mbedtls_dh.c 3.5 KB

  1. /* Copyright (C) 2017 Fortanix, Inc.
  2. This file is part of Graphene Library OS.
  3. Graphene Library OS is free software: you can redistribute it and/or
  4. modify it under the terms of the GNU Lesser General Public License
  5. as published by the Free Software Foundation, either version 3 of the
  6. License, or (at your option) any later version.
  7. Graphene Library OS is distributed in the hope that it will be useful,
  8. but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. GNU Lesser General Public License for more details.
  11. You should have received a copy of the GNU Lesser General Public License
  12. along with this program. If not, see <http://www.gnu.org/licenses/>. */
  13. #include <errno.h>
  14. #include <limits.h>
  15. #include "api.h"
  16. #include "pal.h"
  17. #include "pal_error.h"
  18. #include "pal_crypto.h"
  19. #include "pal_debug.h"
  20. #include "assert.h"
  21. #define BITS_PER_BYTE 8
  22. /* This is declared in pal_internal.h, but that can't be included here. */
  23. int _DkRandomBitsRead(void *buffer, int size);
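  /* Adapter giving mbedtls the RNG callback shape it expects: an opaque
   * context pointer (unused here), an output buffer and a byte count, with
   * 0 returned for success and nonzero for failure.
   *
   * _DkRandomBitsRead() takes its length as an int, so a request larger than
   * INT_MAX is refused up front. Without this check the size_t would be
   * narrowed implicitly and the length handed to the PAL would no longer
   * match the number of bytes mbedtls expects to be filled with randomness. */
  static int RandomWrapper(void *private, unsigned char *data, size_t size)
  {
      __UNUSED(private);

      if (size > INT_MAX)
          return -PAL_ERROR_INVAL;

      /* NOTE(review): the result is passed through unchanged, which assumes
       * _DkRandomBitsRead() returns 0 on success -- confirm against the PAL
       * implementation, since mbedtls treats any nonzero value as failure. */
      return _DkRandomBitsRead(data, (int)size);
  }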
  /* Prepare a Diffie-Hellman context that uses the fixed 2048-bit MODP group
   * from RFC 3526.
   *
   * Returns 0 on success, or the nonzero mbedtls status if either group
   * parameter could not be parsed (a diagnostic is printed in that case). */
  int lib_DhInit(LIB_DH_CONTEXT *context)
  {
      int rc;

      mbedtls_dhm_init(context);

      /* Group parameters are the well-known RFC 3526 constants. Custom
       * Diffie-Hellman parameters are considered more secure, but the two
       * parties would have to exchange more data to agree on them, so that
       * is not implemented yet. */
      rc = mbedtls_mpi_read_string(&context->P, 16 /* radix */,
                                   MBEDTLS_DHM_RFC3526_MODP_2048_P);
      if (rc == 0) {
          /* The generator is parsed only once the prime has loaded. */
          rc = mbedtls_mpi_read_string(&context->G, 16 /* radix */,
                                       MBEDTLS_DHM_RFC3526_MODP_2048_G);
      }

      if (rc != 0) {
          /* NOTE(review): the context is not released on this path;
           * presumably the caller still invokes lib_DhFinal() -- confirm. */
          pal_printf("D-H initialization failed: %d\n", rc);
          return rc;
      }

      /* Record the byte length of the modulus P in the context. */
      context->len = mbedtls_mpi_size(&context->P);
      return 0;
  }
  /* Generate the local secret exponent and write the corresponding public
   * value into `public`.
   *
   * *public_size must be exactly DH_SIZE on entry, otherwise
   * -PAL_ERROR_INVAL is returned; it is not modified. Any other return value
   * is the mbedtls status, 0 meaning success. */
  int lib_DhCreatePublic(LIB_DH_CONTEXT *context, uint8_t *public,
                         uint64_t *public_size)
  {
      if (*public_size != DH_SIZE) {
          return -PAL_ERROR_INVAL;
      }

      /* RandomWrapper supplies the randomness for the secret exponent X.
       * mbedtls pads the big-endian output with leading zeros up to the size
       * passed in, so the caller's *public_size already holds the right
       * length and is left unchanged. */
      return mbedtls_dhm_make_public(context, context->len, public, *public_size,
                                     RandomWrapper, NULL);
  }
  /* Import the peer's public value and derive the shared secret.
   *
   * *secret_size must be exactly DH_SIZE on entry, otherwise
   * -PAL_ERROR_INVAL is returned. On success mbedtls stores the number of
   * bytes it actually wrote to `secret` in *secret_size, so callers should
   * use the updated value. Any other return value is the mbedtls status.
   *
   * NOTE(review): this function does no validation of the peer value itself;
   * it relies on whatever checks mbedtls applies when reading the public
   * value and computing the secret -- confirm for the mbedtls version in
   * use. */
  int lib_DhCalcSecret(LIB_DH_CONTEXT *context, uint8_t *peer, uint64_t peer_size,
                       uint8_t *secret, uint64_t *secret_size)
  {
      int rc = -PAL_ERROR_INVAL;

      if (*secret_size == DH_SIZE) {
          rc = mbedtls_dhm_read_public(context, peer, peer_size);
          if (rc == 0) {
              /* The RNG is used only for blinding against timing attacks
               * when X is reused; mbedtls recommends always passing one. */
              rc = mbedtls_dhm_calc_secret(context, secret, *secret_size,
                                           secret_size, RandomWrapper, NULL);
          }
      }

      return rc;
  }
  /* Release a Diffie-Hellman context once the exchange is finished. */
  void lib_DhFinal(LIB_DH_CONTEXT *context)
  {
      /* mbedtls_dhm_free() also zeros the context, so no separate wipe of
       * the key material is done here. */
      mbedtls_dhm_free(context);
  }