1 /* $OpenBSD: dsa_gen.c,v 1.33 2024/12/05 19:34:46 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */
60
61 #ifndef OPENSSL_NO_SHA
62
63 #include <stdio.h>
64 #include <stdlib.h>
65 #include <string.h>
66
67 #include <openssl/bn.h>
68 #include <openssl/evp.h>
69 #include <openssl/sha.h>
70
71 #include "bn_local.h"
72 #include "dsa_local.h"
73
74 /*
75 * Primality test according to FIPS PUB 186-4, Appendix C.3. Set the number
76 * to 64 rounds of Miller-Rabin, which corresponds to 128 bits of security.
77 * This is necessary for keys of size >= 3072.
78 * XXX - now that we do BPSW the recommendation is to do 2 for p and 27 for q.
79 */
80 #define DSA_prime_checks 64
81
82 int
DSA_generate_parameters_ex(DSA * ret,int bits,const unsigned char * seed_in,int seed_len,int * counter_ret,unsigned long * h_ret,BN_GENCB * cb)83 DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in,
84 int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
85 {
86 const EVP_MD *evpmd;
87 size_t qbits;
88
89 if (bits >= 2048) {
90 qbits = 256;
91 evpmd = EVP_sha256();
92 } else {
93 qbits = 160;
94 evpmd = EVP_sha1();
95 }
96
97 return dsa_builtin_paramgen(ret, bits, qbits, evpmd, seed_in, seed_len,
98 NULL, counter_ret, h_ret, cb);
99 }
100 LCRYPTO_ALIAS(DSA_generate_parameters_ex);
101
102 int
dsa_builtin_paramgen(DSA * ret,size_t bits,size_t qbits,const EVP_MD * evpmd,const unsigned char * seed_in,size_t seed_len,unsigned char * seed_out,int * counter_ret,unsigned long * h_ret,BN_GENCB * cb)103 dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
104 const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out,
105 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
106 {
107 int ok = 0;
108 unsigned char seed[SHA256_DIGEST_LENGTH];
109 unsigned char md[SHA256_DIGEST_LENGTH];
110 unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
111 BIGNUM *r0, *W, *X, *c, *test;
112 BIGNUM *g = NULL, *q = NULL, *p = NULL;
113 BN_MONT_CTX *mont = NULL;
114 int i, k, n = 0, m = 0, qsize = qbits >> 3;
115 int counter = 0;
116 int r = 0;
117 BN_CTX *ctx = NULL;
118 unsigned int h = 2;
119
120 if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
121 qsize != SHA256_DIGEST_LENGTH)
122 /* invalid q size */
123 return 0;
124
125 if (evpmd == NULL)
126 /* use SHA1 as default */
127 evpmd = EVP_sha1();
128
129 if (bits < 512)
130 bits = 512;
131
132 bits = (bits + 63) / 64 * 64;
133
134 if (seed_len < (size_t)qsize) {
135 seed_in = NULL; /* seed buffer too small -- ignore */
136 seed_len = 0;
137 }
138 /*
139 * App. 2.2 of FIPS PUB 186 allows larger SEED,
140 * but our internal buffers are restricted to 160 bits
141 */
142 if (seed_len > (size_t)qsize)
143 seed_len = qsize;
144 if (seed_in != NULL)
145 memcpy(seed, seed_in, seed_len);
146 else if (seed_len != 0)
147 goto err;
148
149 if ((mont = BN_MONT_CTX_new()) == NULL)
150 goto err;
151
152 if ((ctx = BN_CTX_new()) == NULL)
153 goto err;
154
155 BN_CTX_start(ctx);
156
157 if ((r0 = BN_CTX_get(ctx)) == NULL)
158 goto err;
159 if ((g = BN_CTX_get(ctx)) == NULL)
160 goto err;
161 if ((W = BN_CTX_get(ctx)) == NULL)
162 goto err;
163 if ((q = BN_CTX_get(ctx)) == NULL)
164 goto err;
165 if ((X = BN_CTX_get(ctx)) == NULL)
166 goto err;
167 if ((c = BN_CTX_get(ctx)) == NULL)
168 goto err;
169 if ((p = BN_CTX_get(ctx)) == NULL)
170 goto err;
171 if ((test = BN_CTX_get(ctx)) == NULL)
172 goto err;
173
174 if (!BN_lshift(test, BN_value_one(), bits - 1))
175 goto err;
176
177 for (;;) {
178 for (;;) { /* find q */
179 int seed_is_random;
180
181 /* step 1 */
182 if (!BN_GENCB_call(cb, 0, m++))
183 goto err;
184
185 if (seed_len == 0) {
186 arc4random_buf(seed, qsize);
187 seed_is_random = 1;
188 } else {
189 seed_is_random = 0;
190 /* use random seed if 'seed_in' turns out
191 to be bad */
192 seed_len = 0;
193 }
194 memcpy(buf, seed, qsize);
195 memcpy(buf2, seed, qsize);
196 /* precompute "SEED + 1" for step 7: */
197 for (i = qsize - 1; i >= 0; i--) {
198 buf[i]++;
199 if (buf[i] != 0)
200 break;
201 }
202
203 /* step 2 */
204 if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
205 goto err;
206 if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
207 goto err;
208 for (i = 0; i < qsize; i++)
209 md[i] ^= buf2[i];
210
211 /* step 3 */
212 md[0] |= 0x80;
213 md[qsize - 1] |= 0x01;
214 if (!BN_bin2bn(md, qsize, q))
215 goto err;
216
217 /* step 4 */
218 r = BN_is_prime_fasttest_ex(q, DSA_prime_checks, ctx,
219 seed_is_random, cb);
220 if (r > 0)
221 break;
222 if (r != 0)
223 goto err;
224
225 /* do a callback call */
226 /* step 5 */
227 }
228
229 if (!BN_GENCB_call(cb, 2, 0))
230 goto err;
231 if (!BN_GENCB_call(cb, 3, 0))
232 goto err;
233
234 /* step 6 */
235 counter = 0;
236 /* "offset = 2" */
237
238 n = (bits - 1) / 160;
239
240 for (;;) {
241 if (counter != 0 && !BN_GENCB_call(cb, 0, counter))
242 goto err;
243
244 /* step 7 */
245 BN_zero(W);
246 /* now 'buf' contains "SEED + offset - 1" */
247 for (k = 0; k <= n; k++) {
248 /* obtain "SEED + offset + k" by incrementing: */
249 for (i = qsize - 1; i >= 0; i--) {
250 buf[i]++;
251 if (buf[i] != 0)
252 break;
253 }
254
255 if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
256 NULL))
257 goto err;
258
259 /* step 8 */
260 if (!BN_bin2bn(md, qsize, r0))
261 goto err;
262 if (!BN_lshift(r0, r0, (qsize << 3) * k))
263 goto err;
264 if (!BN_add(W, W, r0))
265 goto err;
266 }
267
268 /* more of step 8 */
269 if (!BN_mask_bits(W, bits - 1))
270 goto err;
271 if (!bn_copy(X, W))
272 goto err;
273 if (!BN_add(X, X, test))
274 goto err;
275
276 /* step 9 */
277 if (!BN_lshift1(r0, q))
278 goto err;
279 if (!BN_mod_ct(c, X, r0, ctx))
280 goto err;
281 if (!BN_sub(r0, c, BN_value_one()))
282 goto err;
283 if (!BN_sub(p, X, r0))
284 goto err;
285
286 /* step 10 */
287 if (BN_cmp(p, test) >= 0) {
288 /* step 11 */
289 r = BN_is_prime_fasttest_ex(p, DSA_prime_checks,
290 ctx, 1, cb);
291 if (r > 0)
292 goto end; /* found it */
293 if (r != 0)
294 goto err;
295 }
296
297 /* step 13 */
298 counter++;
299 /* "offset = offset + n + 1" */
300
301 /* step 14 */
302 if (counter >= 4096)
303 break;
304 }
305 }
306 end:
307 if (!BN_GENCB_call(cb, 2, 1))
308 goto err;
309
310 /* We now need to generate g */
311 /* Set r0=(p-1)/q */
312 if (!BN_sub(test, p, BN_value_one()))
313 goto err;
314 if (!BN_div_ct(r0, NULL, test, q, ctx))
315 goto err;
316
317 if (!BN_set_word(test, h))
318 goto err;
319 if (!BN_MONT_CTX_set(mont, p, ctx))
320 goto err;
321
322 for (;;) {
323 /* g=test^r0%p */
324 if (!BN_mod_exp_mont_ct(g, test, r0, p, ctx, mont))
325 goto err;
326 if (!BN_is_one(g))
327 break;
328 if (!BN_add(test, test, BN_value_one()))
329 goto err;
330 h++;
331 }
332
333 if (!BN_GENCB_call(cb, 3, 1))
334 goto err;
335
336 ok = 1;
337 err:
338 if (ok) {
339 BN_free(ret->p);
340 BN_free(ret->q);
341 BN_free(ret->g);
342 ret->p = BN_dup(p);
343 ret->q = BN_dup(q);
344 ret->g = BN_dup(g);
345 if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
346 ok = 0;
347 goto err;
348 }
349 if (counter_ret != NULL)
350 *counter_ret = counter;
351 if (h_ret != NULL)
352 *h_ret = h;
353 if (seed_out != NULL)
354 memcpy(seed_out, seed, qsize);
355 }
356 BN_CTX_end(ctx);
357 BN_CTX_free(ctx);
358 BN_MONT_CTX_free(mont);
359
360 return ok;
361 }
362
363 #endif
364