diff options
author | Ulf Möller <ulf@openssl.org> | 2000-01-27 19:31:26 +0000 |
---|---|---|
committer | Ulf Möller <ulf@openssl.org> | 2000-01-27 19:31:26 +0000 |
commit | 38e33cef15e7965ad9fd9db4b08fb2f5dc1bc573 (patch) | |
tree | 27216af3df8adcdc381475ca7011f43fcf34e7fe | |
parent | 0c23524963064a3bf8206b28c97f88e157d29fa7 (diff) |
Document DSA and SHA.
New function BN_pseudo_rand().
Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when
generating DSA primes (why not use BN_is_prime()?)
32 files changed, 855 insertions, 65 deletions
@@ -2,7 +2,14 @@ OpenSSL CHANGES _______________ - Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + Changes between 0.9.4 and 0.9.5 [xx XXX 2000] + + *) Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when + generating DSA primes. + [Ulf Möller] + + *) New function BN_pseudo_rand(). + [Ulf Möller] *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) bignum version of BN_from_montgomery() with the working code from diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 9c92d76b41..aade57988c 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -286,6 +286,25 @@ typedef struct bn_recp_ctx_st #define BN_prime_checks 0 /* default: select number of iterations based on the size of the number */ + +/* number of Miller-Rabin iterations for an error rate of less than 2^-80 + * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook + * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; + * original paper: Damgaard, Landrock, Pomerance: Average case error estimates + * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */ +#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \ + (b) >= 850 ? 3 : \ + (b) >= 650 ? 4 : \ + (b) >= 550 ? 5 : \ + (b) >= 450 ? 6 : \ + (b) >= 400 ? 7 : \ + (b) >= 350 ? 8 : \ + (b) >= 300 ? 9 : \ + (b) >= 250 ? 12 : \ + (b) >= 200 ? 15 : \ + (b) >= 150 ? 18 : \ + /* b >= 100 */ 27) + #define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) #define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) #define BN_is_zero(a) (((a)->top == 0) || BN_is_word(a,0)) diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index e22851ddf4..84f0699b9b 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -68,24 +68,6 @@ */ #include "bn_prime.h" -/* number of Miller-Rabin iterations for an error rate of less than 2^-80 - * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook - * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error estimates - * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */ -#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \ - (b) >= 850 ? 3 : \ - (b) >= 650 ? 4 : \ - (b) >= 550 ? 5 : \ - (b) >= 450 ? 6 : \ - (b) >= 400 ? 7 : \ - (b) >= 350 ? 8 : \ - (b) >= 300 ? 9 : \ - (b) >= 250 ? 12 : \ - (b) >= 200 ? 15 : \ - (b) >= 150 ? 18 : \ - /* b >= 100 */ 27) - static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx,BN_CTX *ctx2, BN_MONT_CTX *mont); static int probable_prime(BIGNUM *rnd, int bits); @@ -203,7 +185,7 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), for (i=0; i<checks; i++) { - if (!BN_rand(check,BN_num_bits(a)-1,0,0)) goto err; + if (!BN_pseudo_rand(check,BN_num_bits(a)-1,0,0)) goto err; j=witness(check,a,ctx,ctx2,mont); if (j == -1) goto err; if (j) diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index b567b43a6f..dd6f6c9e44 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -62,7 +62,7 @@ #include "bn_lcl.h" #include <openssl/rand.h> -int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) +static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) { unsigned char *buf=NULL; int ret=0,bit,bytes,mask; @@ -83,8 +83,17 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) time(&tim); RAND_add(&tim,sizeof(tim),0); - if (RAND_bytes(buf,(int)bytes) <= 0) - goto err; + if (pseudorand) + { + if (RAND_pseudo_bytes(buf, bytes) == -1) + goto err; + } + else + { + if (RAND_bytes(buf, bytes) <= 0) + goto err; + } + if (top) { if (bit == 0) @@ -116,3 +125,12 @@ err: return(ret); } +int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) + { + return bnrand(1, rnd, bits, top, bottom); + } + +int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) + { + return bnrand(0, rnd, bits, top, bottom); + } diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h index a68d3f6681..3da104b6dd 100644 --- a/crypto/dsa/dsa.h +++ b/crypto/dsa/dsa.h @@ -182,7 +182,7 @@ DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length); DSA * DSA_generate_parameters(int bits, unsigned char *seed,int seed_len, int *counter_ret, unsigned long *h_ret,void - (*callback)(),char *cb_arg); + (*callback)(),void *cb_arg); int DSA_generate_key(DSA *a); int i2d_DSAPublicKey(DSA *a, unsigned char **pp); int i2d_DSAPrivateKey(DSA *a, unsigned char **pp); @@ -197,7 +197,7 @@ int DSAparams_print_fp(FILE *fp, DSA *x); int DSA_print_fp(FILE *bp, DSA *x, int off); #endif -int DSA_is_prime(BIGNUM *q,void (*callback)(),char *cb_arg); +int DSA_is_prime(BIGNUM *q,void (*callback)(),void *cb_arg); #ifndef NO_DH /* Convert DSA structure (key or just parameters) into DH structure diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 57435a9be2..5df9132dd8 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -75,7 +75,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, void (*callback)(), - char *cb_arg) + void *cb_arg) { int ok=0; unsigned char seed[SHA_DIGEST_LENGTH]; @@ -93,6 +93,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (bits < 512) bits=512; bits=(bits+63)/64*64; + if (seed_len < 20) seed_in = NULL; if ((seed_in != NULL) && (seed_len == 20)) memcpy(seed,seed_in,seed_len); @@ -142,10 +143,10 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, /* step 3 */ md[0]|=0x80; md[SHA_DIGEST_LENGTH-1]|=0x01; - if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort(); + if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err; /* step 4 */ - if (DSA_is_prime(q,callback,cb_arg) > 0) break; + if (BN_is_prime(q,BN_prime_checks,callback,NULL,cb_arg) > 0) break; /* do a callback call */ /* step 5 */ } @@ -174,7 +175,8 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, HASH(buf,SHA_DIGEST_LENGTH,md); /* step 8 */ - if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort(); + if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) + goto err; BN_lshift(r0,r0,160*k); BN_add(W,W,r0); } @@ -194,7 +196,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (BN_cmp(p,test) >= 0) { /* step 11 */ - if (DSA_is_prime(p,callback,cb_arg) > 0) + if (BN_is_prime(p,BN_prime_checks,callback,NULL,cb_arg) > 0) goto end; } @@ -210,7 +212,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, end: if (callback != NULL) callback(2,1,cb_arg); - /* We now need to gernerate g */ + /* We now need to generate g */ /* Set r0=(p-1)/q */ BN_sub(test,p,BN_value_one()); BN_div(r0,NULL,test,q,ctx); @@ -250,7 +252,7 @@ err: return(ok?ret:NULL); } -int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg) +int DSA_is_prime(BIGNUM *w, void (*callback)(), void *cb_arg) { int ok= -1,j,i,n; BN_CTX *ctx=NULL,*ctx2=NULL; @@ -258,7 +260,7 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg) int a; BN_MONT_CTX *mont=NULL; - if (!BN_is_bit_set(w,0)) return(0); + if (!BN_is_odd(w)) return(0); if ((ctx=BN_CTX_new()) == NULL) goto err; if ((ctx2=BN_CTX_new()) == NULL) goto err; @@ -272,7 +274,7 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg) mont_1= &(ctx2->bn[7]); /* step 1 */ - n=50; + n=BN_prime_checks_size(BN_num_bits(w)); /* step 2 */ if (!BN_sub(w_1,w,BN_value_one())) goto err; @@ -286,7 +288,8 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg) for (i=1; i < n; i++) { /* step 3 */ - BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0); + if (!BN_pseudo_rand(b,BN_num_bits(w)-2/*-1*/,0,0)) + goto err; /* BN_set_word(b,0x10001L); */ /* step 4 */ diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c index 220f71c260..a30dae6b72 100644 --- a/crypto/dsa/dsatest.c +++ b/crypto/dsa/dsatest.c @@ -141,7 +141,7 @@ int main(int argc, char **argv) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); BIO_printf(bio_err,"test generation of DSA parameters\n"); - BIO_printf(bio_err,"expect '.*' followed by 5 lines of '.'s and '+'s\n"); + BIO_printf(bio_err,"expect '.*' followed by 3 lines of '.'s and '+'s\n"); dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb, (char *)bio_err); diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c index 141daf0846..dc008124e2 100644 --- a/crypto/sha/sha1dgst.c +++ b/crypto/sha/sha1dgst.c @@ -65,6 +65,8 @@ char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT; +/* The implementation is in ../md32_common.h */ + #include "sha_locl.h" #endif diff --git a/crypto/sha/sha_dgst.c b/crypto/sha/sha_dgst.c index 81bce0c150..1aade357d1 100644 --- a/crypto/sha/sha_dgst.c +++ b/crypto/sha/sha_dgst.c @@ -65,6 +65,8 @@ char *SHA_version="SHA" OPENSSL_VERSION_PTEXT; +/* The implementation is in ../md32_common.h */ + #include "sha_locl.h" #endif diff --git a/doc/crypto/BN_mod_mul_montgomery.pod b/doc/crypto/BN_mod_mul_montgomery.pod index dacd83fc39..825a29f979 100644 --- a/doc/crypto/BN_mod_mul_montgomery.pod +++ b/doc/crypto/BN_mod_mul_montgomery.pod @@ -30,7 +30,7 @@ BN_from_montgomery, BN_to_montgomery - Montgomery multiplication These functions implement Montgomery multiplication. They are used automatically when BN_mod_exp(3) is called with suitable input, -but they may be useful when several operations are to be perfomed +but they may be useful when several operations are to be performed using the same modulus. BN_MONT_CTX_new() allocates and initializes a B<BN_MONT_CTX> structure. diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index 0f692684d2..47991b1abc 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod @@ -2,7 +2,7 @@ =head1 NAME -BN_rand - Generate pseudo-random number +BN_rand, BN_rand_pseudo - Generate pseudo-random number =head1 SYNOPSIS @@ -10,6 +10,8 @@ BN_rand - Generate pseudo-random number int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -18,11 +20,16 @@ two most significant bits of the number will be set to 1, so that the product of two such random numbers will always have 2*B<bits> length. If B<bottom> is true, the number will be odd. +BN_pseudo_rand() does the same, but pseudo-random numbers generated by +this function are not necessarily unpredictable. They can be used for +non-cryptographic purposes and for certain purposes in cryptographic +protocols, but usually not for key generation etc. + The PRNG must be seeded prior to calling BN_rand(). =head1 RETURN VALUES -BN_rand() returns 1 on success, 0 on error. +BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO @@ -33,5 +40,6 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)> =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. +BN_pseudo_rand() was added in OpenSSL 0.9.5. =cut diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod index 137b3873f9..8102e536f3 100644 --- a/doc/crypto/DH_generate_parameters.pod +++ b/doc/crypto/DH_generate_parameters.pod @@ -52,6 +52,11 @@ suitable prime. The parameters generated by DH_generate_parameters() are not to be used in signature schemes. +=head1 BUGS + +If B<generator> is not 2 or 5, B<dh-E<gt>g>=B<generator> is not +a usable generator. + =head1 SEE ALSO L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)> diff --git a/doc/crypto/DH_get_ex_new_index.pod b/doc/crypto/DH_get_ex_new_index.pod index d52181e83f..4604859f08 100644 --- a/doc/crypto/DH_get_ex_new_index.pod +++ b/doc/crypto/DH_get_ex_new_index.pod @@ -2,33 +2,35 @@ =head1 NAME -DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - ... +DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures =head1 SYNOPSIS #include <openssl/dh.h> - int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(), - int (*dup_func)(), void (*free_func)()); + int DH_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); - int DH_set_ex_data(DH *d, int idx, char *arg); + int DH_set_ex_data(DH *d, int idx, void *arg); char *DH_get_ex_data(DH *d, int idx); =head1 DESCRIPTION -... - -=head1 RETURN VALUES - -... +These functions handle application specific data in DH +structures. Their usage is identical to that of +RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() +as described in L<RSA_get_ex_new_index(3)>. =head1 SEE ALSO -... +L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)> =head1 HISTORY -... +RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() are +available since OpenSSL 0.9.5. =cut diff --git a/doc/crypto/DH_new.pod b/doc/crypto/DH_new.pod index 9116b9f0df..64624b9d15 100644 --- a/doc/crypto/DH_new.pod +++ b/doc/crypto/DH_new.pod @@ -10,7 +10,7 @@ DH_new, DH_free - allocate and free DH objects DH* DH_new(void); - void DH_free(DH *rsa); + void DH_free(DH *dh); =head1 DESCRIPTION diff --git a/doc/crypto/DSA_SIG_new.pod b/doc/crypto/DSA_SIG_new.pod new file mode 100644 index 0000000000..671655554a --- /dev/null +++ b/doc/crypto/DSA_SIG_new.pod @@ -0,0 +1,39 @@ +=pod + +=head1 NAME + +DSA_SIG_new, DSA_SIG_free - allocate and free DSA signature objects + +=head1 SYNOPSIS + + #include <openssl/dsa.h> + + DSA_SIG *DSA_SIG_new(void); + + void DSA_SIG_free(DSA_SIG *a); + +=head1 DESCRIPTION + +DSA_SIG_new() allocates and initializes a B<DSA_SIG> structure. + +DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The +values are erased before the memory is returned to the system. + +=head1 RETURN VALUES + +If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an +error code that can be obtained by +L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer +to the newly allocated structure. + +DSA_SIG_free() returns no value. + +=head1 SEE ALSO + +L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)> + +=head1 HISTORY + +DSA_SIG_new() and DSA_SIG_free() were added in OpenSSL 0.9.3. + +=cut diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod new file mode 100644 index 0000000000..9dcf73de16 --- /dev/null +++ b/doc/crypto/DSA_do_sign.pod @@ -0,0 +1,46 @@ +=pod + +=head1 NAME + +DSA_do_sign, DSA_do_verify - Raw DSA signature operations + +=head1 SYNOPSIS + + #include <openssl/dsa.h> + + DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); + + int DSA_do_verify(const unsigned char *dgst, int dgst_len, + DSA_SIG *sig, DSA *dsa); + +=head1 DESCRIPTION + +DSA_do_sign() computes a digital signature on the B<len> byte message +digest B<dgst> using the private key B<dsa> and returns it in a +newly allocated B<DSA_SIG> structure. + +L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part +of the signing operation in case signature generation is +time-critical. + +DSA_do_verify() verifies that the signature B<sig> matches a given +message digest B<dgst> of size B<len>. B<dsa> is the signer's public +key. + +=head1 RETURN VALUES + +DSA_do_sign() returns the signature, NULL on error. DSA_do_verify() +returns 1 for a valid signature, 0 for an incorrect signature and -1 +on error. The error codes can be obtained by +L<ERR_get_error(3)|ERR_get_error(3)>. + +=head1 SEE ALSO + +L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_SIG_new(3)|DSA_SIG_new(3)>, +L<DSA_sign(3)|DSA_sign(3)> + +=head1 HISTORY + +DSA_do_sign() and DSA_do_verify() were added in OpenSSL 0.9.3. + +=cut diff --git a/doc/crypto/DSA_dup_DH.pod b/doc/crypto/DSA_dup_DH.pod new file mode 100644 index 0000000000..0c15094b56 --- /dev/null +++ b/doc/crypto/DSA_dup_DH.pod @@ -0,0 +1,32 @@ +=pod + +=head1 NAME + +DSA_dup_DH - Create a DH structure out of DSA structure + +=head1 SYNOPSIS + + #include <openssl/dsa.h> + + DH * DSA_dup_DH(DSA *r); + +=head1 DESCRIPTION + +DSA_dup_DH() duplicates DSA parameters/keys as DH parameters/keys. q +is lost during that conversion, but the resulting DH parameters +contain its length. + +=head1 RETURN VALUE + +DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The +error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. + +=head1 SEE ALSO + +L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)> + +=head1 HISTORY + +DSA_dup_DH() was added in OpenSSL 0.9.4. + +=cut diff --git a/doc/crypto/DSA_generate_key.pod b/doc/crypto/DSA_generate_key.pod new file mode 100644 index 0000000000..e253501ef2 --- /dev/null +++ b/doc/crypto/DSA_generate_key.pod @@ -0,0 +1,33 @@ +=pod + +=head1 NAME + +DSA_generate_key - Generate DSA key pair + +=head1 SYNOPSIS + + #include <openssl/dsa.h> + + int DSA_generate_key(DSA *a); + +=head1 DESCRIPTION + +DSA_generate_key() expects B<a> to contain DSA parameters. It generates +a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>. + +The PRNG must be seeded prior to calling DSA_generate_key(). + +=head1 RETURN VALUE + +DSA_generate_key() returns 1 on success, 0 otherwise. +The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. + +=head1 SEE ALSO + +L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)> + +=head1 HISTORY + +DSA_generate_key() is available since SSLeay 0.8. + +=cut diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod new file mode 100644 index 0000000000..1058c5eb44 --- /dev/null +++ b/doc/crypto/DSA_generate_parameters.pod @@ -0,0 +1,94 @@ +=pod + +=head1 NAME + +DSA_generate_parameters - Generate DSA parameters + +=head1 SYNOPSIS + + #include <openssl/dsa.h> + + DSA * DSA_generate_parameters(int bits, unsigned char *seed, + int seed_len, int *counter_ret, unsigned long *h_ret, + void (*callback)(), void *cb_arg); + +=head1 DESCRIPTION + +DSA_generate_parameters() generates primes p and q and a generator g +for use in the DSA. + +B<bits> is the length of the prime to be generated; the DSS allows a +maximum of 1024 bits. + +If B<seed> is NULL or B<seed_len> E<lt> 20, the primes will be +generated at random. Otherwise, the seed is used to generate +them. If the given seed does not yield a prime q, a new random +seed is chosen and placed at B<seed>. + +DSA_generate_parameters() places the iteration count in +*B<counter_ret> and a counter used for finding a generator in +*B<h_ret>, unless these are NULL. + +A callback function may be used to provide feedback about the progress +of the key generation. If B<callback> is not B<NULL>, it will be +called as follows: + +=over 4 + +=item * + +When the the m-th candidate for q is generated, B<callback(0, m, +cb_arg)> is called. + +=item * + +B<callback(1, j++, cb_arg)> is called in the inner loop of the +Miller-Rabin primality test. + +=item * + +When a prime q has been found, B<callback(2, 0, cb_arg)> and +B<callback(3, 0, cb_arg)> are called. + +=item * + +While candidates for p are being tested, B<callback(1, j++, cb_arg)> +is called in the inner loop of the Miller-Rabin primality test, then +B<callback(0, counter, cb_arg)> is called when the next candidate +is chosen. + +=item * + +When p has been found, B<callback(2, 1, cb_arg)> is called. + +=item * + +When the generator has been found, B<callback(3, 1, cb_arg)> is called. + +=back + +=head1 RETURN VALUE + +DSA_generate_parameters() returns a pointer to the DSA structure, or +NULL if the parameter generation fails. The error codes can be +obtained by L<ERR_get_error(3)|ERR_get_error(3)>. + +=head1 BUGS + +The deterministic generation of p does not follow the NIST algorithm: +r0 is SHA1(s+k+1), but should be SHA1(s+j+k) with j_0=2, +j_counter=j_counter-1 + n + 1. + +Seed lengths E<gt> 20 are not supported. + +=head1 SEE ALSO + +L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, +L<DSA_free(3)|DSA_free(3)> + +=head1 HISTORY + +DSA_generate_parameters() appeared in SSLeay 0.8. The B<cb_arg> +argument was added in SSLeay 0.9.0. + +=cut diff --git a/doc/crypto/DSA_get_ex_new_index.pod b/doc/crypto/DSA_get_ex_new_index.pod new file mode 100644 index 0000000000..0854567633 --- /dev/null +++ b/doc/crypto/DSA_get_ex_new_index.pod @@ -0,0 +1,36 @@ +=pod + +=head1 NAME + +DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures + +=head1 SYNOPSIS + + #include <openssl/DSA.h> + + int DSA_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int DSA_set_ex_data(DSA *d, int idx, void *arg); + + char *DSA_get_ex_data(DSA *d, int idx); + +=head1 DESCRIPTION + +These functions handle application specific data in DSA +structures. Their usage is identical to that of +RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() +as described in L<RSA_get_ex_new_index(3)>. + +=head1 SEE ALSO + +L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dsa(3)|dsa(3)> + +=head1 HISTORY + +DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are +available since OpenSSL 0.9.5. + +=cut diff --git a/doc/crypto/DSA_new.pod b/doc/crypto/DSA_new.pod new file mode 100644 index 0000000000..7dde54445b --- /dev/null +++ b/doc/crypto/DSA_new.pod @@ -0,0 +1,41 @@ +=pod + +=head1 NAME + +DSA_new, DSA_free - allocate and free DSA objects + +=head1 SYNOPSIS + + #include <openssl/dsa.h> + + DSA* DSA_new(void); + + void DSA_free(DSA *dsa); + +=head1 DESCRIPTION + +DSA_new() allocates and initializes a B<DSA> structure. + +DSA_free() frees the B<DSA> structure and its components. The values are +erased before the memory is returned to the system. + +=head1 RETURN VALUES + +If the allocation fails, DSA_new() returns B<NULL> and sets an error +code that can be obtained by +L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer +to the newly allocated structure. + +DSA_free() returns no value. + +=h |