TLS1.3 FFDHE Support

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8178)

4 files changed, 83 insertions, 3 deletions

diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 1424c41abe..524cac5bd8 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -490,6 +490,18 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri);
 static int dh_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 {
     switch (op) {
+    case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
+        return dh_buf2key(EVP_PKEY_get0_DH(pkey), arg2, arg1);
+    case ASN1_PKEY_CTRL_GET1_TLS_ENCPT:
+        return dh_key2buf(EVP_PKEY_get0_DH(pkey), arg2);
+    default:
+        return -2;
+    }
+}
+
+static int dhx_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
+{
+    switch (op) {
 #ifndef OPENSSL_NO_CMS
 
     case ASN1_PKEY_CTRL_CMS_ENVELOPE:
@@ -558,7 +570,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
     0,
 
     int_dh_free,
-    0,
+    dh_pkey_ctrl,
 
     0, 0, 0, 0, 0,
 
@@ -597,7 +609,7 @@ const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = {
     0,
 
     int_dh_free,
-    dh_pkey_ctrl,
+    dhx_pkey_ctrl,
 
     0, 0, 0, 0, 0,
 
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 66bf6b5ad8..a78a6a9c3f 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -16,6 +16,7 @@
 static const ERR_STRING_DATA DH_str_functs[] = {
     {ERR_PACK(ERR_LIB_DH, DH_F_COMPUTE_KEY, 0), "compute_key"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUF2KEY, 0), "dh_buf2key"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
      "dh_builtin_genparams"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
@@ -25,6 +26,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
      "dh_cms_set_shared_info"},
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_KEY2BUF, 0), "dh_key2buf"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4b0b1f3255..6b3a1247b2 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -228,3 +228,66 @@ static int dh_finish(DH *dh)
     BN_MONT_CTX_free(dh->method_mont_p);
     return 1;
 }
+
+int dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
+{
+    int err_reason = DH_R_BN_ERROR;
+    BIGNUM *pubkey = NULL;
+    const BIGNUM *p;
+    size_t p_size;
+
+    if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
+        goto err;
+    DH_get0_pqg(dh, &p, NULL, NULL);
+    if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
+        err_reason = DH_R_NO_PARAMETERS_SET;
+        goto err;
+    }
+    /*
+     * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
+     * public key is of size not equal to size of p
+     */
+    if (BN_is_zero(pubkey) || p_size != len) {
+        err_reason = DH_R_INVALID_PUBKEY;
+        goto err;
+    }
+    if (DH_set0_key(dh, pubkey, NULL) != 1)
+        goto err;
+    return 1;
+err:
+    DHerr(DH_F_DH_BUF2KEY, err_reason);
+    BN_free(pubkey);
+    return 0;
+}
+
+size_t dh_key2buf(const DH *dh, unsigned char **pbuf_out)
+{
+    const BIGNUM *pubkey;
+    unsigned char *pbuf;
+    const BIGNUM *p;
+    int p_size;
+
+    DH_get0_pqg(dh, &p, NULL, NULL);
+    DH_get0_key(dh, &pubkey, NULL);
+    if (p == NULL || pubkey == NULL
+            || (p_size = BN_num_bytes(p)) == 0
+            || BN_num_bytes(pubkey) == 0) {
+        DHerr(DH_F_DH_KEY2BUF, DH_R_INVALID_PUBKEY);
+        return 0;
+    }
+    if ((pbuf = OPENSSL_malloc(p_size)) == NULL) {
+        DHerr(DH_F_DH_KEY2BUF, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+    /*
+     * As per Section 4.2.8.1 of RFC 8446 left pad public
+     * key with zeros to the size of p
+     */
+    if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
+        OPENSSL_free(pbuf);
+        DHerr(DH_F_DH_KEY2BUF, DH_R_BN_ERROR);
+        return 0;
+    }
+    *pbuf_out = pbuf;
+    return p_size;
+}
diff --git a/crypto/dh/dh_locl.h b/crypto/dh/dh_locl.h
index 6186901ee7..bb64cde9f7 100644
--- a/crypto/dh/dh_locl.h
+++ b/crypto/dh/dh_locl.h
@@ -55,3 +55,6 @@ struct dh_method {
     int (*generate_params) (DH *dh, int prime_len, int generator,
                             BN_GENCB *cb);
 };
+
+int dh_buf2key(DH *key, const unsigned char *buf, size_t len);
+size_t dh_key2buf(const DH *dh, unsigned char **pbuf);