crypto/dh/dh_key.c

   1 /*
   2  * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdio.h>
  11 #include "internal/cryptlib.h"
  12 #include "dh_local.h"
  13 #include "crypto/bn.h"
  14 #include "crypto/dh.h"
  15
  16 #ifndef FIPS_MODE
  17 static int generate_key(DH *dh);
  18 #endif /* FIPS_MODE */
  19
  20 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
  21                          const BIGNUM *a, const BIGNUM *p,
  22                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
  23 static int dh_init(DH *dh);
  24 static int dh_finish(DH *dh);
  25
  26 int dh_compute_key(OPENSSL_CTX *libctx, unsigned char *key,
  27                    const BIGNUM *pub_key, DH *dh)
  28 {
  29     BN_CTX *ctx = NULL;
  30     BN_MONT_CTX *mont = NULL;
  31     BIGNUM *tmp;
  32     int ret = -1;
  33 #ifndef FIPS_MODE
  34     int check_result;
  35 #endif
  36
  37     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
  38         DHerr(0, DH_R_MODULUS_TOO_LARGE);
  39         goto err;
  40     }
  41
  42     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
  43         DHerr(0, DH_R_MODULUS_TOO_SMALL);
  44         return 0;
  45     }
  46
  47     ctx = BN_CTX_new_ex(libctx);
  48     if (ctx == NULL)
  49         goto err;
  50     BN_CTX_start(ctx);
  51     tmp = BN_CTX_get(ctx);
  52     if (tmp == NULL)
  53         goto err;
  54
  55     if (dh->priv_key == NULL) {
  56         DHerr(0, DH_R_NO_PRIVATE_VALUE);
  57         goto err;
  58     }
  59
  60     if (dh->flags & DH_FLAG_CACHE_MONT_P) {
  61         mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
  62                                       dh->lock, dh->params.p, ctx);
  63         BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
  64         if (!mont)
  65             goto err;
  66     }
  67 /* TODO(3.0) : Solve in a PR related to Key validation for DH */
  68 #ifndef FIPS_MODE
  69     if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) {
  70         DHerr(0, DH_R_INVALID_PUBKEY);
  71         goto err;
  72     }
  73 #endif
  74     if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->params.p, ctx,
  75                               mont)) {
  76         DHerr(0, ERR_R_BN_LIB);
  77         goto err;
  78     }
  79
  80     ret = BN_bn2bin(tmp, key);
  81  err:
  82     BN_CTX_end(ctx);
  83     BN_CTX_free(ctx);
  84     return ret;
  85 }
  86
  87 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
  88 {
  89     return dh_compute_key(NULL, key, pub_key, dh);
  90 }
  91
  92 int dh_compute_key_padded(OPENSSL_CTX *libctx, unsigned char *key,
  93                           const BIGNUM *pub_key, DH *dh)
  94 {
  95     int rv, pad;
  96
  97 #ifdef FIPS_MODE
  98     rv = dh_compute_key(libctx, key, pub_key, dh);
  99 #else
 100     rv = dh->meth->compute_key(key, pub_key, dh);
 101 #endif
 102     if (rv <= 0)
 103         return rv;
 104     pad = BN_num_bytes(dh->params.p) - rv;
 105     if (pad > 0) {
 106         memmove(key + pad, key, rv);
 107         memset(key, 0, pad);
 108     }
 109     return rv + pad;
 110 }
 111
 112 #ifndef FIPS_MODE
 113 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 114 {
 115     return dh->meth->compute_key(key, pub_key, dh);
 116 }
 117
 118 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 119 {
 120     return dh_compute_key_padded(NULL, key, pub_key, dh);
 121 }
 122 #endif
 123
 124 static DH_METHOD dh_ossl = {
 125     "OpenSSL DH Method",
 126 #ifndef FIPS_MODE
 127     generate_key,
 128 #else
 129     NULL, /* TODO(3.0) : solve this in a keygen related PR */
 130 #endif
 131     compute_key,
 132     dh_bn_mod_exp,
 133     dh_init,
 134     dh_finish,
 135     DH_FLAG_FIPS_METHOD,
 136     NULL,
 137     NULL
 138 };
 139
 140 static const DH_METHOD *default_DH_method = &dh_ossl;
 141
 142 const DH_METHOD *DH_OpenSSL(void)
 143 {
 144     return &dh_ossl;
 145 }
 146
 147 const DH_METHOD *DH_get_default_method(void)
 148 {
 149     return default_DH_method;
 150 }
 151
 152 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 153                          const BIGNUM *a, const BIGNUM *p,
 154                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 155 {
 156     return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 157 }
 158
 159 static int dh_init(DH *dh)
 160 {
 161     dh->flags |= DH_FLAG_CACHE_MONT_P;
 162     ffc_params_init(&dh->params);
 163     return 1;
 164 }
 165
 166 static int dh_finish(DH *dh)
 167 {
 168     BN_MONT_CTX_free(dh->method_mont_p);
 169     return 1;
 170 }
 171
 172 #ifndef FIPS_MODE
 173
 174 void DH_set_default_method(const DH_METHOD *meth)
 175 {
 176     default_DH_method = meth;
 177 }
 178
 179 int DH_generate_key(DH *dh)
 180 {
 181     return dh->meth->generate_key(dh);
 182 }
 183
 184 static int generate_key(DH *dh)
 185 {
 186     int ok = 0;
 187     int generate_new_key = 0;
 188     unsigned l;
 189     BN_CTX *ctx = NULL;
 190     BN_MONT_CTX *mont = NULL;
 191     BIGNUM *pub_key = NULL, *priv_key = NULL;
 192
 193     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
 194         DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
 195         return 0;
 196     }
 197
 198     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
 199         DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_SMALL);
 200         return 0;
 201     }
 202
 203     ctx = BN_CTX_new();
 204     if (ctx == NULL)
 205         goto err;
 206
 207     if (dh->priv_key == NULL) {
 208         priv_key = BN_secure_new();
 209         if (priv_key == NULL)
 210             goto err;
 211         generate_new_key = 1;
 212     } else
 213         priv_key = dh->priv_key;
 214
 215     if (dh->pub_key == NULL) {
 216         pub_key = BN_new();
 217         if (pub_key == NULL)
 218             goto err;
 219     } else
 220         pub_key = dh->pub_key;
 221
 222     if (dh->flags & DH_FLAG_CACHE_MONT_P) {
 223         mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
 224                                       dh->lock, dh->params.p, ctx);
 225         if (!mont)
 226             goto err;
 227     }
 228
 229     if (generate_new_key) {
 230         if (dh->params.q != NULL) {
 231             do {
 232                 if (!BN_priv_rand_range(priv_key, dh->params.q))
 233                     goto err;
 234             }
 235             while (BN_is_zero(priv_key) || BN_is_one(priv_key));
 236         } else {
 237             /* secret exponent length */
 238             l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
 239             if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
 240                 goto err;
 241             /*
 242              * We handle just one known case where g is a quadratic non-residue:
 243              * for g = 2: p % 8 == 3
 244              */
 245             if (BN_is_word(dh->params.g, DH_GENERATOR_2)
 246                 && !BN_is_bit_set(dh->params.p, 2)) {
 247                 /* clear bit 0, since it won't be a secret anyway */
 248                 if (!BN_clear_bit(priv_key, 0))
 249                     goto err;
 250             }
 251         }
 252     }
 253
 254     {
 255         BIGNUM *prk = BN_new();
 256
 257         if (prk == NULL)
 258             goto err;
 259         BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
 260
 261         if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
 262                                   ctx, mont)) {
 263             BN_clear_free(prk);
 264             goto err;
 265         }
 266         /* We MUST free prk before any further use of priv_key */
 267         BN_clear_free(prk);
 268     }
 269
 270     dh->pub_key = pub_key;
 271     dh->priv_key = priv_key;
 272     dh->dirty_cnt++;
 273     ok = 1;
 274  err:
 275     if (ok != 1)
 276         DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
 277
 278     if (pub_key != dh->pub_key)
 279         BN_free(pub_key);
 280     if (priv_key != dh->priv_key)
 281         BN_free(priv_key);
 282     BN_CTX_free(ctx);
 283     return ok;
 284 }
 285
 286
 287 int dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
 288 {
 289     int err_reason = DH_R_BN_ERROR;
 290     BIGNUM *pubkey = NULL;
 291     const BIGNUM *p;
 292     size_t p_size;
 293
 294     if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
 295         goto err;
 296     DH_get0_pqg(dh, &p, NULL, NULL);
 297     if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
 298         err_reason = DH_R_NO_PARAMETERS_SET;
 299         goto err;
 300     }
 301     /*
 302      * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
 303      * public key is of size not equal to size of p
 304      */
 305     if (BN_is_zero(pubkey) || p_size != len) {
 306         err_reason = DH_R_INVALID_PUBKEY;
 307         goto err;
 308     }
 309     if (DH_set0_key(dh, pubkey, NULL) != 1)
 310         goto err;
 311     return 1;
 312 err:
 313     DHerr(DH_F_DH_BUF2KEY, err_reason);
 314     BN_free(pubkey);
 315     return 0;
 316 }
 317
 318 size_t dh_key2buf(const DH *dh, unsigned char **pbuf_out)
 319 {
 320     const BIGNUM *pubkey;
 321     unsigned char *pbuf;
 322     const BIGNUM *p;
 323     int p_size;
 324
 325     DH_get0_pqg(dh, &p, NULL, NULL);
 326     DH_get0_key(dh, &pubkey, NULL);
 327     if (p == NULL || pubkey == NULL
 328             || (p_size = BN_num_bytes(p)) == 0
 329             || BN_num_bytes(pubkey) == 0) {
 330         DHerr(DH_F_DH_KEY2BUF, DH_R_INVALID_PUBKEY);
 331         return 0;
 332     }
 333     if ((pbuf = OPENSSL_malloc(p_size)) == NULL) {
 334         DHerr(DH_F_DH_KEY2BUF, ERR_R_MALLOC_FAILURE);
 335         return 0;
 336     }
 337     /*
 338      * As per Section 4.2.8.1 of RFC 8446 left pad public
 339      * key with zeros to the size of p
 340      */
 341     if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
 342         OPENSSL_free(pbuf);
 343         DHerr(DH_F_DH_KEY2BUF, DH_R_BN_ERROR);
 344         return 0;
 345     }
 346     *pbuf_out = pbuf;
 347     return p_size;
 348 }
 349 #endif /* FIPS_MODE */