From f1ffaaeece5efb7d2f4859a59e3164edf9b4b769 Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Thu, 15 Apr 2021 18:25:17 +1000 Subject: Fixes related to separation of DH and DHX types Fix dh_rfc5114 option in genpkey. Fixes #14145 Fixes #13956 Fixes #13952 Fixes #13871 Fixes #14054 Fixes #14444 Updated documentation for app to indicate what options are available for DH and DHX keys. DH and DHX now have different keymanager gen_set_params() methods. Added CHANGES entry to indicate the breaking change. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14883) --- crypto/evp/ctrl_params_translate.c | 104 ++++++++++++++++++++++--------------- 1 file changed, 61 insertions(+), 43 deletions(-) (limited to 'crypto/evp/ctrl_params_translate.c') diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index 8f4ffd3bc4..f48e723c33 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -977,7 +977,7 @@ static int fix_oid(enum state state, return ret; } -/* EVP_PKEY_CTRL_DH_NID, ...??? */ +/* EVP_PKEY_CTRL_DH_NID */ static int fix_dh_nid(enum state state, const struct translation_st *translation, struct translation_ctx_st *ctx) @@ -987,7 +987,7 @@ static int fix_dh_nid(enum state state, if ((ret = default_check(state, translation, ctx)) <= 0) return ret; - /* This is currently only settable */ + /* This is only settable */ if (ctx->action_type != SET) return 0; 
@@ -997,16 +997,30 @@ static int fix_dh_nid(enum state state, ctx->p1 = 0; } - if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return default_fixup_args(state, translation, ctx); +} + +/* EVP_PKEY_CTRL_DH_RFC5114 */ +static int fix_dh_nid5114(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) +{ + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) return ret; - if (state == PRE_PARAMS_TO_CTRL) { - ctx->p1 = - ossl_ffc_named_group_get_uid(ossl_ffc_name_to_dh_named_group(ctx->p2)); - ctx->p2 = NULL; + /* This is only settable */ + if (ctx->action_type != SET) + return 0; + + if (state == PRE_CTRL_STR_TO_PARAMS) { + ctx->p2 = (char *)ossl_ffc_named_group_get_name + (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2))); + ctx->p1 = 0; } - return ret; + return default_fixup_args(state, translation, ctx); } /* EVP_PKEY_CTRL_DH_PARAMGEN_TYPE */ @@ -1019,24 +1033,16 @@ static int fix_dh_paramgen_type(enum state state, if ((ret = default_check(state, translation, ctx)) <= 0) return ret; - /* This is currently only settable */ + /* This is only settable */ if (ctx->action_type != SET) return 0; - if (state == PRE_CTRL_TO_PARAMS) { - ctx->p2 = (char *)ossl_dh_gen_type_id2name(ctx->p1); - ctx->p1 = 0; - } - - if ((ret = default_fixup_args(state, translation, ctx)) <= 0) - return ret; - - if (state == PRE_PARAMS_TO_CTRL) { - ctx->p1 = ossl_dh_gen_type_name2id(ctx->p2); - ctx->p2 = NULL; + if (state == PRE_CTRL_STR_TO_PARAMS) { + ctx->p2 = (char *)ossl_dh_gen_type_id2name(atoi(ctx->p2)); + ctx->p1 = strlen(ctx->p2); } - return ret; + return default_fixup_args(state, translation, ctx); } /* EVP_PKEY_CTRL_EC_PARAM_ENC */ 
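Review bot: In fix_dh_nid5114 the new PRE_CTRL_STR_TO_PARAMS branch stores the result of `ossl_ffc_named_group_get_name(ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)))` into ctx->p2 without checking it, so an unrecognised `dh_rfc5114` value (a number that names no RFC 5114 group, or a non-numeric string that atoi folds to 0) falls through to default_fixup_args with a NULL p2 and p1 of 0, and whether that is rejected cleanly or becomes a NULL-string parameter depends on code not visible in this diff. Rejecting it in the fixup itself is cheaper and clearer: `if (ctx->p2 == NULL) return 0;` right after the assignment, with an ERR_raise if the file's other fixups report errors that way. atoi also gives no way to tell "0" from garbage; strtol with an end-pointer check would make the option parsing strict, though that is secondary to the NULL check. The function is complete within this hunk.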
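Review bot: fix_dh_paramgen_type now does `ctx->p1 = strlen(ctx->p2)` immediately after `ctx->p2 = (char *)ossl_dh_gen_type_id2name(atoi(ctx->p2))`; if that lookup returns NULL for an id it does not know (the usual behaviour of a table lookup, though its body is not in this diff), an unknown `dh_paramgen_type:<n>` string dereferences NULL in strlen instead of failing. A guard between the two lines closes it: `if (ctx->p2 == NULL) return 0;`. This function also leaves p1 as the string length while fix_dh_nid5114 in the previous hunk sets p1 to 0 for the same kind of UTF8 string parameter; whichever convention default_fixup_args actually relies on, the two fixups should agree. With the PRE_CTRL_TO_PARAMS branch gone, an integer-form ctrl for this command no longer has its id translated to a name here, which is presumably part of the intended breaking change but deserves a sentence in the function comment. The function is complete within this hunk.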
@@ -1927,35 +1933,47 @@ static const struct translation_st evp_pkey_ctx_translations[] = { EVP_PKEY_CTRL_GET_DH_KDF_OID, NULL, NULL, OSSL_KDF_PARAM_CEK_ALG, OSSL_PARAM_UTF8_STRING, fix_oid }, - { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_DH_PAD, "dh_pad", NULL, - OSSL_EXCHANGE_PARAM_PAD, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + /* DHX Keygen Parameters that are shared with DH */ + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL, + OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, "dh_paramgen_prime_len", NULL, + OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_DH_NID, "dh_param", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, NULL }, + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid5114 }, + /* DH Keygen Parameters that are shared with DHX */ + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL, + OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type }, + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, "dh_paramgen_prime_len", NULL, + OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_DH_NID, "dh_param", NULL, OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid }, - { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, NULL, NULL, - OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, - { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, "dh_paramgen_subprime_len", 
NULL, - OSSL_PKEY_PARAM_FFC_QBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid5114 }, + + /* DH specific Keygen Parameters */ { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, "dh_paramgen_generator", NULL, OSSL_PKEY_PARAM_DH_GENERATOR, OSSL_PARAM_INTEGER, NULL }, - { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL, - OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type }, - /* - * This is know to be incorrect, will be fixed and enabled when the - * underlying code is corrected. - * Until then, we simply don't support it here. - */ -#if 0 - { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL, - OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_INTEGER, NULL }, -#endif + + /* DHX specific Keygen Parameters */ + { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN, + EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, "dh_paramgen_subprime_len", NULL, + OSSL_PKEY_PARAM_FFC_QBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + + { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_PAD, "dh_pad", NULL, + OSSL_EXCHANGE_PARAM_PAD, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, /*- * DSA -- cgit v1.2.3
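Review bot: The new DHX row for `EVP_PKEY_CTRL_DH_NID` carries a NULL fixup whereas the DH row for the same ctrl a few lines below uses fix_dh_nid; fix_dh_nid is the function that maps between the ctrl's integer nid and the OSSL_PKEY_PARAM_GROUP_NAME string, so unless the integer form is deliberately unsupported for DHX keys, a DHX caller using it would presumably reach default_fixup_args with an integer p1 and no string. If that is not intended, the row should end `OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid },` like its DH counterpart. The rows under "DHX Keygen Parameters that are shared with DH" are otherwise verbatim copies of the DH rows, so a comment such as `/* Keep in sync with the EVP_PKEY_DH rows below */` would help the next person who edits one set and not the other. The table continues outside the hunk.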