TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/2.28-sphinx-versioned-documentation / . / programs / pkey / dh_client.c
blob: e9629b00cd30a5cea693876414cdb177c2170388 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * Diffie-Hellman-Merkle key exchange (client side)
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]20#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]21#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]22#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]23#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]25
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]26#include "mbedtls/platform.h"
Rich Evansf90016a2015-01-19 14:26:37 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
29 defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
30 defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
Janos Follath9fe6f922016-10-07 14:17:56 +0100[diff] [blame]31 defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
32 defined(MBEDTLS_SHA1_C)
Andres AG788aa4a2016-09-14 14:32:09 +0100[diff] [blame]33#include "mbedtls/net_sockets.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]34#include "mbedtls/aes.h"
35#include "mbedtls/dhm.h"
36#include "mbedtls/rsa.h"
37#include "mbedtls/sha1.h"
38#include "mbedtls/entropy.h"
39#include "mbedtls/ctr_drbg.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]41#include <stdio.h>
42#include <string.h>
43#endif
44
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45#define SERVER_NAME "localhost"
Manuel Pégourié-Gonnardc0d74942015-06-23 12:30:57 +0200[diff] [blame]46#define SERVER_PORT "11999"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
49 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
50 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
Janos Follath9fe6f922016-10-07 14:17:56 +0100[diff] [blame]51 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
52 !defined(MBEDTLS_SHA1_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]53int main(void)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]54{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55 mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]56 "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
57 "MBEDTLS_SHA256_C and/or MBEDTLS_FS_IO and/or "
58 "MBEDTLS_CTR_DRBG_C not defined.\n");
59 mbedtls_exit(0);
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]60}
61#else
Simon Butcher63cb97e2018-12-06 17:43:31 +0000[diff] [blame]62
Simon Butcher63cb97e2018-12-06 17:43:31 +0000[diff] [blame]63
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]64int main(void)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{
66 FILE *f;
67
Andres Amaya Garcia898841d2018-04-29 19:23:39 +0100[diff] [blame]68 int ret = 1;
69 int exit_code = MBEDTLS_EXIT_FAILURE;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]70 size_t n, buflen;
Manuel Pégourié-Gonnard5db64322015-06-30 15:40:39 +0200[diff] [blame]71 mbedtls_net_context server_fd;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
73 unsigned char *p, *end;
Paul Bakker520ea912012-10-24 14:17:01 +0000[diff] [blame]74 unsigned char buf[2048];
Manuel Pégourié-Gonnard102a6202015-08-27 21:51:44 +0200[diff] [blame]75 unsigned char hash[32];
Paul Bakkeref3f8c72013-06-24 13:01:08 +0200[diff] [blame]76 const char *pers = "dh_client";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78 mbedtls_entropy_context entropy;
79 mbedtls_ctr_drbg_context ctr_drbg;
80 mbedtls_rsa_context rsa;
81 mbedtls_dhm_context dhm;
82 mbedtls_aes_context aes;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]83
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]84 mbedtls_net_init(&server_fd);
85 mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_SHA256);
86 mbedtls_dhm_init(&dhm);
87 mbedtls_aes_init(&aes);
88 mbedtls_ctr_drbg_init(&ctr_drbg);
Paul Bakker8cfd9d82014-06-18 11:16:11 +0200[diff] [blame]89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90 /*
91 * 1. Setup the RNG
92 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]93 mbedtls_printf("\n . Seeding the random number generator");
94 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]96 mbedtls_entropy_init(&entropy);
97 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
98 (const unsigned char *) pers,
99 strlen(pers))) != 0) {
100 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
Paul Bakker508ad5a2011-12-04 17:09:26 +0000[diff] [blame]101 goto exit;
102 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]103
104 /*
105 * 2. Read the server's public RSA key
106 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]107 mbedtls_printf("\n . Reading public key from rsa_pub.txt");
108 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]110 if ((f = fopen("rsa_pub.txt", "rb")) == NULL) {
111 mbedtls_printf(" failed\n ! Could not open rsa_pub.txt\n" \
112 " ! Please run rsa_genkey first\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]113 goto exit;
114 }
115
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]116 mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V15, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]117
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]118 if ((ret = mbedtls_mpi_read_file(&rsa.N, 16, f)) != 0 ||
119 (ret = mbedtls_mpi_read_file(&rsa.E, 16, f)) != 0) {
120 mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
121 fclose(f);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]122 goto exit;
123 }
124
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]125 rsa.len = (mbedtls_mpi_bitlen(&rsa.N) + 7) >> 3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]126
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]127 fclose(f);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]128
129 /*
130 * 3. Initiate the connection
131 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]132 mbedtls_printf("\n . Connecting to tcp/%s/%s", SERVER_NAME,
133 SERVER_PORT);
134 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]135
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]136 if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME,
137 SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
138 mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]139 goto exit;
140 }
141
142 /*
143 * 4a. First get the buffer length
144 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]145 mbedtls_printf("\n . Receiving the server's DH parameters");
146 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]147
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]148 memset(buf, 0, sizeof(buf));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]149
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]150 if ((ret = mbedtls_net_recv(&server_fd, buf, 2)) != 2) {
151 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]152 goto exit;
153 }
154
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]155 n = buflen = (buf[0] << 8) | buf[1];
156 if (buflen < 1 || buflen > sizeof(buf)) {
157 mbedtls_printf(" failed\n ! Got an invalid buffer length\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]158 goto exit;
159 }
160
161 /*
162 * 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P
163 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]164 memset(buf, 0, sizeof(buf));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]165
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]166 if ((ret = mbedtls_net_recv(&server_fd, buf, n)) != (int) n) {
167 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]168 goto exit;
169 }
170
171 p = buf, end = buf + buflen;
172
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]173 if ((ret = mbedtls_dhm_read_params(&dhm, &p, end)) != 0) {
174 mbedtls_printf(" failed\n ! mbedtls_dhm_read_params returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]175 goto exit;
176 }
177
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]178 if (dhm.len < 64 || dhm.len > 512) {
179 mbedtls_printf(" failed\n ! Invalid DHM modulus size\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]180 goto exit;
181 }
182
183 /*
184 * 5. Check that the server's RSA signature matches
Manuel Pégourié-Gonnard6f60cd82015-02-10 10:47:03 +0000[diff] [blame]185 * the SHA-256 hash of (P,G,Ys)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]187 mbedtls_printf("\n . Verifying the server's RSA signature");
188 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189
Paul Bakker88f17b82012-04-26 18:52:13 +0000[diff] [blame]190 p += 2;
191
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]192 if ((n = (size_t) (end - p)) != rsa.len) {
193 mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194 goto exit;
195 }
196
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]197 if ((ret = mbedtls_sha1_ret(buf, (int) (p - 2 - buf), hash)) != 0) {
198 mbedtls_printf(" failed\n ! mbedtls_sha1_ret returned %d\n\n", ret);
Andres Amaya Garcia1ff60f42017-06-28 13:26:36 +0100[diff] [blame]199 goto exit;
200 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]201
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]202 if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC,
203 MBEDTLS_MD_SHA256, 0, hash, p)) != 0) {
204 mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205 goto exit;
206 }
207
208 /*
209 * 6. Send our public value: Yc = G ^ Xc mod P
210 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]211 mbedtls_printf("\n . Sending own public value to server");
212 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]213
214 n = dhm.len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]215 if ((ret = mbedtls_dhm_make_public(&dhm, (int) dhm.len, buf, n,
216 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
217 mbedtls_printf(" failed\n ! mbedtls_dhm_make_public returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218 goto exit;
219 }
220
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]221 if ((ret = mbedtls_net_send(&server_fd, buf, n)) != (int) n) {
222 mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223 goto exit;
224 }
225
226 /*
227 * 7. Derive the shared secret: K = Ys ^ Xc mod P
228 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]229 mbedtls_printf("\n . Shared secret: ");
230 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]231
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]232 if ((ret = mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &n,
233 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
234 mbedtls_printf(" failed\n ! mbedtls_dhm_calc_secret returned %d\n\n", ret);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235 goto exit;
236 }
237
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]238 for (n = 0; n < 16; n++) {
239 mbedtls_printf("%02x", buf[n]);
240 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241
242 /*
243 * 8. Setup the AES-256 decryption key
244 *
245 * This is an overly simplified example; best practice is
246 * to hash the shared secret with a random value to derive
247 * the keying material for the encryption/decryption keys,
248 * IVs and MACs.
249 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]250 mbedtls_printf("...\n . Receiving and decrypting the ciphertext");
251 fflush(stdout);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]252
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]253 ret = mbedtls_aes_setkey_dec(&aes, buf, 256);
254 if (ret != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]255 goto exit;
256 }
257
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]258 memset(buf, 0, sizeof(buf));
259
260 if ((ret = mbedtls_net_recv(&server_fd, buf, 16)) != 16) {
261 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret);
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]262 goto exit;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]263 }
264
265 ret = mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, buf, buf);
266 if (ret != 0) {
267 goto exit;
268 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269 buf[16] = '\0';
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]270 mbedtls_printf("\n . Plaintext is \"%s\"\n\n", (char *) buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]271
Andres Amaya Garcia898841d2018-04-29 19:23:39 +0100[diff] [blame]272 exit_code = MBEDTLS_EXIT_SUCCESS;
273
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]274exit:
275
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]276 mbedtls_net_free(&server_fd);
Paul Bakker0c226102014-04-17 16:02:36 +0200[diff] [blame]277
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]278 mbedtls_aes_free(&aes);
279 mbedtls_rsa_free(&rsa);
280 mbedtls_dhm_free(&dhm);
281 mbedtls_ctr_drbg_free(&ctr_drbg);
282 mbedtls_entropy_free(&entropy);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]283
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]284#if defined(_WIN32)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]285 mbedtls_printf(" + Press Enter to exit this program.\n");
286 fflush(stdout); getchar();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]287#endif
288
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]289 mbedtls_exit(exit_code);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]290}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]291#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
292 MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
293 MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */