crypto/dh.c at v5.0-rc4 · tjh.dev/kernel

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / crypto / dh.c
at v5.0-rc4 243 lines 5.0 kB view raw
wrap content
  1/*  Diffie-Hellman Key Agreement Method [RFC2631]
  2 *
  3 * Copyright (c) 2016, Intel Corporation
  4 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
  5 *
  6 * This program is free software; you can redistribute it and/or
  7 * modify it under the terms of the GNU General Public License
  8 * as published by the Free Software Foundation; either version
  9 * 2 of the License, or (at your option) any later version.
 10 */
 11
 12#include <linux/module.h>
 13#include <crypto/internal/kpp.h>
 14#include <crypto/kpp.h>
 15#include <crypto/dh.h>
 16#include <linux/mpi.h>
 17
 18struct dh_ctx {
 19	MPI p;	/* Value is guaranteed to be set. */
 20	MPI q;	/* Value is optional. */
 21	MPI g;	/* Value is guaranteed to be set. */
 22	MPI xa;	/* Value is guaranteed to be set. */
 23};
 24
 25static void dh_clear_ctx(struct dh_ctx *ctx)
 26{
 27	mpi_free(ctx->p);
 28	mpi_free(ctx->q);
 29	mpi_free(ctx->g);
 30	mpi_free(ctx->xa);
 31	memset(ctx, 0, sizeof(*ctx));
 32}
 33
 34/*
 35 * If base is g we compute the public key
 36 *	ya = g^xa mod p; [RFC2631 sec 2.1.1]
 37 * else if base if the counterpart public key we compute the shared secret
 38 *	ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
 39 */
 40static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
 41{
 42	/* val = base^xa mod p */
 43	return mpi_powm(val, base, ctx->xa, ctx->p);
 44}
 45
 46static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
 47{
 48	return kpp_tfm_ctx(tfm);
 49}
 50
 51static int dh_check_params_length(unsigned int p_len)
 52{
 53	return (p_len < 1536) ? -EINVAL : 0;
 54}
 55
 56static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
 57{
 58	if (dh_check_params_length(params->p_size << 3))
 59		return -EINVAL;
 60
 61	ctx->p = mpi_read_raw_data(params->p, params->p_size);
 62	if (!ctx->p)
 63		return -EINVAL;
 64
 65	if (params->q && params->q_size) {
 66		ctx->q = mpi_read_raw_data(params->q, params->q_size);
 67		if (!ctx->q)
 68			return -EINVAL;
 69	}
 70
 71	ctx->g = mpi_read_raw_data(params->g, params->g_size);
 72	if (!ctx->g)
 73		return -EINVAL;
 74
 75	return 0;
 76}
 77
 78static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
 79			 unsigned int len)
 80{
 81	struct dh_ctx *ctx = dh_get_ctx(tfm);
 82	struct dh params;
 83
 84	/* Free the old MPI key if any */
 85	dh_clear_ctx(ctx);
 86
 87	if (crypto_dh_decode_key(buf, len, &params) < 0)
 88		goto err_clear_ctx;
 89
 90	if (dh_set_params(ctx, &params) < 0)
 91		goto err_clear_ctx;
 92
 93	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
 94	if (!ctx->xa)
 95		goto err_clear_ctx;
 96
 97	return 0;
 98
 99err_clear_ctx:
100	dh_clear_ctx(ctx);
101	return -EINVAL;
102}
103
104/*
105 * SP800-56A public key verification:
106 *
107 * * If Q is provided as part of the domain paramenters, a full validation
108 *   according to SP800-56A section 5.6.2.3.1 is performed.
109 *
110 * * If Q is not provided, a partial validation according to SP800-56A section
111 *   5.6.2.3.2 is performed.
112 */
113static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
114{
115	if (unlikely(!ctx->p))
116		return -EINVAL;
117
118	/*
119	 * Step 1: Verify that 2 <= y <= p - 2.
120	 *
121	 * The upper limit check is actually y < p instead of y < p - 1
122	 * as the mpi_sub_ui function is yet missing.
123	 */
124	if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
125		return -EINVAL;
126
127	/* Step 2: Verify that 1 = y^q mod p */
128	if (ctx->q) {
129		MPI val = mpi_alloc(0);
130		int ret;
131
132		if (!val)
133			return -ENOMEM;
134
135		ret = mpi_powm(val, y, ctx->q, ctx->p);
136
137		if (ret) {
138			mpi_free(val);
139			return ret;
140		}
141
142		ret = mpi_cmp_ui(val, 1);
143
144		mpi_free(val);
145
146		if (ret != 0)
147			return -EINVAL;
148	}
149
150	return 0;
151}
152
153static int dh_compute_value(struct kpp_request *req)
154{
155	struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
156	struct dh_ctx *ctx = dh_get_ctx(tfm);
157	MPI base, val = mpi_alloc(0);
158	int ret = 0;
159	int sign;
160
161	if (!val)
162		return -ENOMEM;
163
164	if (unlikely(!ctx->xa)) {
165		ret = -EINVAL;
166		goto err_free_val;
167	}
168
169	if (req->src) {
170		base = mpi_read_raw_from_sgl(req->src, req->src_len);
171		if (!base) {
172			ret = -EINVAL;
173			goto err_free_val;
174		}
175		ret = dh_is_pubkey_valid(ctx, base);
176		if (ret)
177			goto err_free_base;
178	} else {
179		base = ctx->g;
180	}
181
182	ret = _compute_val(ctx, base, val);
183	if (ret)
184		goto err_free_base;
185
186	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
187	if (ret)
188		goto err_free_base;
189
190	if (sign < 0)
191		ret = -EBADMSG;
192err_free_base:
193	if (req->src)
194		mpi_free(base);
195err_free_val:
196	mpi_free(val);
197	return ret;
198}
199
200static unsigned int dh_max_size(struct crypto_kpp *tfm)
201{
202	struct dh_ctx *ctx = dh_get_ctx(tfm);
203
204	return mpi_get_size(ctx->p);
205}
206
207static void dh_exit_tfm(struct crypto_kpp *tfm)
208{
209	struct dh_ctx *ctx = dh_get_ctx(tfm);
210
211	dh_clear_ctx(ctx);
212}
213
214static struct kpp_alg dh = {
215	.set_secret = dh_set_secret,
216	.generate_public_key = dh_compute_value,
217	.compute_shared_secret = dh_compute_value,
218	.max_size = dh_max_size,
219	.exit = dh_exit_tfm,
220	.base = {
221		.cra_name = "dh",
222		.cra_driver_name = "dh-generic",
223		.cra_priority = 100,
224		.cra_module = THIS_MODULE,
225		.cra_ctxsize = sizeof(struct dh_ctx),
226	},
227};
228
229static int dh_init(void)
230{
231	return crypto_register_kpp(&dh);
232}
233
234static void dh_exit(void)
235{
236	crypto_unregister_kpp(&dh);
237}
238
239module_init(dh_init);
240module_exit(dh_exit);
241MODULE_ALIAS_CRYPTO("dh");
242MODULE_LICENSE("GPL");
243MODULE_DESCRIPTION("DH generic algorithm");
Configure Feed

Configure Feed
