1 /* $OpenBSD: moduli.c,v 1.21 2008/06/26 09:19:40 djm Exp $ */ 2 /* 3 * Copyright 1994 Phil Karn <karn@qualcomm.com> 4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com> 5 * Copyright 2000 Niels Provos <provos@citi.umich.edu> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * Two-step process to generate safe primes for DHGEX 31 * 32 * Sieve candidates for "safe" primes, 33 * suitable for use as Diffie-Hellman moduli; 34 * that is, where q = (p-1)/2 is also prime. 35 * 36 * First step: generate candidate primes (memory intensive) 37 * Second step: test primes' safety (processor intensive) 38 */ 39 40 #include <sys/types.h> 41 42 #include <openssl/bn.h> 43 #include <openssl/dh.h> 44 45 #include <stdio.h> 46 #include <stdlib.h> 47 #include <string.h> 48 #include <stdarg.h> 49 #include <time.h> 50 51 #include "xmalloc.h" 52 #include "dh.h" 53 #include "log.h" 54 55 /* 56 * File output defines 57 */ 58 59 /* need line long enough for largest moduli plus headers */ 60 #define QLINESIZE (100+8192) 61 62 /* 63 * Size: decimal. 64 * Specifies the number of the most significant bit (0 to M). 65 * WARNING: internally, usually 1 to N. 66 */ 67 #define QSIZE_MINIMUM (511) 68 69 /* 70 * Prime sieving defines 71 */ 72 73 /* Constant: assuming 8 bit bytes and 32 bit words */ 74 #define SHIFT_BIT (3) 75 #define SHIFT_BYTE (2) 76 #define SHIFT_WORD (SHIFT_BIT+SHIFT_BYTE) 77 #define SHIFT_MEGABYTE (20) 78 #define SHIFT_MEGAWORD (SHIFT_MEGABYTE-SHIFT_BYTE) 79 80 /* 81 * Using virtual memory can cause thrashing. This should be the largest 82 * number that is supported without a large amount of disk activity -- 83 * that would increase the run time from hours to days or weeks! 84 */ 85 #define LARGE_MINIMUM (8UL) /* megabytes */ 86 87 /* 88 * Do not increase this number beyond the unsigned integer bit size. 89 * Due to a multiple of 4, it must be LESS than 128 (yielding 2**30 bits). 90 */ 91 #define LARGE_MAXIMUM (127UL) /* megabytes */ 92 93 /* 94 * Constant: when used with 32-bit integers, the largest sieve prime 95 * has to be less than 2**32. 96 */ 97 #define SMALL_MAXIMUM (0xffffffffUL) 98 99 /* Constant: can sieve all primes less than 2**32, as 65537**2 > 2**32-1. */ 100 #define TINY_NUMBER (1UL<<16) 101 102 /* Ensure enough bit space for testing 2*q. */ 103 #define TEST_MAXIMUM (1UL<<16) 104 #define TEST_MINIMUM (QSIZE_MINIMUM + 1) 105 /* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */ 106 #define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */ 107 108 /* bit operations on 32-bit words */ 109 #define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31))) 110 #define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31))) 111 #define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31))) 112 113 /* 114 * Prime testing defines 115 */ 116 117 /* Minimum number of primality tests to perform */ 118 #define TRIAL_MINIMUM (4) 119 120 /* 121 * Sieving data (XXX - move to struct) 122 */ 123 124 /* sieve 2**16 */ 125 static u_int32_t *TinySieve, tinybits; 126 127 /* sieve 2**30 in 2**16 parts */ 128 static u_int32_t *SmallSieve, smallbits, smallbase; 129 130 /* sieve relative to the initial value */ 131 static u_int32_t *LargeSieve, largewords, largetries, largenumbers; 132 static u_int32_t largebits, largememory; /* megabytes */ 133 static BIGNUM *largebase; 134 135 int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); 136 int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); 137 138 /* 139 * print moduli out in consistent form, 140 */ 141 static int 142 qfileout(FILE * ofile, u_int32_t otype, u_int32_t otests, u_int32_t otries, 143 u_int32_t osize, u_int32_t ogenerator, BIGNUM * omodulus) 144 { 145 struct tm *gtm; 146 time_t time_now; 147 int res; 148 149 time(&time_now); 150 gtm = gmtime(&time_now); 151 152 res = fprintf(ofile, "%04d%02d%02d%02d%02d%02d %u %u %u %u %x ", 153 gtm->tm_year + 1900, gtm->tm_mon + 1, gtm->tm_mday, 154 gtm->tm_hour, gtm->tm_min, gtm->tm_sec, 155 otype, otests, otries, osize, ogenerator); 156 157 if (res < 0) 158 return (-1); 159 160 if (BN_print_fp(ofile, omodulus) < 1) 161 return (-1); 162 163 res = fprintf(ofile, "\n"); 164 fflush(ofile); 165 166 return (res > 0 ? 0 : -1); 167 } 168 169 170 /* 171 ** Sieve p's and q's with small factors 172 */ 173 static void 174 sieve_large(u_int32_t s) 175 { 176 u_int32_t r, u; 177 178 debug3("sieve_large %u", s); 179 largetries++; 180 /* r = largebase mod s */ 181 r = BN_mod_word(largebase, s); 182 if (r == 0) 183 u = 0; /* s divides into largebase exactly */ 184 else 185 u = s - r; /* largebase+u is first entry divisible by s */ 186 187 if (u < largebits * 2) { 188 /* 189 * The sieve omits p's and q's divisible by 2, so ensure that 190 * largebase+u is odd. Then, step through the sieve in 191 * increments of 2*s 192 */ 193 if (u & 0x1) 194 u += s; /* Make largebase+u odd, and u even */ 195 196 /* Mark all multiples of 2*s */ 197 for (u /= 2; u < largebits; u += s) 198 BIT_SET(LargeSieve, u); 199 } 200 201 /* r = p mod s */ 202 r = (2 * r + 1) % s; 203 if (r == 0) 204 u = 0; /* s divides p exactly */ 205 else 206 u = s - r; /* p+u is first entry divisible by s */ 207 208 if (u < largebits * 4) { 209 /* 210 * The sieve omits p's divisible by 4, so ensure that 211 * largebase+u is not. Then, step through the sieve in 212 * increments of 4*s 213 */ 214 while (u & 0x3) { 215 if (SMALL_MAXIMUM - u < s) 216 return; 217 u += s; 218 } 219 220 /* Mark all multiples of 4*s */ 221 for (u /= 4; u < largebits; u += s) 222 BIT_SET(LargeSieve, u); 223 } 224 } 225 226 /* 227 * list candidates for Sophie-Germain primes (where q = (p-1)/2) 228 * to standard output. 229 * The list is checked against small known primes (less than 2**30). 230 */ 231 int 232 gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) 233 { 234 BIGNUM *q; 235 u_int32_t j, r, s, t; 236 u_int32_t smallwords = TINY_NUMBER >> 6; 237 u_int32_t tinywords = TINY_NUMBER >> 6; 238 time_t time_start, time_stop; 239 u_int32_t i; 240 int ret = 0; 241 242 largememory = memory; 243 244 if (memory != 0 && 245 (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) { 246 error("Invalid memory amount (min %ld, max %ld)", 247 LARGE_MINIMUM, LARGE_MAXIMUM); 248 return (-1); 249 } 250 251 /* 252 * Set power to the length in bits of the prime to be generated. 253 * This is changed to 1 less than the desired safe prime moduli p. 254 */ 255 if (power > TEST_MAXIMUM) { 256 error("Too many bits: %u > %lu", power, TEST_MAXIMUM); 257 return (-1); 258 } else if (power < TEST_MINIMUM) { 259 error("Too few bits: %u < %u", power, TEST_MINIMUM); 260 return (-1); 261 } 262 power--; /* decrement before squaring */ 263 264 /* 265 * The density of ordinary primes is on the order of 1/bits, so the 266 * density of safe primes should be about (1/bits)**2. Set test range 267 * to something well above bits**2 to be reasonably sure (but not 268 * guaranteed) of catching at least one safe prime. 269 */ 270 largewords = ((power * power) >> (SHIFT_WORD - TEST_POWER)); 271 272 /* 273 * Need idea of how much memory is available. We don't have to use all 274 * of it. 275 */ 276 if (largememory > LARGE_MAXIMUM) { 277 logit("Limited memory: %u MB; limit %lu MB", 278 largememory, LARGE_MAXIMUM); 279 largememory = LARGE_MAXIMUM; 280 } 281 282 if (largewords <= (largememory << SHIFT_MEGAWORD)) { 283 logit("Increased memory: %u MB; need %u bytes", 284 largememory, (largewords << SHIFT_BYTE)); 285 largewords = (largememory << SHIFT_MEGAWORD); 286 } else if (largememory > 0) { 287 logit("Decreased memory: %u MB; want %u bytes", 288 largememory, (largewords << SHIFT_BYTE)); 289 largewords = (largememory << SHIFT_MEGAWORD); 290 } 291 292 TinySieve = xcalloc(tinywords, sizeof(u_int32_t)); 293 tinybits = tinywords << SHIFT_WORD; 294 295 SmallSieve = xcalloc(smallwords, sizeof(u_int32_t)); 296 smallbits = smallwords << SHIFT_WORD; 297 298 /* 299 * dynamically determine available memory 300 */ 301 while ((LargeSieve = calloc(largewords, sizeof(u_int32_t))) == NULL) 302 largewords -= (1L << (SHIFT_MEGAWORD - 2)); /* 1/4 MB chunks */ 303 304 largebits = largewords << SHIFT_WORD; 305 largenumbers = largebits * 2; /* even numbers excluded */ 306 307 /* validation check: count the number of primes tried */ 308 largetries = 0; 309 if ((q = BN_new()) == NULL) 310 fatal("BN_new failed"); 311 312 /* 313 * Generate random starting point for subprime search, or use 314 * specified parameter. 315 */ 316 if ((largebase = BN_new()) == NULL) 317 fatal("BN_new failed"); 318 if (start == NULL) { 319 if (BN_rand(largebase, power, 1, 1) == 0) 320 fatal("BN_rand failed"); 321 } else { 322 if (BN_copy(largebase, start) == NULL) 323 fatal("BN_copy: failed"); 324 } 325 326 /* ensure odd */ 327 if (BN_set_bit(largebase, 0) == 0) 328 fatal("BN_set_bit: failed"); 329 330 time(&time_start); 331 332 logit("%.24s Sieve next %u plus %u-bit", ctime(&time_start), 333 largenumbers, power); 334 debug2("start point: 0x%s", BN_bn2hex(largebase)); 335 336 /* 337 * TinySieve 338 */ 339 for (i = 0; i < tinybits; i++) { 340 if (BIT_TEST(TinySieve, i)) 341 continue; /* 2*i+3 is composite */ 342 343 /* The next tiny prime */ 344 t = 2 * i + 3; 345 346 /* Mark all multiples of t */ 347 for (j = i + t; j < tinybits; j += t) 348 BIT_SET(TinySieve, j); 349 350 sieve_large(t); 351 } 352 353 /* 354 * Start the small block search at the next possible prime. To avoid 355 * fencepost errors, the last pass is skipped. 356 */ 357 for (smallbase = TINY_NUMBER + 3; 358 smallbase < (SMALL_MAXIMUM - TINY_NUMBER); 359 smallbase += TINY_NUMBER) { 360 for (i = 0; i < tinybits; i++) { 361 if (BIT_TEST(TinySieve, i)) 362 continue; /* 2*i+3 is composite */ 363 364 /* The next tiny prime */ 365 t = 2 * i + 3; 366 r = smallbase % t; 367 368 if (r == 0) { 369 s = 0; /* t divides into smallbase exactly */ 370 } else { 371 /* smallbase+s is first entry divisible by t */ 372 s = t - r; 373 } 374 375 /* 376 * The sieve omits even numbers, so ensure that 377 * smallbase+s is odd. Then, step through the sieve 378 * in increments of 2*t 379 */ 380 if (s & 1) 381 s += t; /* Make smallbase+s odd, and s even */ 382 383 /* Mark all multiples of 2*t */ 384 for (s /= 2; s < smallbits; s += t) 385 BIT_SET(SmallSieve, s); 386 } 387 388 /* 389 * SmallSieve 390 */ 391 for (i = 0; i < smallbits; i++) { 392 if (BIT_TEST(SmallSieve, i)) 393 continue; /* 2*i+smallbase is composite */ 394 395 /* The next small prime */ 396 sieve_large((2 * i) + smallbase); 397 } 398 399 memset(SmallSieve, 0, smallwords << SHIFT_BYTE); 400 } 401 402 time(&time_stop); 403 404 logit("%.24s Sieved with %u small primes in %ld seconds", 405 ctime(&time_stop), largetries, (long) (time_stop - time_start)); 406 407 for (j = r = 0; j < largebits; j++) { 408 if (BIT_TEST(LargeSieve, j)) 409 continue; /* Definitely composite, skip */ 410 411 debug2("test q = largebase+%u", 2 * j); 412 if (BN_set_word(q, 2 * j) == 0) 413 fatal("BN_set_word failed"); 414 if (BN_add(q, q, largebase) == 0) 415 fatal("BN_add failed"); 416 if (qfileout(out, MODULI_TYPE_SOPHIE_GERMAIN, 417 MODULI_TESTS_SIEVE, largetries, 418 (power - 1) /* MSB */, (0), q) == -1) { 419 ret = -1; 420 break; 421 } 422 423 r++; /* count q */ 424 } 425 426 time(&time_stop); 427 428 xfree(LargeSieve); 429 xfree(SmallSieve); 430 xfree(TinySieve); 431 432 logit("%.24s Found %u candidates", ctime(&time_stop), r); 433 434 return (ret); 435 } 436 437 /* 438 * perform a Miller-Rabin primality test 439 * on the list of candidates 440 * (checking both q and p) 441 * The result is a list of so-call "safe" primes 442 */ 443 int 444 prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) 445 { 446 BIGNUM *q, *p, *a; 447 BN_CTX *ctx; 448 char *cp, *lp; 449 u_int32_t count_in = 0, count_out = 0, count_possible = 0; 450 u_int32_t generator_known, in_tests, in_tries, in_type, in_size; 451 time_t time_start, time_stop; 452 int res; 453 454 if (trials < TRIAL_MINIMUM) { 455 error("Minimum primality trials is %d", TRIAL_MINIMUM); 456 return (-1); 457 } 458 459 time(&time_start); 460 461 if ((p = BN_new()) == NULL) 462 fatal("BN_new failed"); 463 if ((q = BN_new()) == NULL) 464 fatal("BN_new failed"); 465 if ((ctx = BN_CTX_new()) == NULL) 466 fatal("BN_CTX_new failed"); 467 468 debug2("%.24s Final %u Miller-Rabin trials (%x generator)", 469 ctime(&time_start), trials, generator_wanted); 470 471 res = 0; 472 lp = xmalloc(QLINESIZE + 1); 473 while (fgets(lp, QLINESIZE + 1, in) != NULL) { 474 count_in++; 475 if (strlen(lp) < 14 || *lp == '!' || *lp == '#') { 476 debug2("%10u: comment or short line", count_in); 477 continue; 478 } 479 480 /* XXX - fragile parser */ 481 /* time */ 482 cp = &lp[14]; /* (skip) */ 483 484 /* type */ 485 in_type = strtoul(cp, &cp, 10); 486 487 /* tests */ 488 in_tests = strtoul(cp, &cp, 10); 489 490 if (in_tests & MODULI_TESTS_COMPOSITE) { 491 debug2("%10u: known composite", count_in); 492 continue; 493 } 494 495 /* tries */ 496 in_tries = strtoul(cp, &cp, 10); 497 498 /* size (most significant bit) */ 499 in_size = strtoul(cp, &cp, 10); 500 501 /* generator (hex) */ 502 generator_known = strtoul(cp, &cp, 16); 503 504 /* Skip white space */ 505 cp += strspn(cp, " "); 506 507 /* modulus (hex) */ 508 switch (in_type) { 509 case MODULI_TYPE_SOPHIE_GERMAIN: 510 debug2("%10u: (%u) Sophie-Germain", count_in, in_type); 511 a = q; 512 if (BN_hex2bn(&a, cp) == 0) 513 fatal("BN_hex2bn failed"); 514 /* p = 2*q + 1 */ 515 if (BN_lshift(p, q, 1) == 0) 516 fatal("BN_lshift failed"); 517 if (BN_add_word(p, 1) == 0) 518 fatal("BN_add_word failed"); 519 in_size += 1; 520 generator_known = 0; 521 break; 522 case MODULI_TYPE_UNSTRUCTURED: 523 case MODULI_TYPE_SAFE: 524 case MODULI_TYPE_SCHNORR: 525 case MODULI_TYPE_STRONG: 526 case MODULI_TYPE_UNKNOWN: 527 debug2("%10u: (%u)", count_in, in_type); 528 a = p; 529 if (BN_hex2bn(&a, cp) == 0) 530 fatal("BN_hex2bn failed"); 531 /* q = (p-1) / 2 */ 532 if (BN_rshift(q, p, 1) == 0) 533 fatal("BN_rshift failed"); 534 break; 535 default: 536 debug2("Unknown prime type"); 537 break; 538 } 539 540 /* 541 * due to earlier inconsistencies in interpretation, check 542 * the proposed bit size. 543 */ 544 if ((u_int32_t)BN_num_bits(p) != (in_size + 1)) { 545 debug2("%10u: bit size %u mismatch", count_in, in_size); 546 continue; 547 } 548 if (in_size < QSIZE_MINIMUM) { 549 debug2("%10u: bit size %u too short", count_in, in_size); 550 continue; 551 } 552 553 if (in_tests & MODULI_TESTS_MILLER_RABIN) 554 in_tries += trials; 555 else 556 in_tries = trials; 557 558 /* 559 * guess unknown generator 560 */ 561 if (generator_known == 0) { 562 if (BN_mod_word(p, 24) == 11) 563 generator_known = 2; 564 else if (BN_mod_word(p, 12) == 5) 565 generator_known = 3; 566 else { 567 u_int32_t r = BN_mod_word(p, 10); 568 569 if (r == 3 || r == 7) 570 generator_known = 5; 571 } 572 } 573 /* 574 * skip tests when desired generator doesn't match 575 */ 576 if (generator_wanted > 0 && 577 generator_wanted != generator_known) { 578 debug2("%10u: generator %d != %d", 579 count_in, generator_known, generator_wanted); 580 continue; 581 } 582 583 /* 584 * Primes with no known generator are useless for DH, so 585 * skip those. 586 */ 587 if (generator_known == 0) { 588 debug2("%10u: no known generator", count_in); 589 continue; 590 } 591 592 count_possible++; 593 594 /* 595 * The (1/4)^N performance bound on Miller-Rabin is 596 * extremely pessimistic, so don't spend a lot of time 597 * really verifying that q is prime until after we know 598 * that p is also prime. A single pass will weed out the 599 * vast majority of composite q's. 600 */ 601 if (BN_is_prime(q, 1, NULL, ctx, NULL) <= 0) { 602 debug("%10u: q failed first possible prime test", 603 count_in); 604 continue; 605 } 606 607 /* 608 * q is possibly prime, so go ahead and really make sure 609 * that p is prime. If it is, then we can go back and do 610 * the same for q. If p is composite, chances are that 611 * will show up on the first Rabin-Miller iteration so it 612 * doesn't hurt to specify a high iteration count. 613 */ 614 if (!BN_is_prime(p, trials, NULL, ctx, NULL)) { 615 debug("%10u: p is not prime", count_in); 616 continue; 617 } 618 debug("%10u: p is almost certainly prime", count_in); 619 620 /* recheck q more rigorously */ 621 if (!BN_is_prime(q, trials - 1, NULL, ctx, NULL)) { 622 debug("%10u: q is not prime", count_in); 623 continue; 624 } 625 debug("%10u: q is almost certainly prime", count_in); 626 627 if (qfileout(out, MODULI_TYPE_SAFE, 628 in_tests | MODULI_TESTS_MILLER_RABIN, 629 in_tries, in_size, generator_known, p)) { 630 res = -1; 631 break; 632 } 633 634 count_out++; 635 } 636 637 time(&time_stop); 638 xfree(lp); 639 BN_free(p); 640 BN_free(q); 641 BN_CTX_free(ctx); 642 643 logit("%.24s Found %u safe primes of %u candidates in %ld seconds", 644 ctime(&time_stop), count_out, count_possible, 645 (long) (time_stop - time_start)); 646 647 return (res); 648 } 649