yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include <stdio.h> |
| 11 | #include "internal/cryptlib.h" |
| 12 | #include <openssl/asn1t.h> |
| 13 | #include <openssl/x509.h> |
| 14 | #include <openssl/evp.h> |
| 15 | #include "dh_local.h" |
| 16 | #include <openssl/bn.h> |
| 17 | #include <openssl/dsa.h> |
| 18 | #include <openssl/objects.h> |
| 19 | #include "crypto/evp.h" |
| 20 | |
| 21 | /* DH pkey context structure */ |
| 22 | |
| 23 | typedef struct { |
| 24 | /* Parameter gen parameters */ |
| 25 | int prime_len; |
| 26 | int generator; |
| 27 | int use_dsa; |
| 28 | int subprime_len; |
| 29 | int pad; |
| 30 | /* message digest used for parameter generation */ |
| 31 | const EVP_MD *md; |
| 32 | int rfc5114_param; |
| 33 | int param_nid; |
| 34 | /* Keygen callback info */ |
| 35 | int gentmp[2]; |
| 36 | /* KDF (if any) to use for DH */ |
| 37 | char kdf_type; |
| 38 | /* OID to use for KDF */ |
| 39 | ASN1_OBJECT *kdf_oid; |
| 40 | /* Message digest to use for key derivation */ |
| 41 | const EVP_MD *kdf_md; |
| 42 | /* User key material */ |
| 43 | unsigned char *kdf_ukm; |
| 44 | size_t kdf_ukmlen; |
| 45 | /* KDF output length */ |
| 46 | size_t kdf_outlen; |
| 47 | } DH_PKEY_CTX; |
| 48 | |
| 49 | static int pkey_dh_init(EVP_PKEY_CTX *ctx) |
| 50 | { |
| 51 | DH_PKEY_CTX *dctx; |
| 52 | |
| 53 | if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) { |
| 54 | DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE); |
| 55 | return 0; |
| 56 | } |
| 57 | dctx->prime_len = 2048; |
| 58 | dctx->subprime_len = -1; |
| 59 | dctx->generator = 2; |
| 60 | dctx->kdf_type = EVP_PKEY_DH_KDF_NONE; |
| 61 | |
| 62 | ctx->data = dctx; |
| 63 | ctx->keygen_info = dctx->gentmp; |
| 64 | ctx->keygen_info_count = 2; |
| 65 | |
| 66 | return 1; |
| 67 | } |
| 68 | |
| 69 | static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx) |
| 70 | { |
| 71 | DH_PKEY_CTX *dctx = ctx->data; |
| 72 | if (dctx != NULL) { |
| 73 | OPENSSL_free(dctx->kdf_ukm); |
| 74 | ASN1_OBJECT_free(dctx->kdf_oid); |
| 75 | OPENSSL_free(dctx); |
| 76 | } |
| 77 | } |
| 78 | |
| 79 | |
| 80 | static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) |
| 81 | { |
| 82 | DH_PKEY_CTX *dctx, *sctx; |
| 83 | if (!pkey_dh_init(dst)) |
| 84 | return 0; |
| 85 | sctx = src->data; |
| 86 | dctx = dst->data; |
| 87 | dctx->prime_len = sctx->prime_len; |
| 88 | dctx->subprime_len = sctx->subprime_len; |
| 89 | dctx->generator = sctx->generator; |
| 90 | dctx->use_dsa = sctx->use_dsa; |
| 91 | dctx->pad = sctx->pad; |
| 92 | dctx->md = sctx->md; |
| 93 | dctx->rfc5114_param = sctx->rfc5114_param; |
| 94 | dctx->param_nid = sctx->param_nid; |
| 95 | |
| 96 | dctx->kdf_type = sctx->kdf_type; |
| 97 | dctx->kdf_oid = OBJ_dup(sctx->kdf_oid); |
| 98 | if (dctx->kdf_oid == NULL) |
| 99 | return 0; |
| 100 | dctx->kdf_md = sctx->kdf_md; |
| 101 | if (sctx->kdf_ukm != NULL) { |
| 102 | dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen); |
| 103 | if (dctx->kdf_ukm == NULL) |
| 104 | return 0; |
| 105 | dctx->kdf_ukmlen = sctx->kdf_ukmlen; |
| 106 | } |
| 107 | dctx->kdf_outlen = sctx->kdf_outlen; |
| 108 | return 1; |
| 109 | } |
| 110 | |
| 111 | static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) |
| 112 | { |
| 113 | DH_PKEY_CTX *dctx = ctx->data; |
| 114 | switch (type) { |
| 115 | case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN: |
| 116 | if (p1 < 256) |
| 117 | return -2; |
| 118 | dctx->prime_len = p1; |
| 119 | return 1; |
| 120 | |
| 121 | case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN: |
| 122 | if (dctx->use_dsa == 0) |
| 123 | return -2; |
| 124 | dctx->subprime_len = p1; |
| 125 | return 1; |
| 126 | |
| 127 | case EVP_PKEY_CTRL_DH_PAD: |
| 128 | dctx->pad = p1; |
| 129 | return 1; |
| 130 | |
| 131 | case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR: |
| 132 | if (dctx->use_dsa) |
| 133 | return -2; |
| 134 | dctx->generator = p1; |
| 135 | return 1; |
| 136 | |
| 137 | case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE: |
| 138 | #ifdef OPENSSL_NO_DSA |
| 139 | if (p1 != 0) |
| 140 | return -2; |
| 141 | #else |
| 142 | if (p1 < 0 || p1 > 2) |
| 143 | return -2; |
| 144 | #endif |
| 145 | dctx->use_dsa = p1; |
| 146 | return 1; |
| 147 | |
| 148 | case EVP_PKEY_CTRL_DH_RFC5114: |
| 149 | if (p1 < 1 || p1 > 3 || dctx->param_nid != NID_undef) |
| 150 | return -2; |
| 151 | dctx->rfc5114_param = p1; |
| 152 | return 1; |
| 153 | |
| 154 | case EVP_PKEY_CTRL_DH_NID: |
| 155 | if (p1 <= 0 || dctx->rfc5114_param != 0) |
| 156 | return -2; |
| 157 | dctx->param_nid = p1; |
| 158 | return 1; |
| 159 | |
| 160 | case EVP_PKEY_CTRL_PEER_KEY: |
| 161 | /* Default behaviour is OK */ |
| 162 | return 1; |
| 163 | |
| 164 | case EVP_PKEY_CTRL_DH_KDF_TYPE: |
| 165 | if (p1 == -2) |
| 166 | return dctx->kdf_type; |
| 167 | #ifdef OPENSSL_NO_CMS |
| 168 | if (p1 != EVP_PKEY_DH_KDF_NONE) |
| 169 | #else |
| 170 | if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42) |
| 171 | #endif |
| 172 | return -2; |
| 173 | dctx->kdf_type = p1; |
| 174 | return 1; |
| 175 | |
| 176 | case EVP_PKEY_CTRL_DH_KDF_MD: |
| 177 | dctx->kdf_md = p2; |
| 178 | return 1; |
| 179 | |
| 180 | case EVP_PKEY_CTRL_GET_DH_KDF_MD: |
| 181 | *(const EVP_MD **)p2 = dctx->kdf_md; |
| 182 | return 1; |
| 183 | |
| 184 | case EVP_PKEY_CTRL_DH_KDF_OUTLEN: |
| 185 | if (p1 <= 0) |
| 186 | return -2; |
| 187 | dctx->kdf_outlen = (size_t)p1; |
| 188 | return 1; |
| 189 | |
| 190 | case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN: |
| 191 | *(int *)p2 = dctx->kdf_outlen; |
| 192 | return 1; |
| 193 | |
| 194 | case EVP_PKEY_CTRL_DH_KDF_UKM: |
| 195 | OPENSSL_free(dctx->kdf_ukm); |
| 196 | dctx->kdf_ukm = p2; |
| 197 | if (p2) |
| 198 | dctx->kdf_ukmlen = p1; |
| 199 | else |
| 200 | dctx->kdf_ukmlen = 0; |
| 201 | return 1; |
| 202 | |
| 203 | case EVP_PKEY_CTRL_GET_DH_KDF_UKM: |
| 204 | *(unsigned char **)p2 = dctx->kdf_ukm; |
| 205 | return dctx->kdf_ukmlen; |
| 206 | |
| 207 | case EVP_PKEY_CTRL_DH_KDF_OID: |
| 208 | ASN1_OBJECT_free(dctx->kdf_oid); |
| 209 | dctx->kdf_oid = p2; |
| 210 | return 1; |
| 211 | |
| 212 | case EVP_PKEY_CTRL_GET_DH_KDF_OID: |
| 213 | *(ASN1_OBJECT **)p2 = dctx->kdf_oid; |
| 214 | return 1; |
| 215 | |
| 216 | default: |
| 217 | return -2; |
| 218 | |
| 219 | } |
| 220 | } |
| 221 | |
| 222 | static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx, |
| 223 | const char *type, const char *value) |
| 224 | { |
| 225 | if (strcmp(type, "dh_paramgen_prime_len") == 0) { |
| 226 | int len; |
| 227 | len = atoi(value); |
| 228 | return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len); |
| 229 | } |
| 230 | if (strcmp(type, "dh_rfc5114") == 0) { |
| 231 | DH_PKEY_CTX *dctx = ctx->data; |
| 232 | int len; |
| 233 | len = atoi(value); |
| 234 | if (len < 0 || len > 3) |
| 235 | return -2; |
| 236 | dctx->rfc5114_param = len; |
| 237 | return 1; |
| 238 | } |
| 239 | if (strcmp(type, "dh_param") == 0) { |
| 240 | DH_PKEY_CTX *dctx = ctx->data; |
| 241 | int nid = OBJ_sn2nid(value); |
| 242 | |
| 243 | if (nid == NID_undef) { |
| 244 | DHerr(DH_F_PKEY_DH_CTRL_STR, DH_R_INVALID_PARAMETER_NAME); |
| 245 | return -2; |
| 246 | } |
| 247 | dctx->param_nid = nid; |
| 248 | return 1; |
| 249 | } |
| 250 | if (strcmp(type, "dh_paramgen_generator") == 0) { |
| 251 | int len; |
| 252 | len = atoi(value); |
| 253 | return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len); |
| 254 | } |
| 255 | if (strcmp(type, "dh_paramgen_subprime_len") == 0) { |
| 256 | int len; |
| 257 | len = atoi(value); |
| 258 | return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len); |
| 259 | } |
| 260 | if (strcmp(type, "dh_paramgen_type") == 0) { |
| 261 | int typ; |
| 262 | typ = atoi(value); |
| 263 | return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ); |
| 264 | } |
| 265 | if (strcmp(type, "dh_pad") == 0) { |
| 266 | int pad; |
| 267 | pad = atoi(value); |
| 268 | return EVP_PKEY_CTX_set_dh_pad(ctx, pad); |
| 269 | } |
| 270 | return -2; |
| 271 | } |
| 272 | |
| 273 | #ifndef OPENSSL_NO_DSA |
| 274 | |
| 275 | extern int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, |
| 276 | const EVP_MD *evpmd, |
| 277 | const unsigned char *seed_in, size_t seed_len, |
| 278 | unsigned char *seed_out, int *counter_ret, |
| 279 | unsigned long *h_ret, BN_GENCB *cb); |
| 280 | |
| 281 | extern int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, |
| 282 | const EVP_MD *evpmd, |
| 283 | const unsigned char *seed_in, |
| 284 | size_t seed_len, int idx, |
| 285 | unsigned char *seed_out, int *counter_ret, |
| 286 | unsigned long *h_ret, BN_GENCB *cb); |
| 287 | |
| 288 | static DSA *dsa_dh_generate(DH_PKEY_CTX *dctx, BN_GENCB *pcb) |
| 289 | { |
| 290 | DSA *ret; |
| 291 | int rv = 0; |
| 292 | int prime_len = dctx->prime_len; |
| 293 | int subprime_len = dctx->subprime_len; |
| 294 | const EVP_MD *md = dctx->md; |
| 295 | if (dctx->use_dsa > 2) |
| 296 | return NULL; |
| 297 | ret = DSA_new(); |
| 298 | if (ret == NULL) |
| 299 | return NULL; |
| 300 | if (subprime_len == -1) { |
| 301 | if (prime_len >= 2048) |
| 302 | subprime_len = 256; |
| 303 | else |
| 304 | subprime_len = 160; |
| 305 | } |
| 306 | if (md == NULL) { |
| 307 | if (prime_len >= 2048) |
| 308 | md = EVP_sha256(); |
| 309 | else |
| 310 | md = EVP_sha1(); |
| 311 | } |
| 312 | if (dctx->use_dsa == 1) |
| 313 | rv = dsa_builtin_paramgen(ret, prime_len, subprime_len, md, |
| 314 | NULL, 0, NULL, NULL, NULL, pcb); |
| 315 | else if (dctx->use_dsa == 2) |
| 316 | rv = dsa_builtin_paramgen2(ret, prime_len, subprime_len, md, |
| 317 | NULL, 0, -1, NULL, NULL, NULL, pcb); |
| 318 | if (rv <= 0) { |
| 319 | DSA_free(ret); |
| 320 | return NULL; |
| 321 | } |
| 322 | return ret; |
| 323 | } |
| 324 | |
| 325 | #endif |
| 326 | |
| 327 | static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
| 328 | { |
| 329 | DH *dh = NULL; |
| 330 | DH_PKEY_CTX *dctx = ctx->data; |
| 331 | BN_GENCB *pcb; |
| 332 | int ret; |
| 333 | if (dctx->rfc5114_param) { |
| 334 | switch (dctx->rfc5114_param) { |
| 335 | case 1: |
| 336 | dh = DH_get_1024_160(); |
| 337 | break; |
| 338 | |
| 339 | case 2: |
| 340 | dh = DH_get_2048_224(); |
| 341 | break; |
| 342 | |
| 343 | case 3: |
| 344 | dh = DH_get_2048_256(); |
| 345 | break; |
| 346 | |
| 347 | default: |
| 348 | return -2; |
| 349 | } |
| 350 | EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh); |
| 351 | return 1; |
| 352 | } |
| 353 | |
| 354 | if (dctx->param_nid != 0) { |
| 355 | if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL) |
| 356 | return 0; |
| 357 | EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh); |
| 358 | return 1; |
| 359 | } |
| 360 | |
| 361 | if (ctx->pkey_gencb) { |
| 362 | pcb = BN_GENCB_new(); |
| 363 | if (pcb == NULL) |
| 364 | return 0; |
| 365 | evp_pkey_set_cb_translate(pcb, ctx); |
| 366 | } else |
| 367 | pcb = NULL; |
| 368 | #ifndef OPENSSL_NO_DSA |
| 369 | if (dctx->use_dsa) { |
| 370 | DSA *dsa_dh; |
| 371 | dsa_dh = dsa_dh_generate(dctx, pcb); |
| 372 | BN_GENCB_free(pcb); |
| 373 | if (dsa_dh == NULL) |
| 374 | return 0; |
| 375 | dh = DSA_dup_DH(dsa_dh); |
| 376 | DSA_free(dsa_dh); |
| 377 | if (!dh) |
| 378 | return 0; |
| 379 | EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh); |
| 380 | return 1; |
| 381 | } |
| 382 | #endif |
| 383 | dh = DH_new(); |
| 384 | if (dh == NULL) { |
| 385 | BN_GENCB_free(pcb); |
| 386 | return 0; |
| 387 | } |
| 388 | ret = DH_generate_parameters_ex(dh, |
| 389 | dctx->prime_len, dctx->generator, pcb); |
| 390 | BN_GENCB_free(pcb); |
| 391 | if (ret) |
| 392 | EVP_PKEY_assign_DH(pkey, dh); |
| 393 | else |
| 394 | DH_free(dh); |
| 395 | return ret; |
| 396 | } |
| 397 | |
| 398 | static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) |
| 399 | { |
| 400 | DH_PKEY_CTX *dctx = ctx->data; |
| 401 | DH *dh = NULL; |
| 402 | |
| 403 | if (ctx->pkey == NULL && dctx->param_nid == 0) { |
| 404 | DHerr(DH_F_PKEY_DH_KEYGEN, DH_R_NO_PARAMETERS_SET); |
| 405 | return 0; |
| 406 | } |
| 407 | if (dctx->param_nid != 0) |
| 408 | dh = DH_new_by_nid(dctx->param_nid); |
| 409 | else |
| 410 | dh = DH_new(); |
| 411 | if (dh == NULL) |
| 412 | return 0; |
| 413 | EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh); |
| 414 | /* Note: if error return, pkey is freed by parent routine */ |
| 415 | if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) |
| 416 | return 0; |
| 417 | return DH_generate_key(pkey->pkey.dh); |
| 418 | } |
| 419 | |
| 420 | static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, |
| 421 | size_t *keylen) |
| 422 | { |
| 423 | int ret; |
| 424 | DH *dh; |
| 425 | DH_PKEY_CTX *dctx = ctx->data; |
| 426 | BIGNUM *dhpub; |
| 427 | if (!ctx->pkey || !ctx->peerkey) { |
| 428 | DHerr(DH_F_PKEY_DH_DERIVE, DH_R_KEYS_NOT_SET); |
| 429 | return 0; |
| 430 | } |
| 431 | dh = ctx->pkey->pkey.dh; |
| 432 | dhpub = ctx->peerkey->pkey.dh->pub_key; |
| 433 | if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) { |
| 434 | if (key == NULL) { |
| 435 | *keylen = DH_size(dh); |
| 436 | return 1; |
| 437 | } |
| 438 | if (dctx->pad) |
| 439 | ret = DH_compute_key_padded(key, dhpub, dh); |
| 440 | else |
| 441 | ret = DH_compute_key(key, dhpub, dh); |
| 442 | if (ret < 0) |
| 443 | return ret; |
| 444 | *keylen = ret; |
| 445 | return 1; |
| 446 | } |
| 447 | #ifndef OPENSSL_NO_CMS |
| 448 | else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) { |
| 449 | |
| 450 | unsigned char *Z = NULL; |
| 451 | size_t Zlen = 0; |
| 452 | if (!dctx->kdf_outlen || !dctx->kdf_oid) |
| 453 | return 0; |
| 454 | if (key == NULL) { |
| 455 | *keylen = dctx->kdf_outlen; |
| 456 | return 1; |
| 457 | } |
| 458 | if (*keylen != dctx->kdf_outlen) |
| 459 | return 0; |
| 460 | ret = 0; |
| 461 | Zlen = DH_size(dh); |
| 462 | Z = OPENSSL_malloc(Zlen); |
| 463 | if (Z == NULL) { |
| 464 | goto err; |
| 465 | } |
| 466 | if (DH_compute_key_padded(Z, dhpub, dh) <= 0) |
| 467 | goto err; |
| 468 | if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid, |
| 469 | dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) |
| 470 | goto err; |
| 471 | *keylen = dctx->kdf_outlen; |
| 472 | ret = 1; |
| 473 | err: |
| 474 | OPENSSL_clear_free(Z, Zlen); |
| 475 | return ret; |
| 476 | } |
| 477 | #endif |
| 478 | return 0; |
| 479 | } |
| 480 | |
| 481 | const EVP_PKEY_METHOD dh_pkey_meth = { |
| 482 | EVP_PKEY_DH, |
| 483 | 0, |
| 484 | pkey_dh_init, |
| 485 | pkey_dh_copy, |
| 486 | pkey_dh_cleanup, |
| 487 | |
| 488 | 0, |
| 489 | pkey_dh_paramgen, |
| 490 | |
| 491 | 0, |
| 492 | pkey_dh_keygen, |
| 493 | |
| 494 | 0, |
| 495 | 0, |
| 496 | |
| 497 | 0, |
| 498 | 0, |
| 499 | |
| 500 | 0, 0, |
| 501 | |
| 502 | 0, 0, 0, 0, |
| 503 | |
| 504 | 0, 0, |
| 505 | |
| 506 | 0, 0, |
| 507 | |
| 508 | 0, |
| 509 | pkey_dh_derive, |
| 510 | |
| 511 | pkey_dh_ctrl, |
| 512 | pkey_dh_ctrl_str |
| 513 | }; |
| 514 | |
| 515 | const EVP_PKEY_METHOD dhx_pkey_meth = { |
| 516 | EVP_PKEY_DHX, |
| 517 | 0, |
| 518 | pkey_dh_init, |
| 519 | pkey_dh_copy, |
| 520 | pkey_dh_cleanup, |
| 521 | |
| 522 | 0, |
| 523 | pkey_dh_paramgen, |
| 524 | |
| 525 | 0, |
| 526 | pkey_dh_keygen, |
| 527 | |
| 528 | 0, |
| 529 | 0, |
| 530 | |
| 531 | 0, |
| 532 | 0, |
| 533 | |
| 534 | 0, 0, |
| 535 | |
| 536 | 0, 0, 0, 0, |
| 537 | |
| 538 | 0, 0, |
| 539 | |
| 540 | 0, 0, |
| 541 | |
| 542 | 0, |
| 543 | pkey_dh_derive, |
| 544 | |
| 545 | pkey_dh_ctrl, |
| 546 | pkey_dh_ctrl_str |
| 547 | }; |