2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47 * @page page_dh DH - Diffie-Hellman key exchange
49 * Diffie-Hellman key exchange is a protocol that allows two parties
50 * to establish a shared secret key.
52 * Include and example how to use DH_new() and friends here.
54 * See the library functions here: @ref hcrypto_dh
58 * Create a new DH object using DH_new_method(NULL), see DH_new_method().
60 * @return a newly allocated DH object.
68 return DH_new_method(NULL
);
72 * Create a new DH object from the given engine, if the NULL is used,
73 * the default engine is used. Free the DH object with DH_free().
75 * @param engine The engine to use to allocate the DH object.
77 * @return a newly allocated DH object.
83 DH_new_method(ENGINE
*engine
)
87 dh
= calloc(1, sizeof(*dh
));
94 ENGINE_up_ref(engine
);
97 dh
->engine
= ENGINE_get_default_DH();
101 dh
->meth
= ENGINE_get_DH(dh
->engine
);
102 if (dh
->meth
== NULL
) {
103 ENGINE_finish(engine
);
109 if (dh
->meth
== NULL
)
110 dh
->meth
= DH_get_default_method();
112 (*dh
->meth
->init
)(dh
);
118 * Free a DH object and release related resources, like ENGINE, that
119 * the object was using.
121 * @param dh object to be freed.
123 * @ingroup hcrypto_dh
129 if (dh
->references
<= 0)
132 if (--dh
->references
> 0)
135 (*dh
->meth
->finish
)(dh
);
138 ENGINE_finish(dh
->engine
);
140 #define free_if(f) if (f) { BN_free(f); }
143 free_if(dh
->pub_key
);
144 free_if(dh
->priv_key
);
147 free_if(dh
->counter
);
150 memset(dh
, 0, sizeof(*dh
));
155 * Add a reference to the DH object.
157 * @param dh the object to increase the reference count too.
159 * @return the updated reference count
161 * @ingroup hcrypto_dh
167 return ++dh
->references
;
171 * The maximum output size of the DH_compute_key() function.
173 * @param dh The DH object to get the size from.
175 * @return the maximum size in bytes of the out data.
177 * @ingroup hcrypto_dh
181 DH_size(const DH
*dh
)
183 return BN_num_bytes(dh
->p
);
187 DH_set_ex_data(DH
*dh
, int idx
, void *data
)
189 dh
->ex_data
.sk
= data
;
194 DH_get_ex_data(DH
*dh
, int idx
)
196 return dh
->ex_data
.sk
;
200 * Generate DH parameters for the DH object give parameters.
202 * @param dh The DH object to generate parameters for.
203 * @param prime_len length of the prime
204 * @param generator generator, g
205 * @param cb Callback parameters to show progress, can be NULL.
207 * @return the maximum size in bytes of the out data.
209 * @ingroup hcrypto_dh
213 DH_generate_parameters_ex(DH
*dh
, int prime_len
, int generator
, BN_GENCB
*cb
)
215 if (dh
->meth
->generate_params
)
216 return dh
->meth
->generate_params(dh
, prime_len
, generator
, cb
);
221 * Check that the public key is sane.
223 * @param dh the local peer DH parameters.
224 * @param pub_key the remote peer public key parameters.
225 * @param codes return that the failures of the pub_key are.
227 * @return 1 on success, 0 on failure and *codes is set the the
228 * combined fail check for the public key
230 * @ingroup hcrypto_dh
234 DH_check_pubkey(const DH
*dh
, const BIGNUM
*pub_key
, int *codes
)
236 BIGNUM
*bn
= NULL
, *sum
= NULL
;
242 * Checks that the function performs are:
243 * - pub_key is not negative
246 if (BN_is_negative(pub_key
))
250 * - pub_key > 1 and pub_key < p - 1,
251 * to avoid small subgroups attack.
258 if (!BN_set_word(bn
, 1))
261 if (BN_cmp(bn
, pub_key
) >= 0)
262 *codes
|= DH_CHECK_PUBKEY_TOO_SMALL
;
268 BN_uadd(sum
, pub_key
, bn
);
270 if (BN_cmp(sum
, dh
->p
) >= 0)
271 *codes
|= DH_CHECK_PUBKEY_TOO_LARGE
;
274 * - if g == 2, pub_key have more then one bit set,
275 * if bits set is 1, log_2(pub_key) is trival
278 if (!BN_set_word(bn
, 2))
281 if (BN_cmp(bn
, pub_key
) == 0) {
282 unsigned i
, n
= BN_num_bits(pub_key
);
285 for (i
= 0; i
<= n
; i
++)
286 if (BN_is_bit_set(pub_key
, i
))
290 *codes
|= DH_CHECK_PUBKEY_TOO_SMALL
;
306 * Generate a new DH private-public key pair. The dh parameter must be
307 * allocted first with DH_new().
309 * @param dh dh parameter.
311 * @return 1 on success.
313 * @ingroup hcrypto_dh
317 DH_generate_key(DH
*dh
)
319 return dh
->meth
->generate_key(dh
);
323 * Complute the shared secret key.
325 * @param shared_key the resulting shared key, need to be at least
327 * @param peer_pub_key the peer's public key.
328 * @param dh the dh key pair.
330 * @return 1 on success.
332 * @ingroup hcrypto_dh
336 DH_compute_key(unsigned char *shared_key
,
337 const BIGNUM
*peer_pub_key
, DH
*dh
)
341 if (!DH_check_pubkey(dh
, peer_pub_key
, &codes
) || codes
!= 0)
344 return dh
->meth
->compute_key(shared_key
, peer_pub_key
, dh
);
348 * Set a new method for the DH keypair.
350 * @param dh dh parameter.
351 * @param method the new method for the DH parameter.
353 * @return 1 on success.
355 * @ingroup hcrypto_dh
359 DH_set_method(DH
*dh
, const DH_METHOD
*method
)
361 (*dh
->meth
->finish
)(dh
);
363 ENGINE_finish(dh
->engine
);
367 (*dh
->meth
->init
)(dh
);
376 dh_null_generate_key(DH
*dh
)
382 dh_null_compute_key(unsigned char *shared
,const BIGNUM
*pub
, DH
*dh
)
394 dh_null_finish(DH
*dh
)
400 dh_null_generate_params(DH
*dh
, int prime_num
, int len
, BN_GENCB
*cb
)
405 static const DH_METHOD dh_null_method
= {
407 dh_null_generate_key
,
414 dh_null_generate_params
417 extern const DH_METHOD hc_dh_imath_method
;
418 static const DH_METHOD
*dh_default_method
= &hc_dh_imath_method
;
421 * Return the dummy DH implementation.
423 * @return pointer to a DH_METHOD.
425 * @ingroup hcrypto_dh
431 return &dh_null_method
;
435 * Set the default DH implementation.
437 * @param meth pointer to a DH_METHOD.
439 * @ingroup hcrypto_dh
443 DH_set_default_method(const DH_METHOD
*meth
)
445 dh_default_method
= meth
;
449 * Return the default DH implementation.
451 * @return pointer to a DH_METHOD.
453 * @ingroup hcrypto_dh
457 DH_get_default_method(void)
459 return dh_default_method
;