Blame - library/dhm.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 174137d54db8317ef2ce29f2b77cef01fa6cf444 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* Diffie-Hellman-Merkle key exchange
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	18	*/
				19	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	20	* The following sources were referenced in the design of this implementation
				21	* of the Diffie-Hellman-Merkle algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	22	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	23	* [1] Handbook of Applied Cryptography - 1997, Chapter 12
				24	* Menezes, van Oorschot and Vanstone
				25	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	26	*/
				27
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	28	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	29
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	30	#if defined(MBEDTLS_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	31
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	32	#include "mbedtls/dhm.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	33	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	34	#include "mbedtls/error.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	35
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	36	#include <string.h>
				37
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	38	#if defined(MBEDTLS_PEM_PARSE_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	39	#include "mbedtls/pem.h"
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	40	#endif
				41
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	42	#if defined(MBEDTLS_ASN1_PARSE_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	43	#include "mbedtls/asn1.h"
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	44	#endif
				45
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	46	#include "mbedtls/platform.h"
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	47
Reuven Levin	1f35ca9	2017-12-07 10:09:32 +0000	[diff] [blame]	48	#if !defined(MBEDTLS_DHM_ALT)
Paul Bakker	3461772	2014-06-13 17:20:13 +0200	[diff] [blame]	49
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	50	/*
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	51	* helper to validate the mbedtls_mpi size and import it
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	52	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	53	static int dhm_read_bignum(mbedtls_mpi *X,
				54	unsigned char **p,
				55	const unsigned char *end)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	56	{
				57	int ret, n;
				58
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	59	if (end - *p < 2) {
				60	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				61	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	62
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	63	n = ((p)[0] << 8) \| (p)[1];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	64	(*p) += 2;
				65
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	66	if ((int) (end - *p) < n) {
				67	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				68	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	69
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	70	if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0) {
				71	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret);
				72	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	73
				74	(*p) += n;
				75
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	76	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	77	}
				78
				79	/*
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	80	* Verify sanity of parameter with regards to P
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	81	*
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	82	* Parameter should be: 2 <= public_param <= P - 2
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	83	*
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	84	* This means that we need to return an error if
Janos Follath	1ad1c6d	2017-09-21 09:02:11 +0100	[diff] [blame]	85	* public_param < 2 or public_param > P-2
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	86	*
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	87	* For more information on the attack, see:
				88	* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
				89	* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	90	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	91	static int dhm_check_range(const mbedtls_mpi param, const mbedtls_mpi P)
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	92	{
Gilles Peskine	8e38acc	2021-03-31 22:56:43 +0200	[diff] [blame]	93	mbedtls_mpi U;
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	94	int ret = 0;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	95
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	96	mbedtls_mpi_init(&U);
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	97
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	98	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	99
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	100	if (mbedtls_mpi_cmp_int(param, 2) < 0 \|\|
				101	mbedtls_mpi_cmp_mpi(param, &U) > 0) {
Janos Follath	aa325d7	2017-09-20 15:33:24 +0100	[diff] [blame]	102	ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	103	}
				104
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	105	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	106	mbedtls_mpi_free(&U);
				107	return ret;
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	108	}
				109
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	110	void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	111	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	112	memset(ctx, 0, sizeof(mbedtls_dhm_context));
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	113	}
				114
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	115	size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	116	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	117	return mbedtls_mpi_bitlen(&ctx->P);
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	118	}
				119
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	120	size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx)
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	121	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	122	return mbedtls_mpi_size(&ctx->P);
Gilles Peskine	487bbf6	2021-05-27 22:17:07 +0200	[diff] [blame]	123	}
				124
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	125	int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
				126	mbedtls_dhm_parameter param,
				127	mbedtls_mpi *dest)
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	128	{
				129	const mbedtls_mpi *src = NULL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	130	switch (param) {
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	131	case MBEDTLS_DHM_PARAM_P:
				132	src = &ctx->P;
				133	break;
				134	case MBEDTLS_DHM_PARAM_G:
				135	src = &ctx->G;
				136	break;
				137	case MBEDTLS_DHM_PARAM_X:
				138	src = &ctx->X;
				139	break;
				140	case MBEDTLS_DHM_PARAM_GX:
				141	src = &ctx->GX;
				142	break;
				143	case MBEDTLS_DHM_PARAM_GY:
				144	src = &ctx->GY;
				145	break;
				146	case MBEDTLS_DHM_PARAM_K:
				147	src = &ctx->K;
				148	break;
				149	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	150	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	151	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	152	return mbedtls_mpi_copy(dest, src);
Gilles Peskine	71acc6e	2021-05-27 22:50:53 +0200	[diff] [blame]	153	}
				154
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	155	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	156	* Parse the ServerKeyExchange parameters
				157	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	158	int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
				159	unsigned char **p,
				160	const unsigned char *end)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	161	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	162	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	163
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	164	if ((ret = dhm_read_bignum(&ctx->P, p, end)) != 0 \|\|
				165	(ret = dhm_read_bignum(&ctx->G, p, end)) != 0 \|\|
				166	(ret = dhm_read_bignum(&ctx->GY, p, end)) != 0) {
				167	return ret;
				168	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	169
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	170	if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
				171	return ret;
				172	}
Paul Bakker	345a6fe	2011-02-28 21:20:02 +0000	[diff] [blame]	173
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	174	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	175	}
				176
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	177	/*
Gilles Peskine	da7ee01	2021-03-31 23:04:50 +0200	[diff] [blame]	178	* Pick a random R in the range [2, M-2] for blinding or key generation.
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	179	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	180	static int dhm_random_below(mbedtls_mpi R, const mbedtls_mpi M,
				181	int (f_rng)(void , unsigned char , size_t), void p_rng)
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	182	{
Gilles Peskine	da7ee01	2021-03-31 23:04:50 +0200	[diff] [blame]	183	int ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	184
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	185	MBEDTLS_MPI_CHK(mbedtls_mpi_random(R, 3, M, f_rng, p_rng));
				186	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(R, R, 1));
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	187
				188	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	189	return ret;
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	190	}
				191
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	192	static int dhm_make_common(mbedtls_dhm_context *ctx, int x_size,
				193	int (f_rng)(void , unsigned char *, size_t),
				194	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	195	{
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	196	int ret = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	197
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	198	if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0) {
				199	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
Paul Bakker	aec37cb	2012-04-26 18:59:59 +0000	[diff] [blame]	200	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	201	if (x_size < 0) {
				202	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				203	}
				204
				205	if ((unsigned) x_size < mbedtls_mpi_size(&ctx->P)) {
				206	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
				207	} else {
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	208	/* Generate X as large as possible ( <= P - 2 ) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	209	ret = dhm_random_below(&ctx->X, &ctx->P, f_rng, p_rng);
				210	if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
				211	return MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED;
				212	}
				213	if (ret != 0) {
				214	return ret;
				215	}
Gilles Peskine	17f1a26	2021-03-31 22:48:14 +0200	[diff] [blame]	216	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	217
Paul Bakker	ff7fe67	2010-07-18 09:45:05 +0000	[diff] [blame]	218	/*
				219	* Calculate GX = G^X mod P
				220	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	221	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
				222	&ctx->P, &ctx->RP));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	223
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	224	if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0) {
				225	return ret;
				226	}
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	227
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	228	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	229	return ret;
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	230	}
				231
				232	/*
				233	* Setup and write the ServerKeyExchange parameters
				234	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	235	int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
				236	unsigned char output, size_t olen,
				237	int (f_rng)(void , unsigned char *, size_t),
				238	void *p_rng)
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	239	{
				240	int ret;
				241	size_t n1, n2, n3;
				242	unsigned char *p;
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	243
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	244	ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
				245	if (ret != 0) {
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	246	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	247	}
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	248
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	249	/*
Gilles Peskine	03299dc	2021-04-13 22:10:24 +0200	[diff] [blame]	250	* Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
				251	* not required". We omit leading zeros for compactness.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	252	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	253	#define DHM_MPI_EXPORT(X, n) \
Hanno Becker	e71ad12	2017-09-28 10:32:25 +0100	[diff] [blame]	254	do { \
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	255	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary((X), \
				256	p + 2, \
				257	(n))); \
				258	*p++ = MBEDTLS_BYTE_1(n); \
				259	*p++ = MBEDTLS_BYTE_0(n); \
				260	p += (n); \
				261	} while (0)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	262
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	263	n1 = mbedtls_mpi_size(&ctx->P);
				264	n2 = mbedtls_mpi_size(&ctx->G);
				265	n3 = mbedtls_mpi_size(&ctx->GX);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	266
				267	p = output;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	268	DHM_MPI_EXPORT(&ctx->P, n1);
				269	DHM_MPI_EXPORT(&ctx->G, n2);
				270	DHM_MPI_EXPORT(&ctx->GX, n3);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	271
Hanno Becker	e71ad12	2017-09-28 10:32:25 +0100	[diff] [blame]	272	*olen = p - output;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	273
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	274	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	275	if (ret != 0 && ret > -128) {
				276	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret);
				277	}
				278	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	279	}
				280
				281	/*
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	282	* Set prime modulus and generator
				283	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	284	int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
				285	const mbedtls_mpi *P,
				286	const mbedtls_mpi *G)
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	287	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	288	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	289
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	290	if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 \|\|
				291	(ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
				292	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret);
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	293	}
				294
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	295	return 0;
Hanno Becker	8880e75	2017-10-04 13:15:08 +0100	[diff] [blame]	296	}
				297
				298	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	299	* Import the peer's public value G^Y
				300	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	301	int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
				302	const unsigned char *input, size_t ilen)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	303	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	304	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	305
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	306	if (ilen < 1 \|\| ilen > mbedtls_dhm_get_len(ctx)) {
				307	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				308	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	309
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	310	if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0) {
				311	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret);
				312	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	313
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	314	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	315	}
				316
				317	/*
				318	* Create own private value X and export G^X
				319	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	320	int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
				321	unsigned char *output, size_t olen,
				322	int (f_rng)(void , unsigned char *, size_t),
				323	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	324	{
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	325	int ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	326
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	327	if (olen < 1 \|\| olen > mbedtls_dhm_get_len(ctx)) {
				328	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				329	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	330
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	331	ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
				332	if (ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) {
				333	return MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED;
				334	}
				335	if (ret != 0) {
Gilles Peskine	cb660f2	2021-03-31 22:35:13 +0200	[diff] [blame]	336	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	337	}
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	338
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	339	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	340
				341	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	342	if (ret != 0 && ret > -128) {
				343	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret);
				344	}
				345	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	346	}
				347
Manuel Pégourié-Gonnard	9f58c4b	2020-06-25 12:34:58 +0200	[diff] [blame]	348
				349	/*
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	350	* Use the blinding method and optimisation suggested in section 10 of:
				351	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	352	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	353	* Berlin Heidelberg, 1996. p. 104-113.
				354	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	355	static int dhm_update_blinding(mbedtls_dhm_context *ctx,
				356	int (f_rng)(void , unsigned char , size_t), void p_rng)
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	357	{
Manuel Pégourié-Gonnard	9f58c4b	2020-06-25 12:34:58 +0200	[diff] [blame]	358	int ret;
Manuel Pégourié-Gonnard	af72167	2020-06-25 12:47:22 +0200	[diff] [blame]	359	mbedtls_mpi R;
				360
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	361	mbedtls_mpi_init(&R);
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	362
				363	/*
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	364	* Don't use any blinding the first time a particular X is used,
				365	* but remember it to use blinding next time.
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	366	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	367	if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
				368	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
				369	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
				370	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
Manuel Pégourié-Gonnard	ed8a02b	2013-09-04 16:39:03 +0200	[diff] [blame]	371
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	372	return 0;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	373	}
				374
				375	/*
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	376	* Ok, we need blinding. Can we re-use existing values?
				377	* If yes, just update them by squaring them.
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	378	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	379	if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
				380	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
				381	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	382
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	383	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
				384	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	385
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	386	return 0;
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	387	}
				388
				389	/*
				390	* We need to generate blinding values from scratch
				391	*/
				392
Gilles Peskine	7b2b66e	2021-03-31 22:50:57 +0200	[diff] [blame]	393	/* Vi = random( 2, P-2 ) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	394	MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	395
Manuel Pégourié-Gonnard	af72167	2020-06-25 12:47:22 +0200	[diff] [blame]	396	/* Vf = Vi^-X mod P
				397	* First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
				398	* then elevate to the Xth power. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	399	MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
				400	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
				401	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
				402	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
				403	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
				404	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
Manuel Pégourié-Gonnard	15d5de1	2013-09-17 11:34:11 +0200	[diff] [blame]	405
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	406	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	407
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	408	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	409	mbedtls_mpi_free(&R);
Manuel Pégourié-Gonnard	af72167	2020-06-25 12:47:22 +0200	[diff] [blame]	410
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	411	return ret;
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	412	}
				413
				414	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	415	* Derive and export the shared secret (G^Y)^X mod P
				416	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	417	int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
				418	unsigned char output, size_t output_size, size_t olen,
				419	int (f_rng)(void , unsigned char *, size_t),
				420	void *p_rng)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	421	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	422	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	423	mbedtls_mpi GYb;
Manuel Pégourié-Gonnard	2d62764	2013-09-04 14:22:07 +0200	[diff] [blame]	424
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	425	if (f_rng == NULL) {
				426	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				427	}
Manuel Pégourié-Gonnard	1a87722	2021-06-15 11:29:26 +0200	[diff] [blame]	428
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	429	if (output_size < mbedtls_dhm_get_len(ctx)) {
				430	return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
				431	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	432
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	433	if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
				434	return ret;
				435	}
Paul Bakker	c47840e	2011-02-20 16:37:30 +0000	[diff] [blame]	436
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	437	mbedtls_mpi_init(&GYb);
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	438
				439	/* Blind peer's value */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	440	MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
				441	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
				442	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	443
				444	/* Do modular exponentiation */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	445	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X,
				446	&ctx->P, &ctx->RP));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	447
				448	/* Unblind secret value */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	449	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
				450	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
Manuel Pégourié-Gonnard	143b502	2013-09-04 16:29:59 +0200	[diff] [blame]	451
Gilles Peskine	03299dc	2021-04-13 22:10:24 +0200	[diff] [blame]	452	/* Output the secret without any leading zero byte. This is mandatory
				453	* for TLS per RFC 5246 §8.1.2. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	454	*olen = mbedtls_mpi_size(&ctx->K);
				455	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	456
				457	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	458	mbedtls_mpi_free(&GYb);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	459
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	460	if (ret != 0) {
				461	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret);
				462	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	463
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	464	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	465	}
				466
				467	/*
				468	* Free the components of a DHM key
				469	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	470	void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	471	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	472	if (ctx == NULL) {
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	473	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	474	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	475
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	476	mbedtls_mpi_free(&ctx->pX);
				477	mbedtls_mpi_free(&ctx->Vf);
				478	mbedtls_mpi_free(&ctx->Vi);
				479	mbedtls_mpi_free(&ctx->RP);
				480	mbedtls_mpi_free(&ctx->K);
				481	mbedtls_mpi_free(&ctx->GY);
				482	mbedtls_mpi_free(&ctx->GX);
				483	mbedtls_mpi_free(&ctx->X);
				484	mbedtls_mpi_free(&ctx->G);
				485	mbedtls_mpi_free(&ctx->P);
Manuel Pégourié-Gonnard	b72b4ed	2013-09-13 13:55:26 +0200	[diff] [blame]	486
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	487	mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	488	}
				489
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	490	#if defined(MBEDTLS_ASN1_PARSE_C)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	491	/*
				492	* Parse DHM parameters
				493	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	494	int mbedtls_dhm_parse_dhm(mbedtls_dhm_context dhm, const unsigned char dhmin,
				495	size_t dhminlen)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	496	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	497	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	498	size_t len;
				499	unsigned char p, end;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	500	#if defined(MBEDTLS_PEM_PARSE_C)
				501	mbedtls_pem_context pem;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	502	#endif /* MBEDTLS_PEM_PARSE_C */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	503
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	504	#if defined(MBEDTLS_PEM_PARSE_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	505	mbedtls_pem_init(&pem);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	506
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	507	/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	508	if (dhminlen == 0 \|\| dhmin[dhminlen - 1] != '\0') {
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	509	ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	510	} else {
				511	ret = mbedtls_pem_read_buffer(&pem,
				512	"-----BEGIN DH PARAMETERS-----",
				513	"-----END DH PARAMETERS-----",
				514	dhmin, NULL, 0, &dhminlen);
				515	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	516
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	517	if (ret == 0) {
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	518	/*
				519	* Was PEM encoded
				520	*/
				521	dhminlen = pem.buflen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	522	} else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	523	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	524	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	525
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	526	p = (ret == 0) ? pem.buf : (unsigned char *) dhmin;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	527	#else
				528	p = (unsigned char *) dhmin;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	529	#endif /* MBEDTLS_PEM_PARSE_C */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	530	end = p + dhminlen;
				531
				532	/*
				533	* DHParams ::= SEQUENCE {
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	534	* prime INTEGER, -- P
				535	* generator INTEGER, -- g
				536	* privateValueLength INTEGER OPTIONAL
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	537	* }
				538	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	539	if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
				540	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE)) != 0) {
				541	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	542	goto exit;
				543	}
				544
				545	end = p + len;
				546
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	547	if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 \|\|
				548	(ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
				549	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	550	goto exit;
				551	}
				552
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	553	if (p != end) {
Manuel Pégourié-Gonnard	de9b363	2015-04-17 20:06:31 +0200	[diff] [blame]	554	/* This might be the optional privateValueLength.
				555	* If so, we can cleanly discard it */
				556	mbedtls_mpi rec;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	557	mbedtls_mpi_init(&rec);
				558	ret = mbedtls_asn1_get_mpi(&p, end, &rec);
				559	mbedtls_mpi_free(&rec);
				560	if (ret != 0) {
				561	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	562	goto exit;
				563	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	564	if (p != end) {
				565	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT,
				566	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
Daniel Kahn Gillmor	2ed8173	2015-04-03 13:09:24 -0400	[diff] [blame]	567	goto exit;
				568	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	569	}
				570
				571	ret = 0;
				572
				573	exit:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	574	#if defined(MBEDTLS_PEM_PARSE_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	575	mbedtls_pem_free(&pem);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	576	#endif
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	577	if (ret != 0) {
				578	mbedtls_dhm_free(dhm);
				579	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	580
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	581	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	582	}
				583
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	584	#if defined(MBEDTLS_FS_IO)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	585	/*
				586	* Load all data from a file into a given buffer.
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	587	*
				588	* The file is expected to contain either PEM or DER encoded data.
				589	* A terminating null byte is always appended. It is included in the announced
				590	* length only if the data looks like it is PEM encoded.
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	591	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	592	static int load_file(const char path, unsigned char buf, size_t n)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	593	{
				594	FILE *f;
				595	long size;
				596
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	597	if ((f = fopen(path, "rb")) == NULL) {
				598	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
				599	}
Gilles Peskine	da0913b	2022-06-30 17:03:40 +0200	[diff] [blame]	600	/* The data loaded here is public, so don't bother disabling buffering. */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	601
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	602	fseek(f, 0, SEEK_END);
				603	if ((size = ftell(f)) == -1) {
				604	fclose(f);
				605	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	606	}
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	607	fseek(f, 0, SEEK_SET);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	608
				609	*n = (size_t) size;
				610
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	611	if (*n + 1 == 0 \|\|
				612	(buf = mbedtls_calloc(1, n + 1)) == NULL) {
				613	fclose(f);
				614	return MBEDTLS_ERR_DHM_ALLOC_FAILED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	615	}
				616
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	617	if (fread(buf, 1, n, f) != *n) {
				618	fclose(f);
Andres Amaya Garcia	bdbca7b	2017-06-23 16:23:21 +0100	[diff] [blame]	619
Tom Cosgrove	ca8c61b	2023-07-17 15:17:40 +0100	[diff] [blame^]	620	mbedtls_zeroize_and_free(buf, n + 1);
Andres Amaya Garcia	bdbca7b	2017-06-23 16:23:21 +0100	[diff] [blame]	621
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	622	return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	623	}
				624
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	625	fclose(f);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	626
				627	(buf)[n] = '\0';
				628
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	629	if (strstr((const char ) buf, "-----BEGIN ") != NULL) {
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	630	++*n;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	631	}
Manuel Pégourié-Gonnard	43b37cb	2015-05-12 11:20:10 +0200	[diff] [blame]	632
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	633	return 0;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	634	}
				635
				636	/*
				637	* Load and parse DHM parameters
				638	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	639	int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context dhm, const char path)
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	640	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	641	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	642	size_t n;
				643	unsigned char *buf;
				644
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	645	if ((ret = load_file(path, &buf, &n)) != 0) {
				646	return ret;
				647	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	648
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	649	ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	650
Tom Cosgrove	ca8c61b	2023-07-17 15:17:40 +0100	[diff] [blame^]	651	mbedtls_zeroize_and_free(buf, n);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	652
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	653	return ret;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	654	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	655	#endif /* MBEDTLS_FS_IO */
				656	#endif /* MBEDTLS_ASN1_PARSE_C */
nirekh01	49762fa	2017-12-25 06:46:48 +0000	[diff] [blame]	657	#endif /* MBEDTLS_DHM_ALT */
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	658
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	659	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	660
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	661	#if defined(MBEDTLS_PEM_PARSE_C)
Manuel Pégourié-Gonnard	53585ee	2015-06-25 08:52:25 +0200	[diff] [blame]	662	static const char mbedtls_test_dhm_params[] =
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	663	"-----BEGIN DH PARAMETERS-----\r\n"
				664	"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
				665	"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
				666	"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
				667	"-----END DH PARAMETERS-----\r\n";
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	668	#else /* MBEDTLS_PEM_PARSE_C */
				669	static const char mbedtls_test_dhm_params[] = {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	670	0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
				671	0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
				672	0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
				673	0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
				674	0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
				675	0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
				676	0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
				677	0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
				678	0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
				679	0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
				680	0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
				681	0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
				682	};
Hanno Becker	8b0f9e6	2019-05-31 17:28:59 +0100	[diff] [blame]	683	#endif /* MBEDTLS_PEM_PARSE_C */
Manuel Pégourié-Gonnard	53585ee	2015-06-25 08:52:25 +0200	[diff] [blame]	684
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	685	static const size_t mbedtls_test_dhm_params_len = sizeof(mbedtls_test_dhm_params);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	686
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	687	/*
				688	* Checkup routine
				689	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	690	int mbedtls_dhm_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	691	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	692	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	693	mbedtls_dhm_context dhm;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	694
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	695	mbedtls_dhm_init(&dhm);
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	696
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	697	if (verbose != 0) {
				698	mbedtls_printf(" DHM parameter load: ");
				699	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	700
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	701	if ((ret = mbedtls_dhm_parse_dhm(&dhm,
				702	(const unsigned char *) mbedtls_test_dhm_params,
				703	mbedtls_test_dhm_params_len)) != 0) {
				704	if (verbose != 0) {
				705	mbedtls_printf("failed\n");
				706	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	707
Manuel Pégourié-Gonnard	b196fc2	2014-07-09 16:53:29 +0200	[diff] [blame]	708	ret = 1;
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	709	goto exit;
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	710	}
				711
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	712	if (verbose != 0) {
				713	mbedtls_printf("passed\n\n");
				714	}
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	715
Paul Bakker	8f870b0	2014-06-20 13:32:38 +0200	[diff] [blame]	716	exit:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	717	mbedtls_dhm_free(&dhm);
Paul Bakker	40ce79f	2013-09-15 17:43:54 +0200	[diff] [blame]	718
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	719	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	720	}
				721
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	722	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	723
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	724	#endif /* MBEDTLS_DHM_C */