Google Git
Sign in
boringssl / boringssl / c7a3c46574e7fc32357b2cc68f961c56c72b0ca4 / . / crypto / dh_extra / params.c
blob: 6023ab125987c38698957dcd2790700b004e2248 [file] [log] [blame]
/* ====================================================================
* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../fipsmodule/bn/internal.h"
BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret) {
static const BN_ULONG kPrime1536Data[] = {
TOBN(0xffffffff, 0xffffffff), TOBN(0xf1746c08, 0xca237327),
TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),
TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),
TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),
TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),
TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),
TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),
TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),
TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),
TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),
TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),
TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),
};
static const BIGNUM kPrime1536BN = STATIC_BIGNUM(kPrime1536Data);
BIGNUM *alloc = NULL;
if (ret == NULL) {
alloc = BN_new();
if (alloc == NULL) {
return NULL;
}
ret = alloc;
}
if (!BN_copy(ret, &kPrime1536BN)) {
BN_free(alloc);
return NULL;
}
return ret;
}
int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator,
BN_GENCB *cb) {
// We generate DH parameters as follows
// find a prime q which is prime_bits/2 bits long.
// p=(2*q)+1 or (p-1)/2 = q
// For this case, g is a generator if
// g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
// Since the factors of p-1 are q and 2, we just need to check
// g^2 mod p != 1 and g^q mod p != 1.
//
// Having said all that,
// there is another special case method for the generators 2, 3 and 5.
// for 2, p mod 24 == 11
// for 3, p mod 12 == 5 <<<<< does not work for safe primes.
// for 5, p mod 10 == 3 or 7
//
// Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
// special generators and for answering some of my questions.
//
// I've implemented the second simple method :-).
// Since DH should be using a safe prime (both p and q are prime),
// this generator function can take a very very long time to run.
// Actually there is no reason to insist that 'generator' be a generator.
// It's just as OK (and in some sense better) to use a generator of the
// order-q subgroup.
BIGNUM *t1, *t2;
int g, ok = 0;
BN_CTX *ctx = NULL;
ctx = BN_CTX_new();
if (ctx == NULL) {
goto err;
}
BN_CTX_start(ctx);
t1 = BN_CTX_get(ctx);
t2 = BN_CTX_get(ctx);
if (t1 == NULL || t2 == NULL) {
goto err;
}
// Make sure |dh| has the necessary elements
if (dh->p == NULL) {
dh->p = BN_new();
if (dh->p == NULL) {
goto err;
}
}
if (dh->g == NULL) {
dh->g = BN_new();
if (dh->g == NULL) {
goto err;
}
}
if (generator <= 1) {
OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
goto err;
}
if (generator == DH_GENERATOR_2) {
if (!BN_set_word(t1, 24)) {
goto err;
}
if (!BN_set_word(t2, 11)) {
goto err;
}
g = 2;
} else if (generator == DH_GENERATOR_5) {
if (!BN_set_word(t1, 10)) {
goto err;
}
if (!BN_set_word(t2, 3)) {
goto err;
}
// BN_set_word(t3,7); just have to miss
// out on these ones :-(
g = 5;
} else {
// in the general case, don't worry if 'generator' is a
// generator or not: since we are using safe primes,
// it will generate either an order-q or an order-2q group,
// which both is OK
if (!BN_set_word(t1, 2)) {
goto err;
}
if (!BN_set_word(t2, 1)) {
goto err;
}
g = generator;
}
if (!BN_generate_prime_ex(dh->p, prime_bits, 1, t1, t2, cb)) {
goto err;
}
if (!BN_GENCB_call(cb, 3, 0)) {
goto err;
}
if (!BN_set_word(dh->g, g)) {
goto err;
}
ok = 1;
err:
if (!ok) {
OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
}
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
return ok;
}
static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) {
BIGNUM *a = NULL;
if (src) {
a = BN_dup(src);
if (!a) {
return 0;
}
}
BN_free(*dst);
*dst = a;
return 1;
}
static int int_dh_param_copy(DH *to, const DH *from, int is_x942) {
if (is_x942 == -1) {
is_x942 = !!from->q;
}
if (!int_dh_bn_cpy(&to->p, from->p) ||
!int_dh_bn_cpy(&to->g, from->g)) {
return 0;
}
if (!is_x942) {
return 1;
}
if (!int_dh_bn_cpy(&to->q, from->q) ||
!int_dh_bn_cpy(&to->j, from->j)) {
return 0;
}
OPENSSL_free(to->seed);
to->seed = NULL;
to->seedlen = 0;
if (from->seed) {
to->seed = OPENSSL_memdup(from->seed, from->seedlen);
if (!to->seed) {
return 0;
}
to->seedlen = from->seedlen;
}
return 1;
}
DH *DHparams_dup(const DH *dh) {
DH *ret = DH_new();
if (!ret) {
return NULL;
}
if (!int_dh_param_copy(ret, dh, -1)) {
DH_free(ret);
return NULL;
}
return ret;
}