Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/fipsmodule/dh/check.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
 * All rights reserved.
3
 *
4
 * This package is an SSL implementation written
5
 * by Eric Young (eay@cryptsoft.com).
6
 * The implementation was written so as to conform with Netscapes SSL.
7
 *
8
 * This library is free for commercial and non-commercial use as long as
9
 * the following conditions are aheared to.  The following conditions
10
 * apply to all code found in this distribution, be it the RC4, RSA,
11
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12
 * included with this distribution is covered by the same copyright terms
13
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
 *
15
 * Copyright remains Eric Young's, and as such any Copyright notices in
16
 * the code are not to be removed.
17
 * If this package is used in a product, Eric Young should be given attribution
18
 * as the author of the parts of the library used.
19
 * This can be in the form of a textual message at program startup or
20
 * in documentation (online or textual) provided with the package.
21
 *
22
 * Redistribution and use in source and binary forms, with or without
23
 * modification, are permitted provided that the following conditions
24
 * are met:
25
 * 1. Redistributions of source code must retain the copyright
26
 *    notice, this list of conditions and the following disclaimer.
27
 * 2. Redistributions in binary form must reproduce the above copyright
28
 *    notice, this list of conditions and the following disclaimer in the
29
 *    documentation and/or other materials provided with the distribution.
30
 * 3. All advertising materials mentioning features or use of this software
31
 *    must display the following acknowledgement:
32
 *    "This product includes cryptographic software written by
33
 *     Eric Young (eay@cryptsoft.com)"
34
 *    The word 'cryptographic' can be left out if the rouines from the library
35
 *    being used are not cryptographic related :-).
36
 * 4. If you include any Windows specific code (or a derivative thereof) from
37
 *    the apps directory (application code) you must include an acknowledgement:
38
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
 *
40
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
 * SUCH DAMAGE.
51
 *
52
 * The licence and distribution terms for any publically available version or
53
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
54
 * copied and put under another distribution licence
55
 * [including the GNU Public Licence.] */
56
57
#include <openssl/dh.h>
58
59
#include <openssl/bn.h>
60
#include <openssl/err.h>
61
62
#include "internal.h"
63
64
65
151
int dh_check_params_fast(const DH *dh) {
66
  // Most operations scale with p and q.
67
151
  if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) ||
68
151
      BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
69
20
    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);
70
20
    return 0;
71
20
  }
72
73
  // q must be bounded by p.
74
131
  if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) {
75
0
    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);
76
0
    return 0;
77
0
  }
78
79
  // g must be an element of p's multiplicative group.
80
131
  if (BN_is_negative(dh->g) || BN_is_zero(dh->g) ||
81
131
      BN_ucmp(dh->g, dh->p) >= 0) {
82
18
    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);
83
18
    return 0;
84
18
  }
85
86
113
  return 1;
87
131
}
88
89
37
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) {
90
37
  *out_flags = 0;
91
37
  if (!dh_check_params_fast(dh)) {
92
0
    return 0;
93
0
  }
94
95
37
  BN_CTX *ctx = BN_CTX_new();
96
37
  if (ctx == NULL) {
97
0
    return 0;
98
0
  }
99
37
  BN_CTX_start(ctx);
100
101
37
  int ok = 0;
102
103
  // Check |pub_key| is greater than 1.
104
37
  if (BN_cmp(pub_key, BN_value_one()) <= 0) {
105
5
    *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL;
106
5
  }
107
108
  // Check |pub_key| is less than |dh->p| - 1.
109
37
  BIGNUM *tmp = BN_CTX_get(ctx);
110
37
  if (tmp == NULL ||
111
37
      !BN_copy(tmp, dh->p) ||
112
37
      !BN_sub_word(tmp, 1)) {
113
0
    goto err;
114
0
  }
115
37
  if (BN_cmp(pub_key, tmp) >= 0) {
116
12
    *out_flags |= DH_CHECK_PUBKEY_TOO_LARGE;
117
12
  }
118
119
37
  if (dh->q != NULL) {
120
    // Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
121
    // groups which are not safe primes but pick a generator on a prime-order
122
    // subgroup of size |dh->q|.
123
0
    if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) {
124
0
      goto err;
125
0
    }
126
0
    if (!BN_is_one(tmp)) {
127
0
      *out_flags |= DH_CHECK_PUBKEY_INVALID;
128
0
    }
129
0
  }
130
131
37
  ok = 1;
132
133
37
err:
134
37
  BN_CTX_end(ctx);
135
37
  BN_CTX_free(ctx);
136
37
  return ok;
137
37
}
138
139
140
0
int DH_check(const DH *dh, int *out_flags) {
141
0
  *out_flags = 0;
142
0
  if (!dh_check_params_fast(dh)) {
143
0
    return 0;
144
0
  }
145
146
  // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
147
  // suitable generator where:
148
  //   for 2, p mod 24 == 11
149
  //   for 3, p mod 12 == 5
150
  //   for 5, p mod 10 == 3 or 7
151
  // should hold.
152
0
  int ok = 0, r;
153
0
  BN_CTX *ctx = NULL;
154
0
  BN_ULONG l;
155
0
  BIGNUM *t1 = NULL, *t2 = NULL;
156
157
0
  ctx = BN_CTX_new();
158
0
  if (ctx == NULL) {
159
0
    goto err;
160
0
  }
161
0
  BN_CTX_start(ctx);
162
0
  t1 = BN_CTX_get(ctx);
163
0
  if (t1 == NULL) {
164
0
    goto err;
165
0
  }
166
0
  t2 = BN_CTX_get(ctx);
167
0
  if (t2 == NULL) {
168
0
    goto err;
169
0
  }
170
171
0
  if (dh->q) {
172
0
    if (BN_cmp(dh->g, BN_value_one()) <= 0) {
173
0
      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
174
0
    } else if (BN_cmp(dh->g, dh->p) >= 0) {
175
0
      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
176
0
    } else {
177
      // Check g^q == 1 mod p
178
0
      if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) {
179
0
        goto err;
180
0
      }
181
0
      if (!BN_is_one(t1)) {
182
0
        *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
183
0
      }
184
0
    }
185
0
    r = BN_is_prime_ex(dh->q, BN_prime_checks_for_validation, ctx, NULL);
186
0
    if (r < 0) {
187
0
      goto err;
188
0
    }
189
0
    if (!r) {
190
0
      *out_flags |= DH_CHECK_Q_NOT_PRIME;
191
0
    }
192
    // Check p == 1 mod q  i.e. q divides p - 1
193
0
    if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
194
0
      goto err;
195
0
    }
196
0
    if (!BN_is_one(t2)) {
197
0
      *out_flags |= DH_CHECK_INVALID_Q_VALUE;
198
0
    }
199
0
  } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
200
0
    l = BN_mod_word(dh->p, 24);
201
0
    if (l == (BN_ULONG)-1) {
202
0
      goto err;
203
0
    }
204
0
    if (l != 11) {
205
0
      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
206
0
    }
207
0
  } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
208
0
    l = BN_mod_word(dh->p, 10);
209
0
    if (l == (BN_ULONG)-1) {
210
0
      goto err;
211
0
    }
212
0
    if (l != 3 && l != 7) {
213
0
      *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
214
0
    }
215
0
  } else {
216
0
    *out_flags |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;
217
0
  }
218
219
0
  r = BN_is_prime_ex(dh->p, BN_prime_checks_for_validation, ctx, NULL);
220
0
  if (r < 0) {
221
0
    goto err;
222
0
  }
223
0
  if (!r) {
224
0
    *out_flags |= DH_CHECK_P_NOT_PRIME;
225
0
  } else if (!dh->q) {
226
0
    if (!BN_rshift1(t1, dh->p)) {
227
0
      goto err;
228
0
    }
229
0
    r = BN_is_prime_ex(t1, BN_prime_checks_for_validation, ctx, NULL);
230
0
    if (r < 0) {
231
0
      goto err;
232
0
    }
233
0
    if (!r) {
234
0
      *out_flags |= DH_CHECK_P_NOT_SAFE_PRIME;
235
0
    }
236
0
  }
237
0
  ok = 1;
238
239
0
err:
240
0
  if (ctx != NULL) {
241
0
    BN_CTX_end(ctx);
242
0
    BN_CTX_free(ctx);
243
0
  }
244
0
  return ok;
245
0
}