author | Ulf Möller <ulf@openssl.org> | 2000-01-27 19:31:26 +0000 |
---|---|---|
committer | Ulf Möller <ulf@openssl.org> | 2000-01-27 19:31:26 +0000 |
commit | 38e33cef15e7965ad9fd9db4b08fb2f5dc1bc573 (patch) | |
tree | 27216af3df8adcdc381475ca7011f43fcf34e7fe /crypto | |
parent | 0c23524963064a3bf8206b28c97f88e157d29fa7 (diff) |
Document DSA and SHA.
New function BN_pseudo_rand().
Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when
generating DSA primes (why not use BN_is_prime()?)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/bn/bn.h | 19 | ||||
-rw-r--r-- | crypto/bn/bn_prime.c | 20 | ||||
-rw-r--r-- | crypto/bn/bn_rand.c | 24 | ||||
-rw-r--r-- | crypto/dsa/dsa.h | 4 | ||||
-rw-r--r-- | crypto/dsa/dsa_gen.c | 23 | ||||
-rw-r--r-- | crypto/dsa/dsatest.c | 2 | ||||
-rw-r--r-- | crypto/sha/sha1dgst.c | 2 | ||||
-rw-r--r-- | crypto/sha/sha_dgst.c | 2 |
8 files changed, 61 insertions, 35 deletions
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 9c92d76b41..aade57988c 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -286,6 +286,25 @@ typedef struct bn_recp_ctx_st
 #define BN_prime_checks 0 /* default: select number of iterations based on the size of the number */
+
+/* number of Miller-Rabin iterations for an error rate of less than 2^-80
+ * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
+ * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
+ * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \
+	(b) >= 850 ? 3 : \
+	(b) >= 650 ? 4 : \
+	(b) >= 550 ? 5 : \
+	(b) >= 450 ? 6 : \
+	(b) >= 400 ? 7 : \
+	(b) >= 350 ? 8 : \
+	(b) >= 300 ? 9 : \
+	(b) >= 250 ? 12 : \
+	(b) >= 200 ? 15 : \
+	(b) >= 150 ? 18 : \
+	/* b >= 100 */ 27)
+
 #define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
 #define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
 #define BN_is_zero(a) (((a)->top == 0) || BN_is_word(a,0))
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index e22851ddf4..84f0699b9b 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
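Review bot: The comment above BN_prime_checks_size should state the assumption the table rests on, not only cite it: the 2^-80 figure is the average-case bound of Damgaard–Landrock–Pomerance for a candidate drawn uniformly at random, and a reader who only sees `BN_prime_checks` will take it as a worst-case error rate. I would add `/* NB: average-case bound for a uniformly random candidate; not a worst-case guarantee for a number supplied by another party */` under the citation, since BN_is_prime is a public entry point and its callers presumably do not all generate the candidate themselves. The macro also evaluates `b` up to twelve times, so `n=BN_prime_checks_size(BN_num_bits(w))` in dsa_gen.c calls BN_num_bits once per comparison; either document that the argument must be a side-effect-free expression or hoist the bit count into a local at the call sites.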
@@ -68,24 +68,6 @@
  */
 #include "bn_prime.h"
-/* number of Miller-Rabin iterations for an error rate of less than 2^-80
- * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
- * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
- * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
- * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
-#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \
-	(b) >= 850 ? 3 : \
-	(b) >= 650 ? 4 : \
-	(b) >= 550 ? 5 : \
-	(b) >= 450 ? 6 : \
-	(b) >= 400 ? 7 : \
-	(b) >= 350 ? 8 : \
-	(b) >= 300 ? 9 : \
-	(b) >= 250 ? 12 : \
-	(b) >= 200 ? 15 : \
-	(b) >= 150 ? 18 : \
-	/* b >= 100 */ 27)
-
 static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx,BN_CTX *ctx2, BN_MONT_CTX *mont);
 static int probable_prime(BIGNUM *rnd, int bits);
@@ -203,7 +185,7 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *),
 	for (i=0; i<checks; i++)
 		{
-		if (!BN_rand(check,BN_num_bits(a)-1,0,0)) goto err;
+		if (!BN_pseudo_rand(check,BN_num_bits(a)-1,0,0)) goto err;
 		j=witness(check,a,ctx,ctx2,mont);
 		if (j == -1) goto err;
 		if (j)
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index b567b43a6f..dd6f6c9e44 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -62,7 +62,7 @@
 #include "bn_lcl.h"
 #include <openssl/rand.h>
-int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 	{
 	unsigned char *buf=NULL;
 	int ret=0,bit,bytes,mask;
@@ -83,8 +83,17 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
 	time(&tim);
 	RAND_add(&tim,sizeof(tim),0);
-	if (RAND_bytes(buf,(int)bytes) <= 0)
-		goto err;
+	if (pseudorand)
+		{
+		if (RAND_pseudo_bytes(buf, bytes) == -1)
+			goto err;
+		}
+	else
+		{
+		if (RAND_bytes(buf, bytes) <= 0)
+			goto err;
+		}
+
 	if (top)
 		{
 		if (bit == 0)
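Review bot: The switch to BN_pseudo_rand for the witness base in BN_is_prime is not explained at the call site, and it changes the failure semantics: the new bnrand in bn_rand.c treats only -1 from RAND_pseudo_bytes as an error, so a base drawn from a PRNG that reports itself as not cryptographically strong is used without complaint. For a candidate the caller generated at random that is presumably acceptable, but it is the kind of decision a later reader needs spelled out; a comment such as `/* witness bases come from RAND_pseudo_bytes; a "not strong" PRNG result is accepted here (see bnrand) */` on the BN_pseudo_rand line would record it. The enclosing for loop of BN_is_prime continues outside the hunk.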
@@ -116,3 +125,12 @@ err:
 	return(ret);
 	}
+int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(1, rnd, bits, top, bottom);
+	}
+
+int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(0, rnd, bits, top, bottom);
+	}
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index a68d3f6681..3da104b6dd 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -182,7 +182,7 @@ DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
 DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length);
 DSA * DSA_generate_parameters(int bits, unsigned char *seed,int seed_len, int *counter_ret, unsigned long *h_ret,void
-	(*callback)(),char *cb_arg);
+	(*callback)(),void *cb_arg);
 int DSA_generate_key(DSA *a);
 int i2d_DSAPublicKey(DSA *a, unsigned char **pp);
 int i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
@@ -197,7 +197,7 @@ int DSAparams_print_fp(FILE *fp, DSA *x);
 int DSA_print_fp(FILE *bp, DSA *x, int off);
 #endif
-int DSA_is_prime(BIGNUM *q,void (*callback)(),char *cb_arg);
+int DSA_is_prime(BIGNUM *q,void (*callback)(),void *cb_arg);
 #ifndef NO_DH
 /* Convert DSA structure (key or just parameters) into DH structure
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 57435a9be2..5df9132dd8 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -75,7 +75,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 		int *counter_ret, unsigned long *h_ret, void (*callback)(),
-		char *cb_arg)
+		void *cb_arg)
 	{
 	int ok=0;
 	unsigned char seed[SHA_DIGEST_LENGTH];
@@ -93,6 +93,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 	if (bits < 512) bits=512;
 	bits=(bits+63)/64*64;
+	if (seed_len < 20) seed_in = NULL;
 	if ((seed_in != NULL) && (seed_len == 20))
 		memcpy(seed,seed_in,seed_len);
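Review bot: The two new wrappers are crossed: `BN_rand` calls `bnrand(1, …)`, and in the bnrand hunk above a non-zero `pseudorand` selects the `RAND_pseudo_bytes` branch, while `BN_pseudo_rand` calls `bnrand(0, …)` and gets `RAND_bytes`; so every existing BN_rand caller now receives pseudo-random bytes with only -1 treated as failure, and the new BN_pseudo_rand is the one that insists on the strong generator. The arguments should be swapped, `return bnrand(0, rnd, bits, top, bottom);` in BN_rand and `return bnrand(1, rnd, bits, top, bottom);` in BN_pseudo_rand. A comment on the static, `/* pseudorand: non-zero selects RAND_pseudo_bytes (a 0 = "not strong" result is accepted); zero selects RAND_bytes (must return > 0) */`, would make the flag's meaning visible at both call sites. Until this is fixed the BN_pseudo_rand calls added in bn_prime.c and dsa_gen.c inherit the swap and actually end up on RAND_bytes.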
@@ -142,10 +143,10 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 		/* step 3 */
 		md[0]|=0x80;
 		md[SHA_DIGEST_LENGTH-1]|=0x01;
-		if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
+		if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
 		/* step 4 */
-		if (DSA_is_prime(q,callback,cb_arg) > 0) break;
+		if (BN_is_prime(q,BN_prime_checks,callback,NULL,cb_arg) > 0) break;
 		/* do a callback call */
 		/* step 5 */
 		}
@@ -174,7 +175,8 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 			HASH(buf,SHA_DIGEST_LENGTH,md);
 			/* step 8 */
-			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
+			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
+				goto err;
 			BN_lshift(r0,r0,160*k);
 			BN_add(W,W,r0);
 			}
@@ -194,7 +196,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 			if (BN_cmp(p,test) >= 0)
 				{
 				/* step 11 */
-				if (DSA_is_prime(p,callback,cb_arg) > 0)
+				if (BN_is_prime(p,BN_prime_checks,callback,NULL,cb_arg) > 0)
 					goto end;
 				}
@@ -210,7 +212,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 end:
 	if (callback != NULL) callback(2,1,cb_arg);
-	/* We now need to gernerate g */
+	/* We now need to generate g */
 	/* Set r0=(p-1)/q */
 	BN_sub(test,p,BN_value_one());
 	BN_div(r0,NULL,test,q,ctx);
@@ -250,7 +252,7 @@ err:
 	return(ok?ret:NULL);
 	}
-int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
+int DSA_is_prime(BIGNUM *w, void (*callback)(), void *cb_arg)
 	{
 	int ok= -1,j,i,n;
 	BN_CTX *ctx=NULL,*ctx2=NULL;
@@ -258,7 +260,7 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
 	int a;
 	BN_MONT_CTX *mont=NULL;
-	if (!BN_is_bit_set(w,0)) return(0);
+	if (!BN_is_odd(w)) return(0);
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
 	if ((ctx2=BN_CTX_new()) == NULL) goto err;
@@ -272,7 +274,7 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
 	mont_1= &(ctx2->bn[7]);
 	/* step 1 */
-	n=50;
+	n=BN_prime_checks_size(BN_num_bits(w));
 	/* step 2 */
 	if (!BN_sub(w_1,w,BN_value_one())) goto err;
@@ -286,7 +288,8 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
 	for (i=1; i < n; i++)
 		{
 		/* step 3 */
-		BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
+		if (!BN_pseudo_rand(b,BN_num_bits(w)-2/*-1*/,0,0))
+			goto err;
 		/* BN_set_word(b,0x10001L); */
 		/* step 4 */
diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index 220f71c260..a30dae6b72 100644
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -141,7 +141,7 @@ int main(int argc, char **argv)
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 	BIO_printf(bio_err,"test generation of DSA parameters\n");
-	BIO_printf(bio_err,"expect '.*' followed by 5 lines of '.'s and '+'s\n");
+	BIO_printf(bio_err,"expect '.*' followed by 3 lines of '.'s and '+'s\n");
 	dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb, (char *)bio_err);
diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c
index 141daf0846..dc008124e2 100644
--- a/crypto/sha/sha1dgst.c
+++ b/crypto/sha/sha1dgst.c
@@ -65,6 +65,8 @@
 char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
+/* The implementation is in ../md32_common.h */
+
 #include "sha_locl.h"
 #endif
diff --git a/crypto/sha/sha_dgst.c b/crypto/sha/sha_dgst.c
index 81bce0c150..1aade357d1 100644
--- a/crypto/sha/sha_dgst.c
+++ b/crypto/sha/sha_dgst.c
@@ -65,6 +65,8 @@
 char *SHA_version="SHA" OPENSSL_VERSION_PTEXT;
+/* The implementation is in ../md32_common.h */
+
 #include "sha_locl.h"
 #endif
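Review bot: With `n=BN_prime_checks_size(BN_num_bits(w))` from the previous hunk of DSA_is_prime, the loop header `for (i=1; i < n; i++)` in this hunk performs n-1 Miller-Rabin rounds, one fewer than the table prescribes; at the old n=50 the off-by-one was harmless, but at the table's small values (2 at 1300 bits and up) it halves the number of rounds. Either start the loop at 0 or compare with `<=`, depending on whether the body, which continues outside the hunk, uses `i` for anything else; the commit message's own suggestion of calling BN_is_prime here would remove the duplicate loop altogether. In DSA_generate_parameters, `if (seed_len < 20) seed_in = NULL;` followed by `if ((seed_in != NULL) && (seed_len == 20))` leaves a seed_len greater than 20 with a non-NULL seed_in that is never copied; what the rest of the function does with that pair is outside the hunk, but if the intent is "use the caller's seed only when it is exactly 20 bytes", `if (seed_len != 20) seed_in = NULL;` states it directly.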