]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/dh/dh_key.c
Copyright consolidation 05/10
[thirdparty/openssl.git] / crypto / dh / dh_key.c
1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include "internal/cryptlib.h"
12 #include <openssl/rand.h>
13 #include "dh_locl.h"
14 #include "internal/bn_int.h"
15
16 static int generate_key(DH *dh);
17 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
18 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
19 const BIGNUM *a, const BIGNUM *p,
20 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
21 static int dh_init(DH *dh);
22 static int dh_finish(DH *dh);
23
24 int DH_generate_key(DH *dh)
25 {
26 return dh->meth->generate_key(dh);
27 }
28
29 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
30 {
31 return dh->meth->compute_key(key, pub_key, dh);
32 }
33
34 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
35 {
36 int rv, pad;
37 rv = dh->meth->compute_key(key, pub_key, dh);
38 if (rv <= 0)
39 return rv;
40 pad = BN_num_bytes(dh->p) - rv;
41 if (pad > 0) {
42 memmove(key + pad, key, rv);
43 memset(key, 0, pad);
44 }
45 return rv + pad;
46 }
47
48 static DH_METHOD dh_ossl = {
49 "OpenSSL DH Method",
50 generate_key,
51 compute_key,
52 dh_bn_mod_exp,
53 dh_init,
54 dh_finish,
55 DH_FLAG_FIPS_METHOD,
56 NULL,
57 NULL
58 };
59
60 const DH_METHOD *DH_OpenSSL(void)
61 {
62 return &dh_ossl;
63 }
64
65 static int generate_key(DH *dh)
66 {
67 int ok = 0;
68 int generate_new_key = 0;
69 unsigned l;
70 BN_CTX *ctx;
71 BN_MONT_CTX *mont = NULL;
72 BIGNUM *pub_key = NULL, *priv_key = NULL;
73
74 ctx = BN_CTX_new();
75 if (ctx == NULL)
76 goto err;
77
78 if (dh->priv_key == NULL) {
79 priv_key = BN_secure_new();
80 if (priv_key == NULL)
81 goto err;
82 generate_new_key = 1;
83 } else
84 priv_key = dh->priv_key;
85
86 if (dh->pub_key == NULL) {
87 pub_key = BN_new();
88 if (pub_key == NULL)
89 goto err;
90 } else
91 pub_key = dh->pub_key;
92
93 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
94 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
95 dh->lock, dh->p, ctx);
96 if (!mont)
97 goto err;
98 }
99
100 if (generate_new_key) {
101 if (dh->q) {
102 do {
103 if (!BN_rand_range(priv_key, dh->q))
104 goto err;
105 }
106 while (BN_is_zero(priv_key) || BN_is_one(priv_key));
107 } else {
108 /* secret exponent length */
109 l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
110 if (!BN_rand(priv_key, l, 0, 0))
111 goto err;
112 }
113 }
114
115 {
116 BIGNUM *local_prk = NULL;
117 BIGNUM *prk;
118
119 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
120 local_prk = prk = BN_new();
121 if (local_prk == NULL)
122 goto err;
123 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
124 } else {
125 prk = priv_key;
126 }
127
128 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
129 BN_free(local_prk);
130 goto err;
131 }
132 /* We MUST free local_prk before any further use of priv_key */
133 BN_free(local_prk);
134 }
135
136 dh->pub_key = pub_key;
137 dh->priv_key = priv_key;
138 ok = 1;
139 err:
140 if (ok != 1)
141 DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
142
143 if (pub_key != dh->pub_key)
144 BN_free(pub_key);
145 if (priv_key != dh->priv_key)
146 BN_free(priv_key);
147 BN_CTX_free(ctx);
148 return (ok);
149 }
150
151 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
152 {
153 BN_CTX *ctx = NULL;
154 BN_MONT_CTX *mont = NULL;
155 BIGNUM *tmp;
156 int ret = -1;
157 int check_result;
158
159 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
160 DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
161 goto err;
162 }
163
164 ctx = BN_CTX_new();
165 if (ctx == NULL)
166 goto err;
167 BN_CTX_start(ctx);
168 tmp = BN_CTX_get(ctx);
169
170 if (dh->priv_key == NULL) {
171 DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);
172 goto err;
173 }
174
175 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
176 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
177 dh->lock, dh->p, ctx);
178 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
179 /* XXX */
180 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
181 }
182 if (!mont)
183 goto err;
184 }
185
186 if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) {
187 DHerr(DH_F_COMPUTE_KEY, DH_R_INVALID_PUBKEY);
188 goto err;
189 }
190
191 if (!dh->
192 meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx, mont)) {
193 DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
194 goto err;
195 }
196
197 ret = BN_bn2bin(tmp, key);
198 err:
199 if (ctx != NULL) {
200 BN_CTX_end(ctx);
201 BN_CTX_free(ctx);
202 }
203 return (ret);
204 }
205
206 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
207 const BIGNUM *a, const BIGNUM *p,
208 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
209 {
210 /*
211 * If a is only one word long and constant time is false, use the faster
212 * exponentiation function.
213 */
214 if (bn_get_top(a) == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
215 BN_ULONG A = bn_get_words(a)[0];
216 return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
217 } else
218 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
219 }
220
221 static int dh_init(DH *dh)
222 {
223 dh->flags |= DH_FLAG_CACHE_MONT_P;
224 return (1);
225 }
226
227 static int dh_finish(DH *dh)
228 {
229 BN_MONT_CTX_free(dh->method_mont_p);
230 return (1);
231 }