]>
Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* crypto/dsa/dsa_gen.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #undef GENUINE_DSA | |
60 | ||
61 | #ifdef GENUINE_DSA | |
a87030a1 BM |
62 | /* Parameter generation follows the original release of FIPS PUB 186, |
63 | * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */ | |
323f289c | 64 | #define HASH EVP_sha() |
d02b48c6 | 65 | #else |
a87030a1 BM |
66 | /* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186, |
67 | * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in | |
68 | * FIPS PUB 180-1) */ | |
323f289c | 69 | #define HASH EVP_sha1() |
d02b48c6 RE |
70 | #endif |
71 | ||
751ff1d3 RL |
72 | #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */ |
73 | ||
cf1b7d96 | 74 | #ifndef OPENSSL_NO_SHA |
a87030a1 | 75 | |
7c8ced94 | 76 | #define OPENSSL_FIPSAPI |
20818e00 | 77 | |
d02b48c6 | 78 | #include <stdio.h> |
d02b48c6 | 79 | #include "cryptlib.h" |
323f289c | 80 | #include <openssl/evp.h> |
ec577822 | 81 | #include <openssl/bn.h> |
ec577822 | 82 | #include <openssl/rand.h> |
dbad1690 | 83 | #include <openssl/sha.h> |
20818e00 DSH |
84 | #ifdef OPENSSL_FIPS |
85 | #include <openssl/fips.h> | |
86 | #endif | |
87 | ||
357d5de5 | 88 | #include "dsa_locl.h" |
0e4aa0d2 | 89 | |
e9224c71 | 90 | int DSA_generate_parameters_ex(DSA *ret, int bits, |
1457619e | 91 | const unsigned char *seed_in, int seed_len, |
e9224c71 | 92 | int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) |
d02b48c6 | 93 | { |
0e4aa0d2 GT |
94 | if(ret->meth->dsa_paramgen) |
95 | return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, | |
96 | counter_ret, h_ret, cb); | |
357d5de5 NL |
97 | else |
98 | { | |
99 | const EVP_MD *evpmd; | |
100 | size_t qbits = bits >= 2048 ? 256 : 160; | |
101 | ||
102 | if (bits >= 2048) | |
103 | { | |
104 | qbits = 256; | |
105 | evpmd = EVP_sha256(); | |
106 | } | |
107 | else | |
108 | { | |
109 | qbits = 160; | |
110 | evpmd = EVP_sha1(); | |
111 | } | |
112 | ||
113 | return dsa_builtin_paramgen(ret, bits, qbits, evpmd, | |
198ce9a6 | 114 | seed_in, seed_len, NULL, counter_ret, h_ret, cb); |
357d5de5 | 115 | } |
0e4aa0d2 GT |
116 | } |
117 | ||
357d5de5 | 118 | int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, |
1457619e | 119 | const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, |
198ce9a6 | 120 | unsigned char *seed_out, |
357d5de5 | 121 | int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) |
0e4aa0d2 | 122 | { |
d02b48c6 | 123 | int ok=0; |
357d5de5 NL |
124 | unsigned char seed[SHA256_DIGEST_LENGTH]; |
125 | unsigned char md[SHA256_DIGEST_LENGTH]; | |
126 | unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH]; | |
d02b48c6 RE |
127 | BIGNUM *r0,*W,*X,*c,*test; |
128 | BIGNUM *g=NULL,*q=NULL,*p=NULL; | |
dfeab068 | 129 | BN_MONT_CTX *mont=NULL; |
c8bbd98a | 130 | int i, k, n=0, m=0, qsize = qbits >> 3; |
d02b48c6 | 131 | int counter=0; |
a87030a1 | 132 | int r=0; |
08e1cbc6 | 133 | BN_CTX *ctx=NULL; |
d02b48c6 | 134 | unsigned int h=2; |
d02b48c6 | 135 | |
20818e00 DSH |
136 | #ifdef OPENSSL_FIPS |
137 | if(FIPS_selftest_failed()) | |
138 | { | |
3dd9b31d | 139 | FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED); |
20818e00 DSH |
140 | goto err; |
141 | } | |
142 | ||
143 | if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) | |
144 | { | |
145 | DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); | |
146 | goto err; | |
147 | } | |
148 | #endif | |
149 | ||
357d5de5 NL |
150 | if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && |
151 | qsize != SHA256_DIGEST_LENGTH) | |
152 | /* invalid q size */ | |
153 | return 0; | |
d02b48c6 | 154 | |
357d5de5 NL |
155 | if (evpmd == NULL) |
156 | /* use SHA1 as default */ | |
157 | evpmd = EVP_sha1(); | |
d02b48c6 | 158 | |
357d5de5 NL |
159 | if (bits < 512) |
160 | bits = 512; | |
dfeab068 | 161 | |
357d5de5 NL |
162 | bits = (bits+63)/64*64; |
163 | ||
fcd1cb66 DSH |
164 | /* NB: seed_len == 0 is special case: copy generated seed to |
165 | * seed_in if it is not NULL. | |
166 | */ | |
167 | if (seed_len && (seed_len < (size_t)qsize)) | |
357d5de5 | 168 | seed_in = NULL; /* seed buffer too small -- ignore */ |
3627fedb | 169 | if (seed_len > (size_t)qsize) |
357d5de5 NL |
170 | seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED, |
171 | * but our internal buffers are restricted to 160 bits*/ | |
172 | if (seed_in != NULL) | |
173 | memcpy(seed, seed_in, seed_len); | |
174 | ||
175 | if ((ctx=BN_CTX_new()) == NULL) | |
176 | goto err; | |
177 | ||
178 | if ((mont=BN_MONT_CTX_new()) == NULL) | |
179 | goto err; | |
dfeab068 | 180 | |
08e1cbc6 GT |
181 | BN_CTX_start(ctx); |
182 | r0 = BN_CTX_get(ctx); | |
183 | g = BN_CTX_get(ctx); | |
184 | W = BN_CTX_get(ctx); | |
185 | q = BN_CTX_get(ctx); | |
186 | X = BN_CTX_get(ctx); | |
187 | c = BN_CTX_get(ctx); | |
188 | p = BN_CTX_get(ctx); | |
189 | test = BN_CTX_get(ctx); | |
d02b48c6 | 190 | |
41c70d47 DSH |
191 | if (!BN_lshift(test,BN_value_one(),bits-1)) |
192 | goto err; | |
d02b48c6 RE |
193 | |
194 | for (;;) | |
195 | { | |
a87030a1 | 196 | for (;;) /* find q */ |
d02b48c6 | 197 | { |
7865b871 | 198 | int seed_is_random; |
a87030a1 | 199 | |
d02b48c6 | 200 | /* step 1 */ |
e9224c71 GT |
201 | if(!BN_GENCB_call(cb, 0, m++)) |
202 | goto err; | |
d02b48c6 RE |
203 | |
204 | if (!seed_len) | |
a87030a1 | 205 | { |
357d5de5 | 206 | RAND_pseudo_bytes(seed, qsize); |
a87030a1 BM |
207 | seed_is_random = 1; |
208 | } | |
d02b48c6 | 209 | else |
7865b871 BM |
210 | { |
211 | seed_is_random = 0; | |
212 | seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/ | |
213 | } | |
357d5de5 NL |
214 | memcpy(buf , seed, qsize); |
215 | memcpy(buf2, seed, qsize); | |
a87030a1 | 216 | /* precompute "SEED + 1" for step 7: */ |
357d5de5 | 217 | for (i = qsize-1; i >= 0; i--) |
d02b48c6 RE |
218 | { |
219 | buf[i]++; | |
357d5de5 NL |
220 | if (buf[i] != 0) |
221 | break; | |
d02b48c6 RE |
222 | } |
223 | ||
224 | /* step 2 */ | |
b6dcdbfc DSH |
225 | if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) |
226 | goto err; | |
227 | if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) | |
228 | goto err; | |
357d5de5 | 229 | for (i = 0; i < qsize; i++) |
d02b48c6 RE |
230 | md[i]^=buf2[i]; |
231 | ||
232 | /* step 3 */ | |
357d5de5 NL |
233 | md[0] |= 0x80; |
234 | md[qsize-1] |= 0x01; | |
235 | if (!BN_bin2bn(md, qsize, q)) | |
236 | goto err; | |
d02b48c6 RE |
237 | |
238 | /* step 4 */ | |
08e1cbc6 | 239 | r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, |
e9224c71 | 240 | seed_is_random, cb); |
a87030a1 | 241 | if (r > 0) |
aff0825c | 242 | break; |
a87030a1 | 243 | if (r != 0) |
aff0825c | 244 | goto err; |
a87030a1 | 245 | |
d02b48c6 RE |
246 | /* do a callback call */ |
247 | /* step 5 */ | |
248 | } | |
249 | ||
e9224c71 GT |
250 | if(!BN_GENCB_call(cb, 2, 0)) goto err; |
251 | if(!BN_GENCB_call(cb, 3, 0)) goto err; | |
d02b48c6 RE |
252 | |
253 | /* step 6 */ | |
254 | counter=0; | |
a87030a1 | 255 | /* "offset = 2" */ |
d02b48c6 RE |
256 | |
257 | n=(bits-1)/160; | |
d02b48c6 RE |
258 | |
259 | for (;;) | |
260 | { | |
e9224c71 GT |
261 | if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) |
262 | goto err; | |
a87030a1 | 263 | |
d02b48c6 | 264 | /* step 7 */ |
c01d2b97 | 265 | BN_zero(W); |
a87030a1 | 266 | /* now 'buf' contains "SEED + offset - 1" */ |
d02b48c6 RE |
267 | for (k=0; k<=n; k++) |
268 | { | |
a87030a1 | 269 | /* obtain "SEED + offset + k" by incrementing: */ |
357d5de5 | 270 | for (i = qsize-1; i >= 0; i--) |
d02b48c6 RE |
271 | { |
272 | buf[i]++; | |
357d5de5 NL |
273 | if (buf[i] != 0) |
274 | break; | |
d02b48c6 RE |
275 | } |
276 | ||
b6dcdbfc DSH |
277 | if (!EVP_Digest(buf, qsize, md ,NULL, evpmd, |
278 | NULL)) | |
279 | goto err; | |
d02b48c6 RE |
280 | |
281 | /* step 8 */ | |
357d5de5 | 282 | if (!BN_bin2bn(md, qsize, r0)) |
38e33cef | 283 | goto err; |
357d5de5 | 284 | if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err; |
41c70d47 | 285 | if (!BN_add(W,W,r0)) goto err; |
d02b48c6 RE |
286 | } |
287 | ||
288 | /* more of step 8 */ | |
41c70d47 DSH |
289 | if (!BN_mask_bits(W,bits-1)) goto err; |
290 | if (!BN_copy(X,W)) goto err; | |
291 | if (!BN_add(X,X,test)) goto err; | |
d02b48c6 RE |
292 | |
293 | /* step 9 */ | |
41c70d47 DSH |
294 | if (!BN_lshift1(r0,q)) goto err; |
295 | if (!BN_mod(c,X,r0,ctx)) goto err; | |
296 | if (!BN_sub(r0,c,BN_value_one())) goto err; | |
297 | if (!BN_sub(p,X,r0)) goto err; | |
d02b48c6 RE |
298 | |
299 | /* step 10 */ | |
300 | if (BN_cmp(p,test) >= 0) | |
301 | { | |
302 | /* step 11 */ | |
e9224c71 | 303 | r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, |
08e1cbc6 | 304 | ctx, 1, cb); |
a87030a1 BM |
305 | if (r > 0) |
306 | goto end; /* found it */ | |
307 | if (r != 0) | |
308 | goto err; | |
d02b48c6 RE |
309 | } |
310 | ||
311 | /* step 13 */ | |
312 | counter++; | |
a87030a1 | 313 | /* "offset = offset + n + 1" */ |
d02b48c6 RE |
314 | |
315 | /* step 14 */ | |
316 | if (counter >= 4096) break; | |
d02b48c6 RE |
317 | } |
318 | } | |
319 | end: | |
e9224c71 GT |
320 | if(!BN_GENCB_call(cb, 2, 1)) |
321 | goto err; | |
d02b48c6 | 322 | |
38e33cef | 323 | /* We now need to generate g */ |
d02b48c6 | 324 | /* Set r0=(p-1)/q */ |
41c70d47 DSH |
325 | if (!BN_sub(test,p,BN_value_one())) goto err; |
326 | if (!BN_div(r0,NULL,test,q,ctx)) goto err; | |
d02b48c6 | 327 | |
41c70d47 DSH |
328 | if (!BN_set_word(test,h)) goto err; |
329 | if (!BN_MONT_CTX_set(mont,p,ctx)) goto err; | |
dfeab068 | 330 | |
d02b48c6 RE |
331 | for (;;) |
332 | { | |
333 | /* g=test^r0%p */ | |
41c70d47 | 334 | if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err; |
d02b48c6 | 335 | if (!BN_is_one(g)) break; |
41c70d47 | 336 | if (!BN_add(test,test,BN_value_one())) goto err; |
d02b48c6 RE |
337 | h++; |
338 | } | |
339 | ||
e9224c71 GT |
340 | if(!BN_GENCB_call(cb, 3, 1)) |
341 | goto err; | |
d02b48c6 RE |
342 | |
343 | ok=1; | |
344 | err: | |
e9224c71 | 345 | if (ok) |
d02b48c6 | 346 | { |
e9224c71 GT |
347 | if(ret->p) BN_free(ret->p); |
348 | if(ret->q) BN_free(ret->q); | |
349 | if(ret->g) BN_free(ret->g); | |
d02b48c6 RE |
350 | ret->p=BN_dup(p); |
351 | ret->q=BN_dup(q); | |
352 | ret->g=BN_dup(g); | |
41c70d47 DSH |
353 | if (ret->p == NULL || ret->q == NULL || ret->g == NULL) |
354 | { | |
355 | ok=0; | |
356 | goto err; | |
357 | } | |
d02b48c6 RE |
358 | if (counter_ret != NULL) *counter_ret=counter; |
359 | if (h_ret != NULL) *h_ret=h; | |
198ce9a6 DSH |
360 | if (seed_out) |
361 | memcpy(seed_out, seed, qsize); | |
d02b48c6 | 362 | } |
08e1cbc6 | 363 | if(ctx) |
9b141126 | 364 | { |
08e1cbc6 GT |
365 | BN_CTX_end(ctx); |
366 | BN_CTX_free(ctx); | |
9b141126 | 367 | } |
dfeab068 | 368 | if (mont != NULL) BN_MONT_CTX_free(mont); |
e9224c71 | 369 | return ok; |
d02b48c6 | 370 | } |
3dd9b31d DSH |
371 | |
372 | /* Permissible parameter values for (L,N): see FIPS186-3 4.2 */ | |
373 | ||
374 | static int dsa2_check_params(size_t L, size_t N) | |
375 | { | |
376 | if (L == 1024 && N == 160) | |
377 | return 1; | |
378 | if (L == 2048 && N == 224) | |
379 | return 1; | |
380 | if (L == 2048 && N == 256) | |
381 | return 1; | |
382 | if (L == 3072 && N == 256) | |
383 | return 1; | |
384 | return 0; | |
385 | } | |
386 | ||
387 | /* This is a parameter generation algorithm for the DSA2 algorithm as | |
388 | * described in FIPS 186-3. | |
389 | */ | |
390 | ||
391 | int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, | |
392 | const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, | |
393 | unsigned char *seed_out, | |
394 | int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) | |
395 | { | |
396 | int ok=-1; | |
397 | unsigned char *seed = NULL; | |
398 | unsigned char md[EVP_MAX_MD_SIZE]; | |
399 | int mdsize; | |
400 | BIGNUM *r0,*W,*X,*c,*test; | |
401 | BIGNUM *g=NULL,*q=NULL,*p=NULL; | |
402 | BN_MONT_CTX *mont=NULL; | |
403 | int i, k, n=0, m=0, qsize = N >> 3; | |
404 | int counter=0; | |
405 | int r=0; | |
406 | BN_CTX *ctx=NULL; | |
407 | unsigned int h=2; | |
408 | ||
409 | #ifdef OPENSSL_FIPS | |
410 | if(FIPS_selftest_failed()) | |
411 | { | |
412 | FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, | |
413 | FIPS_R_FIPS_SELFTEST_FAILED); | |
414 | goto err; | |
415 | } | |
416 | #endif | |
417 | if (!dsa2_check_params(L, N)) | |
418 | { | |
419 | DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); | |
420 | ok = 0; | |
421 | goto err; | |
422 | } | |
423 | ||
424 | if (evpmd == NULL) | |
425 | { | |
426 | if (N == 160) | |
427 | evpmd = EVP_sha1(); | |
428 | else if (N == 224) | |
429 | evpmd = EVP_sha224(); | |
430 | else | |
431 | evpmd = EVP_sha256(); | |
432 | } | |
433 | ||
434 | mdsize = M_EVP_MD_size(evpmd); | |
435 | ||
436 | if (seed_len == 0) | |
437 | seed_len = mdsize; | |
438 | ||
439 | seed = OPENSSL_malloc(seed_len); | |
440 | ||
441 | if (!seed) | |
442 | goto err; | |
443 | ||
444 | if (seed_in) | |
445 | memcpy(seed, seed_in, seed_len); | |
446 | ||
447 | if ((ctx=BN_CTX_new()) == NULL) | |
448 | goto err; | |
449 | ||
450 | if ((mont=BN_MONT_CTX_new()) == NULL) | |
451 | goto err; | |
452 | ||
453 | BN_CTX_start(ctx); | |
454 | r0 = BN_CTX_get(ctx); | |
455 | g = BN_CTX_get(ctx); | |
456 | W = BN_CTX_get(ctx); | |
457 | q = BN_CTX_get(ctx); | |
458 | X = BN_CTX_get(ctx); | |
459 | c = BN_CTX_get(ctx); | |
460 | p = BN_CTX_get(ctx); | |
461 | test = BN_CTX_get(ctx); | |
462 | ||
463 | if (!BN_lshift(test,BN_value_one(),L-1)) | |
464 | goto err; | |
465 | for (;;) | |
466 | { | |
467 | for (;;) /* find q */ | |
468 | { | |
469 | unsigned char *pmd; | |
470 | /* step 1 */ | |
471 | if(!BN_GENCB_call(cb, 0, m++)) | |
472 | goto err; | |
473 | ||
474 | if (!seed_in) | |
475 | RAND_pseudo_bytes(seed, qsize); | |
476 | /* step 2 */ | |
477 | if (!EVP_Digest(seed, seed_len, md, NULL, evpmd, NULL)) | |
478 | goto err; | |
479 | /* Take least significant bits of md */ | |
480 | if (mdsize > qsize) | |
481 | pmd = md + mdsize - qsize; | |
482 | else | |
483 | pmd = md; | |
484 | ||
485 | if (mdsize < qsize) | |
486 | memset(md + mdsize, 0, qsize - mdsize); | |
487 | ||
488 | /* step 3 */ | |
489 | pmd[0] |= 0x80; | |
490 | pmd[qsize-1] |= 0x01; | |
491 | if (!BN_bin2bn(pmd, qsize, q)) | |
492 | goto err; | |
493 | ||
494 | /* step 4 */ | |
495 | r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, | |
496 | seed_in ? 1 : 0, cb); | |
497 | if (r > 0) | |
498 | break; | |
499 | if (r != 0) | |
500 | goto err; | |
501 | /* Provided seed didn't produce a prime: error */ | |
502 | if (seed_in) | |
503 | { | |
504 | ok = 0; | |
505 | DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME); | |
506 | goto err; | |
507 | } | |
508 | ||
509 | /* do a callback call */ | |
510 | /* step 5 */ | |
511 | } | |
512 | ||
513 | if(!BN_GENCB_call(cb, 2, 0)) goto err; | |
514 | if(!BN_GENCB_call(cb, 3, 0)) goto err; | |
515 | ||
516 | /* step 6 */ | |
517 | counter=0; | |
518 | /* "offset = 1" */ | |
519 | ||
520 | n=(L-1)/(mdsize << 3); | |
521 | ||
522 | for (;;) | |
523 | { | |
524 | if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) | |
525 | goto err; | |
526 | ||
527 | /* step 7 */ | |
528 | BN_zero(W); | |
529 | /* now 'buf' contains "SEED + offset - 1" */ | |
530 | for (k=0; k<=n; k++) | |
531 | { | |
532 | /* obtain "SEED + offset + k" by incrementing: */ | |
533 | for (i = seed_len-1; i >= 0; i--) | |
534 | { | |
535 | seed[i]++; | |
536 | if (seed[i] != 0) | |
537 | break; | |
538 | } | |
539 | ||
540 | if (!EVP_Digest(seed, seed_len, md ,NULL, evpmd, | |
541 | NULL)) | |
542 | goto err; | |
543 | ||
544 | /* step 8 */ | |
545 | if (!BN_bin2bn(md, mdsize, r0)) | |
546 | goto err; | |
547 | if (!BN_lshift(r0,r0,(mdsize << 3)*k)) goto err; | |
548 | if (!BN_add(W,W,r0)) goto err; | |
549 | } | |
550 | ||
551 | /* more of step 8 */ | |
552 | if (!BN_mask_bits(W,L-1)) goto err; | |
553 | if (!BN_copy(X,W)) goto err; | |
554 | if (!BN_add(X,X,test)) goto err; | |
555 | ||
556 | /* step 9 */ | |
557 | if (!BN_lshift1(r0,q)) goto err; | |
558 | if (!BN_mod(c,X,r0,ctx)) goto err; | |
559 | if (!BN_sub(r0,c,BN_value_one())) goto err; | |
560 | if (!BN_sub(p,X,r0)) goto err; | |
561 | ||
562 | /* step 10 */ | |
563 | if (BN_cmp(p,test) >= 0) | |
564 | { | |
565 | /* step 11 */ | |
566 | r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, | |
567 | ctx, 1, cb); | |
568 | if (r > 0) | |
569 | goto end; /* found it */ | |
570 | if (r != 0) | |
571 | goto err; | |
572 | } | |
573 | ||
574 | /* step 13 */ | |
575 | counter++; | |
576 | /* "offset = offset + n + 1" */ | |
577 | ||
578 | /* step 14 */ | |
579 | if (counter >= 4096) break; | |
580 | } | |
581 | } | |
582 | end: | |
583 | if(!BN_GENCB_call(cb, 2, 1)) | |
584 | goto err; | |
585 | ||
586 | /* We now need to generate g */ | |
587 | /* Set r0=(p-1)/q */ | |
588 | if (!BN_sub(test,p,BN_value_one())) goto err; | |
589 | if (!BN_div(r0,NULL,test,q,ctx)) goto err; | |
590 | ||
591 | if (!BN_set_word(test,h)) goto err; | |
592 | if (!BN_MONT_CTX_set(mont,p,ctx)) goto err; | |
593 | ||
594 | for (;;) | |
595 | { | |
596 | /* g=test^r0%p */ | |
597 | if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err; | |
598 | if (!BN_is_one(g)) break; | |
599 | if (!BN_add(test,test,BN_value_one())) goto err; | |
600 | h++; | |
601 | } | |
602 | ||
603 | if(!BN_GENCB_call(cb, 3, 1)) | |
604 | goto err; | |
605 | ||
606 | ok=1; | |
607 | err: | |
608 | if (ok) | |
609 | { | |
610 | if(ret->p) BN_free(ret->p); | |
611 | if(ret->q) BN_free(ret->q); | |
612 | if(ret->g) BN_free(ret->g); | |
613 | ret->p=BN_dup(p); | |
614 | ret->q=BN_dup(q); | |
615 | ret->g=BN_dup(g); | |
616 | if (ret->p == NULL || ret->q == NULL || ret->g == NULL) | |
617 | { | |
618 | ok=-1; | |
619 | goto err; | |
620 | } | |
621 | if (counter_ret != NULL) *counter_ret=counter; | |
622 | if (h_ret != NULL) *h_ret=h; | |
623 | if (seed_out) | |
624 | memcpy(seed_out, seed, seed_len); | |
625 | } | |
626 | if (seed) | |
627 | OPENSSL_free(seed); | |
628 | if(ctx) | |
629 | { | |
630 | BN_CTX_end(ctx); | |
631 | BN_CTX_free(ctx); | |
632 | } | |
633 | if (mont != NULL) BN_MONT_CTX_free(mont); | |
634 | return ok; | |
635 | } | |
d02f751c | 636 | #endif |