xref: /openbmc/linux/crypto/dh.c (revision f220d3eb)
1 /*  Diffie-Hellman Key Agreement Method [RFC2631]
2  *
3  * Copyright (c) 2016, Intel Corporation
4  * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/module.h>
13 #include <crypto/internal/kpp.h>
14 #include <crypto/kpp.h>
15 #include <crypto/dh.h>
16 #include <linux/mpi.h>
17 
18 struct dh_ctx {
19 	MPI p;	/* Value is guaranteed to be set. */
20 	MPI q;	/* Value is optional. */
21 	MPI g;	/* Value is guaranteed to be set. */
22 	MPI xa;	/* Value is guaranteed to be set. */
23 };
24 
25 static void dh_clear_ctx(struct dh_ctx *ctx)
26 {
27 	mpi_free(ctx->p);
28 	mpi_free(ctx->q);
29 	mpi_free(ctx->g);
30 	mpi_free(ctx->xa);
31 	memset(ctx, 0, sizeof(*ctx));
32 }
33 
34 /*
35  * If base is g we compute the public key
36  *	ya = g^xa mod p; [RFC2631 sec 2.1.1]
37  * else if base if the counterpart public key we compute the shared secret
38  *	ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
39  */
40 static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
41 {
42 	/* val = base^xa mod p */
43 	return mpi_powm(val, base, ctx->xa, ctx->p);
44 }
45 
46 static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
47 {
48 	return kpp_tfm_ctx(tfm);
49 }
50 
51 static int dh_check_params_length(unsigned int p_len)
52 {
53 	return (p_len < 1536) ? -EINVAL : 0;
54 }
55 
56 static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
57 {
58 	if (dh_check_params_length(params->p_size << 3))
59 		return -EINVAL;
60 
61 	ctx->p = mpi_read_raw_data(params->p, params->p_size);
62 	if (!ctx->p)
63 		return -EINVAL;
64 
65 	if (params->q && params->q_size) {
66 		ctx->q = mpi_read_raw_data(params->q, params->q_size);
67 		if (!ctx->q)
68 			return -EINVAL;
69 	}
70 
71 	ctx->g = mpi_read_raw_data(params->g, params->g_size);
72 	if (!ctx->g)
73 		return -EINVAL;
74 
75 	return 0;
76 }
77 
78 static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
79 			 unsigned int len)
80 {
81 	struct dh_ctx *ctx = dh_get_ctx(tfm);
82 	struct dh params;
83 
84 	/* Free the old MPI key if any */
85 	dh_clear_ctx(ctx);
86 
87 	if (crypto_dh_decode_key(buf, len, &params) < 0)
88 		goto err_clear_ctx;
89 
90 	if (dh_set_params(ctx, &params) < 0)
91 		goto err_clear_ctx;
92 
93 	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
94 	if (!ctx->xa)
95 		goto err_clear_ctx;
96 
97 	return 0;
98 
99 err_clear_ctx:
100 	dh_clear_ctx(ctx);
101 	return -EINVAL;
102 }
103 
104 /*
105  * SP800-56A public key verification:
106  *
107  * * If Q is provided as part of the domain paramenters, a full validation
108  *   according to SP800-56A section 5.6.2.3.1 is performed.
109  *
110  * * If Q is not provided, a partial validation according to SP800-56A section
111  *   5.6.2.3.2 is performed.
112  */
113 static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
114 {
115 	if (unlikely(!ctx->p))
116 		return -EINVAL;
117 
118 	/*
119 	 * Step 1: Verify that 2 <= y <= p - 2.
120 	 *
121 	 * The upper limit check is actually y < p instead of y < p - 1
122 	 * as the mpi_sub_ui function is yet missing.
123 	 */
124 	if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
125 		return -EINVAL;
126 
127 	/* Step 2: Verify that 1 = y^q mod p */
128 	if (ctx->q) {
129 		MPI val = mpi_alloc(0);
130 		int ret;
131 
132 		if (!val)
133 			return -ENOMEM;
134 
135 		ret = mpi_powm(val, y, ctx->q, ctx->p);
136 
137 		if (ret) {
138 			mpi_free(val);
139 			return ret;
140 		}
141 
142 		ret = mpi_cmp_ui(val, 1);
143 
144 		mpi_free(val);
145 
146 		if (ret != 0)
147 			return -EINVAL;
148 	}
149 
150 	return 0;
151 }
152 
153 static int dh_compute_value(struct kpp_request *req)
154 {
155 	struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
156 	struct dh_ctx *ctx = dh_get_ctx(tfm);
157 	MPI base, val = mpi_alloc(0);
158 	int ret = 0;
159 	int sign;
160 
161 	if (!val)
162 		return -ENOMEM;
163 
164 	if (unlikely(!ctx->xa)) {
165 		ret = -EINVAL;
166 		goto err_free_val;
167 	}
168 
169 	if (req->src) {
170 		base = mpi_read_raw_from_sgl(req->src, req->src_len);
171 		if (!base) {
172 			ret = -EINVAL;
173 			goto err_free_val;
174 		}
175 		ret = dh_is_pubkey_valid(ctx, base);
176 		if (ret)
177 			goto err_free_base;
178 	} else {
179 		base = ctx->g;
180 	}
181 
182 	ret = _compute_val(ctx, base, val);
183 	if (ret)
184 		goto err_free_base;
185 
186 	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
187 	if (ret)
188 		goto err_free_base;
189 
190 	if (sign < 0)
191 		ret = -EBADMSG;
192 err_free_base:
193 	if (req->src)
194 		mpi_free(base);
195 err_free_val:
196 	mpi_free(val);
197 	return ret;
198 }
199 
200 static unsigned int dh_max_size(struct crypto_kpp *tfm)
201 {
202 	struct dh_ctx *ctx = dh_get_ctx(tfm);
203 
204 	return mpi_get_size(ctx->p);
205 }
206 
207 static void dh_exit_tfm(struct crypto_kpp *tfm)
208 {
209 	struct dh_ctx *ctx = dh_get_ctx(tfm);
210 
211 	dh_clear_ctx(ctx);
212 }
213 
214 static struct kpp_alg dh = {
215 	.set_secret = dh_set_secret,
216 	.generate_public_key = dh_compute_value,
217 	.compute_shared_secret = dh_compute_value,
218 	.max_size = dh_max_size,
219 	.exit = dh_exit_tfm,
220 	.base = {
221 		.cra_name = "dh",
222 		.cra_driver_name = "dh-generic",
223 		.cra_priority = 100,
224 		.cra_module = THIS_MODULE,
225 		.cra_ctxsize = sizeof(struct dh_ctx),
226 	},
227 };
228 
229 static int dh_init(void)
230 {
231 	return crypto_register_kpp(&dh);
232 }
233 
234 static void dh_exit(void)
235 {
236 	crypto_unregister_kpp(&dh);
237 }
238 
239 module_init(dh_init);
240 module_exit(dh_exit);
241 MODULE_ALIAS_CRYPTO("dh");
242 MODULE_LICENSE("GPL");
243 MODULE_DESCRIPTION("DH generic algorithm");
244