1 /* $OpenBSD: dsa_gen.c,v 1.32 2024/05/11 06:43:50 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */
60
61 #ifndef OPENSSL_NO_SHA
62
63 #include <stdio.h>
64 #include <stdlib.h>
65 #include <string.h>
66
67 #include <openssl/bn.h>
68 #include <openssl/evp.h>
69 #include <openssl/sha.h>
70
71 #include "bn_local.h"
72 #include "dsa_local.h"
73
74 int
DSA_generate_parameters_ex(DSA * ret,int bits,const unsigned char * seed_in,int seed_len,int * counter_ret,unsigned long * h_ret,BN_GENCB * cb)75 DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in,
76 int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
77 {
78 const EVP_MD *evpmd;
79 size_t qbits;
80
81 if (bits >= 2048) {
82 qbits = 256;
83 evpmd = EVP_sha256();
84 } else {
85 qbits = 160;
86 evpmd = EVP_sha1();
87 }
88
89 return dsa_builtin_paramgen(ret, bits, qbits, evpmd, seed_in, seed_len,
90 NULL, counter_ret, h_ret, cb);
91 }
92 LCRYPTO_ALIAS(DSA_generate_parameters_ex);
93
94 int
dsa_builtin_paramgen(DSA * ret,size_t bits,size_t qbits,const EVP_MD * evpmd,const unsigned char * seed_in,size_t seed_len,unsigned char * seed_out,int * counter_ret,unsigned long * h_ret,BN_GENCB * cb)95 dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
96 const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out,
97 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
98 {
99 int ok = 0;
100 unsigned char seed[SHA256_DIGEST_LENGTH];
101 unsigned char md[SHA256_DIGEST_LENGTH];
102 unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
103 BIGNUM *r0, *W, *X, *c, *test;
104 BIGNUM *g = NULL, *q = NULL, *p = NULL;
105 BN_MONT_CTX *mont = NULL;
106 int i, k, n = 0, m = 0, qsize = qbits >> 3;
107 int counter = 0;
108 int r = 0;
109 BN_CTX *ctx = NULL;
110 unsigned int h = 2;
111
112 if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
113 qsize != SHA256_DIGEST_LENGTH)
114 /* invalid q size */
115 return 0;
116
117 if (evpmd == NULL)
118 /* use SHA1 as default */
119 evpmd = EVP_sha1();
120
121 if (bits < 512)
122 bits = 512;
123
124 bits = (bits + 63) / 64 * 64;
125
126 if (seed_len < (size_t)qsize) {
127 seed_in = NULL; /* seed buffer too small -- ignore */
128 seed_len = 0;
129 }
130 /*
131 * App. 2.2 of FIPS PUB 186 allows larger SEED,
132 * but our internal buffers are restricted to 160 bits
133 */
134 if (seed_len > (size_t)qsize)
135 seed_len = qsize;
136 if (seed_in != NULL)
137 memcpy(seed, seed_in, seed_len);
138 else if (seed_len != 0)
139 goto err;
140
141 if ((mont = BN_MONT_CTX_new()) == NULL)
142 goto err;
143
144 if ((ctx = BN_CTX_new()) == NULL)
145 goto err;
146
147 BN_CTX_start(ctx);
148
149 if ((r0 = BN_CTX_get(ctx)) == NULL)
150 goto err;
151 if ((g = BN_CTX_get(ctx)) == NULL)
152 goto err;
153 if ((W = BN_CTX_get(ctx)) == NULL)
154 goto err;
155 if ((q = BN_CTX_get(ctx)) == NULL)
156 goto err;
157 if ((X = BN_CTX_get(ctx)) == NULL)
158 goto err;
159 if ((c = BN_CTX_get(ctx)) == NULL)
160 goto err;
161 if ((p = BN_CTX_get(ctx)) == NULL)
162 goto err;
163 if ((test = BN_CTX_get(ctx)) == NULL)
164 goto err;
165
166 if (!BN_lshift(test, BN_value_one(), bits - 1))
167 goto err;
168
169 for (;;) {
170 for (;;) { /* find q */
171 int seed_is_random;
172
173 /* step 1 */
174 if (!BN_GENCB_call(cb, 0, m++))
175 goto err;
176
177 if (seed_len == 0) {
178 arc4random_buf(seed, qsize);
179 seed_is_random = 1;
180 } else {
181 seed_is_random = 0;
182 /* use random seed if 'seed_in' turns out
183 to be bad */
184 seed_len = 0;
185 }
186 memcpy(buf, seed, qsize);
187 memcpy(buf2, seed, qsize);
188 /* precompute "SEED + 1" for step 7: */
189 for (i = qsize - 1; i >= 0; i--) {
190 buf[i]++;
191 if (buf[i] != 0)
192 break;
193 }
194
195 /* step 2 */
196 if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
197 goto err;
198 if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
199 goto err;
200 for (i = 0; i < qsize; i++)
201 md[i] ^= buf2[i];
202
203 /* step 3 */
204 md[0] |= 0x80;
205 md[qsize - 1] |= 0x01;
206 if (!BN_bin2bn(md, qsize, q))
207 goto err;
208
209 /* step 4 */
210 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
211 seed_is_random, cb);
212 if (r > 0)
213 break;
214 if (r != 0)
215 goto err;
216
217 /* do a callback call */
218 /* step 5 */
219 }
220
221 if (!BN_GENCB_call(cb, 2, 0))
222 goto err;
223 if (!BN_GENCB_call(cb, 3, 0))
224 goto err;
225
226 /* step 6 */
227 counter = 0;
228 /* "offset = 2" */
229
230 n = (bits - 1) / 160;
231
232 for (;;) {
233 if (counter != 0 && !BN_GENCB_call(cb, 0, counter))
234 goto err;
235
236 /* step 7 */
237 BN_zero(W);
238 /* now 'buf' contains "SEED + offset - 1" */
239 for (k = 0; k <= n; k++) {
240 /* obtain "SEED + offset + k" by incrementing: */
241 for (i = qsize - 1; i >= 0; i--) {
242 buf[i]++;
243 if (buf[i] != 0)
244 break;
245 }
246
247 if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
248 NULL))
249 goto err;
250
251 /* step 8 */
252 if (!BN_bin2bn(md, qsize, r0))
253 goto err;
254 if (!BN_lshift(r0, r0, (qsize << 3) * k))
255 goto err;
256 if (!BN_add(W, W, r0))
257 goto err;
258 }
259
260 /* more of step 8 */
261 if (!BN_mask_bits(W, bits - 1))
262 goto err;
263 if (!bn_copy(X, W))
264 goto err;
265 if (!BN_add(X, X, test))
266 goto err;
267
268 /* step 9 */
269 if (!BN_lshift1(r0, q))
270 goto err;
271 if (!BN_mod_ct(c, X, r0, ctx))
272 goto err;
273 if (!BN_sub(r0, c, BN_value_one()))
274 goto err;
275 if (!BN_sub(p, X, r0))
276 goto err;
277
278 /* step 10 */
279 if (BN_cmp(p, test) >= 0) {
280 /* step 11 */
281 r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
282 ctx, 1, cb);
283 if (r > 0)
284 goto end; /* found it */
285 if (r != 0)
286 goto err;
287 }
288
289 /* step 13 */
290 counter++;
291 /* "offset = offset + n + 1" */
292
293 /* step 14 */
294 if (counter >= 4096)
295 break;
296 }
297 }
298 end:
299 if (!BN_GENCB_call(cb, 2, 1))
300 goto err;
301
302 /* We now need to generate g */
303 /* Set r0=(p-1)/q */
304 if (!BN_sub(test, p, BN_value_one()))
305 goto err;
306 if (!BN_div_ct(r0, NULL, test, q, ctx))
307 goto err;
308
309 if (!BN_set_word(test, h))
310 goto err;
311 if (!BN_MONT_CTX_set(mont, p, ctx))
312 goto err;
313
314 for (;;) {
315 /* g=test^r0%p */
316 if (!BN_mod_exp_mont_ct(g, test, r0, p, ctx, mont))
317 goto err;
318 if (!BN_is_one(g))
319 break;
320 if (!BN_add(test, test, BN_value_one()))
321 goto err;
322 h++;
323 }
324
325 if (!BN_GENCB_call(cb, 3, 1))
326 goto err;
327
328 ok = 1;
329 err:
330 if (ok) {
331 BN_free(ret->p);
332 BN_free(ret->q);
333 BN_free(ret->g);
334 ret->p = BN_dup(p);
335 ret->q = BN_dup(q);
336 ret->g = BN_dup(g);
337 if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
338 ok = 0;
339 goto err;
340 }
341 if (counter_ret != NULL)
342 *counter_ret = counter;
343 if (h_ret != NULL)
344 *h_ret = h;
345 if (seed_out != NULL)
346 memcpy(seed_out, seed, qsize);
347 }
348 BN_CTX_end(ctx);
349 BN_CTX_free(ctx);
350 BN_MONT_CTX_free(mont);
351
352 return ok;
353 }
354
355 #endif
356