Fix DH ASN1 decode so that it detects named groups.

The dh->nid was not being set if the loaded p,g matched an inbuilt named group for "DH". NOTE: The "DHX" related path already worked since it calls DH_set0_pqg() (which does the name group check). This bug was detected when new tests were added for dh5114 groups, combined with the no-cache tests i.e. loading+import+export set the nid, but just loading did not. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14207)
2025-04-27 10:14:36 +00:00 · 2021-02-17 13:13:51 +10:00 · 2021-02-17 13:13:51 +10:00 · eabb301416
commit eabb301416
parent 576892d78f
4 changed files with 46 additions and 3 deletions
--- a/crypto/dh/dh_asn1.c
+++ b/crypto/dh/dh_asn1.c
@ -19,6 +19,7 @@
 #include "dh_local.h"
 #include <openssl/objects.h>
 #include <openssl/asn1t.h>
+#include "crypto/dh.h"

 /* Override the default free and new methods */
 static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@ -38,6 +39,7 @@ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,

        DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
        DH_set_flags(dh, DH_FLAG_TYPE_DH);
+        dh_cache_named_group(dh);
        dh->dirty_cnt++;
    }
    return 1;
@ -88,8 +90,6 @@ int i2d_int_dhx(const int_dhx942_dh *a, unsigned char **pp);

 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(int_dhx942_dh, DHxparams, int_dhx)

-/* Application public function: read in X9.42 DH parameters into DH structure */
-
 DH *d2i_DHxparams(DH **a, const unsigned char **pp, long length)
 {
    FFC_PARAMS *params;
--- a/test/recipes/20-test_dhparam_check.t
+++ b/test/recipes/20-test_dhparam_check.t
@ -56,13 +56,17 @@ mkdir -p $TESTDIR
 ./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q224_t1862.pem
 ./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:3072 -pkeyopt qbits:256 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p3072_q256_t1862.pem

+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 -out $TESTDIR/dh_ffdhe2048.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt group:ffdhe2048 -out $TESTDIR/dhx_ffdhe2048.pem
+
+
 =cut

 my @valid = glob(data_file("valid", "*.pem"));
 my @invalid = glob(data_file("invalid", "*.pem"));

 my $num_tests = scalar @valid + scalar @invalid;
-plan tests => 2 * $num_tests;
+plan tests => 2 + 2 * $num_tests;

 foreach (@valid) {
    ok(run(app([qw{openssl dhparam -noout -check -in}, $_])));
@ -73,3 +77,21 @@ foreach (@invalid) {
    ok(!run(app([qw{openssl dhparam -noout -check -in}, $_])));
    ok(!run(app([qw{openssl pkeyparam -noout -check -in}, $_])));
 }
+
+my $tmpfile = 'out.txt';
+
+sub contains {
+    my $expected = shift;
+    my $found = 0;
+    open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile";
+    while(<$in>) {
+        $found = 1 if m/$expected/; # output must include $expected
+    }
+    close $in;
+    return $found;
+}
+
+# Check that if we load dh params with only a 'p' and 'g' that it detects
+# that this is actually a valid named group.
+ok(run(app([qw{openssl pkeyparam -text -in}, data_file("valid/dh_ffdhe2048.pem")], stdout => $tmpfile)));
+ok(contains("ffdhe2048"))
--- a/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
+++ b/test/recipes/20-test_dhparam_check_data/valid/dh_ffdhe2048.pem
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8=
+-----END DH PARAMETERS-----
--- a/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
+++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_ffdhe2048.pem
@ -0,0 +1,13 @@
+-----BEGIN X9.42 DH PARAMETERS-----
+MIICDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgKCAQB//////////9b8KixRXaVN
+V+4rEBOennjsXOLB5xabStTwmyCKMhn95knO5xJNn3y+l/GxsYY67HtA2QFXYjC9
+ae+Paur+srCSGfqPr4M3aEKxsqqe9o152quJrz+r5JrMJ4Y4cHNFu/FTRO159/Q5
+DvisUJtW85qYVmUnpB08vV4FWMFZkn2w6IRUpdlkcf3ctW1bsGv6NA6noVHvHKb6
+Vyt287G5XYyFg9PkdwU2uE8BfnDm+/F2YBoCZpQaF7DIuX9OdMLB/8cniRl3eUDB
+4f8djaY31rmd2v5eF2EQAuLHeMG+i0HZY3mlE2DZd/1ENaEcMJQuS///////////
+-----END X9.42 DH PARAMETERS-----