src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c

   1 /*
   2  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
   3  * Copyright (C) 1999, 2000, 2001  Henry Spencer.
   4  * Copyright (C) 2010 Tobias Brunner
   5  * Copyright (C) 2005-2008 Martin Willi
   6  * Copyright (C) 2005 Jan Hutter
   7  * Hochschule fuer Technik Rapperswil
   8  *
   9  * This program is free software; you can redistribute it and/or modify it
  10  * under the terms of the GNU General Public License as published by the
  11  * Free Software Foundation; either version 2 of the License, or (at your
  12  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  13  *
  14  * This program is distributed in the hope that it will be useful, but
  15  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  16  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  17  * for more details.
  18  */
  19
  20 #include <gmp.h>
  21
  22 #include "gmp_diffie_hellman.h"
  23
  24 #include <utils/debug.h>
  25
  26 #ifdef HAVE_MPZ_POWM_SEC
  27 # undef mpz_powm
  28 # define mpz_powm mpz_powm_sec
  29 #endif
  30
  31 typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t;
  32
  33 /**
  34  * Private data of an gmp_diffie_hellman_t object.
  35  */
  36 struct private_gmp_diffie_hellman_t {
  37         /**
  38          * Public gmp_diffie_hellman_t interface.
  39          */
  40         gmp_diffie_hellman_t public;
  41
  42         /**
  43          * Diffie Hellman group number.
  44          */
  45         diffie_hellman_group_t group;
  46
  47         /*
  48          * Generator value.
  49          */
  50         mpz_t g;
  51
  52         /**
  53          * My private value.
  54          */
  55         mpz_t xa;
  56
  57         /**
  58          * My public value.
  59          */
  60         mpz_t ya;
  61
  62         /**
  63          * Other public value.
  64          */
  65         mpz_t yb;
  66
  67         /**
  68          * Shared secret.
  69          */
  70         mpz_t zz;
  71
  72         /**
  73          * Modulus.
  74          */
  75         mpz_t p;
  76
  77         /**
  78          * Modulus length.
  79          */
  80         size_t p_len;
  81
  82         /**
  83          * True if shared secret is computed and stored in my_public_value.
  84          */
  85         bool computed;
  86 };
  87
  88 METHOD(diffie_hellman_t, set_other_public_value, bool,
  89         private_gmp_diffie_hellman_t *this, chunk_t value)
  90 {
  91         mpz_t p_min_1;
  92
  93         mpz_init(p_min_1);
  94         mpz_sub_ui(p_min_1, this->p, 1);
  95
  96         mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr);
  97
  98         /* check public value:
  99          * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
 100          * 2. a public value larger or equal the modulus is invalid */
 101         if (mpz_cmp_ui(this->yb, 1) > 0 &&
 102                 mpz_cmp(this->yb, p_min_1) < 0)
 103         {
 104 #ifdef EXTENDED_DH_TEST
 105                 /* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
 106                 mpz_t q, one;
 107                 diffie_hellman_params_t *params;
 108
 109                 mpz_init(q);
 110                 mpz_init(one);
 111
 112                 params = diffie_hellman_get_params(this->group);
 113                 if (!params->subgroup.len)
 114                 {
 115                         mpz_fdiv_q_2exp(q, p_min_1, 1);
 116                 }
 117                 else
 118                 {
 119                         mpz_import(q, params->subgroup.len, 1, 1, 1, 0, params->subgroup.ptr);
 120                 }
 121                 mpz_powm(one, this->yb, q, this->p);
 122                 mpz_clear(q);
 123                 if (mpz_cmp_ui(one, 1) == 0)
 124                 {
 125                         mpz_powm(this->zz, this->yb, this->xa, this->p);
 126                         this->computed = TRUE;
 127                 }
 128                 else
 129                 {
 130                         DBG1(DBG_LIB, "public DH value verification failed:"
 131                                  " y ^ q mod p != 1");
 132                 }
 133                 mpz_clear(one);
 134 #else
 135                 mpz_powm(this->zz, this->yb, this->xa, this->p);
 136                 this->computed = TRUE;
 137 #endif
 138         }
 139         else
 140         {
 141                 DBG1(DBG_LIB, "public DH value verification failed:"
 142                          " y < 2 || y > p - 1 ");
 143         }
 144         mpz_clear(p_min_1);
 145         return this->computed;
 146 }
 147
 148 METHOD(diffie_hellman_t, get_my_public_value, bool,
 149         private_gmp_diffie_hellman_t *this,chunk_t *value)
 150 {
 151         value->len = this->p_len;
 152         value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
 153         if (value->ptr == NULL)
 154         {
 155                 value->len = 0;
 156         }
 157         return TRUE;
 158 }
 159
 160 METHOD(diffie_hellman_t, get_shared_secret, bool,
 161         private_gmp_diffie_hellman_t *this, chunk_t *secret)
 162 {
 163         if (!this->computed)
 164         {
 165                 return FALSE;
 166         }
 167         secret->len = this->p_len;
 168         secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
 169         if (secret->ptr == NULL)
 170         {
 171                 return FALSE;
 172         }
 173         return TRUE;
 174 }
 175
 176 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
 177         private_gmp_diffie_hellman_t *this)
 178 {
 179         return this->group;
 180 }
 181
 182 METHOD(diffie_hellman_t, destroy, void,
 183         private_gmp_diffie_hellman_t *this)
 184 {
 185         mpz_clear(this->p);
 186         mpz_clear(this->xa);
 187         mpz_clear(this->ya);
 188         mpz_clear(this->yb);
 189         mpz_clear(this->zz);
 190         mpz_clear(this->g);
 191         free(this);
 192 }
 193
 194 /**
 195  * Generic internal constructor
 196  */
 197 static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
 198                                                                                         size_t exp_len, chunk_t g, chunk_t p)
 199 {
 200         private_gmp_diffie_hellman_t *this;
 201         chunk_t random;
 202         rng_t *rng;
 203
 204         INIT(this,
 205                 .public = {
 206                         .dh = {
 207                                 .get_shared_secret = _get_shared_secret,
 208                                 .set_other_public_value = _set_other_public_value,
 209                                 .get_my_public_value = _get_my_public_value,
 210                                 .get_dh_group = _get_dh_group,
 211                                 .destroy = _destroy,
 212                         },
 213                 },
 214                 .group = group,
 215                 .p_len = p.len,
 216         );
 217
 218         mpz_init(this->p);
 219         mpz_init(this->yb);
 220         mpz_init(this->ya);
 221         mpz_init(this->xa);
 222         mpz_init(this->zz);
 223         mpz_init(this->g);
 224         mpz_import(this->g, g.len, 1, 1, 1, 0, g.ptr);
 225         mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
 226
 227         rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 228         if (!rng)
 229         {
 230                 DBG1(DBG_LIB, "no RNG found for quality %N", rng_quality_names,
 231                          RNG_STRONG);
 232                 destroy(this);
 233                 return NULL;
 234         }
 235         if (!rng->allocate_bytes(rng, exp_len, &random))
 236         {
 237                 DBG1(DBG_LIB, "failed to allocate DH secret");
 238                 rng->destroy(rng);
 239                 destroy(this);
 240                 return NULL;
 241         }
 242         rng->destroy(rng);
 243
 244         if (exp_len == this->p_len)
 245         {
 246                 /* achieve bitsof(p)-1 by setting MSB to 0 */
 247                 *random.ptr &= 0x7F;
 248         }
 249         mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
 250         chunk_free(&random);
 251         DBG2(DBG_LIB, "size of DH secret exponent: %u bits",
 252                  mpz_sizeinbase(this->xa, 2));
 253
 254         mpz_powm(this->ya, this->g, this->xa, this->p);
 255
 256         return &this->public;
 257 }
 258
 259 /*
 260  * Described in header.
 261  */
 262 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 263 {
 264         diffie_hellman_params_t *params;
 265
 266         params = diffie_hellman_get_params(group);
 267         if (!params)
 268         {
 269                 return NULL;
 270         }
 271         return create_generic(group, params->exp_len,
 272                                                   params->generator, params->prime);
 273 }
 274
 275
 276 gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
 277                                                         diffie_hellman_group_t group, chunk_t g, chunk_t p)
 278 {
 279         if (group == MODP_CUSTOM)
 280         {
 281                 return create_generic(MODP_CUSTOM, p.len, g, p);
 282         }
 283         return NULL;
 284 }