xref: /openbsd-src/lib/libcrypto/dsa/dsa_gen.c (revision 62a742911104f98b9185b2c6b6007d9b1c36396c) 
1 /* crypto/dsa/dsa_gen.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 
59 #undef GENUINE_DSA
60 
61 #ifdef GENUINE_DSA
62 #define HASH    SHA
63 #else
64 #define HASH    SHA1
65 #endif
66 
67 #include <stdio.h>
68 #include <time.h>
69 #include "cryptlib.h"
70 #include "sha.h"
71 #include "bn.h"
72 #include "dsa.h"
73 #include "rand.h"
74 
75 DSA *DSA_generate_parameters(bits,seed_in,seed_len,counter_ret,h_ret,callback,
76 	cb_arg)
77 int bits;
78 unsigned char *seed_in;
79 int seed_len;
80 int *counter_ret;
81 unsigned long *h_ret;
82 void (*callback)();
83 char *cb_arg;
84 	{
85 	int ok=0;
86 	unsigned char seed[SHA_DIGEST_LENGTH];
87 	unsigned char md[SHA_DIGEST_LENGTH];
88 	unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
89 	BIGNUM *r0,*W,*X,*c,*test;
90 	BIGNUM *g=NULL,*q=NULL,*p=NULL;
91 	int k,n=0,i,b,m=0;
92 	int counter=0;
93 	BN_CTX *ctx=NULL,*ctx2=NULL;
94 	unsigned int h=2;
95 	DSA *ret=NULL;
96 
97 	if (bits < 512) bits=512;
98 	bits=(bits+63)/64*64;
99 
100 	if ((seed_in != NULL) && (seed_len == 20))
101 		memcpy(seed,seed_in,seed_len);
102 
103 	ctx=BN_CTX_new();
104 	if (ctx == NULL) goto err;
105 	ctx2=BN_CTX_new();
106 	if (ctx2 == NULL) goto err;
107 	ret=DSA_new();
108 	if (ret == NULL) goto err;
109 	r0=ctx2->bn[0];
110 	g=ctx2->bn[1];
111 	W=ctx2->bn[2];
112 	q=ctx2->bn[3];
113 	X=ctx2->bn[4];
114 	c=ctx2->bn[5];
115 	p=ctx2->bn[6];
116 	test=ctx2->bn[7];
117 
118 	BN_lshift(test,BN_value_one(),bits-1);
119 
120 	for (;;)
121 		{
122 		for (;;)
123 			{
124 			/* step 1 */
125 			if (callback != NULL) callback(0,m++,cb_arg);
126 
127 			if (!seed_len)
128 				RAND_bytes(seed,SHA_DIGEST_LENGTH);
129 			else
130 				seed_len=0;
131 
132 			memcpy(buf,seed,SHA_DIGEST_LENGTH);
133 			memcpy(buf2,seed,SHA_DIGEST_LENGTH);
134 			for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
135 				{
136 				buf[i]++;
137 				if (buf[i] != 0) break;
138 				}
139 
140 			/* step 2 */
141 			HASH(seed,SHA_DIGEST_LENGTH,md);
142 			HASH(buf,SHA_DIGEST_LENGTH,buf2);
143 			for (i=0; i<SHA_DIGEST_LENGTH; i++)
144 				md[i]^=buf2[i];
145 
146 			/* step 3 */
147 			md[0]|=0x80;
148 			md[SHA_DIGEST_LENGTH-1]|=0x01;
149 			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
150 
151 			/* step 4 */
152 			if (DSA_is_prime(q,callback,cb_arg) > 0) break;
153 			/* do a callback call */
154 			/* step 5 */
155 			}
156 
157 		if (callback != NULL) callback(2,0,cb_arg);
158 		if (callback != NULL) callback(3,0,cb_arg);
159 
160 		/* step 6 */
161 		counter=0;
162 
163 		n=(bits-1)/160;
164 		b=(bits-1)-n*160;
165 
166 		for (;;)
167 			{
168 			/* step 7 */
169 			BN_zero(W);
170 			for (k=0; k<=n; k++)
171 				{
172 				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
173 					{
174 					buf[i]++;
175 					if (buf[i] != 0) break;
176 					}
177 
178 				HASH(buf,SHA_DIGEST_LENGTH,md);
179 
180 				/* step 8 */
181 				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
182 				BN_lshift(r0,r0,160*k);
183 				BN_add(W,W,r0);
184 				}
185 
186 			/* more of step 8 */
187 			BN_mask_bits(W,bits-1);
188 			BN_copy(X,W); /* this should be ok */
189 			BN_add(X,X,test); /* this should be ok */
190 
191 			/* step 9 */
192 			BN_lshift1(r0,q);
193 			BN_mod(c,X,r0,ctx);
194 			BN_sub(r0,c,BN_value_one());
195 			BN_sub(p,X,r0);
196 
197 			/* step 10 */
198 			if (BN_cmp(p,test) >= 0)
199 				{
200 				/* step 11 */
201 				if (DSA_is_prime(p,callback,cb_arg) > 0)
202 					goto end;
203 				}
204 
205 			/* step 13 */
206 			counter++;
207 
208 			/* step 14 */
209 			if (counter >= 4096) break;
210 
211 			if (callback != NULL) callback(0,counter,cb_arg);
212 			}
213 		}
214 end:
215 	if (callback != NULL) callback(2,1,cb_arg);
216 
217 	/* We now need to gernerate g */
218 	/* Set r0=(p-1)/q */
219         BN_sub(test,p,BN_value_one());
220         BN_div(r0,NULL,test,q,ctx);
221 
222 	BN_set_word(test,h);
223 	for (;;)
224 		{
225 		/* g=test^r0%p */
226 		BN_mod_exp(g,test,r0,p,ctx);
227 		if (!BN_is_one(g)) break;
228 		BN_add(test,test,BN_value_one());
229 		h++;
230 		}
231 
232 	if (callback != NULL) callback(3,1,cb_arg);
233 
234 	ok=1;
235 err:
236 	if (!ok)
237 		{
238 		if (ret != NULL) DSA_free(ret);
239 		}
240 	else
241 		{
242 		ret->p=BN_dup(p);
243 		ret->q=BN_dup(q);
244 		ret->g=BN_dup(g);
245 		if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
246 		if (counter_ret != NULL) *counter_ret=counter;
247 		if (h_ret != NULL) *h_ret=h;
248 		}
249 	BN_CTX_free(ctx);
250 	BN_CTX_free(ctx2);
251 	return(ok?ret:NULL);
252 	}
253 
254 int DSA_is_prime(w, callback,cb_arg)
255 BIGNUM *w;
256 void (*callback)();
257 char *cb_arg;
258 	{
259 	int ok= -1,j,i,n;
260 	BN_CTX *ctx=NULL,*ctx2=NULL;
261 	BIGNUM *w_1,*b,*m,*z;
262 	int a;
263 
264 	if (!BN_is_bit_set(w,0)) return(0);
265 
266 	ctx=BN_CTX_new();
267 	if (ctx == NULL) goto err;
268 	ctx2=BN_CTX_new();
269 	if (ctx2 == NULL) goto err;
270 
271 	m=  ctx2->bn[2];
272 	b=  ctx2->bn[3];
273 	z=  ctx2->bn[4];
274 	w_1=ctx2->bn[5];
275 
276 	/* step 1 */
277 	n=50;
278 
279 	/* step 2 */
280 	if (!BN_sub(w_1,w,BN_value_one())) goto err;
281 	for (a=1; !BN_is_bit_set(w_1,a); a++)
282 		;
283 	if (!BN_rshift(m,w_1,a)) goto err;
284 
285 	for (i=1; i < n; i++)
286 		{
287 		/* step 3 */
288 		BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
289 		BN_set_word(b,0x10001L);
290 
291 		/* step 4 */
292 		j=0;
293 		if (!BN_mod_exp(z,b,m,w,ctx)) goto err;
294 
295 		/* step 5 */
296 		for (;;)
297 			{
298 			if (((j == 0) && BN_is_one(z)) || (BN_cmp(z,w_1) == 0))
299 				break;
300 
301 			/* step 6 */
302 			if ((j > 0) && BN_is_one(z))
303 				{
304 				ok=0;
305 				goto err;
306 				}
307 
308 			j++;
309 			if (j >= a)
310 				{
311 				ok=0;
312 				goto err;
313 				}
314 
315 			if (!BN_mod_mul(z,z,z,w,ctx)) goto err;
316 			if (callback != NULL) callback(1,j,cb_arg);
317 			}
318 		}
319 
320 	ok=1;
321 err:
322 	if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB);
323 	BN_CTX_free(ctx);
324 	BN_CTX_free(ctx2);
325 
326 	return(ok);
327 	}
328 
329