/src/openssl30/crypto/dh/dh_gen.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * NB: These functions have been upgraded - the previous prototypes are in |
12 | | * dh_depr.c as wrappers to these ones. - Geoff |
13 | | */ |
14 | | |
15 | | /* |
16 | | * DH low level APIs are deprecated for public use, but still ok for |
17 | | * internal use. |
18 | | * |
19 | | * NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9 |
20 | | * states that no additional pairwise tests are required (apart from the tests |
21 | | * specified in SP800-56A) when generating keys. Hence DH pairwise tests are |
22 | | * omitted here. |
23 | | */ |
24 | | #include "internal/deprecated.h" |
25 | | |
26 | | #include <stdio.h> |
27 | | #include "internal/cryptlib.h" |
28 | | #include <openssl/bn.h> |
29 | | #include <openssl/sha.h> |
30 | | #include "crypto/dh.h" |
31 | | #include "dh_local.h" |
32 | | |
33 | | #ifndef FIPS_MODULE |
34 | | static int dh_builtin_genparams(DH *ret, int prime_len, int generator, |
35 | | BN_GENCB *cb); |
36 | | #endif /* FIPS_MODULE */ |
37 | | |
/*
 * Generate FFC domain parameters for |dh|, passing &dh->params to the
 * generator as the destination.
 *
 * Outside the FIPS module, |type| == DH_PARAMGEN_TYPE_FIPS_186_2 selects the
 * FIPS 186-2 generator. Every other |type| value, and every call made inside
 * the FIPS module, goes to the FIPS 186-4 generator.
 *
 * |pbits| and |qbits| are forwarded unchanged: this function performs no
 * range check of its own. |dh| is dereferenced without a NULL check, so the
 * caller must pass a valid object.
 *
 * Returns the generator's return value. dh->dirty_cnt is bumped only when
 * that value is positive.
 */
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
                                    BN_GENCB *cb)
{
    /*
     * The generator reports a status code through this out-parameter; it is
     * not inspected here, only the return value decides success.
     */
    int gen_status;
    int rv;

#ifndef FIPS_MODULE
    if (type == DH_PARAMGEN_TYPE_FIPS_186_2) {
        rv = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
                                                FFC_PARAM_TYPE_DH,
                                                pbits, qbits, &gen_status, cb);
    } else
#endif
    {
        rv = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
                                                FFC_PARAM_TYPE_DH,
                                                pbits, qbits, &gen_status, cb);
    }

    if (rv <= 0)
        return rv;

    /* Parameters changed: mark the object dirty */
    dh->dirty_cnt++;
    return rv;
}
57 | | |
/*
 * Map a prime size in bits to the NID of an approved safe-prime group.
 *
 * Only 2048, 3072, 4096, 6144 and 8192 are recognised; any other |pbits|
 * yields NID_undef, which callers must treat as "unsupported size".
 *
 * The alternative would be to generate FIPS186-4 domain parameters, but those
 * exist for backwards compatibility, so a safe-prime group is the default.
 */
int ossl_dh_get_named_group_uid_from_size(int pbits)
{
    static const struct {
        int bits;
        int nid;
    } ffdhe_groups[] = {
        { 2048, NID_ffdhe2048 },
        { 3072, NID_ffdhe3072 },
        { 4096, NID_ffdhe4096 },
        { 6144, NID_ffdhe6144 },
        { 8192, NID_ffdhe8192 },
    };
    size_t i;

    for (i = 0; i < sizeof(ffdhe_groups) / sizeof(ffdhe_groups[0]); i++) {
        if (ffdhe_groups[i].bits == pbits)
            return ffdhe_groups[i].nid;
    }

    /* unsupported prime_len */
    return NID_undef;
}
91 | | |
92 | | #ifdef FIPS_MODULE |
93 | | |
/*
 * FIPS module only: fill |ret| with the parameters of the named safe-prime
 * group matching |prime_len| instead of generating fresh ones.
 *
 * Returns 1 when the parameters were copied into ret->params (dirty_cnt is
 * incremented in that case) and 0 when |prime_len| has no matching group,
 * the named-group object could not be created, or the copy failed.
 * |ret| is dereferenced without a NULL check.
 */
static int dh_gen_named_group(OSSL_LIB_CTX *libctx, DH *ret, int prime_len)
{
    DH *named;
    int copied;
    int nid = ossl_dh_get_named_group_uid_from_size(prime_len);

    if (nid == NID_undef)
        return 0;

    named = ossl_dh_new_by_nid_ex(libctx, nid);
    if (named == NULL)
        return 0;

    copied = ossl_ffc_params_copy(&ret->params, &named->params) ? 1 : 0;
    if (copied)
        ret->dirty_cnt++;

    /* The temporary object is only a source for the copy */
    DH_free(named);
    return copied;
}
112 | | #endif /* FIPS_MODULE */ |
113 | | |
/*
 * Public entry point for DH parameter generation.
 *
 * Inside the FIPS module no parameters are generated: only |generator| == 2
 * is accepted, and |ret| receives the named safe-prime group that matches
 * |prime_len| (0 is returned for any other generator).
 *
 * Outside the FIPS module the method table's generate_params hook is used
 * when one is set; otherwise the built-in safe-prime generator runs.
 * |ret| and ret->meth are dereferenced without NULL checks.
 */
int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
                              BN_GENCB *cb)
{
#ifdef FIPS_MODULE
    return generator == 2
        ? dh_gen_named_group(ret->libctx, ret, prime_len)
        : 0;
#else
    if (ret->meth->generate_params == NULL)
        return dh_builtin_genparams(ret, prime_len, generator, cb);

    /* A custom method overrides the built-in generator entirely */
    return ret->meth->generate_params(ret, prime_len, generator, cb);
#endif /* FIPS_MODULE */
}
127 | | |
128 | | #ifndef FIPS_MODULE |
129 | | /*- |
130 | | * We generate DH parameters as follows |
131 | | * find a prime p which is prime_len bits long, |
132 | | * where q=(p-1)/2 is also prime. |
133 | | * In the following we assume that g is not 0, 1 or p-1, since it |
134 | | * would generate only trivial subgroups. |
135 | | * For this case, g is a generator of the order-q subgroup if |
136 | | * g^q mod p == 1. |
137 | | * Or in terms of the Legendre symbol: (g/p) == 1. |
138 | | * |
139 | | * Having said all that, |
140 | | * there is another special case method for the generators 2, 3 and 5. |
141 | | * Using the quadratic reciprocity law it is possible to solve |
142 | | * (g/p) == 1 for the special values 2, 3, 5: |
143 | | * (2/p) == 1 if p mod 8 == 1 or 7. |
144 | | * (3/p) == 1 if p mod 12 == 1 or 11. |
145 | | * (5/p) == 1 if p mod 5 == 1 or 4. |
146 | | * See for instance: https://en.wikipedia.org/wiki/Legendre_symbol |
147 | | * |
148 | | * Since all safe primes > 7 must satisfy p mod 12 == 11 |
149 | | * and all safe primes > 11 must satisfy p mod 5 != 1 |
150 | | * we can further improve the condition for g = 2, 3 and 5: |
151 | | * for 2, p mod 24 == 23 |
152 | | * for 3, p mod 12 == 11 |
153 | | * for 5, p mod 60 == 59 |
154 | | */ |
/*
 * Built-in generator: find a safe prime p of |prime_len| bits and store it,
 * together with |generator|, in ret->params.
 *
 * |prime_len| must lie within [DH_MIN_MODULUS_BITS,
 * OPENSSL_DH_MAX_MODULUS_BITS] and |generator| must be greater than 1.
 * Returns 1 on success and 0 on failure, with an error on the error queue.
 *
 * Note that ret->params.p and ret->params.g are allocated (when absent)
 * before |generator| is validated, so a rejected generator can leave newly
 * allocated, unset BIGNUMs in |ret|.
 */
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
                                BN_GENCB *cb)
{
    BIGNUM *modulus, *residue;
    BN_ULONG mod_w, rem_w;
    BN_CTX *ctx = NULL;
    int g;
    int ok = -1;    /* -1 until success; turned into 0 + ERR_R_BN_LIB at err */

    /* Size limits are reported with their own error codes and return early */
    if (prime_len > OPENSSL_DH_MAX_MODULUS_BITS) {
        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
        return 0;
    }
    if (prime_len < DH_MIN_MODULUS_BITS) {
        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
        return 0;
    }

    ctx = BN_CTX_new_ex(ret->libctx);
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    modulus = BN_CTX_get(ctx);
    residue = BN_CTX_get(ctx);
    /* Only the last BN_CTX_get() result is tested */
    if (residue == NULL)
        goto err;

    /* Make sure 'ret' has the necessary elements */
    if (ret->params.p == NULL) {
        ret->params.p = BN_new();
        if (ret->params.p == NULL)
            goto err;
    }
    if (ret->params.g == NULL) {
        ret->params.g = BN_new();
        if (ret->params.g == NULL)
            goto err;
    }

    if (generator <= 1) {
        ERR_raise(ERR_LIB_DH, DH_R_BAD_GENERATOR);
        /* ok is still -1, so ERR_R_BN_LIB is raised as well at err */
        goto err;
    }

    /* Choose the congruence p == rem_w (mod mod_w) the prime must satisfy */
    switch (generator) {
    case DH_GENERATOR_2:
        mod_w = 24;
        rem_w = 23;
        g = 2;
        break;
    case DH_GENERATOR_5:
        mod_w = 60;
        rem_w = 59;
        g = 5;
        break;
    default:
        /*
         * General case: no check that 'generator' really is a generator.
         * With a safe prime it generates a group of order q or 2q, and
         * both are acceptable.
         */
        mod_w = 12;
        rem_w = 11;
        g = generator;
        break;
    }

    if (!BN_set_word(modulus, mod_w) || !BN_set_word(residue, rem_w))
        goto err;

    /* Third argument 1 requests a safe prime */
    if (!BN_generate_prime_ex2(ret->params.p, prime_len, 1, modulus, residue,
                               cb, ctx)
            || !BN_GENCB_call(cb, 3, 0)
            || !BN_set_word(ret->params.g, g))
        goto err;

    ret->dirty_cnt++;
    ok = 1;

 err:
    if (ok == -1) {
        ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
        ok = 0;
    }

    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ok;
}
234 | | #endif /* FIPS_MODULE */ |