/security/nss/lib/freebl/pqg.c

http://github.com/zpao/v8monkey · C · 717 lines · 478 code · 20 blank · 219 comment · 70 complexity · 06e8862edb0bbded6b86209b8cb0c086 MD5 · raw file

  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is the Netscape security libraries.
  15. *
  16. * The Initial Developer of the Original Code is
  17. * Netscape Communications Corporation.
  18. * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19. * the Initial Developer. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. *
  23. * Alternatively, the contents of this file may be used under the terms of
  24. * either the GNU General Public License Version 2 or later (the "GPL"), or
  25. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26. * in which case the provisions of the GPL or the LGPL are applicable instead
  27. * of those above. If you wish to allow use of your version of this file only
  28. * under the terms of either the GPL or the LGPL, and not to allow others to
  29. * use your version of this file under the terms of the MPL, indicate your
  30. * decision by deleting the provisions above and replace them with the notice
  31. * and other provisions required by the GPL or the LGPL. If you do not delete
  32. * the provisions above, a recipient may use your version of this file under
  33. * the terms of any one of the MPL, the GPL or the LGPL.
  34. *
  35. * ***** END LICENSE BLOCK ***** */
  36. /*
  37. * PQG parameter generation/verification. Based on FIPS 186-1.
  38. *
  39. * $Id: pqg.c,v 1.17 2009/03/26 23:16:37 glen.beasley%sun.com Exp $
  40. */
  41. #ifdef FREEBL_NO_DEPEND
  42. #include "stubs.h"
  43. #endif
  44. #include "prerr.h"
  45. #include "secerr.h"
  46. #include "prtypes.h"
  47. #include "blapi.h"
  48. #include "secitem.h"
  49. #include "mpi.h"
  50. #include "mpprime.h"
  51. #include "mplogic.h"
  52. #include "secmpi.h"
  53. #define MAX_ITERATIONS 1000 /* Maximum number of iterations of primegen */
  54. #define PQG_Q_PRIMALITY_TESTS 18 /* from HAC table 4.4 */
  55. #define PQG_P_PRIMALITY_TESTS 5 /* from HAC table 4.4 */
  56. /* XXX to be replaced by define in blapit.h */
  57. #define BITS_IN_Q 160
  58. /* For FIPS-compliance testing.
  59. ** The following array holds the seed defined in FIPS 186-1 appendix 5.
  60. ** This seed is used to generate P and Q according to appendix 2; use of
  61. ** this seed will exactly generate the PQG specified in appendix 2.
  62. */
  63. #ifdef FIPS_186_1_A5_TEST
  64. static const unsigned char fips_186_1_a5_pqseed[] = {
  65. 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8,
  66. 0xb6, 0x21, 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24,
  67. 0xe0, 0x42, 0x7d, 0xd3
  68. };
  69. #endif
  70. /* Get a seed for generating P and Q. If in testing mode, copy in the
  71. ** seed from FIPS 186-1 appendix 5. Otherwise, obtain bytes from the
  72. ** global random number generator.
  73. */
  74. static SECStatus
  75. getPQseed(SECItem *seed, PRArenaPool* arena)
  76. {
  77. SECStatus rv;
  78. if (!seed->data) {
  79. seed->data = (unsigned char*)PORT_ArenaZAlloc(arena, seed->len);
  80. }
  81. if (!seed->data) {
  82. PORT_SetError(SEC_ERROR_NO_MEMORY);
  83. return SECFailure;
  84. }
  85. #ifdef FIPS_186_1_A5_TEST
  86. memcpy(seed->data, fips_186_1_a5_pqseed, seed->len);
  87. return SECSuccess;
  88. #else
  89. rv = RNG_GenerateGlobalRandomBytes(seed->data, seed->len);
  90. /*
  91. * NIST CMVP disallows a sequence of 20 bytes with the most
  92. * significant byte equal to 0. Perhaps they interpret
  93. * "a sequence of at least 160 bits" as "a number >= 2^159".
  94. * So we always set the most significant bit to 1. (bug 334533)
  95. */
  96. seed->data[0] |= 0x80;
  97. return rv;
  98. #endif
  99. }
  100. /* Generate a candidate h value. If in testing mode, use the h value
  101. ** specified in FIPS 186-1 appendix 5, h = 2. Otherwise, obtain bytes
  102. ** from the global random number generator.
  103. */
  104. static SECStatus
  105. generate_h_candidate(SECItem *hit, mp_int *H)
  106. {
  107. SECStatus rv = SECSuccess;
  108. mp_err err = MP_OKAY;
  109. #ifdef FIPS_186_1_A5_TEST
  110. memset(hit->data, 0, hit->len);
  111. hit->data[hit->len-1] = 0x02;
  112. #else
  113. rv = RNG_GenerateGlobalRandomBytes(hit->data, hit->len);
  114. #endif
  115. if (rv)
  116. return SECFailure;
  117. err = mp_read_unsigned_octets(H, hit->data, hit->len);
  118. if (err) {
  119. MP_TO_SEC_ERROR(err);
  120. return SECFailure;
  121. }
  122. return SECSuccess;
  123. }
  124. /* Compute SHA[(SEED + addend) mod 2**g]
  125. ** Result is placed in shaOutBuf.
  126. ** This computation is used in steps 2 and 7 of FIPS 186 Appendix 2.2 .
  127. */
  128. static SECStatus
  129. addToSeedThenSHA(const SECItem * seed,
  130. unsigned long addend,
  131. int g,
  132. unsigned char * shaOutBuf)
  133. {
  134. SECItem str = { 0, 0, 0 };
  135. mp_int s, sum, modulus, tmp;
  136. mp_err err = MP_OKAY;
  137. SECStatus rv = SECSuccess;
  138. MP_DIGITS(&s) = 0;
  139. MP_DIGITS(&sum) = 0;
  140. MP_DIGITS(&modulus) = 0;
  141. MP_DIGITS(&tmp) = 0;
  142. CHECK_MPI_OK( mp_init(&s) );
  143. CHECK_MPI_OK( mp_init(&sum) );
  144. CHECK_MPI_OK( mp_init(&modulus) );
  145. SECITEM_TO_MPINT(*seed, &s); /* s = seed */
  146. /* seed += addend */
  147. if (addend < MP_DIGIT_MAX) {
  148. CHECK_MPI_OK( mp_add_d(&s, (mp_digit)addend, &s) );
  149. } else {
  150. CHECK_MPI_OK( mp_init(&tmp) );
  151. CHECK_MPI_OK( mp_set_ulong(&tmp, addend) );
  152. CHECK_MPI_OK( mp_add(&s, &tmp, &s) );
  153. }
  154. CHECK_MPI_OK( mp_div_2d(&s, (mp_digit)g, NULL, &sum) );/*sum = s mod 2**g */
  155. MPINT_TO_SECITEM(&sum, &str, NULL);
  156. rv = SHA1_HashBuf(shaOutBuf, str.data, str.len); /* SHA1 hash result */
  157. cleanup:
  158. mp_clear(&s);
  159. mp_clear(&sum);
  160. mp_clear(&modulus);
  161. mp_clear(&tmp);
  162. if (str.data)
  163. SECITEM_ZfreeItem(&str, PR_FALSE);
  164. if (err) {
  165. MP_TO_SEC_ERROR(err);
  166. return SECFailure;
  167. }
  168. return rv;
  169. }
  170. /*
  171. ** Perform steps 2 and 3 of FIPS 186, appendix 2.2.
  172. ** Generate Q from seed.
  173. */
  174. static SECStatus
  175. makeQfromSeed(
  176. unsigned int g, /* input. Length of seed in bits. */
  177. const SECItem * seed, /* input. */
  178. mp_int * Q) /* output. */
  179. {
  180. unsigned char sha1[SHA1_LENGTH];
  181. unsigned char sha2[SHA1_LENGTH];
  182. unsigned char U[SHA1_LENGTH];
  183. SECStatus rv = SECSuccess;
  184. mp_err err = MP_OKAY;
  185. int i;
  186. /* ******************************************************************
  187. ** Step 2.
  188. ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
  189. **/
  190. CHECK_SEC_OK( SHA1_HashBuf(sha1, seed->data, seed->len) );
  191. CHECK_SEC_OK( addToSeedThenSHA(seed, 1, g, sha2) );
  192. for (i=0; i<SHA1_LENGTH; ++i)
  193. U[i] = sha1[i] ^ sha2[i];
  194. /* ******************************************************************
  195. ** Step 3.
  196. ** "Form Q from U by setting the most signficant bit (the 2**159 bit)
  197. ** and the least signficant bit to 1. In terms of boolean operations,
  198. ** Q = U OR 2**159 OR 1. Note that 2**159 < Q < 2**160."
  199. */
  200. U[0] |= 0x80; /* U is MSB first */
  201. U[SHA1_LENGTH-1] |= 0x01;
  202. err = mp_read_unsigned_octets(Q, U, SHA1_LENGTH);
  203. cleanup:
  204. memset(U, 0, SHA1_LENGTH);
  205. memset(sha1, 0, SHA1_LENGTH);
  206. memset(sha2, 0, SHA1_LENGTH);
  207. if (err) {
  208. MP_TO_SEC_ERROR(err);
  209. return SECFailure;
  210. }
  211. return rv;
  212. }
  213. /* Perform steps 7, 8 and 9 of FIPS 186, appendix 2.2.
  214. ** Generate P from Q, seed, L, and offset.
  215. */
  216. static SECStatus
  217. makePfromQandSeed(
  218. unsigned int L, /* Length of P in bits. Per FIPS 186. */
  219. unsigned int offset, /* Per FIPS 186, appendix 2.2. */
  220. unsigned int g, /* input. Length of seed in bits. */
  221. const SECItem * seed, /* input. */
  222. const mp_int * Q, /* input. */
  223. mp_int * P) /* output. */
  224. {
  225. unsigned int k; /* Per FIPS 186, appendix 2.2. */
  226. unsigned int n; /* Per FIPS 186, appendix 2.2. */
  227. mp_digit b; /* Per FIPS 186, appendix 2.2. */
  228. unsigned char V_k[SHA1_LENGTH];
  229. mp_int W, X, c, twoQ, V_n, tmp;
  230. mp_err err = MP_OKAY;
  231. SECStatus rv = SECSuccess;
  232. /* Initialize bignums */
  233. MP_DIGITS(&W) = 0;
  234. MP_DIGITS(&X) = 0;
  235. MP_DIGITS(&c) = 0;
  236. MP_DIGITS(&twoQ) = 0;
  237. MP_DIGITS(&V_n) = 0;
  238. MP_DIGITS(&tmp) = 0;
  239. CHECK_MPI_OK( mp_init(&W) );
  240. CHECK_MPI_OK( mp_init(&X) );
  241. CHECK_MPI_OK( mp_init(&c) );
  242. CHECK_MPI_OK( mp_init(&twoQ) );
  243. CHECK_MPI_OK( mp_init(&tmp) );
  244. CHECK_MPI_OK( mp_init(&V_n) );
  245. /* L - 1 = n*160 + b */
  246. n = (L - 1) / BITS_IN_Q;
  247. b = (L - 1) % BITS_IN_Q;
  248. /* ******************************************************************
  249. ** Step 7.
  250. ** "for k = 0 ... n let
  251. ** V_k = SHA[(SEED + offset + k) mod 2**g]."
  252. **
  253. ** Step 8.
  254. ** "Let W be the integer
  255. ** W = V_0 + (V_1 * 2**160) + ... + (V_n-1 * 2**((n-1)*160))
  256. ** + ((V_n mod 2**b) * 2**(n*160))
  257. */
  258. for (k=0; k<n; ++k) { /* Do the first n terms of V_k */
  259. /* Do step 7 for iteration k.
  260. ** V_k = SHA[(seed + offset + k) mod 2**g]
  261. */
  262. CHECK_SEC_OK( addToSeedThenSHA(seed, offset + k, g, V_k) );
  263. /* Do step 8 for iteration k.
  264. ** W += V_k * 2**(k*160)
  265. */
  266. OCTETS_TO_MPINT(V_k, &tmp, SHA1_LENGTH); /* get bignum V_k */
  267. CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, k*160) ); /* tmp = V_k << k*160 */
  268. CHECK_MPI_OK( mp_add(&W, &tmp, &W) ); /* W += tmp */
  269. }
  270. /* Step 8, continued.
  271. ** [W += ((V_n mod 2**b) * 2**(n*160))]
  272. */
  273. CHECK_SEC_OK( addToSeedThenSHA(seed, offset + n, g, V_k) );
  274. OCTETS_TO_MPINT(V_k, &V_n, SHA1_LENGTH); /* get bignum V_n */
  275. CHECK_MPI_OK( mp_div_2d(&V_n, b, NULL, &tmp) ); /* tmp = V_n mod 2**b */
  276. CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, n*160) ); /* tmp = tmp << n*160 */
  277. CHECK_MPI_OK( mp_add(&W, &tmp, &W) ); /* W += tmp */
  278. /* Step 8, continued.
  279. ** "and let X = W + 2**(L-1).
  280. ** Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
  281. */
  282. CHECK_MPI_OK( mpl_set_bit(&X, (mp_size)(L-1), 1) ); /* X = 2**(L-1) */
  283. CHECK_MPI_OK( mp_add(&X, &W, &X) ); /* X += W */
  284. /*************************************************************
  285. ** Step 9.
  286. ** "Let c = X mod 2q and set p = X - (c - 1).
  287. ** Note that p is congruent to 1 mod 2q."
  288. */
  289. CHECK_MPI_OK( mp_mul_2(Q, &twoQ) ); /* 2q */
  290. CHECK_MPI_OK( mp_mod(&X, &twoQ, &c) ); /* c = X mod 2q */
  291. CHECK_MPI_OK( mp_sub_d(&c, 1, &c) ); /* c -= 1 */
  292. CHECK_MPI_OK( mp_sub(&X, &c, P) ); /* P = X - c */
  293. cleanup:
  294. mp_clear(&W);
  295. mp_clear(&X);
  296. mp_clear(&c);
  297. mp_clear(&twoQ);
  298. mp_clear(&V_n);
  299. mp_clear(&tmp);
  300. if (err) {
  301. MP_TO_SEC_ERROR(err);
  302. return SECFailure;
  303. }
  304. return rv;
  305. }
  306. /*
  307. ** Generate G from h, P, and Q.
  308. */
  309. static SECStatus
  310. makeGfromH(const mp_int *P, /* input. */
  311. const mp_int *Q, /* input. */
  312. mp_int *H, /* input and output. */
  313. mp_int *G, /* output. */
  314. PRBool *passed)
  315. {
  316. mp_int exp, pm1;
  317. mp_err err = MP_OKAY;
  318. SECStatus rv = SECSuccess;
  319. *passed = PR_FALSE;
  320. MP_DIGITS(&exp) = 0;
  321. MP_DIGITS(&pm1) = 0;
  322. CHECK_MPI_OK( mp_init(&exp) );
  323. CHECK_MPI_OK( mp_init(&pm1) );
  324. CHECK_MPI_OK( mp_sub_d(P, 1, &pm1) ); /* P - 1 */
  325. if ( mp_cmp(H, &pm1) >= 0) /* H >= P-1 */
  326. CHECK_MPI_OK( mp_sub(H, &pm1, H) ); /* H = H mod (P-1) */
  327. /* Let b = 2**n (smallest power of 2 greater than P).
  328. ** Since P-1 >= b/2, and H < b, quotient(H/(P-1)) = 0 or 1
  329. ** so the above operation safely computes H mod (P-1)
  330. */
  331. /* Check for H = to 0 or 1. Regen H if so. (Regen means return error). */
  332. if (mp_cmp_d(H, 1) <= 0) {
  333. rv = SECFailure;
  334. goto cleanup;
  335. }
  336. /* Compute G, according to the equation G = (H ** ((P-1)/Q)) mod P */
  337. CHECK_MPI_OK( mp_div(&pm1, Q, &exp, NULL) ); /* exp = (P-1)/Q */
  338. CHECK_MPI_OK( mp_exptmod(H, &exp, P, G) ); /* G = H ** exp mod P */
  339. /* Check for G == 0 or G == 1, return error if so. */
  340. if (mp_cmp_d(G, 1) <= 0) {
  341. rv = SECFailure;
  342. goto cleanup;
  343. }
  344. *passed = PR_TRUE;
  345. cleanup:
  346. mp_clear(&exp);
  347. mp_clear(&pm1);
  348. if (err) {
  349. MP_TO_SEC_ERROR(err);
  350. rv = SECFailure;
  351. }
  352. return rv;
  353. }
  354. SECStatus
  355. PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
  356. {
  357. unsigned int L; /* Length of P in bits. Per FIPS 186. */
  358. unsigned int seedBytes;
  359. if (j > 8 || !pParams || !pVfy) {
  360. PORT_SetError(SEC_ERROR_INVALID_ARGS);
  361. return SECFailure;
  362. }
  363. L = 512 + (j * 64); /* bits in P */
  364. seedBytes = L/8;
  365. return PQG_ParamGenSeedLen(j, seedBytes, pParams, pVfy);
  366. }
  367. /* This code uses labels and gotos, so that it can follow the numbered
  368. ** steps in the algorithms from FIPS 186 appendix 2.2 very closely,
  369. ** and so that the correctness of this code can be easily verified.
  370. ** So, please forgive the ugly c code.
  371. **/
  372. SECStatus
  373. PQG_ParamGenSeedLen(unsigned int j, unsigned int seedBytes,
  374. PQGParams **pParams, PQGVerify **pVfy)
  375. {
  376. unsigned int L; /* Length of P in bits. Per FIPS 186. */
  377. unsigned int n; /* Per FIPS 186, appendix 2.2. */
  378. unsigned int b; /* Per FIPS 186, appendix 2.2. */
  379. unsigned int g; /* Per FIPS 186, appendix 2.2. */
  380. unsigned int counter; /* Per FIPS 186, appendix 2.2. */
  381. unsigned int offset; /* Per FIPS 186, appendix 2.2. */
  382. SECItem *seed; /* Per FIPS 186, appendix 2.2. */
  383. PRArenaPool *arena = NULL;
  384. PQGParams *params = NULL;
  385. PQGVerify *verify = NULL;
  386. PRBool passed;
  387. SECItem hit = { 0, 0, 0 };
  388. mp_int P, Q, G, H, l;
  389. mp_err err = MP_OKAY;
  390. SECStatus rv = SECFailure;
  391. int iterations = 0;
  392. if (j > 8 || seedBytes < 20 || !pParams || !pVfy) {
  393. PORT_SetError(SEC_ERROR_INVALID_ARGS);
  394. return SECFailure;
  395. }
  396. /* Initialize an arena for the params. */
  397. arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
  398. if (!arena) {
  399. PORT_SetError(SEC_ERROR_NO_MEMORY);
  400. return SECFailure;
  401. }
  402. params = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
  403. if (!params) {
  404. PORT_SetError(SEC_ERROR_NO_MEMORY);
  405. PORT_FreeArena(arena, PR_TRUE);
  406. return SECFailure;
  407. }
  408. params->arena = arena;
  409. /* Initialize an arena for the verify. */
  410. arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
  411. if (!arena) {
  412. PORT_SetError(SEC_ERROR_NO_MEMORY);
  413. PORT_FreeArena(params->arena, PR_TRUE);
  414. return SECFailure;
  415. }
  416. verify = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
  417. if (!verify) {
  418. PORT_SetError(SEC_ERROR_NO_MEMORY);
  419. PORT_FreeArena(arena, PR_TRUE);
  420. PORT_FreeArena(params->arena, PR_TRUE);
  421. return SECFailure;
  422. }
  423. verify->arena = arena;
  424. seed = &verify->seed;
  425. arena = NULL;
  426. /* Initialize bignums */
  427. MP_DIGITS(&P) = 0;
  428. MP_DIGITS(&Q) = 0;
  429. MP_DIGITS(&G) = 0;
  430. MP_DIGITS(&H) = 0;
  431. MP_DIGITS(&l) = 0;
  432. CHECK_MPI_OK( mp_init(&P) );
  433. CHECK_MPI_OK( mp_init(&Q) );
  434. CHECK_MPI_OK( mp_init(&G) );
  435. CHECK_MPI_OK( mp_init(&H) );
  436. CHECK_MPI_OK( mp_init(&l) );
  437. /* Compute lengths. */
  438. L = 512 + (j * 64); /* bits in P */
  439. n = (L - 1) / BITS_IN_Q; /* BITS_IN_Q is 160 */
  440. b = (L - 1) % BITS_IN_Q;
  441. g = seedBytes * BITS_PER_BYTE; /* bits in seed, NOT G of PQG. */
  442. step_1:
  443. /* ******************************************************************
  444. ** Step 1.
  445. ** "Choose an abitrary sequence of at least 160 bits and call it SEED.
  446. ** Let g be the length of SEED in bits."
  447. */
  448. if (++iterations > MAX_ITERATIONS) { /* give up after a while */
  449. PORT_SetError(SEC_ERROR_NEED_RANDOM);
  450. goto cleanup;
  451. }
  452. seed->len = seedBytes;
  453. CHECK_SEC_OK( getPQseed(seed, verify->arena) );
  454. /* ******************************************************************
  455. ** Step 2.
  456. ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
  457. **
  458. ** Step 3.
  459. ** "Form Q from U by setting the most signficant bit (the 2**159 bit)
  460. ** and the least signficant bit to 1. In terms of boolean operations,
  461. ** Q = U OR 2**159 OR 1. Note that 2**159 < Q < 2**160."
  462. */
  463. CHECK_SEC_OK( makeQfromSeed(g, seed, &Q) );
  464. /* ******************************************************************
  465. ** Step 4.
  466. ** "Use a robust primality testing algorithm to test whether q is prime."
  467. **
  468. ** Appendix 2.1 states that a Rabin test with at least 50 iterations
  469. ** "will give an acceptable probability of error."
  470. */
  471. /*CHECK_SEC_OK( prm_RabinTest(&Q, &passed) );*/
  472. err = mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS);
  473. passed = (err == MP_YES) ? SECSuccess : SECFailure;
  474. /* ******************************************************************
  475. ** Step 5. "If q is not prime, goto step 1."
  476. */
  477. if (passed != SECSuccess)
  478. goto step_1;
  479. /* ******************************************************************
  480. ** Step 6. "Let counter = 0 and offset = 2."
  481. */
  482. counter = 0;
  483. offset = 2;
  484. step_7:
  485. /* ******************************************************************
  486. ** Step 7.
  487. ** "for k = 0 ... n let
  488. ** V_k = SHA[(SEED + offset + k) mod 2**g]."
  489. **
  490. ** Step 8.
  491. ** "Let W be the sum of (V_k * 2**(k*160)) for k = 0 ... n
  492. ** and let X = W + 2**(L-1).
  493. ** Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
  494. **
  495. ** Step 9.
  496. ** "Let c = X mod 2q and set p = X - (c - 1).
  497. ** Note that p is congruent to 1 mod 2q."
  498. */
  499. CHECK_SEC_OK( makePfromQandSeed(L, offset, g, seed, &Q, &P) );
  500. /*************************************************************
  501. ** Step 10.
  502. ** "if p < 2**(L-1), then goto step 13."
  503. */
  504. CHECK_MPI_OK( mpl_set_bit(&l, (mp_size)(L-1), 1) ); /* l = 2**(L-1) */
  505. if (mp_cmp(&P, &l) < 0)
  506. goto step_13;
  507. /************************************************************
  508. ** Step 11.
  509. ** "Perform a robust primality test on p."
  510. */
  511. /*CHECK_SEC_OK( prm_RabinTest(&P, &passed) );*/
  512. err = mpp_pprime(&P, PQG_P_PRIMALITY_TESTS);
  513. passed = (err == MP_YES) ? SECSuccess : SECFailure;
  514. /* ******************************************************************
  515. ** Step 12. "If p passes the test performed in step 11, go to step 15."
  516. */
  517. if (passed == SECSuccess)
  518. goto step_15;
  519. step_13:
  520. /* ******************************************************************
  521. ** Step 13. "Let counter = counter + 1 and offset = offset + n + 1."
  522. */
  523. counter++;
  524. offset += n + 1;
  525. /* ******************************************************************
  526. ** Step 14. "If counter >= 4096 goto step 1, otherwise go to step 7."
  527. */
  528. if (counter >= 4096)
  529. goto step_1;
  530. goto step_7;
  531. step_15:
  532. /* ******************************************************************
  533. ** Step 15.
  534. ** "Save the value of SEED and the value of counter for use
  535. ** in certifying the proper generation of p and q."
  536. */
  537. /* Generate h. */
  538. SECITEM_AllocItem(NULL, &hit, L/8); /* h is no longer than p */
  539. if (!hit.data) goto cleanup;
  540. do {
  541. /* loop generate h until 1<h<p-1 and (h**[(p-1)/q])mod p > 1 */
  542. CHECK_SEC_OK( generate_h_candidate(&hit, &H) );
  543. CHECK_SEC_OK( makeGfromH(&P, &Q, &H, &G, &passed) );
  544. } while (passed != PR_TRUE);
  545. /* All generation is done. Now, save the PQG params. */
  546. MPINT_TO_SECITEM(&P, &params->prime, params->arena);
  547. MPINT_TO_SECITEM(&Q, &params->subPrime, params->arena);
  548. MPINT_TO_SECITEM(&G, &params->base, params->arena);
  549. MPINT_TO_SECITEM(&H, &verify->h, verify->arena);
  550. verify->counter = counter;
  551. *pParams = params;
  552. *pVfy = verify;
  553. cleanup:
  554. mp_clear(&P);
  555. mp_clear(&Q);
  556. mp_clear(&G);
  557. mp_clear(&H);
  558. mp_clear(&l);
  559. if (err) {
  560. MP_TO_SEC_ERROR(err);
  561. rv = SECFailure;
  562. }
  563. if (rv) {
  564. PORT_FreeArena(params->arena, PR_TRUE);
  565. PORT_FreeArena(verify->arena, PR_TRUE);
  566. }
  567. if (hit.data) {
  568. SECITEM_FreeItem(&hit, PR_FALSE);
  569. }
  570. return rv;
  571. }
  572. SECStatus
  573. PQG_VerifyParams(const PQGParams *params,
  574. const PQGVerify *vfy, SECStatus *result)
  575. {
  576. SECStatus rv = SECSuccess;
  577. int passed;
  578. unsigned int g, n, L, offset;
  579. mp_int P, Q, G, P_, Q_, G_, r, h;
  580. mp_err err = MP_OKAY;
  581. int j;
  582. #define CHECKPARAM(cond) \
  583. if (!(cond)) { \
  584. *result = SECFailure; \
  585. goto cleanup; \
  586. }
  587. if (!params || !vfy || !result) {
  588. PORT_SetError(SEC_ERROR_INVALID_ARGS);
  589. return SECFailure;
  590. }
  591. MP_DIGITS(&P) = 0;
  592. MP_DIGITS(&Q) = 0;
  593. MP_DIGITS(&G) = 0;
  594. MP_DIGITS(&P_) = 0;
  595. MP_DIGITS(&Q_) = 0;
  596. MP_DIGITS(&G_) = 0;
  597. MP_DIGITS(&r) = 0;
  598. MP_DIGITS(&h) = 0;
  599. CHECK_MPI_OK( mp_init(&P) );
  600. CHECK_MPI_OK( mp_init(&Q) );
  601. CHECK_MPI_OK( mp_init(&G) );
  602. CHECK_MPI_OK( mp_init(&P_) );
  603. CHECK_MPI_OK( mp_init(&Q_) );
  604. CHECK_MPI_OK( mp_init(&G_) );
  605. CHECK_MPI_OK( mp_init(&r) );
  606. CHECK_MPI_OK( mp_init(&h) );
  607. *result = SECSuccess;
  608. SECITEM_TO_MPINT(params->prime, &P);
  609. SECITEM_TO_MPINT(params->subPrime, &Q);
  610. SECITEM_TO_MPINT(params->base, &G);
  611. /* 1. Q is 160 bits long. */
  612. CHECKPARAM( mpl_significant_bits(&Q) == 160 );
  613. /* 2. P is one of the 9 valid lengths. */
  614. L = mpl_significant_bits(&P);
  615. j = PQG_PBITS_TO_INDEX(L);
  616. CHECKPARAM( j >= 0 && j <= 8 );
  617. /* 3. G < P */
  618. CHECKPARAM( mp_cmp(&G, &P) < 0 );
  619. /* 4. P % Q == 1 */
  620. CHECK_MPI_OK( mp_mod(&P, &Q, &r) );
  621. CHECKPARAM( mp_cmp_d(&r, 1) == 0 );
  622. /* 5. Q is prime */
  623. CHECKPARAM( mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS) == MP_YES );
  624. /* 6. P is prime */
  625. CHECKPARAM( mpp_pprime(&P, PQG_P_PRIMALITY_TESTS) == MP_YES );
  626. /* Steps 7-12 are done only if the optional PQGVerify is supplied. */
  627. /* 7. counter < 4096 */
  628. CHECKPARAM( vfy->counter < 4096 );
  629. /* 8. g >= 160 and g < 2048 (g is length of seed in bits) */
  630. g = vfy->seed.len * 8;
  631. CHECKPARAM( g >= 160 && g < 2048 );
  632. /* 9. Q generated from SEED matches Q in PQGParams. */
  633. CHECK_SEC_OK( makeQfromSeed(g, &vfy->seed, &Q_) );
  634. CHECKPARAM( mp_cmp(&Q, &Q_) == 0 );
  635. /* 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams. */
  636. n = (L - 1) / BITS_IN_Q;
  637. offset = vfy->counter * (n + 1) + 2;
  638. CHECK_SEC_OK( makePfromQandSeed(L, offset, g, &vfy->seed, &Q, &P_) );
  639. CHECKPARAM( mp_cmp(&P, &P_) == 0 );
  640. /* Next two are optional: if h == 0 ignore */
  641. if (vfy->h.len == 0) goto cleanup;
  642. /* 11. 1 < h < P-1 */
  643. SECITEM_TO_MPINT(vfy->h, &h);
  644. CHECK_MPI_OK( mpl_set_bit(&P, 0, 0) ); /* P is prime, p-1 == zero 1st bit */
  645. CHECKPARAM( mp_cmp_d(&h, 1) > 0 && mp_cmp(&h, &P) );
  646. CHECK_MPI_OK( mpl_set_bit(&P, 0, 1) ); /* set it back */
  647. /* 12. G generated from h matches G in PQGParams. */
  648. CHECK_SEC_OK( makeGfromH(&P, &Q, &h, &G_, &passed) );
  649. CHECKPARAM( passed && mp_cmp(&G, &G_) == 0 );
  650. cleanup:
  651. mp_clear(&P);
  652. mp_clear(&Q);
  653. mp_clear(&G);
  654. mp_clear(&P_);
  655. mp_clear(&Q_);
  656. mp_clear(&G_);
  657. mp_clear(&r);
  658. mp_clear(&h);
  659. if (err) {
  660. MP_TO_SEC_ERROR(err);
  661. rv = SECFailure;
  662. }
  663. return rv;
  664. }
  665. /**************************************************************************
  666. * Free the PQGParams struct and the things it points to. *
  667. **************************************************************************/
  668. void
  669. PQG_DestroyParams(PQGParams *params)
  670. {
  671. if (params == NULL)
  672. return;
  673. if (params->arena != NULL) {
  674. PORT_FreeArena(params->arena, PR_FALSE); /* don't zero it */
  675. } else {
  676. SECITEM_FreeItem(&params->prime, PR_FALSE); /* don't free prime */
  677. SECITEM_FreeItem(&params->subPrime, PR_FALSE); /* don't free subPrime */
  678. SECITEM_FreeItem(&params->base, PR_FALSE); /* don't free base */
  679. PORT_Free(params);
  680. }
  681. }
  682. /**************************************************************************
  683. * Free the PQGVerify struct and the things it points to. *
  684. **************************************************************************/
  685. void
  686. PQG_DestroyVerify(PQGVerify *vfy)
  687. {
  688. if (vfy == NULL)
  689. return;
  690. if (vfy->arena != NULL) {
  691. PORT_FreeArena(vfy->arena, PR_FALSE); /* don't zero it */
  692. } else {
  693. SECITEM_FreeItem(&vfy->seed, PR_FALSE); /* don't free seed */
  694. SECITEM_FreeItem(&vfy->h, PR_FALSE); /* don't free h */
  695. PORT_Free(vfy);
  696. }
  697. }