mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-06 20:20:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

dhparam: update command line app to use EVP calls

Browse Source 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
This commit is contained in:
Pauli 2020-03-03 17:38:39 +10:00
parent b0cfe526d7
commit ccefc3411e
4 changed files with 88 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
apps/dhparam.c
View File

@ -7,9 +7,10 @@
* https://www.openssl.org/source/license.html
*/
#ifndef OPENSSL_NO_DEPRECATED_3_0
/* We need to use some deprecated APIs */
#define OPENSSL_SUPPRESS_DEPRECATED
# define OPENSSL_SUPPRESS_DEPRECATED
#endif
#include <openssl/opensslconf.h>
#include <stdio.h>
@ -25,13 +26,16 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#ifndef OPENSSL_NO_DSA
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
# include <openssl/dsa.h>
#endif
#define DEFBITS 2048
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
static int dh_cb(int p, int n, BN_GENCB *cb);
#endif
static int gendh_cb(EVP_PKEY_CTX *ctx);
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@ -81,9 +85,11 @@ int dhparam_main(int argc, char **argv)
{
BIO *in = NULL, *out = NULL;
DH *dh = NULL;
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
char *infile = NULL, *outfile = NULL, *prog;
ENGINE *e = NULL;
#ifndef OPENSSL_NO_DSA
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
int dsaparam = 0;
#endif
int i, text = 0, C = 0, ret = 1, num = 0, g = 0;
@ -127,7 +133,11 @@ int dhparam_main(int argc, char **argv)
break;
case OPT_DSAPARAM:
#ifndef OPENSSL_NO_DSA
# ifdef OPENSSL_NO_DEPRECATED_3_0
BIO_printf(bio_err, "The dsaparam option is deprecated.\n");
# else
dsaparam = 1;
# endif
#endif
break;
case OPT_C:
@ -164,7 +174,7 @@ int dhparam_main(int argc, char **argv)
if (g && !num)
num = DEFBITS;
#ifndef OPENSSL_NO_DSA
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if (dsaparam && g) {
BIO_printf(bio_err,
"generator may not be chosen for DSA parameters\n");
@ -182,18 +192,18 @@ int dhparam_main(int argc, char **argv)
if (num) {
BN_GENCB *cb;
cb = BN_GENCB_new();
if (cb == NULL) {
ERR_print_errors(bio_err);
goto end;
}
BN_GENCB_set(cb, dh_cb, bio_err);
#ifndef OPENSSL_NO_DSA
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if (dsaparam) {
DSA *dsa = DSA_new();
BN_GENCB *cb = BN_GENCB_new();
if (cb == NULL) {
ERR_print_errors(bio_err);
goto end;
}
BN_GENCB_set(cb, dh_cb, bio_err);
BIO_printf(bio_err,
"Generating DSA parameters, %d bit long prime\n", num);
@ -208,34 +218,52 @@ int dhparam_main(int argc, char **argv)
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
BN_GENCB_free(cb);
if (dh == NULL) {
BN_GENCB_free(cb);
ERR_print_errors(bio_err);
goto end;
}
} else
#endif
{
dh = DH_new();
ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
if (ctx == NULL) {
ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Error, DH key generation context allocation failed\n");
goto end;
}
EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
BIO_printf(bio_err,
"Generating DH parameters, %d bit long safe prime, generator %d\n",
num, g);
BIO_printf(bio_err, "This is going to take a long time\n");
if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
BN_GENCB_free(cb);
if (!EVP_PKEY_paramgen_init(ctx)) {
BIO_printf(bio_err,
"Error, unable to initialise DH param generation\n");
ERR_print_errors(bio_err);
goto end;
}
if (!EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, num)) {
BIO_printf(bio_err, "Error, unable to set DH prime length\n");
ERR_print_errors(bio_err);
goto end;
}
if (!EVP_PKEY_paramgen(ctx, &pkey)) {
BIO_printf(bio_err, "Error, DH generation failed\n");
ERR_print_errors(bio_err);
goto end;
}
}
BN_GENCB_free(cb);
} else {
in = bio_open_default(infile, 'r', informat);
if (in == NULL)
goto end;
#ifndef OPENSSL_NO_DSA
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if (dsaparam) {
DSA *dsa;
@ -264,10 +292,10 @@ int dhparam_main(int argc, char **argv)
* We have no PEM header to determine what type of DH params it
* is. We'll just try both.
*/
dh = d2i_DHparams_bio(in, NULL);
dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHparams, in, NULL);
/* BIO_reset() returns 0 for success for file BIOs only!!! */
if (dh == NULL && BIO_reset(in) == 0)
dh = d2i_DHxparams_bio(in, NULL);
dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, in, NULL);
} else {
/* informat == FORMAT_PEM */
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
@ -283,33 +311,17 @@ int dhparam_main(int argc, char **argv)
/* dh != NULL */
}
if (text) {
DHparams_print(out, dh);
}
if (text)
EVP_PKEY_print_params(out, pkey, 4, NULL);
if (check) {
if (!DH_check(dh, &i)) {
if (!EVP_PKEY_param_check(ctx) /* DH_check(dh, &i) */) {
ERR_print_errors(bio_err);
BIO_printf(bio_err, "ERROR: Invalid parameters generated\n");
goto end;
}
if (i & DH_CHECK_P_NOT_PRIME)
BIO_printf(bio_err, "WARNING: p value is not prime\n");
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
BIO_printf(bio_err, "WARNING: p value is not a safe prime\n");
if (i & DH_CHECK_Q_NOT_PRIME)
BIO_printf(bio_err, "WARNING: q value is not a prime\n");
if (i & DH_CHECK_INVALID_Q_VALUE)
BIO_printf(bio_err, "WARNING: q value is invalid\n");
if (i & DH_CHECK_INVALID_J_VALUE)
BIO_printf(bio_err, "WARNING: j value is invalid\n");
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
BIO_printf(bio_err,
"WARNING: unable to check the generator value\n");
if (i & DH_NOT_SUITABLE_GENERATOR)
BIO_printf(bio_err, "WARNING: the g value is not a generator\n");
if (i == 0)
BIO_printf(bio_err, "DH parameters appear to be ok.\n");
if (num != 0 && i != 0) {
BIO_printf(bio_err, "DH parameters appear to be ok.\n");
if (num != 0) {
/*
* We have generated parameters but DH_check() indicates they are
* invalid! This should never happen!
@ -323,8 +335,9 @@ int dhparam_main(int argc, char **argv)
int len, bits;
const BIGNUM *pbn, *gbn;
len = DH_size(dh);
bits = DH_bits(dh);
dh = EVP_PKEY_get0_DH(pkey);
len = EVP_PKEY_size(pkey);
bits = EVP_PKEY_size(pkey);
DH_get0_pqg(dh, &pbn, NULL, &gbn);
data = app_malloc(len, "print a BN");
@ -362,9 +375,9 @@ int dhparam_main(int argc, char **argv)
DH_get0_pqg(dh, NULL, &q, NULL);
if (outformat == FORMAT_ASN1) {
if (q != NULL)
i = i2d_DHxparams_bio(out, dh);
i = ASN1_i2d_bio_of(DH, i2d_DHxparams, out, dh);
else
i = i2d_DHparams_bio(out, dh);
i = ASN1_i2d_bio_of(DH, i2d_DHparams, out, dh);
} else if (q != NULL) {
i = PEM_write_bio_DHxparams(out, dh);
} else {
@ -380,17 +393,31 @@ int dhparam_main(int argc, char **argv)
end:
BIO_free(in);
BIO_free_all(out);
DH_free(dh);
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(ctx);
release_engine(e);
return ret;
}
static int dh_cb(int p, int n, BN_GENCB *cb)
static int common_dh_cb(int p, BIO *b)
{
static const char symbols[] = ".+*\n";
char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
(void)BIO_flush(BN_GENCB_get_arg(cb));
BIO_write(b, &c, 1);
(void)BIO_flush(b);
return 1;
}
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
static int dh_cb(int p, int n, BN_GENCB *cb)
{
return common_dh_cb(p, BN_GENCB_get_arg(cb));
}
#endif
static int gendh_cb(EVP_PKEY_CTX *ctx)
{
return common_dh_cb(EVP_PKEY_CTX_get_keygen_info(ctx, 0),
EVP_PKEY_CTX_get_app_data(ctx));
}

8
doc/man3/DH_get0_pqg.pod
View File

@ -27,13 +27,14 @@ DH_get_length, DH_set_length - Routines for getting and setting data in a DH obj
int DH_test_flags(const DH *dh, int flags);
void DH_set_flags(DH *dh, int flags);
long DH_get_length(const DH *dh);
int DH_set_length(DH *dh, long length);
Deprecated since OpenSSL 3.0, can be hidden entirely by defining
B<OPENSSL_API_COMPAT> with a suitable version value, see
L<openssl_user_macros(7)>:
ENGINE *DH_get0_engine(DH *d);
long DH_get_length(const DH *dh);
int DH_set_length(DH *dh, long length);
=head1 DESCRIPTION
@ -127,8 +128,7 @@ L<DH_set_method(3)>, L<DH_size(3)>, L<DH_meth_new(3)>
=head1 HISTORY
The DH_get0_engine(), DH_get_length() and DH_set_length() functions were
deprecated in OpenSSL 3.0.
The DH_get0_engine() function was deprecated in OpenSSL 3.0.
The functions described here were added in OpenSSL 1.1.0.

4
include/openssl/dh.h
View File

@ -222,8 +222,8 @@ void DH_clear_flags(DH *dh, int flags);
int DH_test_flags(const DH *dh, int flags);
void DH_set_flags(DH *dh, int flags);
DEPRECATEDIN_3_0(ENGINE *DH_get0_engine(DH *d))
DEPRECATEDIN_3_0(long DH_get_length(const DH *dh))
DEPRECATEDIN_3_0(int DH_set_length(DH *dh, long length))
long DH_get_length(const DH *dh);
int DH_set_length(DH *dh, long length);
DEPRECATEDIN_3_0(DH_METHOD *DH_meth_new(const char *name, int flags))
DEPRECATEDIN_3_0(void DH_meth_free(DH_METHOD *dhm))

4
util/libcrypto.num
View File

@ -3953,9 +3953,9 @@ DH_clear_flags 4041 3_0_0 EXIST::FUNCTION:DH
DH_get0_key 4042 3_0_0 EXIST::FUNCTION:DH
DH_get0_engine 4043 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
DH_set0_key 4044 3_0_0 EXIST::FUNCTION:DH
DH_set_length 4045 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
DH_set_length 4045 3_0_0 EXIST::FUNCTION:DH
DH_test_flags 4046 3_0_0 EXIST::FUNCTION:DH
DH_get_length 4047 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
DH_get_length 4047 3_0_0 EXIST::FUNCTION:DH
DH_get0_pqg 4048 3_0_0 EXIST::FUNCTION:DH
DH_meth_get_compute_key 4049 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
DH_meth_set1_name 4050 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH