1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * DH low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include "dh_local.h"
19 #include "crypto/bn.h"
20 #include "crypto/dh.h"
21 #include "crypto/security_bits.h"
22
23 #ifdef FIPS_MODULE
24 # define MIN_STRENGTH 112
25 #else
26 # define MIN_STRENGTH 80
27 #endif
28
29 static int generate_key(DH *dh);
30 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
31 const BIGNUM *a, const BIGNUM *p,
32 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
33 static int dh_init(DH *dh);
34 static int dh_finish(DH *dh);
35
36 /*
37 * See SP800-56Ar3 Section 5.7.1.1
38 * Finite Field Cryptography Diffie-Hellman (FFC DH) Primitive
39 */
ossl_dh_compute_key(unsigned char * key,const BIGNUM * pub_key,DH * dh)40 int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
41 {
42 BN_CTX *ctx = NULL;
43 BN_MONT_CTX *mont = NULL;
44 BIGNUM *z = NULL, *pminus1;
45 int ret = -1;
46
47 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
48 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
49 goto err;
50 }
51
52 if (dh->params.q != NULL
53 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
54 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
55 goto err;
56 }
57
58 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
59 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
60 return 0;
61 }
62
63 ctx = BN_CTX_new_ex(dh->libctx);
64 if (ctx == NULL)
65 goto err;
66 BN_CTX_start(ctx);
67 pminus1 = BN_CTX_get(ctx);
68 z = BN_CTX_get(ctx);
69 if (z == NULL)
70 goto err;
71
72 if (dh->priv_key == NULL) {
73 ERR_raise(ERR_LIB_DH, DH_R_NO_PRIVATE_VALUE);
74 goto err;
75 }
76
77 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
78 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
79 dh->lock, dh->params.p, ctx);
80 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
81 if (!mont)
82 goto err;
83 }
84
85 /* (Step 1) Z = pub_key^priv_key mod p */
86 if (!dh->meth->bn_mod_exp(dh, z, pub_key, dh->priv_key, dh->params.p, ctx,
87 mont)) {
88 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
89 goto err;
90 }
91
92 /* (Step 2) Error if z <= 1 or z = p - 1 */
93 if (BN_copy(pminus1, dh->params.p) == NULL
94 || !BN_sub_word(pminus1, 1)
95 || BN_cmp(z, BN_value_one()) <= 0
96 || BN_cmp(z, pminus1) == 0) {
97 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SECRET);
98 goto err;
99 }
100
101 /* return the padded key, i.e. same number of bytes as the modulus */
102 ret = BN_bn2binpad(z, key, BN_num_bytes(dh->params.p));
103 err:
104 BN_clear(z); /* (Step 2) destroy intermediate values */
105 BN_CTX_end(ctx);
106 BN_CTX_free(ctx);
107 return ret;
108 }
109
110 /*-
111 * NB: This function is inherently not constant time due to the
112 * RFC 5246 (8.1.2) padding style that strips leading zero bytes.
113 */
DH_compute_key(unsigned char * key,const BIGNUM * pub_key,DH * dh)114 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
115 {
116 int ret = 0, i;
117 volatile size_t npad = 0, mask = 1;
118
119 /* compute the key; ret is constant unless compute_key is external */
120 #ifdef FIPS_MODULE
121 ret = ossl_dh_compute_key(key, pub_key, dh);
122 #else
123 ret = dh->meth->compute_key(key, pub_key, dh);
124 #endif
125 if (ret <= 0)
126 return ret;
127
128 /* count leading zero bytes, yet still touch all bytes */
129 for (i = 0; i < ret; i++) {
130 mask &= !key[i];
131 npad += mask;
132 }
133
134 /* unpad key */
135 ret -= npad;
136 /* key-dependent memory access, potentially leaking npad / ret */
137 memmove(key, key + npad, ret);
138 /* key-dependent memory access, potentially leaking npad / ret */
139 memset(key + ret, 0, npad);
140
141 return ret;
142 }
143
DH_compute_key_padded(unsigned char * key,const BIGNUM * pub_key,DH * dh)144 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
145 {
146 int rv, pad;
147
148 /* rv is constant unless compute_key is external */
149 #ifdef FIPS_MODULE
150 rv = ossl_dh_compute_key(key, pub_key, dh);
151 #else
152 rv = dh->meth->compute_key(key, pub_key, dh);
153 #endif
154 if (rv <= 0)
155 return rv;
156 pad = BN_num_bytes(dh->params.p) - rv;
157 /* pad is constant (zero) unless compute_key is external */
158 if (pad > 0) {
159 memmove(key + pad, key, rv);
160 memset(key, 0, pad);
161 }
162 return rv + pad;
163 }
164
165 static DH_METHOD dh_ossl = {
166 "OpenSSL DH Method",
167 generate_key,
168 ossl_dh_compute_key,
169 dh_bn_mod_exp,
170 dh_init,
171 dh_finish,
172 DH_FLAG_FIPS_METHOD,
173 NULL,
174 NULL
175 };
176
177 static const DH_METHOD *default_DH_method = &dh_ossl;
178
DH_OpenSSL(void)179 const DH_METHOD *DH_OpenSSL(void)
180 {
181 return &dh_ossl;
182 }
183
DH_get_default_method(void)184 const DH_METHOD *DH_get_default_method(void)
185 {
186 return default_DH_method;
187 }
188
dh_bn_mod_exp(const DH * dh,BIGNUM * r,const BIGNUM * a,const BIGNUM * p,const BIGNUM * m,BN_CTX * ctx,BN_MONT_CTX * m_ctx)189 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
190 const BIGNUM *a, const BIGNUM *p,
191 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
192 {
193 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
194 }
195
dh_init(DH * dh)196 static int dh_init(DH *dh)
197 {
198 dh->flags |= DH_FLAG_CACHE_MONT_P;
199 ossl_ffc_params_init(&dh->params);
200 dh->dirty_cnt++;
201 return 1;
202 }
203
dh_finish(DH * dh)204 static int dh_finish(DH *dh)
205 {
206 BN_MONT_CTX_free(dh->method_mont_p);
207 return 1;
208 }
209
210 #ifndef FIPS_MODULE
DH_set_default_method(const DH_METHOD * meth)211 void DH_set_default_method(const DH_METHOD *meth)
212 {
213 default_DH_method = meth;
214 }
215 #endif /* FIPS_MODULE */
216
DH_generate_key(DH * dh)217 int DH_generate_key(DH *dh)
218 {
219 #ifdef FIPS_MODULE
220 return generate_key(dh);
221 #else
222 return dh->meth->generate_key(dh);
223 #endif
224 }
225
ossl_dh_generate_public_key(BN_CTX * ctx,const DH * dh,const BIGNUM * priv_key,BIGNUM * pub_key)226 int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh,
227 const BIGNUM *priv_key, BIGNUM *pub_key)
228 {
229 int ret = 0;
230 BIGNUM *prk = BN_new();
231 BN_MONT_CTX *mont = NULL;
232
233 if (prk == NULL)
234 return 0;
235
236 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
237 /*
238 * We take the input DH as const, but we lie, because in some cases we
239 * want to get a hold of its Montgomery context.
240 *
241 * We cast to remove the const qualifier in this case, it should be
242 * fine...
243 */
244 BN_MONT_CTX **pmont = (BN_MONT_CTX **)&dh->method_mont_p;
245
246 mont = BN_MONT_CTX_set_locked(pmont, dh->lock, dh->params.p, ctx);
247 if (mont == NULL)
248 goto err;
249 }
250 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
251
252 /* pub_key = g^priv_key mod p */
253 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
254 ctx, mont))
255 goto err;
256 ret = 1;
257 err:
258 BN_clear_free(prk);
259 return ret;
260 }
261
generate_key(DH * dh)262 static int generate_key(DH *dh)
263 {
264 int ok = 0;
265 int generate_new_key = 0;
266 #ifndef FIPS_MODULE
267 unsigned l;
268 #endif
269 BN_CTX *ctx = NULL;
270 BIGNUM *pub_key = NULL, *priv_key = NULL;
271
272 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
273 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
274 return 0;
275 }
276
277 if (dh->params.q != NULL
278 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
279 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
280 return 0;
281 }
282
283 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
284 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
285 return 0;
286 }
287
288 ctx = BN_CTX_new_ex(dh->libctx);
289 if (ctx == NULL)
290 goto err;
291
292 if (dh->priv_key == NULL) {
293 priv_key = BN_secure_new();
294 if (priv_key == NULL)
295 goto err;
296 generate_new_key = 1;
297 } else {
298 priv_key = dh->priv_key;
299 }
300
301 if (dh->pub_key == NULL) {
302 pub_key = BN_new();
303 if (pub_key == NULL)
304 goto err;
305 } else {
306 pub_key = dh->pub_key;
307 }
308 if (generate_new_key) {
309 /* Is it an approved safe prime ?*/
310 if (DH_get_nid(dh) != NID_undef) {
311 int max_strength =
312 ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));
313
314 if (dh->params.q == NULL
315 || dh->length > BN_num_bits(dh->params.q))
316 goto err;
317 /* dh->length = maximum bit length of generated private key */
318 if (!ossl_ffc_generate_private_key(ctx, &dh->params, dh->length,
319 max_strength, priv_key))
320 goto err;
321 } else {
322 #ifdef FIPS_MODULE
323 if (dh->params.q == NULL)
324 goto err;
325 #else
326 if (dh->params.q == NULL) {
327 /* secret exponent length, must satisfy 2^(l-1) <= p */
328 if (dh->length != 0
329 && dh->length >= BN_num_bits(dh->params.p))
330 goto err;
331 l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
332 if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
333 BN_RAND_BOTTOM_ANY, 0, ctx))
334 goto err;
335 /*
336 * We handle just one known case where g is a quadratic non-residue:
337 * for g = 2: p % 8 == 3
338 */
339 if (BN_is_word(dh->params.g, DH_GENERATOR_2)
340 && !BN_is_bit_set(dh->params.p, 2)) {
341 /* clear bit 0, since it won't be a secret anyway */
342 if (!BN_clear_bit(priv_key, 0))
343 goto err;
344 }
345 } else
346 #endif
347 {
348 /* Do a partial check for invalid p, q, g */
349 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
350 FFC_PARAM_TYPE_DH, NULL))
351 goto err;
352 /*
353 * For FFC FIPS 186-4 keygen
354 * security strength s = 112,
355 * Max Private key size N = len(q)
356 */
357 if (!ossl_ffc_generate_private_key(ctx, &dh->params,
358 BN_num_bits(dh->params.q),
359 MIN_STRENGTH,
360 priv_key))
361 goto err;
362 }
363 }
364 }
365
366 if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
367 goto err;
368
369 dh->pub_key = pub_key;
370 dh->priv_key = priv_key;
371 dh->dirty_cnt++;
372 ok = 1;
373 err:
374 if (ok != 1)
375 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
376
377 if (pub_key != dh->pub_key)
378 BN_free(pub_key);
379 if (priv_key != dh->priv_key)
380 BN_free(priv_key);
381 BN_CTX_free(ctx);
382 return ok;
383 }
384
ossl_dh_buf2key(DH * dh,const unsigned char * buf,size_t len)385 int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
386 {
387 int err_reason = DH_R_BN_ERROR;
388 BIGNUM *pubkey = NULL;
389 const BIGNUM *p;
390 int ret;
391
392 if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
393 goto err;
394 DH_get0_pqg(dh, &p, NULL, NULL);
395 if (p == NULL || BN_num_bytes(p) == 0) {
396 err_reason = DH_R_NO_PARAMETERS_SET;
397 goto err;
398 }
399 /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
400 if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
401 err_reason = DH_R_INVALID_PUBKEY;
402 goto err;
403 }
404 if (DH_set0_key(dh, pubkey, NULL) != 1)
405 goto err;
406 return 1;
407 err:
408 ERR_raise(ERR_LIB_DH, err_reason);
409 BN_free(pubkey);
410 return 0;
411 }
412
ossl_dh_key2buf(const DH * dh,unsigned char ** pbuf_out,size_t size,int alloc)413 size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size,
414 int alloc)
415 {
416 const BIGNUM *pubkey;
417 unsigned char *pbuf = NULL;
418 const BIGNUM *p;
419 int p_size;
420
421 DH_get0_pqg(dh, &p, NULL, NULL);
422 DH_get0_key(dh, &pubkey, NULL);
423 if (p == NULL || pubkey == NULL
424 || (p_size = BN_num_bytes(p)) == 0
425 || BN_num_bytes(pubkey) == 0) {
426 ERR_raise(ERR_LIB_DH, DH_R_INVALID_PUBKEY);
427 return 0;
428 }
429 if (pbuf_out != NULL && (alloc || *pbuf_out != NULL)) {
430 if (!alloc) {
431 if (size >= (size_t)p_size)
432 pbuf = *pbuf_out;
433 } else {
434 pbuf = OPENSSL_malloc(p_size);
435 }
436
437 if (pbuf == NULL) {
438 ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE);
439 return 0;
440 }
441 /*
442 * As per Section 4.2.8.1 of RFC 8446 left pad public
443 * key with zeros to the size of p
444 */
445 if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
446 if (alloc)
447 OPENSSL_free(pbuf);
448 ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR);
449 return 0;
450 }
451 *pbuf_out = pbuf;
452 }
453 return p_size;
454 }
455