LCOV - code coverage report
Current view: top level - crypto - s2n_dhe.c (source / functions) Hit Total Coverage
Test: unit_test_coverage.info Lines: 200 218 91.7 %
Date: 2026-07-04 07:27:58 Functions: 17 17 100.0 %
Branches: 92 280 32.9 %

           Branch data     Line data    Source code
       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include "crypto/s2n_dhe.h"
      17                 :            : 
      18                 :            : #include <openssl/bn.h>
      19                 :            : #include <openssl/dh.h>
      20                 :            : #include <openssl/evp.h>
      21                 :            : #include <stdint.h>
      22                 :            : 
      23                 :            : #include "crypto/s2n_openssl.h"
      24                 :            : #include "error/s2n_errno.h"
      25                 :            : #include "stuffer/s2n_stuffer.h"
      26                 :            : #include "utils/s2n_blob.h"
      27                 :            : #include "utils/s2n_mem.h"
      28                 :            : #include "utils/s2n_safety.h"
      29                 :            : 
      30                 :            : #define S2N_MIN_DH_PRIME_SIZE_BYTES (2048 / 8)
      31                 :            : 
      32                 :            : /* Caller is not responsible for freeing values returned by these accessors
      33                 :            :  * Per https://www.openssl.org/docs/man1.1.0/crypto/DH_get0_pqg.html
      34                 :            :  */
      35                 :            : static const BIGNUM *s2n_get_Ys_dh_param(struct s2n_dh_params *dh_params)
      36                 :        151 : {
      37                 :        151 :     const BIGNUM *Ys = NULL;
      38                 :            : 
      39                 :            : /* DH made opaque in Openssl 1.1.0 */
      40                 :        151 : #if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
      41                 :        151 :     DH_get0_key(dh_params->dh, &Ys, NULL);
      42                 :            : #else
      43                 :            :     Ys = dh_params->dh->pub_key;
      44                 :            : #endif
      45                 :            : 
      46                 :        151 :     return Ys;
      47                 :        151 : }
      48                 :            : 
      49                 :            : static const BIGNUM *s2n_get_p_dh_param(struct s2n_dh_params *dh_params)
      50                 :        362 : {
      51                 :        362 :     const BIGNUM *p = NULL;
      52                 :        362 : #if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
      53                 :        362 :     DH_get0_pqg(dh_params->dh, &p, NULL, NULL);
      54                 :            : #else
      55                 :            :     p = dh_params->dh->p;
      56                 :            : #endif
      57                 :            : 
      58                 :        362 :     return p;
      59                 :        362 : }
      60                 :            : 
      61                 :            : /* Pad the shared secret with leading zeros to a constant length equal to
      62                 :            :  * expected_size. DH_compute_key may return fewer bytes when the result has
      63                 :            :  * leading zeros, and a variable-length output could theoretically leak
      64                 :            :  * information about the shared secret via timing.
      65                 :            :  *
      66                 :            :  * DH_compute_key_padded exists to handle this, but is only available in
      67                 :            :  * certain libcrypto implementations (OpenSSL 1.1.0+). We pad manually
      68                 :            :  * for portability across all supported libcryptos.
      69                 :            :  */
      70                 :            : static void s2n_dh_pad_shared_secret(struct s2n_blob *shared_key, int computed_size, int expected_size)
      71                 :         48 : {
      72                 :         48 :     int padding = expected_size - computed_size;
      73                 :         48 :     memmove(shared_key->data + padding, shared_key->data, computed_size);
      74                 :         48 :     memset(shared_key->data, 0, padding);
      75                 :         48 :     shared_key->size = expected_size;
      76                 :         48 : }
      77                 :            : 
      78                 :            : static const BIGNUM *s2n_get_g_dh_param(struct s2n_dh_params *dh_params)
      79                 :        285 : {
      80                 :        285 :     const BIGNUM *g = NULL;
      81                 :        285 : #if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
      82                 :        285 :     DH_get0_pqg(dh_params->dh, NULL, NULL, &g);
      83                 :            : #else
      84                 :            :     g = dh_params->dh->g;
      85                 :            : #endif
      86                 :            : 
      87                 :        285 :     return g;
      88                 :        285 : }
      89                 :            : 
      90                 :            : static int s2n_check_p_g_dh_params(struct s2n_dh_params *dh_params)
      91                 :        260 : {
      92 [ -  + ][ #  # ]:        260 :     POSIX_ENSURE_REF(dh_params);
      93 [ -  + ][ #  # ]:        260 :     POSIX_ENSURE_REF(dh_params->dh);
      94                 :            : 
      95                 :        260 :     const BIGNUM *p = s2n_get_p_dh_param(dh_params);
      96                 :        260 :     const BIGNUM *g = s2n_get_g_dh_param(dh_params);
      97                 :            : 
      98 [ -  + ][ #  # ]:        260 :     POSIX_ENSURE_REF(g);
      99 [ #  # ][ -  + ]:        260 :     POSIX_ENSURE_REF(p);
     100                 :            : 
     101 [ -  + ][ #  # ]:        260 :     S2N_ERROR_IF(DH_size(dh_params->dh) < S2N_MIN_DH_PRIME_SIZE_BYTES, S2N_ERR_DH_PARAMS_CREATE);
     102 [ -  + ][ #  # ]:        260 :     S2N_ERROR_IF(BN_is_zero(g), S2N_ERR_DH_PARAMS_CREATE);
     103 [ -  + ][ #  # ]:        260 :     S2N_ERROR_IF(BN_is_zero(p), S2N_ERR_DH_PARAMS_CREATE);
     104                 :            : 
     105                 :        260 :     return S2N_SUCCESS;
     106                 :        260 : }
     107                 :            : 
     108                 :            : static int s2n_check_pub_key_dh_params(struct s2n_dh_params *dh_params)
     109                 :         78 : {
     110                 :         78 :     const BIGNUM *pub_key = s2n_get_Ys_dh_param(dh_params);
     111 [ #  # ][ -  + ]:         78 :     POSIX_ENSURE_REF(pub_key);
     112                 :            : 
     113                 :            :     /*
     114                 :            :      * https://www.rfc-editor.org/rfc/rfc2631#section-2.1.5
     115                 :            :      *
     116                 :            :      * The following algorithm MAY be used to validate a received public
     117                 :            :      * key y.
     118                 :            :      *
     119                 :            :      * 1. Verify that y lies within the interval [2,p-1].
     120                 :            :      *    If it does not, the key is invalid.
     121                 :            :      *
     122                 :            :      * This check is optional per the RFC, but applied here as
     123                 :            :      * defense-in-depth to reject degenerate public key values.
     124                 :            :      */
     125 [ -  + ][ #  # ]:         78 :     S2N_ERROR_IF(BN_is_zero(pub_key), S2N_ERR_DH_PARAMS_CREATE);
     126 [ +  + ][ +  - ]:         78 :     S2N_ERROR_IF(BN_is_one(pub_key), S2N_ERR_DH_PARAMS_CREATE);
     127                 :            : 
     128                 :         77 :     const BIGNUM *p = s2n_get_p_dh_param(dh_params);
     129 [ #  # ][ -  + ]:         77 :     POSIX_ENSURE_REF(p);
     130                 :            : 
     131                 :         77 :     BIGNUM *p_minus_one = BN_dup(p);
     132 [ -  + ][ #  # ]:         77 :     POSIX_ENSURE_REF(p_minus_one);
     133         [ -  + ]:         77 :     if (!BN_sub_word(p_minus_one, 1)) {
     134                 :          0 :         BN_free(p_minus_one);
     135         [ #  # ]:          0 :         POSIX_BAIL(S2N_ERR_DH_PARAMS_CREATE);
     136                 :          0 :     }
     137                 :         77 :     int cmp = BN_cmp(pub_key, p_minus_one);
     138                 :         77 :     BN_free(p_minus_one);
     139 [ +  + ][ +  - ]:         77 :     S2N_ERROR_IF(cmp > 0, S2N_ERR_DH_PARAMS_CREATE);
     140                 :            : 
     141                 :         76 :     return S2N_SUCCESS;
     142                 :         77 : }
     143                 :            : 
     144                 :            : static int s2n_set_p_g_Ys_dh_params(struct s2n_dh_params *dh_params, struct s2n_blob *p, struct s2n_blob *g,
     145                 :            :         struct s2n_blob *Ys)
     146                 :         28 : {
     147 [ -  + ][ #  # ]:         28 :     POSIX_ENSURE(p->size <= INT_MAX, S2N_ERR_INTEGER_OVERFLOW);
     148 [ -  + ][ #  # ]:         28 :     POSIX_ENSURE(g->size <= INT_MAX, S2N_ERR_INTEGER_OVERFLOW);
     149 [ #  # ][ -  + ]:         28 :     POSIX_ENSURE(Ys->size <= INT_MAX, S2N_ERR_INTEGER_OVERFLOW);
     150                 :         28 :     BIGNUM *bn_p = BN_bin2bn((const unsigned char *) p->data, p->size, NULL);
     151                 :         28 :     BIGNUM *bn_g = BN_bin2bn((const unsigned char *) g->data, g->size, NULL);
     152                 :         28 :     BIGNUM *bn_Ys = BN_bin2bn((const unsigned char *) Ys->data, Ys->size, NULL);
     153                 :            : 
     154                 :         28 : #if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
     155                 :            :     /* Per https://www.openssl.org/docs/man1.1.0/crypto/DH_get0_pqg.html:
     156                 :            :         * values that have been passed in should not be freed directly after this function has been called
     157                 :            :         */
     158 [ -  + ][ #  # ]:         28 :     POSIX_GUARD_OSSL(DH_set0_pqg(dh_params->dh, bn_p, NULL, bn_g), S2N_ERR_DH_PARAMS_CREATE);
     159                 :            : 
     160                 :            :     /* Same as DH_set0_pqg */
     161 [ -  + ][ #  # ]:         28 :     POSIX_GUARD_OSSL(DH_set0_key(dh_params->dh, bn_Ys, NULL), S2N_ERR_DH_PARAMS_CREATE);
     162                 :            : #else
     163                 :            :     dh_params->dh->p = bn_p;
     164                 :            :     dh_params->dh->g = bn_g;
     165                 :            :     dh_params->dh->pub_key = bn_Ys;
     166                 :            : #endif
     167                 :            : 
     168                 :         28 :     return S2N_SUCCESS;
     169                 :         28 : }
     170                 :            : 
     171                 :            : int s2n_check_all_dh_params(struct s2n_dh_params *dh_params)
     172                 :         78 : {
     173         [ -  + ]:         78 :     POSIX_GUARD(s2n_check_p_g_dh_params(dh_params));
     174         [ +  + ]:         78 :     POSIX_GUARD(s2n_check_pub_key_dh_params(dh_params));
     175                 :            : 
     176                 :         76 :     return S2N_SUCCESS;
     177                 :         78 : }
     178                 :            : 
     179                 :            : int s2n_pkcs3_to_dh_params(struct s2n_dh_params *dh_params, struct s2n_blob *pkcs3)
     180                 :         84 : {
     181 [ #  # ][ -  + ]:         84 :     POSIX_ENSURE_REF(dh_params);
     182 [ -  + ][ +  - ]:         84 :     POSIX_PRECONDITION(s2n_blob_validate(pkcs3));
     183                 :         84 :     DEFER_CLEANUP(struct s2n_dh_params temp_dh_params = { 0 }, s2n_dh_params_free);
     184                 :            : 
     185                 :         84 :     uint8_t *original_ptr = pkcs3->data;
     186                 :         84 :     temp_dh_params.dh = d2i_DHparams(NULL, (const unsigned char **) (void *) &pkcs3->data, pkcs3->size);
     187                 :            : 
     188         [ -  + ]:         84 :     POSIX_GUARD(s2n_check_p_g_dh_params(&temp_dh_params));
     189                 :            : 
     190         [ +  - ]:         84 :     if (pkcs3->data) {
     191 [ -  + ][ #  # ]:         84 :         POSIX_ENSURE_GTE(pkcs3->data, original_ptr);
     192 [ -  + ][ #  # ]:         84 :         POSIX_ENSURE((uint32_t) (pkcs3->data - original_ptr) == pkcs3->size, S2N_ERR_INVALID_PKCS3);
     193                 :         84 :     }
     194                 :            : 
     195                 :         84 :     pkcs3->data = original_ptr;
     196                 :            : 
     197                 :            :     /* Require at least 2048 bits for the DH size */
     198 [ -  + ][ #  # ]:         84 :     POSIX_ENSURE(DH_size(temp_dh_params.dh) >= S2N_MIN_DH_PRIME_SIZE_BYTES, S2N_ERR_DH_TOO_SMALL);
     199                 :            : 
     200                 :            :     /* Check the generator and prime */
     201         [ -  + ]:         84 :     POSIX_GUARD(s2n_dh_params_check(&temp_dh_params));
     202                 :            : 
     203                 :         84 :     dh_params->dh = temp_dh_params.dh;
     204                 :            : 
     205                 :         84 :     ZERO_TO_DISABLE_DEFER_CLEANUP(temp_dh_params);
     206                 :            : 
     207                 :         84 :     return S2N_SUCCESS;
     208                 :         84 : }
     209                 :            : 
     210                 :            : int s2n_dh_p_g_Ys_to_dh_params(struct s2n_dh_params *server_dh_params, struct s2n_blob *p, struct s2n_blob *g,
     211                 :            :         struct s2n_blob *Ys)
     212                 :         28 : {
     213 [ #  # ][ -  + ]:         28 :     POSIX_ENSURE_REF(server_dh_params);
     214 [ -  + ][ +  - ]:         28 :     POSIX_PRECONDITION(s2n_blob_validate(p));
     215 [ -  + ][ +  - ]:         28 :     POSIX_PRECONDITION(s2n_blob_validate(g));
     216 [ -  + ][ +  - ]:         28 :     POSIX_PRECONDITION(s2n_blob_validate(Ys));
     217                 :            : 
     218                 :         28 :     server_dh_params->dh = DH_new();
     219 [ -  + ][ #  # ]:         28 :     POSIX_ENSURE(server_dh_params->dh != NULL, S2N_ERR_DH_PARAMS_CREATE);
     220                 :            : 
     221         [ -  + ]:         28 :     POSIX_GUARD(s2n_set_p_g_Ys_dh_params(server_dh_params, p, g, Ys));
     222         [ +  + ]:         28 :     POSIX_GUARD(s2n_check_all_dh_params(server_dh_params));
     223                 :            : 
     224                 :         26 :     return S2N_SUCCESS;
     225                 :         28 : }
     226                 :            : 
     227                 :            : int s2n_dh_params_to_p_g_Ys(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *out, struct s2n_blob *output)
     228                 :         25 : {
     229         [ -  + ]:         25 :     POSIX_GUARD(s2n_check_all_dh_params(server_dh_params));
     230 [ -  + ][ +  - ]:         25 :     POSIX_PRECONDITION(s2n_stuffer_validate(out));
     231 [ -  + ][ +  - ]:         25 :     POSIX_PRECONDITION(s2n_blob_validate(output));
     232                 :            : 
     233                 :         25 :     const BIGNUM *bn_p = s2n_get_p_dh_param(server_dh_params);
     234                 :         25 :     const BIGNUM *bn_g = s2n_get_g_dh_param(server_dh_params);
     235                 :         25 :     const BIGNUM *bn_Ys = s2n_get_Ys_dh_param(server_dh_params);
     236                 :            : 
     237                 :         25 :     uint16_t p_size = BN_num_bytes(bn_p);
     238                 :         25 :     uint16_t g_size = BN_num_bytes(bn_g);
     239                 :         25 :     uint16_t Ys_size = BN_num_bytes(bn_Ys);
     240                 :         25 :     uint8_t *p = NULL;
     241                 :         25 :     uint8_t *g = NULL;
     242                 :         25 :     uint8_t *Ys = NULL;
     243                 :            : 
     244                 :         25 :     output->data = s2n_stuffer_raw_write(out, 0);
     245 [ -  + ][ #  # ]:         25 :     POSIX_ENSURE_REF(output->data);
     246                 :            : 
     247         [ -  + ]:         25 :     POSIX_GUARD(s2n_stuffer_write_uint16(out, p_size));
     248                 :         25 :     p = s2n_stuffer_raw_write(out, p_size);
     249 [ -  + ][ #  # ]:         25 :     POSIX_ENSURE_REF(p);
     250 [ #  # ][ -  + ]:         25 :     POSIX_ENSURE(BN_bn2bin(bn_p, p) == p_size, S2N_ERR_DH_SERIALIZING);
     251                 :            : 
     252         [ -  + ]:         25 :     POSIX_GUARD(s2n_stuffer_write_uint16(out, g_size));
     253                 :         25 :     g = s2n_stuffer_raw_write(out, g_size);
     254 [ -  + ][ #  # ]:         25 :     POSIX_ENSURE_REF(g);
     255 [ #  # ][ -  + ]:         25 :     POSIX_ENSURE(BN_bn2bin(bn_g, g) == g_size, S2N_ERR_DH_SERIALIZING);
     256                 :            : 
     257         [ -  + ]:         25 :     POSIX_GUARD(s2n_stuffer_write_uint16(out, Ys_size));
     258                 :         25 :     Ys = s2n_stuffer_raw_write(out, Ys_size);
     259 [ -  + ][ #  # ]:         25 :     POSIX_ENSURE_REF(Ys);
     260 [ #  # ][ -  + ]:         25 :     POSIX_ENSURE(BN_bn2bin(bn_Ys, Ys) == Ys_size, S2N_ERR_DH_SERIALIZING);
     261                 :            : 
     262                 :         25 :     output->size = p_size + 2 + g_size + 2 + Ys_size + 2;
     263                 :            : 
     264                 :         25 :     return S2N_SUCCESS;
     265                 :         25 : }
     266                 :            : 
     267                 :            : int s2n_dh_compute_shared_secret_as_client(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *Yc_out,
     268                 :            :         struct s2n_blob *shared_key)
     269                 :         24 : {
     270                 :         24 :     struct s2n_dh_params client_params = { 0 };
     271                 :         24 :     uint8_t *client_pub_key = NULL;
     272                 :         24 :     uint16_t client_pub_key_size = 0;
     273                 :         24 :     int shared_key_size = 0;
     274                 :            : 
     275         [ -  + ]:         24 :     POSIX_GUARD(s2n_dh_params_check(server_dh_params));
     276         [ -  + ]:         24 :     POSIX_GUARD(s2n_dh_params_copy(server_dh_params, &client_params));
     277         [ -  + ]:         24 :     POSIX_GUARD(s2n_dh_generate_ephemeral_key(&client_params));
     278         [ -  + ]:         24 :     POSIX_GUARD(s2n_alloc(shared_key, DH_size(server_dh_params->dh)));
     279                 :            : 
     280                 :         24 :     const BIGNUM *client_pub_key_bn = s2n_get_Ys_dh_param(&client_params);
     281 [ -  + ][ #  # ]:         24 :     POSIX_ENSURE_REF(client_pub_key_bn);
     282                 :         24 :     client_pub_key_size = BN_num_bytes(client_pub_key_bn);
     283         [ -  + ]:         24 :     POSIX_GUARD(s2n_stuffer_write_uint16(Yc_out, client_pub_key_size));
     284                 :         24 :     client_pub_key = s2n_stuffer_raw_write(Yc_out, client_pub_key_size);
     285         [ -  + ]:         24 :     if (client_pub_key == NULL) {
     286         [ #  # ]:          0 :         POSIX_GUARD(s2n_free(shared_key));
     287         [ #  # ]:          0 :         POSIX_GUARD(s2n_dh_params_free(&client_params));
     288         [ #  # ]:          0 :         POSIX_BAIL(S2N_ERR_DH_WRITING_PUBLIC_KEY);
     289                 :          0 :     }
     290                 :            : 
     291         [ -  + ]:         24 :     if (BN_bn2bin(client_pub_key_bn, client_pub_key) != client_pub_key_size) {
     292         [ #  # ]:          0 :         POSIX_GUARD(s2n_free(shared_key));
     293         [ #  # ]:          0 :         POSIX_GUARD(s2n_dh_params_free(&client_params));
     294         [ #  # ]:          0 :         POSIX_BAIL(S2N_ERR_DH_COPYING_PUBLIC_KEY);
     295                 :          0 :     }
     296                 :            : 
     297                 :            :     /* server_dh_params already validated */
     298                 :         24 :     const BIGNUM *server_pub_key_bn = s2n_get_Ys_dh_param(server_dh_params);
     299                 :         24 :     int server_dh_params_size = DH_size(server_dh_params->dh);
     300                 :         24 :     shared_key_size = DH_compute_key(shared_key->data, server_pub_key_bn, client_params.dh);
     301         [ -  + ]:         24 :     if (shared_key_size < 0) {
     302         [ #  # ]:          0 :         POSIX_GUARD(s2n_free(shared_key));
     303         [ #  # ]:          0 :         POSIX_GUARD(s2n_dh_params_free(&client_params));
     304         [ #  # ]:          0 :         POSIX_BAIL(S2N_ERR_DH_SHARED_SECRET);
     305                 :          0 :     }
     306                 :            : 
     307                 :         24 :     s2n_dh_pad_shared_secret(shared_key, shared_key_size, server_dh_params_size);
     308                 :            : 
     309         [ -  + ]:         24 :     POSIX_GUARD(s2n_dh_params_free(&client_params));
     310                 :            : 
     311                 :         24 :     return S2N_SUCCESS;
     312                 :         24 : }
     313                 :            : 
     314                 :            : int s2n_dh_compute_shared_secret_as_server(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *Yc_in,
     315                 :            :         struct s2n_blob *shared_key)
     316                 :         25 : {
     317                 :         25 :     uint16_t Yc_length = 0;
     318                 :         25 :     struct s2n_blob Yc = { 0 };
     319                 :         25 :     int shared_key_size = 0;
     320                 :         25 :     BIGNUM *pub_key = NULL;
     321                 :            : 
     322         [ -  + ]:         25 :     POSIX_GUARD(s2n_check_all_dh_params(server_dh_params));
     323                 :         25 :     int server_dh_params_size = DH_size(server_dh_params->dh);
     324 [ -  + ][ #  # ]:         25 :     POSIX_ENSURE(server_dh_params_size <= INT32_MAX, S2N_ERR_INTEGER_OVERFLOW);
     325                 :            : 
     326                 :            :     /*
     327                 :            :      * As defined in https://www.rfc-editor.org/rfc/rfc5246#section-7.4.7.2,
     328                 :            :      * the client's DH public value (Yc) is sent as a variable-length opaque value.
     329                 :            :      * Validate that Yc_length does not exceed the DH group size to prevent
     330                 :            :      * unnecessary computation and memory allocation on oversized keys.
     331                 :            :      *
     332                 :            :      * According to https://www.rfc-editor.org/rfc/rfc2631#section-2.1.5,
     333                 :            :      * the valid range of Yc is [2, p-1]. When encoding a BIGNUM to bytes,
     334                 :            :      * leading zeros are often stripped, in which case Yc_length might be
     335                 :            :      * less than server_dh_params_size.
     336                 :            :      */
     337         [ -  + ]:         25 :     POSIX_GUARD(s2n_stuffer_read_uint16(Yc_in, &Yc_length));
     338 [ #  # ][ -  + ]:         25 :     POSIX_ENSURE(Yc_length > 0, S2N_ERR_DH_SHARED_SECRET);
     339 [ +  + ][ +  - ]:         25 :     POSIX_ENSURE((int) Yc_length <= server_dh_params_size, S2N_ERR_DH_SHARED_SECRET);
     340                 :            : 
     341                 :         24 :     Yc.size = Yc_length;
     342                 :         24 :     Yc.data = s2n_stuffer_raw_read(Yc_in, Yc.size);
     343 [ -  + ][ #  # ]:         24 :     POSIX_ENSURE_REF(Yc.data);
     344                 :            : 
     345                 :         24 :     pub_key = BN_bin2bn((const unsigned char *) Yc.data, Yc.size, NULL);
     346 [ -  + ][ #  # ]:         24 :     POSIX_ENSURE_REF(pub_key);
     347         [ -  + ]:         24 :     POSIX_GUARD(s2n_alloc(shared_key, server_dh_params_size));
     348                 :            : 
     349                 :         24 :     shared_key_size = DH_compute_key(shared_key->data, pub_key, server_dh_params->dh);
     350         [ -  + ]:         24 :     if (shared_key_size <= 0) {
     351                 :          0 :         BN_free(pub_key);
     352         [ #  # ]:          0 :         POSIX_BAIL(S2N_ERR_DH_SHARED_SECRET);
     353                 :          0 :     }
     354                 :            : 
     355                 :         24 :     s2n_dh_pad_shared_secret(shared_key, shared_key_size, server_dh_params_size);
     356                 :            : 
     357                 :         24 :     BN_free(pub_key);
     358                 :            : 
     359                 :         24 :     return S2N_SUCCESS;
     360                 :         24 : }
     361                 :            : 
     362                 :            : int s2n_dh_params_check(struct s2n_dh_params *dh_params)
     363                 :        108 : {
     364 [ #  # ][ -  + ]:        108 :     POSIX_ENSURE_REF(dh_params);
     365 [ -  + ][ #  # ]:        108 :     POSIX_ENSURE_REF(dh_params->dh);
     366                 :        108 :     int codes = 0;
     367                 :            : 
     368 [ -  + ][ #  # ]:        108 :     POSIX_GUARD_OSSL(DH_check(dh_params->dh, &codes), S2N_ERR_DH_PARAMETER_CHECK);
     369 [ #  # ][ -  + ]:        108 :     POSIX_ENSURE(codes == 0, S2N_ERR_DH_PARAMETER_CHECK);
     370                 :            : 
     371                 :        108 :     return S2N_SUCCESS;
     372                 :        108 : }
     373                 :            : 
     374                 :            : int s2n_dh_params_copy(struct s2n_dh_params *from, struct s2n_dh_params *to)
     375                 :         48 : {
     376         [ -  + ]:         48 :     POSIX_GUARD(s2n_check_p_g_dh_params(from));
     377 [ #  # ][ -  + ]:         48 :     POSIX_ENSURE_REF(to);
     378                 :            : 
     379                 :         48 :     to->dh = DHparams_dup(from->dh);
     380 [ #  # ][ -  + ]:         48 :     POSIX_ENSURE(to->dh != NULL, S2N_ERR_DH_COPYING_PARAMETERS);
     381                 :            : 
     382                 :         48 :     return S2N_SUCCESS;
     383                 :         48 : }
     384                 :            : 
     385                 :            : int s2n_dh_generate_ephemeral_key(struct s2n_dh_params *dh_params)
     386                 :         50 : {
     387         [ -  + ]:         50 :     POSIX_GUARD(s2n_check_p_g_dh_params(dh_params));
     388                 :            : 
     389 [ #  # ][ -  + ]:         50 :     POSIX_GUARD_OSSL(DH_generate_key(dh_params->dh), S2N_ERR_DH_GENERATING_PARAMETERS);
     390                 :            : 
     391                 :         50 :     return S2N_SUCCESS;
     392                 :         50 : }
     393                 :            : 
     394                 :            : int s2n_dh_params_free(struct s2n_dh_params *dh_params)
     395                 :    3548924 : {
     396 [ -  + ][ #  # ]:    3548924 :     POSIX_ENSURE_REF(dh_params);
     397                 :    3548924 :     DH_free(dh_params->dh);
     398                 :    3548924 :     dh_params->dh = NULL;
     399                 :            : 
     400                 :    3548924 :     return S2N_SUCCESS;
     401                 :    3548924 : }

Generated by: LCOV version 1.14