1 /* 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include "dh_local.h" 13 #include "crypto/bn.h" 14 15 static int generate_key(DH *dh); 16 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); 17 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, 18 const BIGNUM *a, const BIGNUM *p, 19 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); 20 static int dh_init(DH *dh); 21 static int dh_finish(DH *dh); 22 23 int DH_generate_key(DH *dh) 24 { 25 return dh->meth->generate_key(dh); 26 } 27 28 /*- 29 * NB: This function is inherently not constant time due to the 30 * RFC 5246 (8.1.2) padding style that strips leading zero bytes. 31 */ 32 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) 33 { 34 int ret = 0, i; 35 volatile size_t npad = 0, mask = 1; 36 37 /* compute the key; ret is constant unless compute_key is external */ 38 if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) 39 return ret; 40 41 /* count leading zero bytes, yet still touch all bytes */ 42 for (i = 0; i < ret; i++) { 43 mask &= !key[i]; 44 npad += mask; 45 } 46 47 /* unpad key */ 48 ret -= npad; 49 /* key-dependent memory access, potentially leaking npad / ret */ 50 memmove(key, key + npad, ret); 51 /* key-dependent memory access, potentially leaking npad / ret */ 52 memset(key + ret, 0, npad); 53 54 return ret; 55 } 56 57 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) 58 { 59 int rv, pad; 60 61 /* rv is constant unless compute_key is external */ 62 rv = dh->meth->compute_key(key, pub_key, dh); 63 if (rv <= 0) 64 return rv; 65 pad = BN_num_bytes(dh->p) - rv; 66 /* pad is constant (zero) unless compute_key is external */ 67 if (pad > 0) { 68 memmove(key + pad, key, rv); 69 memset(key, 0, pad); 70 } 71 return rv + pad; 72 } 73 74 static DH_METHOD dh_ossl = { 75 "OpenSSL DH Method", 76 generate_key, 77 compute_key, 78 dh_bn_mod_exp, 79 dh_init, 80 dh_finish, 81 DH_FLAG_FIPS_METHOD, 82 NULL, 83 NULL 84 }; 85 86 static const DH_METHOD *default_DH_method = &dh_ossl; 87 88 const DH_METHOD *DH_OpenSSL(void) 89 { 90 return &dh_ossl; 91 } 92 93 void DH_set_default_method(const DH_METHOD *meth) 94 { 95 default_DH_method = meth; 96 } 97 98 const DH_METHOD *DH_get_default_method(void) 99 { 100 return default_DH_method; 101 } 102 103 static int generate_key(DH *dh) 104 { 105 int ok = 0; 106 int generate_new_key = 0; 107 unsigned l; 108 BN_CTX *ctx = NULL; 109 BN_MONT_CTX *mont = NULL; 110 BIGNUM *pub_key = NULL, *priv_key = NULL; 111 112 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { 113 DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); 114 return 0; 115 } 116 117 ctx = BN_CTX_new(); 118 if (ctx == NULL) 119 goto err; 120 121 if (dh->priv_key == NULL) { 122 priv_key = BN_secure_new(); 123 if (priv_key == NULL) 124 goto err; 125 generate_new_key = 1; 126 } else 127 priv_key = dh->priv_key; 128 129 if (dh->pub_key == NULL) { 130 pub_key = BN_new(); 131 if (pub_key == NULL) 132 goto err; 133 } else 134 pub_key = dh->pub_key; 135 136 if (dh->flags & DH_FLAG_CACHE_MONT_P) { 137 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, 138 dh->lock, dh->p, ctx); 139 if (!mont) 140 goto err; 141 } 142 143 if (generate_new_key) { 144 if (dh->q) { 145 do { 146 if (!BN_priv_rand_range(priv_key, dh->q)) 147 goto err; 148 } 149 while (BN_is_zero(priv_key) || BN_is_one(priv_key)); 150 } else { 151 /* secret exponent length */ 152 l = dh->length ? dh->length : BN_num_bits(dh->p) - 1; 153 if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) 154 goto err; 155 /* 156 * We handle just one known case where g is a quadratic non-residue: 157 * for g = 2: p % 8 == 3 158 */ 159 if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) { 160 /* clear bit 0, since it won't be a secret anyway */ 161 if (!BN_clear_bit(priv_key, 0)) 162 goto err; 163 } 164 } 165 } 166 167 { 168 BIGNUM *prk = BN_new(); 169 170 if (prk == NULL) 171 goto err; 172 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); 173 174 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) { 175 BN_clear_free(prk); 176 goto err; 177 } 178 /* We MUST free prk before any further use of priv_key */ 179 BN_clear_free(prk); 180 } 181 182 dh->pub_key = pub_key; 183 dh->priv_key = priv_key; 184 ok = 1; 185 err: 186 if (ok != 1) 187 DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB); 188 189 if (pub_key != dh->pub_key) 190 BN_free(pub_key); 191 if (priv_key != dh->priv_key) 192 BN_free(priv_key); 193 BN_CTX_free(ctx); 194 return ok; 195 } 196 197 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) 198 { 199 BN_CTX *ctx = NULL; 200 BN_MONT_CTX *mont = NULL; 201 BIGNUM *tmp; 202 int ret = -1; 203 int check_result; 204 205 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { 206 DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); 207 goto err; 208 } 209 210 ctx = BN_CTX_new(); 211 if (ctx == NULL) 212 goto err; 213 BN_CTX_start(ctx); 214 tmp = BN_CTX_get(ctx); 215 if (tmp == NULL) 216 goto err; 217 218 if (dh->priv_key == NULL) { 219 DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE); 220 goto err; 221 } 222 223 if (dh->flags & DH_FLAG_CACHE_MONT_P) { 224 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, 225 dh->lock, dh->p, ctx); 226 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); 227 if (!mont) 228 goto err; 229 } 230 231 if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) { 232 DHerr(DH_F_COMPUTE_KEY, DH_R_INVALID_PUBKEY); 233 goto err; 234 } 235 236 if (!dh-> 237 meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx, mont)) { 238 DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); 239 goto err; 240 } 241 242 ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); 243 err: 244 BN_CTX_end(ctx); 245 BN_CTX_free(ctx); 246 return ret; 247 } 248 249 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, 250 const BIGNUM *a, const BIGNUM *p, 251 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) 252 { 253 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); 254 } 255 256 static int dh_init(DH *dh) 257 { 258 dh->flags |= DH_FLAG_CACHE_MONT_P; 259 return 1; 260 } 261 262 static int dh_finish(DH *dh) 263 { 264 BN_MONT_CTX_free(dh->method_mont_p); 265 return 1; 266 } 267