/src/openssl31/providers/implementations/exchange/dh_exch.c

Source (jump to first uncovered line)
/*
 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * DH low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <string.h>
#include <openssl/crypto.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/params.h>
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "crypto/dh.h"

static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
static OSSL_FUNC_keyexch_init_fn dh_init;
static OSSL_FUNC_keyexch_set_peer_fn dh_set_peer;
static OSSL_FUNC_keyexch_derive_fn dh_derive;
static OSSL_FUNC_keyexch_freectx_fn dh_freectx;
static OSSL_FUNC_keyexch_dupctx_fn dh_dupctx;
static OSSL_FUNC_keyexch_set_ctx_params_fn dh_set_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn dh_settable_ctx_params;
static OSSL_FUNC_keyexch_get_ctx_params_fn dh_get_ctx_params;
static OSSL_FUNC_keyexch_gettable_ctx_params_fn dh_gettable_ctx_params;

/*
 * This type is only really used to handle some legacy related functionality.
 * If you need to use other KDF's (such as SSKDF) just use PROV_DH_KDF_NONE
 * here and then create and run a KDF after the key is derived.
 * Note that X942 has 2 variants of key derivation:
 *   (1) DH_KDF_X9_42_ASN1 - which contains an ANS1 encoded object that has
 *   the counter embedded in it.
 *   (2) DH_KDF_X941_CONCAT - which is the same as ECDH_X963_KDF (which can be
 *       done by creating a "X963KDF".
 */
enum kdf_type {
    PROV_DH_KDF_NONE = 0,
    PROV_DH_KDF_X9_42_ASN1
};

/*
 * What's passed as an actual key is defined by the KEYMGMT interface.
 * We happen to know that our KEYMGMT simply passes DH structures, so
 * we use that here too.
 */

typedef struct {
    OSSL_LIB_CTX *libctx;
    DH *dh;
    DH *dhpeer;
    unsigned int pad : 1;

    /* DH KDF */
    /* KDF (if any) to use for DH */
    enum kdf_type kdf_type;
    /* Message digest to use for key derivation */
    EVP_MD *kdf_md;
    /* User key material */
    unsigned char *kdf_ukm;
    size_t kdf_ukmlen;
    /* KDF output length */
    size_t kdf_outlen;
    char *kdf_cekalg;
} PROV_DH_CTX;

static void *dh_newctx(void *provctx)
{
    PROV_DH_CTX *pdhctx;

    if (!ossl_prov_is_running())
        return NULL;

    pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
    if (pdhctx == NULL)
        return NULL;
    pdhctx->libctx = PROV_LIBCTX_OF(provctx);
    pdhctx->kdf_type = PROV_DH_KDF_NONE;
    return pdhctx;
}

static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    if (!ossl_prov_is_running()
            || pdhctx == NULL
            || vdh == NULL
            || !DH_up_ref(vdh))
        return 0;
    DH_free(pdhctx->dh);
    pdhctx->dh = vdh;
    pdhctx->kdf_type = PROV_DH_KDF_NONE;
    return dh_set_ctx_params(pdhctx, params)
           && ossl_dh_check_key(pdhctx->libctx, vdh);
}

/* The 2 parties must share the same domain parameters */
static int dh_match_params(DH *priv, DH *peer)
{
    int ret;
    FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
    FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);

    ret = dhparams_priv != NULL
          && dhparams_peer != NULL
          && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
    if (!ret)
        ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
    return ret;
}

static int dh_set_peer(void *vpdhctx, void *vdh)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    if (!ossl_prov_is_running()
            || pdhctx == NULL
            || vdh == NULL
            || !dh_match_params(vdh, pdhctx->dh)
            || !DH_up_ref(vdh))
        return 0;
    DH_free(pdhctx->dhpeer);
    pdhctx->dhpeer = vdh;
    return 1;
}

static int dh_plain_derive(void *vpdhctx,
                           unsigned char *secret, size_t *secretlen,
                           size_t outlen, unsigned int pad)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    int ret;
    size_t dhsize;
    const BIGNUM *pub_key = NULL;

    if (pdhctx->dh == NULL || pdhctx->dhpeer == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
        return 0;
    }

    dhsize = (size_t)DH_size(pdhctx->dh);
    if (secret == NULL) {
        *secretlen = dhsize;
        return 1;
    }
    if (outlen < dhsize) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
    if (pad)
        ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
    else
        ret = DH_compute_key(secret, pub_key, pdhctx->dh);
    if (ret <= 0)
        return 0;

    *secretlen = ret;
    return 1;
}

static int dh_X9_42_kdf_derive(void *vpdhctx, unsigned char *secret,
                               size_t *secretlen, size_t outlen)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    unsigned char *stmp = NULL;
    size_t stmplen;
    int ret = 0;

    if (secret == NULL) {
        *secretlen = pdhctx->kdf_outlen;
        return 1;
    }

    if (pdhctx->kdf_outlen > outlen) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }
    if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1))
        return 0;
    if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1))
        goto err;

    /* Do KDF stuff */
    if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) {
        if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen,
                                    stmp, stmplen,
                                    pdhctx->kdf_cekalg,
                                    pdhctx->kdf_ukm,
                                    pdhctx->kdf_ukmlen,
                                    pdhctx->kdf_md,
                                    pdhctx->libctx, NULL))
            goto err;
    }
    *secretlen = pdhctx->kdf_outlen;
    ret = 1;
err:
    OPENSSL_secure_clear_free(stmp, stmplen);
    return ret;
}

static int dh_derive(void *vpdhctx, unsigned char *secret,
                     size_t *psecretlen, size_t outlen)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    if (!ossl_prov_is_running())
        return 0;

    switch (pdhctx->kdf_type) {
        case PROV_DH_KDF_NONE:
            return dh_plain_derive(pdhctx, secret, psecretlen, outlen,
                                   pdhctx->pad);
        case PROV_DH_KDF_X9_42_ASN1:
            return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen);
        default:
            break;
    }
    return 0;
}

static void dh_freectx(void *vpdhctx)
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

    OPENSSL_free(pdhctx->kdf_cekalg);
    DH_free(pdhctx->dh);
    DH_free(pdhctx->dhpeer);
    EVP_MD_free(pdhctx->kdf_md);
    OPENSSL_clear_free(pdhctx->kdf_ukm, pdhctx->kdf_ukmlen);

    OPENSSL_free(pdhctx);
}

static void *dh_dupctx(void *vpdhctx)
{
    PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
    PROV_DH_CTX *dstctx;

    if (!ossl_prov_is_running())
        return NULL;

    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    if (dstctx == NULL)
        return NULL;

    *dstctx = *srcctx;
    dstctx->dh = NULL;
    dstctx->dhpeer = NULL;
    dstctx->kdf_md = NULL;
    dstctx->kdf_ukm = NULL;
    dstctx->kdf_cekalg = NULL;

    if (srcctx->dh != NULL && !DH_up_ref(srcctx->dh))
        goto err;
    else
        dstctx->dh = srcctx->dh;

    if (srcctx->dhpeer != NULL && !DH_up_ref(srcctx->dhpeer))
        goto err;
    else
        dstctx->dhpeer = srcctx->dhpeer;

    if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
        goto err;
    else
        dstctx->kdf_md = srcctx->kdf_md;

    /* Duplicate UKM data if present */
    if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
        dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
                                         srcctx->kdf_ukmlen);
        if (dstctx->kdf_ukm == NULL)
            goto err;
    }

    if (srcctx->kdf_cekalg != NULL) {
        dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg);
        if (dstctx->kdf_cekalg == NULL)
            goto err;
    }

    return dstctx;
err:
    dh_freectx(dstctx);
    return NULL;
}

static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    const OSSL_PARAM *p;
    unsigned int pad;
    char name[80] = { '\0' }; /* should be big enough */
    char *str = NULL;

    if (pdhctx == NULL)
        return 0;
    if (params == NULL)
        return 1;

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
    if (p != NULL) {
        str = name;
        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
            return 0;

        if (name[0] == '\0')
            pdhctx->kdf_type = PROV_DH_KDF_NONE;
        else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
            pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
        else
            return 0;
    }
    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
    if (p != NULL) {
        char mdprops[80] = { '\0' }; /* should be big enough */

        str = name;
        if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
            return 0;

        str = mdprops;
        p = OSSL_PARAM_locate_const(params,
                                    OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);

        if (p != NULL) {
            if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
                return 0;
        }

        EVP_MD_free(pdhctx->kdf_md);
        pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
        if (pdhctx->kdf_md == NULL)
            return 0;
        if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) {
            EVP_MD_free(pdhctx->kdf_md);
            pdhctx->kdf_md = NULL;
            return 0;
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
    if (p != NULL) {
        size_t outlen;

        if (!OSSL_PARAM_get_size_t(p, &outlen))
            return 0;
        pdhctx->kdf_outlen = outlen;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
    if (p != NULL) {
        void *tmp_ukm = NULL;
        size_t tmp_ukmlen;

        OPENSSL_free(pdhctx->kdf_ukm);
        pdhctx->kdf_ukm = NULL;
        pdhctx->kdf_ukmlen = 0;
        /* ukm is an optional field so it can be NULL */
        if (p->data != NULL && p->data_size != 0) {
            if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
                return 0;
            pdhctx->kdf_ukm = tmp_ukm;
            pdhctx->kdf_ukmlen = tmp_ukmlen;
        }
    }

    p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD);
    if (p != NULL) {
        if (!OSSL_PARAM_get_uint(p, &pad))
            return 0;
        pdhctx->pad = pad ? 1 : 0;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
    if (p != NULL) {
        str = name;

        OPENSSL_free(pdhctx->kdf_cekalg);
        pdhctx->kdf_cekalg = NULL;
        if (p->data != NULL && p->data_size != 0) {
            if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
                return 0;
            pdhctx->kdf_cekalg = OPENSSL_strdup(name);
            if (pdhctx->kdf_cekalg == NULL)
                return 0;
        }
    }
    return 1;
}

static const OSSL_PARAM known_settable_ctx_params[] = {
    OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_PAD, NULL),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
    OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *dh_settable_ctx_params(ossl_unused void *vpdhctx,
                                                ossl_unused void *provctx)
{
    return known_settable_ctx_params;
}

static const OSSL_PARAM known_gettable_ctx_params[] = {
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
    OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
    OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
                    NULL, 0),
    OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
    OSSL_PARAM_END
};

static const OSSL_PARAM *dh_gettable_ctx_params(ossl_unused void *vpdhctx,
                                                ossl_unused void *provctx)
{
    return known_gettable_ctx_params;
}

static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
{
    PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
    OSSL_PARAM *p;

    if (pdhctx == NULL)
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
    if (p != NULL) {
        const char *kdf_type = NULL;

        switch (pdhctx->kdf_type) {
            case PROV_DH_KDF_NONE:
                kdf_type = "";
                break;
            case PROV_DH_KDF_X9_42_ASN1:
                kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
                break;
            default:
                return 0;
        }

        if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
            return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
    if (p != NULL
            && !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_md == NULL
                                           ? ""
                                           : EVP_MD_get0_name(pdhctx->kdf_md))){
        return 0;
    }

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, pdhctx->kdf_outlen))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
    if (p != NULL
        && !OSSL_PARAM_set_octet_ptr(p, pdhctx->kdf_ukm, pdhctx->kdf_ukmlen))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_CEK_ALG);
    if (p != NULL
            && !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_cekalg == NULL
                                           ? "" :  pdhctx->kdf_cekalg))
        return 0;

    return 1;
}

const OSSL_DISPATCH ossl_dh_keyexch_functions[] = {
    { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))dh_newctx },
    { OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))dh_init },
    { OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))dh_derive },
    { OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))dh_set_peer },
    { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))dh_freectx },
    { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))dh_dupctx },
    { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))dh_set_ctx_params },
    { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
      (void (*)(void))dh_settable_ctx_params },
    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))dh_get_ctx_params },
    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
      (void (*)(void))dh_gettable_ctx_params },
    { 0, NULL }
};

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* DH low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <string.h>
17		#include <openssl/crypto.h>
18		#include <openssl/core_dispatch.h>
19		#include <openssl/core_names.h>
20		#include <openssl/dh.h>
21		#include <openssl/err.h>
22		#include <openssl/proverr.h>
23		#include <openssl/params.h>
24		#include "prov/providercommon.h"
25		#include "prov/implementations.h"
26		#include "prov/provider_ctx.h"
27		#include "prov/securitycheck.h"
28		#include "crypto/dh.h"
29
30		static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
31		static OSSL_FUNC_keyexch_init_fn dh_init;
32		static OSSL_FUNC_keyexch_set_peer_fn dh_set_peer;
33		static OSSL_FUNC_keyexch_derive_fn dh_derive;
34		static OSSL_FUNC_keyexch_freectx_fn dh_freectx;
35		static OSSL_FUNC_keyexch_dupctx_fn dh_dupctx;
36		static OSSL_FUNC_keyexch_set_ctx_params_fn dh_set_ctx_params;
37		static OSSL_FUNC_keyexch_settable_ctx_params_fn dh_settable_ctx_params;
38		static OSSL_FUNC_keyexch_get_ctx_params_fn dh_get_ctx_params;
39		static OSSL_FUNC_keyexch_gettable_ctx_params_fn dh_gettable_ctx_params;
40
41		/*
42		* This type is only really used to handle some legacy related functionality.
43		* If you need to use other KDF's (such as SSKDF) just use PROV_DH_KDF_NONE
44		* here and then create and run a KDF after the key is derived.
45		* Note that X942 has 2 variants of key derivation:
46		* (1) DH_KDF_X9_42_ASN1 - which contains an ANS1 encoded object that has
47		* the counter embedded in it.
48		* (2) DH_KDF_X941_CONCAT - which is the same as ECDH_X963_KDF (which can be
49		* done by creating a "X963KDF".
50		*/
51		enum kdf_type {
52		PROV_DH_KDF_NONE = 0,
53		PROV_DH_KDF_X9_42_ASN1
54		};
55
56		/*
57		* What's passed as an actual key is defined by the KEYMGMT interface.
58		* We happen to know that our KEYMGMT simply passes DH structures, so
59		* we use that here too.
60		*/
61
62		typedef struct {
63		OSSL_LIB_CTX *libctx;
64		DH *dh;
65		DH *dhpeer;
66		unsigned int pad : 1;
67
68		/* DH KDF */
69		/* KDF (if any) to use for DH */
70		enum kdf_type kdf_type;
71		/* Message digest to use for key derivation */
72		EVP_MD *kdf_md;
73		/* User key material */
74		unsigned char *kdf_ukm;
75		size_t kdf_ukmlen;
76		/* KDF output length */
77		size_t kdf_outlen;
78		char *kdf_cekalg;
79		} PROV_DH_CTX;
80
81		static void dh_newctx(void provctx)
82	3.76k	{
83	3.76k	PROV_DH_CTX *pdhctx;
84
85	3.76k	if (!ossl_prov_is_running())
86	0	return NULL;
87
88	3.76k	pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
89	3.76k	if (pdhctx == NULL)
90	0	return NULL;
91	3.76k	pdhctx->libctx = PROV_LIBCTX_OF(provctx);
92	3.76k	pdhctx->kdf_type = PROV_DH_KDF_NONE;
93	3.76k	return pdhctx;
94	3.76k	}
95
96		static int dh_init(void vpdhctx, void vdh, const OSSL_PARAM params[])
97	2.78k	{
98	2.78k	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
99
100	2.78k	if (!ossl_prov_is_running()
101	2.78k	\|\| pdhctx == NULL
102	2.78k	\|\| vdh == NULL
103	2.78k	\|\| !DH_up_ref(vdh))
104	0	return 0;
105	2.78k	DH_free(pdhctx->dh);
106	2.78k	pdhctx->dh = vdh;
107	2.78k	pdhctx->kdf_type = PROV_DH_KDF_NONE;
108	2.78k	return dh_set_ctx_params(pdhctx, params)
109	2.78k	&& ossl_dh_check_key(pdhctx->libctx, vdh);
110	2.78k	}
111
112		/* The 2 parties must share the same domain parameters */
113		static int dh_match_params(DH priv, DH peer)
114	3.43k	{
115	3.43k	int ret;
116	3.43k	FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
117	3.43k	FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
118
119	3.43k	ret = dhparams_priv != NULL
120	3.43k	&& dhparams_peer != NULL
121	3.43k	&& ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
122	3.43k	if (!ret)
123	3.43k	ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
124	3.43k	return ret;
125	3.43k	}
126
127		static int dh_set_peer(void vpdhctx, void vdh)
128	3.43k	{
129	3.43k	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
130
131	3.43k	if (!ossl_prov_is_running()
132	3.43k	\|\| pdhctx == NULL
133	3.43k	\|\| vdh == NULL
134	3.43k	\|\| !dh_match_params(vdh, pdhctx->dh)
135	3.43k	\|\| !DH_up_ref(vdh))
136	0	return 0;
137	3.43k	DH_free(pdhctx->dhpeer);
138	3.43k	pdhctx->dhpeer = vdh;
139	3.43k	return 1;
140	3.43k	}
141
142		static int dh_plain_derive(void *vpdhctx,
143		unsigned char secret, size_t secretlen,
144		size_t outlen, unsigned int pad)
145	6.86k	{
146	6.86k	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
147	6.86k	int ret;
148	6.86k	size_t dhsize;
149	6.86k	const BIGNUM *pub_key = NULL;
150
151	6.86k	if (pdhctx->dh == NULL \|\| pdhctx->dhpeer == NULL) {
152	0	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
153	0	return 0;
154	0	}
155
156	6.86k	dhsize = (size_t)DH_size(pdhctx->dh);
157	6.86k	if (secret == NULL) {
158	3.43k	*secretlen = dhsize;
159	3.43k	return 1;
160	3.43k	}
161	3.43k	if (outlen < dhsize) {
162	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
163	0	return 0;
164	0	}
165
166	3.43k	DH_get0_key(pdhctx->dhpeer, &pub_key, NULL);
167	3.43k	if (pad)
168	177	ret = DH_compute_key_padded(secret, pub_key, pdhctx->dh);
169	3.25k	else
170	3.25k	ret = DH_compute_key(secret, pub_key, pdhctx->dh);
171	3.43k	if (ret <= 0)
172	0	return 0;
173
174	3.43k	*secretlen = ret;
175	3.43k	return 1;
176	3.43k	}
177
178		static int dh_X9_42_kdf_derive(void vpdhctx, unsigned char secret,
179		size_t *secretlen, size_t outlen)
180	0	{
181	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
182	0	unsigned char *stmp = NULL;
183	0	size_t stmplen;
184	0	int ret = 0;
185
186	0	if (secret == NULL) {
187	0	*secretlen = pdhctx->kdf_outlen;
188	0	return 1;
189	0	}
190
191	0	if (pdhctx->kdf_outlen > outlen) {
192	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
193	0	return 0;
194	0	}
195	0	if (!dh_plain_derive(pdhctx, NULL, &stmplen, 0, 1))
196	0	return 0;
197	0	if ((stmp = OPENSSL_secure_malloc(stmplen)) == NULL) {
198	0	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
199	0	return 0;
200	0	}
201	0	if (!dh_plain_derive(pdhctx, stmp, &stmplen, stmplen, 1))
202	0	goto err;
203
204		/* Do KDF stuff */
205	0	if (pdhctx->kdf_type == PROV_DH_KDF_X9_42_ASN1) {
206	0	if (!ossl_dh_kdf_X9_42_asn1(secret, pdhctx->kdf_outlen,
207	0	stmp, stmplen,
208	0	pdhctx->kdf_cekalg,
209	0	pdhctx->kdf_ukm,
210	0	pdhctx->kdf_ukmlen,
211	0	pdhctx->kdf_md,
212	0	pdhctx->libctx, NULL))
213	0	goto err;
214	0	}
215	0	*secretlen = pdhctx->kdf_outlen;
216	0	ret = 1;
217	0	err:
218	0	OPENSSL_secure_clear_free(stmp, stmplen);
219	0	return ret;
220	0	}
221
222		static int dh_derive(void vpdhctx, unsigned char secret,
223		size_t *psecretlen, size_t outlen)
224	6.86k	{
225	6.86k	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
226
227	6.86k	if (!ossl_prov_is_running())
228	0	return 0;
229
230	6.86k	switch (pdhctx->kdf_type) {
231	6.86k	case PROV_DH_KDF_NONE:
232	6.86k	return dh_plain_derive(pdhctx, secret, psecretlen, outlen,
233	6.86k	pdhctx->pad);
234	0	case PROV_DH_KDF_X9_42_ASN1:
235	0	return dh_X9_42_kdf_derive(pdhctx, secret, psecretlen, outlen);
236	0	default:
237	0	break;
238	6.86k	}
239	0	return 0;
240	6.86k	}
241
242		static void dh_freectx(void *vpdhctx)
243	3.76k	{
244	3.76k	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
245
246	3.76k	OPENSSL_free(pdhctx->kdf_cekalg);
247	3.76k	DH_free(pdhctx->dh);
248	3.76k	DH_free(pdhctx->dhpeer);
249	3.76k	EVP_MD_free(pdhctx->kdf_md);
250	3.76k	OPENSSL_clear_free(pdhctx->kdf_ukm, pdhctx->kdf_ukmlen);
251
252	3.76k	OPENSSL_free(pdhctx);
253	3.76k	}
254
255		static void dh_dupctx(void vpdhctx)
256	0	{
257	0	PROV_DH_CTX srcctx = (PROV_DH_CTX )vpdhctx;
258	0	PROV_DH_CTX *dstctx;
259
260	0	if (!ossl_prov_is_running())
261	0	return NULL;
262
263	0	dstctx = OPENSSL_zalloc(sizeof(*srcctx));
264	0	if (dstctx == NULL)
265	0	return NULL;
266
267	0	dstctx = srcctx;
268	0	dstctx->dh = NULL;
269	0	dstctx->dhpeer = NULL;
270	0	dstctx->kdf_md = NULL;
271	0	dstctx->kdf_ukm = NULL;
272	0	dstctx->kdf_cekalg = NULL;
273
274	0	if (srcctx->dh != NULL && !DH_up_ref(srcctx->dh))
275	0	goto err;
276	0	else
277	0	dstctx->dh = srcctx->dh;
278
279	0	if (srcctx->dhpeer != NULL && !DH_up_ref(srcctx->dhpeer))
280	0	goto err;
281	0	else
282	0	dstctx->dhpeer = srcctx->dhpeer;
283
284	0	if (srcctx->kdf_md != NULL && !EVP_MD_up_ref(srcctx->kdf_md))
285	0	goto err;
286	0	else
287	0	dstctx->kdf_md = srcctx->kdf_md;
288
289		/* Duplicate UKM data if present */
290	0	if (srcctx->kdf_ukm != NULL && srcctx->kdf_ukmlen > 0) {
291	0	dstctx->kdf_ukm = OPENSSL_memdup(srcctx->kdf_ukm,
292	0	srcctx->kdf_ukmlen);
293	0	if (dstctx->kdf_ukm == NULL)
294	0	goto err;
295	0	}
296
297	0	if (srcctx->kdf_cekalg != NULL) {
298	0	dstctx->kdf_cekalg = OPENSSL_strdup(srcctx->kdf_cekalg);
299	0	if (dstctx->kdf_cekalg == NULL)
300	0	goto err;
301	0	}
302
303	0	return dstctx;
304	0	err:
305	0	dh_freectx(dstctx);
306	0	return NULL;
307	0	}
308
309		static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
310	1.88k	{
311	1.88k	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
312	1.88k	const OSSL_PARAM *p;
313	1.88k	unsigned int pad;
314	1.88k	char name[80] = { '\0' }; /* should be big enough */
315	1.88k	char *str = NULL;
316
317	1.88k	if (pdhctx == NULL)
318	0	return 0;
319	1.88k	if (params == NULL)
320	1.88k	return 1;
321
322	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
323	0	if (p != NULL) {
324	0	str = name;
325	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
326	0	return 0;
327
328	0	if (name[0] == '\0')
329	0	pdhctx->kdf_type = PROV_DH_KDF_NONE;
330	0	else if (strcmp(name, OSSL_KDF_NAME_X942KDF_ASN1) == 0)
331	0	pdhctx->kdf_type = PROV_DH_KDF_X9_42_ASN1;
332	0	else
333	0	return 0;
334	0	}
335	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
336	0	if (p != NULL) {
337	0	char mdprops[80] = { '\0' }; /* should be big enough */
338
339	0	str = name;
340	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
341	0	return 0;
342
343	0	str = mdprops;
344	0	p = OSSL_PARAM_locate_const(params,
345	0	OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS);
346
347	0	if (p != NULL) {
348	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(mdprops)))
349	0	return 0;
350	0	}
351
352	0	EVP_MD_free(pdhctx->kdf_md);
353	0	pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
354	0	if (pdhctx->kdf_md == NULL)
355	0	return 0;
356	0	if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) {
357	0	EVP_MD_free(pdhctx->kdf_md);
358	0	pdhctx->kdf_md = NULL;
359	0	return 0;
360	0	}
361	0	}
362
363	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
364	0	if (p != NULL) {
365	0	size_t outlen;
366
367	0	if (!OSSL_PARAM_get_size_t(p, &outlen))
368	0	return 0;
369	0	pdhctx->kdf_outlen = outlen;
370	0	}
371
372	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
373	0	if (p != NULL) {
374	0	void *tmp_ukm = NULL;
375	0	size_t tmp_ukmlen;
376
377	0	OPENSSL_free(pdhctx->kdf_ukm);
378	0	pdhctx->kdf_ukm = NULL;
379	0	pdhctx->kdf_ukmlen = 0;
380		/* ukm is an optional field so it can be NULL */
381	0	if (p->data != NULL && p->data_size != 0) {
382	0	if (!OSSL_PARAM_get_octet_string(p, &tmp_ukm, 0, &tmp_ukmlen))
383	0	return 0;
384	0	pdhctx->kdf_ukm = tmp_ukm;
385	0	pdhctx->kdf_ukmlen = tmp_ukmlen;
386	0	}
387	0	}
388
389	0	p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_PAD);
390	0	if (p != NULL) {
391	0	if (!OSSL_PARAM_get_uint(p, &pad))
392	0	return 0;
393	0	pdhctx->pad = pad ? 1 : 0;
394	0	}
395
396	0	p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CEK_ALG);
397	0	if (p != NULL) {
398	0	str = name;
399
400	0	OPENSSL_free(pdhctx->kdf_cekalg);
401	0	pdhctx->kdf_cekalg = NULL;
402	0	if (p->data != NULL && p->data_size != 0) {
403	0	if (!OSSL_PARAM_get_utf8_string(p, &str, sizeof(name)))
404	0	return 0;
405	0	pdhctx->kdf_cekalg = OPENSSL_strdup(name);
406	0	if (pdhctx->kdf_cekalg == NULL)
407	0	return 0;
408	0	}
409	0	}
410	0	return 1;
411	0	}
412
413		static const OSSL_PARAM known_settable_ctx_params[] = {
414		OSSL_PARAM_int(OSSL_EXCHANGE_PARAM_PAD, NULL),
415		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
416		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
417		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS, NULL, 0),
418		OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
419		OSSL_PARAM_octet_string(OSSL_EXCHANGE_PARAM_KDF_UKM, NULL, 0),
420		OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
421		OSSL_PARAM_END
422		};
423
424		static const OSSL_PARAM dh_settable_ctx_params(ossl_unused void vpdhctx,
425		ossl_unused void *provctx)
426	182	{
427	182	return known_settable_ctx_params;
428	182	}
429
430		static const OSSL_PARAM known_gettable_ctx_params[] = {
431		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_TYPE, NULL, 0),
432		OSSL_PARAM_utf8_string(OSSL_EXCHANGE_PARAM_KDF_DIGEST, NULL, 0),
433		OSSL_PARAM_size_t(OSSL_EXCHANGE_PARAM_KDF_OUTLEN, NULL),
434		OSSL_PARAM_DEFN(OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR,
435		NULL, 0),
436		OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CEK_ALG, NULL, 0),
437		OSSL_PARAM_END
438		};
439
440		static const OSSL_PARAM dh_gettable_ctx_params(ossl_unused void vpdhctx,
441		ossl_unused void *provctx)
442	0	{
443	0	return known_gettable_ctx_params;
444	0	}
445
446		static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
447	0	{
448	0	PROV_DH_CTX pdhctx = (PROV_DH_CTX )vpdhctx;
449	0	OSSL_PARAM *p;
450
451	0	if (pdhctx == NULL)
452	0	return 0;
453
454	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
455	0	if (p != NULL) {
456	0	const char *kdf_type = NULL;
457
458	0	switch (pdhctx->kdf_type) {
459	0	case PROV_DH_KDF_NONE:
460	0	kdf_type = "";
461	0	break;
462	0	case PROV_DH_KDF_X9_42_ASN1:
463	0	kdf_type = OSSL_KDF_NAME_X942KDF_ASN1;
464	0	break;
465	0	default:
466	0	return 0;
467	0	}
468
469	0	if (!OSSL_PARAM_set_utf8_string(p, kdf_type))
470	0	return 0;
471	0	}
472
473	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_DIGEST);
474	0	if (p != NULL
475	0	&& !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_md == NULL
476	0	? ""
477	0	: EVP_MD_get0_name(pdhctx->kdf_md))){
478	0	return 0;
479	0	}
480
481	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN);
482	0	if (p != NULL && !OSSL_PARAM_set_size_t(p, pdhctx->kdf_outlen))
483	0	return 0;
484
485	0	p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_UKM);
486	0	if (p != NULL
487	0	&& !OSSL_PARAM_set_octet_ptr(p, pdhctx->kdf_ukm, pdhctx->kdf_ukmlen))
488	0	return 0;
489
490	0	p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_CEK_ALG);
491	0	if (p != NULL
492	0	&& !OSSL_PARAM_set_utf8_string(p, pdhctx->kdf_cekalg == NULL
493	0	? "" : pdhctx->kdf_cekalg))
494	0	return 0;
495
496	0	return 1;
497	0	}
498
499		const OSSL_DISPATCH ossl_dh_keyexch_functions[] = {
500		{ OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))dh_newctx },
501		{ OSSL_FUNC_KEYEXCH_INIT, (void (*)(void))dh_init },
502		{ OSSL_FUNC_KEYEXCH_DERIVE, (void (*)(void))dh_derive },
503		{ OSSL_FUNC_KEYEXCH_SET_PEER, (void (*)(void))dh_set_peer },
504		{ OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))dh_freectx },
505		{ OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))dh_dupctx },
506		{ OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))dh_set_ctx_params },
507		{ OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
508		(void (*)(void))dh_settable_ctx_params },
509		{ OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))dh_get_ctx_params },
510		{ OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
511		(void (*)(void))dh_gettable_ctx_params },
512		{ 0, NULL }
513		};