1/*
2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include <config.h>
35
36#include <stdio.h>
37#include <stdlib.h>
38#include <dh.h>
39
40#include <roken.h>
41
42#ifdef USE_HCRYPTO_TFM
43
44#include "tfm.h"
45
46static void
47BN2mpz(fp_int *s, const BIGNUM *bn)
48{
49    size_t len;
50    void *p;
51
52    len = BN_num_bytes(bn);
53    p = malloc(len);
54    BN_bn2bin(bn, p);
55    fp_read_unsigned_bin(s, p, len);
56    free(p);
57}
58
59
60static BIGNUM *
61mpz2BN(fp_int *s)
62{
63    size_t size;
64    BIGNUM *bn;
65    void *p;
66
67    size = fp_unsigned_bin_size(s);
68    p = malloc(size);
69    if (p == NULL && size != 0)
70	return NULL;
71    fp_to_unsigned_bin(s, p);
72
73    bn = BN_bin2bn(p, size, NULL);
74    free(p);
75    return bn;
76}
77
78/*
79 *
80 */
81
82#define DH_NUM_TRIES 10
83
84static int
85tfm_dh_generate_key(DH *dh)
86{
87    fp_int pub, priv_key, g, p;
88    int have_private_key = (dh->priv_key != NULL);
89    int codes, times = 0;
90    int res;
91
92    if (dh->p == NULL || dh->g == NULL)
93	return 0;
94
95    while (times++ < DH_NUM_TRIES) {
96	if (!have_private_key) {
97	    size_t bits = BN_num_bits(dh->p);
98
99	    if (dh->priv_key)
100		BN_free(dh->priv_key);
101
102	    dh->priv_key = BN_new();
103	    if (dh->priv_key == NULL)
104		return 0;
105	    if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) {
106		BN_clear_free(dh->priv_key);
107		dh->priv_key = NULL;
108		return 0;
109	    }
110	}
111	if (dh->pub_key)
112	    BN_free(dh->pub_key);
113
114	fp_init_multi(&pub, &priv_key, &g, &p, NULL);
115
116	BN2mpz(&priv_key, dh->priv_key);
117	BN2mpz(&g, dh->g);
118	BN2mpz(&p, dh->p);
119
120	res = fp_exptmod(&g, &priv_key, &p, &pub);
121
122	fp_zero(&priv_key);
123	fp_zero(&g);
124	fp_zero(&p);
125	if (res != 0)
126	    continue;
127
128	dh->pub_key = mpz2BN(&pub);
129	fp_zero(&pub);
130	if (dh->pub_key == NULL)
131	    return 0;
132
133	if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0)
134	    break;
135	if (have_private_key)
136	    return 0;
137    }
138
139    if (times >= DH_NUM_TRIES) {
140	if (!have_private_key && dh->priv_key) {
141	    BN_free(dh->priv_key);
142	    dh->priv_key = NULL;
143	}
144	if (dh->pub_key) {
145	    BN_free(dh->pub_key);
146	    dh->pub_key = NULL;
147	}
148	return 0;
149    }
150
151    return 1;
152}
153
154static int
155tfm_dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh)
156{
157    fp_int s, priv_key, p, peer_pub;
158    size_t size = 0;
159    int ret;
160
161    if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL)
162	return -1;
163
164    fp_init(&p);
165    BN2mpz(&p, dh->p);
166
167    fp_init(&peer_pub);
168    BN2mpz(&peer_pub, pub);
169
170    /* check if peers pubkey is reasonable */
171    if (fp_isneg(&peer_pub)
172	|| fp_cmp(&peer_pub, &p) >= 0
173	|| fp_cmp_d(&peer_pub, 1) <= 0)
174    {
175	fp_zero(&p);
176	fp_zero(&peer_pub);
177	return -1;
178    }
179
180    fp_init(&priv_key);
181    BN2mpz(&priv_key, dh->priv_key);
182
183    fp_init(&s);
184
185    ret = fp_exptmod(&peer_pub, &priv_key, &p, &s);
186
187    fp_zero(&p);
188    fp_zero(&peer_pub);
189    fp_zero(&priv_key);
190
191    if (ret != 0)
192	return -1;
193
194    size = fp_unsigned_bin_size(&s);
195    fp_to_unsigned_bin(&s, shared);
196    fp_zero(&s);
197
198    return size;
199}
200
201static int
202tfm_dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback)
203{
204    /* groups should already be known, we don't care about this */
205    return 0;
206}
207
208static int
209tfm_dh_init(DH *dh)
210{
211    return 1;
212}
213
214static int
215tfm_dh_finish(DH *dh)
216{
217    return 1;
218}
219
220
221/*
222 *
223 */
224
225const DH_METHOD _hc_dh_tfm_method = {
226    "hcrypto tfm DH",
227    tfm_dh_generate_key,
228    tfm_dh_compute_key,
229    NULL,
230    tfm_dh_init,
231    tfm_dh_finish,
232    0,
233    NULL,
234    tfm_dh_generate_params
235};
236
237/**
238 * DH implementation using tfm.
239 *
240 * @return the DH_METHOD for the DH implementation using tfm.
241 *
242 * @ingroup hcrypto_dh
243 */
244
245const DH_METHOD *
246DH_tfm_method(void)
247{
248    return &_hc_dh_tfm_method;
249}
250
251#endif
252