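/*
 * Copyright (c) 2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <dh.h>

#include <roken.h>

#ifdef USE_HCRYPTO_TFM

#include "tfm.h"

/*
 * Overwrite a temporary buffer before it is released.  BN2mpz() below is
 * called on the DH private key, so its scratch copy must not be handed back
 * to the allocator intact.  The volatile-qualified pointer keeps the stores
 * from being discarded as dead writes ahead of free().
 */
static void
scrub_buf(void *buf, size_t len)
{
    volatile unsigned char *b = buf;

    while (len--)
        *b++ = 0;
}

/*
 * Load the magnitude of `bn' into the tfm integer `s'.
 *
 * Returns 1 on success and 0 when the scratch buffer cannot be allocated;
 * in the failure case `s' is left as the caller initialised it.  The
 * original version passed an unchecked malloc() result to BN_bn2bin().
 */
static int
BN2mpz(fp_int *s, const BIGNUM *bn)
{
    size_t len;
    void *p;

    len = BN_num_bytes(bn);
    p = malloc(len);
    /* malloc(0) may legitimately return NULL, same convention as mpz2BN() */
    if (p == NULL && len != 0)
        return 0;
    BN_bn2bin(bn, p);
    fp_read_unsigned_bin(s, p, len);
    scrub_buf(p, len);
    free(p);
    return 1;
}

/*
 * Convert the tfm integer `s' into a newly allocated BIGNUM.
 *
 * Returns NULL if the scratch buffer cannot be allocated, otherwise
 * whatever BN_bin2bn() returns.  The caller owns the result.
 */
static BIGNUM *
mpz2BN(fp_int *s)
{
    size_t size;
    BIGNUM *bn;
    void *p;

    size = fp_unsigned_bin_size(s);
    p = malloc(size);
    if (p == NULL && size != 0)
        return NULL;
    fp_to_unsigned_bin(s, p);

    bn = BN_bin2bn(p, size, NULL);
    free(p);
    return bn;
}

/*
 * Key generation
 */

#define DH_NUM_TRIES 10

/*
 * Fill in dh->pub_key = g^priv mod p, generating dh->priv_key first when
 * the caller did not supply one.
 *
 * A generated private key is retried up to DH_NUM_TRIES times until
 * DH_check_pubkey() accepts the resulting public key.  A caller-supplied
 * private key is never replaced: if its public key is rejected the function
 * fails immediately.
 *
 * Returns 1 on success, 0 on failure.  After the retry budget is used up
 * (or a conversion fails) dh->pub_key is NULL and a private key generated
 * here has been released.
 */
static int
tfm_dh_generate_key(DH *dh)
{
    fp_int pub, priv_key, g, p;
    int have_private_key = (dh->priv_key != NULL);
    int codes, times;
    int generated = 0;
    int res;

    if (dh->p == NULL || dh->g == NULL)
        return 0;

    for (times = 0; times < DH_NUM_TRIES; times++) {
        if (!have_private_key) {
            size_t bits = BN_num_bits(dh->p);

            /* a rejected candidate is still secret material: clear it */
            if (dh->priv_key)
                BN_clear_free(dh->priv_key);

            dh->priv_key = BN_new();
            if (dh->priv_key == NULL)
                return 0;
            if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) {
                BN_clear_free(dh->priv_key);
                dh->priv_key = NULL;
                return 0;
            }
        }
        if (dh->pub_key) {
            BN_free(dh->pub_key);
            /*
             * Reset the pointer: the `continue' below and the failure
             * cleanup after the loop both test dh->pub_key again and would
             * otherwise free it a second time.
             */
            dh->pub_key = NULL;
        }

        fp_init_multi(&pub, &priv_key, &g, &p, NULL);

        if (!BN2mpz(&priv_key, dh->priv_key)
            || !BN2mpz(&g, dh->g)
            || !BN2mpz(&p, dh->p)) {
            /* out of memory: retrying will not help, take the failure path */
            fp_zero(&priv_key);
            fp_zero(&g);
            fp_zero(&p);
            break;
        }

        res = fp_exptmod(&g, &priv_key, &p, &pub);

        fp_zero(&priv_key);
        fp_zero(&g);
        fp_zero(&p);
        if (res != 0)
            continue;

        dh->pub_key = mpz2BN(&pub);
        fp_zero(&pub);
        if (dh->pub_key == NULL)
            return 0;

        if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0) {
            generated = 1;
            break;
        }
        if (have_private_key)
            return 0;
    }

    /*
     * Decide on an explicit flag rather than on the try counter: the old
     * `times >= DH_NUM_TRIES' test also fired when the last permitted
     * attempt succeeded and threw away a valid key pair.
     */
    if (!generated) {
        if (!have_private_key && dh->priv_key) {
            BN_clear_free(dh->priv_key);
            dh->priv_key = NULL;
        }
        if (dh->pub_key) {
            BN_free(dh->pub_key);
            dh->pub_key = NULL;
        }
        return 0;
    }

    return 1;
}

/*
 * Compute the shared secret pub^priv mod p and store it, big-endian and
 * without padding, in `shared'.
 *
 * Nothing in this function bounds the write into `shared': the caller must
 * supply a buffer large enough for a value reduced modulo dh->p.
 *
 * Returns the number of bytes written, or -1 if a parameter is missing, the
 * peer's public value is outside the open interval (1, p), memory runs out,
 * or the exponentiation fails.
 */
static int
tfm_dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh)
{
    fp_int s, priv_key, p, peer_pub;
    size_t size = 0;
    int ret = -1;

    /* dh->p is dereferenced below, so it has to be checked along with the rest */
    if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL
        || dh->p == NULL || pub == NULL)
        return -1;

    fp_init_multi(&s, &priv_key, &p, &peer_pub, NULL);

    if (!BN2mpz(&p, dh->p) || !BN2mpz(&peer_pub, pub))
        goto out;

    /*
     * check if peers pubkey is reasonable
     *
     * NOTE(review): this is a range check only (1 < pub < p).  It does not
     * reject p - 1 and does not test subgroup membership; if the group in
     * use requires that, it has to be validated elsewhere.
     */
    if (fp_isneg(&peer_pub)
        || fp_cmp(&peer_pub, &p) >= 0
        || fp_cmp_d(&peer_pub, 1) <= 0)
        goto out;

    if (!BN2mpz(&priv_key, dh->priv_key))
        goto out;

    if (fp_exptmod(&peer_pub, &priv_key, &p, &s) != 0)
        goto out;

    size = fp_unsigned_bin_size(&s);
    fp_to_unsigned_bin(&s, shared);
    ret = (int)size;

out:
    /* wipe every working copy, including the private key and the secret */
    fp_zero(&p);
    fp_zero(&peer_pub);
    fp_zero(&priv_key);
    fp_zero(&s);

    return ret;
}

/*
 * Parameter generation is not implemented by this backend; always returns 0.
 */
static int
tfm_dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback)
{
    /* groups should already be known, we don't care about this */
    return 0;
}

/* No per-object state to set up; always returns 1. */
static int
tfm_dh_init(DH *dh)
{
    return 1;
}

/* No per-object state to tear down; always returns 1. */
static int
tfm_dh_finish(DH *dh)
{
    return 1;
}


/*
 * Method table
 */

const DH_METHOD _hc_dh_tfm_method = {
    "hcrypto tfm DH",
    tfm_dh_generate_key,
    tfm_dh_compute_key,
    NULL,
    tfm_dh_init,
    tfm_dh_finish,
    0,
    NULL,
    tfm_dh_generate_params
};

/**
 * DH implementation using tfm.
 *
 * @return the DH_METHOD for the DH implementation using tfm.
 *
 * @ingroup hcrypto_dh
 */

const DH_METHOD *
DH_tfm_method(void)
{
    return &_hc_dh_tfm_method;
}

#endif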