1 /* Diffie-Hellman Key Agreement Method [RFC2631]
2 *
3 * Copyright (c) 2016, Intel Corporation
4 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12 #include <linux/module.h>
13 #include <crypto/internal/kpp.h>
14 #include <crypto/kpp.h>
15 #include <crypto/dh.h>
16 #include <linux/mpi.h>
17
18 struct dh_ctx {
19 MPI p; /* Value is guaranteed to be set. */
20 MPI q; /* Value is optional. */
21 MPI g; /* Value is guaranteed to be set. */
22 MPI xa; /* Value is guaranteed to be set. */
23 };
24
dh_clear_ctx(struct dh_ctx * ctx)25 static void dh_clear_ctx(struct dh_ctx *ctx)
26 {
27 mpi_free(ctx->p);
28 mpi_free(ctx->q);
29 mpi_free(ctx->g);
30 mpi_free(ctx->xa);
31 memset(ctx, 0, sizeof(*ctx));
32 }
33
34 /*
35 * If base is g we compute the public key
36 * ya = g^xa mod p; [RFC2631 sec 2.1.1]
37 * else if base if the counterpart public key we compute the shared secret
38 * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
39 */
_compute_val(const struct dh_ctx * ctx,MPI base,MPI val)40 static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
41 {
42 /* val = base^xa mod p */
43 return mpi_powm(val, base, ctx->xa, ctx->p);
44 }
45
dh_get_ctx(struct crypto_kpp * tfm)46 static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
47 {
48 return kpp_tfm_ctx(tfm);
49 }
50
dh_check_params_length(unsigned int p_len)51 static int dh_check_params_length(unsigned int p_len)
52 {
53 return (p_len < 1536) ? -EINVAL : 0;
54 }
55
dh_set_params(struct dh_ctx * ctx,struct dh * params)56 static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
57 {
58 if (dh_check_params_length(params->p_size << 3))
59 return -EINVAL;
60
61 ctx->p = mpi_read_raw_data(params->p, params->p_size);
62 if (!ctx->p)
63 return -EINVAL;
64
65 if (params->q && params->q_size) {
66 ctx->q = mpi_read_raw_data(params->q, params->q_size);
67 if (!ctx->q)
68 return -EINVAL;
69 }
70
71 ctx->g = mpi_read_raw_data(params->g, params->g_size);
72 if (!ctx->g)
73 return -EINVAL;
74
75 return 0;
76 }
77
dh_set_secret(struct crypto_kpp * tfm,const void * buf,unsigned int len)78 static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
79 unsigned int len)
80 {
81 struct dh_ctx *ctx = dh_get_ctx(tfm);
82 struct dh params;
83
84 /* Free the old MPI key if any */
85 dh_clear_ctx(ctx);
86
87 if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
88 goto err_clear_ctx;
89
90 if (dh_set_params(ctx, ¶ms) < 0)
91 goto err_clear_ctx;
92
93 ctx->xa = mpi_read_raw_data(params.key, params.key_size);
94 if (!ctx->xa)
95 goto err_clear_ctx;
96
97 return 0;
98
99 err_clear_ctx:
100 dh_clear_ctx(ctx);
101 return -EINVAL;
102 }
103
104 /*
105 * SP800-56A public key verification:
106 *
107 * * If Q is provided as part of the domain paramenters, a full validation
108 * according to SP800-56A section 5.6.2.3.1 is performed.
109 *
110 * * If Q is not provided, a partial validation according to SP800-56A section
111 * 5.6.2.3.2 is performed.
112 */
dh_is_pubkey_valid(struct dh_ctx * ctx,MPI y)113 static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
114 {
115 if (unlikely(!ctx->p))
116 return -EINVAL;
117
118 /*
119 * Step 1: Verify that 2 <= y <= p - 2.
120 *
121 * The upper limit check is actually y < p instead of y < p - 1
122 * as the mpi_sub_ui function is yet missing.
123 */
124 if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
125 return -EINVAL;
126
127 /* Step 2: Verify that 1 = y^q mod p */
128 if (ctx->q) {
129 MPI val = mpi_alloc(0);
130 int ret;
131
132 if (!val)
133 return -ENOMEM;
134
135 ret = mpi_powm(val, y, ctx->q, ctx->p);
136
137 if (ret) {
138 mpi_free(val);
139 return ret;
140 }
141
142 ret = mpi_cmp_ui(val, 1);
143
144 mpi_free(val);
145
146 if (ret != 0)
147 return -EINVAL;
148 }
149
150 return 0;
151 }
152
dh_compute_value(struct kpp_request * req)153 static int dh_compute_value(struct kpp_request *req)
154 {
155 struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
156 struct dh_ctx *ctx = dh_get_ctx(tfm);
157 MPI base, val = mpi_alloc(0);
158 int ret = 0;
159 int sign;
160
161 if (!val)
162 return -ENOMEM;
163
164 if (unlikely(!ctx->xa)) {
165 ret = -EINVAL;
166 goto err_free_val;
167 }
168
169 if (req->src) {
170 base = mpi_read_raw_from_sgl(req->src, req->src_len);
171 if (!base) {
172 ret = -EINVAL;
173 goto err_free_val;
174 }
175 ret = dh_is_pubkey_valid(ctx, base);
176 if (ret)
177 goto err_free_base;
178 } else {
179 base = ctx->g;
180 }
181
182 ret = _compute_val(ctx, base, val);
183 if (ret)
184 goto err_free_base;
185
186 ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
187 if (ret)
188 goto err_free_base;
189
190 if (sign < 0)
191 ret = -EBADMSG;
192 err_free_base:
193 if (req->src)
194 mpi_free(base);
195 err_free_val:
196 mpi_free(val);
197 return ret;
198 }
199
dh_max_size(struct crypto_kpp * tfm)200 static unsigned int dh_max_size(struct crypto_kpp *tfm)
201 {
202 struct dh_ctx *ctx = dh_get_ctx(tfm);
203
204 return mpi_get_size(ctx->p);
205 }
206
dh_exit_tfm(struct crypto_kpp * tfm)207 static void dh_exit_tfm(struct crypto_kpp *tfm)
208 {
209 struct dh_ctx *ctx = dh_get_ctx(tfm);
210
211 dh_clear_ctx(ctx);
212 }
213
214 static struct kpp_alg dh = {
215 .set_secret = dh_set_secret,
216 .generate_public_key = dh_compute_value,
217 .compute_shared_secret = dh_compute_value,
218 .max_size = dh_max_size,
219 .exit = dh_exit_tfm,
220 .base = {
221 .cra_name = "dh",
222 .cra_driver_name = "dh-generic",
223 .cra_priority = 100,
224 .cra_module = THIS_MODULE,
225 .cra_ctxsize = sizeof(struct dh_ctx),
226 },
227 };
228
dh_init(void)229 static int dh_init(void)
230 {
231 return crypto_register_kpp(&dh);
232 }
233
dh_exit(void)234 static void dh_exit(void)
235 {
236 crypto_unregister_kpp(&dh);
237 }
238
239 module_init(dh_init);
240 module_exit(dh_exit);
241 MODULE_ALIAS_CRYPTO("dh");
242 MODULE_LICENSE("GPL");
243 MODULE_DESCRIPTION("DH generic algorithm");
244