Source code
Revision control
Copy as Markdown
Other Tools
/*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <cstdlib>
#include <string>
#include <cassert>
#include "bn.h"
#include "dl_ossl.h"
#include "utils.h"
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#if defined(CRYPTO_BACKEND_OPENSSL3)
#include <openssl/core_names.h>
#include <openssl/param_build.h>
#endif
#if defined(CRYPTO_BACKEND_OPENSSL3)
static OSSL_PARAM *
dl_build_params(bignum_t *p, bignum_t *q, bignum_t *g, bignum_t *y, bignum_t *x)
{
OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
if (!bld) {
return NULL; // LCOV_EXCL_LINE
}
if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) ||
(q && !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)) ||
!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) ||
!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, y) ||
(x && !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, x))) {
/* LCOV_EXCL_START */
OSSL_PARAM_BLD_free(bld);
return NULL;
/* LCOV_EXCL_END */
}
OSSL_PARAM *param = OSSL_PARAM_BLD_to_param(bld);
OSSL_PARAM_BLD_free(bld);
return param;
}
#endif
EVP_PKEY *
dl_load_key(const pgp_mpi_t &mp,
const pgp_mpi_t *mq,
const pgp_mpi_t &mg,
const pgp_mpi_t &my,
const pgp_mpi_t *mx)
{
EVP_PKEY *evpkey = NULL;
rnp::bn p(mpi2bn(&mp));
rnp::bn q(mq ? mpi2bn(mq) : NULL);
rnp::bn g(mpi2bn(&mg));
rnp::bn y(mpi2bn(&my));
rnp::bn x(mx ? mpi2bn(mx) : NULL);
if (!p.get() || (mq && !q.get()) || !g.get() || !y.get() || (mx && !x.get())) {
/* LCOV_EXCL_START */
RNP_LOG("out of memory");
return NULL;
/* LCOV_EXCL_END */
}
#if defined(CRYPTO_BACKEND_OPENSSL3)
OSSL_PARAM *params = dl_build_params(p.get(), q.get(), g.get(), y.get(), x.get());
if (!params) {
/* LCOV_EXCL_START */
RNP_LOG("failed to build dsa params");
return NULL;
/* LCOV_EXCL_END */
}
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
if (!ctx) {
/* LCOV_EXCL_START */
RNP_LOG("failed to create dl context");
OSSL_PARAM_free(params);
return NULL;
/* LCOV_EXCL_END */
}
if ((EVP_PKEY_fromdata_init(ctx) != 1) ||
(EVP_PKEY_fromdata(
ctx, &evpkey, mx ? EVP_PKEY_KEYPAIR : EVP_PKEY_PUBLIC_KEY, params) != 1)) {
/* LCOV_EXCL_START */
RNP_LOG("failed to create key from data");
evpkey = NULL;
/* LCOV_EXCL_END */
}
OSSL_PARAM_free(params);
EVP_PKEY_CTX_free(ctx);
return evpkey;
#else
DH *dh = DH_new();
if (!dh) {
/* LCOV_EXCL_START */
RNP_LOG("out of memory");
return NULL;
/* LCOV_EXCL_END */
}
/* line below must not fail */
int res = DH_set0_pqg(dh, p.own(), q.own(), g.own());
assert(res == 1);
if (res < 1) {
goto done;
}
/* line below must not fail */
res = DH_set0_key(dh, y.own(), x.own());
assert(res == 1);
if (res < 1) {
goto done;
}
evpkey = EVP_PKEY_new();
if (!evpkey) {
/* LCOV_EXCL_START */
RNP_LOG("allocation failed");
goto done;
/* LCOV_EXCL_END */
}
if (EVP_PKEY_set1_DH(evpkey, dh) <= 0) {
/* LCOV_EXCL_START */
RNP_LOG("Failed to set key: %lu", ERR_peek_last_error());
EVP_PKEY_free(evpkey);
evpkey = NULL;
/* LCOV_EXCL_END */
}
done:
DH_free(dh);
return evpkey;
#endif
}
#if !defined(CRYPTO_BACKEND_OPENSSL3)
static rnp_result_t
dl_validate_secret_key(EVP_PKEY *dlkey, const pgp_mpi_t &mx)
{
const DH *dh = EVP_PKEY_get0_DH(dlkey);
assert(dh);
const bignum_t *p = DH_get0_p(dh);
const bignum_t *q = DH_get0_q(dh);
const bignum_t *g = DH_get0_g(dh);
const bignum_t *y = DH_get0_pub_key(dh);
assert(p && g && y);
bignum_t *p1 = NULL;
rnp_result_t ret = RNP_ERROR_GENERIC;
BN_CTX * ctx = BN_CTX_new();
bignum_t *x = mpi2bn(&mx);
bignum_t *cy = bn_new();
if (!x || !cy || !ctx) {
/* LCOV_EXCL_START */
RNP_LOG("Allocation failed");
goto done;
/* LCOV_EXCL_END */
}
if (!q) {
/* if q is NULL then group order is (p - 1) / 2 */
p1 = BN_dup(p);
if (!p1) {
/* LCOV_EXCL_START */
RNP_LOG("Allocation failed");
goto done;
/* LCOV_EXCL_END */
}
int res;
res = BN_rshift(p1, p1, 1);
assert(res == 1);
if (res < 1) {
/* LCOV_EXCL_START */
RNP_LOG("BN_rshift failed.");
goto done;
/* LCOV_EXCL_END */
}
q = p1;
}
if (BN_cmp(x, q) != -1) {
RNP_LOG("x is too large.");
goto done;
}
if (BN_mod_exp_mont_consttime(cy, g, x, p, ctx, NULL) < 1) {
RNP_LOG("Exponentiation failed");
goto done;
}
if (BN_cmp(cy, y) == 0) {
ret = RNP_SUCCESS;
}
done:
BN_CTX_free(ctx);
bn_free(x);
bn_free(cy);
bn_free(p1);
return ret;
}
#endif
rnp_result_t
dl_validate_key(EVP_PKEY *pkey, const pgp_mpi_t *x)
{
rnp_result_t ret = RNP_ERROR_GENERIC;
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
if (!ctx) {
/* LCOV_EXCL_START */
RNP_LOG("Context allocation failed: %lu", ERR_peek_last_error());
goto done;
/* LCOV_EXCL_END */
}
int res;
res = EVP_PKEY_param_check(ctx);
if (res < 0) {
RNP_LOG("Param validation error: %lu (%s)",
ERR_peek_last_error(),
ERR_reason_error_string(ERR_peek_last_error()));
}
if (res < 1) {
/* ElGamal specification doesn't seem to restrict P to the safe prime */
auto err = ERR_peek_last_error();
DHerr(DH_F_DH_CHECK_EX, DH_R_CHECK_P_NOT_SAFE_PRIME);
if ((ERR_GET_REASON(err) == DH_R_CHECK_P_NOT_SAFE_PRIME)) {
RNP_LOG("Warning! P is not a safe prime.");
} else {
goto done;
}
}
#if defined(CRYPTO_BACKEND_OPENSSL3)
res = x ? EVP_PKEY_pairwise_check(ctx) : EVP_PKEY_public_check(ctx);
if (res == 1) {
ret = RNP_SUCCESS;
}
#else
res = EVP_PKEY_public_check(ctx);
if (res < 0) {
RNP_LOG("Key validation error: %lu", ERR_peek_last_error());
}
if (res < 1) {
goto done;
}
/* There is no private key check in OpenSSL yet, so need to check x vs y manually */
if (!x) {
ret = RNP_SUCCESS;
goto done;
}
ret = dl_validate_secret_key(pkey, *x);
#endif
done:
EVP_PKEY_CTX_free(ctx);
return ret;
}