dhm.c 13.4 KB
Newer Older
1 2 3
/*
 *  Diffie-Hellman-Merkle key exchange
 *
4
 *  Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakker's avatar
Paul Bakker committed
5 6
 *
 *  This file is part of PolarSSL (http://www.polarssl.org)
7
 *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker's avatar
Paul Bakker committed
8
 *
9
 *  All rights reserved.
Paul Bakker's avatar
Paul Bakker committed
10
 *
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
/*
 *  Reference:
 *
 *  http://www.cacr.math.uwaterloo.ca/hac/ (chapter 12)
 */

31
#include "polarssl/config.h"
32

33
#if defined(POLARSSL_DHM_C)
34

35
#include "polarssl/dhm.h"
36

37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
#if defined(POLARSSL_PEM_C)
#include "polarssl/pem.h"
#endif

#if defined(POLARSSL_ASN1_PARSE_C)
#include "polarssl/asn1.h"
#endif

#if defined(POLARSSL_MEMORY_C)
#include "polarssl/memory.h"
#else
#include <stdlib.h>
#define polarssl_malloc     malloc
#define polarssl_free       free
#endif

53 54 55 56 57
/*
 * helper to validate the mpi size and import it
 */
static int dhm_read_bignum( mpi *X,
                            unsigned char **p,
58
                            const unsigned char *end )
59 60 61 62
{
    int ret, n;

    if( end - *p < 2 )
63
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
64 65 66 67 68

    n = ( (*p)[0] << 8 ) | (*p)[1];
    (*p) += 2;

    if( (int)( end - *p ) < n )
69
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
70 71

    if( ( ret = mpi_read_binary( X, *p, n ) ) != 0 )
72
        return( POLARSSL_ERR_DHM_READ_PARAMS_FAILED + ret );
73 74 75 76 77 78

    (*p) += n;

    return( 0 );
}

Paul Bakker's avatar
Paul Bakker committed
79
/*
80
 * Verify sanity of parameter with regards to P
81
 *
82
 * Parameter should be: 2 <= public_param <= P - 2
83 84 85 86
 *
 * For more information on the attack, see:
 *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
 *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
Paul Bakker's avatar
Paul Bakker committed
87
 */
88
static int dhm_check_range( const mpi *param, const mpi *P )
Paul Bakker's avatar
Paul Bakker committed
89
{
90 91
    mpi L, U;
    int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker's avatar
Paul Bakker committed
92

93
    mpi_init( &L ); mpi_init( &U );
94 95
    mpi_lset( &L, 2 );
    mpi_sub_int( &U, P, 2 );
Paul Bakker's avatar
Paul Bakker committed
96

97 98
    if( mpi_cmp_mpi( param, &L ) >= 0 &&
        mpi_cmp_mpi( param, &U ) <= 0 )
Paul Bakker's avatar
Paul Bakker committed
99
    {
100
        ret = 0;
Paul Bakker's avatar
Paul Bakker committed
101 102
    }

103
    mpi_free( &L ); mpi_free( &U );
Paul Bakker's avatar
Paul Bakker committed
104

105
    return( ret );
Paul Bakker's avatar
Paul Bakker committed
106 107
}

108 109 110 111 112
/*
 * Parse the ServerKeyExchange parameters
 */
int dhm_read_params( dhm_context *ctx,
                     unsigned char **p,
113
                     const unsigned char *end )
114
{
Paul Bakker's avatar
Paul Bakker committed
115
    int ret;
116

117
    dhm_free( ctx );
118 119 120 121 122 123

    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
        return( ret );

124 125 126
    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
        return( ret );

127 128 129 130 131 132 133 134 135
    ctx->len = mpi_size( &ctx->P );

    return( 0 );
}

/*
 * Setup and write the ServerKeyExchange parameters
 */
int dhm_make_params( dhm_context *ctx, int x_size,
136
                     unsigned char *output, size_t *olen,
137 138
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
139
{
140
    int ret, count = 0;
141
    size_t n1, n2, n3;
142 143
    unsigned char *p;

144 145 146
    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );

147
    /*
148
     * Generate X as large as possible ( < P )
149
     */
150 151 152
    do
    {
        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
153

154 155 156 157 158 159 160
        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->X, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED );
    }
    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
161

162 163 164
    /*
     * Calculate GX = G^X mod P
     */
165 166 167
    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
                          &ctx->P , &ctx->RP ) );

168
    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
Paul Bakker's avatar
Paul Bakker committed
169 170
        return( ret );

171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194
    /*
     * export P, G, GX
     */
#define DHM_MPI_EXPORT(X,n)                     \
    MPI_CHK( mpi_write_binary( X, p + 2, n ) ); \
    *p++ = (unsigned char)( n >> 8 );           \
    *p++ = (unsigned char)( n      ); p += n;

    n1 = mpi_size( &ctx->P  );
    n2 = mpi_size( &ctx->G  );
    n3 = mpi_size( &ctx->GX );

    p = output;
    DHM_MPI_EXPORT( &ctx->P , n1 );
    DHM_MPI_EXPORT( &ctx->G , n2 );
    DHM_MPI_EXPORT( &ctx->GX, n3 );

    *olen  = p - output;

    ctx->len = n1;

cleanup:

    if( ret != 0 )
195
        return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED + ret );
196 197 198 199 200 201 202 203

    return( 0 );
}

/*
 * Import the peer's public value G^Y
 */
int dhm_read_public( dhm_context *ctx,
204
                     const unsigned char *input, size_t ilen )
205 206 207 208
{
    int ret;

    if( ctx == NULL || ilen < 1 || ilen > ctx->len )
209
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
210 211

    if( ( ret = mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
212
        return( POLARSSL_ERR_DHM_READ_PUBLIC_FAILED + ret );
213 214 215 216 217 218 219 220

    return( 0 );
}

/*
 * Create own private value X and export G^X
 */
int dhm_make_public( dhm_context *ctx, int x_size,
221
                     unsigned char *output, size_t olen,
222 223
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
224
{
225
    int ret, count = 0;
226 227

    if( ctx == NULL || olen < 1 || olen > ctx->len )
228
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
229

230 231 232
    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );

233 234 235
    /*
     * generate X and calculate GX = G^X mod P
     */
236 237 238
    do
    {
        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
239

240 241 242 243 244 245 246
        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
            mpi_shift_r( &ctx->X, 1 );

        if( count++ > 10 )
            return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED );
    }
    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
247 248 249 250

    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
                          &ctx->P , &ctx->RP ) );

251 252
    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
        return( ret );
Paul Bakker's avatar
Paul Bakker committed
253

254 255 256 257 258
    MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );

cleanup:

    if( ret != 0 )
259
        return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
260 261 262 263

    return( 0 );
}

264 265 266 267 268 269 270 271 272 273 274 275
/*
 * Use the blinding method and optimisation suggested in section 10 of:
 *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
 *  DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
 *  Berlin Heidelberg, 1996. p. 104-113.
 */
static int dhm_update_blinding( dhm_context *ctx,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
    int ret, count;

    /*
276
     * If Vi is initialized, update it by squaring it
277
     */
278
    if( ctx->Vi.p != NULL )
279 280
    {
        MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297
        MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
    }
    else
    {
        /* Vi = random( 2, P-1 ) */
        count = 0;
        do
        {
            mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );

            while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
                mpi_shift_r( &ctx->Vi, 1 );

            if( count++ > 10 )
                return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
        }
        while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
298 299 300
    }

    /*
301
     * If X did not change, update Vf by squaring it too
302
     */
303
    if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) == 0 )
304
    {
305 306 307
        MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
        MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
        return( 0 );
308
    }
309 310 311 312

    /*
     * Otherwise, compute Vf from scratch
     */
313 314 315 316 317 318 319 320 321 322 323 324

    /* Vf = Vi^-X mod P */
    MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
    MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );

    /* Remember secret associated with Vi and Vf */
    MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );;

cleanup:
    return( ret );
}

325 326 327 328
/*
 * Derive and export the shared secret (G^Y)^X mod P
 */
int dhm_calc_secret( dhm_context *ctx,
329 330 331
                     unsigned char *output, size_t *olen,
                     int (*f_rng)(void *, unsigned char *, size_t),
                     void *p_rng )
332 333
{
    int ret;
334
    mpi GYb;
335

336
    if( ctx == NULL || *olen < ctx->len )
337
        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
338

339
    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
Paul Bakker's avatar
Paul Bakker committed
340 341
        return( ret );

342 343 344
    mpi_init( &GYb );

    /* Blind peer's value */
345
    if( f_rng != NULL )
346 347 348 349 350 351 352 353 354 355 356 357 358
    {
        MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
        MPI_CHK( mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
        MPI_CHK( mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
    }
    else
        MPI_CHK( mpi_copy( &GYb, &ctx->GY ) );

    /* Do modular exponentiation */
    MPI_CHK( mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
                          &ctx->P, &ctx->RP ) );

    /* Unblind secret value */
359
    if( f_rng != NULL )
360 361 362 363 364
    {
        MPI_CHK( mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
        MPI_CHK( mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
    }

365 366 367 368 369
    *olen = mpi_size( &ctx->K );

    MPI_CHK( mpi_write_binary( &ctx->K, output, *olen ) );

cleanup:
370
    mpi_free( &GYb );
371 372

    if( ret != 0 )
373
        return( POLARSSL_ERR_DHM_CALC_SECRET_FAILED + ret );
374 375 376 377 378 379 380 381 382

    return( 0 );
}

/*
 * Free the components of a DHM key
 */
void dhm_free( dhm_context *ctx )
{
383
    mpi_free( &ctx->_X); mpi_free( &ctx->Vf ); mpi_free( &ctx->Vi );
384 385 386
    mpi_free( &ctx->RP ); mpi_free( &ctx->K ); mpi_free( &ctx->GY );
    mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
    mpi_free( &ctx->P );
387 388

    memset( ctx, 0, sizeof( dhm_context ) );
389 390
}

391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532
#if defined(POLARSSL_ASN1_PARSE_C)
/*
 * Parse DHM parameters
 */
int dhm_parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen )
{
    int ret;
    size_t len;
    unsigned char *p, *end;
#if defined(POLARSSL_PEM_C)
    pem_context pem;

    pem_init( &pem );
    memset( dhm, 0, sizeof( dhm_context ) );

    ret = pem_read_buffer( &pem,
                           "-----BEGIN DH PARAMETERS-----",
                           "-----END DH PARAMETERS-----",
                           dhmin, NULL, 0, &dhminlen );

    if( ret == 0 )
    {
        /*
         * Was PEM encoded
         */
        dhminlen = pem.buflen;
    }
    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
        goto exit;

    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
#else
    p = (unsigned char *) dhmin;
#endif
    end = p + dhminlen;

    /*
     *  DHParams ::= SEQUENCE {
     *      prime            INTEGER,  -- P
     *      generator        INTEGER,  -- g
     *  }
     */
    if( ( ret = asn1_get_tag( &p, end, &len,
            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT + ret;
        goto exit;
    }

    end = p + len;

    if( ( ret = asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
        ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT + ret;
        goto exit;
    }

    if( p != end )
    {
        ret = POLARSSL_ERR_DHM_INVALID_FORMAT +
              POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
        goto exit;
    }

    ret = 0;

exit:
#if defined(POLARSSL_PEM_C)
    pem_free( &pem );
#endif
    if( ret != 0 )
        dhm_free( dhm );

    return( ret );
}

#if defined(POLARSSL_FS_IO)
/*
 * Load all data from a file into a given buffer.
 */
static int load_file( const char *path, unsigned char **buf, size_t *n )
{
    FILE *f;
    long size;

    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );

    fseek( f, 0, SEEK_END );
    if( ( size = ftell( f ) ) == -1 )
    {
        fclose( f );
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
    }
    fseek( f, 0, SEEK_SET );

    *n = (size_t) size;

    if( *n + 1 == 0 ||
        ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
    {
        fclose( f );
        return( POLARSSL_ERR_DHM_MALLOC_FAILED );
    }

    if( fread( *buf, 1, *n, f ) != *n )
    {
        fclose( f );
        polarssl_free( *buf );
        return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
    }

    fclose( f );

    (*buf)[*n] = '\0';

    return( 0 );
}

/*
 * Load and parse DHM parameters
 */
int dhm_parse_dhmfile( dhm_context *dhm, const char *path )
{
    int ret;
    size_t n;
    unsigned char *buf;

    if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
        return( ret );

    ret = dhm_parse_dhm( dhm, buf, n );

    memset( buf, 0, n + 1 );
    polarssl_free( buf );

    return( ret );
}
#endif /* POLARSSL_FS_IO */
#endif /* POLARSSL_ASN1_PARSE_C */

533
#if defined(POLARSSL_SELF_TEST)
534

535 536
#include "polarssl/certs.h"

537 538 539 540 541
/*
 * Checkup routine
 */
int dhm_self_test( int verbose )
{
542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567
#if defined(POLARSSL_CERTS_C)
    int ret;
    dhm_context dhm;

    if( verbose != 0 )
        printf( "  DHM parameter load: " );

    if( ( ret = dhm_parse_dhm( &dhm, (const unsigned char *) test_dhm_params,
                               strlen( test_dhm_params ) ) ) != 0 )
    {
        if( verbose != 0 )
            printf( "failed\n" );

        return( ret );
    }

    if( verbose != 0 )
        printf( "passed\n\n" );

    dhm_free( &dhm );

    return( 0 );
#else
    ((void) verbose);
    return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
#endif
568 569 570 571 572
}

#endif

#endif