1 /* $NetBSD: dh.c,v 1.1.1.2 2014/04/24 12:45:30 pettai Exp $ */
2
3 /*
4 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #ifdef HAVE_CONFIG_H
37 #include <config.h>
38 #endif
39
40 #include <stdio.h>
41 #include <stdlib.h>
42 #include <krb5/krb5-types.h>
43 #include <krb5/rfc2459_asn1.h>
44
45 #include <dh.h>
46
47 #include <krb5/roken.h>
48
49 /**
50 * @page page_dh DH - Diffie-Hellman key exchange
51 *
52 * Diffie-Hellman key exchange is a protocol that allows two parties
53 * to establish a shared secret key.
54 *
55 * Include and example how to use DH_new() and friends here.
56 *
57 * See the library functions here: @ref hcrypto_dh
58 */
59
60 /**
61 * Create a new DH object using DH_new_method(NULL), see DH_new_method().
62 *
63 * @return a newly allocated DH object.
64 *
65 * @ingroup hcrypto_dh
66 */
67
68 DH *
DH_new(void)69 DH_new(void)
70 {
71 return DH_new_method(NULL);
72 }
73
74 /**
75 * Create a new DH object from the given engine, if the NULL is used,
76 * the default engine is used. Free the DH object with DH_free().
77 *
78 * @param engine The engine to use to allocate the DH object.
79 *
80 * @return a newly allocated DH object.
81 *
82 * @ingroup hcrypto_dh
83 */
84
85 DH *
DH_new_method(ENGINE * engine)86 DH_new_method(ENGINE *engine)
87 {
88 DH *dh;
89
90 dh = calloc(1, sizeof(*dh));
91 if (dh == NULL)
92 return NULL;
93
94 dh->references = 1;
95
96 if (engine) {
97 ENGINE_up_ref(engine);
98 dh->engine = engine;
99 } else {
100 dh->engine = ENGINE_get_default_DH();
101 }
102
103 if (dh->engine) {
104 dh->meth = ENGINE_get_DH(dh->engine);
105 if (dh->meth == NULL) {
106 ENGINE_finish(engine);
107 free(dh);
108 return 0;
109 }
110 }
111
112 if (dh->meth == NULL)
113 dh->meth = DH_get_default_method();
114
115 (*dh->meth->init)(dh);
116
117 return dh;
118 }
119
120 /**
121 * Free a DH object and release related resources, like ENGINE, that
122 * the object was using.
123 *
124 * @param dh object to be freed.
125 *
126 * @ingroup hcrypto_dh
127 */
128
129 void
DH_free(DH * dh)130 DH_free(DH *dh)
131 {
132 if (dh->references <= 0)
133 abort();
134
135 if (--dh->references > 0)
136 return;
137
138 (*dh->meth->finish)(dh);
139
140 if (dh->engine)
141 ENGINE_finish(dh->engine);
142
143 #define free_if(f) if (f) { BN_free(f); }
144 free_if(dh->p);
145 free_if(dh->g);
146 free_if(dh->pub_key);
147 free_if(dh->priv_key);
148 free_if(dh->q);
149 free_if(dh->j);
150 free_if(dh->counter);
151 #undef free_if
152
153 memset(dh, 0, sizeof(*dh));
154 free(dh);
155 }
156
157 /**
158 * Add a reference to the DH object. The object should be free with
159 * DH_free() to drop the reference.
160 *
161 * @param dh the object to increase the reference count too.
162 *
163 * @return the updated reference count, can't safely be used except
164 * for debug printing.
165 *
166 * @ingroup hcrypto_dh
167 */
168
169 int
DH_up_ref(DH * dh)170 DH_up_ref(DH *dh)
171 {
172 return ++dh->references;
173 }
174
175 /**
176 * The maximum output size of the DH_compute_key() function.
177 *
178 * @param dh The DH object to get the size from.
179 *
180 * @return the maximum size in bytes of the out data.
181 *
182 * @ingroup hcrypto_dh
183 */
184
185 int
DH_size(const DH * dh)186 DH_size(const DH *dh)
187 {
188 return BN_num_bytes(dh->p);
189 }
190
191 /**
192 * Set the data index idx in the DH object to data.
193 *
194 * @param dh DH object.
195 * @param idx index to set the data for.
196 * @param data data to store for the index idx.
197 *
198 * @return 1 on success.
199 *
200 * @ingroup hcrypto_dh
201 */
202
203 int
DH_set_ex_data(DH * dh,int idx,void * data)204 DH_set_ex_data(DH *dh, int idx, void *data)
205 {
206 dh->ex_data.sk = data;
207 return 1;
208 }
209
210 /**
211 * Get the data for index idx in the DH object.
212 *
213 * @param dh DH object.
214 * @param idx index to get the data for.
215 *
216 * @return the object store in index idx
217 *
218 * @ingroup hcrypto_dh
219 */
220
221 void *
DH_get_ex_data(DH * dh,int idx)222 DH_get_ex_data(DH *dh, int idx)
223 {
224 return dh->ex_data.sk;
225 }
226
227 /**
228 * Generate DH parameters for the DH object give parameters.
229 *
230 * @param dh The DH object to generate parameters for.
231 * @param prime_len length of the prime
232 * @param generator generator, g
233 * @param cb Callback parameters to show progress, can be NULL.
234 *
235 * @return the maximum size in bytes of the out data.
236 *
237 * @ingroup hcrypto_dh
238 */
239
240 int
DH_generate_parameters_ex(DH * dh,int prime_len,int generator,BN_GENCB * cb)241 DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb)
242 {
243 if (dh->meth->generate_params)
244 return dh->meth->generate_params(dh, prime_len, generator, cb);
245 return 0;
246 }
247
248 /**
249 * Check that the public key is sane.
250 *
251 * @param dh the local peer DH parameters.
252 * @param pub_key the remote peer public key parameters.
253 * @param codes return that the failures of the pub_key are.
254 *
255 * @return 1 on success, 0 on failure and *codes is set the the
256 * combined fail check for the public key
257 *
258 * @ingroup hcrypto_dh
259 */
260
261 int
DH_check_pubkey(const DH * dh,const BIGNUM * pub_key,int * codes)262 DH_check_pubkey(const DH *dh, const BIGNUM *pub_key, int *codes)
263 {
264 BIGNUM *bn = NULL, *sum = NULL;
265 int ret = 0;
266
267 *codes = 0;
268
269 /**
270 * Checks that the function performs are:
271 * - pub_key is not negative
272 */
273
274 if (BN_is_negative(pub_key))
275 goto out;
276
277 /**
278 * - pub_key > 1 and pub_key < p - 1,
279 * to avoid small subgroups attack.
280 */
281
282 bn = BN_new();
283 if (bn == NULL)
284 goto out;
285
286 if (!BN_set_word(bn, 1))
287 goto out;
288
289 if (BN_cmp(bn, pub_key) >= 0)
290 *codes |= DH_CHECK_PUBKEY_TOO_SMALL;
291
292 sum = BN_new();
293 if (sum == NULL)
294 goto out;
295
296 BN_uadd(sum, pub_key, bn);
297
298 if (BN_cmp(sum, dh->p) >= 0)
299 *codes |= DH_CHECK_PUBKEY_TOO_LARGE;
300
301 /**
302 * - if g == 2, pub_key have more then one bit set,
303 * if bits set is 1, log_2(pub_key) is trival
304 */
305
306 if (!BN_set_word(bn, 2))
307 goto out;
308
309 if (BN_cmp(bn, dh->g) == 0) {
310 unsigned i, n = BN_num_bits(pub_key);
311 unsigned bits = 0;
312
313 for (i = 0; i <= n; i++)
314 if (BN_is_bit_set(pub_key, i))
315 bits++;
316
317 if (bits < 2) {
318 *codes |= DH_CHECK_PUBKEY_TOO_SMALL;
319 goto out;
320 }
321 }
322
323 ret = 1;
324 out:
325 if (bn)
326 BN_free(bn);
327 if (sum)
328 BN_free(sum);
329
330 return ret;
331 }
332
333 /**
334 * Generate a new DH private-public key pair. The dh parameter must be
335 * allocted first with DH_new(). dh->p and dp->g must be set.
336 *
337 * @param dh dh parameter.
338 *
339 * @return 1 on success.
340 *
341 * @ingroup hcrypto_dh
342 */
343
344 int
DH_generate_key(DH * dh)345 DH_generate_key(DH *dh)
346 {
347 return dh->meth->generate_key(dh);
348 }
349
350 /**
351 * Complute the shared secret key.
352 *
353 * @param shared_key the resulting shared key, need to be at least
354 * DH_size() large.
355 * @param peer_pub_key the peer's public key.
356 * @param dh the dh key pair.
357 *
358 * @return 1 on success.
359 *
360 * @ingroup hcrypto_dh
361 */
362
363 int
DH_compute_key(unsigned char * shared_key,const BIGNUM * peer_pub_key,DH * dh)364 DH_compute_key(unsigned char *shared_key,
365 const BIGNUM *peer_pub_key, DH *dh)
366 {
367 int codes;
368
369 /**
370 * Checks that the pubkey passed in is valid using
371 * DH_check_pubkey().
372 */
373
374 if (!DH_check_pubkey(dh, peer_pub_key, &codes) || codes != 0)
375 return -1;
376
377 return dh->meth->compute_key(shared_key, peer_pub_key, dh);
378 }
379
380 /**
381 * Set a new method for the DH keypair.
382 *
383 * @param dh dh parameter.
384 * @param method the new method for the DH parameter.
385 *
386 * @return 1 on success.
387 *
388 * @ingroup hcrypto_dh
389 */
390
391 int
DH_set_method(DH * dh,const DH_METHOD * method)392 DH_set_method(DH *dh, const DH_METHOD *method)
393 {
394 (*dh->meth->finish)(dh);
395 if (dh->engine) {
396 ENGINE_finish(dh->engine);
397 dh->engine = NULL;
398 }
399 dh->meth = method;
400 (*dh->meth->init)(dh);
401 return 1;
402 }
403
404 /*
405 *
406 */
407
408 static int
dh_null_generate_key(DH * dh)409 dh_null_generate_key(DH *dh)
410 {
411 return 0;
412 }
413
414 static int
dh_null_compute_key(unsigned char * shared,const BIGNUM * pub,DH * dh)415 dh_null_compute_key(unsigned char *shared,const BIGNUM *pub, DH *dh)
416 {
417 return 0;
418 }
419
420 static int
dh_null_init(DH * dh)421 dh_null_init(DH *dh)
422 {
423 return 1;
424 }
425
426 static int
dh_null_finish(DH * dh)427 dh_null_finish(DH *dh)
428 {
429 return 1;
430 }
431
432 static int
dh_null_generate_params(DH * dh,int prime_num,int len,BN_GENCB * cb)433 dh_null_generate_params(DH *dh, int prime_num, int len, BN_GENCB *cb)
434 {
435 return 0;
436 }
437
438 static const DH_METHOD dh_null_method = {
439 "hcrypto null DH",
440 dh_null_generate_key,
441 dh_null_compute_key,
442 NULL,
443 dh_null_init,
444 dh_null_finish,
445 0,
446 NULL,
447 dh_null_generate_params
448 };
449
450 extern const DH_METHOD _hc_dh_ltm_method;
451 static const DH_METHOD *dh_default_method = &_hc_dh_ltm_method;
452
453 /**
454 * Return the dummy DH implementation.
455 *
456 * @return pointer to a DH_METHOD.
457 *
458 * @ingroup hcrypto_dh
459 */
460
461 const DH_METHOD *
DH_null_method(void)462 DH_null_method(void)
463 {
464 return &dh_null_method;
465 }
466
467 /**
468 * Set the default DH implementation.
469 *
470 * @param meth pointer to a DH_METHOD.
471 *
472 * @ingroup hcrypto_dh
473 */
474
475 void
DH_set_default_method(const DH_METHOD * meth)476 DH_set_default_method(const DH_METHOD *meth)
477 {
478 dh_default_method = meth;
479 }
480
481 /**
482 * Return the default DH implementation.
483 *
484 * @return pointer to a DH_METHOD.
485 *
486 * @ingroup hcrypto_dh
487 */
488
489 const DH_METHOD *
DH_get_default_method(void)490 DH_get_default_method(void)
491 {
492 return dh_default_method;
493 }
494
495 /*
496 *
497 */
498
499 static int
bn2heim_int(BIGNUM * bn,heim_integer * integer)500 bn2heim_int(BIGNUM *bn, heim_integer *integer)
501 {
502 integer->length = BN_num_bytes(bn);
503 integer->data = malloc(integer->length);
504 if (integer->data == NULL) {
505 integer->length = 0;
506 return ENOMEM;
507 }
508 BN_bn2bin(bn, integer->data);
509 integer->negative = BN_is_negative(bn);
510 return 0;
511 }
512
513 /**
514 *
515 */
516
517 int
i2d_DHparams(DH * dh,unsigned char ** pp)518 i2d_DHparams(DH *dh, unsigned char **pp)
519 {
520 DHParameter data;
521 size_t size;
522 int ret;
523
524 memset(&data, 0, sizeof(data));
525
526 if (bn2heim_int(dh->p, &data.prime) ||
527 bn2heim_int(dh->g, &data.base))
528 {
529 free_DHParameter(&data);
530 return -1;
531 }
532
533 if (pp == NULL) {
534 size = length_DHParameter(&data);
535 free_DHParameter(&data);
536 } else {
537 void *p;
538 size_t len;
539
540 ASN1_MALLOC_ENCODE(DHParameter, p, len, &data, &size, ret);
541 free_DHParameter(&data);
542 if (ret)
543 return -1;
544 if (len != size) {
545 abort();
546 return -1;
547 }
548
549 memcpy(*pp, p, size);
550 free(p);
551
552 *pp += size;
553 }
554
555 return size;
556 }
557