static int
DH_check_pub_key_rfc(const DH *dh, BN_CTX *ctx, int *ret)
{
BIGNUM *bn = NULL;
int ok = 0;
const BIGNUM *pub_key, *p, *q, *g;
check((dh && ret), "Invalid arguments");
BN_CTX_start(ctx);
DH_get0_key(dh, &pub_key, NULL);
DH_get0_pqg(dh, &p, &q, &g);
/* Verify that y lies within the interval [2,p-1]. */
if (!DH_check_pub_key(dh, pub_key, ret))
goto err;
/* If the DH is conform to RFC 2631 it should have a non-NULL q.
* Others (like the DHs generated from OpenSSL) might have a problem with
* this check. */
if (q) {
/* Compute y^q mod p. If the result == 1, the key is valid. */
bn = BN_CTX_get(ctx);
if (!bn || !BN_mod_exp(bn, pub_key, q, p, ctx))
goto err;
if (!BN_is_one(bn))
*ret |= DH_CHECK_PUBKEY_INVALID;
}
ok = 1;
err:
BN_CTX_end(ctx);
return ok;
}
int
dh_gen_key(DH *dh, int need)
{
int pbits;
const BIGNUM *p, *pub_key, *priv_key;
DH_get0_pqg(dh, &p, NULL, NULL);
if (need < 0 || p == NULL ||
(pbits = BN_num_bits(p)) <= 0 ||
need > INT_MAX / 2 || 2 * need > pbits)
return SSH_ERR_INVALID_ARGUMENT;
if (need < 256)
need = 256;
/*
* Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
* so double requested need here.
*/
DH_set_length(dh, MIN(need * 2, pbits - 1));
if (DH_generate_key(dh) == 0) {
return SSH_ERR_LIBCRYPTO_ERROR;
}
DH_get0_key(dh, &pub_key, &priv_key);
if (!dh_pub_is_valid(dh, pub_key)) {
#if 0
BN_clear(priv_key);
#endif
return SSH_ERR_LIBCRYPTO_ERROR;
}
return 0;
}
bool
tr_dh_make_key (tr_dh_ctx_t raw_handle,
size_t private_key_length,
uint8_t * public_key,
size_t * public_key_length)
{
DH * handle = raw_handle;
int dh_size, my_public_key_length;
const BIGNUM * my_public_key;
assert (handle != NULL);
assert (public_key != NULL);
DH_set_length(handle, private_key_length * 8);
if (!check_result (DH_generate_key (handle)))
return false;
DH_get0_key (handle, &my_public_key, NULL);
my_public_key_length = BN_bn2bin (my_public_key, public_key);
dh_size = DH_size (handle);
tr_dh_align_key (public_key, my_public_key_length, dh_size);
if (public_key_length != NULL)
*public_key_length = dh_size;
return true;
}
// Set from OpenSSL representation
void OSSLDHPublicKey::setFromOSSL(const DH* inDH)
{
const BIGNUM* bn_p = NULL;
const BIGNUM* bn_g = NULL;
const BIGNUM* bn_pub_key = NULL;
DH_get0_pqg(inDH, &bn_p, NULL, &bn_g);
DH_get0_key(inDH, &bn_pub_key, NULL);
if (bn_p)
{
ByteString inP = OSSL::bn2ByteString(bn_p);
setP(inP);
}
if (bn_g)
{
ByteString inG = OSSL::bn2ByteString(bn_g);
setG(inG);
}
if (bn_pub_key)
{
ByteString inY = OSSL::bn2ByteString(bn_pub_key);
setY(inY);
}
}
static VALUE
ossl_dh_initialize_copy(VALUE self, VALUE other)
{
EVP_PKEY *pkey;
DH *dh, *dh_other;
const BIGNUM *pub, *priv;
GetPKey(self, pkey);
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
ossl_raise(eDHError, "DH already initialized");
GetDH(other, dh_other);
dh = DHparams_dup(dh_other);
if (!dh)
ossl_raise(eDHError, "DHparams_dup");
EVP_PKEY_assign_DH(pkey, dh);
DH_get0_key(dh_other, &pub, &priv);
if (pub) {
BIGNUM *pub2 = BN_dup(pub);
BIGNUM *priv2 = BN_dup(priv);
if (!pub2 || priv && !priv2) {
BN_clear_free(pub2);
BN_clear_free(priv2);
ossl_raise(eDHError, "BN_dup");
}
DH_set0_key(dh, pub2, priv2);
}
return self;
}
BUF_MEM *
dh_generate_key(EVP_PKEY *key, BN_CTX *bn_ctx)
{
int suc;
DH *dh = NULL;
BUF_MEM *ret = NULL;
const BIGNUM *pub_key;
check(key, "Invalid arguments");
dh = EVP_PKEY_get1_DH(key);
if (!dh)
goto err;
if (!DH_generate_key(dh) || !DH_check_pub_key_rfc(dh, bn_ctx, &suc))
goto err;
if (suc)
goto err;
DH_get0_key(dh, &pub_key, NULL);
ret = BN_bn2buf(pub_key);
err:
if (dh)
DH_free(dh);
return ret;
}
/* DH *************************************************************************/
const BIGNUM *HsOpenSSL_DH_get_pub_key(DH *dh) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
const BIGNUM** pub_key = 0;
const BIGNUM** priv_key = 0;
DH_get0_key(dh, pub_key, priv_key);
return *pub_key;
#else
return dh->pub_key;
#endif
}
/*
* call-seq:
* dh.public? -> true | false
*
* Indicates whether this DH instance has a public key associated with it or
* not. The public key may be retrieved with DH#pub_key.
*/
static VALUE
ossl_dh_is_public(VALUE self)
{
DH *dh;
const BIGNUM *bn;
GetDH(self, dh);
DH_get0_key(dh, &bn, NULL);
return bn ? Qtrue : Qfalse;
}
/* Caller is not responsible for freeing values returned by these accessors
* Per https://www.openssl.org/docs/man1.1.0/crypto/DH_get0_pqg.html
*/
static const BIGNUM *s2n_get_Ys_dh_param(struct s2n_dh_params *dh_params)
{
const BIGNUM *Ys = NULL;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined LIBRESSL_VERSION_NUMBER
Ys = dh_params->dh->pub_key;
#else
DH_get0_key(dh_params->dh, &Ys, NULL);
#endif
return Ys;
}
/*
* call-seq:
* dh.private? -> true | false
*
* Indicates whether this DH instance has a private key associated with it or
* not. The private key may be retrieved with DH#priv_key.
*/
static VALUE
ossl_dh_is_private(VALUE self)
{
DH *dh;
const BIGNUM *bn;
GetDH(self, dh);
DH_get0_key(dh, NULL, &bn);
#if !defined(OPENSSL_NO_ENGINE)
return (bn || DH_get0_engine(dh)) ? Qtrue : Qfalse;
#else
return bn ? Qtrue : Qfalse;
#endif
}
/**
Generates DH public key.
This function generates random secret exponent, and computes the public key, which is
returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly.
If the PublicKey buffer is too small to hold the public key, FALSE is returned and
PublicKeySize is set to the required buffer size to obtain the public key.
If DhContext is NULL, then return FALSE.
If PublicKeySize is NULL, then return FALSE.
If PublicKeySize is large enough but PublicKey is NULL, then return FALSE.
@param[in, out] DhContext Pointer to the DH context.
@param[out] PublicKey Pointer to the buffer to receive generated public key.
@param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes.
On output, the size of data returned in PublicKey buffer in bytes.
@retval TRUE DH public key generation succeeded.
@retval FALSE DH public key generation failed.
@retval FALSE PublicKeySize is not large enough.
**/
BOOLEAN
EFIAPI
DhGenerateKey (
IN OUT VOID *DhContext,
OUT UINT8 *PublicKey,
IN OUT UINTN *PublicKeySize
)
{
BOOLEAN RetVal;
DH *Dh;
BIGNUM *DhPubKey;
INTN Size;
//
// Check input parameters.
//
if (DhContext == NULL || PublicKeySize == NULL) {
return FALSE;
}
if (PublicKey == NULL && *PublicKeySize != 0) {
return FALSE;
}
Dh = (DH *) DhContext;
RetVal = (BOOLEAN) DH_generate_key (DhContext);
if (RetVal) {
DH_get0_key (Dh, (const BIGNUM **)&DhPubKey, NULL);
Size = BN_num_bytes (DhPubKey);
if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) {
*PublicKeySize = Size;
return FALSE;
}
if (PublicKey != NULL) {
BN_bn2bin (DhPubKey, PublicKey);
}
*PublicKeySize = Size;
}
return RetVal;
}
/*
* call-seq:
* dh.params -> hash
*
* Stores all parameters of key to the hash
* INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
* Don't use :-)) (I's up to you)
*/
static VALUE
ossl_dh_get_params(VALUE self)
{
DH *dh;
VALUE hash;
const BIGNUM *p, *q, *g, *pub_key, *priv_key;
GetDH(self, dh);
DH_get0_pqg(dh, &p, &q, &g);
DH_get0_key(dh, &pub_key, &priv_key);
hash = rb_hash_new();
rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(p));
rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(q));
rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(g));
rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(pub_key));
rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(priv_key));
return hash;
}
BUF_MEM *
get_pubkey(EVP_PKEY *key, BN_CTX *bn_ctx)
{
BUF_MEM *out;
DH *dh;
EC_KEY *ec;
const EC_POINT *ec_pub;
const BIGNUM *dh_pub_key;
check_return(key, "invalid arguments");
switch (EVP_PKEY_base_id(key)) {
case EVP_PKEY_DH:
dh = EVP_PKEY_get1_DH(key);
check_return(dh, "no DH key");
DH_get0_key(dh, &dh_pub_key, NULL);
out = BN_bn2buf(dh_pub_key);
DH_free(dh);
break;
case EVP_PKEY_EC:
ec = EVP_PKEY_get1_EC_KEY(key);
check_return(ec, "no EC key");
ec_pub = EC_KEY_get0_public_key(ec);
check_return(ec_pub, "no EC public key");
out = EC_POINT_point2mem(ec, bn_ctx, ec_pub);
EC_KEY_free(ec);
break;
default:
log_err("unknown type of key");
return NULL;
}
return out;
}
bool diffie_hellman::generate_pub_key()
{
if( !p.size() )
return valid = false;
ssl_dh dh = DH_new();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
const auto bn_p = BN_bin2bn( (unsigned char*)&p.front(), p.size(), NULL );
const auto bn_g = BN_bin2bn( (unsigned char*)&g, 1, NULL );
DH_set0_pqg(dh.obj, bn_p, NULL, bn_g);
#else
dh->p = BN_bin2bn( (unsigned char*)&p.front(), p.size(), NULL );
dh->g = BN_bin2bn( (unsigned char*)&g, 1, NULL );
#endif
if( !fc::validate( dh, valid ) )
{
return false;
}
DH_generate_key(dh);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
ssl_bignum bn_pub_key;
ssl_bignum bn_priv_key;
DH_get0_key(dh.obj, (const BIGNUM**)&bn_pub_key.obj, (const BIGNUM**)&bn_priv_key.obj);
pub_key.resize( BN_num_bytes( bn_pub_key ) );
priv_key.resize( BN_num_bytes( bn_priv_key ) );
if( pub_key.size() )
BN_bn2bin( bn_pub_key.obj, (unsigned char*)&pub_key.front() );
if( priv_key.size() )
BN_bn2bin( bn_priv_key.obj, (unsigned char*)&priv_key.front() );
#else
pub_key.resize( BN_num_bytes( dh->pub_key ) );
priv_key.resize( BN_num_bytes( dh->priv_key ) );
if( pub_key.size() )
BN_bn2bin( dh->pub_key, (unsigned char*)&pub_key.front() );
if( priv_key.size() )
BN_bn2bin( dh->priv_key, (unsigned char*)&priv_key.front() );
#endif
return true;
}
static LUA_FUNCTION(openssl_dh_parse)
{
const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *pri = NULL;
DH* dh = CHECK_OBJECT(1, DH, "openssl.dh");
lua_newtable(L);
lua_pushinteger(L, DH_size(dh));
lua_setfield(L, -2, "size");
lua_pushinteger(L, DH_bits(dh));
lua_setfield(L, -2, "bits");
DH_get0_pqg(dh, &p, &q, &g);
DH_get0_key(dh, &pub, &pri);
OPENSSL_PKEY_GET_BN(p, p);
OPENSSL_PKEY_GET_BN(q, q);
OPENSSL_PKEY_GET_BN(g, g);
OPENSSL_PKEY_GET_BN(pub, priv_key);
OPENSSL_PKEY_GET_BN(pri, pub_key);
return 1;
}
int main (int argc,
const char *argv[])
{
DH *c_dh = NULL;
DH *s_dh = NULL;
unsigned char *c_keybuf = NULL;
unsigned char *s_keybuf = NULL;
int c_keylen = 0, s_keylen = 0, i = 0;
const BIGNUM *pub_key;
/* TBD -- Generate random private keys */
/* Generate initial DH params on the client side */
if (NULL == (c_dh = tr_create_dh_params(NULL, 0))) {
printf("Error: Can't create client DH params, exiting.\n");
exit(1);
}
fprintf(stderr, "Client DH Parameters:\n");
DHparams_print_fp(stdout, c_dh);
fprintf(stderr, "\n");
/*** Would now send DH params and client's public key to the server ***/
/* Generate DH params on the server side */
if (NULL == (s_dh = tr_create_matching_dh(NULL, 0, c_dh))) {
printf("Error: Can't create server server DH params, exiting.\n");
exit(1);
}
fprintf(stdout, "Server DH Parameters:\n");
DHparams_print_fp(stdout, s_dh);
fprintf(stdout, "\n");
/*** Would now send server's pub key to client ***/
/* Compute key on client */
DH_get0_key(s_dh, &pub_key, NULL);
if (0 > (c_keylen = tr_compute_dh_key(&c_keybuf,
pub_key,
c_dh))) {
printf("Error: Can't compute client key.\n");
}
/* Compute key on server */
DH_get0_key(c_dh, &pub_key, NULL);
if (0 > (s_keylen = tr_compute_dh_key(&s_keybuf,
pub_key,
s_dh))) {
printf("Error: Can't compute server key.\n");
exit(1);
}
/* Print out the client key. */
printf("Client Key Generated (len = %d):\n", c_keylen);
for (i = 0; i < c_keylen; i++) {
printf("%2x", c_keybuf[i]);
}
printf("\n");
/* Print out the server key. */
printf("Server Key Generated (len = %d):\n", s_keylen);
for (i = 0; i < s_keylen; i++) {
printf("%2x", s_keybuf[i]);
}
printf("\n");
/* Compare the two keys to see if they match */
if ((c_keylen != s_keylen) ||
(0 != memcmp(c_keybuf, s_keybuf, c_keylen))) {
printf("Error: Different keys generated!\n");
exit(1);
}
printf("Success: Identical keys generated, key length = %d!\n", c_keylen);
exit(0);
}
int main(int argc, char *argv[])
{
BN_GENCB *_cb = NULL;
DH *a = NULL;
DH *b = NULL;
BIGNUM *ap = NULL, *ag = NULL, *bp = NULL, *bg = NULL, *apub_key = NULL;
BIGNUM *bpub_key = NULL, *priv_key = NULL;
char buf[12] = {0};
unsigned char *abuf = NULL;
unsigned char *bbuf = NULL;
int i, alen, blen, aout, bout;
int ret = 1;
BIO *out = NULL;
CRYPTO_set_mem_debug(1);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed);
out = BIO_new(BIO_s_file());
if (out == NULL)
EXIT(1);
BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
_cb = BN_GENCB_new();
if (_cb == NULL)
goto err;
BN_GENCB_set(_cb, &cb, out);
if (((a = DH_new()) == NULL)
|| (!DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, _cb)))
goto err;
if (!DH_check(a, &i))
goto err;
if (i & DH_CHECK_P_NOT_PRIME)
BIO_puts(out, "p value is not prime\n");
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
BIO_puts(out, "p value is not a safe prime\n");
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
BIO_puts(out, "unable to check the generator value\n");
if (i & DH_NOT_SUITABLE_GENERATOR)
BIO_puts(out, "the g value is not a generator\n");
DH_get0_pqg(a, &ap, NULL, &ag);
BIO_puts(out, "\np =");
BN_print(out, ap);
BIO_puts(out, "\ng =");
BN_print(out, ag);
BIO_puts(out, "\n");
b = DH_new();
if (b == NULL)
goto err;
bp = BN_dup(ap);
bg = BN_dup(ag);
if ((bp == NULL) || (bg == NULL) || !DH_set0_pqg(b, bp, NULL, bg))
goto err;
bp = bg = NULL;
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, &priv_key);
BIO_puts(out, "pri 1=");
BN_print(out, priv_key);
BIO_puts(out, "\npub 1=");
BN_print(out, apub_key);
BIO_puts(out, "\n");
if (!DH_generate_key(b))
goto err;
DH_get0_key(b, &bpub_key, &priv_key);
BIO_puts(out, "pri 2=");
BN_print(out, priv_key);
BIO_puts(out, "\npub 2=");
BN_print(out, bpub_key);
BIO_puts(out, "\n");
alen = DH_size(a);
abuf = OPENSSL_malloc(alen);
if (abuf == NULL)
goto err;
aout = DH_compute_key(abuf, bpub_key, a);
BIO_puts(out, "key1 =");
for (i = 0; i < aout; i++) {
sprintf(buf, "%02X", abuf[i]);
BIO_puts(out, buf);
}
BIO_puts(out, "\n");
blen = DH_size(b);
bbuf = OPENSSL_malloc(blen);
if (bbuf == NULL)
goto err;
bout = DH_compute_key(bbuf, apub_key, b);
BIO_puts(out, "key2 =");
for (i = 0; i < bout; i++) {
sprintf(buf, "%02X", bbuf[i]);
BIO_puts(out, buf);
}
BIO_puts(out, "\n");
if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
fprintf(stderr, "Error in DH routines\n");
ret = 1;
} else
ret = 0;
if (!run_rfc5114_tests())
ret = 1;
err:
(void)BIO_flush(out);
ERR_print_errors_fp(stderr);
OPENSSL_free(abuf);
OPENSSL_free(bbuf);
DH_free(b);
DH_free(a);
BN_free(bp);
BN_free(bg);
BN_GENCB_free(_cb);
BIO_free(out);
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
if (CRYPTO_mem_leaks_fp(stderr) <= 0)
ret = 1;
#endif
EXIT(ret);
}
ERL_NIF_TERM dh_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
{/* (PrivKey|undefined, DHParams=[P,G], Mpint, Len|0) */
DH *dh_params = NULL;
int mpint; /* 0 or 4 */
{
ERL_NIF_TERM head, tail;
BIGNUM
*dh_p = NULL,
*dh_g = NULL,
*priv_key_in = NULL;
unsigned long
len = 0;
if (!(get_bn_from_bin(env, argv[0], &priv_key_in)
|| argv[0] == atom_undefined)
|| !enif_get_list_cell(env, argv[1], &head, &tail)
|| !get_bn_from_bin(env, head, &dh_p)
|| !enif_get_list_cell(env, tail, &head, &tail)
|| !get_bn_from_bin(env, head, &dh_g)
|| !enif_is_empty_list(env, tail)
|| !enif_get_int(env, argv[2], &mpint) || (mpint & ~4)
|| !enif_get_ulong(env, argv[3], &len)
/* Load dh_params with values to use by the generator.
Mem mgmnt transfered from dh_p etc to dh_params */
|| !(dh_params = DH_new())
|| (priv_key_in && !DH_set0_key(dh_params, NULL, priv_key_in))
|| !DH_set0_pqg(dh_params, dh_p, NULL, dh_g)
) {
if (priv_key_in) BN_free(priv_key_in);
if (dh_p) BN_free(dh_p);
if (dh_g) BN_free(dh_g);
if (dh_params) DH_free(dh_params);
return enif_make_badarg(env);
}
if (len) {
if (len < BN_num_bits(dh_p))
DH_set_length(dh_params, len);
else {
if (priv_key_in) BN_free(priv_key_in);
if (dh_p) BN_free(dh_p);
if (dh_g) BN_free(dh_g);
if (dh_params) DH_free(dh_params);
return enif_make_badarg(env);
}
}
}
#ifdef HAS_EVP_PKEY_CTX
{
EVP_PKEY_CTX *ctx;
EVP_PKEY *dhkey, *params;
int success;
params = EVP_PKEY_new();
success = EVP_PKEY_set1_DH(params, dh_params); /* set the key referenced by params to dh_params... */
DH_free(dh_params); /* ...dh_params (and params) must be freed */
if (!success) return atom_error;
ctx = EVP_PKEY_CTX_new(params, NULL);
EVP_PKEY_free(params);
if (!ctx) {
return atom_error;
}
if (!EVP_PKEY_keygen_init(ctx)) {
/* EVP_PKEY_CTX_free(ctx); */
return atom_error;
}
dhkey = EVP_PKEY_new();
if (!EVP_PKEY_keygen(ctx, &dhkey)) { /* "performs a key generation operation, the ... */
/*... generated key is written to ppkey." (=last arg) */
/* EVP_PKEY_CTX_free(ctx); */
/* EVP_PKEY_free(dhkey); */
return atom_error;
}
dh_params = EVP_PKEY_get1_DH(dhkey); /* return the referenced key. dh_params and dhkey must be freed */
EVP_PKEY_free(dhkey);
if (!dh_params) {
/* EVP_PKEY_CTX_free(ctx); */
return atom_error;
}
EVP_PKEY_CTX_free(ctx);
}
#else
if (!DH_generate_key(dh_params)) return atom_error;
#endif
{
unsigned char *pub_ptr, *prv_ptr;
int pub_len, prv_len;
ERL_NIF_TERM ret_pub, ret_prv;
const BIGNUM *pub_key_gen, *priv_key_gen;
DH_get0_key(dh_params,
&pub_key_gen, &priv_key_gen); /* Get pub_key_gen and priv_key_gen.
"The values point to the internal representation of
the public key and private key values. This memory
should not be freed directly." says man */
pub_len = BN_num_bytes(pub_key_gen);
prv_len = BN_num_bytes(priv_key_gen);
pub_ptr = enif_make_new_binary(env, pub_len+mpint, &ret_pub);
prv_ptr = enif_make_new_binary(env, prv_len+mpint, &ret_prv);
if (mpint) {
put_int32(pub_ptr, pub_len); pub_ptr += 4;
put_int32(prv_ptr, prv_len); prv_ptr += 4;
}
BN_bn2bin(pub_key_gen, pub_ptr);
BN_bn2bin(priv_key_gen, prv_ptr);
ERL_VALGRIND_MAKE_MEM_DEFINED(pub_ptr, pub_len);
ERL_VALGRIND_MAKE_MEM_DEFINED(prv_ptr, prv_len);
DH_free(dh_params);
return enif_make_tuple2(env, ret_pub, ret_prv);
}
}
inline bn::bignum dh_key::private_key() const
{
const BIGNUM* priv_key = NULL;
DH_get0_key(raw(), nullptr, &priv_key);
return const_cast<BIGNUM*>(priv_key);
}
int
input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
const BIGNUM *pub_key;
struct sshkey *server_host_public, *server_host_private;
u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t sbloblen, slen;
size_t klen = 0, hashlen;
int kout, r;
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
server_host_public = kex->load_host_public_key(kex->hostkey_type,
kex->hostkey_nid, ssh);
server_host_private = kex->load_host_private_key(kex->hostkey_type,
kex->hostkey_nid, ssh);
if (server_host_public == NULL) {
r = SSH_ERR_NO_HOSTKEY_LOADED;
goto out;
}
/* key, cert */
if ((dh_client_pub = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
DH_get0_key(kex->dh, &pub_key, NULL);
if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXDH
fprintf(stderr, "dh_client_pub= ");
BN_print_fp(stderr, dh_client_pub);
fprintf(stderr, "\n");
debug("bits %d", BN_num_bits(dh_client_pub));
DHparams_print_fp(stderr, kex->dh);
fprintf(stderr, "pub= ");
BN_print_fp(stderr, pub_key);
fprintf(stderr, "\n");
#endif
if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
sshpkt_disconnect(ssh, "bad client public DH value");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
klen = DH_size(kex->dh);
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((kout = DH_compute_key(kbuf, dh_client_pub, kex->dh)) < 0 ||
BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXDH
dump_digest("shared secret", kbuf, kout);
#endif
if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
&sbloblen)) != 0)
goto out;
/* calc H */
hashlen = sizeof(hash);
if ((r = kex_dh_hash(
kex->hash_alg,
kex->client_version_string,
kex->server_version_string,
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
server_host_key_blob, sbloblen,
dh_client_pub,
pub_key,
shared_secret,
hash, &hashlen)) != 0)
goto out;
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = malloc(kex->session_id_len);
if (kex->session_id == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if ((r = kex->sign(server_host_private, server_host_public, &signature,
&slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
goto out;
/* destroy_sensitive_data(); */
/* send server hostkey, DH pubkey 'f' and signed H */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEXDH_REPLY)) != 0 ||
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
(r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */
(r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
goto out;
if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
DH_free(kex->dh);
kex->dh = NULL;
BN_clear_free(dh_client_pub);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
BN_clear_free(shared_secret);
free(server_host_key_blob);
free(signature);
return r;
}
static int dh_test(void)
{
BN_GENCB *_cb = NULL;
DH *a = NULL;
DH *b = NULL;
const BIGNUM *ap = NULL, *ag = NULL, *apub_key = NULL;
const BIGNUM *bpub_key = NULL;
BIGNUM *bp = NULL, *bg = NULL;
unsigned char *abuf = NULL;
unsigned char *bbuf = NULL;
int i, alen, blen, aout, bout;
int ret = 0;
RAND_seed(rnd_seed, sizeof rnd_seed);
if (!TEST_ptr(_cb = BN_GENCB_new()))
goto err;
BN_GENCB_set(_cb, &cb, NULL);
if (!TEST_ptr(a = DH_new())
|| !TEST_true(DH_generate_parameters_ex(a, 64,
DH_GENERATOR_5, _cb)))
goto err;
if (!DH_check(a, &i))
goto err;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
|| !TEST_false(i & DH_UNABLE_TO_CHECK_GENERATOR)
|| !TEST_false(i & DH_NOT_SUITABLE_GENERATOR))
goto err;
DH_get0_pqg(a, &ap, NULL, &ag);
if (!TEST_ptr(b = DH_new()))
goto err;
if (!TEST_ptr(bp = BN_dup(ap))
|| !TEST_ptr(bg = BN_dup(ag))
|| !TEST_true(DH_set0_pqg(b, bp, NULL, bg)))
goto err;
bp = bg = NULL;
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, NULL);
if (!DH_generate_key(b))
goto err;
DH_get0_key(b, &bpub_key, NULL);
alen = DH_size(a);
if (!TEST_ptr(abuf = OPENSSL_malloc(alen))
|| !TEST_true((aout = DH_compute_key(abuf, bpub_key, a)) != -1))
goto err;
blen = DH_size(b);
if (!TEST_ptr(bbuf = OPENSSL_malloc(blen))
|| !TEST_true((bout = DH_compute_key(bbuf, apub_key, b)) != -1))
goto err;
if (!TEST_true(aout >= 4)
|| !TEST_mem_eq(abuf, aout, bbuf, bout))
goto err;
ret = 1;
err:
OPENSSL_free(abuf);
OPENSSL_free(bbuf);
DH_free(b);
DH_free(a);
BN_free(bp);
BN_free(bg);
BN_GENCB_free(_cb);
return ret;
}
static int run_rfc5114_tests(void)
{
int i;
DH *dhA = NULL;
DH *dhB = NULL;
unsigned char *Z1 = NULL;
unsigned char *Z2 = NULL;
const rfc5114_td *td = NULL;
BIGNUM *bady = NULL, *priv_key = NULL, *pub_key = NULL;
for (i = 0; i < (int)OSSL_NELEM(rfctd); i++) {
td = rfctd + i;
/* Set up DH structures setting key components */
dhA = td->get_param();
dhB = td->get_param();
if ((dhA == NULL) || (dhB == NULL))
goto bad_err;
priv_key = BN_bin2bn(td->xA, td->xA_len, NULL);
pub_key = BN_bin2bn(td->yA, td->yA_len, NULL);
if (priv_key == NULL || pub_key == NULL
|| !DH_set0_key(dhA, pub_key, priv_key))
goto bad_err;
priv_key = BN_bin2bn(td->xB, td->xB_len, NULL);
pub_key = BN_bin2bn(td->yB, td->yB_len, NULL);
if (priv_key == NULL || pub_key == NULL
|| !DH_set0_key(dhB, pub_key, priv_key))
goto bad_err;
priv_key = pub_key = NULL;
if ((td->Z_len != (size_t)DH_size(dhA))
|| (td->Z_len != (size_t)DH_size(dhB)))
goto err;
Z1 = OPENSSL_malloc(DH_size(dhA));
Z2 = OPENSSL_malloc(DH_size(dhB));
if ((Z1 == NULL) || (Z2 == NULL))
goto bad_err;
/*
* Work out shared secrets using both sides and compare with expected
* values.
*/
DH_get0_key(dhB, &pub_key, NULL);
if (DH_compute_key(Z1, pub_key, dhA) == -1) {
pub_key = NULL;
goto bad_err;
}
DH_get0_key(dhA, &pub_key, NULL);
if (DH_compute_key(Z2, pub_key, dhB) == -1) {
pub_key = NULL;
goto bad_err;
}
pub_key = NULL;
if (memcmp(Z1, td->Z, td->Z_len))
goto err;
if (memcmp(Z2, td->Z, td->Z_len))
goto err;
printf("RFC5114 parameter test %d OK\n", i + 1);
DH_free(dhA);
DH_free(dhB);
OPENSSL_free(Z1);
OPENSSL_free(Z2);
dhA = NULL;
dhB = NULL;
Z1 = NULL;
Z2 = NULL;
}
/* Now i == OSSL_NELEM(rfctd) */
/* RFC5114 uses unsafe primes, so now test an invalid y value */
dhA = DH_get_2048_224();
if (dhA == NULL)
goto bad_err;
Z1 = OPENSSL_malloc(DH_size(dhA));
if (Z1 == NULL)
goto bad_err;
bady = BN_bin2bn(dhtest_rfc5114_2048_224_bad_y,
sizeof(dhtest_rfc5114_2048_224_bad_y), NULL);
if (bady == NULL)
goto bad_err;
if (!DH_generate_key(dhA))
goto bad_err;
if (DH_compute_key(Z1, bady, dhA) != -1) {
/*
* DH_compute_key should fail with -1. If we get here we unexpectedly
* allowed an invalid y value
*/
goto err;
}
/* We'll have a stale error on the queue from the above test so clear it */
ERR_clear_error();
printf("RFC5114 parameter test %d OK\n", i + 1);
BN_free(bady);
DH_free(dhA);
OPENSSL_free(Z1);
return 1;
bad_err:
BN_free(bady);
DH_free(dhA);
DH_free(dhB);
BN_free(pub_key);
BN_free(priv_key);
OPENSSL_free(Z1);
OPENSSL_free(Z2);
fprintf(stderr, "Initialisation error RFC5114 set %d\n", i + 1);
ERR_print_errors_fp(stderr);
return 0;
err:
BN_free(bady);
DH_free(dhA);
DH_free(dhB);
OPENSSL_free(Z1);
OPENSSL_free(Z2);
fprintf(stderr, "Test failed RFC5114 set %d\n", i + 1);
return 0;
}
inline bn::bignum dh_key::public_key() const
{
const BIGNUM* pub_key = nullptr;
DH_get0_key(raw(), &pub_key, nullptr);
return const_cast<BIGNUM*>(pub_key);
}
int
get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar,
size_t outkey_len,
netsnmp_pdu *pdu, const char *keyname,
oid *keyoid, size_t keyoid_len) {
u_char *dhkeychange;
DH *dh;
const BIGNUM *p, *g, *pub_key;
BIGNUM *other_pub;
u_char *key;
size_t key_len;
dhkeychange = (u_char *) malloc(2 * vars->val_len * sizeof(char));
if (!dhkeychange)
return SNMPERR_GENERR;
memcpy(dhkeychange, vars->val.string, vars->val_len);
{
const unsigned char *cp = dhvar->val.string;
dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
}
if (dh)
DH_get0_pqg(dh, &p, NULL, &g);
if (!dh || !g || !p) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
if (!DH_generate_key(dh)) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
DH_get0_key(dh, &pub_key, NULL);
if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
SNMP_FREE(dhkeychange);
fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
(unsigned long)vars->val_len, BN_num_bytes(pub_key));
return SNMPERR_GENERR;
}
BN_bn2bin(pub_key, dhkeychange + vars->val_len);
key_len = DH_size(dh);
if (!key_len) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
key = (u_char *) malloc(key_len * sizeof(u_char));
if (!key) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
other_pub = BN_bin2bn(vars->val.string, vars->val_len, NULL);
if (!other_pub) {
SNMP_FREE(dhkeychange);
SNMP_FREE(key);
return SNMPERR_GENERR;
}
if (DH_compute_key(key, other_pub, dh)) {
u_char *kp;
printf("new %s key: 0x", keyname);
for(kp = key + key_len - outkey_len;
kp - key < (int)key_len; kp++) {
printf("%02x", (unsigned char) *kp);
}
printf("\n");
}
snmp_pdu_add_variable(pdu, keyoid, keyoid_len,
ASN_OCTET_STR, dhkeychange,
2 * vars->val_len);
SNMP_FREE(dhkeychange);
SNMP_FREE(other_pub);
SNMP_FREE(key);
return SNMPERR_SUCCESS;
}
