1/* crypto/dh/dh_key.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rand.h>
63#include <openssl/dh.h>
64
65#ifndef OPENSSL_FIPS
66
67static int generate_key(DH *dh);
68static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
69static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
70			const BIGNUM *a, const BIGNUM *p,
71			const BIGNUM *m, BN_CTX *ctx,
72			BN_MONT_CTX *m_ctx);
73static int dh_init(DH *dh);
74static int dh_finish(DH *dh);
75
76int DH_generate_key(DH *dh)
77	{
78	return dh->meth->generate_key(dh);
79	}
80
81int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
82	{
83	return dh->meth->compute_key(key, pub_key, dh);
84	}
85
86static DH_METHOD dh_ossl = {
87"OpenSSL DH Method",
88generate_key,
89compute_key,
90dh_bn_mod_exp,
91dh_init,
92dh_finish,
930,
94NULL
95};
96
97const DH_METHOD *DH_OpenSSL(void)
98{
99	return &dh_ossl;
100}
101
102static int generate_key(DH *dh)
103	{
104	int ok=0;
105	int generate_new_key=0;
106	unsigned l;
107	BN_CTX *ctx;
108	BN_MONT_CTX *mont;
109	BIGNUM *pub_key=NULL,*priv_key=NULL;
110
111	ctx = BN_CTX_new();
112	if (ctx == NULL) goto err;
113
114	if (dh->priv_key == NULL)
115		{
116		priv_key=BN_new();
117		if (priv_key == NULL) goto err;
118		generate_new_key=1;
119		}
120	else
121		priv_key=dh->priv_key;
122
123	if (dh->pub_key == NULL)
124		{
125		pub_key=BN_new();
126		if (pub_key == NULL) goto err;
127		}
128	else
129		pub_key=dh->pub_key;
130
131	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
132		{
133		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
134			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
135				dh->p,ctx)) goto err;
136		}
137	mont=(BN_MONT_CTX *)dh->method_mont_p;
138
139	if (generate_new_key)
140		{
141		l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
142		if (!BN_rand(priv_key, l, 0, 0)) goto err;
143		}
144	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
145		goto err;
146
147	dh->pub_key=pub_key;
148	dh->priv_key=priv_key;
149	ok=1;
150err:
151	if (ok != 1)
152		DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB);
153
154	if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
155	if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
156	BN_CTX_free(ctx);
157	return(ok);
158	}
159
160static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
161	{
162	BN_CTX *ctx;
163	BN_MONT_CTX *mont;
164	BIGNUM *tmp;
165	int ret= -1;
166
167	ctx = BN_CTX_new();
168	if (ctx == NULL) goto err;
169	BN_CTX_start(ctx);
170	tmp = BN_CTX_get(ctx);
171
172	if (dh->priv_key == NULL)
173		{
174		DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
175		goto err;
176		}
177	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
178		{
179		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
180			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
181				dh->p,ctx)) goto err;
182		}
183
184	mont=(BN_MONT_CTX *)dh->method_mont_p;
185	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
186		{
187		DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
188		goto err;
189		}
190
191	ret=BN_bn2bin(tmp,key);
192err:
193	BN_CTX_end(ctx);
194	BN_CTX_free(ctx);
195	return(ret);
196	}
197
198static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
199			const BIGNUM *a, const BIGNUM *p,
200			const BIGNUM *m, BN_CTX *ctx,
201			BN_MONT_CTX *m_ctx)
202	{
203	if (a->top == 1)
204		{
205		BN_ULONG A = a->d[0];
206		return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
207		}
208	else
209		return BN_mod_exp_mont(r,a,p,m,ctx,m_ctx);
210	}
211
212
213static int dh_init(DH *dh)
214	{
215	dh->flags |= DH_FLAG_CACHE_MONT_P;
216	return(1);
217	}
218
219static int dh_finish(DH *dh)
220	{
221	if(dh->method_mont_p)
222		BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
223	return(1);
224	}
225
226#endif
227