From 7165593ce5a07a6860d4d408ad640ee707172936 Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Thu, 16 Apr 2020 01:14:00 +1000 Subject: [PATCH] Add DH keygen to providers Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11332) --- crypto/dh/build.info | 4 +- crypto/dh/dh_backend.c | 6 +- crypto/dh/dh_gen.c | 76 ++-- crypto/dh/dh_group_params.c | 185 ++++++--- crypto/dh/dh_lib.c | 217 +++++++++- crypto/evp/pmeth_lib.c | 29 +- crypto/ffc/ffc_backend.c | 13 +- crypto/ffc/ffc_params.c | 3 +- doc/man3/EVP_PKEY_CTX_ctrl.pod | 31 +- include/crypto/bn_dh.h | 3 +- include/crypto/dh.h | 10 +- include/internal/ffc.h | 7 +- include/openssl/core_names.h | 10 + include/openssl/dh.h | 47 +-- providers/implementations/keymgmt/dh_kmgmt.c | 390 ++++++++++++++++-- .../serializers/serializer_dh.c | 30 +- .../serializers/serializer_ffc_params.c | 2 +- test/evp_pkey_provided_test.c | 285 +++++++++++-- test/recipes/15-test_gendh.t | 83 ++++ .../30-test_evp_pkey_provided/DH.priv.der | Bin 38 -> 327 bytes .../30-test_evp_pkey_provided/DH.priv.pem | 8 +- .../30-test_evp_pkey_provided/DH.priv.txt | 29 +- .../30-test_evp_pkey_provided/DH.pub.der | Bin 36 -> 557 bytes .../30-test_evp_pkey_provided/DH.pub.pem | 13 +- .../30-test_evp_pkey_provided/DH.pub.txt | 25 +- util/libcrypto.num | 9 + 26 files changed, 1268 insertions(+), 247 deletions(-) create mode 100644 test/recipes/15-test_gendh.t diff --git a/crypto/dh/build.info b/crypto/dh/build.info index ce0918e7d3..f4498f4d2b 100644 --- a/crypto/dh/build.info +++ b/crypto/dh/build.info @@ -1,9 +1,9 @@ LIBS=../../libcrypto -$COMMON=dh_lib.c dh_key.c dh_group_params.c dh_check.c dh_backend.c +$COMMON=dh_lib.c dh_key.c dh_group_params.c dh_check.c dh_backend.c dh_gen.c SOURCE[../../libcrypto]=$COMMON\ - dh_asn1.c dh_gen.c dh_err.c dh_depr.c \ + dh_asn1.c dh_err.c dh_depr.c \ dh_ameth.c dh_pmeth.c dh_prn.c dh_rfc5114.c dh_kdf.c dh_meth.c SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index bbeb096d55..704f6efac1 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -24,10 +24,8 @@ int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) if (dh == NULL) return 0; - param_priv_key = - OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); - param_pub_key = - OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); + param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); /* * DH documentation says that a public key must be present if a diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index f8cda1b7e9..39bb365216 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -26,6 +26,7 @@ #include #include "internal/cryptlib.h" #include +#include #include "crypto/dh.h" #include "dh_local.h" @@ -34,47 +35,45 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); #endif /* FIPS_MODE */ -/* - * TODO(3.0): keygen should be able to use this method to do a FIPS186-4 style - * paramgen. - */ -int dh_generate_ffc_parameters(DH *dh, int bits, - int qbits, int gindex, BN_GENCB *cb) +int dh_generate_ffc_parameters(DH *dh, int type, int pbits, + int qbits, EVP_MD *md, BN_GENCB *cb) { int ret, res; if (qbits <= 0) { - const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); - - qbits = EVP_MD_size(evpmd) * 8; + if (md != NULL) + qbits = EVP_MD_size(md) * 8; + else + qbits = (pbits >= 2048 ? SHA256_DIGEST_LENGTH : + SHA_DIGEST_LENGTH) * 8; } - dh->params.gindex = gindex; - ret = ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, - FFC_PARAM_TYPE_DH, - bits, qbits, NULL, &res, cb); +#ifndef FIPS_MODE + if (type == DH_PARAMGEN_TYPE_FIPS_186_2) + ret = ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, md, &res, cb); + else +#endif + ret = ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, md, &res, cb); if (ret > 0) dh->dirty_cnt++; return ret; } -int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, - BN_GENCB *cb) +int dh_get_named_group_uid_from_size(int pbits) { -#ifdef FIPS_MODE /* * Just choose an approved safe prime group. * The alternative to this is to generate FIPS186-4 domain parameters i.e. - * return dh_generate_ffc_parameters(ret, prime_len, -1, -1, cb); + * return dh_generate_ffc_parameters(ret, prime_len, 0, NULL, cb); * As the FIPS186-4 generated params are for backwards compatability, * the safe prime group should be used as the default. */ - DH *dh = NULL; - int ok = 0, nid; + int nid; - if (generator != 2) - return 0; - - switch (prime_len) { + switch (pbits) { case 2048: nid = NID_ffdhe2048; break; @@ -92,15 +91,40 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, break; /* unsupported prime_len */ default: - return 0; + return NID_undef; } - dh = DH_new_by_nid(nid); - if (dh != NULL && ffc_params_copy(&ret->params, &dh->params)) { + return nid; +} + +#ifdef FIPS_MODE + +static int dh_gen_named_group(OPENSSL_CTX *libctx, DH *ret, int prime_len) +{ + DH *dh; + int ok = 0; + int nid = dh_get_named_group_uid_from_size(prime_len); + + if (nid == NID_undef) + return 0; + + dh = dh_new_by_nid_with_libctx(libctx, nid); + if (dh != NULL + && ffc_params_copy(&ret->params, &dh->params)) { ok = 1; ret->dirty_cnt++; } DH_free(dh); return ok; +} +#endif /* FIPS_MODE */ + +int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, + BN_GENCB *cb) +{ +#ifdef FIPS_MODE + if (generator != 2) + return 0; + return dh_gen_named_group(ret->libctx, ret, prime_len); #else if (ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c index cc1c546655..1f5a58ed87 100644 --- a/crypto/dh/dh_group_params.c +++ b/crypto/dh/dh_group_params.c @@ -17,6 +17,7 @@ #include #include "internal/cryptlib.h" +#include "internal/ffc.h" #include "dh_local.h" #include #include @@ -25,18 +26,35 @@ #include "crypto/security_bits.h" #include "e_os.h" /* strcasecmp */ +#define FFDHE(sz) { \ + SN_ffdhe##sz, NID_ffdhe##sz, \ + sz, \ + &_bignum_ffdhe##sz##_p, NULL, &_bignum_const_2 \ +} + +#define MODP(sz) { \ + SN_modp_##sz, NID_modp_##sz, \ + sz, \ + &_bignum_modp_##sz##_p, NULL, &_bignum_const_2 \ +} -#define FFDHE(sz) { SN_ffdhe##sz, NID_ffdhe##sz, sz, &_bignum_ffdhe##sz##_p } -#define MODP(sz) { SN_modp_##sz, NID_modp_##sz, sz, &_bignum_modp_##sz##_p } +#define RFC5114(name, uid, sz, tag) { \ + name, uid, \ + sz, \ + &_bignum_dh##tag##_p, &_bignum_dh##tag##_q, &_bignum_dh##tag##_g \ +} -typedef struct safe_prime_group_st { +typedef struct dh_named_group_st { const char *name; - int nid; + int uid; int32_t nbits; const BIGNUM *p; -} SP_GROUP; + const BIGNUM *q; + const BIGNUM *g; +} DH_NAMED_GROUP; + -static const SP_GROUP sp_groups[] = { +static const DH_NAMED_GROUP dh_named_groups[] = { FFDHE(2048), FFDHE(3072), FFDHE(4096), @@ -50,74 +68,89 @@ static const SP_GROUP sp_groups[] = { MODP(4096), MODP(6144), MODP(8192), + /* + * Additional dh named groups from RFC 5114 that have a different g. + * The uid can be any unique identifier. + */ +#ifndef FIPS_MODE + RFC5114("dh_1024_160", 1, 1024, 1024_160), + RFC5114("dh_2048_224", 2, 2048, 2048_224), + RFC5114("dh_2048_256", 3, 2048, 2048_256), +#endif }; -int ffc_named_group_to_nid(const char *name) +int ffc_named_group_to_uid(const char *name) { size_t i; - for (i = 0; i < OSSL_NELEM(sp_groups); ++i) { - if (strcasecmp(sp_groups[i].name, name) == 0) - return sp_groups[i].nid; + for (i = 0; i < OSSL_NELEM(dh_named_groups); ++i) { + if (strcasecmp(dh_named_groups[i].name, name) == 0) + return dh_named_groups[i].uid; } return NID_undef; } -const char *ffc_named_group_from_nid(int nid) +const char *ffc_named_group_from_uid(int uid) { size_t i; - for (i = 0; i < OSSL_NELEM(sp_groups); ++i) { - if (sp_groups[i].nid == nid) - return sp_groups[i].name; + for (i = 0; i < OSSL_NELEM(dh_named_groups); ++i) { + if (dh_named_groups[i].uid == uid) + return dh_named_groups[i].name; } return NULL; } -#ifndef FIPS_MODE -static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid); - -static DH *dh_param_init(OPENSSL_CTX *libctx, int nid, const BIGNUM *p, +static DH *dh_param_init(OPENSSL_CTX *libctx, int uid, const BIGNUM *p, + const BIGNUM *q, const BIGNUM *g, int32_t nbits) { - BIGNUM *q = NULL; - DH *dh = dh_new_with_ctx(libctx); + BIGNUM *qtmp = NULL; + DH *dh = dh_new_with_libctx(libctx); if (dh == NULL) return NULL; - q = BN_dup(p); - /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */ - if (q == NULL || !BN_rshift1(q, q)) { - BN_free(q); - DH_free(dh); - return NULL; + if (q == NULL) { + qtmp = BN_dup(p); + /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */ + if (qtmp == NULL || !BN_rshift1(qtmp, qtmp)) { + BN_free(qtmp); + DH_free(dh); + return NULL; + } } - dh->params.nid = nid; + dh->params.nid = uid; dh->params.p = (BIGNUM *)p; - dh->params.q = (BIGNUM *)q; - dh->params.g = (BIGNUM *)&_bignum_const_2; + dh->params.q = (q != NULL ? (BIGNUM *)q : qtmp); + dh->params.g = (BIGNUM *)g; /* Private key length = 2 * max_target_security_strength */ dh->length = nbits; dh->dirty_cnt++; return dh; } -static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid) +static DH *dh_new_by_group_name(OPENSSL_CTX *libctx, const char *name) { int i; - for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) { - if (sp_groups[i].nid == nid) { + if (name == NULL) + return NULL; + + for (i = 0; i < (int)OSSL_NELEM(dh_named_groups); ++i) { + if (strcasecmp(dh_named_groups[i].name, name) == 0) { int max_target_security_strength = - ifc_ffc_compute_security_bits(sp_groups[i].nbits); + ifc_ffc_compute_security_bits(dh_named_groups[i].nbits); /* * The last parameter specified here is * 2 * max_target_security_strength. * See SP800-56Ar3 Table(s) 25 & 26. */ - return dh_param_init(libctx, nid, sp_groups[i].p, + return dh_param_init(libctx, dh_named_groups[i].uid, + dh_named_groups[i].p, + dh_named_groups[i].q, + dh_named_groups[i].g, 2 * max_target_security_strength); } } @@ -125,11 +158,54 @@ static DH *dh_new_by_nid_with_ctx(OPENSSL_CTX *libctx, int nid) return NULL; } +DH *dh_new_by_nid_with_libctx(OPENSSL_CTX *libctx, int nid) +{ + const char *name = ffc_named_group_from_uid(nid); + + return dh_new_by_group_name(libctx, name); +} + DH *DH_new_by_nid(int nid) { - return dh_new_by_nid_with_ctx(NULL, nid); + return dh_new_by_nid_with_libctx(NULL, nid); +} + +int ffc_set_group_pqg(FFC_PARAMS *ffc, const char *group_name) +{ + int i; + BIGNUM *q = NULL; + + if (ffc == NULL) + return 0; + + for (i = 0; i < (int)OSSL_NELEM(dh_named_groups); ++i) { + if (strcasecmp(dh_named_groups[i].name, group_name) == 0) { + if (dh_named_groups[i].q != NULL) { + /* For groups with a q */ + ffc_params_set0_pqg(ffc, + (BIGNUM *)dh_named_groups[i].p, + (BIGNUM *)dh_named_groups[i].q, + (BIGNUM *)dh_named_groups[i].g); + } else { + /* For SAFE PRIME GROUPS */ + /* Set q = (p - 1) / 2 (p is known to be odd so just shift right) */ + q = BN_dup(dh_named_groups[i].p); + if (q == NULL || !BN_rshift1(q, q)) + break; /* exit with failure */ + + ffc_params_set0_pqg(ffc, + (BIGNUM *)dh_named_groups[i].p, q, + (BIGNUM *)dh_named_groups[i].g); + } + /* flush the cached nid, The DH layer is responsible for caching */ + ffc->nid = NID_undef; + return 1; + } + } + /* gets here on error or if the name was not found */ + BN_free(q); + return 0; } -#endif int DH_get_nid(DH *dh) { @@ -144,13 +220,28 @@ int DH_get_nid(DH *dh) if (nid != NID_undef) return nid; - if (BN_get_word(dh->params.g) != 2) - return NID_undef; + for (i = 0; i < (int)OSSL_NELEM(dh_named_groups); ++i) { + /* Keep searching until a matching p is found */ + if (BN_cmp(dh->params.p, dh_named_groups[i].p) != 0) + continue; + + /* Return an error if g is not matching */ + if (BN_cmp(dh->params.g, dh_named_groups[i].g) != 0) + break; + if (dh_named_groups[i].q != NULL) { + /* RFC5114 NAMED GROUPS have q defined */ + + /* Verify q is correct if it exists */ + if (dh->params.q != NULL) { + if (BN_cmp(dh->params.q, dh_named_groups[i].q) != 0) + break; /* returns nid = NID_undef if q does not match */ + } else { + dh->params.q = (BIGNUM *)dh_named_groups[i].q; + } + } else { + /* For SAFE PRIME GROUPS */ - for (i = 0; i < (int)OSSL_NELEM(sp_groups); ++i) { - /* If a matching p is found then we will break out of the loop */ - if (!BN_cmp(dh->params.p, sp_groups[i].p)) { - /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */ + /* Set q = (p - 1) / 2 (p is known to be odd so just shift right) */ q = BN_dup(dh->params.p); if (q == NULL || !BN_rshift1(q, q)) @@ -165,11 +256,13 @@ int DH_get_nid(DH *dh) dh->params.q = q; q = NULL; /* set to NULL so it is not freed */ } - dh->params.nid = sp_groups[i].nid; /* cache the nid */ - dh->length = 2 * ifc_ffc_compute_security_bits(sp_groups[i].nbits); - dh->dirty_cnt++; - break; } + nid = dh->params.nid = dh_named_groups[i].uid; /* cache the nid */ + dh->length = + 2 * ifc_ffc_compute_security_bits(dh_named_groups[i].nbits); + dh->dirty_cnt++; + /* A matching p was found so break out of the loop */ + break; } BN_free(q); return nid; diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 093695c637..3643cb1471 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,8 +17,10 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/refcount.h" +#include "crypto/evp.h" #include "crypto/dh.h" #include "dh_local.h" @@ -61,7 +63,7 @@ DH *DH_new_method(ENGINE *engine) } #endif /* !FIPS_MODE */ -DH *dh_new_with_ctx(OPENSSL_CTX *libctx) +DH *dh_new_with_libctx(OPENSSL_CTX *libctx) { return dh_new_intern(NULL, libctx); } @@ -319,3 +321,214 @@ int dh_get0_nid(const DH *dh) { return dh->params.nid; } + +int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[]) +{ + int ret; + FFC_PARAMS *ffc; + + if (dh == NULL) + return 0; + ffc = dh_get0_params(dh); + if (ffc == NULL) + return 0; + + ret = ffc_params_fromdata(ffc, params); + if (ret) { + DH_get_nid(dh); + dh->dirty_cnt++; + } + return ret; +} + +static int dh_paramgen_check(EVP_PKEY_CTX *ctx) +{ + if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) { + ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + /* Uses the same return values as EVP_PKEY_CTX_ctrl */ + return -2; + } + /* If key type not DH return error */ + if (ctx->pmeth != NULL + && ctx->pmeth->pkey_id != EVP_PKEY_DH + && ctx->pmeth->pkey_id != EVP_PKEY_DHX) + return -1; + return 1; +} + +int EVP_PKEY_CTX_set_dh_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex) +{ + int ret; + OSSL_PARAM params[2], *p = params; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + + *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FFC_GINDEX, &gindex); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, + const unsigned char *seed, + size_t seedlen) +{ + int ret; + OSSL_PARAM params[2], *p = params; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + + *p++ = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_FFC_SEED, + (void *)seed, seedlen); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int typ) +{ + int ret; + OSSL_PARAM params[2], *p = params; + const char *name; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + +#if !defined(FIPS_MODE) + /* TODO(3.0): Remove this eventually when no more legacy */ + if (ctx->op.keymgmt.genctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, typ, NULL); +#endif + + name = dh_gen_type_id2name(typ); + if (name == NULL) + return 0; + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, + (char *) name, 0); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits) +{ + int ret; + OSSL_PARAM params[2], *p = params; + size_t bits = pbits; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + +#if !defined(FIPS_MODE) + /* TODO(3.0): Remove this eventually when no more legacy */ + if (ctx->op.keymgmt.genctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, pbits, + NULL); +#endif + *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_FFC_PBITS, &bits); + *p++ = OSSL_PARAM_construct_end(); + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int qbits) +{ + int ret; + OSSL_PARAM params[2], *p = params; + size_t bits2 = qbits; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + +#if !defined(FIPS_MODE) + /* TODO(3.0): Remove this eventually when no more legacy */ + if (ctx->op.keymgmt.genctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, qbits, + NULL); +#endif + *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_FFC_QBITS, &bits2); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen) +{ + int ret; + OSSL_PARAM params[2], *p = params; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + +#if !defined(FIPS_MODE) + /* TODO(3.0): Remove this eventually when no more legacy */ + if (ctx->op.keymgmt.genctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, gen, NULL); +#endif + + *p++ = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_FFC_GENERATOR, &gen); + *p++ = OSSL_PARAM_construct_end(); + + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int gen) +{ + int ret; + OSSL_PARAM params[2], *p = params; + const char *name; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + +#if !defined(FIPS_MODE) + /* TODO(3.0): Remove this eventually when no more legacy */ + if (ctx->op.keymgmt.genctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_RFC5114, gen, NULL); +#endif + name = ffc_named_group_from_uid(gen); + if (name == NULL) + return 0; + + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_GROUP, + (void *)name, 0); + *p++ = OSSL_PARAM_construct_end(); + return EVP_PKEY_CTX_set_params(ctx, params); +} + +int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int gen) +{ + return EVP_PKEY_CTX_set_dh_rfc5114(ctx, gen); +} + +int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid) +{ + int ret; + OSSL_PARAM params[2], *p = params; + const char *name; + + if ((ret = dh_paramgen_check(ctx)) <= 0) + return ret; + +#if !defined(FIPS_MODE) + /* TODO(3.0): Remove this eventually when no more legacy */ + if (ctx->op.keymgmt.genctx == NULL) + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, + EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_DH_NID, nid, NULL); +#endif + name = ffc_named_group_from_uid(nid); + if (name == NULL) + return 0; + + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_FFC_GROUP, + (void *)name, 0); + *p++ = OSSL_PARAM_construct_end(); + return EVP_PKEY_CTX_set_params(ctx, params); +} diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 6d34accc3c..b6617492da 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -24,6 +24,8 @@ #include "internal/cryptlib.h" #include "crypto/asn1.h" #include "crypto/evp.h" +#include "crypto/dh.h" +#include "internal/ffc.h" #include "internal/numbers.h" #include "internal/provider.h" #include "evp_local.h" @@ -808,11 +810,22 @@ static int legacy_ctrl_to_param(EVP_PKEY_CTX *ctx, int keytype, int optype, */ if (cmd == EVP_PKEY_CTRL_CIPHER) return -2; + # ifndef OPENSSL_NO_DH if (keytype == EVP_PKEY_DH) { switch (cmd) { case EVP_PKEY_CTRL_DH_PAD: return EVP_PKEY_CTX_set_dh_pad(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN: + return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN: + return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR: + return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE: + return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, p1); + case EVP_PKEY_CTRL_DH_RFC5114: + return EVP_PKEY_CTX_set_dh_rfc5114(ctx, p1); } } # endif @@ -1021,7 +1034,21 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name, name = OSSL_PKEY_PARAM_FFC_DIGEST; # endif # ifndef OPENSSL_NO_DH - else if (strcmp(name, "dh_pad") == 0) + else if (strcmp(name, "dh_paramgen_generator") == 0) + name = OSSL_PKEY_PARAM_FFC_GENERATOR; + else if (strcmp(name, "dh_paramgen_prime_len") == 0) + name = OSSL_PKEY_PARAM_FFC_PBITS; + else if (strcmp(name, "dh_paramgen_subprime_len") == 0) + name = OSSL_PKEY_PARAM_FFC_QBITS; + else if (strcmp(name, "dh_paramgen_type") == 0) { + name = OSSL_PKEY_PARAM_FFC_TYPE; + value = dh_gen_type_id2name(atoi(value)); + } else if (strcmp(name, "dh_param") == 0) + name = OSSL_PKEY_PARAM_FFC_GROUP; + else if (strcmp(name, "dh_rfc5114") == 0) { + name = OSSL_PKEY_PARAM_FFC_GROUP; + value = ffc_named_group_from_uid(atoi(value)); + } else if (strcmp(name, "dh_pad") == 0) name = OSSL_EXCHANGE_PARAM_PAD; # endif # ifndef OPENSSL_NO_EC diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c index 1d076184bc..d3661b1706 100644 --- a/crypto/ffc/ffc_backend.c +++ b/crypto/ffc/ffc_backend.c @@ -22,25 +22,19 @@ int ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]) const OSSL_PARAM *prm; const OSSL_PARAM *param_p, *param_q, *param_g; BIGNUM *p = NULL, *q = NULL, *g = NULL, *j = NULL; -#if 0 - char group_name[OSSL_MAX_NAME_SIZE]; - char *str = group_name; -#endif int i; if (ffc == NULL) return 0; -/* TODO(3.0) Add for DH PR */ -#if 0 prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GROUP); if (prm != NULL) { - if (!OSSL_PARAM_get_utf8_string(prm, &str, sizeof(group_name))) + if (prm->data_type != OSSL_PARAM_UTF8_STRING) goto err; - if (!ffc_set_group_pqg(ffc, group_name)) + if (!ffc_set_group_pqg(ffc, prm->data)) goto err; } -#endif + param_p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_P); param_g = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_G); param_q = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_Q); @@ -66,6 +60,7 @@ int ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]) if (prm != NULL) { if (!OSSL_PARAM_get_BN(prm, &j)) goto err; + j = NULL; } prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_H); if (prm != NULL) { diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c index 5950847703..89550bedec 100644 --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c @@ -215,7 +215,7 @@ int ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld, ffc->seed, ffc->seedlen)) return 0; if (ffc->nid != NID_undef) { - const char *name = ffc_named_group_from_nid(ffc->nid); + const char *name = ffc_named_group_from_uid(ffc->nid); if (name == NULL || !ossl_param_build_set_utf8_string(bld, params, @@ -227,7 +227,6 @@ int ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld, } #ifndef FIPS_MODE - int ffc_params_print(BIO *bp, const FFC_PARAMS *ffc, int indent) { if (!ASN1_bn_print(bp, "prime P:", ffc->p, NULL, indent)) diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index ded779feb0..039073cacf 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -41,6 +41,8 @@ EVP_PKEY_CTX_set_dh_paramgen_prime_len, EVP_PKEY_CTX_set_dh_paramgen_subprime_len, EVP_PKEY_CTX_set_dh_paramgen_generator, EVP_PKEY_CTX_set_dh_paramgen_type, +EVP_PKEY_CTX_set_dh_paramgen_gindex, +EVP_PKEY_CTX_set_dh_paramgen_seed, EVP_PKEY_CTX_set_dh_rfc5114, EVP_PKEY_CTX_set_dhx_rfc5114, EVP_PKEY_CTX_set_dh_pad, @@ -144,6 +146,10 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid); int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114); int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114); + int EVP_PKEY_CTX_set_dh_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex); + int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, + const unsigned char *seed, + size_t seedlen); int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf); int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx); int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid); @@ -462,22 +468,39 @@ parameter generation. The supported parameters are: =over 4 -=item B +=item B + +Use a named group. If only the safe prime parameter I

is set this can be +used to select a ffdhe safe prime group of the correct size. + +=item B -Uses a generator g (PKCS#3 format). +FIPS186-4 FFC parameter generator. =item B FIPS186-2 FFC parameter generator (X9.42 DH). -=item B +=item B -FIPS186-4 FFC parameter generator. +Uses a safe prime generator g (PKCS#3 format). =back The default is B. +The EVP_PKEY_CTX_set_dh_paramgen_gindex() method sets the I used by +the generator G. The default value is -1 which uses unverifiable g, otherwise +a positive value uses verifiable g. This value must be saved if key validation +of g is required, since it is not part of a persisted key. + +The EVP_PKEY_CTX_set_dh_paramgen_seed() method sets the I to use for +generation rather than using a randomly generated value for the seed. This is +useful for testing purposes only and can fail if the seed does not produce +primes for both p & q on its first iteration. This value must be saved if +key validation of p, q, and verifiable g are required, since it is not part of +a persisted key. + The EVP_PKEY_CTX_set_dh_pad() function sets the DH padding mode. If I is 1 the shared secret is padded with zeros up to the size of the DH prime I

. diff --git a/include/crypto/bn_dh.h b/include/crypto/bn_dh.h index 2864fb3319..c19d4f0734 100644 --- a/include/crypto/bn_dh.h +++ b/include/crypto/bn_dh.h @@ -16,12 +16,13 @@ declare_dh_bn(1024_160) declare_dh_bn(2048_224) declare_dh_bn(2048_256) +extern const BIGNUM _bignum_const_2; + extern const BIGNUM _bignum_ffdhe2048_p; extern const BIGNUM _bignum_ffdhe3072_p; extern const BIGNUM _bignum_ffdhe4096_p; extern const BIGNUM _bignum_ffdhe6144_p; extern const BIGNUM _bignum_ffdhe8192_p; -extern const BIGNUM _bignum_const_2; extern const BIGNUM _bignum_modp_1536_p; extern const BIGNUM _bignum_modp_2048_p; diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 5d5470f165..150d13b370 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -11,15 +11,19 @@ #include #include "internal/ffc.h" -DH *dh_new_with_ctx(OPENSSL_CTX *libctx); +DH *dh_new_by_nid_with_libctx(OPENSSL_CTX *libctx, int nid); +DH *dh_new_with_libctx(OPENSSL_CTX *libctx); -int dh_generate_ffc_parameters(DH *dh, int bits, - int qbits, int gindex, BN_GENCB *cb); +int dh_generate_ffc_parameters(DH *dh, int type, int pbits, + int qbits, EVP_MD *md, BN_GENCB *cb); int dh_generate_public_key(BN_CTX *ctx, DH *dh, const BIGNUM *priv_key, BIGNUM *pub_key); +int dh_get_named_group_uid_from_size(int pbits); +const char *dh_gen_type_id2name(int id); FFC_PARAMS *dh_get0_params(DH *dh); int dh_get0_nid(const DH *dh); +int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[]); int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]); int dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret); diff --git a/include/internal/ffc.h b/include/internal/ffc.h index c8b2cb8c3c..90a13a5fd4 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -164,10 +164,11 @@ int ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv_key, int *ret); int ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *tmpl, - OSSL_PARAM params[]); + OSSL_PARAM params[]); int ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]); -int ffc_named_group_to_nid(const char *name); -const char *ffc_named_group_from_nid(int nid); +int ffc_set_group_pqg(FFC_PARAMS *ffc, const char *group_name); +int ffc_named_group_to_uid(const char *name); +const char *ffc_named_group_from_uid(int nid); int ffc_set_group_pqg(FFC_PARAMS *ffc, const char *group_name); #endif /* OSSL_INTERNAL_FFC_H */ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 18f835231c..b5ee883bc7 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -198,6 +198,16 @@ extern "C" { #define OSSL_PKEY_PARAM_FFC_H "hindex" #define OSSL_PKEY_PARAM_FFC_GROUP "group" +#define OSSL_PKEY_PARAM_FFC_GINDEX "gindex" +#define OSSL_PKEY_PARAM_FFC_PCOUNTER "pcounter" +#define OSSL_PKEY_PARAM_FFC_SEED "seed" +#define OSSL_PKEY_PARAM_FFC_COFACTOR "j" +#define OSSL_PKEY_PARAM_FFC_H "hindex" + +/* Diffie-Hellman params */ +#define OSSL_PKEY_PARAM_FFC_GROUP "group" +#define OSSL_PKEY_PARAM_FFC_GENERATOR "safeprime-generator" + /* Elliptic Curve Domain Parameters */ #define OSSL_PKEY_PARAM_EC_NAME "curve-name" diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 8af0670ecf..d705f50f09 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -104,11 +104,10 @@ DECLARE_ASN1_ITEM(DHparams) # define DH_CHECK_P_NOT_STRONG_PRIME DH_CHECK_P_NOT_SAFE_PRIME /* DH parameter generation types used by EVP_PKEY_CTX_set_dh_paramgen_type() */ -# define DH_PARAMGEN_TYPE_GENERATOR 0 /* Use a generator g */ -# define DH_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */ +# define DH_PARAMGEN_TYPE_GENERATOR 0 /* Use a safe prime generator */ +# define DH_PARAMGEN_TYPE_FIPS_186_2 1 /* Use FIPS186-2 standard */ # define DH_PARAMGEN_TYPE_FIPS_186_4 2 /* Use FIPS186-4 standard */ - -# define DH_CHECK_P_NOT_STRONG_PRIME DH_CHECK_P_NOT_SAFE_PRIME +# define DH_PARAMGEN_TYPE_GROUP 3 /* Use a named safe prime group */ # define d2i_DHparams_fp(fp, x) \ (DH *)ASN1_d2i_fp((char *(*)())DH_new, \ @@ -270,35 +269,17 @@ DEPRECATEDIN_3_0(int DH_meth_set_generate_params(DH_METHOD *dhm, (DH *, int, int, BN_GENCB *))) -# define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, len, NULL) - -# define EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, len, NULL) - -# define EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, typ, NULL) - -# define EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, gen) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, gen, NULL) - -# define EVP_PKEY_CTX_set_dh_rfc5114(ctx, gen) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DH_RFC5114, gen, NULL) - -# define EVP_PKEY_CTX_set_dhx_rfc5114(ctx, gen) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DHX, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DH_RFC5114, gen, NULL) - -# define EVP_PKEY_CTX_set_dh_nid(ctx, nid) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, \ - EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, \ - EVP_PKEY_CTRL_DH_NID, nid, NULL) - +int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int typ); +int EVP_PKEY_CTX_set_dh_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex); +int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, + const unsigned char *seed, + size_t seedlen); +int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits); +int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int qlen); +int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen); +int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid); +int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int gen); +int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int gen); int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad); # define EVP_PKEY_CTX_set_dh_kdf_type(ctx, kdf) \ diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 250e7aac95..31a7c0b95c 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,19 +13,27 @@ */ #include "internal/deprecated.h" +#include /* strcmp */ #include #include #include -#include -#include -#include +#include #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "crypto/dh.h" +#include "internal/sizes.h" +#include "internal/nelem.h" +#include "internal/param_build_set.h" static OSSL_OP_keymgmt_new_fn dh_newdata; static OSSL_OP_keymgmt_free_fn dh_freedata; +static OSSL_OP_keymgmt_gen_init_fn dh_gen_init; +static OSSL_OP_keymgmt_gen_set_template_fn dh_gen_set_template; +static OSSL_OP_keymgmt_gen_set_params_fn dh_gen_set_params; +static OSSL_OP_keymgmt_gen_settable_params_fn dh_gen_settable_params; +static OSSL_OP_keymgmt_gen_fn dh_gen; +static OSSL_OP_keymgmt_gen_cleanup_fn dh_gen_cleanup; static OSSL_OP_keymgmt_get_params_fn dh_get_params; static OSSL_OP_keymgmt_gettable_params_fn dh_gettable_params; static OSSL_OP_keymgmt_has_fn dh_has; @@ -36,42 +44,81 @@ static OSSL_OP_keymgmt_import_types_fn dh_import_types; static OSSL_OP_keymgmt_export_fn dh_export; static OSSL_OP_keymgmt_export_types_fn dh_export_types; -#define DH_POSSIBLE_SELECTIONS \ +#define DH_POSSIBLE_SELECTIONS \ (OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) -static int domparams_to_params(DH *dh, OSSL_PARAM_BLD *tmpl) +struct dh_gen_ctx { + OPENSSL_CTX *libctx; + + FFC_PARAMS *ffc_params; + int selection; + /* All these parameters are used for parameter generation only */ + /* If there is a group name then the remaining parameters are not needed */ + int group_nid; + size_t pbits; + size_t qbits; + EVP_MD *md; + unsigned char *seed; /* optional FIPS186-4 param for testing */ + size_t seedlen; + int gindex; /* optional FIPS186-4 generator index (ignored if -1) */ + int gen_type; /* see dhtype2id */ + int generator; /* Used by DH_PARAMGEN_TYPE_GENERATOR in non fips mode only */ + int pcounter; + int hindex; + + OSSL_CALLBACK *cb; + void *cbarg; +}; + +typedef struct dh_name2id_st{ + const char *name; + int id; +} DH_GENTYPE_NAME2ID; + +static const DH_GENTYPE_NAME2ID dhtype2id[]= { - const BIGNUM *dh_p = NULL, *dh_g = NULL; + { "default", DH_PARAMGEN_TYPE_FIPS_186_4 }, + { "fips186_4", DH_PARAMGEN_TYPE_FIPS_186_4 }, + { "fips186_2", DH_PARAMGEN_TYPE_FIPS_186_2 }, + { "group", DH_PARAMGEN_TYPE_GROUP }, + { "generator", DH_PARAMGEN_TYPE_GENERATOR } +}; - if (dh == NULL) - return 0; +const char *dh_gen_type_id2name(int id) +{ + size_t i; - DH_get0_pqg(dh, &dh_p, NULL, &dh_g); - if (dh_p != NULL - && !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, dh_p)) - return 0; - if (dh_g != NULL - && !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, dh_g)) - return 0; + for (i = 0; i < OSSL_NELEM(dhtype2id); ++i) { + if (dhtype2id[i].id == id) + return dhtype2id[i].name; + } + return NULL; +} - return 1; +static int dh_gen_type_name2id(const char *name) +{ + size_t i; + + for (i = 0; i < OSSL_NELEM(dhtype2id); ++i) { + if (strcmp(dhtype2id[i].name, name) == 0) + return dhtype2id[i].id; + } + return -1; } -static int key_to_params(DH *dh, OSSL_PARAM_BLD *tmpl) +static int dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) { - const BIGNUM *priv_key = NULL, *pub_key = NULL; + const BIGNUM *priv = NULL, *pub = NULL; if (dh == NULL) return 0; - if (!domparams_to_params(dh, tmpl)) - return 0; - DH_get0_key(dh, &pub_key, &priv_key); - if (priv_key != NULL - && !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) + DH_get0_key(dh, &pub, &priv); + if (priv != NULL + && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PRIV_KEY, priv)) return 0; - if (pub_key != NULL - && !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) + if (pub != NULL + && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PUB_KEY, pub)) return 0; return 1; @@ -79,7 +126,7 @@ static int key_to_params(DH *dh, OSSL_PARAM_BLD *tmpl) static void *dh_newdata(void *provctx) { - return dh_new_with_ctx(PROV_LIBRARY_CONTEXT_OF(provctx)); + return dh_new_with_libctx(PROV_LIBRARY_CONTEXT_OF(provctx)); } static void dh_freedata(void *keydata) @@ -128,16 +175,17 @@ static int dh_match(const void *keydata1, const void *keydata2, int selection) static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) { DH *dh = keydata; - int ok = 0; + int ok = 1; if (dh == NULL) return 0; - if ((selection & DH_POSSIBLE_SELECTIONS) != 0) - ok = 1; + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 0; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && ffc_params_fromdata(dh_get0_params(dh), params); + ok = ok && dh_ffc_params_fromdata(dh, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) ok = ok && dh_key_fromdata(dh, params); @@ -160,9 +208,9 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, return 0; if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) - ok = ok && domparams_to_params(dh, tmpl); + ok = ok && ffc_params_todata(dh_get0_params(dh), tmpl, NULL); if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && key_to_params(dh, tmpl); + ok = ok && dh_key_todata(dh, tmpl, NULL); if (!ok || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { @@ -178,12 +226,19 @@ err: /* IMEXPORT = IMPORT + EXPORT */ -# define DH_IMEXPORTABLE_PARAMETERS \ - OSSL_PARAM_BN(OSSL_PKEY_PARAM_FFC_P, NULL, 0), \ - OSSL_PARAM_BN(OSSL_PKEY_PARAM_FFC_G, NULL, 0) -# define DH_IMEXPORTABLE_PUBLIC_KEY \ +# define DH_IMEXPORTABLE_PARAMETERS \ + OSSL_PARAM_BN(OSSL_PKEY_PARAM_FFC_P, NULL, 0), \ + OSSL_PARAM_BN(OSSL_PKEY_PARAM_FFC_Q, NULL, 0), \ + OSSL_PARAM_BN(OSSL_PKEY_PARAM_FFC_G, NULL, 0), \ + OSSL_PARAM_BN(OSSL_PKEY_PARAM_FFC_COFACTOR, NULL, 0), \ + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL), \ + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL), \ + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL), \ + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_GROUP, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0) +# define DH_IMEXPORTABLE_PUBLIC_KEY \ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0) -# define DH_IMEXPORTABLE_PRIVATE_KEY \ +# define DH_IMEXPORTABLE_PRIVATE_KEY \ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0) static const OSSL_PARAM dh_all_types[] = { DH_IMEXPORTABLE_PARAMETERS, @@ -242,13 +297,17 @@ static ossl_inline int dh_get_params(void *key, OSSL_PARAM params[]) if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL && !OSSL_PARAM_set_int(p, DH_size(dh))) return 0; - return 1; + return ffc_params_todata(dh_get0_params(dh), NULL, params) + && dh_key_todata(dh, NULL, params); } static const OSSL_PARAM dh_params[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + DH_IMEXPORTABLE_PARAMETERS, + DH_IMEXPORTABLE_PUBLIC_KEY, + DH_IMEXPORTABLE_PRIVATE_KEY, OSSL_PARAM_END }; @@ -297,8 +356,261 @@ static int dh_validate(void *keydata, int selection) return ok; } +static void *dh_gen_init(void *provctx, int selection) +{ + OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx); + struct dh_gen_ctx *gctx = NULL; + + if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR + | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) == 0) + return NULL; + + if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) { + gctx->selection = selection; + gctx->libctx = libctx; + gctx->pbits = 2048; + gctx->qbits = 224; + gctx->md = NULL; + gctx->gen_type = DH_PARAMGEN_TYPE_FIPS_186_4; + gctx->gindex = -1; + gctx->hindex = 0; + gctx->pcounter = -1; + gctx->generator = DH_GENERATOR_2; + } + return gctx; +} + +static int dh_gen_set_template(void *genctx, void *templ) +{ + struct dh_gen_ctx *gctx = genctx; + DH *dh = templ; + + if (gctx == NULL || dh == NULL) + return 0; + gctx->ffc_params = dh_get0_params(dh); + return 1; +} + +static int dh_set_gen_seed(struct dh_gen_ctx *gctx, unsigned char *seed, + size_t seedlen) +{ + OPENSSL_clear_free(gctx->seed, gctx->seedlen); + gctx->seed = NULL; + gctx->seedlen = 0; + if (seed != NULL && seedlen > 0) { + gctx->seed = OPENSSL_memdup(seed, seedlen); + if (gctx->seed == NULL) + return 0; + gctx->seedlen = seedlen; + } + return 1; +} + +static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[]) +{ + struct dh_gen_ctx *gctx = genctx; + const OSSL_PARAM *p; + + if (gctx == NULL) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_UTF8_STRING + || ((gctx->gen_type = dh_gen_type_name2id(p->data)) == -1)) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + } + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GROUP); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_UTF8_STRING + || ((gctx->group_nid = ffc_named_group_to_uid(p->data)) == NID_undef)) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + gctx->gen_type = DH_PARAMGEN_TYPE_GROUP; + } + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GENERATOR); + if (p != NULL + && !OSSL_PARAM_get_int(p, &gctx->generator)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GINDEX); + if (p != NULL + && !OSSL_PARAM_get_int(p, &gctx->gindex)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_PCOUNTER); + if (p != NULL + && !OSSL_PARAM_get_int(p, &gctx->pcounter)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_H); + if (p != NULL + && !OSSL_PARAM_get_int(p, &gctx->hindex)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_SEED); + if (p != NULL + && (p->data_type != OSSL_PARAM_OCTET_STRING + || !dh_set_gen_seed(gctx, p->data, p->data_size))) + return 0; + + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_PBITS)) != NULL + && !OSSL_PARAM_get_size_t(p, &gctx->pbits)) + return 0; + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_QBITS)) != NULL + && !OSSL_PARAM_get_size_t(p, &gctx->qbits)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_DIGEST); + if (p != NULL) { + const OSSL_PARAM *p1; + char mdprops[OSSL_MAX_PROPQUERY_SIZE] = { '\0' }; + char *str = mdprops; + + if (p->data_type != OSSL_PARAM_UTF8_STRING) + return 0; + p1 = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_DIGEST_PROPS); + if (p1 != NULL + && !OSSL_PARAM_get_utf8_string(p1, &str, sizeof(mdprops))) + return 0; + EVP_MD_free(gctx->md); + gctx->md = EVP_MD_fetch(gctx->libctx, p->data, mdprops); + if (gctx->md == NULL) + return 0; + } + return 1; +} + +static const OSSL_PARAM *dh_gen_settable_params(void *provctx) +{ + static OSSL_PARAM settable[] = { + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_GROUP, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0), + OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL), + OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_QBITS, NULL), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST_PROPS, NULL, 0), + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL), + OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GENERATOR, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL), + OSSL_PARAM_END + }; + return settable; +} + +static int dh_gencb(int p, int n, BN_GENCB *cb) +{ + struct dh_gen_ctx *gctx = BN_GENCB_get_arg(cb); + OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END }; + + params[0] = OSSL_PARAM_construct_int(OSSL_GEN_PARAM_POTENTIAL, &p); + params[1] = OSSL_PARAM_construct_int(OSSL_GEN_PARAM_ITERATION, &n); + + return gctx->cb(params, gctx->cbarg); +} + +static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) +{ + int ret = 0; + struct dh_gen_ctx *gctx = genctx; + DH *dh = NULL; + BN_GENCB *gencb = NULL; + FFC_PARAMS *ffc; + + if (gctx == NULL) + return NULL; + + /* For parameter generation - If there is a group name just create it */ + if (gctx->gen_type == DH_PARAMGEN_TYPE_GROUP) { + /* Select a named group if there is not one already */ + if (gctx->group_nid == NID_undef) + gctx->group_nid = dh_get_named_group_uid_from_size(gctx->pbits); + if (gctx->group_nid == NID_undef) + return NULL; + dh = dh_new_by_nid_with_libctx(gctx->libctx, gctx->group_nid); + if (dh == NULL) + return NULL; + ffc = dh_get0_params(dh); + } else { + dh = dh_new_with_libctx(gctx->libctx); + if (dh == NULL) + return NULL; + ffc = dh_get0_params(dh); + + /* Copy the template value if one was passed */ + if (gctx->ffc_params != NULL + && !ffc_params_copy(ffc, gctx->ffc_params)) + goto end; + + if (!ffc_params_set_seed(ffc, gctx->seed, gctx->seedlen)) + goto end; + if (gctx->gindex != -1) { + ffc_params_set_gindex(ffc, gctx->gindex); + if (gctx->pcounter != -1) + ffc_params_set_pcounter(ffc, gctx->pcounter); + } else if (gctx->hindex != 0) { + ffc_params_set_h(ffc, gctx->hindex); + } + gctx->cb = osslcb; + gctx->cbarg = cbarg; + gencb = BN_GENCB_new(); + if (gencb != NULL) + BN_GENCB_set(gencb, dh_gencb, genctx); + + if ((gctx->selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * NOTE: The old safe prime generator code is not used in fips mode, + * (i.e internally it ignores the generator and chooses a named + * group based on pbits. + */ + if (gctx->gen_type == DH_PARAMGEN_TYPE_GENERATOR) + ret = DH_generate_parameters_ex(dh, gctx->pbits, + gctx->generator, gencb); + else + ret = dh_generate_ffc_parameters(dh, gctx->gen_type, gctx->pbits, + gctx->qbits, gctx->md, gencb); + if (ret <= 0) + goto end; + } + } + + if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + if (ffc->p == NULL || ffc->g == NULL) + goto end; + if (DH_generate_key(dh) <= 0) + goto end; + } + ret = 1; +end: + if (ret <= 0) { + DH_free(dh); + dh = NULL; + } + BN_GENCB_free(gencb); + return dh; +} + +static void dh_gen_cleanup(void *genctx) +{ + struct dh_gen_ctx *gctx = genctx; + + if (gctx == NULL) + return; + + OPENSSL_clear_free(gctx->seed, gctx->seedlen); + EVP_MD_free(gctx->md); + OPENSSL_free(gctx); +} + const OSSL_DISPATCH dh_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))dh_newdata }, + { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))dh_gen_init }, + { OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE, (void (*)(void))dh_gen_set_template }, + { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))dh_gen_set_params }, + { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, + (void (*)(void))dh_gen_settable_params }, + { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))dh_gen }, + { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))dh_gen_cleanup }, { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))dh_freedata }, { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))dh_get_params }, { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))dh_gettable_params }, diff --git a/providers/implementations/serializers/serializer_dh.c b/providers/implementations/serializers/serializer_dh.c index b2517ed947..d8e85a5482 100644 --- a/providers/implementations/serializers/serializer_dh.c +++ b/providers/implementations/serializers/serializer_dh.c @@ -13,11 +13,12 @@ */ #include "internal/deprecated.h" -#include #include #include "prov/bio.h" /* ossl_prov_bio_printf() */ #include "prov/implementations.h" /* rsa_keymgmt_functions */ #include "prov/providercommonerr.h" /* PROV_R_BN_ERROR */ +#include "internal/ffc.h" +#include "crypto/dh.h" #include "serializer_local.h" OSSL_OP_keymgmt_new_fn *ossl_prov_get_keymgmt_dh_new(void) @@ -39,8 +40,7 @@ int ossl_prov_print_dh(BIO *out, DH *dh, enum dh_print_type type) { const char *type_label = NULL; const BIGNUM *priv_key = NULL, *pub_key = NULL; - const BIGNUM *p = NULL, *g = NULL; - + const BIGNUM *p = NULL; switch (type) { case dh_print_priv: @@ -67,35 +67,19 @@ int ossl_prov_print_dh(BIO *out, DH *dh, enum dh_print_type type) } p = DH_get0_p(dh); - g = DH_get0_g(dh); - if (p == NULL || g == NULL) + if (p == NULL) goto null_err; - /* - * TODO(3.0): add printing of: - * - * - q (label "subgroup order:") - * - j (label "subgroup factor:") - * - seed (label "seed:") - * - counter (label "counter:") - * - * This can happen as soon as there are DH_get0_ functions for them. - */ - if (ossl_prov_bio_printf(out, "%s: (%d bit)\n", type_label, BN_num_bits(p)) <= 0) goto err; if (priv_key != NULL - && !ossl_prov_print_labeled_bignum(out, " private-key:", priv_key)) + && !ossl_prov_print_labeled_bignum(out, "private-key:", priv_key)) goto err; if (pub_key != NULL - && !ossl_prov_print_labeled_bignum(out, " public-key:", pub_key)) - goto err; - if (p != NULL - && !ossl_prov_print_labeled_bignum(out, " prime:", p)) + && !ossl_prov_print_labeled_bignum(out, "public-key:", pub_key)) goto err; - if (g != NULL - && !ossl_prov_print_labeled_bignum(out, " generator:", g)) + if (!ffc_params_prov_print(out, dh_get0_params(dh))) goto err; return 1; diff --git a/providers/implementations/serializers/serializer_ffc_params.c b/providers/implementations/serializers/serializer_ffc_params.c index da38763cfe..20cf4b3d24 100644 --- a/providers/implementations/serializers/serializer_ffc_params.c +++ b/providers/implementations/serializers/serializer_ffc_params.c @@ -15,7 +15,7 @@ int ffc_params_prov_print(BIO *out, const FFC_PARAMS *ffc) { if (ffc->nid != NID_undef) { - const char *name = ffc_named_group_from_nid(ffc->nid); + const char *name = ffc_named_group_from_uid(ffc->nid); if (name == NULL) goto err; diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 5a66162cae..7b61cbe11f 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -12,12 +12,12 @@ #include #include #include -#include +#include #include #include "crypto/ecx.h" -#include "internal/nelem.h" -#include "openssl/param_build.h" #include "crypto/evp.h" /* For the internal API */ +#include "crypto/bn_dh.h" /* _bignum_ffdhe2048_p */ +#include "internal/nelem.h" #include "testutil.h" static char *datadir = NULL; @@ -391,73 +391,283 @@ static int test_evp_pkey_get_bn_param_large(void) #ifndef OPENSSL_NO_DH -/* Array indexes used in test_fromdata_dh */ -#define PRIV_KEY 0 -#define PUB_KEY 1 -#define FFC_P 2 -#define FFC_G 3 - -static int test_fromdata_dh(void) +static int test_fromdata_dh_named_group(void) { int ret = 0; + int gindex = 0, pcounter = 0, hindex = 0; EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; EVP_PKEY *pk = NULL, *copy_pk = NULL; + size_t len; + BIGNUM *pub = NULL, *priv = NULL; + BIGNUM *pub_out = NULL, *priv_out = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *j = NULL; + OSSL_PARAM *fromdata_params = NULL; + OSSL_PARAM_BLD *bld = NULL; + char name_out[80]; + unsigned char seed_out[32]; + /* - * 32-bit DH key, extracted from this command, - * executed with OpenSSL 1.0.2: - * - * openssl dhparam -out dhp.pem 32 - * openssl genpkey -paramfile dhp.pem | openssl pkey -text + * DH key data was generated using the following: + * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text */ - static unsigned long key_numbers[] = { - 0x666c2b06, /* priv-key */ - 0x6fa6de50, /* pub-key */ - 0x8bb45f53, /* P */ - 0x2, /* G */ + static const unsigned char priv_data[] = { + 0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d, + 0x38, 0x2a, 0xd0, 0xed, 0x56, 0x4b, 0x47, 0x21, 0x2b, 0xfa, 0x55, 0xfa, + 0x87, 0xe8, 0xa9, 0x7b, }; - OSSL_PARAM fromdata_params[] = { - OSSL_PARAM_ulong(OSSL_PKEY_PARAM_PRIV_KEY, &key_numbers[PRIV_KEY]), - OSSL_PARAM_ulong(OSSL_PKEY_PARAM_PUB_KEY, &key_numbers[PUB_KEY]), - OSSL_PARAM_ulong(OSSL_PKEY_PARAM_FFC_P, &key_numbers[FFC_P]), - OSSL_PARAM_ulong(OSSL_PKEY_PARAM_FFC_G, &key_numbers[FFC_G]), - OSSL_PARAM_END + static const unsigned char pub_data[] = { + 0x00, 0xd6, 0x2d, 0x77, 0xe0, 0xd3, 0x7d, 0xf8, 0xeb, 0x98, 0x50, 0xa1, + 0x82, 0x22, 0x65, 0xd5, 0xd9, 0xfe, 0xc9, 0x3f, 0xbe, 0x16, 0x83, 0xbd, + 0x33, 0xe9, 0xc6, 0x93, 0xcf, 0x08, 0xaf, 0x83, 0xfa, 0x80, 0x8a, 0x6c, + 0x64, 0xdf, 0x70, 0x64, 0xd5, 0x0a, 0x7c, 0x5a, 0x72, 0xda, 0x66, 0xe6, + 0xf9, 0xf5, 0x31, 0x21, 0x92, 0xb0, 0x60, 0x1a, 0xb5, 0xd3, 0xf0, 0xa5, + 0xfa, 0x48, 0x95, 0x2e, 0x38, 0xd9, 0xc5, 0xe6, 0xda, 0xfb, 0x6c, 0x03, + 0x9d, 0x4b, 0x69, 0xb7, 0x95, 0xe4, 0x5c, 0xc0, 0x93, 0x4f, 0x48, 0xd9, + 0x7e, 0x06, 0x22, 0xb2, 0xde, 0xf3, 0x79, 0x24, 0xed, 0xe1, 0xd1, 0x4a, + 0x57, 0xf1, 0x40, 0x86, 0x70, 0x42, 0x25, 0xc5, 0x27, 0x68, 0xc9, 0xfa, + 0xe5, 0x8e, 0x62, 0x7e, 0xff, 0x49, 0x6c, 0x5b, 0xb5, 0xba, 0xf9, 0xef, + 0x9a, 0x1a, 0x10, 0xd4, 0x81, 0x53, 0xcf, 0x83, 0x04, 0x18, 0x1c, 0xe1, + 0xdb, 0xe1, 0x65, 0xa9, 0x7f, 0xe1, 0x33, 0xeb, 0xc3, 0x4f, 0xe3, 0xb7, + 0x22, 0xf7, 0x1c, 0x09, 0x4f, 0xed, 0xc6, 0x07, 0x8e, 0x78, 0x05, 0x8f, + 0x7c, 0x96, 0xd9, 0x12, 0xe0, 0x81, 0x74, 0x1a, 0xe9, 0x13, 0xc0, 0x20, + 0x82, 0x65, 0xbb, 0x42, 0x3b, 0xed, 0x08, 0x6a, 0x84, 0x4f, 0xea, 0x77, + 0x14, 0x32, 0xf9, 0xed, 0xc2, 0x12, 0xd6, 0xc5, 0xc6, 0xb3, 0xe5, 0xf2, + 0x6e, 0xf6, 0x16, 0x7f, 0x37, 0xde, 0xbc, 0x09, 0xc7, 0x06, 0x6b, 0x12, + 0xbc, 0xad, 0x2d, 0x49, 0x25, 0xd5, 0xdc, 0xf4, 0x18, 0x14, 0xd2, 0xf0, + 0xf1, 0x1d, 0x1f, 0x3a, 0xaa, 0x15, 0x55, 0xbb, 0x0d, 0x7f, 0xbe, 0x67, + 0xa1, 0xa7, 0xf0, 0xaa, 0xb3, 0xfb, 0x41, 0x82, 0x39, 0x49, 0x93, 0xbc, + 0xa8, 0xee, 0x72, 0x13, 0x45, 0x65, 0x15, 0x42, 0x17, 0xaa, 0xd8, 0xab, + 0xcf, 0x33, 0x42, 0x83, 0x42 }; + static const char group_name[] = "ffdhe2048"; + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_ptr(pub = BN_bin2bn(pub_data, sizeof(pub_data), NULL)) + || !TEST_ptr(priv = BN_bin2bn(priv_data, sizeof(priv_data), NULL)) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_FFC_GROUP, + group_name, 0)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv)) + || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld))) + goto err; if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL))) goto err; if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) - || !TEST_int_eq(EVP_PKEY_bits(pk), 32) - || !TEST_int_eq(EVP_PKEY_security_bits(pk), 0) /* Missing Q */ - || !TEST_int_eq(EVP_PKEY_size(pk), 4)) + || !TEST_int_eq(EVP_PKEY_bits(pk), 2048) + || !TEST_int_eq(EVP_PKEY_security_bits(pk), 112) + || !TEST_int_eq(EVP_PKEY_size(pk), 256)) + goto err; + + if (!TEST_true(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_FFC_GROUP, + name_out, sizeof(name_out), + &len)) + || !TEST_str_eq(name_out, group_name) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_PUB_KEY, + &pub_out)) + + || !TEST_BN_eq(pub, pub_out) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_PRIV_KEY, + &priv_out)) + || !TEST_BN_eq(priv, priv_out) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_P, &p)) + || !TEST_BN_eq(&_bignum_ffdhe2048_p, p) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_Q, &q)) + || !TEST_ptr(q) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_G, &g)) + || !TEST_BN_eq(&_bignum_const_2, g) + || !TEST_false(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_COFACTOR, + &j)) + || !TEST_ptr_null(j) + || !TEST_false(EVP_PKEY_get_octet_string_param(pk, + OSSL_PKEY_PARAM_FFC_SEED, + seed_out, + sizeof(seed_out), &len)) + || !TEST_true(EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_FFC_GINDEX, + &gindex)) + || !TEST_int_eq(gindex, -1) + || !TEST_true(EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_FFC_H, &hindex)) + || !TEST_int_eq(hindex, 0) + || !TEST_true(EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_FFC_PCOUNTER, + &pcounter)) + || !TEST_int_eq(pcounter, -1)) + goto err; + + if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) + goto err; + + if (!TEST_true(EVP_PKEY_check(key_ctx)) + || !TEST_true(EVP_PKEY_public_check(key_ctx)) + || !TEST_true(EVP_PKEY_private_check(key_ctx)) + || !TEST_true(EVP_PKEY_pairwise_check(key_ctx))) goto err; if (!TEST_ptr(copy_pk = EVP_PKEY_new()) || !TEST_true(EVP_PKEY_copy_parameters(copy_pk, pk))) goto err; + ret = test_print_key_using_pem("DH", pk) + && test_print_key_using_serializer("DH", pk); +err: + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(j); + BN_free(pub); + BN_free(priv); + BN_free(pub_out); + BN_free(priv_out); + EVP_PKEY_free(copy_pk); + EVP_PKEY_free(pk); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_BLD_free_params(fromdata_params); + OSSL_PARAM_BLD_free(bld); + + return ret; +} + +static int test_fromdata_dh_fips186_4(void) +{ + int ret = 0; + int gindex = 0, pcounter = 0, hindex = 0; + EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; + EVP_PKEY *pk = NULL; + size_t len; + BIGNUM *pub = NULL, *priv = NULL; + BIGNUM *pub_out = NULL, *priv_out = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *j = NULL; + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *fromdata_params = NULL; + char name_out[80]; + unsigned char seed_out[32]; + + /* + * DH key data was generated using the following: + * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text + */ + static const unsigned char priv_data[] = { + 0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d, + 0x38, 0x2a, 0xd0, 0xed, 0x56, 0x4b, 0x47, 0x21, 0x2b, 0xfa, 0x55, 0xfa, + 0x87, 0xe8, 0xa9, 0x7b, + }; + static const unsigned char pub_data[] = { + 0xd6, 0x2d, 0x77, 0xe0, 0xd3, 0x7d, 0xf8, 0xeb, 0x98, 0x50, 0xa1, 0x82, + 0x22, 0x65, 0xd5, 0xd9, 0xfe, 0xc9, 0x3f, 0xbe, 0x16, 0x83, 0xbd, 0x33, + 0xe9, 0xc6, 0x93, 0xcf, 0x08, 0xaf, 0x83, 0xfa, 0x80, 0x8a, 0x6c, 0x64, + 0xdf, 0x70, 0x64, 0xd5, 0x0a, 0x7c, 0x5a, 0x72, 0xda, 0x66, 0xe6, 0xf9, + 0xf5, 0x31, 0x21, 0x92, 0xb0, 0x60, 0x1a, 0xb5, 0xd3, 0xf0, 0xa5, 0xfa, + 0x48, 0x95, 0x2e, 0x38, 0xd9, 0xc5, 0xe6, 0xda, 0xfb, 0x6c, 0x03, 0x9d, + 0x4b, 0x69, 0xb7, 0x95, 0xe4, 0x5c, 0xc0, 0x93, 0x4f, 0x48, 0xd9, 0x7e, + 0x06, 0x22, 0xb2, 0xde, 0xf3, 0x79, 0x24, 0xed, 0xe1, 0xd1, 0x4a, 0x57, + 0xf1, 0x40, 0x86, 0x70, 0x42, 0x25, 0xc5, 0x27, 0x68, 0xc9, 0xfa, 0xe5, + 0x8e, 0x62, 0x7e, 0xff, 0x49, 0x6c, 0x5b, 0xb5, 0xba, 0xf9, 0xef, 0x9a, + 0x1a, 0x10, 0xd4, 0x81, 0x53, 0xcf, 0x83, 0x04, 0x18, 0x1c, 0xe1, 0xdb, + 0xe1, 0x65, 0xa9, 0x7f, 0xe1, 0x33, 0xeb, 0xc3, 0x4f, 0xe3, 0xb7, 0x22, + 0xf7, 0x1c, 0x09, 0x4f, 0xed, 0xc6, 0x07, 0x8e, 0x78, 0x05, 0x8f, 0x7c, + 0x96, 0xd9, 0x12, 0xe0, 0x81, 0x74, 0x1a, 0xe9, 0x13, 0xc0, 0x20, 0x82, + 0x65, 0xbb, 0x42, 0x3b, 0xed, 0x08, 0x6a, 0x84, 0x4f, 0xea, 0x77, 0x14, + 0x32, 0xf9, 0xed, 0xc2, 0x12, 0xd6, 0xc5, 0xc6, 0xb3, 0xe5, 0xf2, 0x6e, + 0xf6, 0x16, 0x7f, 0x37, 0xde, 0xbc, 0x09, 0xc7, 0x06, 0x6b, 0x12, 0xbc, + 0xad, 0x2d, 0x49, 0x25, 0xd5, 0xdc, 0xf4, 0x18, 0x14, 0xd2, 0xf0, 0xf1, + 0x1d, 0x1f, 0x3a, 0xaa, 0x15, 0x55, 0xbb, 0x0d, 0x7f, 0xbe, 0x67, 0xa1, + 0xa7, 0xf0, 0xaa, 0xb3, 0xfb, 0x41, 0x82, 0x39, 0x49, 0x93, 0xbc, 0xa8, + 0xee, 0x72, 0x13, 0x45, 0x65, 0x15, 0x42, 0x17, 0xaa, 0xd8, 0xab, 0xcf, + 0x33, 0x42, 0x83, 0x42 + }; + static const char group_name[] = "ffdhe2048"; + + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_ptr(pub = BN_bin2bn(pub_data, sizeof(pub_data), NULL)) + || !TEST_ptr(priv = BN_bin2bn(priv_data, sizeof(priv_data), NULL)) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_FFC_GROUP, + group_name, 0)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv)) + || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL))) + goto err; + + if (!TEST_true(EVP_PKEY_key_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pk, fromdata_params)) + || !TEST_int_eq(EVP_PKEY_bits(pk), 2048) + || !TEST_int_eq(EVP_PKEY_security_bits(pk), 112) + || !TEST_int_eq(EVP_PKEY_size(pk), 256)) + goto err; + + if (!TEST_true(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_FFC_GROUP, + name_out, sizeof(name_out), + &len)) + || !TEST_str_eq(name_out, group_name) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_PUB_KEY, + &pub_out)) + || !TEST_BN_eq(pub, pub_out) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_PRIV_KEY, + &priv_out)) + || !TEST_BN_eq(priv, priv_out) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_P, &p)) + || !TEST_BN_eq(&_bignum_ffdhe2048_p, p) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_Q, &q)) + || !TEST_ptr(q) + || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_G, &g)) + || !TEST_BN_eq(&_bignum_const_2, g) + || !TEST_false(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_FFC_COFACTOR, + &j)) + || !TEST_ptr_null(j) + || !TEST_false(EVP_PKEY_get_octet_string_param(pk, + OSSL_PKEY_PARAM_FFC_SEED, + seed_out, + sizeof(seed_out), &len)) + || !TEST_true(EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_FFC_GINDEX, + &gindex)) + || !TEST_int_eq(gindex, -1) + || !TEST_true(EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_FFC_H, &hindex)) + || !TEST_int_eq(hindex, 0) + || !TEST_true(EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_FFC_PCOUNTER, + &pcounter)) + || !TEST_int_eq(pcounter, -1)) + goto err; + if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) goto err; - if (!TEST_false(EVP_PKEY_check(key_ctx)) + if (!TEST_true(EVP_PKEY_check(key_ctx)) || !TEST_true(EVP_PKEY_public_check(key_ctx)) - || !TEST_false(EVP_PKEY_private_check(key_ctx)) /* Need a q */ - || !TEST_false(EVP_PKEY_pairwise_check(key_ctx))) + || !TEST_true(EVP_PKEY_private_check(key_ctx)) + || !TEST_true(EVP_PKEY_pairwise_check(key_ctx))) goto err; ret = test_print_key_using_pem("DH", pk) && test_print_key_using_serializer("DH", pk); - err: +err: + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(j); + BN_free(pub); + BN_free(priv); + BN_free(pub_out); + BN_free(priv_out); EVP_PKEY_free(pk); - EVP_PKEY_free(copy_pk); EVP_PKEY_CTX_free(ctx); EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_BLD_free_params(fromdata_params); + OSSL_PARAM_BLD_free(bld); return ret; } + #endif + + #ifndef OPENSSL_NO_EC /* Array indexes used in test_fromdata_ecx */ # define PRIV_KEY 0 @@ -677,7 +887,7 @@ static int test_fromdata_ec(void) int ret = 0; EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *pk = NULL, *copy_pk = NULL; - OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); + OSSL_PARAM_BLD *bld = NULL; BIGNUM *ec_priv_bn = NULL; BIGNUM *bn_priv = NULL; OSSL_PARAM *fromdata_params = NULL; @@ -708,7 +918,7 @@ static int test_fromdata_ec(void) size_t len; - if (!TEST_ptr(bld)) + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())) goto err; if (!TEST_ptr(ec_priv_bn = BN_bin2bn(ec_priv_keydata, sizeof(ec_priv_keydata), NULL))) @@ -1015,7 +1225,8 @@ int setup_tests(void) ADD_TEST(test_evp_pkey_get_bn_param_large); ADD_TEST(test_fromdata_rsa); #ifndef OPENSSL_NO_DH - ADD_TEST(test_fromdata_dh); + ADD_TEST(test_fromdata_dh_fips186_4); + ADD_TEST(test_fromdata_dh_named_group); #endif #ifndef OPENSSL_NO_DSA ADD_TEST(test_fromdata_dsa_fips186_4); diff --git a/test/recipes/15-test_gendh.t b/test/recipes/15-test_gendh.t new file mode 100644 index 0000000000..87ddac96f7 --- /dev/null +++ b/test/recipes/15-test_gendh.t @@ -0,0 +1,83 @@ +#! /usr/bin/env perl +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test::Utils; + +setup("test_gendh"); + +plan skip_all => "This test is unsupported in a no-dh build" if disabled("dh"); + +plan tests => 9; + +ok(run(app([ 'openssl', 'genpkey', '-genparam', + '-algorithm', 'DH', + '-pkeyopt', 'gindex:1', + '-pkeyopt', 'type:fips186_4', + '-text'])), + "genpkey DH params fips186_4 with verifiable g"); + +ok(run(app([ 'openssl', 'genpkey', '-genparam', + '-algorithm', 'DH', + '-pkeyopt', 'type:fips186_4', + '-text'])), + "genpkey DH params fips186_4 with unverifiable g"); + +ok(run(app([ 'openssl', 'genpkey', '-genparam', + '-algorithm', 'DH', + '-pkeyopt', 'type:fips186_2', + '-text'])), + "genpkey DH params fips186_2"); + +ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', + '-pkeyopt', 'type:group', + '-text'])), + "genpkey DH default group"); + +ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', + '-pkeyopt', 'type:group', + '-pkeyopt', 'group:ffdhe2048', + '-text'])), + "genpkey DH group ffdhe2048"); + +ok(run(app([ 'openssl', 'genpkey', '-genparam', + '-algorithm', 'DH', + '-pkeyopt', 'gindex:1', + '-pkeyopt', 'type:fips186_4', + '-out', 'dhgen.pem'])), + "genpkey DH params fips186_4 PEM"); + +ok(run(app([ 'openssl', 'genpkey', '-genparam', + '-algorithm', 'DH', + '-pkeyopt', 'gindex:1', + '-pkeyopt', 'pbits:2048', + '-pkeyopt', 'qbits:256', + '-pkeyopt', 'type:fips186_4', + '-outform', 'DER', + '-out', 'dhgen.der'])), + "genpkey DH params fips186_4 DER"); + +# The seed and counter should be the ones generated from the param generation +# Just put some dummy ones in to show it works. +ok(run(app([ 'openssl', 'genpkey', + '-paramfile', 'dhgen.der', + '-pkeyopt', 'gindex:1', + '-pkeyopt', 'hexseed:0102030405060708090A0B0C0D0E0F1011121314', + '-pkeyopt', 'pcounter:25', + '-text'])), + "genpkey DH fips186_4 with DER params"); + + ok(!run(app([ 'openssl', 'genpkey', + '-algorithm', 'DH'])), + "genpkey DH with no params should fail"); + \ No newline at end of file diff --git a/test/recipes/30-test_evp_pkey_provided/DH.priv.der b/test/recipes/30-test_evp_pkey_provided/DH.priv.der index 0063e62ecdeb08d9bd2d93ca3a5a1750ed09b9b2..d77f50d8c64668963ef3e83217efa4fb52659720 100644 GIT binary patch literal 327 zcmV-N0l5A!f&oJU0RS+90UHJhDuzgg_YDC90Wg9A3<81y0RaF1|NsC0|NpJ{R9K?B zN}8|SRv;%mJn`7M#e>c*HkGO2HbE3*GyBYwoz5hiKKXqw<6~nCb=dZSvI4HeVS3Zw z9@W+TWnm;U^&ejbZqS8eWmP@x8uPVR6JCE;$u*cy3~=D)i+AFtiQ4n;=yDzLSfMtp z=QS{_%1=l-d3wAGv4XQC`(e=tsY|lRTI~z=It#doI{Jbv0 zAO*#a@q>L9gR;i+N+!Xw@A`;qLO5Y4T$lg<|NsC0|NjC30s;a6-~=B69RP@h=b!Fv Z#e8_LV_i5Z(Ct=BM@;Wj}OWHbBBlby~an?Ct{FXLll40YJ{fwBUw#9?~V-yYS~ z{bgY!GxZ-|25!)WV`Wu6?Hcp7R})@;SIIS)PYiJ2=8JdYrit3~@91(J@mQfYt>-l` ztjbSFI(d4$3bBH-B>Q2}2&qf5$m9FDYTCD8*Ys!|PeP;KIZgDgR_*6wa=RG|2dBvH z3T<$n0{r34_u}lpGz85kG%sP1a{ip@g@gZ&PZBcj@_~cH{yQ5?Z>@7Xwfwv;!XO33 zj`4$i7K5_J^GYVcvhVtcYeG0-C|sBS|NsC0|Ns920RjR70N?|H0R{j9f&l>l)-8A7 z(|!2sm{6gDB4yRt{>eYS7K6Pr>Bf`K2(N?sfQoEn-*9Br3Vd2}+GghY^)VrmuwWXs z)9|JGNR=))*~RAC`)mW9OKG>2hV9UnTX6;-