net/bluetooth/ecdh_helper.c

   1 /*
   2  * ECDH helper functions - KPP wrappings
   3  *
   4  * Copyright (C) 2017 Intel Corporation
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation;
   9  *
  10  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11  * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13  * IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14  * CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18  *
  19  * ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20  * COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21  * SOFTWARE IS DISCLAIMED.
  22  */
  23 #include "ecdh_helper.h"
  24
  25 #include <linux/scatterlist.h>
  26 #include <crypto/kpp.h>
  27 #include <crypto/ecdh.h>
  28
  29 struct ecdh_completion {
  30         struct completion completion;
  31         int err;
  32 };
  33
  34 static void ecdh_complete(struct crypto_async_request *req, int err)
  35 {
  36         struct ecdh_completion *res = req->data;
  37
  38         if (err == -EINPROGRESS)
  39                 return;
  40
  41         res->err = err;
  42         complete(&res->completion);
  43 }
  44
  45 static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits)
  46 {
  47         int i;
  48
  49         for (i = 0; i < ndigits; i++)
  50                 out[i] = __swab64(in[ndigits - 1 - i]);
  51 }
  52
  53 bool compute_ecdh_secret(const u8 public_key[64], const u8 private_key[32],
  54                          u8 secret[32])
  55 {
  56         struct crypto_kpp *tfm;
  57         struct kpp_request *req;
  58         struct ecdh p;
  59         struct ecdh_completion result;
  60         struct scatterlist src, dst;
  61         u8 *tmp, *buf;
  62         unsigned int buf_len;
  63         int err = -ENOMEM;
  64
  65         tmp = kmalloc(64, GFP_KERNEL);
  66         if (!tmp)
  67                 return false;
  68
  69         tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
  70         if (IS_ERR(tfm)) {
  71                 pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n",
  72                        PTR_ERR(tfm));
  73                 goto free_tmp;
  74         }
  75
  76         req = kpp_request_alloc(tfm, GFP_KERNEL);
  77         if (!req)
  78                 goto free_kpp;
  79
  80         init_completion(&result.completion);
  81
  82         /* Security Manager Protocol holds digits in litte-endian order
  83          * while ECC API expect big-endian data
  84          */
  85         swap_digits((u64 *)private_key, (u64 *)tmp, 4);
  86         p.key = (char *)tmp;
  87         p.key_size = 32;
  88         /* Set curve_id */
  89         p.curve_id = ECC_CURVE_NIST_P256;
  90         buf_len = crypto_ecdh_key_len(&p);
  91         buf = kmalloc(buf_len, GFP_KERNEL);
  92         if (!buf) {
  93                 pr_err("alg: kpp: Failed to allocate %d bytes for buf\n",
  94                        buf_len);
  95                 goto free_req;
  96         }
  97         crypto_ecdh_encode_key(buf, buf_len, &p);
  98
  99         /* Set A private Key */
 100         err = crypto_kpp_set_secret(tfm, (void *)buf, buf_len);
 101         if (err)
 102                 goto free_all;
 103
 104         swap_digits((u64 *)public_key, (u64 *)tmp, 4); /* x */
 105         swap_digits((u64 *)&public_key[32], (u64 *)&tmp[32], 4); /* y */
 106
 107         sg_init_one(&src, tmp, 64);
 108         sg_init_one(&dst, secret, 32);
 109         kpp_request_set_input(req, &src, 64);
 110         kpp_request_set_output(req, &dst, 32);
 111         kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
 112                                  ecdh_complete, &result);
 113         err = crypto_kpp_compute_shared_secret(req);
 114         if (err == -EINPROGRESS) {
 115                 wait_for_completion(&result.completion);
 116                 err = result.err;
 117         }
 118         if (err < 0) {
 119                 pr_err("alg: ecdh: compute shared secret failed. err %d\n",
 120                        err);
 121                 goto free_all;
 122         }
 123
 124         swap_digits((u64 *)secret, (u64 *)tmp, 4);
 125         memcpy(secret, tmp, 32);
 126
 127 free_all:
 128         kzfree(buf);
 129 free_req:
 130         kpp_request_free(req);
 131 free_kpp:
 132         crypto_free_kpp(tfm);
 133 free_tmp:
 134         kfree(tmp);
 135         return (err == 0);
 136 }
 137
 138 bool generate_ecdh_keys(u8 public_key[64], u8 private_key[32])
 139 {
 140         struct crypto_kpp *tfm;
 141         struct kpp_request *req;
 142         struct ecdh p;
 143         struct ecdh_completion result;
 144         struct scatterlist dst;
 145         u8 *tmp, *buf;
 146         unsigned int buf_len;
 147         int err = -ENOMEM;
 148         const unsigned short max_tries = 16;
 149         unsigned short tries = 0;
 150
 151         tmp = kmalloc(64, GFP_KERNEL);
 152         if (!tmp)
 153                 return false;
 154
 155         tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
 156         if (IS_ERR(tfm)) {
 157                 pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n",
 158                        PTR_ERR(tfm));
 159                 goto free_tmp;
 160         }
 161
 162         req = kpp_request_alloc(tfm, GFP_KERNEL);
 163         if (!req)
 164                 goto free_kpp;
 165
 166         init_completion(&result.completion);
 167
 168         /* Set curve_id */
 169         p.curve_id = ECC_CURVE_NIST_P256;
 170         p.key_size = 32;
 171         buf_len = crypto_ecdh_key_len(&p);
 172         buf = kmalloc(buf_len, GFP_KERNEL);
 173         if (!buf) {
 174                 pr_err("alg: kpp: Failed to allocate %d bytes for buf\n",
 175                        buf_len);
 176                 goto free_req;
 177         }
 178
 179         do {
 180                 if (tries++ >= max_tries)
 181                         goto free_all;
 182
 183                 /* Set private Key */
 184                 p.key = (char *)private_key;
 185                 crypto_ecdh_encode_key(buf, buf_len, &p);
 186                 err = crypto_kpp_set_secret(tfm, buf, buf_len);
 187                 if (err)
 188                         goto free_all;
 189
 190                 sg_init_one(&dst, tmp, 64);
 191                 kpp_request_set_input(req, NULL, 0);
 192                 kpp_request_set_output(req, &dst, 64);
 193                 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
 194                                          ecdh_complete, &result);
 195
 196                 err = crypto_kpp_generate_public_key(req);
 197
 198                 if (err == -EINPROGRESS) {
 199                         wait_for_completion(&result.completion);
 200                         err = result.err;
 201                 }
 202
 203                 /* Private key is not valid. Regenerate */
 204                 if (err == -EINVAL)
 205                         continue;
 206
 207                 if (err < 0)
 208                         goto free_all;
 209                 else
 210                         break;
 211
 212         } while (true);
 213
 214         /* Keys are handed back in little endian as expected by Security
 215          * Manager Protocol
 216          */
 217         swap_digits((u64 *)tmp, (u64 *)public_key, 4); /* x */
 218         swap_digits((u64 *)&tmp[32], (u64 *)&public_key[32], 4); /* y */
 219         swap_digits((u64 *)private_key, (u64 *)tmp, 4);
 220         memcpy(private_key, tmp, 32);
 221
 222 free_all:
 223         kzfree(buf);
 224 free_req:
 225         kpp_request_free(req);
 226 free_kpp:
 227         crypto_free_kpp(tfm);
 228 free_tmp:
 229         kfree(tmp);
 230         return (err == 0);
 231 }