2 * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * DH & DSA low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
17 #include "internal/cryptlib.h"
18 #include <openssl/asn1t.h>
19 #include <openssl/x509.h>
20 #include <openssl/evp.h>
22 #include <openssl/bn.h>
23 #include <openssl/dsa.h>
24 #include <openssl/objects.h>
25 #include "crypto/evp.h"
27 /* DH pkey context structure */
30 /* Parameter gen parameters */
36 /* message digest used for parameter generation */
40 /* Keygen callback info */
42 /* KDF (if any) to use for DH */
44 /* OID to use for KDF */
46 /* Message digest to use for key derivation */
48 /* User key material */
49 unsigned char *kdf_ukm;
51 /* KDF output length */
55 static int pkey_dh_init(EVP_PKEY_CTX *ctx)
59 if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
60 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
63 dctx->prime_len = 2048;
64 dctx->subprime_len = -1;
66 dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
69 ctx->keygen_info = dctx->gentmp;
70 ctx->keygen_info_count = 2;
75 static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
77 DH_PKEY_CTX *dctx = ctx->data;
80 OPENSSL_free(dctx->kdf_ukm);
81 ASN1_OBJECT_free(dctx->kdf_oid);
87 static int pkey_dh_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
89 DH_PKEY_CTX *dctx, *sctx;
91 if (!pkey_dh_init(dst))
95 dctx->prime_len = sctx->prime_len;
96 dctx->subprime_len = sctx->subprime_len;
97 dctx->generator = sctx->generator;
98 dctx->paramgen_type = sctx->paramgen_type;
99 dctx->pad = sctx->pad;
101 dctx->rfc5114_param = sctx->rfc5114_param;
102 dctx->param_nid = sctx->param_nid;
104 dctx->kdf_type = sctx->kdf_type;
105 dctx->kdf_oid = OBJ_dup(sctx->kdf_oid);
106 if (dctx->kdf_oid == NULL)
108 dctx->kdf_md = sctx->kdf_md;
109 if (sctx->kdf_ukm != NULL) {
110 dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
111 if (dctx->kdf_ukm == NULL)
113 dctx->kdf_ukmlen = sctx->kdf_ukmlen;
115 dctx->kdf_outlen = sctx->kdf_outlen;
119 static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
121 DH_PKEY_CTX *dctx = ctx->data;
123 case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN:
126 dctx->prime_len = p1;
129 case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN:
130 if (dctx->paramgen_type == DH_PARAMGEN_TYPE_GENERATOR)
132 dctx->subprime_len = p1;
135 case EVP_PKEY_CTRL_DH_PAD:
139 case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR:
140 if (dctx->paramgen_type != DH_PARAMGEN_TYPE_GENERATOR)
142 dctx->generator = p1;
145 case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE:
146 #ifdef OPENSSL_NO_DSA
147 if (p1 != DH_PARAMGEN_TYPE_GENERATOR)
150 if (p1 < 0 || p1 > 2)
153 dctx->paramgen_type = p1;
156 case EVP_PKEY_CTRL_DH_RFC5114:
157 if (p1 < 1 || p1 > 3 || dctx->param_nid != NID_undef)
159 dctx->rfc5114_param = p1;
162 case EVP_PKEY_CTRL_DH_NID:
163 if (p1 <= 0 || dctx->rfc5114_param != 0)
165 dctx->param_nid = p1;
168 case EVP_PKEY_CTRL_PEER_KEY:
169 /* Default behaviour is OK */
172 case EVP_PKEY_CTRL_DH_KDF_TYPE:
174 return dctx->kdf_type;
175 if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
180 case EVP_PKEY_CTRL_DH_KDF_MD:
184 case EVP_PKEY_CTRL_GET_DH_KDF_MD:
185 *(const EVP_MD **)p2 = dctx->kdf_md;
188 case EVP_PKEY_CTRL_DH_KDF_OUTLEN:
191 dctx->kdf_outlen = (size_t)p1;
194 case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN:
195 *(int *)p2 = dctx->kdf_outlen;
198 case EVP_PKEY_CTRL_DH_KDF_UKM:
199 OPENSSL_free(dctx->kdf_ukm);
202 dctx->kdf_ukmlen = p1;
204 dctx->kdf_ukmlen = 0;
207 case EVP_PKEY_CTRL_GET_DH_KDF_UKM:
208 *(unsigned char **)p2 = dctx->kdf_ukm;
209 return dctx->kdf_ukmlen;
211 case EVP_PKEY_CTRL_DH_KDF_OID:
212 ASN1_OBJECT_free(dctx->kdf_oid);
216 case EVP_PKEY_CTRL_GET_DH_KDF_OID:
217 *(ASN1_OBJECT **)p2 = dctx->kdf_oid;
226 static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
227 const char *type, const char *value)
229 if (strcmp(type, "dh_paramgen_prime_len") == 0) {
232 return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
234 if (strcmp(type, "dh_rfc5114") == 0) {
235 DH_PKEY_CTX *dctx = ctx->data;
238 if (len < 0 || len > 3)
240 dctx->rfc5114_param = len;
243 if (strcmp(type, "dh_param") == 0) {
244 DH_PKEY_CTX *dctx = ctx->data;
245 int nid = OBJ_sn2nid(value);
247 if (nid == NID_undef) {
248 ERR_raise(ERR_LIB_DH, DH_R_INVALID_PARAMETER_NAME);
251 dctx->param_nid = nid;
254 if (strcmp(type, "dh_paramgen_generator") == 0) {
257 return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len);
259 if (strcmp(type, "dh_paramgen_subprime_len") == 0) {
262 return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len);
264 if (strcmp(type, "dh_paramgen_type") == 0) {
267 return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ);
269 if (strcmp(type, "dh_pad") == 0) {
272 return EVP_PKEY_CTX_set_dh_pad(ctx, pad);
277 static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
283 int prime_len = dctx->prime_len;
284 int subprime_len = dctx->subprime_len;
286 if (dctx->paramgen_type > DH_PARAMGEN_TYPE_FIPS_186_4)
292 if (subprime_len == -1) {
293 if (prime_len >= 2048)
299 if (dctx->md != NULL)
300 ossl_ffc_set_digest(&ret->params, EVP_MD_name(dctx->md), NULL);
303 if (dctx->paramgen_type == DH_PARAMGEN_TYPE_FIPS_186_2)
304 rv = ossl_ffc_params_FIPS186_2_generate(libctx, &ret->params,
306 prime_len, subprime_len, &res,
310 /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
311 if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
312 rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
314 prime_len, subprime_len, &res,
323 static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx,
327 DH_PKEY_CTX *dctx = ctx->data;
328 BN_GENCB *pcb = NULL;
332 * Look for a safe prime group for key establishment. Which uses
333 * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
335 if (dctx->param_nid != NID_undef) {
336 if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL)
338 EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh);
343 if (dctx->rfc5114_param) {
344 switch (dctx->rfc5114_param) {
346 dh = DH_get_1024_160();
350 dh = DH_get_2048_224();
354 dh = DH_get_2048_256();
360 EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
363 #endif /* FIPS_MODULE */
365 if (ctx->pkey_gencb != NULL) {
366 pcb = BN_GENCB_new();
369 evp_pkey_set_cb_translate(pcb, ctx);
372 dctx->paramgen_type = DH_PARAMGEN_TYPE_FIPS_186_4;
373 # endif /* FIPS_MODULE */
374 if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) {
375 dh = ffc_params_generate(NULL, dctx, pcb);
379 EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
387 ret = DH_generate_parameters_ex(dh,
388 dctx->prime_len, dctx->generator, pcb);
391 EVP_PKEY_assign_DH(pkey, dh);
397 static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
399 DH_PKEY_CTX *dctx = ctx->data;
402 if (ctx->pkey == NULL && dctx->param_nid == NID_undef) {
403 ERR_raise(ERR_LIB_DH, DH_R_NO_PARAMETERS_SET);
406 if (dctx->param_nid != NID_undef)
407 dh = DH_new_by_nid(dctx->param_nid);
412 EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh);
413 /* Note: if error return, pkey is freed by parent routine */
414 if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey))
416 return DH_generate_key(pkey->pkey.dh);
419 static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
425 DH_PKEY_CTX *dctx = ctx->data;
428 if (ctx->pkey == NULL || ctx->peerkey == NULL) {
429 ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET);
432 dh = ctx->pkey->pkey.dh;
433 dhpub = EVP_PKEY_get0_DH(ctx->peerkey);
435 ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET);
438 dhpubbn = dhpub->pub_key;
439 if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
441 *keylen = DH_size(dh);
445 ret = DH_compute_key_padded(key, dhpubbn, dh);
447 ret = DH_compute_key(key, dhpubbn, dh);
453 else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
455 unsigned char *Z = NULL;
457 if (!dctx->kdf_outlen || !dctx->kdf_oid)
460 *keylen = dctx->kdf_outlen;
463 if (*keylen != dctx->kdf_outlen)
467 Z = OPENSSL_malloc(Zlen);
471 if (DH_compute_key_padded(Z, dhpubbn, dh) <= 0)
473 if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,
474 dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
476 *keylen = dctx->kdf_outlen;
479 OPENSSL_clear_free(Z, Zlen);
485 static const EVP_PKEY_METHOD dh_pkey_meth = {
519 const EVP_PKEY_METHOD *ossl_dh_pkey_method(void)
521 return &dh_pkey_meth;
524 static const EVP_PKEY_METHOD dhx_pkey_meth = {
558 const EVP_PKEY_METHOD *ossl_dhx_pkey_method(void)
560 return &dhx_pkey_meth;