Allow DH_set0_key with only private key.

The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as as BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.

The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman

They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key.  (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH
object.

(cherry picked from commit d58ad9a2a287d1c0bc99ba63c997eed88cc161b5)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4425)

diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 344eab275d74901b0e694d0fe5a81a820f78f6ba..716f4a4b0a571b85ba974f2850732f0cfc64d3c1 100644 (file)
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -230,13 +230,6 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
 
 int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
 {
-    /* If the field pub_key in dh is NULL, the corresponding input
-     * parameters MUST be non-NULL.  The priv_key field may
-     * be left NULL.
-     */
-    if (dh->pub_key == NULL && pub_key == NULL)
-        return 0;
-
     if (pub_key != NULL) {
         BN_free(dh->pub_key);
         dh->pub_key = pub_key;

diff --git a/doc/crypto/DH_get0_pqg.pod b/doc/crypto/DH_get0_pqg.pod
index 79647bf890b6399a197a41d3eafe0a956680967c..530f0b28a19c92cc84529e62429482a432dfdfce 100644 (file)
--- a/doc/crypto/DH_get0_pqg.pod
+++ b/doc/crypto/DH_get0_pqg.pod
@@ -48,13 +48,11 @@ been set yet, although if the private key has been set then the public key must
 be. The values point to the internal representation of the public key and
 private key values. This memory should not be freed directly.
 
-The public and private key values can be set using DH_set0_key(). The public
-key must be non-NULL the first time this function is called on a given DH
-object. The private key may be NULL.  On subsequent calls, either may be NULL,
-which means the corresponding DH field is left untouched. As for DH_set0_pqg()
-this function transfers the memory management of the key values to the DH
-object, and therefore they should not be freed directly after this function has
-been called.
+The public and private key values can be set using DH_set0_key(). Either
+parameter may be NULL, which means the corresponding DH field is left
+untouched. As with DH_set0_pqg() this function transfers the memory management
+of the key values to the DH object, and therefore they should not be freed
+directly after this function has been called.
 
 DH_set_flags() sets the flags in the B<flags> parameter on the DH object.
 Multiple flags can be passed in one go (bitwise ORed together). Any flags that

diff --git a/test/dhtest.c b/test/dhtest.c
index 2847c5c03827436f63df847f483a4b9b14d57ef7..8181fac36842540bf03a5ae2d6beadd8e1d868b9 100644 (file)
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -40,13 +40,15 @@ int main(int argc, char *argv[])
     BN_GENCB *_cb = NULL;
     DH *a = NULL;
     DH *b = NULL;
+    DH *c = NULL;
     const BIGNUM *ap = NULL, *ag = NULL, *apub_key = NULL, *priv_key = NULL;
     const BIGNUM *bpub_key = NULL;
-    BIGNUM *bp = NULL, *bg = NULL;
+    BIGNUM *bp = NULL, *bg = NULL, *cpriv_key = NULL;
     char buf[12] = {0};
     unsigned char *abuf = NULL;
     unsigned char *bbuf = NULL;
-    int i, alen, blen, aout, bout;
+    unsigned char *cbuf = NULL;
+    int i, alen, blen, clen, aout, bout, cout;
     int ret = 1;
     BIO *out = NULL;
 
@@ -114,6 +116,13 @@ int main(int argc, char *argv[])
     BN_print(out, bpub_key);
     BIO_puts(out, "\n");
 
+    /* Also test with a private-key-only copy of |b|. */
+    if ((c = DHparams_dup(b)) == NULL
+            || (cpriv_key = BN_dup(priv_key)) == NULL
+            || !DH_set0_key(c, NULL, cpriv_key))
+        goto err;
+    cpriv_key = NULL;
+
     alen = DH_size(a);
     abuf = OPENSSL_malloc(alen);
     if (abuf == NULL)
@@ -141,7 +150,23 @@ int main(int argc, char *argv[])
         BIO_puts(out, buf);
     }
     BIO_puts(out, "\n");
-    if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
+
+    clen = DH_size(c);
+    cbuf = OPENSSL_malloc(clen);
+    if (cbuf == NULL)
+        goto err;
+
+    cout = DH_compute_key(cbuf, apub_key, c);
+
+    BIO_puts(out, "key3 =");
+    for (i = 0; i < cout; i++) {
+        sprintf(buf, "%02X", cbuf[i]);
+        BIO_puts(out, buf);
+    }
+    BIO_puts(out, "\n");
+
+    if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)
+        || (cout != aout) || (memcmp(abuf, cbuf, aout) != 0)) {
         fprintf(stderr, "Error in DH routines\n");
         ret = 1;
     } else
@@ -154,10 +179,13 @@ int main(int argc, char *argv[])
 
     OPENSSL_free(abuf);
     OPENSSL_free(bbuf);
+    OPENSSL_free(cbuf);
     DH_free(b);
     DH_free(a);
+    DH_free(c);
     BN_free(bp);
     BN_free(bg);
+    BN_free(cpriv_key);
     BN_GENCB_free(_cb);
     BIO_free(out);