| The Android Open Source Project | 656d9c7 | 2009-03-03 19:30:25 -0800 | [diff] [blame] | 1 | /* crypto/dsa/dsa_gen.c */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * This package is an SSL implementation written |
| 6 | * by Eric Young (eay@cryptsoft.com). |
| 7 | * The implementation was written so as to conform with Netscapes SSL. |
| 8 | * |
| 9 | * This library is free for commercial and non-commercial use as long as |
| 10 | * the following conditions are aheared to. The following conditions |
| 11 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 13 | * included with this distribution is covered by the same copyright terms |
| 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 15 | * |
| 16 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 17 | * the code are not to be removed. |
| 18 | * If this package is used in a product, Eric Young should be given attribution |
| 19 | * as the author of the parts of the library used. |
| 20 | * This can be in the form of a textual message at program startup or |
| 21 | * in documentation (online or textual) provided with the package. |
| 22 | * |
| 23 | * Redistribution and use in source and binary forms, with or without |
| 24 | * modification, are permitted provided that the following conditions |
| 25 | * are met: |
| 26 | * 1. Redistributions of source code must retain the copyright |
| 27 | * notice, this list of conditions and the following disclaimer. |
| 28 | * 2. Redistributions in binary form must reproduce the above copyright |
| 29 | * notice, this list of conditions and the following disclaimer in the |
| 30 | * documentation and/or other materials provided with the distribution. |
| 31 | * 3. All advertising materials mentioning features or use of this software |
| 32 | * must display the following acknowledgement: |
| 33 | * "This product includes cryptographic software written by |
| 34 | * Eric Young (eay@cryptsoft.com)" |
| 35 | * The word 'cryptographic' can be left out if the rouines from the library |
| 36 | * being used are not cryptographic related :-). |
| 37 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 38 | * the apps directory (application code) you must include an acknowledgement: |
| 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 40 | * |
| 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 51 | * SUCH DAMAGE. |
| 52 | * |
| 53 | * The licence and distribution terms for any publically available version or |
| 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 55 | * copied and put under another distribution licence |
| 56 | * [including the GNU Public Licence.] |
| 57 | */ |
| 58 | |
| 59 | #undef GENUINE_DSA |
| 60 | |
| 61 | #ifdef GENUINE_DSA |
| 62 | /* Parameter generation follows the original release of FIPS PUB 186, |
| 63 | * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */ |
| 64 | #define HASH EVP_sha() |
| 65 | #else |
| 66 | /* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186, |
| 67 | * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in |
| 68 | * FIPS PUB 180-1) */ |
| 69 | #define HASH EVP_sha1() |
| 70 | #endif |
| 71 | |
| 72 | #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */ |
| 73 | |
| 74 | #ifndef OPENSSL_NO_SHA |
| 75 | |
| 76 | #include <stdio.h> |
| 77 | #include <time.h> |
| 78 | #include "cryptlib.h" |
| 79 | #include <openssl/evp.h> |
| 80 | #include <openssl/bn.h> |
| 81 | #include <openssl/dsa.h> |
| 82 | #include <openssl/rand.h> |
| 83 | #include <openssl/sha.h> |
| 84 | |
| Nagendra Modadugu | e45f106 | 2009-09-30 11:36:48 -0700 | [diff] [blame] | 85 | #ifndef OPENSSL_FIPS |
| 86 | |
| The Android Open Source Project | 656d9c7 | 2009-03-03 19:30:25 -0800 | [diff] [blame] | 87 | static int dsa_builtin_paramgen(DSA *ret, int bits, |
| 88 | unsigned char *seed_in, int seed_len, |
| 89 | int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); |
| 90 | |
| 91 | int DSA_generate_parameters_ex(DSA *ret, int bits, |
| 92 | unsigned char *seed_in, int seed_len, |
| 93 | int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) |
| 94 | { |
| 95 | if(ret->meth->dsa_paramgen) |
| 96 | return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, |
| 97 | counter_ret, h_ret, cb); |
| 98 | return dsa_builtin_paramgen(ret, bits, seed_in, seed_len, |
| 99 | counter_ret, h_ret, cb); |
| 100 | } |
| 101 | |
| 102 | static int dsa_builtin_paramgen(DSA *ret, int bits, |
| 103 | unsigned char *seed_in, int seed_len, |
| 104 | int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) |
| 105 | { |
| 106 | int ok=0; |
| 107 | unsigned char seed[SHA_DIGEST_LENGTH]; |
| 108 | unsigned char md[SHA_DIGEST_LENGTH]; |
| 109 | unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH]; |
| 110 | BIGNUM *r0,*W,*X,*c,*test; |
| 111 | BIGNUM *g=NULL,*q=NULL,*p=NULL; |
| 112 | BN_MONT_CTX *mont=NULL; |
| 113 | int k,n=0,i,b,m=0; |
| 114 | int counter=0; |
| 115 | int r=0; |
| 116 | BN_CTX *ctx=NULL; |
| 117 | unsigned int h=2; |
| 118 | |
| 119 | if (bits < 512) bits=512; |
| 120 | bits=(bits+63)/64*64; |
| 121 | |
| 122 | /* NB: seed_len == 0 is special case: copy generated seed to |
| 123 | * seed_in if it is not NULL. |
| 124 | */ |
| 125 | if (seed_len && (seed_len < 20)) |
| 126 | seed_in = NULL; /* seed buffer too small -- ignore */ |
| 127 | if (seed_len > 20) |
| 128 | seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED, |
| 129 | * but our internal buffers are restricted to 160 bits*/ |
| 130 | if ((seed_in != NULL) && (seed_len == 20)) |
| 131 | { |
| 132 | memcpy(seed,seed_in,seed_len); |
| 133 | /* set seed_in to NULL to avoid it being copied back */ |
| 134 | seed_in = NULL; |
| 135 | } |
| 136 | |
| 137 | if ((ctx=BN_CTX_new()) == NULL) goto err; |
| 138 | |
| 139 | if ((mont=BN_MONT_CTX_new()) == NULL) goto err; |
| 140 | |
| 141 | BN_CTX_start(ctx); |
| 142 | r0 = BN_CTX_get(ctx); |
| 143 | g = BN_CTX_get(ctx); |
| 144 | W = BN_CTX_get(ctx); |
| 145 | q = BN_CTX_get(ctx); |
| 146 | X = BN_CTX_get(ctx); |
| 147 | c = BN_CTX_get(ctx); |
| 148 | p = BN_CTX_get(ctx); |
| 149 | test = BN_CTX_get(ctx); |
| 150 | |
| 151 | if (!BN_lshift(test,BN_value_one(),bits-1)) |
| 152 | goto err; |
| 153 | |
| 154 | for (;;) |
| 155 | { |
| 156 | for (;;) /* find q */ |
| 157 | { |
| 158 | int seed_is_random; |
| 159 | |
| 160 | /* step 1 */ |
| 161 | if(!BN_GENCB_call(cb, 0, m++)) |
| 162 | goto err; |
| 163 | |
| 164 | if (!seed_len) |
| 165 | { |
| 166 | RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH); |
| 167 | seed_is_random = 1; |
| 168 | } |
| 169 | else |
| 170 | { |
| 171 | seed_is_random = 0; |
| 172 | seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/ |
| 173 | } |
| 174 | memcpy(buf,seed,SHA_DIGEST_LENGTH); |
| 175 | memcpy(buf2,seed,SHA_DIGEST_LENGTH); |
| 176 | /* precompute "SEED + 1" for step 7: */ |
| 177 | for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) |
| 178 | { |
| 179 | buf[i]++; |
| 180 | if (buf[i] != 0) break; |
| 181 | } |
| 182 | |
| 183 | /* step 2 */ |
| 184 | EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL); |
| 185 | EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL); |
| 186 | for (i=0; i<SHA_DIGEST_LENGTH; i++) |
| 187 | md[i]^=buf2[i]; |
| 188 | |
| 189 | /* step 3 */ |
| 190 | md[0]|=0x80; |
| 191 | md[SHA_DIGEST_LENGTH-1]|=0x01; |
| 192 | if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err; |
| 193 | |
| 194 | /* step 4 */ |
| 195 | r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, |
| 196 | seed_is_random, cb); |
| 197 | if (r > 0) |
| 198 | break; |
| 199 | if (r != 0) |
| 200 | goto err; |
| 201 | |
| 202 | /* do a callback call */ |
| 203 | /* step 5 */ |
| 204 | } |
| 205 | |
| 206 | if(!BN_GENCB_call(cb, 2, 0)) goto err; |
| 207 | if(!BN_GENCB_call(cb, 3, 0)) goto err; |
| 208 | |
| 209 | /* step 6 */ |
| 210 | counter=0; |
| 211 | /* "offset = 2" */ |
| 212 | |
| 213 | n=(bits-1)/160; |
| 214 | b=(bits-1)-n*160; |
| 215 | |
| 216 | for (;;) |
| 217 | { |
| 218 | if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) |
| 219 | goto err; |
| 220 | |
| 221 | /* step 7 */ |
| 222 | BN_zero(W); |
| 223 | /* now 'buf' contains "SEED + offset - 1" */ |
| 224 | for (k=0; k<=n; k++) |
| 225 | { |
| 226 | /* obtain "SEED + offset + k" by incrementing: */ |
| 227 | for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) |
| 228 | { |
| 229 | buf[i]++; |
| 230 | if (buf[i] != 0) break; |
| 231 | } |
| 232 | |
| 233 | EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL); |
| 234 | |
| 235 | /* step 8 */ |
| 236 | if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) |
| 237 | goto err; |
| 238 | if (!BN_lshift(r0,r0,160*k)) goto err; |
| 239 | if (!BN_add(W,W,r0)) goto err; |
| 240 | } |
| 241 | |
| 242 | /* more of step 8 */ |
| 243 | if (!BN_mask_bits(W,bits-1)) goto err; |
| 244 | if (!BN_copy(X,W)) goto err; |
| 245 | if (!BN_add(X,X,test)) goto err; |
| 246 | |
| 247 | /* step 9 */ |
| 248 | if (!BN_lshift1(r0,q)) goto err; |
| 249 | if (!BN_mod(c,X,r0,ctx)) goto err; |
| 250 | if (!BN_sub(r0,c,BN_value_one())) goto err; |
| 251 | if (!BN_sub(p,X,r0)) goto err; |
| 252 | |
| 253 | /* step 10 */ |
| 254 | if (BN_cmp(p,test) >= 0) |
| 255 | { |
| 256 | /* step 11 */ |
| 257 | r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, |
| 258 | ctx, 1, cb); |
| 259 | if (r > 0) |
| 260 | goto end; /* found it */ |
| 261 | if (r != 0) |
| 262 | goto err; |
| 263 | } |
| 264 | |
| 265 | /* step 13 */ |
| 266 | counter++; |
| 267 | /* "offset = offset + n + 1" */ |
| 268 | |
| 269 | /* step 14 */ |
| 270 | if (counter >= 4096) break; |
| 271 | } |
| 272 | } |
| 273 | end: |
| 274 | if(!BN_GENCB_call(cb, 2, 1)) |
| 275 | goto err; |
| 276 | |
| 277 | /* We now need to generate g */ |
| 278 | /* Set r0=(p-1)/q */ |
| 279 | if (!BN_sub(test,p,BN_value_one())) goto err; |
| 280 | if (!BN_div(r0,NULL,test,q,ctx)) goto err; |
| 281 | |
| 282 | if (!BN_set_word(test,h)) goto err; |
| 283 | if (!BN_MONT_CTX_set(mont,p,ctx)) goto err; |
| 284 | |
| 285 | for (;;) |
| 286 | { |
| 287 | /* g=test^r0%p */ |
| 288 | if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err; |
| 289 | if (!BN_is_one(g)) break; |
| 290 | if (!BN_add(test,test,BN_value_one())) goto err; |
| 291 | h++; |
| 292 | } |
| 293 | |
| 294 | if(!BN_GENCB_call(cb, 3, 1)) |
| 295 | goto err; |
| 296 | |
| 297 | ok=1; |
| 298 | err: |
| 299 | if (ok) |
| 300 | { |
| 301 | if(ret->p) BN_free(ret->p); |
| 302 | if(ret->q) BN_free(ret->q); |
| 303 | if(ret->g) BN_free(ret->g); |
| 304 | ret->p=BN_dup(p); |
| 305 | ret->q=BN_dup(q); |
| 306 | ret->g=BN_dup(g); |
| 307 | if (ret->p == NULL || ret->q == NULL || ret->g == NULL) |
| 308 | { |
| 309 | ok=0; |
| 310 | goto err; |
| 311 | } |
| 312 | if (seed_in != NULL) memcpy(seed_in,seed,20); |
| 313 | if (counter_ret != NULL) *counter_ret=counter; |
| 314 | if (h_ret != NULL) *h_ret=h; |
| 315 | } |
| 316 | if(ctx) |
| 317 | { |
| 318 | BN_CTX_end(ctx); |
| 319 | BN_CTX_free(ctx); |
| 320 | } |
| 321 | if (mont != NULL) BN_MONT_CTX_free(mont); |
| 322 | return ok; |
| 323 | } |
| 324 | #endif |
| Nagendra Modadugu | e45f106 | 2009-09-30 11:36:48 -0700 | [diff] [blame] | 325 | #endif |