From 738ee1819e3bb94723701fb505ce2971afe47a9b Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Mon, 20 Apr 2020 11:07:38 +1000 Subject: [PATCH] Fix DH_get_nid() so that it does not cache values. DH_set0_pqg() is now responsible for caching the nid, q and length. DH with or without named safe prime groups now default to using the maximum private key length (BN_num_bits(q) - 1) when generating a DH private key. The code is now shared between fips and non fips mode for DH key generation. The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be in the range (2 * strength ... bits(q) - 1). Where the strength depends on the length of p. Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (To simplify adding new names). The BIGNUMS were code generated. Fix error in documented return value for DH_get_nid Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11562) --- crypto/bn/bn_dh.c | 468 +++++++++++++++++-- crypto/dh/dh_ameth.c | 2 +- crypto/dh/dh_group_params.c | 137 ++---- crypto/dh/dh_key.c | 12 +- crypto/dh/dh_lib.c | 10 +- crypto/dh/dh_local.h | 3 +- crypto/dsa/dsa_key.c | 5 + crypto/ffc/ffc_key_generate.c | 27 +- doc/man3/DH_get0_pqg.pod | 13 +- doc/man3/DH_new_by_nid.pod | 10 +- include/crypto/bn_dh.h | 13 +- include/crypto/dh.h | 1 + include/internal/ffc.h | 2 - include/openssl/core_names.h | 1 + include/openssl/dh.h | 2 +- providers/implementations/keymgmt/dh_kmgmt.c | 19 +- test/evp_pkey_provided_test.c | 6 +- test/ffc_internal_test.c | 8 +- test/recipes/15-test_gendh.t | 19 +- 19 files changed, 570 insertions(+), 188 deletions(-) diff --git a/crypto/bn/bn_dh.c b/crypto/bn/bn_dh.c index 2dfa5a09ca..9ffb6d8d83 100644 --- a/crypto/bn/bn_dh.c +++ b/crypto/bn/bn_dh.c @@ -45,9 +45,23 @@ static const BN_ULONG modp_1536_p[] = { BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG modp_1536_q[] = { + BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), + BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), + BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), + BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), + BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), + BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), + BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), + BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), + BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), + BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), + BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), + BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) +}; # endif /* FIPS_MODE */ - /*- * "2048-bit MODP Group" from RFC3526, Section 3. * @@ -73,6 +87,25 @@ static const BN_ULONG modp_2048_p[] = { BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG modp_2048_q[] = { + BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), + BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), + BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), + BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), + BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), + BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), + BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), + BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), + BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), + BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), + BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), + BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), + BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), + BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), + BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), + BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; /*- * "3072-bit MODP Group" from RFC3526, Section 4. @@ -107,7 +140,33 @@ static const BN_ULONG modp_3072_p[] = { BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; - +/* q = (p - 1) / 2 */ +static const BN_ULONG modp_3072_q[] = { + BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), + BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), + BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), + BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), + BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), + BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), + BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), + BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), + BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), + BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), + BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), + BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), + BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), + BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), + BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), + BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), + BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), + BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), + BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), + BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), + BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), + BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), + BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), + BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; /*- * "4096-bit MODP Group" from RFC3526, Section 5. @@ -150,6 +209,41 @@ static const BN_ULONG modp_4096_p[] = { BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG modp_4096_q[] = { + BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), + BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), + BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), + BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), + BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), + BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), + BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), + BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), + BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), + BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), + BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), + BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), + BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), + BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), + BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), + BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), + BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), + BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), + BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), + BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), + BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), + BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), + BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), + BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), + BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), + BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), + BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), + BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), + BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), + BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), + BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), + BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; /*- * "6144-bit MODP Group" from RFC3526, Section 6. @@ -208,6 +302,57 @@ static const BN_ULONG modp_6144_p[] = { BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG modp_6144_q[] = { + BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), + BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), + BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), + BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), + BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), + BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), + BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), + BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), + BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), + BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), + BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), + BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), + BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), + BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), + BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), + BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), + BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), + BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), + BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), + BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), + BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), + BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), + BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), + BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), + BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), + BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), + BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), + BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), + BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), + BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), + BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), + BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), + BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), + BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), + BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), + BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), + BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), + BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), + BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), + BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), + BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), + BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), + BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), + BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), + BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), + BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), + BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), + BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; /* * "8192-bit MODP Group" from RFC3526, Section 7. @@ -282,6 +427,73 @@ static const BN_ULONG modp_8192_p[] = { BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG modp_8192_q[] = { + BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), + BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), + BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), + BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), + BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), + BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), + BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), + BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), + BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), + BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), + BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), + BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), + BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), + BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), + BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), + BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), + BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), + BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), + BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), + BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), + BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), + BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), + BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), + BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), + BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), + BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), + BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), + BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), + BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), + BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), + BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), + BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), + BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), + BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), + BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), + BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), + BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), + BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), + BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), + BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), + BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), + BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), + BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), + BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), + BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), + BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), + BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), + BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), + BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), + BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), + BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), + BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), + BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), + BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), + BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), + BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), + BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), + BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), + BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), + BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), + BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), + BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), + BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), + BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; /* DH parameters from RFC5114 */ static const BN_ULONG dh1024_160_p[] = { @@ -294,7 +506,10 @@ static const BN_ULONG dh1024_160_p[] = { BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC), BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96) }; - +static const BN_ULONG dh1024_160_q[] = { + BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), + (BN_ULONG)0xF518AA87 +}; static const BN_ULONG dh1024_160_g[] = { BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE), BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1), @@ -306,11 +521,6 @@ static const BN_ULONG dh1024_160_g[] = { BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5) }; -static const BN_ULONG dh1024_160_q[] = { - BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), - (BN_ULONG)0xF518AA87 -}; - static const BN_ULONG dh2048_224_p[] = { BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538), BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1), @@ -329,7 +539,10 @@ static const BN_ULONG dh2048_224_p[] = { BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5), BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E) }; - +static const BN_ULONG dh2048_224_q[] = { + BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), + BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 +}; static const BN_ULONG dh2048_224_g[] = { BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F), BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C), @@ -349,11 +562,6 @@ static const BN_ULONG dh2048_224_g[] = { BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF) }; -static const BN_ULONG dh2048_224_q[] = { - BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), - BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 -}; - static const BN_ULONG dh2048_256_p[] = { BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA), BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330), @@ -372,7 +580,10 @@ static const BN_ULONG dh2048_256_p[] = { BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608), BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D) }; - +static const BN_ULONG dh2048_256_q[] = { + BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), + BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) +}; static const BN_ULONG dh2048_256_g[] = { BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF), BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784), @@ -392,12 +603,6 @@ static const BN_ULONG dh2048_256_g[] = { BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B) }; -static const BN_ULONG dh2048_256_q[] = { - BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), - BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) - -}; - /* Primes from RFC 7919 */ static const BN_ULONG ffdhe2048_p[] = { BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238), @@ -417,6 +622,25 @@ static const BN_ULONG ffdhe2048_p[] = { BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG ffdhe2048_q[] = { + BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C), + BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), + BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), + BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), + BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), + BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), + BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), + BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), + BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), + BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), + BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), + BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), + BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), + BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), + BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), + BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; static const BN_ULONG ffdhe3072_p[] = { BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B), @@ -444,6 +668,33 @@ static const BN_ULONG ffdhe3072_p[] = { BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG ffdhe3072_q[] = { + BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95), + BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), + BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), + BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), + BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), + BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), + BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), + BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), + BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), + BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), + BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), + BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), + BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), + BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), + BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), + BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), + BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), + BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), + BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), + BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), + BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), + BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), + BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), + BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; static const BN_ULONG ffdhe4096_p[] = { BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E), @@ -479,6 +730,41 @@ static const BN_ULONG ffdhe4096_p[] = { BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG ffdhe4096_q[] = { + BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F), + BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), + BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), + BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), + BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), + BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), + BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), + BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), + BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), + BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), + BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), + BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), + BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), + BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), + BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), + BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), + BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), + BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), + BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), + BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), + BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), + BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), + BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), + BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), + BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), + BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), + BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), + BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), + BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), + BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), + BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), + BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; static const BN_ULONG ffdhe6144_p[] = { BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C), @@ -530,6 +816,57 @@ static const BN_ULONG ffdhe6144_p[] = { BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG ffdhe6144_q[] = { + BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E), + BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), + BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), + BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), + BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), + BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), + BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), + BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), + BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), + BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), + BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), + BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), + BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), + BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), + BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), + BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), + BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), + BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), + BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), + BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), + BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), + BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), + BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), + BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), + BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), + BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), + BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), + BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), + BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), + BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), + BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), + BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), + BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), + BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), + BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), + BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), + BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), + BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), + BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), + BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), + BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), + BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), + BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), + BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), + BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), + BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), + BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), + BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; static const BN_ULONG ffdhe8192_p[] = { BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7), @@ -597,6 +934,73 @@ static const BN_ULONG ffdhe8192_p[] = { BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) }; +/* q = (p - 1) / 2 */ +static const BN_ULONG ffdhe8192_q[] = { + BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB), + BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283), + BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2), + BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E), + BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF), + BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5), + BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA), + BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B), + BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36), + BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3), + BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660), + BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563), + BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E), + BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1), + BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4), + BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18), + BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E), + BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), + BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), + BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), + BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), + BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), + BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), + BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), + BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), + BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), + BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), + BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), + BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), + BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), + BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), + BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), + BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), + BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), + BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), + BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), + BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), + BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), + BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), + BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), + BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), + BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), + BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), + BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), + BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), + BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), + BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), + BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), + BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), + BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), + BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), + BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), + BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), + BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), + BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), + BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), + BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), + BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), + BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), + BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), + BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), + BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), + BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), + BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), +}; /* Macro to make a BIGNUM from static data */ @@ -608,32 +1012,44 @@ static const BN_ULONG ffdhe8192_p[] = { static const BN_ULONG value_2 = 2; -const BIGNUM _bignum_const_2 = - { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA }; +const BIGNUM _bignum_const_2 = { + (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA +}; make_dh_bn(dh1024_160_p) -make_dh_bn(dh1024_160_g) make_dh_bn(dh1024_160_q) +make_dh_bn(dh1024_160_g) make_dh_bn(dh2048_224_p) -make_dh_bn(dh2048_224_g) make_dh_bn(dh2048_224_q) +make_dh_bn(dh2048_224_g) make_dh_bn(dh2048_256_p) -make_dh_bn(dh2048_256_g) make_dh_bn(dh2048_256_q) +make_dh_bn(dh2048_256_g) make_dh_bn(ffdhe2048_p) +make_dh_bn(ffdhe2048_q) make_dh_bn(ffdhe3072_p) +make_dh_bn(ffdhe3072_q) make_dh_bn(ffdhe4096_p) +make_dh_bn(ffdhe4096_q) make_dh_bn(ffdhe6144_p) +make_dh_bn(ffdhe6144_q) make_dh_bn(ffdhe8192_p) +make_dh_bn(ffdhe8192_q) # ifndef FIPS_MODE make_dh_bn(modp_1536_p) +make_dh_bn(modp_1536_q) # endif make_dh_bn(modp_2048_p) +make_dh_bn(modp_2048_q) make_dh_bn(modp_3072_p) +make_dh_bn(modp_3072_q) make_dh_bn(modp_4096_p) +make_dh_bn(modp_4096_q) make_dh_bn(modp_6144_p) +make_dh_bn(modp_6144_q) make_dh_bn(modp_8192_p) +make_dh_bn(modp_8192_q) #endif /* OPENSSL_NO_DH */ diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index ea92fc9db7..4d247dbba2 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -559,7 +559,7 @@ static int dh_pkey_import_from(const OSSL_PARAM params[], void *vpctx) return 0; } - if (!ffc_params_fromdata(dh_get0_params(dh), params) + if (!dh_ffc_params_fromdata(dh, params) || !dh_key_fromdata(dh, params) || !EVP_PKEY_assign_DH(pkey, dh)) { DH_free(dh); diff --git a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c index 1f5a58ed87..7221e806c5 100644 --- a/crypto/dh/dh_group_params.c +++ b/crypto/dh/dh_group_params.c @@ -23,19 +23,18 @@ #include #include "crypto/bn_dh.h" #include "crypto/dh.h" -#include "crypto/security_bits.h" #include "e_os.h" /* strcasecmp */ #define FFDHE(sz) { \ SN_ffdhe##sz, NID_ffdhe##sz, \ sz, \ - &_bignum_ffdhe##sz##_p, NULL, &_bignum_const_2 \ + &_bignum_ffdhe##sz##_p, &_bignum_ffdhe##sz##_q, &_bignum_const_2 \ } #define MODP(sz) { \ SN_modp_##sz, NID_modp_##sz, \ sz, \ - &_bignum_modp_##sz##_p, NULL, &_bignum_const_2 \ + &_bignum_modp_##sz##_p, &_bignum_modp_##sz##_q, &_bignum_const_2 \ } #define RFC5114(name, uid, sz, tag) { \ @@ -102,30 +101,18 @@ const char *ffc_named_group_from_uid(int uid) } static DH *dh_param_init(OPENSSL_CTX *libctx, int uid, const BIGNUM *p, - const BIGNUM *q, const BIGNUM *g, - int32_t nbits) + const BIGNUM *q, const BIGNUM *g) { - BIGNUM *qtmp = NULL; DH *dh = dh_new_with_libctx(libctx); if (dh == NULL) return NULL; - if (q == NULL) { - qtmp = BN_dup(p); - /* Set q = (p - 1) / 2 (p is known to be odd so just shift right ) */ - if (qtmp == NULL || !BN_rshift1(qtmp, qtmp)) { - BN_free(qtmp); - DH_free(dh); - return NULL; - } - } dh->params.nid = uid; dh->params.p = (BIGNUM *)p; - dh->params.q = (q != NULL ? (BIGNUM *)q : qtmp); + dh->params.q = (BIGNUM *)q; dh->params.g = (BIGNUM *)g; - /* Private key length = 2 * max_target_security_strength */ - dh->length = nbits; + dh->length = BN_num_bits(q); dh->dirty_cnt++; return dh; } @@ -139,19 +126,10 @@ static DH *dh_new_by_group_name(OPENSSL_CTX *libctx, const char *name) for (i = 0; i < (int)OSSL_NELEM(dh_named_groups); ++i) { if (strcasecmp(dh_named_groups[i].name, name) == 0) { - int max_target_security_strength = - ifc_ffc_compute_security_bits(dh_named_groups[i].nbits); - - /* - * The last parameter specified here is - * 2 * max_target_security_strength. - * See SP800-56Ar3 Table(s) 25 & 26. - */ return dh_param_init(libctx, dh_named_groups[i].uid, dh_named_groups[i].p, dh_named_groups[i].q, - dh_named_groups[i].g, - 2 * max_target_security_strength); + dh_named_groups[i].g); } } DHerr(0, DH_R_INVALID_PARAMETER_NID); @@ -180,23 +158,10 @@ int ffc_set_group_pqg(FFC_PARAMS *ffc, const char *group_name) for (i = 0; i < (int)OSSL_NELEM(dh_named_groups); ++i) { if (strcasecmp(dh_named_groups[i].name, group_name) == 0) { - if (dh_named_groups[i].q != NULL) { - /* For groups with a q */ - ffc_params_set0_pqg(ffc, - (BIGNUM *)dh_named_groups[i].p, - (BIGNUM *)dh_named_groups[i].q, - (BIGNUM *)dh_named_groups[i].g); - } else { - /* For SAFE PRIME GROUPS */ - /* Set q = (p - 1) / 2 (p is known to be odd so just shift right) */ - q = BN_dup(dh_named_groups[i].p); - if (q == NULL || !BN_rshift1(q, q)) - break; /* exit with failure */ - - ffc_params_set0_pqg(ffc, - (BIGNUM *)dh_named_groups[i].p, q, - (BIGNUM *)dh_named_groups[i].g); - } + ffc_params_set0_pqg(ffc, + (BIGNUM *)dh_named_groups[i].p, + (BIGNUM *)dh_named_groups[i].q, + (BIGNUM *)dh_named_groups[i].g); /* flush the cached nid, The DH layer is responsible for caching */ ffc->nid = NID_undef; return 1; @@ -207,63 +172,43 @@ int ffc_set_group_pqg(FFC_PARAMS *ffc, const char *group_name) return 0; } -int DH_get_nid(DH *dh) +void dh_cache_named_group(DH *dh) { - BIGNUM *q = NULL; - int i, nid; + int i; if (dh == NULL) - return NID_undef; + return; + + dh->params.nid = NID_undef; /* flush cached value */ - nid = dh->params.nid; - /* Just return if it is already cached */ - if (nid != NID_undef) - return nid; + /* Exit if p or g is not set */ + if (dh->params.p == NULL + || dh->params.g == NULL) + return; for (i = 0; i < (int)OSSL_NELEM(dh_named_groups); ++i) { - /* Keep searching until a matching p is found */ - if (BN_cmp(dh->params.p, dh_named_groups[i].p) != 0) - continue; - - /* Return an error if g is not matching */ - if (BN_cmp(dh->params.g, dh_named_groups[i].g) != 0) - break; - if (dh_named_groups[i].q != NULL) { - /* RFC5114 NAMED GROUPS have q defined */ - - /* Verify q is correct if it exists */ - if (dh->params.q != NULL) { - if (BN_cmp(dh->params.q, dh_named_groups[i].q) != 0) - break; /* returns nid = NID_undef if q does not match */ - } else { - dh->params.q = (BIGNUM *)dh_named_groups[i].q; - } - } else { - /* For SAFE PRIME GROUPS */ - - /* Set q = (p - 1) / 2 (p is known to be odd so just shift right) */ - q = BN_dup(dh->params.p); - - if (q == NULL || !BN_rshift1(q, q)) - break; /* returns nid = NID_undef on failure */ - - /* Verify q is correct if it exists */ - if (dh->params.q != NULL) { - if (BN_cmp(dh->params.q, q) != 0) - break; /* returns nid = NID_undef if q does not match */ - } else { - /* assign the calculated q */ - dh->params.q = q; - q = NULL; /* set to NULL so it is not freed */ - } + /* Keep searching until a matching p and g is found */ + if (BN_cmp(dh->params.p, dh_named_groups[i].p) == 0 + && BN_cmp(dh->params.g, dh_named_groups[i].g) == 0) { + /* Verify q is correct if it exists */ + if (dh->params.q != NULL) { + if (BN_cmp(dh->params.q, dh_named_groups[i].q) != 0) + continue; /* ignore if q does not match */ + } else { + dh->params.q = (BIGNUM *)dh_named_groups[i].q; + } + dh->params.nid = dh_named_groups[i].uid; /* cache the nid */ + dh->length = BN_num_bits(dh->params.q); + dh->dirty_cnt++; + break; } - nid = dh->params.nid = dh_named_groups[i].uid; /* cache the nid */ - dh->length = - 2 * ifc_ffc_compute_security_bits(dh_named_groups[i].nbits); - dh->dirty_cnt++; - /* A matching p was found so break out of the loop */ - break; } - BN_free(q); - return nid; +} + +int DH_get_nid(const DH *dh) +{ + if (dh == NULL) + return NID_undef; + + return dh->params.nid; } diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index e46946153b..918949d953 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -18,6 +18,7 @@ #include "dh_local.h" #include "crypto/bn.h" #include "crypto/dh.h" +#include "crypto/security_bits.h" #ifdef FIPS_MODE # define MIN_STRENGTH 112 @@ -252,16 +253,15 @@ static int generate_key(DH *dh) if (generate_new_key) { /* Is it an approved safe prime ?*/ if (DH_get_nid(dh) != NID_undef) { - /* - * The safe prime group code sets N = 2*s - * (where s = max security strength supported). - * N = dh->length (N = maximum bit length of private key) - */ + int max_strength = + ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p)); + if (dh->params.q == NULL || dh->length > BN_num_bits(dh->params.q)) goto err; + /* dh->length = maximum bit length of generated private key */ if (!ffc_generate_private_key(ctx, &dh->params, dh->length, - dh->length / 2, priv_key)) + max_strength, priv_key)) goto err; } else { #ifdef FIPS_MODE diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 3643cb1471..7e42d13f3c 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -209,7 +209,8 @@ void DH_get0_pqg(const DH *dh, int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - /* If the fields p and g in d are NULL, the corresponding input + /* + * If the fields p and g in d are NULL, the corresponding input * parameters MUST be non-NULL. q may remain NULL. */ if ((dh->params.p == NULL && p == NULL) @@ -217,7 +218,9 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) return 0; ffc_params_set0_pqg(&dh->params, p, q, g); - dh->params.nid = NID_undef; + dh_cache_named_group(dh); + if (q != NULL) + dh->length = BN_num_bits(q); /* * Check if this is a named group. If it finds a named group then the * 'q' and 'length' value are either already set or are set by the @@ -260,6 +263,7 @@ int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) if (priv_key != NULL) { BN_clear_free(dh->priv_key); dh->priv_key = priv_key; + dh->length = BN_num_bits(priv_key); } dh->dirty_cnt++; @@ -335,7 +339,7 @@ int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[]) ret = ffc_params_fromdata(ffc, params); if (ret) { - DH_get_nid(dh); + dh_cache_named_group(dh); dh->dirty_cnt++; } return ret; diff --git a/crypto/dh/dh_local.h b/crypto/dh/dh_local.h index 7fefcf76f3..3b0181f76a 100644 --- a/crypto/dh/dh_local.h +++ b/crypto/dh/dh_local.h @@ -21,7 +21,8 @@ struct dh_st { int pad; int version; FFC_PARAMS params; - int32_t length; /* optional value of N (if there is no q) */ + /* max generated private key length (can be less than len(q)) */ + int32_t length; BIGNUM *pub_key; /* g^x % p */ BIGNUM *priv_key; /* x */ int flags; diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 1d625272e5..f9bb3470f6 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -74,6 +74,11 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) priv_key = dsa->priv_key; } + /* + * For FFC FIPS 186-4 keygen + * security strength s = 112, + * Max Private key size N = len(q) + */ if (!ffc_generate_private_key(ctx, &dsa->params, BN_num_bits(dsa->params.q), MIN_STRENGTH, priv_key)) goto err; diff --git a/crypto/ffc/ffc_key_generate.c b/crypto/ffc/ffc_key_generate.c index 4e2f231d83..aeabae010f 100644 --- a/crypto/ffc/ffc_key_generate.c +++ b/crypto/ffc/ffc_key_generate.c @@ -10,7 +10,6 @@ #include "internal/ffc.h" /* - * For Fips mode: * SP800-56Ar3 5.6.1.1.4 Key pair generation by testing candidates. * Generates a private key in the interval [1, min(2 ^ N - 1, q - 1)]. * @@ -22,33 +21,19 @@ */ int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params, int N, int s, BIGNUM *priv) -{ -#ifdef FIPS_MODE - return ffc_generate_private_key_fips(ctx, params, N, s, priv); -#else - do { - if (!BN_priv_rand_range_ex(priv, params->q, ctx)) - return 0; - } while (BN_is_zero(priv) || BN_is_one(priv)); - return 1; -#endif /* FIPS_MODE */ -} - -int ffc_generate_private_key_fips(BN_CTX *ctx, const FFC_PARAMS *params, - int N, int s, BIGNUM *priv) { int ret = 0, qbits = BN_num_bits(params->q); BIGNUM *m, *two_powN = NULL; - /* Step (2) : check range of N */ - if (N < 2 * s || N > qbits) - return 0; - /* Deal with the edge case where the value of N is not set */ - if (N == 0) { + if (N == 0) N = qbits; + if (s == 0) s = N / 2; - } + + /* Step (2) : check range of N */ + if (N < 2 * s || N > qbits) + return 0; two_powN = BN_new(); /* 2^N */ diff --git a/doc/man3/DH_get0_pqg.pod b/doc/man3/DH_get0_pqg.pod index 2c63e52b38..74268087a1 100644 --- a/doc/man3/DH_get0_pqg.pod +++ b/doc/man3/DH_get0_pqg.pod @@ -57,11 +57,9 @@ and therefore the values that have been passed in should not be freed directly after this function has been called. The I parameter may be NULL. DH_set0_pqg() also checks if the parameters associated with I

and I and optionally I are associated with known safe prime groups. If it is a safe -prime group then the value of I will be set to q = (p - 1) / 2 if I is NULL. -For safe prime groups the optional length parameter I is set to twice -the value of the maximum_target_security_strength(BN_num_bits(I

)) as listed in -SP800-56Ar3 Table(s) 25 & 26. If it is not a safe prime group then the optional -length parameter will be set if I is not NULL to BN_num_bits(I). +prime group then the value of I will be set to q = (p - 1) / 2 if I is +NULL. The optional length parameter will be set to BN_num_bits(I) if I +is not NULL. To get the public and private key values use the DH_get0_key() function. A pointer to the public key will be stored in I<*pub_key>, and a pointer to the @@ -96,7 +94,10 @@ object, or NULL if no such ENGINE has been set. This function is deprecated. The DH_get_length() and DH_set_length() functions get and set the optional length parameter associated with this DH object. If the length is nonzero then it is used, otherwise it is ignored. The I parameter indicates the -length of the secret exponent (private key) in bits. +length of the secret exponent (private key) in bits. These functions are +deprecated. For safe prime groups the optional length parameter I can be +set to a value greater or equal to 2 * maximum_target_security_strength(BN_num_bits(I

)) +as listed in SP800-56Ar3 Table(s) 25 & 26. =head1 NOTES diff --git a/doc/man3/DH_new_by_nid.pod b/doc/man3/DH_new_by_nid.pod index a333ecb6d2..163be09fed 100644 --- a/doc/man3/DH_new_by_nid.pod +++ b/doc/man3/DH_new_by_nid.pod @@ -2,7 +2,7 @@ =head1 NAME -DH_new_by_nid, DH_get_nid - get or find DH named parameters +DH_new_by_nid, DH_get_nid - create or get DH named parameters =head1 SYNOPSIS @@ -13,7 +13,7 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: - int *DH_get_nid(DH *dh); + int DH_get_nid(const DH *dh); =head1 DESCRIPTION @@ -26,12 +26,6 @@ B, B or B. DH_get_nid() determines if the parameters contained in B match any named safe prime group. It returns the NID corresponding to the matching parameters or B if there is no match. -Internally it caches the nid, so that any subsequent calls can fetch the -cached value. -If a matching p and g are not found and the value of parameter q is not set, -then it is set to q = (p - 1) / 2. -If parameter q is already set then it must also match the expected q otherwise -no match will be found. This function is deprecated. =head1 RETURN VALUES diff --git a/include/crypto/bn_dh.h b/include/crypto/bn_dh.h index c19d4f0734..b900c36651 100644 --- a/include/crypto/bn_dh.h +++ b/include/crypto/bn_dh.h @@ -9,8 +9,8 @@ #define declare_dh_bn(x) \ extern const BIGNUM _bignum_dh##x##_p; \ + extern const BIGNUM _bignum_dh##x##_q; \ extern const BIGNUM _bignum_dh##x##_g; \ - extern const BIGNUM _bignum_dh##x##_q; declare_dh_bn(1024_160) declare_dh_bn(2048_224) @@ -23,6 +23,11 @@ extern const BIGNUM _bignum_ffdhe3072_p; extern const BIGNUM _bignum_ffdhe4096_p; extern const BIGNUM _bignum_ffdhe6144_p; extern const BIGNUM _bignum_ffdhe8192_p; +extern const BIGNUM _bignum_ffdhe2048_q; +extern const BIGNUM _bignum_ffdhe3072_q; +extern const BIGNUM _bignum_ffdhe4096_q; +extern const BIGNUM _bignum_ffdhe6144_q; +extern const BIGNUM _bignum_ffdhe8192_q; extern const BIGNUM _bignum_modp_1536_p; extern const BIGNUM _bignum_modp_2048_p; @@ -30,3 +35,9 @@ extern const BIGNUM _bignum_modp_3072_p; extern const BIGNUM _bignum_modp_4096_p; extern const BIGNUM _bignum_modp_6144_p; extern const BIGNUM _bignum_modp_8192_p; +extern const BIGNUM _bignum_modp_1536_q; +extern const BIGNUM _bignum_modp_2048_q; +extern const BIGNUM _bignum_modp_3072_q; +extern const BIGNUM _bignum_modp_4096_q; +extern const BIGNUM _bignum_modp_6144_q; +extern const BIGNUM _bignum_modp_8192_q; diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 150d13b370..1ae2c2f0a3 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -20,6 +20,7 @@ int dh_generate_public_key(BN_CTX *ctx, DH *dh, const BIGNUM *priv_key, BIGNUM *pub_key); int dh_get_named_group_uid_from_size(int pbits); const char *dh_gen_type_id2name(int id); +void dh_cache_named_group(DH *dh); FFC_PARAMS *dh_get0_params(DH *dh); int dh_get0_nid(const DH *dh); diff --git a/include/internal/ffc.h b/include/internal/ffc.h index 90a13a5fd4..8a948066d6 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -149,8 +149,6 @@ int ffc_params_FIPS186_2_validate(const FFC_PARAMS *params, int type, int ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params, int N, int s, BIGNUM *priv); -int ffc_generate_private_key_fips(BN_CTX *ctx, const FFC_PARAMS *params, - int N, int s, BIGNUM *priv); int ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont, const BIGNUM *p, const BIGNUM *q, diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index b5ee883bc7..4ac17497fc 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -207,6 +207,7 @@ extern "C" { /* Diffie-Hellman params */ #define OSSL_PKEY_PARAM_FFC_GROUP "group" #define OSSL_PKEY_PARAM_FFC_GENERATOR "safeprime-generator" +#define OSSL_PKEY_PARAM_DH_PRIV_LEN "priv_len" /* Elliptic Curve Domain Parameters */ #define OSSL_PKEY_PARAM_EC_NAME "curve-name" diff --git a/include/openssl/dh.h b/include/openssl/dh.h index ab455b7492..074cf84bab 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -196,7 +196,7 @@ DH *DH_get_2048_256(void); /* Named parameters, currently RFC7919 and RFC3526 */ /* TODO(3.0): deprecate DH_new_by_nid() after converting ssl/s3_lib.c */ DH *DH_new_by_nid(int nid); -DEPRECATEDIN_3_0(int DH_get_nid(DH *dh)) +DEPRECATEDIN_3_0(int DH_get_nid(const DH *dh)) # ifndef OPENSSL_NO_CMS /* RFC2631 KDF */ diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 31a7c0b95c..f09654c048 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -65,6 +65,7 @@ struct dh_gen_ctx { int generator; /* Used by DH_PARAMGEN_TYPE_GENERATOR in non fips mode only */ int pcounter; int hindex; + int priv_len; OSSL_CALLBACK *cb; void *cbarg; @@ -432,20 +433,16 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[]) gctx->gen_type = DH_PARAMGEN_TYPE_GROUP; } p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GENERATOR); - if (p != NULL - && !OSSL_PARAM_get_int(p, &gctx->generator)) + if (p != NULL && !OSSL_PARAM_get_int(p, &gctx->generator)) return 0; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GINDEX); - if (p != NULL - && !OSSL_PARAM_get_int(p, &gctx->gindex)) + if (p != NULL && !OSSL_PARAM_get_int(p, &gctx->gindex)) return 0; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_PCOUNTER); - if (p != NULL - && !OSSL_PARAM_get_int(p, &gctx->pcounter)) + if (p != NULL && !OSSL_PARAM_get_int(p, &gctx->pcounter)) return 0; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_H); - if (p != NULL - && !OSSL_PARAM_get_int(p, &gctx->hindex)) + if (p != NULL && !OSSL_PARAM_get_int(p, &gctx->hindex)) return 0; p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_SEED); if (p != NULL @@ -476,6 +473,9 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[]) if (gctx->md == NULL) return 0; } + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); + if (p != NULL && !OSSL_PARAM_get_int(p, &gctx->priv_len)) + return 0; return 1; } @@ -493,6 +493,7 @@ static const OSSL_PARAM *dh_gen_settable_params(void *provctx) OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GENERATOR, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL), OSSL_PARAM_END }; return settable; @@ -577,6 +578,8 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { if (ffc->p == NULL || ffc->g == NULL) goto end; + if (gctx->priv_len > 0) + DH_set_length(dh, (long)gctx->priv_len); if (DH_generate_key(dh) <= 0) goto end; } diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 7b61cbe11f..1ded0d9f9e 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -408,7 +408,8 @@ static int test_fromdata_dh_named_group(void) /* * DH key data was generated using the following: - * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text + * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 + * -pkeyopt priv_len:224 -text */ static const unsigned char priv_data[] = { 0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d, @@ -547,7 +548,8 @@ static int test_fromdata_dh_fips186_4(void) /* * DH key data was generated using the following: - * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text + * openssl genpkey -algorithm DH + * -pkeyopt group:ffdhe2048 -pkeyopt priv_len:224 -text */ static const unsigned char priv_data[] = { 0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d, diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c index e74dc1bd0f..c0b8e67871 100644 --- a/test/ffc_internal_test.c +++ b/test/ffc_internal_test.c @@ -600,19 +600,19 @@ static int ffc_private_gen_test(int index) N = BN_num_bits(params->q); /* Fail since N < 2*s - where s = 112*/ - if (!TEST_false(ffc_generate_private_key_fips(ctx, params, 220, 112, priv))) + if (!TEST_false(ffc_generate_private_key(ctx, params, 220, 112, priv))) goto err; /* fail since N > len(q) */ - if (!TEST_false(ffc_generate_private_key_fips(ctx, params, N + 1, 112, priv))) + if (!TEST_false(ffc_generate_private_key(ctx, params, N + 1, 112, priv))) goto err; /* pass since 2s <= N <= len(q) */ - if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N, 112, priv))) + if (!TEST_true(ffc_generate_private_key(ctx, params, N, 112, priv))) goto err; /* pass since N = len(q) */ if (!TEST_true(ffc_validate_private_key(params->q, priv, &res))) goto err; /* pass since 2s <= N < len(q) */ - if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N / 2, 112, priv))) + if (!TEST_true(ffc_generate_private_key(ctx, params, N / 2, 112, priv))) goto err; if (!TEST_true(ffc_validate_private_key(params->q, priv, &res))) goto err; diff --git a/test/recipes/15-test_gendh.t b/test/recipes/15-test_gendh.t index 87ddac96f7..a2ef8dab9f 100644 --- a/test/recipes/15-test_gendh.t +++ b/test/recipes/15-test_gendh.t @@ -18,7 +18,7 @@ setup("test_gendh"); plan skip_all => "This test is unsupported in a no-dh build" if disabled("dh"); -plan tests => 9; +plan tests => 13; ok(run(app([ 'openssl', 'genpkey', '-genparam', '-algorithm', 'DH', @@ -80,4 +80,19 @@ ok(run(app([ 'openssl', 'genpkey', ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH'])), "genpkey DH with no params should fail"); - \ No newline at end of file + + ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe3072', '-pkeyopt', 'priv_len:255', '-text'])), + 'genpkey DH with a small private len should fail'); + + ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe3072', '-pkeyopt', 'priv_len:3072', '-text'])), + 'genpkey DH with a large private len should fail'); + + ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe3072', '-pkeyopt', 'priv_len:256', '-text'])), + 'genpkey DH with a minimum strength private len'); + + ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe2048', '-pkeyopt', 'priv_len:224', '-text'])), + 'genpkey 2048 DH with a minimum strength private len'); -- 2.25.1