/src/openssl/providers/implementations/exchange/dh_exch.c

Source (jump to first uncovered line)
/*
 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * DH low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h>
#include <openssl/crypto.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/params.h>
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "crypto/dh.h"

static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
static OSSL_FUNC_keyexch_init_fn dh_init;
static OSSL_FUNC_keyexch_set_peer_fn dh_set_peer;
static OSSL_FUNC_keyexch_derive_fn dh_derive;
static OSSL_FUNC_keyexch_freectx_fn dh_freectx;
static OSSL_FUNC_keyexch_dupctx_fn dh_dupctx;
static OSSL_FUNC_keyexch_set_ctx_params_fn dh_set_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn dh_settable_ctx_params;
static OSSL_FUNC_keyexch_get_ctx_params_fn dh_get_ctx_params;
static OSSL_FUNC_keyexch_gettable_ctx_params_fn dh_gettable_ctx_params;

/*
 * This type is only really used to handle some legacy related functionality.
 * If you need to use other KDF's (such as SSKDF) just use PROV_DH_KDF_NONE
 * here and then create and run a KDF after the key is derived.
 * Note that X942 has 2 variants of key derivation:
 *   (1) DH_KDF_X9_42_ASN1 - which contains an ANS1 encoded object that has
 *   the counter embedded in it.
 *   (2) DH_KDF_X941_CONCAT - which is the same as ECDH_X963_KDF (which can be
 *       done by creating a "X963KDF".
 */
enum kdf_type {
    PROV_DH_KDF_NONE = 0,
    PROV_DH_KDF_X9_42_ASN1
};

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes DH structures, so
 * we use that here too.
 */

typedef struct {
    OSSL_LIB_CTX *libctx;
    DH *dh;
    DH *dhpeer;
    unsigned int pad : 1;

    /* DH KDF */
    /* KDF (if any) to use for DH */
    enum kdf_type kdf_type;
    /* Message digest to use for key derivation */
    EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
    char *kdf_cekalg;
    OSSL_FIPS_IND_DECLARE
} PROV_DH_CTX;

static void *dh_newctx(void *provctx)
{
    PROV_DH_CTX *pdhctx;

    if (!ossl_prov_is_running())
        return NULL;

    pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
    if (pdhctx == NULL)
        return NULL;
    OSSL_FIPS_IND_INIT(pdhctx)
    pdhctx->libctx = PROV_LIBCTX_OF(provctx);
    pdhctx->kdf_type = PROV_DH_KDF_NONE;
    return pdhctx;
}

#ifdef FIPS_MODULE
static int dh_check_key(PROV_DH_CTX *ctx)
{
    int key_approved = ossl_dh_check_key(ctx->dh);

    if (!key_approved) {
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                         ctx->libctx, "DH Init", "DH Key",
                                         ossl_securitycheck_enabled)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
    }
    return 1;
}

static int digest_check(PROV_DH_CTX *ctx, const EVP_MD *md)
{
    return ossl_fips_ind_digest_check(OSSL_FIPS_IND_GET(ctx),
                                      OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
                                      md, "DH Set Ctx");
}
#endif

static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    if (!ossl_prov_is_running()
            || pdhctx == NULL
            || vdh == NULL
            || !DH_up_ref(vdh))
        return 0;
    DH_free(pdhctx->dh);
    pdhctx->dh = vdh;
    pdhctx->kdf_type = PROV_DH_KDF_NONE;

    OSSL_FIPS_IND_SET_APPROVED(pdhctx)
    if (!dh_set_ctx_params(pdhctx, params))
        return 0;
#ifdef FIPS_MODULE
    if (!dh_check_key(pdhctx))
        return 0;
#endif
    return 1;
}

/* The 2 parties must share the same domain parameters */
static int dh_match_params(DH *priv, DH *peer)
{
    int ret;
    FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
    FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);

    ret = dhparams_priv != NULL
          && dhparams_peer != NULL
          && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
    if (!ret)
        ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
    return ret;
}

static int dh_set_peer(void *vpdhctx, void *vdh)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    if (!ossl_prov_is_running()
            || pdhctx == NULL
            || vdh == NULL
            || !dh_match_params(vdh, pdhctx->dh)
            || !DH_up_ref(vdh))
        return 0;
    DH_free(pdhctx->dhpeer);
    pdhctx->dhpeer = vdh;
    return 1;
}

static int dh_plain_derive(void *vpdhctx,
                           unsigned char *secret, size_t *secretlen,
                           size_t outlen, unsigned int pad)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    int ret;
    size_t dhsize;
    const BIGNUM *pub_key = NULL;

    if (pdhctx->dh == NULL || pdhctx->dhpeer == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
        return 0;
    }

    dhsize = (size_t)DH_size(pdhctx->dh);
    if (secret == NULL) {
        *secretlen = dhsize;
        return 1;
    }
    if (outlen < dhsize) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
    if (pad)
        ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
    else
        ret = DH_compute_key(secret, pub_key, pdhctx->dh);
    if (ret <= 0)
        return 0;

    *secretlen = ret;
    return 1;
}

static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret,
                               size_t *secretlen, size_t outlen)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    unsigned char *stmp = NULL;
    size_t stmplen;
    int ret = 0;

    if (secret == NULL) {
        *secretlen = pdhctx->kdf_outlen;
        return 1;
    }

    if (pdhctx->kdf_outlen > outlen) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1))
        return 0;
    if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
        return 0;
    if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1))
        goto err;

    /* Do KDF stuff */
    if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) {
        if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen,
                                    stmp, stmplen,
                                    pdhctx->kdf_cekalg,
                                    pdhctx->kdf_ukm,
                                    pdhctx->kdf_ukmlen,
                                    pdhctx->kdf_md,
                                    pdhctx->libctx, NULL))
            goto err;
    }
    *secretlen = pdhctx->kdf_outlen;
    ret = 1;
err:
    OPENSSL_secure_clear_free(stmp, stmplen);
    return ret;
}

static int dh_derive(void *vpdhctx, unsigned char *secret,
                     size_t *psecretlen, size_t outlen)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    if (!ossl_prov_is_running())
        return 0;

    switch (pdhctx->kdf_type) {
        case PROV_DH_KDF_NONE:
            return dh_plain_derive(pdhctx, secret, psecretlen, outlen,
                                   pdhctx->pad);
        case PROV_DH_KDF_X9_42_ASN1:
            return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen);
        default:
            break;
    }
    return 0;
}

static void dh_freectx(void *vpdhctx)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    OPENSSL_free(pdhctx->kdf_cekalg);
    DH_free(pdhctx->dh);
    DH_free(pdhctx->dhpeer);
    EVP_MD_free(pdhctx->kdf_md);
    OPENSSL_clear_free(pdhctx->kdf_ukm, pdhctx->kdf_ukmlen);

    OPENSSL_free(pdhctx);
}

static void *dh_dupctx(void *vpdhctx)
{
    PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
    PROV_DH_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->dh = NULL;
    dstctx->dhpeer = NULL;
    dstctx->kdf_md = NULL;
    dstctx->kdf_ukm = NULL;
    dstctx->kdf_cekalg = NULL;

    if (srcctx->dh != NULL && !DH_up_ref(srcctx->dh))
        goto err;
    else
        dstctx->dh = srcctx->dh;

    if (srcctx->dhpeer != NULL && !DH_up_ref(srcctx->dhpeer))
        goto err;
    else
        dstctx->dhpeer = srcctx->dhpeer;

    if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
        goto err;
    else
        dstctx->kdf_md = srcctx->kdf_md;

    /* Duplicate UKM data if present */
    if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
        dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
                                         srcctx->kdf_ukmlen);
        if (dstctx->kdf_ukm == NULL)
            goto err;
    }

    if (srcctx->kdf_cekalg != NULL) {
        dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg);
        if (dstctx->kdf_cekalg == NULL)
            goto err;
    }

    return dstctx;
err:
    dh_freectx(dstctx);
    return NULL;
}

static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    const OSSL_PARAM *p;
    unsigned int pad;
    char name[80] = { '\0' }; /* should be big enough */
    char *str = NULL;

    if (pdhctx == NULL)
        return 0;
    if (params == NULL)
        return 1;

    if (!OSSL_FIPS_IND_SET_CTX_PARAM(pdhctx, OSSL_FIPS_IND_SETTABLE0, params,
                                     OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK))
        return  0;
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(pdhctx, OSSL_FIPS_IND_SETTABLE1, params,
                                     OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK))
        return  0;

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
    if (p != NULL) {
        str = name;
        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
            return 0;

        if (name[0] == '\0')
            pdhctx->kdf_type = PROV_DH_KDF_NONE;
        else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
            pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
        else
            return 0;
    }
    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
    if (p != NULL) {
        char mdprops[80] = { '\0' }; /* should be big enough */

        str = name;
        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
            return 0;

        str = mdprops;
        p = OSSL_PARAM_locate_const(params,
                                    OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);

        if (p != NULL) {
            if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
                return 0;
        }

        EVP_MD_free(pdhctx->kdf_md);
        pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
        if (pdhctx->kdf_md == NULL)
            return 0;
#ifdef FIPS_MODULE
        if (!digest_check(pdhctx, pdhctx->kdf_md)) {
            EVP_MD_free(pdhctx->kdf_md);
            pdhctx->kdf_md = NULL;
            return 0;
        }
#endif
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
    if (p != NULL) {
        size_t outlen;

        if (!OSSL_PARAM_get_size_t(p, &outlen))
            return 0;
        pdhctx->kdf_outlen = outlen;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
    if (p != NULL) {
        void *tmp_ukm = NULL;
        size_t tmp_ukmlen;

        OPENSSL_free(pdhctx->kdf_ukm);
        pdhctx->kdf_ukm = NULL;
        pdhctx->kdf_ukmlen = 0;
        /* ukm is an optional field so it can be NULL */
        if (p->data != NULL && p->data_size != 0) {
            if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
                return 0;
            pdhctx->kdf_ukm = tmp_ukm;
            pdhctx->kdf_ukmlen = tmp_ukmlen;
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD);
    if (p != NULL) {
        if (!OSSL_PARAM_get_uint(p, &pad))
            return 0;
        pdhctx->pad = pad ? 1 : 0;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
    if (p != NULL) {
        str = name;

        OPENSSL_free(pdhctx->kdf_cekalg);
        pdhctx->kdf_cekalg = NULL;
        if (p->data != NULL && p->data_size != 0) {
            if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
                return 0;
            pdhctx->kdf_cekalg = OPENSSL_strdup(name);
            if (pdhctx->kdf_cekalg == NULL)
                return 0;
        }
    }
    return 1;
}

static const OSSL_PARAM known_settable_ctx_params[] = {
    OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_PAD, NULL),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
    OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK)
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK)
    OSSL_PARAM_END
};

static const OSSL_PARAM *dh_settable_ctx_params(ossl_unused void *vpdhctx,
                                                ossl_unused void *provctx)
{
    return known_settable_ctx_params;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
    OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
                    NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
    OSSL_PARAM_END
};

static const OSSL_PARAM *dh_gettable_ctx_params(ossl_unused void *vpdhctx,
                                                ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    OSSL_PARAM *p;

    if (pdhctx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
    if (p != NULL) {
        const char *kdf_type = NULL;

        switch (pdhctx->kdf_type) {
            case PROV_DH_KDF_NONE:
                kdf_type = "";
                break;
            case PROV_DH_KDF_X9_42_ASN1:
                kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
                break;
            default:
                return 0;
        }

        if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
            return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
    if (p != NULL
            && !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_md == NULL
                                           ? ""
                                           : EVP_MD_get0_name(pdhctx->kdf_md))) {
        return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, pdhctx->kdf_outlen))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
    if (p != NULL
        && !OSSL_PARAM_set_octet_ptr(p, pdhctx->kdf_ukm, pdhctx->kdf_ukmlen))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_CEK_ALG);
    if (p != NULL
            && !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_cekalg == NULL
                                           ? "" :  pdhctx->kdf_cekalg))
        return 0;
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(pdhctx, params))
        return 0;
    return 1;
}

const OSSL_DISPATCH ossl_dh_keyexch_functions[] = {
    { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))dh_newctx },
    { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))dh_init },
    { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))dh_derive },
    { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))dh_set_peer },
    { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))dh_freectx },
    { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))dh_dupctx },
    { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))dh_set_ctx_params },
    { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
      (void (*)(void))dh_settable_ctx_params },
    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))dh_get_ctx_params },
    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
      (void (*)(void))dh_gettable_ctx_params },
    OSSL_DISPATCH_END
};

Coverage Report

Created: 2024-07-27 06:37

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* DH low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <string.h>
17		#include <openssl/crypto.h>
18		#include <openssl/core_dispatch.h>
19		#include <openssl/core_names.h>
20		#include <openssl/dh.h>
21		#include <openssl/err.h>
22		#include <openssl/proverr.h>
23		#include <openssl/params.h>
24		#include "prov/providercommon.h"
25		#include "prov/implementations.h"
26		#include "prov/provider_ctx.h"
27		#include "prov/securitycheck.h"
28		#include "prov/fipsindicator.h"
29		#include "crypto/dh.h"
30
31		static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
32		static OSSL_FUNC_keyexch_init_fn dh_init;
33		static OSSL_FUNC_keyexch_set_peer_fn dh_set_peer;
34		static OSSL_FUNC_keyexch_derive_fn dh_derive;
35		static OSSL_FUNC_keyexch_freectx_fn dh_freectx;
36		static OSSL_FUNC_keyexch_dupctx_fn dh_dupctx;
37		static OSSL_FUNC_keyexch_set_ctx_params_fn dh_set_ctx_params;
38		static OSSL_FUNC_keyexch_settable_ctx_params_fn dh_settable_ctx_params;
39		static OSSL_FUNC_keyexch_get_ctx_params_fn dh_get_ctx_params;
40		static OSSL_FUNC_keyexch_gettable_ctx_params_fn dh_gettable_ctx_params;
41
42		/*
43		* This type is only really used to handle some legacy related functionality.
44		* If you need to use other KDF's (such as SSKDF) just use PROV_DH_KDF_NONE
45		* here and then create and run a KDF after the key is derived.
46		* Note that X942 has 2 variants of key derivation:
47		* (1) DH_KDF_X9_42_ASN1 - which contains an ANS1 encoded object that has
48		* the counter embedded in it.
49		* (2) DH_KDF_X941_CONCAT - which is the same as ECDH_X963_KDF (which can be
50		* done by creating a "X963KDF".
51		*/
52		enum kdf_type {
53		PROV_DH_KDF_NONE = 0,
54		PROV_DH_KDF_X9_42_ASN1
55		};
56
57		/*
58		* What's passed as an actual key is defined by the KEYMGMT interface.
59		* We happen to know that our KEYMGMT simply passes DH structures, so
60		* we use that here too.
61		*/
62
63		typedef struct {
64		OSSL_LIB_CTX *libctx;
65		DH *dh;
66		DH *dhpeer;
67		unsigned int pad : 1;
68
69		/* DH KDF */
70		/* KDF (if any) to use for DH */
71		enum kdf_type kdf_type;
72		/* Message digest to use for key derivation */
73		EVP_MD *kdf_md;
74		/* User key material */
75		unsigned char *kdf_ukm;
76		size_t kdf_ukmlen;
77		/* KDF output length */
78		size_t kdf_outlen;
79		char *kdf_cekalg;
80		OSSL_FIPS_IND_DECLARE
81		} PROV_DH_CTX;
82
83		static void dh_newctx(void provctx)
84	0	{
85	0	PROV_DH_CTX *pdhctx;
86
87	0	if (!ossl_prov_is_running())
88	0	return NULL;
89
90	0	pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
91	0	if (pdhctx == NULL)
92	0	return NULL;
93	0	OSSL_FIPS_IND_INIT(pdhctx)
94	0	pdhctx->libctx = PROV_LIBCTX_OF(provctx);
95	0	pdhctx->kdf_type = PROV_DH_KDF_NONE;
96	0	return pdhctx;
97	0	}
98
99		#ifdef FIPS_MODULE
100		static int dh_check_key(PROV_DH_CTX *ctx)
101		{
102		int key_approved = ossl_dh_check_key(ctx->dh);
103
104		if (!key_approved) {
105		if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
106		ctx->libctx, "DH Init", "DH Key",
107		ossl_securitycheck_enabled)) {
108		ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
109		return 0;
110		}
111		}
112		return 1;
113		}
114
115		static int digest_check(PROV_DH_CTX ctx, const EVP_MD md)
116		{
117		return ossl_fips_ind_digest_check(OSSL_FIPS_IND_GET(ctx),
118		OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
119		md, "DH Set Ctx");
120		}
121		#endif
122
123		static int dh_init(void vpdhctx, void vdh, const OSSL_PARAM params[])
124	0	{
125	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
126
127	0	if (!ossl_prov_is_running()
128	0	\|\| pdhctx == NULL
129	0	\|\| vdh == NULL
130	0	\|\| !DH_up_ref(vdh))
131	0	return 0;
132	0	DH_free(pdhctx->dh);
133	0	pdhctx->dh = vdh;
134	0	pdhctx->kdf_type = PROV_DH_KDF_NONE;
135
136	0	OSSL_FIPS_IND_SET_APPROVED(pdhctx)
137	0	if (!dh_set_ctx_params(pdhctx, params))
138	0	return 0;
139		#ifdef FIPS_MODULE
140		if (!dh_check_key(pdhctx))
141		return 0;
142		#endif
143	0	return 1;
144	0	}
145
146		/* The 2 parties must share the same domain parameters */
147		static int dh_match_params(DH priv, DH peer)
148	0	{
149	0	int ret;
150	0	FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
151	0	FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
152
153	0	ret = dhparams_priv != NULL
154	0	&& dhparams_peer != NULL
155	0	&& ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
156	0	if (!ret)
157	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
158	0	return ret;
159	0	}
160
161		static int dh_set_peer(void vpdhctx, void vdh)
162	0	{
163	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
164
165	0	if (!ossl_prov_is_running()
166	0	\|\| pdhctx == NULL
167	0	\|\| vdh == NULL
168	0	\|\| !dh_match_params(vdh, pdhctx->dh)
169	0	\|\| !DH_up_ref(vdh))
170	0	return 0;
171	0	DH_free(pdhctx->dhpeer);
172	0	pdhctx->dhpeer = vdh;
173	0	return 1;
174	0	}
175
176		static int dh_plain_derive(void *vpdhctx,
177		unsigned char secret, size_t secretlen,
178		size_t outlen, unsigned int pad)
179	0	{
180	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
181	0	int ret;
182	0	size_t dhsize;
183	0	const BIGNUM *pub_key = NULL;
184
185	0	if (pdhctx->dh == NULL \|\| pdhctx->dhpeer == NULL) {
186	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
187	0	return 0;
188	0	}
189
190	0	dhsize = (size_t)DH_size(pdhctx->dh);
191	0	if (secret == NULL) {
192	0	*secretlen = dhsize;
193	0	return 1;
194	0	}
195	0	if (outlen < dhsize) {
196	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
197	0	return 0;
198	0	}
199
200	0	DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
201	0	if (pad)
202	0	ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
203	0	else
204	0	ret = DH_compute_key(secret, pub_key, pdhctx->dh);
205	0	if (ret <= 0)
206	0	return 0;
207
208	0	*secretlen = ret;
209	0	return 1;
210	0	}
211
212		static int dh_X9_42_kdf_derive(void vpdhctx, unsigned char secret,
213		size_t *secretlen, size_t outlen)
214	0	{
215	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
216	0	unsigned char *stmp = NULL;
217	0	size_t stmplen;
218	0	int ret = 0;
219
220	0	if (secret == NULL) {
221	0	*secretlen = pdhctx->kdf_outlen;
222	0	return 1;
223	0	}
224
225	0	if (pdhctx->kdf_outlen > outlen) {
226	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
227	0	return 0;
228	0	}
229	0	if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1))
230	0	return 0;
231	0	if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL)
232	0	return 0;
233	0	if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1))
234	0	goto err;
235
236		/* Do KDF stuff */
237	0	if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) {
238	0	if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen,
239	0	stmp, stmplen,
240	0	pdhctx->kdf_cekalg,
241	0	pdhctx->kdf_ukm,
242	0	pdhctx->kdf_ukmlen,
243	0	pdhctx->kdf_md,
244	0	pdhctx->libctx, NULL))
245	0	goto err;
246	0	}
247	0	*secretlen = pdhctx->kdf_outlen;
248	0	ret = 1;
249	0	err:
250	0	OPENSSL_secure_clear_free(stmp, stmplen);
251	0	return ret;
252	0	}
253
254		static int dh_derive(void vpdhctx, unsigned char secret,
255		size_t *psecretlen, size_t outlen)
256	0	{
257	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
258
259	0	if (!ossl_prov_is_running())
260	0	return 0;
261
262	0	switch (pdhctx->kdf_type) {
263	0	case PROV_DH_KDF_NONE:
264	0	return dh_plain_derive(pdhctx, secret, psecretlen, outlen,
265	0	pdhctx->pad);
266	0	case PROV_DH_KDF_X9_42_ASN1:
267	0	return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen);
268	0	default:
269	0	break;
270	0	}
271	0	return 0;
272	0	}
273
274		static void dh_freectx(void *vpdhctx)
275	0	{
276	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
277
278	0	OPENSSL_free(pdhctx->kdf_cekalg);
279	0	DH_free(pdhctx->dh);
280	0	DH_free(pdhctx->dhpeer);
281	0	EVP_MD_free(pdhctx->kdf_md);
282	0	OPENSSL_clear_free(pdhctx->kdf_ukm, pdhctx->kdf_ukmlen);
283
284	0	OPENSSL_free(pdhctx);
285	0	}
286
287		static void dh_dupctx(void vpdhctx)
288	0	{
289	0	PROV_DH_CTX srcctx = (PROV_DH_CTX )vpdhctx;
290	0	PROV_DH_CTX *dstctx;
291
292	0	if (!ossl_prov_is_running())
293	0	return NULL;
294
295	0	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
296	0	if (dstctx == NULL)
297	0	return NULL;
298
299	0	dstctx = srcctx;
300	0	dstctx->dh = NULL;
301	0	dstctx->dhpeer = NULL;
302	0	dstctx->kdf_md = NULL;
303	0	dstctx->kdf_ukm = NULL;
304	0	dstctx->kdf_cekalg = NULL;
305
306	0	if (srcctx->dh != NULL && !DH_up_ref(srcctx->dh))
307	0	goto err;
308	0	else
309	0	dstctx->dh = srcctx->dh;
310
311	0	if (srcctx->dhpeer != NULL && !DH_up_ref(srcctx->dhpeer))
312	0	goto err;
313	0	else
314	0	dstctx->dhpeer = srcctx->dhpeer;
315
316	0	if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
317	0	goto err;
318	0	else
319	0	dstctx->kdf_md = srcctx->kdf_md;
320
321		/* Duplicate UKM data if present */
322	0	if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
323	0	dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
324	0	srcctx->kdf_ukmlen);
325	0	if (dstctx->kdf_ukm == NULL)
326	0	goto err;
327	0	}
328
329	0	if (srcctx->kdf_cekalg != NULL) {
330	0	dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg);
331	0	if (dstctx->kdf_cekalg == NULL)
332	0	goto err;
333	0	}
334
335	0	return dstctx;
336	0	err:
337	0	dh_freectx(dstctx);
338	0	return NULL;
339	0	}
340
341		static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
342	0	{
343	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
344	0	const OSSL_PARAM *p;
345	0	unsigned int pad;
346	0	char name[80] = { '\0' }; /* should be big enough */
347	0	char *str = NULL;
348
349	0	if (pdhctx == NULL)
350	0	return 0;
351	0	if (params == NULL)
352	0	return 1;
353
354	0	if (!OSSL_FIPS_IND_SET_CTX_PARAM(pdhctx, OSSL_FIPS_IND_SETTABLE0, params,
355	0	OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK))
356	0	return 0;
357	0	if (!OSSL_FIPS_IND_SET_CTX_PARAM(pdhctx, OSSL_FIPS_IND_SETTABLE1, params,
358	0	OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK))
359	0	return 0;
360
361	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
362	0	if (p != NULL) {
363	0	str = name;
364	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
365	0	return 0;
366
367	0	if (name[0] == '\0')
368	0	pdhctx->kdf_type = PROV_DH_KDF_NONE;
369	0	else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
370	0	pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
371	0	else
372	0	return 0;
373	0	}
374	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
375	0	if (p != NULL) {
376	0	char mdprops[80] = { '\0' }; /* should be big enough */
377
378	0	str = name;
379	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
380	0	return 0;
381
382	0	str = mdprops;
383	0	p = OSSL_PARAM_locate_const(params,
384	0	OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);
385
386	0	if (p != NULL) {
387	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
388	0	return 0;
389	0	}
390
391	0	EVP_MD_free(pdhctx->kdf_md);
392	0	pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
393	0	if (pdhctx->kdf_md == NULL)
394	0	return 0;
395		#ifdef FIPS_MODULE
396		if (!digest_check(pdhctx, pdhctx->kdf_md)) {
397		EVP_MD_free(pdhctx->kdf_md);
398		pdhctx->kdf_md = NULL;
399		return 0;
400		}
401		#endif
402	0	}
403
404	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
405	0	if (p != NULL) {
406	0	size_t outlen;
407
408	0	if (!OSSL_PARAM_get_size_t(p, &outlen))
409	0	return 0;
410	0	pdhctx->kdf_outlen = outlen;
411	0	}
412
413	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
414	0	if (p != NULL) {
415	0	void *tmp_ukm = NULL;
416	0	size_t tmp_ukmlen;
417
418	0	OPENSSL_free(pdhctx->kdf_ukm);
419	0	pdhctx->kdf_ukm = NULL;
420	0	pdhctx->kdf_ukmlen = 0;
421		/* ukm is an optional field so it can be NULL */
422	0	if (p->data != NULL && p->data_size != 0) {
423	0	if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
424	0	return 0;
425	0	pdhctx->kdf_ukm = tmp_ukm;
426	0	pdhctx->kdf_ukmlen = tmp_ukmlen;
427	0	}
428	0	}
429
430	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD);
431	0	if (p != NULL) {
432	0	if (!OSSL_PARAM_get_uint(p, &pad))
433	0	return 0;
434	0	pdhctx->pad = pad ? 1 : 0;
435	0	}
436
437	0	p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
438	0	if (p != NULL) {
439	0	str = name;
440
441	0	OPENSSL_free(pdhctx->kdf_cekalg);
442	0	pdhctx->kdf_cekalg = NULL;
443	0	if (p->data != NULL && p->data_size != 0) {
444	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
445	0	return 0;
446	0	pdhctx->kdf_cekalg = OPENSSL_strdup(name);
447	0	if (pdhctx->kdf_cekalg == NULL)
448	0	return 0;
449	0	}
450	0	}
451	0	return 1;
452	0	}
453
454		static const OSSL_PARAM known_settable_ctx_params[] = {
455		OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_PAD, NULL),
456		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
457		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
458		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
459		OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
460		OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
461		OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
462		OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK)
463		OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK)
464		OSSL_PARAM_END
465		};
466
467		static const OSSL_PARAM dh_settable_ctx_params(ossl_unused void vpdhctx,
468		ossl_unused void *provctx)
469	0	{
470	0	return known_settable_ctx_params;
471	0	}
472
473		static const OSSL_PARAM known_gettable_ctx_params[] = {
474		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
475		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
476		OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
477		OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
478		NULL, 0),
479		OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
480		OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
481		OSSL_PARAM_END
482		};
483
484		static const OSSL_PARAM dh_gettable_ctx_params(ossl_unused void vpdhctx,
485		ossl_unused void *provctx)
486	0	{
487	0	return known_gettable_ctx_params;
488	0	}
489
490		static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
491	0	{
492	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
493	0	OSSL_PARAM *p;
494
495	0	if (pdhctx == NULL)
496	0	return 0;
497
498	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
499	0	if (p != NULL) {
500	0	const char *kdf_type = NULL;
501
502	0	switch (pdhctx->kdf_type) {
503	0	case PROV_DH_KDF_NONE:
504	0	kdf_type = "";
505	0	break;
506	0	case PROV_DH_KDF_X9_42_ASN1:
507	0	kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
508	0	break;
509	0	default:
510	0	return 0;
511	0	}
512
513	0	if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
514	0	return 0;
515	0	}
516
517	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
518	0	if (p != NULL
519	0	&& !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_md == NULL
520	0	? ""
521	0	: EVP_MD_get0_name(pdhctx->kdf_md))) {
522	0	return 0;
523	0	}
524
525	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
526	0	if (p != NULL && !OSSL_PARAM_set_size_t(p, pdhctx->kdf_outlen))
527	0	return 0;
528
529	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
530	0	if (p != NULL
531	0	&& !OSSL_PARAM_set_octet_ptr(p, pdhctx->kdf_ukm, pdhctx->kdf_ukmlen))
532	0	return 0;
533
534	0	p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_CEK_ALG);
535	0	if (p != NULL
536	0	&& !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_cekalg == NULL
537	0	? "" : pdhctx->kdf_cekalg))
538	0	return 0;
539	0	if (!OSSL_FIPS_IND_GET_CTX_PARAM(pdhctx, params))
540	0	return 0;
541	0	return 1;
542	0	}
543
544		const OSSL_DISPATCH ossl_dh_keyexch_functions[] = {
545		{ OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))dh_newctx },
546		{ OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))dh_init },
547		{ OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))dh_derive },
548		{ OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))dh_set_peer },
549		{ OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))dh_freectx },
550		{ OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))dh_dupctx },
551		{ OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))dh_set_ctx_params },
552		{ OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
553		(void (*)(void))dh_settable_ctx_params },
554		{ OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))dh_get_ctx_params },
555		{ OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
556		(void (*)(void))dh_gettable_ctx_params },
557		OSSL_DISPATCH_END
558		};