dhm.c 13.7 KB
Newer Older
1 2 3
/*
 *  Diffie-Hellman-Merkle key exchange
 *
4
 *  Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakker's avatar
Paul Bakker committed
5 6
 *
 *  This file is part of PolarSSL (http://www.polarssl.org)
7
 *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker's avatar
Paul Bakker committed
8
 *
9
 *  All rights reserved.
Paul Bakker's avatar
Paul Bakker committed
10
 *
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
/*
 *  Reference:
 *
 *  http://www.cacr.math.uwaterloo.ca/hac/ (chapter 12)
 */

31
#include "polarssl/config.h"
32

33
#if defined(POLARSSL_DHM_C)
34

35
#include "polarssl/dhm.h"
36

37
#if defined(POLARSSL_PEM_PARSE_C)
38 39 40 41 42 43 44
#include "polarssl/pem.h"
#endif

#if defined(POLARSSL_ASN1_PARSE_C)
#include "polarssl/asn1.h"
#endif

45 46
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
47 48
#else
#include <stdlib.h>
49
#define polarssl_printf     printf
50 51 52 53
#define polarssl_malloc     malloc
#define polarssl_free       free
#endif

54 55 56 57 58
/*
 * helper to validate the mpi size and import it
 */
static int dhm_read_bignum( mpi *X,
                            unsigned char **p,
59
                            const unsigned char *end )
60 61 62 63
{
    int ret, n;

    if( end - *p < 2 )
64
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
65 66 67 68 69

    n = ( (*p)[0] << 8 ) | (*p)[1];
    (*p) += 2;

    if( (int)( end - *p ) < n )
70
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
71 72

    if( ( ret = mpi_read_binary( X, *p, n ) ) != 0 )
73
        return( POLARSSL_ERR_DHM_READ_PARAMS_FAILED + ret );
74 75 76 77 78 79

    (*p) += n;

    return( 0 );
}

Paul Bakker's avatar
Paul Bakker committed
80
/*
81
 * Verify sanity of parameter with regards to P
82
 *
83
 * Parameter should be: 2 <= public_param <= P - 2
84 85 86 87
 *
 * For more information on the attack, see:
 *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
 *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
Paul Bakker's avatar
Paul Bakker committed
88
 */
89
static int dhm_check_range( const mpi *param, const mpi *P )
Paul Bakker's avatar
Paul Bakker committed
90
{
91 92
    mpi L, U;
    int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker's avatar
Paul Bakker committed
93

94
    mpi_init( &L ); mpi_init( &U );
95 96
    mpi_lset( &L, 2 );
    mpi_sub_int( &U, P, 2 );
Paul Bakker's avatar
Paul Bakker committed
97

98 99
    if( mpi_cmp_mpi( param, &L ) >= 0 &&
        mpi_cmp_mpi( param, &U ) <= 0 )
Paul Bakker's avatar
Paul Bakker committed
100
    {
101
        ret = 0;
Paul Bakker's avatar
Paul Bakker committed
102 103
    }

104
    mpi_free( &L ); mpi_free( &U );
Paul Bakker's avatar
Paul Bakker committed
105

106
    return( ret );
Paul Bakker's avatar
Paul Bakker committed
107 108
}

109 110 111 112 113
/*
 * Parse the ServerKeyExchange parameters
 */
int dhm_read_params( dhm_context *ctx,
                     unsigned char **p,
114
                     const unsigned char *end )
115
{
Paul Bakker's avatar
Paul Bakker committed
116
    int ret;
117

118
    dhm_free( ctx );
119 120 121 122 123 124

    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
        return( ret );

125 126 127
    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
        return( ret );

128 129 130 131 132 133 134 135 136
    ctx->len = mpi_size( &ctx->P );

    return( 0 );
}

/*
 * Setup and write the ServerKeyExchange parameters
 */
int dhm_make_params( dhm_context *ctx, int x_size,
137
                     unsigned char *output, size_t *olen,
138 139
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
140
{
141
    int ret, count = 0;
142
    size_t n1, n2, n3;
143 144
    unsigned char *p;

145 146 147
    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );

148
    /*
149
     * Generate X as large as possible ( < P )
150
     */
151 152 153
    do
    {
        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
154

155 156 157 158 159 160 161
        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->X, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED );
    }
    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
162

163 164 165
    /*
     * Calculate GX = G^X mod P
     */
166 167 168
    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
                          &ctx->P , &ctx->RP ) );

169
    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
Paul Bakker's avatar
Paul Bakker committed
170 171
        return( ret );

172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195
    /*
     * export P, G, GX
     */
#define DHM_MPI_EXPORT(X,n)                     \
    MPI_CHK( mpi_write_binary( X, p + 2, n ) ); \
    *p++ = (unsigned char)( n >> 8 );           \
    *p++ = (unsigned char)( n      ); p += n;

    n1 = mpi_size( &ctx->P  );
    n2 = mpi_size( &ctx->G  );
    n3 = mpi_size( &ctx->GX );

    p = output;
    DHM_MPI_EXPORT( &ctx->P , n1 );
    DHM_MPI_EXPORT( &ctx->G , n2 );
    DHM_MPI_EXPORT( &ctx->GX, n3 );

    *olen  = p - output;

    ctx->len = n1;

cleanup:

    if( ret != 0 )
196
        return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED + ret );
197 198 199 200 201 202 203 204

    return( 0 );
}

/*
 * Import the peer's public value G^Y
 */
int dhm_read_public( dhm_context *ctx,
205
                     const unsigned char *input, size_t ilen )
206 207 208 209
{
    int ret;

    if( ctx == NULL || ilen < 1 || ilen > ctx->len )
210
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
211 212

    if( ( ret = mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
213
        return( POLARSSL_ERR_DHM_READ_PUBLIC_FAILED + ret );
214 215 216 217 218 219 220 221

    return( 0 );
}

/*
 * Create own private value X and export G^X
 */
int dhm_make_public( dhm_context *ctx, int x_size,
222
                     unsigned char *output, size_t olen,
223 224
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
225
{
226
    int ret, count = 0;
227 228

    if( ctx == NULL || olen < 1 || olen > ctx->len )
229
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
230

231 232 233
    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );

234 235 236
    /*
     * generate X and calculate GX = G^X mod P
     */
237 238 239
    do
    {
        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
240

241 242 243 244 245 246 247
        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->X, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED );
    }
    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
248 249 250 251

    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
                          &ctx->P , &ctx->RP ) );

252 253
    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
        return( ret );
Paul Bakker's avatar
Paul Bakker committed
254

255 256 257 258 259
    MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );

cleanup:

    if( ret != 0 )
260
        return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
261 262 263 264

    return( 0 );
}

265 266 267 268 269 270 271 272 273 274 275 276
/*
 * Use the blinding method and optimisation suggested in section 10 of:
 *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
 *  DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
 *  Berlin Heidelberg, 1996. p. 104-113.
 */
static int dhm_update_blinding( dhm_context *ctx,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
    int ret, count;

    /*
277 278
     * Don't use any blinding the first time a particular X is used,
     * but remember it to use blinding next time.
279
     */
280
    if( mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
281
    {
282
        MPI_CHK( mpi_copy( &ctx->pX, &ctx->X ) );
283 284 285 286
        MPI_CHK( mpi_lset( &ctx->Vi, 1 ) );
        MPI_CHK( mpi_lset( &ctx->Vf, 1 ) );

        return( 0 );
287 288 289
    }

    /*
290 291
     * Ok, we need blinding. Can we re-use existing values?
     * If yes, just update them by squaring them.
292
     */
293
    if( mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
294
    {
295 296 297
        MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
        MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );

298 299
        MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
        MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
300

301
        return( 0 );
302
    }
303 304

    /*
305
     * We need to generate blinding values from scratch
306
     */
307

308 309 310 311 312 313 314 315 316 317 318 319 320 321
    /* Vi = random( 2, P-1 ) */
    count = 0;
    do
    {
        mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );

        while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->Vi, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
    }
    while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );

322 323 324 325 326 327 328 329
    /* Vf = Vi^-X mod P */
    MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
    MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );

cleanup:
    return( ret );
}

330 331 332 333
/*
 * Derive and export the shared secret (G^Y)^X mod P
 */
int dhm_calc_secret( dhm_context *ctx,
334 335 336
                     unsigned char *output, size_t *olen,
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
337 338
{
    int ret;
339
    mpi GYb;
340

341
    if( ctx == NULL || *olen < ctx->len )
342
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
343

344
    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
Paul Bakker's avatar
Paul Bakker committed
345 346
        return( ret );

347 348 349
    mpi_init( &GYb );

    /* Blind peer's value */
350
    if( f_rng != NULL )
351 352 353 354 355 356 357 358 359 360 361 362 363
    {
        MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
        MPI_CHK( mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
        MPI_CHK( mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
    }
    else
        MPI_CHK( mpi_copy( &GYb, &ctx->GY ) );

    /* Do modular exponentiation */
    MPI_CHK( mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
                          &ctx->P, &ctx->RP ) );

    /* Unblind secret value */
364
    if( f_rng != NULL )
365 366 367 368 369
    {
        MPI_CHK( mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
        MPI_CHK( mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
    }

370 371 372 373 374
    *olen = mpi_size( &ctx->K );

    MPI_CHK( mpi_write_binary( &ctx->K, output, *olen ) );

cleanup:
375
    mpi_free( &GYb );
376 377

    if( ret != 0 )
378
        return( POLARSSL_ERR_DHM_CALC_SECRET_FAILED + ret );
379 380 381 382 383 384 385 386 387

    return( 0 );
}

/*
 * Free the components of a DHM key
 */
void dhm_free( dhm_context *ctx )
{
388
    mpi_free( &ctx->pX); mpi_free( &ctx->Vf ); mpi_free( &ctx->Vi );
389 390 391
    mpi_free( &ctx->RP ); mpi_free( &ctx->K ); mpi_free( &ctx->GY );
    mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
    mpi_free( &ctx->P );
392 393

    memset( ctx, 0, sizeof( dhm_context ) );
394 395
}

396 397 398 399 400 401 402 403 404
#if defined(POLARSSL_ASN1_PARSE_C)
/*
 * Parse DHM parameters
 */
int dhm_parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen )
{
    int ret;
    size_t len;
    unsigned char *p, *end;
405
#if defined(POLARSSL_PEM_PARSE_C)
406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462
    pem_context pem;

    pem_init( &pem );
    memset( dhm, 0, sizeof( dhm_context ) );

    ret = pem_read_buffer( &pem,
                           "-----BEGIN DH PARAMETERS-----",
                           "-----END DH PARAMETERS-----",
                           dhmin, NULL, 0, &dhminlen );

    if( ret == 0 )
    {
        /*
         * Was PEM encoded
         */
        dhminlen = pem.buflen;
    }
    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
        goto exit;

    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
#else
    p = (unsigned char *) dhmin;
#endif
    end = p + dhminlen;

    /*
     *  DHParams ::= SEQUENCE {
     *      prime            INTEGER,  -- P
     *      generator        INTEGER,  -- g
     *  }
     */
    if( ( ret = asn1_get_tag( &p, end, &len,
            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT + ret;
        goto exit;
    }

    end = p + len;

    if( ( ret = asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
        ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT + ret;
        goto exit;
    }

    if( p != end )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT +
              POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
        goto exit;
    }

    ret = 0;

463 464
    dhm->len = mpi_size( &dhm->P );

465
exit:
466
#if defined(POLARSSL_PEM_PARSE_C)
467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539
    pem_free( &pem );
#endif
    if( ret != 0 )
        dhm_free( dhm );

    return( ret );
}

#if defined(POLARSSL_FS_IO)
/*
 * Load all data from a file into a given buffer.
 */
static int load_file( const char *path, unsigned char **buf, size_t *n )
{
    FILE *f;
    long size;

    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );

    fseek( f, 0, SEEK_END );
    if( ( size = ftell( f ) ) == -1 )
    {
        fclose( f );
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
    }
    fseek( f, 0, SEEK_SET );

    *n = (size_t) size;

    if( *n + 1 == 0 ||
        ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
    {
        fclose( f );
        return( POLARSSL_ERR_DHM_MALLOC_FAILED );
    }

    if( fread( *buf, 1, *n, f ) != *n )
    {
        fclose( f );
        polarssl_free( *buf );
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
    }

    fclose( f );

    (*buf)[*n] = '\0';

    return( 0 );
}

/*
 * Load and parse DHM parameters
 */
int dhm_parse_dhmfile( dhm_context *dhm, const char *path )
{
    int ret;
    size_t n;
    unsigned char *buf;

    if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
        return( ret );

    ret = dhm_parse_dhm( dhm, buf, n );

    memset( buf, 0, n + 1 );
    polarssl_free( buf );

    return( ret );
}
#endif /* POLARSSL_FS_IO */
#endif /* POLARSSL_ASN1_PARSE_C */

540
#if defined(POLARSSL_SELF_TEST)
541

542 543
#include "polarssl/certs.h"

544 545 546 547 548
/*
 * Checkup routine
 */
int dhm_self_test( int verbose )
{
549 550 551 552 553
#if defined(POLARSSL_CERTS_C)
    int ret;
    dhm_context dhm;

    if( verbose != 0 )
554
        polarssl_printf( "  DHM parameter load: " );
555 556 557 558 559

    if( ( ret = dhm_parse_dhm( &dhm, (const unsigned char *) test_dhm_params,
                               strlen( test_dhm_params ) ) ) != 0 )
    {
        if( verbose != 0 )
560
            polarssl_printf( "failed\n" );
561 562 563 564 565

        return( ret );
    }

    if( verbose != 0 )
566
        polarssl_printf( "passed\n\n" );
567 568 569 570 571

    dhm_free( &dhm );

    return( 0 );
#else
572 573 574 575
    if( verbose != 0 )
        polarssl_printf( "  DHM parameter load: skipped\n" );

    return( 0 );
576
#endif
577 578 579 580 581
}

#endif

#endif