bn_x931p.c 6.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272
  1. /* bn_x931p.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project 2005.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. *
  53. * This product includes cryptographic software written by Eric Young
  54. * (eay@cryptsoft.com). This product includes software written by Tim
  55. * Hudson (tjh@cryptsoft.com).
  56. *
  57. */
  58. #include <stdio.h>
  59. #include <openssl/bn.h>
  60. /* X9.31 routines for prime derivation */
  61. /* X9.31 prime derivation. This is used to generate the primes pi
  62. * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
  63. * integers.
  64. */
  65. static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
  66. BN_GENCB *cb)
  67. {
  68. int i = 0;
  69. if (!BN_copy(pi, Xpi))
  70. return 0;
  71. if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
  72. return 0;
  73. for(;;)
  74. {
  75. i++;
  76. BN_GENCB_call(cb, 0, i);
  77. /* NB 27 MR is specificed in X9.31 */
  78. if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
  79. break;
  80. if (!BN_add_word(pi, 2))
  81. return 0;
  82. }
  83. BN_GENCB_call(cb, 2, i);
  84. return 1;
  85. }
  86. /* This is the main X9.31 prime derivation function. From parameters
  87. * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
  88. * not NULL they will be returned too: this is needed for testing.
  89. */
  90. int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
  91. const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
  92. const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb)
  93. {
  94. int ret = 0;
  95. BIGNUM *t, *p1p2, *pm1;
  96. /* Only even e supported */
  97. if (!BN_is_odd(e))
  98. return 0;
  99. BN_CTX_start(ctx);
  100. if (!p1)
  101. p1 = BN_CTX_get(ctx);
  102. if (!p2)
  103. p2 = BN_CTX_get(ctx);
  104. t = BN_CTX_get(ctx);
  105. p1p2 = BN_CTX_get(ctx);
  106. pm1 = BN_CTX_get(ctx);
  107. if (!bn_x931_derive_pi(p1, Xp1, ctx, cb))
  108. goto err;
  109. if (!bn_x931_derive_pi(p2, Xp2, ctx, cb))
  110. goto err;
  111. if (!BN_mul(p1p2, p1, p2, ctx))
  112. goto err;
  113. /* First set p to value of Rp */
  114. if (!BN_mod_inverse(p, p2, p1, ctx))
  115. goto err;
  116. if (!BN_mul(p, p, p2, ctx))
  117. goto err;
  118. if (!BN_mod_inverse(t, p1, p2, ctx))
  119. goto err;
  120. if (!BN_mul(t, t, p1, ctx))
  121. goto err;
  122. if (!BN_sub(p, p, t))
  123. goto err;
  124. if (p->neg && !BN_add(p, p, p1p2))
  125. goto err;
  126. /* p now equals Rp */
  127. if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
  128. goto err;
  129. if (!BN_add(p, p, Xp))
  130. goto err;
  131. /* p now equals Yp0 */
  132. for (;;)
  133. {
  134. int i = 1;
  135. BN_GENCB_call(cb, 0, i++);
  136. if (!BN_copy(pm1, p))
  137. goto err;
  138. if (!BN_sub_word(pm1, 1))
  139. goto err;
  140. if (!BN_gcd(t, pm1, e, ctx))
  141. goto err;
  142. if (BN_is_one(t)
  143. /* X9.31 specifies 8 MR and 1 Lucas test or any prime test
  144. * offering similar or better guarantees 50 MR is considerably
  145. * better.
  146. */
  147. && BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb))
  148. break;
  149. if (!BN_add(p, p, p1p2))
  150. goto err;
  151. }
  152. BN_GENCB_call(cb, 3, 0);
  153. ret = 1;
  154. err:
  155. BN_CTX_end(ctx);
  156. return ret;
  157. }
  158. /* Generate pair of paramters Xp, Xq for X9.31 prime generation.
  159. * Note: nbits paramter is sum of number of bits in both.
  160. */
  161. int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
  162. {
  163. BIGNUM *t;
  164. int i;
  165. /* Number of bits for each prime is of the form
  166. * 512+128s for s = 0, 1, ...
  167. */
  168. if ((nbits < 1024) || (nbits & 0xff))
  169. return 0;
  170. nbits >>= 1;
  171. /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and
  172. * 2^nbits - 1. By setting the top two bits we ensure that the lower
  173. * bound is exceeded.
  174. */
  175. if (!BN_rand(Xp, nbits, 1, 0))
  176. return 0;
  177. BN_CTX_start(ctx);
  178. t = BN_CTX_get(ctx);
  179. for (i = 0; i < 1000; i++)
  180. {
  181. if (!BN_rand(Xq, nbits, 1, 0))
  182. return 0;
  183. /* Check that |Xp - Xq| > 2^(nbits - 100) */
  184. BN_sub(t, Xp, Xq);
  185. if (BN_num_bits(t) > (nbits - 100))
  186. break;
  187. }
  188. BN_CTX_end(ctx);
  189. if (i < 1000)
  190. return 1;
  191. return 0;
  192. }
  193. /* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1
  194. * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL
  195. * the relevant parameter will be stored in it.
  196. *
  197. * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq
  198. * are generated using the previous function and supplied as input.
  199. */
  200. int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
  201. BIGNUM *Xp1, BIGNUM *Xp2,
  202. const BIGNUM *Xp,
  203. const BIGNUM *e, BN_CTX *ctx,
  204. BN_GENCB *cb)
  205. {
  206. int ret = 0;
  207. BN_CTX_start(ctx);
  208. if (!Xp1)
  209. Xp1 = BN_CTX_get(ctx);
  210. if (!Xp2)
  211. Xp2 = BN_CTX_get(ctx);
  212. if (!BN_rand(Xp1, 101, 0, 0))
  213. goto error;
  214. if (!BN_rand(Xp2, 101, 0, 0))
  215. goto error;
  216. if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
  217. goto error;
  218. ret = 1;
  219. error:
  220. BN_CTX_end(ctx);
  221. return ret;
  222. }