spiped 0.0.0

data/ext/spiped/spiped-source/libcperciva/crypto/crypto_aes_aesni.c

@@ -0,0 +1,229 @@
+#include "cpusupport.h"
+#ifdef CPUSUPPORT_X86_AESNI
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wmmintrin.h>
+
+#include "insecure_memzero.h"
+#include "warnp.h"
+
+#include "crypto_aes_aesni.h"
+
+/* Expanded-key structure. */
+struct crypto_aes_key_aesni {
+	__m128i rkeys[15];
+	size_t nr;
+};
+
+/* Compute an AES-128 round key. */
+#define MKRKEY128(rkeys, i, rcon) do {				\
+	__m128i _s = rkeys[i - 1];				\
+	__m128i _t = rkeys[i - 1];				\
+	_s = _mm_xor_si128(_s, _mm_slli_si128(_s, 4));		\
+	_s = _mm_xor_si128(_s, _mm_slli_si128(_s, 8));		\
+	_t = _mm_aeskeygenassist_si128(_t, rcon);		\
+	_t = _mm_shuffle_epi32(_t, 0xff);			\
+	rkeys[i] = _mm_xor_si128(_s, _t);			\
+} while (0)
+
+/**
+ * crypto_aes_key_expand_128_aesni(key, rkeys):
+ * Expand the 128-bit AES key ${key} into the 11 round keys ${rkeys}.  This
+ * implementation uses x86 AESNI instructions, and should only be used if
+ * CPUSUPPORT_X86_AESNI is defined and cpusupport_x86_aesni() returns nonzero.
+ */
+static void
+crypto_aes_key_expand_128_aesni(const uint8_t key[16], __m128i rkeys[11])
+{
+
+	/* The first round key is just the key. */
+	/**
+	 * XXX Compiler breakage:
+	 * The intrinsic defined by Intel for _mm_loadu_si128 defines it as
+	 * taking a (const __m128i *) parameter.  This forces us to write a
+	 * bug: The cast to (const __m128i *) is invalid since it increases
+	 * the alignment requirement of the pointer.  Alas, until compilers
+	 * get fixed intrinsics, all we can do is code the bug and require
+	 * that alignment-requirement-increasing compiler warnings get
+	 * disabled.
+	 */
+	rkeys[0] = _mm_loadu_si128((const __m128i *)&key[0]);
+
+	/*
+	 * Each of the remaining round keys are computed from the preceding
+	 * round key: rotword+subword+rcon (provided as aeskeygenassist) to
+	 * compute the 'temp' value, then xor with 1, 2, 3, or all 4 of the
+	 * 32-bit words from the preceding round key.  Unfortunately, 'rcon'
+	 * is encoded as an immediate value, so we need to write the loop out
+	 * ourselves rather than allowing the compiler to expand it.
+	 */
+	MKRKEY128(rkeys, 1, 0x01);
+	MKRKEY128(rkeys, 2, 0x02);
+	MKRKEY128(rkeys, 3, 0x04);
+	MKRKEY128(rkeys, 4, 0x08);
+	MKRKEY128(rkeys, 5, 0x10);
+	MKRKEY128(rkeys, 6, 0x20);
+	MKRKEY128(rkeys, 7, 0x40);
+	MKRKEY128(rkeys, 8, 0x80);
+	MKRKEY128(rkeys, 9, 0x1b);
+	MKRKEY128(rkeys, 10, 0x36);
+}
+
+/* Compute an AES-256 round key. */
+#define MKRKEY256(rkeys, i, shuffle, rcon)	do {		\
+	__m128i _s = rkeys[i - 2];				\
+	__m128i _t = rkeys[i - 1];				\
+	_s = _mm_xor_si128(_s, _mm_slli_si128(_s, 4));		\
+	_s = _mm_xor_si128(_s, _mm_slli_si128(_s, 8));		\
+	_t = _mm_aeskeygenassist_si128(_t, rcon);		\
+	_t = _mm_shuffle_epi32(_t, shuffle);			\
+	rkeys[i] = _mm_xor_si128(_s, _t);			\
+} while (0)
+
+/**
+ * crypto_aes_key_expand_256_aesni(key, rkeys):
+ * Expand the 256-bit AES key ${key} into the 15 round keys ${rkeys}.  This
+ * implementation uses x86 AESNI instructions, and should only be used if
+ * CPUSUPPORT_X86_AESNI is defined and cpusupport_x86_aesni() returns nonzero.
+ */
+static void
+crypto_aes_key_expand_256_aesni(const uint8_t key[32], __m128i rkeys[15])
+{
+
+	/* The first two round keys are just the key. */
+	/**
+	 * XXX Compiler breakage:
+	 * The intrinsic defined by Intel for _mm_loadu_si128 defines it as
+	 * taking a (const __m128i *) parameter.  This forces us to write a
+	 * bug: The cast to (const __m128i *) is invalid since it increases
+	 * the alignment requirement of the pointer.  Alas, until compilers
+	 * get fixed intrinsics, all we can do is code the bug and require
+	 * that alignment-requirement-increasing compiler warnings get
+	 * disabled.
+	 */
+	rkeys[0] = _mm_loadu_si128((const __m128i *)&key[0]);
+	rkeys[1] = _mm_loadu_si128((const __m128i *)&key[16]);
+
+	/*
+	 * Each of the remaining round keys are computed from the preceding
+	 * pair of keys.  Even rounds use rotword+subword+rcon, while odd
+	 * rounds just use subword; the aeskeygenassist instruction computes
+	 * both, and we use 0xff or 0xaa to select the one we need.  The rcon
+	 * value used is irrelevant for odd rounds since we ignore the value
+	 * which it feeds into.  Unfortunately, the 'shuffle' and 'rcon'
+	 * values are encoded into the instructions as immediates, so we need
+	 * to write the loop out ourselves rather than allowing the compiler
+	 * to expand it.
+	 */
+	MKRKEY256(rkeys, 2, 0xff, 0x01);
+	MKRKEY256(rkeys, 3, 0xaa, 0x00);
+	MKRKEY256(rkeys, 4, 0xff, 0x02);
+	MKRKEY256(rkeys, 5, 0xaa, 0x00);
+	MKRKEY256(rkeys, 6, 0xff, 0x04);
+	MKRKEY256(rkeys, 7, 0xaa, 0x00);
+	MKRKEY256(rkeys, 8, 0xff, 0x08);
+	MKRKEY256(rkeys, 9, 0xaa, 0x00);
+	MKRKEY256(rkeys, 10, 0xff, 0x10);
+	MKRKEY256(rkeys, 11, 0xaa, 0x00);
+	MKRKEY256(rkeys, 12, 0xff, 0x20);
+	MKRKEY256(rkeys, 13, 0xaa, 0x00);
+	MKRKEY256(rkeys, 14, 0xff, 0x40);
+}
+
+/**
+ * crypto_aes_key_expand_aesni(key, len):
+ * Expand the ${len}-byte AES key ${key} into a structure which can be passed
+ * to crypto_aes_encrypt_block_aesni.  The length must be 16 or 32.  This
+ * implementation uses x86 AESNI instructions, and should only be used if
+ * CPUSUPPORT_X86_AESNI is defined and cpusupport_x86_aesni() returns nonzero.
+ */
+void *
+crypto_aes_key_expand_aesni(const uint8_t * key, size_t len)
+{
+	struct crypto_aes_key_aesni * kexp;
+
+	/* Allocate structure. */
+	if ((kexp = malloc(sizeof(struct crypto_aes_key_aesni))) == NULL)
+		goto err0;
+
+	/* Compute round keys. */
+	if (len == 16) {
+		kexp->nr = 10;
+		crypto_aes_key_expand_128_aesni(key, kexp->rkeys);
+	} else if (len == 32) {
+		kexp->nr = 14;
+		crypto_aes_key_expand_256_aesni(key, kexp->rkeys);
+	} else {
+		warn0("Unsupported AES key length: %zu bytes", len);
+		goto err1;
+	}
+
+	/* Success! */
+	return (kexp);
+
+err1:
+	free(kexp);
+err0:
+	/* Failure! */
+	return (NULL);
+}
+
+/**
+ * crypto_aes_encrypt_block_aesni(in, out, key):
+ * Using the expanded AES key ${key}, encrypt the block ${in} and write the
+ * resulting ciphertext to ${out}.  This implementation uses x86 AESNI
+ * instructions, and should only be used if CPUSUPPORT_X86_AESNI is defined
+ * and cpusupport_x86_aesni() returns nonzero.
+ */
+void
+crypto_aes_encrypt_block_aesni(const uint8_t * in, uint8_t * out,
+    const void * key)
+{
+	const struct crypto_aes_key_aesni * _key = key;
+	const __m128i * aes_key = _key->rkeys;
+	__m128i aes_state;
+	size_t nr = _key->nr;
+
+	aes_state = _mm_loadu_si128((const __m128i *)in);
+	aes_state = _mm_xor_si128(aes_state, aes_key[0]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[1]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[2]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[3]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[4]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[5]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[6]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[7]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[8]);
+	aes_state = _mm_aesenc_si128(aes_state, aes_key[9]);
+	if (nr > 10) {
+		aes_state = _mm_aesenc_si128(aes_state, aes_key[10]);
+		aes_state = _mm_aesenc_si128(aes_state, aes_key[11]);
+
+		if (nr > 12) {
+			aes_state = _mm_aesenc_si128(aes_state, aes_key[12]);
+			aes_state = _mm_aesenc_si128(aes_state, aes_key[13]);
+		}
+	}
+
+	aes_state = _mm_aesenclast_si128(aes_state, aes_key[nr]);
+	_mm_storeu_si128((__m128i *)out, aes_state);
+}
+
+/**
+ * crypto_aes_key_free_aesni(key):
+ * Free the expanded AES key ${key}.
+ */
+void
+crypto_aes_key_free_aesni(void * key)
+{
+
+	/* Attempt to zero the expanded key. */
+	insecure_memzero(key, sizeof(struct crypto_aes_key_aesni));
+
+	/* Free the key. */
+	free(key);
+}
+
+#endif /* CPUSUPPORT_X86_AESNI */

data/ext/spiped/spiped-source/libcperciva/crypto/crypto_aes_aesni.h

@@ -0,0 +1,31 @@
+#ifndef _CRYPTO_AES_AESNI_H_
+#define _CRYPTO_AES_AESNI_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+/**
+ * crypto_aes_key_expand_aesni(key, len):
+ * Expand the ${len}-byte AES key ${key} into a structure which can be passed
+ * to crypto_aes_encrypt_block_aesni.  The length must be 16 or 32.  This
+ * implementation uses x86 AESNI instructions, and should only be used if
+ * CPUSUPPORT_X86_AESNI is defined and cpusupport_x86_aesni() returns nonzero.
+ */
+void * crypto_aes_key_expand_aesni(const uint8_t *, size_t);
+
+/**
+ * crypto_aes_encrypt_block_aesni(in, out, key):
+ * Using the expanded AES key ${key}, encrypt the block ${in} and write the
+ * resulting ciphertext to ${out}.  This implementation uses x86 AESNI
+ * instructions, and should only be used if CPUSUPPORT_X86_AESNI is defined
+ * and cpusupport_x86_aesni() returns nonzero.
+ */
+void crypto_aes_encrypt_block_aesni(const uint8_t *, uint8_t *, const void *);
+
+/**
+ * crypto_aes_key_free_aesni(key):
+ * Free the expanded AES key ${key}.
+ */
+void crypto_aes_key_free_aesni(void *);
+
+#endif /* !_CRYPTO_AES_AESNI_H_ */

data/ext/spiped/spiped-source/libcperciva/crypto/crypto_aesctr.c

@@ -0,0 +1,124 @@
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "crypto_aes.h"
+#include "sysendian.h"
+
+#include "crypto_aesctr.h"
+
+struct crypto_aesctr {
+	const struct crypto_aes_key * key;
+	uint64_t nonce;
+	uint64_t bytectr;
+	uint8_t buf[16];
+};
+
+/**
+ * crypto_aesctr_init(key, nonce):
+ * Prepare to encrypt/decrypt data with AES in CTR mode, using the provided
+ * expanded key and nonce.  The key provided must remain valid for the
+ * lifetime of the stream.
+ */
+struct crypto_aesctr *
+crypto_aesctr_init(const struct crypto_aes_key * key, uint64_t nonce)
+{
+	struct crypto_aesctr * stream;
+
+	/* Allocate memory. */
+	if ((stream = malloc(sizeof(struct crypto_aesctr))) == NULL)
+		goto err0;
+
+	/* Initialize values. */
+	stream->key = key;
+	stream->nonce = nonce;
+	stream->bytectr = 0;
+
+	/* Success! */
+	return (stream);
+
+err0:
+	/* Failure! */
+	return (NULL);
+}
+
+/**
+ * crypto_aesctr_stream(stream, inbuf, outbuf, buflen):
+ * Generate the next ${buflen} bytes of the AES-CTR stream and xor them with
+ * bytes from ${inbuf}, writing the result into ${outbuf}.  If the buffers
+ * ${inbuf} and ${outbuf} overlap, they must be identical.
+ */
+void
+crypto_aesctr_stream(struct crypto_aesctr * stream, const uint8_t * inbuf,
+    uint8_t * outbuf, size_t buflen)
+{
+	uint8_t pblk[16];
+	size_t pos;
+	int bytemod;
+
+	for (pos = 0; pos < buflen; pos++) {
+		/* How far through the buffer are we? */
+		bytemod = stream->bytectr % 16;
+
+		/* Generate a block of cipherstream if needed. */
+		if (bytemod == 0) {
+			be64enc(pblk, stream->nonce);
+			be64enc(pblk + 8, stream->bytectr / 16);
+			crypto_aes_encrypt_block(pblk, stream->buf,
+			    stream->key);
+		}
+
+		/* Encrypt a byte. */
+		outbuf[pos] = inbuf[pos] ^ stream->buf[bytemod];
+
+		/* Move to the next byte of cipherstream. */
+		stream->bytectr += 1;
+	}
+}
+
+/**
+ * crypto_aesctr_free(stream):
+ * Free the provided stream object.
+ */
+void
+crypto_aesctr_free(struct crypto_aesctr * stream)
+{
+	int i;
+
+	/* Be compatible with free(NULL). */
+	if (stream == NULL)
+		return;
+
+	/* Zero potentially sensitive information. */
+	for (i = 0; i < 16; i++)
+		stream->buf[i] = 0;
+	stream->bytectr = stream->nonce = 0;
+
+	/* Free the stream. */
+	free(stream);
+}
+
+/**
+ * crypto_aesctr_buf(key, nonce, inbuf, outbuf, buflen):
+ * Equivalent to init(key, nonce); stream(inbuf, outbuf, buflen); free.
+ */
+void
+crypto_aesctr_buf(const struct crypto_aes_key * key, uint64_t nonce,
+    const uint8_t * inbuf, uint8_t * outbuf, size_t buflen)
+{
+	struct crypto_aesctr stream_rec;
+	struct crypto_aesctr * stream = &stream_rec;
+	int i;
+
+	/* Initialize values. */
+	stream->key = key;
+	stream->nonce = nonce;
+	stream->bytectr = 0;
+
+	/* Perform the encryption. */
+	crypto_aesctr_stream(stream, inbuf, outbuf, buflen);
+
+	/* Zero potentially sensitive information. */
+	for (i = 0; i < 16; i++)
+		stream->buf[i] = 0;
+	stream->bytectr = stream->nonce = 0;
+}

data/ext/spiped/spiped-source/libcperciva/crypto/crypto_aesctr.h

@@ -0,0 +1,41 @@
+#ifndef _CRYPTO_AESCTR_H_
+#define _CRYPTO_AESCTR_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* Opaque type. */
+struct crypto_aes_key;
+
+/**
+ * crypto_aesctr_init(key, nonce):
+ * Prepare to encrypt/decrypt data with AES in CTR mode, using the provided
+ * expanded key and nonce.  The key provided must remain valid for the
+ * lifetime of the stream.
+ */
+struct crypto_aesctr * crypto_aesctr_init(const struct crypto_aes_key *,
+    uint64_t);
+
+/**
+ * crypto_aesctr_stream(stream, inbuf, outbuf, buflen):
+ * Generate the next ${buflen} bytes of the AES-CTR stream and xor them with
+ * bytes from ${inbuf}, writing the result into ${outbuf}.  If the buffers
+ * ${inbuf} and ${outbuf} overlap, they must be identical.
+ */
+void crypto_aesctr_stream(struct crypto_aesctr *, const uint8_t *,
+    uint8_t *, size_t);
+
+/**
+ * crypto_aesctr_free(stream):
+ * Free the provided stream object.
+ */
+void crypto_aesctr_free(struct crypto_aesctr *);
+
+/**
+ * crypto_aesctr_buf(key, nonce, inbuf, outbuf, buflen):
+ * Equivalent to init(key, nonce); stream(inbuf, outbuf, buflen); free.
+ */
+void crypto_aesctr_buf(const struct crypto_aes_key *, uint64_t,
+    const uint8_t *, uint8_t *, size_t);
+
+#endif /* !_CRYPTO_AESCTR_H_ */

data/ext/spiped/spiped-source/libcperciva/crypto/crypto_dh.c

@@ -0,0 +1,293 @@
+#include <stdint.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+
+#include "warnp.h"
+
+#include "crypto_entropy.h"
+#include "crypto_dh_group14.h"
+
+#include "crypto_dh.h"
+
+static int blinded_modexp(uint8_t r[CRYPTO_DH_PUBLEN], BIGNUM * a,
+    const uint8_t priv[CRYPTO_DH_PRIVLEN]);
+
+/* Big-endian representation of 2^256. */
+static uint8_t two_exp_256[] = {
+	0x01,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00
+};
+
+/**
+ * blinded_modexp(r, a, priv):
+ * Compute ${r} = ${a}^(2^258 + ${priv}), where ${r} and ${priv} are treated
+ * as big-endian integers; and avoid leaking timing data in this process.
+ */
+static int
+blinded_modexp(uint8_t r[CRYPTO_DH_PUBLEN], BIGNUM * a,
+    const uint8_t priv[CRYPTO_DH_PRIVLEN])
+{
+	BIGNUM * two_exp_256_bn;
+	BIGNUM * priv_bn;
+	uint8_t blinding[CRYPTO_DH_PRIVLEN];
+	BIGNUM * blinding_bn;
+	BIGNUM * priv_blinded;
+	BIGNUM * m_bn;
+	BN_CTX * ctx;
+	BIGNUM * r1;
+	BIGNUM * r2;
+	size_t rlen;
+
+	/* Construct 2^256 in BN representation. */
+	if ((two_exp_256_bn = BN_bin2bn(two_exp_256, 33, NULL)) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err0;
+	}
+
+	/* Construct 2^258 + ${priv} in BN representation. */
+	if ((priv_bn = BN_bin2bn(priv, CRYPTO_DH_PRIVLEN, NULL)) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err1;
+	}
+	if ((!BN_add(priv_bn, priv_bn, two_exp_256_bn)) ||
+	    (!BN_add(priv_bn, priv_bn, two_exp_256_bn)) ||
+	    (!BN_add(priv_bn, priv_bn, two_exp_256_bn)) ||
+	    (!BN_add(priv_bn, priv_bn, two_exp_256_bn))) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err2;
+	}
+
+	/* Generate blinding exponent. */
+	if (crypto_entropy_read(blinding, CRYPTO_DH_PRIVLEN))
+		goto err2;
+	if ((blinding_bn = BN_bin2bn(blinding,
+	    CRYPTO_DH_PRIVLEN, NULL)) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err2;
+	}
+	if (!BN_add(blinding_bn, blinding_bn, two_exp_256_bn)) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err3;
+	}
+
+	/* Generate blinded exponent. */
+	if ((priv_blinded = BN_new()) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err3;
+	}
+	if (!BN_sub(priv_blinded, priv_bn, blinding_bn)) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err4;
+	}
+
+	/* Construct group #14 modulus in BN representation. */
+	if ((m_bn = BN_bin2bn(crypto_dh_group14, 256, NULL)) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err4;
+	}
+
+	/* Allocate BN context. */
+	if ((ctx = BN_CTX_new()) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err5;
+	}
+
+	/* Allocate space for storing results of exponentiations. */
+	if ((r1 = BN_new()) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err6;
+	}
+	if ((r2 = BN_new()) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err7;
+	}
+
+	/* Perform modular exponentiations. */
+	if (!BN_mod_exp(r1, a, blinding_bn, m_bn, ctx)) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err8;
+	}
+	if (!BN_mod_exp(r2, a, priv_blinded, m_bn, ctx)) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err8;
+	}
+
+	/* Compute final result and export to big-endian integer format. */
+	if (!BN_mod_mul(r1, r1, r2, m_bn, ctx)) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err8;
+	}
+	rlen = BN_num_bytes(r1);
+	if (rlen > CRYPTO_DH_PUBLEN) {
+		warn0("Exponent result too large!");
+		goto err8;
+	}
+	memset(r, 0, CRYPTO_DH_PUBLEN - rlen);
+	BN_bn2bin(r1, r + CRYPTO_DH_PUBLEN - rlen);
+
+	/* Free space allocated by BN_new. */
+	BN_clear_free(r2);
+	BN_clear_free(r1);
+
+	/* Free context allocated by BN_CTX_new. */
+	BN_CTX_free(ctx);
+
+	/* Free space allocated by BN_bin2bn. */
+	BN_free(m_bn);
+
+	/* Free space allocated by BN_new. */
+	BN_clear_free(priv_blinded);
+
+	/* Free space allocated by BN_bin2bn. */
+	BN_clear_free(blinding_bn);
+	BN_clear_free(priv_bn);
+	BN_free(two_exp_256_bn);
+
+	/* Success! */
+	return (0);
+
+err8:
+	BN_clear_free(r2);
+err7:
+	BN_clear_free(r1);
+err6:
+	BN_CTX_free(ctx);
+err5:
+	BN_free(m_bn);
+err4:
+	BN_clear_free(priv_blinded);
+err3:
+	BN_clear_free(blinding_bn);
+err2:
+	BN_clear_free(priv_bn);
+err1:
+	BN_free(two_exp_256_bn);
+err0:
+	/* Failure! */
+	return (-1);
+}
+
+/**
+ * crypto_dh_generate_pub(pub, priv):
+ * Compute ${pub} equal to 2^(2^258 + ${priv}) in Diffie-Hellman group #14.
+ */
+int
+crypto_dh_generate_pub(uint8_t pub[CRYPTO_DH_PUBLEN],
+    const uint8_t priv[CRYPTO_DH_PRIVLEN])
+{
+	BIGNUM * two;
+
+	/* Generate BN representation for 2. */
+	if ((two = BN_new()) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err0;
+	}
+	if (!BN_set_word(two, 2)) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err1;
+	}
+
+	/* Compute pub = two^(2^258 + priv). */
+	if (blinded_modexp(pub, two, priv))
+		goto err1;
+
+	/* Free storage allocated by BN_new. */
+	BN_free(two);
+
+	/* Success! */
+	return (0);
+
+err1:
+	BN_free(two);
+err0:
+	/* Failure! */
+	return (-1);
+}
+
+/**
+ * crypto_dh_generate(pub, priv):
+ * Generate a 256-bit private key ${priv}, and compute ${pub} equal to
+ * 2^(2^258 + ${priv}) mod p where p is the Diffie-Hellman group #14 modulus.
+ * Both values are stored as big-endian integers.
+ */
+int
+crypto_dh_generate(uint8_t pub[CRYPTO_DH_PUBLEN],
+    uint8_t priv[CRYPTO_DH_PRIVLEN])
+{
+
+	/* Generate a random private key. */
+	if (crypto_entropy_read(priv, CRYPTO_DH_PRIVLEN))
+		goto err0;
+
+	/* Compute the public key. */
+	if (crypto_dh_generate_pub(pub, priv))
+		goto err0;
+
+	/* Success! */
+	return (0);
+
+err0:
+	/* Failure! */
+	return (-1);
+}
+
+/**
+ * crypto_dh_compute(pub, priv, key):
+ * In the Diffie-Hellman group #14, compute ${pub}^(2^258 + ${priv}) and
+ * write the result into ${key}.  All values are big-endian.  Note that the
+ * value ${pub} is the public key produced by the call to crypto_dh_generate
+ * made by the *other* participant in the key exchange.
+ */
+int
+crypto_dh_compute(const uint8_t pub[CRYPTO_DH_PUBLEN],
+    const uint8_t priv[CRYPTO_DH_PRIVLEN], uint8_t key[CRYPTO_DH_KEYLEN])
+{
+	BIGNUM * a;
+
+	/* Convert ${pub} into BN representation. */
+	if ((a = BN_bin2bn(pub, CRYPTO_DH_PUBLEN, NULL)) == NULL) {
+		warn0("%s", ERR_error_string(ERR_get_error(), NULL));
+		goto err0;
+	}
+
+	/* Compute key = pub^(2^258 + priv). */
+	if (blinded_modexp(key, a, priv))
+		goto err1;
+
+	/* Free storage allocated by BN_bin2bn. */
+	BN_free(a);
+
+	/* Success! */
+	return (0);
+
+err1:
+	BN_free(a);
+err0:
+	/* Failure! */
+	return (-1);
+}
+
+/**
+ * crypto_dh_sanitycheck(pub):
+ * Sanity-check the Diffie-Hellman public value ${pub} by checking that it
+ * is less than the group #14 modulus.  Return 0 if sane, -1 if insane.
+ */
+int
+crypto_dh_sanitycheck(const uint8_t pub[CRYPTO_DH_PUBLEN])
+{
+
+	if (memcmp(pub, crypto_dh_group14, 256) >= 0)
+		return (-1);
+
+	/* Value is sane. */
+	return (0);
+}