X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=crypto%2Fdh%2Fdh_key.c;h=6c7a45726706de542aa6117a0011b82e9b8f798c;hb=bc91494e064ebdcff68f987947f97e404fbca0b5;hp=48e7be45c5cb7a08f500dae90ca9ca86a278a91c;hpb=43eb3b0130539b6ebce32e683b56c531f19adb1e;p=openssl.git
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 48e7be45c5..6c7a457267 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -56,11 +56,16 @@ * [including the GNU Public Licence.] */ +#define OPENSSL_FIPSAPI + #include #include "cryptlib.h" #include #include #include +#ifdef OPENSSL_FIPS +#include +#endif static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
@@ -81,6 +86,21 @@ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) return dh->meth->compute_key(key, pub_key, dh); } +int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) + { + int rv, pad; + rv = dh->meth->compute_key(key, pub_key, dh); + if (rv <= 0) + return rv; + pad = BN_num_bytes(dh->p) - rv; + if (pad > 0) + { + memmove(key + pad, key, rv); + memset(key, 0, pad); + } + return rv + pad; + } + static DH_METHOD dh_ossl = { "OpenSSL DH Method", generate_key,
@@ -104,9 +124,17 @@ static int generate_key(DH *dh) int generate_new_key=0; unsigned l; BN_CTX *ctx; - BN_MONT_CTX *mont; + BN_MONT_CTX *mont=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) + { + DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); + return 0; + } +#endif + ctx = BN_CTX_new(); if (ctx == NULL) goto err;
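Review bot: `DH_compute_key_padded` has no comment stating its buffer contract, and `memmove(key + pad, key, rv)` only stays in bounds if `key` holds at least `BN_num_bytes(dh->p)` bytes. I would add above the function `/* key must have room for DH_size(dh) bytes; the secret is returned left-padded with zeros to that length */`. Separately, the `if (pad > 0)` branch and the variable-length output of `compute_key` (it ends in `BN_bn2bin(tmp,key)`) both depend on how many leading zero bytes the shared secret has, so the padding step is data-dependent on the secret. Producing the fixed-width encoding inside `compute_key` itself would remove that dependency, though that is a larger change than this hunk.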
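Review bot: `generate_key` gets only the FIPS lower bound on `dh->p` here, while `compute_key` in this same commit also gains an upper bound, so key generation with an oversized modulus still runs the full exponentiation. Consider mirroring the check before `BN_CTX_new()`: `if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); return 0; }`. The early `return 0` matches the FIPS branch and is safe at that point because nothing has been allocated yet. The body of `generate_key` continues outside this hunk.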
@@ -127,28 +155,43 @@ static int generate_key(DH *dh) else pub_key=dh->pub_key; - if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P)) + + if (dh->flags & DH_FLAG_CACHE_MONT_P) { - if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p, - dh->p,ctx)) goto err; + mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, + CRYPTO_LOCK_DH, dh->p, ctx); + if (!mont) + goto err; } - mont=(BN_MONT_CTX *)dh->method_mont_p; if (generate_new_key) { l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ if (!BN_rand(priv_key, l, 0, 0)) goto err; } - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont)) - goto err; + + { + BIGNUM local_prk; + BIGNUM *prk; + + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + BN_init(&local_prk); + prk = &local_prk; + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); + } + else + prk = priv_key; + + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err; + } dh->pub_key=pub_key; dh->priv_key=priv_key; ok=1; err: if (ok != 1) - DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB); + DHerr(DH_F_GENERATE_KEY,ERR_R_BN_LIB); if ((pub_key != NULL) && (dh->pub_key == NULL)) BN_free(pub_key); if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
@@ -158,10 +201,25 @@ err: static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { - BN_CTX *ctx; - BN_MONT_CTX *mont; + BN_CTX *ctx=NULL; + BN_MONT_CTX *mont=NULL; BIGNUM *tmp; int ret= -1; + int check_result; + + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) + { + DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE); + goto err; + } + +#ifdef OPENSSL_FIPS + if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) + { + DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); + goto err; + } +#endif ctx = BN_CTX_new(); if (ctx == NULL) goto err;
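Review bot: The new block around `local_prk` in `generate_key` has no comment explaining why a flagged copy is used instead of flagging `priv_key` itself. A line above `BIGNUM local_prk;` such as `/* prk aliases priv_key's data with BN_FLG_CONSTTIME set; it owns nothing and must not be freed */` would help, assuming `BN_with_flags` makes a shallow copy here as it does elsewhere in the library. It is also worth recording that `compute_key` in this commit takes the other approach and sets the flag on `dh->priv_key` directly, so the two paths are not symmetric. `generate_key` starts before and ends after this hunk.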
@@ -170,27 +228,42 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (dh->priv_key == NULL) { - DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE); + DHerr(DH_F_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE); goto err; } - if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P)) + + if (dh->flags & DH_FLAG_CACHE_MONT_P) + { + mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, + CRYPTO_LOCK_DH, dh->p, ctx); + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + /* XXX */ + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); + } + if (!mont) + goto err; + } + + if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) { - if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p, - dh->p,ctx)) goto err; + DHerr(DH_F_COMPUTE_KEY,DH_R_INVALID_PUBKEY); + goto err; } - mont=(BN_MONT_CTX *)dh->method_mont_p; if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont)) { - DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB); + DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB); goto err; } ret=BN_bn2bin(tmp,key); err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); + if (ctx != NULL) + { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return(ret); }
@@ -199,7 +272,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - if (a->top == 1) + /* If a is only one word long and constant time is false, use the faster + * exponenentiation function. + */ + if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) { BN_ULONG A = a->d[0]; return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
@@ -211,6 +287,9 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, static int dh_init(DH *dh) { +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); }
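Review bot: In `compute_key`, `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME)` sits inside the `if (dh->flags & DH_FLAG_CACHE_MONT_P)` block, so a DH object with the cache flag cleared reaches `bn_mod_exp` with an unflagged private exponent even though `DH_FLAG_NO_EXP_CONSTTIME` is not set. Moving the test after the block's closing brace, `if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);`, decouples the two flags. The bare `/* XXX */` should also say what is unresolved; presumably it is that this permanently changes the flags on the caller's key, unlike the local copy used in `generate_key`. `compute_key` begins before this hunk.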
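Review bot: The new comment in `dh_bn_mod_exp` misspells "exponentiation" and does not say why the one-word shortcut is now off by default. Suggested wording: `/* Take the BN_mod_exp_mont_word shortcut only when DH_FLAG_NO_EXP_CONSTTIME is set; otherwise use the general path so the exponent's BN_FLG_CONSTTIME is honoured. */`. The second half of that sentence is an inference, since the general path is outside this hunk, and should be confirmed against the rest of the function. The function's signature also begins before the hunk.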
@@ -218,6 +297,6 @@ static int dh_init(DH *dh) static int dh_finish(DH *dh) { if(dh->method_mont_p) - BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p); + BN_MONT_CTX_free(dh->method_mont_p); return(1); }