dsa_gen.c revision 55714 
1/* crypto/dsa/dsa_gen.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#undef GENUINE_DSA
60
61#ifdef GENUINE_DSA
62#define HASH    SHA
63#else
64#define HASH    SHA1
65#endif
66
67#ifndef NO_SHA
68#include <stdio.h>
69#include <time.h>
70#include "cryptlib.h"
71#include <openssl/sha.h>
72#include <openssl/bn.h>
73#include <openssl/dsa.h>
74#include <openssl/rand.h>
75
76DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
77	     int *counter_ret, unsigned long *h_ret, void (*callback)(),
78	     char *cb_arg)
79	{
80	int ok=0;
81	unsigned char seed[SHA_DIGEST_LENGTH];
82	unsigned char md[SHA_DIGEST_LENGTH];
83	unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
84	BIGNUM *r0,*W,*X,*c,*test;
85	BIGNUM *g=NULL,*q=NULL,*p=NULL;
86	BN_MONT_CTX *mont=NULL;
87	int k,n=0,i,b,m=0;
88	int counter=0;
89	BN_CTX *ctx=NULL,*ctx2=NULL;
90	unsigned int h=2;
91	DSA *ret=NULL;
92
93	if (bits < 512) bits=512;
94	bits=(bits+63)/64*64;
95
96	if ((seed_in != NULL) && (seed_len == 20))
97		memcpy(seed,seed_in,seed_len);
98
99	if ((ctx=BN_CTX_new()) == NULL) goto err;
100	if ((ctx2=BN_CTX_new()) == NULL) goto err;
101	if ((ret=DSA_new()) == NULL) goto err;
102
103	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
104
105	r0= &(ctx2->bn[0]);
106	g= &(ctx2->bn[1]);
107	W= &(ctx2->bn[2]);
108	q= &(ctx2->bn[3]);
109	X= &(ctx2->bn[4]);
110	c= &(ctx2->bn[5]);
111	p= &(ctx2->bn[6]);
112	test= &(ctx2->bn[7]);
113
114	BN_lshift(test,BN_value_one(),bits-1);
115
116	for (;;)
117		{
118		for (;;)
119			{
120			/* step 1 */
121			if (callback != NULL) callback(0,m++,cb_arg);
122
123			if (!seed_len)
124				RAND_bytes(seed,SHA_DIGEST_LENGTH);
125			else
126				seed_len=0;
127
128			memcpy(buf,seed,SHA_DIGEST_LENGTH);
129			memcpy(buf2,seed,SHA_DIGEST_LENGTH);
130			for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
131				{
132				buf[i]++;
133				if (buf[i] != 0) break;
134				}
135
136			/* step 2 */
137			HASH(seed,SHA_DIGEST_LENGTH,md);
138			HASH(buf,SHA_DIGEST_LENGTH,buf2);
139			for (i=0; i<SHA_DIGEST_LENGTH; i++)
140				md[i]^=buf2[i];
141
142			/* step 3 */
143			md[0]|=0x80;
144			md[SHA_DIGEST_LENGTH-1]|=0x01;
145			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
146
147			/* step 4 */
148			if (DSA_is_prime(q,callback,cb_arg) > 0) break;
149			/* do a callback call */
150			/* step 5 */
151			}
152
153		if (callback != NULL) callback(2,0,cb_arg);
154		if (callback != NULL) callback(3,0,cb_arg);
155
156		/* step 6 */
157		counter=0;
158
159		n=(bits-1)/160;
160		b=(bits-1)-n*160;
161
162		for (;;)
163			{
164			/* step 7 */
165			BN_zero(W);
166			for (k=0; k<=n; k++)
167				{
168				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
169					{
170					buf[i]++;
171					if (buf[i] != 0) break;
172					}
173
174				HASH(buf,SHA_DIGEST_LENGTH,md);
175
176				/* step 8 */
177				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
178				BN_lshift(r0,r0,160*k);
179				BN_add(W,W,r0);
180				}
181
182			/* more of step 8 */
183			BN_mask_bits(W,bits-1);
184			BN_copy(X,W); /* this should be ok */
185			BN_add(X,X,test); /* this should be ok */
186
187			/* step 9 */
188			BN_lshift1(r0,q);
189			BN_mod(c,X,r0,ctx);
190			BN_sub(r0,c,BN_value_one());
191			BN_sub(p,X,r0);
192
193			/* step 10 */
194			if (BN_cmp(p,test) >= 0)
195				{
196				/* step 11 */
197				if (DSA_is_prime(p,callback,cb_arg) > 0)
198					goto end;
199				}
200
201			/* step 13 */
202			counter++;
203
204			/* step 14 */
205			if (counter >= 4096) break;
206
207			if (callback != NULL) callback(0,counter,cb_arg);
208			}
209		}
210end:
211	if (callback != NULL) callback(2,1,cb_arg);
212
213	/* We now need to gernerate g */
214	/* Set r0=(p-1)/q */
215	BN_sub(test,p,BN_value_one());
216	BN_div(r0,NULL,test,q,ctx);
217
218	BN_set_word(test,h);
219	BN_MONT_CTX_set(mont,p,ctx);
220
221	for (;;)
222		{
223		/* g=test^r0%p */
224		BN_mod_exp_mont(g,test,r0,p,ctx,mont);
225		if (!BN_is_one(g)) break;
226		BN_add(test,test,BN_value_one());
227		h++;
228		}
229
230	if (callback != NULL) callback(3,1,cb_arg);
231
232	ok=1;
233err:
234	if (!ok)
235		{
236		if (ret != NULL) DSA_free(ret);
237		}
238	else
239		{
240		ret->p=BN_dup(p);
241		ret->q=BN_dup(q);
242		ret->g=BN_dup(g);
243		if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
244		if (counter_ret != NULL) *counter_ret=counter;
245		if (h_ret != NULL) *h_ret=h;
246		}
247	if (ctx != NULL) BN_CTX_free(ctx);
248	if (ctx != NULL) BN_CTX_free(ctx2);
249	if (mont != NULL) BN_MONT_CTX_free(mont);
250	return(ok?ret:NULL);
251	}
252
253int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
254	{
255	int ok= -1,j,i,n;
256	BN_CTX *ctx=NULL,*ctx2=NULL;
257	BIGNUM *w_1,*b,*m,*z,*tmp,*mont_1;
258	int a;
259	BN_MONT_CTX *mont=NULL;
260
261	if (!BN_is_bit_set(w,0)) return(0);
262
263	if ((ctx=BN_CTX_new()) == NULL) goto err;
264	if ((ctx2=BN_CTX_new()) == NULL) goto err;
265	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
266
267	m=   &(ctx2->bn[2]);
268	b=   &(ctx2->bn[3]);
269	z=   &(ctx2->bn[4]);
270	w_1= &(ctx2->bn[5]);
271	tmp= &(ctx2->bn[6]);
272	mont_1= &(ctx2->bn[7]);
273
274	/* step 1 */
275	n=50;
276
277	/* step 2 */
278	if (!BN_sub(w_1,w,BN_value_one())) goto err;
279	for (a=1; !BN_is_bit_set(w_1,a); a++)
280		;
281	if (!BN_rshift(m,w_1,a)) goto err;
282
283	BN_MONT_CTX_set(mont,w,ctx);
284	BN_to_montgomery(mont_1,BN_value_one(),mont,ctx);
285	BN_to_montgomery(w_1,w_1,mont,ctx);
286	for (i=1; i < n; i++)
287		{
288		/* step 3 */
289		BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
290		/* BN_set_word(b,0x10001L); */
291
292		/* step 4 */
293		j=0;
294		if (!BN_mod_exp_mont(z,b,m,w,ctx,mont)) goto err;
295
296		if (!BN_to_montgomery(z,z,mont,ctx)) goto err;
297
298		/* step 5 */
299		for (;;)
300			{
301			if (((j == 0) && (BN_cmp(z,mont_1) == 0)) ||
302				(BN_cmp(z,w_1) == 0))
303				break;
304
305			/* step 6 */
306			if ((j > 0) && (BN_cmp(z,mont_1) == 0))
307				{
308				ok=0;
309				goto err;
310				}
311
312			j++;
313			if (j >= a)
314				{
315				ok=0;
316				goto err;
317				}
318
319			if (!BN_mod_mul_montgomery(z,z,z,mont,ctx)) goto err;
320			if (callback != NULL) callback(1,j,cb_arg);
321			}
322		}
323
324	ok=1;
325err:
326	if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB);
327	BN_CTX_free(ctx);
328	BN_CTX_free(ctx2);
329	BN_MONT_CTX_free(mont);
330
331	return(ok);
332	}
333#endif
334