2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/rand.h>
14 #include "internal/bn_int.h"
16 static int generate_key(DH
*dh
);
17 static int compute_key(unsigned char *key
, const BIGNUM
*pub_key
, DH
*dh
);
18 static int dh_bn_mod_exp(const DH
*dh
, BIGNUM
*r
,
19 const BIGNUM
*a
, const BIGNUM
*p
,
20 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*m_ctx
);
21 static int dh_init(DH
*dh
);
22 static int dh_finish(DH
*dh
);
24 int DH_generate_key(DH
*dh
)
26 return dh
->meth
->generate_key(dh
);
29 int DH_compute_key(unsigned char *key
, const BIGNUM
*pub_key
, DH
*dh
)
31 return dh
->meth
->compute_key(key
, pub_key
, dh
);
34 int DH_compute_key_padded(unsigned char *key
, const BIGNUM
*pub_key
, DH
*dh
)
37 rv
= dh
->meth
->compute_key(key
, pub_key
, dh
);
40 pad
= BN_num_bytes(dh
->p
) - rv
;
42 memmove(key
+ pad
, key
, rv
);
48 static DH_METHOD dh_ossl
= {
60 const DH_METHOD
*DH_OpenSSL(void)
65 static int generate_key(DH
*dh
)
68 int generate_new_key
= 0;
71 BN_MONT_CTX
*mont
= NULL
;
72 BIGNUM
*pub_key
= NULL
, *priv_key
= NULL
;
78 if (dh
->priv_key
== NULL
) {
79 priv_key
= BN_secure_new();
84 priv_key
= dh
->priv_key
;
86 if (dh
->pub_key
== NULL
) {
91 pub_key
= dh
->pub_key
;
93 if (dh
->flags
& DH_FLAG_CACHE_MONT_P
) {
94 mont
= BN_MONT_CTX_set_locked(&dh
->method_mont_p
,
95 dh
->lock
, dh
->p
, ctx
);
100 if (generate_new_key
) {
103 if (!BN_rand_range(priv_key
, dh
->q
))
106 while (BN_is_zero(priv_key
) || BN_is_one(priv_key
));
108 /* secret exponent length */
109 l
= dh
->length
? dh
->length
: BN_num_bits(dh
->p
) - 1;
110 if (!BN_rand(priv_key
, l
, 0, 0))
116 BIGNUM
*local_prk
= NULL
;
119 if ((dh
->flags
& DH_FLAG_NO_EXP_CONSTTIME
) == 0) {
120 local_prk
= prk
= BN_new();
121 if (local_prk
== NULL
)
123 BN_with_flags(prk
, priv_key
, BN_FLG_CONSTTIME
);
128 if (!dh
->meth
->bn_mod_exp(dh
, pub_key
, dh
->g
, prk
, dh
->p
, ctx
, mont
)) {
132 /* We MUST free local_prk before any further use of priv_key */
136 dh
->pub_key
= pub_key
;
137 dh
->priv_key
= priv_key
;
141 DHerr(DH_F_GENERATE_KEY
, ERR_R_BN_LIB
);
143 if (pub_key
!= dh
->pub_key
)
145 if (priv_key
!= dh
->priv_key
)
151 static int compute_key(unsigned char *key
, const BIGNUM
*pub_key
, DH
*dh
)
154 BN_MONT_CTX
*mont
= NULL
;
159 if (BN_num_bits(dh
->p
) > OPENSSL_DH_MAX_MODULUS_BITS
) {
160 DHerr(DH_F_COMPUTE_KEY
, DH_R_MODULUS_TOO_LARGE
);
168 tmp
= BN_CTX_get(ctx
);
170 if (dh
->priv_key
== NULL
) {
171 DHerr(DH_F_COMPUTE_KEY
, DH_R_NO_PRIVATE_VALUE
);
175 if (dh
->flags
& DH_FLAG_CACHE_MONT_P
) {
176 mont
= BN_MONT_CTX_set_locked(&dh
->method_mont_p
,
177 dh
->lock
, dh
->p
, ctx
);
178 if ((dh
->flags
& DH_FLAG_NO_EXP_CONSTTIME
) == 0) {
180 BN_set_flags(dh
->priv_key
, BN_FLG_CONSTTIME
);
186 if (!DH_check_pub_key(dh
, pub_key
, &check_result
) || check_result
) {
187 DHerr(DH_F_COMPUTE_KEY
, DH_R_INVALID_PUBKEY
);
192 meth
->bn_mod_exp(dh
, tmp
, pub_key
, dh
->priv_key
, dh
->p
, ctx
, mont
)) {
193 DHerr(DH_F_COMPUTE_KEY
, ERR_R_BN_LIB
);
197 ret
= BN_bn2bin(tmp
, key
);
206 static int dh_bn_mod_exp(const DH
*dh
, BIGNUM
*r
,
207 const BIGNUM
*a
, const BIGNUM
*p
,
208 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*m_ctx
)
211 * If a is only one word long and constant time is false, use the faster
212 * exponentiation function.
214 if (bn_get_top(a
) == 1 && ((dh
->flags
& DH_FLAG_NO_EXP_CONSTTIME
) != 0)) {
215 BN_ULONG A
= bn_get_words(a
)[0];
216 return BN_mod_exp_mont_word(r
, A
, p
, m
, ctx
, m_ctx
);
218 return BN_mod_exp_mont(r
, a
, p
, m
, ctx
, m_ctx
);
221 static int dh_init(DH
*dh
)
223 dh
->flags
|= DH_FLAG_CACHE_MONT_P
;
227 static int dh_finish(DH
*dh
)
229 BN_MONT_CTX_free(dh
->method_mont_p
);