[thirdparty/openssl.git] / crypto / dh / dh_key.c

/*
 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include "dh_local.h"
#include "crypto/bn.h"
#include "crypto/dh.h"

#ifndef FIPS_MODE
static int generate_key(DH *dh);
#endif /* FIPS_MODE */

static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                         const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
static int dh_init(DH *dh);
static int dh_finish(DH *dh);

int dh_compute_key(OPENSSL_CTX *libctx, unsigned char *key,
                   const BIGNUM *pub_key, DH *dh)
{
    BN_CTX *ctx = NULL;
    BN_MONT_CTX *mont = NULL;
    BIGNUM *tmp;
    int ret = -1;
#ifndef FIPS_MODE
    int check_result;
#endif

    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
        DHerr(0, DH_R_MODULUS_TOO_LARGE);
        goto err;
    }

    if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
        DHerr(0, DH_R_MODULUS_TOO_SMALL);
        return 0;
    }

    ctx = BN_CTX_new_ex(libctx);
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    tmp = BN_CTX_get(ctx);
    if (tmp == NULL)
        goto err;

    if (dh->priv_key == NULL) {
        DHerr(0, DH_R_NO_PRIVATE_VALUE);
        goto err;
    }

    if (dh->flags & DH_FLAG_CACHE_MONT_P) {
        mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                                      dh->lock, dh->p, ctx);
        BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
        if (!mont)
            goto err;
    }
/* TODO(3.0) : Solve in a PR related to Key validation for DH */
#ifndef FIPS_MODE
    if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result) {
        DHerr(0, DH_R_INVALID_PUBKEY);
        goto err;
    }
#endif
    if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx,
                              mont)) {
        DHerr(0, ERR_R_BN_LIB);
        goto err;
    }

    ret = BN_bn2bin(tmp, key);
 err:
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ret;
}

static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
    return dh_compute_key(NULL, key, pub_key, dh);
}

int dh_compute_key_padded(OPENSSL_CTX *libctx, unsigned char *key,
                          const BIGNUM *pub_key, DH *dh)
{
    int rv, pad;

#ifdef FIPS_MODE
    rv = dh_compute_key(libctx, key, pub_key, dh);
#else
    rv = dh->meth->compute_key(key, pub_key, dh);
#endif
    if (rv <= 0)
        return rv;
    pad = BN_num_bytes(dh->p) - rv;
    if (pad > 0) {
        memmove(key + pad, key, rv);
        memset(key, 0, pad);
    }
    return rv + pad;
}

#ifndef FIPS_MODE
int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
    return dh->meth->compute_key(key, pub_key, dh);
}

int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
    return dh_compute_key_padded(NULL, key, pub_key, dh);
}
#endif

static DH_METHOD dh_ossl = {
    "OpenSSL DH Method",
#ifndef FIPS_MODE
    generate_key,
#else
    NULL, /* TODO(3.0) : solve this in a keygen related PR */
#endif
    compute_key,
    dh_bn_mod_exp,
    dh_init,
    dh_finish,
    DH_FLAG_FIPS_METHOD,
    NULL,
    NULL
};

static const DH_METHOD *default_DH_method = &dh_ossl;

const DH_METHOD *DH_OpenSSL(void)
{
    return &dh_ossl;
}

const DH_METHOD *DH_get_default_method(void)
{
    return default_DH_method;
}

static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                         const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
    return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}

static int dh_init(DH *dh)
{
    dh->flags |= DH_FLAG_CACHE_MONT_P;
    return 1;
}

static int dh_finish(DH *dh)
{
    BN_MONT_CTX_free(dh->method_mont_p);
    return 1;
}

#ifndef FIPS_MODE

void DH_set_default_method(const DH_METHOD *meth)
{
    default_DH_method = meth;
}

int DH_generate_key(DH *dh)
{
    return dh->meth->generate_key(dh);
}

static int generate_key(DH *dh)
{
    int ok = 0;
    int generate_new_key = 0;
    unsigned l;
    BN_CTX *ctx = NULL;
    BN_MONT_CTX *mont = NULL;
    BIGNUM *pub_key = NULL, *priv_key = NULL;

    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
        return 0;
    }

    if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_SMALL);
        return 0;
    }

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;

    if (dh->priv_key == NULL) {
        priv_key = BN_secure_new();
        if (priv_key == NULL)
            goto err;
        generate_new_key = 1;
    } else
        priv_key = dh->priv_key;

    if (dh->pub_key == NULL) {
        pub_key = BN_new();
        if (pub_key == NULL)
            goto err;
    } else
        pub_key = dh->pub_key;

    if (dh->flags & DH_FLAG_CACHE_MONT_P) {
        mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                                      dh->lock, dh->p, ctx);
        if (!mont)
            goto err;
    }

    if (generate_new_key) {
        if (dh->q) {
            do {
                if (!BN_priv_rand_range(priv_key, dh->q))
                    goto err;
            }
            while (BN_is_zero(priv_key) || BN_is_one(priv_key));
        } else {
            /* secret exponent length */
            l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
            if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
                goto err;
            /*
             * We handle just one known case where g is a quadratic non-residue:
             * for g = 2: p % 8 == 3
             */
            if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) {
                /* clear bit 0, since it won't be a secret anyway */
                if (!BN_clear_bit(priv_key, 0))
                    goto err;
            }
        }
    }

    {
        BIGNUM *prk = BN_new();

        if (prk == NULL)
            goto err;
        BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);

        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
            BN_clear_free(prk);
            goto err;
        }
        /* We MUST free prk before any further use of priv_key */
        BN_clear_free(prk);
    }

    dh->pub_key = pub_key;
    dh->priv_key = priv_key;
    dh->dirty_cnt++;
    ok = 1;
 err:
    if (ok != 1)
        DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);

    if (pub_key != dh->pub_key)
        BN_free(pub_key);
    if (priv_key != dh->priv_key)
        BN_free(priv_key);
    BN_CTX_free(ctx);
    return ok;
}

int dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
{
    int err_reason = DH_R_BN_ERROR;
    BIGNUM *pubkey = NULL;
    const BIGNUM *p;
    size_t p_size;

    if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
        goto err;
    DH_get0_pqg(dh, &p, NULL, NULL);
    if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
        err_reason = DH_R_NO_PARAMETERS_SET;
        goto err;
    }
    /*
     * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
     * public key is of size not equal to size of p
     */
    if (BN_is_zero(pubkey) || p_size != len) {
        err_reason = DH_R_INVALID_PUBKEY;
        goto err;
    }
    if (DH_set0_key(dh, pubkey, NULL) != 1)
        goto err;
    return 1;
err:
    DHerr(DH_F_DH_BUF2KEY, err_reason);
    BN_free(pubkey);
    return 0;
}

size_t dh_key2buf(const DH *dh, unsigned char **pbuf_out)
{
    const BIGNUM *pubkey;
    unsigned char *pbuf;
    const BIGNUM *p;
    int p_size;

    DH_get0_pqg(dh, &p, NULL, NULL);
    DH_get0_key(dh, &pubkey, NULL);
    if (p == NULL || pubkey == NULL
            || (p_size = BN_num_bytes(p)) == 0
            || BN_num_bytes(pubkey) == 0) {
        DHerr(DH_F_DH_KEY2BUF, DH_R_INVALID_PUBKEY);
        return 0;
    }
    if ((pbuf = OPENSSL_malloc(p_size)) == NULL) {
        DHerr(DH_F_DH_KEY2BUF, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    /*
     * As per Section 4.2.8.1 of RFC 8446 left pad public
     * key with zeros to the size of p
     */
    if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
        OPENSSL_free(pbuf);
        DHerr(DH_F_DH_KEY2BUF, DH_R_BN_ERROR);
        return 0;
    }
    *pbuf_out = pbuf;
    return p_size;
}
#endif /* FIPS_MODE */
Commit	Line	Data
aa6bb135	1	/*
a38c878c	2	* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6	3	*
e38873f5	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
aa6bb135 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
d02b48c6 RE	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
706457b7	12	#include "dh_local.h"
25f2138b	13	#include "crypto/bn.h"
62f49b90	14	#include "crypto/dh.h"
d02b48c6	15
62f49b90	16	#ifndef FIPS_MODE
13066cee	17	static int generate_key(DH *dh);
62f49b90 SL	18	#endif /* FIPS_MODE */
62f49b90 SL	19
f971ccb2	20	static int dh_bn_mod_exp(const DH dh, BIGNUM r,
0f113f3e MC	21	const BIGNUM a, const BIGNUM p,
0f113f3e MC	22	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
13066cee DSH	23	static int dh_init(DH *dh);
	24	static int dh_finish(DH *dh);
	25
62f49b90 SL	26	int dh_compute_key(OPENSSL_CTX libctx, unsigned char key,
62f49b90 SL	27	const BIGNUM pub_key, DH dh)
0f113f3e	28	{
62f49b90 SL	29	BN_CTX *ctx = NULL;
	30	BN_MONT_CTX *mont = NULL;
	31	BIGNUM *tmp;
	32	int ret = -1;
	33	#ifndef FIPS_MODE
	34	int check_result;
	35	#endif
	36
	37	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
	38	DHerr(0, DH_R_MODULUS_TOO_LARGE);
	39	goto err;
	40	}
	41
	42	if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
	43	DHerr(0, DH_R_MODULUS_TOO_SMALL);
	44	return 0;
	45	}
	46
	47	ctx = BN_CTX_new_ex(libctx);
	48	if (ctx == NULL)
	49	goto err;
	50	BN_CTX_start(ctx);
	51	tmp = BN_CTX_get(ctx);
	52	if (tmp == NULL)
	53	goto err;
	54
	55	if (dh->priv_key == NULL) {
	56	DHerr(0, DH_R_NO_PRIVATE_VALUE);
	57	goto err;
	58	}
	59
	60	if (dh->flags & DH_FLAG_CACHE_MONT_P) {
	61	mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
	62	dh->lock, dh->p, ctx);
	63	BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
	64	if (!mont)
	65	goto err;
	66	}
	67	/* TODO(3.0) : Solve in a PR related to Key validation for DH */
	68	#ifndef FIPS_MODE
	69	if (!DH_check_pub_key(dh, pub_key, &check_result) \|\| check_result) {
	70	DHerr(0, DH_R_INVALID_PUBKEY);
	71	goto err;
	72	}
	73	#endif
	74	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key, dh->p, ctx,
	75	mont)) {
	76	DHerr(0, ERR_R_BN_LIB);
	77	goto err;
	78	}
	79
	80	ret = BN_bn2bin(tmp, key);
	81	err:
	82	BN_CTX_end(ctx);
	83	BN_CTX_free(ctx);
	84	return ret;
0f113f3e	85	}
13066cee	86
62f49b90	87	static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
0f113f3e	88	{
62f49b90	89	return dh_compute_key(NULL, key, pub_key, dh);
0f113f3e	90	}
13066cee	91
62f49b90 SL	92	int dh_compute_key_padded(OPENSSL_CTX libctx, unsigned char key,
62f49b90 SL	93	const BIGNUM pub_key, DH dh)
0f113f3e MC	94	{
0f113f3e MC	95	int rv, pad;
62f49b90 SL	96
	97	#ifdef FIPS_MODE
	98	rv = dh_compute_key(libctx, key, pub_key, dh);
	99	#else
0f113f3e	100	rv = dh->meth->compute_key(key, pub_key, dh);
62f49b90	101	#endif
0f113f3e MC	102	if (rv <= 0)
	103	return rv;
	104	pad = BN_num_bytes(dh->p) - rv;
	105	if (pad > 0) {
	106	memmove(key + pad, key, rv);
	107	memset(key, 0, pad);
	108	}
	109	return rv + pad;
	110	}
bc91494e	111
62f49b90 SL	112	#ifndef FIPS_MODE
	113	int DH_compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
	114	{
	115	return dh->meth->compute_key(key, pub_key, dh);
	116	}
	117
	118	int DH_compute_key_padded(unsigned char key, const BIGNUM pub_key, DH *dh)
	119	{
	120	return dh_compute_key_padded(NULL, key, pub_key, dh);
	121	}
	122	#endif
	123
13066cee	124	static DH_METHOD dh_ossl = {
0f113f3e	125	"OpenSSL DH Method",
62f49b90	126	#ifndef FIPS_MODE
0f113f3e	127	generate_key,
62f49b90 SL	128	#else
	129	NULL, /* TODO(3.0) : solve this in a keygen related PR */
	130	#endif
0f113f3e MC	131	compute_key,
	132	dh_bn_mod_exp,
	133	dh_init,
	134	dh_finish,
	135	DH_FLAG_FIPS_METHOD,
	136	NULL,
	137	NULL
13066cee DSH	138	};
13066cee DSH	139
076fc555 RS	140	static const DH_METHOD *default_DH_method = &dh_ossl;
076fc555 RS	141
f971ccb2	142	const DH_METHOD *DH_OpenSSL(void)
13066cee	143	{
0f113f3e	144	return &dh_ossl;
13066cee DSH	145	}
13066cee DSH	146
62f49b90 SL	147	const DH_METHOD *DH_get_default_method(void)
	148	{
	149	return default_DH_method;
	150	}
	151
	152	static int dh_bn_mod_exp(const DH dh, BIGNUM r,
	153	const BIGNUM a, const BIGNUM p,
	154	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx)
	155	{
	156	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
	157	}
	158
	159	static int dh_init(DH *dh)
	160	{
	161	dh->flags \|= DH_FLAG_CACHE_MONT_P;
	162	return 1;
	163	}
	164
	165	static int dh_finish(DH *dh)
	166	{
	167	BN_MONT_CTX_free(dh->method_mont_p);
	168	return 1;
	169	}
	170
	171	#ifndef FIPS_MODE
	172
076fc555 RS	173	void DH_set_default_method(const DH_METHOD *meth)
	174	{
	175	default_DH_method = meth;
	176	}
	177
62f49b90	178	int DH_generate_key(DH *dh)
076fc555	179	{
62f49b90	180	return dh->meth->generate_key(dh);
076fc555 RS	181	}
076fc555 RS	182
13066cee	183	static int generate_key(DH *dh)
0f113f3e MC	184	{
	185	int ok = 0;
	186	int generate_new_key = 0;
	187	unsigned l;
91f7361f	188	BN_CTX *ctx = NULL;
0f113f3e MC	189	BN_MONT_CTX *mont = NULL;
0f113f3e MC	190	BIGNUM pub_key = NULL, priv_key = NULL;
d02b48c6	191
91f7361f GV	192	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
	193	DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
	194	return 0;
	195	}
	196
6de1fe90 BE	197	if (BN_num_bits(dh->p) < DH_MIN_MODULUS_BITS) {
	198	DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_SMALL);
	199	return 0;
	200	}
	201
0f113f3e MC	202	ctx = BN_CTX_new();
	203	if (ctx == NULL)
	204	goto err;
d02b48c6	205
0f113f3e	206	if (dh->priv_key == NULL) {
74924dcb	207	priv_key = BN_secure_new();
0f113f3e MC	208	if (priv_key == NULL)
	209	goto err;
	210	generate_new_key = 1;
	211	} else
	212	priv_key = dh->priv_key;
d02b48c6	213
0f113f3e MC	214	if (dh->pub_key == NULL) {
	215	pub_key = BN_new();
	216	if (pub_key == NULL)
	217	goto err;
	218	} else
	219	pub_key = dh->pub_key;
d02b48c6	220
0f113f3e MC	221	if (dh->flags & DH_FLAG_CACHE_MONT_P) {
0f113f3e MC	222	mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
d188a536	223	dh->lock, dh->p, ctx);
0f113f3e MC	224	if (!mont)
	225	goto err;
	226	}
6ec8e63a	227
0f113f3e MC	228	if (generate_new_key) {
	229	if (dh->q) {
	230	do {
ddc6a5c8	231	if (!BN_priv_rand_range(priv_key, dh->q))
0f113f3e MC	232	goto err;
	233	}
	234	while (BN_is_zero(priv_key) \|\| BN_is_one(priv_key));
	235	} else {
	236	/* secret exponent length */
	237	l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
ddc6a5c8	238	if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
0f113f3e	239	goto err;
a38c878c BE	240	/*
	241	* We handle just one known case where g is a quadratic non-residue:
	242	* for g = 2: p % 8 == 3
	243	*/
	244	if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) {
	245	/* clear bit 0, since it won't be a secret anyway */
	246	if (!BN_clear_bit(priv_key, 0))
	247	goto err;
	248	}
0f113f3e MC	249	}
0f113f3e MC	250	}
dfeab068	251
0f113f3e	252	{
5584f65a	253	BIGNUM *prk = BN_new();
46a64376	254
5584f65a MC	255	if (prk == NULL)
	256	goto err;
	257	BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
46a64376	258
0f113f3e	259	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
a38c878c	260	BN_clear_free(prk);
0f113f3e MC	261	goto err;
0f113f3e MC	262	}
5584f65a	263	/* We MUST free prk before any further use of priv_key */
a38c878c	264	BN_clear_free(prk);
0f113f3e	265	}
46a64376	266
0f113f3e MC	267	dh->pub_key = pub_key;
0f113f3e MC	268	dh->priv_key = priv_key;
8b84b075	269	dh->dirty_cnt++;
0f113f3e MC	270	ok = 1;
	271	err:
	272	if (ok != 1)
	273	DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
d02b48c6	274
23a1d5e9	275	if (pub_key != dh->pub_key)
0f113f3e	276	BN_free(pub_key);
23a1d5e9	277	if (priv_key != dh->priv_key)
0f113f3e MC	278	BN_free(priv_key);
0f113f3e MC	279	BN_CTX_free(ctx);
26a7d938	280	return ok;
0f113f3e	281	}
d02b48c6	282
9aaecbfc	283	int dh_buf2key(DH dh, const unsigned char buf, size_t len)
	284	{
	285	int err_reason = DH_R_BN_ERROR;
	286	BIGNUM *pubkey = NULL;
	287	const BIGNUM *p;
	288	size_t p_size;
	289
	290	if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
	291	goto err;
	292	DH_get0_pqg(dh, &p, NULL, NULL);
	293	if (p == NULL \|\| (p_size = BN_num_bytes(p)) == 0) {
	294	err_reason = DH_R_NO_PARAMETERS_SET;
	295	goto err;
	296	}
	297	/*
	298	* As per Section 4.2.8.1 of RFC 8446 fail if DHE's
	299	* public key is of size not equal to size of p
	300	*/
	301	if (BN_is_zero(pubkey) \|\| p_size != len) {
	302	err_reason = DH_R_INVALID_PUBKEY;
	303	goto err;
	304	}
	305	if (DH_set0_key(dh, pubkey, NULL) != 1)
	306	goto err;
	307	return 1;
	308	err:
	309	DHerr(DH_F_DH_BUF2KEY, err_reason);
	310	BN_free(pubkey);
	311	return 0;
	312	}
	313
	314	size_t dh_key2buf(const DH dh, unsigned char *pbuf_out)
	315	{
	316	const BIGNUM *pubkey;
	317	unsigned char *pbuf;
	318	const BIGNUM *p;
	319	int p_size;
	320
	321	DH_get0_pqg(dh, &p, NULL, NULL);
	322	DH_get0_key(dh, &pubkey, NULL);
	323	if (p == NULL \|\| pubkey == NULL
	324	\|\| (p_size = BN_num_bytes(p)) == 0
	325	\|\| BN_num_bytes(pubkey) == 0) {
	326	DHerr(DH_F_DH_KEY2BUF, DH_R_INVALID_PUBKEY);
	327	return 0;
	328	}
	329	if ((pbuf = OPENSSL_malloc(p_size)) == NULL) {
	330	DHerr(DH_F_DH_KEY2BUF, ERR_R_MALLOC_FAILURE);
	331	return 0;
	332	}
	333	/*
	334	* As per Section 4.2.8.1 of RFC 8446 left pad public
	335	* key with zeros to the size of p
	336	*/
	337	if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) {
	338	OPENSSL_free(pbuf);
	339	DHerr(DH_F_DH_KEY2BUF, DH_R_BN_ERROR);
	340	return 0;
	341	}
	342	*pbuf_out = pbuf;
	343	return p_size;
	344	}
62f49b90	345	#endif /* FIPS_MODE */