Avoid weak subgroups in Diffie Hellman.
authorBen Laurie <ben@openssl.org>
Sat, 20 Aug 2005 18:35:53 +0000 (18:35 +0000)
committerBen Laurie <ben@openssl.org>
Sat, 20 Aug 2005 18:35:53 +0000 (18:35 +0000)
CHANGES
crypto/asn1/asn1.h
crypto/asn1/asn1_err.c
crypto/bn/Makefile
crypto/bn/bn.h
crypto/bn/bn_const.c [new file with mode: 0755]
crypto/dh/dh.h
crypto/dh/dh_check.c
crypto/dh/dh_err.c
crypto/dh/dh_key.c

diff --git a/CHANGES b/CHANGES
index aec00a9c617ac86e4982fc477b2659609e4bd191..95e47d9b84b64e263e89de5b15dfda4565cfab70 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8 and 0.9.8a  [XX xxx XXXX]
 
+  *) Avoid small subgroup attacks in Diffie-Hellman.
+     [Nick Matthewson and Ben Laurie]
+
   *) Extended Windows CE support.
      [Satoshi Nakamura and Andy Polyakov]
 
index dadcae8bd7262e1fb3cca8ecf29d1dd418dfe717..2819678c2ccc4d7f704d6fad3398382a8c064e21 100644 (file)
@@ -1058,6 +1058,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_MBSTRING_NCOPY                      122
 #define ASN1_F_ASN1_OBJECT_NEW                          123
 #define ASN1_F_ASN1_PACK_STRING                                 124
+#define ASN1_F_ASN1_PCTX_NEW                            205
 #define ASN1_F_ASN1_PKCS5_PBE_SET                       125
 #define ASN1_F_ASN1_SEQ_PACK                            126
 #define ASN1_F_ASN1_SEQ_UNPACK                          127
index b9df21c5fea98c59dbe5dbfa776a603734a5dd46..bef2519e65a6371062baa77804f684f23c166924 100644 (file)
@@ -111,6 +111,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY), "ASN1_mbstring_ncopy"},
 {ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW),     "ASN1_OBJECT_new"},
 {ERR_FUNC(ASN1_F_ASN1_PACK_STRING),    "ASN1_pack_string"},
+{ERR_FUNC(ASN1_F_ASN1_PCTX_NEW),       "ASN1_PCTX_NEW"},
 {ERR_FUNC(ASN1_F_ASN1_PKCS5_PBE_SET),  "ASN1_PKCS5_PBE_SET"},
 {ERR_FUNC(ASN1_F_ASN1_SEQ_PACK),       "ASN1_seq_pack"},
 {ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK),     "ASN1_seq_unpack"},
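Review bot: The new string `"ASN1_PCTX_NEW"` on the added line departs from the convention of its neighbours, which spell the real C function name in its real case (`"ASN1_pack_string"`, `"ASN1_seq_pack"`); unless the function is genuinely upper-case, it should be the function's actual name, since these strings end up in user-visible error output. The ASN1 error-code additions here and in crypto/asn1/asn1.h are also unrelated to the Diffie-Hellman change the commit describes and would be easier to track as a separate commit.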
index 4afb6a393c962d9a7053649e63b09e013e92ec88..ab9c494913146b5271e1d586adcd65d7183b44f6 100644 (file)
@@ -28,13 +28,13 @@ LIBSRC=     bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
        bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
        bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
        bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
-       bn_depr.c
+       bn_depr.c bn_const.c
 
 LIBOBJ=        bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
        bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
        bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
        bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
-       bn_depr.o
+       bn_depr.o bn_const.o
 
 SRC= $(LIBSRC)
 
index 670584ad74a7cbe683c0df7d8045dad624ae0722..b990ff2b5d50034ab0eeb3825a6ac60cdc75392c 100644 (file)
@@ -732,6 +732,18 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
 BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
 BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
 
+/* Primes from RFC 2409 */
+int get_rfc2409_prime_768(BIGNUM **bn);
+int get_rfc2409_prime_1024(BIGNUM **bn);
+
+/* Primes from RFC 3526 */
+int get_rfc3526_prime_1536(BIGNUM **bn);
+int get_rfc3526_prime_2048(BIGNUM **bn);
+int get_rfc3526_prime_3072(BIGNUM **bn);
+int get_rfc3526_prime_4096(BIGNUM **bn);
+int get_rfc3526_prime_6144(BIGNUM **bn);
+int get_rfc3526_prime_8192(BIGNUM **bn);
+
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
 
 /* BEGIN ERROR CODES */
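Review bot: The eight new prototypes carry no documentation, and their names lack the `BN_` prefix that every other exported symbol in this public header uses, so they land in the global namespace as bare `get_*` functions; `BN_get_rfc2409_prime_768` and friends would be consistent, or at minimum the contract should be stated. I would add above the first declaration: `/* Each returns the well-known MODP prime in *bn (allocating it when *bn is NULL, as BN_hex2bn does); the return value is BN_hex2bn's, non-zero on success and 0 on failure. */`. Ownership of the resulting BIGNUM (the caller frees it) should be spelled out too, since the `BIGNUM **` out-parameter only implies it.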
diff --git a/crypto/bn/bn_const.c b/crypto/bn/bn_const.c
new file mode 100755 (executable)
index 0000000..2953195
--- /dev/null
@@ -0,0 +1,249 @@
+/* crypto/bn/knownprimes.c */
+/* Insert boilerplate */
+
+#include "bn.h"
+
+/* "First Oakley Default Group" from RFC2409, section 6.1.
+ *
+ * The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
+ *
+ * RFC2409 specifies a generator of 2.
+ * RFC2412 specifies a generator of of 22.
+ */
+static const char RFC2409_PRIME_768[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+       "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF";
+
+/* "Second Oakley Default Group" from RFC2409, section 6.2.
+ *
+ * The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
+ *
+ * RFC2409 specifies a generator of 2.
+ * RFC2412 specifies a generator of 22.
+ */
+static const char RFC2409_PRIME_1024[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
+       "FFFFFFFFFFFFFFFF";
+
+/* "1536-bit MODP Group" from RFC3526, Section 2.
+ *
+ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
+ *
+ * RFC3526 specifies a generator of 2.
+ * RFC2312 specifies a generator of 22.
+ */
+static const char RFC3526_PRIME_1536[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+       "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+       "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+       "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+       "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF";
+
+/* "2048-bit MODP Group" from RFC3526, Section 3.
+ *
+ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+static const char RFC3526_PRIME_2048[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+       "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+       "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+       "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+       "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+       "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+       "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+       "15728E5A8AACAA68FFFFFFFFFFFFFFFF";
+
+/* "3072-bit MODP Group" from RFC3526, Section 4.
+ *
+ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+static const char RFC3526_PRIME_3072[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+       "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+       "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+       "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+       "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+       "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+       "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+       "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+       "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+       "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+       "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+       "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+       "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF";
+
+/* "4096-bit MODP Group" from RFC3526, Section 5.
+ *
+ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+static const char RFC3526_PRIME_4096[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+       "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+       "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+       "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+       "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+       "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+       "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+       "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+       "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+       "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+       "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+       "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+       "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"
+       "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"
+       "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"
+       "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"
+       "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"
+       "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"
+       "FFFFFFFFFFFFFFFF";
+
+/* "6144-bit MODP Group" from RFC3526, Section 6.
+ *
+ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+static const char RFC3526_PRIME_6144[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
+       "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
+       "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
+       "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
+       "49286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8"
+       "FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+       "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C"
+       "180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
+       "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D"
+       "04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7D"
+       "B3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D226"
+       "1AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+       "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFC"
+       "E0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B26"
+       "99C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB"
+       "04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2"
+       "233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127"
+       "D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492"
+       "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406"
+       "AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918"
+       "DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B33205151"
+       "2BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03"
+       "F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97F"
+       "BEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA"
+       "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58B"
+       "B7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632"
+       "387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E"
+       "6DCC4024FFFFFFFFFFFFFFFF";
+
+/* "8192-bit MODP Group" from RFC3526, Section 7.
+ *
+ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+static const char RFC3526_PRIME_8192[] =
+       "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+       "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+       "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+       "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+       "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+       "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+       "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+       "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+       "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+       "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+       "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+       "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+       "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+       "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+       "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+       "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"
+       "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"
+       "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"
+       "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"
+       "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"
+       "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492"
+       "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BD"
+       "F8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831"
+       "179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B"
+       "DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF"
+       "5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6"
+       "D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F3"
+       "23A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA"
+       "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE328"
+       "06A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55C"
+       "DA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE"
+       "12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E4"
+       "38777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300"
+       "741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F568"
+       "3423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD9"
+       "22222E04A4037C0713EB57A81A23F0C73473FC646CEA306B"
+       "4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A"
+       "062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A36"
+       "4597E899A0255DC164F31CC50846851DF9AB48195DED7EA1"
+       "B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F92"
+       "4009438B481C6CD7889A002ED5EE382BC9190DA6FC026E47"
+       "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71"
+       "60C980DD98EDD3DFFFFFFFFFFFFFFFFF";
+
+int get_rfc2409_prime_768(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC2409_PRIME_768);
+       }
+
+int get_rfc2409_prime_1024(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC2409_PRIME_1024);
+       }
+
+int get_rfc3526_prime_1536(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC3526_PRIME_1536);
+       }
+
+int get_rfc3526_prime_2048(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC3526_PRIME_2048);
+       }
+
+int get_rfc3526_prime_3072(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC3526_PRIME_3072);
+       }
+
+int get_rfc3526_prime_4096(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC3526_PRIME_4096);
+       }
+
+int get_rfc3526_prime_6144(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC3526_PRIME_6144);
+       }
+
+int get_rfc3526_prime_8192(BIGNUM **bn)
+       {
+       return BN_hex2bn(bn,RFC3526_PRIME_8192);
+       }
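Review bot: The header comment on the first line names `crypto/bn/knownprimes.c` while the file is `crypto/bn/bn_const.c`, and the second line is a literal `/* Insert boilerplate */` placeholder where the licence block belongs; both need fixing before this lands. The group comments have slips: "a generator of of 22" in the 768-bit group, and the 1536-bit group cites `RFC2312` for the generator of 22 where the 768/1024-bit groups cite RFC2412; the fourth string line of the 1024-bit constant is also space-indented unlike the rest. The `get_*` accessors document nothing and return whatever `BN_hex2bn` returns (the number of hex digits consumed, 0 on failure), which a reader may mistake for a plain boolean; a comment such as `/* Returns BN_hex2bn's result: >0 on success, 0 on failure; *bn is allocated when NULL. */` above the group of accessors would make that explicit. Whether the hex literals match the RFC values cannot be verified from this page and should be confirmed against the RFCs before anything depends on them.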
index d1559fd4f878cf9e7b8a1eae15f1bdf3ab486c96..7871882e35a40865e43e64f034735fca0c794b6e 100644 (file)
@@ -145,6 +145,10 @@ struct dh_st
 #define DH_UNABLE_TO_CHECK_GENERATOR   0x04
 #define DH_NOT_SUITABLE_GENERATOR      0x08
 
+/* DH_check_pub_key error codes */
+#define DH_CHECK_PUBKEY_TOO_SMALL      0x01
+#define DH_CHECK_PUBKEY_TOO_LARGE      0x02
+
 /* primes p where (p-1)/2 is prime too are called "safe"; we define
    this for backward compatibility: */
 #define DH_CHECK_P_NOT_STRONG_PRIME    DH_CHECK_P_NOT_SAFE_PRIME
@@ -183,6 +187,7 @@ DH *        DH_generate_parameters(int prime_len,int generator,
 int    DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
 
 int    DH_check(const DH *dh,int *codes);
+int    DH_check_pub_key(const DH *dh,const BIGNUM *pub_key, int *codes);
 int    DH_generate_key(DH *dh);
 int    DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
 DH *   d2i_DHparams(DH **a,const unsigned char **pp, long length);
@@ -216,6 +221,7 @@ void ERR_load_DH_strings(void);
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR                              101
 #define DH_R_NO_PRIVATE_VALUE                           100
+#define DH_R_INVALID_PUBKEY                             102
 
 #ifdef  __cplusplus
 }
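Review bot: The new `DH_check_pub_key` prototype names its last parameter `codes` while the implementation in crypto/dh/dh_check.c names it `ret`, and neither place documents that the function returns 0 only on internal failure while the verdict on the key is delivered as a bitmask in `*codes`, so callers must check both. I would add above the prototype: `/* Checks 1 < pub_key < p-1. Returns 1 if the check ran, 0 on internal error; *codes receives DH_CHECK_PUBKEY_* flags, 0 meaning the key passed. */`. The new `DH_CHECK_PUBKEY_*` values 0x01/0x02 presumably collide with the lowest `DH_CHECK_*` parameter flags defined just above this hunk; a comment that the two sets belong to different functions and must never be or-ed into the same variable would prevent confusion.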
index bfc9c3ad7685eaee12ccc66c88ce8fe3aef1c3eb..058aec75bcd922455764bb73c643ce4752f87932 100644 (file)
@@ -118,3 +118,25 @@ err:
        if (q != NULL) BN_free(q);
        return(ok);
        }
+
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+       {
+       int ok=0;
+       BIGNUM *q=NULL;
+
+       *ret=0;
+       q=BN_new();
+       if (q == NULL) goto err;
+       BN_set_word(q,1);
+       if (BN_cmp(pub_key,q) <= 0)
+               *ret|=DH_CHECK_PUBKEY_TOO_SMALL;
+       BN_copy(q,dh->p);
+       BN_sub_word(q,1);
+       if (BN_cmp(pub_key,q) >= 0)
+               *ret|=DH_CHECK_PUBKEY_TOO_LARGE;
+
+       ok = 1;
+err:
+       if (q != NULL) BN_free(q);
+       return(ok);
+       }
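Review bot: `DH_check_pub_key` ignores the return values of `BN_set_word`, `BN_copy` and `BN_sub_word` (the three calls between the `BN_new` check and the second `BN_cmp`); `BN_copy` returns NULL on allocation failure, after which `q` does not hold `p` and the upper-bound comparison runs against the wrong value while `ok` is still set to 1, so an internal failure is reported as a completed check. Each should `goto err` on failure. Separately, the commit title promises to avoid weak subgroups, but 1 < y < p-1 only rules out the order-1 and order-2 elements, which is sufficient only when p is a safe prime; for other parameters smaller subgroups remain unchecked. When the subgroup order is available (dh_st has a `q` placeholder for X9.42 parameters, if I remember the struct correctly), verifying `pub_key^q == 1 mod p` and reporting it through a new flag (say `DH_CHECK_PUBKEY_INVALID`, to be added to dh.h) closes that gap; the sketch below covers both changes.
```c
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
	{
	int ok=0;
	BIGNUM *q=NULL;
	BN_CTX *ctx=NULL;

	/* … unchanged: *ret=0; q=BN_new(); NULL check … */
	if (!BN_set_word(q,1)) goto err;
	if (BN_cmp(pub_key,q) <= 0)
		*ret|=DH_CHECK_PUBKEY_TOO_SMALL;
	if (BN_copy(q,dh->p) == NULL) goto err;
	if (!BN_sub_word(q,1)) goto err;
	if (BN_cmp(pub_key,q) >= 0)
		*ret|=DH_CHECK_PUBKEY_TOO_LARGE;
	/* Order check: y^q == 1 mod p rejects elements of small subgroups. */
	if (dh->q != NULL)
		{
		ctx=BN_CTX_new();
		if (ctx == NULL) goto err;
		if (!BN_mod_exp(q,pub_key,dh->q,dh->p,ctx)) goto err;
		if (!BN_is_one(q))
			*ret|=DH_CHECK_PUBKEY_INVALID; /* new flag, define in dh.h */
		}

	ok = 1;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	if (q != NULL) BN_free(q);
	return(ok);
	}
```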
index edce2c7036fb6ae69bbc4cd07cc65debfbcfb463..ea67fb71a0d2ef64b142f54981ae74fba677dcc4 100644 (file)
@@ -84,6 +84,7 @@ static ERR_STRING_DATA DH_str_reasons[]=
        {
 {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
+{ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
 {0,NULL}
        };
 
index 39eefe387eab82b63a3e0a3c42097d4012771f44..cc17c8851b691daf2798cad861f56b03adb9cbb1 100644 (file)
@@ -177,6 +177,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
        BN_MONT_CTX *mont=NULL;
        BIGNUM *tmp;
        int ret= -1;
+        int check_result;
 
        ctx = BN_CTX_new();
        if (ctx == NULL) goto err;
@@ -202,6 +203,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
                        goto err;
                }
 
+        if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result)
+               {
+               DHerr(DH_F_COMPUTE_KEY,DH_R_INVALID_PUBKEY);
+               goto err;
+               }
+
        if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
                {
                DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB);
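Review bot: The added lines use spaces for indentation where the surrounding code and the rest of the hunk are tab-indented, visibly on the `int check_result;` declaration and the `if (!DH_check_pub_key(` line; they should be tab-indented to match. The condition also folds two distinct outcomes into one error: `DH_check_pub_key` returning 0 means an internal failure (its `BN_new` failed), yet it is reported as `DH_R_INVALID_PUBKEY`, which blames the peer's key for a local allocation problem. Splitting it as `if (!DH_check_pub_key(dh, pub_key, &check_result)) { DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB); goto err; }` followed by the existing `check_result` test keeps the diagnostics honest. `compute_key` begins and ends outside this hunk.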