dh_check.c 6.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233
  1. /*
  2. * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/bn.h>
  12. #include "dh_locl.h"
  13. /*-
  14. * Check that p and g are suitable enough
  15. *
  16. * p is odd
  17. * 1 < g < p - 1
  18. */
  19. int DH_check_params_ex(const DH *dh)
  20. {
  21. int errflags = 0;
  22. (void)DH_check_params(dh, &errflags);
  23. if ((errflags & DH_CHECK_P_NOT_PRIME) != 0)
  24. DHerr(DH_F_DH_CHECK_PARAMS_EX, DH_R_CHECK_P_NOT_PRIME);
  25. if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0)
  26. DHerr(DH_F_DH_CHECK_PARAMS_EX, DH_R_NOT_SUITABLE_GENERATOR);
  27. return errflags == 0;
  28. }
  29. int DH_check_params(const DH *dh, int *ret)
  30. {
  31. int ok = 0;
  32. BIGNUM *tmp = NULL;
  33. BN_CTX *ctx = NULL;
  34. *ret = 0;
  35. ctx = BN_CTX_new();
  36. if (ctx == NULL)
  37. goto err;
  38. BN_CTX_start(ctx);
  39. tmp = BN_CTX_get(ctx);
  40. if (tmp == NULL)
  41. goto err;
  42. if (!BN_is_odd(dh->p))
  43. *ret |= DH_CHECK_P_NOT_PRIME;
  44. if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || BN_is_one(dh->g))
  45. *ret |= DH_NOT_SUITABLE_GENERATOR;
  46. if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
  47. goto err;
  48. if (BN_cmp(dh->g, tmp) >= 0)
  49. *ret |= DH_NOT_SUITABLE_GENERATOR;
  50. ok = 1;
  51. err:
  52. if (ctx != NULL) {
  53. BN_CTX_end(ctx);
  54. BN_CTX_free(ctx);
  55. }
  56. return ok;
  57. }
  58. /*-
  59. * Check that p is a safe prime and
  60. * if g is 2, 3 or 5, check that it is a suitable generator
  61. * where
  62. * for 2, p mod 24 == 11
  63. * for 3, p mod 12 == 5
  64. * for 5, p mod 10 == 3 or 7
  65. * should hold.
  66. */
  67. int DH_check_ex(const DH *dh)
  68. {
  69. int errflags = 0;
  70. (void)DH_check(dh, &errflags);
  71. if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0)
  72. DHerr(DH_F_DH_CHECK_EX, DH_R_NOT_SUITABLE_GENERATOR);
  73. if ((errflags & DH_CHECK_Q_NOT_PRIME) != 0)
  74. DHerr(DH_F_DH_CHECK_EX, DH_R_CHECK_Q_NOT_PRIME);
  75. if ((errflags & DH_CHECK_INVALID_Q_VALUE) != 0)
  76. DHerr(DH_F_DH_CHECK_EX, DH_R_CHECK_INVALID_Q_VALUE);
  77. if ((errflags & DH_CHECK_INVALID_J_VALUE) != 0)
  78. DHerr(DH_F_DH_CHECK_EX, DH_R_CHECK_INVALID_J_VALUE);
  79. if ((errflags & DH_UNABLE_TO_CHECK_GENERATOR) != 0)
  80. DHerr(DH_F_DH_CHECK_EX, DH_R_UNABLE_TO_CHECK_GENERATOR);
  81. if ((errflags & DH_CHECK_P_NOT_PRIME) != 0)
  82. DHerr(DH_F_DH_CHECK_EX, DH_R_CHECK_P_NOT_PRIME);
  83. if ((errflags & DH_CHECK_P_NOT_SAFE_PRIME) != 0)
  84. DHerr(DH_F_DH_CHECK_EX, DH_R_CHECK_P_NOT_SAFE_PRIME);
  85. return errflags == 0;
  86. }
  87. int DH_check(const DH *dh, int *ret)
  88. {
  89. int ok = 0, r;
  90. BN_CTX *ctx = NULL;
  91. BN_ULONG l;
  92. BIGNUM *t1 = NULL, *t2 = NULL;
  93. *ret = 0;
  94. ctx = BN_CTX_new();
  95. if (ctx == NULL)
  96. goto err;
  97. BN_CTX_start(ctx);
  98. t1 = BN_CTX_get(ctx);
  99. t2 = BN_CTX_get(ctx);
  100. if (t2 == NULL)
  101. goto err;
  102. if (dh->q) {
  103. if (BN_cmp(dh->g, BN_value_one()) <= 0)
  104. *ret |= DH_NOT_SUITABLE_GENERATOR;
  105. else if (BN_cmp(dh->g, dh->p) >= 0)
  106. *ret |= DH_NOT_SUITABLE_GENERATOR;
  107. else {
  108. /* Check g^q == 1 mod p */
  109. if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
  110. goto err;
  111. if (!BN_is_one(t1))
  112. *ret |= DH_NOT_SUITABLE_GENERATOR;
  113. }
  114. r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
  115. if (r < 0)
  116. goto err;
  117. if (!r)
  118. *ret |= DH_CHECK_Q_NOT_PRIME;
  119. /* Check p == 1 mod q i.e. q divides p - 1 */
  120. if (!BN_div(t1, t2, dh->p, dh->q, ctx))
  121. goto err;
  122. if (!BN_is_one(t2))
  123. *ret |= DH_CHECK_INVALID_Q_VALUE;
  124. if (dh->j && BN_cmp(dh->j, t1))
  125. *ret |= DH_CHECK_INVALID_J_VALUE;
  126. } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
  127. l = BN_mod_word(dh->p, 24);
  128. if (l == (BN_ULONG)-1)
  129. goto err;
  130. if (l != 11)
  131. *ret |= DH_NOT_SUITABLE_GENERATOR;
  132. } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
  133. l = BN_mod_word(dh->p, 10);
  134. if (l == (BN_ULONG)-1)
  135. goto err;
  136. if ((l != 3) && (l != 7))
  137. *ret |= DH_NOT_SUITABLE_GENERATOR;
  138. } else
  139. *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
  140. r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
  141. if (r < 0)
  142. goto err;
  143. if (!r)
  144. *ret |= DH_CHECK_P_NOT_PRIME;
  145. else if (!dh->q) {
  146. if (!BN_rshift1(t1, dh->p))
  147. goto err;
  148. r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
  149. if (r < 0)
  150. goto err;
  151. if (!r)
  152. *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
  153. }
  154. ok = 1;
  155. err:
  156. if (ctx != NULL) {
  157. BN_CTX_end(ctx);
  158. BN_CTX_free(ctx);
  159. }
  160. return ok;
  161. }
  162. int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
  163. {
  164. int errflags = 0;
  165. (void)DH_check(dh, &errflags);
  166. if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0)
  167. DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_TOO_SMALL);
  168. if ((errflags & DH_CHECK_PUBKEY_TOO_LARGE) != 0)
  169. DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_TOO_LARGE);
  170. if ((errflags & DH_CHECK_PUBKEY_INVALID) != 0)
  171. DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_INVALID);
  172. return errflags == 0;
  173. }
  174. int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
  175. {
  176. int ok = 0;
  177. BIGNUM *tmp = NULL;
  178. BN_CTX *ctx = NULL;
  179. *ret = 0;
  180. ctx = BN_CTX_new();
  181. if (ctx == NULL)
  182. goto err;
  183. BN_CTX_start(ctx);
  184. tmp = BN_CTX_get(ctx);
  185. if (tmp == NULL || !BN_set_word(tmp, 1))
  186. goto err;
  187. if (BN_cmp(pub_key, tmp) <= 0)
  188. *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
  189. if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
  190. goto err;
  191. if (BN_cmp(pub_key, tmp) >= 0)
  192. *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
  193. if (dh->q != NULL) {
  194. /* Check pub_key^q == 1 mod p */
  195. if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
  196. goto err;
  197. if (!BN_is_one(tmp))
  198. *ret |= DH_CHECK_PUBKEY_INVALID;
  199. }
  200. ok = 1;
  201. err:
  202. if (ctx != NULL) {
  203. BN_CTX_end(ctx);
  204. BN_CTX_free(ctx);
  205. }
  206. return ok;
  207. }