1 /*
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * DH low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <stdio.h>
17 #include "internal/cryptlib.h"
18 #include "dh_local.h"
19 #include "crypto/bn.h"
20 #include "crypto/dh.h"
21 #include "crypto/security_bits.h"
22
23 #ifdef FIPS_MODULE
24 # define MIN_STRENGTH 112
25 #else
26 # define MIN_STRENGTH 80
27 #endif
28
29 static int generate_key(DH *dh);
30 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
31 const BIGNUM *a, const BIGNUM *p,
32 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
33 static int dh_init(DH *dh);
34 static int dh_finish(DH *dh);
35
36 /*
37 * See SP800-56Ar3 Section 5.7.1.1
38 * Finite Field Cryptography Diffie-Hellman (FFC DH) Primitive
39 */
ossl_dh_compute_key(unsigned char * key,const BIGNUM * pub_key,DH * dh)40 int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
41 {
42 BN_CTX *ctx = NULL;
43 BN_MONT_CTX *mont = NULL;
44 BIGNUM *z = NULL, *pminus1;
45 int ret = -1;
46
47 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
48 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
49 goto err;
50 }
51
52 if (dh->params.q != NULL
53 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
54 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
55 goto err;
56 }
57
58 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
59 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
60 return 0;
61 }
62
63 ctx = BN_CTX_new_ex(dh->libctx);
64 if (ctx == NULL)
65 goto err;
66 BN_CTX_start(ctx);
67 pminus1 = BN_CTX_get(ctx);
68 z = BN_CTX_get(ctx);
69 if (z == NULL)
70 goto err;
71
72 if (dh->priv_key == NULL) {
73 ERR_raise(ERR_LIB_DH, DH_R_NO_PRIVATE_VALUE);
74 goto err;
75 }
76
77 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
78 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
79 dh->lock, dh->params.p, ctx);
80 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
81 if (!mont)
82 goto err;
83 }
84
85 /* (Step 1) Z = pub_key^priv_key mod p */
86 if (!dh->meth->bn_mod_exp(dh, z, pub_key, dh->priv_key, dh->params.p, ctx,
87 mont)) {
88 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
89 goto err;
90 }
91
92 /* (Step 2) Error if z <= 1 or z = p - 1 */
93 if (BN_copy(pminus1, dh->params.p) == NULL
94 || !BN_sub_word(pminus1, 1)
95 || BN_cmp(z, BN_value_one()) <= 0
96 || BN_cmp(z, pminus1) == 0) {
97 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SECRET);
98 goto err;
99 }
100
101 /* return the padded key, i.e. same number of bytes as the modulus */
102 ret = BN_bn2binpad(z, key, BN_num_bytes(dh->params.p));
103 err:
104 BN_clear(z); /* (Step 2) destroy intermediate values */
105 BN_CTX_end(ctx);
106 BN_CTX_free(ctx);
107 return ret;
108 }
109
110 /*-
111 * NB: This function is inherently not constant time due to the
112 * RFC 5246 (8.1.2) padding style that strips leading zero bytes.
113 */
DH_compute_key(unsigned char * key,const BIGNUM * pub_key,DH * dh)114 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
115 {
116 int ret = 0, i;
117 volatile size_t npad = 0, mask = 1;
118
119 /* compute the key; ret is constant unless compute_key is external */
120 #ifdef FIPS_MODULE
121 ret = ossl_dh_compute_key(key, pub_key, dh);
122 #else
123 ret = dh->meth->compute_key(key, pub_key, dh);
124 #endif
125 if (ret <= 0)
126 return ret;
127
128 /* count leading zero bytes, yet still touch all bytes */
129 for (i = 0; i < ret; i++) {
130 mask &= !key[i];
131 npad += mask;
132 }
133
134 /* unpad key */
135 ret -= npad;
136 /* key-dependent memory access, potentially leaking npad / ret */
137 memmove(key, key + npad, ret);
138 /* key-dependent memory access, potentially leaking npad / ret */
139 memset(key + ret, 0, npad);
140
141 return ret;
142 }
143
DH_compute_key_padded(unsigned char * key,const BIGNUM * pub_key,DH * dh)144 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
145 {
146 int rv, pad;
147
148 /* rv is constant unless compute_key is external */
149 #ifdef FIPS_MODULE
150 rv = ossl_dh_compute_key(key, pub_key, dh);
151 #else
152 rv = dh->meth->compute_key(key, pub_key, dh);
153 #endif
154 if (rv <= 0)
155 return rv;
156 pad = BN_num_bytes(dh->params.p) - rv;
157 /* pad is constant (zero) unless compute_key is external */
158 if (pad > 0) {
159 memmove(key + pad, key, rv);
160 memset(key, 0, pad);
161 }
162 return rv + pad;
163 }
164
165 static DH_METHOD dh_ossl = {
166 "OpenSSL DH Method",
167 generate_key,
168 ossl_dh_compute_key,
169 dh_bn_mod_exp,
170 dh_init,
171 dh_finish,
172 DH_FLAG_FIPS_METHOD,
173 NULL,
174 NULL
175 };
176
177 static const DH_METHOD *default_DH_method = &dh_ossl;
178
DH_OpenSSL(void)179 const DH_METHOD *DH_OpenSSL(void)
180 {
181 return &dh_ossl;
182 }
183
DH_get_default_method(void)184 const DH_METHOD *DH_get_default_method(void)
185 {
186 return default_DH_method;
187 }
188
dh_bn_mod_exp(const DH * dh,BIGNUM * r,const BIGNUM * a,const BIGNUM * p,const BIGNUM * m,BN_CTX * ctx,BN_MONT_CTX * m_ctx)189 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
190 const BIGNUM *a, const BIGNUM *p,
191 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
192 {
193 #ifdef S390X_MOD_EXP
194 return s390x_mod_exp(r, a, p, m, ctx, m_ctx);
195 #else
196 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
197 #endif
198 }
199
dh_init(DH * dh)200 static int dh_init(DH *dh)
201 {
202 dh->flags |= DH_FLAG_CACHE_MONT_P;
203 dh->dirty_cnt++;
204 return 1;
205 }
206
dh_finish(DH * dh)207 static int dh_finish(DH *dh)
208 {
209 BN_MONT_CTX_free(dh->method_mont_p);
210 return 1;
211 }
212
213 #ifndef FIPS_MODULE
DH_set_default_method(const DH_METHOD * meth)214 void DH_set_default_method(const DH_METHOD *meth)
215 {
216 default_DH_method = meth;
217 }
218 #endif /* FIPS_MODULE */
219
DH_generate_key(DH * dh)220 int DH_generate_key(DH *dh)
221 {
222 #ifdef FIPS_MODULE
223 return generate_key(dh);
224 #else
225 return dh->meth->generate_key(dh);
226 #endif
227 }
228
ossl_dh_generate_public_key(BN_CTX * ctx,const DH * dh,const BIGNUM * priv_key,BIGNUM * pub_key)229 int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh,
230 const BIGNUM *priv_key, BIGNUM *pub_key)
231 {
232 int ret = 0;
233 BIGNUM *prk = BN_new();
234 BN_MONT_CTX *mont = NULL;
235
236 if (prk == NULL)
237 return 0;
238
239 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
240 /*
241 * We take the input DH as const, but we lie, because in some cases we
242 * want to get a hold of its Montgomery context.
243 *
244 * We cast to remove the const qualifier in this case, it should be
245 * fine...
246 */
247 BN_MONT_CTX **pmont = (BN_MONT_CTX **)&dh->method_mont_p;
248
249 mont = BN_MONT_CTX_set_locked(pmont, dh->lock, dh->params.p, ctx);
250 if (mont == NULL)
251 goto err;
252 }
253 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
254
255 /* pub_key = g^priv_key mod p */
256 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
257 ctx, mont))
258 goto err;
259 ret = 1;
260 err:
261 BN_clear_free(prk);
262 return ret;
263 }
264
generate_key(DH * dh)265 static int generate_key(DH *dh)
266 {
267 int ok = 0;
268 int generate_new_key = 0;
269 #ifndef FIPS_MODULE
270 int l;
271 #endif
272 BN_CTX *ctx = NULL;
273 BIGNUM *pub_key = NULL, *priv_key = NULL;
274
275 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
276 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
277 return 0;
278 }
279
280 if (dh->params.q != NULL
281 && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
282 ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
283 return 0;
284 }
285
286 if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
287 ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
288 return 0;
289 }
290
291 ctx = BN_CTX_new_ex(dh->libctx);
292 if (ctx == NULL)
293 goto err;
294
295 if (dh->priv_key == NULL) {
296 priv_key = BN_secure_new();
297 if (priv_key == NULL)
298 goto err;
299 generate_new_key = 1;
300 } else {
301 priv_key = dh->priv_key;
302 }
303
304 if (dh->pub_key == NULL) {
305 pub_key = BN_new();
306 if (pub_key == NULL)
307 goto err;
308 } else {
309 pub_key = dh->pub_key;
310 }
311 if (generate_new_key) {
312 /* Is it an approved safe prime ?*/
313 if (DH_get_nid(dh) != NID_undef) {
314 int max_strength =
315 ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));
316
317 if (dh->params.q == NULL
318 || dh->length > BN_num_bits(dh->params.q))
319 goto err;
320 /* dh->length = maximum bit length of generated private key */
321 if (!ossl_ffc_generate_private_key(ctx, &dh->params, dh->length,
322 max_strength, priv_key))
323 goto err;
324 } else {
325 #ifdef FIPS_MODULE
326 if (dh->params.q == NULL)
327 goto err;
328 #else
329 if (dh->params.q == NULL) {
330 /* secret exponent length, must satisfy 2^l < (p-1)/2 */
331 l = BN_num_bits(dh->params.p);
332 if (dh->length >= l)
333 goto err;
334 l -= 2;
335 if (dh->length != 0 && dh->length < l)
336 l = dh->length;
337 if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
338 BN_RAND_BOTTOM_ANY, 0, ctx))
339 goto err;
340 /*
341 * We handle just one known case where g is a quadratic non-residue:
342 * for g = 2: p % 8 == 3
343 */
344 if (BN_is_word(dh->params.g, DH_GENERATOR_2)
345 && !BN_is_bit_set(dh->params.p, 2)) {
346 /* clear bit 0, since it won't be a secret anyway */
347 if (!BN_clear_bit(priv_key, 0))
348 goto err;
349 }
350 } else
351 #endif
352 {
353 /* Do a partial check for invalid p, q, g */
354 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
355 FFC_PARAM_TYPE_DH, NULL))
356 goto err;
357 /*
358 * For FFC FIPS 186-4 keygen
359 * security strength s = 112,
360 * Max Private key size N = len(q)
361 */
362 if (!ossl_ffc_generate_private_key(ctx, &dh->params,
363 BN_num_bits(dh->params.q),
364 MIN_STRENGTH,
365 priv_key))
366 goto err;
367 }
368 }
369 }
370
371 if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
372 goto err;
373
374 dh->pub_key = pub_key;
375 dh->priv_key = priv_key;
376 dh->dirty_cnt++;
377 ok = 1;
378 err:
379 if (ok != 1)
380 ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB);
381
382 if (pub_key != dh->pub_key)
383 BN_free(pub_key);
384 if (priv_key != dh->priv_key)
385 BN_free(priv_key);
386 BN_CTX_free(ctx);
387 return ok;
388 }
389
ossl_dh_buf2key(DH * dh,const unsigned char * buf,size_t len)390 int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
391 {
392 int err_reason = DH_R_BN_ERROR;
393 BIGNUM *pubkey = NULL;
394 const BIGNUM *p;
395 int ret;
396
397 if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
398 goto err;
399 DH_get0_pqg(dh, &p, NULL, NULL);
400 if (p == NULL || BN_num_bytes(p) == 0) {
401 err_reason = DH_R_NO_PARAMETERS_SET;
402 goto err;
403 }
404 /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
405 if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
406 err_reason = DH_R_INVALID_PUBKEY;
407 goto err;
408 }
409 if (DH_set0_key(dh, pubkey, NULL) != 1)
410 goto err;
411 return 1;
412 err:
413 ERR_raise(ERR_LIB_DH, err_reason);
414 BN_free(pubkey);
415 return 0;
416 }
417
ossl_dh_key2buf(const DH * dh,unsigned char ** pbuf_out,size_t size,int alloc)418 size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size,
419 int alloc)
420 {
421 const BIGNUM *pubkey;
422 unsigned char *pbuf = NULL;
423 const BIGNUM *p;
424 int p_size;
425
426 DH_get0_pqg(dh, &p, NULL, NULL);
427 DH_get0_key(dh, &pubkey, NULL);
428 if (p == NULL || pubkey == NULL
429 || (p_size = BN_num_bytes(p)) == 0
430 || BN_num_bytes(pubkey) == 0) {
431 ERR_raise(ERR_LIB_DH, DH_R_INVALID_PUBKEY);
432 return 0;
433 }
434 if (pbuf_out != NULL && (alloc || *pbuf_out != NULL)) {
435 if (!alloc) {
436 if (size >= (size_t)p_size)
437 pbuf = *pbuf_out;
438 if (pbuf == NULL)
439 ERR_raise(ERR_LIB_DH, DH_R_INVALID_SIZE);
440 } else {
441 pbuf = OPENSSL_malloc(p_size);
442 }
443
444 /* Errors raised above */
445 if (pbuf == NULL)
446 return 0;
447 /*
448 * As per Section 4.2.8.1 of RFC 8446 left pad public
449 * key with zeros to the size of p
450 */
451 if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
452 if (alloc)
453 OPENSSL_free(pbuf);
454 ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR);
455 return 0;
456 }
457 *pbuf_out = pbuf;
458 }
459 return p_size;
460 }
461