Blame - library/dhm.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 941a89da80b31e7d990a2ca78a20496c7dcbee97 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Diffie-Hellman-Merkle key exchange
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Dave Rodgman	16799db	2023-11-02 19:47:20 +0000	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	6	*/
				7	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	8	* The following sources were referenced in the design of this implementation
				9	* of the Diffie-Hellman-Merkle algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	10	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	11	* [1] Handbook of Applied Cryptography - 1997, Chapter 12
				12	* Menezes, van Oorschot and Vanstone
				13	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	14	*/
				15
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	16	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	17
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	18	#if defined(MBEDTLS_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	19
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	20	#include "mbedtls/dhm.h"
Manuel Pégourié-Gonnard	c2d210e	2025-07-10 21:48:41 +0200	[diff] [blame]	21	#include "bignum_internal.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	22	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	23	#include "mbedtls/error.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	24
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	25	#include <string.h>
				26
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	27	#if defined(MBEDTLS_PEM_PARSE_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	28	#include "mbedtls/pem.h"
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	29	#endif
				30
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	31	#if defined(MBEDTLS_ASN1_PARSE_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	32	#include "mbedtls/asn1.h"
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	33	#endif
				34
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	35	#include "mbedtls/platform.h"
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	36
Reuven Levin	1f35ca9	2017-12-07 10:09:32 +0000	[diff] [blame]	37	#if !defined(MBEDTLS_DHM_ALT)
Paul Bakker	3461772	2014-06-13 17:20:13 +0200	[diff] [blame]	38
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	39	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	40	* helper to validate the mbedtls_mpi size and import it
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	41	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	42	static int dhm_read_bignum(mbedtls_mpi *X,
				43	unsigned char **p,
				44	const unsigned char *end)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	45	{
				46	int ret, n;
				47
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	48	if (end - *p < 2) {
				49	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				50	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	51
Dave Rodgman	a3d0f61	2023-11-03 23:34:02 +0000	[diff] [blame]	52	n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	53	(*p) += 2;
				54
Dave Rodgman	e4a6f5a	2023-11-04 12:20:09 +0000	[diff] [blame]	55	if ((size_t) (end - *p) < (size_t) n) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	56	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				57	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	58
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	59	if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0) {
				60	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret);
				61	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	62
				63	(*p) += n;
				64
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	65	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	66	}
				67
				68	/*
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	69	* Verify sanity of parameter with regards to P
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	70	*
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	71	* Parameter should be: 2 <= public_param <= P - 2
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	72	*
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	73	* This means that we need to return an error if
Janos Follath	1ad1c6d	2017-09-21 09:02:11 +0100	[diff] [blame]	74	* public_param < 2 or public_param > P-2
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	75	*
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	76	* For more information on the attack, see:
				77	* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
				78	* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	79	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	80	static int dhm_check_range(const mbedtls_mpi param, const mbedtls_mpi P)
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	81	{
Gilles Peskine	8e38acc	2021-03-31 22:56:43 +0200	[diff] [blame]	82	mbedtls_mpi U;
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	83	int ret = 0;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	84
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	85	mbedtls_mpi_init(&U);
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	86
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	87	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	88
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	89	if (mbedtls_mpi_cmp_int(param, 2) < 0 \|\|
				90	mbedtls_mpi_cmp_mpi(param, &U) > 0) {
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	91	ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	92	}
				93
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	94	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	95	mbedtls_mpi_free(&U);
				96	return ret;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	97	}
				98
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	99	void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	100	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	101	memset(ctx, 0, sizeof(mbedtls_dhm_context));
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	102	}
				103
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	104	size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	105	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	106	return mbedtls_mpi_bitlen(&ctx->P);
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	107	}
				108
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	109	size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx)
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	110	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	111	return mbedtls_mpi_size(&ctx->P);
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	112	}
				113
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	114	int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
				115	mbedtls_dhm_parameter param,
				116	mbedtls_mpi *dest)
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	117	{
				118	const mbedtls_mpi *src = NULL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	119	switch (param) {
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	120	case MBEDTLS_DHM_PARAM_P:
				121	src = &ctx->P;
				122	break;
				123	case MBEDTLS_DHM_PARAM_G:
				124	src = &ctx->G;
				125	break;
				126	case MBEDTLS_DHM_PARAM_X:
				127	src = &ctx->X;
				128	break;
				129	case MBEDTLS_DHM_PARAM_GX:
				130	src = &ctx->GX;
				131	break;
				132	case MBEDTLS_DHM_PARAM_GY:
				133	src = &ctx->GY;
				134	break;
				135	case MBEDTLS_DHM_PARAM_K:
				136	src = &ctx->K;
				137	break;
				138	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	139	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	140	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	141	return mbedtls_mpi_copy(dest, src);
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	142	}
				143
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	144	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	145	* Parse the ServerKeyExchange parameters
				146	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	147	int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
				148	unsigned char **p,
				149	const unsigned char *end)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	150	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	151	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	152
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	153	if ((ret = dhm_read_bignum(&ctx->P, p, end)) != 0 \|\|
				154	(ret = dhm_read_bignum(&ctx->G, p, end)) != 0 \|\|
				155	(ret = dhm_read_bignum(&ctx->GY, p, end)) != 0) {
				156	return ret;
				157	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	158
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	159	if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
				160	return ret;
				161	}
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	162
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	163	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	164	}
				165
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	166	/*
Gilles Peskine	da7ee01	2021-03-31 23:04:50 +0200	[diff] [blame]	167	* Pick a random R in the range [2, M-2] for blinding or key generation.
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	168	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	169	static int dhm_random_below(mbedtls_mpi R, const mbedtls_mpi M,
				170	int (f_rng)(void , unsigned char , size_t), void p_rng)
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	171	{
Gilles Peskine	da7ee01	2021-03-31 23:04:50 +0200	[diff] [blame]	172	int ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	173
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	174	MBEDTLS_MPI_CHK(mbedtls_mpi_random(R, 3, M, f_rng, p_rng));
				175	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(R, R, 1));
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	176
				177	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	178	return ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	179	}
				180
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	181	static int dhm_make_common(mbedtls_dhm_context *ctx, int x_size,
				182	int (f_rng)(void , unsigned char *, size_t),
				183	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	184	{
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	185	int ret = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	186
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	187	if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0) {
				188	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	189	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	190	if (x_size < 0) {
				191	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				192	}
				193
				194	if ((unsigned) x_size < mbedtls_mpi_size(&ctx->P)) {
				195	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
				196	} else {
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	197	/* Generate X as large as possible ( <= P - 2 ) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	198	ret = dhm_random_below(&ctx->X, &ctx->P, f_rng, p_rng);
				199	if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
				200	return MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED;
				201	}
				202	if (ret != 0) {
				203	return ret;
				204	}
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	205	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	206
Paul Bakker	ff7fe67	2010-07-18 09:45:05 +0000	[diff] [blame]	207	/*
				208	* Calculate GX = G^X mod P
				209	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	210	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
				211	&ctx->P, &ctx->RP));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	212
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	213	if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0) {
				214	return ret;
				215	}
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	216
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	217	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	218	return ret;
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	219	}
				220
				221	/*
				222	* Setup and write the ServerKeyExchange parameters
				223	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	224	int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
				225	unsigned char output, size_t olen,
				226	int (f_rng)(void , unsigned char *, size_t),
				227	void *p_rng)
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	228	{
				229	int ret;
				230	size_t n1, n2, n3;
				231	unsigned char *p;
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	232
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	233	ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
				234	if (ret != 0) {
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	235	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	236	}
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	237
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	238	/*
Gilles Peskine	03299dc	2021-04-13 22:10:24 +0200	[diff] [blame]	239	* Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
				240	* not required". We omit leading zeros for compactness.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	241	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	242	#define DHM_MPI_EXPORT(X, n) \
Hanno Becker	e71ad12	2017-09-28 10:32:25 +0100	[diff] [blame]	243	do { \
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	244	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary((X), \
				245	p + 2, \
				246	(n))); \
				247	*p++ = MBEDTLS_BYTE_1(n); \
				248	*p++ = MBEDTLS_BYTE_0(n); \
				249	p += (n); \
				250	} while (0)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	251
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	252	n1 = mbedtls_mpi_size(&ctx->P);
				253	n2 = mbedtls_mpi_size(&ctx->G);
				254	n3 = mbedtls_mpi_size(&ctx->GX);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	255
				256	p = output;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	257	DHM_MPI_EXPORT(&ctx->P, n1);
				258	DHM_MPI_EXPORT(&ctx->G, n2);
				259	DHM_MPI_EXPORT(&ctx->GX, n3);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	260
Dave Rodgman	e4a6f5a	2023-11-04 12:20:09 +0000	[diff] [blame]	261	*olen = (size_t) (p - output);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	262
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	263	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	264	if (ret != 0 && ret > -128) {
				265	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret);
				266	}
				267	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	268	}
				269
				270	/*
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	271	* Set prime modulus and generator
				272	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	273	int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
				274	const mbedtls_mpi *P,
				275	const mbedtls_mpi *G)
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	276	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	277	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	278
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	279	if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 \|\|
				280	(ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
				281	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret);
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	282	}
				283
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	284	return 0;
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	285	}
				286
				287	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	288	* Import the peer's public value G^Y
				289	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	290	int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
				291	const unsigned char *input, size_t ilen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	292	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	293	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	294
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	295	if (ilen < 1 \|\| ilen > mbedtls_dhm_get_len(ctx)) {
				296	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				297	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	298
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	299	if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0) {
				300	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret);
				301	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	302
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	303	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	304	}
				305
				306	/*
				307	* Create own private value X and export G^X
				308	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	309	int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
				310	unsigned char *output, size_t olen,
				311	int (f_rng)(void , unsigned char *, size_t),
				312	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	313	{
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	314	int ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	315
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	316	if (olen < 1 \|\| olen > mbedtls_dhm_get_len(ctx)) {
				317	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				318	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	319
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	320	ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
				321	if (ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) {
				322	return MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED;
				323	}
				324	if (ret != 0) {
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	325	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	326	}
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	327
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	328	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	329
				330	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	331	if (ret != 0 && ret > -128) {
				332	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret);
				333	}
				334	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	335	}
				336
Manuel Pégourié-Gonnard	9f58c4b	2020-06-25 12:34:58 +0200	[diff] [blame]	337
				338	/*
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	339	* Use the blinding method and optimisation suggested in section 10 of:
				340	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	341	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	342	* Berlin Heidelberg, 1996. p. 104-113.
				343	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	344	static int dhm_update_blinding(mbedtls_dhm_context *ctx,
				345	int (f_rng)(void , unsigned char , size_t), void p_rng)
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	346	{
Manuel Pégourié-Gonnard	9f58c4b	2020-06-25 12:34:58 +0200	[diff] [blame]	347	int ret;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	348
				349	/*
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	350	* Don't use any blinding the first time a particular X is used,
				351	* but remember it to use blinding next time.
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	352	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	353	if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
				354	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
				355	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
				356	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
Manuel Pégourié-Gonnard	ed8a02b	2013-09-04 16:39:03 +0200	[diff] [blame]	357
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	358	return 0;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	359	}
				360
				361	/*
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	362	* Ok, we need blinding. Can we re-use existing values?
				363	* If yes, just update them by squaring them.
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	364	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	365	if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
				366	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
				367	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	368
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	369	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
				370	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	371
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	372	return 0;
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	373	}
				374
				375	/*
				376	* We need to generate blinding values from scratch
				377	*/
				378
Gilles Peskine	7b2b66e	2021-03-31 22:50:57 +0200	[diff] [blame]	379	/* Vi = random( 2, P-2 ) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	380	MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	381
Manuel Pégourié-Gonnard	6ab0f51	2025-08-26 11:31:52 +0200	[diff] [blame]	382	/* Vf = Vi^-X = (Vi^-1)^X mod P */
Manuel Pégourié-Gonnard	c2d210e	2025-07-10 21:48:41 +0200	[diff] [blame]	383	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd_modinv_odd(NULL, &ctx->Vf, &ctx->Vi, &ctx->P));
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	384	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	385
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	386	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	387	return ret;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	388	}
				389
				390	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	391	* Derive and export the shared secret (G^Y)^X mod P
				392	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	393	int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
				394	unsigned char output, size_t output_size, size_t olen,
				395	int (f_rng)(void , unsigned char *, size_t),
				396	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	397	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	398	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	399	mbedtls_mpi GYb;
Manuel Pégourié-Gonnard	2d62764	2013-09-04 14:22:07 +0200	[diff] [blame]	400
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	401	if (f_rng == NULL) {
				402	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				403	}
Manuel Pégourié-Gonnard	1a87722	2021-06-15 11:29:26 +0200	[diff] [blame]	404
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	405	if (output_size < mbedtls_dhm_get_len(ctx)) {
				406	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				407	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	408
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	409	if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
				410	return ret;
				411	}
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	412
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	413	mbedtls_mpi_init(&GYb);
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	414
				415	/* Blind peer's value */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	416	MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
				417	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
				418	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	419
				420	/* Do modular exponentiation */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	421	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X,
				422	&ctx->P, &ctx->RP));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	423
				424	/* Unblind secret value */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	425	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
				426	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	427
Gilles Peskine	03299dc	2021-04-13 22:10:24 +0200	[diff] [blame]	428	/* Output the secret without any leading zero byte. This is mandatory
				429	* for TLS per RFC 5246 §8.1.2. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	430	*olen = mbedtls_mpi_size(&ctx->K);
				431	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	432
				433	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	434	mbedtls_mpi_free(&GYb);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	435
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	436	if (ret != 0) {
				437	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret);
				438	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	439
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	440	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	441	}
				442
				443	/*
				444	* Free the components of a DHM key
				445	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	446	void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	447	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	448	if (ctx == NULL) {
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	449	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	450	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	451
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	452	mbedtls_mpi_free(&ctx->pX);
				453	mbedtls_mpi_free(&ctx->Vf);
				454	mbedtls_mpi_free(&ctx->Vi);
				455	mbedtls_mpi_free(&ctx->RP);
				456	mbedtls_mpi_free(&ctx->K);
				457	mbedtls_mpi_free(&ctx->GY);
				458	mbedtls_mpi_free(&ctx->GX);
				459	mbedtls_mpi_free(&ctx->X);
				460	mbedtls_mpi_free(&ctx->G);
				461	mbedtls_mpi_free(&ctx->P);
Manuel Pégourié-Gonnard	b72b4ed	2013-09-13 13:55:26 +0200	[diff] [blame]	462
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	463	mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	464	}
				465
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	466	#if defined(MBEDTLS_ASN1_PARSE_C)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	467	/*
				468	* Parse DHM parameters
				469	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	470	int mbedtls_dhm_parse_dhm(mbedtls_dhm_context dhm, const unsigned char dhmin,
				471	size_t dhminlen)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	472	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	473	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	474	size_t len;
				475	unsigned char p, end;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	476	#if defined(MBEDTLS_PEM_PARSE_C)
				477	mbedtls_pem_context pem;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	478	#endif /* MBEDTLS_PEM_PARSE_C */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	479
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	480	#if defined(MBEDTLS_PEM_PARSE_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	481	mbedtls_pem_init(&pem);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	482
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	483	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	484	if (dhminlen == 0 \|\| dhmin[dhminlen - 1] != '\0') {
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	485	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	486	} else {
				487	ret = mbedtls_pem_read_buffer(&pem,
				488	"-----BEGIN DH PARAMETERS-----",
				489	"-----END DH PARAMETERS-----",
				490	dhmin, NULL, 0, &dhminlen);
				491	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	492
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	493	if (ret == 0) {
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	494	/*
				495	* Was PEM encoded
				496	*/
				497	dhminlen = pem.buflen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	498	} else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	499	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	500	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	501
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	502	p = (ret == 0) ? pem.buf : (unsigned char *) dhmin;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	503	#else
				504	p = (unsigned char *) dhmin;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	505	#endif /* MBEDTLS_PEM_PARSE_C */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	506	end = p + dhminlen;
				507
				508	/*
				509	* DHParams ::= SEQUENCE {
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	510	* prime INTEGER, -- P
				511	* generator INTEGER, -- g
				512	* privateValueLength INTEGER OPTIONAL
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	513	* }
				514	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	515	if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
				516	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE)) != 0) {
				517	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	518	goto exit;
				519	}
				520
				521	end = p + len;
				522
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	523	if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 \|\|
				524	(ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
				525	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	526	goto exit;
				527	}
				528
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	529	if (p != end) {
Manuel Pégourié-Gonnard	de9b363	2015-04-17 20:06:31 +0200	[diff] [blame]	530	/* This might be the optional privateValueLength.
				531	* If so, we can cleanly discard it */
				532	mbedtls_mpi rec;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	533	mbedtls_mpi_init(&rec);
				534	ret = mbedtls_asn1_get_mpi(&p, end, &rec);
				535	mbedtls_mpi_free(&rec);
				536	if (ret != 0) {
				537	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	538	goto exit;
				539	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	540	if (p != end) {
				541	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT,
				542	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	543	goto exit;
				544	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	545	}
				546
				547	ret = 0;
				548
				549	exit:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	550	#if defined(MBEDTLS_PEM_PARSE_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	551	mbedtls_pem_free(&pem);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	552	#endif
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	553	if (ret != 0) {
				554	mbedtls_dhm_free(dhm);
				555	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	556
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	557	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	558	}
				559
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	560	#if defined(MBEDTLS_FS_IO)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	561	/*
				562	* Load all data from a file into a given buffer.
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	563	*
				564	* The file is expected to contain either PEM or DER encoded data.
				565	* A terminating null byte is always appended. It is included in the announced
				566	* length only if the data looks like it is PEM encoded.
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	567	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	568	static int load_file(const char path, unsigned char buf, size_t n)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	569	{
				570	FILE *f;
				571	long size;
				572
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	573	if ((f = fopen(path, "rb")) == NULL) {
				574	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
				575	}
Gilles Peskine	da0913b	2022-06-30 17:03:40 +0200	[diff] [blame]	576	/* The data loaded here is public, so don't bother disabling buffering. */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	577
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	578	fseek(f, 0, SEEK_END);
				579	if ((size = ftell(f)) == -1) {
				580	fclose(f);
				581	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	582	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	583	fseek(f, 0, SEEK_SET);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	584
				585	*n = (size_t) size;
				586
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	587	if (*n + 1 == 0 \|\|
				588	(buf = mbedtls_calloc(1, n + 1)) == NULL) {
				589	fclose(f);
				590	return MBEDTLS_ERR_DHM_ALLOC_FAILED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	591	}
				592
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	593	if (fread(buf, 1, n, f) != *n) {
				594	fclose(f);
Andres Amaya Garcia	bdbca7b	2017-06-23 16:23:21 +0100	[diff] [blame]	595
Tom Cosgrove	ca8c61b	2023-07-17 15:17:40 +0100	[diff] [blame]	596	mbedtls_zeroize_and_free(buf, n + 1);
Andres Amaya Garcia	bdbca7b	2017-06-23 16:23:21 +0100	[diff] [blame]	597
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	598	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	599	}
				600
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	601	fclose(f);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	602
				603	(buf)[n] = '\0';
				604
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	605	if (strstr((const char ) buf, "-----BEGIN ") != NULL) {
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	606	++*n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	607	}
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	608
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	609	return 0;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	610	}
				611
				612	/*
				613	* Load and parse DHM parameters
				614	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	615	int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context dhm, const char path)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	616	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	617	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	618	size_t n;
				619	unsigned char *buf;
				620
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	621	if ((ret = load_file(path, &buf, &n)) != 0) {
				622	return ret;
				623	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	624
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	625	ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	626
Tom Cosgrove	ca8c61b	2023-07-17 15:17:40 +0100	[diff] [blame]	627	mbedtls_zeroize_and_free(buf, n);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	628
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	629	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	630	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	631	#endif /* MBEDTLS_FS_IO */
				632	#endif /* MBEDTLS_ASN1_PARSE_C */
nirekh01	49762fa	2017-12-25 06:46:48 +0000	[diff] [blame]	633	#endif /* MBEDTLS_DHM_ALT */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	634
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	635	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	636
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	637	#if defined(MBEDTLS_PEM_PARSE_C)
Manuel Pégourié-Gonnard	53585ee	2015-06-25 08:52:25 +0200	[diff] [blame]	638	static const char mbedtls_test_dhm_params[] =
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	639	"-----BEGIN DH PARAMETERS-----\r\n"
				640	"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
				641	"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
				642	"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
				643	"-----END DH PARAMETERS-----\r\n";
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	644	#else /* MBEDTLS_PEM_PARSE_C */
				645	static const char mbedtls_test_dhm_params[] = {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	646	0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
				647	0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
				648	0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
				649	0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
				650	0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
				651	0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
				652	0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
				653	0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
				654	0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
				655	0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
				656	0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
				657	0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
				658	};
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	659	#endif /* MBEDTLS_PEM_PARSE_C */
Manuel Pégourié-Gonnard	53585ee	2015-06-25 08:52:25 +0200	[diff] [blame]	660
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	661	static const size_t mbedtls_test_dhm_params_len = sizeof(mbedtls_test_dhm_params);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	662
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	663	/*
				664	* Checkup routine
				665	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	666	int mbedtls_dhm_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	667	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	668	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	669	mbedtls_dhm_context dhm;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	670
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	671	mbedtls_dhm_init(&dhm);
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	672
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	673	if (verbose != 0) {
				674	mbedtls_printf(" DHM parameter load: ");
				675	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	676
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	677	if ((ret = mbedtls_dhm_parse_dhm(&dhm,
				678	(const unsigned char *) mbedtls_test_dhm_params,
				679	mbedtls_test_dhm_params_len)) != 0) {
				680	if (verbose != 0) {
				681	mbedtls_printf("failed\n");
				682	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	683
Manuel Pégourié-Gonnard	b196fc2	2014-07-09 16:53:29 +0200	[diff] [blame]	684	ret = 1;
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	685	goto exit;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	686	}
				687
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	688	if (verbose != 0) {
				689	mbedtls_printf("passed\n\n");
				690	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	691
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	692	exit:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	693	mbedtls_dhm_free(&dhm);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	694
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	695	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	696	}
				697
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	698	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	699
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	700	#endif /* MBEDTLS_DHM_C */