Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
8774 | rgimad | 1 | /* |
2 | * Diffie-Hellman-Merkle key exchange |
||
3 | * |
||
4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved |
||
5 | * SPDX-License-Identifier: GPL-2.0 |
||
6 | * |
||
7 | * This program is free software; you can redistribute it and/or modify |
||
8 | * it under the terms of the GNU General Public License as published by |
||
9 | * the Free Software Foundation; either version 2 of the License, or |
||
10 | * (at your option) any later version. |
||
11 | * |
||
12 | * This program is distributed in the hope that it will be useful, |
||
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
15 | * GNU General Public License for more details. |
||
16 | * |
||
17 | * You should have received a copy of the GNU General Public License along |
||
18 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
20 | * |
||
21 | * This file is part of mbed TLS (https://tls.mbed.org) |
||
22 | */ |
||
23 | /* |
||
24 | * The following sources were referenced in the design of this implementation |
||
25 | * of the Diffie-Hellman-Merkle algorithm: |
||
26 | * |
||
27 | * [1] Handbook of Applied Cryptography - 1997, Chapter 12 |
||
28 | * Menezes, van Oorschot and Vanstone |
||
29 | * |
||
30 | */ |
||
31 | |||
32 | #if !defined(MBEDTLS_CONFIG_FILE) |
||
33 | #include "mbedtls/config.h" |
||
34 | #else |
||
35 | #include MBEDTLS_CONFIG_FILE |
||
36 | #endif |
||
37 | |||
38 | #if defined(MBEDTLS_DHM_C) |
||
39 | |||
40 | #include "mbedtls/dhm.h" |
||
41 | #include "mbedtls/platform_util.h" |
||
42 | |||
43 | #include |
||
44 | |||
45 | #if defined(MBEDTLS_PEM_PARSE_C) |
||
46 | #include "mbedtls/pem.h" |
||
47 | #endif |
||
48 | |||
49 | #if defined(MBEDTLS_ASN1_PARSE_C) |
||
50 | #include "mbedtls/asn1.h" |
||
51 | #endif |
||
52 | |||
53 | #if defined(MBEDTLS_PLATFORM_C) |
||
54 | #include "mbedtls/platform.h" |
||
55 | #else |
||
56 | #include |
||
57 | #include |
||
58 | #define mbedtls_printf printf |
||
59 | #define mbedtls_calloc calloc |
||
60 | #define mbedtls_free free |
||
61 | #endif |
||
62 | |||
63 | #if !defined(MBEDTLS_DHM_ALT) |
||
64 | |||
65 | #define DHM_VALIDATE_RET( cond ) \ |
||
66 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA ) |
||
67 | #define DHM_VALIDATE( cond ) \ |
||
68 | MBEDTLS_INTERNAL_VALIDATE( cond ) |
||
69 | |||
70 | /* |
||
71 | * helper to validate the mbedtls_mpi size and import it |
||
72 | */ |
||
73 | static int dhm_read_bignum( mbedtls_mpi *X, |
||
74 | unsigned char **p, |
||
75 | const unsigned char *end ) |
||
76 | { |
||
77 | int ret, n; |
||
78 | |||
79 | if( end - *p < 2 ) |
||
80 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
81 | |||
82 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
||
83 | (*p) += 2; |
||
84 | |||
85 | if( (int)( end - *p ) < n ) |
||
86 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
87 | |||
88 | if( ( ret = mbedtls_mpi_read_binary( X, *p, n ) ) != 0 ) |
||
89 | return( MBEDTLS_ERR_DHM_READ_PARAMS_FAILED + ret ); |
||
90 | |||
91 | (*p) += n; |
||
92 | |||
93 | return( 0 ); |
||
94 | } |
||
95 | |||
96 | /* |
||
97 | * Verify sanity of parameter with regards to P |
||
98 | * |
||
99 | * Parameter should be: 2 <= public_param <= P - 2 |
||
100 | * |
||
101 | * This means that we need to return an error if |
||
102 | * public_param < 2 or public_param > P-2 |
||
103 | * |
||
104 | * For more information on the attack, see: |
||
105 | * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf |
||
106 | * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643 |
||
107 | */ |
||
108 | static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P ) |
||
109 | { |
||
110 | mbedtls_mpi L, U; |
||
111 | int ret = 0; |
||
112 | |||
113 | mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U ); |
||
114 | |||
115 | MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) ); |
||
116 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) ); |
||
117 | |||
118 | if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 || |
||
119 | mbedtls_mpi_cmp_mpi( param, &U ) > 0 ) |
||
120 | { |
||
121 | ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA; |
||
122 | } |
||
123 | |||
124 | cleanup: |
||
125 | mbedtls_mpi_free( &L ); mbedtls_mpi_free( &U ); |
||
126 | return( ret ); |
||
127 | } |
||
128 | |||
129 | void mbedtls_dhm_init( mbedtls_dhm_context *ctx ) |
||
130 | { |
||
131 | DHM_VALIDATE( ctx != NULL ); |
||
132 | memset( ctx, 0, sizeof( mbedtls_dhm_context ) ); |
||
133 | } |
||
134 | |||
135 | /* |
||
136 | * Parse the ServerKeyExchange parameters |
||
137 | */ |
||
138 | int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, |
||
139 | unsigned char **p, |
||
140 | const unsigned char *end ) |
||
141 | { |
||
142 | int ret; |
||
143 | DHM_VALIDATE_RET( ctx != NULL ); |
||
144 | DHM_VALIDATE_RET( p != NULL && *p != NULL ); |
||
145 | DHM_VALIDATE_RET( end != NULL ); |
||
146 | |||
147 | if( ( ret = dhm_read_bignum( &ctx->P, p, end ) ) != 0 || |
||
148 | ( ret = dhm_read_bignum( &ctx->G, p, end ) ) != 0 || |
||
149 | ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 ) |
||
150 | return( ret ); |
||
151 | |||
152 | if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 ) |
||
153 | return( ret ); |
||
154 | |||
155 | ctx->len = mbedtls_mpi_size( &ctx->P ); |
||
156 | |||
157 | return( 0 ); |
||
158 | } |
||
159 | |||
160 | /* |
||
161 | * Setup and write the ServerKeyExchange parameters |
||
162 | */ |
||
163 | int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, |
||
164 | unsigned char *output, size_t *olen, |
||
165 | int (*f_rng)(void *, unsigned char *, size_t), |
||
166 | void *p_rng ) |
||
167 | { |
||
168 | int ret, count = 0; |
||
169 | size_t n1, n2, n3; |
||
170 | unsigned char *p; |
||
171 | DHM_VALIDATE_RET( ctx != NULL ); |
||
172 | DHM_VALIDATE_RET( output != NULL ); |
||
173 | DHM_VALIDATE_RET( olen != NULL ); |
||
174 | DHM_VALIDATE_RET( f_rng != NULL ); |
||
175 | |||
176 | if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 ) |
||
177 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
178 | |||
179 | /* |
||
180 | * Generate X as large as possible ( < P ) |
||
181 | */ |
||
182 | do |
||
183 | { |
||
184 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) ); |
||
185 | |||
186 | while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 ) |
||
187 | MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) ); |
||
188 | |||
189 | if( count++ > 10 ) |
||
190 | return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED ); |
||
191 | } |
||
192 | while( dhm_check_range( &ctx->X, &ctx->P ) != 0 ); |
||
193 | |||
194 | /* |
||
195 | * Calculate GX = G^X mod P |
||
196 | */ |
||
197 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X, |
||
198 | &ctx->P , &ctx->RP ) ); |
||
199 | |||
200 | if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 ) |
||
201 | return( ret ); |
||
202 | |||
203 | /* |
||
204 | * export P, G, GX |
||
205 | */ |
||
206 | #define DHM_MPI_EXPORT( X, n ) \ |
||
207 | do { \ |
||
208 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ), \ |
||
209 | p + 2, \ |
||
210 | ( n ) ) ); \ |
||
211 | *p++ = (unsigned char)( ( n ) >> 8 ); \ |
||
212 | *p++ = (unsigned char)( ( n ) ); \ |
||
213 | p += ( n ); \ |
||
214 | } while( 0 ) |
||
215 | |||
216 | n1 = mbedtls_mpi_size( &ctx->P ); |
||
217 | n2 = mbedtls_mpi_size( &ctx->G ); |
||
218 | n3 = mbedtls_mpi_size( &ctx->GX ); |
||
219 | |||
220 | p = output; |
||
221 | DHM_MPI_EXPORT( &ctx->P , n1 ); |
||
222 | DHM_MPI_EXPORT( &ctx->G , n2 ); |
||
223 | DHM_MPI_EXPORT( &ctx->GX, n3 ); |
||
224 | |||
225 | *olen = p - output; |
||
226 | |||
227 | ctx->len = n1; |
||
228 | |||
229 | cleanup: |
||
230 | |||
231 | if( ret != 0 ) |
||
232 | return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + ret ); |
||
233 | |||
234 | return( 0 ); |
||
235 | } |
||
236 | |||
237 | /* |
||
238 | * Set prime modulus and generator |
||
239 | */ |
||
240 | int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, |
||
241 | const mbedtls_mpi *P, |
||
242 | const mbedtls_mpi *G ) |
||
243 | { |
||
244 | int ret; |
||
245 | DHM_VALIDATE_RET( ctx != NULL ); |
||
246 | DHM_VALIDATE_RET( P != NULL ); |
||
247 | DHM_VALIDATE_RET( G != NULL ); |
||
248 | |||
249 | if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 || |
||
250 | ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 ) |
||
251 | { |
||
252 | return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret ); |
||
253 | } |
||
254 | |||
255 | ctx->len = mbedtls_mpi_size( &ctx->P ); |
||
256 | return( 0 ); |
||
257 | } |
||
258 | |||
259 | /* |
||
260 | * Import the peer's public value G^Y |
||
261 | */ |
||
262 | int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx, |
||
263 | const unsigned char *input, size_t ilen ) |
||
264 | { |
||
265 | int ret; |
||
266 | DHM_VALIDATE_RET( ctx != NULL ); |
||
267 | DHM_VALIDATE_RET( input != NULL ); |
||
268 | |||
269 | if( ilen < 1 || ilen > ctx->len ) |
||
270 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
271 | |||
272 | if( ( ret = mbedtls_mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 ) |
||
273 | return( MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED + ret ); |
||
274 | |||
275 | return( 0 ); |
||
276 | } |
||
277 | |||
278 | /* |
||
279 | * Create own private value X and export G^X |
||
280 | */ |
||
281 | int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, |
||
282 | unsigned char *output, size_t olen, |
||
283 | int (*f_rng)(void *, unsigned char *, size_t), |
||
284 | void *p_rng ) |
||
285 | { |
||
286 | int ret, count = 0; |
||
287 | DHM_VALIDATE_RET( ctx != NULL ); |
||
288 | DHM_VALIDATE_RET( output != NULL ); |
||
289 | DHM_VALIDATE_RET( f_rng != NULL ); |
||
290 | |||
291 | if( olen < 1 || olen > ctx->len ) |
||
292 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
293 | |||
294 | if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 ) |
||
295 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
296 | |||
297 | /* |
||
298 | * generate X and calculate GX = G^X mod P |
||
299 | */ |
||
300 | do |
||
301 | { |
||
302 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) ); |
||
303 | |||
304 | while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 ) |
||
305 | MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) ); |
||
306 | |||
307 | if( count++ > 10 ) |
||
308 | return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED ); |
||
309 | } |
||
310 | while( dhm_check_range( &ctx->X, &ctx->P ) != 0 ); |
||
311 | |||
312 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X, |
||
313 | &ctx->P , &ctx->RP ) ); |
||
314 | |||
315 | if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 ) |
||
316 | return( ret ); |
||
317 | |||
318 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->GX, output, olen ) ); |
||
319 | |||
320 | cleanup: |
||
321 | |||
322 | if( ret != 0 ) |
||
323 | return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED + ret ); |
||
324 | |||
325 | return( 0 ); |
||
326 | } |
||
327 | |||
328 | /* |
||
329 | * Use the blinding method and optimisation suggested in section 10 of: |
||
330 | * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, |
||
331 | * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer |
||
332 | * Berlin Heidelberg, 1996. p. 104-113. |
||
333 | */ |
||
334 | static int dhm_update_blinding( mbedtls_dhm_context *ctx, |
||
335 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) |
||
336 | { |
||
337 | int ret, count; |
||
338 | |||
339 | /* |
||
340 | * Don't use any blinding the first time a particular X is used, |
||
341 | * but remember it to use blinding next time. |
||
342 | */ |
||
343 | if( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 ) |
||
344 | { |
||
345 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &ctx->pX, &ctx->X ) ); |
||
346 | MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vi, 1 ) ); |
||
347 | MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vf, 1 ) ); |
||
348 | |||
349 | return( 0 ); |
||
350 | } |
||
351 | |||
352 | /* |
||
353 | * Ok, we need blinding. Can we re-use existing values? |
||
354 | * If yes, just update them by squaring them. |
||
355 | */ |
||
356 | if( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 ) |
||
357 | { |
||
358 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); |
||
359 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) ); |
||
360 | |||
361 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); |
||
362 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) ); |
||
363 | |||
364 | return( 0 ); |
||
365 | } |
||
366 | |||
367 | /* |
||
368 | * We need to generate blinding values from scratch |
||
369 | */ |
||
370 | |||
371 | /* Vi = random( 2, P-1 ) */ |
||
372 | count = 0; |
||
373 | do |
||
374 | { |
||
375 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) ); |
||
376 | |||
377 | while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 ) |
||
378 | MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) ); |
||
379 | |||
380 | if( count++ > 10 ) |
||
381 | return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ); |
||
382 | } |
||
383 | while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 ); |
||
384 | |||
385 | /* Vf = Vi^-X mod P */ |
||
386 | MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) ); |
||
387 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) ); |
||
388 | |||
389 | cleanup: |
||
390 | return( ret ); |
||
391 | } |
||
392 | |||
393 | /* |
||
394 | * Derive and export the shared secret (G^Y)^X mod P |
||
395 | */ |
||
396 | int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx, |
||
397 | unsigned char *output, size_t output_size, size_t *olen, |
||
398 | int (*f_rng)(void *, unsigned char *, size_t), |
||
399 | void *p_rng ) |
||
400 | { |
||
401 | int ret; |
||
402 | mbedtls_mpi GYb; |
||
403 | DHM_VALIDATE_RET( ctx != NULL ); |
||
404 | DHM_VALIDATE_RET( output != NULL ); |
||
405 | DHM_VALIDATE_RET( olen != NULL ); |
||
406 | |||
407 | if( output_size < ctx->len ) |
||
408 | return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); |
||
409 | |||
410 | if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 ) |
||
411 | return( ret ); |
||
412 | |||
413 | mbedtls_mpi_init( &GYb ); |
||
414 | |||
415 | /* Blind peer's value */ |
||
416 | if( f_rng != NULL ) |
||
417 | { |
||
418 | MBEDTLS_MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) ); |
||
419 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) ); |
||
420 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &GYb, &GYb, &ctx->P ) ); |
||
421 | } |
||
422 | else |
||
423 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &GYb, &ctx->GY ) ); |
||
424 | |||
425 | /* Do modular exponentiation */ |
||
426 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->K, &GYb, &ctx->X, |
||
427 | &ctx->P, &ctx->RP ) ); |
||
428 | |||
429 | /* Unblind secret value */ |
||
430 | if( f_rng != NULL ) |
||
431 | { |
||
432 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) ); |
||
433 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) ); |
||
434 | } |
||
435 | |||
436 | *olen = mbedtls_mpi_size( &ctx->K ); |
||
437 | |||
438 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) ); |
||
439 | |||
440 | cleanup: |
||
441 | mbedtls_mpi_free( &GYb ); |
||
442 | |||
443 | if( ret != 0 ) |
||
444 | return( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret ); |
||
445 | |||
446 | return( 0 ); |
||
447 | } |
||
448 | |||
449 | /* |
||
450 | * Free the components of a DHM key |
||
451 | */ |
||
452 | void mbedtls_dhm_free( mbedtls_dhm_context *ctx ) |
||
453 | { |
||
454 | if( ctx == NULL ) |
||
455 | return; |
||
456 | |||
457 | mbedtls_mpi_free( &ctx->pX ); |
||
458 | mbedtls_mpi_free( &ctx->Vf ); |
||
459 | mbedtls_mpi_free( &ctx->Vi ); |
||
460 | mbedtls_mpi_free( &ctx->RP ); |
||
461 | mbedtls_mpi_free( &ctx->K ); |
||
462 | mbedtls_mpi_free( &ctx->GY ); |
||
463 | mbedtls_mpi_free( &ctx->GX ); |
||
464 | mbedtls_mpi_free( &ctx->X ); |
||
465 | mbedtls_mpi_free( &ctx->G ); |
||
466 | mbedtls_mpi_free( &ctx->P ); |
||
467 | |||
468 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_dhm_context ) ); |
||
469 | } |
||
470 | |||
471 | #if defined(MBEDTLS_ASN1_PARSE_C) |
||
472 | /* |
||
473 | * Parse DHM parameters |
||
474 | */ |
||
475 | int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, |
||
476 | size_t dhminlen ) |
||
477 | { |
||
478 | int ret; |
||
479 | size_t len; |
||
480 | unsigned char *p, *end; |
||
481 | #if defined(MBEDTLS_PEM_PARSE_C) |
||
482 | mbedtls_pem_context pem; |
||
483 | #endif /* MBEDTLS_PEM_PARSE_C */ |
||
484 | |||
485 | DHM_VALIDATE_RET( dhm != NULL ); |
||
486 | DHM_VALIDATE_RET( dhmin != NULL ); |
||
487 | |||
488 | #if defined(MBEDTLS_PEM_PARSE_C) |
||
489 | mbedtls_pem_init( &pem ); |
||
490 | |||
491 | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
||
492 | if( dhminlen == 0 || dhmin[dhminlen - 1] != '\0' ) |
||
493 | ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; |
||
494 | else |
||
495 | ret = mbedtls_pem_read_buffer( &pem, |
||
496 | "-----BEGIN DH PARAMETERS-----", |
||
497 | "-----END DH PARAMETERS-----", |
||
498 | dhmin, NULL, 0, &dhminlen ); |
||
499 | |||
500 | if( ret == 0 ) |
||
501 | { |
||
502 | /* |
||
503 | * Was PEM encoded |
||
504 | */ |
||
505 | dhminlen = pem.buflen; |
||
506 | } |
||
507 | else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
||
508 | goto exit; |
||
509 | |||
510 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin; |
||
511 | #else |
||
512 | p = (unsigned char *) dhmin; |
||
513 | #endif /* MBEDTLS_PEM_PARSE_C */ |
||
514 | end = p + dhminlen; |
||
515 | |||
516 | /* |
||
517 | * DHParams ::= SEQUENCE { |
||
518 | * prime INTEGER, -- P |
||
519 | * generator INTEGER, -- g |
||
520 | * privateValueLength INTEGER OPTIONAL |
||
521 | * } |
||
522 | */ |
||
523 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, |
||
524 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
||
525 | { |
||
526 | ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret; |
||
527 | goto exit; |
||
528 | } |
||
529 | |||
530 | end = p + len; |
||
531 | |||
532 | if( ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->P ) ) != 0 || |
||
533 | ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->G ) ) != 0 ) |
||
534 | { |
||
535 | ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret; |
||
536 | goto exit; |
||
537 | } |
||
538 | |||
539 | if( p != end ) |
||
540 | { |
||
541 | /* This might be the optional privateValueLength. |
||
542 | * If so, we can cleanly discard it */ |
||
543 | mbedtls_mpi rec; |
||
544 | mbedtls_mpi_init( &rec ); |
||
545 | ret = mbedtls_asn1_get_mpi( &p, end, &rec ); |
||
546 | mbedtls_mpi_free( &rec ); |
||
547 | if ( ret != 0 ) |
||
548 | { |
||
549 | ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret; |
||
550 | goto exit; |
||
551 | } |
||
552 | if ( p != end ) |
||
553 | { |
||
554 | ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + |
||
555 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; |
||
556 | goto exit; |
||
557 | } |
||
558 | } |
||
559 | |||
560 | ret = 0; |
||
561 | |||
562 | dhm->len = mbedtls_mpi_size( &dhm->P ); |
||
563 | |||
564 | exit: |
||
565 | #if defined(MBEDTLS_PEM_PARSE_C) |
||
566 | mbedtls_pem_free( &pem ); |
||
567 | #endif |
||
568 | if( ret != 0 ) |
||
569 | mbedtls_dhm_free( dhm ); |
||
570 | |||
571 | return( ret ); |
||
572 | } |
||
573 | |||
574 | #if defined(MBEDTLS_FS_IO) |
||
575 | /* |
||
576 | * Load all data from a file into a given buffer. |
||
577 | * |
||
578 | * The file is expected to contain either PEM or DER encoded data. |
||
579 | * A terminating null byte is always appended. It is included in the announced |
||
580 | * length only if the data looks like it is PEM encoded. |
||
581 | */ |
||
582 | static int load_file( const char *path, unsigned char **buf, size_t *n ) |
||
583 | { |
||
584 | FILE *f; |
||
585 | long size; |
||
586 | |||
587 | if( ( f = fopen( path, "rb" ) ) == NULL ) |
||
588 | return( MBEDTLS_ERR_DHM_FILE_IO_ERROR ); |
||
589 | |||
590 | fseek( f, 0, SEEK_END ); |
||
591 | if( ( size = ftell( f ) ) == -1 ) |
||
592 | { |
||
593 | fclose( f ); |
||
594 | return( MBEDTLS_ERR_DHM_FILE_IO_ERROR ); |
||
595 | } |
||
596 | fseek( f, 0, SEEK_SET ); |
||
597 | |||
598 | *n = (size_t) size; |
||
599 | |||
600 | if( *n + 1 == 0 || |
||
601 | ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL ) |
||
602 | { |
||
603 | fclose( f ); |
||
604 | return( MBEDTLS_ERR_DHM_ALLOC_FAILED ); |
||
605 | } |
||
606 | |||
607 | if( fread( *buf, 1, *n, f ) != *n ) |
||
608 | { |
||
609 | fclose( f ); |
||
610 | |||
611 | mbedtls_platform_zeroize( *buf, *n + 1 ); |
||
612 | mbedtls_free( *buf ); |
||
613 | |||
614 | return( MBEDTLS_ERR_DHM_FILE_IO_ERROR ); |
||
615 | } |
||
616 | |||
617 | fclose( f ); |
||
618 | |||
619 | (*buf)[*n] = '\0'; |
||
620 | |||
621 | if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL ) |
||
622 | ++*n; |
||
623 | |||
624 | return( 0 ); |
||
625 | } |
||
626 | |||
627 | /* |
||
628 | * Load and parse DHM parameters |
||
629 | */ |
||
630 | int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) |
||
631 | { |
||
632 | int ret; |
||
633 | size_t n; |
||
634 | unsigned char *buf; |
||
635 | DHM_VALIDATE_RET( dhm != NULL ); |
||
636 | DHM_VALIDATE_RET( path != NULL ); |
||
637 | |||
638 | if( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
||
639 | return( ret ); |
||
640 | |||
641 | ret = mbedtls_dhm_parse_dhm( dhm, buf, n ); |
||
642 | |||
643 | mbedtls_platform_zeroize( buf, n ); |
||
644 | mbedtls_free( buf ); |
||
645 | |||
646 | return( ret ); |
||
647 | } |
||
648 | #endif /* MBEDTLS_FS_IO */ |
||
649 | #endif /* MBEDTLS_ASN1_PARSE_C */ |
||
650 | #endif /* MBEDTLS_DHM_ALT */ |
||
651 | |||
652 | #if defined(MBEDTLS_SELF_TEST) |
||
653 | |||
654 | #if defined(MBEDTLS_PEM_PARSE_C) |
||
655 | static const char mbedtls_test_dhm_params[] = |
||
656 | "-----BEGIN DH PARAMETERS-----\r\n" |
||
657 | "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n" |
||
658 | "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n" |
||
659 | "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n" |
||
660 | "-----END DH PARAMETERS-----\r\n"; |
||
661 | #else /* MBEDTLS_PEM_PARSE_C */ |
||
662 | static const char mbedtls_test_dhm_params[] = { |
||
663 | 0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44, |
||
664 | 0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d, |
||
665 | 0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3, |
||
666 | 0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1, |
||
667 | 0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18, |
||
668 | 0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a, |
||
669 | 0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1, |
||
670 | 0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6, |
||
671 | 0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64, |
||
672 | 0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8, |
||
673 | 0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f, |
||
674 | 0x49, 0x75, 0xb3, 0x02, 0x01, 0x02 }; |
||
675 | #endif /* MBEDTLS_PEM_PARSE_C */ |
||
676 | |||
677 | static const size_t mbedtls_test_dhm_params_len = sizeof( mbedtls_test_dhm_params ); |
||
678 | |||
679 | /* |
||
680 | * Checkup routine |
||
681 | */ |
||
682 | int mbedtls_dhm_self_test( int verbose ) |
||
683 | { |
||
684 | int ret; |
||
685 | mbedtls_dhm_context dhm; |
||
686 | |||
687 | mbedtls_dhm_init( &dhm ); |
||
688 | |||
689 | if( verbose != 0 ) |
||
690 | mbedtls_printf( " DHM parameter load: " ); |
||
691 | |||
692 | if( ( ret = mbedtls_dhm_parse_dhm( &dhm, |
||
693 | (const unsigned char *) mbedtls_test_dhm_params, |
||
694 | mbedtls_test_dhm_params_len ) ) != 0 ) |
||
695 | { |
||
696 | if( verbose != 0 ) |
||
697 | mbedtls_printf( "failed\n" ); |
||
698 | |||
699 | ret = 1; |
||
700 | goto exit; |
||
701 | } |
||
702 | |||
703 | if( verbose != 0 ) |
||
704 | mbedtls_printf( "passed\n\n" ); |
||
705 | |||
706 | exit: |
||
707 | mbedtls_dhm_free( &dhm ); |
||
708 | |||
709 | return( ret ); |
||
710 | } |
||
711 | |||
712 | #endif /* MBEDTLS_SELF_TEST */ |
||
713 | |||
714 | #endif /* MBEDTLS_DHM_C */>=>>>>>>=>=>>><>> |