/src/openssl/crypto/ffc/ffc_params_generate.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * For the prime check.. |
12 | | * FIPS 186-4 Section C.3 Table C.1 |
13 | | * Returns the minimum number of Miller Rabin iterations for a L,N pair |
14 | | * (where L = len(p), N = len(q)) |
15 | | * L N Min |
16 | | * 1024 160 40 |
17 | | * 2048 224 56 |
18 | | * 2048 256 56 |
19 | | * 3072 256 64 |
20 | | * |
21 | | * BN_check_prime() uses: |
22 | | * 64 iterations for L <= 2048 OR |
23 | | * 128 iterations for L > 2048 |
24 | | * So this satisfies the requirement. |
25 | | */ |
26 | | |
27 | | #include <string.h> /* memset */ |
28 | | #include <openssl/sha.h> /* SHA_DIGEST_LENGTH */ |
29 | | #include <openssl/rand.h> |
30 | | #include <openssl/err.h> |
31 | | #include <openssl/dherr.h> |
32 | | #include <openssl/dsaerr.h> |
33 | | #include "crypto/bn.h" |
34 | | #include "internal/ffc.h" |
35 | | |
36 | | /* |
37 | | * Verify that the passed in L, N pair for DH or DSA is valid. |
38 | | * Returns 0 if invalid, otherwise it returns the security strength. |
39 | | */ |
40 | | |
41 | | #ifdef FIPS_MODULE |
42 | | static int ffc_validate_LN(size_t L, size_t N, int type, int verify) |
43 | | { |
44 | | if (type == FFC_PARAM_TYPE_DH) { |
45 | | /* Valid DH L,N parameters from SP800-56Ar3 5.5.1 Table 1 */ |
46 | | if (L == 2048 && (N == 224 || N == 256)) |
47 | | return 112; |
48 | | #ifndef OPENSSL_NO_DH |
49 | | ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, |
50 | | "(L, N)=(%zu, %zu) should be (2048, 224) or (2048, 256)", L, N); |
51 | | #endif |
52 | | } else if (type == FFC_PARAM_TYPE_DSA) { |
53 | | /* Valid DSA L,N parameters from FIPS 186-4 Section 4.2 */ |
54 | | /* In fips mode 1024/160 can only be used for verification */ |
55 | | if (verify && L == 1024 && N == 160) |
56 | | return 80; |
57 | | if (L == 2048 && (N == 224 || N == 256)) |
58 | | return 112; |
59 | | if (L == 3072 && N == 256) |
60 | | return 128; |
61 | | #ifndef OPENSSL_NO_DSA |
62 | | ERR_raise_data(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS, |
63 | | "(L, N)=(%zu, %zu) should be (1024, 160) (for verification only), " |
64 | | "(2048, 224), (2048, 256), or (3072, 256)", |
65 | | L, N); |
66 | | #endif |
67 | | } |
68 | | return 0; |
69 | | } |
70 | | #else |
71 | | static int ffc_validate_LN(size_t L, size_t N, int type, int verify) |
72 | 0 | { |
73 | 0 | if (type == FFC_PARAM_TYPE_DH) { |
74 | | /* Allow legacy 1024/160 in non fips mode */ |
75 | 0 | if (L == 1024 && N == 160) |
76 | 0 | return 80; |
77 | | /* Valid DH L,N parameters from SP800-56Ar3 5.5.1 Table 1 */ |
78 | 0 | if (L == 2048 && (N == 224 || N == 256)) |
79 | 0 | return 112; |
80 | 0 | #ifndef OPENSSL_NO_DH |
81 | 0 | ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, |
82 | 0 | "(L, N)=(%zu, %zu) should be (1024, 160), (2048, 224), or " |
83 | 0 | "(2048, 256)", |
84 | 0 | L, N); |
85 | 0 | #endif |
86 | 0 | } else if (type == FFC_PARAM_TYPE_DSA) { |
87 | 0 | if (L >= 3072 && N >= 256) |
88 | 0 | return 128; |
89 | 0 | if (L >= 2048 && N >= 224) |
90 | 0 | return 112; |
91 | 0 | if (L >= 1024 && N >= 160) |
92 | 0 | return 80; |
93 | 0 | #ifndef OPENSSL_NO_DSA |
94 | 0 | ERR_raise_data(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS, |
95 | 0 | "(L, N)=(%zu, %zu) should be at least (1024, 160)", L, N); |
96 | 0 | #endif |
97 | 0 | } |
98 | 0 | return 0; |
99 | 0 | } |
100 | | #endif /* FIPS_MODULE */ |
101 | | |
102 | | /* FIPS186-4 A.2.1 Unverifiable Generation of Generator g */ |
103 | | static int generate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont, BIGNUM *g, |
104 | | BIGNUM *hbn, const BIGNUM *p, |
105 | | const BIGNUM *e, const BIGNUM *pm1, |
106 | | int *hret) |
107 | 0 | { |
108 | 0 | int h = 2; |
109 | | |
110 | | /* Step (2): choose h (where 1 < h)*/ |
111 | 0 | if (!BN_set_word(hbn, h)) |
112 | 0 | return 0; |
113 | | |
114 | 0 | for (;;) { |
115 | | /* Step (3): g = h^e % p */ |
116 | 0 | if (!BN_mod_exp_mont(g, hbn, e, p, ctx, mont)) |
117 | 0 | return 0; |
118 | | /* Step (4): Finish if g > 1 */ |
119 | 0 | if (BN_cmp(g, BN_value_one()) > 0) |
120 | 0 | break; |
121 | | |
122 | | /* Step (2) Choose any h in the range 1 < h < (p-1) */ |
123 | 0 | if (!BN_add_word(hbn, 1) || BN_cmp(hbn, pm1) >= 0) |
124 | 0 | return 0; |
125 | 0 | ++h; |
126 | 0 | } |
127 | 0 | *hret = h; |
128 | 0 | return 1; |
129 | 0 | } |
130 | | |
131 | | /* |
132 | | * FIPS186-4 A.2 Generation of canonical generator g. |
133 | | * |
134 | | * It requires the following values as input: |
135 | | * 'evpmd' digest, 'p' prime, 'e' cofactor, gindex and seed. |
136 | | * tmp is a passed in temporary BIGNUM. |
137 | | * mont is used in a BN_mod_exp_mont() with a modulus of p. |
138 | | * Returns a value in g. |
139 | | */ |
140 | | static int generate_canonical_g(BN_CTX *ctx, BN_MONT_CTX *mont, |
141 | | const EVP_MD *evpmd, BIGNUM *g, BIGNUM *tmp, |
142 | | const BIGNUM *p, const BIGNUM *e, |
143 | | int gindex, unsigned char *seed, size_t seedlen) |
144 | 0 | { |
145 | 0 | int ret = 0; |
146 | 0 | int counter = 1; |
147 | 0 | unsigned char md[EVP_MAX_MD_SIZE]; |
148 | 0 | EVP_MD_CTX *mctx = NULL; |
149 | 0 | int mdsize; |
150 | |
|
151 | 0 | mdsize = EVP_MD_get_size(evpmd); |
152 | 0 | if (mdsize <= 0) |
153 | 0 | return 0; |
154 | | |
155 | 0 | mctx = EVP_MD_CTX_new(); |
156 | 0 | if (mctx == NULL) |
157 | 0 | return 0; |
158 | | |
159 | | /* |
160 | | * A.2.3 Step (4) & (5) |
161 | | * A.2.4 Step (6) & (7) |
162 | | * counter = 0; counter += 1 |
163 | | */ |
164 | 0 | for (counter = 1; counter <= 0xFFFF; ++counter) { |
165 | | /* |
166 | | * A.2.3 Step (7) & (8) & (9) |
167 | | * A.2.4 Step (9) & (10) & (11) |
168 | | * W = Hash(seed || "ggen" || index || counter) |
169 | | * g = W^e % p |
170 | | */ |
171 | 0 | static const unsigned char ggen[4] = { 0x67, 0x67, 0x65, 0x6e }; |
172 | |
|
173 | 0 | md[0] = (unsigned char)(gindex & 0xff); |
174 | 0 | md[1] = (unsigned char)((counter >> 8) & 0xff); |
175 | 0 | md[2] = (unsigned char)(counter & 0xff); |
176 | 0 | if (!EVP_DigestInit_ex(mctx, evpmd, NULL) |
177 | 0 | || !EVP_DigestUpdate(mctx, seed, seedlen) |
178 | 0 | || !EVP_DigestUpdate(mctx, ggen, sizeof(ggen)) |
179 | 0 | || !EVP_DigestUpdate(mctx, md, 3) |
180 | 0 | || !EVP_DigestFinal_ex(mctx, md, NULL) |
181 | 0 | || (BN_bin2bn(md, mdsize, tmp) == NULL) |
182 | 0 | || !BN_mod_exp_mont(g, tmp, e, p, ctx, mont)) |
183 | 0 | break; /* exit on failure */ |
184 | | /* |
185 | | * A.2.3 Step (10) |
186 | | * A.2.4 Step (12) |
187 | | * Found a value for g if (g >= 2) |
188 | | */ |
189 | 0 | if (BN_cmp(g, BN_value_one()) > 0) { |
190 | 0 | ret = 1; |
191 | 0 | break; /* found g */ |
192 | 0 | } |
193 | 0 | } |
194 | 0 | EVP_MD_CTX_free(mctx); |
195 | 0 | return ret; |
196 | 0 | } |
197 | | |
198 | | /* Generation of p is the same for FIPS 186-4 & FIPS 186-2 */ |
199 | | static int generate_p(BN_CTX *ctx, const EVP_MD *evpmd, int max_counter, int n, |
200 | | unsigned char *buf, size_t buf_len, const BIGNUM *q, |
201 | | BIGNUM *p, int L, BN_GENCB *cb, int *counter, |
202 | | int *res) |
203 | 0 | { |
204 | 0 | int ret = -1; |
205 | 0 | int i, j, k, r; |
206 | 0 | unsigned char md[EVP_MAX_MD_SIZE]; |
207 | 0 | int mdsize; |
208 | 0 | BIGNUM *W, *X, *tmp, *c, *test; |
209 | |
|
210 | 0 | BN_CTX_start(ctx); |
211 | 0 | W = BN_CTX_get(ctx); |
212 | 0 | X = BN_CTX_get(ctx); |
213 | 0 | c = BN_CTX_get(ctx); |
214 | 0 | test = BN_CTX_get(ctx); |
215 | 0 | tmp = BN_CTX_get(ctx); |
216 | 0 | if (tmp == NULL) |
217 | 0 | goto err; |
218 | | |
219 | 0 | if (!BN_lshift(test, BN_value_one(), L - 1)) |
220 | 0 | goto err; |
221 | | |
222 | 0 | mdsize = EVP_MD_get_size(evpmd); |
223 | 0 | if (mdsize <= 0) |
224 | 0 | goto err; |
225 | | |
226 | | /* A.1.1.2 Step (10) AND |
227 | | * A.1.1.2 Step (12) |
228 | | * offset = 1 (this is handled below) |
229 | | */ |
230 | | /* |
231 | | * A.1.1.2 Step (11) AND |
232 | | * A.1.1.3 Step (13) |
233 | | */ |
234 | 0 | for (i = 0; i <= max_counter; i++) { |
235 | 0 | if ((i != 0) && !BN_GENCB_call(cb, 0, i)) |
236 | 0 | goto err; |
237 | | |
238 | 0 | BN_zero(W); |
239 | | /* seed_tmp buffer contains "seed + offset - 1" */ |
240 | 0 | for (j = 0; j <= n; j++) { |
241 | | /* obtain "seed + offset + j" by incrementing by 1: */ |
242 | 0 | for (k = (int)buf_len - 1; k >= 0; k--) { |
243 | 0 | buf[k]++; |
244 | 0 | if (buf[k] != 0) |
245 | 0 | break; |
246 | 0 | } |
247 | | /* |
248 | | * A.1.1.2 Step (11.1) AND |
249 | | * A.1.1.3 Step (13.1) |
250 | | * tmp = V(j) = Hash((seed + offset + j) % 2^seedlen) |
251 | | */ |
252 | 0 | if (!EVP_Digest(buf, buf_len, md, NULL, evpmd, NULL) |
253 | 0 | || (BN_bin2bn(md, mdsize, tmp) == NULL) |
254 | | /* |
255 | | * A.1.1.2 Step (11.2) |
256 | | * A.1.1.3 Step (13.2) |
257 | | * W += V(j) * 2^(outlen * j) |
258 | | */ |
259 | 0 | || !BN_lshift(tmp, tmp, (mdsize << 3) * j) |
260 | 0 | || !BN_add(W, W, tmp)) |
261 | 0 | goto err; |
262 | 0 | } |
263 | | |
264 | | /* |
265 | | * A.1.1.2 Step (11.3) AND |
266 | | * A.1.1.3 Step (13.3) |
267 | | * X = W + 2^(L-1) where W < 2^(L-1) |
268 | | */ |
269 | 0 | if (!BN_mask_bits(W, L - 1) |
270 | 0 | || BN_copy(X, W) == NULL |
271 | 0 | || !BN_add(X, X, test) |
272 | | /* |
273 | | * A.1.1.2 Step (11.4) AND |
274 | | * A.1.1.3 Step (13.4) |
275 | | * c = X mod 2q |
276 | | */ |
277 | 0 | || !BN_lshift1(tmp, q) |
278 | 0 | || !BN_mod(c, X, tmp, ctx) |
279 | | /* |
280 | | * A.1.1.2 Step (11.5) AND |
281 | | * A.1.1.3 Step (13.5) |
282 | | * p = X - (c - 1) |
283 | | */ |
284 | 0 | || !BN_sub(tmp, c, BN_value_one()) |
285 | 0 | || !BN_sub(p, X, tmp)) |
286 | 0 | goto err; |
287 | | |
288 | | /* |
289 | | * A.1.1.2 Step (11.6) AND |
290 | | * A.1.1.3 Step (13.6) |
291 | | * if (p < 2 ^ (L-1)) continue |
292 | | * This makes sure the top bit is set. |
293 | | */ |
294 | 0 | if (BN_cmp(p, test) >= 0) { |
295 | | /* |
296 | | * A.1.1.2 Step (11.7) AND |
297 | | * A.1.1.3 Step (13.7) |
298 | | * Test if p is prime |
299 | | * (This also makes sure the bottom bit is set) |
300 | | */ |
301 | 0 | r = BN_check_prime(p, ctx, cb); |
302 | | /* A.1.1.2 Step (11.8) : Return if p is prime */ |
303 | 0 | if (r > 0) { |
304 | 0 | *counter = i; |
305 | 0 | ret = 1; /* return success */ |
306 | 0 | goto err; |
307 | 0 | } |
308 | 0 | if (r != 0) |
309 | 0 | goto err; |
310 | 0 | } |
311 | | /* Step (11.9) : offset = offset + n + 1 is done auto-magically */ |
312 | 0 | } |
313 | | /* No prime P found */ |
314 | 0 | ret = 0; |
315 | 0 | *res |= FFC_CHECK_P_NOT_PRIME; |
316 | 0 | err: |
317 | 0 | BN_CTX_end(ctx); |
318 | 0 | return ret; |
319 | 0 | } |
320 | | |
321 | | static int generate_q_fips186_4(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd, |
322 | | int qsize, unsigned char *seed, size_t seedlen, |
323 | | int generate_seed, int *retm, int *res, |
324 | | BN_GENCB *cb) |
325 | 0 | { |
326 | 0 | int ret = 0, r; |
327 | 0 | int m = *retm; |
328 | 0 | unsigned char md[EVP_MAX_MD_SIZE]; |
329 | 0 | int mdsize = EVP_MD_get_size(evpmd); |
330 | 0 | unsigned char *pmd; |
331 | 0 | OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); |
332 | |
|
333 | 0 | if (mdsize <= 0) |
334 | 0 | goto err; |
335 | | |
336 | | /* find q */ |
337 | 0 | for (;;) { |
338 | 0 | if (!BN_GENCB_call(cb, 0, m++)) |
339 | 0 | goto err; |
340 | | |
341 | | /* A.1.1.2 Step (5) : generate seed with size seed_len */ |
342 | 0 | if (generate_seed |
343 | 0 | && RAND_bytes_ex(libctx, seed, seedlen, 0) <= 0) |
344 | 0 | goto err; |
345 | | /* |
346 | | * A.1.1.2 Step (6) AND |
347 | | * A.1.1.3 Step (7) |
348 | | * U = Hash(seed) % (2^(N-1)) |
349 | | */ |
350 | 0 | if (!EVP_Digest(seed, seedlen, md, NULL, evpmd, NULL)) |
351 | 0 | goto err; |
352 | | /* Take least significant bits of md */ |
353 | 0 | if (mdsize > qsize) |
354 | 0 | pmd = md + mdsize - qsize; |
355 | 0 | else |
356 | 0 | pmd = md; |
357 | 0 | if (mdsize < qsize) |
358 | 0 | memset(md + mdsize, 0, qsize - mdsize); |
359 | | |
360 | | /* |
361 | | * A.1.1.2 Step (7) AND |
362 | | * A.1.1.3 Step (8) |
363 | | * q = U + 2^(N-1) + (1 - U %2) (This sets top and bottom bits) |
364 | | */ |
365 | 0 | pmd[0] |= 0x80; |
366 | 0 | pmd[qsize - 1] |= 0x01; |
367 | 0 | if (!BN_bin2bn(pmd, qsize, q)) |
368 | 0 | goto err; |
369 | | |
370 | | /* |
371 | | * A.1.1.2 Step (8) AND |
372 | | * A.1.1.3 Step (9) |
373 | | * Test if q is prime |
374 | | */ |
375 | 0 | r = BN_check_prime(q, ctx, cb); |
376 | 0 | if (r > 0) { |
377 | 0 | ret = 1; |
378 | 0 | goto err; |
379 | 0 | } |
380 | | /* |
381 | | * A.1.1.3 Step (9) : If the provided seed didn't produce a prime q |
382 | | * return an error. |
383 | | */ |
384 | 0 | if (!generate_seed) { |
385 | 0 | *res |= FFC_CHECK_Q_NOT_PRIME; |
386 | 0 | goto err; |
387 | 0 | } |
388 | 0 | if (r != 0) |
389 | 0 | goto err; |
390 | | /* A.1.1.2 Step (9) : if q is not prime, try another q */ |
391 | 0 | } |
392 | 0 | err: |
393 | 0 | *retm = m; |
394 | 0 | return ret; |
395 | 0 | } |
396 | | |
397 | | static int generate_q_fips186_2(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd, |
398 | | unsigned char *buf, unsigned char *seed, |
399 | | size_t qsize, int generate_seed, int *retm, |
400 | | int *res, BN_GENCB *cb) |
401 | 0 | { |
402 | 0 | unsigned char buf2[EVP_MAX_MD_SIZE]; |
403 | 0 | unsigned char md[EVP_MAX_MD_SIZE]; |
404 | 0 | int i, r, ret = 0, m = *retm; |
405 | 0 | OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); |
406 | | |
407 | | /* find q */ |
408 | 0 | for (;;) { |
409 | | /* step 1 */ |
410 | 0 | if (!BN_GENCB_call(cb, 0, m++)) |
411 | 0 | goto err; |
412 | | |
413 | 0 | if (generate_seed && RAND_bytes_ex(libctx, seed, qsize, 0) <= 0) |
414 | 0 | goto err; |
415 | | |
416 | 0 | memcpy(buf, seed, qsize); |
417 | 0 | memcpy(buf2, seed, qsize); |
418 | | |
419 | | /* precompute "SEED + 1" for step 7: */ |
420 | 0 | for (i = (int)qsize - 1; i >= 0; i--) { |
421 | 0 | buf[i]++; |
422 | 0 | if (buf[i] != 0) |
423 | 0 | break; |
424 | 0 | } |
425 | | |
426 | | /* step 2 */ |
427 | 0 | if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) |
428 | 0 | goto err; |
429 | 0 | if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) |
430 | 0 | goto err; |
431 | 0 | for (i = 0; i < (int)qsize; i++) |
432 | 0 | md[i] ^= buf2[i]; |
433 | | |
434 | | /* step 3 */ |
435 | 0 | md[0] |= 0x80; |
436 | 0 | md[qsize - 1] |= 0x01; |
437 | 0 | if (!BN_bin2bn(md, (int)qsize, q)) |
438 | 0 | goto err; |
439 | | |
440 | | /* step 4 */ |
441 | 0 | r = BN_check_prime(q, ctx, cb); |
442 | 0 | if (r > 0) { |
443 | | /* Found a prime */ |
444 | 0 | ret = 1; |
445 | 0 | goto err; |
446 | 0 | } |
447 | 0 | if (r != 0) |
448 | 0 | goto err; /* Exit if error */ |
449 | | /* Try another iteration if it wasn't prime - was in old code.. */ |
450 | 0 | generate_seed = 1; |
451 | 0 | } |
452 | 0 | err: |
453 | 0 | *retm = m; |
454 | 0 | return ret; |
455 | 0 | } |
456 | | |
457 | | static const char *default_mdname(size_t N) |
458 | 0 | { |
459 | 0 | if (N == 160) |
460 | 0 | return "SHA1"; |
461 | 0 | else if (N == 224) |
462 | 0 | return "SHA-224"; |
463 | 0 | else if (N == 256) |
464 | 0 | return "SHA-256"; |
465 | 0 | return NULL; |
466 | 0 | } |
467 | | |
468 | | /* |
469 | | * FIPS 186-4 FFC parameter generation (as defined in Appendix A). |
470 | | * The same code is used for validation (when validate_flags != 0) |
471 | | * |
472 | | * The primes p & q are generated/validated using: |
473 | | * A.1.1.2 Generation of probable primes p & q using approved hash. |
474 | | * A.1.1.3 Validation of generated probable primes |
475 | | * |
476 | | * Generator 'g' has 2 types in FIPS 186-4: |
477 | | * (1) A.2.1 unverifiable generation of generator g. |
478 | | * A.2.2 Assurance of the validity of unverifiable generator g. |
479 | | * (2) A.2.3 Verifiable Canonical Generation of the generator g. |
480 | | * A.2.4 Validation for Canonical Generation of the generator g. |
481 | | * |
482 | | * Notes: |
483 | | * (1) is only a partial validation of g, The validation of (2) requires |
484 | | * the seed and index used during generation as input. |
485 | | * |
486 | | * params: used to pass in values for generation and validation. |
487 | | * params->md: is the digest to use, If this value is NULL, then the digest is |
488 | | * chosen using the value of N. |
489 | | * params->flags: |
490 | | * For validation one of: |
491 | | * -FFC_PARAM_FLAG_VALIDATE_PQ |
492 | | * -FFC_PARAM_FLAG_VALIDATE_G |
493 | | * -FFC_PARAM_FLAG_VALIDATE_PQG |
494 | | * For generation of p & q: |
495 | | * - This is skipped if p & q are passed in. |
496 | | * - If the seed is passed in then generation of p & q uses this seed (and if |
497 | | * this fails an error will occur). |
498 | | * - Otherwise the seed is generated, and values of p & q are generated and |
499 | | * the value of seed and counter are optionally returned. |
500 | | * For the generation of g (after the generation of p, q): |
501 | | * - If the seed has been generated or passed in and a valid gindex is passed |
502 | | * in then canonical generation of g is used otherwise unverifiable |
503 | | * generation of g is chosen. |
504 | | * For validation of p & q: |
505 | | * - p, q, and the seed and counter used for generation must be passed in. |
506 | | * For validation of g: |
507 | | * - For a partial validation : p, q and g are required. |
508 | | * - For a canonical validation : the gindex and seed used for generation are |
509 | | * also required. |
510 | | * mode: The mode - either FFC_PARAM_MODE_GENERATE or FFC_PARAM_MODE_VERIFY. |
511 | | * type: The key type - FFC_PARAM_TYPE_DSA or FFC_PARAM_TYPE_DH. |
512 | | * L: is the size of the prime p in bits (e.g 2048) |
513 | | * N: is the size of the prime q in bits (e.g 256) |
514 | | * res: A returned failure reason (One of FFC_CHECK_XXXX), |
515 | | * or 0 for general failures. |
516 | | * cb: A callback (can be NULL) that is called during different phases |
517 | | * |
518 | | * Returns: |
519 | | * - FFC_PARAM_RET_STATUS_FAILED: if there was an error, or validation failed. |
520 | | * - FFC_PARAM_RET_STATUS_SUCCESS if the generation or validation succeeded. |
521 | | * - FFC_PARAM_RET_STATUS_UNVERIFIABLE_G if the validation of G succeeded, |
522 | | * but G is unverifiable. |
523 | | */ |
524 | | int ossl_ffc_params_FIPS186_4_gen_verify(OSSL_LIB_CTX *libctx, |
525 | | FFC_PARAMS *params, int mode, int type, |
526 | | size_t L, size_t N, int *res, |
527 | | BN_GENCB *cb) |
528 | 0 | { |
529 | 0 | int ok = FFC_PARAM_RET_STATUS_FAILED; |
530 | 0 | unsigned char *seed = NULL, *seed_tmp = NULL; |
531 | 0 | int mdsize, counter = 0, pcounter = 0, r = 0; |
532 | 0 | size_t seedlen = 0; |
533 | 0 | BIGNUM *tmp, *pm1, *e, *test; |
534 | 0 | BIGNUM *g = NULL, *q = NULL, *p = NULL; |
535 | 0 | BN_MONT_CTX *mont = NULL; |
536 | 0 | int n = 0, m = 0, qsize; |
537 | 0 | int canonical_g = 0, hret = 0; |
538 | 0 | BN_CTX *ctx = NULL; |
539 | 0 | EVP_MD_CTX *mctx = NULL; |
540 | 0 | EVP_MD *md = NULL; |
541 | 0 | int verify = (mode == FFC_PARAM_MODE_VERIFY); |
542 | 0 | unsigned int flags = verify ? params->flags : 0; |
543 | 0 | const char *def_name; |
544 | |
|
545 | 0 | *res = 0; |
546 | |
|
547 | 0 | if (params->mdname != NULL) { |
548 | 0 | md = EVP_MD_fetch(libctx, params->mdname, params->mdprops); |
549 | 0 | } else { |
550 | 0 | if (N == 0) |
551 | 0 | N = (L >= 2048 ? SHA256_DIGEST_LENGTH : SHA_DIGEST_LENGTH) * 8; |
552 | 0 | def_name = default_mdname(N); |
553 | 0 | if (def_name == NULL) { |
554 | 0 | *res = FFC_CHECK_INVALID_Q_VALUE; |
555 | 0 | goto err; |
556 | 0 | } |
557 | 0 | md = EVP_MD_fetch(libctx, def_name, params->mdprops); |
558 | 0 | } |
559 | 0 | if (md == NULL) |
560 | 0 | goto err; |
561 | 0 | mdsize = EVP_MD_get_size(md); |
562 | 0 | if (mdsize <= 0) |
563 | 0 | goto err; |
564 | | |
565 | 0 | if (N == 0) |
566 | 0 | N = mdsize * 8; |
567 | 0 | qsize = (int)(N >> 3); |
568 | | |
569 | | /* |
570 | | * A.1.1.2 Step (1) AND |
571 | | * A.1.1.3 Step (3) |
572 | | * Check that the L,N pair is an acceptable pair. |
573 | | */ |
574 | 0 | if (L <= N || !ffc_validate_LN(L, N, type, verify)) { |
575 | 0 | *res = FFC_CHECK_BAD_LN_PAIR; |
576 | 0 | goto err; |
577 | 0 | } |
578 | | |
579 | 0 | mctx = EVP_MD_CTX_new(); |
580 | 0 | if (mctx == NULL) |
581 | 0 | goto err; |
582 | | |
583 | 0 | if ((ctx = BN_CTX_new_ex(libctx)) == NULL) |
584 | 0 | goto err; |
585 | | |
586 | 0 | BN_CTX_start(ctx); |
587 | 0 | g = BN_CTX_get(ctx); |
588 | 0 | pm1 = BN_CTX_get(ctx); |
589 | 0 | e = BN_CTX_get(ctx); |
590 | 0 | test = BN_CTX_get(ctx); |
591 | 0 | tmp = BN_CTX_get(ctx); |
592 | 0 | if (tmp == NULL) |
593 | 0 | goto err; |
594 | | |
595 | 0 | seedlen = params->seedlen; |
596 | 0 | if (seedlen == 0) |
597 | 0 | seedlen = (size_t)mdsize; |
598 | | /* If the seed was passed in - use this value as the seed */ |
599 | 0 | if (params->seed != NULL) |
600 | 0 | seed = params->seed; |
601 | |
|
602 | 0 | if (!verify) { |
603 | | /* For generation: p & q must both be NULL or NON-NULL */ |
604 | 0 | if ((params->p == NULL) != (params->q == NULL)) { |
605 | 0 | *res = FFC_CHECK_INVALID_PQ; |
606 | 0 | goto err; |
607 | 0 | } |
608 | 0 | } else { |
609 | | /* Validation of p,q requires seed and counter to be valid */ |
610 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_PQ) != 0) { |
611 | 0 | if (seed == NULL || params->pcounter < 0) { |
612 | 0 | *res = FFC_CHECK_MISSING_SEED_OR_COUNTER; |
613 | 0 | goto err; |
614 | 0 | } |
615 | 0 | } |
616 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_G) != 0) { |
617 | | /* validation of g also requires g to be set */ |
618 | 0 | if (params->g == NULL) { |
619 | 0 | *res = FFC_CHECK_INVALID_G; |
620 | 0 | goto err; |
621 | 0 | } |
622 | 0 | } |
623 | 0 | } |
624 | | |
625 | | /* |
626 | | * If p & q are passed in and |
627 | | * validate_flags = 0 then skip the generation of PQ. |
628 | | * validate_flags = VALIDATE_G then also skip the validation of PQ. |
629 | | */ |
630 | 0 | if (params->p != NULL && ((flags & FFC_PARAM_FLAG_VALIDATE_PQ) == 0)) { |
631 | | /* p and q already exists so only generate g */ |
632 | 0 | p = params->p; |
633 | 0 | q = params->q; |
634 | 0 | goto g_only; |
635 | | /* otherwise fall through to validate p & q */ |
636 | 0 | } |
637 | | |
638 | | /* p & q will be used for generation and validation */ |
639 | 0 | p = BN_CTX_get(ctx); |
640 | 0 | q = BN_CTX_get(ctx); |
641 | 0 | if (q == NULL) |
642 | 0 | goto err; |
643 | | |
644 | | /* |
645 | | * A.1.1.2 Step (2) AND |
646 | | * A.1.1.3 Step (6) |
647 | | * Return invalid if seedlen < N |
648 | | */ |
649 | 0 | if ((seedlen * 8) < N) { |
650 | 0 | *res = FFC_CHECK_INVALID_SEED_SIZE; |
651 | 0 | goto err; |
652 | 0 | } |
653 | | |
654 | 0 | seed_tmp = OPENSSL_malloc(seedlen); |
655 | 0 | if (seed_tmp == NULL) |
656 | 0 | goto err; |
657 | | |
658 | 0 | if (seed == NULL) { |
659 | | /* Validation requires the seed to be supplied */ |
660 | 0 | if (verify) { |
661 | 0 | *res = FFC_CHECK_MISSING_SEED_OR_COUNTER; |
662 | 0 | goto err; |
663 | 0 | } |
664 | | /* if the seed is not supplied then alloc a seed buffer */ |
665 | 0 | seed = OPENSSL_malloc(seedlen); |
666 | 0 | if (seed == NULL) |
667 | 0 | goto err; |
668 | 0 | } |
669 | | |
670 | | /* A.1.1.2 Step (11): max loop count = 4L - 1 */ |
671 | 0 | counter = (int)(4 * L - 1); |
672 | | /* Validation requires the counter to be supplied */ |
673 | 0 | if (verify) { |
674 | | /* A.1.1.3 Step (4) : if (counter > (4L -1)) return INVALID */ |
675 | 0 | if (params->pcounter > counter) { |
676 | 0 | *res = FFC_CHECK_INVALID_COUNTER; |
677 | 0 | goto err; |
678 | 0 | } |
679 | 0 | counter = params->pcounter; |
680 | 0 | } |
681 | | |
682 | | /* |
683 | | * A.1.1.2 Step (3) AND |
684 | | * A.1.1.3 Step (10) |
685 | | * n = floor(L / hash_outlen) - 1 |
686 | | */ |
687 | 0 | n = (int)((L - 1) / (mdsize << 3)); |
688 | | |
689 | | /* Calculate 2^(L-1): Used in step A.1.1.2 Step (11.3) */ |
690 | 0 | if (!BN_lshift(test, BN_value_one(), (int)(L - 1))) |
691 | 0 | goto err; |
692 | | |
693 | 0 | for (;;) { |
694 | 0 | if (!generate_q_fips186_4(ctx, q, md, qsize, seed, seedlen, |
695 | 0 | seed != params->seed, &m, res, cb)) |
696 | 0 | goto err; |
697 | | /* A.1.1.3 Step (9): Verify that q matches the expected value */ |
698 | 0 | if (verify && (BN_cmp(q, params->q) != 0)) { |
699 | 0 | *res = FFC_CHECK_Q_MISMATCH; |
700 | 0 | goto err; |
701 | 0 | } |
702 | 0 | if (!BN_GENCB_call(cb, 2, 0)) |
703 | 0 | goto err; |
704 | 0 | if (!BN_GENCB_call(cb, 3, 0)) |
705 | 0 | goto err; |
706 | | |
707 | 0 | memcpy(seed_tmp, seed, seedlen); |
708 | 0 | r = generate_p(ctx, md, counter, n, seed_tmp, seedlen, q, p, (int)L, |
709 | 0 | cb, &pcounter, res); |
710 | 0 | if (r > 0) |
711 | 0 | break; /* found p */ |
712 | 0 | if (r < 0) |
713 | 0 | goto err; |
714 | | /* |
715 | | * A.1.1.3 Step (14): |
716 | | * If we get here we failed to get a p for the given seed. If the |
717 | | * seed is not random then it needs to fail (as it will always fail). |
718 | | */ |
719 | 0 | if (seed == params->seed) { |
720 | 0 | *res = FFC_CHECK_P_NOT_PRIME; |
721 | 0 | goto err; |
722 | 0 | } |
723 | 0 | } |
724 | 0 | if (!BN_GENCB_call(cb, 2, 1)) |
725 | 0 | goto err; |
726 | | /* |
727 | | * Gets here if we found p. |
728 | | * A.1.1.3 Step (14): return error if i != counter OR computed_p != known_p. |
729 | | */ |
730 | 0 | if (verify && (pcounter != counter || (BN_cmp(p, params->p) != 0))) |
731 | 0 | goto err; |
732 | | |
733 | | /* If validating p & q only then skip the g validation test */ |
734 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ) |
735 | 0 | goto pass; |
736 | 0 | g_only: |
737 | 0 | if ((mont = BN_MONT_CTX_new()) == NULL) |
738 | 0 | goto err; |
739 | 0 | if (!BN_MONT_CTX_set(mont, p, ctx)) |
740 | 0 | goto err; |
741 | | |
742 | 0 | if (((flags & FFC_PARAM_FLAG_VALIDATE_G) != 0) |
743 | 0 | && !ossl_ffc_params_validate_unverifiable_g(ctx, mont, p, q, params->g, |
744 | 0 | tmp, res)) |
745 | 0 | goto err; |
746 | | |
747 | | /* |
748 | | * A.2.1 Step (1) AND |
749 | | * A.2.3 Step (3) AND |
750 | | * A.2.4 Step (5) |
751 | | * e = (p - 1) / q (i.e- Cofactor 'e' is given by p = q * e + 1) |
752 | | */ |
753 | 0 | if (!(BN_sub(pm1, p, BN_value_one()) && BN_div(e, NULL, pm1, q, ctx))) |
754 | 0 | goto err; |
755 | | |
756 | | /* Canonical g requires a seed and index to be set */ |
757 | 0 | if ((seed != NULL) && (params->gindex != FFC_UNVERIFIABLE_GINDEX)) { |
758 | 0 | canonical_g = 1; |
759 | 0 | if (!generate_canonical_g(ctx, mont, md, g, tmp, p, e, |
760 | 0 | params->gindex, seed, seedlen)) { |
761 | 0 | *res = FFC_CHECK_INVALID_G; |
762 | 0 | goto err; |
763 | 0 | } |
764 | | /* A.2.4 Step (13): Return valid if computed_g == g */ |
765 | 0 | if (verify && BN_cmp(g, params->g) != 0) { |
766 | 0 | *res = FFC_CHECK_G_MISMATCH; |
767 | 0 | goto err; |
768 | 0 | } |
769 | 0 | } else if (!verify) { |
770 | 0 | if (!generate_unverifiable_g(ctx, mont, g, tmp, p, e, pm1, &hret)) |
771 | 0 | goto err; |
772 | 0 | } |
773 | | |
774 | 0 | if (!BN_GENCB_call(cb, 3, 1)) |
775 | 0 | goto err; |
776 | | |
777 | 0 | if (!verify) { |
778 | 0 | if (p != params->p) { |
779 | 0 | BN_free(params->p); |
780 | 0 | params->p = BN_dup(p); |
781 | 0 | } |
782 | 0 | if (q != params->q) { |
783 | 0 | BN_free(params->q); |
784 | 0 | params->q = BN_dup(q); |
785 | 0 | } |
786 | 0 | if (g != params->g) { |
787 | 0 | BN_free(params->g); |
788 | 0 | params->g = BN_dup(g); |
789 | 0 | } |
790 | 0 | if (params->p == NULL || params->q == NULL || params->g == NULL) |
791 | 0 | goto err; |
792 | 0 | if (!ossl_ffc_params_set_validate_params(params, seed, seedlen, |
793 | 0 | pcounter)) |
794 | 0 | goto err; |
795 | 0 | params->h = hret; |
796 | 0 | } |
797 | 0 | pass: |
798 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_G) != 0 && (canonical_g == 0)) |
799 | | /* Return for the case where g is partially valid */ |
800 | 0 | ok = FFC_PARAM_RET_STATUS_UNVERIFIABLE_G; |
801 | 0 | else |
802 | 0 | ok = FFC_PARAM_RET_STATUS_SUCCESS; |
803 | 0 | err: |
804 | 0 | if (seed != params->seed) |
805 | 0 | OPENSSL_free(seed); |
806 | 0 | OPENSSL_free(seed_tmp); |
807 | 0 | if (ctx != NULL) |
808 | 0 | BN_CTX_end(ctx); |
809 | 0 | BN_CTX_free(ctx); |
810 | 0 | BN_MONT_CTX_free(mont); |
811 | 0 | EVP_MD_CTX_free(mctx); |
812 | 0 | EVP_MD_free(md); |
813 | 0 | return ok; |
814 | 0 | } |
815 | | |
816 | | /* Note this function is only used for verification in fips mode */ |
817 | | int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx, |
818 | | FFC_PARAMS *params, int mode, int type, |
819 | | size_t L, size_t N, int *res, |
820 | | BN_GENCB *cb) |
821 | 0 | { |
822 | 0 | int ok = FFC_PARAM_RET_STATUS_FAILED; |
823 | 0 | unsigned char seed[SHA256_DIGEST_LENGTH]; |
824 | 0 | unsigned char buf[SHA256_DIGEST_LENGTH]; |
825 | 0 | BIGNUM *r0, *test, *tmp, *g = NULL, *q = NULL, *p = NULL; |
826 | 0 | BN_MONT_CTX *mont = NULL; |
827 | 0 | EVP_MD *md = NULL; |
828 | 0 | int md_size; |
829 | 0 | size_t qsize; |
830 | 0 | int n = 0, m = 0; |
831 | 0 | int counter = 0, pcounter = 0, use_random_seed; |
832 | 0 | int rv; |
833 | 0 | BN_CTX *ctx = NULL; |
834 | 0 | int hret = -1; |
835 | 0 | unsigned char *seed_in = params->seed; |
836 | 0 | size_t seed_len = params->seedlen; |
837 | 0 | int verify = (mode == FFC_PARAM_MODE_VERIFY); |
838 | 0 | unsigned int flags = verify ? params->flags : 0; |
839 | 0 | const char *def_name; |
840 | |
|
841 | 0 | *res = 0; |
842 | |
|
843 | 0 | if (params->mdname != NULL) { |
844 | 0 | md = EVP_MD_fetch(libctx, params->mdname, params->mdprops); |
845 | 0 | } else { |
846 | 0 | if (N == 0) |
847 | 0 | N = (L >= 2048 ? SHA256_DIGEST_LENGTH : SHA_DIGEST_LENGTH) * 8; |
848 | 0 | def_name = default_mdname(N); |
849 | 0 | if (def_name == NULL) { |
850 | 0 | *res = FFC_CHECK_INVALID_Q_VALUE; |
851 | 0 | goto err; |
852 | 0 | } |
853 | 0 | md = EVP_MD_fetch(libctx, def_name, params->mdprops); |
854 | 0 | } |
855 | 0 | if (md == NULL) |
856 | 0 | goto err; |
857 | 0 | md_size = EVP_MD_get_size(md); |
858 | 0 | if (md_size <= 0) |
859 | 0 | goto err; |
860 | 0 | if (N == 0) |
861 | 0 | N = md_size * 8; |
862 | 0 | qsize = N >> 3; |
863 | | |
864 | | /* |
865 | | * The original spec allowed L = 512 + 64*j (j = 0.. 8) |
866 | | * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf |
867 | | * says that 512 can be used for legacy verification. |
868 | | */ |
869 | 0 | if (L < 512) { |
870 | 0 | *res = FFC_CHECK_BAD_LN_PAIR; |
871 | 0 | goto err; |
872 | 0 | } |
873 | 0 | if (qsize != SHA_DIGEST_LENGTH |
874 | 0 | && qsize != SHA224_DIGEST_LENGTH |
875 | 0 | && qsize != SHA256_DIGEST_LENGTH) { |
876 | | /* invalid q size */ |
877 | 0 | *res = FFC_CHECK_INVALID_Q_VALUE; |
878 | 0 | goto err; |
879 | 0 | } |
880 | | |
881 | 0 | L = (L + 63) / 64 * 64; |
882 | |
|
883 | 0 | if (seed_in != NULL) { |
884 | 0 | if (seed_len < qsize) { |
885 | 0 | *res = FFC_CHECK_INVALID_SEED_SIZE; |
886 | 0 | goto err; |
887 | 0 | } |
888 | | /* Only consume as much seed as is expected. */ |
889 | 0 | if (seed_len > qsize) |
890 | 0 | seed_len = qsize; |
891 | 0 | memcpy(seed, seed_in, seed_len); |
892 | 0 | } |
893 | | |
894 | 0 | ctx = BN_CTX_new_ex(libctx); |
895 | 0 | if (ctx == NULL) |
896 | 0 | goto err; |
897 | | |
898 | 0 | BN_CTX_start(ctx); |
899 | |
|
900 | 0 | r0 = BN_CTX_get(ctx); |
901 | 0 | g = BN_CTX_get(ctx); |
902 | 0 | q = BN_CTX_get(ctx); |
903 | 0 | p = BN_CTX_get(ctx); |
904 | 0 | tmp = BN_CTX_get(ctx); |
905 | 0 | test = BN_CTX_get(ctx); |
906 | 0 | if (test == NULL) |
907 | 0 | goto err; |
908 | | |
909 | 0 | if (!BN_lshift(test, BN_value_one(), (int)(L - 1))) |
910 | 0 | goto err; |
911 | | |
912 | 0 | if (!verify) { |
913 | | /* For generation: p & q must both be NULL or NON-NULL */ |
914 | 0 | if ((params->p != NULL) != (params->q != NULL)) { |
915 | 0 | *res = FFC_CHECK_INVALID_PQ; |
916 | 0 | goto err; |
917 | 0 | } |
918 | 0 | } else { |
919 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_PQ) != 0) { |
920 | | /* Validation of p,q requires seed and counter to be valid */ |
921 | 0 | if (seed_in == NULL || params->pcounter < 0) { |
922 | 0 | *res = FFC_CHECK_MISSING_SEED_OR_COUNTER; |
923 | 0 | goto err; |
924 | 0 | } |
925 | 0 | } |
926 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_G) != 0) { |
927 | | /* validation of g also requires g to be set */ |
928 | 0 | if (params->g == NULL) { |
929 | 0 | *res = FFC_CHECK_INVALID_G; |
930 | 0 | goto err; |
931 | 0 | } |
932 | 0 | } |
933 | 0 | } |
934 | | |
935 | 0 | if (params->p != NULL && ((flags & FFC_PARAM_FLAG_VALIDATE_PQ) == 0)) { |
936 | | /* p and q already exists so only generate g */ |
937 | 0 | p = params->p; |
938 | 0 | q = params->q; |
939 | 0 | goto g_only; |
940 | | /* otherwise fall through to validate p and q */ |
941 | 0 | } |
942 | | |
943 | 0 | use_random_seed = (seed_in == NULL); |
944 | 0 | for (;;) { |
945 | 0 | if (!generate_q_fips186_2(ctx, q, md, buf, seed, qsize, |
946 | 0 | use_random_seed, &m, res, cb)) |
947 | 0 | goto err; |
948 | | |
949 | 0 | if (!BN_GENCB_call(cb, 2, 0)) |
950 | 0 | goto err; |
951 | 0 | if (!BN_GENCB_call(cb, 3, 0)) |
952 | 0 | goto err; |
953 | | |
954 | | /* step 6 */ |
955 | 0 | n = (int)((L - 1) / 160); |
956 | 0 | counter = (int)(4 * L - 1); /* Was 4096 */ |
957 | | /* Validation requires the counter to be supplied */ |
958 | 0 | if (verify) { |
959 | 0 | if (params->pcounter > counter) { |
960 | 0 | *res = FFC_CHECK_INVALID_COUNTER; |
961 | 0 | goto err; |
962 | 0 | } |
963 | 0 | counter = params->pcounter; |
964 | 0 | } |
965 | | |
966 | 0 | rv = generate_p(ctx, md, counter, n, buf, qsize, q, p, (int)L, cb, |
967 | 0 | &pcounter, res); |
968 | 0 | if (rv > 0) |
969 | 0 | break; /* found it */ |
970 | 0 | if (rv == -1) |
971 | 0 | goto err; |
972 | | /* This is what the old code did - probably not a good idea! */ |
973 | 0 | use_random_seed = 1; |
974 | 0 | } |
975 | | |
976 | 0 | if (!BN_GENCB_call(cb, 2, 1)) |
977 | 0 | goto err; |
978 | | |
979 | 0 | if (verify) { |
980 | 0 | if (pcounter != counter) { |
981 | 0 | *res = FFC_CHECK_COUNTER_MISMATCH; |
982 | 0 | goto err; |
983 | 0 | } |
984 | 0 | if (BN_cmp(p, params->p) != 0) { |
985 | 0 | *res = FFC_CHECK_P_MISMATCH; |
986 | 0 | goto err; |
987 | 0 | } |
988 | 0 | } |
989 | | /* If validating p & q only then skip the g validation test */ |
990 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ) |
991 | 0 | goto pass; |
992 | 0 | g_only: |
993 | 0 | if ((mont = BN_MONT_CTX_new()) == NULL) |
994 | 0 | goto err; |
995 | 0 | if (!BN_MONT_CTX_set(mont, p, ctx)) |
996 | 0 | goto err; |
997 | | |
998 | 0 | if (!verify) { |
999 | | /* We now need to generate g */ |
1000 | | /* set test = p - 1 */ |
1001 | 0 | if (!BN_sub(test, p, BN_value_one())) |
1002 | 0 | goto err; |
1003 | | /* Set r0 = (p - 1) / q */ |
1004 | 0 | if (!BN_div(r0, NULL, test, q, ctx)) |
1005 | 0 | goto err; |
1006 | 0 | if (!generate_unverifiable_g(ctx, mont, g, tmp, p, r0, test, &hret)) |
1007 | 0 | goto err; |
1008 | 0 | } else if (((flags & FFC_PARAM_FLAG_VALIDATE_G) != 0) |
1009 | 0 | && !ossl_ffc_params_validate_unverifiable_g(ctx, mont, p, q, |
1010 | 0 | params->g, tmp, |
1011 | 0 | res)) { |
1012 | 0 | goto err; |
1013 | 0 | } |
1014 | | |
1015 | 0 | if (!BN_GENCB_call(cb, 3, 1)) |
1016 | 0 | goto err; |
1017 | | |
1018 | 0 | if (!verify) { |
1019 | 0 | if (p != params->p) { |
1020 | 0 | BN_free(params->p); |
1021 | 0 | params->p = BN_dup(p); |
1022 | 0 | } |
1023 | 0 | if (q != params->q) { |
1024 | 0 | BN_free(params->q); |
1025 | 0 | params->q = BN_dup(q); |
1026 | 0 | } |
1027 | 0 | if (g != params->g) { |
1028 | 0 | BN_free(params->g); |
1029 | 0 | params->g = BN_dup(g); |
1030 | 0 | } |
1031 | 0 | if (params->p == NULL || params->q == NULL || params->g == NULL) |
1032 | 0 | goto err; |
1033 | 0 | if (!ossl_ffc_params_set_validate_params(params, seed, qsize, pcounter)) |
1034 | 0 | goto err; |
1035 | 0 | params->h = hret; |
1036 | 0 | } |
1037 | 0 | pass: |
1038 | 0 | if ((flags & FFC_PARAM_FLAG_VALIDATE_G) != 0) |
1039 | 0 | ok = FFC_PARAM_RET_STATUS_UNVERIFIABLE_G; |
1040 | 0 | else |
1041 | 0 | ok = FFC_PARAM_RET_STATUS_SUCCESS; |
1042 | 0 | err: |
1043 | 0 | if (ctx != NULL) |
1044 | 0 | BN_CTX_end(ctx); |
1045 | 0 | BN_CTX_free(ctx); |
1046 | 0 | BN_MONT_CTX_free(mont); |
1047 | 0 | EVP_MD_free(md); |
1048 | 0 | return ok; |
1049 | 0 | } |
1050 | | |
1051 | | int ossl_ffc_params_FIPS186_4_generate(OSSL_LIB_CTX *libctx, FFC_PARAMS *params, |
1052 | | int type, size_t L, size_t N, |
1053 | | int *res, BN_GENCB *cb) |
1054 | 0 | { |
1055 | 0 | return ossl_ffc_params_FIPS186_4_gen_verify(libctx, params, |
1056 | 0 | FFC_PARAM_MODE_GENERATE, |
1057 | 0 | type, L, N, res, cb); |
1058 | 0 | } |
1059 | | |
1060 | | /* This should no longer be used in FIPS mode */ |
1061 | | int ossl_ffc_params_FIPS186_2_generate(OSSL_LIB_CTX *libctx, FFC_PARAMS *params, |
1062 | | int type, size_t L, size_t N, |
1063 | | int *res, BN_GENCB *cb) |
1064 | 0 | { |
1065 | 0 | if (!ossl_ffc_params_FIPS186_2_gen_verify(libctx, params, |
1066 | 0 | FFC_PARAM_MODE_GENERATE, |
1067 | 0 | type, L, N, res, cb)) |
1068 | 0 | return 0; |
1069 | | |
1070 | 0 | ossl_ffc_params_enable_flags(params, FFC_PARAM_FLAG_VALIDATE_LEGACY, 1); |
1071 | 0 | return 1; |
1072 | 0 | } |