1 /* $NetBSD: dh-tfm.c,v 1.2 2017/01/28 21:31:47 christos Exp $ */ 2 3 /* 4 * Copyright (c) 2006 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <config.h> 37 #include <krb5/roken.h> 38 39 #include <dh.h> 40 41 #ifdef USE_HCRYPTO_TFM 42 43 #include "tfm.h" 44 45 static void 46 BN2mpz(fp_int *s, const BIGNUM *bn) 47 { 48 size_t len; 49 void *p; 50 51 len = BN_num_bytes(bn); 52 p = malloc(len); 53 BN_bn2bin(bn, p); 54 fp_read_unsigned_bin(s, p, len); 55 free(p); 56 } 57 58 59 static BIGNUM * 60 mpz2BN(fp_int *s) 61 { 62 size_t size; 63 BIGNUM *bn; 64 void *p; 65 66 size = fp_unsigned_bin_size(s); 67 p = malloc(size); 68 if (p == NULL && size != 0) 69 return NULL; 70 fp_to_unsigned_bin(s, p); 71 72 bn = BN_bin2bn(p, size, NULL); 73 free(p); 74 return bn; 75 } 76 77 /* 78 * 79 */ 80 81 #define DH_NUM_TRIES 10 82 83 static int 84 tfm_dh_generate_key(DH *dh) 85 { 86 fp_int pub, priv_key, g, p; 87 int have_private_key = (dh->priv_key != NULL); 88 int codes, times = 0; 89 int res; 90 91 if (dh->p == NULL || dh->g == NULL) 92 return 0; 93 94 while (times++ < DH_NUM_TRIES) { 95 if (!have_private_key) { 96 size_t bits = BN_num_bits(dh->p); 97 98 if (dh->priv_key) 99 BN_free(dh->priv_key); 100 101 dh->priv_key = BN_new(); 102 if (dh->priv_key == NULL) 103 return 0; 104 if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) { 105 BN_clear_free(dh->priv_key); 106 dh->priv_key = NULL; 107 return 0; 108 } 109 } 110 if (dh->pub_key) 111 BN_free(dh->pub_key); 112 113 fp_init_multi(&pub, &priv_key, &g, &p, NULL); 114 115 BN2mpz(&priv_key, dh->priv_key); 116 BN2mpz(&g, dh->g); 117 BN2mpz(&p, dh->p); 118 119 res = fp_exptmod(&g, &priv_key, &p, &pub); 120 121 fp_zero(&priv_key); 122 fp_zero(&g); 123 fp_zero(&p); 124 if (res != 0) 125 continue; 126 127 dh->pub_key = mpz2BN(&pub); 128 fp_zero(&pub); 129 if (dh->pub_key == NULL) 130 return 0; 131 132 if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0) 133 break; 134 if (have_private_key) 135 return 0; 136 } 137 138 if (times >= DH_NUM_TRIES) { 139 if (!have_private_key && dh->priv_key) { 140 BN_free(dh->priv_key); 141 dh->priv_key = NULL; 142 } 143 if (dh->pub_key) { 144 BN_free(dh->pub_key); 145 dh->pub_key = NULL; 146 } 147 return 0; 148 } 149 150 return 1; 151 } 152 153 static int 154 tfm_dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh) 155 { 156 fp_int s, priv_key, p, peer_pub; 157 size_t size = 0; 158 int ret; 159 160 if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL) 161 return -1; 162 163 fp_init(&p); 164 BN2mpz(&p, dh->p); 165 166 fp_init(&peer_pub); 167 BN2mpz(&peer_pub, pub); 168 169 /* check if peers pubkey is reasonable */ 170 if (fp_isneg(&peer_pub) 171 || fp_cmp(&peer_pub, &p) >= 0 172 || fp_cmp_d(&peer_pub, 1) <= 0) 173 { 174 fp_zero(&p); 175 fp_zero(&peer_pub); 176 return -1; 177 } 178 179 fp_init(&priv_key); 180 BN2mpz(&priv_key, dh->priv_key); 181 182 fp_init(&s); 183 184 ret = fp_exptmod(&peer_pub, &priv_key, &p, &s); 185 186 fp_zero(&p); 187 fp_zero(&peer_pub); 188 fp_zero(&priv_key); 189 190 if (ret != 0) 191 return -1; 192 193 size = fp_unsigned_bin_size(&s); 194 fp_to_unsigned_bin(&s, shared); 195 fp_zero(&s); 196 197 return size; 198 } 199 200 static int 201 tfm_dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback) 202 { 203 /* groups should already be known, we don't care about this */ 204 return 0; 205 } 206 207 static int 208 tfm_dh_init(DH *dh) 209 { 210 return 1; 211 } 212 213 static int 214 tfm_dh_finish(DH *dh) 215 { 216 return 1; 217 } 218 219 220 /* 221 * 222 */ 223 224 const DH_METHOD _hc_dh_tfm_method = { 225 "hcrypto tfm DH", 226 tfm_dh_generate_key, 227 tfm_dh_compute_key, 228 NULL, 229 tfm_dh_init, 230 tfm_dh_finish, 231 0, 232 NULL, 233 tfm_dh_generate_params 234 }; 235 236 /** 237 * DH implementation using tfm. 238 * 239 * @return the DH_METHOD for the DH implementation using tfm. 240 * 241 * @ingroup hcrypto_dh 242 */ 243 244 const DH_METHOD * 245 DH_tfm_method(void) 246 { 247 return &_hc_dh_tfm_method; 248 } 249 250 #endif 251