Coverage Report

Created: 2026-02-22 06:11

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/openssl/providers/implementations/exchange/dh_exch.c
Line
Count
Source
1
/*
2
 * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/*
11
 * DH low level APIs are deprecated for public use, but still ok for
12
 * internal use.
13
 */
14
#include "internal/deprecated.h"
15
16
#include <string.h>
17
#include <openssl/crypto.h>
18
#include <openssl/core_dispatch.h>
19
#include <openssl/core_names.h>
20
#include <openssl/dh.h>
21
#include <openssl/err.h>
22
#include <openssl/proverr.h>
23
#include <openssl/params.h>
24
#include "internal/cryptlib.h"
25
#include "internal/fips.h"
26
#include "prov/providercommon.h"
27
#include "prov/implementations.h"
28
#include "prov/provider_ctx.h"
29
#include "prov/securitycheck.h"
30
#include "crypto/dh.h"
31
#include "providers/implementations/exchange/dh_exch.inc"
32
33
static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
34
static OSSL_FUNC_keyexch_init_fn dh_init;
35
static OSSL_FUNC_keyexch_set_peer_fn dh_set_peer;
36
static OSSL_FUNC_keyexch_derive_fn dh_derive;
37
static OSSL_FUNC_keyexch_freectx_fn dh_freectx;
38
static OSSL_FUNC_keyexch_dupctx_fn dh_dupctx;
39
static OSSL_FUNC_keyexch_set_ctx_params_fn dh_set_ctx_params;
40
static OSSL_FUNC_keyexch_settable_ctx_params_fn dh_settable_ctx_params;
41
static OSSL_FUNC_keyexch_get_ctx_params_fn dh_get_ctx_params;
42
static OSSL_FUNC_keyexch_gettable_ctx_params_fn dh_gettable_ctx_params;
43
44
/*
45
 * This type is only really used to handle some legacy related functionality.
46
 * If you need to use other KDF's (such as SSKDF) just use PROV_DH_KDF_NONE
47
 * here and then create and run a KDF after the key is derived.
48
 * Note that X942 has 2 variants of key derivation:
49
 *   (1) DH_KDF_X9_42_ASN1 - which contains an ANS1 encoded object that has
50
 *   the counter embedded in it.
51
 *   (2) DH_KDF_X941_CONCAT - which is the same as ECDH_X963_KDF (which can be
52
 *       done by creating a "X963KDF".
53
 */
54
enum kdf_type {
55
    PROV_DH_KDF_NONE = 0,
56
    PROV_DH_KDF_X9_42_ASN1
57
};
58
59
/*
60
 * What's passed as an actual key is defined by the KEYMGMT interface.
61
 * We happen to know that our KEYMGMT simply passes DH structures, so
62
 * we use that here too.
63
 */
64
65
typedef struct {
66
    OSSL_LIB_CTX *libctx;
67
    DH *dh;
68
    DH *dhpeer;
69
    unsigned int pad : 1;
70
71
    /* DH KDF */
72
    /* KDF (if any) to use for DH */
73
    enum kdf_type kdf_type;
74
    /* Message digest to use for key derivation */
75
    EVP_MD *kdf_md;
76
    /* User key material */
77
    unsigned char *kdf_ukm;
78
    size_t kdf_ukmlen;
79
    /* KDF output length */
80
    size_t kdf_outlen;
81
    char *kdf_cekalg;
82
    OSSL_FIPS_IND_DECLARE
83
} PROV_DH_CTX;
84
85
static void *dh_newctx(void *provctx)
86
0
{
87
0
    PROV_DH_CTX *pdhctx;
88
89
0
    if (!ossl_prov_is_running())
90
0
        return NULL;
91
92
#ifdef FIPS_MODULE
93
    if (!ossl_deferred_self_test(PROV_LIBCTX_OF(provctx),
94
            ST_ID_KA_DH))
95
        return NULL;
96
#endif
97
98
0
    pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
99
0
    if (pdhctx == NULL)
100
0
        return NULL;
101
0
    OSSL_FIPS_IND_INIT(pdhctx)
102
0
    pdhctx->libctx = PROV_LIBCTX_OF(provctx);
103
0
    pdhctx->kdf_type = PROV_DH_KDF_NONE;
104
0
    return pdhctx;
105
0
}
106
107
#ifdef FIPS_MODULE
108
static int dh_check_key(PROV_DH_CTX *ctx)
109
{
110
    int key_approved = ossl_dh_check_key(ctx->dh);
111
112
    if (!key_approved) {
113
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
114
                ctx->libctx, "DH Init", "DH Key",
115
                ossl_fips_config_securitycheck_enabled)) {
116
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
117
            return 0;
118
        }
119
    }
120
    return 1;
121
}
122
123
static int digest_check(PROV_DH_CTX *ctx, const EVP_MD *md)
124
{
125
    return ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND_GET(ctx),
126
        OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
127
        md, "DH Set Ctx");
128
}
129
#endif
130
131
static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
132
0
{
133
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
134
135
0
    if (!ossl_prov_is_running()
136
0
        || pdhctx == NULL
137
0
        || vdh == NULL
138
0
        || !DH_up_ref(vdh))
139
0
        return 0;
140
0
    DH_free(pdhctx->dh);
141
0
    pdhctx->dh = vdh;
142
0
    pdhctx->kdf_type = PROV_DH_KDF_NONE;
143
144
0
    OSSL_FIPS_IND_SET_APPROVED(pdhctx)
145
0
    if (!dh_set_ctx_params(pdhctx, params))
146
0
        return 0;
147
#ifdef FIPS_MODULE
148
    if (!dh_check_key(pdhctx))
149
        return 0;
150
#endif
151
0
    return 1;
152
0
}
153
154
/* The 2 parties must share the same domain parameters */
155
static int dh_match_params(DH *priv, DH *peer)
156
0
{
157
0
    int ret;
158
0
    FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
159
0
    FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
160
161
0
    ret = dhparams_priv != NULL
162
0
        && dhparams_peer != NULL
163
0
        && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
164
0
    if (!ret)
165
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
166
0
    return ret;
167
0
}
168
169
static int dh_set_peer(void *vpdhctx, void *vdh)
170
0
{
171
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
172
173
0
    if (!ossl_prov_is_running()
174
0
        || pdhctx == NULL
175
0
        || vdh == NULL
176
0
        || !dh_match_params(vdh, pdhctx->dh)
177
0
        || !DH_up_ref(vdh))
178
0
        return 0;
179
0
    DH_free(pdhctx->dhpeer);
180
0
    pdhctx->dhpeer = vdh;
181
0
    return 1;
182
0
}
183
184
static int dh_plain_derive(void *vpdhctx,
185
    unsigned char *secret, size_t *secretlen,
186
    size_t outlen, unsigned int pad)
187
0
{
188
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
189
0
    int ret;
190
0
    size_t dhsize;
191
0
    const BIGNUM *pub_key = NULL;
192
193
0
    if (pdhctx->dh == NULL || pdhctx->dhpeer == NULL) {
194
0
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
195
0
        return 0;
196
0
    }
197
198
0
    dhsize = (size_t)DH_size(pdhctx->dh);
199
0
    if (secret == NULL) {
200
0
        *secretlen = dhsize;
201
0
        return 1;
202
0
    }
203
0
    if (outlen < dhsize) {
204
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
205
0
        return 0;
206
0
    }
207
208
0
    DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
209
0
    if (pad)
210
0
        ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
211
0
    else
212
0
        ret = DH_compute_key(secret, pub_key, pdhctx->dh);
213
0
    if (ret <= 0)
214
0
        return 0;
215
216
0
    *secretlen = ret;
217
0
    return 1;
218
0
}
219
220
static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret,
221
    size_t *secretlen, size_t outlen)
222
0
{
223
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
224
0
    unsigned char *stmp = NULL;
225
0
    size_t stmplen;
226
0
    int ret = 0;
227
228
0
    if (secret == NULL) {
229
0
        *secretlen = pdhctx->kdf_outlen;
230
0
        return 1;
231
0
    }
232
233
0
    if (pdhctx->kdf_outlen > outlen) {
234
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
235
0
        return 0;
236
0
    }
237
0
    if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1))
238
0
        return 0;
239
0
    if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
240
0
        return 0;
241
0
    if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1))
242
0
        goto err;
243
244
    /* Do KDF stuff */
245
0
    if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) {
246
0
        if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen,
247
0
                stmp, stmplen,
248
0
                pdhctx->kdf_cekalg,
249
0
                pdhctx->kdf_ukm,
250
0
                pdhctx->kdf_ukmlen,
251
0
                pdhctx->kdf_md,
252
0
                pdhctx->libctx, NULL))
253
0
            goto err;
254
0
    }
255
0
    *secretlen = pdhctx->kdf_outlen;
256
0
    ret = 1;
257
0
err:
258
0
    OPENSSL_secure_clear_free(stmp, stmplen);
259
0
    return ret;
260
0
}
261
262
static int dh_derive(void *vpdhctx, unsigned char *secret,
263
    size_t *psecretlen, size_t outlen)
264
0
{
265
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
266
267
0
    if (!ossl_prov_is_running())
268
0
        return 0;
269
270
0
    switch (pdhctx->kdf_type) {
271
0
    case PROV_DH_KDF_NONE:
272
0
        return dh_plain_derive(pdhctx, secret, psecretlen, outlen,
273
0
            pdhctx->pad);
274
0
    case PROV_DH_KDF_X9_42_ASN1:
275
0
        return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen);
276
0
    default:
277
0
        break;
278
0
    }
279
0
    return 0;
280
0
}
281
282
static void dh_freectx(void *vpdhctx)
283
0
{
284
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
285
286
0
    OPENSSL_free(pdhctx->kdf_cekalg);
287
0
    DH_free(pdhctx->dh);
288
0
    DH_free(pdhctx->dhpeer);
289
0
    EVP_MD_free(pdhctx->kdf_md);
290
0
    OPENSSL_clear_free(pdhctx->kdf_ukm, pdhctx->kdf_ukmlen);
291
292
0
    OPENSSL_free(pdhctx);
293
0
}
294
295
static void *dh_dupctx(void *vpdhctx)
296
0
{
297
0
    PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
298
0
    PROV_DH_CTX *dstctx;
299
300
0
    if (!ossl_prov_is_running())
301
0
        return NULL;
302
303
0
    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
304
0
    if (dstctx == NULL)
305
0
        return NULL;
306
307
0
    *dstctx = *srcctx;
308
0
    dstctx->dh = NULL;
309
0
    dstctx->dhpeer = NULL;
310
0
    dstctx->kdf_md = NULL;
311
0
    dstctx->kdf_ukm = NULL;
312
0
    dstctx->kdf_cekalg = NULL;
313
314
0
    if (srcctx->dh != NULL && !DH_up_ref(srcctx->dh))
315
0
        goto err;
316
0
    else
317
0
        dstctx->dh = srcctx->dh;
318
319
0
    if (srcctx->dhpeer != NULL && !DH_up_ref(srcctx->dhpeer))
320
0
        goto err;
321
0
    else
322
0
        dstctx->dhpeer = srcctx->dhpeer;
323
324
0
    if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
325
0
        goto err;
326
0
    else
327
0
        dstctx->kdf_md = srcctx->kdf_md;
328
329
    /* Duplicate UKM data if present */
330
0
    if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
331
0
        dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
332
0
            srcctx->kdf_ukmlen);
333
0
        if (dstctx->kdf_ukm == NULL)
334
0
            goto err;
335
0
    }
336
337
0
    if (srcctx->kdf_cekalg != NULL) {
338
0
        dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg);
339
0
        if (dstctx->kdf_cekalg == NULL)
340
0
            goto err;
341
0
    }
342
343
0
    return dstctx;
344
0
err:
345
0
    dh_freectx(dstctx);
346
0
    return NULL;
347
0
}
348
349
static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
350
0
{
351
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
352
0
    struct dh_set_ctx_params_st p;
353
0
    unsigned int pad;
354
0
    char name[80] = { '\0' }; /* should be big enough */
355
0
    char *str = NULL;
356
357
0
    if (pdhctx == NULL || !dh_set_ctx_params_decoder(params, &p))
358
0
        return 0;
359
360
0
    if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(pdhctx, OSSL_FIPS_IND_SETTABLE0, p.ind_k))
361
0
        return 0;
362
0
    if (!OSSL_FIPS_IND_SET_CTX_FROM_PARAM(pdhctx, OSSL_FIPS_IND_SETTABLE1, p.ind_d))
363
0
        return 0;
364
365
0
    if (p.kdf != NULL) {
366
0
        str = name;
367
0
        if (!OSSL_PARAM_get_utf8_string(p.kdf, &str, sizeof(name)))
368
0
            return 0;
369
370
0
        if (name[0] == '\0')
371
0
            pdhctx->kdf_type = PROV_DH_KDF_NONE;
372
0
        else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
373
0
            pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
374
0
        else
375
0
            return 0;
376
0
    }
377
378
0
    if (p.digest != NULL) {
379
0
        char mdprops[80] = { '\0' }; /* should be big enough */
380
381
0
        str = name;
382
0
        if (!OSSL_PARAM_get_utf8_string(p.digest, &str, sizeof(name)))
383
0
            return 0;
384
385
0
        str = mdprops;
386
0
        if (p.propq != NULL) {
387
0
            if (!OSSL_PARAM_get_utf8_string(p.propq, &str, sizeof(mdprops)))
388
0
                return 0;
389
0
        }
390
391
0
        EVP_MD_free(pdhctx->kdf_md);
392
0
        pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
393
0
        if (pdhctx->kdf_md == NULL)
394
0
            return 0;
395
        /* XOF digests are not allowed */
396
0
        if (EVP_MD_xof(pdhctx->kdf_md)) {
397
0
            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
398
0
            return 0;
399
0
        }
400
#ifdef FIPS_MODULE
401
        if (!digest_check(pdhctx, pdhctx->kdf_md)) {
402
            EVP_MD_free(pdhctx->kdf_md);
403
            pdhctx->kdf_md = NULL;
404
            return 0;
405
        }
406
#endif
407
0
    }
408
409
0
    if (p.len != NULL) {
410
0
        size_t outlen;
411
412
0
        if (!OSSL_PARAM_get_size_t(p.len, &outlen))
413
0
            return 0;
414
0
        pdhctx->kdf_outlen = outlen;
415
0
    }
416
417
0
    if (p.ukm != NULL) {
418
0
        void *tmp_ukm = NULL;
419
0
        size_t tmp_ukmlen;
420
421
0
        OPENSSL_free(pdhctx->kdf_ukm);
422
0
        pdhctx->kdf_ukm = NULL;
423
0
        pdhctx->kdf_ukmlen = 0;
424
        /* ukm is an optional field so it can be NULL */
425
0
        if (p.ukm->data != NULL && p.ukm->data_size != 0) {
426
0
            if (!OSSL_PARAM_get_octet_string(p.ukm, &tmp_ukm, 0, &tmp_ukmlen))
427
0
                return 0;
428
0
            pdhctx->kdf_ukm = tmp_ukm;
429
0
            pdhctx->kdf_ukmlen = tmp_ukmlen;
430
0
        }
431
0
    }
432
433
0
    if (p.pad != NULL) {
434
0
        if (!OSSL_PARAM_get_uint(p.pad, &pad))
435
0
            return 0;
436
0
        pdhctx->pad = pad ? 1 : 0;
437
0
    }
438
439
0
    if (p.cekalg != NULL) {
440
0
        str = name;
441
442
0
        OPENSSL_free(pdhctx->kdf_cekalg);
443
0
        pdhctx->kdf_cekalg = NULL;
444
0
        if (p.cekalg->data != NULL && p.cekalg->data_size != 0) {
445
0
            if (!OSSL_PARAM_get_utf8_string(p.cekalg, &str, sizeof(name)))
446
0
                return 0;
447
0
            pdhctx->kdf_cekalg = OPENSSL_strdup(name);
448
0
            if (pdhctx->kdf_cekalg == NULL)
449
0
                return 0;
450
0
        }
451
0
    }
452
0
    return 1;
453
0
}
454
455
static const OSSL_PARAM *dh_settable_ctx_params(ossl_unused void *vpdhctx,
456
    ossl_unused void *provctx)
457
0
{
458
0
    return dh_set_ctx_params_list;
459
0
}
460
461
static const OSSL_PARAM *dh_gettable_ctx_params(ossl_unused void *vpdhctx,
462
    ossl_unused void *provctx)
463
0
{
464
0
    return dh_get_ctx_params_list;
465
0
}
466
467
static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
468
0
{
469
0
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
470
0
    struct dh_get_ctx_params_st p;
471
472
0
    if (pdhctx == NULL || !dh_get_ctx_params_decoder(params, &p))
473
0
        return 0;
474
475
0
    if (p.kdf != NULL) {
476
0
        const char *kdf_type = NULL;
477
478
0
        switch (pdhctx->kdf_type) {
479
0
        case PROV_DH_KDF_NONE:
480
0
            kdf_type = "";
481
0
            break;
482
0
        case PROV_DH_KDF_X9_42_ASN1:
483
0
            kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
484
0
            break;
485
0
        default:
486
0
            return 0;
487
0
        }
488
489
0
        if (!OSSL_PARAM_set_utf8_string(p.kdf, kdf_type))
490
0
            return 0;
491
0
    }
492
493
0
    if (p.digest != NULL
494
0
        && !OSSL_PARAM_set_utf8_string(p.digest, pdhctx->kdf_md == NULL ? "" : EVP_MD_get0_name(pdhctx->kdf_md))) {
495
0
        return 0;
496
0
    }
497
498
0
    if (p.len != NULL && !OSSL_PARAM_set_size_t(p.len, pdhctx->kdf_outlen))
499
0
        return 0;
500
501
0
    if (p.ukm != NULL
502
0
        && !OSSL_PARAM_set_octet_ptr(p.ukm, pdhctx->kdf_ukm, pdhctx->kdf_ukmlen))
503
0
        return 0;
504
505
0
    if (p.cekalg != NULL
506
0
        && !OSSL_PARAM_set_utf8_string(p.cekalg, pdhctx->kdf_cekalg == NULL ? "" : pdhctx->kdf_cekalg))
507
0
        return 0;
508
509
0
    if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(pdhctx, p.ind))
510
0
        return 0;
511
0
    return 1;
512
0
}
513
514
const OSSL_DISPATCH ossl_dh_keyexch_functions[] = {
515
    { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))dh_newctx },
516
    { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))dh_init },
517
    { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))dh_derive },
518
    { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))dh_set_peer },
519
    { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))dh_freectx },
520
    { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))dh_dupctx },
521
    { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))dh_set_ctx_params },
522
    { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
523
        (void (*)(void))dh_settable_ctx_params },
524
    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))dh_get_ctx_params },
525
    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
526
        (void (*)(void))dh_gettable_ctx_params },
527
    OSSL_DISPATCH_END
528
};