
274 static int dh_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
276 return i2d_dhp(pkey, pkey->pkey.dh, pder);
279 static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype)
281 int reason = ERR_R_BUF_LIB;
282 const char *ktype = NULL;
283 BIGNUM *priv_key, *pub_key;
286 priv_key = x->priv_key;
291 pub_key = x->pub_key;
295 if (x->params.p == NULL || (ptype == 2 && priv_key == NULL)
296 || (ptype > 0 && pub_key == NULL)) {
297 reason = ERR_R_PASSED_NULL_PARAMETER;
302 ktype = "DH Private-Key";
304 ktype = "DH Public-Key";
306 ktype = "DH Parameters";
308 if (!BIO_indent(bp, indent, 128)
309 || BIO_printf(bp, "%s: (%d bit)\n", ktype, DH_bits(x)) <= 0)
313 if (!ASN1_bn_print(bp, "private-key:", priv_key, NULL, indent))
315 if (!ASN1_bn_print(bp, "public-key:", pub_key, NULL, indent))
318 if (!ossl_ffc_params_print(bp, &x->params, indent))
321 if (x->length != 0) {
322 if (!BIO_indent(bp, indent, 128)
323 || BIO_printf(bp, "recommended-private-length: %d bits\n",
324 (int)x->length) <= 0)
331 ERR_raise(ERR_LIB_DH, reason);
335 static int int_dh_size(const EVP_PKEY *pkey)
337 return DH_size(pkey->pkey.dh);
340 static int dh_bits(const EVP_PKEY *pkey)
342 return DH_bits(pkey->pkey.dh);
345 static int dh_security_bits(const EVP_PKEY *pkey)
347 return DH_security_bits(pkey->pkey.dh);
350 static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
352 return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params,
353 a->ameth != &dhx_asn1_meth);
356 static int int_dh_param_copy(DH *to, const DH *from, int is_x942)
359 is_x942 = (from->params.q != NULL);
360 if (!ossl_ffc_params_copy(&to->params, &from->params))
363 to->length = from->length;
368 DH *DHparams_dup(const DH *dh)
374 if (!int_dh_param_copy(ret, dh, -1)) {
381 static int dh_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
383 if (to->pkey.dh == NULL) {
384 to->pkey.dh = DH_new();
385 if (to->pkey.dh == NULL)
388 return int_dh_param_copy(to->pkey.dh, from->pkey.dh,
389 from->ameth == &dhx_asn1_meth);
392 static int dh_missing_parameters(const EVP_PKEY *a)
394 return a->pkey.dh == NULL
395 || a->pkey.dh->params.p == NULL
396 || a->pkey.dh->params.g == NULL;
399 static int dh_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
401 if (dh_cmp_parameters(a, b) == 0)
403 if (BN_cmp(b->pkey.dh->pub_key, a->pkey.dh->pub_key) != 0)
409 static int dh_param_print(BIO *bp, const EVP_PKEY *pkey, int indent,
412 return do_dh_print(bp, pkey->pkey.dh, indent, 0);
415 static int dh_public_print(BIO *bp, const EVP_PKEY *pkey, int indent,
418 return do_dh_print(bp, pkey->pkey.dh, indent, 1);
421 static int dh_private_print(BIO *bp, const EVP_PKEY *pkey, int indent,
424 return do_dh_print(bp, pkey->pkey.dh, indent, 2);
427 int DHparams_print(BIO *bp, const DH *x)
429 return do_dh_print(bp, x, 4, 0);
432 static int dh_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
435 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
436 /* We should only be here if we have a legacy key */
437 if (!ossl_assert(evp_pkey_is_legacy(pkey)))
439 return ossl_dh_buf2key(evp_pkey_get0_DH_int(pkey), arg2, arg1);
440 case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
441 return ossl_dh_key2buf(EVP_PKEY_get0_DH(pkey), arg2, 0, 1);
447 static int dhx_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
456 static int dh_pkey_public_check(const EVP_PKEY *pkey)
458 DH *dh = pkey->pkey.dh;
460 if (dh->pub_key == NULL) {
461 ERR_raise(ERR_LIB_DH, DH_R_MISSING_PUBKEY);
465 return DH_check_pub_key_ex(dh, dh->pub_key);
468 static int dh_pkey_param_check(const EVP_PKEY *pkey)
470 DH *dh = pkey->pkey.dh;
472 return DH_check_ex(dh);
475 static size_t dh_pkey_dirty_cnt(const EVP_PKEY *pkey)
477 return pkey->pkey.dh->dirty_cnt;
480 static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
481 EVP_KEYMGMT *to_keymgmt, OSSL_LIB_CTX *libctx,
484 DH *dh = from->pkey.dh;
485 OSSL_PARAM_BLD *tmpl;
486 const BIGNUM *p = DH_get0_p(dh), *g = DH_get0_g(dh), *q = DH_get0_q(dh);
487 long l = DH_get_length(dh);
488 const BIGNUM *pub_key = DH_get0_pub_key(dh);
489 const BIGNUM *priv_key = DH_get0_priv_key(dh);
490 OSSL_PARAM *params = NULL;
495 * If the DH method is foreign, then we can't be sure of anything, and
496 * can therefore not export or pretend to export.
498 if (ossl_dh_get_method(dh) != DH_OpenSSL())
501 if (p == NULL || g == NULL)
504 tmpl = OSSL_PARAM_BLD_new();
507 if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
508 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g))
511 if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q, q))
514 selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
516 if (!OSSL_PARAM_BLD_push_long(tmpl, OSSL_PKEY_PARAM_DH_PRIV_LEN, l))
518 selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
520 if (pub_key != NULL) {
521 if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key))
523 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
525 if (priv_key != NULL) {
526 if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PRIV_KEY,
529 selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
532 if ((params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL)
535 /* We export, the provider imports */
536 rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
538 OSSL_PARAM_BLD_free_params(params);
540 OSSL_PARAM_BLD_free(tmpl);
544 static int dh_pkey_import_from_type(const OSSL_PARAM params[], void *vpctx,
547 EVP_PKEY_CTX *pctx = vpctx;
548 EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pctx);
549 DH *dh = ossl_dh_new_ex(pctx->libctx);
552 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
555 DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
556 DH_set_flags(dh, type == EVP_PKEY_DH ? DH_FLAG_TYPE_DH : DH_FLAG_TYPE_DHX);
558 if (!ossl_dh_params_fromdata(dh, params)
559 || !ossl_dh_key_fromdata(dh, params)
560 || !EVP_PKEY_assign(pkey, type, dh)) {
567 static int dh_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
569 return dh_pkey_import_from_type(params, vpctx, EVP_PKEY_DH);
572 static int dhx_pkey_import_from(const OSSL_PARAM params[], void *vpctx)
574 return dh_pkey_import_from_type(params, vpctx, EVP_PKEY_DHX);
577 const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
583 "OpenSSL PKCS#3 DH method",
600 dh_missing_parameters,
612 dh_pkey_public_check,
622 const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = {
628 "OpenSSL X9.42 DH method",
645 dh_missing_parameters,
657 dh_pkey_public_check,
662 dhx_pkey_import_from,