1 /*
2  * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * DH & DSA low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include <openssl/asn1t.h>
19 #include <openssl/x509.h>
20 #include <openssl/evp.h>
21 #include "dh_local.h"
22 #include <openssl/bn.h>
23 #include <openssl/dsa.h>
24 #include <openssl/objects.h>
25 #include "crypto/evp.h"
26 
27 /* DH pkey context structure */
28 
29 typedef struct {
30     /* Parameter gen parameters */
31     int prime_len;
32     int generator;
33     int paramgen_type;
34     int subprime_len;
35     int pad;
36     /* message digest used for parameter generation */
37     const EVP_MD *md;
38     int param_nid;
39     /* Keygen callback info */
40     int gentmp[2];
41     /* KDF (if any) to use for DH */
42     char kdf_type;
43     /* OID to use for KDF */
44     ASN1_OBJECT *kdf_oid;
45     /* Message digest to use for key derivation */
46     const EVP_MD *kdf_md;
47     /* User key material */
48     unsigned char *kdf_ukm;
49     size_t kdf_ukmlen;
50     /* KDF output length */
51     size_t kdf_outlen;
52 } DH_PKEY_CTX;
53 
pkey_dh_init(EVP_PKEY_CTX * ctx)54 static int pkey_dh_init(EVP_PKEY_CTX *ctx)
55 {
56     DH_PKEY_CTX *dctx;
57 
58     if ((dctx = OPENSSL_zalloc(sizeof(*dctx))) == NULL) {
59         ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
60         return 0;
61     }
62     dctx->prime_len = 2048;
63     dctx->subprime_len = -1;
64     dctx->generator = 2;
65     dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
66 
67     ctx->data = dctx;
68     ctx->keygen_info = dctx->gentmp;
69     ctx->keygen_info_count = 2;
70 
71     return 1;
72 }
73 
pkey_dh_cleanup(EVP_PKEY_CTX * ctx)74 static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
75 {
76     DH_PKEY_CTX *dctx = ctx->data;
77 
78     if (dctx != NULL) {
79         OPENSSL_free(dctx->kdf_ukm);
80         ASN1_OBJECT_free(dctx->kdf_oid);
81         OPENSSL_free(dctx);
82     }
83 }
84 
85 
pkey_dh_copy(EVP_PKEY_CTX * dst,const EVP_PKEY_CTX * src)86 static int pkey_dh_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
87 {
88     DH_PKEY_CTX *dctx, *sctx;
89 
90     if (!pkey_dh_init(dst))
91         return 0;
92     sctx = src->data;
93     dctx = dst->data;
94     dctx->prime_len = sctx->prime_len;
95     dctx->subprime_len = sctx->subprime_len;
96     dctx->generator = sctx->generator;
97     dctx->paramgen_type = sctx->paramgen_type;
98     dctx->pad = sctx->pad;
99     dctx->md = sctx->md;
100     dctx->param_nid = sctx->param_nid;
101 
102     dctx->kdf_type = sctx->kdf_type;
103     dctx->kdf_oid = OBJ_dup(sctx->kdf_oid);
104     if (dctx->kdf_oid == NULL)
105         return 0;
106     dctx->kdf_md = sctx->kdf_md;
107     if (sctx->kdf_ukm != NULL) {
108         dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
109         if (dctx->kdf_ukm == NULL)
110           return 0;
111         dctx->kdf_ukmlen = sctx->kdf_ukmlen;
112     }
113     dctx->kdf_outlen = sctx->kdf_outlen;
114     return 1;
115 }
116 
pkey_dh_ctrl(EVP_PKEY_CTX * ctx,int type,int p1,void * p2)117 static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
118 {
119     DH_PKEY_CTX *dctx = ctx->data;
120     switch (type) {
121     case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN:
122         if (p1 < 256)
123             return -2;
124         dctx->prime_len = p1;
125         return 1;
126 
127     case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN:
128         if (dctx->paramgen_type == DH_PARAMGEN_TYPE_GENERATOR)
129             return -2;
130         dctx->subprime_len = p1;
131         return 1;
132 
133     case EVP_PKEY_CTRL_DH_PAD:
134         dctx->pad = p1;
135         return 1;
136 
137     case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR:
138         if (dctx->paramgen_type != DH_PARAMGEN_TYPE_GENERATOR)
139             return -2;
140         dctx->generator = p1;
141         return 1;
142 
143     case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE:
144 #ifdef OPENSSL_NO_DSA
145         if (p1 != DH_PARAMGEN_TYPE_GENERATOR)
146             return -2;
147 #else
148         if (p1 < 0 || p1 > 2)
149             return -2;
150 #endif
151         dctx->paramgen_type = p1;
152         return 1;
153 
154     case EVP_PKEY_CTRL_DH_RFC5114:
155         if (p1 < 1 || p1 > 3 || dctx->param_nid != NID_undef)
156             return -2;
157         dctx->param_nid = p1;
158         return 1;
159 
160     case EVP_PKEY_CTRL_DH_NID:
161         if (p1 <= 0 || dctx->param_nid != NID_undef)
162             return -2;
163         dctx->param_nid = p1;
164         return 1;
165 
166     case EVP_PKEY_CTRL_PEER_KEY:
167         /* Default behaviour is OK */
168         return 1;
169 
170     case EVP_PKEY_CTRL_DH_KDF_TYPE:
171         if (p1 == -2)
172             return dctx->kdf_type;
173         if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
174             return -2;
175         dctx->kdf_type = p1;
176         return 1;
177 
178     case EVP_PKEY_CTRL_DH_KDF_MD:
179         dctx->kdf_md = p2;
180         return 1;
181 
182     case EVP_PKEY_CTRL_GET_DH_KDF_MD:
183         *(const EVP_MD **)p2 = dctx->kdf_md;
184         return 1;
185 
186     case EVP_PKEY_CTRL_DH_KDF_OUTLEN:
187         if (p1 <= 0)
188             return -2;
189         dctx->kdf_outlen = (size_t)p1;
190         return 1;
191 
192     case EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN:
193         *(int *)p2 = dctx->kdf_outlen;
194         return 1;
195 
196     case EVP_PKEY_CTRL_DH_KDF_UKM:
197         OPENSSL_free(dctx->kdf_ukm);
198         dctx->kdf_ukm = p2;
199         if (p2)
200             dctx->kdf_ukmlen = p1;
201         else
202             dctx->kdf_ukmlen = 0;
203         return 1;
204 
205     case EVP_PKEY_CTRL_GET_DH_KDF_UKM:
206         *(unsigned char **)p2 = dctx->kdf_ukm;
207         return dctx->kdf_ukmlen;
208 
209     case EVP_PKEY_CTRL_DH_KDF_OID:
210         ASN1_OBJECT_free(dctx->kdf_oid);
211         dctx->kdf_oid = p2;
212         return 1;
213 
214     case EVP_PKEY_CTRL_GET_DH_KDF_OID:
215         *(ASN1_OBJECT **)p2 = dctx->kdf_oid;
216         return 1;
217 
218     default:
219         return -2;
220 
221     }
222 }
223 
pkey_dh_ctrl_str(EVP_PKEY_CTX * ctx,const char * type,const char * value)224 static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
225                             const char *type, const char *value)
226 {
227     if (strcmp(type, "dh_paramgen_prime_len") == 0) {
228         int len;
229         len = atoi(value);
230         return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
231     }
232     if (strcmp(type, "dh_rfc5114") == 0) {
233         DH_PKEY_CTX *dctx = ctx->data;
234         int id;
235 
236         id = atoi(value);
237         if (id < 0 || id > 3)
238             return -2;
239         dctx->param_nid = id;
240         return 1;
241     }
242     if (strcmp(type, "dh_param") == 0) {
243         DH_PKEY_CTX *dctx = ctx->data;
244         int nid = OBJ_sn2nid(value);
245 
246         if (nid == NID_undef) {
247             ERR_raise(ERR_LIB_DH, DH_R_INVALID_PARAMETER_NAME);
248             return -2;
249         }
250         dctx->param_nid = nid;
251         return 1;
252     }
253     if (strcmp(type, "dh_paramgen_generator") == 0) {
254         int len;
255         len = atoi(value);
256         return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len);
257     }
258     if (strcmp(type, "dh_paramgen_subprime_len") == 0) {
259         int len;
260         len = atoi(value);
261         return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len);
262     }
263     if (strcmp(type, "dh_paramgen_type") == 0) {
264         int typ;
265         typ = atoi(value);
266         return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ);
267     }
268     if (strcmp(type, "dh_pad") == 0) {
269         int pad;
270         pad = atoi(value);
271         return EVP_PKEY_CTX_set_dh_pad(ctx, pad);
272     }
273     return -2;
274 }
275 
ffc_params_generate(OSSL_LIB_CTX * libctx,DH_PKEY_CTX * dctx,BN_GENCB * pcb)276 static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
277                                BN_GENCB *pcb)
278 {
279     DH *ret;
280     int rv = 0;
281     int res;
282     int prime_len = dctx->prime_len;
283     int subprime_len = dctx->subprime_len;
284 
285     if (dctx->paramgen_type > DH_PARAMGEN_TYPE_FIPS_186_4)
286         return NULL;
287     ret = DH_new();
288     if (ret == NULL)
289         return NULL;
290 
291     if (subprime_len == -1) {
292         if (prime_len >= 2048)
293             subprime_len = 256;
294         else
295             subprime_len = 160;
296     }
297 
298     if (dctx->md != NULL)
299         ossl_ffc_set_digest(&ret->params, EVP_MD_get0_name(dctx->md), NULL);
300 
301 # ifndef FIPS_MODULE
302     if (dctx->paramgen_type == DH_PARAMGEN_TYPE_FIPS_186_2)
303         rv = ossl_ffc_params_FIPS186_2_generate(libctx, &ret->params,
304                                                 FFC_PARAM_TYPE_DH,
305                                                 prime_len, subprime_len, &res,
306                                                 pcb);
307     else
308 # endif
309     /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
310     if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
311         rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
312                                                 FFC_PARAM_TYPE_DH,
313                                                 prime_len, subprime_len, &res,
314                                                 pcb);
315     if (rv <= 0) {
316         DH_free(ret);
317         return NULL;
318     }
319     return ret;
320 }
321 
pkey_dh_paramgen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)322 static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx,
323                             EVP_PKEY *pkey)
324 {
325     DH *dh = NULL;
326     DH_PKEY_CTX *dctx = ctx->data;
327     BN_GENCB *pcb = NULL;
328     int ret;
329 
330     /*
331      * Look for a safe prime group for key establishment. Which uses
332      * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX).
333      * RFC_5114 is also handled here for param_nid = (1..3)
334      */
335     if (dctx->param_nid != NID_undef) {
336         int type = dctx->param_nid <= 3 ? EVP_PKEY_DHX : EVP_PKEY_DH;
337 
338         if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL)
339             return 0;
340         EVP_PKEY_assign(pkey, type, dh);
341         return 1;
342     }
343 
344     if (ctx->pkey_gencb != NULL) {
345         pcb = BN_GENCB_new();
346         if (pcb == NULL)
347             return 0;
348         evp_pkey_set_cb_translate(pcb, ctx);
349     }
350 # ifdef FIPS_MODULE
351     dctx->paramgen_type = DH_PARAMGEN_TYPE_FIPS_186_4;
352 # endif /* FIPS_MODULE */
353     if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) {
354         dh = ffc_params_generate(NULL, dctx, pcb);
355         BN_GENCB_free(pcb);
356         if (dh == NULL)
357             return 0;
358         EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
359         return 1;
360     }
361     dh = DH_new();
362     if (dh == NULL) {
363         BN_GENCB_free(pcb);
364         return 0;
365     }
366     ret = DH_generate_parameters_ex(dh,
367                                     dctx->prime_len, dctx->generator, pcb);
368     BN_GENCB_free(pcb);
369     if (ret)
370         EVP_PKEY_assign_DH(pkey, dh);
371     else
372         DH_free(dh);
373     return ret;
374 }
375 
pkey_dh_keygen(EVP_PKEY_CTX * ctx,EVP_PKEY * pkey)376 static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
377 {
378     DH_PKEY_CTX *dctx = ctx->data;
379     DH *dh = NULL;
380 
381     if (ctx->pkey == NULL && dctx->param_nid == NID_undef) {
382         ERR_raise(ERR_LIB_DH, DH_R_NO_PARAMETERS_SET);
383         return 0;
384     }
385     if (dctx->param_nid != NID_undef)
386         dh = DH_new_by_nid(dctx->param_nid);
387     else
388         dh = DH_new();
389     if (dh == NULL)
390         return 0;
391     EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh);
392     /* Note: if error return, pkey is freed by parent routine */
393     if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey))
394         return 0;
395     return DH_generate_key((DH *)EVP_PKEY_get0_DH(pkey));
396 }
397 
pkey_dh_derive(EVP_PKEY_CTX * ctx,unsigned char * key,size_t * keylen)398 static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
399                           size_t *keylen)
400 {
401     int ret;
402     DH *dh;
403     const DH *dhpub;
404     DH_PKEY_CTX *dctx = ctx->data;
405     BIGNUM *dhpubbn;
406 
407     if (ctx->pkey == NULL || ctx->peerkey == NULL) {
408         ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET);
409         return 0;
410     }
411     dh = (DH *)EVP_PKEY_get0_DH(ctx->pkey);
412     dhpub = EVP_PKEY_get0_DH(ctx->peerkey);
413     if (dhpub == NULL) {
414         ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET);
415         return 0;
416     }
417     dhpubbn = dhpub->pub_key;
418     if (dctx->kdf_type == EVP_PKEY_DH_KDF_NONE) {
419         if (key == NULL) {
420             *keylen = DH_size(dh);
421             return 1;
422         }
423         if (dctx->pad)
424             ret = DH_compute_key_padded(key, dhpubbn, dh);
425         else
426             ret = DH_compute_key(key, dhpubbn, dh);
427         if (ret < 0)
428             return ret;
429         *keylen = ret;
430         return 1;
431     }
432     else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
433 
434         unsigned char *Z = NULL;
435         int Zlen = 0;
436 
437         if (!dctx->kdf_outlen || !dctx->kdf_oid)
438             return 0;
439         if (key == NULL) {
440             *keylen = dctx->kdf_outlen;
441             return 1;
442         }
443         if (*keylen != dctx->kdf_outlen)
444             return 0;
445         ret = 0;
446         if ((Zlen = DH_size(dh)) <= 0)
447             return 0;
448         if ((Z = OPENSSL_malloc(Zlen)) == NULL) {
449             ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
450             return 0;
451         }
452         if (DH_compute_key_padded(Z, dhpubbn, dh) <= 0)
453             goto err;
454         if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,
455                           dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
456             goto err;
457         *keylen = dctx->kdf_outlen;
458         ret = 1;
459  err:
460         OPENSSL_clear_free(Z, Zlen);
461         return ret;
462     }
463     return 0;
464 }
465 
466 static const EVP_PKEY_METHOD dh_pkey_meth = {
467     EVP_PKEY_DH,
468     0,
469     pkey_dh_init,
470     pkey_dh_copy,
471     pkey_dh_cleanup,
472 
473     0,
474     pkey_dh_paramgen,
475 
476     0,
477     pkey_dh_keygen,
478 
479     0,
480     0,
481 
482     0,
483     0,
484 
485     0, 0,
486 
487     0, 0, 0, 0,
488 
489     0, 0,
490 
491     0, 0,
492 
493     0,
494     pkey_dh_derive,
495 
496     pkey_dh_ctrl,
497     pkey_dh_ctrl_str
498 };
499 
ossl_dh_pkey_method(void)500 const EVP_PKEY_METHOD *ossl_dh_pkey_method(void)
501 {
502     return &dh_pkey_meth;
503 }
504 
505 static const EVP_PKEY_METHOD dhx_pkey_meth = {
506     EVP_PKEY_DHX,
507     0,
508     pkey_dh_init,
509     pkey_dh_copy,
510     pkey_dh_cleanup,
511 
512     0,
513     pkey_dh_paramgen,
514 
515     0,
516     pkey_dh_keygen,
517 
518     0,
519     0,
520 
521     0,
522     0,
523 
524     0, 0,
525 
526     0, 0, 0, 0,
527 
528     0, 0,
529 
530     0, 0,
531 
532     0,
533     pkey_dh_derive,
534 
535     pkey_dh_ctrl,
536     pkey_dh_ctrl_str
537 };
538 
ossl_dhx_pkey_method(void)539 const EVP_PKEY_METHOD *ossl_dhx_pkey_method(void)
540 {
541     return &dhx_pkey_meth;
542 }
543