[crypto/dh] side channel hardening for computing DH shared keys Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13783)

commit: 22aa4a3afb53984201c84970ec03b251d0117f00 [log] [tgz]
author: Billy Brumley <bbrumley@gmail.com> Tue Jan 05 13:08:09 2021 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> Fri Jan 08 12:12:03 2021 +0100
tree: 83497733c346024d8f3cb6c0dd77c03684db335b
parent: d0afb30ef3950cacff50ec539e90073b95a276df [diff] [blame]
diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod
index 7cc9e84..c5b5861 100644
--- a/doc/man3/DH_generate_key.pod
+++ b/doc/man3/DH_generate_key.pod

@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange
+DH_generate_key, DH_compute_key, DH_compute_key_padded - perform
+Diffie-Hellman key exchange
 
 =head1 SYNOPSIS
 
@@ -14,18 +15,20 @@
 
  int DH_generate_key(DH *dh);
 
- int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+
+ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 
 =head1 DESCRIPTION
 
-Both of the functions described on this page are deprecated.
+All of the functions described on this page are deprecated.
 Applications should instead use L<EVP_PKEY_derive_init(3)>
 and L<EVP_PKEY_derive(3)>.
 
 DH_generate_key() performs the first step of a Diffie-Hellman key
 exchange by generating private and public DH values. By calling
-DH_compute_key(), these are combined with the other party's public
-value to compute the shared key.
+DH_compute_key() or DH_compute_key_padded(), these are combined with
+the other party's public value to compute the shared key.
 
 DH_generate_key() expects B<dh> to contain the shared parameters
 B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
@@ -36,6 +39,14 @@
 DH_compute_key() computes the shared secret from the private DH value
 in B<dh> and the other party's public value in B<pub_key> and stores
 it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
+The padding style is RFC 5246 (8.1.2) that strips leading zero bytes.
+It is not constant time due to the leading zero bytes being stripped.
+The return value should be considered public.
+
+DH_compute_key_padded() is similar but stores a fixed number of bytes.
+The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes.
+It is constant time due to the leading zero bytes being retained.
+The return value should be considered public.
 
 =head1 RETURN VALUES
 
@@ -44,6 +55,8 @@
 DH_compute_key() returns the size of the shared secret on success, -1
 on error.
 
+DH_compute_key_padded() returns B<DH_size(dh)> on success, -1 on error.
+
 The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
@@ -53,7 +66,9 @@
 
 =head1 HISTORY
 
-Both of these functions were deprecated in OpenSSL 3.0.
+DH_compute_key_padded() was added in OpenSSL 1.0.2.
+
+All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
commit	22aa4a3afb53984201c84970ec03b251d0117f00	[log] [tgz]
author	Billy Brumley <bbrumley@gmail.com>	Tue Jan 05 13:08:09 2021 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	Fri Jan 08 12:12:03 2021 +0100
tree	83497733c346024d8f3cb6c0dd77c03684db335b
parent	d0afb30ef3950cacff50ec539e90073b95a276df [diff] [blame]