1 /*
2  *  Diffie-Hellman-Merkle key exchange (client side)
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  */
7 
8 #include "mbedtls/build_info.h"
9 
10 #include "mbedtls/platform.h"
11 /* md.h is included this early since MD_CAN_XXX macros are defined there. */
12 #include "mbedtls/md.h"
13 
14 #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
15     defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
16     defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
17     defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
18 #include "mbedtls/net_sockets.h"
19 #include "mbedtls/aes.h"
20 #include "mbedtls/dhm.h"
21 #include "mbedtls/rsa.h"
22 #include "mbedtls/sha256.h"
23 #include "mbedtls/entropy.h"
24 #include "mbedtls/ctr_drbg.h"
25 
26 #include <stdio.h>
27 #include <string.h>
28 #endif
29 
30 #define SERVER_NAME "localhost"
31 #define SERVER_PORT "11999"
32 
33 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) ||     \
34     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) ||  \
35     !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) ||    \
36     !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
main(void)37 int main(void)
38 {
39     mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
40                    "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
41                    "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
42                    "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
43     mbedtls_exit(0);
44 }
45 
46 #elif defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
main(void)47 int main(void)
48 {
49     mbedtls_printf("MBEDTLS_BLOCK_CIPHER_NO_DECRYPT defined.\n");
50     mbedtls_exit(0);
51 }
52 #else
53 
54 
main(void)55 int main(void)
56 {
57     FILE *f;
58 
59     int ret = 1;
60     int exit_code = MBEDTLS_EXIT_FAILURE;
61     unsigned int mdlen;
62     size_t n, buflen;
63     mbedtls_net_context server_fd;
64 
65     unsigned char *p, *end;
66     unsigned char buf[2048];
67     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
68     mbedtls_mpi N, E;
69     const char *pers = "dh_client";
70 
71     mbedtls_entropy_context entropy;
72     mbedtls_ctr_drbg_context ctr_drbg;
73     mbedtls_rsa_context rsa;
74     mbedtls_dhm_context dhm;
75     mbedtls_aes_context aes;
76 
77     mbedtls_net_init(&server_fd);
78     mbedtls_dhm_init(&dhm);
79     mbedtls_aes_init(&aes);
80     mbedtls_ctr_drbg_init(&ctr_drbg);
81     mbedtls_mpi_init(&N);
82     mbedtls_mpi_init(&E);
83 
84     /*
85      * 1. Setup the RNG
86      */
87     mbedtls_printf("\n  . Seeding the random number generator");
88     fflush(stdout);
89 
90     mbedtls_entropy_init(&entropy);
91     if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
92                                      (const unsigned char *) pers,
93                                      strlen(pers))) != 0) {
94         mbedtls_printf(" failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret);
95         goto exit;
96     }
97 
98     /*
99      * 2. Read the server's public RSA key
100      */
101     mbedtls_printf("\n  . Reading public key from rsa_pub.txt");
102     fflush(stdout);
103 
104     if ((f = fopen("rsa_pub.txt", "rb")) == NULL) {
105         mbedtls_printf(" failed\n  ! Could not open rsa_pub.txt\n" \
106                        "  ! Please run rsa_genkey first\n\n");
107         goto exit;
108     }
109 
110     mbedtls_rsa_init(&rsa);
111     if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
112         (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
113         (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
114         mbedtls_printf(" failed\n  ! mbedtls_mpi_read_file returned %d\n\n", ret);
115         fclose(f);
116         goto exit;
117     }
118     fclose(f);
119 
120     /*
121      * 3. Initiate the connection
122      */
123     mbedtls_printf("\n  . Connecting to tcp/%s/%s", SERVER_NAME,
124                    SERVER_PORT);
125     fflush(stdout);
126 
127     if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME,
128                                    SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
129         mbedtls_printf(" failed\n  ! mbedtls_net_connect returned %d\n\n", ret);
130         goto exit;
131     }
132 
133     /*
134      * 4a. First get the buffer length
135      */
136     mbedtls_printf("\n  . Receiving the server's DH parameters");
137     fflush(stdout);
138 
139     memset(buf, 0, sizeof(buf));
140 
141     if ((ret = mbedtls_net_recv(&server_fd, buf, 2)) != 2) {
142         mbedtls_printf(" failed\n  ! mbedtls_net_recv returned %d\n\n", ret);
143         goto exit;
144     }
145 
146     n = buflen = (buf[0] << 8) | buf[1];
147     if (buflen < 1 || buflen > sizeof(buf)) {
148         mbedtls_printf(" failed\n  ! Got an invalid buffer length\n\n");
149         goto exit;
150     }
151 
152     /*
153      * 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P
154      */
155     memset(buf, 0, sizeof(buf));
156 
157     if ((ret = mbedtls_net_recv(&server_fd, buf, n)) != (int) n) {
158         mbedtls_printf(" failed\n  ! mbedtls_net_recv returned %d\n\n", ret);
159         goto exit;
160     }
161 
162     p = buf, end = buf + buflen;
163 
164     if ((ret = mbedtls_dhm_read_params(&dhm, &p, end)) != 0) {
165         mbedtls_printf(" failed\n  ! mbedtls_dhm_read_params returned %d\n\n", ret);
166         goto exit;
167     }
168 
169     n = mbedtls_dhm_get_len(&dhm);
170     if (n < 64 || n > 512) {
171         mbedtls_printf(" failed\n  ! Invalid DHM modulus size\n\n");
172         goto exit;
173     }
174 
175     /*
176      * 5. Check that the server's RSA signature matches
177      *    the SHA-256 hash of (P,G,Ys)
178      */
179     mbedtls_printf("\n  . Verifying the server's RSA signature");
180     fflush(stdout);
181 
182     p += 2;
183 
184     if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) {
185         mbedtls_printf(" failed\n  ! Invalid RSA signature size\n\n");
186         goto exit;
187     }
188 
189     mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
190     if (mdlen == 0) {
191         mbedtls_printf(" failed\n  ! Invalid digest type\n\n");
192         goto exit;
193     }
194 
195     if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) {
196         mbedtls_printf(" failed\n  ! mbedtls_sha256 returned %d\n\n", ret);
197         goto exit;
198     }
199 
200     if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
201                                         mdlen, hash, p)) != 0) {
202         mbedtls_printf(" failed\n  ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
203         goto exit;
204     }
205 
206     /*
207      * 6. Send our public value: Yc = G ^ Xc mod P
208      */
209     mbedtls_printf("\n  . Sending own public value to server");
210     fflush(stdout);
211 
212     n = mbedtls_dhm_get_len(&dhm);
213     if ((ret = mbedtls_dhm_make_public(&dhm, (int) n, buf, n,
214                                        mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
215         mbedtls_printf(" failed\n  ! mbedtls_dhm_make_public returned %d\n\n", ret);
216         goto exit;
217     }
218 
219     if ((ret = mbedtls_net_send(&server_fd, buf, n)) != (int) n) {
220         mbedtls_printf(" failed\n  ! mbedtls_net_send returned %d\n\n", ret);
221         goto exit;
222     }
223 
224     /*
225      * 7. Derive the shared secret: K = Ys ^ Xc mod P
226      */
227     mbedtls_printf("\n  . Shared secret: ");
228     fflush(stdout);
229 
230     if ((ret = mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &n,
231                                        mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
232         mbedtls_printf(" failed\n  ! mbedtls_dhm_calc_secret returned %d\n\n", ret);
233         goto exit;
234     }
235 
236     for (n = 0; n < 16; n++) {
237         mbedtls_printf("%02x", buf[n]);
238     }
239 
240     /*
241      * 8. Setup the AES-256 decryption key
242      *
243      * This is an overly simplified example; best practice is
244      * to hash the shared secret with a random value to derive
245      * the keying material for the encryption/decryption keys,
246      * IVs and MACs.
247      */
248     mbedtls_printf("...\n  . Receiving and decrypting the ciphertext");
249     fflush(stdout);
250 
251     ret = mbedtls_aes_setkey_dec(&aes, buf, 256);
252     if (ret != 0) {
253         goto exit;
254     }
255 
256     memset(buf, 0, sizeof(buf));
257 
258     if ((ret = mbedtls_net_recv(&server_fd, buf, 16)) != 16) {
259         mbedtls_printf(" failed\n  ! mbedtls_net_recv returned %d\n\n", ret);
260         goto exit;
261     }
262 
263     ret = mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, buf, buf);
264     if (ret != 0) {
265         goto exit;
266     }
267     buf[16] = '\0';
268     mbedtls_printf("\n  . Plaintext is \"%s\"\n\n", (char *) buf);
269 
270     exit_code = MBEDTLS_EXIT_SUCCESS;
271 
272 exit:
273 
274     mbedtls_net_free(&server_fd);
275 
276     mbedtls_aes_free(&aes);
277     mbedtls_rsa_free(&rsa);
278     mbedtls_dhm_free(&dhm);
279     mbedtls_ctr_drbg_free(&ctr_drbg);
280     mbedtls_entropy_free(&entropy);
281     mbedtls_mpi_free(&N);
282     mbedtls_mpi_free(&E);
283 
284     mbedtls_exit(exit_code);
285 }
286 #endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
287           MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
288           MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */
289