1 /*
2  *  Diffie-Hellman-Merkle key exchange (client side)
3  *
4  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  *
19  *  This file is part of mbed TLS (https://tls.mbed.org)
20  */
21 
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
24 #else
25 #include MBEDTLS_CONFIG_FILE
26 #endif
27 
28 #if defined(MBEDTLS_PLATFORM_C)
29 #include "mbedtls/platform.h"
30 #else
31 #include <stdio.h>
32 #define mbedtls_printf     printf
33 #define mbedtls_time_t     time_t
34 #endif
35 
36 #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
37     defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
38     defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
39     defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
40     defined(MBEDTLS_SHA1_C)
41 #include "mbedtls/net_sockets.h"
42 #include "mbedtls/aes.h"
43 #include "mbedtls/dhm.h"
44 #include "mbedtls/rsa.h"
45 #include "mbedtls/sha1.h"
46 #include "mbedtls/entropy.h"
47 #include "mbedtls/ctr_drbg.h"
48 
49 #include <stdio.h>
50 #include <string.h>
51 #endif
52 
53 #define SERVER_NAME "localhost"
54 #define SERVER_PORT "11999"
55 
56 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) ||     \
57     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) ||  \
58     !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) ||    \
59     !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
60     !defined(MBEDTLS_SHA1_C)
main(void)61 int main( void )
62 {
63     mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
64            "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
65            "MBEDTLS_SHA256_C and/or MBEDTLS_FS_IO and/or "
66            "MBEDTLS_CTR_DRBG_C not defined.\n");
67     return( 0 );
68 }
69 #else
main(void)70 int main( void )
71 {
72     FILE *f;
73 
74     int ret;
75     size_t n, buflen;
76     mbedtls_net_context server_fd;
77 
78     unsigned char *p, *end;
79     unsigned char buf[2048];
80     unsigned char hash[32];
81     const char *pers = "dh_client";
82 
83     mbedtls_entropy_context entropy;
84     mbedtls_ctr_drbg_context ctr_drbg;
85     mbedtls_rsa_context rsa;
86     mbedtls_dhm_context dhm;
87     mbedtls_aes_context aes;
88 
89     mbedtls_net_init( &server_fd );
90     mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_SHA256 );
91     mbedtls_dhm_init( &dhm );
92     mbedtls_aes_init( &aes );
93     mbedtls_ctr_drbg_init( &ctr_drbg );
94 
95     /*
96      * 1. Setup the RNG
97      */
98     mbedtls_printf( "\n  . Seeding the random number generator" );
99     fflush( stdout );
100 
101     mbedtls_entropy_init( &entropy );
102     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
103                                (const unsigned char *) pers,
104                                strlen( pers ) ) ) != 0 )
105     {
106         mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret );
107         goto exit;
108     }
109 
110     /*
111      * 2. Read the server's public RSA key
112      */
113     mbedtls_printf( "\n  . Reading public key from rsa_pub.txt" );
114     fflush( stdout );
115 
116     if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL )
117     {
118         ret = 1;
119         mbedtls_printf( " failed\n  ! Could not open rsa_pub.txt\n" \
120                 "  ! Please run rsa_genkey first\n\n" );
121         goto exit;
122     }
123 
124     mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
125 
126     if( ( ret = mbedtls_mpi_read_file( &rsa.N, 16, f ) ) != 0 ||
127         ( ret = mbedtls_mpi_read_file( &rsa.E, 16, f ) ) != 0 )
128     {
129         mbedtls_printf( " failed\n  ! mbedtls_mpi_read_file returned %d\n\n", ret );
130         fclose( f );
131         goto exit;
132     }
133 
134     rsa.len = ( mbedtls_mpi_bitlen( &rsa.N ) + 7 ) >> 3;
135 
136     fclose( f );
137 
138     /*
139      * 3. Initiate the connection
140      */
141     mbedtls_printf( "\n  . Connecting to tcp/%s/%s", SERVER_NAME,
142                                              SERVER_PORT );
143     fflush( stdout );
144 
145     if( ( ret = mbedtls_net_connect( &server_fd, SERVER_NAME,
146                                          SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 )
147     {
148         mbedtls_printf( " failed\n  ! mbedtls_net_connect returned %d\n\n", ret );
149         goto exit;
150     }
151 
152     /*
153      * 4a. First get the buffer length
154      */
155     mbedtls_printf( "\n  . Receiving the server's DH parameters" );
156     fflush( stdout );
157 
158     memset( buf, 0, sizeof( buf ) );
159 
160     if( ( ret = mbedtls_net_recv( &server_fd, buf, 2 ) ) != 2 )
161     {
162         mbedtls_printf( " failed\n  ! mbedtls_net_recv returned %d\n\n", ret );
163         goto exit;
164     }
165 
166     n = buflen = ( buf[0] << 8 ) | buf[1];
167     if( buflen < 1 || buflen > sizeof( buf ) )
168     {
169         mbedtls_printf( " failed\n  ! Got an invalid buffer length\n\n" );
170         goto exit;
171     }
172 
173     /*
174      * 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P
175      */
176     memset( buf, 0, sizeof( buf ) );
177 
178     if( ( ret = mbedtls_net_recv( &server_fd, buf, n ) ) != (int) n )
179     {
180         mbedtls_printf( " failed\n  ! mbedtls_net_recv returned %d\n\n", ret );
181         goto exit;
182     }
183 
184     p = buf, end = buf + buflen;
185 
186     if( ( ret = mbedtls_dhm_read_params( &dhm, &p, end ) ) != 0 )
187     {
188         mbedtls_printf( " failed\n  ! mbedtls_dhm_read_params returned %d\n\n", ret );
189         goto exit;
190     }
191 
192     if( dhm.len < 64 || dhm.len > 512 )
193     {
194         ret = 1;
195         mbedtls_printf( " failed\n  ! Invalid DHM modulus size\n\n" );
196         goto exit;
197     }
198 
199     /*
200      * 5. Check that the server's RSA signature matches
201      *    the SHA-256 hash of (P,G,Ys)
202      */
203     mbedtls_printf( "\n  . Verifying the server's RSA signature" );
204     fflush( stdout );
205 
206     p += 2;
207 
208     if( ( n = (size_t) ( end - p ) ) != rsa.len )
209     {
210         ret = 1;
211         mbedtls_printf( " failed\n  ! Invalid RSA signature size\n\n" );
212         goto exit;
213     }
214 
215     mbedtls_sha1( buf, (int)( p - 2 - buf ), hash );
216 
217     if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC,
218                                   MBEDTLS_MD_SHA256, 0, hash, p ) ) != 0 )
219     {
220         mbedtls_printf( " failed\n  ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret );
221         goto exit;
222     }
223 
224     /*
225      * 6. Send our public value: Yc = G ^ Xc mod P
226      */
227     mbedtls_printf( "\n  . Sending own public value to server" );
228     fflush( stdout );
229 
230     n = dhm.len;
231     if( ( ret = mbedtls_dhm_make_public( &dhm, (int) dhm.len, buf, n,
232                                  mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
233     {
234         mbedtls_printf( " failed\n  ! mbedtls_dhm_make_public returned %d\n\n", ret );
235         goto exit;
236     }
237 
238     if( ( ret = mbedtls_net_send( &server_fd, buf, n ) ) != (int) n )
239     {
240         mbedtls_printf( " failed\n  ! mbedtls_net_send returned %d\n\n", ret );
241         goto exit;
242     }
243 
244     /*
245      * 7. Derive the shared secret: K = Ys ^ Xc mod P
246      */
247     mbedtls_printf( "\n  . Shared secret: " );
248     fflush( stdout );
249 
250     if( ( ret = mbedtls_dhm_calc_secret( &dhm, buf, sizeof( buf ), &n,
251                                  mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
252     {
253         mbedtls_printf( " failed\n  ! mbedtls_dhm_calc_secret returned %d\n\n", ret );
254         goto exit;
255     }
256 
257     for( n = 0; n < 16; n++ )
258         mbedtls_printf( "%02x", buf[n] );
259 
260     /*
261      * 8. Setup the AES-256 decryption key
262      *
263      * This is an overly simplified example; best practice is
264      * to hash the shared secret with a random value to derive
265      * the keying material for the encryption/decryption keys,
266      * IVs and MACs.
267      */
268     mbedtls_printf( "...\n  . Receiving and decrypting the ciphertext" );
269     fflush( stdout );
270 
271     mbedtls_aes_setkey_dec( &aes, buf, 256 );
272 
273     memset( buf, 0, sizeof( buf ) );
274 
275     if( ( ret = mbedtls_net_recv( &server_fd, buf, 16 ) ) != 16 )
276     {
277         mbedtls_printf( " failed\n  ! mbedtls_net_recv returned %d\n\n", ret );
278         goto exit;
279     }
280 
281     mbedtls_aes_crypt_ecb( &aes, MBEDTLS_AES_DECRYPT, buf, buf );
282     buf[16] = '\0';
283     mbedtls_printf( "\n  . Plaintext is \"%s\"\n\n", (char *) buf );
284 
285 exit:
286 
287     mbedtls_net_free( &server_fd );
288 
289     mbedtls_aes_free( &aes );
290     mbedtls_rsa_free( &rsa );
291     mbedtls_dhm_free( &dhm );
292     mbedtls_ctr_drbg_free( &ctr_drbg );
293     mbedtls_entropy_free( &entropy );
294 
295 #if defined(_WIN32)
296     mbedtls_printf( "  + Press Enter to exit this program.\n" );
297     fflush( stdout ); getchar();
298 #endif
299 
300     return( ret );
301 }
302 #endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
303           MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
304           MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */
305