DSA *DSA_generate_parameters(int bits,
unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret,
void (*callback)(int, int, void *),
void *cb_arg)
{
int ok=0;
unsigned char seed[SHA_DIGEST_LENGTH];
unsigned char md[SHA_DIGEST_LENGTH];
unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
BIGNUM *r0,*W,*X,*c,*test;
BIGNUM *g=NULL,*q=NULL,*p=NULL;
BN_MONT_CTX *mont=NULL;
int k,n=0,i,b,m=0;
int counter=0;
int r=0;
BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL;
unsigned int h=2;
DSA *ret=NULL;
if (bits < 512) bits=512;
bits=(bits+63)/64*64;
if (seed_len < 20)
seed_in = NULL; /* seed buffer too small -- ignore */
if (seed_len > 20)
seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
* but our internal buffers are restricted to 160 bits*/
if ((seed_in != NULL) && (seed_len == 20))
memcpy(seed,seed_in,seed_len);
if ((ctx=BN_CTX_new()) == NULL) goto err;
if ((ctx2=BN_CTX_new()) == NULL) goto err;
if ((ctx3=BN_CTX_new()) == NULL) goto err;
if ((ret=DSA_new()) == NULL) goto err;
if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx2);
r0 = BN_CTX_get(ctx2);
g = BN_CTX_get(ctx2);
W = BN_CTX_get(ctx2);
q = BN_CTX_get(ctx2);
X = BN_CTX_get(ctx2);
c = BN_CTX_get(ctx2);
p = BN_CTX_get(ctx2);
test = BN_CTX_get(ctx2);
if (test == NULL) goto err;
if (!BN_lshift(test,BN_value_one(),bits-1)) goto err;
for (;;)
{
for (;;) /* find q */
{
int seed_is_random;
/* step 1 */
if (callback != NULL) callback(0,m++,cb_arg);
if (!seed_len)
{
RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
seed_is_random = 1;
}
else
{
seed_is_random = 0;
seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
}
memcpy(buf,seed,SHA_DIGEST_LENGTH);
memcpy(buf2,seed,SHA_DIGEST_LENGTH);
/* precompute "SEED + 1" for step 7: */
for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
{
buf[i]++;
if (buf[i] != 0) break;
}
/* step 2 */
EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL);
for (i=0; i<SHA_DIGEST_LENGTH; i++)
md[i]^=buf2[i];
/* step 3 */
md[0]|=0x80;
md[SHA_DIGEST_LENGTH-1]|=0x01;
if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
/* step 4 */
r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
if (r > 0)
break;
if (r != 0)
goto err;
/* do a callback call */
/* step 5 */
}
if (callback != NULL) callback(2,0,cb_arg);
if (callback != NULL) callback(3,0,cb_arg);
/* step 6 */
counter=0;
/* "offset = 2" */
n=(bits-1)/160;
b=(bits-1)-n*160;
for (;;)
{
if (callback != NULL && counter != 0)
callback(0,counter,cb_arg);
/* step 7 */
if (!BN_zero(W)) goto err;
/* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++)
{
/* obtain "SEED + offset + k" by incrementing: */
for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
{
buf[i]++;
if (buf[i] != 0) break;
}
EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
/* step 8 */
if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
goto err;
if (!BN_lshift(r0,r0,160*k)) goto err;
if (!BN_add(W,W,r0)) goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W,bits-1)) goto err;
if (!BN_copy(X,W)) goto err;
if (!BN_add(X,X,test)) goto err;
/* step 9 */
if (!BN_lshift1(r0,q)) goto err;
if (!BN_mod(c,X,r0,ctx)) goto err;
if (!BN_sub(r0,c,BN_value_one())) goto err;
if (!BN_sub(p,X,r0)) goto err;
/* step 10 */
if (BN_cmp(p,test) >= 0)
{
/* step 11 */
r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
if (r > 0)
goto end; /* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096) break;
}
}
end:
if (callback != NULL) callback(2,1,cb_arg);
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test,p,BN_value_one())) goto err;
if (!BN_div(r0,NULL,test,q,ctx)) goto err;
if (!BN_set_word(test,h)) goto err;
if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
for (;;)
{
/* g=test^r0%p */
if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
if (!BN_is_one(g)) break;
if (!BN_add(test,test,BN_value_one())) goto err;
h++;
}
if (callback != NULL) callback(3,1,cb_arg);
ok=1;
err:
if (!ok)
{
if (ret != NULL) DSA_free(ret);
}
else
{
ret->p=BN_dup(p);
ret->q=BN_dup(q);
ret->g=BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
{
ok=0;
goto err;
}
if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
if (counter_ret != NULL) *counter_ret=counter;
if (h_ret != NULL) *h_ret=h;
}
if (ctx != NULL) BN_CTX_free(ctx);
if (ctx2 != NULL)
{
BN_CTX_end(ctx2);
BN_CTX_free(ctx2);
}
if (ctx3 != NULL) BN_CTX_free(ctx3);
if (mont != NULL) BN_MONT_CTX_free(mont);
return(ok?ret:NULL);
}
int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
int do_trial_division, BN_GENCB *cb) {
int i, j, ret = -1;
int k;
BN_CTX *ctx = NULL;
BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
BN_MONT_CTX *mont = NULL;
const BIGNUM *A = NULL;
if (BN_cmp(a, BN_value_one()) <= 0) {
return 0;
}
if (checks == BN_prime_checks) {
checks = BN_prime_checks_for_size(BN_num_bits(a));
}
/* first look for small factors */
if (!BN_is_odd(a)) {
/* a is even => a is prime if and only if a == 2 */
return BN_is_word(a, 2);
}
if (do_trial_division) {
for (i = 1; i < NUMPRIMES; i++) {
if (BN_mod_word(a, primes[i]) == 0) {
return 0;
}
}
if (!BN_GENCB_call(cb, 1, -1)) {
goto err;
}
}
if (ctx_passed != NULL) {
ctx = ctx_passed;
} else if ((ctx = BN_CTX_new()) == NULL) {
goto err;
}
BN_CTX_start(ctx);
/* A := abs(a) */
if (a->neg) {
BIGNUM *t = BN_CTX_get(ctx);
if (t == NULL || !BN_copy(t, a)) {
goto err;
}
t->neg = 0;
A = t;
} else {
A = a;
}
A1 = BN_CTX_get(ctx);
A1_odd = BN_CTX_get(ctx);
check = BN_CTX_get(ctx);
if (check == NULL) {
goto err;
}
/* compute A1 := A - 1 */
if (!BN_copy(A1, A)) {
goto err;
}
if (!BN_sub_word(A1, 1)) {
goto err;
}
if (BN_is_zero(A1)) {
ret = 0;
goto err;
}
/* write A1 as A1_odd * 2^k */
k = 1;
while (!BN_is_bit_set(A1, k)) {
k++;
}
if (!BN_rshift(A1_odd, A1, k)) {
goto err;
}
/* Montgomery setup for computations mod A */
mont = BN_MONT_CTX_new();
if (mont == NULL) {
goto err;
}
if (!BN_MONT_CTX_set(mont, A, ctx)) {
goto err;
}
for (i = 0; i < checks; i++) {
if (!BN_pseudo_rand_range(check, A1)) {
goto err;
}
if (!BN_add_word(check, 1)) {
goto err;
}
/* now 1 <= check < A */
j = witness(check, A, A1, A1_odd, k, ctx, mont);
if (j == -1) {
goto err;
}
if (j) {
ret = 0;
goto err;
}
if (!BN_GENCB_call(cb, 1, i)) {
goto err;
}
}
ret = 1;
err:
if (ctx != NULL) {
BN_CTX_end(ctx);
if (ctx_passed == NULL) {
BN_CTX_free(ctx);
}
}
if (mont != NULL) {
BN_MONT_CTX_free(mont);
}
return ret;
}
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
int ok=0;
unsigned char seed[SHA256_DIGEST_LENGTH];
unsigned char md[SHA256_DIGEST_LENGTH];
unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
BIGNUM *r0,*W,*X,*c,*test;
BIGNUM *g=NULL,*q=NULL,*p=NULL;
BN_MONT_CTX *mont=NULL;
int i, k, n=0, m=0, qsize = qbits >> 3;
int counter=0;
int r=0;
BN_CTX *ctx=NULL;
unsigned int h=2;
if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
qsize != SHA256_DIGEST_LENGTH)
/* invalid q size */
return 0;
if (evpmd == NULL)
/* use SHA1 as default */
evpmd = EVP_sha1();
if (bits < 512)
bits = 512;
bits = (bits+63)/64*64;
/* NB: seed_len == 0 is special case: copy generated seed to
* seed_in if it is not NULL.
*/
if (seed_len && (seed_len < (size_t)qsize))
seed_in = NULL; /* seed buffer too small -- ignore */
if (seed_len > (size_t)qsize)
seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
* but our internal buffers are restricted to 160 bits*/
if (seed_in != NULL)
memcpy(seed, seed_in, seed_len);
if ((ctx=BN_CTX_new()) == NULL)
goto err;
if ((mont=BN_MONT_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
g = BN_CTX_get(ctx);
W = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
c = BN_CTX_get(ctx);
p = BN_CTX_get(ctx);
test = BN_CTX_get(ctx);
if (!BN_lshift(test,BN_value_one(),bits-1))
goto err;
for (;;)
{
for (;;) /* find q */
{
int seed_is_random;
/* step 1 */
if(!BN_GENCB_call(cb, 0, m++))
goto err;
if (!seed_len)
{
RAND_pseudo_bytes(seed, qsize);
seed_is_random = 1;
}
else
{
seed_is_random = 0;
seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
}
memcpy(buf , seed, qsize);
memcpy(buf2, seed, qsize);
/* precompute "SEED + 1" for step 7: */
for (i = qsize-1; i >= 0; i--)
{
buf[i]++;
if (buf[i] != 0)
break;
}
/* step 2 */
EVP_Digest(seed, qsize, md, NULL, evpmd, NULL);
EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL);
for (i = 0; i < qsize; i++)
md[i]^=buf2[i];
/* step 3 */
md[0] |= 0x80;
md[qsize-1] |= 0x01;
if (!BN_bin2bn(md, qsize, q))
goto err;
/* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_is_random, cb);
if (r > 0)
break;
if (r != 0)
goto err;
/* do a callback call */
/* step 5 */
}
if(!BN_GENCB_call(cb, 2, 0)) goto err;
if(!BN_GENCB_call(cb, 3, 0)) goto err;
/* step 6 */
counter=0;
/* "offset = 2" */
n=(bits-1)/160;
for (;;)
{
if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
goto err;
/* step 7 */
BN_zero(W);
/* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++)
{
/* obtain "SEED + offset + k" by incrementing: */
for (i = qsize-1; i >= 0; i--)
{
buf[i]++;
if (buf[i] != 0)
break;
}
EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
/* step 8 */
if (!BN_bin2bn(md, qsize, r0))
goto err;
if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
if (!BN_add(W,W,r0)) goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W,bits-1)) goto err;
if (!BN_copy(X,W)) goto err;
if (!BN_add(X,X,test)) goto err;
/* step 9 */
if (!BN_lshift1(r0,q)) goto err;
if (!BN_mod(c,X,r0,ctx)) goto err;
if (!BN_sub(r0,c,BN_value_one())) goto err;
if (!BN_sub(p,X,r0)) goto err;
/* step 10 */
if (BN_cmp(p,test) >= 0)
{
/* step 11 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
ctx, 1, cb);
if (r > 0)
goto end; /* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096) break;
}
}
end:
if(!BN_GENCB_call(cb, 2, 1))
goto err;
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test,p,BN_value_one())) goto err;
if (!BN_div(r0,NULL,test,q,ctx)) goto err;
if (!BN_set_word(test,h)) goto err;
if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
for (;;)
{
/* g=test^r0%p */
if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
if (!BN_is_one(g)) break;
if (!BN_add(test,test,BN_value_one())) goto err;
h++;
}
if(!BN_GENCB_call(cb, 3, 1))
goto err;
ok=1;
err:
if (ok)
{
if(ret->p) BN_free(ret->p);
if(ret->q) BN_free(ret->q);
if(ret->g) BN_free(ret->g);
ret->p=BN_dup(p);
ret->q=BN_dup(q);
ret->g=BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
{
ok=0;
goto err;
}
if (counter_ret != NULL) *counter_ret=counter;
if (h_ret != NULL) *h_ret=h;
}
if(ctx)
{
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (mont != NULL) BN_MONT_CTX_free(mont);
return ok;
}
int BN_enhanced_miller_rabin_primality_test(
enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
BN_CTX *ctx, BN_GENCB *cb) {
/* Enhanced Miller-Rabin is only valid on odd integers greater than 3. */
if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
return 0;
}
if (iterations == BN_prime_checks) {
iterations = BN_prime_checks_for_size(BN_num_bits(w));
}
int ret = 0;
BN_MONT_CTX *mont = NULL;
BN_CTX_start(ctx);
BIGNUM *w1 = BN_CTX_get(ctx);
if (w1 == NULL ||
!BN_copy(w1, w) ||
!BN_sub_word(w1, 1)) {
goto err;
}
/* Write w1 as m*2^a (Steps 1 and 2). */
int a = 0;
while (!BN_is_bit_set(w1, a)) {
a++;
}
BIGNUM *m = BN_CTX_get(ctx);
if (m == NULL ||
!BN_rshift(m, w1, a)) {
goto err;
}
BIGNUM *b = BN_CTX_get(ctx);
BIGNUM *g = BN_CTX_get(ctx);
BIGNUM *z = BN_CTX_get(ctx);
BIGNUM *x = BN_CTX_get(ctx);
BIGNUM *x1 = BN_CTX_get(ctx);
if (b == NULL ||
g == NULL ||
z == NULL ||
x == NULL ||
x1 == NULL) {
goto err;
}
/* Montgomery setup for computations mod A */
mont = BN_MONT_CTX_new();
if (mont == NULL ||
!BN_MONT_CTX_set(mont, w, ctx)) {
goto err;
}
/* The following loop performs in inner iteration of the Enhanced Miller-Rabin
* Primality test (Step 4). */
for (int i = 1; i <= iterations; i++) {
/* Step 4.1-4.2 */
if (!BN_rand_range_ex(b, 2, w1)) {
goto err;
}
/* Step 4.3-4.4 */
if (!BN_gcd(g, b, w, ctx)) {
goto err;
}
if (BN_cmp_word(g, 1) > 0) {
*out_result = bn_composite;
ret = 1;
goto err;
}
/* Step 4.5 */
if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
goto err;
}
/* Step 4.6 */
if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
goto loop;
}
/* Step 4.7 */
for (int j = 1; j < a; j++) {
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
}
if (BN_cmp(z, w1) == 0) {
goto loop;
}
if (BN_is_one(z)) {
goto composite;
}
}
/* Step 4.8-4.9 */
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
}
/* Step 4.10-4.11 */
if (!BN_is_one(z) && !BN_copy(x, z)) {
goto err;
}
composite:
/* Step 4.12-4.14 */
if (!BN_copy(x1, x) ||
!BN_sub_word(x1, 1) ||
!BN_gcd(g, x1, w, ctx)) {
goto err;
}
if (BN_cmp_word(g, 1) > 0) {
*out_result = bn_composite;
} else {
*out_result = bn_non_prime_power_composite;
}
ret = 1;
goto err;
loop:
/* Step 4.15 */
if (!BN_GENCB_call(cb, 1, i)) {
goto err;
}
}
*out_result = bn_probably_prime;
ret = 1;
err:
BN_MONT_CTX_free(mont);
BN_CTX_end(ctx);
return ret;
}
static int RSA_eay_public_encrypt(FIPS_RSA_SIZE_T flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
BIGNUM f,ret;
int i,j,k,num=0,r= -1;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
BN_init(&f);
BN_init(&ret);
if(FIPS_selftest_failed())
{
FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
goto err;
}
if ((ctx=BN_CTX_new()) == NULL) goto err;
num=BN_num_bytes(rsa->n);
if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
{
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
goto err;
}
switch (padding)
{
case RSA_PKCS1_PADDING:
i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
break;
#ifndef OPENSSL_NO_SHA
case RSA_PKCS1_OAEP_PADDING:
i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
break;
#endif
case RSA_SSLV23_PADDING:
i=RSA_padding_add_SSLv23(buf,num,from,flen);
break;
case RSA_NO_PADDING:
i=RSA_padding_add_none(buf,num,from,flen);
break;
default:
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
if (i <= 0) goto err;
if (BN_bin2bn(buf,num,&f) == NULL) goto err;
if (BN_ucmp(&f, rsa->n) >= 0)
{
/* usually the padding functions would catch this */
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
goto err;
}
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
BN_MONT_CTX* bn_mont_ctx;
if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
goto err;
if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
{
BN_MONT_CTX_free(bn_mont_ctx);
goto err;
}
if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
{
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
if (rsa->_method_mod_n == NULL)
{
rsa->_method_mod_n = bn_mont_ctx;
bn_mont_ctx = NULL;
}
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
}
if (bn_mont_ctx)
BN_MONT_CTX_free(bn_mont_ctx);
}
if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
rsa->_method_mod_n)) goto err;
/* put in leading 0 bytes if the number is less than the
* length of the modulus */
j=BN_num_bytes(&ret);
i=BN_bn2bin(&ret,&(to[num-j]));
for (k=0; k<(num-i); k++)
to[k]=0;
r=num;
err:
if (ctx != NULL) BN_CTX_free(ctx);
BN_clear_free(&f);
BN_clear_free(&ret);
if (buf != NULL)
{
OPENSSL_cleanse(buf,num);
OPENSSL_free(buf);
}
return(r);
}
int xDSA_paramgen(DSA *ret, int bits)
{
int ok=0;
unsigned char seed[SHA_DIGEST_LENGTH];
unsigned char md[SHA_DIGEST_LENGTH];
unsigned char buf[SHA_DIGEST_LENGTH], buf2[SHA_DIGEST_LENGTH];
BIGNUM *r0, *W, *X, *c, *test;
BIGNUM *g=NULL, *q=NULL, *p=NULL;
BN_MONT_CTX *mont=NULL;
int k, n=0, i, b;
int counter=0;
int r=0;
BN_CTX *ctx=NULL;
unsigned int h=2;
if (bits < 512)
bits=512;
bits=(bits+63)/64*64;
if ((ctx=BN_CTX_new()) == NULL)
goto err;
if ((mont=BN_MONT_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
g = BN_CTX_get(ctx);
W = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
c = BN_CTX_get(ctx);
p = BN_CTX_get(ctx);
test = BN_CTX_get(ctx);
if (!BN_lshift(test, BN_value_one(), bits-1))
goto err;
for (;;) {
for (;;) /* find q */
{
int seed_is_random;
/* step 1 */
xRAND_bytes(seed, SHA_DIGEST_LENGTH);
seed_is_random = 1;
memcpy(buf, seed, SHA_DIGEST_LENGTH);
memcpy(buf2, seed, SHA_DIGEST_LENGTH);
/* precompute "SEED + 1" for step 7: */
for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) {
buf[i]++;
if (buf[i] != 0)
break;
}
/* step 2 */
EVP_Digest(seed, SHA_DIGEST_LENGTH, md, NULL, HASH, NULL);
EVP_Digest(buf, SHA_DIGEST_LENGTH, buf2, NULL, HASH, NULL);
for (i=0; i<SHA_DIGEST_LENGTH; i++)
md[i]^=buf2[i];
/* step 3 */
md[0]|=0x80;
md[SHA_DIGEST_LENGTH-1]|=0x01;
if (!BN_bin2bn(md, SHA_DIGEST_LENGTH, q))
goto err;
/* step 4 */
r = xBN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_is_random);
if (r > 0)
break;
if (r != 0)
goto err;
/* do a callback call */
/* step 5 */
}
/* step 6 */
counter=0;
/* "offset = 2" */
n=(bits-1)/160;
b=(bits-1)-n*160;
for (;;) {
/* step 7 */
BN_zero(W);
/* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++) {
/* obtain "SEED + offset + k" by incrementing: */
for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) {
buf[i]++;
if (buf[i] != 0)
break;
}
EVP_Digest(buf, SHA_DIGEST_LENGTH, md, NULL, HASH, NULL);
/* step 8 */
if (!BN_bin2bn(md, SHA_DIGEST_LENGTH, r0))
goto err;
if (!BN_lshift(r0, r0, 160*k))
goto err;
if (!BN_add(W, W, r0))
goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W, bits-1))
goto err;
if (!BN_copy(X, W))
goto err;
if (!BN_add(X, X, test))
goto err;
/* step 9 */
if (!BN_lshift1(r0, q))
goto err;
if (!BN_mod(c,X,r0,ctx))
goto err;
if (!BN_sub(r0, c, BN_value_one()))
goto err;
if (!BN_sub(p, X, r0))
goto err;
/* step 10 */
if (BN_cmp(p, test) >= 0) {
/* step 11 */
r = xBN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1);
if (r > 0)
goto end;
/* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096)
break;
}
}
end:
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test, p, BN_value_one()))
goto err;
if (!BN_div(r0, NULL, test, q, ctx))
goto err;
if (!BN_set_word(test, h))
goto err;
if (!BN_MONT_CTX_set(mont, p, ctx))
goto err;
for (;;) {
/* g=test^r0%p */
if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont))
goto err;
if (!BN_is_one(g))
break;
if (!BN_add(test, test, BN_value_one()))
goto err;
h++;
}
ok=1;
err:
if (ok) {
if (ret->p)
BN_free(ret->p);
if (ret->q)
BN_free(ret->q);
if (ret->g)
BN_free(ret->g);
ret->p=BN_dup(p);
ret->q=BN_dup(q);
ret->g=BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
ok=0;
goto err;
}
}
if (ctx) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (mont != NULL)
BN_MONT_CTX_free(mont);
return ok;
}
int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
{
if (dest->meth->group_copy == 0) {
ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (dest->meth != src->meth) {
ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
if (dest == src)
return 1;
/* Copy precomputed */
dest->pre_comp_type = src->pre_comp_type;
switch (src->pre_comp_type) {
default:
dest->pre_comp.ec = NULL;
break;
#ifdef ECP_NISTZ256_REFERENCE_IMPLEMENTATION
case PCT_nistz256:
dest->pre_comp.nistz256 = EC_nistz256_pre_comp_dup(src->pre_comp.nistz256);
break;
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
case PCT_nistp224:
dest->pre_comp.nistp224 = EC_nistp224_pre_comp_dup(src->pre_comp.nistp224);
break;
case PCT_nistp256:
dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256);
break;
case PCT_nistp521:
dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521);
break;
#endif
case PCT_ec:
dest->pre_comp.ec = EC_ec_pre_comp_dup(src->pre_comp.ec);
break;
}
if (src->mont_data != NULL) {
if (dest->mont_data == NULL) {
dest->mont_data = BN_MONT_CTX_new();
if (dest->mont_data == NULL)
return 0;
}
if (!BN_MONT_CTX_copy(dest->mont_data, src->mont_data))
return 0;
} else {
/* src->generator == NULL */
BN_MONT_CTX_free(dest->mont_data);
dest->mont_data = NULL;
}
if (src->generator != NULL) {
if (dest->generator == NULL) {
dest->generator = EC_POINT_new(dest);
if (dest->generator == NULL)
return 0;
}
if (!EC_POINT_copy(dest->generator, src->generator))
return 0;
} else {
/* src->generator == NULL */
EC_POINT_clear_free(dest->generator);
dest->generator = NULL;
}
if ((src->meth->flags & EC_FLAGS_CUSTOM_CURVE) == 0) {
if (!BN_copy(dest->order, src->order))
return 0;
if (!BN_copy(dest->cofactor, src->cofactor))
return 0;
}
dest->curve_name = src->curve_name;
dest->asn1_flag = src->asn1_flag;
dest->asn1_form = src->asn1_form;
if (src->seed) {
OPENSSL_free(dest->seed);
dest->seed = OPENSSL_malloc(src->seed_len);
if (dest->seed == NULL)
return 0;
if (!memcpy(dest->seed, src->seed, src->seed_len))
return 0;
dest->seed_len = src->seed_len;
} else {
OPENSSL_free(dest->seed);
dest->seed = NULL;
dest->seed_len = 0;
}
return dest->meth->group_copy(dest, src);
}
/*
* Refer to FIPS 186-4 C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test.
* OR C.3.1 Miller-Rabin Probabilistic Primality Test (if enhanced is zero).
* The Step numbers listed in the code refer to the enhanced case.
*
* if enhanced is set, then status returns one of the following:
* BN_PRIMETEST_PROBABLY_PRIME
* BN_PRIMETEST_COMPOSITE_WITH_FACTOR
* BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME
* if enhanced is zero, then status returns either
* BN_PRIMETEST_PROBABLY_PRIME or
* BN_PRIMETEST_COMPOSITE
*
* returns 0 if there was an error, otherwise it returns 1.
*/
int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
BN_GENCB *cb, int enhanced, int *status)
{
int i, j, a, ret = 0;
BIGNUM *g, *w1, *w3, *x, *m, *z, *b;
BN_MONT_CTX *mont = NULL;
/* w must be odd */
if (!BN_is_odd(w))
return 0;
BN_CTX_start(ctx);
g = BN_CTX_get(ctx);
w1 = BN_CTX_get(ctx);
w3 = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
z = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
if (!(b != NULL
/* w1 := w - 1 */
&& BN_copy(w1, w)
&& BN_sub_word(w1, 1)
/* w3 := w - 3 */
&& BN_copy(w3, w)
&& BN_sub_word(w3, 3)))
goto err;
/* check w is larger than 3, otherwise the random b will be too small */
if (BN_is_zero(w3) || BN_is_negative(w3))
goto err;
/* (Step 1) Calculate largest integer 'a' such that 2^a divides w-1 */
a = 1;
while (!BN_is_bit_set(w1, a))
a++;
/* (Step 2) m = (w-1) / 2^a */
if (!BN_rshift(m, w1, a))
goto err;
/* Montgomery setup for computations mod a */
mont = BN_MONT_CTX_new();
if (mont == NULL || !BN_MONT_CTX_set(mont, w, ctx))
goto err;
if (iterations == BN_prime_checks)
iterations = BN_prime_checks_for_size(BN_num_bits(w));
/* (Step 4) */
for (i = 0; i < iterations; ++i) {
/* (Step 4.1) obtain a Random string of bits b where 1 < b < w-1 */
if (!BN_priv_rand_range(b, w3) || !BN_add_word(b, 2)) /* 1 < b < w-1 */
goto err;
if (enhanced) {
/* (Step 4.3) */
if (!BN_gcd(g, b, w, ctx))
goto err;
/* (Step 4.4) */
if (!BN_is_one(g)) {
*status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR;
ret = 1;
goto err;
}
}
/* (Step 4.5) z = b^m mod w */
if (!BN_mod_exp_mont(z, b, m, w, ctx, mont))
goto err;
/* (Step 4.6) if (z = 1 or z = w-1) */
if (BN_is_one(z) || BN_cmp(z, w1) == 0)
goto outer_loop;
/* (Step 4.7) for j = 1 to a-1 */
for (j = 1; j < a ; ++j) {
/* (Step 4.7.1 - 4.7.2) x = z. z = x^2 mod w */
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx))
goto err;
/* (Step 4.7.3) */
if (BN_cmp(z, w1) == 0)
goto outer_loop;
/* (Step 4.7.4) */
if (BN_is_one(z))
goto composite;
}
/* At this point z = b^((w-1)/2) mod w */
/* (Steps 4.8 - 4.9) x = z, z = x^2 mod w */
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx))
goto err;
/* (Step 4.10) */
if (BN_is_one(z))
goto composite;
/* (Step 4.11) x = b^(w-1) mod w */
if (!BN_copy(x, z))
goto err;
composite:
if (enhanced) {
/* (Step 4.1.2) g = GCD(x-1, w) */
if (!BN_sub_word(x, 1) || !BN_gcd(g, x, w, ctx))
goto err;
/* (Steps 4.1.3 - 4.1.4) */
if (BN_is_one(g))
*status = BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME;
else
*status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR;
} else {
*status = BN_PRIMETEST_COMPOSITE;
}
ret = 1;
goto err;
outer_loop: ;
/* (Step 4.1.5) */
if (!BN_GENCB_call(cb, 1, i))
goto err;
}
/* (Step 5) */
*status = BN_PRIMETEST_PROBABLY_PRIME;
ret = 1;
err:
BN_clear(g);
BN_clear(w1);
BN_clear(w3);
BN_clear(x);
BN_clear(m);
BN_clear(z);
BN_clear(b);
BN_CTX_end(ctx);
BN_MONT_CTX_free(mont);
return ret;
}
int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p,
const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
BN_CTX *new_ctx = NULL;
BN_MONT_CTX *mont = NULL;
BIGNUM *one = NULL;
int ret = 0;
if (group->mont != NULL) {
BN_MONT_CTX_free(group->mont);
group->mont = NULL;
}
if (group->one != NULL) {
BN_free(group->one);
group->one = NULL;
}
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
}
mont = BN_MONT_CTX_new();
if (mont == NULL) {
goto err;
}
if (!BN_MONT_CTX_set(mont, p, ctx)) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_group_set_curve, ERR_R_BN_LIB);
goto err;
}
one = BN_new();
if (one == NULL || !BN_to_montgomery(one, BN_value_one(), mont, ctx)) {
goto err;
}
group->mont = mont;
mont = NULL;
group->one = one;
one = NULL;
ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
if (!ret) {
BN_MONT_CTX_free(group->mont);
group->mont = NULL;
BN_free(group->one);
group->one = NULL;
}
err:
if (new_ctx != NULL) {
BN_CTX_free(new_ctx);
}
if (mont != NULL) {
BN_MONT_CTX_free(mont);
}
if (one != NULL) {
BN_free(one);
}
return ret;
}
static int dsa_builtin_paramgen(DSA *ret, int bits,
unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
int ok=0;
unsigned char seed[SHA_DIGEST_LENGTH];
unsigned char md[SHA_DIGEST_LENGTH];
unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
BIGNUM *r0,*W,*X,*c,*test;
BIGNUM *g=NULL,*q=NULL,*p=NULL;
BN_MONT_CTX *mont=NULL;
int k,n=0,i,b,m=0;
int counter=0;
int r=0;
BN_CTX *ctx=NULL;
unsigned int h=2;
if(FIPS_selftest_failed())
{
FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
FIPS_R_FIPS_SELFTEST_FAILED);
goto err;
}
if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
{
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (bits < 512) bits=512;
bits=(bits+63)/64*64;
/* NB: seed_len == 0 is special case: copy generated seed to
* seed_in if it is not NULL.
*/
if (seed_len && (seed_len < 20))
seed_in = NULL; /* seed buffer too small -- ignore */
if (seed_len > 20)
seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
* but our internal buffers are restricted to 160 bits*/
if ((seed_in != NULL) && (seed_len == 20))
{
memcpy(seed,seed_in,seed_len);
/* set seed_in to NULL to avoid it being copied back */
seed_in = NULL;
}
if ((ctx=BN_CTX_new()) == NULL) goto err;
if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
g = BN_CTX_get(ctx);
W = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
c = BN_CTX_get(ctx);
p = BN_CTX_get(ctx);
test = BN_CTX_get(ctx);
if (!BN_lshift(test,BN_value_one(),bits-1))
goto err;
for (;;)
{
for (;;) /* find q */
{
int seed_is_random;
/* step 1 */
if(!BN_GENCB_call(cb, 0, m++))
goto err;
if (!seed_len)
{
RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
seed_is_random = 1;
}
else
{
seed_is_random = 0;
seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
}
memcpy(buf,seed,SHA_DIGEST_LENGTH);
memcpy(buf2,seed,SHA_DIGEST_LENGTH);
/* precompute "SEED + 1" for step 7: */
for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
{
buf[i]++;
if (buf[i] != 0) break;
}
/* step 2 */
EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL);
for (i=0; i<SHA_DIGEST_LENGTH; i++)
md[i]^=buf2[i];
/* step 3 */
md[0]|=0x80;
md[SHA_DIGEST_LENGTH-1]|=0x01;
if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
/* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_is_random, cb);
if (r > 0)
break;
if (r != 0)
goto err;
/* do a callback call */
/* step 5 */
}
if(!BN_GENCB_call(cb, 2, 0)) goto err;
if(!BN_GENCB_call(cb, 3, 0)) goto err;
/* step 6 */
counter=0;
/* "offset = 2" */
n=(bits-1)/160;
b=(bits-1)-n*160;
for (;;)
{
if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
goto err;
/* step 7 */
BN_zero(W);
/* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++)
{
/* obtain "SEED + offset + k" by incrementing: */
for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
{
buf[i]++;
if (buf[i] != 0) break;
}
EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
/* step 8 */
if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
goto err;
if (!BN_lshift(r0,r0,160*k)) goto err;
if (!BN_add(W,W,r0)) goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W,bits-1)) goto err;
if (!BN_copy(X,W)) goto err;
if (!BN_add(X,X,test)) goto err;
/* step 9 */
if (!BN_lshift1(r0,q)) goto err;
if (!BN_mod(c,X,r0,ctx)) goto err;
if (!BN_sub(r0,c,BN_value_one())) goto err;
if (!BN_sub(p,X,r0)) goto err;
/* step 10 */
if (BN_cmp(p,test) >= 0)
{
/* step 11 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
ctx, 1, cb);
if (r > 0)
goto end; /* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096) break;
}
}
end:
if(!BN_GENCB_call(cb, 2, 1))
goto err;
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test,p,BN_value_one())) goto err;
if (!BN_div(r0,NULL,test,q,ctx)) goto err;
if (!BN_set_word(test,h)) goto err;
if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
for (;;)
{
/* g=test^r0%p */
if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
if (!BN_is_one(g)) break;
if (!BN_add(test,test,BN_value_one())) goto err;
h++;
}
if(!BN_GENCB_call(cb, 3, 1))
goto err;
ok=1;
err:
if (ok)
{
if(ret->p) BN_free(ret->p);
if(ret->q) BN_free(ret->q);
if(ret->g) BN_free(ret->g);
ret->p=BN_dup(p);
ret->q=BN_dup(q);
ret->g=BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
{
ok=0;
goto err;
}
if (seed_in != NULL) memcpy(seed_in,seed,20);
if (counter_ret != NULL) *counter_ret=counter;
if (h_ret != NULL) *h_ret=h;
}
if(ctx)
{
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (mont != NULL) BN_MONT_CTX_free(mont);
return ok;
}
int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
{
EC_EXTRA_DATA *d;
if (dest->meth->group_copy == 0) {
ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (dest->meth != src->meth) {
ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
if (dest == src)
return 1;
EC_EX_DATA_free_all_data(&dest->extra_data);
for (d = src->extra_data; d != NULL; d = d->next) {
void *t = d->dup_func(d->data);
if (t == NULL)
return 0;
if (!EC_EX_DATA_set_data
(&dest->extra_data, t, d->dup_func, d->free_func,
d->clear_free_func))
return 0;
}
if (EC_GROUP_VERSION(src) && src->mont_data != NULL) {
if (dest->mont_data == NULL) {
dest->mont_data = BN_MONT_CTX_new();
if (dest->mont_data == NULL)
return 0;
}
if (!BN_MONT_CTX_copy(dest->mont_data, src->mont_data))
return 0;
} else {
/* src->generator == NULL */
if (EC_GROUP_VERSION(dest) && dest->mont_data != NULL) {
BN_MONT_CTX_free(dest->mont_data);
dest->mont_data = NULL;
}
}
if (src->generator != NULL) {
if (dest->generator == NULL) {
dest->generator = EC_POINT_new(dest);
if (dest->generator == NULL)
return 0;
}
if (!EC_POINT_copy(dest->generator, src->generator))
return 0;
} else {
/* src->generator == NULL */
if (dest->generator != NULL) {
EC_POINT_clear_free(dest->generator);
dest->generator = NULL;
}
}
if (!BN_copy(&dest->order, &src->order))
return 0;
if (!BN_copy(&dest->cofactor, &src->cofactor))
return 0;
dest->curve_name = src->curve_name;
dest->asn1_flag = src->asn1_flag;
dest->asn1_form = src->asn1_form;
if (src->seed) {
if (dest->seed)
OPENSSL_free(dest->seed);
dest->seed = OPENSSL_malloc(src->seed_len);
if (dest->seed == NULL)
return 0;
if (!memcpy(dest->seed, src->seed, src->seed_len))
return 0;
dest->seed_len = src->seed_len;
} else {
if (dest->seed)
OPENSSL_free(dest->seed);
dest->seed = NULL;
dest->seed_len = 0;
}
return dest->meth->group_copy(dest, src);
}
static int dsa_finish(DSA *dsa)
{
if(dsa->method_mont_p)
BN_MONT_CTX_free(dsa->method_mont_p);
return(1);
}
static int dh_finish(DH *dh)
{
if(dh->method_mont_p)
BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
return(1);
}
int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
unsigned char *seed_out,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
int ok=-1;
unsigned char *seed = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
int mdsize;
BIGNUM *r0,*W,*X,*c,*test;
BIGNUM *g=NULL,*q=NULL,*p=NULL;
BN_MONT_CTX *mont=NULL;
int i, k, n=0, m=0, qsize = N >> 3;
int counter=0;
int r=0;
BN_CTX *ctx=NULL;
unsigned int h=2;
#ifdef OPENSSL_FIPS
if(FIPS_selftest_failed())
{
FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2,
FIPS_R_FIPS_SELFTEST_FAILED);
goto err;
}
if (!fips_check_dsa_prng(ret, L, N))
goto err;
#endif
if (evpmd == NULL)
{
if (N == 160)
evpmd = EVP_sha1();
else if (N == 224)
evpmd = EVP_sha224();
else
evpmd = EVP_sha256();
}
mdsize = M_EVP_MD_size(evpmd);
if (seed_len == 0)
seed_len = mdsize;
seed = OPENSSL_malloc(seed_len);
if (!seed)
goto err;
if (seed_in)
memcpy(seed, seed_in, seed_len);
if ((ctx=BN_CTX_new()) == NULL)
goto err;
if ((mont=BN_MONT_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
g = BN_CTX_get(ctx);
W = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
c = BN_CTX_get(ctx);
p = BN_CTX_get(ctx);
test = BN_CTX_get(ctx);
if (!BN_lshift(test,BN_value_one(),L-1))
goto err;
for (;;)
{
for (;;) /* find q */
{
unsigned char *pmd;
/* step 1 */
if(!BN_GENCB_call(cb, 0, m++))
goto err;
if (!seed_in)
{
if (RAND_pseudo_bytes(seed, seed_len) < 0)
goto err;
}
/* step 2 */
if (!EVP_Digest(seed, seed_len, md, NULL, evpmd, NULL))
goto err;
/* Take least significant bits of md */
if (mdsize > qsize)
pmd = md + mdsize - qsize;
else
pmd = md;
if (mdsize < qsize)
memset(md + mdsize, 0, qsize - mdsize);
/* step 3 */
pmd[0] |= 0x80;
pmd[qsize-1] |= 0x01;
if (!BN_bin2bn(pmd, qsize, q))
goto err;
/* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_in ? 1 : 0, cb);
if (r > 0)
break;
if (r != 0)
goto err;
/* Provided seed didn't produce a prime: error */
if (seed_in)
{
ok = 0;
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
goto err;
}
/* do a callback call */
/* step 5 */
}
/* Copy seed to seed_out before we mess with it */
if (seed_out)
memcpy(seed_out, seed, seed_len);
if(!BN_GENCB_call(cb, 2, 0)) goto err;
if(!BN_GENCB_call(cb, 3, 0)) goto err;
/* step 6 */
counter=0;
/* "offset = 1" */
n=(L-1)/(mdsize << 3);
for (;;)
{
if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
goto err;
/* step 7 */
BN_zero(W);
/* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++)
{
/* obtain "SEED + offset + k" by incrementing: */
for (i = seed_len-1; i >= 0; i--)
{
seed[i]++;
if (seed[i] != 0)
break;
}
if (!EVP_Digest(seed, seed_len, md ,NULL, evpmd,
NULL))
goto err;
/* step 8 */
if (!BN_bin2bn(md, mdsize, r0))
goto err;
if (!BN_lshift(r0,r0,(mdsize << 3)*k)) goto err;
if (!BN_add(W,W,r0)) goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W,L-1)) goto err;
if (!BN_copy(X,W)) goto err;
if (!BN_add(X,X,test)) goto err;
/* step 9 */
if (!BN_lshift1(r0,q)) goto err;
if (!BN_mod(c,X,r0,ctx)) goto err;
if (!BN_sub(r0,c,BN_value_one())) goto err;
if (!BN_sub(p,X,r0)) goto err;
/* step 10 */
if (BN_cmp(p,test) >= 0)
{
/* step 11 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
ctx, 1, cb);
if (r > 0)
goto end; /* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096) break;
}
}
end:
if(!BN_GENCB_call(cb, 2, 1))
goto err;
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test,p,BN_value_one())) goto err;
if (!BN_div(r0,NULL,test,q,ctx)) goto err;
if (!BN_set_word(test,h)) goto err;
if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
for (;;)
{
/* g=test^r0%p */
if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
if (!BN_is_one(g)) break;
if (!BN_add(test,test,BN_value_one())) goto err;
h++;
}
if(!BN_GENCB_call(cb, 3, 1))
goto err;
ok=1;
err:
if (ok == 1)
{
if(ret->p) BN_free(ret->p);
if(ret->q) BN_free(ret->q);
if(ret->g) BN_free(ret->g);
ret->p=BN_dup(p);
ret->q=BN_dup(q);
ret->g=BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
{
ok=-1;
goto err;
}
if (counter_ret != NULL) *counter_ret=counter;
if (h_ret != NULL) *h_ret=h;
}
if (seed)
OPENSSL_free(seed);
if(ctx)
{
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (mont != NULL) BN_MONT_CTX_free(mont);
return ok;
}
int BN_is_prime_fasttest(const BIGNUM *a, int checks,
void (*callback)(int,int,void *),
BN_CTX *ctx_passed, void *cb_arg,
int do_trial_division)
{
int i, j, ret = -1;
int k;
BN_CTX *ctx = NULL;
BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
BN_MONT_CTX *mont = NULL;
const BIGNUM *A = NULL;
if (BN_cmp(a, BN_value_one()) <= 0)
return 0;
if (checks == BN_prime_checks)
checks = BN_prime_checks_for_size(BN_num_bits(a));
/* first look for small factors */
if (!BN_is_odd(a))
return 0;
if (do_trial_division)
{
for (i = 1; i < NUMPRIMES; i++)
if (BN_mod_word(a, primes[i]) == 0)
return 0;
if (callback != NULL) callback(1, -1, cb_arg);
}
if (ctx_passed != NULL)
ctx = ctx_passed;
else
if ((ctx=BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
/* A := abs(a) */
if (a->neg)
{
BIGNUM *t;
if ((t = BN_CTX_get(ctx)) == NULL) goto err;
BN_copy(t, a);
t->neg = 0;
A = t;
}
else
A = a;
A1 = BN_CTX_get(ctx);
A1_odd = BN_CTX_get(ctx);
check = BN_CTX_get(ctx);
if (check == NULL) goto err;
/* compute A1 := A - 1 */
if (!BN_copy(A1, A))
goto err;
if (!BN_sub_word(A1, 1))
goto err;
if (BN_is_zero(A1))
{
ret = 0;
goto err;
}
/* write A1 as A1_odd * 2^k */
k = 1;
while (!BN_is_bit_set(A1, k))
k++;
if (!BN_rshift(A1_odd, A1, k))
goto err;
/* Montgomery setup for computations mod A */
mont = BN_MONT_CTX_new();
if (mont == NULL)
goto err;
if (!BN_MONT_CTX_set(mont, A, ctx))
goto err;
for (i = 0; i < checks; i++)
{
if (!BN_pseudo_rand_range(check, A1))
goto err;
if (!BN_add_word(check, 1))
goto err;
/* now 1 <= check < A */
j = witness(check, A, A1, A1_odd, k, ctx, mont);
if (j == -1) goto err;
if (j)
{
ret=0;
goto err;
}
if (callback != NULL) callback(1,i,cb_arg);
}
ret=1;
err:
if (ctx != NULL)
{
BN_CTX_end(ctx);
if (ctx_passed == NULL)
BN_CTX_free(ctx);
}
if (mont != NULL)
BN_MONT_CTX_free(mont);
return(ret);
}
int test_mont(BIO *bp, BN_CTX *ctx)
{
BIGNUM a,b,c,d,A,B;
BIGNUM n;
int i;
BN_MONT_CTX *mont;
BN_init(&a);
BN_init(&b);
BN_init(&c);
BN_init(&d);
BN_init(&A);
BN_init(&B);
BN_init(&n);
mont=BN_MONT_CTX_new();
BN_bntest_rand(&a,100,0,0); /**/
BN_bntest_rand(&b,100,0,0); /**/
for (i=0; i<num2; i++)
{
int bits = (200*(i+1))/num2;
if (bits == 0)
continue;
BN_bntest_rand(&n,bits,0,1);
BN_MONT_CTX_set(mont,&n,ctx);
BN_nnmod(&a,&a,&n,ctx);
BN_nnmod(&b,&b,&n,ctx);
BN_to_montgomery(&A,&a,mont,ctx);
BN_to_montgomery(&B,&b,mont,ctx);
BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
BN_from_montgomery(&A,&c,mont,ctx);/**/
if (bp != NULL)
{
if (!results)
{
#ifdef undef
fprintf(stderr,"%d * %d %% %d\n",
BN_num_bits(&a),
BN_num_bits(&b),
BN_num_bits(mont->N));
#endif
BN_print(bp,&a);
BIO_puts(bp," * ");
BN_print(bp,&b);
BIO_puts(bp," % ");
BN_print(bp,&(mont->N));
BIO_puts(bp," - ");
}
BN_print(bp,&A);
BIO_puts(bp,"\n");
}
BN_mod_mul(&d,&a,&b,&n,ctx);
BN_sub(&d,&d,&A);
if(!BN_is_zero(&d))
{
fprintf(stderr,"Montgomery multiplication test failed!\n");
return 0;
}
}
BN_MONT_CTX_free(mont);
BN_free(&a);
BN_free(&b);
BN_free(&c);
BN_free(&d);
BN_free(&A);
BN_free(&B);
BN_free(&n);
return(1);
}
static int
dh_finish(DH *dh)
{
BN_MONT_CTX_free(dh->method_mont_p);
return 1;
}
int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
int i,j,k,bits,bits1,bits2,ret=0,wstart,wend,window,xvalue,yvalue;
int start=1,ts=0,x,y;
BIGNUM *d,*aa1,*aa2,*r;
BIGNUM val[EXP2_TABLE_SIZE][EXP2_TABLE_SIZE];
BN_MONT_CTX *mont=NULL;
bn_check_top(a1);
bn_check_top(p1);
bn_check_top(a2);
bn_check_top(p2);
bn_check_top(m);
if (!(m->d[0] & 1))
{
BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
return(0);
}
bits1=BN_num_bits(p1);
bits2=BN_num_bits(p2);
if ((bits1 == 0) && (bits2 == 0))
{
BN_one(rr);
return(1);
}
BN_CTX_start(ctx);
d = BN_CTX_get(ctx);
r = BN_CTX_get(ctx);
if (d == NULL || r == NULL) goto err;
bits=(bits1 > bits2)?bits1:bits2;
/* If this is not done, things will break in the montgomery
* part */
if (in_mont != NULL)
mont=in_mont;
else
{
if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
}
BN_init(&(val[0][0]));
BN_init(&(val[1][1]));
BN_init(&(val[0][1]));
BN_init(&(val[1][0]));
ts=1;
if (BN_ucmp(a1,m) >= 0)
{
BN_mod(&(val[1][0]),a1,m,ctx);
aa1= &(val[1][0]);
}
else
aa1=a1;
if (BN_ucmp(a2,m) >= 0)
{
BN_mod(&(val[0][1]),a2,m,ctx);
aa2= &(val[0][1]);
}
else
aa2=a2;
if (!BN_to_montgomery(&(val[1][0]),aa1,mont,ctx)) goto err;
if (!BN_to_montgomery(&(val[0][1]),aa2,mont,ctx)) goto err;
if (!BN_mod_mul_montgomery(&(val[1][1]),
&(val[1][0]),&(val[0][1]),mont,ctx))
goto err;
#if 0
if (bits <= 20) /* This is probably 3 or 0x10001, so just do singles */
window=1;
else if (bits > 250)
window=5; /* max size of window */
else if (bits >= 120)
window=4;
else
window=3;
#else
window=EXP2_TABLE_BITS;
#endif
k=1<<window;
for (x=0; x<k; x++)
{
if (x >= 2)
{
BN_init(&(val[x][0]));
BN_init(&(val[x][1]));
if (!BN_mod_mul_montgomery(&(val[x][0]),
&(val[1][0]),&(val[x-1][0]),mont,ctx)) goto err;
if (!BN_mod_mul_montgomery(&(val[x][1]),
&(val[1][0]),&(val[x-1][1]),mont,ctx)) goto err;
}
for (y=2; y<k; y++)
{
BN_init(&(val[x][y]));
if (!BN_mod_mul_montgomery(&(val[x][y]),
&(val[x][y-1]),&(val[0][1]),mont,ctx))
goto err;
}
}
ts=k;
start=1; /* This is used to avoid multiplication etc
* when there is only the value '1' in the
* buffer. */
xvalue=0; /* The 'x value' of the window */
yvalue=0; /* The 'y value' of the window */
wstart=bits-1; /* The top bit of the window */
wend=0; /* The bottom bit of the window */
if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
for (;;)
{
xvalue=BN_is_bit_set(p1,wstart);
yvalue=BN_is_bit_set(p2,wstart);
if (!(xvalue || yvalue))
{
if (!start)
{
if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
goto err;
}
wstart--;
if (wstart < 0) break;
continue;
}
/* We now have wstart on a 'set' bit, we now need to work out
* how bit a window to do. To do this we need to scan
* forward until the last set bit before the end of the
* window */
j=wstart;
/* xvalue=BN_is_bit_set(p1,wstart); already set */
/* yvalue=BN_is_bit_set(p1,wstart); already set */
wend=0;
for (i=1; i<window; i++)
{
if (wstart-i < 0) break;
xvalue+=xvalue;
xvalue|=BN_is_bit_set(p1,wstart-i);
yvalue+=yvalue;
yvalue|=BN_is_bit_set(p2,wstart-i);
}
/* i is the size of the current window */
/* add the 'bytes above' */
if (!start)
for (j=0; j<i; j++)
{
if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
goto err;
}
/* wvalue will be an odd number < 2^window */
if (xvalue || yvalue)
{
if (!BN_mod_mul_montgomery(r,r,&(val[xvalue][yvalue]),
mont,ctx)) goto err;
}
/* move the 'window' down further */
wstart-=i;
start=0;
if (wstart < 0) break;
}
BN_from_montgomery(rr,r,mont,ctx);
ret=1;
err:
if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
BN_CTX_end(ctx);
for (i=0; i<ts; i++)
{
for (j=0; j<ts; j++)
{
BN_clear_free(&(val[i][j]));
}
}
return(ret);
}