* [including the GNU Public Licence.]
*/
+#define OPENSSL_FIPSAPI
+
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rand.h>
#include <openssl/dh.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
return dh->meth->compute_key(key, pub_key, dh);
}
+int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ {
+ int rv, pad;
+ rv = dh->meth->compute_key(key, pub_key, dh);
+ if (rv <= 0)
+ return rv;
+ pad = BN_num_bytes(dh->p) - rv;
+ if (pad > 0)
+ {
+ memmove(key + pad, key, rv);
+ memset(key, 0, pad);
+ }
+ return rv + pad;
+ }
+
static DH_METHOD dh_ossl = {
"OpenSSL DH Method",
generate_key,
int generate_new_key=0;
unsigned l;
BN_CTX *ctx;
- BN_MONT_CTX *mont;
+ BN_MONT_CTX *mont=NULL;
BIGNUM *pub_key=NULL,*priv_key=NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+ {
+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
ctx = BN_CTX_new();
if (ctx == NULL) goto err;
l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
if (!BN_rand(priv_key, l, 0, 0)) goto err;
}
- if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
- goto err;
+
+ {
+ BIGNUM local_prk;
+ BIGNUM *prk;
+
+ if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ BN_init(&local_prk);
+ prk = &local_prk;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+ }
+ else
+ prk = priv_key;
+
+ if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
+ }
dh->pub_key=pub_key;
dh->priv_key=priv_key;
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
- BN_CTX *ctx;
- BN_MONT_CTX *mont;
+ BN_CTX *ctx=NULL;
+ BN_MONT_CTX *mont=NULL;
BIGNUM *tmp;
int ret= -1;
+ int check_result;
+
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
+ {
+ DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
+ goto err;
+ }
+
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
+ {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
ctx = BN_CTX_new();
if (ctx == NULL) goto err;
{
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
+ if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ /* XXX */
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+ }
if (!mont)
goto err;
}
+ if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result)
+ {
+ DHerr(DH_F_COMPUTE_KEY,DH_R_INVALID_PUBKEY);
+ goto err;
+ }
+
if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
{
DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB);
ret=BN_bn2bin(tmp,key);
err:
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
+ if (ctx != NULL)
+ {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
return(ret);
}
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx)
{
- if (a->top == 1)
+ /* If a is only one word long and constant time is false, use the faster
+ * exponenentiation function.
+ */
+ if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
{
BN_ULONG A = a->d[0];
return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
static int dh_init(DH *dh)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
dh->flags |= DH_FLAG_CACHE_MONT_P;
return(1);
}