1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Diffie-Hellman Key Agreement Method [RFC2631] 3 * 4 * Copyright (c) 2016, Intel Corporation 5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com> 6 */ 7 8 #include <linux/module.h> 9 #include <crypto/internal/kpp.h> 10 #include <crypto/kpp.h> 11 #include <crypto/dh.h> 12 #include <linux/fips.h> 13 #include <linux/mpi.h> 14 15 struct dh_ctx { 16 MPI p; /* Value is guaranteed to be set. */ 17 MPI q; /* Value is optional. */ 18 MPI g; /* Value is guaranteed to be set. */ 19 MPI xa; /* Value is guaranteed to be set. */ 20 }; 21 22 static void dh_clear_ctx(struct dh_ctx *ctx) 23 { 24 mpi_free(ctx->p); 25 mpi_free(ctx->q); 26 mpi_free(ctx->g); 27 mpi_free(ctx->xa); 28 memset(ctx, 0, sizeof(*ctx)); 29 } 30 31 /* 32 * If base is g we compute the public key 33 * ya = g^xa mod p; [RFC2631 sec 2.1.1] 34 * else if base if the counterpart public key we compute the shared secret 35 * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1] 36 */ 37 static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val) 38 { 39 /* val = base^xa mod p */ 40 return mpi_powm(val, base, ctx->xa, ctx->p); 41 } 42 43 static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm) 44 { 45 return kpp_tfm_ctx(tfm); 46 } 47 48 static int dh_check_params_length(unsigned int p_len) 49 { 50 return (p_len < 1536) ? -EINVAL : 0; 51 } 52 53 static int dh_set_params(struct dh_ctx *ctx, struct dh *params) 54 { 55 if (dh_check_params_length(params->p_size << 3)) 56 return -EINVAL; 57 58 ctx->p = mpi_read_raw_data(params->p, params->p_size); 59 if (!ctx->p) 60 return -EINVAL; 61 62 if (params->q && params->q_size) { 63 ctx->q = mpi_read_raw_data(params->q, params->q_size); 64 if (!ctx->q) 65 return -EINVAL; 66 } 67 68 ctx->g = mpi_read_raw_data(params->g, params->g_size); 69 if (!ctx->g) 70 return -EINVAL; 71 72 return 0; 73 } 74 75 static int dh_set_secret(struct crypto_kpp *tfm, const void *buf, 76 unsigned int len) 77 { 78 struct dh_ctx *ctx = dh_get_ctx(tfm); 79 struct dh params; 80 81 /* Free the old MPI key if any */ 82 dh_clear_ctx(ctx); 83 84 if (crypto_dh_decode_key(buf, len, ¶ms) < 0) 85 goto err_clear_ctx; 86 87 if (dh_set_params(ctx, ¶ms) < 0) 88 goto err_clear_ctx; 89 90 ctx->xa = mpi_read_raw_data(params.key, params.key_size); 91 if (!ctx->xa) 92 goto err_clear_ctx; 93 94 return 0; 95 96 err_clear_ctx: 97 dh_clear_ctx(ctx); 98 return -EINVAL; 99 } 100 101 /* 102 * SP800-56A public key verification: 103 * 104 * * If Q is provided as part of the domain paramenters, a full validation 105 * according to SP800-56A section 5.6.2.3.1 is performed. 106 * 107 * * If Q is not provided, a partial validation according to SP800-56A section 108 * 5.6.2.3.2 is performed. 109 */ 110 static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y) 111 { 112 if (unlikely(!ctx->p)) 113 return -EINVAL; 114 115 /* 116 * Step 1: Verify that 2 <= y <= p - 2. 117 * 118 * The upper limit check is actually y < p instead of y < p - 1 119 * as the mpi_sub_ui function is yet missing. 120 */ 121 if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0) 122 return -EINVAL; 123 124 /* Step 2: Verify that 1 = y^q mod p */ 125 if (ctx->q) { 126 MPI val = mpi_alloc(0); 127 int ret; 128 129 if (!val) 130 return -ENOMEM; 131 132 ret = mpi_powm(val, y, ctx->q, ctx->p); 133 134 if (ret) { 135 mpi_free(val); 136 return ret; 137 } 138 139 ret = mpi_cmp_ui(val, 1); 140 141 mpi_free(val); 142 143 if (ret != 0) 144 return -EINVAL; 145 } 146 147 return 0; 148 } 149 150 static int dh_compute_value(struct kpp_request *req) 151 { 152 struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); 153 struct dh_ctx *ctx = dh_get_ctx(tfm); 154 MPI base, val = mpi_alloc(0); 155 int ret = 0; 156 int sign; 157 158 if (!val) 159 return -ENOMEM; 160 161 if (unlikely(!ctx->xa)) { 162 ret = -EINVAL; 163 goto err_free_val; 164 } 165 166 if (req->src) { 167 base = mpi_read_raw_from_sgl(req->src, req->src_len); 168 if (!base) { 169 ret = -EINVAL; 170 goto err_free_val; 171 } 172 ret = dh_is_pubkey_valid(ctx, base); 173 if (ret) 174 goto err_free_base; 175 } else { 176 base = ctx->g; 177 } 178 179 ret = _compute_val(ctx, base, val); 180 if (ret) 181 goto err_free_base; 182 183 if (fips_enabled) { 184 /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */ 185 if (req->src) { 186 MPI pone; 187 188 /* z <= 1 */ 189 if (mpi_cmp_ui(val, 1) < 1) { 190 ret = -EBADMSG; 191 goto err_free_base; 192 } 193 194 /* z == p - 1 */ 195 pone = mpi_alloc(0); 196 197 if (!pone) { 198 ret = -ENOMEM; 199 goto err_free_base; 200 } 201 202 ret = mpi_sub_ui(pone, ctx->p, 1); 203 if (!ret && !mpi_cmp(pone, val)) 204 ret = -EBADMSG; 205 206 mpi_free(pone); 207 208 if (ret) 209 goto err_free_base; 210 211 /* SP800-56A rev 3 5.6.2.1.3 key check */ 212 } else { 213 if (dh_is_pubkey_valid(ctx, val)) { 214 ret = -EAGAIN; 215 goto err_free_val; 216 } 217 } 218 } 219 220 ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign); 221 if (ret) 222 goto err_free_base; 223 224 if (sign < 0) 225 ret = -EBADMSG; 226 err_free_base: 227 if (req->src) 228 mpi_free(base); 229 err_free_val: 230 mpi_free(val); 231 return ret; 232 } 233 234 static unsigned int dh_max_size(struct crypto_kpp *tfm) 235 { 236 struct dh_ctx *ctx = dh_get_ctx(tfm); 237 238 return mpi_get_size(ctx->p); 239 } 240 241 static void dh_exit_tfm(struct crypto_kpp *tfm) 242 { 243 struct dh_ctx *ctx = dh_get_ctx(tfm); 244 245 dh_clear_ctx(ctx); 246 } 247 248 static struct kpp_alg dh = { 249 .set_secret = dh_set_secret, 250 .generate_public_key = dh_compute_value, 251 .compute_shared_secret = dh_compute_value, 252 .max_size = dh_max_size, 253 .exit = dh_exit_tfm, 254 .base = { 255 .cra_name = "dh", 256 .cra_driver_name = "dh-generic", 257 .cra_priority = 100, 258 .cra_module = THIS_MODULE, 259 .cra_ctxsize = sizeof(struct dh_ctx), 260 }, 261 }; 262 263 static int dh_init(void) 264 { 265 return crypto_register_kpp(&dh); 266 } 267 268 static void dh_exit(void) 269 { 270 crypto_unregister_kpp(&dh); 271 } 272 273 subsys_initcall(dh_init); 274 module_exit(dh_exit); 275 MODULE_ALIAS_CRYPTO("dh"); 276 MODULE_LICENSE("GPL"); 277 MODULE_DESCRIPTION("DH generic algorithm"); 278