authorShane Lontis <shane.lontis@oracle.com>2020-04-20 11:07:38 +1000
committerShane Lontis <shane.lontis@oracle.com>2020-04-20 11:07:38 +1000
commit738ee1819e3bb94723701fb505ce2971afe47a9b (patch)
tree2fd8588534087594f2371060c20bc6890d39a33a /test
parent9e537cd2ad01b172f2700a670e9269075078a426 (diff)
downloadopenssl-new-738ee1819e3bb94723701fb505ce2971afe47a9b.tar.gz
Fix DH_get_nid() so that it does not cache values.
DH_set0_pqg() is now responsible for caching the nid, q and length. DH with or without named safe prime groups now defaults to using the maximum private key length (BN_num_bits(q) - 1) when generating a DH private key. The code is now shared between fips and non-fips mode for DH key generation. The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be in the range (2 * strength ... bits(q) - 1), where the strength depends on the length of p. Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (to simplify adding new names). The BIGNUMS were code generated. Fix error in documented return value for DH_get_nid. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11562)
Diffstat (limited to 'test')
-rw-r--r--test/evp_pkey_provided_test.c6
-rw-r--r--test/ffc_internal_test.c8
-rw-r--r--test/recipes/15-test_gendh.t19
3 files changed, 25 insertions, 8 deletions
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c
index 7b61cbe11f..1ded0d9f9e 100644
--- a/test/evp_pkey_provided_test.c
+++ b/test/evp_pkey_provided_test.c
@@ -408,7 +408,8 @@ static int test_fromdata_dh_named_group(void)
/*
* DH key data was generated using the following:
- * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text
+ * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048
+ * -pkeyopt priv_len:224 -text
*/
static const unsigned char priv_data[] = {
0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d,
@@ -547,7 +548,8 @@ static int test_fromdata_dh_fips186_4(void)
/*
* DH key data was generated using the following:
- * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text
+ * openssl genpkey -algorithm DH
+ * -pkeyopt group:ffdhe2048 -pkeyopt priv_len:224 -text
*/
static const unsigned char priv_data[] = {
0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d,
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
index e74dc1bd0f..c0b8e67871 100644
--- a/test/ffc_internal_test.c
+++ b/test/ffc_internal_test.c
@@ -600,19 +600,19 @@ static int ffc_private_gen_test(int index)
N = BN_num_bits(params->q);
/* Fail since N < 2*s - where s = 112*/
- if (!TEST_false(ffc_generate_private_key_fips(ctx, params, 220, 112, priv)))
+ if (!TEST_false(ffc_generate_private_key(ctx, params, 220, 112, priv)))
goto err;
/* fail since N > len(q) */
- if (!TEST_false(ffc_generate_private_key_fips(ctx, params, N + 1, 112, priv)))
+ if (!TEST_false(ffc_generate_private_key(ctx, params, N + 1, 112, priv)))
goto err;
/* pass since 2s <= N <= len(q) */
- if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N, 112, priv)))
+ if (!TEST_true(ffc_generate_private_key(ctx, params, N, 112, priv)))
goto err;
/* pass since N = len(q) */
if (!TEST_true(ffc_validate_private_key(params->q, priv, &res)))
goto err;
/* pass since 2s <= N < len(q) */
- if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N / 2, 112, priv)))
+ if (!TEST_true(ffc_generate_private_key(ctx, params, N / 2, 112, priv)))
goto err;
if (!TEST_true(ffc_validate_private_key(params->q, priv, &res)))
goto err;
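Review bot: The `N / 2` success case at the end of this hunk never checks that the generated key honours the requested length. `ffc_validate_private_key(params->q, priv, &res)` is handed only q, so as far as the hunk shows it cannot tell a key bounded by N / 2 bits from one drawn from the full range. Bounding the private key is what the length argument is for, so add `if (!TEST_int_le(BN_num_bits(priv), N / 2)) goto err;` right after that generate call. The comment `pass since 2s <= N < len(q)` also presumes N / 2 >= 224, which depends on the params set up outside the hunk; ffc_private_gen_test starts and ends outside it.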
diff --git a/test/recipes/15-test_gendh.t b/test/recipes/15-test_gendh.t
index 87ddac96f7..a2ef8dab9f 100644
--- a/test/recipes/15-test_gendh.t
+++ b/test/recipes/15-test_gendh.t
@@ -18,7 +18,7 @@ setup("test_gendh");
plan skip_all => "This test is unsupported in a no-dh build" if disabled("dh");
-plan tests => 9;
+plan tests => 13;
ok(run(app([ 'openssl', 'genpkey', '-genparam',
'-algorithm', 'DH',
@@ -80,4 +80,19 @@ ok(run(app([ 'openssl', 'genpkey',
ok(!run(app([ 'openssl', 'genpkey',
'-algorithm', 'DH'])),
"genpkey DH with no params should fail");
- \ No newline at end of file
+
+ ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt',
+ 'group:ffdhe3072', '-pkeyopt', 'priv_len:255', '-text'])),
+ 'genpkey DH with a small private len should fail');
+
+ ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt',
+ 'group:ffdhe3072', '-pkeyopt', 'priv_len:3072', '-text'])),
+ 'genpkey DH with a large private len should fail');
+
+ ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt',
+ 'group:ffdhe3072', '-pkeyopt', 'priv_len:256', '-text'])),
+ 'genpkey DH with a minimum strength private len');
+
+ ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt',
+ 'group:ffdhe2048', '-pkeyopt', 'priv_len:224', '-text'])),
+ 'genpkey 2048 DH with a minimum strength private len');
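Review bot: The new cases pin the lower bound for ffdhe3072 from both sides (255 rejected, 256 accepted), but the upper bound only from the rejecting side, and `priv_len:3072` does not decide which limit is enforced. The commit message gives the maximum as bits(q) - 1, while the comments in test/ffc_internal_test.c accept N = len(q); with q = (p - 1) / 2 presumably one bit shorter than p, 3072 is rejected under either rule. An accepting case at the largest intended length, e.g. `'group:ffdhe3072', '-pkeyopt', 'priv_len:3070', '-text'`, plus a rejecting one at the next value up would fix the boundary, with `plan tests` raised to match. The ffdhe2048 case likewise has no rejecting counterpart at 223.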