Move DH parameter generation out of the FIPS module.

This moved, en masse, into the FIPS module in e7f08827d2. But we want to
minimise the amount that's in the FIPS module and it doesn't appear that
we need this at the current time.

Change-Id: Ib2c243aad461b716314eeeb6a460955818a7aa22
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44605
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/dh_extra/params.c b/crypto/dh_extra/params.c
index 3336029..6023ab1 100644
--- a/crypto/dh_extra/params.c
+++ b/crypto/dh_extra/params.c
@@ -53,6 +53,8 @@
 #include <openssl/dh.h>
 
 #include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
 
 #include "../fipsmodule/bn/internal.h"
 
@@ -91,3 +93,180 @@
 
   return ret;
 }
+
+int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator,
+                              BN_GENCB *cb) {
+  // We generate DH parameters as follows
+  // find a prime q which is prime_bits/2 bits long.
+  // p=(2*q)+1 or (p-1)/2 = q
+  // For this case, g is a generator if
+  // g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
+  // Since the factors of p-1 are q and 2, we just need to check
+  // g^2 mod p != 1 and g^q mod p != 1.
+  //
+  // Having said all that,
+  // there is another special case method for the generators 2, 3 and 5.
+  // for 2, p mod 24 == 11
+  // for 3, p mod 12 == 5  <<<<< does not work for safe primes.
+  // for 5, p mod 10 == 3 or 7
+  //
+  // Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
+  // special generators and for answering some of my questions.
+  //
+  // I've implemented the second simple method :-).
+  // Since DH should be using a safe prime (both p and q are prime),
+  // this generator function can take a very very long time to run.
+
+  // Actually there is no reason to insist that 'generator' be a generator.
+  // It's just as OK (and in some sense better) to use a generator of the
+  // order-q subgroup.
+
+  BIGNUM *t1, *t2;
+  int g, ok = 0;
+  BN_CTX *ctx = NULL;
+
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    goto err;
+  }
+  BN_CTX_start(ctx);
+  t1 = BN_CTX_get(ctx);
+  t2 = BN_CTX_get(ctx);
+  if (t1 == NULL || t2 == NULL) {
+    goto err;
+  }
+
+  // Make sure |dh| has the necessary elements
+  if (dh->p == NULL) {
+    dh->p = BN_new();
+    if (dh->p == NULL) {
+      goto err;
+    }
+  }
+  if (dh->g == NULL) {
+    dh->g = BN_new();
+    if (dh->g == NULL) {
+      goto err;
+    }
+  }
+
+  if (generator <= 1) {
+    OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+    goto err;
+  }
+  if (generator == DH_GENERATOR_2) {
+    if (!BN_set_word(t1, 24)) {
+      goto err;
+    }
+    if (!BN_set_word(t2, 11)) {
+      goto err;
+    }
+    g = 2;
+  } else if (generator == DH_GENERATOR_5) {
+    if (!BN_set_word(t1, 10)) {
+      goto err;
+    }
+    if (!BN_set_word(t2, 3)) {
+      goto err;
+    }
+    // BN_set_word(t3,7); just have to miss
+    // out on these ones :-(
+    g = 5;
+  } else {
+    // in the general case, don't worry if 'generator' is a
+    // generator or not: since we are using safe primes,
+    // it will generate either an order-q or an order-2q group,
+    // which both is OK
+    if (!BN_set_word(t1, 2)) {
+      goto err;
+    }
+    if (!BN_set_word(t2, 1)) {
+      goto err;
+    }
+    g = generator;
+  }
+
+  if (!BN_generate_prime_ex(dh->p, prime_bits, 1, t1, t2, cb)) {
+    goto err;
+  }
+  if (!BN_GENCB_call(cb, 3, 0)) {
+    goto err;
+  }
+  if (!BN_set_word(dh->g, g)) {
+    goto err;
+  }
+  ok = 1;
+
+err:
+  if (!ok) {
+    OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
+  }
+
+  if (ctx != NULL) {
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+  }
+  return ok;
+}
+
+static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) {
+  BIGNUM *a = NULL;
+
+  if (src) {
+    a = BN_dup(src);
+    if (!a) {
+      return 0;
+    }
+  }
+
+  BN_free(*dst);
+  *dst = a;
+  return 1;
+}
+
+static int int_dh_param_copy(DH *to, const DH *from, int is_x942) {
+  if (is_x942 == -1) {
+    is_x942 = !!from->q;
+  }
+  if (!int_dh_bn_cpy(&to->p, from->p) ||
+      !int_dh_bn_cpy(&to->g, from->g)) {
+    return 0;
+  }
+
+  if (!is_x942) {
+    return 1;
+  }
+
+  if (!int_dh_bn_cpy(&to->q, from->q) ||
+      !int_dh_bn_cpy(&to->j, from->j)) {
+    return 0;
+  }
+
+  OPENSSL_free(to->seed);
+  to->seed = NULL;
+  to->seedlen = 0;
+
+  if (from->seed) {
+    to->seed = OPENSSL_memdup(from->seed, from->seedlen);
+    if (!to->seed) {
+      return 0;
+    }
+    to->seedlen = from->seedlen;
+  }
+
+  return 1;
+}
+
+DH *DHparams_dup(const DH *dh) {
+  DH *ret = DH_new();
+  if (!ret) {
+    return NULL;
+  }
+
+  if (!int_dh_param_copy(ret, dh, -1)) {
+    DH_free(ret);
+    return NULL;
+  }
+
+  return ret;
+}
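Review bot: In the added DH_generate_parameters_ex, the `generator <= 1` branch queues DH_R_BAD_GENERATOR and then jumps to `err:`, where `if (!ok)` queues ERR_R_BN_LIB on top of it, so a caller inspecting the last queued error sees a generic bignum failure rather than the rejected generator. The check also runs after `dh->p` and `dh->g` may already have been allocated, so a rejected call still modifies |dh|. Hoisting the argument check above `BN_CTX_new()` as `if (generator <= 1) { OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); return 0; }` would avoid both. Separately, `prime_bits` reaches `BN_generate_prime_ex` with no lower bound in this function, so whether undersized groups are refused depends on that callee; a one-line comment stating the expected minimum would help callers. The code is moved unchanged from the FIPS module, so these behaviours predate this commit.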
diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c
index 6bc1e53..05acbe2 100644
--- a/crypto/fipsmodule/dh/dh.c
+++ b/crypto/fipsmodule/dh/dh.c
@@ -184,120 +184,6 @@
   return 1;
 }
 
-int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
-  // We generate DH parameters as follows
-  // find a prime q which is prime_bits/2 bits long.
-  // p=(2*q)+1 or (p-1)/2 = q
-  // For this case, g is a generator if
-  // g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
-  // Since the factors of p-1 are q and 2, we just need to check
-  // g^2 mod p != 1 and g^q mod p != 1.
-  //
-  // Having said all that,
-  // there is another special case method for the generators 2, 3 and 5.
-  // for 2, p mod 24 == 11
-  // for 3, p mod 12 == 5  <<<<< does not work for safe primes.
-  // for 5, p mod 10 == 3 or 7
-  //
-  // Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
-  // special generators and for answering some of my questions.
-  //
-  // I've implemented the second simple method :-).
-  // Since DH should be using a safe prime (both p and q are prime),
-  // this generator function can take a very very long time to run.
-
-  // Actually there is no reason to insist that 'generator' be a generator.
-  // It's just as OK (and in some sense better) to use a generator of the
-  // order-q subgroup.
-
-  BIGNUM *t1, *t2;
-  int g, ok = 0;
-  BN_CTX *ctx = NULL;
-
-  ctx = BN_CTX_new();
-  if (ctx == NULL) {
-    goto err;
-  }
-  BN_CTX_start(ctx);
-  t1 = BN_CTX_get(ctx);
-  t2 = BN_CTX_get(ctx);
-  if (t1 == NULL || t2 == NULL) {
-    goto err;
-  }
-
-  // Make sure |dh| has the necessary elements
-  if (dh->p == NULL) {
-    dh->p = BN_new();
-    if (dh->p == NULL) {
-      goto err;
-    }
-  }
-  if (dh->g == NULL) {
-    dh->g = BN_new();
-    if (dh->g == NULL) {
-      goto err;
-    }
-  }
-
-  if (generator <= 1) {
-    OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
-    goto err;
-  }
-  if (generator == DH_GENERATOR_2) {
-    if (!BN_set_word(t1, 24)) {
-      goto err;
-    }
-    if (!BN_set_word(t2, 11)) {
-      goto err;
-    }
-    g = 2;
-  } else if (generator == DH_GENERATOR_5) {
-    if (!BN_set_word(t1, 10)) {
-      goto err;
-    }
-    if (!BN_set_word(t2, 3)) {
-      goto err;
-    }
-    // BN_set_word(t3,7); just have to miss
-    // out on these ones :-(
-    g = 5;
-  } else {
-    // in the general case, don't worry if 'generator' is a
-    // generator or not: since we are using safe primes,
-    // it will generate either an order-q or an order-2q group,
-    // which both is OK
-    if (!BN_set_word(t1, 2)) {
-      goto err;
-    }
-    if (!BN_set_word(t2, 1)) {
-      goto err;
-    }
-    g = generator;
-  }
-
-  if (!BN_generate_prime_ex(dh->p, prime_bits, 1, t1, t2, cb)) {
-    goto err;
-  }
-  if (!BN_GENCB_call(cb, 3, 0)) {
-    goto err;
-  }
-  if (!BN_set_word(dh->g, g)) {
-    goto err;
-  }
-  ok = 1;
-
-err:
-  if (!ok) {
-    OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
-  }
-
-  if (ctx != NULL) {
-    BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-  }
-  return ok;
-}
-
 int DH_generate_key(DH *dh) {
   int ok = 0;
   int generate_new_key = 0;
@@ -508,65 +394,3 @@
   CRYPTO_refcount_inc(&dh->references);
   return 1;
 }
-
-static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) {
-  BIGNUM *a = NULL;
-
-  if (src) {
-    a = BN_dup(src);
-    if (!a) {
-      return 0;
-    }
-  }
-
-  BN_free(*dst);
-  *dst = a;
-  return 1;
-}
-
-static int int_dh_param_copy(DH *to, const DH *from, int is_x942) {
-  if (is_x942 == -1) {
-    is_x942 = !!from->q;
-  }
-  if (!int_dh_bn_cpy(&to->p, from->p) ||
-      !int_dh_bn_cpy(&to->g, from->g)) {
-    return 0;
-  }
-
-  if (!is_x942) {
-    return 1;
-  }
-
-  if (!int_dh_bn_cpy(&to->q, from->q) ||
-      !int_dh_bn_cpy(&to->j, from->j)) {
-    return 0;
-  }
-
-  OPENSSL_free(to->seed);
-  to->seed = NULL;
-  to->seedlen = 0;
-
-  if (from->seed) {
-    to->seed = OPENSSL_memdup(from->seed, from->seedlen);
-    if (!to->seed) {
-      return 0;
-    }
-    to->seedlen = from->seedlen;
-  }
-
-  return 1;
-}
-
-DH *DHparams_dup(const DH *dh) {
-  DH *ret = DH_new();
-  if (!ret) {
-    return NULL;
-  }
-
-  if (!int_dh_param_copy(ret, dh, -1)) {
-    DH_free(ret);
-    return NULL;
-  }
-
-  return ret;
-}