1// SPDX-License-Identifier: GPL-2.0-or-later
  2/*  Diffie-Hellman Key Agreement Method [RFC2631]
  3 *
  4 * Copyright (c) 2016, Intel Corporation
  5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
  6 */
  7
  8#include <linux/module.h>
  9#include <crypto/internal/kpp.h>
 10#include <crypto/kpp.h>
 11#include <crypto/dh.h>
 12#include <linux/fips.h>
 13#include <linux/mpi.h>
 14
 15struct dh_ctx {
 16	MPI p;	/* Value is guaranteed to be set. */
 17	MPI q;	/* Value is optional. */
 18	MPI g;	/* Value is guaranteed to be set. */
 19	MPI xa;	/* Value is guaranteed to be set. */
 20};
 21
 22static void dh_clear_ctx(struct dh_ctx *ctx)
 23{
 24	mpi_free(ctx->p);
 25	mpi_free(ctx->q);
 26	mpi_free(ctx->g);
 27	mpi_free(ctx->xa);
 28	memset(ctx, 0, sizeof(*ctx));
 29}
 30
 31/*
 32 * If base is g we compute the public key
 33 *	ya = g^xa mod p; [RFC2631 sec 2.1.1]
 34 * else if base if the counterpart public key we compute the shared secret
 35 *	ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
 36 */
 37static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
 38{
 39	/* val = base^xa mod p */
 40	return mpi_powm(val, base, ctx->xa, ctx->p);
 41}
 42
 43static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
 44{
 45	return kpp_tfm_ctx(tfm);
 46}
 47
 48static int dh_check_params_length(unsigned int p_len)
 49{
 50	return (p_len < 1536) ? -EINVAL : 0;
 51}
 52
 53static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
 54{
 55	if (dh_check_params_length(params->p_size << 3))
 56		return -EINVAL;
 57
 58	ctx->p = mpi_read_raw_data(params->p, params->p_size);
 59	if (!ctx->p)
 60		return -EINVAL;
 61
 62	if (params->q && params->q_size) {
 63		ctx->q = mpi_read_raw_data(params->q, params->q_size);
 64		if (!ctx->q)
 65			return -EINVAL;
 66	}
 67
 68	ctx->g = mpi_read_raw_data(params->g, params->g_size);
 69	if (!ctx->g)
 70		return -EINVAL;
 71
 72	return 0;
 73}
 74
 75static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
 76			 unsigned int len)
 77{
 78	struct dh_ctx *ctx = dh_get_ctx(tfm);
 79	struct dh params;
 80
 81	/* Free the old MPI key if any */
 82	dh_clear_ctx(ctx);
 83
 84	if (crypto_dh_decode_key(buf, len, &params) < 0)
 85		goto err_clear_ctx;
 86
 87	if (dh_set_params(ctx, &params) < 0)
 88		goto err_clear_ctx;
 89
 90	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
 91	if (!ctx->xa)
 92		goto err_clear_ctx;
 93
 94	return 0;
 95
 96err_clear_ctx:
 97	dh_clear_ctx(ctx);
 98	return -EINVAL;
 99}
100
101/*
102 * SP800-56A public key verification:
103 *
104 * * If Q is provided as part of the domain paramenters, a full validation
105 *   according to SP800-56A section 5.6.2.3.1 is performed.
106 *
107 * * If Q is not provided, a partial validation according to SP800-56A section
108 *   5.6.2.3.2 is performed.
109 */
110static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
111{
112	if (unlikely(!ctx->p))
113		return -EINVAL;
114
115	/*
116	 * Step 1: Verify that 2 <= y <= p - 2.
117	 *
118	 * The upper limit check is actually y < p instead of y < p - 1
119	 * as the mpi_sub_ui function is yet missing.
120	 */
121	if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
122		return -EINVAL;
123
124	/* Step 2: Verify that 1 = y^q mod p */
125	if (ctx->q) {
126		MPI val = mpi_alloc(0);
127		int ret;
128
129		if (!val)
130			return -ENOMEM;
131
132		ret = mpi_powm(val, y, ctx->q, ctx->p);
133
134		if (ret) {
135			mpi_free(val);
136			return ret;
137		}
138
139		ret = mpi_cmp_ui(val, 1);
140
141		mpi_free(val);
142
143		if (ret != 0)
144			return -EINVAL;
145	}
146
147	return 0;
148}
149
150static int dh_compute_value(struct kpp_request *req)
151{
152	struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
153	struct dh_ctx *ctx = dh_get_ctx(tfm);
154	MPI base, val = mpi_alloc(0);
155	int ret = 0;
156	int sign;
157
158	if (!val)
159		return -ENOMEM;
160
161	if (unlikely(!ctx->xa)) {
162		ret = -EINVAL;
163		goto err_free_val;
164	}
165
166	if (req->src) {
167		base = mpi_read_raw_from_sgl(req->src, req->src_len);
168		if (!base) {
169			ret = -EINVAL;
170			goto err_free_val;
171		}
172		ret = dh_is_pubkey_valid(ctx, base);
173		if (ret)
174			goto err_free_base;
175	} else {
176		base = ctx->g;
177	}
178
179	ret = _compute_val(ctx, base, val);
180	if (ret)
181		goto err_free_base;
182
183	if (fips_enabled) {
184		/* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
185		if (req->src) {
186			MPI pone;
187
188			/* z <= 1 */
189			if (mpi_cmp_ui(val, 1) < 1) {
190				ret = -EBADMSG;
191				goto err_free_base;
192			}
193
194			/* z == p - 1 */
195			pone = mpi_alloc(0);
196
197			if (!pone) {
198				ret = -ENOMEM;
199				goto err_free_base;
200			}
201
202			ret = mpi_sub_ui(pone, ctx->p, 1);
203			if (!ret && !mpi_cmp(pone, val))
204				ret = -EBADMSG;
205
206			mpi_free(pone);
207
208			if (ret)
209				goto err_free_base;
210
211		/* SP800-56A rev 3 5.6.2.1.3 key check */
212		} else {
213			if (dh_is_pubkey_valid(ctx, val)) {
214				ret = -EAGAIN;
215				goto err_free_val;
216			}
217		}
218	}
219
220	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
221	if (ret)
222		goto err_free_base;
223
224	if (sign < 0)
225		ret = -EBADMSG;
226err_free_base:
227	if (req->src)
228		mpi_free(base);
229err_free_val:
230	mpi_free(val);
231	return ret;
232}
233
234static unsigned int dh_max_size(struct crypto_kpp *tfm)
235{
236	struct dh_ctx *ctx = dh_get_ctx(tfm);
237
238	return mpi_get_size(ctx->p);
239}
240
241static void dh_exit_tfm(struct crypto_kpp *tfm)
242{
243	struct dh_ctx *ctx = dh_get_ctx(tfm);
244
245	dh_clear_ctx(ctx);
246}
247
248static struct kpp_alg dh = {
249	.set_secret = dh_set_secret,
250	.generate_public_key = dh_compute_value,
251	.compute_shared_secret = dh_compute_value,
252	.max_size = dh_max_size,
253	.exit = dh_exit_tfm,
254	.base = {
255		.cra_name = "dh",
256		.cra_driver_name = "dh-generic",
257		.cra_priority = 100,
258		.cra_module = THIS_MODULE,
259		.cra_ctxsize = sizeof(struct dh_ctx),
260	},
261};
262
263static int dh_init(void)
264{
265	return crypto_register_kpp(&dh);
266}
267
268static void dh_exit(void)
269{
270	crypto_unregister_kpp(&dh);
271}
272
273subsys_initcall(dh_init);
274module_exit(dh_exit);
275MODULE_ALIAS_CRYPTO("dh");
276MODULE_LICENSE("GPL");
277MODULE_DESCRIPTION("DH generic algorithm");

  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/*  Diffie-Hellman Key Agreement Method [RFC2631]
  3 *
  4 * Copyright (c) 2016, Intel Corporation
  5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
  6 */
  7
  8#include <linux/module.h>
  9#include <crypto/internal/kpp.h>
 10#include <crypto/kpp.h>
 11#include <crypto/dh.h>
 
 12#include <linux/mpi.h>
 13
 14struct dh_ctx {
 15	MPI p;	/* Value is guaranteed to be set. */
 16	MPI q;	/* Value is optional. */
 17	MPI g;	/* Value is guaranteed to be set. */
 18	MPI xa;	/* Value is guaranteed to be set. */
 19};
 20
 21static void dh_clear_ctx(struct dh_ctx *ctx)
 22{
 23	mpi_free(ctx->p);
 24	mpi_free(ctx->q);
 25	mpi_free(ctx->g);
 26	mpi_free(ctx->xa);
 27	memset(ctx, 0, sizeof(*ctx));
 28}
 29
 30/*
 31 * If base is g we compute the public key
 32 *	ya = g^xa mod p; [RFC2631 sec 2.1.1]
 33 * else if base if the counterpart public key we compute the shared secret
 34 *	ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
 35 */
 36static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
 37{
 38	/* val = base^xa mod p */
 39	return mpi_powm(val, base, ctx->xa, ctx->p);
 40}
 41
 42static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
 43{
 44	return kpp_tfm_ctx(tfm);
 45}
 46
 47static int dh_check_params_length(unsigned int p_len)
 48{
 49	return (p_len < 1536) ? -EINVAL : 0;
 50}
 51
 52static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
 53{
 54	if (dh_check_params_length(params->p_size << 3))
 55		return -EINVAL;
 56
 57	ctx->p = mpi_read_raw_data(params->p, params->p_size);
 58	if (!ctx->p)
 59		return -EINVAL;
 60
 61	if (params->q && params->q_size) {
 62		ctx->q = mpi_read_raw_data(params->q, params->q_size);
 63		if (!ctx->q)
 64			return -EINVAL;
 65	}
 66
 67	ctx->g = mpi_read_raw_data(params->g, params->g_size);
 68	if (!ctx->g)
 69		return -EINVAL;
 70
 71	return 0;
 72}
 73
 74static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
 75			 unsigned int len)
 76{
 77	struct dh_ctx *ctx = dh_get_ctx(tfm);
 78	struct dh params;
 79
 80	/* Free the old MPI key if any */
 81	dh_clear_ctx(ctx);
 82
 83	if (crypto_dh_decode_key(buf, len, &params) < 0)
 84		goto err_clear_ctx;
 85
 86	if (dh_set_params(ctx, &params) < 0)
 87		goto err_clear_ctx;
 88
 89	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
 90	if (!ctx->xa)
 91		goto err_clear_ctx;
 92
 93	return 0;
 94
 95err_clear_ctx:
 96	dh_clear_ctx(ctx);
 97	return -EINVAL;
 98}
 99
100/*
101 * SP800-56A public key verification:
102 *
103 * * If Q is provided as part of the domain paramenters, a full validation
104 *   according to SP800-56A section 5.6.2.3.1 is performed.
105 *
106 * * If Q is not provided, a partial validation according to SP800-56A section
107 *   5.6.2.3.2 is performed.
108 */
109static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
110{
111	if (unlikely(!ctx->p))
112		return -EINVAL;
113
114	/*
115	 * Step 1: Verify that 2 <= y <= p - 2.
116	 *
117	 * The upper limit check is actually y < p instead of y < p - 1
118	 * as the mpi_sub_ui function is yet missing.
119	 */
120	if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
121		return -EINVAL;
122
123	/* Step 2: Verify that 1 = y^q mod p */
124	if (ctx->q) {
125		MPI val = mpi_alloc(0);
126		int ret;
127
128		if (!val)
129			return -ENOMEM;
130
131		ret = mpi_powm(val, y, ctx->q, ctx->p);
132
133		if (ret) {
134			mpi_free(val);
135			return ret;
136		}
137
138		ret = mpi_cmp_ui(val, 1);
139
140		mpi_free(val);
141
142		if (ret != 0)
143			return -EINVAL;
144	}
145
146	return 0;
147}
148
149static int dh_compute_value(struct kpp_request *req)
150{
151	struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
152	struct dh_ctx *ctx = dh_get_ctx(tfm);
153	MPI base, val = mpi_alloc(0);
154	int ret = 0;
155	int sign;
156
157	if (!val)
158		return -ENOMEM;
159
160	if (unlikely(!ctx->xa)) {
161		ret = -EINVAL;
162		goto err_free_val;
163	}
164
165	if (req->src) {
166		base = mpi_read_raw_from_sgl(req->src, req->src_len);
167		if (!base) {
168			ret = -EINVAL;
169			goto err_free_val;
170		}
171		ret = dh_is_pubkey_valid(ctx, base);
172		if (ret)
173			goto err_free_base;
174	} else {
175		base = ctx->g;
176	}
177
178	ret = _compute_val(ctx, base, val);
179	if (ret)
180		goto err_free_base;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
181
182	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
183	if (ret)
184		goto err_free_base;
185
186	if (sign < 0)
187		ret = -EBADMSG;
188err_free_base:
189	if (req->src)
190		mpi_free(base);
191err_free_val:
192	mpi_free(val);
193	return ret;
194}
195
196static unsigned int dh_max_size(struct crypto_kpp *tfm)
197{
198	struct dh_ctx *ctx = dh_get_ctx(tfm);
199
200	return mpi_get_size(ctx->p);
201}
202
203static void dh_exit_tfm(struct crypto_kpp *tfm)
204{
205	struct dh_ctx *ctx = dh_get_ctx(tfm);
206
207	dh_clear_ctx(ctx);
208}
209
210static struct kpp_alg dh = {
211	.set_secret = dh_set_secret,
212	.generate_public_key = dh_compute_value,
213	.compute_shared_secret = dh_compute_value,
214	.max_size = dh_max_size,
215	.exit = dh_exit_tfm,
216	.base = {
217		.cra_name = "dh",
218		.cra_driver_name = "dh-generic",
219		.cra_priority = 100,
220		.cra_module = THIS_MODULE,
221		.cra_ctxsize = sizeof(struct dh_ctx),
222	},
223};
224
225static int dh_init(void)
226{
227	return crypto_register_kpp(&dh);
228}
229
230static void dh_exit(void)
231{
232	crypto_unregister_kpp(&dh);
233}
234
235subsys_initcall(dh_init);
236module_exit(dh_exit);
237MODULE_ALIAS_CRYPTO("dh");
238MODULE_LICENSE("GPL");
239MODULE_DESCRIPTION("DH generic algorithm");