xref: /freebsd/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 (revision 0e8011faf58b743cc652e3b2ad0f7671227610df)
Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)

Standard preamble:
========================================================================
..
..
.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "EVP_PKEY-DH 7ossl"
EVP_PKEY-DH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
"NAME"
EVP_PKEY-DH, EVP_PKEY-DHX, EVP_KEYMGMT-DH, EVP_KEYMGMT-DHX \- EVP_PKEY DH and DHX keytype and algorithm support
"DESCRIPTION"
Header "DESCRIPTION" For \s-1DH\s0 \s-1FFC\s0 key agreement, two classes of domain parameters can be used: \*(L"safe\*(R" domain parameters that are associated with approved named safe-prime groups, and a class of \*(L"FIPS186-type\*(R" domain parameters. FIPS186-type domain parameters should only be used for backward compatibility with existing applications that cannot be upgraded to use the approved safe-prime groups.

See \s-1EVP_PKEY-FFC\s0\|(7) for more information about \s-1FFC\s0 keys.

The \s-1DH\s0 key type uses PKCS#3 format which saves p and g, but not the \fIq value. The \s-1DHX\s0 key type uses X9.42 format which saves the value of q and this must be used for \s-1FIPS186-4.\s0 If key validation is required, users should be aware of the nuances associated with \s-1FIPS186-4\s0 style parameters as discussed in \*(L"\s-1DH\s0 key validation\*(R".

"\s-1DH\s0 and \s-1DHX\s0 domain parameters"
Subsection "DH and DHX domain parameters" In addition to the common \s-1FCC\s0 parameters that all \s-1FFC\s0 keytypes should support (see \*(L"\s-1FFC\s0 parameters\*(R" in \s-1EVP_PKEY-FFC\s0\|(7)) the \s-1DHX\s0 and \s-1DH\s0 keytype implementations support the following: Item "group (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>" Sets or gets a string that associates a \s-1DH\s0 or \s-1DHX\s0 named safe prime group with known values for p, q and g. .Sp The following values can be used by the OpenSSL's default and \s-1FIPS\s0 providers: \*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R", \*(L"ffdhe8192\*(R", \*(L"modp_2048\*(R", \*(L"modp_3072\*(R", \*(L"modp_4096\*(R", \*(L"modp_6144\*(R", \*(L"modp_8192\*(R". .Sp The following additional values can also be used by OpenSSL's default provider: \*(L"modp_1536\*(R", \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R", \*(L"dh_2048_256\*(R". .Sp \s-1DH/DHX\s0 named groups can be easily validated since the parameters are well known. For protocols that only transfer p and g the value of q can also be retrieved.
"\s-1DH\s0 and \s-1DHX\s0 additional parameters"
Subsection "DH and DHX additional parameters" Item "encoded-pub-key (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of the \s-1DH\s0 public key used in a key exchange message for the \s-1TLS\s0 protocol. See EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key().
"\s-1DH\s0 additional domain parameters"
Subsection "DH additional domain parameters" Item "safeprime-generator (OSSL_PKEY_PARAM_DH_GENERATOR) <integer>" Used for \s-1DH\s0 generation of safe primes using the old safe prime generator code. The default value is 2. It is recommended to use a named safe prime group instead, if domain parameter validation is required. .Sp Randomly generated safe primes are not allowed by \s-1FIPS,\s0 so setting this value for the OpenSSL \s-1FIPS\s0 provider will instead choose a named safe prime group based on the size of p.
"\s-1DH\s0 and \s-1DHX\s0 domain parameter / key generation parameters"
Subsection "DH and DHX domain parameter / key generation parameters" In addition to the common \s-1FFC\s0 key generation parameters that all \s-1FFC\s0 key types should support (see \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1EVP_PKEY-FFC\s0\|(7)) the \fB\s-1DH\s0 and \s-1DHX\s0 keytype implementation supports the following: Item "type (OSSL_PKEY_PARAM_FFC_TYPE) <UTF8 string>" Sets the type of parameter generation. For \s-1DH\s0 valid values are:

Item "fips186_4"

0 Item "default" Item "fips186_2"

These are described in \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1EVP_PKEY-FFC\s0\|(7) Item "group" This specifies that a named safe prime name will be chosen using the \*(L"pbits\*(R" type. Item "generator" A safe prime generator. See the \*(L"safeprime-generator\*(R" type above. This is only valid for \s-1DH\s0 keys.

Item "pbits (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>" Sets the size (in bits) of the prime 'p'. .Sp For \*(L"fips186_4\*(R" this must be 2048. For \*(L"fips186_2\*(R" this must be 1024. For \*(L"group\*(R" this can be any one of 2048, 3072, 4096, 6144 or 8192. Item "priv_len (OSSL_PKEY_PARAM_DH_PRIV_LEN) <integer>" An optional value to set the maximum length of the generated private key. The default value used if this is not set is the maximum value of BN_num_bits(q)). The minimum value that this can be set to is 2 * s. Where s is the security strength of the key which has values of 112, 128, 152, 176 and 200 for key sizes of 2048, 3072, 4096, 6144 and 8192.
"\s-1DH\s0 key validation"
Subsection "DH key validation" For \s-1DHX\s0 that is not a named group the \s-1FIPS186-4\s0 standard specifies that the values used for \s-1FFC\s0 parameter generation are also required for parameter validation. This means that optional \s-1FFC\s0 domain parameter values for \fIseed, pcounter and gindex or hindex may need to be stored for validation purposes. For \s-1DHX\s0 the seed and pcounter can be stored in \s-1ASN1\s0 data (but the gindex or hindex cannot be stored). It is recommended to use a named safe prime group instead.

For \s-1DH\s0 keys, EVP_PKEY_param_check\|(3) behaves in the following way: The OpenSSL \s-1FIPS\s0 provider tests if the parameters are either an approved safe prime group \s-1OR\s0 that the \s-1FFC\s0 parameters conform to \s-1FIPS186-4\s0 as defined in SP800-56Ar3 Assurances of Domain-Parameter Validity. The OpenSSL default provider uses simpler checks that allows there to be no q value for backwards compatibility.

For \s-1DH\s0 keys, EVP_PKEY_param_check_quick\|(3) is equivalent to \fBEVP_PKEY_param_check\|(3).

For \s-1DH\s0 keys, EVP_PKEY_public_check\|(3) conforms to SP800-56Ar3 \s-1FFC\s0 Full Public-Key Validation.

For \s-1DH\s0 keys, EVP_PKEY_public_check_quick\|(3) conforms to SP800-56Ar3 \s-1FFC\s0 Partial Public-Key Validation when the \s-1DH\s0 key is an approved named safe prime group, otherwise it is the same as \fBEVP_PKEY_public_check\|(3).

For \s-1DH\s0 Keys, EVP_PKEY_private_check\|(3) tests that the private key is in the correct range according to SP800-56Ar3. The OpenSSL \s-1FIPS\s0 provider requires the value of q to be set (note that this is set for named safe prime groups). For backwards compatibility the OpenSSL default provider only requires p to be set.

For \s-1DH\s0 keys, EVP_PKEY_pairwise_check\|(3) conforms to SP800-56Ar3 Owner Assurance of Pair-wise Consistency.

"EXAMPLES"
Header "EXAMPLES" An \s-1EVP_PKEY\s0 context can be obtained by calling:

.Vb 1 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); .Ve

A \s-1DH\s0 key can be generated with a named safe prime group by calling:

.Vb 4 int priv_len = 2 * 112; OSSL_PARAM params[3]; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); \& params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); /* "priv_len" is optional */ params[1] = OSSL_PARAM_construct_int("priv_len", &priv_len); params[2] = OSSL_PARAM_construct_end(); \& EVP_PKEY_keygen_init(pctx); EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, &pkey); ... EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); .Ve

\fB\s-1DHX\s0 domain parameters can be generated according to \s-1FIPS186-4\s0 by calling:

.Vb 6 int gindex = 2; unsigned int pbits = 2048; unsigned int qbits = 256; OSSL_PARAM params[6]; EVP_PKEY *param_key = NULL; EVP_PKEY_CTX *pctx = NULL; \& pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); EVP_PKEY_paramgen_init(pctx); \& params[0] = OSSL_PARAM_construct_uint("pbits", &pbits); params[1] = OSSL_PARAM_construct_uint("qbits", &qbits); params[2] = OSSL_PARAM_construct_int("gindex", &gindex); params[3] = OSSL_PARAM_construct_utf8_string("type", "fips186_4", 0); params[4] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0); params[5] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); \& EVP_PKEY_generate(pctx, &param_key); \& EVP_PKEY_print_params(bio_out, param_key, 0, NULL); ... EVP_PKEY_free(param_key); EVP_PKEY_CTX_free(pctx); .Ve

A \s-1DH\s0 key can be generated using domain parameters by calling:

.Vb 2 EVP_PKEY *key = NULL; EVP_PKEY_CTX *gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL); \& EVP_PKEY_keygen_init(gctx); EVP_PKEY_generate(gctx, &key); EVP_PKEY_print_private(bio_out, key, 0, NULL); ... EVP_PKEY_free(key); EVP_PKEY_CTX_free(gctx); .Ve

To validate \s-1FIPS186-4\s0 \s-1DHX\s0 domain parameters decoded from \s-1PEM\s0 or \fB\s-1DER\s0 data, additional values used during generation may be required to be set into the key.

\fBEVP_PKEY_todata(), OSSL_PARAM_merge(), and EVP_PKEY_fromdata() are useful to add these parameters to the original key or domain parameters before the actual validation. In production code the return values should be checked.

.Vb 11 EVP_PKEY *received_domp = ...; /* parameters received and decoded */ unsigned char *seed = ...; /* and additional parameters received */ size_t seedlen = ...; /* by other means, required */ int gindex = ...; /* for the validation */ int pcounter = ...; int hindex = ...; OSSL_PARAM extra_params[4]; OSSL_PARAM *domain_params = NULL; OSSL_PARAM *merged_params = NULL; EVP_PKEY_CTX *ctx = NULL, *validate_ctx = NULL; EVP_PKEY *complete_domp = NULL; \& EVP_PKEY_todata(received_domp, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, &domain_params); extra_params[0] = OSSL_PARAM_construct_octet_string("seed", seed, seedlen); /* * NOTE: For unverifiable g use "hindex" instead of "gindex" * extra_params[1] = OSSL_PARAM_construct_int("hindex", &hindex); */ extra_params[1] = OSSL_PARAM_construct_int("gindex", &gindex); extra_params[2] = OSSL_PARAM_construct_int("pcounter", &pcounter); extra_params[3] = OSSL_PARAM_construct_end(); merged_params = OSSL_PARAM_merge(domain_params, extra_params); \& ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); EVP_PKEY_fromdata_init(ctx); EVP_PKEY_fromdata(ctx, &complete_domp, OSSL_KEYMGMT_SELECT_ALL, merged_params); \& validate_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, complete_domp, NULL); if (EVP_PKEY_param_check(validate_ctx) > 0) /* validation_passed(); */ else /* validation_failed(); */ \& OSSL_PARAM_free(domain_params); OSSL_PARAM_free(merged_params); EVP_PKEY_CTX_free(ctx); EVP_PKEY_CTX_free(validate_ctx); EVP_PKEY_free(complete_domp); .Ve

"CONFORMING TO"
Header "CONFORMING TO"
"\s-1RFC 7919\s0 (\s-1TLS\s0 ffdhe named safe prime groups)" 4
Item "RFC 7919 (TLS ffdhe named safe prime groups)"

0

"\s-1RFC 3526\s0 (\s-1IKE\s0 modp named safe prime groups)" 4
Item "RFC 3526 (IKE modp named safe prime groups)" Item "RFC 5114 (Additional DH named groups for dh_1024_160, dh_2048_224 and dh_2048_256"")."

The following sections of SP800-56Ar3:

"5.5.1.1 \s-1FFC\s0 Domain Parameter Selection/Generation" 4
Item "5.5.1.1 FFC Domain Parameter Selection/Generation"

0

"Appendix D: \s-1FFC\s0 Safe-prime Groups" 4
Item "Appendix D: FFC Safe-prime Groups"

The following sections of \s-1FIPS186-4:\s0

"A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function." 4
Item "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function."

0

"A.2.3 Generation of canonical generator g." 4
Item "A.2.3 Generation of canonical generator g."
"A.2.1 Unverifiable Generation of the Generator g." 4
Item "A.2.1 Unverifiable Generation of the Generator g."

"SEE ALSO"
Header "SEE ALSO" \s-1EVP_PKEY-FFC\s0\|(7), \s-1EVP_KEYEXCH-DH\s0\|(7) \s-1EVP_PKEY\s0\|(3), \fBprovider-keymgmt\|(7), \s-1EVP_KEYMGMT\s0\|(3), \fBOSSL_PROVIDER-default\|(7), \s-1OSSL_PROVIDER-FIPS\s0\|(7)
"COPYRIGHT"
Header "COPYRIGHT" Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.