This is required in order to share code for FIPS related parameter generation and validation routinues.
Note the 'counter' field is now stored as a integer (as that is the form required for generation/validation functions).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10860)
md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
- err comp ocsp cms ts srp cmac ct async ess crmf cmp serializer
+ err comp ocsp cms ts srp cmac ct async ess crmf cmp serializer \
+ ffc
LIBS=../libcrypto
else
pub_key = NULL;
- if (x->p == NULL || (ptype == 2 && priv_key == NULL)
+ if (x->params.p == NULL || (ptype == 2 && priv_key == NULL)
|| (ptype > 0 && pub_key == NULL)) {
reason = ERR_R_PASSED_NULL_PARAMETER;
goto err;
ktype = "DH Parameters";
if (!BIO_indent(bp, indent, 128)
- || BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) <= 0)
+ || BIO_printf(bp, "%s: (%d bit)\n", ktype, DH_bits(x)) <= 0)
goto err;
indent += 4;
if (!ASN1_bn_print(bp, "public-key:", pub_key, NULL, indent))
goto err;
- if (!ASN1_bn_print(bp, "prime:", x->p, NULL, indent))
+ if (!ffc_params_print(bp, &x->params, indent))
goto err;
- if (!ASN1_bn_print(bp, "generator:", x->g, NULL, indent))
- goto err;
- if (x->q && !ASN1_bn_print(bp, "subgroup order:", x->q, NULL, indent))
- goto err;
- if (x->j && !ASN1_bn_print(bp, "subgroup factor:", x->j, NULL, indent))
- goto err;
- if (x->seed) {
- int i;
- if (!BIO_indent(bp, indent, 128)
- || BIO_puts(bp, "seed:") <= 0)
- goto err;
- for (i = 0; i < x->seedlen; i++) {
- if ((i % 15) == 0) {
- if (BIO_puts(bp, "\n") <= 0
- || !BIO_indent(bp, indent + 4, 128))
- goto err;
- }
- if (BIO_printf(bp, "%02x%s", x->seed[i],
- ((i + 1) == x->seedlen) ? "" : ":") <= 0)
- goto err;
- }
- if (BIO_write(bp, "\n", 1) <= 0)
- return 0;
- }
- if (x->counter && !ASN1_bn_print(bp, "counter:", x->counter, NULL, indent))
- goto err;
if (x->length != 0) {
if (!BIO_indent(bp, indent, 128)
|| BIO_printf(bp, "recommended-private-length: %d bits\n",
static int dh_bits(const EVP_PKEY *pkey)
{
- return BN_num_bits(pkey->pkey.dh->p);
+ return DH_bits(pkey->pkey.dh);
}
static int dh_security_bits(const EVP_PKEY *pkey)
static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
- if (BN_cmp(a->pkey.dh->p, b->pkey.dh->p) ||
- BN_cmp(a->pkey.dh->g, b->pkey.dh->g))
- return 0;
- else if (a->ameth == &dhx_asn1_meth) {
- if (BN_cmp(a->pkey.dh->q, b->pkey.dh->q))
- return 0;
- }
- return 1;
-}
-
-static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src)
-{
- BIGNUM *a;
-
- /*
- * If source is read only just copy the pointer, so
- * we don't have to reallocate it.
- */
- if (src == NULL)
- a = NULL;
- else if (BN_get_flags(src, BN_FLG_STATIC_DATA)
- && !BN_get_flags(src, BN_FLG_MALLOCED))
- a = (BIGNUM *)src;
- else if ((a = BN_dup(src)) == NULL)
- return 0;
- BN_clear_free(*dst);
- *dst = a;
- return 1;
+ return ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params,
+ a->ameth != &dhx_asn1_meth);
}
static int int_dh_param_copy(DH *to, const DH *from, int is_x942)
{
if (is_x942 == -1)
- is_x942 = ! !from->q;
- if (!int_dh_bn_cpy(&to->p, from->p))
+ is_x942 = (from->params.q != NULL);
+ if (!ffc_params_copy(&to->params, &from->params))
return 0;
- if (!int_dh_bn_cpy(&to->g, from->g))
- return 0;
- if (is_x942) {
- if (!int_dh_bn_cpy(&to->q, from->q))
- return 0;
- if (!int_dh_bn_cpy(&to->j, from->j))
- return 0;
- OPENSSL_free(to->seed);
- to->seed = NULL;
- to->seedlen = 0;
- if (from->seed) {
- to->seed = OPENSSL_memdup(from->seed, from->seedlen);
- if (!to->seed)
- return 0;
- to->seedlen = from->seedlen;
- }
- } else
+ if (!is_x942)
to->length = from->length;
to->dirty_cnt++;
return 1;
static int dh_missing_parameters(const EVP_PKEY *a)
{
- if (a->pkey.dh == NULL || a->pkey.dh->p == NULL || a->pkey.dh->g == NULL)
- return 1;
- return 0;
+ return a->pkey.dh == NULL
+ || a->pkey.dh->params.p == NULL
+ || a->pkey.dh->params.g == NULL;
}
static int dh_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
static int dh_cms_decrypt(CMS_RecipientInfo *ri)
{
EVP_PKEY_CTX *pctx;
+
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
if (pctx == NULL)
}
ASN1_SEQUENCE_cb(DHparams, dh_cb) = {
- ASN1_SIMPLE(DH, p, BIGNUM),
- ASN1_SIMPLE(DH, g, BIGNUM),
+ ASN1_SIMPLE(DH, params.p, BIGNUM),
+ ASN1_SIMPLE(DH, params.g, BIGNUM),
ASN1_OPT_EMBED(DH, length, ZINT32),
} ASN1_SEQUENCE_END_cb(DH, DHparams)
DH *d2i_DHxparams(DH **a, const unsigned char **pp, long length)
{
+ FFC_PARAMS *params;
int_dhx942_dh *dhx = NULL;
DH *dh = NULL;
dh = DH_new();
return NULL;
}
- if (a) {
+ if (a != NULL) {
DH_free(*a);
*a = dh;
}
- dh->p = dhx->p;
- dh->q = dhx->q;
- dh->g = dhx->g;
- dh->j = dhx->j;
+ params = &dh->params;
+ ffc_params_set0_pqg(params, dhx->p, dhx->q, dhx->g);
+ ffc_params_set0_j(params, dhx->j);
- if (dhx->vparams) {
- dh->seed = dhx->vparams->seed->data;
- dh->seedlen = dhx->vparams->seed->length;
- dh->counter = dhx->vparams->counter;
- dhx->vparams->seed->data = NULL;
+ if (dhx->vparams != NULL) {
+ /* The counter has a maximum value of 4 * numbits(p) - 1 */
+ size_t counter = (size_t)BN_get_word(dhx->vparams->counter);
+ ffc_params_set_validate_params(params, dhx->vparams->seed->data,
+ dhx->vparams->seed->length, counter);
ASN1_BIT_STRING_free(dhx->vparams->seed);
+ BN_free(dhx->vparams->counter);
OPENSSL_free(dhx->vparams);
dhx->vparams = NULL;
}
int i2d_DHxparams(const DH *dh, unsigned char **pp)
{
+ int ret = 0;
int_dhx942_dh dhx;
- int_dhvparams dhv;
- ASN1_BIT_STRING bs;
- dhx.p = dh->p;
- dhx.g = dh->g;
- dhx.q = dh->q;
- dhx.j = dh->j;
- if (dh->counter && dh->seed && dh->seedlen > 0) {
- bs.flags = ASN1_STRING_FLAG_BITS_LEFT;
- bs.data = dh->seed;
- bs.length = dh->seedlen;
- dhv.seed = &bs;
- dhv.counter = dh->counter;
+ int_dhvparams dhv = { NULL, NULL };
+ ASN1_BIT_STRING seed;
+ size_t seedlen = 0;
+ const FFC_PARAMS *params = &dh->params;
+ int counter;
+
+ ffc_params_get0_pqg(params, (const BIGNUM **)&dhx.p,
+ (const BIGNUM **)&dhx.q, (const BIGNUM **)&dhx.g);
+ dhx.j = params->j;
+ ffc_params_get_validate_params(params, &seed.data, &seedlen, &counter);
+ seed.length = (int)seedlen;
+
+ if (counter != -1 && seed.data != NULL && seed.length > 0) {
+ seed.flags = ASN1_STRING_FLAG_BITS_LEFT;
+ dhv.seed = &seed;
+ dhv.counter = BN_new();
+ if (dhv.counter == NULL)
+ return 0;
+ if (!BN_set_word(dhv.counter, (BN_ULONG)counter))
+ goto err;
dhx.vparams = &dhv;
- } else
+ } else {
dhx.vparams = NULL;
-
- return i2d_int_dhx(&dhx, pp);
+ }
+ ret = i2d_int_dhx(&dhx, pp);
+err:
+ BN_free(dhv.counter);
+ return ret;
}
if (tmp == NULL)
goto err;
- if (!BN_is_odd(dh->p))
+ if (!BN_is_odd(dh->params.p))
*ret |= DH_CHECK_P_NOT_PRIME;
- if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || BN_is_one(dh->g))
+ if (BN_is_negative(dh->params.g)
+ || BN_is_zero(dh->params.g)
+ || BN_is_one(dh->params.g))
*ret |= DH_NOT_SUITABLE_GENERATOR;
- if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
+ if (BN_copy(tmp, dh->params.p) == NULL || !BN_sub_word(tmp, 1))
goto err;
- if (BN_cmp(dh->g, tmp) >= 0)
+ if (BN_cmp(dh->params.g, tmp) >= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
- if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS)
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS)
*ret |= DH_MODULUS_TOO_SMALL;
- if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS)
*ret |= DH_MODULUS_TOO_LARGE;
ok = 1;
if (t2 == NULL)
goto err;
- if (dh->q) {
- if (BN_cmp(dh->g, BN_value_one()) <= 0)
+ if (dh->params.q != NULL) {
+ if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
- else if (BN_cmp(dh->g, dh->p) >= 0)
+ else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
else {
/* Check g^q == 1 mod p */
- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+ if (!BN_mod_exp(t1, dh->params.g, dh->params.q, dh->params.p, ctx))
goto err;
if (!BN_is_one(t1))
*ret |= DH_NOT_SUITABLE_GENERATOR;
}
- r = BN_check_prime(dh->q, ctx, NULL);
+ r = BN_check_prime(dh->params.q, ctx, NULL);
if (r < 0)
goto err;
if (!r)
*ret |= DH_CHECK_Q_NOT_PRIME;
/* Check p == 1 mod q i.e. q divides p - 1 */
- if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+ if (!BN_div(t1, t2, dh->params.p, dh->params.q, ctx))
goto err;
if (!BN_is_one(t2))
*ret |= DH_CHECK_INVALID_Q_VALUE;
- if (dh->j && BN_cmp(dh->j, t1))
+ if (dh->params.j != NULL
+ && BN_cmp(dh->params.j, t1))
*ret |= DH_CHECK_INVALID_J_VALUE;
}
- r = BN_check_prime(dh->p, ctx, NULL);
+ r = BN_check_prime(dh->params.p, ctx, NULL);
if (r < 0)
goto err;
if (!r)
*ret |= DH_CHECK_P_NOT_PRIME;
- else if (!dh->q) {
- if (!BN_rshift1(t1, dh->p))
+ else if (dh->params.q == NULL) {
+ if (!BN_rshift1(t1, dh->params.p))
goto err;
r = BN_check_prime(t1, ctx, NULL);
if (r < 0)
goto err;
if (BN_cmp(pub_key, tmp) <= 0)
*ret |= DH_CHECK_PUBKEY_TOO_SMALL;
- if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
+ if (BN_copy(tmp, dh->params.p) == NULL || !BN_sub_word(tmp, 1))
goto err;
if (BN_cmp(pub_key, tmp) >= 0)
*ret |= DH_CHECK_PUBKEY_TOO_LARGE;
- if (dh->q != NULL) {
+ if (dh->params.q != NULL) {
/* Check pub_key^q == 1 mod p */
- if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
+ if (!BN_mod_exp(tmp, pub_key, dh->params.q, dh->params.p, ctx))
goto err;
if (!BN_is_one(tmp))
*ret |= DH_CHECK_PUBKEY_INVALID;
goto err;
/* Make sure 'ret' has the necessary elements */
- if (!ret->p && ((ret->p = BN_new()) == NULL))
+ if (ret->params.p == NULL && ((ret->params.p = BN_new()) == NULL))
goto err;
- if (!ret->g && ((ret->g = BN_new()) == NULL))
+ if (ret->params.g == NULL && ((ret->params.g = BN_new()) == NULL))
goto err;
if (generator <= 1) {
g = generator;
}
- if (!BN_generate_prime_ex(ret->p, prime_len, 1, t1, t2, cb))
+ if (!BN_generate_prime_ex(ret->params.p, prime_len, 1, t1, t2, cb))
goto err;
if (!BN_GENCB_call(cb, 3, 0))
goto err;
- if (!BN_set_word(ret->g, g))
+ if (!BN_set_word(ret->params.g, g))
goto err;
ret->dirty_cnt++;
ok = 1;
int check_result;
#endif
- if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(0, DH_R_MODULUS_TOO_LARGE);
goto err;
}
- if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
DHerr(0, DH_R_MODULUS_TOO_SMALL);
return 0;
}
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
- dh->lock, dh->p, ctx);
+ dh->lock, dh->params.p, ctx);
BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
if (!mont)
goto err;
goto err;
}
#endif
- if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx,
+ if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->params.p, ctx,
mont)) {
DHerr(0, ERR_R_BN_LIB);
goto err;
#endif
if (rv <= 0)
return rv;
- pad = BN_num_bytes(dh->p) - rv;
+ pad = BN_num_bytes(dh->params.p) - rv;
if (pad > 0) {
memmove(key + pad, key, rv);
memset(key, 0, pad);
static int dh_init(DH *dh)
{
dh->flags |= DH_FLAG_CACHE_MONT_P;
+ ffc_params_init(&dh->params);
return 1;
}
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
- if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
return 0;
}
- if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_SMALL);
return 0;
}
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
- dh->lock, dh->p, ctx);
+ dh->lock, dh->params.p, ctx);
if (!mont)
goto err;
}
if (generate_new_key) {
- if (dh->q) {
+ if (dh->params.q != NULL) {
do {
- if (!BN_priv_rand_range(priv_key, dh->q))
+ if (!BN_priv_rand_range(priv_key, dh->params.q))
goto err;
}
while (BN_is_zero(priv_key) || BN_is_one(priv_key));
} else {
/* secret exponent length */
- l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
+ l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
goto err;
/*
* We handle just one known case where g is a quadratic non-residue:
* for g = 2: p % 8 == 3
*/
- if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) {
+ if (BN_is_word(dh->params.g, DH_GENERATOR_2)
+ && !BN_is_bit_set(dh->params.p, 2)) {
/* clear bit 0, since it won't be a secret anyway */
if (!BN_clear_bit(priv_key, 0))
goto err;
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
+ if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p,
+ ctx, mont)) {
BN_clear_free(prk);
goto err;
}
return ok;
}
+
int dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
{
int err_reason = DH_R_BN_ERROR;
#include "dh_local.h"
#include "crypto/dh.h"
#include <openssl/engine.h>
+#include "crypto/dh.h"
#ifndef FIPS_MODE
int DH_set_method(DH *dh, const DH_METHOD *meth)
CRYPTO_THREAD_lock_free(r->lock);
- BN_clear_free(r->p);
- BN_clear_free(r->g);
- BN_clear_free(r->q);
- BN_clear_free(r->j);
- OPENSSL_free(r->seed);
- BN_clear_free(r->counter);
+ ffc_params_cleanup(&r->params);
BN_clear_free(r->pub_key);
BN_clear_free(r->priv_key);
OPENSSL_free(r);
int DH_bits(const DH *dh)
{
- return BN_num_bits(dh->p);
+ return BN_num_bits(dh->params.p);
}
int DH_size(const DH *dh)
{
- return BN_num_bytes(dh->p);
+ return BN_num_bytes(dh->params.p);
}
int DH_security_bits(const DH *dh)
{
int N;
- if (dh->q)
- N = BN_num_bits(dh->q);
+ if (dh->params.q != NULL)
+ N = BN_num_bits(dh->params.q);
else if (dh->length)
N = dh->length;
else
N = -1;
- return BN_security_bits(BN_num_bits(dh->p), N);
+ return BN_security_bits(BN_num_bits(dh->params.p), N);
}
void DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
- if (p != NULL)
- *p = dh->p;
- if (q != NULL)
- *q = dh->q;
- if (g != NULL)
- *g = dh->g;
+ ffc_params_get0_pqg(&dh->params, p, q, g);
}
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
/* If the fields p and g in d are NULL, the corresponding input
* parameters MUST be non-NULL. q may remain NULL.
*/
- if ((dh->p == NULL && p == NULL)
- || (dh->g == NULL && g == NULL))
+ if ((dh->params.p == NULL && p == NULL)
+ || (dh->params.g == NULL && g == NULL))
return 0;
- if (p != NULL) {
- BN_free(dh->p);
- dh->p = p;
- }
- if (q != NULL) {
- BN_free(dh->q);
- dh->q = q;
- }
- if (g != NULL) {
- BN_free(dh->g);
- dh->g = g;
- }
+ ffc_params_set0_pqg(&dh->params, p, q, g);
- if (q != NULL) {
+ if (q != NULL)
dh->length = BN_num_bits(q);
- }
dh->dirty_cnt++;
return 1;
const BIGNUM *DH_get0_p(const DH *dh)
{
- return dh->p;
+ return dh->params.p;
}
const BIGNUM *DH_get0_q(const DH *dh)
{
- return dh->q;
+ return dh->params.q;
}
const BIGNUM *DH_get0_g(const DH *dh)
{
- return dh->g;
+ return dh->params.g;
}
const BIGNUM *DH_get0_priv_key(const DH *dh)
return dh->engine;
}
#endif /*FIPS_MODE */
+
+FFC_PARAMS *dh_get0_params(DH *dh)
+{
+ return &dh->params;
+}
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/dh.h>
#include "internal/refcount.h"
+#include "internal/ffc.h"
#define DH_MIN_MODULUS_BITS 512
*/
int pad;
int version;
- BIGNUM *p;
- BIGNUM *g;
- int32_t length; /* optional */
+ FFC_PARAMS params;
+ int32_t length; /* optional value of N (if there is no q) */
BIGNUM *pub_key; /* g^x % p */
BIGNUM *priv_key; /* x */
int flags;
BN_MONT_CTX *method_mont_p;
- /* Place holders if we want to do X9.42 DH */
- BIGNUM *q;
- BIGNUM *j;
- unsigned char *seed;
- int seedlen;
- BIGNUM *counter;
CRYPTO_REF_COUNT references;
#ifndef FIPS_MODE
CRYPTO_EX_DATA ex_data;
\
if (dh == NULL) \
return NULL; \
- dh->p = BN_dup(&_bignum_dh##x##_p); \
- dh->g = BN_dup(&_bignum_dh##x##_g); \
- dh->q = BN_dup(&_bignum_dh##x##_q); \
- if (dh->p == NULL || dh->q == NULL || dh->g == NULL) {\
+ dh->params.p = BN_dup(&_bignum_dh##x##_p); \
+ dh->params.g = BN_dup(&_bignum_dh##x##_g); \
+ dh->params.q = BN_dup(&_bignum_dh##x##_q); \
+ if (dh->params.p == NULL || dh->params.q == NULL || dh->params.g == NULL) {\
DH_free(dh); \
return NULL; \
} \
DH *dh = DH_new();
if (dh == NULL)
return NULL;
- dh->p = (BIGNUM *)p;
- dh->g = (BIGNUM *)&_bignum_const_2;
+ dh->params.p = (BIGNUM *)p;
+ dh->params.g = (BIGNUM *)&_bignum_const_2;
dh->length = nbits;
dh->dirty_cnt++;
return dh;
{
int nid;
- if (BN_get_word(dh->g) != 2)
+ if (BN_get_word(dh->params.g) != 2)
return NID_undef;
- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p))
+ if (!BN_cmp(dh->params.p, &_bignum_ffdhe2048_p))
nid = NID_ffdhe2048;
- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p))
+ else if (!BN_cmp(dh->params.p, &_bignum_ffdhe3072_p))
nid = NID_ffdhe3072;
- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p))
+ else if (!BN_cmp(dh->params.p, &_bignum_ffdhe4096_p))
nid = NID_ffdhe4096;
- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p))
+ else if (!BN_cmp(dh->params.p, &_bignum_ffdhe6144_p))
nid = NID_ffdhe6144;
- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p))
+ else if (!BN_cmp(dh->params.p, &_bignum_ffdhe8192_p))
nid = NID_ffdhe8192;
else
return NID_undef;
- if (dh->q != NULL) {
- BIGNUM *q = BN_dup(dh->p);
+ if (dh->params.q != NULL) {
+ BIGNUM *q = BN_dup(dh->params.p);
/* Check q = p * 2 + 1 we already know q is odd, so just shift right */
- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q))
+ if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->params.q, q))
nid = NID_undef;
BN_free(q);
}
ASN1_OBJECT *aobj;
dsa = pkey->pkey.dsa;
- if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
+ if (pkey->save_parameters
+ && dsa->params.p != NULL
+ && dsa->params.q != NULL
+ && dsa->params.g != NULL) {
str = ASN1_STRING_new();
if (str == NULL) {
DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
}
BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME);
- if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
+ if (!BN_mod_exp(dsa->pub_key, dsa->params.g, dsa->priv_key, dsa->params.p,
+ ctx)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
}
{
DSA *dsa;
dsa = pkey->pkey.dsa;
- if (dsa == NULL || dsa->p == NULL || dsa->q == NULL || dsa->g == NULL)
- return 1;
- return 0;
+ return dsa == NULL
+ || dsa->params.p == NULL
+ || dsa->params.q == NULL
+ || dsa->params.g == NULL;
}
static int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
- BIGNUM *a;
-
if (to->pkey.dsa == NULL) {
to->pkey.dsa = DSA_new();
if (to->pkey.dsa == NULL)
return 0;
}
-
- if ((a = BN_dup(from->pkey.dsa->p)) == NULL)
+ if (!ffc_params_copy(&to->pkey.dsa->params, &from->pkey.dsa->params))
return 0;
- BN_free(to->pkey.dsa->p);
- to->pkey.dsa->p = a;
- if ((a = BN_dup(from->pkey.dsa->q)) == NULL)
- return 0;
- BN_free(to->pkey.dsa->q);
- to->pkey.dsa->q = a;
-
- if ((a = BN_dup(from->pkey.dsa->g)) == NULL)
- return 0;
- BN_free(to->pkey.dsa->g);
- to->pkey.dsa->g = a;
to->pkey.dsa->dirty_cnt++;
return 1;
}
static int dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
- if (BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) ||
- BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) ||
- BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g))
- return 0;
- else
- return 1;
+ return ffc_params_cmp(&a->pkey.dsa->params, &b->pkey.dsa->params, 1);
}
static int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
- if (BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) != 0)
- return 0;
- else
- return 1;
+ return BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) == 0;
}
static void int_dsa_free(EVP_PKEY *pkey)
const BIGNUM *priv_key, *pub_key;
int mod_len = 0;
- if (x->p != NULL)
- mod_len = BN_num_bits(x->p);
+ if (x->params.p != NULL)
+ mod_len = DSA_bits(x);
if (ptype == 2)
priv_key = x->priv_key;
else
ktype = "DSA-Parameters";
- if (priv_key) {
+ if (priv_key != NULL) {
if (!BIO_indent(bp, off, 128))
goto err;
- if (BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p))
- <= 0)
+ if (BIO_printf(bp, "%s: (%d bit)\n", ktype, mod_len) <= 0)
goto err;
} else {
if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
goto err;
if (!ASN1_bn_print(bp, "pub: ", pub_key, NULL, off))
goto err;
- if (!ASN1_bn_print(bp, "P: ", x->p, NULL, off))
- goto err;
- if (!ASN1_bn_print(bp, "Q: ", x->q, NULL, off))
- goto err;
- if (!ASN1_bn_print(bp, "G: ", x->g, NULL, off))
+ if (!ffc_params_print(bp, &x->params, off))
goto err;
ret = 1;
err:
DSA_SIG *dsa_sig;
const unsigned char *p;
- if (!sig) {
+ if (sig == NULL) {
if (BIO_puts(bp, "\n") <= 0)
return 0;
else
}
p = sig->data;
dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
- if (dsa_sig) {
+ if (dsa_sig != NULL) {
int rv = 0;
const BIGNUM *r, *s;
ASN1_SEQUENCE_cb(DSAPrivateKey, dsa_cb) = {
ASN1_EMBED(DSA, version, INT32),
- ASN1_SIMPLE(DSA, p, BIGNUM),
- ASN1_SIMPLE(DSA, q, BIGNUM),
- ASN1_SIMPLE(DSA, g, BIGNUM),
+ ASN1_SIMPLE(DSA, params.p, BIGNUM),
+ ASN1_SIMPLE(DSA, params.q, BIGNUM),
+ ASN1_SIMPLE(DSA, params.g, BIGNUM),
ASN1_SIMPLE(DSA, pub_key, BIGNUM),
ASN1_SIMPLE(DSA, priv_key, CBIGNUM)
} static_ASN1_SEQUENCE_END_cb(DSA, DSAPrivateKey)
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(DSA, DSAPrivateKey, DSAPrivateKey)
ASN1_SEQUENCE_cb(DSAparams, dsa_cb) = {
- ASN1_SIMPLE(DSA, p, BIGNUM),
- ASN1_SIMPLE(DSA, q, BIGNUM),
- ASN1_SIMPLE(DSA, g, BIGNUM),
+ ASN1_SIMPLE(DSA, params.p, BIGNUM),
+ ASN1_SIMPLE(DSA, params.q, BIGNUM),
+ ASN1_SIMPLE(DSA, params.g, BIGNUM),
} static_ASN1_SEQUENCE_END_cb(DSA, DSAparams)
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(DSA, DSAparams, DSAparams)
ASN1_SEQUENCE_cb(DSAPublicKey, dsa_cb) = {
ASN1_SIMPLE(DSA, pub_key, BIGNUM),
- ASN1_SIMPLE(DSA, p, BIGNUM),
- ASN1_SIMPLE(DSA, q, BIGNUM),
- ASN1_SIMPLE(DSA, g, BIGNUM)
+ ASN1_SIMPLE(DSA, params.p, BIGNUM),
+ ASN1_SIMPLE(DSA, params.q, BIGNUM),
+ ASN1_SIMPLE(DSA, params.g, BIGNUM)
} static_ASN1_SEQUENCE_END_cb(DSA, DSAPublicKey)
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(DSA, DSAPublicKey, DSAPublicKey)
ok = 1;
err:
if (ok) {
- BN_free(ret->p);
- BN_free(ret->q);
- BN_free(ret->g);
- ret->p = BN_dup(p);
- ret->q = BN_dup(q);
- ret->g = BN_dup(g);
+ BN_free(ret->params.p);
+ BN_free(ret->params.q);
+ BN_free(ret->params.g);
+ ret->params.p = BN_dup(p);
+ ret->params.q = BN_dup(q);
+ ret->params.g = BN_dup(g);
ret->dirty_cnt++;
- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+ if (ret->params.p == NULL
+ || ret->params.q == NULL
+ || ret->params.g == NULL) {
ok = 0;
goto err;
}
mdsize = EVP_MD_size(evpmd);
/* If unverifiable g generation only don't need seed */
- if (!ret->p || !ret->q || idx >= 0) {
+ if (!ret->params.p || !ret->params.q || idx >= 0) {
if (seed_len == 0)
seed_len = mdsize;
goto err;
/* if p, q already supplied generate g only */
- if (ret->p && ret->q) {
- p = ret->p;
- q = ret->q;
+ if (ret->params.p && ret->params.q) {
+ p = ret->params.p;
+ q = ret->params.q;
if (idx >= 0)
memcpy(seed_tmp, seed, seed_len);
goto g_only;
ok = 1;
err:
if (ok == 1) {
- if (p != ret->p) {
- BN_free(ret->p);
- ret->p = BN_dup(p);
+ if (p != ret->params.p) {
+ BN_free(ret->params.p);
+ ret->params.p = BN_dup(p);
}
- if (q != ret->q) {
- BN_free(ret->q);
- ret->q = BN_dup(q);
+ if (q != ret->params.q) {
+ BN_free(ret->params.q);
+ ret->params.q = BN_dup(q);
}
- BN_free(ret->g);
- ret->g = BN_dup(g);
- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+ BN_free(ret->params.g);
+ ret->params.g = BN_dup(g);
+ if (ret->params.p == NULL
+ || ret->params.q == NULL
+ || ret->params.g == NULL) {
ok = -1;
goto err;
}
priv_key = dsa->priv_key;
do
- if (!BN_priv_rand_range(priv_key, dsa->q))
+ if (!BN_priv_rand_range(priv_key, dsa->params.q))
goto err;
while (BN_is_zero(priv_key)) ;
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
+ if (!BN_mod_exp(pub_key, dsa->params.g, prk, dsa->params.p, ctx)) {
BN_free(prk);
goto err;
}
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "internal/cryptlib.h"
#include "internal/refcount.h"
#include <openssl/bn.h>
-#include "dsa_local.h"
#include <openssl/asn1.h>
#include <openssl/engine.h>
-#include <openssl/dh.h>
+#include "dsa_local.h"
#include "crypto/dsa.h"
+#include "crypto/dh.h" /* required by DSA_dup_DH() */
#ifndef FIPS_MODE
return CRYPTO_get_ex_data(&d->ex_data, idx);
}
-#ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DH
DH *DSA_dup_DH(const DSA *r)
{
/*
- * DSA has p, q, g, optional pub_key, optional priv_key. DH has p,
- * optional length, g, optional pub_key, optional priv_key, optional q.
+ * DSA has p, q, g, optional pub_key, optional priv_key.
+ * DH has p, optional length, g, optional pub_key,
+ * optional priv_key, optional q.
*/
-
DH *ret = NULL;
- BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
if (r == NULL)
goto err;
ret = DH_new();
if (ret == NULL)
goto err;
- if (r->p != NULL || r->g != NULL || r->q != NULL) {
- if (r->p == NULL || r->g == NULL || r->q == NULL) {
- /* Shouldn't happen */
- goto err;
- }
- p = BN_dup(r->p);
- g = BN_dup(r->g);
- q = BN_dup(r->q);
- if (p == NULL || g == NULL || q == NULL || !DH_set0_pqg(ret, p, q, g))
- goto err;
- p = g = q = NULL;
- }
+
+ if (!ffc_params_copy(dh_get0_params(ret), &r->params))
+ goto err;
if (r->pub_key != NULL) {
pub_key = BN_dup(r->pub_key);
return ret;
err:
- BN_free(p);
- BN_free(g);
- BN_free(q);
BN_free(pub_key);
BN_free(priv_key);
DH_free(ret);
return NULL;
}
-#endif
+# endif /* OPENSSL_NO_DH */
const BIGNUM *DSA_get0_p(const DSA *d)
{
- return d->p;
+ return d->params.p;
}
const BIGNUM *DSA_get0_q(const DSA *d)
{
- return d->q;
+ return d->params.q;
}
const BIGNUM *DSA_get0_g(const DSA *d)
{
- return d->g;
+ return d->params.g;
}
const BIGNUM *DSA_get0_pub_key(const DSA *d)
CRYPTO_THREAD_lock_free(r->lock);
- BN_clear_free(r->p);
- BN_clear_free(r->q);
- BN_clear_free(r->g);
+ ffc_params_cleanup(&r->params);
BN_clear_free(r->pub_key);
BN_clear_free(r->priv_key);
OPENSSL_free(r);
void DSA_get0_pqg(const DSA *d,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
- if (p != NULL)
- *p = d->p;
- if (q != NULL)
- *q = d->q;
- if (g != NULL)
- *g = d->g;
+ ffc_params_get0_pqg(&d->params, p, q, g);
}
int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
/* If the fields p, q and g in d are NULL, the corresponding input
* parameters MUST be non-NULL.
*/
- if ((d->p == NULL && p == NULL)
- || (d->q == NULL && q == NULL)
- || (d->g == NULL && g == NULL))
+ if ((d->params.p == NULL && p == NULL)
+ || (d->params.q == NULL && q == NULL)
+ || (d->params.g == NULL && g == NULL))
return 0;
- if (p != NULL) {
- BN_free(d->p);
- d->p = p;
- }
- if (q != NULL) {
- BN_free(d->q);
- d->q = q;
- }
- if (g != NULL) {
- BN_free(d->g);
- d->g = g;
- }
+ ffc_params_set0_pqg(&d->params, p, q, g);
d->dirty_cnt++;
return 1;
int DSA_security_bits(const DSA *d)
{
- if (d->p && d->q)
- return BN_security_bits(BN_num_bits(d->p), BN_num_bits(d->q));
+ if (d->params.p != NULL && d->params.q != NULL)
+ return BN_security_bits(BN_num_bits(d->params.p),
+ BN_num_bits(d->params.q));
return -1;
}
int DSA_bits(const DSA *dsa)
{
- return BN_num_bits(dsa->p);
+ return BN_num_bits(dsa->params.p);
}
#include <openssl/dsa.h>
#include "internal/refcount.h"
+#include "internal/ffc.h"
struct dsa_st {
/*
*/
int pad;
int32_t version;
- BIGNUM *p;
- BIGNUM *q; /* == 20 */
- BIGNUM *g;
+ FFC_PARAMS params;
BIGNUM *pub_key; /* y public key */
BIGNUM *priv_key; /* x private key */
int flags;
DSA_SIG *ret = NULL;
int rv = 0;
- if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+ if (dsa->params.p == NULL
+ || dsa->params.q == NULL
+ || dsa->params.g == NULL) {
reason = DSA_R_MISSING_PARAMETERS;
goto err;
}
if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen))
goto err;
- if (dlen > BN_num_bytes(dsa->q))
+ if (dlen > BN_num_bytes(dsa->params.q))
/*
* if the digest length is greater than the size of q use the
* BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
* 4.2
*/
- dlen = BN_num_bytes(dsa->q);
+ dlen = BN_num_bytes(dsa->params.q);
if (BN_bin2bn(dgst, dlen, m) == NULL)
goto err;
/* Generate a blinding value */
do {
- if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->q) - 1,
+ if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1,
BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx))
goto err;
} while (BN_is_zero(blind));
BN_set_flags(tmp, BN_FLG_CONSTTIME);
/* tmp := blind * priv_key * r mod q */
- if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
+ if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->params.q, ctx))
goto err;
- if (!BN_mod_mul(tmp, tmp, ret->r, dsa->q, ctx))
+ if (!BN_mod_mul(tmp, tmp, ret->r, dsa->params.q, ctx))
goto err;
/* blindm := blind * m mod q */
- if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
+ if (!BN_mod_mul(blindm, blind, m, dsa->params.q, ctx))
goto err;
/* s : = (blind * priv_key * r) + (blind * m) mod q */
- if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->q))
+ if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->params.q))
goto err;
/* s := s * k^-1 mod q */
- if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->q, ctx))
+ if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->params.q, ctx))
goto err;
/* s:= s * blind^-1 mod q */
- if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
+ if (BN_mod_inverse(blind, blind, dsa->params.q, ctx) == NULL)
goto err;
- if (!BN_mod_mul(ret->s, ret->s, blind, dsa->q, ctx))
+ if (!BN_mod_mul(ret->s, ret->s, blind, dsa->params.q, ctx))
goto err;
/*
int ret = 0;
int q_bits, q_words;
- if (!dsa->p || !dsa->q || !dsa->g) {
+ if (!dsa->params.p || !dsa->params.q || !dsa->params.g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
return 0;
}
/* Reject obviously invalid parameters */
- if (BN_is_zero(dsa->p) || BN_is_zero(dsa->q) || BN_is_zero(dsa->g)) {
+ if (BN_is_zero(dsa->params.p)
+ || BN_is_zero(dsa->params.q)
+ || BN_is_zero(dsa->params.g)) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_PARAMETERS);
return 0;
}
ctx = ctx_in;
/* Preallocate space */
- q_bits = BN_num_bits(dsa->q);
- q_words = bn_get_top(dsa->q);
+ q_bits = BN_num_bits(dsa->params.q);
+ q_words = bn_get_top(dsa->params.q);
if (!bn_wexpand(k, q_words + 2)
|| !bn_wexpand(l, q_words + 2))
goto err;
* We calculate k from SHA512(private_key + H(message) + random).
* This protects the private key from a weak PRNG.
*/
- if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
+ if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst,
dlen, ctx))
goto err;
- } else if (!BN_priv_rand_range_ex(k, dsa->q, ctx))
+ } else if (!BN_priv_rand_range_ex(k, dsa->params.q, ctx))
goto err;
} while (BN_is_zero(k));
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
- dsa->lock, dsa->p, ctx))
+ dsa->lock, dsa->params.p, ctx))
goto err;
}
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
* The fix is to rework BN so these gymnastics aren't required.
*/
- if (!BN_add(l, k, dsa->q)
- || !BN_add(k, l, dsa->q))
+ if (!BN_add(l, k, dsa->params.q)
+ || !BN_add(k, l, dsa->params.q))
goto err;
BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
if ((dsa)->meth->bn_mod_exp != NULL) {
- if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
- dsa->method_mont_p))
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->params.g, k, dsa->params.p,
+ ctx, dsa->method_mont_p))
goto err;
} else {
- if (!BN_mod_exp_mont(r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p))
+ if (!BN_mod_exp_mont(r, dsa->params.g, k, dsa->params.p, ctx,
+ dsa->method_mont_p))
goto err;
}
- if (!BN_mod(r, r, dsa->q, ctx))
+ if (!BN_mod(r, r, dsa->params.q, ctx))
goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
- if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
+ if ((kinv = dsa_mod_inverse_fermat(k, dsa->params.q, ctx)) == NULL)
goto err;
BN_clear_free(*kinvp);
BN_MONT_CTX *mont = NULL;
const BIGNUM *r, *s;
int ret = -1, i;
- if (!dsa->p || !dsa->q || !dsa->g) {
+ if (dsa->params.p == NULL
+ || dsa->params.q == NULL
+ || dsa->params.g == NULL) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
return -1;
}
- i = BN_num_bits(dsa->q);
+ i = BN_num_bits(dsa->params.q);
/* fips 186-3 allows only different sizes for q */
if (i != 160 && i != 224 && i != 256) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
return -1;
}
- if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
return -1;
}
DSA_SIG_get0(sig, &r, &s);
if (BN_is_zero(r) || BN_is_negative(r) ||
- BN_ucmp(r, dsa->q) >= 0) {
+ BN_ucmp(r, dsa->params.q) >= 0) {
ret = 0;
goto err;
}
if (BN_is_zero(s) || BN_is_negative(s) ||
- BN_ucmp(s, dsa->q) >= 0) {
+ BN_ucmp(s, dsa->params.q) >= 0) {
ret = 0;
goto err;
}
/*
* Calculate W = inv(S) mod Q save W in u2
*/
- if ((BN_mod_inverse(u2, s, dsa->q, ctx)) == NULL)
+ if ((BN_mod_inverse(u2, s, dsa->params.q, ctx)) == NULL)
goto err;
/* save M in u1 */
goto err;
/* u1 = M * w mod q */
- if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
+ if (!BN_mod_mul(u1, u1, u2, dsa->params.q, ctx))
goto err;
/* u2 = r * w mod q */
- if (!BN_mod_mul(u2, r, u2, dsa->q, ctx))
+ if (!BN_mod_mul(u2, r, u2, dsa->params.q, ctx))
goto err;
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
- dsa->lock, dsa->p, ctx);
+ dsa->lock, dsa->params.p, ctx);
if (!mont)
goto err;
}
if (dsa->meth->dsa_mod_exp != NULL) {
- if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key, u2,
- dsa->p, ctx, mont))
+ if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->params.g, u1, dsa->pub_key, u2,
+ dsa->params.p, ctx, mont))
goto err;
} else {
- if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
- mont))
+ if (!BN_mod_exp2_mont(t1, dsa->params.g, u1, dsa->pub_key, u2,
+ dsa->params.p, ctx, mont))
goto err;
}
/* let u1 = u1 mod q */
- if (!BN_mod(u1, t1, dsa->q, ctx))
+ if (!BN_mod(u1, t1, dsa->params.q, ctx))
goto err;
/*
static int dsa_init(DSA *dsa)
{
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+ ffc_params_init(&dsa->params);
return 1;
}
int ret;
DSA_SIG sig;
- sig.r = sig.s = dsa->q;
+ sig.r = sig.s = dsa->params.q;
ret = i2d_DSA_SIG(&sig, NULL);
if (ret < 0)
--- /dev/null
+LIBS=../../libcrypto
+
+$COMMON=ffc_params.c
+
+SOURCE[../../libcrypto]=$COMMON
+SOURCE[../../providers/libfips.a]=$COMMON
--- /dev/null
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h> /* memset */
+#include "internal/ffc.h"
+#ifndef FIPS_MODE
+# include <openssl/asn1.h> /* ffc_params_print */
+#endif
+
+void ffc_params_init(FFC_PARAMS *params)
+{
+ memset(params, 0, sizeof(FFC_PARAMS));
+ params->pcounter = -1;
+}
+
+void ffc_params_cleanup(FFC_PARAMS *params)
+{
+ BN_free(params->p);
+ BN_free(params->q);
+ BN_free(params->g);
+ BN_free(params->j);
+ OPENSSL_free(params->seed);
+ ffc_params_init(params);
+}
+
+void ffc_params_set0_pqg(FFC_PARAMS *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ if (p != NULL && p != d->p) {
+ BN_free(d->p);
+ d->p = p;
+ }
+ if (q != NULL && q != d->q) {
+ BN_free(d->q);
+ d->q = q;
+ }
+ if (g != NULL && g != d->g) {
+ BN_free(d->g);
+ d->g = g;
+ }
+}
+
+void ffc_params_get0_pqg(const FFC_PARAMS *d, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = d->p;
+ if (q != NULL)
+ *q = d->q;
+ if (g != NULL)
+ *g = d->g;
+}
+
+
+/* j is the 'cofactor' that is optionally output for ASN1. */
+void ffc_params_set0_j(FFC_PARAMS *d, BIGNUM *j)
+{
+ BN_free(d->j);
+ d->j = NULL;
+ if (j != NULL)
+ d->j = j;
+}
+
+int ffc_params_set_validate_params(FFC_PARAMS *params,
+ const unsigned char *seed, size_t seedlen,
+ int counter)
+{
+ if (params == NULL)
+ return 0;
+
+ if (params->seed != NULL)
+ OPENSSL_free(params->seed);
+
+ if (seed != NULL && seedlen > 0) {
+ params->seed = OPENSSL_memdup(seed, seedlen);
+ if (params->seed == NULL)
+ return 0;
+ params->seedlen = seedlen;
+ } else {
+ params->seed = NULL;
+ params->seedlen = 0;
+ }
+ params->pcounter = counter;
+ return 1;
+}
+
+void ffc_params_get_validate_params(const FFC_PARAMS *params,
+ unsigned char **seed, size_t *seedlen,
+ int *pcounter)
+{
+ if (seed != NULL)
+ *seed = params->seed;
+ if (seedlen != NULL)
+ *seedlen = params->seedlen;
+ if (pcounter != NULL)
+ *pcounter = params->pcounter;
+}
+
+static int ffc_bn_cpy(BIGNUM **dst, const BIGNUM *src)
+{
+ BIGNUM *a;
+
+ /*
+ * If source is read only just copy the pointer, so
+ * we don't have to reallocate it.
+ */
+ if (src == NULL)
+ a = NULL;
+ else if (BN_get_flags(src, BN_FLG_STATIC_DATA)
+ && !BN_get_flags(src, BN_FLG_MALLOCED))
+ a = (BIGNUM *)src;
+ else if ((a = BN_dup(src)) == NULL)
+ return 0;
+ BN_clear_free(*dst);
+ *dst = a;
+ return 1;
+}
+
+int ffc_params_copy(FFC_PARAMS *dst, const FFC_PARAMS *src)
+{
+ if (!ffc_bn_cpy(&dst->p, src->p)
+ || !ffc_bn_cpy(&dst->g, src->g)
+ || !ffc_bn_cpy(&dst->q, src->q)
+ || !ffc_bn_cpy(&dst->j, src->j))
+ return 0;
+
+ OPENSSL_free(dst->seed);
+ dst->seedlen = src->seedlen;
+ if (src->seed != NULL) {
+ dst->seed = OPENSSL_memdup(src->seed, src->seedlen);
+ if (dst->seed == NULL)
+ return 0;
+ } else {
+ dst->seed = NULL;
+ }
+ dst->pcounter = src->pcounter;
+ return 1;
+}
+
+int ffc_params_cmp(const FFC_PARAMS *a, const FFC_PARAMS *b, int ignore_q)
+{
+ return BN_cmp(a->p, b->p) == 0
+ && BN_cmp(a->g, b->g) == 0
+ && (ignore_q || BN_cmp(a->q, b->q) == 0); /* Note: q may be NULL */
+}
+
+#ifndef FIPS_MODE
+int ffc_params_print(BIO *bp, const FFC_PARAMS *ffc, int indent)
+{
+ if (!ASN1_bn_print(bp, "prime P:", ffc->p, NULL, indent))
+ goto err;
+ if (!ASN1_bn_print(bp, "generator G:", ffc->g, NULL, indent))
+ goto err;
+ if (ffc->q != NULL
+ && !ASN1_bn_print(bp, "subgroup order Q:", ffc->q, NULL, indent))
+ goto err;
+ if (ffc->j != NULL
+ && !ASN1_bn_print(bp, "subgroup factor:", ffc->j, NULL, indent))
+ goto err;
+ if (ffc->seed != NULL) {
+ size_t i;
+ BIO_indent(bp, indent, 128);
+ BIO_puts(bp, "seed:");
+ for (i = 0; i < ffc->seedlen; i++) {
+ if ((i % 15) == 0) {
+ if (BIO_puts(bp, "\n") <= 0
+ || !BIO_indent(bp, indent + 4, 128))
+ goto err;
+ }
+ if (BIO_printf(bp, "%02x%s", ffc->seed[i],
+ ((i + 1) == ffc->seedlen) ? "" : ":") <= 0)
+ goto err;
+ }
+ if (BIO_write(bp, "\n", 1) <= 0)
+ return 0;
+ }
+ if (ffc->pcounter != -1) {
+ BIO_indent(bp, indent, 128);
+ if (BIO_printf(bp, "counter: %d\n", ffc->pcounter) <= 0)
+ goto err;
+ }
+ return 1;
+err:
+ return 0;
+}
+#endif /* FIPS_MODE */
*/
#include <openssl/dh.h>
+#include "internal/ffc.h"
int dh_compute_key(OPENSSL_CTX *ctx, unsigned char *key, const BIGNUM *pub_key,
DH *dh);
int dh_compute_key_padded(OPENSSL_CTX *ctx, unsigned char *key,
const BIGNUM *pub_key, DH *dh);
+FFC_PARAMS *dh_get0_params(DH *dh);
--- /dev/null
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_FFC_H
+# define OSSL_INTERNAL_FFC_H
+
+# include <openssl/bn.h>
+
+/*
+ * Finite field cryptography (FFC) domain parameters are used by DH and DSA.
+ * Refer to FIPS186_4 Appendix A & B.
+ */
+typedef struct ffc_params_st {
+ /* Primes */
+ BIGNUM *p;
+ BIGNUM *q;
+ /* Generator */
+ BIGNUM *g;
+ /* DH X9.42 Optional Subgroup factor j >= 2 where p = j * q + 1 */
+ BIGNUM *j;
+
+ /* Required for FIPS186_4 validation of p, q and optionally canonical g */
+ unsigned char *seed;
+ /* If this value is zero the hash size is used as the seed length */
+ size_t seedlen;
+ /* Required for FIPS186_4 validation of p and q */
+ int pcounter;
+
+} FFC_PARAMS;
+
+void ffc_params_init(FFC_PARAMS *params);
+void ffc_params_cleanup(FFC_PARAMS *params);
+void ffc_params_set0_pqg(FFC_PARAMS *params, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+void ffc_params_get0_pqg(const FFC_PARAMS *params, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g);
+void ffc_params_set0_j(FFC_PARAMS *d, BIGNUM *j);
+int ffc_params_set_validate_params(FFC_PARAMS *params,
+ const unsigned char *seed, size_t seedlen,
+ int counter);
+void ffc_params_get_validate_params(const FFC_PARAMS *params,
+ unsigned char **seed, size_t *seedlen,
+ int *pcounter);
+
+int ffc_params_copy(FFC_PARAMS *dst, const FFC_PARAMS *src);
+int ffc_params_cmp(const FFC_PARAMS *a, const FFC_PARAMS *b, int ignore_q);
+
+#ifndef FIPS_MODE
+int ffc_params_print(BIO *bp, const FFC_PARAMS *ffc, int indent);
+#endif /* FIPS_MODE */
+
+#endif /* OSSL_INTERNAL_FFC_H */
projects / oweals / openssl.git / commitdiff