Diffie-Hellman密钥交换——使用openssl编程

DH密钥交换算法，是第一个提出的公开密钥算法，它比RSA还要早提出。它使得在公开的不可信信道安全地交换密钥成为可能。但DH算法无法抵御中间人攻击，必须借用数字签名才足够安全。

下面是使用openssl进行DH密钥交换的示例程序：

/*
* dh.cc
* - Show the usage of Diffie-Hellman. (in key management)
* - Read Diffie-Hellman parameters from a file* - Example:
*   ./dh dh1024.pem
*/

#include 
#include 
#include 
#include 
#include 
#include 

int main(int argc, char** argv) {
    FILE* fp;
    DH* dh1;
    DH* dh2;
    int i;

    // check usage
    if (argc != 2) {
        fprintf(stderr, "%s \n", argv[0]);
        exit(-1);
    }

    // open the PEM file and generate the DH keys
    fp = fopen(argv[1], "r");
    if (fp == NULL) {
        fprintf(stderr, "Unable to open %s for DH params\n", argv[1]);
        return NULL;
    }
    if ((dh1 = PEM_read_DHparams(fp, NULL, NULL, NULL)) == NULL) {
        fprintf(stderr, "Unable to read parameters\n");
        return NULL;
    }                                                         
    fclose(fp);

    fp = fopen(argv[1], "r");
    if (fp == NULL) {
        fprintf(stderr, "Unable to open %s for DH params\n", argv[1]);
        return NULL;
    }
    if ((dh2 = PEM_read_DHparams(fp, NULL, NULL, NULL)) == NULL) {
        fprintf(stderr, "Unable to read parameters\n");
        return NULL;
    }                                                         
    fclose(fp);

    if (!DH_generate_key(dh1)) {
        fprintf(stderr, "Unable to generate public/private keys\n");
        return NULL;
    }
    if (!DH_generate_key(dh2)) {
        fprintf(stderr, "Unable to generate public/private keys\n");
        return NULL;
    }

    // key exchange
    unsigned char* key1 = (unsigned char*)calloc(DH_size(dh1),
            sizeof(unsigned char));
    unsigned char* key2 = (unsigned char*)calloc(DH_size(dh2),
            sizeof(unsigned char));
    DH_compute_key(key1, dh2->pub_key, dh1);
    DH_compute_key(key2, dh1->pub_key, dh2);

    // print
    printf("DH's p = %s\n", BN_bn2hex(dh1->p));
    printf("DH's g = %s\n", BN_bn2hex(dh1->g));
    printf("key1 = ");
    for (i=0; i> 4) & 0xf, key1[i] & 0xf);
    }
    printf("\n");
    printf("key2 = ");
    for (i=0; i> 4) & 0xf, key2[i] & 0xf);
    }
    printf("\n");

    return 0;
}

编译Makefile:

CC=g++
CFLAGS=-Wall -g -O2
LIBS=-lcrypto

all: dh

dh: dh.cc
    $(CC) $(CFLAGS) dh.cc -o $@ $(LIBS)

clean:
    @rm -f dh