1/* crypto/dh/dh_key.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/rand.h>
63#include <openssl/dh.h>
64
65static int generate_key(DH *dh);
66static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
67static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
68			const BIGNUM *a, const BIGNUM *p,
69			const BIGNUM *m, BN_CTX *ctx,
70			BN_MONT_CTX *m_ctx);
71static int dh_init(DH *dh);
72static int dh_finish(DH *dh);
73
74int DH_generate_key(DH *dh)
75	{
76	return dh->meth->generate_key(dh);
77	}
78
79int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
80	{
81	return dh->meth->compute_key(key, pub_key, dh);
82	}
83
84static DH_METHOD dh_ossl = {
85"OpenSSL DH Method",
86generate_key,
87compute_key,
88dh_bn_mod_exp,
89dh_init,
90dh_finish,
910,
92NULL,
93NULL
94};
95
96const DH_METHOD *DH_OpenSSL(void)
97{
98	return &dh_ossl;
99}
100
101static int generate_key(DH *dh)
102	{
103	int ok=0;
104	int generate_new_key=0;
105	unsigned l;
106	BN_CTX *ctx;
107	BN_MONT_CTX *mont=NULL;
108	BIGNUM *pub_key=NULL,*priv_key=NULL;
109
110	ctx = BN_CTX_new();
111	if (ctx == NULL) goto err;
112
113	if (dh->priv_key == NULL)
114		{
115		priv_key=BN_new();
116		if (priv_key == NULL) goto err;
117		generate_new_key=1;
118		}
119	else
120		priv_key=dh->priv_key;
121
122	if (dh->pub_key == NULL)
123		{
124		pub_key=BN_new();
125		if (pub_key == NULL) goto err;
126		}
127	else
128		pub_key=dh->pub_key;
129
130
131	if (dh->flags & DH_FLAG_CACHE_MONT_P)
132		{
133		mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
134				CRYPTO_LOCK_DH, dh->p, ctx);
135		if (!mont)
136			goto err;
137		}
138
139	if (generate_new_key)
140		{
141		l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
142		if (!BN_rand(priv_key, l, 0, 0)) goto err;
143		}
144
145	{
146		BIGNUM local_prk;
147		BIGNUM *prk;
148
149		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
150			{
151			BN_init(&local_prk);
152			prk = &local_prk;
153			BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
154			}
155		else
156			prk = priv_key;
157
158		if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
159	}
160
161	dh->pub_key=pub_key;
162	dh->priv_key=priv_key;
163	ok=1;
164err:
165	if (ok != 1)
166		DHerr(DH_F_GENERATE_KEY,ERR_R_BN_LIB);
167
168	if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
169	if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
170	BN_CTX_free(ctx);
171	return(ok);
172	}
173
174static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
175	{
176	BN_CTX *ctx=NULL;
177	BN_MONT_CTX *mont=NULL;
178	BIGNUM *tmp;
179	int ret= -1;
180        int check_result;
181
182	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
183		{
184		DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
185		goto err;
186		}
187
188	ctx = BN_CTX_new();
189	if (ctx == NULL) goto err;
190	BN_CTX_start(ctx);
191	tmp = BN_CTX_get(ctx);
192
193	if (dh->priv_key == NULL)
194		{
195		DHerr(DH_F_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
196		goto err;
197		}
198
199	if (dh->flags & DH_FLAG_CACHE_MONT_P)
200		{
201		mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
202				CRYPTO_LOCK_DH, dh->p, ctx);
203		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
204			{
205			/* XXX */
206			BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
207			}
208		if (!mont)
209			goto err;
210		}
211
212        if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result)
213		{
214		DHerr(DH_F_COMPUTE_KEY,DH_R_INVALID_PUBKEY);
215		goto err;
216		}
217
218	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
219		{
220		DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB);
221		goto err;
222		}
223
224	ret=BN_bn2bin(tmp,key);
225err:
226	if (ctx != NULL)
227		{
228		BN_CTX_end(ctx);
229		BN_CTX_free(ctx);
230		}
231	return(ret);
232	}
233
234static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
235			const BIGNUM *a, const BIGNUM *p,
236			const BIGNUM *m, BN_CTX *ctx,
237			BN_MONT_CTX *m_ctx)
238	{
239	/* If a is only one word long and constant time is false, use the faster
240	 * exponenentiation function.
241	 */
242	if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
243		{
244		BN_ULONG A = a->d[0];
245		return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
246		}
247	else
248		return BN_mod_exp_mont(r,a,p,m,ctx,m_ctx);
249	}
250
251
252static int dh_init(DH *dh)
253	{
254	dh->flags |= DH_FLAG_CACHE_MONT_P;
255	return(1);
256	}
257
258static int dh_finish(DH *dh)
259	{
260	if(dh->method_mont_p)
261		BN_MONT_CTX_free(dh->method_mont_p);
262	return(1);
263	}
264