1 /*
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * DH low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include "dh_local.h"
19 #include "crypto/bn.h"
20 #include "crypto/dh.h"
21 #include "crypto/security_bits.h"
22
23 #ifdef FIPS_MODULE
24 #define MIN_STRENGTH 112
25 #else
26 #define MIN_STRENGTH 80
27 #endif
28
29 static int generate_key(DH *dh);
30 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
31 const BIGNUM *a, const BIGNUM *p,
32 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
33 static int dh_init(DH *dh);
34 static int dh_finish(DH *dh);
35
36 /*
37 * See SP800-56Ar3 Section 5.7.1.1
38 * Finite Field Cryptography Diffie-Hellman (FFC DH) Primitive
39 */
ossl_dh_compute_key(unsigned char * key,const BIGNUM * pub_key,DH * dh)40 int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
41 {
42 BN_CTX *ctx = NULL;
43 BN_MONT_CTX *mont = NULL;
44 BIGNUM *z = NULL, *pminus1;
45 int ret = -1;
46
47 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
48 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
49 goto err;
50 }
51
52 if (dh->params.q != NULL
53 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
54 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
55 goto err;
56 }
57
58 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
59 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
60 return 0;
61 }
62
63 ctx = BN_CTX_new_ex(dh->libctx);
64 if (ctx == NULL)
65 goto err;
66 BN_CTX_start(ctx);
67 pminus1 = BN_CTX_get(ctx);
68 z = BN_CTX_get(ctx);
69 if (z == NULL)
70 goto err;
71
72 if (dh->priv_key == NULL) {
73 ERR_raise(ERR_LIB_DH, DH_R_NO_PRIVATE_VALUE);
74 goto err;
75 }
76
77 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
78 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
79 dh->lock, dh->params.p, ctx);
80 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
81 if (!mont)
82 goto err;
83 }
84
85 /* (Step 1) Z = pub_key^priv_key mod p */
86 if (!dh->meth->bn_mod_exp(dh, z, pub_key, dh->priv_key, dh->params.p, ctx,
87 mont)) {
88 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
89 goto err;
90 }
91
92 /* (Step 2) Error if z <= 1 or z = p - 1 */
93 if (BN_copy(pminus1, dh->params.p) == NULL
94 || !BN_sub_word(pminus1, 1)
95 || BN_cmp(z, BN_value_one()) <= 0
96 || BN_cmp(z, pminus1) == 0) {
97 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SECRET);
98 goto err;
99 }
100
101 /* return the padded key, i.e. same number of bytes as the modulus */
102 ret = BN_bn2binpad(z, key, BN_num_bytes(dh->params.p));
103 err:
104 BN_clear(z); /* (Step 2) destroy intermediate values */
105 BN_CTX_end(ctx);
106 BN_CTX_free(ctx);
107 return ret;
108 }
109
110 /*-
111 * NB: This function is inherently not constant time due to the
112 * RFC 5246 (8.1.2) padding style that strips leading zero bytes.
113 */
DH_compute_key(unsigned char * key,const BIGNUM * pub_key,DH * dh)114 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
115 {
116 int ret = 0, i;
117 volatile size_t npad = 0, mask = 1;
118
119 /* compute the key; ret is constant unless compute_key is external */
120 #ifdef FIPS_MODULE
121 ret = ossl_dh_compute_key(key, pub_key, dh);
122 #else
123 ret = dh->meth->compute_key(key, pub_key, dh);
124 #endif
125 if (ret <= 0)
126 return ret;
127
128 /* count leading zero bytes, yet still touch all bytes */
129 for (i = 0; i < ret; i++) {
130 mask &= !key[i];
131 npad += mask;
132 }
133
134 /* unpad key */
135 ret -= npad;
136 /* key-dependent memory access, potentially leaking npad / ret */
137 memmove(key, key + npad, ret);
138 /* key-dependent memory access, potentially leaking npad / ret */
139 memset(key + ret, 0, npad);
140
141 return ret;
142 }
143
DH_compute_key_padded(unsigned char * key,const BIGNUM * pub_key,DH * dh)144 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
145 {
146 int rv, pad;
147
148 /* rv is constant unless compute_key is external */
149 #ifdef FIPS_MODULE
150 rv = ossl_dh_compute_key(key, pub_key, dh);
151 #else
152 rv = dh->meth->compute_key(key, pub_key, dh);
153 #endif
154 if (rv <= 0)
155 return rv;
156 pad = BN_num_bytes(dh->params.p) - rv;
157 /* pad is constant (zero) unless compute_key is external */
158 if (pad > 0) {
159 memmove(key + pad, key, rv);
160 memset(key, 0, pad);
161 }
162 return rv + pad;
163 }
164
165 static DH_METHOD dh_ossl = {
166 "OpenSSL DH Method",
167 generate_key,
168 ossl_dh_compute_key,
169 dh_bn_mod_exp,
170 dh_init,
171 dh_finish,
172 DH_FLAG_FIPS_METHOD,
173 NULL,
174 NULL
175 };
176
177 static const DH_METHOD *default_DH_method = &dh_ossl;
178
DH_OpenSSL(void)179 const DH_METHOD *DH_OpenSSL(void)
180 {
181 return &dh_ossl;
182 }
183
DH_get_default_method(void)184 const DH_METHOD *DH_get_default_method(void)
185 {
186 return default_DH_method;
187 }
188
dh_bn_mod_exp(const DH * dh,BIGNUM * r,const BIGNUM * a,const BIGNUM * p,const BIGNUM * m,BN_CTX * ctx,BN_MONT_CTX * m_ctx)189 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
190 const BIGNUM *a, const BIGNUM *p,
191 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
192 {
193 #ifdef S390X_MOD_EXP
194 return s390x_mod_exp(r, a, p, m, ctx, m_ctx);
195 #else
196 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
197 #endif
198 }
199
dh_init(DH * dh)200 static int dh_init(DH *dh)
201 {
202 dh->flags |= DH_FLAG_CACHE_MONT_P;
203 dh->dirty_cnt++;
204 return 1;
205 }
206
dh_finish(DH * dh)207 static int dh_finish(DH *dh)
208 {
209 BN_MONT_CTX_free(dh->method_mont_p);
210 return 1;
211 }
212
213 #ifndef FIPS_MODULE
DH_set_default_method(const DH_METHOD * meth)214 void DH_set_default_method(const DH_METHOD *meth)
215 {
216 default_DH_method = meth;
217 }
218 #endif /* FIPS_MODULE */
219
DH_generate_key(DH * dh)220 int DH_generate_key(DH *dh)
221 {
222 #ifdef FIPS_MODULE
223 return generate_key(dh);
224 #else
225 return dh->meth->generate_key(dh);
226 #endif
227 }
228
ossl_dh_generate_public_key(BN_CTX * ctx,const DH * dh,const BIGNUM * priv_key,BIGNUM * pub_key)229 int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh,
230 const BIGNUM *priv_key, BIGNUM *pub_key)
231 {
232 int ret = 0;
233 BIGNUM *prk = BN_new();
234 BN_MONT_CTX *mont = NULL;
235
236 if (prk == NULL)
237 return 0;
238
239 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
240 /*
241 * We take the input DH as const, but we lie, because in some cases we
242 * want to get a hold of its Montgomery context.
243 *
244 * We cast to remove the const qualifier in this case, it should be
245 * fine...
246 */
247 BN_MONT_CTX **pmont = (BN_MONT_CTX **)&dh->method_mont_p;
248
249 mont = BN_MONT_CTX_set_locked(pmont, dh->lock, dh->params.p, ctx);
250 if (mont == NULL)
251 goto err;
252 }
253 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
254
255 /* pub_key = g^priv_key mod p */
256 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
257 ctx, mont))
258 goto err;
259 ret = 1;
260 err:
261 BN_clear_free(prk);
262 return ret;
263 }
264
generate_key(DH * dh)265 static int generate_key(DH *dh)
266 {
267 int ok = 0;
268 int generate_new_key = 0;
269 #ifndef FIPS_MODULE
270 int l;
271 #endif
272 BN_CTX *ctx = NULL;
273 BIGNUM *pub_key = NULL, *priv_key = NULL;
274
275 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
276 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
277 return 0;
278 }
279
280 if (dh->params.q != NULL
281 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
282 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
283 return 0;
284 }
285
286 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
287 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
288 return 0;
289 }
290
291 ctx = BN_CTX_new_ex(dh->libctx);
292 if (ctx == NULL)
293 goto err;
294
295 if (dh->priv_key == NULL) {
296 priv_key = BN_secure_new();
297 if (priv_key == NULL)
298 goto err;
299 generate_new_key = 1;
300 } else {
301 priv_key = dh->priv_key;
302 }
303
304 if (dh->pub_key == NULL) {
305 pub_key = BN_new();
306 if (pub_key == NULL)
307 goto err;
308 } else {
309 pub_key = dh->pub_key;
310 }
311 if (generate_new_key) {
312 /* Is it an approved safe prime ?*/
313 if (DH_get_nid(dh) != NID_undef) {
314 int max_strength = ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));
315
316 if (dh->params.q == NULL
317 || dh->length > BN_num_bits(dh->params.q))
318 goto err;
319 /* dh->length = maximum bit length of generated private key */
320 if (!ossl_ffc_generate_private_key(ctx, &dh->params, dh->length,
321 max_strength, priv_key))
322 goto err;
323 } else {
324 #ifdef FIPS_MODULE
325 if (dh->params.q == NULL)
326 goto err;
327 #else
328 if (dh->params.q == NULL) {
329 /* secret exponent length, must satisfy 2^l < (p-1)/2 */
330 l = BN_num_bits(dh->params.p);
331 if (dh->length >= l)
332 goto err;
333 l -= 2;
334 if (dh->length != 0 && dh->length < l)
335 l = dh->length;
336 if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
337 BN_RAND_BOTTOM_ANY, 0, ctx))
338 goto err;
339 /*
340 * We handle just one known case where g is a quadratic non-residue:
341 * for g = 2: p % 8 == 3
342 */
343 if (BN_is_word(dh->params.g, DH_GENERATOR_2)
344 && !BN_is_bit_set(dh->params.p, 2)) {
345 /* clear bit 0, since it won't be a secret anyway */
346 if (!BN_clear_bit(priv_key, 0))
347 goto err;
348 }
349 } else
350 #endif
351 {
352 /* Do a partial check for invalid p, q, g */
353 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
354 FFC_PARAM_TYPE_DH, NULL))
355 goto err;
356 /*
357 * For FFC FIPS 186-4 keygen
358 * security strength s = 112,
359 * Max Private key size N = len(q)
360 */
361 if (!ossl_ffc_generate_private_key(ctx, &dh->params,
362 BN_num_bits(dh->params.q),
363 MIN_STRENGTH,
364 priv_key))
365 goto err;
366 }
367 }
368 }
369
370 if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
371 goto err;
372
373 dh->pub_key = pub_key;
374 dh->priv_key = priv_key;
375 dh->dirty_cnt++;
376 ok = 1;
377 err:
378 if (ok != 1)
379 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
380
381 if (pub_key != dh->pub_key)
382 BN_free(pub_key);
383 if (priv_key != dh->priv_key)
384 BN_free(priv_key);
385 BN_CTX_free(ctx);
386 return ok;
387 }
388
ossl_dh_buf2key(DH * dh,const unsigned char * buf,size_t len)389 int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
390 {
391 int err_reason = DH_R_BN_ERROR;
392 BIGNUM *pubkey = NULL;
393 const BIGNUM *p;
394 int ret;
395
396 if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
397 goto err;
398 DH_get0_pqg(dh, &p, NULL, NULL);
399 if (p == NULL || BN_num_bytes(p) == 0) {
400 err_reason = DH_R_NO_PARAMETERS_SET;
401 goto err;
402 }
403 /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
404 if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
405 err_reason = DH_R_INVALID_PUBKEY;
406 goto err;
407 }
408 if (DH_set0_key(dh, pubkey, NULL) != 1)
409 goto err;
410 return 1;
411 err:
412 ERR_raise(ERR_LIB_DH, err_reason);
413 BN_free(pubkey);
414 return 0;
415 }
416
ossl_dh_key2buf(const DH * dh,unsigned char ** pbuf_out,size_t size,int alloc)417 size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size,
418 int alloc)
419 {
420 const BIGNUM *pubkey;
421 unsigned char *pbuf = NULL;
422 const BIGNUM *p;
423 int p_size;
424
425 DH_get0_pqg(dh, &p, NULL, NULL);
426 DH_get0_key(dh, &pubkey, NULL);
427 if (p == NULL || pubkey == NULL
428 || (p_size = BN_num_bytes(p)) == 0
429 || BN_num_bytes(pubkey) == 0) {
430 ERR_raise(ERR_LIB_DH, DH_R_INVALID_PUBKEY);
431 return 0;
432 }
433 if (pbuf_out != NULL && (alloc || *pbuf_out != NULL)) {
434 if (!alloc) {
435 if (size >= (size_t)p_size)
436 pbuf = *pbuf_out;
437 if (pbuf == NULL)
438 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SIZE);
439 } else {
440 pbuf = OPENSSL_malloc(p_size);
441 }
442
443 /* Errors raised above */
444 if (pbuf == NULL)
445 return 0;
446 /*
447 * As per Section 4.2.8.1 of RFC 8446 left pad public
448 * key with zeros to the size of p
449 */
450 if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
451 if (alloc)
452 OPENSSL_free(pbuf);
453 ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR);
454 return 0;
455 }
456 *pbuf_out = pbuf;
457 }
458 return p_size;
459 }
460