strongswan/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c

/*
 * Copyright (C) 2010 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include <gcrypt.h>

#include "gcrypt_dh.h"

#include <debug.h>

typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;

/**
 * Private data of an gcrypt_dh_t object.
 */
struct private_gcrypt_dh_t {

	/**
	 * Public gcrypt_dh_t interface
	 */
	gcrypt_dh_t public;

	/**
	 * Diffie Hellman group number
	 */
	u_int16_t group;

	/*
	 * Generator value
	 */
	gcry_mpi_t g;

	/**
	 * Own private value
	 */
	gcry_mpi_t xa;

	/**
	 * Own public value
	 */
	gcry_mpi_t ya;

	/**
	 * Other public value
	 */
	gcry_mpi_t yb;

	/**
	 * Shared secret
	 */
	gcry_mpi_t zz;

	/**
	 * Modulus
	 */
	gcry_mpi_t p;

	/**
	 * Modulus length.
	 */
	size_t p_len;
};

/**
 * Implementation of gcrypt_dh_t.set_other_public_value.
 */
static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
{
	gcry_mpi_t p_min_1;
	gcry_error_t err;

	if (this->yb)
	{
		gcry_mpi_release(this->yb);
		this->yb = NULL;
	}
	err = gcry_mpi_scan(&this->yb, GCRYMPI_FMT_USG, value.ptr, value.len, NULL);
	if (err)
	{
		DBG1(DBG_LIB, "importing mpi yb failed: %s", gpg_strerror(err));
		return;
	}

	p_min_1 = gcry_mpi_new(this->p_len * 8);
	gcry_mpi_sub_ui(p_min_1, this->p, 1);

	/* check public value:
	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
	 * 2. a public value larger or equal the modulus is invalid */
	if (gcry_mpi_cmp_ui(this->yb, 1) > 0 &&
		gcry_mpi_cmp(this->yb, p_min_1) < 0)
	{
		if (!this->zz)
		{
			this->zz = gcry_mpi_new(this->p_len * 8);
		}
		gcry_mpi_powm(this->zz, this->yb, this->xa, this->p);
	}
	else
	{
		DBG1(DBG_LIB, "public DH value verification failed:"
			 " y < 2 || y > p - 1 ");
	}
	gcry_mpi_release(p_min_1);
}

/**
 * export a gcry_mpi to an allocated chunk of len bytes
 */
static chunk_t export_mpi(gcry_mpi_t value, size_t len)
{
	chunk_t chunk;
	size_t written;

	chunk = chunk_alloc(len);
	gcry_mpi_print(GCRYMPI_FMT_USG, chunk.ptr, chunk.len, &written, value);
	if (written < len)
	{	/* right-align number of written bytes in chunk */
		memmove(chunk.ptr + (len - written), chunk.ptr, written);
		memset(chunk.ptr, 0, len - written);
	}
	return chunk;
}

/**
 * Implementation of gcrypt_dh_t.get_my_public_value.
 */
static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value)
{
	*value = export_mpi(this->ya, this->p_len);
}

/**
 * Implementation of gcrypt_dh_t.get_shared_secret.
 */
static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
{
	if (!this->zz)
	{
		return FAILED;
	}
	*secret = export_mpi(this->zz, this->p_len);
	return SUCCESS;
}

/**
 * Implementation of gcrypt_dh_t.get_dh_group.
 */
static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this)
{
	return this->group;
}

/**
 * Implementation of gcrypt_dh_t.destroy.
 */
static void destroy(private_gcrypt_dh_t *this)
{
	gcry_mpi_release(this->p);
	gcry_mpi_release(this->xa);
	gcry_mpi_release(this->ya);
	gcry_mpi_release(this->g);
	gcry_mpi_release(this->yb);
	gcry_mpi_release(this->zz);
	free(this);
}

/*
 * Described in header.
 */
gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
{
	private_gcrypt_dh_t *this;
	diffie_hellman_params_t *params;
	gcry_error_t err;
	chunk_t random;
	rng_t *rng;

	params = diffie_hellman_get_params(group);
	if (!params)
	{
		return NULL;
	}

	this = malloc_thing(private_gcrypt_dh_t);

	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;

	this->group = group;
	this->p_len = params->prime_len;
	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
						params->prime, params->prime_len, NULL);
	if (err)
	{
		DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err));
		free(this);
		return NULL;
	}

	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	if (rng)
	{	/* prefer external randomizer */
		rng->allocate_bytes(rng, params->exp_len, &random);
		rng->destroy(rng);
		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
							random.ptr, random.len, NULL);
		chunk_clear(&random);
		if (err)
		{
			DBG1(DBG_LIB, "importing mpi xa failed: %s", gpg_strerror(err));
			gcry_mpi_release(this->p);
			free(this);
			return NULL;
		}
	}
	else
	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
		this->xa = gcry_mpi_new(params->exp_len * 8);
		gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM);
	}
	if (params->exp_len == this->p_len)
	{
		/* achieve bitsof(p)-1 by setting MSB to 0 */
		gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1);
	}

	this->g = gcry_mpi_set_ui(NULL, params->generator);
	this->ya = gcry_mpi_new(this->p_len * 8);
	this->yb = NULL;
	this->zz = NULL;

	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);

	return &this->public;
}