Skip to content

Commit

Permalink
Refs #8117. Change default key agreement algorithm to ECDH_prime256v1.
Browse files Browse the repository at this point in the history 
Signed-off-by: Miguel Company <MiguelCompany@eprosima.com>
  • Loading branch information
@MiguelCompany
MiguelCompany committed Apr 14, 2020
1 parent 09e07c8 commit 23e40d3
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 27 deletions.
76 changes: 50 additions & 26 deletions src/cpp/fastrtps_deprecated/security/authentication/PKIDH.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -741,7 +741,7 @@ static EVP_PKEY* generate_dh_key(
return nullptr;
}
}
else
else if (type == EVP_PKEY_DH)
{
params = EVP_PKEY_new();
if (params != nullptr)
Expand All @@ -759,6 +759,11 @@ static EVP_PKEY* generate_dh_key(
return nullptr;
}
}
else
{
exception = _SecurityException_("Wrong DH kind");
return nullptr;
}

EVP_PKEY* keys = nullptr;
EVP_PKEY_CTX* kctx = EVP_PKEY_CTX_new(params, NULL);
Expand Down Expand Up @@ -795,47 +800,56 @@ static EVP_PKEY* generate_dh_key(

static bool store_dh_public_key(
EVP_PKEY* dhkey,
int type,
std::vector<uint8_t>& buffer,
SecurityException& exception)
{
bool returnedValue = false;
DH* dh =

if (type == EVP_PKEY_DH)
{
DH* dh =
#if IS_OPENSSL_1_1
EVP_PKEY_get0_DH(dhkey);
#else
dhkey->pkey.dh;
#endif

if (dh != nullptr)
{
if (dh != nullptr)
{
#if IS_OPENSSL_1_1
const BIGNUM* pub_key = nullptr;
const BIGNUM* priv_key = nullptr;
DH_get0_key(dh, &pub_key, &priv_key);
const BIGNUM* pub_key = nullptr;
const BIGNUM* priv_key = nullptr;
DH_get0_key(dh, &pub_key, &priv_key);

#else
const BIGNUM* pub_key = dh->pub_key;
const BIGNUM* pub_key = dh->pub_key;
#endif

int len = BN_num_bytes(pub_key);
buffer.resize(len);
unsigned char* pointer = buffer.data();
if (BN_bn2bin(pub_key, pointer) == len)
{
returnedValue = true;
int len = BN_num_bytes(pub_key);
buffer.resize(len);
unsigned char* pointer = buffer.data();
if (BN_bn2bin(pub_key, pointer) == len)
{
returnedValue = true;
}
else
{
exception = _SecurityException_("Cannot serialize public key");
}
}
else
{
exception = _SecurityException_("Cannot serialize public key");
exception = _SecurityException_("OpenSSL library doesn't retrieve DH");
}
}
else
else if(type == EVP_PKEY_EC)
{
EC_KEY* ec =
#if IS_OPENSSL_1_1
EVP_PKEY_get0_EC_KEY(dhkey);
EVP_PKEY_get0_EC_KEY(dhkey);
#else
dhkey->pkey.ec;
dhkey->pkey.ec;
#endif
if (ec != nullptr)
{
Expand All @@ -857,14 +871,18 @@ static bool store_dh_public_key(
exception = _SecurityException_("OpenSSL library doesn't retrieve DH");
}
}
else
{
exception = _SecurityException_("Wrong DH kind");
}

return returnedValue;
}

static EVP_PKEY* generate_dh_peer_key(
const std::vector<uint8_t>& buffer,
SecurityException& exception,
int alg_kind = EVP_PKEY_DH)
int alg_kind)
{
if (alg_kind == EVP_PKEY_DH)
{
Expand Down Expand Up @@ -916,7 +934,7 @@ static EVP_PKEY* generate_dh_peer_key(
exception = _SecurityException_("OpenSSL library cannot create dh");
}
}
else
else if (alg_kind == EVP_PKEY_EC)
{
EC_KEY* ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);

Expand Down Expand Up @@ -962,6 +980,10 @@ static EVP_PKEY* generate_dh_peer_key(
exception = _SecurityException_("OpenSSL library cannot create ec");
}
}
else
{
exception = _SecurityException_("Wrong DH kind");
}

return nullptr;
}
Expand Down Expand Up @@ -1370,14 +1392,15 @@ ValidationResult_t PKIDH::begin_handshake_request(
bproperty.propagate(true);
(*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));

int kagree_kind = get_dh_type((*handshake_handle_aux)->kagree_alg_);

// dh1
if (((*handshake_handle_aux)->dhkeys_ =
generate_dh_key(get_dh_type((*handshake_handle_aux)->kagree_alg_), exception)) != nullptr)
if (((*handshake_handle_aux)->dhkeys_ = generate_dh_key(kagree_kind, exception)) != nullptr)
{
bproperty.name("dh1");
bproperty.propagate(true);

if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, bproperty.value(), exception))
if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, kagree_kind, bproperty.value(), exception))
{
(*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));

Expand Down Expand Up @@ -1732,7 +1755,7 @@ ValidationResult_t PKIDH::begin_handshake_reply(
bproperty.name("dh2");
bproperty.propagate(true);

if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, bproperty.value(), exception))
if (store_dh_public_key((*handshake_handle_aux)->dhkeys_, kagree_kind, bproperty.value(), exception))
{
(*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));

Expand Down Expand Up @@ -2056,14 +2079,15 @@ ValidationResult_t PKIDH::process_handshake_request(

// dh2
BinaryProperty* dh2 = DataHolderHelper::find_binary_property(handshake_message_in, "dh2");

if (dh2 == nullptr)
{
logWarning(SECURITY_AUTHENTICATION, "Cannot find property dh2");
return ValidationResult_t::VALIDATION_FAILED;
}

if ((handshake_handle->peerkeys_ = generate_dh_peer_key(dh2->value(), exception)) == nullptr)
int kagree_kind = get_dh_type(s_kagree_algo);

if ((handshake_handle->peerkeys_ = generate_dh_peer_key(dh2->value(), exception, kagree_kind)) == nullptr)
{
exception = _SecurityException_("Cannot store peer key from dh2");
return ValidationResult_t::VALIDATION_FAILED;
Expand Down
2 changes: 1 addition & 1 deletion src/cpp/fastrtps_deprecated/security/authentication/PKIIdentityHandle.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ class PKIIdentity
PKIIdentity() : store_(nullptr),
cert_(nullptr), pkey_(nullptr),
cert_content_(nullptr),
kagree_alg_(DH_2048_256),
kagree_alg_(ECDH_prime256v1),
there_are_crls_(false)
{}

Expand Down

0 comments on commit 23e40d3

Please sign in to comment.