| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | DH_generate_key, DH_compute_key, DH_compute_key_padded - perform
|
|---|
| 6 | Diffie-Hellman key exchange
|
|---|
| 7 |
|
|---|
| 8 | =head1 SYNOPSIS
|
|---|
| 9 |
|
|---|
| 10 | #include <openssl/dh.h>
|
|---|
| 11 |
|
|---|
| 12 | The following functions have been deprecated since OpenSSL 3.0, and can be
|
|---|
| 13 | hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
|
|---|
| 14 | see L<openssl_user_macros(7)>:
|
|---|
| 15 |
|
|---|
| 16 | int DH_generate_key(DH *dh);
|
|---|
| 17 |
|
|---|
| 18 | int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
|
|---|
| 19 |
|
|---|
| 20 | int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh);
|
|---|
| 21 |
|
|---|
| 22 | =head1 DESCRIPTION
|
|---|
| 23 |
|
|---|
| 24 | All of the functions described on this page are deprecated.
|
|---|
| 25 | Applications should instead use L<EVP_PKEY_derive_init(3)>
|
|---|
| 26 | and L<EVP_PKEY_derive(3)>.
|
|---|
| 27 |
|
|---|
| 28 | DH_generate_key() performs the first step of a Diffie-Hellman key
|
|---|
| 29 | exchange by generating private and public DH values. By calling
|
|---|
| 30 | DH_compute_key() or DH_compute_key_padded(), these are combined with
|
|---|
| 31 | the other party's public value to compute the shared key.
|
|---|
| 32 |
|
|---|
| 33 | DH_generate_key() expects B<dh> to contain the shared parameters
|
|---|
| 34 | B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
|
|---|
| 35 | unless B<dh-E<gt>priv_key> is already set, and computes the
|
|---|
| 36 | corresponding public value B<dh-E<gt>pub_key>, which can then be
|
|---|
| 37 | published.
|
|---|
| 38 |
|
|---|
| 39 | DH_compute_key() computes the shared secret from the private DH value
|
|---|
| 40 | in B<dh> and the other party's public value in B<pub_key> and stores
|
|---|
| 41 | it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
|
|---|
| 42 | The padding style is RFC 5246 (8.1.2) that strips leading zero bytes.
|
|---|
| 43 | It is not constant time due to the leading zero bytes being stripped.
|
|---|
| 44 | The return value should be considered public.
|
|---|
| 45 |
|
|---|
| 46 | DH_compute_key_padded() is similar but stores a fixed number of bytes.
|
|---|
| 47 | The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes.
|
|---|
| 48 | It is constant time due to the leading zero bytes being retained.
|
|---|
| 49 | The return value should be considered public.
|
|---|
| 50 |
|
|---|
| 51 | =head1 RETURN VALUES
|
|---|
| 52 |
|
|---|
| 53 | DH_generate_key() returns 1 on success, 0 otherwise.
|
|---|
| 54 |
|
|---|
| 55 | DH_compute_key() returns the size of the shared secret on success, -1
|
|---|
| 56 | on error.
|
|---|
| 57 |
|
|---|
| 58 | DH_compute_key_padded() returns B<DH_size(dh)> on success, -1 on error.
|
|---|
| 59 |
|
|---|
| 60 | The error codes can be obtained by L<ERR_get_error(3)>.
|
|---|
| 61 |
|
|---|
| 62 | =head1 SEE ALSO
|
|---|
| 63 |
|
|---|
| 64 | L<EVP_PKEY_derive(3)>,
|
|---|
| 65 | L<DH_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<DH_size(3)>
|
|---|
| 66 |
|
|---|
| 67 | =head1 HISTORY
|
|---|
| 68 |
|
|---|
| 69 | DH_compute_key_padded() was added in OpenSSL 1.0.2.
|
|---|
| 70 |
|
|---|
| 71 | All of these functions were deprecated in OpenSSL 3.0.
|
|---|
| 72 |
|
|---|
| 73 | =head1 COPYRIGHT
|
|---|
| 74 |
|
|---|
| 75 | Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 76 |
|
|---|
| 77 | Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 78 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 79 | in the file LICENSE in the source distribution or at
|
|---|
| 80 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 81 |
|
|---|
| 82 | =cut
|
|---|
