PolarSSL v1.3.9
dhm.c
Go to the documentation of this file.
1 /*
2  * Diffie-Hellman-Merkle key exchange
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * Reference:
27  *
28  * http://www.cacr.math.uwaterloo.ca/hac/ (chapter 12)
29  */
30 
31 #if !defined(POLARSSL_CONFIG_FILE)
32 #include "polarssl/config.h"
33 #else
34 #include POLARSSL_CONFIG_FILE
35 #endif
36 
37 #if defined(POLARSSL_DHM_C)
38 
39 #include "polarssl/dhm.h"
40 
41 #if defined(POLARSSL_PEM_PARSE_C)
42 #include "polarssl/pem.h"
43 #endif
44 
45 #if defined(POLARSSL_ASN1_PARSE_C)
46 #include "polarssl/asn1.h"
47 #endif
48 
49 #if defined(POLARSSL_PLATFORM_C)
50 #include "polarssl/platform.h"
51 #else
52 #include <stdlib.h>
53 #define polarssl_printf printf
54 #define polarssl_malloc malloc
55 #define polarssl_free free
56 #endif
57 
58 /* Implementation that should never be optimized out by the compiler */
59 static void polarssl_zeroize( void *v, size_t n ) {
60  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
61 }
62 
63 /*
64  * helper to validate the mpi size and import it
65  */
66 static int dhm_read_bignum( mpi *X,
67  unsigned char **p,
68  const unsigned char *end )
69 {
70  int ret, n;
71 
72  if( end - *p < 2 )
74 
75  n = ( (*p)[0] << 8 ) | (*p)[1];
76  (*p) += 2;
77 
78  if( (int)( end - *p ) < n )
80 
81  if( ( ret = mpi_read_binary( X, *p, n ) ) != 0 )
83 
84  (*p) += n;
85 
86  return( 0 );
87 }
88 
89 /*
90  * Verify sanity of parameter with regards to P
91  *
92  * Parameter should be: 2 <= public_param <= P - 2
93  *
94  * For more information on the attack, see:
95  * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
96  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
97  */
98 static int dhm_check_range( const mpi *param, const mpi *P )
99 {
100  mpi L, U;
102 
103  mpi_init( &L ); mpi_init( &U );
104 
105  MPI_CHK( mpi_lset( &L, 2 ) );
106  MPI_CHK( mpi_sub_int( &U, P, 2 ) );
107 
108  if( mpi_cmp_mpi( param, &L ) >= 0 &&
109  mpi_cmp_mpi( param, &U ) <= 0 )
110  {
111  ret = 0;
112  }
113 
114 cleanup:
115  mpi_free( &L ); mpi_free( &U );
116  return( ret );
117 }
118 
119 void dhm_init( dhm_context *ctx )
120 {
121  memset( ctx, 0, sizeof( dhm_context ) );
122 }
123 
124 /*
125  * Parse the ServerKeyExchange parameters
126  */
127 int dhm_read_params( dhm_context *ctx,
128  unsigned char **p,
129  const unsigned char *end )
130 {
131  int ret;
132 
133  if( ( ret = dhm_read_bignum( &ctx->P, p, end ) ) != 0 ||
134  ( ret = dhm_read_bignum( &ctx->G, p, end ) ) != 0 ||
135  ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
136  return( ret );
137 
138  if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
139  return( ret );
140 
141  ctx->len = mpi_size( &ctx->P );
142 
143  return( 0 );
144 }
145 
146 /*
147  * Setup and write the ServerKeyExchange parameters
148  */
149 int dhm_make_params( dhm_context *ctx, int x_size,
150  unsigned char *output, size_t *olen,
151  int (*f_rng)(void *, unsigned char *, size_t),
152  void *p_rng )
153 {
154  int ret, count = 0;
155  size_t n1, n2, n3;
156  unsigned char *p;
157 
158  if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
160 
161  /*
162  * Generate X as large as possible ( < P )
163  */
164  do
165  {
166  mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
167 
168  while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
169  MPI_CHK( mpi_shift_r( &ctx->X, 1 ) );
170 
171  if( count++ > 10 )
173  }
174  while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
175 
176  /*
177  * Calculate GX = G^X mod P
178  */
179  MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
180  &ctx->P , &ctx->RP ) );
181 
182  if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
183  return( ret );
184 
185  /*
186  * export P, G, GX
187  */
188 #define DHM_MPI_EXPORT(X,n) \
189  MPI_CHK( mpi_write_binary( X, p + 2, n ) ); \
190  *p++ = (unsigned char)( n >> 8 ); \
191  *p++ = (unsigned char)( n ); p += n;
192 
193  n1 = mpi_size( &ctx->P );
194  n2 = mpi_size( &ctx->G );
195  n3 = mpi_size( &ctx->GX );
196 
197  p = output;
198  DHM_MPI_EXPORT( &ctx->P , n1 );
199  DHM_MPI_EXPORT( &ctx->G , n2 );
200  DHM_MPI_EXPORT( &ctx->GX, n3 );
201 
202  *olen = p - output;
203 
204  ctx->len = n1;
205 
206 cleanup:
207 
208  if( ret != 0 )
209  return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED + ret );
210 
211  return( 0 );
212 }
213 
214 /*
215  * Import the peer's public value G^Y
216  */
217 int dhm_read_public( dhm_context *ctx,
218  const unsigned char *input, size_t ilen )
219 {
220  int ret;
221 
222  if( ctx == NULL || ilen < 1 || ilen > ctx->len )
224 
225  if( ( ret = mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
226  return( POLARSSL_ERR_DHM_READ_PUBLIC_FAILED + ret );
227 
228  return( 0 );
229 }
230 
231 /*
232  * Create own private value X and export G^X
233  */
234 int dhm_make_public( dhm_context *ctx, int x_size,
235  unsigned char *output, size_t olen,
236  int (*f_rng)(void *, unsigned char *, size_t),
237  void *p_rng )
238 {
239  int ret, count = 0;
240 
241  if( ctx == NULL || olen < 1 || olen > ctx->len )
243 
244  if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
246 
247  /*
248  * generate X and calculate GX = G^X mod P
249  */
250  do
251  {
252  mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
253 
254  while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
255  MPI_CHK( mpi_shift_r( &ctx->X, 1 ) );
256 
257  if( count++ > 10 )
259  }
260  while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
261 
262  MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
263  &ctx->P , &ctx->RP ) );
264 
265  if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
266  return( ret );
267 
268  MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );
269 
270 cleanup:
271 
272  if( ret != 0 )
273  return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
274 
275  return( 0 );
276 }
277 
278 /*
279  * Use the blinding method and optimisation suggested in section 10 of:
280  * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
281  * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
282  * Berlin Heidelberg, 1996. p. 104-113.
283  */
284 static int dhm_update_blinding( dhm_context *ctx,
285  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
286 {
287  int ret, count;
288 
289  /*
290  * Don't use any blinding the first time a particular X is used,
291  * but remember it to use blinding next time.
292  */
293  if( mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
294  {
295  MPI_CHK( mpi_copy( &ctx->pX, &ctx->X ) );
296  MPI_CHK( mpi_lset( &ctx->Vi, 1 ) );
297  MPI_CHK( mpi_lset( &ctx->Vf, 1 ) );
298 
299  return( 0 );
300  }
301 
302  /*
303  * Ok, we need blinding. Can we re-use existing values?
304  * If yes, just update them by squaring them.
305  */
306  if( mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
307  {
308  MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
309  MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
310 
311  MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
312  MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
313 
314  return( 0 );
315  }
316 
317  /*
318  * We need to generate blinding values from scratch
319  */
320 
321  /* Vi = random( 2, P-1 ) */
322  count = 0;
323  do
324  {
325  mpi_fill_random( &ctx->Vi, mpi_size( &ctx->P ), f_rng, p_rng );
326 
327  while( mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
328  MPI_CHK( mpi_shift_r( &ctx->Vi, 1 ) );
329 
330  if( count++ > 10 )
332  }
333  while( mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
334 
335  /* Vf = Vi^-X mod P */
336  MPI_CHK( mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
337  MPI_CHK( mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
338 
339 cleanup:
340  return( ret );
341 }
342 
343 /*
344  * Derive and export the shared secret (G^Y)^X mod P
345  */
346 int dhm_calc_secret( dhm_context *ctx,
347  unsigned char *output, size_t *olen,
348  int (*f_rng)(void *, unsigned char *, size_t),
349  void *p_rng )
350 {
351  int ret;
352  mpi GYb;
353 
354  if( ctx == NULL || *olen < ctx->len )
356 
357  if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
358  return( ret );
359 
360  mpi_init( &GYb );
361 
362  /* Blind peer's value */
363  if( f_rng != NULL )
364  {
365  MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
366  MPI_CHK( mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
367  MPI_CHK( mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
368  }
369  else
370  MPI_CHK( mpi_copy( &GYb, &ctx->GY ) );
371 
372  /* Do modular exponentiation */
373  MPI_CHK( mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
374  &ctx->P, &ctx->RP ) );
375 
376  /* Unblind secret value */
377  if( f_rng != NULL )
378  {
379  MPI_CHK( mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
380  MPI_CHK( mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
381  }
382 
383  *olen = mpi_size( &ctx->K );
384 
385  MPI_CHK( mpi_write_binary( &ctx->K, output, *olen ) );
386 
387 cleanup:
388  mpi_free( &GYb );
389 
390  if( ret != 0 )
391  return( POLARSSL_ERR_DHM_CALC_SECRET_FAILED + ret );
392 
393  return( 0 );
394 }
395 
396 /*
397  * Free the components of a DHM key
398  */
399 void dhm_free( dhm_context *ctx )
400 {
401  mpi_free( &ctx->pX); mpi_free( &ctx->Vf ); mpi_free( &ctx->Vi );
402  mpi_free( &ctx->RP ); mpi_free( &ctx->K ); mpi_free( &ctx->GY );
403  mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
404  mpi_free( &ctx->P );
405 
406  polarssl_zeroize( ctx, sizeof( dhm_context ) );
407 }
408 
409 #if defined(POLARSSL_ASN1_PARSE_C)
410 /*
411  * Parse DHM parameters
412  */
413 int dhm_parse_dhm( dhm_context *dhm, const unsigned char *dhmin,
414  size_t dhminlen )
415 {
416  int ret;
417  size_t len;
418  unsigned char *p, *end;
419 #if defined(POLARSSL_PEM_PARSE_C)
420  pem_context pem;
421 
422  pem_init( &pem );
423 
424  ret = pem_read_buffer( &pem,
425  "-----BEGIN DH PARAMETERS-----",
426  "-----END DH PARAMETERS-----",
427  dhmin, NULL, 0, &dhminlen );
428 
429  if( ret == 0 )
430  {
431  /*
432  * Was PEM encoded
433  */
434  dhminlen = pem.buflen;
435  }
437  goto exit;
438 
439  p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
440 #else
441  p = (unsigned char *) dhmin;
442 #endif /* POLARSSL_PEM_PARSE_C */
443  end = p + dhminlen;
444 
445  /*
446  * DHParams ::= SEQUENCE {
447  * prime INTEGER, -- P
448  * generator INTEGER, -- g
449  * }
450  */
451  if( ( ret = asn1_get_tag( &p, end, &len,
452  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
453  {
455  goto exit;
456  }
457 
458  end = p + len;
459 
460  if( ( ret = asn1_get_mpi( &p, end, &dhm->P ) ) != 0 ||
461  ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
462  {
464  goto exit;
465  }
466 
467  if( p != end )
468  {
471  goto exit;
472  }
473 
474  ret = 0;
475 
476  dhm->len = mpi_size( &dhm->P );
477 
478 exit:
479 #if defined(POLARSSL_PEM_PARSE_C)
480  pem_free( &pem );
481 #endif
482  if( ret != 0 )
483  dhm_free( dhm );
484 
485  return( ret );
486 }
487 
488 #if defined(POLARSSL_FS_IO)
489 /*
490  * Load all data from a file into a given buffer.
491  */
492 static int load_file( const char *path, unsigned char **buf, size_t *n )
493 {
494  FILE *f;
495  long size;
496 
497  if( ( f = fopen( path, "rb" ) ) == NULL )
499 
500  fseek( f, 0, SEEK_END );
501  if( ( size = ftell( f ) ) == -1 )
502  {
503  fclose( f );
505  }
506  fseek( f, 0, SEEK_SET );
507 
508  *n = (size_t) size;
509 
510  if( *n + 1 == 0 ||
511  ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
512  {
513  fclose( f );
515  }
516 
517  if( fread( *buf, 1, *n, f ) != *n )
518  {
519  fclose( f );
520  polarssl_free( *buf );
522  }
523 
524  fclose( f );
525 
526  (*buf)[*n] = '\0';
527 
528  return( 0 );
529 }
530 
531 /*
532  * Load and parse DHM parameters
533  */
534 int dhm_parse_dhmfile( dhm_context *dhm, const char *path )
535 {
536  int ret;
537  size_t n;
538  unsigned char *buf;
539 
540  if( ( ret = load_file( path, &buf, &n ) ) != 0 )
541  return( ret );
542 
543  ret = dhm_parse_dhm( dhm, buf, n );
544 
545  polarssl_zeroize( buf, n + 1 );
546  polarssl_free( buf );
547 
548  return( ret );
549 }
550 #endif /* POLARSSL_FS_IO */
551 #endif /* POLARSSL_ASN1_PARSE_C */
552 
553 #if defined(POLARSSL_SELF_TEST)
554 
555 #include "polarssl/certs.h"
556 
557 /*
558  * Checkup routine
559  */
560 int dhm_self_test( int verbose )
561 {
562 #if defined(POLARSSL_CERTS_C)
563  int ret;
564  dhm_context dhm;
565 
566  dhm_init( &dhm );
567 
568  if( verbose != 0 )
569  polarssl_printf( " DHM parameter load: " );
570 
571  if( ( ret = dhm_parse_dhm( &dhm, (const unsigned char *) test_dhm_params,
572  strlen( test_dhm_params ) ) ) != 0 )
573  {
574  if( verbose != 0 )
575  polarssl_printf( "failed\n" );
576 
577  ret = 1;
578  goto exit;
579  }
580 
581  if( verbose != 0 )
582  polarssl_printf( "passed\n\n" );
583 
584 exit:
585  dhm_free( &dhm );
586 
587  return( ret );
588 #else
589  if( verbose != 0 )
590  polarssl_printf( " DHM parameter load: skipped\n" );
591 
592  return( 0 );
593 #endif /* POLARSSL_CERTS_C */
594 }
595 
596 #endif /* POLARSSL_SELF_TEST */
597 
598 #endif /* POLARSSL_DHM_C */
int mpi_cmp_int(const mpi *X, t_sint z)
Compare signed values.
#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED
Making of the public value failed.
Definition: dhm.h:39
mpi P
Definition: dhm.h:159
#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED
Making of the DHM parameters failed.
Definition: dhm.h:37
#define POLARSSL_ERR_DHM_INVALID_FORMAT
The ASN.1 data is not formatted correctly.
Definition: dhm.h:41
#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH
Actual length differs from expected length.
Definition: asn1.h:57
DHM context structure.
Definition: dhm.h:156
#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED
Calculation of the DHM secret failed.
Definition: dhm.h:40
int mpi_fill_random(mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI X with size bytes of random.
#define POLARSSL_ERR_DHM_MALLOC_FAILED
Allocation of memory failed.
Definition: dhm.h:42
int dhm_self_test(int verbose)
Checkup routine.
mpi GX
Definition: dhm.h:162
#define polarssl_free
Definition: platform.h:91
#define ASN1_SEQUENCE
Definition: asn1.h:82
Configuration options (set of defines)
mpi X
Definition: dhm.h:161
#define ASN1_CONSTRUCTED
Definition: asn1.h:92
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
MPI structure.
Definition: bignum.h:182
PolarSSL Platform abstraction layer.
void mpi_init(mpi *X)
Initialize one MPI.
int mpi_cmp_mpi(const mpi *X, const mpi *Y)
Compare signed values.
size_t len
Definition: dhm.h:158
int mpi_shift_r(mpi *X, size_t count)
Right-shift: X >>= count.
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
Generic ASN.1 parsing.
#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED
Reading of the public values failed.
Definition: dhm.h:38
Privacy Enhanced Mail (PEM) decoding.
mpi G
Definition: dhm.h:160
void dhm_init(dhm_context *ctx)
Initialize DHM context.
#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED
Reading of the DHM parameters failed.
Definition: dhm.h:36
int mpi_inv_mod(mpi *X, const mpi *A, const mpi *N)
Modular inverse: X = A^-1 mod N.
mpi GY
Definition: dhm.h:163
void mpi_free(mpi *X)
Unallocate one MPI.
Diffie-Hellman-Merkle key exchange.
int mpi_exp_mod(mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR)
Sliding-window exponentiation: X = A^E mod N.
mpi K
Definition: dhm.h:164
mpi RP
Definition: dhm.h:165
int mpi_read_binary(mpi *X, const unsigned char *buf, size_t buflen)
Import X from unsigned binary data, big endian.
mpi Vi
Definition: dhm.h:166
Sample certificates and DHM parameters for testing.
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define POLARSSL_ERR_DHM_FILE_IO_ERROR
Read/write of file failed.
Definition: dhm.h:43
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
int mpi_mod_mpi(mpi *R, const mpi *A, const mpi *B)
Modulo: R = A mod B.
int asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag)
Get the tag and length of the tag.
#define polarssl_printf
Definition: platform.h:109
int mpi_write_binary(const mpi *X, unsigned char *buf, size_t buflen)
Export X into unsigned binary data, big endian.
int dhm_parse_dhm(dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen)
Parse DHM parameters.
void dhm_free(dhm_context *ctx)
Free and clear the components of a DHM key.
#define POLARSSL_ERR_DHM_BAD_INPUT_DATA
Bad input parameters to function.
Definition: dhm.h:35
#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT
No PEM header or footer found.
Definition: pem.h:38
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
#define polarssl_malloc
Definition: platform.h:90
mpi pX
Definition: dhm.h:168
int asn1_get_mpi(unsigned char **p, const unsigned char *end, mpi *X)
Retrieve a MPI value from an integer ASN.1 tag.
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed subtraction: X = A - b.
mpi Vf
Definition: dhm.h:167
int dhm_parse_dhmfile(dhm_context *dhm, const char *path)
Load and parse DHM parameters.
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE
The input arguments are not acceptable.
Definition: bignum.h:62
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer's public value G^Y.
#define MPI_CHK(f)
Definition: bignum.h:65
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.