Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 4969cc9b0ab2905ec478277f50ed3849b37a6c6b / . / src / crypto / dh / check.c
blob: d27fdf1540466778974459537290b4cd9e4c0238 [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#include <openssl/dh.h>
58
59#include <openssl/bn.h>
60
61#include "internal.h"
62
63
64int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]65 *ret = 0;
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame^]66
67 BN_CTX *ctx = BN_CTX_new();
68 if (ctx == NULL) {
69 return 0;
70 }
71 BN_CTX_start(ctx);
72
73 int ok = 0;
74
75 /* Check |pub_key| is greater than 1. */
76 BIGNUM *tmp = BN_CTX_get(ctx);
77 if (tmp == NULL ||
78 !BN_set_word(tmp, 1)) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]79 goto err;
80 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame^]81 if (BN_cmp(pub_key, tmp) <= 0) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]82 *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
83 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame^]84
85 /* Check |pub_key| is less than |dh->p| - 1. */
86 if (!BN_copy(tmp, dh->p) ||
87 !BN_sub_word(tmp, 1)) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]88 goto err;
89 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame^]90 if (BN_cmp(pub_key, tmp) >= 0) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]91 *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
92 }
93
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame^]94 if (dh->q != NULL) {
95 /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
96 * groups which are not safe primes but pick a generator on a prime-order
97 * subgroup of size |dh->q|. */
98 if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) {
99 goto err;
100 }
101 if (!BN_is_one(tmp)) {
102 *ret |= DH_CHECK_PUBKEY_INVALID;
103 }
104 }
105
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]106 ok = 1;
107
108err:
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame^]109 BN_CTX_end(ctx);
110 BN_CTX_free(ctx);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]111 return ok;
112}
113
114
115int DH_check(const DH *dh, int *ret) {
116 /* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
117 * suitable generator where:
118 * for 2, p mod 24 == 11
119 * for 3, p mod 12 == 5
120 * for 5, p mod 10 == 3 or 7
121 * should hold.
122 */
123 int ok = 0;
124 BN_CTX *ctx = NULL;
125 BN_ULONG l;
126 BIGNUM *t1 = NULL, *t2 = NULL;
127
128 *ret = 0;
129 ctx = BN_CTX_new();
130 if (ctx == NULL) {
131 goto err;
132 }
133 BN_CTX_start(ctx);
134 t1 = BN_CTX_get(ctx);
135 if (t1 == NULL) {
136 goto err;
137 }
138 t2 = BN_CTX_get(ctx);
139 if (t2 == NULL) {
140 goto err;
141 }
142
143 if (dh->q) {
144 if (BN_cmp(dh->g, BN_value_one()) <= 0) {
145 *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
146 } else if (BN_cmp(dh->g, dh->p) >= 0) {
147 *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
148 } else {
149 /* Check g^q == 1 mod p */
150 if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) {
151 goto err;
152 }
153 if (!BN_is_one(t1)) {
154 *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
155 }
156 }
157 if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL)) {
158 *ret |= DH_CHECK_Q_NOT_PRIME;
159 }
160 /* Check p == 1 mod q i.e. q divides p - 1 */
161 if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
162 goto err;
163 }
164 if (!BN_is_one(t2)) {
165 *ret |= DH_CHECK_INVALID_Q_VALUE;
166 }
167 if (dh->j && BN_cmp(dh->j, t1)) {
168 *ret |= DH_CHECK_INVALID_J_VALUE;
169 }
170 } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
171 l = BN_mod_word(dh->p, 24);
172 if (l != 11) {
173 *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
174 }
175 } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
176 l = BN_mod_word(dh->p, 10);
177 if (l != 3 && l != 7) {
178 *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
179 }
180 } else {
181 *ret |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;
182 }
183
184 if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL)) {
185 *ret |= DH_CHECK_P_NOT_PRIME;
186 } else if (!dh->q) {
187 if (!BN_rshift1(t1, dh->p)) {
188 goto err;
189 }
190 if (!BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL)) {
191 *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
192 }
193 }
194 ok = 1;
195
196err:
197 if (ctx != NULL) {
198 BN_CTX_end(ctx);
199 BN_CTX_free(ctx);
200 }
201 return ok;
202}