strongswan/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c

/*
 * Copyright (C) 2011 Tobias Brunner
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "pkcs11_dh.h"

#include <utils/debug.h>
#include <library.h>
#include <asn1/asn1.h>
#include <asn1/oid.h>

#include "pkcs11_manager.h"

typedef struct private_pkcs11_dh_t private_pkcs11_dh_t;

/**
 * Private data of an pkcs11_dh_t object.
 */
struct private_pkcs11_dh_t {

	/**
	 * Public pkcs11_dh_t interface
	 */
	pkcs11_dh_t public;

	/**
	 * PKCS#11 library
	 */
	pkcs11_library_t *lib;

	/**
	 * Session handle for this object
	 */
	CK_SESSION_HANDLE session;

	/**
	 * Diffie Hellman group number.
	 */
	diffie_hellman_group_t group;

	/**
	 * Handle for own private value
	 */
	CK_OBJECT_HANDLE pri_key;

	/**
	 * Own public value
	 */
	chunk_t pub_key;

	/**
	 * Shared secret
	 */
	chunk_t secret;

	/**
	 * Mechanism to use to generate a key pair
	 */
	CK_MECHANISM_TYPE mech_key;

	/**
	 * Mechanism to use to derive a shared secret
	 */
	CK_MECHANISM_TYPE mech_derive;

};

/**
 * Derive a DH/ECDH shared secret.
 *
 * If this succeeds the shared secret is stored in this->secret.
 */
static bool derive_secret(private_pkcs11_dh_t *this, chunk_t other)
{
	CK_OBJECT_CLASS klass = CKO_SECRET_KEY;
	CK_KEY_TYPE type = CKK_GENERIC_SECRET;
	CK_ATTRIBUTE attr[] = {
		{ CKA_CLASS, &klass, sizeof(klass) },
		{ CKA_KEY_TYPE, &type, sizeof(type) },
	};
	CK_MECHANISM mech = {
		this->mech_derive,
		other.ptr,
		other.len,
	};
	CK_OBJECT_HANDLE secret;
	CK_RV rv;

	rv = this->lib->f->C_DeriveKey(this->session, &mech, this->pri_key,
								   attr, countof(attr), &secret);
	if (rv != CKR_OK)
	{
		DBG1(DBG_CFG, "C_DeriveKey() error: %N", ck_rv_names, rv);
		return FALSE;
	}
	if (!this->lib->get_ck_attribute(this->lib, this->session, secret,
									 CKA_VALUE, &this->secret))
	{
		chunk_free(&this->secret);
		return FALSE;
	}
	return TRUE;
}

METHOD(diffie_hellman_t, set_other_public_value, bool,
	private_pkcs11_dh_t *this, chunk_t value)
{
	if (!diffie_hellman_verify_value(this->group, value))
	{
		return FALSE;
	}

	switch (this->group)
	{
		case ECP_192_BIT:
		case ECP_224_BIT:
		case ECP_256_BIT:
		case ECP_384_BIT:
		case ECP_521_BIT:
		{	/* we expect the public value to just be the concatenated x and y
			 * coordinates, so we tag the value as an uncompressed ECPoint */
			chunk_t tag = chunk_from_chars(0x04);
			chunk_t pubkey = chunk_cata("cc", tag, value);
			CK_ECDH1_DERIVE_PARAMS params = {
				CKD_NULL,
				0,
				NULL,
				pubkey.len,
				pubkey.ptr,
			};
			value = chunk_from_thing(params);
			break;
		}
		default:
			break;
	}
	return derive_secret(this, value);
}

METHOD(diffie_hellman_t, get_my_public_value, bool,
	private_pkcs11_dh_t *this, chunk_t *value)
{
	*value = chunk_clone(this->pub_key);
	return TRUE;
}

METHOD(diffie_hellman_t, get_shared_secret, bool,
	private_pkcs11_dh_t *this, chunk_t *secret)
{
	if (!this->secret.ptr)
	{
		return FALSE;
	}
	*secret = chunk_clone(this->secret);
	return TRUE;
}

METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
	private_pkcs11_dh_t *this)
{
	return this->group;
}

METHOD(diffie_hellman_t, destroy, void,
	private_pkcs11_dh_t *this)
{
	this->lib->f->C_CloseSession(this->session);
	chunk_clear(&this->pub_key);
	chunk_clear(&this->secret);
	free(this);
}

/**
 * Generate a DH/ECDH key pair.
 *
 * If this succeeds, this->pri_key has a handle to the private key and
 * this->pub_key stores the public key.
 */
static bool generate_key_pair(private_pkcs11_dh_t *this, CK_ATTRIBUTE_PTR pub,
							  int pub_len, CK_ATTRIBUTE_PTR pri, int pri_len,
							  CK_ATTRIBUTE_TYPE attr)
{
	CK_MECHANISM mech = {
		this->mech_key,
		NULL,
		0,
	};
	CK_OBJECT_HANDLE pub_key;
	CK_RV rv;

	rv = this->lib->f->C_GenerateKeyPair(this->session, &mech, pub, pub_len,
							pri, pri_len, &pub_key, &this->pri_key);
	if (rv != CKR_OK)
	{
		DBG1(DBG_CFG, "C_GenerateKeyPair() error: %N", ck_rv_names, rv);
		return FALSE;
	}
	if (!this->lib->get_ck_attribute(this->lib, this->session, pub_key,
									 attr, &this->pub_key))
	{
		chunk_free(&this->pub_key);
		return FALSE;
	}
	return TRUE;
}

/**
 * Generate DH key pair.
 */
static bool generate_key_pair_modp(private_pkcs11_dh_t *this, size_t exp_len,
								   chunk_t g, chunk_t p)
{
	CK_BBOOL ck_true = CK_TRUE;
	CK_ATTRIBUTE pub_attr[] = {
		{ CKA_DERIVE, &ck_true, sizeof(ck_true) },
		{ CKA_PRIME, p.ptr, p.len },
		{ CKA_BASE, g.ptr, g.len },
	};
	CK_ULONG bits = exp_len * 8;
	CK_ATTRIBUTE pri_attr[] = {
		{ CKA_DERIVE, &ck_true, sizeof(ck_true) },
		{ CKA_VALUE_BITS, &bits, sizeof(bits) },
	};
	return generate_key_pair(this, pub_attr, countof(pub_attr), pri_attr,
							 countof(pri_attr), CKA_VALUE);
}

/**
 * Generate ECDH key pair.
 */
static bool generate_key_pair_ecp(private_pkcs11_dh_t *this,
								  chunk_t ecparams)
{
	CK_BBOOL ck_true = CK_TRUE;
	CK_ATTRIBUTE pub_attr[] = {
		{ CKA_DERIVE, &ck_true, sizeof(ck_true) },
		{ CKA_EC_PARAMS, ecparams.ptr, ecparams.len },
	};
	CK_ATTRIBUTE pri_attr[] = {
		{ CKA_DERIVE, &ck_true, sizeof(ck_true) },
	};
	chunk_t pub_key;
	if (!generate_key_pair(this, pub_attr, countof(pub_attr), pri_attr,
						   countof(pri_attr), CKA_EC_POINT))
	{
		return FALSE;
	}
	if (this->pub_key.len <= 0 || this->pub_key.ptr[0] != 0x04)
	{	/* we currently only support the point in uncompressed form which
		 * looks like this: 0x04 || x || y */
		chunk_clear(&this->pub_key);
		return FALSE;
	}
	pub_key = chunk_clone(chunk_skip(this->pub_key, 1));
	chunk_clear(&this->pub_key);
	this->pub_key = pub_key;
	return TRUE;
}

/**
 * Find a token we can use for DH/ECDH algorithm
 */
static pkcs11_library_t *find_token(private_pkcs11_dh_t *this,
									CK_SESSION_HANDLE *session)
{
	enumerator_t *tokens, *mechs;
	pkcs11_manager_t *manager;
	pkcs11_library_t *current, *found = NULL;
	CK_MECHANISM_TYPE type;
	CK_SLOT_ID slot;

	manager = lib->get(lib, "pkcs11-manager");
	if (!manager)
	{
		return NULL;
	}
	tokens = manager->create_token_enumerator(manager);
	while (tokens->enumerate(tokens, &current, &slot))
	{
		mechs = current->create_mechanism_enumerator(current, slot);
		while (mechs->enumerate(mechs, &type, NULL))
		{	/* we assume we can generate key pairs if the derive mechanism
			 * is supported */
			if (type == this->mech_derive)
			{
				if (current->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
											  NULL, NULL, session) == CKR_OK)
				{
					found = current;
					break;
				}
			}
		}
		mechs->destroy(mechs);
		if (found)
		{
			break;
		}
	}
	tokens->destroy(tokens);
	return found;
}

/**
 * Generic internal constructor
 */
static private_pkcs11_dh_t *create_generic(diffie_hellman_group_t group,
										   CK_MECHANISM_TYPE key,
										   CK_MECHANISM_TYPE derive)
{
	private_pkcs11_dh_t *this;

	INIT(this,
		.public = {
			.dh = {
				.get_shared_secret = _get_shared_secret,
				.set_other_public_value = _set_other_public_value,
				.get_my_public_value = _get_my_public_value,
				.get_dh_group = _get_dh_group,
				.destroy = _destroy,
			},
		},
		.group = group,
		.mech_key = key,
		.mech_derive = derive,
	);

	this->lib = find_token(this, &this->session);
	if (!this->lib)
	{
		free(this);
		return NULL;
	}
	return this;
}

static pkcs11_dh_t *create_ecp(diffie_hellman_group_t group, chunk_t ecparam)
{
	private_pkcs11_dh_t *this = create_generic(group, CKM_EC_KEY_PAIR_GEN,
											   CKM_ECDH1_DERIVE);

	if (this)
	{
		if (generate_key_pair_ecp(this, ecparam))
		{
			chunk_free(&ecparam);
			return &this->public;
		}
		chunk_free(&ecparam);
		free(this);
	}
	return NULL;
}

/**
 * Constructor for MODP DH
 */
static pkcs11_dh_t *create_modp(diffie_hellman_group_t group, size_t exp_len,
								chunk_t g, chunk_t p)
{
	private_pkcs11_dh_t *this = create_generic(group, CKM_DH_PKCS_KEY_PAIR_GEN,
											   CKM_DH_PKCS_DERIVE);

	if (this)
	{
		if (generate_key_pair_modp(this, exp_len, g, p))
		{
			return &this->public;
		}
		free(this);
	}
	return NULL;
}

/**
 * Lookup the EC params for the given group.
 */
static chunk_t ecparams_lookup(diffie_hellman_group_t group)
{
	switch (group)
	{
		case ECP_192_BIT:
			return asn1_build_known_oid(OID_PRIME192V1);
		case ECP_224_BIT:
			return asn1_build_known_oid(OID_SECT224R1);
		case ECP_256_BIT:
			return asn1_build_known_oid(OID_PRIME256V1);
		case ECP_384_BIT:
			return asn1_build_known_oid(OID_SECT384R1);
		case ECP_521_BIT:
			return asn1_build_known_oid(OID_SECT521R1);
		default:
			break;
	}
	return chunk_empty;
}

/**
 * Described in header.
 */
pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, ...)
{
	switch (group)
	{
		case MODP_CUSTOM:
		{
			chunk_t g, p;

			VA_ARGS_GET(group, g, p);
			return create_modp(group, p.len, g, p);
		}
		case ECP_192_BIT:
		case ECP_224_BIT:
		case ECP_256_BIT:
		case ECP_384_BIT:
		case ECP_521_BIT:
		{
			chunk_t params = ecparams_lookup(group);
			if (params.ptr)
			{
				return create_ecp(group, params);
			}
			break;
		}
		default:
		{
			diffie_hellman_params_t *params = diffie_hellman_get_params(group);
			if (params)
			{
				return create_modp(group, params->exp_len, params->generator,
								   params->prime);
			}
			break;
		}
	}
	return NULL;
}