src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c

   1 /*
   2  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
   3  * Copyright (C) 1999, 2000, 2001  Henry Spencer.
   4  * Copyright (C) 2010 Tobias Brunner
   5  * Copyright (C) 2005-2008 Martin Willi
   6  * Copyright (C) 2005 Jan Hutter
   7  * Hochschule fuer Technik Rapperswil
   8  *
   9  * This program is free software; you can redistribute it and/or modify it
  10  * under the terms of the GNU General Public License as published by the
  11  * Free Software Foundation; either version 2 of the License, or (at your
  12  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  13  *
  14  * This program is distributed in the hope that it will be useful, but
  15  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  16  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  17  * for more details.
  18  */
  19
  20 #include <gmp.h>
  21
  22 #include "gmp_diffie_hellman.h"
  23
  24 #include <debug.h>
  25
  26 #ifdef HAVE_MPZ_POWM_SEC
  27 # undef mpz_powm
  28 # define mpz_powm mpz_powm_sec
  29 #endif
  30
  31 typedef struct private_gmp_diffie_hellman_t private_gmp_diffie_hellman_t;
  32
  33 /**
  34  * Private data of an gmp_diffie_hellman_t object.
  35  */
  36 struct private_gmp_diffie_hellman_t {
  37         /**
  38          * Public gmp_diffie_hellman_t interface.
  39          */
  40         gmp_diffie_hellman_t public;
  41
  42         /**
  43          * Diffie Hellman group number.
  44          */
  45         u_int16_t group;
  46
  47         /*
  48          * Generator value.
  49          */
  50         mpz_t g;
  51
  52         /**
  53          * My private value.
  54          */
  55         mpz_t xa;
  56
  57         /**
  58          * My public value.
  59          */
  60         mpz_t ya;
  61
  62         /**
  63          * Other public value.
  64          */
  65         mpz_t yb;
  66
  67         /**
  68          * Shared secret.
  69          */
  70         mpz_t zz;
  71
  72         /**
  73          * Modulus.
  74          */
  75         mpz_t p;
  76
  77         /**
  78          * Modulus length.
  79          */
  80         size_t p_len;
  81
  82         /**
  83          * True if shared secret is computed and stored in my_public_value.
  84          */
  85         bool computed;
  86 };
  87
  88 /**
  89  * Implementation of gmp_diffie_hellman_t.set_other_public_value.
  90  */
  91 static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
  92 {
  93         mpz_t p_min_1;
  94
  95         mpz_init(p_min_1);
  96         mpz_sub_ui(p_min_1, this->p, 1);
  97
  98         mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr);
  99
 100         /* check public value:
 101          * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
 102          * 2. a public value larger or equal the modulus is invalid */
 103         if (mpz_cmp_ui(this->yb, 1) > 0 &&
 104                 mpz_cmp(this->yb, p_min_1) < 0)
 105         {
 106 #ifdef EXTENDED_DH_TEST
 107                 /* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
 108                 mpz_t q, one;
 109
 110                 mpz_init(q);
 111                 mpz_init(one);
 112                 mpz_fdiv_q_2exp(q, p_min_1, 1);
 113                 mpz_powm(one, this->yb, q, this->p);
 114                 mpz_clear(q);
 115                 if (mpz_cmp_ui(one, 1) == 0)
 116                 {
 117                         mpz_powm(this->zz, this->yb, this->xa, this->p);
 118                         this->computed = TRUE;
 119                 }
 120                 else
 121                 {
 122                         DBG1(DBG_LIB, "public DH value verification failed:"
 123                                  " y ^ q mod p != 1");
 124                 }
 125                 mpz_clear(one);
 126 #else
 127                 mpz_powm(this->zz, this->yb, this->xa, this->p);
 128                 this->computed = TRUE;
 129 #endif
 130         }
 131         else
 132         {
 133                 DBG1(DBG_LIB, "public DH value verification failed:"
 134                          " y < 2 || y > p - 1 ");
 135         }
 136         mpz_clear(p_min_1);
 137 }
 138
 139 /**
 140  * Implementation of gmp_diffie_hellman_t.get_my_public_value.
 141  */
 142 static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
 143 {
 144         value->len = this->p_len;
 145         value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
 146         if (value->ptr == NULL)
 147         {
 148                 value->len = 0;
 149         }
 150 }
 151
 152 /**
 153  * Implementation of gmp_diffie_hellman_t.get_shared_secret.
 154  */
 155 static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *secret)
 156 {
 157         if (!this->computed)
 158         {
 159                 return FAILED;
 160         }
 161         secret->len = this->p_len;
 162         secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
 163         if (secret->ptr == NULL)
 164         {
 165                 return FAILED;
 166         }
 167         return SUCCESS;
 168 }
 169
 170 /**
 171  * Implementation of gmp_diffie_hellman_t.get_dh_group.
 172  */
 173 static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this)
 174 {
 175         return this->group;
 176 }
 177
 178 /**
 179  * Implementation of gmp_diffie_hellman_t.destroy.
 180  */
 181 static void destroy(private_gmp_diffie_hellman_t *this)
 182 {
 183         mpz_clear(this->p);
 184         mpz_clear(this->xa);
 185         mpz_clear(this->ya);
 186         mpz_clear(this->yb);
 187         mpz_clear(this->zz);
 188         mpz_clear(this->g);
 189         free(this);
 190 }
 191
 192 /*
 193  * Described in header.
 194  */
 195 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 196 {
 197         private_gmp_diffie_hellman_t *this;
 198         diffie_hellman_params_t *params;
 199         rng_t *rng;
 200         chunk_t random;
 201
 202         params = diffie_hellman_get_params(group);
 203         if (!params)
 204         {
 205                 return NULL;
 206         }
 207
 208         this = malloc_thing(private_gmp_diffie_hellman_t);
 209
 210         /* public functions */
 211         this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
 212         this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
 213         this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
 214         this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 215         this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
 216
 217         /* private variables */
 218         this->group = group;
 219         mpz_init(this->p);
 220         mpz_init(this->yb);
 221         mpz_init(this->ya);
 222         mpz_init(this->xa);
 223         mpz_init(this->zz);
 224         mpz_init(this->g);
 225
 226         this->computed = FALSE;
 227         this->p_len = params->prime.len;
 228         mpz_import(this->p, params->prime.len, 1, 1, 1, 0, params->prime.ptr);
 229         mpz_import(this->g, params->generator.len, 1, 1, 1, 0, params->generator.ptr);
 230
 231         rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 232         if (!rng)
 233         {
 234                 DBG1(DBG_LIB, "no RNG found for quality %N", rng_quality_names,
 235                          RNG_STRONG);
 236                 destroy(this);
 237                 return NULL;
 238         }
 239
 240         rng->allocate_bytes(rng, params->exp_len, &random);
 241         rng->destroy(rng);
 242
 243         if (params->exp_len == this->p_len)
 244         {
 245                 /* achieve bitsof(p)-1 by setting MSB to 0 */
 246                 *random.ptr &= 0x7F;
 247         }
 248         mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
 249         chunk_free(&random);
 250         DBG2(DBG_LIB, "size of DH secret exponent: %u bits",
 251                  mpz_sizeinbase(this->xa, 2));
 252
 253         mpz_powm(this->ya, this->g, this->xa, this->p);
 254
 255         return &this->public;
 256 }
 257