TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1b75e5f7844f809e4f6fded25021d95b4627717b / . / programs / pkey / dh_client.c
blob: 6b4e49da50b9c23a1b4071ee7f29d96c11fba4eb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * Diffie-Hellman-Merkle key exchange (client side)
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Bence Szépkútic662b362021-05-27 11:25:03 +0200[diff] [blame]20#include "mbedtls/build_info.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]22#include "mbedtls/platform.h"
Andrzej Kurek1b75e5f2023-04-04 09:55:06 -0400[diff] [blame^]23#include "mbedtls/md.h"
Rich Evansf90016a2015-01-19 14:26:37 +0000[diff] [blame]24
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
26 defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
Manuel Pégourié-Gonnard93302422023-03-21 17:23:08 +0100[diff] [blame]27 defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
Janos Follath9fe6f922016-10-07 14:17:56 +0100[diff] [blame]28 defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
Manuel Pégourié-Gonnard93302422023-03-21 17:23:08 +0100[diff] [blame]29 defined(MBEDTLS_MD_CAN_SHA1)
Andres AG788aa4a2016-09-14 14:32:09 +0100[diff] [blame]30#include "mbedtls/net_sockets.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/aes.h"
32#include "mbedtls/dhm.h"
33#include "mbedtls/rsa.h"
34#include "mbedtls/sha1.h"
35#include "mbedtls/entropy.h"
36#include "mbedtls/ctr_drbg.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]38#include <stdio.h>
39#include <string.h>
40#endif
41
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42#define SERVER_NAME "localhost"
Manuel Pégourié-Gonnardc0d74942015-06-23 12:30:57 +0200[diff] [blame]43#define SERVER_PORT "11999"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
46 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
Manuel Pégourié-Gonnard93302422023-03-21 17:23:08 +0100[diff] [blame]47 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
Janos Follath9fe6f922016-10-07 14:17:56 +0100[diff] [blame]48 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
Manuel Pégourié-Gonnard93302422023-03-21 17:23:08 +0100[diff] [blame]49 !defined(MBEDTLS_MD_CAN_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]50int main(void)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]51{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52 mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]53 "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
Manuel Pégourié-Gonnard93302422023-03-21 17:23:08 +0100[diff] [blame]54 "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]55 "MBEDTLS_CTR_DRBG_C not defined.\n");
56 mbedtls_exit(0);
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]57}
58#else
Simon Butcher63cb97e2018-12-06 17:43:31 +0000[diff] [blame]59
Simon Butcher63cb97e2018-12-06 17:43:31 +0000[diff] [blame]60
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61int main(void)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62{
63 FILE *f;
64
Andres Amaya Garcia898841d2018-04-29 19:23:39 +0100[diff] [blame]65 int ret = 1;
66 int exit_code = MBEDTLS_EXIT_FAILURE;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]67 size_t n, buflen;
Manuel Pégourié-Gonnard5db64322015-06-30 15:40:39 +0200[diff] [blame]68 mbedtls_net_context server_fd;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]69
70 unsigned char *p, *end;
Paul Bakker520ea912012-10-24 14:17:01 +0000[diff] [blame]71 unsigned char buf[2048];
Manuel Pégourié-Gonnard102a6202015-08-27 21:51:44 +0200[diff] [blame]72 unsigned char hash[32];
Paul Bakkeref3f8c72013-06-24 13:01:08 +0200[diff] [blame]73 const char *pers = "dh_client";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]75 mbedtls_entropy_context entropy;
76 mbedtls_ctr_drbg_context ctr_drbg;
77 mbedtls_rsa_context rsa;
78 mbedtls_dhm_context dhm;
79 mbedtls_aes_context aes;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]81 mbedtls_net_init(&server_fd);
82 mbedtls_dhm_init(&dhm);
83 mbedtls_aes_init(&aes);
84 mbedtls_ctr_drbg_init(&ctr_drbg);
Paul Bakker8cfd9d82014-06-18 11:16:11 +0200[diff] [blame]85
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86 /*
87 * 1. Setup the RNG
88 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]89 mbedtls_printf("\n . Seeding the random number generator");
90 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 mbedtls_entropy_init(&entropy);
93 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
94 (const unsigned char *) pers,
95 strlen(pers))) != 0) {
96 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
Paul Bakker508ad5a2011-12-04 17:09:26 +0000[diff] [blame]97 goto exit;
98 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]99
100 /*
101 * 2. Read the server's public RSA key
102 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]103 mbedtls_printf("\n . Reading public key from rsa_pub.txt");
104 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]106 if ((f = fopen("rsa_pub.txt", "rb")) == NULL) {
107 mbedtls_printf(" failed\n ! Could not open rsa_pub.txt\n" \
108 " ! Please run rsa_genkey first\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109 goto exit;
110 }
111
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]112 mbedtls_rsa_init(&rsa);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
115 (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
116 mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
117 fclose(f);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]118 goto exit;
119 }
120
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]123 fclose(f);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124
125 /*
126 * 3. Initiate the connection
127 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 mbedtls_printf("\n . Connecting to tcp/%s/%s", SERVER_NAME,
129 SERVER_PORT);
130 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]131
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]132 if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME,
133 SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
134 mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]135 goto exit;
136 }
137
138 /*
139 * 4a. First get the buffer length
140 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]141 mbedtls_printf("\n . Receiving the server's DH parameters");
142 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]144 memset(buf, 0, sizeof(buf));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]145
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]146 if ((ret = mbedtls_net_recv(&server_fd, buf, 2)) != 2) {
147 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]148 goto exit;
149 }
150
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]151 n = buflen = (buf[0] << 8) | buf[1];
152 if (buflen < 1 || buflen > sizeof(buf)) {
153 mbedtls_printf(" failed\n ! Got an invalid buffer length\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]154 goto exit;
155 }
156
157 /*
158 * 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P
159 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]160 memset(buf, 0, sizeof(buf));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]161
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]162 if ((ret = mbedtls_net_recv(&server_fd, buf, n)) != (int) n) {
163 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]164 goto exit;
165 }
166
167 p = buf, end = buf + buflen;
168
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]169 if ((ret = mbedtls_dhm_read_params(&dhm, &p, end)) != 0) {
170 mbedtls_printf(" failed\n ! mbedtls_dhm_read_params returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]171 goto exit;
172 }
173
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]174 n = mbedtls_dhm_get_len(&dhm);
175 if (n < 64 || n > 512) {
176 mbedtls_printf(" failed\n ! Invalid DHM modulus size\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]177 goto exit;
178 }
179
180 /*
181 * 5. Check that the server's RSA signature matches
Manuel Pégourié-Gonnard6f60cd82015-02-10 10:47:03 +0000[diff] [blame]182 * the SHA-256 hash of (P,G,Ys)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]184 mbedtls_printf("\n . Verifying the server's RSA signature");
185 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186
Paul Bakker88f17b82012-04-26 18:52:13 +0000[diff] [blame]187 p += 2;
188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189 if ((n = (size_t) (end - p)) != rsa.MBEDTLS_PRIVATE(len)) {
190 mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191 goto exit;
192 }
193
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]194 if ((ret = mbedtls_sha1(buf, (int) (p - 2 - buf), hash)) != 0) {
195 mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
Andres Amaya Garcia1ff60f42017-06-28 13:26:36 +0100[diff] [blame]196 goto exit;
197 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]199 if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
200 32, hash, p)) != 0) {
201 mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202 goto exit;
203 }
204
205 /*
206 * 6. Send our public value: Yc = G ^ Xc mod P
207 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]208 mbedtls_printf("\n . Sending own public value to server");
209 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]211 n = mbedtls_dhm_get_len(&dhm);
212 if ((ret = mbedtls_dhm_make_public(&dhm, (int) n, buf, n,
213 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
214 mbedtls_printf(" failed\n ! mbedtls_dhm_make_public returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215 goto exit;
216 }
217
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]218 if ((ret = mbedtls_net_send(&server_fd, buf, n)) != (int) n) {
219 mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220 goto exit;
221 }
222
223 /*
224 * 7. Derive the shared secret: K = Ys ^ Xc mod P
225 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 mbedtls_printf("\n . Shared secret: ");
227 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]229 if ((ret = mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &n,
230 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
231 mbedtls_printf(" failed\n ! mbedtls_dhm_calc_secret returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]232 goto exit;
233 }
234
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]235 for (n = 0; n < 16; n++) {
236 mbedtls_printf("%02x", buf[n]);
237 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238
239 /*
240 * 8. Setup the AES-256 decryption key
241 *
242 * This is an overly simplified example; best practice is
243 * to hash the shared secret with a random value to derive
244 * the keying material for the encryption/decryption keys,
245 * IVs and MACs.
246 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 mbedtls_printf("...\n . Receiving and decrypting the ciphertext");
248 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]249
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]250 ret = mbedtls_aes_setkey_dec(&aes, buf, 256);
251 if (ret != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]252 goto exit;
253 }
254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]255 memset(buf, 0, sizeof(buf));
256
257 if ((ret = mbedtls_net_recv(&server_fd, buf, 16)) != 16) {
258 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]259 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]260 }
261
262 ret = mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, buf, buf);
263 if (ret != 0) {
264 goto exit;
265 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]266 buf[16] = '\0';
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]267 mbedtls_printf("\n . Plaintext is \"%s\"\n\n", (char *) buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]268
Andres Amaya Garcia898841d2018-04-29 19:23:39 +0100[diff] [blame]269 exit_code = MBEDTLS_EXIT_SUCCESS;
270
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]271exit:
272
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]273 mbedtls_net_free(&server_fd);
Paul Bakker0c226102014-04-17 16:02:36 +0200[diff] [blame]274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]275 mbedtls_aes_free(&aes);
276 mbedtls_rsa_free(&rsa);
277 mbedtls_dhm_free(&dhm);
278 mbedtls_ctr_drbg_free(&ctr_drbg);
279 mbedtls_entropy_free(&entropy);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]281 mbedtls_exit(exit_code);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]282}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]283#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
Manuel Pégourié-Gonnard93302422023-03-21 17:23:08 +0100[diff] [blame]284 MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]285 MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */