Gitly


1 /*
2  *  PSA FFDH layer on top of Mbed TLS crypto
3  */
4 /*
5  *  Copyright The Mbed TLS Contributors
6  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7  */
8 
9 #include "common.h"
10 
11 #if defined(MBEDTLS_PSA_CRYPTO_C)
12 
13 /* This header is only needed because it defines
14  * MBEDTLS_DHM_RFC7919_FFDHEXXXX_[P|G]_BIN symbols that are used in
15  * mbedtls_psa_ffdh_set_prime_generator(). Apart from that, this module
16  * only uses bignum functions for arithmetic. */
17 #include <mbedtls/dhm.h>
18 
19 #include <psa/crypto.h>
20 #include "psa_crypto_core.h"
21 #include "psa_crypto_ffdh.h"
22 #include "psa_crypto_random_impl.h"
23 #include "mbedtls/platform.h"
24 #include "mbedtls/error.h"
25 
26 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||   \
27     defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) ||   \
28     defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
29     defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
30 static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
31                                                          mbedtls_mpi *P,
32                                                          mbedtls_mpi *G)
33 {
34     const unsigned char *dhm_P = NULL;
35     const unsigned char *dhm_G = NULL;
36     size_t dhm_size_P = 0;
37     size_t dhm_size_G = 0;
38     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
39 
40     if (P == NULL && G == NULL) {
41         return PSA_ERROR_INVALID_ARGUMENT;
42     }
43 
44 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
45     static const unsigned char dhm_P_2048[] =
46         MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
47     static const unsigned char dhm_G_2048[] =
48         MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
49 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
50 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
51     static const unsigned char dhm_P_3072[] =
52         MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
53     static const unsigned char dhm_G_3072[] =
54         MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
55 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
56 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
57     static const unsigned char dhm_P_4096[] =
58         MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
59     static const unsigned char dhm_G_4096[] =
60         MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
61 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
62 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
63     static const unsigned char dhm_P_6144[] =
64         MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
65     static const unsigned char dhm_G_6144[] =
66         MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
67 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
68 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
69     static const unsigned char dhm_P_8192[] =
70         MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
71     static const unsigned char dhm_G_8192[] =
72         MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
73 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
74 
75     switch (key_size) {
76 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
77         case sizeof(dhm_P_2048):
78             dhm_P = dhm_P_2048;
79             dhm_G = dhm_G_2048;
80             dhm_size_P = sizeof(dhm_P_2048);
81             dhm_size_G = sizeof(dhm_G_2048);
82             break;
83 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
84 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
85         case sizeof(dhm_P_3072):
86             dhm_P = dhm_P_3072;
87             dhm_G = dhm_G_3072;
88             dhm_size_P = sizeof(dhm_P_3072);
89             dhm_size_G = sizeof(dhm_G_3072);
90             break;
91 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
92 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
93         case sizeof(dhm_P_4096):
94             dhm_P = dhm_P_4096;
95             dhm_G = dhm_G_4096;
96             dhm_size_P = sizeof(dhm_P_4096);
97             dhm_size_G = sizeof(dhm_G_4096);
98             break;
99 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
100 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
101         case sizeof(dhm_P_6144):
102             dhm_P = dhm_P_6144;
103             dhm_G = dhm_G_6144;
104             dhm_size_P = sizeof(dhm_P_6144);
105             dhm_size_G = sizeof(dhm_G_6144);
106             break;
107 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
108 #if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
109         case sizeof(dhm_P_8192):
110             dhm_P = dhm_P_8192;
111             dhm_G = dhm_G_8192;
112             dhm_size_P = sizeof(dhm_P_8192);
113             dhm_size_G = sizeof(dhm_G_8192);
114             break;
115 #endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
116         default:
117             return PSA_ERROR_INVALID_ARGUMENT;
118     }
119 
120     if (P != NULL) {
121         MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
122                                                 dhm_size_P));
123     }
124     if (G != NULL) {
125         MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
126                                                 dhm_size_G));
127     }
128 
129 cleanup:
130     if (ret != 0) {
131         return mbedtls_to_psa_error(ret);
132     }
133 
134     return PSA_SUCCESS;
135 }
136 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
137           MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE ||
138           MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
139           MBEDTLS_PSA_BUILTIN_ALG_FFDH */
140 
141 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
142     defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
143 psa_status_t mbedtls_psa_ffdh_export_public_key(
144     const psa_key_attributes_t *attributes,
145     const uint8_t *key_buffer,
146     size_t key_buffer_size,
147     uint8_t *data,
148     size_t data_size,
149     size_t *data_length)
150 {
151     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
152     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
153     mbedtls_mpi GX, G, X, P;
154     psa_key_type_t type = attributes->type;
155 
156     if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
157         if (key_buffer_size > data_size) {
158             return PSA_ERROR_BUFFER_TOO_SMALL;
159         }
160         memcpy(data, key_buffer, key_buffer_size);
161         memset(data + key_buffer_size, 0,
162                data_size - key_buffer_size);
163         *data_length = key_buffer_size;
164         return PSA_SUCCESS;
165     }
166 
167     mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
168     mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
169 
170     size_t key_len = PSA_BITS_TO_BYTES(attributes->bits);
171     if (key_len > data_size) {
172         status = PSA_ERROR_BUFFER_TOO_SMALL;
173         goto cleanup;
174     }
175 
176     status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G);
177 
178     if (status != PSA_SUCCESS) {
179         goto cleanup;
180     }
181 
182     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
183                                             key_buffer_size));
184 
185     MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
186     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, key_len));
187 
188     *data_length = key_len;
189 
190     ret = 0;
191 cleanup:
192     mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
193     mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
194 
195     if (status == PSA_SUCCESS && ret != 0) {
196         status = mbedtls_to_psa_error(ret);
197     }
198 
199     return status;
200 }
201 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
202           MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY */
203 
204 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
205 psa_status_t mbedtls_psa_ffdh_generate_key(
206     const psa_key_attributes_t *attributes,
207     uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
208 {
209     mbedtls_mpi X, P;
210     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
211     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
212     mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
213     (void) attributes;
214 
215     status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
216 
217     if (status != PSA_SUCCESS) {
218         goto cleanup;
219     }
220 
221     /* RFC7919: Traditional finite field Diffie-Hellman has each peer choose their
222         secret exponent from the range [2, P-2].
223         Select random value in range [3, P-1] and decrease it by 1. */
224     MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
225                                        MBEDTLS_PSA_RANDOM_STATE));
226     MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
227     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
228     *key_buffer_length = key_buffer_size;
229 
230 cleanup:
231     mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
232     if (status == PSA_SUCCESS && ret != 0) {
233         return mbedtls_to_psa_error(ret);
234     }
235 
236     return status;
237 }
238 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE */
239 
240 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT)
241 psa_status_t mbedtls_psa_ffdh_import_key(
242     const psa_key_attributes_t *attributes,
243     const uint8_t *data, size_t data_length,
244     uint8_t *key_buffer, size_t key_buffer_size,
245     size_t *key_buffer_length, size_t *bits)
246 {
247     (void) attributes;
248 
249     if (key_buffer_size < data_length) {
250         return PSA_ERROR_BUFFER_TOO_SMALL;
251     }
252     memcpy(key_buffer, data, data_length);
253     *key_buffer_length = data_length;
254     *bits = PSA_BYTES_TO_BITS(data_length);
255 
256     return PSA_SUCCESS;
257 }
258 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT */
259 
260 #if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
261 psa_status_t mbedtls_psa_ffdh_key_agreement(
262     const psa_key_attributes_t *attributes,
263     const uint8_t *peer_key,
264     size_t peer_key_length,
265     const uint8_t *key_buffer,
266     size_t key_buffer_size,
267     uint8_t *shared_secret,
268     size_t shared_secret_size,
269     size_t *shared_secret_length)
270 {
271     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
272     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
273     mbedtls_mpi P, X, GY, K;
274     const size_t calculated_shared_secret_size = key_buffer_size;
275 
276     if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
277         return PSA_ERROR_INVALID_ARGUMENT;
278     }
279 
280     if (peer_key_length != key_buffer_size) {
281         return PSA_ERROR_INVALID_ARGUMENT;
282     }
283 
284     /* This has been checked by the core, but keep a local check too. */
285     if (calculated_shared_secret_size > shared_secret_size) {
286         return PSA_ERROR_BUFFER_TOO_SMALL;
287     }
288 
289     mbedtls_mpi_init(&P);
290     mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
291     mbedtls_mpi_init(&K);
292 
293     status = mbedtls_psa_ffdh_set_prime_generator(
294         PSA_BITS_TO_BYTES(attributes->bits), &P, NULL);
295 
296     if (status != PSA_SUCCESS) {
297         goto cleanup;
298     }
299 
300     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
301                                             peer_key_length));
302 
303     /* RFC 7919 5.1: validate the peer's public key: 1 < GY < P-1
304      *
305      * This check is sufficient to ensure GY is not of low order, because we're
306      * using a safe prime (that is, q = (p-1) / 2 is also prime), so the only
307      * group elements of low order are 1 and p-1. (Obviously we also want to
308      * exclude 0 that is not a group element, and values >= p as they are not
309      * residues mod p.)
310      *
311      * Note: we know we're using a safe prime because the only FFDH groups
312      * defined by the PSA spec are from RFC 7919 (since version 1.0) and RFC
313      * 3525 (since v1.4, not yet supported in tf-psa-crypto as of writing this
314      * comment), which both use safe primes.
315      *
316      * Note: NIST SP 800-56Ar3 5.7.1.1 (2) has the check on the shared secret,
317      * but checking before is equivalent (unless our secret key is exactly
318      * (p-1)/2, which has negligible probability and can't be influenced by the
319      * adversary). Checking before is cleaner in terms of side channel analysis,
320      * as we haven't loaded our secret yet, so no worries about branches.
321      *
322      * Use X as a temporary, since we haven't loaded it yet.
323      */
324     MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &P, 1)); // x = p - 1
325     if (mbedtls_mpi_cmp_mpi(&GY, &X) >= 0) {
326         status = PSA_ERROR_INVALID_ARGUMENT;
327         goto cleanup;
328     }
329     MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, 1)); // x = 1
330     if (mbedtls_mpi_cmp_mpi(&GY, &X) <= 0) {
331         status = PSA_ERROR_INVALID_ARGUMENT;
332         goto cleanup;
333     }
334 
335     MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
336                                             key_buffer_size));
337 
338     /* Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P */
339     MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
340 
341     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
342                                              calculated_shared_secret_size));
343 
344     *shared_secret_length = calculated_shared_secret_size;
345 
346     ret = 0;
347 
348 cleanup:
349     mbedtls_mpi_free(&P);
350     mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
351     mbedtls_mpi_free(&K);
352 
353     if (status == PSA_SUCCESS && ret != 0) {
354         status = mbedtls_to_psa_error(ret);
355     }
356 
357     return status;
358 }
359 #endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
360 
361 #endif /* MBEDTLS_PSA_CRYPTO_C */
362

1	/*
2	* PSA FFDH layer on top of Mbed TLS crypto
3	*/
4	/*
5	* Copyright The Mbed TLS Contributors
6	* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7	*/
8
9	#include "common.h"
10
11	#if defined(MBEDTLS_PSA_CRYPTO_C)
12
13	/ This header is only needed because it defines*
14	* MBEDTLS_DHM_RFC7919_FFDHEXXXX_[P\|G]_BIN symbols that are used in
15	* mbedtls_psa_ffdh_set_prime_generator(). Apart from that, this module
16	* only uses bignum functions for arithmetic. */
17	#include <mbedtls/dhm.h>
18
19	#include <psa/crypto.h>
20	#include "psa_crypto_core.h"
21	#include "psa_crypto_ffdh.h"
22	#include "psa_crypto_random_impl.h"
23	#include "mbedtls/platform.h"
24	#include "mbedtls/error.h"
25
26	#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) \|\| \
27	defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) \|\| \
28	defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) \|\| \
29	defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
30	static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
31	mbedtls_mpi *P,
32	mbedtls_mpi *G)
33	{
34	const unsigned char *dhm_P = NULL;
35	const unsigned char *dhm_G = NULL;
36	size_t dhm_size_P = 0;
37	size_t dhm_size_G = 0;
38	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
39
40	if (P == NULL && G == NULL) {
41	return PSA_ERROR_INVALID_ARGUMENT;
42	}
43
44	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
45	static const unsigned char dhm_P_2048[] =
46	MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
47	static const unsigned char dhm_G_2048[] =
48	MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
49	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 /
50	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
51	static const unsigned char dhm_P_3072[] =
52	MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
53	static const unsigned char dhm_G_3072[] =
54	MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
55	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 /
56	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
57	static const unsigned char dhm_P_4096[] =
58	MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
59	static const unsigned char dhm_G_4096[] =
60	MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
61	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 /
62	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
63	static const unsigned char dhm_P_6144[] =
64	MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
65	static const unsigned char dhm_G_6144[] =
66	MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
67	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 /
68	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
69	static const unsigned char dhm_P_8192[] =
70	MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
71	static const unsigned char dhm_G_8192[] =
72	MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
73	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 /
74
75	switch (key_size) {
76	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
77	case sizeof(dhm_P_2048):
78	dhm_P = dhm_P_2048;
79	dhm_G = dhm_G_2048;
80	dhm_size_P = sizeof(dhm_P_2048);
81	dhm_size_G = sizeof(dhm_G_2048);
82	break;
83	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 /
84	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
85	case sizeof(dhm_P_3072):
86	dhm_P = dhm_P_3072;
87	dhm_G = dhm_G_3072;
88	dhm_size_P = sizeof(dhm_P_3072);
89	dhm_size_G = sizeof(dhm_G_3072);
90	break;
91	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 /
92	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
93	case sizeof(dhm_P_4096):
94	dhm_P = dhm_P_4096;
95	dhm_G = dhm_G_4096;
96	dhm_size_P = sizeof(dhm_P_4096);
97	dhm_size_G = sizeof(dhm_G_4096);
98	break;
99	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 /
100	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
101	case sizeof(dhm_P_6144):
102	dhm_P = dhm_P_6144;
103	dhm_G = dhm_G_6144;
104	dhm_size_P = sizeof(dhm_P_6144);
105	dhm_size_G = sizeof(dhm_G_6144);
106	break;
107	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 /
108	#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
109	case sizeof(dhm_P_8192):
110	dhm_P = dhm_P_8192;
111	dhm_G = dhm_G_8192;
112	dhm_size_P = sizeof(dhm_P_8192);
113	dhm_size_G = sizeof(dhm_G_8192);
114	break;
115	#endif / MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 /
116	default:
117	return PSA_ERROR_INVALID_ARGUMENT;
118	}
119
120	if (P != NULL) {
121	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
122	dhm_size_P));
123	}
124	if (G != NULL) {
125	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
126	dhm_size_G));
127	}
128
129	cleanup:
130	if (ret != 0) {
131	return mbedtls_to_psa_error(ret);
132	}
133
134	return PSA_SUCCESS;
135	}
136	#endif / MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT \|\|*
137	MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE \|\|
138	MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY \|\|
139	MBEDTLS_PSA_BUILTIN_ALG_FFDH /*
140
141	#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) \|\| \
142	defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
143	psa_status_t mbedtls_psa_ffdh_export_public_key(
144	const psa_key_attributes_t *attributes,
145	const uint8_t *key_buffer,
146	size_t key_buffer_size,
147	uint8_t *data,
148	size_t data_size,
149	size_t *data_length)
150	{
151	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
152	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
153	mbedtls_mpi GX, G, X, P;
154	psa_key_type_t type = attributes->type;
155
156	if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
157	if (key_buffer_size > data_size) {
158	return PSA_ERROR_BUFFER_TOO_SMALL;
159	}
160	memcpy(data, key_buffer, key_buffer_size);
161	memset(data + key_buffer_size, 0,
162	data_size - key_buffer_size);
163	*data_length = key_buffer_size;
164	return PSA_SUCCESS;
165	}
166
167	mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
168	mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
169
170	size_t key_len = PSA_BITS_TO_BYTES(attributes->bits);
171	if (key_len > data_size) {
172	status = PSA_ERROR_BUFFER_TOO_SMALL;
173	goto cleanup;
174	}
175
176	status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G);
177
178	if (status != PSA_SUCCESS) {
179	goto cleanup;
180	}
181
182	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
183	key_buffer_size));
184
185	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
186	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, key_len));
187
188	*data_length = key_len;
189
190	ret = 0;
191	cleanup:
192	mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
193	mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
194
195	if (status == PSA_SUCCESS && ret != 0) {
196	status = mbedtls_to_psa_error(ret);
197	}
198
199	return status;
200	}
201	#endif / MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT \|\|*
202	MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY /*
203
204	#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
205	psa_status_t mbedtls_psa_ffdh_generate_key(
206	const psa_key_attributes_t *attributes,
207	uint8_t key_buffer, size_t key_buffer_size, size_t key_buffer_length)
208	{
209	mbedtls_mpi X, P;
210	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
211	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
212	mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
213	(void) attributes;
214
215	status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
216
217	if (status != PSA_SUCCESS) {
218	goto cleanup;
219	}
220
221	/ RFC7919: Traditional finite field Diffie-Hellman has each peer choose their*
222	secret exponent from the range [2, P-2].
223	Select random value in range [3, P-1] and decrease it by 1. /*
224	MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
225	MBEDTLS_PSA_RANDOM_STATE));
226	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
227	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
228	*key_buffer_length = key_buffer_size;
229
230	cleanup:
231	mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
232	if (status == PSA_SUCCESS && ret != 0) {
233	return mbedtls_to_psa_error(ret);
234	}
235
236	return status;
237	}
238	#endif / MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE /
239
240	#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT)
241	psa_status_t mbedtls_psa_ffdh_import_key(
242	const psa_key_attributes_t *attributes,
243	const uint8_t *data, size_t data_length,
244	uint8_t *key_buffer, size_t key_buffer_size,
245	size_t key_buffer_length, size_t bits)
246	{
247	(void) attributes;
248
249	if (key_buffer_size < data_length) {
250	return PSA_ERROR_BUFFER_TOO_SMALL;
251	}
252	memcpy(key_buffer, data, data_length);
253	*key_buffer_length = data_length;
254	*bits = PSA_BYTES_TO_BITS(data_length);
255
256	return PSA_SUCCESS;
257	}
258	#endif / MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT /
259
260	#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
261	psa_status_t mbedtls_psa_ffdh_key_agreement(
262	const psa_key_attributes_t *attributes,
263	const uint8_t *peer_key,
264	size_t peer_key_length,
265	const uint8_t *key_buffer,
266	size_t key_buffer_size,
267	uint8_t *shared_secret,
268	size_t shared_secret_size,
269	size_t *shared_secret_length)
270	{
271	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
272	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
273	mbedtls_mpi P, X, GY, K;
274	const size_t calculated_shared_secret_size = key_buffer_size;
275
276	if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
277	return PSA_ERROR_INVALID_ARGUMENT;
278	}
279
280	if (peer_key_length != key_buffer_size) {
281	return PSA_ERROR_INVALID_ARGUMENT;
282	}
283
284	/ This has been checked by the core, but keep a local check too. /
285	if (calculated_shared_secret_size > shared_secret_size) {
286	return PSA_ERROR_BUFFER_TOO_SMALL;
287	}
288
289	mbedtls_mpi_init(&P);
290	mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
291	mbedtls_mpi_init(&K);
292
293	status = mbedtls_psa_ffdh_set_prime_generator(
294	PSA_BITS_TO_BYTES(attributes->bits), &P, NULL);
295
296	if (status != PSA_SUCCESS) {
297	goto cleanup;
298	}
299
300	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
301	peer_key_length));
302
303	/ RFC 7919 5.1: validate the peer's public key: 1 < GY < P-1*
304	*
305	* This check is sufficient to ensure GY is not of low order, because we're
306	* using a safe prime (that is, q = (p-1) / 2 is also prime), so the only
307	* group elements of low order are 1 and p-1. (Obviously we also want to
308	* exclude 0 that is not a group element, and values >= p as they are not
309	* residues mod p.)
310	*
311	* Note: we know we're using a safe prime because the only FFDH groups
312	* defined by the PSA spec are from RFC 7919 (since version 1.0) and RFC
313	* 3525 (since v1.4, not yet supported in tf-psa-crypto as of writing this
314	* comment), which both use safe primes.
315	*
316	* Note: NIST SP 800-56Ar3 5.7.1.1 (2) has the check on the shared secret,
317	* but checking before is equivalent (unless our secret key is exactly
318	* (p-1)/2, which has negligible probability and can't be influenced by the
319	* adversary). Checking before is cleaner in terms of side channel analysis,
320	* as we haven't loaded our secret yet, so no worries about branches.
321	*
322	* Use X as a temporary, since we haven't loaded it yet.
323	*/
324	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &P, 1)); // x = p - 1
325	if (mbedtls_mpi_cmp_mpi(&GY, &X) >= 0) {
326	status = PSA_ERROR_INVALID_ARGUMENT;
327	goto cleanup;
328	}
329	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, 1)); // x = 1
330	if (mbedtls_mpi_cmp_mpi(&GY, &X) <= 0) {
331	status = PSA_ERROR_INVALID_ARGUMENT;
332	goto cleanup;
333	}
334
335	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
336	key_buffer_size));
337
338	/ Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P /
339	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
340
341	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
342	calculated_shared_secret_size));
343
344	*shared_secret_length = calculated_shared_secret_size;
345
346	ret = 0;
347
348	cleanup:
349	mbedtls_mpi_free(&P);
350	mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
351	mbedtls_mpi_free(&K);
352
353	if (status == PSA_SUCCESS && ret != 0) {
354	status = mbedtls_to_psa_error(ret);
355	}
356
357	return status;
358	}
359	#endif / MBEDTLS_PSA_BUILTIN_ALG_FFDH /
360
361	#endif / MBEDTLS_PSA_CRYPTO_C /
362