1 /*
2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * Finite Field cryptography (FFC) is used for DSA and DH.
12 * This file contains methods for validation of FFC parameters.
13 * It calls the same functions as the generation as the code is very similar.
14 */
15
16 #include <openssl/err.h>
17 #include <openssl/bn.h>
18 #include <openssl/dsaerr.h>
19 #include <openssl/dherr.h>
20 #include "internal/ffc.h"
21
22 /* FIPS186-4 A.2.2 Unverifiable partial validation of Generator g */
ossl_ffc_params_validate_unverifiable_g(BN_CTX * ctx,BN_MONT_CTX * mont,const BIGNUM * p,const BIGNUM * q,const BIGNUM * g,BIGNUM * tmp,int * ret)23 int ossl_ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
24 const BIGNUM *p, const BIGNUM *q,
25 const BIGNUM *g, BIGNUM *tmp,
26 int *ret)
27 {
28 /*
29 * A.2.2 Step (1) AND
30 * A.2.4 Step (2)
31 * Verify that 2 <= g <= (p - 1)
32 */
33 if (BN_cmp(g, BN_value_one()) <= 0 || BN_cmp(g, p) >= 0) {
34 *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
35 return 0;
36 }
37
38 /*
39 * A.2.2 Step (2) AND
40 * A.2.4 Step (3)
41 * Check g^q mod p = 1
42 */
43 if (!BN_mod_exp_mont(tmp, g, q, p, ctx, mont))
44 return 0;
45 if (BN_cmp(tmp, BN_value_one()) != 0) {
46 *ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
47 return 0;
48 }
49 return 1;
50 }
51
ossl_ffc_params_FIPS186_4_validate(OSSL_LIB_CTX * libctx,const FFC_PARAMS * params,int type,int * res,BN_GENCB * cb)52 int ossl_ffc_params_FIPS186_4_validate(OSSL_LIB_CTX *libctx,
53 const FFC_PARAMS *params, int type,
54 int *res, BN_GENCB *cb)
55 {
56 size_t L, N;
57
58 if (params == NULL || params->p == NULL || params->q == NULL)
59 return FFC_PARAM_RET_STATUS_FAILED;
60
61 /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
62 L = BN_num_bits(params->p);
63 N = BN_num_bits(params->q);
64 return ossl_ffc_params_FIPS186_4_gen_verify(libctx, (FFC_PARAMS *)params,
65 FFC_PARAM_MODE_VERIFY, type,
66 L, N, res, cb);
67 }
68
69 /* This may be used in FIPS mode to validate deprecated FIPS-186-2 Params */
ossl_ffc_params_FIPS186_2_validate(OSSL_LIB_CTX * libctx,const FFC_PARAMS * params,int type,int * res,BN_GENCB * cb)70 int ossl_ffc_params_FIPS186_2_validate(OSSL_LIB_CTX *libctx,
71 const FFC_PARAMS *params, int type,
72 int *res, BN_GENCB *cb)
73 {
74 size_t L, N;
75
76 if (params == NULL || params->p == NULL || params->q == NULL) {
77 *res = FFC_CHECK_INVALID_PQ;
78 return FFC_PARAM_RET_STATUS_FAILED;
79 }
80
81 /* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
82 L = BN_num_bits(params->p);
83 N = BN_num_bits(params->q);
84 return ossl_ffc_params_FIPS186_2_gen_verify(libctx, (FFC_PARAMS *)params,
85 FFC_PARAM_MODE_VERIFY, type,
86 L, N, res, cb);
87 }
88
89 /*
90 * This does a simple check of L and N and partial g.
91 * It makes no attempt to do a full validation of p, q or g since these require
92 * extra parameters such as the digest and seed, which may not be available for
93 * this test.
94 */
ossl_ffc_params_simple_validate(OSSL_LIB_CTX * libctx,const FFC_PARAMS * params,int paramstype,int * res)95 int ossl_ffc_params_simple_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params,
96 int paramstype, int *res)
97 {
98 int ret;
99 int tmpres = 0;
100 FFC_PARAMS tmpparams = {0};
101
102 if (params == NULL)
103 return 0;
104
105 if (res == NULL)
106 res = &tmpres;
107
108 if (!ossl_ffc_params_copy(&tmpparams, params))
109 return 0;
110
111 tmpparams.flags = FFC_PARAM_FLAG_VALIDATE_G;
112 tmpparams.gindex = FFC_UNVERIFIABLE_GINDEX;
113
114 #ifndef FIPS_MODULE
115 if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY)
116 ret = ossl_ffc_params_FIPS186_2_validate(libctx, &tmpparams, paramstype,
117 res, NULL);
118 else
119 #endif
120 ret = ossl_ffc_params_FIPS186_4_validate(libctx, &tmpparams, paramstype,
121 res, NULL);
122 #ifndef OPENSSL_NO_DH
123 if (ret == FFC_PARAM_RET_STATUS_FAILED
124 && (*res & FFC_ERROR_NOT_SUITABLE_GENERATOR) != 0) {
125 ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR);
126 }
127 #endif
128
129 ossl_ffc_params_cleanup(&tmpparams);
130
131 return ret != FFC_PARAM_RET_STATUS_FAILED;
132 }
133
134 /*
135 * If possible (or always in FIPS_MODULE) do full FIPS 186-4 validation.
136 * Otherwise do simple check but in addition also check the primality of the
137 * p and q.
138 */
ossl_ffc_params_full_validate(OSSL_LIB_CTX * libctx,const FFC_PARAMS * params,int paramstype,int * res)139 int ossl_ffc_params_full_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params,
140 int paramstype, int *res)
141 {
142 int tmpres = 0;
143
144 if (params == NULL)
145 return 0;
146
147 if (res == NULL)
148 res = &tmpres;
149
150 #ifdef FIPS_MODULE
151 return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype,
152 res, NULL);
153 #else
154 if (params->seed != NULL) {
155 if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY)
156 return ossl_ffc_params_FIPS186_2_validate(libctx, params, paramstype,
157 res, NULL);
158 else
159 return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype,
160 res, NULL);
161 } else {
162 int ret = 0;
163
164 ret = ossl_ffc_params_simple_validate(libctx, params, paramstype, res);
165 if (ret) {
166 BN_CTX *ctx;
167
168 if ((ctx = BN_CTX_new_ex(libctx)) == NULL)
169 return 0;
170 if (BN_check_prime(params->q, ctx, NULL) != 1) {
171 # ifndef OPENSSL_NO_DSA
172 ERR_raise(ERR_LIB_DSA, DSA_R_Q_NOT_PRIME);
173 # endif
174 ret = 0;
175 }
176 if (ret && BN_check_prime(params->p, ctx, NULL) != 1) {
177 # ifndef OPENSSL_NO_DSA
178 ERR_raise(ERR_LIB_DSA, DSA_R_P_NOT_PRIME);
179 # endif
180 ret = 0;
181 }
182 BN_CTX_free(ctx);
183 }
184 return ret;
185 }
186 #endif
187 }
188