mirror of https://github.com/openssl/openssl.git
188 lines
5.9 KiB
C
188 lines
5.9 KiB
C
/*
|
|
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/*
|
|
* Finite Field cryptography (FFC) is used for DSA and DH.
|
|
* This file contains methods for validation of FFC parameters.
|
|
* It calls the same functions as the generation as the code is very similar.
|
|
*/
|
|
|
|
#include <openssl/err.h>
|
|
#include <openssl/bn.h>
|
|
#include <openssl/dsaerr.h>
|
|
#include <openssl/dherr.h>
|
|
#include "internal/ffc.h"
|
|
|
|
/* FIPS186-4 A.2.2 Unverifiable partial validation of Generator g */
|
|
int ossl_ffc_params_validate_unverifiable_g(BN_CTX *ctx, BN_MONT_CTX *mont,
|
|
const BIGNUM *p, const BIGNUM *q,
|
|
const BIGNUM *g, BIGNUM *tmp,
|
|
int *ret)
|
|
{
|
|
/*
|
|
* A.2.2 Step (1) AND
|
|
* A.2.4 Step (2)
|
|
* Verify that 2 <= g <= (p - 1)
|
|
*/
|
|
if (BN_cmp(g, BN_value_one()) <= 0 || BN_cmp(g, p) >= 0) {
|
|
*ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* A.2.2 Step (2) AND
|
|
* A.2.4 Step (3)
|
|
* Check g^q mod p = 1
|
|
*/
|
|
if (!BN_mod_exp_mont(tmp, g, q, p, ctx, mont))
|
|
return 0;
|
|
if (BN_cmp(tmp, BN_value_one()) != 0) {
|
|
*ret |= FFC_ERROR_NOT_SUITABLE_GENERATOR;
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
int ossl_ffc_params_FIPS186_4_validate(OSSL_LIB_CTX *libctx,
|
|
const FFC_PARAMS *params, int type,
|
|
int *res, BN_GENCB *cb)
|
|
{
|
|
size_t L, N;
|
|
|
|
if (params == NULL || params->p == NULL || params->q == NULL)
|
|
return FFC_PARAM_RET_STATUS_FAILED;
|
|
|
|
/* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
|
|
L = BN_num_bits(params->p);
|
|
N = BN_num_bits(params->q);
|
|
return ossl_ffc_params_FIPS186_4_gen_verify(libctx, (FFC_PARAMS *)params,
|
|
FFC_PARAM_MODE_VERIFY, type,
|
|
L, N, res, cb);
|
|
}
|
|
|
|
/* This may be used in FIPS mode to validate deprecated FIPS-186-2 Params */
|
|
int ossl_ffc_params_FIPS186_2_validate(OSSL_LIB_CTX *libctx,
|
|
const FFC_PARAMS *params, int type,
|
|
int *res, BN_GENCB *cb)
|
|
{
|
|
size_t L, N;
|
|
|
|
if (params == NULL || params->p == NULL || params->q == NULL) {
|
|
*res = FFC_CHECK_INVALID_PQ;
|
|
return FFC_PARAM_RET_STATUS_FAILED;
|
|
}
|
|
|
|
/* A.1.1.3 Step (1..2) : L = len(p), N = len(q) */
|
|
L = BN_num_bits(params->p);
|
|
N = BN_num_bits(params->q);
|
|
return ossl_ffc_params_FIPS186_2_gen_verify(libctx, (FFC_PARAMS *)params,
|
|
FFC_PARAM_MODE_VERIFY, type,
|
|
L, N, res, cb);
|
|
}
|
|
|
|
/*
|
|
* This does a simple check of L and N and partial g.
|
|
* It makes no attempt to do a full validation of p, q or g since these require
|
|
* extra parameters such as the digest and seed, which may not be available for
|
|
* this test.
|
|
*/
|
|
int ossl_ffc_params_simple_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params,
|
|
int paramstype, int *res)
|
|
{
|
|
int ret;
|
|
int tmpres = 0;
|
|
FFC_PARAMS tmpparams = {0};
|
|
|
|
if (params == NULL)
|
|
return 0;
|
|
|
|
if (res == NULL)
|
|
res = &tmpres;
|
|
|
|
if (!ossl_ffc_params_copy(&tmpparams, params))
|
|
return 0;
|
|
|
|
tmpparams.flags = FFC_PARAM_FLAG_VALIDATE_G;
|
|
tmpparams.gindex = FFC_UNVERIFIABLE_GINDEX;
|
|
|
|
#ifndef FIPS_MODULE
|
|
if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY)
|
|
ret = ossl_ffc_params_FIPS186_2_validate(libctx, &tmpparams, paramstype,
|
|
res, NULL);
|
|
else
|
|
#endif
|
|
ret = ossl_ffc_params_FIPS186_4_validate(libctx, &tmpparams, paramstype,
|
|
res, NULL);
|
|
#ifndef OPENSSL_NO_DH
|
|
if (ret == FFC_PARAM_RET_STATUS_FAILED
|
|
&& (*res & FFC_ERROR_NOT_SUITABLE_GENERATOR) != 0) {
|
|
ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR);
|
|
}
|
|
#endif
|
|
|
|
ossl_ffc_params_cleanup(&tmpparams);
|
|
|
|
return ret != FFC_PARAM_RET_STATUS_FAILED;
|
|
}
|
|
|
|
/*
|
|
* If possible (or always in FIPS_MODULE) do full FIPS 186-4 validation.
|
|
* Otherwise do simple check but in addition also check the primality of the
|
|
* p and q.
|
|
*/
|
|
int ossl_ffc_params_full_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params,
|
|
int paramstype, int *res)
|
|
{
|
|
int tmpres = 0;
|
|
|
|
if (params == NULL)
|
|
return 0;
|
|
|
|
if (res == NULL)
|
|
res = &tmpres;
|
|
|
|
#ifdef FIPS_MODULE
|
|
return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype,
|
|
res, NULL);
|
|
#else
|
|
if (params->seed != NULL) {
|
|
if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY)
|
|
return ossl_ffc_params_FIPS186_2_validate(libctx, params, paramstype,
|
|
res, NULL);
|
|
else
|
|
return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype,
|
|
res, NULL);
|
|
} else {
|
|
int ret = 0;
|
|
|
|
ret = ossl_ffc_params_simple_validate(libctx, params, paramstype, res);
|
|
if (ret) {
|
|
BN_CTX *ctx;
|
|
|
|
if ((ctx = BN_CTX_new_ex(libctx)) == NULL)
|
|
return 0;
|
|
if (BN_check_prime(params->q, ctx, NULL) != 1) {
|
|
# ifndef OPENSSL_NO_DSA
|
|
ERR_raise(ERR_LIB_DSA, DSA_R_Q_NOT_PRIME);
|
|
# endif
|
|
ret = 0;
|
|
}
|
|
if (ret && BN_check_prime(params->p, ctx, NULL) != 1) {
|
|
# ifndef OPENSSL_NO_DSA
|
|
ERR_raise(ERR_LIB_DSA, DSA_R_P_NOT_PRIME);
|
|
# endif
|
|
ret = 0;
|
|
}
|
|
BN_CTX_free(ctx);
|
|
}
|
|
return ret;
|
|
}
|
|
#endif
|
|
}
|