1/* $NetBSD: dh-tfm.c,v 1.1.1.1 2011/04/13 18:14:49 elric Exp $ */ 2 3/* 4 * Copyright (c) 2006 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include <config.h> 37 38#include <stdio.h> 39#include <stdlib.h> 40#include <dh.h> 41 42#include <krb5/roken.h> 43 44#ifdef USE_HCRYPTO_TFM 45 46#include "tfm.h" 47 48static void 49BN2mpz(fp_int *s, const BIGNUM *bn) 50{ 51 size_t len; 52 void *p; 53 54 len = BN_num_bytes(bn); 55 p = malloc(len); 56 BN_bn2bin(bn, p); 57 fp_read_unsigned_bin(s, p, len); 58 free(p); 59} 60 61 62static BIGNUM * 63mpz2BN(fp_int *s) 64{ 65 size_t size; 66 BIGNUM *bn; 67 void *p; 68 69 size = fp_unsigned_bin_size(s); 70 p = malloc(size); 71 if (p == NULL && size != 0) 72 return NULL; 73 fp_to_unsigned_bin(s, p); 74 75 bn = BN_bin2bn(p, size, NULL); 76 free(p); 77 return bn; 78} 79 80/* 81 * 82 */ 83 84#define DH_NUM_TRIES 10 85 86static int 87tfm_dh_generate_key(DH *dh) 88{ 89 fp_int pub, priv_key, g, p; 90 int have_private_key = (dh->priv_key != NULL); 91 int codes, times = 0; 92 int res; 93 94 if (dh->p == NULL || dh->g == NULL) 95 return 0; 96 97 while (times++ < DH_NUM_TRIES) { 98 if (!have_private_key) { 99 size_t bits = BN_num_bits(dh->p); 100 101 if (dh->priv_key) 102 BN_free(dh->priv_key); 103 104 dh->priv_key = BN_new(); 105 if (dh->priv_key == NULL) 106 return 0; 107 if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) { 108 BN_clear_free(dh->priv_key); 109 dh->priv_key = NULL; 110 return 0; 111 } 112 } 113 if (dh->pub_key) 114 BN_free(dh->pub_key); 115 116 fp_init_multi(&pub, &priv_key, &g, &p, NULL); 117 118 BN2mpz(&priv_key, dh->priv_key); 119 BN2mpz(&g, dh->g); 120 BN2mpz(&p, dh->p); 121 122 res = fp_exptmod(&g, &priv_key, &p, &pub); 123 124 fp_zero(&priv_key); 125 fp_zero(&g); 126 fp_zero(&p); 127 if (res != 0) 128 continue; 129 130 dh->pub_key = mpz2BN(&pub); 131 fp_zero(&pub); 132 if (dh->pub_key == NULL) 133 return 0; 134 135 if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0) 136 break; 137 if (have_private_key) 138 return 0; 139 } 140 141 if (times >= DH_NUM_TRIES) { 142 if (!have_private_key && dh->priv_key) { 143 BN_free(dh->priv_key); 144 dh->priv_key = NULL; 145 } 146 if (dh->pub_key) { 147 BN_free(dh->pub_key); 148 dh->pub_key = NULL; 149 } 150 return 0; 151 } 152 153 return 1; 154} 155 156static int 157tfm_dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh) 158{ 159 fp_int s, priv_key, p, peer_pub; 160 size_t size = 0; 161 int ret; 162 163 if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL) 164 return -1; 165 166 fp_init(&p); 167 BN2mpz(&p, dh->p); 168 169 fp_init(&peer_pub); 170 BN2mpz(&peer_pub, pub); 171 172 /* check if peers pubkey is reasonable */ 173 if (fp_isneg(&peer_pub) 174 || fp_cmp(&peer_pub, &p) >= 0 175 || fp_cmp_d(&peer_pub, 1) <= 0) 176 { 177 fp_zero(&p); 178 fp_zero(&peer_pub); 179 return -1; 180 } 181 182 fp_init(&priv_key); 183 BN2mpz(&priv_key, dh->priv_key); 184 185 fp_init(&s); 186 187 ret = fp_exptmod(&peer_pub, &priv_key, &p, &s); 188 189 fp_zero(&p); 190 fp_zero(&peer_pub); 191 fp_zero(&priv_key); 192 193 if (ret != 0) 194 return -1; 195 196 size = fp_unsigned_bin_size(&s); 197 fp_to_unsigned_bin(&s, shared); 198 fp_zero(&s); 199 200 return size; 201} 202 203static int 204tfm_dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback) 205{ 206 /* groups should already be known, we don't care about this */ 207 return 0; 208} 209 210static int 211tfm_dh_init(DH *dh) 212{ 213 return 1; 214} 215 216static int 217tfm_dh_finish(DH *dh) 218{ 219 return 1; 220} 221 222 223/* 224 * 225 */ 226 227const DH_METHOD _hc_dh_tfm_method = { 228 "hcrypto tfm DH", 229 tfm_dh_generate_key, 230 tfm_dh_compute_key, 231 NULL, 232 tfm_dh_init, 233 tfm_dh_finish, 234 0, 235 NULL, 236 tfm_dh_generate_params 237}; 238 239/** 240 * DH implementation using tfm. 241 * 242 * @return the DH_METHOD for the DH implementation using tfm. 243 * 244 * @ingroup hcrypto_dh 245 */ 246 247const DH_METHOD * 248DH_tfm_method(void) 249{ 250 return &_hc_dh_tfm_method; 251} 252 253#endif 254