dh_check.c 10.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360
  1. /*
  2. * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * DH low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdio.h>
  15. #include "internal/cryptlib.h"
  16. #include <openssl/bn.h>
  17. #include "dh_local.h"
  18. #include "crypto/dh.h"
  19. /*-
  20. * Check that p and g are suitable enough
  21. *
  22. * p is odd
  23. * 1 < g < p - 1
  24. */
  25. int DH_check_params_ex(const DH *dh)
  26. {
  27. int errflags = 0;
  28. if (!DH_check_params(dh, &errflags))
  29. return 0;
  30. if ((errflags & DH_CHECK_P_NOT_PRIME) != 0)
  31. ERR_raise(ERR_LIB_DH, DH_R_CHECK_P_NOT_PRIME);
  32. if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0)
  33. ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR);
  34. if ((errflags & DH_MODULUS_TOO_SMALL) != 0)
  35. ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
  36. if ((errflags & DH_MODULUS_TOO_LARGE) != 0)
  37. ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
  38. return errflags == 0;
  39. }
  40. #ifdef FIPS_MODULE
  41. int DH_check_params(const DH *dh, int *ret)
  42. {
  43. int nid;
  44. *ret = 0;
  45. /*
  46. * SP800-56A R3 Section 5.5.2 Assurances of Domain Parameter Validity
  47. * (1a) The domain parameters correspond to any approved safe prime group.
  48. */
  49. nid = DH_get_nid((DH *)dh);
  50. if (nid != NID_undef)
  51. return 1;
  52. /*
  53. * OR
  54. * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
  55. * validity tests.
  56. */
  57. return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
  58. FFC_PARAM_TYPE_DH, ret, NULL);
  59. }
  60. #else
  61. int DH_check_params(const DH *dh, int *ret)
  62. {
  63. int ok = 0;
  64. BIGNUM *tmp = NULL;
  65. BN_CTX *ctx = NULL;
  66. *ret = 0;
  67. ctx = BN_CTX_new_ex(dh->libctx);
  68. if (ctx == NULL)
  69. goto err;
  70. BN_CTX_start(ctx);
  71. tmp = BN_CTX_get(ctx);
  72. if (tmp == NULL)
  73. goto err;
  74. if (!BN_is_odd(dh->params.p))
  75. *ret |= DH_CHECK_P_NOT_PRIME;
  76. if (BN_is_negative(dh->params.g)
  77. || BN_is_zero(dh->params.g)
  78. || BN_is_one(dh->params.g))
  79. *ret |= DH_NOT_SUITABLE_GENERATOR;
  80. if (BN_copy(tmp, dh->params.p) == NULL || !BN_sub_word(tmp, 1))
  81. goto err;
  82. if (BN_cmp(dh->params.g, tmp) >= 0)
  83. *ret |= DH_NOT_SUITABLE_GENERATOR;
  84. if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS)
  85. *ret |= DH_MODULUS_TOO_SMALL;
  86. if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS)
  87. *ret |= DH_MODULUS_TOO_LARGE;
  88. ok = 1;
  89. err:
  90. BN_CTX_end(ctx);
  91. BN_CTX_free(ctx);
  92. return ok;
  93. }
  94. #endif /* FIPS_MODULE */
  95. /*-
  96. * Check that p is a safe prime and
  97. * g is a suitable generator.
  98. */
  99. int DH_check_ex(const DH *dh)
  100. {
  101. int errflags = 0;
  102. if (!DH_check(dh, &errflags))
  103. return 0;
  104. if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0)
  105. ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR);
  106. if ((errflags & DH_CHECK_Q_NOT_PRIME) != 0)
  107. ERR_raise(ERR_LIB_DH, DH_R_CHECK_Q_NOT_PRIME);
  108. if ((errflags & DH_CHECK_INVALID_Q_VALUE) != 0)
  109. ERR_raise(ERR_LIB_DH, DH_R_CHECK_INVALID_Q_VALUE);
  110. if ((errflags & DH_CHECK_INVALID_J_VALUE) != 0)
  111. ERR_raise(ERR_LIB_DH, DH_R_CHECK_INVALID_J_VALUE);
  112. if ((errflags & DH_UNABLE_TO_CHECK_GENERATOR) != 0)
  113. ERR_raise(ERR_LIB_DH, DH_R_UNABLE_TO_CHECK_GENERATOR);
  114. if ((errflags & DH_CHECK_P_NOT_PRIME) != 0)
  115. ERR_raise(ERR_LIB_DH, DH_R_CHECK_P_NOT_PRIME);
  116. if ((errflags & DH_CHECK_P_NOT_SAFE_PRIME) != 0)
  117. ERR_raise(ERR_LIB_DH, DH_R_CHECK_P_NOT_SAFE_PRIME);
  118. if ((errflags & DH_MODULUS_TOO_SMALL) != 0)
  119. ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
  120. if ((errflags & DH_MODULUS_TOO_LARGE) != 0)
  121. ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
  122. return errflags == 0;
  123. }
  124. /* Note: according to documentation - this only checks the params */
  125. int DH_check(const DH *dh, int *ret)
  126. {
  127. #ifdef FIPS_MODULE
  128. return DH_check_params(dh, ret);
  129. #else
  130. int ok = 0, r, q_good = 0;
  131. BN_CTX *ctx = NULL;
  132. BIGNUM *t1 = NULL, *t2 = NULL;
  133. int nid = DH_get_nid((DH *)dh);
  134. *ret = 0;
  135. if (nid != NID_undef)
  136. return 1;
  137. /* Don't do any checks at all with an excessively large modulus */
  138. if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
  139. ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
  140. *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME;
  141. return 0;
  142. }
  143. if (!DH_check_params(dh, ret))
  144. return 0;
  145. ctx = BN_CTX_new_ex(dh->libctx);
  146. if (ctx == NULL)
  147. goto err;
  148. BN_CTX_start(ctx);
  149. t1 = BN_CTX_get(ctx);
  150. t2 = BN_CTX_get(ctx);
  151. if (t2 == NULL)
  152. goto err;
  153. if (dh->params.q != NULL) {
  154. if (BN_ucmp(dh->params.p, dh->params.q) > 0)
  155. q_good = 1;
  156. else
  157. *ret |= DH_CHECK_INVALID_Q_VALUE;
  158. }
  159. if (q_good) {
  160. if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
  161. *ret |= DH_NOT_SUITABLE_GENERATOR;
  162. else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
  163. *ret |= DH_NOT_SUITABLE_GENERATOR;
  164. else {
  165. /* Check g^q == 1 mod p */
  166. if (!BN_mod_exp(t1, dh->params.g, dh->params.q, dh->params.p, ctx))
  167. goto err;
  168. if (!BN_is_one(t1))
  169. *ret |= DH_NOT_SUITABLE_GENERATOR;
  170. }
  171. r = BN_check_prime(dh->params.q, ctx, NULL);
  172. if (r < 0)
  173. goto err;
  174. if (!r)
  175. *ret |= DH_CHECK_Q_NOT_PRIME;
  176. /* Check p == 1 mod q i.e. q divides p - 1 */
  177. if (!BN_div(t1, t2, dh->params.p, dh->params.q, ctx))
  178. goto err;
  179. if (!BN_is_one(t2))
  180. *ret |= DH_CHECK_INVALID_Q_VALUE;
  181. if (dh->params.j != NULL
  182. && BN_cmp(dh->params.j, t1))
  183. *ret |= DH_CHECK_INVALID_J_VALUE;
  184. }
  185. r = BN_check_prime(dh->params.p, ctx, NULL);
  186. if (r < 0)
  187. goto err;
  188. if (!r)
  189. *ret |= DH_CHECK_P_NOT_PRIME;
  190. else if (dh->params.q == NULL) {
  191. if (!BN_rshift1(t1, dh->params.p))
  192. goto err;
  193. r = BN_check_prime(t1, ctx, NULL);
  194. if (r < 0)
  195. goto err;
  196. if (!r)
  197. *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
  198. }
  199. ok = 1;
  200. err:
  201. BN_CTX_end(ctx);
  202. BN_CTX_free(ctx);
  203. return ok;
  204. #endif /* FIPS_MODULE */
  205. }
  206. int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
  207. {
  208. int errflags = 0;
  209. if (!DH_check_pub_key(dh, pub_key, &errflags))
  210. return 0;
  211. if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0)
  212. ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_TOO_SMALL);
  213. if ((errflags & DH_CHECK_PUBKEY_TOO_LARGE) != 0)
  214. ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_TOO_LARGE);
  215. if ((errflags & DH_CHECK_PUBKEY_INVALID) != 0)
  216. ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
  217. return errflags == 0;
  218. }
  219. /*
  220. * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation.
  221. */
  222. int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
  223. {
  224. /* Don't do any checks at all with an excessively large modulus */
  225. if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
  226. ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
  227. *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
  228. return 0;
  229. }
  230. if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
  231. *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
  232. return 1;
  233. }
  234. return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
  235. }
  236. /*
  237. * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation.
  238. * To only be used with ephemeral FFC public keys generated using the approved
  239. * safe-prime groups.
  240. */
  241. int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret)
  242. {
  243. return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret)
  244. && *ret == 0;
  245. }
  246. int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret)
  247. {
  248. int ok = 0;
  249. BIGNUM *two_powN = NULL, *upper;
  250. *ret = 0;
  251. two_powN = BN_new();
  252. if (two_powN == NULL)
  253. return 0;
  254. if (dh->params.q != NULL) {
  255. upper = dh->params.q;
  256. #ifndef FIPS_MODULE
  257. } else if (dh->params.p != NULL) {
  258. /*
  259. * We do not have q so we just check the key is within some
  260. * reasonable range, or the number of bits is equal to dh->length.
  261. */
  262. int length = dh->length;
  263. if (length == 0) {
  264. length = BN_num_bits(dh->params.p) - 1;
  265. if (BN_num_bits(priv_key) <= length
  266. && BN_num_bits(priv_key) > 1)
  267. ok = 1;
  268. } else if (BN_num_bits(priv_key) == length) {
  269. ok = 1;
  270. }
  271. goto end;
  272. #endif
  273. } else {
  274. goto end;
  275. }
  276. /* Is it from an approved Safe prime group ?*/
  277. if (DH_get_nid((DH *)dh) != NID_undef && dh->length != 0) {
  278. if (!BN_lshift(two_powN, BN_value_one(), dh->length))
  279. goto end;
  280. if (BN_cmp(two_powN, dh->params.q) < 0)
  281. upper = two_powN;
  282. }
  283. if (!ossl_ffc_validate_private_key(upper, priv_key, ret))
  284. goto end;
  285. ok = 1;
  286. end:
  287. BN_free(two_powN);
  288. return ok;
  289. }
  290. /*
  291. * FFC pairwise check from SP800-56A R3.
  292. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
  293. */
  294. int ossl_dh_check_pairwise(const DH *dh)
  295. {
  296. int ret = 0;
  297. BN_CTX *ctx = NULL;
  298. BIGNUM *pub_key = NULL;
  299. if (dh->params.p == NULL
  300. || dh->params.g == NULL
  301. || dh->priv_key == NULL
  302. || dh->pub_key == NULL)
  303. return 0;
  304. ctx = BN_CTX_new_ex(dh->libctx);
  305. if (ctx == NULL)
  306. goto err;
  307. pub_key = BN_new();
  308. if (pub_key == NULL)
  309. goto err;
  310. /* recalculate the public key = (g ^ priv) mod p */
  311. if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key))
  312. goto err;
  313. /* check it matches the existing pubic_key */
  314. ret = BN_cmp(pub_key, dh->pub_key) == 0;
  315. err:
  316. BN_free(pub_key);
  317. BN_CTX_free(ctx);
  318. return ret;
  319. }