/src/boringssl/crypto/fipsmodule/dh/check.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
2 | | * All rights reserved. |
3 | | * |
4 | | * This package is an SSL implementation written |
5 | | * by Eric Young (eay@cryptsoft.com). |
6 | | * The implementation was written so as to conform with Netscapes SSL. |
7 | | * |
8 | | * This library is free for commercial and non-commercial use as long as |
9 | | * the following conditions are aheared to. The following conditions |
10 | | * apply to all code found in this distribution, be it the RC4, RSA, |
11 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
12 | | * included with this distribution is covered by the same copyright terms |
13 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
14 | | * |
15 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
16 | | * the code are not to be removed. |
17 | | * If this package is used in a product, Eric Young should be given attribution |
18 | | * as the author of the parts of the library used. |
19 | | * This can be in the form of a textual message at program startup or |
20 | | * in documentation (online or textual) provided with the package. |
21 | | * |
22 | | * Redistribution and use in source and binary forms, with or without |
23 | | * modification, are permitted provided that the following conditions |
24 | | * are met: |
25 | | * 1. Redistributions of source code must retain the copyright |
26 | | * notice, this list of conditions and the following disclaimer. |
27 | | * 2. Redistributions in binary form must reproduce the above copyright |
28 | | * notice, this list of conditions and the following disclaimer in the |
29 | | * documentation and/or other materials provided with the distribution. |
30 | | * 3. All advertising materials mentioning features or use of this software |
31 | | * must display the following acknowledgement: |
32 | | * "This product includes cryptographic software written by |
33 | | * Eric Young (eay@cryptsoft.com)" |
34 | | * The word 'cryptographic' can be left out if the rouines from the library |
35 | | * being used are not cryptographic related :-). |
36 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
37 | | * the apps directory (application code) you must include an acknowledgement: |
38 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
39 | | * |
40 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
41 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
43 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
44 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
45 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
46 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
48 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
49 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
50 | | * SUCH DAMAGE. |
51 | | * |
52 | | * The licence and distribution terms for any publically available version or |
53 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
54 | | * copied and put under another distribution licence |
55 | | * [including the GNU Public Licence.] */ |
56 | | |
57 | | #include <openssl/dh.h> |
58 | | |
59 | | #include <openssl/bn.h> |
60 | | #include <openssl/err.h> |
61 | | |
62 | | #include "internal.h" |
63 | | |
64 | | |
65 | 151 | int dh_check_params_fast(const DH *dh) { |
66 | | // Most operations scale with p and q. |
67 | 151 | if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) || |
68 | 151 | BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { |
69 | 20 | OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); |
70 | 20 | return 0; |
71 | 20 | } |
72 | | |
73 | | // q must be bounded by p. |
74 | 131 | if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) { |
75 | 0 | OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); |
76 | 0 | return 0; |
77 | 0 | } |
78 | | |
79 | | // g must be an element of p's multiplicative group. |
80 | 131 | if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || |
81 | 131 | BN_ucmp(dh->g, dh->p) >= 0) { |
82 | 18 | OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); |
83 | 18 | return 0; |
84 | 18 | } |
85 | | |
86 | 113 | return 1; |
87 | 131 | } |
88 | | |
89 | 37 | int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { |
90 | 37 | *out_flags = 0; |
91 | 37 | if (!dh_check_params_fast(dh)) { |
92 | 0 | return 0; |
93 | 0 | } |
94 | | |
95 | 37 | BN_CTX *ctx = BN_CTX_new(); |
96 | 37 | if (ctx == NULL) { |
97 | 0 | return 0; |
98 | 0 | } |
99 | 37 | BN_CTX_start(ctx); |
100 | | |
101 | 37 | int ok = 0; |
102 | | |
103 | | // Check |pub_key| is greater than 1. |
104 | 37 | if (BN_cmp(pub_key, BN_value_one()) <= 0) { |
105 | 5 | *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL; |
106 | 5 | } |
107 | | |
108 | | // Check |pub_key| is less than |dh->p| - 1. |
109 | 37 | BIGNUM *tmp = BN_CTX_get(ctx); |
110 | 37 | if (tmp == NULL || |
111 | 37 | !BN_copy(tmp, dh->p) || |
112 | 37 | !BN_sub_word(tmp, 1)) { |
113 | 0 | goto err; |
114 | 0 | } |
115 | 37 | if (BN_cmp(pub_key, tmp) >= 0) { |
116 | 12 | *out_flags |= DH_CHECK_PUBKEY_TOO_LARGE; |
117 | 12 | } |
118 | | |
119 | 37 | if (dh->q != NULL) { |
120 | | // Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114 |
121 | | // groups which are not safe primes but pick a generator on a prime-order |
122 | | // subgroup of size |dh->q|. |
123 | 0 | if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) { |
124 | 0 | goto err; |
125 | 0 | } |
126 | 0 | if (!BN_is_one(tmp)) { |
127 | 0 | *out_flags |= DH_CHECK_PUBKEY_INVALID; |
128 | 0 | } |
129 | 0 | } |
130 | | |
131 | 37 | ok = 1; |
132 | | |
133 | 37 | err: |
134 | 37 | BN_CTX_end(ctx); |
135 | 37 | BN_CTX_free(ctx); |
136 | 37 | return ok; |
137 | 37 | } |
138 | | |
139 | | |
140 | 0 | int DH_check(const DH *dh, int *out_flags) { |
141 | 0 | *out_flags = 0; |
142 | 0 | if (!dh_check_params_fast(dh)) { |
143 | 0 | return 0; |
144 | 0 | } |
145 | | |
146 | | // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a |
147 | | // suitable generator where: |
148 | | // for 2, p mod 24 == 11 |
149 | | // for 3, p mod 12 == 5 |
150 | | // for 5, p mod 10 == 3 or 7 |
151 | | // should hold. |
152 | 0 | int ok = 0, r; |
153 | 0 | BN_CTX *ctx = NULL; |
154 | 0 | BN_ULONG l; |
155 | 0 | BIGNUM *t1 = NULL, *t2 = NULL; |
156 | |
|
157 | 0 | ctx = BN_CTX_new(); |
158 | 0 | if (ctx == NULL) { |
159 | 0 | goto err; |
160 | 0 | } |
161 | 0 | BN_CTX_start(ctx); |
162 | 0 | t1 = BN_CTX_get(ctx); |
163 | 0 | if (t1 == NULL) { |
164 | 0 | goto err; |
165 | 0 | } |
166 | 0 | t2 = BN_CTX_get(ctx); |
167 | 0 | if (t2 == NULL) { |
168 | 0 | goto err; |
169 | 0 | } |
170 | | |
171 | 0 | if (dh->q) { |
172 | 0 | if (BN_cmp(dh->g, BN_value_one()) <= 0) { |
173 | 0 | *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR; |
174 | 0 | } else if (BN_cmp(dh->g, dh->p) >= 0) { |
175 | 0 | *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR; |
176 | 0 | } else { |
177 | | // Check g^q == 1 mod p |
178 | 0 | if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) { |
179 | 0 | goto err; |
180 | 0 | } |
181 | 0 | if (!BN_is_one(t1)) { |
182 | 0 | *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR; |
183 | 0 | } |
184 | 0 | } |
185 | 0 | r = BN_is_prime_ex(dh->q, BN_prime_checks_for_validation, ctx, NULL); |
186 | 0 | if (r < 0) { |
187 | 0 | goto err; |
188 | 0 | } |
189 | 0 | if (!r) { |
190 | 0 | *out_flags |= DH_CHECK_Q_NOT_PRIME; |
191 | 0 | } |
192 | | // Check p == 1 mod q i.e. q divides p - 1 |
193 | 0 | if (!BN_div(t1, t2, dh->p, dh->q, ctx)) { |
194 | 0 | goto err; |
195 | 0 | } |
196 | 0 | if (!BN_is_one(t2)) { |
197 | 0 | *out_flags |= DH_CHECK_INVALID_Q_VALUE; |
198 | 0 | } |
199 | 0 | } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { |
200 | 0 | l = BN_mod_word(dh->p, 24); |
201 | 0 | if (l == (BN_ULONG)-1) { |
202 | 0 | goto err; |
203 | 0 | } |
204 | 0 | if (l != 11) { |
205 | 0 | *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR; |
206 | 0 | } |
207 | 0 | } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { |
208 | 0 | l = BN_mod_word(dh->p, 10); |
209 | 0 | if (l == (BN_ULONG)-1) { |
210 | 0 | goto err; |
211 | 0 | } |
212 | 0 | if (l != 3 && l != 7) { |
213 | 0 | *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR; |
214 | 0 | } |
215 | 0 | } else { |
216 | 0 | *out_flags |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR; |
217 | 0 | } |
218 | | |
219 | 0 | r = BN_is_prime_ex(dh->p, BN_prime_checks_for_validation, ctx, NULL); |
220 | 0 | if (r < 0) { |
221 | 0 | goto err; |
222 | 0 | } |
223 | 0 | if (!r) { |
224 | 0 | *out_flags |= DH_CHECK_P_NOT_PRIME; |
225 | 0 | } else if (!dh->q) { |
226 | 0 | if (!BN_rshift1(t1, dh->p)) { |
227 | 0 | goto err; |
228 | 0 | } |
229 | 0 | r = BN_is_prime_ex(t1, BN_prime_checks_for_validation, ctx, NULL); |
230 | 0 | if (r < 0) { |
231 | 0 | goto err; |
232 | 0 | } |
233 | 0 | if (!r) { |
234 | 0 | *out_flags |= DH_CHECK_P_NOT_SAFE_PRIME; |
235 | 0 | } |
236 | 0 | } |
237 | 0 | ok = 1; |
238 | |
|
239 | 0 | err: |
240 | 0 | if (ctx != NULL) { |
241 | 0 | BN_CTX_end(ctx); |
242 | 0 | BN_CTX_free(ctx); |
243 | 0 | } |
244 | 0 | return ok; |
245 | 0 | } |