dsa_gen.c revision 1.1 
1/* crypto/dsa/dsa_gen.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#undef GENUINE_DSA
60
61#ifdef GENUINE_DSA
62#define HASH    SHA
63#else
64#define HASH    SHA1
65#endif
66
67#include <stdio.h>
68#include <time.h>
69#include "cryptlib.h"
70#include "sha.h"
71#include "bn.h"
72#include "dsa.h"
73#include "rand.h"
74
75DSA *DSA_generate_parameters(bits,seed_in,seed_len,counter_ret,h_ret,callback,
76	cb_arg)
77int bits;
78unsigned char *seed_in;
79int seed_len;
80int *counter_ret;
81unsigned long *h_ret;
82void (*callback)();
83char *cb_arg;
84	{
85	int ok=0;
86	unsigned char seed[SHA_DIGEST_LENGTH];
87	unsigned char md[SHA_DIGEST_LENGTH];
88	unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
89	BIGNUM *r0,*W,*X,*c,*test;
90	BIGNUM *g=NULL,*q=NULL,*p=NULL;
91	int k,n=0,i,b,m=0;
92	int counter=0;
93	BN_CTX *ctx=NULL,*ctx2=NULL;
94	unsigned int h=2;
95	DSA *ret=NULL;
96
97	if (bits < 512) bits=512;
98	bits=(bits+63)/64*64;
99
100	if ((seed_in != NULL) && (seed_len == 20))
101		memcpy(seed,seed_in,seed_len);
102
103	ctx=BN_CTX_new();
104	if (ctx == NULL) goto err;
105	ctx2=BN_CTX_new();
106	if (ctx2 == NULL) goto err;
107	ret=DSA_new();
108	if (ret == NULL) goto err;
109	r0=ctx2->bn[0];
110	g=ctx2->bn[1];
111	W=ctx2->bn[2];
112	q=ctx2->bn[3];
113	X=ctx2->bn[4];
114	c=ctx2->bn[5];
115	p=ctx2->bn[6];
116	test=ctx2->bn[7];
117
118	BN_lshift(test,BN_value_one(),bits-1);
119
120	for (;;)
121		{
122		for (;;)
123			{
124			/* step 1 */
125			if (callback != NULL) callback(0,m++,cb_arg);
126
127			if (!seed_len)
128				RAND_bytes(seed,SHA_DIGEST_LENGTH);
129			else
130				seed_len=0;
131
132			memcpy(buf,seed,SHA_DIGEST_LENGTH);
133			memcpy(buf2,seed,SHA_DIGEST_LENGTH);
134			for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
135				{
136				buf[i]++;
137				if (buf[i] != 0) break;
138				}
139
140			/* step 2 */
141			HASH(seed,SHA_DIGEST_LENGTH,md);
142			HASH(buf,SHA_DIGEST_LENGTH,buf2);
143			for (i=0; i<SHA_DIGEST_LENGTH; i++)
144				md[i]^=buf2[i];
145
146			/* step 3 */
147			md[0]|=0x80;
148			md[SHA_DIGEST_LENGTH-1]|=0x01;
149			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
150
151			/* step 4 */
152			if (DSA_is_prime(q,callback,cb_arg) > 0) break;
153			/* do a callback call */
154			/* step 5 */
155			}
156
157		if (callback != NULL) callback(2,0,cb_arg);
158		if (callback != NULL) callback(3,0,cb_arg);
159
160		/* step 6 */
161		counter=0;
162
163		n=(bits-1)/160;
164		b=(bits-1)-n*160;
165
166		for (;;)
167			{
168			/* step 7 */
169			BN_zero(W);
170			for (k=0; k<=n; k++)
171				{
172				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
173					{
174					buf[i]++;
175					if (buf[i] != 0) break;
176					}
177
178				HASH(buf,SHA_DIGEST_LENGTH,md);
179
180				/* step 8 */
181				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
182				BN_lshift(r0,r0,160*k);
183				BN_add(W,W,r0);
184				}
185
186			/* more of step 8 */
187			BN_mask_bits(W,bits-1);
188			BN_copy(X,W); /* this should be ok */
189			BN_add(X,X,test); /* this should be ok */
190
191			/* step 9 */
192			BN_lshift1(r0,q);
193			BN_mod(c,X,r0,ctx);
194			BN_sub(r0,c,BN_value_one());
195			BN_sub(p,X,r0);
196
197			/* step 10 */
198			if (BN_cmp(p,test) >= 0)
199				{
200				/* step 11 */
201				if (DSA_is_prime(p,callback,cb_arg) > 0)
202					goto end;
203				}
204
205			/* step 13 */
206			counter++;
207
208			/* step 14 */
209			if (counter >= 4096) break;
210
211			if (callback != NULL) callback(0,counter,cb_arg);
212			}
213		}
214end:
215	if (callback != NULL) callback(2,1,cb_arg);
216
217	/* We now need to gernerate g */
218	/* Set r0=(p-1)/q */
219        BN_sub(test,p,BN_value_one());
220        BN_div(r0,NULL,test,q,ctx);
221
222	BN_set_word(test,h);
223	for (;;)
224		{
225		/* g=test^r0%p */
226		BN_mod_exp(g,test,r0,p,ctx);
227		if (!BN_is_one(g)) break;
228		BN_add(test,test,BN_value_one());
229		h++;
230		}
231
232	if (callback != NULL) callback(3,1,cb_arg);
233
234	ok=1;
235err:
236	if (!ok)
237		{
238		if (ret != NULL) DSA_free(ret);
239		}
240	else
241		{
242		ret->p=BN_dup(p);
243		ret->q=BN_dup(q);
244		ret->g=BN_dup(g);
245		if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
246		if (counter_ret != NULL) *counter_ret=counter;
247		if (h_ret != NULL) *h_ret=h;
248		}
249	BN_CTX_free(ctx);
250	BN_CTX_free(ctx2);
251	return(ok?ret:NULL);
252	}
253
254int DSA_is_prime(w, callback,cb_arg)
255BIGNUM *w;
256void (*callback)();
257char *cb_arg;
258	{
259	int ok= -1,j,i,n;
260	BN_CTX *ctx=NULL,*ctx2=NULL;
261	BIGNUM *w_1,*b,*m,*z;
262	int a;
263
264	if (!BN_is_bit_set(w,0)) return(0);
265
266	ctx=BN_CTX_new();
267	if (ctx == NULL) goto err;
268	ctx2=BN_CTX_new();
269	if (ctx2 == NULL) goto err;
270
271	m=  ctx2->bn[2];
272	b=  ctx2->bn[3];
273	z=  ctx2->bn[4];
274	w_1=ctx2->bn[5];
275
276	/* step 1 */
277	n=50;
278
279	/* step 2 */
280	if (!BN_sub(w_1,w,BN_value_one())) goto err;
281	for (a=1; !BN_is_bit_set(w_1,a); a++)
282		;
283	if (!BN_rshift(m,w_1,a)) goto err;
284
285	for (i=1; i < n; i++)
286		{
287		/* step 3 */
288		BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
289		BN_set_word(b,0x10001L);
290
291		/* step 4 */
292		j=0;
293		if (!BN_mod_exp(z,b,m,w,ctx)) goto err;
294
295		/* step 5 */
296		for (;;)
297			{
298			if (((j == 0) && BN_is_one(z)) || (BN_cmp(z,w_1) == 0))
299				break;
300
301			/* step 6 */
302			if ((j > 0) && BN_is_one(z))
303				{
304				ok=0;
305				goto err;
306				}
307
308			j++;
309			if (j >= a)
310				{
311				ok=0;
312				goto err;
313				}
314
315			if (!BN_mod_mul(z,z,z,w,ctx)) goto err;
316			if (callback != NULL) callback(1,j,cb_arg);
317			}
318		}
319
320	ok=1;
321err:
322	if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB);
323	BN_CTX_free(ctx);
324	BN_CTX_free(ctx2);
325
326	return(ok);
327	}
328
329