Blame - library/dhm.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 2e512223637a9bed2587f35d65894363fa9d02e2 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Diffie-Hellman-Merkle key exchange
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	18	*/
				19	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	20	* The following sources were referenced in the design of this implementation
				21	* of the Diffie-Hellman-Merkle algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	22	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	23	* [1] Handbook of Applied Cryptography - 1997, Chapter 12
				24	* Menezes, van Oorschot and Vanstone
				25	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	26	*/
				27
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	28	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	29
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	30	#if defined(MBEDTLS_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	31
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	32	# include "mbedtls/dhm.h"
				33	# include "mbedtls/platform_util.h"
				34	# include "mbedtls/error.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	35
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	36	# include <string.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	37
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	38	# if defined(MBEDTLS_PEM_PARSE_C)
				39	# include "mbedtls/pem.h"
				40	# endif
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	41
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	42	# if defined(MBEDTLS_ASN1_PARSE_C)
				43	# include "mbedtls/asn1.h"
				44	# endif
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	45
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	46	# if defined(MBEDTLS_PLATFORM_C)
				47	# include "mbedtls/platform.h"
				48	# else
				49	# include <stdlib.h>
				50	# include <stdio.h>
				51	# define mbedtls_printf printf
				52	# define mbedtls_calloc calloc
				53	# define mbedtls_free free
				54	# endif
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	55
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	56	# if !defined(MBEDTLS_DHM_ALT)
Paul Bakker	3461772	2014-06-13 17:20:13 +0200	[diff] [blame]	57
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	58	# define DHM_VALIDATE_RET(cond) \
				59	MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA)
				60	# define DHM_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	61
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	62	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	63	* helper to validate the mbedtls_mpi size and import it
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	64	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	65	static int
				66	dhm_read_bignum(mbedtls_mpi X, unsigned char p, const unsigned char end)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	67	{
				68	int ret, n;
				69
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	70	if (end - *p < 2)
				71	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	72
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	73	n = ((p)[0] << 8) \| (p)[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	74	(*p) += 2;
				75
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	76	if ((int)(end - *p) < n)
				77	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	78
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	79	if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0)
				80	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	81
				82	(*p) += n;
				83
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	84	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	85	}
				86
				87	/*
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	88	* Verify sanity of parameter with regards to P
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	89	*
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	90	* Parameter should be: 2 <= public_param <= P - 2
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	91	*
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	92	* This means that we need to return an error if
Janos Follath	1ad1c6d	2017-09-21 09:02:11 +0100	[diff] [blame]	93	* public_param < 2 or public_param > P-2
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	94	*
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	95	* For more information on the attack, see:
				96	* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
				97	* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	98	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	99	static int dhm_check_range(const mbedtls_mpi param, const mbedtls_mpi P)
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	100	{
Gilles Peskine	8e38acc	2021-03-31 22:56:43 +0200	[diff] [blame]	101	mbedtls_mpi U;
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	102	int ret = 0;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	103
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	104	mbedtls_mpi_init(&U);
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	105
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	106	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	107
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	108	if (mbedtls_mpi_cmp_int(param, 2) < 0 \|\|
				109	mbedtls_mpi_cmp_mpi(param, &U) > 0) {
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	110	ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	111	}
				112
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	113	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	114	mbedtls_mpi_free(&U);
				115	return ret;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	116	}
				117
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	118	void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	119	{
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	120	DHM_VALIDATE(ctx != NULL);
				121	memset(ctx, 0, sizeof(mbedtls_dhm_context));
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	122	}
				123
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	124	size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	125	{
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	126	return mbedtls_mpi_bitlen(&ctx->P);
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	127	}
				128
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	129	size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx)
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	130	{
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	131	return mbedtls_mpi_size(&ctx->P);
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	132	}
				133
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	134	int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
				135	mbedtls_dhm_parameter param,
				136	mbedtls_mpi *dest)
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	137	{
				138	const mbedtls_mpi *src = NULL;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	139	switch (param) {
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	140	case MBEDTLS_DHM_PARAM_P:
				141	src = &ctx->P;
				142	break;
				143	case MBEDTLS_DHM_PARAM_G:
				144	src = &ctx->G;
				145	break;
				146	case MBEDTLS_DHM_PARAM_X:
				147	src = &ctx->X;
				148	break;
				149	case MBEDTLS_DHM_PARAM_GX:
				150	src = &ctx->GX;
				151	break;
				152	case MBEDTLS_DHM_PARAM_GY:
				153	src = &ctx->GY;
				154	break;
				155	case MBEDTLS_DHM_PARAM_K:
				156	src = &ctx->K;
				157	break;
				158	default:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	159	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	160	}
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	161	return mbedtls_mpi_copy(dest, src);
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	162	}
				163
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	164	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	165	* Parse the ServerKeyExchange parameters
				166	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	167	int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
				168	unsigned char **p,
				169	const unsigned char *end)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	170	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	171	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	172	DHM_VALIDATE_RET(ctx != NULL);
				173	DHM_VALIDATE_RET(p != NULL && *p != NULL);
				174	DHM_VALIDATE_RET(end != NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	175
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	176	if ((ret = dhm_read_bignum(&ctx->P, p, end)) != 0 \|\|
				177	(ret = dhm_read_bignum(&ctx->G, p, end)) != 0 \|\|
				178	(ret = dhm_read_bignum(&ctx->GY, p, end)) != 0)
				179	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	180
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	181	if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0)
				182	return ret;
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	183
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	184	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	185	}
				186
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	187	/*
Gilles Peskine	da7ee01	2021-03-31 23:04:50 +0200	[diff] [blame]	188	* Pick a random R in the range [2, M-2] for blinding or key generation.
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	189	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	190	static int dhm_random_below(mbedtls_mpi *R,
				191	const mbedtls_mpi *M,
				192	int (f_rng)(void , unsigned char *, size_t),
				193	void *p_rng)
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	194	{
Gilles Peskine	da7ee01	2021-03-31 23:04:50 +0200	[diff] [blame]	195	int ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	196
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	197	MBEDTLS_MPI_CHK(mbedtls_mpi_random(R, 3, M, f_rng, p_rng));
				198	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(R, R, 1));
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	199
				200	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	201	return ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	202	}
				203
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	204	static int dhm_make_common(mbedtls_dhm_context *ctx,
				205	int x_size,
				206	int (f_rng)(void , unsigned char *, size_t),
				207	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	208	{
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	209	int ret = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	210
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	211	if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0)
				212	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				213	if (x_size < 0)
				214	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	b5b20f1	2012-09-16 15:07:49 +0000	[diff] [blame]	215
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	216	if ((unsigned)x_size < mbedtls_mpi_size(&ctx->P)) {
				217	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
				218	} else {
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	219	/* Generate X as large as possible ( <= P - 2 ) */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	220	ret = dhm_random_below(&ctx->X, &ctx->P, f_rng, p_rng);
				221	if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE)
				222	return MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED;
				223	if (ret != 0)
				224	return ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	225	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	226
Paul Bakker	ff7fe67	2010-07-18 09:45:05 +0000	[diff] [blame]	227	/*
				228	* Calculate GX = G^X mod P
				229	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	230	MBEDTLS_MPI_CHK(
				231	mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X, &ctx->P, &ctx->RP));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	232
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	233	if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0)
				234	return ret;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	235
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	236	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	237	return ret;
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	238	}
				239
				240	/*
				241	* Setup and write the ServerKeyExchange parameters
				242	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	243	int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx,
				244	int x_size,
				245	unsigned char *output,
				246	size_t *olen,
				247	int (f_rng)(void , unsigned char *, size_t),
				248	void *p_rng)
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	249	{
				250	int ret;
				251	size_t n1, n2, n3;
				252	unsigned char *p;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	253	DHM_VALIDATE_RET(ctx != NULL);
				254	DHM_VALIDATE_RET(output != NULL);
				255	DHM_VALIDATE_RET(olen != NULL);
				256	DHM_VALIDATE_RET(f_rng != NULL);
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	257
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	258	ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
				259	if (ret != 0)
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	260	goto cleanup;
				261
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	262	/*
				263	* Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
				264	* not required". We omit leading zeros for compactness.
				265	*/
				266	# define DHM_MPI_EXPORT(X, n) \
				267	do { \
				268	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary((X), p + 2, (n))); \
				269	*p++ = (unsigned char)((n) >> 8); \
				270	*p++ = (unsigned char)((n)); \
				271	p += (n); \
				272	} while (0)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	273
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	274	n1 = mbedtls_mpi_size(&ctx->P);
				275	n2 = mbedtls_mpi_size(&ctx->G);
				276	n3 = mbedtls_mpi_size(&ctx->GX);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	277
				278	p = output;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	279	DHM_MPI_EXPORT(&ctx->P, n1);
				280	DHM_MPI_EXPORT(&ctx->G, n2);
				281	DHM_MPI_EXPORT(&ctx->GX, n3);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	282
Hanno Becker	e71ad12	2017-09-28 10:32:25 +0100	[diff] [blame]	283	*olen = p - output;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	284
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	285	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	286	if (ret != 0 && ret > -128)
				287	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret);
				288	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	289	}
				290
				291	/*
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	292	* Set prime modulus and generator
				293	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	294	int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
				295	const mbedtls_mpi *P,
				296	const mbedtls_mpi *G)
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	297	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	298	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	299	DHM_VALIDATE_RET(ctx != NULL);
				300	DHM_VALIDATE_RET(P != NULL);
				301	DHM_VALIDATE_RET(G != NULL);
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	302
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	303	if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 \|\|
				304	(ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
				305	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret);
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	306	}
				307
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	308	return 0;
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	309	}
				310
				311	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	312	* Import the peer's public value G^Y
				313	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	314	int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
				315	const unsigned char *input,
				316	size_t ilen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	317	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	318	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	319	DHM_VALIDATE_RET(ctx != NULL);
				320	DHM_VALIDATE_RET(input != NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	321
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	322	if (ilen < 1 \|\| ilen > mbedtls_dhm_get_len(ctx))
				323	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	324
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	325	if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0)
				326	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	327
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	328	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	329	}
				330
				331	/*
				332	* Create own private value X and export G^X
				333	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	334	int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx,
				335	int x_size,
				336	unsigned char *output,
				337	size_t olen,
				338	int (f_rng)(void , unsigned char *, size_t),
				339	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	340	{
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	341	int ret;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	342	DHM_VALIDATE_RET(ctx != NULL);
				343	DHM_VALIDATE_RET(output != NULL);
				344	DHM_VALIDATE_RET(f_rng != NULL);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	345
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	346	if (olen < 1 \|\| olen > mbedtls_dhm_get_len(ctx))
				347	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	348
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	349	ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
				350	if (ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED)
				351	return MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED;
				352	if (ret != 0)
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	353	goto cleanup;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	354
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	355	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	356
				357	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	358	if (ret != 0 && ret > -128)
				359	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret);
				360	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	361	}
				362
Manuel Pégourié-Gonnard	9f58c4b	2020-06-25 12:34:58 +0200	[diff] [blame]	363	/*
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	364	* Use the blinding method and optimisation suggested in section 10 of:
				365	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	366	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	367	* Berlin Heidelberg, 1996. p. 104-113.
				368	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	369	static int dhm_update_blinding(mbedtls_dhm_context *ctx,
				370	int (f_rng)(void , unsigned char *, size_t),
				371	void *p_rng)
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	372	{
Manuel Pégourié-Gonnard	9f58c4b	2020-06-25 12:34:58 +0200	[diff] [blame]	373	int ret;
Manuel Pégourié-Gonnard	af72167	2020-06-25 12:47:22 +0200	[diff] [blame]	374	mbedtls_mpi R;
				375
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	376	mbedtls_mpi_init(&R);
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	377
				378	/*
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	379	* Don't use any blinding the first time a particular X is used,
				380	* but remember it to use blinding next time.
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	381	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	382	if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
				383	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
				384	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
				385	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
Manuel Pégourié-Gonnard	ed8a02b	2013-09-04 16:39:03 +0200	[diff] [blame]	386
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	387	return 0;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	388	}
				389
				390	/*
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	391	* Ok, we need blinding. Can we re-use existing values?
				392	* If yes, just update them by squaring them.
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	393	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	394	if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
				395	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
				396	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	397
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	398	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
				399	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	400
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	401	return 0;
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	402	}
				403
				404	/*
				405	* We need to generate blinding values from scratch
				406	*/
				407
Gilles Peskine	7b2b66e	2021-03-31 22:50:57 +0200	[diff] [blame]	408	/* Vi = random( 2, P-2 ) */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	409	MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	410
Manuel Pégourié-Gonnard	af72167	2020-06-25 12:47:22 +0200	[diff] [blame]	411	/* Vf = Vi^-X mod P
				412	* First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
				413	* then elevate to the Xth power. */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	414	MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
				415	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
				416	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
				417	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
				418	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
				419	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	420
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	421	MBEDTLS_MPI_CHK(
				422	mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	423
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	424	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	425	mbedtls_mpi_free(&R);
Manuel Pégourié-Gonnard	af72167	2020-06-25 12:47:22 +0200	[diff] [blame]	426
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	427	return ret;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	428	}
				429
				430	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	431	* Derive and export the shared secret (G^Y)^X mod P
				432	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	433	int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
				434	unsigned char *output,
				435	size_t output_size,
				436	size_t *olen,
				437	int (f_rng)(void , unsigned char *, size_t),
				438	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	439	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	440	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	441	mbedtls_mpi GYb;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	442	DHM_VALIDATE_RET(ctx != NULL);
				443	DHM_VALIDATE_RET(output != NULL);
				444	DHM_VALIDATE_RET(olen != NULL);
Manuel Pégourié-Gonnard	2d62764	2013-09-04 14:22:07 +0200	[diff] [blame]	445
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	446	if (f_rng == NULL)
				447	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard	1a87722	2021-06-15 11:29:26 +0200	[diff] [blame]	448
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	449	if (output_size < mbedtls_dhm_get_len(ctx))
				450	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	451
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	452	if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0)
				453	return ret;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	454
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	455	mbedtls_mpi_init(&GYb);
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	456
				457	/* Blind peer's value */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	458	MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
				459	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
				460	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	461
				462	/* Do modular exponentiation */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	463	MBEDTLS_MPI_CHK(
				464	mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X, &ctx->P, &ctx->RP));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	465
				466	/* Unblind secret value */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	467	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
				468	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	469
Gilles Peskine	03299dc	2021-04-13 22:10:24 +0200	[diff] [blame]	470	/* Output the secret without any leading zero byte. This is mandatory
				471	* for TLS per RFC 5246 §8.1.2. */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	472	*olen = mbedtls_mpi_size(&ctx->K);
				473	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	474
				475	cleanup:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	476	mbedtls_mpi_free(&GYb);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	477
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	478	if (ret != 0)
				479	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	480
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	481	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	482	}
				483
				484	/*
				485	* Free the components of a DHM key
				486	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	487	void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	488	{
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	489	if (ctx == NULL)
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	490	return;
				491
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	492	mbedtls_mpi_free(&ctx->pX);
				493	mbedtls_mpi_free(&ctx->Vf);
				494	mbedtls_mpi_free(&ctx->Vi);
				495	mbedtls_mpi_free(&ctx->RP);
				496	mbedtls_mpi_free(&ctx->K);
				497	mbedtls_mpi_free(&ctx->GY);
				498	mbedtls_mpi_free(&ctx->GX);
				499	mbedtls_mpi_free(&ctx->X);
				500	mbedtls_mpi_free(&ctx->G);
				501	mbedtls_mpi_free(&ctx->P);
Manuel Pégourié-Gonnard	b72b4ed	2013-09-13 13:55:26 +0200	[diff] [blame]	502
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	503	mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	504	}
				505
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	506	# if defined(MBEDTLS_ASN1_PARSE_C)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	507	/*
				508	* Parse DHM parameters
				509	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	510	int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm,
				511	const unsigned char *dhmin,
				512	size_t dhminlen)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	513	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	514	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	515	size_t len;
				516	unsigned char p, end;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	517	# if defined(MBEDTLS_PEM_PARSE_C)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	518	mbedtls_pem_context pem;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	519	# endif /* MBEDTLS_PEM_PARSE_C */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	520
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	521	DHM_VALIDATE_RET(dhm != NULL);
				522	DHM_VALIDATE_RET(dhmin != NULL);
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	523
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	524	# if defined(MBEDTLS_PEM_PARSE_C)
				525	mbedtls_pem_init(&pem);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	526
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	527	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	528	if (dhminlen == 0 \|\| dhmin[dhminlen - 1] != '\0')
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	529	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
				530	else
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	531	ret = mbedtls_pem_read_buffer(&pem, "-----BEGIN DH PARAMETERS-----",
				532	"-----END DH PARAMETERS-----", dhmin,
				533	NULL, 0, &dhminlen);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	534
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	535	if (ret == 0) {
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	536	/*
				537	* Was PEM encoded
				538	*/
				539	dhminlen = pem.buflen;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	540	} else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	541	goto exit;
				542
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	543	p = (ret == 0) ? pem.buf : (unsigned char *)dhmin;
				544	# else
				545	p = (unsigned char *)dhmin;
				546	# endif /* MBEDTLS_PEM_PARSE_C */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	547	end = p + dhminlen;
				548
				549	/*
				550	* DHParams ::= SEQUENCE {
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	551	* prime INTEGER, -- P
				552	* generator INTEGER, -- g
				553	* privateValueLength INTEGER OPTIONAL
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	554	* }
				555	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	556	if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
				557	MBEDTLS_ASN1_CONSTRUCTED \|
				558	MBEDTLS_ASN1_SEQUENCE)) != 0) {
				559	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	560	goto exit;
				561	}
				562
				563	end = p + len;
				564
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	565	if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 \|\|
				566	(ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
				567	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	568	goto exit;
				569	}
				570
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	571	if (p != end) {
Manuel Pégourié-Gonnard	de9b363	2015-04-17 20:06:31 +0200	[diff] [blame]	572	/* This might be the optional privateValueLength.
				573	* If so, we can cleanly discard it */
				574	mbedtls_mpi rec;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	575	mbedtls_mpi_init(&rec);
				576	ret = mbedtls_asn1_get_mpi(&p, end, &rec);
				577	mbedtls_mpi_free(&rec);
				578	if (ret != 0) {
				579	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	580	goto exit;
				581	}
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	582	if (p != end) {
				583	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT,
				584	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	585	goto exit;
				586	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	587	}
				588
				589	ret = 0;
				590
				591	exit:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	592	# if defined(MBEDTLS_PEM_PARSE_C)
				593	mbedtls_pem_free(&pem);
				594	# endif
				595	if (ret != 0)
				596	mbedtls_dhm_free(dhm);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	597
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	598	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	599	}
				600
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	601	# if defined(MBEDTLS_FS_IO)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	602	/*
				603	* Load all data from a file into a given buffer.
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	604	*
				605	* The file is expected to contain either PEM or DER encoded data.
				606	* A terminating null byte is always appended. It is included in the announced
				607	* length only if the data looks like it is PEM encoded.
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	608	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	609	static int load_file(const char path, unsigned char buf, size_t n)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	610	{
				611	FILE *f;
				612	long size;
				613
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	614	if ((f = fopen(path, "rb")) == NULL)
				615	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	616
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	617	fseek(f, 0, SEEK_END);
				618	if ((size = ftell(f)) == -1) {
				619	fclose(f);
				620	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	621	}
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	622	fseek(f, 0, SEEK_SET);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	623
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	624	*n = (size_t)size;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	625
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	626	if (n + 1 == 0 \|\| (buf = mbedtls_calloc(1, *n + 1)) == NULL) {
				627	fclose(f);
				628	return MBEDTLS_ERR_DHM_ALLOC_FAILED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	629	}
				630
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	631	if (fread(buf, 1, n, f) != *n) {
				632	fclose(f);
Andres Amaya Garcia	bdbca7b	2017-06-23 16:23:21 +0100	[diff] [blame]	633
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	634	mbedtls_platform_zeroize(buf, n + 1);
				635	mbedtls_free(*buf);
Andres Amaya Garcia	bdbca7b	2017-06-23 16:23:21 +0100	[diff] [blame]	636
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	637	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	638	}
				639
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	640	fclose(f);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	641
				642	(buf)[n] = '\0';
				643
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	644	if (strstr((const char )buf, "-----BEGIN ") != NULL)
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	645	++*n;
				646
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	647	return 0;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	648	}
				649
				650	/*
				651	* Load and parse DHM parameters
				652	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	653	int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context dhm, const char path)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	654	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	655	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	656	size_t n;
				657	unsigned char *buf;
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	658	DHM_VALIDATE_RET(dhm != NULL);
				659	DHM_VALIDATE_RET(path != NULL);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	660
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	661	if ((ret = load_file(path, &buf, &n)) != 0)
				662	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	663
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	664	ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	665
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	666	mbedtls_platform_zeroize(buf, n);
				667	mbedtls_free(buf);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	668
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	669	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	670	}
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	671	# endif /* MBEDTLS_FS_IO */
				672	# endif /* MBEDTLS_ASN1_PARSE_C */
				673	# endif /* MBEDTLS_DHM_ALT */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	674
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	675	# if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	676
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	677	# if defined(MBEDTLS_PEM_PARSE_C)
Manuel Pégourié-Gonnard	53585ee	2015-06-25 08:52:25 +0200	[diff] [blame]	678	static const char mbedtls_test_dhm_params[] =
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	679	"-----BEGIN DH PARAMETERS-----\r\n"
				680	"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
				681	"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
				682	"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
				683	"-----END DH PARAMETERS-----\r\n";
				684	# else /* MBEDTLS_PEM_PARSE_C */
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	685	static const char mbedtls_test_dhm_params[] = {
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	686	0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
				687	0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
				688	0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
				689	0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
				690	0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
				691	0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
				692	0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
				693	0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
				694	0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
				695	0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
				696	0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
				697	0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
				698	};
				699	# endif /* MBEDTLS_PEM_PARSE_C */
Manuel Pégourié-Gonnard	53585ee	2015-06-25 08:52:25 +0200	[diff] [blame]	700
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	701	static const size_t mbedtls_test_dhm_params_len =
				702	sizeof(mbedtls_test_dhm_params);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	703
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	704	/*
				705	* Checkup routine
				706	*/
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	707	int mbedtls_dhm_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	708	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	709	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	710	mbedtls_dhm_context dhm;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	711
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	712	mbedtls_dhm_init(&dhm);
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	713
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	714	if (verbose != 0)
				715	mbedtls_printf(" DHM parameter load: ");
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	716
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	717	if ((ret = mbedtls_dhm_parse_dhm(
				718	&dhm, (const unsigned char *)mbedtls_test_dhm_params,
				719	mbedtls_test_dhm_params_len)) != 0) {
				720	if (verbose != 0)
				721	mbedtls_printf("failed\n");
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	722
Manuel Pégourié-Gonnard	b196fc2	2014-07-09 16:53:29 +0200	[diff] [blame]	723	ret = 1;
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	724	goto exit;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	725	}
				726
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	727	if (verbose != 0)
				728	mbedtls_printf("passed\n\n");
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	729
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	730	exit:
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	731	mbedtls_dhm_free(&dhm);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	732
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	733	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	734	}
				735
Mateusz Starzyk	c0eabdc	2021-08-03 14:09:02 +0200	[diff] [blame^]	736	# endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	737
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	738	#endif /* MBEDTLS_DHM_C */