2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 __RCSID("$Heimdal: dh.c 22397 2008-01-01 20:20:31Z lha $"
48 * @page page_dh DH - Diffie-Hellman key exchange
50 * Diffie-Hellman key exchange is a protocol that allows two parties
51 * to establish a shared secret key.
 * TODO: include an example of how to use DH_new() and friends here.
55 * See the library functions here: @ref hcrypto_dh
/**
 * Create a new DH object using DH_new_method(NULL), see DH_new_method().
 * The object is released with DH_free().
 *
 * @return a newly allocated DH object; callers should check for NULL.
 *
 * @ingroup hcrypto_dh
 */
DH *
DH_new(void)
{
    /* No ENGINE preference: let DH_new_method() pick the default. */
    return DH_new_method(NULL);
}
 * Create a new DH object from the given engine; if NULL is used,
 * the default engine is used. Free the DH object with DH_free().
 *
 * NOTE(review): when the chosen ENGINE yields no DH method, the error
 * path calls ENGINE_finish() on the `engine` argument, while the
 * reference actually taken is held in dh->engine. The two differ when
 * `engine` was NULL and ENGINE_get_default_DH() supplied the engine;
 * confirm that the default engine's reference is released on that path.
 *
 * @param engine The engine to use to allocate the DH object.
 *
 * @return a newly allocated DH object; callers should check for NULL.
84 DH_new_method(ENGINE
*engine
)
88 dh
= calloc(1, sizeof(*dh
));
95 ENGINE_up_ref(engine
);
98 dh
->engine
= ENGINE_get_default_DH();
102 dh
->meth
= ENGINE_get_DH(dh
->engine
);
103 if (dh
->meth
== NULL
) {
104 ENGINE_finish(engine
);
110 if (dh
->meth
== NULL
)
111 dh
->meth
= DH_get_default_method();
113 (*dh
->meth
->init
)(dh
);
 * Free a DH object and release related resources, like ENGINE, that
 * the object was using. Dropping the last reference runs the method's
 * finish hook, releases the ENGINE, frees the BIGNUM members and
 * zeroes the struct.
 *
 * NOTE(review): the private exponent is released with BN_free(), not a
 * clearing free, and the final memset() of the struct sits right before
 * the free and may be elided by the compiler — do not rely on DH_free()
 * to scrub key material.
 *
 * @param dh object to be freed.
 *
 * @ingroup hcrypto_dh
130 if (dh
->references
<= 0)
133 if (--dh
->references
> 0)
136 (*dh
->meth
->finish
)(dh
);
139 ENGINE_finish(dh
->engine
);
141 #define free_if(f) if (f) { BN_free(f); }
144 free_if(dh
->pub_key
);
145 free_if(dh
->priv_key
);
148 free_if(dh
->counter
);
151 memset(dh
, 0, sizeof(*dh
));
156 * Add a reference to the DH object. The object should be free with
157 * DH_free() to drop the reference.
 * @param dh the object to increase the reference count of.
161 * @return the updated reference count, can't safely be used except
162 * for debug printing.
164 * @ingroup hcrypto_dh
170 return ++dh
->references
;
/**
 * The maximum output size of the DH_compute_key() function.
 *
 * @param dh The DH object to get the size from.
 *
 * @return the maximum size in bytes of the out data.
 *
 * @ingroup hcrypto_dh
 */
int
DH_size(const DH *dh)
{
    /* The shared secret never needs more bytes than the prime p itself. */
    const BIGNUM *prime = dh->p;

    return BN_num_bytes(prime);
}
/**
 * Set the data index idx in the DH object to data.
 *
 * Only one ex_data slot (ex_data.sk) exists on the DH object, so idx
 * does not select a slot: every index stores into the same place.
 *
 * @param dh DH object.
 * @param idx index to set the data for (not used to select a slot).
 * @param data data to store for the index idx.
 *
 * @return 1 on success.
 *
 * @ingroup hcrypto_dh
 */
int
DH_set_ex_data(DH *dh, int idx, void *data)
{
    (void)idx;                  /* single slot, see above */
    dh->ex_data.sk = data;
    return 1;
}
/**
 * Get the data for index idx in the DH object.
 *
 * Mirrors DH_set_ex_data(): there is a single ex_data slot, so idx is
 * not used to select one.
 *
 * @param dh DH object.
 * @param idx index to get the data for (not used to select a slot).
 *
 * @return the object stored in index idx
 *
 * @ingroup hcrypto_dh
 */
void *
DH_get_ex_data(DH *dh, int idx)
{
    (void)idx;                  /* single slot, see above */
    return dh->ex_data.sk;
}
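/**
 * Generate DH group parameters for the DH object from the given
 * parameters.
 *
 * The work is delegated to the installed DH_METHOD's generate_params
 * hook; a method without that hook cannot generate parameters and the
 * call fails.
 *
 * @param dh The DH object to generate parameters for.
 * @param prime_len length of the prime
 * @param generator generator, g
 * @param cb Callback parameters to show progress, can be NULL.
 *
 * @return 1 on success, 0 on failure (including when the method
 * provides no generate_params hook).
 *
 * @ingroup hcrypto_dh
 */
int
DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb)
{
    const DH_METHOD *meth = dh->meth;

    /* No hook means no way to generate parameters: report failure. */
    if (meth->generate_params == NULL)
        return 0;

    return meth->generate_params(dh, prime_len, generator, cb);
}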
 * Check that a peer's public key is sane before it is used in
 * DH_compute_key(): it must not be negative, must lie strictly between
 * 1 and p - 1 (small-subgroup protection) and, when g == 2, must have
 * more than one bit set.
 *
 * @param dh the local peer DH parameters.
 * @param pub_key the remote peer public key.
 * @param codes receives the DH_CHECK_PUBKEY_* flags describing why
 *        pub_key was rejected. Callers must test *codes as well as the
 *        return value, as DH_compute_key() does.
 *
 * @return 1 on success, 0 on failure; *codes is set to the combined
 * failure flags for the public key.
 *
 * NOTE(review): the BN_uadd() computing pub_key + 1 for the upper-bound
 * test is not checked for failure; confirm sum is valid before it is
 * compared against p.
260 DH_check_pubkey(const DH
*dh
, const BIGNUM
*pub_key
, int *codes
)
262 BIGNUM
*bn
= NULL
, *sum
= NULL
;
268 * Checks that the function performs are:
269 * - pub_key is not negative
272 if (BN_is_negative(pub_key
))
 * - pub_key > 1 and pub_key < p - 1,
 *   to avoid small-subgroup attacks (0, 1 and p - 1 generate
 *   subgroups of order 1 or 2, making the shared secret predictable).
284 if (!BN_set_word(bn
, 1))
287 if (BN_cmp(bn
, pub_key
) >= 0)
288 *codes
|= DH_CHECK_PUBKEY_TOO_SMALL
;
294 BN_uadd(sum
, pub_key
, bn
);
296 if (BN_cmp(sum
, dh
->p
) >= 0)
297 *codes
|= DH_CHECK_PUBKEY_TOO_LARGE
;
 * - if g == 2, pub_key must have more than one bit set:
 *   with a single bit set, log_2(pub_key) is trivial.
 *   NOTE(review): the guard below compares the constant 2 against
 *   pub_key rather than against dh->g, so as written this branch only
 *   runs when pub_key itself equals 2 — confirm it should test dh->g.
304 if (!BN_set_word(bn
, 2))
307 if (BN_cmp(bn
, pub_key
) == 0) {
308 unsigned i
, n
= BN_num_bits(pub_key
);
311 for (i
= 0; i
<= n
; i
++)
312 if (BN_is_bit_set(pub_key
, i
))
316 *codes
|= DH_CHECK_PUBKEY_TOO_SMALL
;
/**
 * Generate a new DH private-public key pair. The dh parameter must be
 * allocated first with DH_new(); dh->p and dh->g must be set.
 *
 * @param dh dh parameter.
 *
 * @return 1 on success.
 *
 * @ingroup hcrypto_dh
 */
int
DH_generate_key(DH *dh)
{
    /* Key generation is entirely the installed method's job. */
    const DH_METHOD *meth = dh->meth;

    return meth->generate_key(dh);
}
 * Compute the shared secret key.
 *
 * The peer's public key is first validated with DH_check_pubkey(); the
 * computation is refused unless that check succeeds with no
 * DH_CHECK_PUBKEY_* flag set, so a peer cannot steer the secret into a
 * small subgroup by sending a negative value, 0, 1, or anything >= p - 1.
 *
 * @param shared_key the resulting shared key, must be at least
 *        DH_size(dh) bytes long.
 * @param peer_pub_key the peer's public key.
 * @param dh the dh key pair.
 *
 * @return 1 on success.
 *
 * @ingroup hcrypto_dh
362 DH_compute_key(unsigned char *shared_key
,
363 const BIGNUM
*peer_pub_key
, DH
*dh
)
368 * Checks that the pubkey passed in is valid using
372 if (!DH_check_pubkey(dh
, peer_pub_key
, &codes
) || codes
!= 0)
375 return dh
->meth
->compute_key(shared_key
, peer_pub_key
, dh
);
 * Set a new method for the DH keypair.
 *
 * The current method's finish hook is run and the ENGINE reference is
 * released before the new method's init hook is invoked unconditionally,
 * so `method` must supply an init callback; engine-backed state is
 * dropped rather than carried over.
 *
 * @param dh dh parameter.
 * @param method the new method for the DH parameter.
 *
 * @return 1 on success.
 *
 * @ingroup hcrypto_dh
390 DH_set_method(DH
*dh
, const DH_METHOD
*method
)
392 (*dh
->meth
->finish
)(dh
);
394 ENGINE_finish(dh
->engine
);
398 (*dh
->meth
->init
)(dh
);
407 dh_null_generate_key(DH
*dh
)
413 dh_null_compute_key(unsigned char *shared
,const BIGNUM
*pub
, DH
*dh
)
425 dh_null_finish(DH
*dh
)
431 dh_null_generate_params(DH
*dh
, int prime_num
, int len
, BN_GENCB
*cb
)
436 static const DH_METHOD dh_null_method
= {
438 dh_null_generate_key
,
445 dh_null_generate_params
/* Process-wide default DH implementation, replaceable via DH_set_default_method(). */
extern const DH_METHOD _hc_dh_imath_method;
static const DH_METHOD *dh_default_method = &_hc_dh_imath_method;
452 * Return the dummy DH implementation.
454 * @return pointer to a DH_METHOD.
456 * @ingroup hcrypto_dh
462 return &dh_null_method
;
/**
 * Set the default DH implementation, used by DH objects that get no
 * method from an ENGINE.
 *
 * @param meth pointer to a DH_METHOD.
 *
 * @ingroup hcrypto_dh
 */
void
DH_set_default_method(const DH_METHOD *meth)
{
    /* Not synchronised: intended to be set once at start-up. */
    dh_default_method = meth;
}
/**
 * Return the default DH implementation.
 *
 * @return pointer to a DH_METHOD.
 *
 * @ingroup hcrypto_dh
 */
const DH_METHOD *
DH_get_default_method(void)
{
    const DH_METHOD *current = dh_default_method;

    return current;
}