crypto/dh/dh_impl.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * This file contains DH helper routines common to
 * the PKCS11 soft token code and the kernel DH code.
 */

#include <sys/types.h>
#include <sys/sysmacros.h>
#include <bignum.h>

#ifdef _KERNEL
#include <sys/param.h>
#else
#include <strings.h>
#include <cryptoutil.h>
#endif

#include <sys/crypto/common.h>
#include <des/des_impl.h>
#include "dh_impl.h"


static CK_RV
convert_rv(BIG_ERR_CODE err)
{
    switch (err) {

    case BIG_OK:
        return (CKR_OK);

    case BIG_NO_MEM:
        return (CKR_HOST_MEMORY);

    case BIG_NO_RANDOM:
        return (CKR_DEVICE_ERROR);

    case BIG_INVALID_ARGS:
        return (CKR_ARGUMENTS_BAD);

    case BIG_DIV_BY_0:
    default:
        return (CKR_GENERAL_ERROR);
    }
}

/* size is in bits */
static BIG_ERR_CODE
DH_key_init(DHkey *key, int size)
{
    BIG_ERR_CODE err = BIG_OK;
    int len;

    len = BITLEN2BIGNUMLEN(size);
    key->size = size;

    if ((err = big_init(&(key->p), len)) != BIG_OK)
        return (err);
    if ((err = big_init(&(key->g), len)) != BIG_OK)
        goto ret1;
    if ((err = big_init(&(key->x), len)) != BIG_OK)
        goto ret2;
    if ((err = big_init(&(key->y), len)) != BIG_OK)
        goto ret3;

    return (BIG_OK);

ret3:
    big_finish(&(key->x));
ret2:
    big_finish(&(key->g));
ret1:
    big_finish(&(key->p));
    return (err);
}

static void
DH_key_finish(DHkey *key)
{

    big_finish(&(key->y));
    big_finish(&(key->x));
    big_finish(&(key->g));
    big_finish(&(key->p));

}

/*
 * Generate DH key pair x and y, given prime p and base g.
 * Can optionally provided bit length of x, not to exceed bit length of p.
 *
 * For those not familiar with DH keys, there are 4 components:
 * p - a known prime
 * g - the base 0 < g < p
 * x - a random number 0 < x < p-1, or if a smaller value is desired,
 *     2^(len-1) <= x < 2^(len)
 * y = g^x mod p, this implies 0 < y < p.  That is important!
 */
CK_RV
dh_genkey_pair(DHbytekey *bkey)
{
    CK_RV       rv = CKR_OK;
    BIG_ERR_CODE    brv;
    uint32_t    primebit_len;
    DHkey       dhkey;
    int     (*rf)(void *, size_t);
    uint32_t    prime_bytes;

    if (bkey == NULL)
        return (CKR_ARGUMENTS_BAD);

    /* Must have prime and base set, value bits can be 0 or non-0 */
    if (bkey->prime_bits == 0 || bkey->prime == NULL ||
        bkey->base_bytes == 0 || bkey->base == NULL)
        return (CKR_ARGUMENTS_BAD);

    prime_bytes = CRYPTO_BITS2BYTES(bkey->prime_bits);

    if ((prime_bytes < MIN_DH_KEYLENGTH_IN_BYTES) ||
        (prime_bytes > MAX_DH_KEYLENGTH_IN_BYTES)) {
        return (CKR_KEY_SIZE_RANGE);
    }

    /*
     * Initialize the DH key.
     * Note: big_extend takes length in words.
     */
    if ((brv = DH_key_init(&dhkey, bkey->prime_bits)) != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    /* Convert prime p to bignum. */
    if ((brv = big_extend(&(dhkey.p), CHARLEN2BIGNUMLEN(prime_bytes))) !=
        BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }
    bytestring2bignum(&(dhkey.p), bkey->prime, prime_bytes);

    /* Convert base g to bignum. */
    if ((brv = big_extend(&(dhkey.g),
        CHARLEN2BIGNUMLEN(bkey->base_bytes))) != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }
    bytestring2bignum(&(dhkey.g), bkey->base, bkey->base_bytes);

    /* Base g cannot be greater than prime p. */
    if (big_cmp_abs(&(dhkey.g), &(dhkey.p)) >= 0) {
        rv = CKR_ATTRIBUTE_VALUE_INVALID;
        goto ret;
    }

    /*
     * The intention of selecting a private-value length is to reduce
     * the computation time for key agreement, while maintaining a
     * given level of security.
     */

    /* Maximum bit length for private-value x is bit length of prime p */
    primebit_len = big_bitlength(&(dhkey.p));

    if (bkey->value_bits == 0)
        bkey->value_bits = primebit_len;

    if (bkey->value_bits > primebit_len) {
        rv = CKR_ATTRIBUTE_VALUE_INVALID;
        goto ret;
    }

    /* Generate DH key pair private and public values. */
    if ((brv = big_extend(&(dhkey.x), BITLEN2BIGNUMLEN(bkey->value_bits)))
        != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    if ((brv = big_extend(&(dhkey.y), CHARLEN2BIGNUMLEN(prime_bytes)))
        != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    /*
     * The big integer of the private value shall be generated privately
     * and randomly.
     */
    rf = bkey->rfunc;
    if (rf == NULL) {
#ifdef _KERNEL
        rf = random_get_pseudo_bytes;
#else
        rf = pkcs11_get_urandom;
#endif
    }

    if ((brv = big_random(&(dhkey.x), bkey->value_bits, rf)) != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    /*
     * The base g shall be raised to the private value x modulo p to
     * give an integer y, the integer public value, i.e. y = (g^x) mod p.
     */
    if ((brv = big_modexp(&(dhkey.y), &(dhkey.g), &(dhkey.x),
        &(dhkey.p), NULL)) != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    bignum2bytestring(bkey->private_x, &(dhkey.x),
        CRYPTO_BITS2BYTES(bkey->value_bits));
    bignum2bytestring(bkey->public_y, &(dhkey.y), prime_bytes);

ret:
    DH_key_finish(&dhkey);

    return (rv);
}

/*
 * DH key derive operation, flag is ignored in userland
 */
CK_RV
dh_key_derive(DHbytekey *bkey, uint32_t key_type,   /* = CKK_KEY_TYPE */
    uchar_t *secretkey, uint32_t *secretkey_len,    /* derived secret */
    int flag)
{
    CK_RV       rv = CKR_OK;
    BIG_ERR_CODE    brv;
    DHkey       dhkey;
    uchar_t     *s = NULL;
    uint32_t    s_bytes = 0;
    uint32_t    prime_bytes;
    uint32_t    value_bytes;
    size_t      s_alloc;

    if (bkey == NULL)
        return (CKR_ARGUMENTS_BAD);

    /* Must have prime, private value and public value */
    if (bkey->prime_bits == 0 || bkey->prime == NULL ||
        bkey->value_bits == 0 || bkey->private_x == NULL ||
        bkey->public_y == NULL)
        return (CKR_ARGUMENTS_BAD);

    if (secretkey == NULL) {
        return (CKR_ARGUMENTS_BAD);
    }

    prime_bytes = CRYPTO_BITS2BYTES(bkey->prime_bits);
    value_bytes = CRYPTO_BITS2BYTES(bkey->value_bits);

    /*
     * Initialize the DH key.
     * Note: big_extend takes length in words.
     */
    if ((brv = DH_key_init(&dhkey, bkey->prime_bits)) != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    /* Convert prime p to bignum. */
    if ((brv = big_extend(&(dhkey.p), CHARLEN2BIGNUMLEN(prime_bytes))) !=
        BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }
    bytestring2bignum(&(dhkey.p), bkey->prime, prime_bytes);

    /* Convert private-value x to bignum. */
    if ((brv = big_extend(&(dhkey.x), CHARLEN2BIGNUMLEN(value_bytes))) !=
        BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }
    bytestring2bignum(&(dhkey.x), bkey->private_x, value_bytes);

    /* Convert public-value y to bignum. */
    if ((brv = big_extend(&(dhkey.y), CHARLEN2BIGNUMLEN(prime_bytes))) !=
        BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }
    bytestring2bignum(&(dhkey.y), bkey->public_y, prime_bytes);

    /*
     * Recycle base g as a temporary variable to compute the derived
     * secret value which is "g" = (y^x) mod p.  (Not recomputing g.)
     */
    if ((brv = big_extend(&(dhkey.g), CHARLEN2BIGNUMLEN(prime_bytes))) !=
        BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    if ((brv = big_modexp(&(dhkey.g), &(dhkey.y), &(dhkey.x),
        &(dhkey.p), NULL)) != BIG_OK) {
        rv = convert_rv(brv);
        goto ret;
    }

    s_alloc = P2ROUNDUP_TYPED(prime_bytes, sizeof (BIG_CHUNK_TYPE), size_t);

#ifdef _KERNEL
    if ((s = kmem_alloc(s_alloc, flag)) == NULL) {
        rv = CKR_HOST_MEMORY;
        goto ret;
    }
#else
    if ((s = malloc(s_alloc)) == NULL) {
        rv = CKR_HOST_MEMORY;
        goto ret;
    }
#endif
    s_bytes = dhkey.g.len * (int)sizeof (BIG_CHUNK_TYPE);
    bignum2bytestring(s, &(dhkey.g), s_bytes);

    switch (key_type) {

    case CKK_DES:
        *secretkey_len = DES_KEYSIZE;
        break;
    case CKK_DES2:
        *secretkey_len = DES2_KEYSIZE;
        break;
    case CKK_DES3:
        *secretkey_len = DES3_KEYSIZE;
        break;
    case CKK_RC4:
    case CKK_AES:
    case CKK_GENERIC_SECRET:
        /* use provided secret key length, if any */
        break;
    default:
        /* invalid key type */
        rv = CKR_ATTRIBUTE_TYPE_INVALID;
        goto ret;
    }

    if (*secretkey_len == 0) {
        *secretkey_len = s_bytes;
    }

    if (*secretkey_len > s_bytes) {
        rv = CKR_ATTRIBUTE_VALUE_INVALID;
        goto ret;
    }

    /*
     * The truncation removes bytes from the leading end of the
     * secret value.
     */
    (void) memcpy(secretkey, (s + s_bytes - *secretkey_len),
        *secretkey_len);

ret:
    if (s != NULL)
#ifdef _KERNEL
        kmem_free(s, s_alloc);
#else
        free(s);
#endif

    DH_key_finish(&dhkey);

    return (rv);
}