]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/dh/dh_key.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
threads_pthread.c: change inline to ossl_inline
[thirdparty/openssl.git] / crypto / dh / dh_key.c
1 /*
2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * DH low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include "dh_local.h"
19 #include "crypto/bn.h"
20 #include "crypto/dh.h"
21 #include "crypto/security_bits.h"
22
23 #ifdef FIPS_MODULE
24 # define MIN_STRENGTH 112
25 #else
26 # define MIN_STRENGTH 80
27 #endif
28
29 static int generate_key(DH *dh);
30 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
31 const BIGNUM *a, const BIGNUM *p,
32 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
33 static int dh_init(DH *dh);
34 static int dh_finish(DH *dh);
35
36 /*
37 * See SP800-56Ar3 Section 5.7.1.1
38 * Finite Field Cryptography Diffie-Hellman (FFC DH) Primitive
39 */
40 int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
41 {
42 BN_CTX *ctx = NULL;
43 BN_MONT_CTX *mont = NULL;
44 BIGNUM *z = NULL, *pminus1;
45 int ret = -1;
46
47 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
48 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
49 goto err;
50 }
51
52 if (dh->params.q != NULL
53 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
54 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
55 goto err;
56 }
57
58 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
59 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
60 return 0;
61 }
62
63 ctx = BN_CTX_new_ex(dh->libctx);
64 if (ctx == NULL)
65 goto err;
66 BN_CTX_start(ctx);
67 pminus1 = BN_CTX_get(ctx);
68 z = BN_CTX_get(ctx);
69 if (z == NULL)
70 goto err;
71
72 if (dh->priv_key == NULL) {
73 ERR_raise(ERR_LIB_DH, DH_R_NO_PRIVATE_VALUE);
74 goto err;
75 }
76
77 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
78 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
79 dh->lock, dh->params.p, ctx);
80 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
81 if (!mont)
82 goto err;
83 }
84
85 /* (Step 1) Z = pub_key^priv_key mod p */
86 if (!dh->meth->bn_mod_exp(dh, z, pub_key, dh->priv_key, dh->params.p, ctx,
87 mont)) {
88 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
89 goto err;
90 }
91
92 /* (Step 2) Error if z <= 1 or z = p - 1 */
93 if (BN_copy(pminus1, dh->params.p) == NULL
94 || !BN_sub_word(pminus1, 1)
95 || BN_cmp(z, BN_value_one()) <= 0
96 || BN_cmp(z, pminus1) == 0) {
97 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SECRET);
98 goto err;
99 }
100
101 /* return the padded key, i.e. same number of bytes as the modulus */
102 ret = BN_bn2binpad(z, key, BN_num_bytes(dh->params.p));
103 err:
104 BN_clear(z); /* (Step 2) destroy intermediate values */
105 BN_CTX_end(ctx);
106 BN_CTX_free(ctx);
107 return ret;
108 }
109
110 /*-
111 * NB: This function is inherently not constant time due to the
112 * RFC 5246 (8.1.2) padding style that strips leading zero bytes.
113 */
114 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
115 {
116 int ret = 0, i;
117 volatile size_t npad = 0, mask = 1;
118
119 /* compute the key; ret is constant unless compute_key is external */
120 #ifdef FIPS_MODULE
121 ret = ossl_dh_compute_key(key, pub_key, dh);
122 #else
123 ret = dh->meth->compute_key(key, pub_key, dh);
124 #endif
125 if (ret <= 0)
126 return ret;
127
128 /* count leading zero bytes, yet still touch all bytes */
129 for (i = 0; i < ret; i++) {
130 mask &= !key[i];
131 npad += mask;
132 }
133
134 /* unpad key */
135 ret -= npad;
136 /* key-dependent memory access, potentially leaking npad / ret */
137 memmove(key, key + npad, ret);
138 /* key-dependent memory access, potentially leaking npad / ret */
139 memset(key + ret, 0, npad);
140
141 return ret;
142 }
143
144 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
145 {
146 int rv, pad;
147
148 /* rv is constant unless compute_key is external */
149 #ifdef FIPS_MODULE
150 rv = ossl_dh_compute_key(key, pub_key, dh);
151 #else
152 rv = dh->meth->compute_key(key, pub_key, dh);
153 #endif
154 if (rv <= 0)
155 return rv;
156 pad = BN_num_bytes(dh->params.p) - rv;
157 /* pad is constant (zero) unless compute_key is external */
158 if (pad > 0) {
159 memmove(key + pad, key, rv);
160 memset(key, 0, pad);
161 }
162 return rv + pad;
163 }
164
165 static DH_METHOD dh_ossl = {
166 "OpenSSL DH Method",
167 generate_key,
168 ossl_dh_compute_key,
169 dh_bn_mod_exp,
170 dh_init,
171 dh_finish,
172 DH_FLAG_FIPS_METHOD,
173 NULL,
174 NULL
175 };
176
177 static const DH_METHOD *default_DH_method = &dh_ossl;
178
179 const DH_METHOD *DH_OpenSSL(void)
180 {
181 return &dh_ossl;
182 }
183
184 const DH_METHOD *DH_get_default_method(void)
185 {
186 return default_DH_method;
187 }
188
189 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
190 const BIGNUM *a, const BIGNUM *p,
191 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
192 {
193 #ifdef S390X_MOD_EXP
194 return s390x_mod_exp(r, a, p, m, ctx, m_ctx);
195 #else
196 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
197 #endif
198 }
199
200 static int dh_init(DH *dh)
201 {
202 dh->flags |= DH_FLAG_CACHE_MONT_P;
203 dh->dirty_cnt++;
204 return 1;
205 }
206
207 static int dh_finish(DH *dh)
208 {
209 BN_MONT_CTX_free(dh->method_mont_p);
210 return 1;
211 }
212
213 #ifndef FIPS_MODULE
214 void DH_set_default_method(const DH_METHOD *meth)
215 {
216 default_DH_method = meth;
217 }
218 #endif /* FIPS_MODULE */
219
220 int DH_generate_key(DH *dh)
221 {
222 #ifdef FIPS_MODULE
223 return generate_key(dh);
224 #else
225 return dh->meth->generate_key(dh);
226 #endif
227 }
228
229 int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh,
230 const BIGNUM *priv_key, BIGNUM *pub_key)
231 {
232 int ret = 0;
233 BIGNUM *prk = BN_new();
234 BN_MONT_CTX *mont = NULL;
235
236 if (prk == NULL)
237 return 0;
238
239 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
240 /*
241 * We take the input DH as const, but we lie, because in some cases we
242 * want to get a hold of its Montgomery context.
243 *
244 * We cast to remove the const qualifier in this case, it should be
245 * fine...
246 */
247 BN_MONT_CTX **pmont = (BN_MONT_CTX **)&dh->method_mont_p;
248
249 mont = BN_MONT_CTX_set_locked(pmont, dh->lock, dh->params.p, ctx);
250 if (mont == NULL)
251 goto err;
252 }
253 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
254
255 /* pub_key = g^priv_key mod p */
256 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
257 ctx, mont))
258 goto err;
259 ret = 1;
260 err:
261 BN_clear_free(prk);
262 return ret;
263 }
264
265 static int generate_key(DH *dh)
266 {
267 int ok = 0;
268 int generate_new_key = 0;
269 #ifndef FIPS_MODULE
270 unsigned l;
271 #endif
272 BN_CTX *ctx = NULL;
273 BIGNUM *pub_key = NULL, *priv_key = NULL;
274
275 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
276 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
277 return 0;
278 }
279
280 if (dh->params.q != NULL
281 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
282 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
283 return 0;
284 }
285
286 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
287 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
288 return 0;
289 }
290
291 ctx = BN_CTX_new_ex(dh->libctx);
292 if (ctx == NULL)
293 goto err;
294
295 if (dh->priv_key == NULL) {
296 priv_key = BN_secure_new();
297 if (priv_key == NULL)
298 goto err;
299 generate_new_key = 1;
300 } else {
301 priv_key = dh->priv_key;
302 }
303
304 if (dh->pub_key == NULL) {
305 pub_key = BN_new();
306 if (pub_key == NULL)
307 goto err;
308 } else {
309 pub_key = dh->pub_key;
310 }
311 if (generate_new_key) {
312 /* Is it an approved safe prime ?*/
313 if (DH_get_nid(dh) != NID_undef) {
314 int max_strength =
315 ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));
316
317 if (dh->params.q == NULL
318 || dh->length > BN_num_bits(dh->params.q))
319 goto err;
320 /* dh->length = maximum bit length of generated private key */
321 if (!ossl_ffc_generate_private_key(ctx, &dh->params, dh->length,
322 max_strength, priv_key))
323 goto err;
324 } else {
325 #ifdef FIPS_MODULE
326 if (dh->params.q == NULL)
327 goto err;
328 #else
329 if (dh->params.q == NULL) {
330 /* secret exponent length, must satisfy 2^(l-1) <= p */
331 if (dh->length != 0
332 && dh->length >= BN_num_bits(dh->params.p))
333 goto err;
334 l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
335 if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
336 BN_RAND_BOTTOM_ANY, 0, ctx))
337 goto err;
338 /*
339 * We handle just one known case where g is a quadratic non-residue:
340 * for g = 2: p % 8 == 3
341 */
342 if (BN_is_word(dh->params.g, DH_GENERATOR_2)
343 && !BN_is_bit_set(dh->params.p, 2)) {
344 /* clear bit 0, since it won't be a secret anyway */
345 if (!BN_clear_bit(priv_key, 0))
346 goto err;
347 }
348 } else
349 #endif
350 {
351 /* Do a partial check for invalid p, q, g */
352 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
353 FFC_PARAM_TYPE_DH, NULL))
354 goto err;
355 /*
356 * For FFC FIPS 186-4 keygen
357 * security strength s = 112,
358 * Max Private key size N = len(q)
359 */
360 if (!ossl_ffc_generate_private_key(ctx, &dh->params,
361 BN_num_bits(dh->params.q),
362 MIN_STRENGTH,
363 priv_key))
364 goto err;
365 }
366 }
367 }
368
369 if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
370 goto err;
371
372 dh->pub_key = pub_key;
373 dh->priv_key = priv_key;
374 dh->dirty_cnt++;
375 ok = 1;
376 err:
377 if (ok != 1)
378 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
379
380 if (pub_key != dh->pub_key)
381 BN_free(pub_key);
382 if (priv_key != dh->priv_key)
383 BN_free(priv_key);
384 BN_CTX_free(ctx);
385 return ok;
386 }
387
388 int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
389 {
390 int err_reason = DH_R_BN_ERROR;
391 BIGNUM *pubkey = NULL;
392 const BIGNUM *p;
393 int ret;
394
395 if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
396 goto err;
397 DH_get0_pqg(dh, &p, NULL, NULL);
398 if (p == NULL || BN_num_bytes(p) == 0) {
399 err_reason = DH_R_NO_PARAMETERS_SET;
400 goto err;
401 }
402 /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
403 if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
404 err_reason = DH_R_INVALID_PUBKEY;
405 goto err;
406 }
407 if (DH_set0_key(dh, pubkey, NULL) != 1)
408 goto err;
409 return 1;
410 err:
411 ERR_raise(ERR_LIB_DH, err_reason);
412 BN_free(pubkey);
413 return 0;
414 }
415
416 size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size,
417 int alloc)
418 {
419 const BIGNUM *pubkey;
420 unsigned char *pbuf = NULL;
421 const BIGNUM *p;
422 int p_size;
423
424 DH_get0_pqg(dh, &p, NULL, NULL);
425 DH_get0_key(dh, &pubkey, NULL);
426 if (p == NULL || pubkey == NULL
427 || (p_size = BN_num_bytes(p)) == 0
428 || BN_num_bytes(pubkey) == 0) {
429 ERR_raise(ERR_LIB_DH, DH_R_INVALID_PUBKEY);
430 return 0;
431 }
432 if (pbuf_out != NULL && (alloc || *pbuf_out != NULL)) {
433 if (!alloc) {
434 if (size >= (size_t)p_size)
435 pbuf = *pbuf_out;
436 if (pbuf == NULL)
437 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SIZE);
438 } else {
439 pbuf = OPENSSL_malloc(p_size);
440 }
441
442 /* Errors raised above */
443 if (pbuf == NULL)
444 return 0;
445 /*
446 * As per Section 4.2.8.1 of RFC 8446 left pad public
447 * key with zeros to the size of p
448 */
449 if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
450 if (alloc)
451 OPENSSL_free(pbuf);
452 ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR);
453 return 0;
454 }
455 *pbuf_out = pbuf;
456 }
457 return p_size;
458 }
A mirror of the official openssl repository