X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fdh%2Fdh_pmeth.c;h=0d0b6a842f3b3f71fbdab2d38980bc7af3b9186c;hp=a760ff5390fc78f4d34a6475e581a55d52782097;hb=33388b44b67145af2181b1e9528c381c8ea0d1b6;hpb=7644a9aef8932ed4d1c3f25ed776c997702982be diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index a760ff5390..0d0b6a842f 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -1,73 +1,28 @@ /* - * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project - * 2006. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ +/* + * DH & DSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include "internal/cryptlib.h" #include #include #include -#include +#include "dh_local.h" #include -#ifndef OPENSSL_NO_DSA -# include -#endif +#include #include -#include "internal/evp_int.h" +#include "crypto/evp.h" /* DH pkey context structure */ @@ -75,11 +30,13 @@ typedef struct { /* Parameter gen parameters */ int prime_len; int generator; - int use_dsa; + int paramgen_type; int subprime_len; + int pad; /* message digest used for parameter generation */ const EVP_MD *md; int rfc5114_param; + int param_nid; /* Keygen callback info */ int gentmp[2]; /* KDF (if any) to use for DH */ @@ -99,10 +56,11 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx) { DH_PKEY_CTX *dctx; - dctx = OPENSSL_zalloc(sizeof(*dctx)); - if (dctx == NULL) + if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) { + DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE); return 0; - dctx->prime_len = 1024; + } + dctx->prime_len = 2048; dctx->subprime_len = -1; dctx->generator = 2; dctx->kdf_type = EVP_PKEY_DH_KDF_NONE; @@ -114,9 +72,22 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx) return 1; } -static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) +static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx) +{ + DH_PKEY_CTX *dctx = ctx->data; + + if (dctx != NULL) { + OPENSSL_free(dctx->kdf_ukm); + ASN1_OBJECT_free(dctx->kdf_oid); + OPENSSL_free(dctx); + } +} + + +static int pkey_dh_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) { DH_PKEY_CTX *dctx, *sctx; + if (!pkey_dh_init(dst)) return 0; sctx = src->data; @@ -124,33 +95,27 @@ static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) dctx->prime_len = sctx->prime_len; dctx->subprime_len = sctx->subprime_len; dctx->generator = sctx->generator; - dctx->use_dsa = sctx->use_dsa; + dctx->paramgen_type = sctx->paramgen_type; + dctx->pad = sctx->pad; dctx->md = sctx->md; dctx->rfc5114_param = sctx->rfc5114_param; + dctx->param_nid = sctx->param_nid; dctx->kdf_type = sctx->kdf_type; dctx->kdf_oid = OBJ_dup(sctx->kdf_oid); - if (!dctx->kdf_oid) + if (dctx->kdf_oid == NULL) return 0; dctx->kdf_md = sctx->kdf_md; - if (dctx->kdf_ukm) { + if (sctx->kdf_ukm != NULL) { dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen); + if (dctx->kdf_ukm == NULL) + return 0; dctx->kdf_ukmlen = sctx->kdf_ukmlen; } dctx->kdf_outlen = sctx->kdf_outlen; return 1; } -static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx) -{ - DH_PKEY_CTX *dctx = ctx->data; - if (dctx) { - OPENSSL_free(dctx->kdf_ukm); - ASN1_OBJECT_free(dctx->kdf_oid); - OPENSSL_free(dctx); - } -} - static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { DH_PKEY_CTX *dctx = ctx->data; @@ -162,34 +127,44 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) return 1; case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN: - if (dctx->use_dsa == 0) + if (dctx->paramgen_type == DH_PARAMGEN_TYPE_GENERATOR) return -2; dctx->subprime_len = p1; return 1; + case EVP_PKEY_CTRL_DH_PAD: + dctx->pad = p1; + return 1; + case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR: - if (dctx->use_dsa) + if (dctx->paramgen_type != DH_PARAMGEN_TYPE_GENERATOR) return -2; dctx->generator = p1; return 1; case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE: #ifdef OPENSSL_NO_DSA - if (p1 != 0) + if (p1 != DH_PARAMGEN_TYPE_GENERATOR) return -2; #else if (p1 < 0 || p1 > 2) return -2; #endif - dctx->use_dsa = p1; + dctx->paramgen_type = p1; return 1; case EVP_PKEY_CTRL_DH_RFC5114: - if (p1 < 1 || p1 > 3) + if (p1 < 1 || p1 > 3 || dctx->param_nid != NID_undef) return -2; dctx->rfc5114_param = p1; return 1; + case EVP_PKEY_CTRL_DH_NID: + if (p1 <= 0 || dctx->rfc5114_param != 0) + return -2; + dctx->param_nid = p1; + return 1; + case EVP_PKEY_CTRL_PEER_KEY: /* Default behaviour is OK */ return 1; @@ -269,6 +244,17 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, dctx->rfc5114_param = len; return 1; } + if (strcmp(type, "dh_param") == 0) { + DH_PKEY_CTX *dctx = ctx->data; + int nid = OBJ_sn2nid(value); + + if (nid == NID_undef) { + DHerr(DH_F_PKEY_DH_CTRL_STR, DH_R_INVALID_PARAMETER_NAME); + return -2; + } + dctx->param_nid = nid; + return 1; + } if (strcmp(type, "dh_paramgen_generator") == 0) { int len; len = atoi(value); @@ -284,36 +270,30 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, typ = atoi(value); return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ); } + if (strcmp(type, "dh_pad") == 0) { + int pad; + pad = atoi(value); + return EVP_PKEY_CTX_set_dh_pad(ctx, pad); + } return -2; } -#ifndef OPENSSL_NO_DSA - -extern int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - const EVP_MD *evpmd, - const unsigned char *seed_in, size_t seed_len, - unsigned char *seed_out, int *counter_ret, - unsigned long *h_ret, BN_GENCB *cb); - -extern int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, - const EVP_MD *evpmd, - const unsigned char *seed_in, - size_t seed_len, int idx, - unsigned char *seed_out, int *counter_ret, - unsigned long *h_ret, BN_GENCB *cb); - -static DSA *dsa_dh_generate(DH_PKEY_CTX *dctx, BN_GENCB *pcb) +static DH *ffc_params_generate(OPENSSL_CTX *libctx, DH_PKEY_CTX *dctx, + BN_GENCB *pcb) { - DSA *ret; + DH *ret; int rv = 0; + int res; int prime_len = dctx->prime_len; int subprime_len = dctx->subprime_len; const EVP_MD *md = dctx->md; - if (dctx->use_dsa > 2) + + if (dctx->paramgen_type > DH_PARAMGEN_TYPE_FIPS_186_4) return NULL; - ret = DSA_new(); + ret = DH_new(); if (ret == NULL) return NULL; + if (subprime_len == -1) { if (prime_len >= 2048) subprime_len = 256; @@ -326,27 +306,47 @@ static DSA *dsa_dh_generate(DH_PKEY_CTX *dctx, BN_GENCB *pcb) else md = EVP_sha1(); } - if (dctx->use_dsa == 1) - rv = dsa_builtin_paramgen(ret, prime_len, subprime_len, md, - NULL, 0, NULL, NULL, NULL, pcb); - else if (dctx->use_dsa == 2) - rv = dsa_builtin_paramgen2(ret, prime_len, subprime_len, md, - NULL, 0, -1, NULL, NULL, NULL, pcb); +# ifndef FIPS_MODE + if (dctx->paramgen_type == DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ffc_params_FIPS186_2_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, md, &res, + pcb); + else +# endif + /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */ + if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ffc_params_FIPS186_4_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, md, &res, + pcb); if (rv <= 0) { - DSA_free(ret); + DH_free(ret); return NULL; } return ret; } -#endif - -static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) +static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, + EVP_PKEY *pkey) { DH *dh = NULL; DH_PKEY_CTX *dctx = ctx->data; - BN_GENCB *pcb; + BN_GENCB *pcb = NULL; int ret; + + /* + * Look for a safe prime group for key establishment. Which uses + * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX). + */ + if (dctx->param_nid != NID_undef) { + if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL) + return 0; + EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh); + return 1; + } + +#ifndef FIPS_MODE if (dctx->rfc5114_param) { switch (dctx->rfc5114_param) { case 1: @@ -367,29 +367,25 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh); return 1; } +#endif /* FIPS_MODE */ - if (ctx->pkey_gencb) { + if (ctx->pkey_gencb != NULL) { pcb = BN_GENCB_new(); if (pcb == NULL) return 0; evp_pkey_set_cb_translate(pcb, ctx); - } else - pcb = NULL; -#ifndef OPENSSL_NO_DSA - if (dctx->use_dsa) { - DSA *dsa_dh; - dsa_dh = dsa_dh_generate(dctx, pcb); + } +# ifdef FIPS_MODE + dctx->paramgen_type = DH_PARAMGEN_TYPE_FIPS_186_4; +# endif /* FIPS_MODE */ + if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) { + dh = ffc_params_generate(NULL, dctx, pcb); BN_GENCB_free(pcb); - if (dsa_dh == NULL) - return 0; - dh = DSA_dup_DH(dsa_dh); - DSA_free(dsa_dh); - if (!dh) + if (dh == NULL) return 0; EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh); return 1; } -#endif dh = DH_new(); if (dh == NULL) { BN_GENCB_free(pcb); @@ -407,17 +403,22 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { + DH_PKEY_CTX *dctx = ctx->data; DH *dh = NULL; - if (ctx->pkey == NULL) { + + if (ctx->pkey == NULL && dctx->param_nid == NID_undef) { DHerr(DH_F_PKEY_DH_KEYGEN, DH_R_NO_PARAMETERS_SET); return 0; } - dh = DH_new(); + if (dctx->param_nid != NID_undef) + dh = DH_new_by_nid(dctx->param_nid); + else + dh = DH_new(); if (dh == NULL) return 0; EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh); /* Note: if error return, pkey is freed by parent routine */ - if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey)) + if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) return 0; return DH_generate_key(pkey->pkey.dh); } @@ -440,7 +441,10 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, *keylen = DH_size(dh); return 1; } - ret = DH_compute_key(key, dhpub, dh); + if (dctx->pad) + ret = DH_compute_key_padded(key, dhpub, dh); + else + ret = DH_compute_key(key, dhpub, dh); if (ret < 0) return ret; *keylen = ret; @@ -480,7 +484,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, return 0; } -const EVP_PKEY_METHOD dh_pkey_meth = { +static const EVP_PKEY_METHOD dh_pkey_meth = { EVP_PKEY_DH, 0, pkey_dh_init, @@ -514,7 +518,12 @@ const EVP_PKEY_METHOD dh_pkey_meth = { pkey_dh_ctrl_str }; -const EVP_PKEY_METHOD dhx_pkey_meth = { +const EVP_PKEY_METHOD *dh_pkey_method(void) +{ + return &dh_pkey_meth; +} + +static const EVP_PKEY_METHOD dhx_pkey_meth = { EVP_PKEY_DHX, 0, pkey_dh_init, @@ -547,3 +556,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = { pkey_dh_ctrl, pkey_dh_ctrl_str }; + +const EVP_PKEY_METHOD *dhx_pkey_method(void) +{ + return &dhx_pkey_meth; +}