OLD | NEW |
1 /* crypto/dsa/dsa_gen.c */ | 1 /* crypto/dsa/dsa_gen.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
67 * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in | 67 * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in |
68 * FIPS PUB 180-1) */ | 68 * FIPS PUB 180-1) */ |
69 #define HASH EVP_sha1() | 69 #define HASH EVP_sha1() |
70 #endif | 70 #endif |
71 | 71 |
72 #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */ | 72 #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */ |
73 | 73 |
74 #ifndef OPENSSL_NO_SHA | 74 #ifndef OPENSSL_NO_SHA |
75 | 75 |
76 #include <stdio.h> | 76 #include <stdio.h> |
77 #include <time.h> | |
78 #include "cryptlib.h" | 77 #include "cryptlib.h" |
79 #include <openssl/evp.h> | 78 #include <openssl/evp.h> |
80 #include <openssl/bn.h> | 79 #include <openssl/bn.h> |
81 #include <openssl/dsa.h> | |
82 #include <openssl/rand.h> | 80 #include <openssl/rand.h> |
83 #include <openssl/sha.h> | 81 #include <openssl/sha.h> |
84 | 82 #include "dsa_locl.h" |
85 #ifndef OPENSSL_FIPS | |
86 | |
87 static int dsa_builtin_paramgen(DSA *ret, int bits, | |
88 » » unsigned char *seed_in, int seed_len, | |
89 » » int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); | |
90 | 83 |
91 int DSA_generate_parameters_ex(DSA *ret, int bits, | 84 int DSA_generate_parameters_ex(DSA *ret, int bits, |
92 » » unsigned char *seed_in, int seed_len, | 85 » » const unsigned char *seed_in, int seed_len, |
93 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) | 86 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) |
94 { | 87 { |
95 if(ret->meth->dsa_paramgen) | 88 if(ret->meth->dsa_paramgen) |
96 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, | 89 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, |
97 counter_ret, h_ret, cb); | 90 counter_ret, h_ret, cb); |
98 » return dsa_builtin_paramgen(ret, bits, seed_in, seed_len, | 91 » else |
99 » » » counter_ret, h_ret, cb); | 92 » » { |
| 93 » » const EVP_MD *evpmd; |
| 94 » » size_t qbits = bits >= 2048 ? 256 : 160; |
| 95 |
| 96 » » if (bits >= 2048) |
| 97 » » » { |
| 98 » » » qbits = 256; |
| 99 » » » evpmd = EVP_sha256(); |
| 100 » » » } |
| 101 » » else |
| 102 » » » { |
| 103 » » » qbits = 160; |
| 104 » » » evpmd = EVP_sha1(); |
| 105 » » » } |
| 106 |
| 107 » » return dsa_builtin_paramgen(ret, bits, qbits, evpmd, |
| 108 » » » » seed_in, seed_len, counter_ret, h_ret, cb); |
| 109 » » } |
100 } | 110 } |
101 | 111 |
102 static int dsa_builtin_paramgen(DSA *ret, int bits, | 112 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, |
103 » » unsigned char *seed_in, int seed_len, | 113 » const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, |
104 » » int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) | 114 » int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) |
105 { | 115 { |
106 int ok=0; | 116 int ok=0; |
107 » unsigned char seed[SHA_DIGEST_LENGTH]; | 117 » unsigned char seed[SHA256_DIGEST_LENGTH]; |
108 » unsigned char md[SHA_DIGEST_LENGTH]; | 118 » unsigned char md[SHA256_DIGEST_LENGTH]; |
109 » unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH]; | 119 » unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH]; |
110 BIGNUM *r0,*W,*X,*c,*test; | 120 BIGNUM *r0,*W,*X,*c,*test; |
111 BIGNUM *g=NULL,*q=NULL,*p=NULL; | 121 BIGNUM *g=NULL,*q=NULL,*p=NULL; |
112 BN_MONT_CTX *mont=NULL; | 122 BN_MONT_CTX *mont=NULL; |
113 » int k,n=0,i,b,m=0; | 123 » int i, k, n=0, m=0, qsize = qbits >> 3; |
114 int counter=0; | 124 int counter=0; |
115 int r=0; | 125 int r=0; |
116 BN_CTX *ctx=NULL; | 126 BN_CTX *ctx=NULL; |
117 unsigned int h=2; | 127 unsigned int h=2; |
118 | 128 |
119 » if (bits < 512) bits=512; | 129 » if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && |
120 » bits=(bits+63)/64*64; | 130 » qsize != SHA256_DIGEST_LENGTH) |
| 131 » » /* invalid q size */ |
| 132 » » return 0; |
| 133 |
| 134 » if (evpmd == NULL) |
| 135 » » /* use SHA1 as default */ |
| 136 » » evpmd = EVP_sha1(); |
| 137 |
| 138 » if (bits < 512) |
| 139 » » bits = 512; |
| 140 |
| 141 » bits = (bits+63)/64*64; |
121 | 142 |
122 /* NB: seed_len == 0 is special case: copy generated seed to | 143 /* NB: seed_len == 0 is special case: copy generated seed to |
123 * seed_in if it is not NULL. | 144 * seed_in if it is not NULL. |
124 */ | 145 */ |
125 » if (seed_len && (seed_len < 20)) | 146 » if (seed_len && (seed_len < (size_t)qsize)) |
126 » » seed_in = NULL; /* seed buffer too small -- ignore */ | 147 » » seed_in = NULL;»» /* seed buffer too small -- ignore */ |
127 » if (seed_len > 20) | 148 » if (seed_len > (size_t)qsize) |
128 » » seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED, | 149 » » seed_len = qsize;» /* App. 2.2 of FIPS PUB 186 allows large
r SEED, |
129 » » * but our internal buffers are restricted to 160
bits*/ | 150 » » » » » * but our internal buffers are restrict
ed to 160 bits*/ |
130 » if ((seed_in != NULL) && (seed_len == 20)) | 151 » if (seed_in != NULL) |
131 » » { | 152 » » memcpy(seed, seed_in, seed_len); |
132 » » memcpy(seed,seed_in,seed_len); | |
133 » » /* set seed_in to NULL to avoid it being copied back */ | |
134 » » seed_in = NULL; | |
135 » » } | |
136 | 153 |
137 » if ((ctx=BN_CTX_new()) == NULL) goto err; | 154 » if ((ctx=BN_CTX_new()) == NULL) |
| 155 » » goto err; |
138 | 156 |
139 » if ((mont=BN_MONT_CTX_new()) == NULL) goto err; | 157 » if ((mont=BN_MONT_CTX_new()) == NULL) |
| 158 » » goto err; |
140 | 159 |
141 BN_CTX_start(ctx); | 160 BN_CTX_start(ctx); |
142 r0 = BN_CTX_get(ctx); | 161 r0 = BN_CTX_get(ctx); |
143 g = BN_CTX_get(ctx); | 162 g = BN_CTX_get(ctx); |
144 W = BN_CTX_get(ctx); | 163 W = BN_CTX_get(ctx); |
145 q = BN_CTX_get(ctx); | 164 q = BN_CTX_get(ctx); |
146 X = BN_CTX_get(ctx); | 165 X = BN_CTX_get(ctx); |
147 c = BN_CTX_get(ctx); | 166 c = BN_CTX_get(ctx); |
148 p = BN_CTX_get(ctx); | 167 p = BN_CTX_get(ctx); |
149 test = BN_CTX_get(ctx); | 168 test = BN_CTX_get(ctx); |
150 | 169 |
151 if (!BN_lshift(test,BN_value_one(),bits-1)) | 170 if (!BN_lshift(test,BN_value_one(),bits-1)) |
152 goto err; | 171 goto err; |
153 | 172 |
154 for (;;) | 173 for (;;) |
155 { | 174 { |
156 for (;;) /* find q */ | 175 for (;;) /* find q */ |
157 { | 176 { |
158 int seed_is_random; | 177 int seed_is_random; |
159 | 178 |
160 /* step 1 */ | 179 /* step 1 */ |
161 if(!BN_GENCB_call(cb, 0, m++)) | 180 if(!BN_GENCB_call(cb, 0, m++)) |
162 goto err; | 181 goto err; |
163 | 182 |
164 if (!seed_len) | 183 if (!seed_len) |
165 { | 184 { |
166 » » » » RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH); | 185 » » » » RAND_pseudo_bytes(seed, qsize); |
167 seed_is_random = 1; | 186 seed_is_random = 1; |
168 } | 187 } |
169 else | 188 else |
170 { | 189 { |
171 seed_is_random = 0; | 190 seed_is_random = 0; |
172 seed_len=0; /* use random seed if 'seed_in' turn
s out to be bad*/ | 191 seed_len=0; /* use random seed if 'seed_in' turn
s out to be bad*/ |
173 } | 192 } |
174 » » » memcpy(buf,seed,SHA_DIGEST_LENGTH); | 193 » » » memcpy(buf , seed, qsize); |
175 » » » memcpy(buf2,seed,SHA_DIGEST_LENGTH); | 194 » » » memcpy(buf2, seed, qsize); |
176 /* precompute "SEED + 1" for step 7: */ | 195 /* precompute "SEED + 1" for step 7: */ |
177 » » » for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) | 196 » » » for (i = qsize-1; i >= 0; i--) |
178 { | 197 { |
179 buf[i]++; | 198 buf[i]++; |
180 » » » » if (buf[i] != 0) break; | 199 » » » » if (buf[i] != 0) |
| 200 » » » » » break; |
181 } | 201 } |
182 | 202 |
183 /* step 2 */ | 203 /* step 2 */ |
184 » » » EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL); | 204 » » » EVP_Digest(seed, qsize, md, NULL, evpmd, NULL); |
185 » » » EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL); | 205 » » » EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL); |
186 » » » for (i=0; i<SHA_DIGEST_LENGTH; i++) | 206 » » » for (i = 0; i < qsize; i++) |
187 md[i]^=buf2[i]; | 207 md[i]^=buf2[i]; |
188 | 208 |
189 /* step 3 */ | 209 /* step 3 */ |
190 » » » md[0]|=0x80; | 210 » » » md[0] |= 0x80; |
191 » » » md[SHA_DIGEST_LENGTH-1]|=0x01; | 211 » » » md[qsize-1] |= 0x01; |
192 » » » if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err; | 212 » » » if (!BN_bin2bn(md, qsize, q)) |
| 213 » » » » goto err; |
193 | 214 |
194 /* step 4 */ | 215 /* step 4 */ |
195 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, | 216 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, |
196 seed_is_random, cb); | 217 seed_is_random, cb); |
197 if (r > 0) | 218 if (r > 0) |
198 break; | 219 break; |
199 if (r != 0) | 220 if (r != 0) |
200 goto err; | 221 goto err; |
201 | 222 |
202 /* do a callback call */ | 223 /* do a callback call */ |
203 /* step 5 */ | 224 /* step 5 */ |
204 } | 225 } |
205 | 226 |
206 if(!BN_GENCB_call(cb, 2, 0)) goto err; | 227 if(!BN_GENCB_call(cb, 2, 0)) goto err; |
207 if(!BN_GENCB_call(cb, 3, 0)) goto err; | 228 if(!BN_GENCB_call(cb, 3, 0)) goto err; |
208 | 229 |
209 /* step 6 */ | 230 /* step 6 */ |
210 counter=0; | 231 counter=0; |
211 /* "offset = 2" */ | 232 /* "offset = 2" */ |
212 | 233 |
213 n=(bits-1)/160; | 234 n=(bits-1)/160; |
214 b=(bits-1)-n*160; | |
215 | 235 |
216 for (;;) | 236 for (;;) |
217 { | 237 { |
218 if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) | 238 if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) |
219 goto err; | 239 goto err; |
220 | 240 |
221 /* step 7 */ | 241 /* step 7 */ |
222 BN_zero(W); | 242 BN_zero(W); |
223 /* now 'buf' contains "SEED + offset - 1" */ | 243 /* now 'buf' contains "SEED + offset - 1" */ |
224 for (k=0; k<=n; k++) | 244 for (k=0; k<=n; k++) |
225 { | 245 { |
226 /* obtain "SEED + offset + k" by incrementing: *
/ | 246 /* obtain "SEED + offset + k" by incrementing: *
/ |
227 » » » » for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) | 247 » » » » for (i = qsize-1; i >= 0; i--) |
228 { | 248 { |
229 buf[i]++; | 249 buf[i]++; |
230 » » » » » if (buf[i] != 0) break; | 250 » » » » » if (buf[i] != 0) |
| 251 » » » » » » break; |
231 } | 252 } |
232 | 253 |
233 » » » » EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, N
ULL); | 254 » » » » EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL); |
234 | 255 |
235 /* step 8 */ | 256 /* step 8 */ |
236 » » » » if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) | 257 » » » » if (!BN_bin2bn(md, qsize, r0)) |
237 goto err; | 258 goto err; |
238 » » » » if (!BN_lshift(r0,r0,160*k)) goto err; | 259 » » » » if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err; |
239 if (!BN_add(W,W,r0)) goto err; | 260 if (!BN_add(W,W,r0)) goto err; |
240 } | 261 } |
241 | 262 |
242 /* more of step 8 */ | 263 /* more of step 8 */ |
243 if (!BN_mask_bits(W,bits-1)) goto err; | 264 if (!BN_mask_bits(W,bits-1)) goto err; |
244 if (!BN_copy(X,W)) goto err; | 265 if (!BN_copy(X,W)) goto err; |
245 if (!BN_add(X,X,test)) goto err; | 266 if (!BN_add(X,X,test)) goto err; |
246 | 267 |
247 /* step 9 */ | 268 /* step 9 */ |
248 if (!BN_lshift1(r0,q)) goto err; | 269 if (!BN_lshift1(r0,q)) goto err; |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
302 if(ret->q) BN_free(ret->q); | 323 if(ret->q) BN_free(ret->q); |
303 if(ret->g) BN_free(ret->g); | 324 if(ret->g) BN_free(ret->g); |
304 ret->p=BN_dup(p); | 325 ret->p=BN_dup(p); |
305 ret->q=BN_dup(q); | 326 ret->q=BN_dup(q); |
306 ret->g=BN_dup(g); | 327 ret->g=BN_dup(g); |
307 if (ret->p == NULL || ret->q == NULL || ret->g == NULL) | 328 if (ret->p == NULL || ret->q == NULL || ret->g == NULL) |
308 { | 329 { |
309 ok=0; | 330 ok=0; |
310 goto err; | 331 goto err; |
311 } | 332 } |
312 if (seed_in != NULL) memcpy(seed_in,seed,20); | |
313 if (counter_ret != NULL) *counter_ret=counter; | 333 if (counter_ret != NULL) *counter_ret=counter; |
314 if (h_ret != NULL) *h_ret=h; | 334 if (h_ret != NULL) *h_ret=h; |
315 } | 335 } |
316 if(ctx) | 336 if(ctx) |
317 { | 337 { |
318 BN_CTX_end(ctx); | 338 BN_CTX_end(ctx); |
319 BN_CTX_free(ctx); | 339 BN_CTX_free(ctx); |
320 } | 340 } |
321 if (mont != NULL) BN_MONT_CTX_free(mont); | 341 if (mont != NULL) BN_MONT_CTX_free(mont); |
322 return ok; | 342 return ok; |
323 } | 343 } |
324 #endif | 344 #endif |
325 #endif | |
OLD | NEW |