1/*
2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifdef HAVE_CONFIG_H
35#include <config.h>
36#endif
37
38#include <stdio.h>
39#include <stdlib.h>
40#include <dh.h>
41
42#include <roken.h>
43
44#include "imath/imath.h"
45
46static void
47BN2mpz(mpz_t *s, const BIGNUM *bn)
48{
49    size_t len;
50    void *p;
51
52    len = BN_num_bytes(bn);
53    p = malloc(len);
54    BN_bn2bin(bn, p);
55    mp_int_read_unsigned(s, p, len);
56    free(p);
57}
58
59
60static BIGNUM *
61mpz2BN(mpz_t *s)
62{
63    size_t size;
64    BIGNUM *bn;
65    void *p;
66
67    size = mp_int_unsigned_len(s);
68    p = malloc(size);
69    if (p == NULL && size != 0)
70	return NULL;
71    mp_int_to_unsigned(s, p, size);
72
73    bn = BN_bin2bn(p, size, NULL);
74    free(p);
75    return bn;
76}
77
78/*
79 *
80 */
81
82#define DH_NUM_TRIES 10
83
84static int
85dh_generate_key(DH *dh)
86{
87    mpz_t pub, priv_key, g, p;
88    int have_private_key = (dh->priv_key != NULL);
89    int codes, times = 0;
90    mp_result res;
91
92    if (dh->p == NULL || dh->g == NULL)
93	return 0;
94
95    while (times++ < DH_NUM_TRIES) {
96	if (!have_private_key) {
97	    size_t bits = BN_num_bits(dh->p);
98
99	    if (dh->priv_key)
100		BN_free(dh->priv_key);
101
102	    dh->priv_key = BN_new();
103	    if (dh->priv_key == NULL)
104		return 0;
105	    if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) {
106		BN_clear_free(dh->priv_key);
107		dh->priv_key = NULL;
108		return 0;
109	    }
110	}
111	if (dh->pub_key)
112	    BN_free(dh->pub_key);
113
114	mp_int_init(&pub);
115	mp_int_init(&priv_key);
116	mp_int_init(&g);
117	mp_int_init(&p);
118
119	BN2mpz(&priv_key, dh->priv_key);
120	BN2mpz(&g, dh->g);
121	BN2mpz(&p, dh->p);
122
123	res = mp_int_exptmod(&g, &priv_key, &p, &pub);
124
125	mp_int_clear(&priv_key);
126	mp_int_clear(&g);
127	mp_int_clear(&p);
128	if (res != MP_OK)
129	    continue;
130
131	dh->pub_key = mpz2BN(&pub);
132	mp_int_clear(&pub);
133	if (dh->pub_key == NULL)
134	    return 0;
135
136	if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0)
137	    break;
138	if (have_private_key)
139	    return 0;
140    }
141
142    if (times >= DH_NUM_TRIES) {
143	if (!have_private_key && dh->priv_key) {
144	    BN_free(dh->priv_key);
145	    dh->priv_key = NULL;
146	}
147	if (dh->pub_key) {
148	    BN_free(dh->pub_key);
149	    dh->pub_key = NULL;
150	}
151	return 0;
152    }
153
154    return 1;
155}
156
157static int
158dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh)
159{
160    mpz_t s, priv_key, p, peer_pub;
161    size_t size = 0;
162    mp_result res;
163
164    if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL)
165	return -1;
166
167    mp_int_init(&p);
168    BN2mpz(&p, dh->p);
169
170    mp_int_init(&peer_pub);
171    BN2mpz(&peer_pub, pub);
172
173    /* check if peers pubkey is reasonable */
174    if (MP_SIGN(&peer_pub) == MP_NEG
175	|| mp_int_compare(&peer_pub, &p) >= 0
176	|| mp_int_compare_value(&peer_pub, 1) <= 0)
177    {
178	mp_int_clear(&p);
179	mp_int_clear(&peer_pub);
180	return -1;
181    }
182
183    mp_int_init(&priv_key);
184    BN2mpz(&priv_key, dh->priv_key);
185
186    mp_int_init(&s);
187
188    mp_int_exptmod(&peer_pub, &priv_key, &p, &s);
189
190    mp_int_clear(&p);
191    mp_int_clear(&peer_pub);
192    mp_int_clear(&priv_key);
193
194    size = mp_int_unsigned_len(&s);
195    res = mp_int_to_unsigned(&s, shared, size);
196    mp_int_clear(&s);
197
198    return (res == MP_OK) ? size : -1;
199}
200
201static int
202dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback)
203{
204    /* groups should already be known, we don't care about this */
205    return 0;
206}
207
208static int
209dh_init(DH *dh)
210{
211    return 1;
212}
213
214static int
215dh_finish(DH *dh)
216{
217    return 1;
218}
219
220
221/*
222 *
223 */
224
225const DH_METHOD _hc_dh_imath_method = {
226    "hcrypto imath DH",
227    dh_generate_key,
228    dh_compute_key,
229    NULL,
230    dh_init,
231    dh_finish,
232    0,
233    NULL,
234    dh_generate_params
235};
236
237/**
238 * DH implementation using libimath.
239 *
240 * @return the DH_METHOD for the DH implementation using libimath.
241 *
242 * @ingroup hcrypto_dh
243 */
244
245const DH_METHOD *
246DH_imath_method(void)
247{
248    return &_hc_dh_imath_method;
249}
250