/src/openssl/crypto/dh/dh_key.c

Source (jump to first uncovered line)
/* crypto/dh/dh_key.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rand.h>
#include <openssl/dh.h>

static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                         const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
static int dh_init(DH *dh);
static int dh_finish(DH *dh);

int DH_generate_key(DH *dh)
{
#ifdef OPENSSL_FIPS
    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
        DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
        return 0;
    }
#endif
    return dh->meth->generate_key(dh);
}

int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
#ifdef OPENSSL_FIPS
    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
        DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
        return 0;
    }
#endif
    return dh->meth->compute_key(key, pub_key, dh);
}

int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
    int rv, pad;
    rv = dh->meth->compute_key(key, pub_key, dh);
    if (rv <= 0)
        return rv;
    pad = BN_num_bytes(dh->p) - rv;
    if (pad > 0) {
        memmove(key + pad, key, rv);
        memset(key, 0, pad);
    }
    return rv + pad;
}

static DH_METHOD dh_ossl = {
    "OpenSSL DH Method",
    generate_key,
    compute_key,
    dh_bn_mod_exp,
    dh_init,
    dh_finish,
    0,
    NULL,
    NULL
};

const DH_METHOD *DH_OpenSSL(void)
{
    return &dh_ossl;
}

static int generate_key(DH *dh)
{
    int ok = 0;
    int generate_new_key = 0;
    unsigned l;
    BN_CTX *ctx;
    BN_MONT_CTX *mont = NULL;
    BIGNUM *pub_key = NULL, *priv_key = NULL;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;

    if (dh->priv_key == NULL) {
        priv_key = BN_new();
        if (priv_key == NULL)
            goto err;
        generate_new_key = 1;
    } else
        priv_key = dh->priv_key;

    if (dh->pub_key == NULL) {
        pub_key = BN_new();
        if (pub_key == NULL)
            goto err;
    } else
        pub_key = dh->pub_key;

    if (dh->flags & DH_FLAG_CACHE_MONT_P) {
        mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                                      CRYPTO_LOCK_DH, dh->p, ctx);
        if (!mont)
            goto err;
    }

    if (generate_new_key) {
        if (dh->q) {
            do {
                if (!BN_rand_range(priv_key, dh->q))
                    goto err;
            }
            while (BN_is_zero(priv_key) || BN_is_one(priv_key));
        } else {
            /* secret exponent length */
            l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
            if (!BN_rand(priv_key, l, 0, 0))
                goto err;
        }
    }

    {
        BIGNUM local_prk;
        BIGNUM *prk;

        if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
            BN_init(&local_prk);
            prk = &local_prk;
            BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
        } else
            prk = priv_key;

        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont))
            goto err;
    }

    dh->pub_key = pub_key;
    dh->priv_key = priv_key;
    ok = 1;
 err:
    if (ok != 1)
        DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);

    if ((pub_key != NULL) && (dh->pub_key == NULL))
        BN_free(pub_key);
    if ((priv_key != NULL) && (dh->priv_key == NULL))
        BN_free(priv_key);
    BN_CTX_free(ctx);
    return (ok);
}

static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
    BN_CTX *ctx = NULL;
    BN_MONT_CTX *mont = NULL;
    BIGNUM *tmp;
    int ret = -1;
    int check_result;

    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
        DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
        goto err;
    }

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    tmp = BN_CTX_get(ctx);
    if (tmp == NULL)
        goto err;

    if (dh->priv_key == NULL) {
        DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);
        goto err;
    }

    if (dh->flags & DH_FLAG_CACHE_MONT_P) {
        mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                                      CRYPTO_LOCK_DH, dh->p, ctx);
        if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
            /* XXX */
            BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
        }
        if (!mont)
            goto err;
    }

    if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) {
        DHerr(DH_F_COMPUTE_KEY, DH_R_INVALID_PUBKEY);
        goto err;
    }

    if (!dh->
        meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx, mont)) {
        DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
        goto err;
    }

    ret = BN_bn2bin(tmp, key);
 err:
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    return (ret);
}

static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                         const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
    /*
     * If a is only one word long and constant time is false, use the faster
     * exponenentiation function.
     */
    if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
        BN_ULONG A = a->d[0];
        return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
    } else
        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}

static int dh_init(DH *dh)
{
    dh->flags |= DH_FLAG_CACHE_MONT_P;
    return (1);
}

static int dh_finish(DH *dh)
{
    if (dh->method_mont_p)
        BN_MONT_CTX_free(dh->method_mont_p);
    return (1);
}

Coverage Report

Created: 2022-11-30 06:20

Line	Count	Source (jump to first uncovered line)
1		/* crypto/dh/dh_key.c */
2		/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3		* All rights reserved.
4		*
5		* This package is an SSL implementation written
6		* by Eric Young (eay@cryptsoft.com).
7		* The implementation was written so as to conform with Netscapes SSL.
8		*
9		* This library is free for commercial and non-commercial use as long as
10		* the following conditions are aheared to. The following conditions
11		* apply to all code found in this distribution, be it the RC4, RSA,
12		* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13		* included with this distribution is covered by the same copyright terms
14		* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15		*
16		* Copyright remains Eric Young's, and as such any Copyright notices in
17		* the code are not to be removed.
18		* If this package is used in a product, Eric Young should be given attribution
19		* as the author of the parts of the library used.
20		* This can be in the form of a textual message at program startup or
21		* in documentation (online or textual) provided with the package.
22		*
23		* Redistribution and use in source and binary forms, with or without
24		* modification, are permitted provided that the following conditions
25		* are met:
26		* 1. Redistributions of source code must retain the copyright
27		* notice, this list of conditions and the following disclaimer.
28		* 2. Redistributions in binary form must reproduce the above copyright
29		* notice, this list of conditions and the following disclaimer in the
30		* documentation and/or other materials provided with the distribution.
31		* 3. All advertising materials mentioning features or use of this software
32		* must display the following acknowledgement:
33		* "This product includes cryptographic software written by
34		* Eric Young (eay@cryptsoft.com)"
35		* The word 'cryptographic' can be left out if the rouines from the library
36		* being used are not cryptographic related :-).
37		* 4. If you include any Windows specific code (or a derivative thereof) from
38		* the apps directory (application code) you must include an acknowledgement:
39		* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40		*
41		* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44		* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51		* SUCH DAMAGE.
52		*
53		* The licence and distribution terms for any publically available version or
54		* derivative of this code cannot be changed. i.e. this code cannot simply be
55		* copied and put under another distribution licence
56		* [including the GNU Public Licence.]
57		*/
58
59		#include <stdio.h>
60		#include "cryptlib.h"
61		#include <openssl/bn.h>
62		#include <openssl/rand.h>
63		#include <openssl/dh.h>
64
65		static int generate_key(DH *dh);
66		static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh);
67		static int dh_bn_mod_exp(const DH dh, BIGNUM r,
68		const BIGNUM a, const BIGNUM p,
69		const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
70		static int dh_init(DH *dh);
71		static int dh_finish(DH *dh);
72
73		int DH_generate_key(DH *dh)
74	0	{
75		#ifdef OPENSSL_FIPS
76		if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
77		&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
78		DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
79		return 0;
80		}
81		#endif
82	0	return dh->meth->generate_key(dh);
83	0	}
84
85		int DH_compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
86	0	{
87		#ifdef OPENSSL_FIPS
88		if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
89		&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
90		DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
91		return 0;
92		}
93		#endif
94	0	return dh->meth->compute_key(key, pub_key, dh);
95	0	}
96
97		int DH_compute_key_padded(unsigned char key, const BIGNUM pub_key, DH *dh)
98	0	{
99	0	int rv, pad;
100	0	rv = dh->meth->compute_key(key, pub_key, dh);
101	0	if (rv <= 0)
102	0	return rv;
103	0	pad = BN_num_bytes(dh->p) - rv;
104	0	if (pad > 0) {
105	0	memmove(key + pad, key, rv);
106	0	memset(key, 0, pad);
107	0	}
108	0	return rv + pad;
109	0	}
110
111		static DH_METHOD dh_ossl = {
112		"OpenSSL DH Method",
113		generate_key,
114		compute_key,
115		dh_bn_mod_exp,
116		dh_init,
117		dh_finish,
118		0,
119		NULL,
120		NULL
121		};
122
123		const DH_METHOD *DH_OpenSSL(void)
124	133	{
125	133	return &dh_ossl;
126	133	}
127
128		static int generate_key(DH *dh)
129	0	{
130	0	int ok = 0;
131	0	int generate_new_key = 0;
132	0	unsigned l;
133	0	BN_CTX *ctx;
134	0	BN_MONT_CTX *mont = NULL;
135	0	BIGNUM pub_key = NULL, priv_key = NULL;
136
137	0	ctx = BN_CTX_new();
138	0	if (ctx == NULL)
139	0	goto err;
140
141	0	if (dh->priv_key == NULL) {
142	0	priv_key = BN_new();
143	0	if (priv_key == NULL)
144	0	goto err;
145	0	generate_new_key = 1;
146	0	} else
147	0	priv_key = dh->priv_key;
148
149	0	if (dh->pub_key == NULL) {
150	0	pub_key = BN_new();
151	0	if (pub_key == NULL)
152	0	goto err;
153	0	} else
154	0	pub_key = dh->pub_key;
155
156	0	if (dh->flags & DH_FLAG_CACHE_MONT_P) {
157	0	mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
158	0	CRYPTO_LOCK_DH, dh->p, ctx);
159	0	if (!mont)
160	0	goto err;
161	0	}
162
163	0	if (generate_new_key) {
164	0	if (dh->q) {
165	0	do {
166	0	if (!BN_rand_range(priv_key, dh->q))
167	0	goto err;
168	0	}
169	0	while (BN_is_zero(priv_key) \|\| BN_is_one(priv_key));
170	0	} else {
171		/* secret exponent length */
172	0	l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
173	0	if (!BN_rand(priv_key, l, 0, 0))
174	0	goto err;
175	0	}
176	0	}
177
178	0	{
179	0	BIGNUM local_prk;
180	0	BIGNUM *prk;
181
182	0	if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
183	0	BN_init(&local_prk);
184	0	prk = &local_prk;
185	0	BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
186	0	} else
187	0	prk = priv_key;
188
189	0	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont))
190	0	goto err;
191	0	}
192
193	0	dh->pub_key = pub_key;
194	0	dh->priv_key = priv_key;
195	0	ok = 1;
196	0	err:
197	0	if (ok != 1)
198	0	DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
199
200	0	if ((pub_key != NULL) && (dh->pub_key == NULL))
201	0	BN_free(pub_key);
202	0	if ((priv_key != NULL) && (dh->priv_key == NULL))
203	0	BN_free(priv_key);
204	0	BN_CTX_free(ctx);
205	0	return (ok);
206	0	}
207
208		static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
209	0	{
210	0	BN_CTX *ctx = NULL;
211	0	BN_MONT_CTX *mont = NULL;
212	0	BIGNUM *tmp;
213	0	int ret = -1;
214	0	int check_result;
215
216	0	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
217	0	DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
218	0	goto err;
219	0	}
220
221	0	ctx = BN_CTX_new();
222	0	if (ctx == NULL)
223	0	goto err;
224	0	BN_CTX_start(ctx);
225	0	tmp = BN_CTX_get(ctx);
226	0	if (tmp == NULL)
227	0	goto err;
228
229	0	if (dh->priv_key == NULL) {
230	0	DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);
231	0	goto err;
232	0	}
233
234	0	if (dh->flags & DH_FLAG_CACHE_MONT_P) {
235	0	mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
236	0	CRYPTO_LOCK_DH, dh->p, ctx);
237	0	if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
238		/* XXX */
239	0	BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
240	0	}
241	0	if (!mont)
242	0	goto err;
243	0	}
244
245	0	if (!DH_check_pub_key(dh, pub_key, &check_result) \|\| check_result) {
246	0	DHerr(DH_F_COMPUTE_KEY, DH_R_INVALID_PUBKEY);
247	0	goto err;
248	0	}
249
250	0	if (!dh->
251	0	meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx, mont)) {
252	0	DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
253	0	goto err;
254	0	}
255
256	0	ret = BN_bn2bin(tmp, key);
257	0	err:
258	0	if (ctx != NULL) {
259	0	BN_CTX_end(ctx);
260	0	BN_CTX_free(ctx);
261	0	}
262	0	return (ret);
263	0	}
264
265		static int dh_bn_mod_exp(const DH dh, BIGNUM r,
266		const BIGNUM a, const BIGNUM p,
267		const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx)
268	0	{
269		/*
270		* If a is only one word long and constant time is false, use the faster
271		* exponenentiation function.
272		*/
273	0	if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
274	0	BN_ULONG A = a->d[0];
275	0	return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
276	0	} else
277	0	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
278	0	}
279
280		static int dh_init(DH *dh)
281	0	{
282	0	dh->flags \|= DH_FLAG_CACHE_MONT_P;
283	0	return (1);
284	0	}
285
286		static int dh_finish(DH *dh)
287	0	{
288	0	if (dh->method_mont_p)
289	0	BN_MONT_CTX_free(dh->method_mont_p);
290	0	return (1);
291	0	}