ossl-dh.c   [plain text]


/*
 * Copyright (c) 2011-12 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "ossl-config.h"

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "krb5-types.h"
#include "rfc2459_asn1.h"

#include "ossl-dh.h"

/**
 * @page page_dh DH - Diffie-Hellman key exchange
 *
 * Diffie-Hellman key exchange is a protocol that allows two parties
 * to establish a shared secret key.
 *
 * Include and example how to use DH_new() and friends here.
 *
 */

/**
 * Create a new DH object using DH_new_method(NULL), see DH_new_method().
 *
 * @return a newly allocated DH object.
 *
 */
DH *
DH_new(void)
{
	return (DH_new_method(NULL));
}


/**
 * Create a new DH object from the given engine, if the NULL is used,
 * the default engine is used. Free the DH object with DH_free().
 *
 * @param engine The engine to use to allocate the DH object.
 *
 * @return a newly allocated DH object.
 *
 */
DH *
DH_new_method(ENGINE *engine)
{
	DH *dh;

	dh = calloc(1, sizeof(*dh));
	if (dh == NULL) {
		return (NULL);
	}

	dh->references = 1;

	if (engine) {
		ENGINE_up_ref(engine);
		dh->engine = engine;
	} else {
		dh->engine = ENGINE_get_default_DH();
	}

	if (dh->engine) {
		dh->meth = ENGINE_get_DH(dh->engine);
		if (dh->meth == NULL) {
			ENGINE_finish(engine);
			free(dh);
			return (0);
		}
	}

	if (dh->meth == NULL) {
		dh->meth = DH_get_default_method();
	}

	(*dh->meth->init)(dh);

	return (dh);
}


/**
 * Free a DH object and release related resources, like ENGINE, that
 * the object was using.
 *
 * @param dh object to be freed.
 *
 */
void
DH_free(DH *dh)
{
	if (dh->references <= 0) {
		abort();
	}

	if (--dh->references > 0) {
		return;
	}

	(*dh->meth->finish)(dh);

	if (dh->engine) {
		ENGINE_finish(dh->engine);
	}

#define free_if(f)    if (f) { BN_clear_free(f); }
	free_if(dh->p);
	free_if(dh->g);
	free_if(dh->pub_key);
	free_if(dh->priv_key);
	free_if(dh->q);
	free_if(dh->j);
	free_if(dh->counter);
#undef free_if

	memset(dh, 0, sizeof(*dh));
	free(dh);
}


/**
 * Add a reference to the DH object. The object should be free with
 * DH_free() to drop the reference.
 *
 * @param dh the object to increase the reference count too.
 *
 * @return the updated reference count, can't safely be used except
 * for debug printing.
 *
 */
int
DH_up_ref(DH *dh)
{
	return (++dh->references);
}


/**
 * The maximum output size of the DH_compute_key() function.
 *
 * @param dh The DH object to get the size from.
 *
 * @return the maximum size in bytes of the out data.
 *
 */
int
DH_size(const DH *dh)
{
	return ((int)((BN_num_bits(dh->p) + 7) / 8));
}


/**
 * Set the data index idx in the DH object to data.
 *
 * @param dh DH object.
 * @param idx index to set the data for.
 * @param data data to store for the index idx.
 *
 * @return 1 on success.
 *
 */
int
DH_set_ex_data(DH *dh, int idx, void *data)
{
	dh->ex_data.sk = data;
	return (1);
}


/**
 * Get the data for index idx in the DH object.
 *
 * @param dh DH object.
 * @param idx index to get the data for.
 *
 * @return the object store in index idx
 *
 */
void *
DH_get_ex_data(DH *dh, int idx)
{
	return (dh->ex_data.sk);
}


/**
 * Generate DH parameters for the DH object give parameters.
 *
 * @param dh The DH object to generate parameters for.
 * @param prime_len length of the prime
 * @param generator generator, g
 * @param cb Callback parameters to show progress, can be NULL.
 *
 * @return the maximum size in bytes of the out data.
 *
 */
int
DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb)
{
	if (dh->meth->generate_params) {
		return (dh->meth->generate_params(dh, prime_len, generator, cb));
	}
	return (0);
}


/**
 * Check that the public key is sane.
 *
 * @param dh the local peer DH parameters.
 * @param pub_key the remote peer public key parameters.
 * @param codes return that the failures of the pub_key are.
 *
 * @return 1 on success, 0 on failure and *codes is set the the
 * combined fail check for the public key
 *
 */
int
DH_check_pubkey(const DH *dh, const BIGNUM *pub_key, int *codes)
{
	BIGNUM *bn = NULL, *sum = NULL;
	int ret = 0;

	*codes = 0;

	/**
	 * Checks that the function performs are:
	 * - pub_key is not negative
	 */

	if (BN_is_negative(pub_key)) {
		goto out;
	}

	/**
	 * - pub_key > 1    and    pub_key < p - 1,
	 *    to avoid small subgroups attack.
	 */

	bn = BN_new();
	if (bn == NULL) {
		goto out;
	}

	if (!BN_set_word(bn, 1)) {
		goto out;
	}

	if (BN_cmp(bn, pub_key) >= 0) {
		*codes |= DH_CHECK_PUBKEY_TOO_SMALL;
	}

	sum = BN_new();
	if (sum == NULL) {
		goto out;
	}

	BN_uadd(sum, pub_key, bn);

	if (BN_cmp(sum, dh->p) >= 0) {
		*codes |= DH_CHECK_PUBKEY_TOO_LARGE;
	}

	/**
	 * - if g == 2, pub_key have more then one bit set,
	 *   if bits set is 1, log_2(pub_key) is trival
	 */

	if (!BN_set_word(bn, 2)) {
		goto out;
	}

	if (BN_cmp(bn, dh->g) == 0) {
		unsigned i, n = BN_num_bits(pub_key);
		unsigned bits = 0;

		for (i = 0; i <= n; i++) {
			if (BN_is_bit_set(pub_key, i)) {
				bits++;
			}
		}

		if (bits < 2) {
			*codes |= DH_CHECK_PUBKEY_TOO_SMALL;
			goto out;
		}
	}

	ret = 1;
out:
	if (bn) {
		BN_free(bn);
	}
	if (sum) {
		BN_free(sum);
	}

	return (ret);
}


/**
 * Generate a new DH private-public key pair. The dh parameter must be
 * allocted first with DH_new(). dh->p and dp->g must be set.
 *
 * @param dh dh parameter.
 *
 * @return 1 on success.
 *
 */
int
DH_generate_key(DH *dh)
{
	return (dh->meth->generate_key(dh));
}


/**
 * Complute the shared secret key.
 *
 * @param shared_key the resulting shared key, need to be at least
 * DH_size() large.
 * @param peer_pub_key the peer's public key.
 * @param dh the dh key pair.
 *
 */
int
DH_compute_key(unsigned char *shared_key,
    const BIGNUM *peer_pub_key, DH *dh)
{
	int codes;

	/**
	 * Checks that the pubkey passed in is valid using
	 * DH_check_pubkey().
	 */

	if (!DH_check_pubkey(dh, peer_pub_key, &codes) || (codes != 0)) {
		return (-1);
	}

	return (dh->meth->compute_key(shared_key, peer_pub_key, dh));
}


/**
 * Set a new method for the DH keypair.
 *
 * @param dh dh parameter.
 * @param method the new method for the DH parameter.
 *
 * @return 1 on success.
 *
 */
int
DH_set_method(DH *dh, const DH_METHOD *method)
{
	(*dh->meth->finish)(dh);
	if (dh->engine) {
		ENGINE_finish(dh->engine);
		dh->engine = NULL;
	}
	dh->meth = method;
	(*dh->meth->init)(dh);
	return (1);
}


/*
 * DH Null
 */
static int
dh_null_generate_key(DH *dh)
{
	return (0);
}


static int
dh_null_compute_key(unsigned char *shared, const BIGNUM *pub, DH *dh)
{
	return (0);
}


static int
dh_null_init(DH *dh)
{
	return (1);
}


static int
dh_null_finish(DH *dh)
{
	return (1);
}


static int
dh_null_generate_params(DH *dh, int prime_num, int len, BN_GENCB *cb)
{
	return (0);
}


static const DH_METHOD dh_null_method =
{
	.name = "OSSLShim null DH",
	.generate_key = dh_null_generate_key,
	.compute_key = dh_null_compute_key,
	.bn_mod_exp = NULL,
	.init = dh_null_init,
	.finish = dh_null_finish,
	.flags = 0,
	.app_data = NULL,
	.generate_params = dh_null_generate_params
};

/*
 * XXX <rdar://problem/10771223> and <rdar://problem/10771188> are
 *  blocking the use of CommonCrypto's DH code.
 */
#if  !defined(PR_10771223_FIXED) || !defined(PR_10771188_FIXED)
extern const DH_METHOD _ossl_dh_eay_method;
static const DH_METHOD *dh_default_method = &_ossl_dh_eay_method;
#elif HAVE_COMMONCRYPTO_COMMONDH_H
extern const DH_METHOD _ossl_dh_cc_method;
static const DH_METHOD *dh_default_method = &_ossl_dh_cc_method;
#elif HAVE_CDSA
extern const DH_METHOD _ossl_dh_cdsa_method;
static const DH_METHOD *dh_default_method = &_ossl_dh_cdsa_method;
#elif defined(__APPLE_TARGET_EMBEDDED__)
static const DH_METHOD *dh_default_method = &dh_null_method;
#elif defined(HEIM_HC_SF)
extern const DH_METHOD _hc_dh_sf_method;
static const DH_METHOD *dh_default_method = &_hc_dh_sf_method;
#elif defined(HEIM_HC_LTM)
extern const DH_METHOD _hc_dh_ltm_method;
static const DH_METHOD *dh_default_method = &_hc_dh_ltm_method;
#else
static const DH_METHOD *dh_default_method = &dh_null_method;
#endif

/**
 * Return the dummy DH implementation.
 *
 */
const DH_METHOD *
DH_null_method(void)
{
	return (&dh_null_method);
}


/**
 * Set the default DH implementation.
 *
 * @param meth pointer to a DH_METHOD.
 *
 */
void
DH_set_default_method(const DH_METHOD *meth)
{
	dh_default_method = meth;
}


/**
 * Return the default DH implementation.
 *
 * @return pointer to a DH_METHOD.
 *
 */
const DH_METHOD *
DH_get_default_method(void)
{
	return (dh_default_method);
}


/*
 *
 */
static int
bn2heim_int(BIGNUM *bn, heim_integer *integer)
{
	integer->length = BN_num_bytes(bn);
	integer->data = malloc(integer->length);
	if (integer->data == NULL) {
		integer->length = 0;
		return (ENOMEM);
	}
	BN_bn2bin(bn, integer->data);
	integer->negative = BN_is_negative(bn);
	return (0);
}


/**
 *
 */
int
i2d_DHparams(DH *dh, unsigned char **pp)
{
	DHParameter data;
	size_t size;
	int ret;

	memset(&data, 0, sizeof(data));

	if (bn2heim_int(dh->p, &data.prime) ||
	    bn2heim_int(dh->g, &data.base)) {
		free_DHParameter(&data);
		return (-1);
	}

	if (pp == NULL) {
		size = length_DHParameter(&data);
		free_DHParameter(&data);
	} else {
		void *p;
		size_t len;

		ASN1_MALLOC_ENCODE(DHParameter, p, len, &data, &size, ret);
		free_DHParameter(&data);
		if (ret) {
			return (-1);
		}
		if (len != size) {
			abort();
			return (-1);
		}

		memcpy((char *)*pp, p, size);
		free(p);

		*pp += size;
	}

	return (size);
}