VirtualBox

source: vbox/trunk/src/libs/openssl-1.1.1h/crypto/dh/dh_key.c@ 86719

Last change on this file since 86719 was 86560, checked in by vboxsync, 4 years ago

openssl-1.1.1h: Applied our OpenSSL changes to 1.1.1h. Didn't check te build. bugref:9847
File size: 5.8 KB
Line 
1/*
2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "internal/cryptlib.h"
12#include "dh_local.h"
13#include "crypto/bn.h"
14
15static int generate_key(DH *dh);
16static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
17static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
18 const BIGNUM *a, const BIGNUM *p,
19 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
20static int dh_init(DH *dh);
21static int dh_finish(DH *dh);
22
23int DH_generate_key(DH *dh)
24{
25 return dh->meth->generate_key(dh);
26}
27
28int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
29{
30 return dh->meth->compute_key(key, pub_key, dh);
31}
32
33int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
34{
35 int rv, pad;
36 rv = dh->meth->compute_key(key, pub_key, dh);
37 if (rv <= 0)
38 return rv;
39 pad = BN_num_bytes(dh->p) - rv;
40 if (pad > 0) {
41 memmove(key + pad, key, rv);
42 memset(key, 0, pad);
43 }
44 return rv + pad;
45}
46
47static DH_METHOD dh_ossl = {
48 "OpenSSL DH Method",
49 generate_key,
50 compute_key,
51 dh_bn_mod_exp,
52 dh_init,
53 dh_finish,
54 DH_FLAG_FIPS_METHOD,
55 NULL,
56 NULL
57};
58
59static const DH_METHOD *default_DH_method = &dh_ossl;
60
61const DH_METHOD *DH_OpenSSL(void)
62{
63 return &dh_ossl;
64}
65
66void DH_set_default_method(const DH_METHOD *meth)
67{
68 default_DH_method = meth;
69}
70
71const DH_METHOD *DH_get_default_method(void)
72{
73 return default_DH_method;
74}
75
76static int generate_key(DH *dh)
77{
78 int ok = 0;
79 int generate_new_key = 0;
80 unsigned l;
81 BN_CTX *ctx = NULL;
82 BN_MONT_CTX *mont = NULL;
83 BIGNUM *pub_key = NULL, *priv_key = NULL;
84
85 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
86 DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
87 return 0;
88 }
89
90 ctx = BN_CTX_new();
91 if (ctx == NULL)
92 goto err;
93
94 if (dh->priv_key == NULL) {
95 priv_key = BN_secure_new();
96 if (priv_key == NULL)
97 goto err;
98 generate_new_key = 1;
99 } else
100 priv_key = dh->priv_key;
101
102 if (dh->pub_key == NULL) {
103 pub_key = BN_new();
104 if (pub_key == NULL)
105 goto err;
106 } else
107 pub_key = dh->pub_key;
108
109 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
110 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
111 dh->lock, dh->p, ctx);
112 if (!mont)
113 goto err;
114 }
115
116 if (generate_new_key) {
117 if (dh->q) {
118 do {
119 if (!BN_priv_rand_range(priv_key, dh->q))
120 goto err;
121 }
122 while (BN_is_zero(priv_key) || BN_is_one(priv_key));
123 } else {
124 /* secret exponent length */
125 l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
126 if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
127 goto err;
128 /*
129 * We handle just one known case where g is a quadratic non-residue:
130 * for g = 2: p % 8 == 3
131 */
132 if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) {
133 /* clear bit 0, since it won't be a secret anyway */
134 if (!BN_clear_bit(priv_key, 0))
135 goto err;
136 }
137 }
138 }
139
140 {
141 BIGNUM *prk = BN_new();
142
143 if (prk == NULL)
144 goto err;
145 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
146
147 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
148 BN_clear_free(prk);
149 goto err;
150 }
151 /* We MUST free prk before any further use of priv_key */
152 BN_clear_free(prk);
153 }
154
155 dh->pub_key = pub_key;
156 dh->priv_key = priv_key;
157 ok = 1;
158 err:
159 if (ok != 1)
160 DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
161
162 if (pub_key != dh->pub_key)
163 BN_free(pub_key);
164 if (priv_key != dh->priv_key)
165 BN_free(priv_key);
166 BN_CTX_free(ctx);
167 return ok;
168}
169
170static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
171{
172 BN_CTX *ctx = NULL;
173 BN_MONT_CTX *mont = NULL;
174 BIGNUM *tmp;
175 int ret = -1;
176 int check_result;
177
178 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
179 DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
180 goto err;
181 }
182
183 ctx = BN_CTX_new();
184 if (ctx == NULL)
185 goto err;
186 BN_CTX_start(ctx);
187 tmp = BN_CTX_get(ctx);
188 if (tmp == NULL)
189 goto err;
190
191 if (dh->priv_key == NULL) {
192 DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);
193 goto err;
194 }
195
196 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
197 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
198 dh->lock, dh->p, ctx);
199 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
200 if (!mont)
201 goto err;
202 }
203
204 if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) {
205 DHerr(DH_F_COMPUTE_KEY, DH_R_INVALID_PUBKEY);
206 goto err;
207 }
208
209 if (!dh->
210 meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx, mont)) {
211 DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
212 goto err;
213 }
214
215 ret = BN_bn2bin(tmp, key);
216 err:
217 BN_CTX_end(ctx);
218 BN_CTX_free(ctx);
219 return ret;
220}
221
222static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
223 const BIGNUM *a, const BIGNUM *p,
224 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
225{
226 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
227}
228
229static int dh_init(DH *dh)
230{
231 dh->flags |= DH_FLAG_CACHE_MONT_P;
232 return 1;
233}
234
235static int dh_finish(DH *dh)
236{
237 BN_MONT_CTX_free(dh->method_mont_p);
238 return 1;
239}
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette