/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * Diffie-Hellman parameter generation, key generation, and secret derivation. * KEA secret generation and verification. */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif #include "prerr.h" #include "secerr.h" #include "blapi.h" #include "blapii.h" #include "secitem.h" #include "mpi.h" #include "secmpi.h" #define KEA_DERIVED_SECRET_LEN 128 /* Lengths are in bytes. */ static unsigned int dh_GetSecretKeyLen(unsigned int primeLen) { /* Based on Table 2 in NIST SP 800-57. */ if (primeLen >= 1920) { /* 15360 bits */ return 64; /* 512 bits */ } if (primeLen >= 960) { /* 7680 bits */ return 48; /* 384 bits */ } if (primeLen >= 384) { /* 3072 bits */ return 32; /* 256 bits */ } if (primeLen >= 256) { /* 2048 bits */ return 28; /* 224 bits */ } return 20; /* 160 bits */ } SECStatus DH_GenParam(int primeLen, DHParams **params) { PLArenaPool *arena; DHParams *dhparams; unsigned char *ab = NULL; mp_int p, q, a, h, psub1, test; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; if (!params || primeLen < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE); if (!arena) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } dhparams = (DHParams *)PORT_ArenaZAlloc(arena, sizeof(DHParams)); if (!dhparams) { PORT_SetError(SEC_ERROR_NO_MEMORY); PORT_FreeArena(arena, PR_TRUE); return SECFailure; } dhparams->arena = arena; MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&a) = 0; MP_DIGITS(&h) = 0; MP_DIGITS(&psub1) = 0; MP_DIGITS(&test) = 0; CHECK_MPI_OK(mp_init(&p)); CHECK_MPI_OK(mp_init(&q)); CHECK_MPI_OK(mp_init(&a)); CHECK_MPI_OK(mp_init(&h)); CHECK_MPI_OK(mp_init(&psub1)); CHECK_MPI_OK(mp_init(&test)); /* generate prime with MPI, uses Miller-Rabin to generate safe prime. */ CHECK_SEC_OK(generate_prime(&p, primeLen)); /* construct Sophie-Germain prime q = (p-1)/2. */ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); CHECK_MPI_OK(mp_div_2(&psub1, &q)); /* construct a generator from the prime. */ ab = PORT_Alloc(primeLen); if (!ab) { PORT_SetError(SEC_ERROR_NO_MEMORY); rv = SECFailure; goto cleanup; } /* generate a candidate number a in p's field */ CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(ab, primeLen)); CHECK_MPI_OK(mp_read_unsigned_octets(&a, ab, primeLen)); /* force a < p (note that quot(a/p) <= 1) */ if (mp_cmp(&a, &p) > 0) CHECK_MPI_OK(mp_sub(&a, &p, &a)); do { /* check that a is in the range [2..p-1] */ if (mp_cmp_d(&a, 2) < 0 || mp_cmp(&a, &psub1) >= 0) { /* a is outside of the allowed range. Set a=3 and keep going. */ mp_set(&a, 3); } /* if a**q mod p != 1 then a is a generator */ CHECK_MPI_OK(mp_exptmod(&a, &q, &p, &test)); if (mp_cmp_d(&test, 1) != 0) break; /* increment the candidate and try again. */ CHECK_MPI_OK(mp_add_d(&a, 1, &a)); } while (PR_TRUE); MPINT_TO_SECITEM(&p, &dhparams->prime, arena); MPINT_TO_SECITEM(&a, &dhparams->base, arena); *params = dhparams; cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&a); mp_clear(&h); mp_clear(&psub1); mp_clear(&test); if (ab) { PORT_ZFree(ab, primeLen); } if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } if (rv != SECSuccess) { PORT_FreeArena(arena, PR_TRUE); } return rv; } SECStatus DH_NewKey(DHParams *params, DHPrivateKey **privKey) { PLArenaPool *arena; DHPrivateKey *key; mp_int g, xa, p, Ya; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; if (!params || !privKey) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE); if (!arena) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } key = (DHPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DHPrivateKey)); if (!key) { PORT_SetError(SEC_ERROR_NO_MEMORY); PORT_FreeArena(arena, PR_TRUE); return SECFailure; } key->arena = arena; MP_DIGITS(&g) = 0; MP_DIGITS(&xa) = 0; MP_DIGITS(&p) = 0; MP_DIGITS(&Ya) = 0; CHECK_MPI_OK(mp_init(&g)); CHECK_MPI_OK(mp_init(&xa)); CHECK_MPI_OK(mp_init(&p)); CHECK_MPI_OK(mp_init(&Ya)); /* Set private key's p */ CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->prime, ¶ms->prime)); SECITEM_TO_MPINT(key->prime, &p); /* Set private key's g */ CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->base, ¶ms->base)); SECITEM_TO_MPINT(key->base, &g); /* Generate private key xa */ SECITEM_AllocItem(arena, &key->privateValue, dh_GetSecretKeyLen(params->prime.len)); CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(key->privateValue.data, key->privateValue.len)); SECITEM_TO_MPINT(key->privateValue, &xa); /* xa < p */ CHECK_MPI_OK(mp_mod(&xa, &p, &xa)); /* Compute public key Ya = g ** xa mod p */ CHECK_MPI_OK(mp_exptmod(&g, &xa, &p, &Ya)); MPINT_TO_SECITEM(&Ya, &key->publicValue, key->arena); *privKey = key; cleanup: mp_clear(&g); mp_clear(&xa); mp_clear(&p); mp_clear(&Ya); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } if (rv) { *privKey = NULL; PORT_FreeArena(arena, PR_TRUE); } return rv; } SECStatus DH_Derive(SECItem *publicValue, SECItem *prime, SECItem *privateValue, SECItem *derivedSecret, unsigned int outBytes) { mp_int p, Xa, Yb, ZZ, psub1; mp_err err = MP_OKAY; unsigned int len = 0; unsigned int nb; unsigned char *secret = NULL; if (!publicValue || !publicValue->len || !prime || !prime->len || !privateValue || !privateValue->len || !derivedSecret) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } memset(derivedSecret, 0, sizeof *derivedSecret); MP_DIGITS(&p) = 0; MP_DIGITS(&Xa) = 0; MP_DIGITS(&Yb) = 0; MP_DIGITS(&ZZ) = 0; MP_DIGITS(&psub1) = 0; CHECK_MPI_OK(mp_init(&p)); CHECK_MPI_OK(mp_init(&Xa)); CHECK_MPI_OK(mp_init(&Yb)); CHECK_MPI_OK(mp_init(&ZZ)); CHECK_MPI_OK(mp_init(&psub1)); SECITEM_TO_MPINT(*publicValue, &Yb); SECITEM_TO_MPINT(*privateValue, &Xa); SECITEM_TO_MPINT(*prime, &p); CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); /* We assume that the modulus, p, is a safe prime. That is, p = 2q+1 where * q is also a prime. Thus the orders of the subgroups are factors of 2q: * namely 1, 2, q and 2q. * * We check that the peer's public value isn't zero (which isn't in the * group), one (subgroup of order one) or p-1 (subgroup of order 2). We * also check that the public value is less than p, to avoid being fooled * by values like p+1 or 2*p-1. * * Thus we must be operating in the subgroup of size q or 2q. */ if (mp_cmp_d(&Yb, 1) <= 0 || mp_cmp(&Yb, &psub1) >= 0) { err = MP_BADARG; goto cleanup; } /* ZZ = (Yb)**Xa mod p */ CHECK_MPI_OK(mp_exptmod(&Yb, &Xa, &p, &ZZ)); /* number of bytes in the derived secret */ len = mp_unsigned_octet_size(&ZZ); if (len <= 0) { err = MP_BADARG; goto cleanup; } /* * We check to make sure that ZZ is not equal to 0, 1 or -1 mod p. * This helps guard against small subgroup attacks, since an attacker * using a subgroup of size N will produce 0, 1 or -1 with probability 1/N. * When the protocol is executed within a properly large subgroup, the * probability of this result will be negligibly small. For example, * with a safe prime of the form 2q+1, the probability will be 1/q. * * We return MP_BADARG because this is probably the result of a bad * public value or a bad prime having been provided. */ if (mp_cmp_d(&ZZ, 0) == 0 || mp_cmp_d(&ZZ, 1) == 0 || mp_cmp(&ZZ, &psub1) == 0) { err = MP_BADARG; goto cleanup; } /* allocate a buffer which can hold the entire derived secret. */ secret = PORT_Alloc(len); if (secret == NULL) { err = MP_MEM; goto cleanup; } /* grab the derived secret */ err = mp_to_unsigned_octets(&ZZ, secret, len); if (err >= 0) err = MP_OKAY; /* ** if outBytes is 0 take all of the bytes from the derived secret. ** if outBytes is not 0 take exactly outBytes from the derived secret, zero ** pad at the beginning if necessary, and truncate beginning bytes ** if necessary. */ if (outBytes > 0) nb = outBytes; else nb = len; if (SECITEM_AllocItem(NULL, derivedSecret, nb) == NULL) { err = MP_MEM; goto cleanup; } if (len < nb) { unsigned int offset = nb - len; memset(derivedSecret->data, 0, offset); memcpy(derivedSecret->data + offset, secret, len); } else { memcpy(derivedSecret->data, secret + len - nb, nb); } cleanup: mp_clear(&p); mp_clear(&Xa); mp_clear(&Yb); mp_clear(&ZZ); mp_clear(&psub1); if (secret) { /* free the buffer allocated for the full secret. */ PORT_ZFree(secret, len); } if (err) { MP_TO_SEC_ERROR(err); if (derivedSecret->data) PORT_ZFree(derivedSecret->data, derivedSecret->len); return SECFailure; } return SECSuccess; } SECStatus KEA_Derive(SECItem *prime, SECItem *public1, SECItem *public2, SECItem *private1, SECItem *private2, SECItem *derivedSecret) { mp_int p, Y, R, r, x, t, u, w; mp_err err; unsigned char *secret = NULL; unsigned int len = 0, offset; if (!prime || !public1 || !public2 || !private1 || !private2 || !derivedSecret) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } memset(derivedSecret, 0, sizeof *derivedSecret); MP_DIGITS(&p) = 0; MP_DIGITS(&Y) = 0; MP_DIGITS(&R) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&x) = 0; MP_DIGITS(&t) = 0; MP_DIGITS(&u) = 0; MP_DIGITS(&w) = 0; CHECK_MPI_OK(mp_init(&p)); CHECK_MPI_OK(mp_init(&Y)); CHECK_MPI_OK(mp_init(&R)); CHECK_MPI_OK(mp_init(&r)); CHECK_MPI_OK(mp_init(&x)); CHECK_MPI_OK(mp_init(&t)); CHECK_MPI_OK(mp_init(&u)); CHECK_MPI_OK(mp_init(&w)); SECITEM_TO_MPINT(*prime, &p); SECITEM_TO_MPINT(*public1, &Y); SECITEM_TO_MPINT(*public2, &R); SECITEM_TO_MPINT(*private1, &r); SECITEM_TO_MPINT(*private2, &x); /* t = DH(Y, r, p) = Y ** r mod p */ CHECK_MPI_OK(mp_exptmod(&Y, &r, &p, &t)); /* u = DH(R, x, p) = R ** x mod p */ CHECK_MPI_OK(mp_exptmod(&R, &x, &p, &u)); /* w = (t + u) mod p */ CHECK_MPI_OK(mp_addmod(&t, &u, &p, &w)); /* allocate a buffer for the full derived secret */ len = mp_unsigned_octet_size(&w); secret = PORT_Alloc(len); if (secret == NULL) { err = MP_MEM; goto cleanup; } /* grab the secret */ err = mp_to_unsigned_octets(&w, secret, len); if (err > 0) err = MP_OKAY; /* allocate output buffer */ if (SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN) == NULL) { err = MP_MEM; goto cleanup; } memset(derivedSecret->data, 0, derivedSecret->len); /* copy in the 128 lsb of the secret */ if (len >= KEA_DERIVED_SECRET_LEN) { memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN), KEA_DERIVED_SECRET_LEN); } else { offset = KEA_DERIVED_SECRET_LEN - len; memcpy(derivedSecret->data + offset, secret, len); } cleanup: mp_clear(&p); mp_clear(&Y); mp_clear(&R); mp_clear(&r); mp_clear(&x); mp_clear(&t); mp_clear(&u); mp_clear(&w); if (secret) PORT_ZFree(secret, len); if (err) { MP_TO_SEC_ERROR(err); if (derivedSecret->data) PORT_ZFree(derivedSecret->data, derivedSecret->len); return SECFailure; } return SECSuccess; } /* Test counts based on the fact the prime and subprime * were given to us */ static int dh_prime_testcount(int prime_length) { if (prime_length < 1024) { return 50; } else if (prime_length < 2048) { return 40; } else if (prime_length < 3072) { return 56; } return 64; } PRBool KEA_PrimeCheck(SECItem *prime) { mp_int p; mp_err err = 0; MP_DIGITS(&p) = 0; CHECK_MPI_OK(mp_init(&p)); SECITEM_TO_MPINT(*prime, &p); CHECK_MPI_OK(mpp_pprime_secure(&p, dh_prime_testcount(prime->len))); cleanup: mp_clear(&p); return err ? PR_FALSE : PR_TRUE; } PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) { mp_int p, q, y, r; mp_err err; int cmp = 1; /* default is false */ if (!Y || !prime || !subPrime) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } MP_DIGITS(&p) = 0; MP_DIGITS(&q) = 0; MP_DIGITS(&y) = 0; MP_DIGITS(&r) = 0; CHECK_MPI_OK(mp_init(&p)); CHECK_MPI_OK(mp_init(&q)); CHECK_MPI_OK(mp_init(&y)); CHECK_MPI_OK(mp_init(&r)); SECITEM_TO_MPINT(*prime, &p); SECITEM_TO_MPINT(*subPrime, &q); SECITEM_TO_MPINT(*Y, &y); /* compute r = y**q mod p */ CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r)); /* compare to 1 */ cmp = mp_cmp_d(&r, 1); cleanup: mp_clear(&p); mp_clear(&q); mp_clear(&y); mp_clear(&r); if (err) { MP_TO_SEC_ERROR(err); return PR_FALSE; } return (cmp == 0) ? PR_TRUE : PR_FALSE; }