dhm.c 13.5 KB
Newer Older
1 2 3
/*
 *  Diffie-Hellman-Merkle key exchange
 *
4
 *  Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakker's avatar
Paul Bakker committed
5 6
 *
 *  This file is part of PolarSSL (http://www.polarssl.org)
7
 *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker's avatar
Paul Bakker committed
8
 *
9
 *  All rights reserved.
Paul Bakker's avatar
Paul Bakker committed
10
 *
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
/*
 *  Reference:
 *
 *  http://www.cacr.math.uwaterloo.ca/hac/ (chapter 12)
 */

31
#include "polarssl/config.h"
32

33
#if defined(POLARSSL_DHM_C)
34

35
#include "polarssl/dhm.h"
36

37
#if defined(POLARSSL_PEM_PARSE_C)
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
#include "polarssl/pem.h"
#endif

#if defined(POLARSSL_ASN1_PARSE_C)
#include "polarssl/asn1.h"
#endif

#if defined(POLARSSL_MEMORY_C)
#include "polarssl/memory.h"
#else
#include <stdlib.h>
#define polarssl_malloc     malloc
#define polarssl_free       free
#endif

53 54 55 56 57
/*
 * helper to validate the mpi size and import it
 */
static int dhm_read_bignum( mpi *X,
                            unsigned char **p,
58
                            const unsigned char *end )
59 60 61 62
{
    int ret, n;

    if( end - *p < 2 )
63
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
64 65 66 67 68

    n = ( (*p)[0] << 8 ) | (*p)[1];
    (*p) += 2;

    if( (int)( end - *p ) < n )
69
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
70 71

    if( ( ret = mpi_read_binary( X, *p, n ) ) != 0 )
72
        return( POLARSSL_ERR_DHM_READ_PARAMS_FAILED + ret );
73 74 75 76 77 78

    (*p) += n;

    return( 0 );
}

Paul Bakker's avatar
Paul Bakker committed
79
/*
80
 * Verify sanity of parameter with regards to P
81
 *
82
 * Parameter should be: 2 <= public_param <= P - 2
83 84 85 86
 *
 * For more information on the attack, see:
 *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
 *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
Paul Bakker's avatar
Paul Bakker committed
87
 */
88
static int dhm_check_range( const mpi *param, const mpi *P )
Paul Bakker's avatar
Paul Bakker committed
89
{
90 91
    mpi L, U;
    int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker's avatar
Paul Bakker committed
92

93
    mpi_init( &L ); mpi_init( &U );
94 95
    mpi_lset( &L, 2 );
    mpi_sub_int( &U, P, 2 );
Paul Bakker's avatar
Paul Bakker committed
96

97 98
    if( mpi_cmp_mpi( param, &L ) >= 0 &&
        mpi_cmp_mpi( param, &U ) <= 0 )
Paul Bakker's avatar
Paul Bakker committed
99
    {
100
        ret = 0;
Paul Bakker's avatar
Paul Bakker committed
101 102
    }

103
    mpi_free( &L ); mpi_free( &U );
Paul Bakker's avatar
Paul Bakker committed
104

105
    return( ret );
Paul Bakker's avatar
Paul Bakker committed
106 107
}

108 109 110 111 112
/*
 * Parse the ServerKeyExchange parameters
 */
int dhm_read_params( dhm_context *ctx,
                     unsigned char **p,
113
                     const unsigned char *end )
114
{
Paul Bakker's avatar
Paul Bakker committed
115
    int ret;
116

117
    dhm_free( ctx );
118 119 120 121 122 123

    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
        return( ret );

124 125 126
    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
        return( ret );

127 128 129 130 131 132 133 134 135
    ctx->len = mpi_size( &ctx->P );

    return( 0 );
}

/*
 * Setup and write the ServerKeyExchange parameters
 */
int dhm_make_params( dhm_context *ctx, int x_size,
136
                     unsigned char *output, size_t *olen,
137 138
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
139
{
140
    int ret, count = 0;
141
    size_t n1, n2, n3;
142 143
    unsigned char *p;

144 145 146
    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );

147
    /*
148
     * Generate X as large as possible ( < P )
149
     */
150 151 152
    do
    {
        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
153

154 155 156 157 158 159 160
        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->X, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED );
    }
    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
161

162 163 164
    /*
     * Calculate GX = G^X mod P
     */
165 166 167
    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
                          &ctx->P , &ctx->RP ) );

168
    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
Paul Bakker's avatar
Paul Bakker committed
169 170
        return( ret );

171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194
    /*
     * export P, G, GX
     */
#define DHM_MPI_EXPORT(X,n)                     \
    MPI_CHK( mpi_write_binary( X, p + 2, n ) ); \
    *p++ = (unsigned char)( n >> 8 );           \
    *p++ = (unsigned char)( n      ); p += n;

    n1 = mpi_size( &ctx->P  );
    n2 = mpi_size( &ctx->G  );
    n3 = mpi_size( &ctx->GX );

    p = output;
    DHM_MPI_EXPORT( &ctx->P , n1 );
    DHM_MPI_EXPORT( &ctx->G , n2 );
    DHM_MPI_EXPORT( &ctx->GX, n3 );

    *olen  = p - output;

    ctx->len = n1;

cleanup:

    if( ret != 0 )
195
        return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED + ret );
196 197 198 199 200 201 202 203

    return( 0 );
}

/*
 * Import the peer's public value G^Y
 */
int dhm_read_public( dhm_context *ctx,
204
                     const unsigned char *input, size_t ilen )
205 206 207 208
{
    int ret;

    if( ctx == NULL || ilen < 1 || ilen > ctx->len )
209
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
210 211

    if( ( ret = mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
212
        return( POLARSSL_ERR_DHM_READ_PUBLIC_FAILED + ret );
213 214 215 216 217 218 219 220

    return( 0 );
}

/*
 * Create own private value X and export G^X
 */
int dhm_make_public( dhm_context *ctx, int x_size,
221
                     unsigned char *output, size_t olen,
222 223
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
224
{
225
    int ret, count = 0;
226 227

    if( ctx == NULL || olen < 1 || olen > ctx->len )
228
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
229

230 231 232
    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );

233 234 235
    /*
     * generate X and calculate GX = G^X mod P
     */
236 237 238
    do
    {
        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
239

240 241 242 243 244 245 246
        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->X, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED );
    }
    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
247 248 249 250

    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
                          &ctx->P , &ctx->RP ) );

251 252
    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
        return( ret );
Paul Bakker's avatar
Paul Bakker committed
253

254 255 256 257 258
    MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );

cleanup:

    if( ret != 0 )
259
        return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
260 261 262 263

    return( 0 );
}

264 265 266 267 268 269 270 271 272 273 274 275
/*
 * Use the blinding method and optimisation suggested in section 10 of:
 *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
 *  DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
 *  Berlin Heidelberg, 1996. p. 104-113.
 */
static int dhm_update_blinding( dhm_context *ctx,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
    int ret, count;

    /*
276 277
     * Don't use any blinding the first time a particular X is used,
     * but remember it to use blinding next time.
278
     */
279
    if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) != 0 )
280
    {
281 282 283 284 285
        MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );
        MPI_CHK( mpi_lset( &ctx->Vi, 1 ) );
        MPI_CHK( mpi_lset( &ctx->Vf, 1 ) );

        return( 0 );
286 287 288
    }

    /*
289 290
     * Ok, we need blinding. Can we re-use existing values?
     * If yes, just update them by squaring them.
291
     */
292
    if( mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
293
    {
294 295 296
        MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
        MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );

297 298
        MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
        MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
299

300
        return( 0 );
301
    }
302 303

    /*
304
     * We need to generate blinding values from scratch
305
     */
306

307 308 309 310 311 312 313 314 315 316 317 318 319 320
    /* Vi = random( 2, P-1 ) */
    count = 0;
    do
    {
        mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );

        while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->Vi, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
    }
    while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );

321 322 323 324 325 326 327 328
    /* Vf = Vi^-X mod P */
    MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
    MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );

cleanup:
    return( ret );
}

329 330 331 332
/*
 * Derive and export the shared secret (G^Y)^X mod P
 */
int dhm_calc_secret( dhm_context *ctx,
333 334 335
                     unsigned char *output, size_t *olen,
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
336 337
{
    int ret;
338
    mpi GYb;
339

340
    if( ctx == NULL || *olen < ctx->len )
341
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
342

343
    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
Paul Bakker's avatar
Paul Bakker committed
344 345
        return( ret );

346 347 348
    mpi_init( &GYb );

    /* Blind peer's value */
349
    if( f_rng != NULL )
350 351 352 353 354 355 356 357 358 359 360 361 362
    {
        MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
        MPI_CHK( mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
        MPI_CHK( mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
    }
    else
        MPI_CHK( mpi_copy( &GYb, &ctx->GY ) );

    /* Do modular exponentiation */
    MPI_CHK( mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
                          &ctx->P, &ctx->RP ) );

    /* Unblind secret value */
363
    if( f_rng != NULL )
364 365 366 367 368
    {
        MPI_CHK( mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
        MPI_CHK( mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
    }

369 370 371 372 373
    *olen = mpi_size( &ctx->K );

    MPI_CHK( mpi_write_binary( &ctx->K, output, *olen ) );

cleanup:
374
    mpi_free( &GYb );
375 376

    if( ret != 0 )
377
        return( POLARSSL_ERR_DHM_CALC_SECRET_FAILED + ret );
378 379 380 381 382 383 384 385 386

    return( 0 );
}

/*
 * Free the components of a DHM key
 */
void dhm_free( dhm_context *ctx )
{
387
    mpi_free( &ctx->_X); mpi_free( &ctx->Vf ); mpi_free( &ctx->Vi );
388 389 390
    mpi_free( &ctx->RP ); mpi_free( &ctx->K ); mpi_free( &ctx->GY );
    mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
    mpi_free( &ctx->P );
391 392

    memset( ctx, 0, sizeof( dhm_context ) );
393 394
}

395 396 397 398 399 400 401 402 403
#if defined(POLARSSL_ASN1_PARSE_C)
/*
 * Parse DHM parameters
 */
int dhm_parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen )
{
    int ret;
    size_t len;
    unsigned char *p, *end;
404
#if defined(POLARSSL_PEM_PARSE_C)
405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462
    pem_context pem;

    pem_init( &pem );
    memset( dhm, 0, sizeof( dhm_context ) );

    ret = pem_read_buffer( &pem,
                           "-----BEGIN DH PARAMETERS-----",
                           "-----END DH PARAMETERS-----",
                           dhmin, NULL, 0, &dhminlen );

    if( ret == 0 )
    {
        /*
         * Was PEM encoded
         */
        dhminlen = pem.buflen;
    }
    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
        goto exit;

    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
#else
    p = (unsigned char *) dhmin;
#endif
    end = p + dhminlen;

    /*
     *  DHParams ::= SEQUENCE {
     *      prime            INTEGER,  -- P
     *      generator        INTEGER,  -- g
     *  }
     */
    if( ( ret = asn1_get_tag( &p, end, &len,
            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT + ret;
        goto exit;
    }

    end = p + len;

    if( ( ret = asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
        ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT + ret;
        goto exit;
    }

    if( p != end )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT +
              POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
        goto exit;
    }

    ret = 0;

exit:
463
#if defined(POLARSSL_PEM_PARSE_C)
464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536
    pem_free( &pem );
#endif
    if( ret != 0 )
        dhm_free( dhm );

    return( ret );
}

#if defined(POLARSSL_FS_IO)
/*
 * Load all data from a file into a given buffer.
 */
static int load_file( const char *path, unsigned char **buf, size_t *n )
{
    FILE *f;
    long size;

    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );

    fseek( f, 0, SEEK_END );
    if( ( size = ftell( f ) ) == -1 )
    {
        fclose( f );
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
    }
    fseek( f, 0, SEEK_SET );

    *n = (size_t) size;

    if( *n + 1 == 0 ||
        ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
    {
        fclose( f );
        return( POLARSSL_ERR_DHM_MALLOC_FAILED );
    }

    if( fread( *buf, 1, *n, f ) != *n )
    {
        fclose( f );
        polarssl_free( *buf );
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
    }

    fclose( f );

    (*buf)[*n] = '\0';

    return( 0 );
}

/*
 * Load and parse DHM parameters
 */
int dhm_parse_dhmfile( dhm_context *dhm, const char *path )
{
    int ret;
    size_t n;
    unsigned char *buf;

    if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
        return( ret );

    ret = dhm_parse_dhm( dhm, buf, n );

    memset( buf, 0, n + 1 );
    polarssl_free( buf );

    return( ret );
}
#endif /* POLARSSL_FS_IO */
#endif /* POLARSSL_ASN1_PARSE_C */

537
#if defined(POLARSSL_SELF_TEST)
538

539 540
#include "polarssl/certs.h"

541 542 543 544 545
/*
 * Checkup routine
 */
int dhm_self_test( int verbose )
{
546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571
#if defined(POLARSSL_CERTS_C)
    int ret;
    dhm_context dhm;

    if( verbose != 0 )
        printf( "  DHM parameter load: " );

    if( ( ret = dhm_parse_dhm( &dhm, (const unsigned char *) test_dhm_params,
                               strlen( test_dhm_params ) ) ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        return( ret );
    }

    if( verbose != 0 )
        printf( "passed\n\n" );

    dhm_free( &dhm );

    return( 0 );
#else
    ((void) verbose);
    return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
#endif
572 573 574 575 576
}

#endif

#endif