1/* 2 * Diffie-Hellman-Merkle key exchange (client side) 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8#include "mbedtls/build_info.h" 9 10#include "mbedtls/platform.h" 11/* md.h is included this early since MD_CAN_XXX macros are defined there. */ 12#include "mbedtls/md.h" 13 14#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \ 15 defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \ 16 defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \ 17 defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) 18#include "mbedtls/net_sockets.h" 19#include "mbedtls/aes.h" 20#include "mbedtls/dhm.h" 21#include "mbedtls/rsa.h" 22#include "mbedtls/sha256.h" 23#include "mbedtls/entropy.h" 24#include "mbedtls/ctr_drbg.h" 25 26#include <stdio.h> 27#include <string.h> 28#endif 29 30#define SERVER_NAME "localhost" 31#define SERVER_PORT "11999" 32 33#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ 34 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ 35 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \ 36 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) 37int main(void) 38{ 39 mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C " 40 "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " 41 "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or " 42 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n"); 43 mbedtls_exit(0); 44} 45 46#elif defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 47int main(void) 48{ 49 mbedtls_printf("MBEDTLS_BLOCK_CIPHER_NO_DECRYPT defined.\n"); 50 mbedtls_exit(0); 51} 52#else 53 54 55int main(void) 56{ 57 FILE *f; 58 59 int ret = 1; 60 int exit_code = MBEDTLS_EXIT_FAILURE; 61 unsigned int mdlen; 62 size_t n, buflen; 63 mbedtls_net_context server_fd; 64 65 unsigned char *p, *end; 66 unsigned char buf[2048]; 67 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 68 mbedtls_mpi N, E; 69 const char *pers = "dh_client"; 70 71 mbedtls_entropy_context entropy; 72 mbedtls_ctr_drbg_context ctr_drbg; 73 mbedtls_rsa_context rsa; 74 mbedtls_dhm_context dhm; 75 mbedtls_aes_context aes; 76 77 mbedtls_net_init(&server_fd); 78 mbedtls_dhm_init(&dhm); 79 mbedtls_aes_init(&aes); 80 mbedtls_ctr_drbg_init(&ctr_drbg); 81 mbedtls_mpi_init(&N); 82 mbedtls_mpi_init(&E); 83 84 /* 85 * 1. Setup the RNG 86 */ 87 mbedtls_printf("\n . Seeding the random number generator"); 88 fflush(stdout); 89 90 mbedtls_entropy_init(&entropy); 91 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, 92 (const unsigned char *) pers, 93 strlen(pers))) != 0) { 94 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret); 95 goto exit; 96 } 97 98 /* 99 * 2. Read the server's public RSA key 100 */ 101 mbedtls_printf("\n . Reading public key from rsa_pub.txt"); 102 fflush(stdout); 103 104 if ((f = fopen("rsa_pub.txt", "rb")) == NULL) { 105 mbedtls_printf(" failed\n ! Could not open rsa_pub.txt\n" \ 106 " ! Please run rsa_genkey first\n\n"); 107 goto exit; 108 } 109 110 mbedtls_rsa_init(&rsa); 111 if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 || 112 (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 || 113 (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) { 114 mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret); 115 fclose(f); 116 goto exit; 117 } 118 fclose(f); 119 120 /* 121 * 3. Initiate the connection 122 */ 123 mbedtls_printf("\n . Connecting to tcp/%s/%s", SERVER_NAME, 124 SERVER_PORT); 125 fflush(stdout); 126 127 if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME, 128 SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) { 129 mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret); 130 goto exit; 131 } 132 133 /* 134 * 4a. First get the buffer length 135 */ 136 mbedtls_printf("\n . Receiving the server's DH parameters"); 137 fflush(stdout); 138 139 memset(buf, 0, sizeof(buf)); 140 141 if ((ret = mbedtls_net_recv(&server_fd, buf, 2)) != 2) { 142 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret); 143 goto exit; 144 } 145 146 n = buflen = (buf[0] << 8) | buf[1]; 147 if (buflen < 1 || buflen > sizeof(buf)) { 148 mbedtls_printf(" failed\n ! Got an invalid buffer length\n\n"); 149 goto exit; 150 } 151 152 /* 153 * 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P 154 */ 155 memset(buf, 0, sizeof(buf)); 156 157 if ((ret = mbedtls_net_recv(&server_fd, buf, n)) != (int) n) { 158 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret); 159 goto exit; 160 } 161 162 p = buf, end = buf + buflen; 163 164 if ((ret = mbedtls_dhm_read_params(&dhm, &p, end)) != 0) { 165 mbedtls_printf(" failed\n ! mbedtls_dhm_read_params returned %d\n\n", ret); 166 goto exit; 167 } 168 169 n = mbedtls_dhm_get_len(&dhm); 170 if (n < 64 || n > 512) { 171 mbedtls_printf(" failed\n ! Invalid DHM modulus size\n\n"); 172 goto exit; 173 } 174 175 /* 176 * 5. Check that the server's RSA signature matches 177 * the SHA-256 hash of (P,G,Ys) 178 */ 179 mbedtls_printf("\n . Verifying the server's RSA signature"); 180 fflush(stdout); 181 182 p += 2; 183 184 if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) { 185 mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n"); 186 goto exit; 187 } 188 189 mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); 190 if (mdlen == 0) { 191 mbedtls_printf(" failed\n ! Invalid digest type\n\n"); 192 goto exit; 193 } 194 195 if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) { 196 mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret); 197 goto exit; 198 } 199 200 if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256, 201 mdlen, hash, p)) != 0) { 202 mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret); 203 goto exit; 204 } 205 206 /* 207 * 6. Send our public value: Yc = G ^ Xc mod P 208 */ 209 mbedtls_printf("\n . Sending own public value to server"); 210 fflush(stdout); 211 212 n = mbedtls_dhm_get_len(&dhm); 213 if ((ret = mbedtls_dhm_make_public(&dhm, (int) n, buf, n, 214 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { 215 mbedtls_printf(" failed\n ! mbedtls_dhm_make_public returned %d\n\n", ret); 216 goto exit; 217 } 218 219 if ((ret = mbedtls_net_send(&server_fd, buf, n)) != (int) n) { 220 mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret); 221 goto exit; 222 } 223 224 /* 225 * 7. Derive the shared secret: K = Ys ^ Xc mod P 226 */ 227 mbedtls_printf("\n . Shared secret: "); 228 fflush(stdout); 229 230 if ((ret = mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &n, 231 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { 232 mbedtls_printf(" failed\n ! mbedtls_dhm_calc_secret returned %d\n\n", ret); 233 goto exit; 234 } 235 236 for (n = 0; n < 16; n++) { 237 mbedtls_printf("%02x", buf[n]); 238 } 239 240 /* 241 * 8. Setup the AES-256 decryption key 242 * 243 * This is an overly simplified example; best practice is 244 * to hash the shared secret with a random value to derive 245 * the keying material for the encryption/decryption keys, 246 * IVs and MACs. 247 */ 248 mbedtls_printf("...\n . Receiving and decrypting the ciphertext"); 249 fflush(stdout); 250 251 ret = mbedtls_aes_setkey_dec(&aes, buf, 256); 252 if (ret != 0) { 253 goto exit; 254 } 255 256 memset(buf, 0, sizeof(buf)); 257 258 if ((ret = mbedtls_net_recv(&server_fd, buf, 16)) != 16) { 259 mbedtls_printf(" failed\n ! mbedtls_net_recv returned %d\n\n", ret); 260 goto exit; 261 } 262 263 ret = mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, buf, buf); 264 if (ret != 0) { 265 goto exit; 266 } 267 buf[16] = '\0'; 268 mbedtls_printf("\n . Plaintext is \"%s\"\n\n", (char *) buf); 269 270 exit_code = MBEDTLS_EXIT_SUCCESS; 271 272exit: 273 274 mbedtls_net_free(&server_fd); 275 276 mbedtls_aes_free(&aes); 277 mbedtls_rsa_free(&rsa); 278 mbedtls_dhm_free(&dhm); 279 mbedtls_ctr_drbg_free(&ctr_drbg); 280 mbedtls_entropy_free(&entropy); 281 mbedtls_mpi_free(&N); 282 mbedtls_mpi_free(&E); 283 284 mbedtls_exit(exit_code); 285} 286#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C && 287 MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 && 288 MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */ 289