/src/openssl32/crypto/dh/dh_gen.c

Source (jump to first uncovered line)
/*
 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * NB: These functions have been upgraded - the previous prototypes are in
 * dh_depr.c as wrappers to these ones.  - Geoff
 */

/*
 * DH low level APIs are deprecated for public use, but still ok for
 * internal use.
 *
 * NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9
 * states that no additional pairwise tests are required (apart from the tests
 * specified in SP800-56A) when generating keys. Hence DH pairwise tests are
 * omitted here.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include "crypto/dh.h"
#include "crypto/security_bits.h"
#include "dh_local.h"

#ifndef FIPS_MODULE
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
                                BN_GENCB *cb);
#endif /* FIPS_MODULE */

int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
                                    BN_GENCB *cb)
{
    int ret, res;

#ifndef FIPS_MODULE
    if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
        ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
                                                 FFC_PARAM_TYPE_DH,
                                                 pbits, qbits, &res, cb);
    else
#endif
        ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
                                                 FFC_PARAM_TYPE_DH,
                                                 pbits, qbits, &res, cb);
    if (ret > 0)
        dh->dirty_cnt++;
    return ret;
}

int ossl_dh_get_named_group_uid_from_size(int pbits)
{
    /*
     * Just choose an approved safe prime group.
     * The alternative to this is to generate FIPS186-4 domain parameters i.e.
     * return dh_generate_ffc_parameters(ret, prime_len, 0, NULL, cb);
     * As the FIPS186-4 generated params are for backwards compatibility,
     * the safe prime group should be used as the default.
     */
    int nid;

    switch (pbits) {
    case 2048:
        nid = NID_ffdhe2048;
        break;
    case 3072:
        nid = NID_ffdhe3072;
        break;
    case 4096:
        nid = NID_ffdhe4096;
        break;
    case 6144:
        nid = NID_ffdhe6144;
        break;
    case 8192:
        nid = NID_ffdhe8192;
        break;
    /* unsupported prime_len */
    default:
        return NID_undef;
    }
    return nid;
}

#ifdef FIPS_MODULE

static int dh_gen_named_group(OSSL_LIB_CTX *libctx, DH *ret, int prime_len)
{
    DH *dh;
    int ok = 0;
    int nid = ossl_dh_get_named_group_uid_from_size(prime_len);

    if (nid == NID_undef)
        return 0;

    dh = ossl_dh_new_by_nid_ex(libctx, nid);
    if (dh != NULL
        && ossl_ffc_params_copy(&ret->params, &dh->params)) {
        ok = 1;
        ret->dirty_cnt++;
    }
    DH_free(dh);
    return ok;
}
#endif /* FIPS_MODULE */

int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
                              BN_GENCB *cb)
{
#ifdef FIPS_MODULE
    if (generator != 2)
        return 0;
    return dh_gen_named_group(ret->libctx, ret, prime_len);
#else
    if (ret->meth->generate_params)
        return ret->meth->generate_params(ret, prime_len, generator, cb);
    return dh_builtin_genparams(ret, prime_len, generator, cb);
#endif /* FIPS_MODULE */
}

#ifndef FIPS_MODULE
/*-
 * We generate DH parameters as follows
 * find a prime p which is prime_len bits long,
 * where q=(p-1)/2 is also prime.
 * In the following we assume that g is not 0, 1 or p-1, since it
 * would generate only trivial subgroups.
 * For this case, g is a generator of the order-q subgroup if
 * g^q mod p == 1.
 * Or in terms of the Legendre symbol: (g/p) == 1.
 *
 * Having said all that,
 * there is another special case method for the generators 2, 3 and 5.
 * Using the quadratic reciprocity law it is possible to solve
 * (g/p) == 1 for the special values 2, 3, 5:
 * (2/p) == 1 if p mod 8 == 1 or 7.
 * (3/p) == 1 if p mod 12 == 1 or 11.
 * (5/p) == 1 if p mod 5 == 1 or 4.
 * See for instance: https://en.wikipedia.org/wiki/Legendre_symbol
 *
 * Since all safe primes > 7 must satisfy p mod 12 == 11
 * and all safe primes > 11 must satisfy p mod 5 != 1
 * we can further improve the condition for g = 2, 3 and 5:
 * for 2, p mod 24 == 23
 * for 3, p mod 12 == 11
 * for 5, p mod 60 == 59
 */
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
                                BN_GENCB *cb)
{
    BIGNUM *t1, *t2;
    int g, ok = -1;
    BN_CTX *ctx = NULL;

    if (prime_len > OPENSSL_DH_MAX_MODULUS_BITS) {
        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
        return 0;
    }

    if (prime_len < DH_MIN_MODULUS_BITS) {
        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
        return 0;
    }

    ctx = BN_CTX_new_ex(ret->libctx);
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    t1 = BN_CTX_get(ctx);
    t2 = BN_CTX_get(ctx);
    if (t2 == NULL)
        goto err;

    /* Make sure 'ret' has the necessary elements */
    if (ret->params.p == NULL && ((ret->params.p = BN_new()) == NULL))
        goto err;
    if (ret->params.g == NULL && ((ret->params.g = BN_new()) == NULL))
        goto err;

    if (generator <= 1) {
        ERR_raise(ERR_LIB_DH, DH_R_BAD_GENERATOR);
        goto err;
    }
    if (generator == DH_GENERATOR_2) {
        if (!BN_set_word(t1, 24))
            goto err;
        if (!BN_set_word(t2, 23))
            goto err;
        g = 2;
    } else if (generator == DH_GENERATOR_5) {
        if (!BN_set_word(t1, 60))
            goto err;
        if (!BN_set_word(t2, 59))
            goto err;
        g = 5;
    } else {
        /*
         * in the general case, don't worry if 'generator' is a generator or
         * not: since we are using safe primes, it will generate either an
         * order-q or an order-2q group, which both is OK
         */
        if (!BN_set_word(t1, 12))
            goto err;
        if (!BN_set_word(t2, 11))
            goto err;
        g = generator;
    }

    if (!BN_generate_prime_ex2(ret->params.p, prime_len, 1, t1, t2, cb, ctx))
        goto err;
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;
    if (!BN_set_word(ret->params.g, g))
        goto err;
    /* We are using safe prime p, set key length equivalent to RFC 7919 */
    ret->length = (2 * ossl_ifc_ffc_compute_security_bits(prime_len)
                   + 24) / 25 * 25;
    ret->dirty_cnt++;
    ok = 1;
 err:
    if (ok == -1) {
        ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
        ok = 0;
    }

    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ok;
}
#endif /* FIPS_MODULE */

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* NB: These functions have been upgraded - the previous prototypes are in
12		* dh_depr.c as wrappers to these ones. - Geoff
13		*/
14
15		/*
16		* DH low level APIs are deprecated for public use, but still ok for
17		* internal use.
18		*
19		* NOTE: When generating keys for key-agreement schemes - FIPS 140-2 IG 9.9
20		* states that no additional pairwise tests are required (apart from the tests
21		* specified in SP800-56A) when generating keys. Hence DH pairwise tests are
22		* omitted here.
23		*/
24		#include "internal/deprecated.h"
25
26		#include <stdio.h>
27		#include "internal/cryptlib.h"
28		#include <openssl/bn.h>
29		#include <openssl/sha.h>
30		#include "crypto/dh.h"
31		#include "crypto/security_bits.h"
32		#include "dh_local.h"
33
34		#ifndef FIPS_MODULE
35		static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
36		BN_GENCB *cb);
37		#endif /* FIPS_MODULE */
38
39		int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
40		BN_GENCB *cb)
41	0	{
42	0	int ret, res;
43
44	0	#ifndef FIPS_MODULE
45	0	if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
46	0	ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
47	0	FFC_PARAM_TYPE_DH,
48	0	pbits, qbits, &res, cb);
49	0	else
50	0	#endif
51	0	ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
52	0	FFC_PARAM_TYPE_DH,
53	0	pbits, qbits, &res, cb);
54	0	if (ret > 0)
55	0	dh->dirty_cnt++;
56	0	return ret;
57	0	}
58
59		int ossl_dh_get_named_group_uid_from_size(int pbits)
60	0	{
61		/*
62		* Just choose an approved safe prime group.
63		* The alternative to this is to generate FIPS186-4 domain parameters i.e.
64		* return dh_generate_ffc_parameters(ret, prime_len, 0, NULL, cb);
65		* As the FIPS186-4 generated params are for backwards compatibility,
66		* the safe prime group should be used as the default.
67		*/
68	0	int nid;
69
70	0	switch (pbits) {
71	0	case 2048:
72	0	nid = NID_ffdhe2048;
73	0	break;
74	0	case 3072:
75	0	nid = NID_ffdhe3072;
76	0	break;
77	0	case 4096:
78	0	nid = NID_ffdhe4096;
79	0	break;
80	0	case 6144:
81	0	nid = NID_ffdhe6144;
82	0	break;
83	0	case 8192:
84	0	nid = NID_ffdhe8192;
85	0	break;
86		/* unsupported prime_len */
87	0	default:
88	0	return NID_undef;
89	0	}
90	0	return nid;
91	0	}
92
93		#ifdef FIPS_MODULE
94
95		static int dh_gen_named_group(OSSL_LIB_CTX libctx, DH ret, int prime_len)
96		{
97		DH *dh;
98		int ok = 0;
99		int nid = ossl_dh_get_named_group_uid_from_size(prime_len);
100
101		if (nid == NID_undef)
102		return 0;
103
104		dh = ossl_dh_new_by_nid_ex(libctx, nid);
105		if (dh != NULL
106		&& ossl_ffc_params_copy(&ret->params, &dh->params)) {
107		ok = 1;
108		ret->dirty_cnt++;
109		}
110		DH_free(dh);
111		return ok;
112		}
113		#endif /* FIPS_MODULE */
114
115		int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
116		BN_GENCB *cb)
117	0	{
118		#ifdef FIPS_MODULE
119		if (generator != 2)
120		return 0;
121		return dh_gen_named_group(ret->libctx, ret, prime_len);
122		#else
123	0	if (ret->meth->generate_params)
124	0	return ret->meth->generate_params(ret, prime_len, generator, cb);
125	0	return dh_builtin_genparams(ret, prime_len, generator, cb);
126	0	#endif /* FIPS_MODULE */
127	0	}
128
129		#ifndef FIPS_MODULE
130		/*-
131		* We generate DH parameters as follows
132		* find a prime p which is prime_len bits long,
133		* where q=(p-1)/2 is also prime.
134		* In the following we assume that g is not 0, 1 or p-1, since it
135		* would generate only trivial subgroups.
136		* For this case, g is a generator of the order-q subgroup if
137		* g^q mod p == 1.
138		* Or in terms of the Legendre symbol: (g/p) == 1.
139		*
140		* Having said all that,
141		* there is another special case method for the generators 2, 3 and 5.
142		* Using the quadratic reciprocity law it is possible to solve
143		* (g/p) == 1 for the special values 2, 3, 5:
144		* (2/p) == 1 if p mod 8 == 1 or 7.
145		* (3/p) == 1 if p mod 12 == 1 or 11.
146		* (5/p) == 1 if p mod 5 == 1 or 4.
147		* See for instance: https://en.wikipedia.org/wiki/Legendre_symbol
148		*
149		* Since all safe primes > 7 must satisfy p mod 12 == 11
150		* and all safe primes > 11 must satisfy p mod 5 != 1
151		* we can further improve the condition for g = 2, 3 and 5:
152		* for 2, p mod 24 == 23
153		* for 3, p mod 12 == 11
154		* for 5, p mod 60 == 59
155		*/
156		static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
157		BN_GENCB *cb)
158	0	{
159	0	BIGNUM t1, t2;
160	0	int g, ok = -1;
161	0	BN_CTX *ctx = NULL;
162
163	0	if (prime_len > OPENSSL_DH_MAX_MODULUS_BITS) {
164	0	ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
165	0	return 0;
166	0	}
167
168	0	if (prime_len < DH_MIN_MODULUS_BITS) {
169	0	ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
170	0	return 0;
171	0	}
172
173	0	ctx = BN_CTX_new_ex(ret->libctx);
174	0	if (ctx == NULL)
175	0	goto err;
176	0	BN_CTX_start(ctx);
177	0	t1 = BN_CTX_get(ctx);
178	0	t2 = BN_CTX_get(ctx);
179	0	if (t2 == NULL)
180	0	goto err;
181
182		/* Make sure 'ret' has the necessary elements */
183	0	if (ret->params.p == NULL && ((ret->params.p = BN_new()) == NULL))
184	0	goto err;
185	0	if (ret->params.g == NULL && ((ret->params.g = BN_new()) == NULL))
186	0	goto err;
187
188	0	if (generator <= 1) {
189	0	ERR_raise(ERR_LIB_DH, DH_R_BAD_GENERATOR);
190	0	goto err;
191	0	}
192	0	if (generator == DH_GENERATOR_2) {
193	0	if (!BN_set_word(t1, 24))
194	0	goto err;
195	0	if (!BN_set_word(t2, 23))
196	0	goto err;
197	0	g = 2;
198	0	} else if (generator == DH_GENERATOR_5) {
199	0	if (!BN_set_word(t1, 60))
200	0	goto err;
201	0	if (!BN_set_word(t2, 59))
202	0	goto err;
203	0	g = 5;
204	0	} else {
205		/*
206		* in the general case, don't worry if 'generator' is a generator or
207		* not: since we are using safe primes, it will generate either an
208		* order-q or an order-2q group, which both is OK
209		*/
210	0	if (!BN_set_word(t1, 12))
211	0	goto err;
212	0	if (!BN_set_word(t2, 11))
213	0	goto err;
214	0	g = generator;
215	0	}
216
217	0	if (!BN_generate_prime_ex2(ret->params.p, prime_len, 1, t1, t2, cb, ctx))
218	0	goto err;
219	0	if (!BN_GENCB_call(cb, 3, 0))
220	0	goto err;
221	0	if (!BN_set_word(ret->params.g, g))
222	0	goto err;
223		/* We are using safe prime p, set key length equivalent to RFC 7919 */
224	0	ret->length = (2 * ossl_ifc_ffc_compute_security_bits(prime_len)
225	0	+ 24) / 25 * 25;
226	0	ret->dirty_cnt++;
227	0	ok = 1;
228	0	err:
229	0	if (ok == -1) {
230	0	ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
231	0	ok = 0;
232	0	}
233
234	0	BN_CTX_end(ctx);
235	0	BN_CTX_free(ctx);
236	0	return ok;
237	0	}
238		#endif /* FIPS_MODULE */