diff options
| author | Billy Brumley <bbrumley@gmail.com> | 2021-01-08 13:45:49 +0200 |
|---|---|---|
| committer | Nicola Tuveri <nic.tuv@gmail.com> | 2021-01-10 21:58:39 +0200 |
| commit | 6e3ba20dc49ccbf12ff4c27a4d8b84dcbeb71654 (patch) | |
| tree | d721be08df7f857c86e30e5788b83689db1f725d /doc | |
| parent | 212d7118a788e332dae4123d40f65ea6e24044d2 (diff) | |
[crypto/dh] side channel hardening for computing DH shared keys (1.1.1)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13772)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man3/DH_generate_key.pod | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod index 297e7fbf47..fab14d77e8 100644 --- a/doc/man3/DH_generate_key.pod +++ b/doc/man3/DH_generate_key.pod @@ -2,7 +2,8 @@ =head1 NAME -DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange +DH_generate_key, DH_compute_key, DH_compute_key_padded - perform +Diffie-Hellman key exchange =head1 SYNOPSIS @@ -10,14 +11,16 @@ DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange int DH_generate_key(DH *dh); - int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); + + int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh); =head1 DESCRIPTION DH_generate_key() performs the first step of a Diffie-Hellman key exchange by generating private and public DH values. By calling -DH_compute_key(), these are combined with the other party's public -value to compute the shared key. +DH_compute_key() or DH_compute_key_padded(), these are combined with +the other party's public value to compute the shared key. DH_generate_key() expects B<dh> to contain the shared parameters B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value @@ -28,6 +31,14 @@ published. DH_compute_key() computes the shared secret from the private DH value in B<dh> and the other party's public value in B<pub_key> and stores it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory. +The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. +It is not constant time due to the leading zero bytes being stripped. +The return value should be considered public. + +DH_compute_key_padded() is similar but stores a fixed number of bytes. +The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes. +It is constant time due to the leading zero bytes being retained. +The return value should be considered public. =head1 RETURN VALUES @@ -36,12 +47,18 @@ DH_generate_key() returns 1 on success, 0 otherwise. DH_compute_key() returns the size of the shared secret on success, -1 on error. +DH_compute_key_padded() returns B<DH_size(dh)> on success, -1 on error. + The error codes can be obtained by L<ERR_get_error(3)>. =head1 SEE ALSO L<DH_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<DH_size(3)> +=head1 HISTORY + +DH_compute_key_padded() was added in OpenSSL 1.0.2. + =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. |