1 /* primegen.c - prime number generator
2 * Copyright (C) 1998, 2000, 2001, 2002, 2003
3 * 2004, 2008 Free Software Foundation, Inc.
5 * This file is part of Libgcrypt.
7 * Libgcrypt is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Lesser general Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
12 * Libgcrypt is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
34 static gcry_mpi_t gen_prime (unsigned int nbits, int secret, int randomlevel,
35 int (*extra_check)(void *, gcry_mpi_t),
36 void *extra_check_arg);
37 static int check_prime( gcry_mpi_t prime, gcry_mpi_t val_2, int rm_rounds,
38 gcry_prime_check_func_t cb_func, void *cb_arg );
39 static int is_prime (gcry_mpi_t n, int steps, unsigned int *count);
40 static void m_out_of_n( char *array, int m, int n );
42 static void (*progress_cb) (void *,const char*,int,int, int );
43 static void *progress_cb_data;
45 /* Note: 2 is not included because it can be tested more easily by
46 looking at bit 0. The last entry in this list is marked by a zero */
47 static ushort small_prime_numbers[] = {
48 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
49 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
50 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
51 157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
52 211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
53 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
54 331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
55 389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
56 449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
57 509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
58 587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
59 643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
60 709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
61 773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
62 853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
63 919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
64 991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
65 1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
66 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
67 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
68 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
69 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
70 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
71 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
72 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
73 1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
74 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
75 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
76 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
77 1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
78 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
79 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
80 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
81 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
82 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
83 2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
84 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
85 2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
86 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
87 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
88 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
89 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
90 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
91 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
92 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
93 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
94 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
95 2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
96 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
97 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
98 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
99 3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
100 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
101 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
102 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
103 3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
104 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
105 3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
106 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
107 3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
108 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
109 3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
110 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
111 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
112 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
113 4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
114 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
115 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
116 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
117 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
118 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
119 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
120 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
121 4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
122 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
123 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
124 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
125 4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
126 4957, 4967, 4969, 4973, 4987, 4993, 4999,
129 static int no_of_small_prime_numbers = DIM (small_prime_numbers) - 1;
133 /* An object and a list to build up a global pool of primes. See
134 save_pool_prime and get_pool_prime. */
137 struct primepool_s *next;
138 gcry_mpi_t prime; /* If this is NULL the entry is not used. */
140 gcry_random_level_t randomlevel;
142 struct primepool_s *primepool;
143 /* Mutex used to protect access to the primepool. */
144 static ath_mutex_t primepool_lock = ATH_MUTEX_INITIALIZER;
148 /* Save PRIME which has been generated at RANDOMLEVEL for later
149 use. Needs to be called while primepool_lock is being hold. Note
150 that PRIME should be considered released after calling this
153 save_pool_prime (gcry_mpi_t prime, gcry_random_level_t randomlevel)
155 struct primepool_s *item, *item2;
158 for (n=0, item = primepool; item; item = item->next, n++)
161 if (!item && n > 100)
163 /* Remove some of the entries. Our strategy is removing
164 the last third from the list. */
167 for (i=0, item2 = primepool; item2; item2 = item2->next)
171 gcry_mpi_release (item2->prime);
180 item = gcry_calloc (1, sizeof *item);
183 /* Out of memory. Silently giving up. */
184 gcry_mpi_release (prime);
187 item->next = primepool;
191 item->nbits = mpi_get_nbits (prime);
192 item->randomlevel = randomlevel;
196 /* Return a prime for the prime pool or NULL if none has been found.
197 The prime needs to match NBITS and randomlevel. This function needs
198 to be called why the primepool_look is being hold. */
200 get_pool_prime (unsigned int nbits, gcry_random_level_t randomlevel)
202 struct primepool_s *item;
204 for (item = primepool; item; item = item->next)
206 && item->nbits == nbits && item->randomlevel == randomlevel)
208 gcry_mpi_t prime = item->prime;
210 gcry_assert (nbits == mpi_get_nbits (prime));
222 _gcry_register_primegen_progress ( void (*cb)(void *,const char*,int,int,int),
226 progress_cb_data = cb_data;
234 progress_cb ( progress_cb_data, "primegen", c, 0, 0 );
239 * Generate a prime number (stored in secure memory)
242 _gcry_generate_secret_prime (unsigned int nbits,
243 gcry_random_level_t random_level,
244 int (*extra_check)(void*, gcry_mpi_t),
245 void *extra_check_arg)
249 prime = gen_prime (nbits, 1, random_level, extra_check, extra_check_arg);
255 /* Generate a prime number which may be public, i.e. not allocated in
258 _gcry_generate_public_prime (unsigned int nbits,
259 gcry_random_level_t random_level,
260 int (*extra_check)(void*, gcry_mpi_t),
261 void *extra_check_arg)
265 prime = gen_prime (nbits, 0, random_level, extra_check, extra_check_arg);
271 /* Core prime generation function. The algorithm used to generate
272 practically save primes is due to Lim and Lee as described in the
273 CRYPTO '97 proceedings (ISBN3540633847) page 260.
275 NEED_Q_FACTOR: If true make sure that at least one factor is of
276 size qbits. This is for example required for DSA.
277 PRIME_GENERATED: Adresss of a variable where the resulting prime
278 number will be stored.
279 PBITS: Requested size of the prime number. At least 48.
280 QBITS: One factor of the prime needs to be of this size. Maybe 0
281 if this is not required. See also MODE.
282 G: If not NULL an MPI which will receive a generator for the prime
283 for use with Elgamal.
284 RET_FACTORS: if not NULL, an array with all factors are stored at
286 ALL_FACTORS: If set to true all factors of prime-1 are returned.
287 RANDOMLEVEL: How strong should the random numers be.
288 FLAGS: Prime generation bit flags. Currently supported:
289 GCRY_PRIME_FLAG_SECRET - The prime needs to be kept secret.
290 CB_FUNC, CB_ARG: Callback to be used for extra checks.
293 static gcry_err_code_t
294 prime_generate_internal (int need_q_factor,
295 gcry_mpi_t *prime_generated, unsigned int pbits,
296 unsigned int qbits, gcry_mpi_t g,
297 gcry_mpi_t **ret_factors,
298 gcry_random_level_t randomlevel, unsigned int flags,
300 gcry_prime_check_func_t cb_func, void *cb_arg)
302 gcry_err_code_t err = 0;
303 gcry_mpi_t *factors_new = NULL; /* Factors to return to the
305 gcry_mpi_t *factors = NULL; /* Current factors. */
306 gcry_random_level_t poolrandomlevel; /* Random level used for pool primes. */
307 gcry_mpi_t *pool = NULL; /* Pool of primes. */
308 int *pool_in_use = NULL; /* Array with currently used POOL elements. */
309 unsigned char *perms = NULL; /* Permutations of POOL. */
310 gcry_mpi_t q_factor = NULL; /* Used if QBITS is non-zero. */
311 unsigned int fbits = 0; /* Length of prime factors. */
312 unsigned int n = 0; /* Number of factors. */
313 unsigned int m = 0; /* Number of primes in pool. */
314 gcry_mpi_t q = NULL; /* First prime factor. */
315 gcry_mpi_t prime = NULL; /* Prime candidate. */
316 unsigned int nprime = 0; /* Bits of PRIME. */
317 unsigned int req_qbits; /* The original QBITS value. */
318 gcry_mpi_t val_2; /* For check_prime(). */
319 int is_locked = 0; /* Flag to help unlocking the primepool. */
320 unsigned int is_secret = (flags & GCRY_PRIME_FLAG_SECRET);
321 unsigned int count1 = 0, count2 = 0;
322 unsigned int i = 0, j = 0;
325 return GPG_ERR_INV_ARG;
327 /* We won't use a too strong random elvel for the pooled subprimes. */
328 poolrandomlevel = (randomlevel > GCRY_STRONG_RANDOM?
329 GCRY_STRONG_RANDOM : randomlevel);
332 /* If QBITS is not given, assume a reasonable value. */
338 /* Find number of needed prime factors N. */
339 for (n = 1; (pbits - qbits - 1) / n >= qbits; n++)
343 val_2 = mpi_alloc_set_ui (2);
345 if ((! n) || ((need_q_factor) && (n < 2)))
347 err = GPG_ERR_INV_ARG;
353 n--; /* Need one factor less because we want a specific Q-FACTOR. */
354 fbits = (pbits - 2 * req_qbits -1) / n;
355 qbits = pbits - req_qbits - n * fbits;
359 fbits = (pbits - req_qbits -1) / n;
360 qbits = pbits - n * fbits;
364 log_debug ("gen prime: pbits=%u qbits=%u fbits=%u/%u n=%d\n",
365 pbits, req_qbits, qbits, fbits, n);
367 /* Allocate an integer to old the new prime. */
368 prime = gcry_mpi_new (pbits);
370 /* Generate first prime factor. */
371 q = gen_prime (qbits, is_secret, randomlevel, NULL, NULL);
373 /* Generate a specific Q-Factor if requested. */
375 q_factor = gen_prime (req_qbits, is_secret, randomlevel, NULL, NULL);
377 /* Allocate an array to hold all factors + 2 for later usage. */
378 factors = gcry_calloc (n + 2, sizeof (*factors));
381 err = gpg_err_code_from_errno (errno);
385 /* Allocate an array to track pool usage. */
386 pool_in_use = gcry_malloc (n * sizeof *pool_in_use);
389 err = gpg_err_code_from_errno (errno);
392 for (i=0; i < n; i++)
395 /* Make a pool of 3n+5 primes (this is an arbitrary value). We
396 require at least 30 primes for are useful selection process.
398 Fixme: We need to research the best formula for sizing the pool.
401 if (need_q_factor) /* Need some more in this case. */
405 pool = gcry_calloc (m , sizeof (*pool));
408 err = gpg_err_code_from_errno (errno);
412 /* Permutate over the pool of primes until we find a prime of the
417 for (i=0; i < n; i++)
422 /* Allocate new primes. This is done right at the beginning
423 of the loop and if we have later run out of primes. */
424 for (i = 0; i < m; i++)
430 /* Init m_out_of_n(). */
431 perms = gcry_calloc (1, m);
434 err = gpg_err_code_from_errno (errno);
438 if (ath_mutex_lock (&primepool_lock))
440 err = GPG_ERR_INTERNAL;
444 for (i = 0; i < n; i++)
447 /* At a maximum we use strong random for the factors.
448 This saves us a lot of entropy. Given that Q and
449 possible Q-factor are also used in the final prime
450 this should be acceptable. We also don't allocate in
451 secure memory to save on that scare resource too. If
452 Q has been allocated in secure memory, the final
453 prime will be saved there anyway. This is because
454 our MPI routines take care of that. GnuPG has worked
455 this way ever since. */
459 pool[i] = get_pool_prime (fbits, poolrandomlevel);
462 if (ath_mutex_unlock (&primepool_lock))
464 err = GPG_ERR_INTERNAL;
471 pool[i] = gen_prime (fbits, 0, poolrandomlevel, NULL, NULL);
473 factors[i] = pool[i];
475 if (is_locked && ath_mutex_unlock (&primepool_lock))
477 err = GPG_ERR_INTERNAL;
484 /* Get next permutation. */
485 m_out_of_n ( (char*)perms, n, m);
486 if (ath_mutex_lock (&primepool_lock))
488 err = GPG_ERR_INTERNAL;
492 for (i = j = 0; (i < m) && (j < n); i++)
495 /* If the subprime has not yet beed generated do it now. */
496 if (!pool[i] && is_locked)
498 pool[i] = get_pool_prime (fbits, poolrandomlevel);
501 if (ath_mutex_unlock (&primepool_lock))
503 err = GPG_ERR_INTERNAL;
510 pool[i] = gen_prime (fbits, 0, poolrandomlevel, NULL, NULL);
512 factors[j++] = pool[i];
514 if (is_locked && ath_mutex_unlock (&primepool_lock))
516 err = GPG_ERR_INTERNAL;
522 /* Ran out of permutations: Allocate new primes. */
530 /* Generate next prime candidate:
531 p = 2 * q [ * q_factor] * factor_0 * factor_1 * ... * factor_n + 1.
534 mpi_mul_ui (prime, prime, 2);
536 mpi_mul (prime, prime, q_factor);
537 for(i = 0; i < n; i++)
538 mpi_mul (prime, prime, factors[i]);
539 mpi_add_ui (prime, prime, 1);
540 nprime = mpi_get_nbits (prime);
550 q = gen_prime (qbits, is_secret, randomlevel, NULL, NULL);
565 q = gen_prime (qbits, is_secret, randomlevel, NULL, NULL);
572 while (! ((nprime == pbits) && check_prime (prime, val_2, 5,
578 log_mpidump ("prime : ", prime);
579 log_mpidump ("factor q: ", q);
581 log_mpidump ("factor q0: ", q_factor);
582 for (i = 0; i < n; i++)
583 log_mpidump ("factor pi: ", factors[i]);
584 log_debug ("bit sizes: prime=%u, q=%u",
585 mpi_get_nbits (prime), mpi_get_nbits (q));
587 log_debug (", q0=%u", mpi_get_nbits (q_factor));
588 for (i = 0; i < n; i++)
589 log_debug (", p%d=%u", i, mpi_get_nbits (factors[i]));
595 /* Caller wants the factors. */
596 factors_new = gcry_calloc (n + 4, sizeof (*factors_new));
599 err = gpg_err_code_from_errno (errno);
606 factors_new[i++] = gcry_mpi_set_ui (NULL, 2);
607 factors_new[i++] = mpi_copy (q);
609 factors_new[i++] = mpi_copy (q_factor);
611 factors_new[i++] = mpi_copy (factors[j]);
618 factors_new[i++] = mpi_copy (q_factor);
620 factors_new[i] = mpi_copy (factors[i]);
624 factors_new[i] = mpi_copy (factors[i]);
630 /* Create a generator (start with 3). */
631 gcry_mpi_t tmp = mpi_alloc (mpi_get_nlimbs (prime));
632 gcry_mpi_t b = mpi_alloc (mpi_get_nlimbs (prime));
633 gcry_mpi_t pmin1 = mpi_alloc (mpi_get_nlimbs (prime));
636 err = GPG_ERR_NOT_IMPLEMENTED;
640 factors[n + 1] = mpi_alloc_set_ui (2);
641 mpi_sub_ui (pmin1, prime, 1);
645 mpi_add_ui (g, g, 1);
648 log_debug ("checking g:");
654 for (i = 0; i < n + 2; i++)
656 mpi_fdiv_q (tmp, pmin1, factors[i]);
657 /* No mpi_pow(), but it is okay to use this with mod
659 gcry_mpi_powm (b, g, tmp, prime);
660 if (! mpi_cmp_ui (b, 1))
668 mpi_free (factors[n+1]);
682 is_locked = !ath_mutex_lock (&primepool_lock);
683 for(i = 0; i < m; i++)
687 for (j=0; j < n; j++)
688 if (pool_in_use[j] == i)
690 if (j == n && is_locked)
692 /* This pooled subprime has not been used. */
693 save_pool_prime (pool[i], poolrandomlevel);
699 if (is_locked && ath_mutex_unlock (&primepool_lock))
700 err = GPG_ERR_INTERNAL;
704 gcry_free (pool_in_use);
706 gcry_free (factors); /* Factors are shallow copies. */
716 *prime_generated = prime;
718 *ret_factors = factors_new;
724 for (i = 0; factors_new[i]; i++)
725 mpi_free (factors_new[i]);
726 gcry_free (factors_new);
735 /* Generate a prime used for discrete logarithm algorithms; i.e. this
736 prime will be public and no strong random is required. */
738 _gcry_generate_elg_prime (int mode, unsigned pbits, unsigned qbits,
739 gcry_mpi_t g, gcry_mpi_t **ret_factors)
741 gcry_err_code_t err = GPG_ERR_NO_ERROR;
742 gcry_mpi_t prime = NULL;
744 err = prime_generate_internal ((mode == 1), &prime, pbits, qbits, g,
745 ret_factors, GCRY_WEAK_RANDOM, 0, 0,
753 gen_prime (unsigned int nbits, int secret, int randomlevel,
754 int (*extra_check)(void *, gcry_mpi_t), void *extra_check_arg)
756 gcry_mpi_t prime, ptest, pminus1, val_2, val_3, result;
758 unsigned int x, step;
759 unsigned int count1, count2;
762 /* if ( DBG_CIPHER ) */
763 /* log_debug ("generate a prime of %u bits ", nbits ); */
766 log_fatal ("can't generate a prime with less than %d bits\n", 16);
768 mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods );
769 /* Make nbits fit into gcry_mpi_t implementation. */
770 val_2 = mpi_alloc_set_ui( 2 );
771 val_3 = mpi_alloc_set_ui( 3);
772 prime = secret? gcry_mpi_snew ( nbits ): gcry_mpi_new ( nbits );
773 result = mpi_alloc_like( prime );
774 pminus1= mpi_alloc_like( prime );
775 ptest = mpi_alloc_like( prime );
781 /* generate a random number */
782 gcry_mpi_randomize( prime, nbits, randomlevel );
784 /* Set high order bit to 1, set low order bit to 1. If we are
785 generating a secret prime we are most probably doing that
786 for RSA, to make sure that the modulus does have the
787 requested key size we set the 2 high order bits. */
788 mpi_set_highbit (prime, nbits-1);
790 mpi_set_bit (prime, nbits-2);
791 mpi_set_bit(prime, 0);
793 /* Calculate all remainders. */
794 for (i=0; (x = small_prime_numbers[i]); i++ )
795 mods[i] = mpi_fdiv_r_ui(NULL, prime, x);
797 /* Now try some primes starting with prime. */
798 for(step=0; step < 20000; step += 2 )
800 /* Check against all the small primes we have in mods. */
802 for (i=0; (x = small_prime_numbers[i]); i++ )
804 while ( mods[i] + step >= x )
806 if ( !(mods[i] + step) )
810 continue; /* Found a multiple of an already known prime. */
812 mpi_add_ui( ptest, prime, step );
814 /* Do a fast Fermat test now. */
816 mpi_sub_ui( pminus1, ptest, 1);
817 gcry_mpi_powm( result, val_2, pminus1, ptest );
818 if ( !mpi_cmp_ui( result, 1 ) )
820 /* Not composite, perform stronger tests */
821 if (is_prime(ptest, 5, &count2 ))
823 if (!mpi_test_bit( ptest, nbits-1-secret ))
826 log_debug ("overflow in prime generation\n");
827 break; /* Stop loop, continue with a new prime. */
830 if (extra_check && extra_check (extra_check_arg, ptest))
832 /* The extra check told us that this prime is
833 not of the caller's taste. */
849 if (++dotcount == 10 )
855 progress(':'); /* restart with a new random value */
860 * Returns: true if this may be a prime
861 * RM_ROUNDS gives the number of Rabin-Miller tests to run.
864 check_prime( gcry_mpi_t prime, gcry_mpi_t val_2, int rm_rounds,
865 gcry_prime_check_func_t cb_func, void *cb_arg)
869 unsigned int count=0;
871 /* Check against small primes. */
872 for (i=0; (x = small_prime_numbers[i]); i++ )
874 if ( mpi_divisible_ui( prime, x ) )
878 /* A quick Fermat test. */
880 gcry_mpi_t result = mpi_alloc_like( prime );
881 gcry_mpi_t pminus1 = mpi_alloc_like( prime );
882 mpi_sub_ui( pminus1, prime, 1);
883 gcry_mpi_powm( result, val_2, pminus1, prime );
885 if ( mpi_cmp_ui( result, 1 ) )
895 if (!cb_func || cb_func (cb_arg, GCRY_PRIME_CHECK_AT_MAYBE_PRIME, prime))
897 /* Perform stronger tests. */
898 if ( is_prime( prime, rm_rounds, &count ) )
901 || cb_func (cb_arg, GCRY_PRIME_CHECK_AT_GOT_PRIME, prime))
902 return 1; /* Probably a prime. */
911 * Return true if n is probably a prime
914 is_prime (gcry_mpi_t n, int steps, unsigned int *count)
916 gcry_mpi_t x = mpi_alloc( mpi_get_nlimbs( n ) );
917 gcry_mpi_t y = mpi_alloc( mpi_get_nlimbs( n ) );
918 gcry_mpi_t z = mpi_alloc( mpi_get_nlimbs( n ) );
919 gcry_mpi_t nminus1 = mpi_alloc( mpi_get_nlimbs( n ) );
920 gcry_mpi_t a2 = mpi_alloc_set_ui( 2 );
924 unsigned nbits = mpi_get_nbits( n );
926 if (steps < 5) /* Make sure that we do at least 5 rounds. */
929 mpi_sub_ui( nminus1, n, 1 );
931 /* Find q and k, so that n = 1 + 2^k * q . */
932 q = mpi_copy ( nminus1 );
933 k = mpi_trailing_zeros ( q );
934 mpi_tdiv_q_2exp (q, q, k);
936 for (i=0 ; i < steps; i++ )
945 gcry_mpi_randomize( x, nbits, GCRY_WEAK_RANDOM );
947 /* Make sure that the number is smaller than the prime and
948 keep the randomness of the high bit. */
949 if ( mpi_test_bit ( x, nbits-2) )
951 mpi_set_highbit ( x, nbits-2); /* Clear all higher bits. */
955 mpi_set_highbit( x, nbits-2 );
956 mpi_clear_bit( x, nbits-2 );
958 gcry_assert (mpi_cmp (x, nminus1) < 0 && mpi_cmp_ui (x, 1) > 0);
960 gcry_mpi_powm ( y, x, q, n);
961 if ( mpi_cmp_ui(y, 1) && mpi_cmp( y, nminus1 ) )
963 for ( j=1; j < k && mpi_cmp( y, nminus1 ); j++ )
965 gcry_mpi_powm(y, y, a2, n);
966 if( !mpi_cmp_ui( y, 1 ) )
967 goto leave; /* Not a prime. */
969 if (mpi_cmp( y, nminus1 ) )
970 goto leave; /* Not a prime. */
974 rc = 1; /* May be a prime. */
988 /* Given ARRAY of size N with M elements set to true produce a
989 modified array with the next permutation of M elements. Note, that
990 ARRAY is used in a one-bit-per-byte approach. To detected the last
991 permutation it is useful to initialize the array with the first M
992 element set to true and use this test:
993 m_out_of_n (array, m, n);
994 for (i = j = 0; i < n && j < m; i++)
1000 This code is based on the algorithm 452 from the "Collected
1001 Algorithms From ACM, Volume II" by C. N. Liu and D. T. Tang.
1004 m_out_of_n ( char *array, int m, int n )
1006 int i=0, i1=0, j=0, jp=0, j1=0, k1=0, k2=0;
1011 /* Need to handle this simple case separately. */
1014 for (i=0; i < n; i++ )
1029 for (j=1; j < n; j++ )
1031 if ( array[n-1] == array[n-j-1])
1058 else if( array[k2] && array[k2-1] )
1083 for (i=1; i <= jp; i++ )
1105 /* Now complement the two selected bits. */
1106 array[k1-1] = !array[k1-1];
1107 array[k2-1] = !array[k2-1];
1111 /* Generate a new prime number of PRIME_BITS bits and store it in
1112 PRIME. If FACTOR_BITS is non-zero, one of the prime factors of
1113 (prime - 1) / 2 must be FACTOR_BITS bits long. If FACTORS is
1114 non-zero, allocate a new, NULL-terminated array holding the prime
1115 factors and store it in FACTORS. FLAGS might be used to influence
1116 the prime number generation process. */
1118 gcry_prime_generate (gcry_mpi_t *prime, unsigned int prime_bits,
1119 unsigned int factor_bits, gcry_mpi_t **factors,
1120 gcry_prime_check_func_t cb_func, void *cb_arg,
1121 gcry_random_level_t random_level,
1124 gcry_err_code_t err = GPG_ERR_NO_ERROR;
1125 gcry_mpi_t *factors_generated = NULL;
1126 gcry_mpi_t prime_generated = NULL;
1127 unsigned int mode = 0;
1130 return gpg_error (GPG_ERR_INV_ARG);
1133 if (flags & GCRY_PRIME_FLAG_SPECIAL_FACTOR)
1137 err = prime_generate_internal ((mode==1), &prime_generated, prime_bits,
1139 factors? &factors_generated : NULL,
1140 random_level, flags, 1,
1146 /* Additional check. */
1147 if ( !cb_func (cb_arg, GCRY_PRIME_CHECK_AT_FINISH, prime_generated))
1149 /* Failed, deallocate resources. */
1152 mpi_free (prime_generated);
1155 for (i = 0; factors_generated[i]; i++)
1156 mpi_free (factors_generated[i]);
1157 gcry_free (factors_generated);
1159 err = GPG_ERR_GENERAL;
1166 *factors = factors_generated;
1167 *prime = prime_generated;
1170 return gcry_error (err);
1173 /* Check whether the number X is prime. */
1175 gcry_prime_check (gcry_mpi_t x, unsigned int flags)
1177 gcry_err_code_t err = GPG_ERR_NO_ERROR;
1178 gcry_mpi_t val_2 = mpi_alloc_set_ui (2); /* Used by the Fermat test. */
1182 /* We use 64 rounds because the prime we are going to test is not
1183 guaranteed to be a random one. */
1184 if (! check_prime (x, val_2, 64, NULL, NULL))
1185 err = GPG_ERR_NO_PRIME;
1189 return gcry_error (err);
1192 /* Find a generator for PRIME where the factorization of (prime-1) is
1193 in the NULL terminated array FACTORS. Return the generator as a
1194 newly allocated MPI in R_G. If START_G is not NULL, use this as s
1195 atart for the search. Returns 0 on success.*/
1197 gcry_prime_group_generator (gcry_mpi_t *r_g,
1198 gcry_mpi_t prime, gcry_mpi_t *factors,
1201 gcry_mpi_t tmp = gcry_mpi_new (0);
1202 gcry_mpi_t b = gcry_mpi_new (0);
1203 gcry_mpi_t pmin1 = gcry_mpi_new (0);
1204 gcry_mpi_t g = start_g? gcry_mpi_copy (start_g) : gcry_mpi_set_ui (NULL, 3);
1208 if (!factors || !r_g || !prime)
1209 return gpg_error (GPG_ERR_INV_ARG);
1212 for (n=0; factors[n]; n++)
1215 return gpg_error (GPG_ERR_INV_ARG);
1217 /* Extra sanity check - usually disabled. */
1218 /* mpi_set (tmp, factors[0]); */
1219 /* for(i = 1; i < n; i++) */
1220 /* mpi_mul (tmp, tmp, factors[i]); */
1221 /* mpi_add_ui (tmp, tmp, 1); */
1222 /* if (mpi_cmp (prime, tmp)) */
1223 /* return gpg_error (GPG_ERR_INV_ARG); */
1225 gcry_mpi_sub_ui (pmin1, prime, 1);
1231 gcry_mpi_add_ui (g, g, 1);
1235 log_debug ("checking g:");
1242 for (i = 0; i < n; i++)
1244 mpi_fdiv_q (tmp, pmin1, factors[i]);
1245 gcry_mpi_powm (b, g, tmp, prime);
1246 if (! mpi_cmp_ui (b, 1))
1254 gcry_mpi_release (tmp);
1255 gcry_mpi_release (b);
1256 gcry_mpi_release (pmin1);
1262 /* Convenience function to release the factors array. */
1264 gcry_prime_release_factors (gcry_mpi_t *factors)
1270 for (i=0; factors[i]; i++)
1271 mpi_free (factors[i]);
1272 gcry_free (factors);
1278 /* Helper for _gcry_derive_x931_prime. */
1280 find_x931_prime (const gcry_mpi_t pfirst)
1282 gcry_mpi_t val_2 = mpi_alloc_set_ui (2);
1285 prime = gcry_mpi_copy (pfirst);
1286 /* If P is even add 1. */
1287 mpi_set_bit (prime, 0);
1289 /* We use 64 Rabin-Miller rounds which is better and thus
1290 sufficient. We do not have a Lucas test implementaion thus we
1291 can't do it in the X9.31 preferred way of running a few
1292 Rabin-Miller followed by one Lucas test. */
1293 while ( !check_prime (prime, val_2, 64, NULL, NULL) )
1294 mpi_add_ui (prime, prime, 2);
1302 /* Generate a prime using the algorithm from X9.31 appendix B.4.
1304 This function requires that the provided public exponent E is odd.
1305 XP, XP1 and XP2 are the seed values. All values are mandatory.
1307 On success the prime is returned. If R_P1 or R_P2 are given the
1308 internal values P1 and P2 are saved at these addresses. On error
1309 NULL is returned. */
1311 _gcry_derive_x931_prime (const gcry_mpi_t xp,
1312 const gcry_mpi_t xp1, const gcry_mpi_t xp2,
1314 gcry_mpi_t *r_p1, gcry_mpi_t *r_p2)
1316 gcry_mpi_t p1, p2, p1p2, yp0;
1318 if (!xp || !xp1 || !xp2)
1320 if (!e || !mpi_test_bit (e, 0))
1321 return NULL; /* We support only odd values for E. */
1323 p1 = find_x931_prime (xp1);
1324 p2 = find_x931_prime (xp2);
1325 p1p2 = mpi_alloc_like (xp);
1326 mpi_mul (p1p2, p1, p2);
1331 /* r1 = (p2^{-1} mod p1)p2 - (p1^{-1} mod p2) */
1332 tmp = mpi_alloc_like (p1);
1333 mpi_invm (tmp, p2, p1);
1334 mpi_mul (tmp, tmp, p2);
1337 tmp = mpi_alloc_like (p2);
1338 mpi_invm (tmp, p1, p2);
1339 mpi_mul (tmp, tmp, p1);
1340 mpi_sub (r1, r1, tmp);
1342 /* Fixup a negative value. */
1343 if (mpi_is_neg (r1))
1344 mpi_add (r1, r1, p1p2);
1346 /* yp0 = xp + (r1 - xp mod p1*p2) */
1347 yp0 = tmp; tmp = NULL;
1348 mpi_subm (yp0, r1, xp, p1p2);
1349 mpi_add (yp0, yp0, xp);
1352 /* Fixup a negative value. */
1353 if (mpi_cmp (yp0, xp) < 0 )
1354 mpi_add (yp0, yp0, p1p2);
1357 /* yp0 is now the first integer greater than xp with p1 being a
1358 large prime factor of yp0-1 and p2 a large prime factor of yp0+1. */
1360 /* Note that the first example from X9.31 (D.1.1) which uses
1361 (Xq1 #1A5CF72EE770DE50CB09ACCEA9#)
1362 (Xq2 #134E4CAA16D2350A21D775C404#)
1363 (Xq #CC1092495D867E64065DEE3E7955F2EBC7D47A2D
1364 7C9953388F97DDDC3E1CA19C35CA659EDC2FC325
1365 6D29C2627479C086A699A49C4C9CEE7EF7BD1B34
1368 #CC1092495D867E64065DEE3E7955F2EBC7D47A2D
1369 7C9953388F97DDDC3E1CA19C35CA659EDC2FC4E3
1370 BF20CB896EE37E098A906313271422162CB6C642
1373 #CC1092495D867E64065DEE3E7955F2EBC7D47A2D
1374 7C9953388F97DDDC3E1CA19C35CA659EDC2FC2E6
1375 C88FE299D52D78BE405A97E01FD71DD7819ECB91
1377 as stated in the standard. This seems to be a bug in X9.31.
1381 gcry_mpi_t val_2 = mpi_alloc_set_ui (2);
1382 gcry_mpi_t gcdtmp = mpi_alloc_like (yp0);
1385 mpi_sub_ui (p1p2, p1p2, 1); /* Adjust for loop body. */
1386 mpi_sub_ui (yp0, yp0, 1); /* Ditto. */
1389 gcdres = gcry_mpi_gcd (gcdtmp, e, yp0);
1390 mpi_add_ui (yp0, yp0, 1);
1392 progress ('/'); /* gcd (e, yp0-1) != 1 */
1393 else if (check_prime (yp0, val_2, 64, NULL, NULL))
1395 /* We add p1p2-1 because yp0 is incremented after the gcd test. */
1396 mpi_add (yp0, yp0, p1p2);
1418 /* Generate the two prime used for DSA using the algorithm specified
1419 in FIPS 186-2. PBITS is the desired length of the prime P and a
1420 QBITS the length of the prime Q. If SEED is not supplied and
1421 SEEDLEN is 0 the function generates an appropriate SEED. On
1422 success the generated primes are stored at R_Q and R_P, the counter
1423 value is stored at R_COUNTER and the seed actually used for
1424 generation is stored at R_SEED and R_SEEDVALUE. */
1426 _gcry_generate_fips186_2_prime (unsigned int pbits, unsigned int qbits,
1427 const void *seed, size_t seedlen,
1428 gcry_mpi_t *r_q, gcry_mpi_t *r_p,
1430 void **r_seed, size_t *r_seedlen)
1433 unsigned char seed_help_buffer[160/8]; /* Used to hold a generated SEED. */
1434 unsigned char *seed_plus; /* Malloced buffer to hold SEED+x. */
1435 unsigned char digest[160/8]; /* Helper buffer for SHA-1 digest. */
1436 gcry_mpi_t val_2 = NULL; /* Helper for the prime test. */
1437 gcry_mpi_t tmpval = NULL; /* Helper variable. */
1440 unsigned char value_u[160/8];
1441 int value_n, value_b, value_k;
1443 gcry_mpi_t value_w = NULL;
1444 gcry_mpi_t value_x = NULL;
1445 gcry_mpi_t prime_q = NULL;
1446 gcry_mpi_t prime_p = NULL;
1448 /* FIPS 186-2 allows only for 1024/160 bit. */
1449 if (pbits != 1024 || qbits != 160)
1450 return GPG_ERR_INV_KEYLEN;
1452 if (!seed && !seedlen)
1453 ; /* No seed value given: We are asked to generate it. */
1454 else if (!seed || seedlen < qbits/8)
1455 return GPG_ERR_INV_ARG;
1457 /* Allocate a buffer to later compute SEED+some_increment. */
1458 seed_plus = gcry_malloc (seedlen < 20? 20:seedlen);
1461 ec = gpg_err_code_from_syserror ();
1465 val_2 = mpi_alloc_set_ui (2);
1466 value_n = (pbits - 1) / qbits;
1467 value_b = (pbits - 1) - value_n * qbits;
1468 value_w = gcry_mpi_new (pbits);
1469 value_x = gcry_mpi_new (pbits);
1475 /* Step 1: Generate a (new) seed unless one has been supplied. */
1478 seedlen = sizeof seed_help_buffer;
1479 gcry_create_nonce (seed_help_buffer, seedlen);
1480 seed = seed_help_buffer;
1483 /* Step 2: U = sha1(seed) ^ sha1((seed+1) mod 2^{qbits}) */
1484 memcpy (seed_plus, seed, seedlen);
1485 for (i=seedlen-1; i >= 0; i--)
1491 gcry_md_hash_buffer (GCRY_MD_SHA1, value_u, seed, seedlen);
1492 gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
1493 for (i=0; i < sizeof value_u; i++)
1494 value_u[i] ^= digest[i];
1496 /* Step 3: Form q from U */
1497 gcry_mpi_release (prime_q); prime_q = NULL;
1498 ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
1499 value_u, sizeof value_u, NULL));
1502 mpi_set_highbit (prime_q, qbits-1 );
1503 mpi_set_bit (prime_q, 0);
1505 /* Step 4: Test whether Q is prime using 64 round of Rabin-Miller. */
1506 if (check_prime (prime_q, val_2, 64, NULL, NULL))
1507 break; /* Yes, Q is prime. */
1510 seed = NULL; /* Force a new seed at Step 1. */
1513 /* Step 6. Note that we do no use an explicit offset but increment
1514 SEED_PLUS accordingly. SEED_PLUS is currently SEED+1. */
1518 prime_p = gcry_mpi_new (pbits);
1521 /* Step 7: For k = 0,...n let
1522 V_k = sha1(seed+offset+k) mod 2^{qbits}
1523 Step 8: W = V_0 + V_1*2^160 +
1525 + V_{n-1}*2^{(n-1)*160}
1526 + (V_{n} mod 2^b)*2^{n*160}
1528 mpi_set_ui (value_w, 0);
1529 for (value_k=0; value_k <= value_n; value_k++)
1531 /* There is no need to have an explicit offset variable: In
1532 the first round we shall have an offset of 2, this is
1533 achieved by using SEED_PLUS which is already at SEED+1,
1534 thus we just need to increment it once again. The
1535 requirement for the next round is to update offset by N,
1536 which we implictly did at the end of this loop, and then
1537 to add one; this one is the same as in the first round. */
1538 for (i=seedlen-1; i >= 0; i--)
1544 gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
1546 gcry_mpi_release (tmpval); tmpval = NULL;
1547 ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
1548 digest, sizeof digest, NULL));
1551 if (value_k == value_n)
1552 mpi_clear_highbit (tmpval, value_b); /* (V_n mod 2^b) */
1553 mpi_lshift (tmpval, tmpval, value_k*qbits);
1554 mpi_add (value_w, value_w, tmpval);
1557 /* Step 8 continued: X = W + 2^{L-1} */
1558 mpi_set_ui (value_x, 0);
1559 mpi_set_highbit (value_x, pbits-1);
1560 mpi_add (value_x, value_x, value_w);
1562 /* Step 9: c = X mod 2q, p = X - (c - 1) */
1563 mpi_mul_2exp (tmpval, prime_q, 1);
1564 mpi_mod (tmpval, value_x, tmpval);
1565 mpi_sub_ui (tmpval, tmpval, 1);
1566 mpi_sub (prime_p, value_x, tmpval);
1568 /* Step 10: If p < 2^{L-1} skip the primality test. */
1569 /* Step 11 and 12: Primality test. */
1570 if (mpi_get_nbits (prime_p) >= pbits-1
1571 && check_prime (prime_p, val_2, 64, NULL, NULL) )
1572 break; /* Yes, P is prime, continue with Step 15. */
1574 /* Step 13: counter = counter + 1, offset = offset + n + 1. */
1577 /* Step 14: If counter >= 2^12 goto Step 1. */
1578 if (counter >= 4096)
1582 /* Step 15: Save p, q, counter and seed. */
1583 /* log_debug ("fips186-2 pbits p=%u q=%u counter=%d\n", */
1584 /* mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter); */
1585 /* log_printhex("fips186-2 seed:", seed, seedlen); */
1586 /* log_mpidump ("fips186-2 prime p", prime_p); */
1587 /* log_mpidump ("fips186-2 prime q", prime_q); */
1599 *r_counter = counter;
1600 if (r_seed && r_seedlen)
1602 memcpy (seed_plus, seed, seedlen);
1603 *r_seed = seed_plus;
1605 *r_seedlen = seedlen;
1610 gcry_mpi_release (tmpval);
1611 gcry_mpi_release (value_x);
1612 gcry_mpi_release (value_w);
1613 gcry_mpi_release (prime_p);
1614 gcry_mpi_release (prime_q);
1615 gcry_free (seed_plus);
1616 gcry_mpi_release (val_2);
1622 /* WARNING: The code below has not yet been tested! However, it is
1623 not yet used. We need to wait for FIPS 186-3 final and for test
1626 Generate the two prime used for DSA using the algorithm specified
1627 in FIPS 186-3, A.1.1.2. PBITS is the desired length of the prime P
1628 and a QBITS the length of the prime Q. If SEED is not supplied and
1629 SEEDLEN is 0 the function generates an appropriate SEED. On
1630 success the generated primes are stored at R_Q and R_P, the counter
1631 value is stored at R_COUNTER and the seed actually used for
1632 generation is stored at R_SEED and R_SEEDVALUE. The hash algorithm
1633 used is stored at R_HASHALGO.
1635 Note that this function is very similar to the fips186_2 code. Due
1636 to the minor differences, other buffer sizes and for documentarion,
1637 we use a separate function.
1640 _gcry_generate_fips186_3_prime (unsigned int pbits, unsigned int qbits,
1641 const void *seed, size_t seedlen,
1642 gcry_mpi_t *r_q, gcry_mpi_t *r_p,
1644 void **r_seed, size_t *r_seedlen,
1648 unsigned char seed_help_buffer[256/8]; /* Used to hold a generated SEED. */
1649 unsigned char *seed_plus; /* Malloced buffer to hold SEED+x. */
1650 unsigned char digest[256/8]; /* Helper buffer for SHA-1 digest. */
1651 gcry_mpi_t val_2 = NULL; /* Helper for the prime test. */
1652 gcry_mpi_t tmpval = NULL; /* Helper variable. */
1653 int hashalgo; /* The id of the Approved Hash Function. */
1656 unsigned char value_u[256/8];
1657 int value_n, value_b, value_j;
1659 gcry_mpi_t value_w = NULL;
1660 gcry_mpi_t value_x = NULL;
1661 gcry_mpi_t prime_q = NULL;
1662 gcry_mpi_t prime_p = NULL;
1664 gcry_assert (sizeof seed_help_buffer == sizeof digest
1665 && sizeof seed_help_buffer == sizeof value_u);
1667 /* Step 1: Check the requested prime lengths. */
1668 /* Note that due to the size of our buffers QBITS is limited to 256. */
1669 if (pbits == 1024 && qbits == 160)
1670 hashalgo = GCRY_MD_SHA1;
1671 else if (pbits == 2048 && qbits == 224)
1672 hashalgo = GCRY_MD_SHA224;
1673 else if (pbits == 2048 && qbits == 256)
1674 hashalgo = GCRY_MD_SHA256;
1675 else if (pbits == 3072 && qbits == 256)
1676 hashalgo = GCRY_MD_SHA256;
1678 return GPG_ERR_INV_KEYLEN;
1680 /* Also check that the hash algorithm is available. */
1681 ec = gpg_err_code (gcry_md_test_algo (hashalgo));
1684 gcry_assert (qbits/8 <= sizeof digest);
1685 gcry_assert (gcry_md_get_algo_dlen (hashalgo) == qbits/8);
1688 /* Step 2: Check seedlen. */
1689 if (!seed && !seedlen)
1690 ; /* No seed value given: We are asked to generate it. */
1691 else if (!seed || seedlen < qbits/8)
1692 return GPG_ERR_INV_ARG;
1694 /* Allocate a buffer to later compute SEED+some_increment and a few
1695 helper variables. */
1696 seed_plus = gcry_malloc (seedlen < sizeof seed_help_buffer?
1697 sizeof seed_help_buffer : seedlen);
1700 ec = gpg_err_code_from_syserror ();
1703 val_2 = mpi_alloc_set_ui (2);
1704 value_w = gcry_mpi_new (pbits);
1705 value_x = gcry_mpi_new (pbits);
1707 /* Step 3: n = \lceil L / outlen \rceil - 1 */
1708 value_n = (pbits + qbits - 1) / qbits - 1;
1709 /* Step 4: b = L - 1 - (n * outlen) */
1710 value_b = pbits - 1 - (value_n * qbits);
1716 /* Step 5: Generate a (new) seed unless one has been supplied. */
1720 gcry_assert (seedlen <= sizeof seed_help_buffer);
1721 gcry_create_nonce (seed_help_buffer, seedlen);
1722 seed = seed_help_buffer;
1725 /* Step 6: U = hash(seed) */
1726 gcry_md_hash_buffer (hashalgo, value_u, seed, seedlen);
1728 /* Step 7: q = 2^{N-1} + U + 1 - (U mod 2) */
1729 if ( !(value_u[qbits/8-1] & 0x01) )
1731 for (i=qbits/8-1; i >= 0; i--)
1738 gcry_mpi_release (prime_q); prime_q = NULL;
1739 ec = gpg_err_code (gcry_mpi_scan (&prime_q, GCRYMPI_FMT_USG,
1740 value_u, sizeof value_u, NULL));
1743 mpi_set_highbit (prime_q, qbits-1 );
1745 /* Step 8: Test whether Q is prime using 64 round of Rabin-Miller.
1746 According to table C.1 this is sufficient for all
1747 supported prime sizes (i.e. up 3072/256). */
1748 if (check_prime (prime_q, val_2, 64, NULL, NULL))
1749 break; /* Yes, Q is prime. */
1752 seed = NULL; /* Force a new seed at Step 5. */
1755 /* Step 11. Note that we do no use an explicit offset but increment
1756 SEED_PLUS accordingly. */
1757 memcpy (seed_plus, seed, seedlen);
1761 prime_p = gcry_mpi_new (pbits);
1764 /* Step 11.1: For j = 0,...n let
1765 V_j = hash(seed+offset+j)
1766 Step 11.2: W = V_0 + V_1*2^outlen +
1768 + V_{n-1}*2^{(n-1)*outlen}
1769 + (V_{n} mod 2^b)*2^{n*outlen}
1771 mpi_set_ui (value_w, 0);
1772 for (value_j=0; value_j <= value_n; value_j++)
1774 /* There is no need to have an explicit offset variable: In
1775 the first round we shall have an offset of 1 and a j of
1776 0. This is achieved by incrementing SEED_PLUS here. For
1777 the next round offset is implicitly updated by using
1779 for (i=seedlen-1; i >= 0; i--)
1785 gcry_md_hash_buffer (GCRY_MD_SHA1, digest, seed_plus, seedlen);
1787 gcry_mpi_release (tmpval); tmpval = NULL;
1788 ec = gpg_err_code (gcry_mpi_scan (&tmpval, GCRYMPI_FMT_USG,
1789 digest, sizeof digest, NULL));
1792 if (value_j == value_n)
1793 mpi_clear_highbit (tmpval, value_b); /* (V_n mod 2^b) */
1794 mpi_lshift (tmpval, tmpval, value_j*qbits);
1795 mpi_add (value_w, value_w, tmpval);
1798 /* Step 11.3: X = W + 2^{L-1} */
1799 mpi_set_ui (value_x, 0);
1800 mpi_set_highbit (value_x, pbits-1);
1801 mpi_add (value_x, value_x, value_w);
1803 /* Step 11.4: c = X mod 2q */
1804 mpi_mul_2exp (tmpval, prime_q, 1);
1805 mpi_mod (tmpval, value_x, tmpval);
1807 /* Step 11.5: p = X - (c - 1) */
1808 mpi_sub_ui (tmpval, tmpval, 1);
1809 mpi_sub (prime_p, value_x, tmpval);
1811 /* Step 11.6: If p < 2^{L-1} skip the primality test. */
1812 /* Step 11.7 and 11.8: Primality test. */
1813 if (mpi_get_nbits (prime_p) >= pbits-1
1814 && check_prime (prime_p, val_2, 64, NULL, NULL) )
1815 break; /* Yes, P is prime, continue with Step 15. */
1817 /* Step 11.9: counter = counter + 1, offset = offset + n + 1.
1818 If counter >= 4L goto Step 5. */
1820 if (counter >= 4*pbits)
1824 /* Step 12: Save p, q, counter and seed. */
1825 log_debug ("fips186-3 pbits p=%u q=%u counter=%d\n",
1826 mpi_get_nbits (prime_p), mpi_get_nbits (prime_q), counter);
1827 log_printhex("fips186-3 seed:", seed, seedlen);
1828 log_mpidump ("fips186-3 prime p", prime_p);
1829 log_mpidump ("fips186-3 prime q", prime_q);
1841 *r_counter = counter;
1842 if (r_seed && r_seedlen)
1844 memcpy (seed_plus, seed, seedlen);
1845 *r_seed = seed_plus;
1847 *r_seedlen = seedlen;
1850 *r_hashalgo = hashalgo;
1853 gcry_mpi_release (tmpval);
1854 gcry_mpi_release (value_x);
1855 gcry_mpi_release (value_w);
1856 gcry_mpi_release (prime_p);
1857 gcry_mpi_release (prime_q);
1858 gcry_free (seed_plus);
1859 gcry_mpi_release (val_2);
projects / libgcrypt.git / blob