2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * For the prime check..
12 * FIPS 186-4 Section C.3 Table C.1
13 * Returns the minimum number of Miller Rabin iterations for a L,N pair
14 * (where L = len(p), N = len(q))
21 * BN_check_prime() uses:
22 * 64 iterations for L <= 2048 OR
23 * 128 iterations for L > 2048
24 * So this satisfies the requirement.
27 #include <string.h> /* memset */
28 #include <openssl/sha.h> /* SHA_DIGEST_LENGTH */
29 #include <openssl/rand.h>
30 #include "crypto/bn.h"
31 #include "internal/ffc.h"
34 * Verify that the passed in L, N pair for DH or DSA is valid.
35 * Returns 0 if invalid, otherwise it returns the security strength.
37 static int ffc_validate_LN(size_t L
, size_t N
, int type
)
39 if (type
== FFC_PARAM_TYPE_DH
) {
40 /* Valid DH L,N parameters from SP800-56Ar3 5.5.1 Table 1 */
41 if (L
== 2048 && (N
== 224 || N
== 256))
43 } else if (type
== FFC_PARAM_TYPE_DSA
) {
44 /* Valid DSA L,N parameters from FIPS 186-4 Section 4.2 */
45 if (L
== 1024 && N
== 160)
47 if (L
== 2048 && (N
== 224 || N
== 256))
49 if (L
== 3072 && N
== 256)
55 /* FIPS186-4 A.2.1 Unverifiable Generation of Generator g */
56 static int generate_unverifiable_g(BN_CTX
*ctx
, BN_MONT_CTX
*mont
, BIGNUM
*g
,
57 BIGNUM
*hbn
, const BIGNUM
*p
,
58 const BIGNUM
*e
,const BIGNUM
*pm1
,
63 /* Step (2): choose h (where 1 < h)*/
64 if (!BN_set_word(hbn
, h
))
68 /* Step (3): g = h^e % p */
69 if (!BN_mod_exp_mont(g
, hbn
, e
, p
, ctx
, mont
))
71 /* Step (4): Finish if g > 1 */
72 if (BN_cmp(g
, BN_value_one()) > 0)
75 /* Step (2) Choose any h in the range 1 < h < (p-1) */
76 if (!BN_add_word(hbn
, 1) || BN_cmp(hbn
, pm1
) >= 0)
85 * FIPS186-4 A.2 Generation of canonical generator g.
87 * It requires the following values as input:
88 * 'evpmd' digest, 'p' prime, 'e' cofactor, gindex and seed.
89 * tmp is a passed in temporary BIGNUM.
90 * mont is used in a BN_mod_exp_mont() with a modulus of p.
91 * Returns a value in g.
93 static int generate_canonical_g(BN_CTX
*ctx
, BN_MONT_CTX
*mont
,
94 const EVP_MD
*evpmd
, BIGNUM
*g
, BIGNUM
*tmp
,
95 const BIGNUM
*p
, const BIGNUM
*e
,
96 int gindex
, unsigned char *seed
, size_t seedlen
)
100 unsigned char md
[EVP_MAX_MD_SIZE
];
101 EVP_MD_CTX
*mctx
= NULL
;
104 mdsize
= EVP_MD_size(evpmd
);
108 mctx
= EVP_MD_CTX_new();
113 * A.2.3 Step (4) & (5)
114 * A.2.4 Step (6) & (7)
115 * counter = 0; counter += 1
117 for (counter
= 1; counter
<= 0xFFFF; ++counter
) {
119 * A.2.3 Step (7) & (8) & (9)
120 * A.2.4 Step (9) & (10) & (11)
121 * W = Hash(seed || "ggen" || index || counter)
124 static const unsigned char ggen
[4] = { 0x67, 0x67, 0x65, 0x6e };
126 md
[0] = (unsigned char)(gindex
& 0xff);
127 md
[1] = (unsigned char)((counter
>> 8) & 0xff);
128 md
[2] = (unsigned char)(counter
& 0xff);
129 if (!EVP_DigestInit_ex(mctx
, evpmd
, NULL
)
130 || !EVP_DigestUpdate(mctx
, seed
, seedlen
)
131 || !EVP_DigestUpdate(mctx
, ggen
, sizeof(ggen
))
132 || !EVP_DigestUpdate(mctx
, md
, 3)
133 || !EVP_DigestFinal_ex(mctx
, md
, NULL
)
134 || (BN_bin2bn(md
, mdsize
, tmp
) == NULL
)
135 || !BN_mod_exp_mont(g
, tmp
, e
, p
, ctx
, mont
))
136 break; /* exit on failure */
140 * Found a value for g if (g >= 2)
142 if (BN_cmp(g
, BN_value_one()) > 0) {
147 EVP_MD_CTX_free(mctx
);
151 /* Generation of p is the same for FIPS 186-4 & FIPS 186-2 */
152 static int generate_p(BN_CTX
*ctx
, const EVP_MD
*evpmd
, int max_counter
, int n
,
153 unsigned char *buf
, size_t buf_len
, const BIGNUM
*q
,
154 BIGNUM
*p
, int L
, BN_GENCB
*cb
, int *counter
,
159 unsigned char md
[EVP_MAX_MD_SIZE
];
161 BIGNUM
*W
, *X
, *tmp
, *c
, *test
;
167 test
= BN_CTX_get(ctx
);
168 tmp
= BN_CTX_get(ctx
);
172 if (!BN_lshift(test
, BN_value_one(), L
- 1))
175 mdsize
= EVP_MD_size(evpmd
);
179 /* A.1.1.2 Step (10) AND
181 * offset = 1 (this is handled below)
184 * A.1.1.2 Step (11) AND
187 for (i
= 0; i
<= max_counter
; i
++) {
188 if ((i
!= 0) && !BN_GENCB_call(cb
, 0, i
))
192 /* seed_tmp buffer contains "seed + offset - 1" */
193 for (j
= 0; j
<= n
; j
++) {
194 /* obtain "seed + offset + j" by incrementing by 1: */
195 for (k
= (int)buf_len
- 1; k
>= 0; k
--) {
201 * A.1.1.2 Step (11.1) AND
202 * A.1.1.3 Step (13.1)
203 * tmp = V(j) = Hash((seed + offset + j) % 2^seedlen)
205 if (!EVP_Digest(buf
, buf_len
, md
, NULL
, evpmd
, NULL
)
206 || (BN_bin2bn(md
, mdsize
, tmp
) == NULL
)
208 * A.1.1.2 Step (11.2)
209 * A.1.1.3 Step (13.2)
210 * W += V(j) * 2^(outlen * j)
212 || !BN_lshift(tmp
, tmp
, (mdsize
<< 3) * j
)
213 || !BN_add(W
, W
, tmp
))
218 * A.1.1.2 Step (11.3) AND
219 * A.1.1.3 Step (13.3)
220 * X = W + 2^(L-1) where W < 2^(L-1)
222 if (!BN_mask_bits(W
, L
- 1)
224 || !BN_add(X
, X
, test
)
226 * A.1.1.2 Step (11.4) AND
227 * A.1.1.3 Step (13.4)
230 || !BN_lshift1(tmp
, q
)
231 || !BN_mod(c
, X
, tmp
, ctx
)
233 * A.1.1.2 Step (11.5) AND
234 * A.1.1.3 Step (13.5)
237 || !BN_sub(tmp
, c
, BN_value_one())
238 || !BN_sub(p
, X
, tmp
))
242 * A.1.1.2 Step (11.6) AND
243 * A.1.1.3 Step (13.6)
244 * if (p < 2 ^ (L-1)) continue
245 * This makes sure the top bit is set.
247 if (BN_cmp(p
, test
) >= 0) {
249 * A.1.1.2 Step (11.7) AND
250 * A.1.1.3 Step (13.7)
252 * (This also makes sure the bottom bit is set)
254 r
= BN_check_prime(p
, ctx
, cb
);
255 /* A.1.1.2 Step (11.8) : Return if p is prime */
258 ret
= 1; /* return success */
264 /* Step (11.9) : offset = offset + n + 1 is done auto-magically */
266 /* No prime P found */
268 *res
|= FFC_CHECK_P_NOT_PRIME
;
274 static int generate_q_fips186_4(BN_CTX
*ctx
, BIGNUM
*q
, const EVP_MD
*evpmd
,
275 int qsize
, unsigned char *seed
, size_t seedlen
,
276 int generate_seed
, int *retm
, int *res
,
281 unsigned char md
[EVP_MAX_MD_SIZE
];
282 int mdsize
= EVP_MD_size(evpmd
);
284 OPENSSL_CTX
*libctx
= bn_get_lib_ctx(ctx
);
288 if(!BN_GENCB_call(cb
, 0, m
++))
291 /* A.1.1.2 Step (5) : generate seed with size seed_len */
293 && RAND_bytes_ex(libctx
, seed
, (int)seedlen
) < 0)
296 * A.1.1.2 Step (6) AND
298 * U = Hash(seed) % (2^(N-1))
300 if (!EVP_Digest(seed
, seedlen
, md
, NULL
, evpmd
, NULL
))
302 /* Take least significant bits of md */
304 pmd
= md
+ mdsize
- qsize
;
308 memset(md
+ mdsize
, 0, qsize
- mdsize
);
311 * A.1.1.2 Step (7) AND
313 * q = U + 2^(N-1) + (1 - U %2) (This sets top and bottom bits)
316 pmd
[qsize
-1] |= 0x01;
317 if (!BN_bin2bn(pmd
, qsize
, q
))
321 * A.1.1.2 Step (8) AND
325 r
= BN_check_prime(q
, ctx
, cb
);
331 * A.1.1.3 Step (9) : If the provided seed didn't produce a prime q
334 if (!generate_seed
) {
335 *res
|= FFC_CHECK_Q_NOT_PRIME
;
340 /* A.1.1.2 Step (9) : if q is not prime, try another q */
347 static int generate_q_fips186_2(BN_CTX
*ctx
, BIGNUM
*q
, const EVP_MD
*evpmd
,
348 unsigned char *buf
, unsigned char *seed
,
349 size_t qsize
, int generate_seed
, int *retm
,
350 int *res
, BN_GENCB
*cb
)
352 unsigned char buf2
[EVP_MAX_MD_SIZE
];
353 unsigned char md
[EVP_MAX_MD_SIZE
];
354 int i
, r
, ret
= 0, m
= *retm
;
355 OPENSSL_CTX
*libctx
= bn_get_lib_ctx(ctx
);
360 if (!BN_GENCB_call(cb
, 0, m
++))
363 if (generate_seed
&& RAND_bytes_ex(libctx
, seed
, (int)qsize
) <= 0)
366 memcpy(buf
, seed
, qsize
);
367 memcpy(buf2
, seed
, qsize
);
369 /* precompute "SEED + 1" for step 7: */
370 for (i
= (int)qsize
- 1; i
>= 0; i
--) {
377 if (!EVP_Digest(seed
, qsize
, md
, NULL
, evpmd
, NULL
))
379 if (!EVP_Digest(buf
, qsize
, buf2
, NULL
, evpmd
, NULL
))
381 for (i
= 0; i
< (int)qsize
; i
++)
386 md
[qsize
- 1] |= 0x01;
387 if (!BN_bin2bn(md
, (int)qsize
, q
))
391 r
= BN_check_prime(q
, ctx
, cb
);
398 goto err
; /* Exit if error */
399 /* Try another iteration if it wasnt prime - was in old code.. */
407 static EVP_MD
*fetch_default_md(OPENSSL_CTX
*libctx
, size_t N
)
418 return name
!= NULL
? EVP_MD_fetch(libctx
, name
, "") : NULL
;
422 * FIPS 186-4 FFC parameter generation (as defined in Appendix A).
423 * The same code is used for validation (when validate_flags != 0)
425 * The primes p & q are generated/validated using:
426 * A.1.1.2 Generation of probable primes p & q using approved hash.
427 * A.1.1.3 Validation of generated probable primes
429 * Generator 'g' has 2 types in FIPS 186-4:
430 * (1) A.2.1 unverifiable generation of generator g.
431 * A.2.2 Assurance of the validity of unverifiable generator g.
432 * (2) A.2.3 Verifiable Canonical Generation of the generator g.
433 * A.2.4 Validation for Canonical Generation of the generator g.
436 * (1) is only a partial validation of g, The validation of (2) requires
437 * the seed and index used during generation as input.
439 * params: used to pass in values for generation and validation.
440 * For generation of p & q:
441 * - This is skipped if p & q are passed in.
442 * - If the seed is passed in then generation of p & q uses this seed (and if
443 * this fails an error will occur).
444 * - Otherwise the seed is generated, and values of p & q are generated and
445 * the value of seed and counter are optionally returned.
446 * For the generation of g (after the generation of p, q):
447 * - If the seed has been generated or passed in and a valid gindex is passed
448 * in then canonical generation of g is used otherwise unverifiable
449 * generation of g is chosen.
450 * For validation of p & q:
451 * - p, q, and the seed and counter used for generation must be passed in.
452 * For validation of g:
453 * - For a partial validation : p, q and g are required.
454 * - For a canonical validation : the gindex and seed used for generation are
456 * type: The key type - FFC_PARAM_TYPE_DSA or FFC_PARAM_TYPE_DH.
457 * L: is the size of the prime p in bits (e.g 2048)
458 * N: is the size of the prime q in bits (e.g 256)
459 * evpmd: is the digest to use, If this value is NULL, then the digest is chosen
460 * using the value of N.
462 * or generation: FFC_PARAMS_GENERATE.
463 * For validation one of:
464 * -FFC_PARAMS_VALIDATE_PQ
465 * -FFC_PARAMS_VALIDATE_G
466 * -FFC_PARAMS_VALIDATE_ALL
467 * res: A returned failure reason (One of FFC_CHECK_XXXX),
468 * or 0 for general failures.
469 * cb: A callback (can be NULL) that is called during different phases
472 * - FFC_PARAMS_RET_STATUS_FAILED: if there was an error, or validation failed.
473 * - FFC_PARAMS_RET_STATUS_SUCCESS if the generation or validation succeeded.
474 * - FFC_PARAMS_RET_STATUS_UNVERIFIABLE_G if the validation of G succeeded,
475 * but G is unverifiable.
477 int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX
*libctx
, FFC_PARAMS
*params
,
478 int type
, size_t L
, size_t N
,
479 const EVP_MD
*evpmd
, int validate_flags
,
480 int *res
, BN_GENCB
*cb
)
482 int ok
= FFC_PARAMS_RET_STATUS_FAILED
;
483 unsigned char *seed
= NULL
, *seed_tmp
= NULL
;
484 int mdsize
, counter
= 0, pcounter
= 0, r
= 0;
486 BIGNUM
*tmp
, *pm1
, *e
, *test
;
487 BIGNUM
*g
= NULL
, *q
= NULL
, *p
= NULL
;
488 BN_MONT_CTX
*mont
= NULL
;
489 int n
= 0, m
= 0, qsize
= N
>> 3;
490 int canonical_g
= 0, hret
= -1;
492 EVP_MD_CTX
*mctx
= NULL
;
493 int generate
= (validate_flags
== 0);
494 EVP_MD
*evpmd_fetch
= NULL
;
499 * A.1.1.2 Step (1) AND
501 * Check that the L,N pair is an acceptable pair.
503 if (L
<= N
|| !ffc_validate_LN(L
, N
, type
)) {
504 *res
= FFC_CHECK_BAD_LN_PAIR
;
508 mctx
= EVP_MD_CTX_new();
513 evpmd_fetch
= fetch_default_md(libctx
, N
);
517 mdsize
= EVP_MD_size(evpmd
);
521 if ((ctx
= BN_CTX_new_ex(libctx
)) == NULL
)
526 pm1
= BN_CTX_get(ctx
);
528 test
= BN_CTX_get(ctx
);
529 tmp
= BN_CTX_get(ctx
);
533 seedlen
= params
->seedlen
;
535 seedlen
= (size_t)mdsize
;
536 /* If the seed was passed in - use this value as the seed */
537 if (params
->seed
!= NULL
)
541 /* For generation: p & q must both be NULL or NON-NULL */
542 if ((params
->p
== NULL
) != (params
->q
== NULL
)) {
543 *res
= FFC_CHECK_INVALID_PQ
;
547 /* Validation of p,q requires seed and counter to be valid */
548 if ((validate_flags
& FFC_PARAMS_VALIDATE_PQ
) != 0) {
549 if (seed
== NULL
|| params
->pcounter
< 0) {
550 *res
= FFC_CHECK_MISSING_SEED_OR_COUNTER
;
554 if ((validate_flags
& FFC_PARAMS_VALIDATE_G
) != 0) {
555 /* validation of g also requires g to be set */
556 if (params
->g
== NULL
) {
557 *res
= FFC_CHECK_INVALID_G
;
564 * If p & q are passed in and
565 * validate_flags = 0 then skip the generation of PQ.
566 * validate_flags = VALIDATE_G then also skip the validation of PQ.
568 if (params
->p
!= NULL
&& ((validate_flags
& FFC_PARAMS_VALIDATE_PQ
) == 0)) {
569 /* p and q already exists so only generate g */
573 /* otherwise fall thru to validate p & q */
576 /* p & q will be used for generation and validation */
583 * A.1.1.2 Step (2) AND
585 * Return invalid if seedlen < N
587 if ((seedlen
* 8) < N
) {
588 *res
= FFC_CHECK_INVALID_SEED_SIZE
;
592 seed_tmp
= OPENSSL_malloc(seedlen
);
593 if (seed_tmp
== NULL
)
597 /* Validation requires the seed to be supplied */
598 if (validate_flags
) {
599 *res
= FFC_CHECK_MISSING_SEED_OR_COUNTER
;
602 /* if the seed is not supplied then alloc a seed buffer */
603 seed
= OPENSSL_malloc(seedlen
);
608 /* A.1.1.2 Step (11): max loop count = 4L - 1 */
610 /* Validation requires the counter to be supplied */
611 if (validate_flags
) {
612 /* A.1.1.3 Step (4) : if (counter > (4L -1)) return INVALID */
613 if (params
->pcounter
> counter
) {
614 *res
= FFC_CHECK_INVALID_COUNTER
;
617 counter
= params
->pcounter
;
621 * A.1.1.2 Step (3) AND
623 * n = floor(L / hash_outlen) - 1
625 n
= (L
- 1 ) / (mdsize
<< 3);
627 /* Calculate 2^(L-1): Used in step A.1.1.2 Step (11.3) */
628 if (!BN_lshift(test
, BN_value_one(), L
- 1))
632 if (!generate_q_fips186_4(ctx
, q
, evpmd
, qsize
, seed
, seedlen
,
633 seed
!= params
->seed
, &m
, res
, cb
))
635 /* A.1.1.3 Step (9): Verify that q matches the expected value */
636 if (validate_flags
&& (BN_cmp(q
, params
->q
) != 0)) {
637 *res
= FFC_CHECK_Q_MISMATCH
;
640 if(!BN_GENCB_call(cb
, 2, 0))
642 if(!BN_GENCB_call(cb
, 3, 0))
645 memcpy(seed_tmp
, seed
, seedlen
);
646 r
= generate_p(ctx
, evpmd
, counter
, n
, seed_tmp
, seedlen
, q
, p
, L
, cb
,
654 * If we get here we failed to get a p for the given seed. If the
655 * seed is not random then it needs to fail (as it will always fail).
657 if (seed
== params
->seed
) {
658 *res
= FFC_CHECK_P_NOT_PRIME
;
662 if(!BN_GENCB_call(cb
, 2, 1))
665 * Gets here if we found p.
666 * A.1.1.3 Step (14): return error if i != counter OR computed_p != known_p.
668 if (validate_flags
&& (pcounter
!= counter
|| (BN_cmp(p
, params
->p
) != 0)))
671 /* If validating p & q only then skip the g validation test */
672 if ((validate_flags
& FFC_PARAMS_VALIDATE_ALL
) == FFC_PARAMS_VALIDATE_PQ
)
675 if ((mont
= BN_MONT_CTX_new()) == NULL
)
677 if (!BN_MONT_CTX_set(mont
, p
, ctx
))
680 if (((validate_flags
& FFC_PARAMS_VALIDATE_G
) != 0)
681 && !ffc_params_validate_unverifiable_g(ctx
, mont
, p
, q
, params
->g
,
689 * e = (p - 1) / q (i.e- Cofactor 'e' is given by p = q * e + 1)
691 if (!(BN_sub(pm1
, p
, BN_value_one()) && BN_div(e
, NULL
, pm1
, q
, ctx
)))
694 /* Canonical g requires a seed and index to be set */
695 if ((seed
!= NULL
) && (params
->gindex
!= FFC_UNVERIFIABLE_GINDEX
)) {
697 if (!generate_canonical_g(ctx
, mont
, evpmd
, g
, tmp
, p
, e
,
698 params
->gindex
, seed
, seedlen
)) {
699 *res
= FFC_CHECK_INVALID_G
;
702 /* A.2.4 Step (13): Return valid if computed_g == g */
703 if (validate_flags
&& BN_cmp(g
, params
->g
) != 0) {
704 *res
= FFC_CHECK_G_MISMATCH
;
707 } else if (generate
) {
708 if (!generate_unverifiable_g(ctx
, mont
, g
, tmp
, p
, e
, pm1
, &hret
))
712 if (!BN_GENCB_call(cb
, 3, 1))
716 if (p
!= params
->p
) {
718 params
->p
= BN_dup(p
);
720 if (q
!= params
->q
) {
722 params
->q
= BN_dup(q
);
724 if (g
!= params
->g
) {
726 params
->g
= BN_dup(g
);
728 if (params
->p
== NULL
|| params
->q
== NULL
|| params
->g
== NULL
)
730 if (!ffc_params_set_validate_params(params
, seed
, seedlen
, pcounter
))
735 if ((validate_flags
& FFC_PARAMS_VALIDATE_G
) != 0 && (canonical_g
== 0))
736 /* Return for the case where g is partially valid */
737 ok
= FFC_PARAMS_RET_STATUS_UNVERIFIABLE_G
;
739 ok
= FFC_PARAMS_RET_STATUS_SUCCESS
;
741 if (seed
!= params
->seed
)
743 OPENSSL_free(seed_tmp
);
747 BN_MONT_CTX_free(mont
);
748 EVP_MD_free(evpmd_fetch
);
749 EVP_MD_CTX_free(mctx
);
753 int ffc_params_FIPS186_2_gen_verify(OPENSSL_CTX
*libctx
, FFC_PARAMS
*params
,
754 int type
, size_t L
, size_t N
,
755 const EVP_MD
*evpmd
, int validate_flags
,
756 int *res
, BN_GENCB
*cb
)
758 int ok
= FFC_PARAMS_RET_STATUS_FAILED
;
759 unsigned char seed
[SHA256_DIGEST_LENGTH
];
760 unsigned char buf
[SHA256_DIGEST_LENGTH
];
761 BIGNUM
*r0
, *test
, *tmp
, *g
= NULL
, *q
= NULL
, *p
= NULL
;
762 BN_MONT_CTX
*mont
= NULL
;
763 size_t qsize
= N
>> 3;
765 int counter
= 0, pcounter
= 0, use_random_seed
;
769 int generate
= (validate_flags
== 0);
770 unsigned char *seed_in
= params
->seed
;
771 size_t seed_len
= params
->seedlen
;
772 EVP_MD
*evpmd_fetch
= NULL
;
777 * FIPS 186-4 states that validation can only be done for this pair.
778 * (Even though the original spec allowed L = 512 + 64*j (j = 0.. 8))
780 if (L
!= 1024 || N
!= 160) {
781 *res
= FFC_CHECK_BAD_LN_PAIR
;
782 return FFC_PARAMS_RET_STATUS_FAILED
;
785 if (qsize
!= SHA_DIGEST_LENGTH
786 && qsize
!= SHA224_DIGEST_LENGTH
787 && qsize
!= SHA256_DIGEST_LENGTH
) {
789 *res
= FFC_CHECK_INVALID_Q_VALUE
;
790 return FFC_PARAMS_RET_STATUS_FAILED
;
794 evpmd_fetch
= fetch_default_md(libctx
, qsize
* 8);
797 rv
= EVP_MD_size(evpmd
);
806 L
= (L
+ 63) / 64 * 64;
808 if (seed_in
!= NULL
) {
809 if (seed_len
< qsize
) {
810 *res
= FFC_CHECK_INVALID_SEED_SIZE
;
813 if (seed_len
> qsize
) {
814 /* Only consume as much seed as is expected. */
817 memcpy(seed
, seed_in
, seed_len
);
820 ctx
= BN_CTX_new_ex(libctx
);
826 r0
= BN_CTX_get(ctx
);
830 tmp
= BN_CTX_get(ctx
);
831 test
= BN_CTX_get(ctx
);
835 if (!BN_lshift(test
, BN_value_one(), L
- 1))
839 /* For generation: p & q must both be NULL or NON-NULL */
840 if ((params
->p
!= NULL
) != (params
->q
!= NULL
)) {
841 *res
= FFC_CHECK_INVALID_PQ
;
845 if ((validate_flags
& FFC_PARAMS_VALIDATE_PQ
) != 0) {
846 /* Validation of p,q requires seed and counter to be valid */
847 if (seed_in
== NULL
|| params
->pcounter
< 0) {
848 *res
= FFC_CHECK_MISSING_SEED_OR_COUNTER
;
852 if ((validate_flags
& FFC_PARAMS_VALIDATE_G
) != 0) {
853 /* validation of g also requires g to be set */
854 if (params
->g
== NULL
) {
855 *res
= FFC_CHECK_INVALID_G
;
861 if (params
->p
!= NULL
&& ((validate_flags
& FFC_PARAMS_VALIDATE_PQ
) == 0)) {
862 /* p and q already exists so only generate g */
866 /* otherwise fall thru to validate p and q */
869 use_random_seed
= (seed_in
== NULL
);
871 if (!generate_q_fips186_2(ctx
, q
, evpmd
, buf
, seed
, qsize
,
872 use_random_seed
, &m
, res
, cb
))
875 if (!BN_GENCB_call(cb
, 2, 0))
877 if (!BN_GENCB_call(cb
, 3, 0))
882 counter
= 4 * L
- 1; /* Was 4096 */
883 /* Validation requires the counter to be supplied */
884 if (validate_flags
) {
885 if (params
->pcounter
> counter
) {
886 *res
= FFC_CHECK_INVALID_COUNTER
;
889 counter
= params
->pcounter
;
892 rv
= generate_p(ctx
, evpmd
, counter
, n
, buf
, qsize
, q
, p
, L
, cb
,
895 break; /* found it */
898 /* This is what the old code did - probably not a good idea! */
902 if (!BN_GENCB_call(cb
, 2, 1))
905 if (validate_flags
) {
906 if (pcounter
!= counter
) {
907 *res
= FFC_CHECK_COUNTER_MISMATCH
;
910 if (BN_cmp(p
, params
->p
) != 0) {
911 *res
= FFC_CHECK_P_MISMATCH
;
915 /* If validating p & q only then skip the g validation test */
916 if ((validate_flags
& FFC_PARAMS_VALIDATE_ALL
) == FFC_PARAMS_VALIDATE_PQ
)
919 if ((mont
= BN_MONT_CTX_new()) == NULL
)
921 if (!BN_MONT_CTX_set(mont
, p
, ctx
))
925 /* We now need to generate g */
926 /* set test = p - 1 */
927 if (!BN_sub(test
, p
, BN_value_one()))
929 /* Set r0 = (p - 1) / q */
930 if (!BN_div(r0
, NULL
, test
, q
, ctx
))
932 if (!generate_unverifiable_g(ctx
, mont
, g
, tmp
, p
, r0
, test
, &hret
))
934 } else if (((validate_flags
& FFC_PARAMS_VALIDATE_G
) != 0)
935 && !ffc_params_validate_unverifiable_g(ctx
, mont
, p
, q
,
936 params
->g
, tmp
, res
)) {
940 if (!BN_GENCB_call(cb
, 3, 1))
944 if (p
!= params
->p
) {
946 params
->p
= BN_dup(p
);
948 if (q
!= params
->q
) {
950 params
->q
= BN_dup(q
);
952 if (g
!= params
->g
) {
954 params
->g
= BN_dup(g
);
956 if (params
->p
== NULL
|| params
->q
== NULL
|| params
->g
== NULL
)
958 if (!ffc_params_set_validate_params(params
, seed
, qsize
, pcounter
))
963 if ((validate_flags
& FFC_PARAMS_VALIDATE_G
) != 0)
964 ok
= FFC_PARAMS_RET_STATUS_UNVERIFIABLE_G
;
966 ok
= FFC_PARAMS_RET_STATUS_SUCCESS
;
971 EVP_MD_free(evpmd_fetch
);
972 BN_MONT_CTX_free(mont
);
976 int ffc_params_FIPS186_4_generate(OPENSSL_CTX
*libctx
, FFC_PARAMS
*params
,
977 int type
, size_t L
, size_t N
,
978 const EVP_MD
*evpmd
, int *res
, BN_GENCB
*cb
)
980 return ffc_params_FIPS186_4_gen_verify(libctx
, params
, type
, L
, N
, evpmd
, 0,
984 /* This should no longer be used in FIPS mode */
985 int ffc_params_FIPS186_2_generate(OPENSSL_CTX
*libctx
, FFC_PARAMS
*params
,
986 int type
, size_t L
, size_t N
,
987 const EVP_MD
*evpmd
, int *res
, BN_GENCB
*cb
)
989 return ffc_params_FIPS186_2_gen_verify(libctx
, params
, type
, L
, N
, evpmd
,