1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Diffie-Hellman Key Agreement Method [RFC2631]
4 * Copyright (c) 2016, Intel Corporation
5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
8 #include <linux/module.h>
9 #include <crypto/internal/kpp.h>
10 #include <crypto/kpp.h>
11 #include <crypto/dh.h>
12 #include <linux/fips.h>
13 #include <linux/mpi.h>
16 MPI p; /* Value is guaranteed to be set. */
17 MPI q; /* Value is optional. */
18 MPI g; /* Value is guaranteed to be set. */
19 MPI xa; /* Value is guaranteed to be set. */
22 static inline void dh_clear_params(struct dh_ctx *ctx)
29 static inline void dh_clear_key(struct dh_ctx *ctx)
32 memset(ctx, 0, sizeof(*ctx));
35 static void dh_clear_ctx(struct dh_ctx *ctx)
42 * If base is g we compute the public key
43 * ya = g^xa mod p; [RFC2631 sec 2.1.1]
44 * else if base if the counterpart public key we compute the shared secret
45 * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
47 static int _compute_val(const struct dh_ctx *ctx, MPI base, MPI val)
49 /* val = base^xa mod p */
50 return mpi_powm(val, base, ctx->xa, ctx->p);
53 static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
55 return kpp_tfm_ctx(tfm);
58 static int dh_check_params_length(unsigned int p_len)
60 return (p_len < 1536) ? -EINVAL : 0;
63 static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
65 /* If DH parameters are not given, do not check them. */
66 if (!params->p_size && !params->g_size)
69 if (dh_check_params_length(params->p_size << 3))
72 ctx->p = mpi_read_raw_data(params->p, params->p_size);
76 if (params->q && params->q_size) {
77 ctx->q = mpi_read_raw_data(params->q, params->q_size);
82 ctx->g = mpi_read_raw_data(params->g, params->g_size);
89 static int dh_set_params_pkcs3(struct crypto_kpp *tfm, const void *param,
90 unsigned int param_len)
92 struct dh_ctx *ctx = dh_get_ctx(tfm);
93 struct dh parsed_params;
96 /* Free the old parameter if any */
99 ret = dh_parse_params_pkcs3(&parsed_params, param, param_len);
103 return dh_set_params(ctx, &parsed_params);
106 static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
109 struct dh_ctx *ctx = dh_get_ctx(tfm);
112 /* Free the old MPI key if any */
115 if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
118 if (dh_set_params(ctx, ¶ms) < 0)
121 ctx->xa = mpi_read_raw_data(params.key, params.key_size);
133 * SP800-56A public key verification:
135 * * If Q is provided as part of the domain paramenters, a full validation
136 * according to SP800-56A section 5.6.2.3.1 is performed.
138 * * If Q is not provided, a partial validation according to SP800-56A section
139 * 5.6.2.3.2 is performed.
141 static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
143 if (unlikely(!ctx->p))
147 * Step 1: Verify that 2 <= y <= p - 2.
149 * The upper limit check is actually y < p instead of y < p - 1
150 * as the mpi_sub_ui function is yet missing.
152 if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
155 /* Step 2: Verify that 1 = y^q mod p */
157 MPI val = mpi_alloc(0);
163 ret = mpi_powm(val, y, ctx->q, ctx->p);
170 ret = mpi_cmp_ui(val, 1);
181 static int dh_compute_value(struct kpp_request *req)
183 struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
184 struct dh_ctx *ctx = dh_get_ctx(tfm);
185 MPI base, val = mpi_alloc(0);
192 if (unlikely(!ctx->xa || !ctx->p || !ctx->g)) {
198 base = mpi_read_raw_from_sgl(req->src, req->src_len);
203 ret = dh_is_pubkey_valid(ctx, base);
210 ret = _compute_val(ctx, base, val);
215 /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
220 if (mpi_cmp_ui(val, 1) < 1) {
233 ret = mpi_sub_ui(pone, ctx->p, 1);
234 if (!ret && !mpi_cmp(pone, val))
242 /* SP800-56A rev 3 5.6.2.1.3 key check */
244 if (dh_is_pubkey_valid(ctx, val)) {
251 ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
265 static unsigned int dh_max_size(struct crypto_kpp *tfm)
267 struct dh_ctx *ctx = dh_get_ctx(tfm);
269 return mpi_get_size(ctx->p);
272 static void dh_exit_tfm(struct crypto_kpp *tfm)
274 struct dh_ctx *ctx = dh_get_ctx(tfm);
279 static struct kpp_alg dh = {
280 .set_params = dh_set_params_pkcs3,
281 .set_secret = dh_set_secret,
282 .generate_public_key = dh_compute_value,
283 .compute_shared_secret = dh_compute_value,
284 .max_size = dh_max_size,
288 .cra_driver_name = "dh-generic",
290 .cra_module = THIS_MODULE,
291 .cra_ctxsize = sizeof(struct dh_ctx),
295 static int dh_init(void)
297 return crypto_register_kpp(&dh);
300 static void dh_exit(void)
302 crypto_unregister_kpp(&dh);
305 subsys_initcall(dh_init);
306 module_exit(dh_exit);
307 MODULE_ALIAS_CRYPTO("dh");
308 MODULE_LICENSE("GPL");
309 MODULE_DESCRIPTION("DH generic algorithm");