2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
44 BN2mpz(mp_int *s, const BIGNUM *bn)
49 len = BN_num_bytes(bn);
52 mp_read_unsigned_bin(s, p, len);
64 size = mp_unsigned_bin_size(s);
66 if (p == NULL && size != 0)
68 mp_to_unsigned_bin(s, p);
70 bn = BN_bin2bn(p, size, NULL);
79 #define DH_NUM_TRIES 10
82 ltm_dh_generate_key(DH *dh)
84 mp_int pub, priv_key, g, p;
85 int have_private_key = (dh->priv_key != NULL);
89 if (dh->p == NULL || dh->g == NULL)
92 while (times++ < DH_NUM_TRIES) {
93 if (!have_private_key) {
94 size_t bits = BN_num_bits(dh->p);
97 BN_free(dh->priv_key);
99 dh->priv_key = BN_new();
100 if (dh->priv_key == NULL)
102 if (!BN_rand(dh->priv_key, bits - 1, 0, 0)) {
103 BN_clear_free(dh->priv_key);
109 BN_free(dh->pub_key);
113 mp_init_multi(&pub, &priv_key, &g, &p, NULL);
115 BN2mpz(&priv_key, dh->priv_key);
119 res = mp_exptmod(&g, &priv_key, &p, &pub);
121 mp_clear_multi(&priv_key, &g, &p, NULL);
125 dh->pub_key = mpz2BN(&pub);
127 if (dh->pub_key == NULL)
130 if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0)
132 if (have_private_key)
136 if (times >= DH_NUM_TRIES) {
137 if (!have_private_key && dh->priv_key) {
138 BN_free(dh->priv_key);
142 BN_free(dh->pub_key);
152 ltm_dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh)
154 mp_int s, priv_key, p, peer_pub;
157 if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL)
160 mp_init_multi(&s, &priv_key, &p, &peer_pub, NULL);
162 BN2mpz(&peer_pub, pub);
164 /* check if peers pubkey is reasonable */
165 if (mp_isneg(&peer_pub)
166 || mp_cmp(&peer_pub, &p) >= 0
167 || mp_cmp_d(&peer_pub, 1) <= 0)
173 BN2mpz(&priv_key, dh->priv_key);
175 ret = mp_exptmod(&peer_pub, &priv_key, &p, &s);
182 ret = mp_unsigned_bin_size(&s);
183 mp_to_unsigned_bin(&s, shared);
186 mp_clear_multi(&s, &priv_key, &p, &peer_pub, NULL);
192 ltm_dh_generate_params(DH *dh, int a, int b, BN_GENCB *callback)
194 /* groups should already be known, we don't care about this */
205 ltm_dh_finish(DH *dh)
215 const DH_METHOD _hc_dh_ltm_method = {
224 ltm_dh_generate_params
228 * DH implementation using libtommath.
230 * @return the DH_METHOD for the DH implementation using libtommath.
232 * @ingroup hcrypto_dh
238 return &_hc_dh_ltm_method;