MercurialSymaptic / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | raw
| help
os/ossrv/ssl/libcrypto/src/crypto/rsa/rsa_gen.c
changeset 0 bde4ae8d615e
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/os/ossrv/ssl/libcrypto/src/crypto/rsa/rsa_gen.c	Fri Jun 15 03:10:57 2012 +0200
     1.3 @@ -0,0 +1,218 @@
     1.4 +/* crypto/rsa/rsa_gen.c */
     1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
     1.6 + * All rights reserved.
     1.7 + *
     1.8 + * This package is an SSL implementation written
     1.9 + * by Eric Young (eay@cryptsoft.com).
    1.10 + * The implementation was written so as to conform with Netscapes SSL.
    1.11 + * 
    1.12 + * This library is free for commercial and non-commercial use as long as
    1.13 + * the following conditions are aheared to.  The following conditions
    1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
    1.15 + * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
    1.16 + * included with this distribution is covered by the same copyright terms
    1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
    1.18 + * 
    1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
    1.20 + * the code are not to be removed.
    1.21 + * If this package is used in a product, Eric Young should be given attribution
    1.22 + * as the author of the parts of the library used.
    1.23 + * This can be in the form of a textual message at program startup or
    1.24 + * in documentation (online or textual) provided with the package.
    1.25 + * 
    1.26 + * Redistribution and use in source and binary forms, with or without
    1.27 + * modification, are permitted provided that the following conditions
    1.28 + * are met:
    1.29 + * 1. Redistributions of source code must retain the copyright
    1.30 + *    notice, this list of conditions and the following disclaimer.
    1.31 + * 2. Redistributions in binary form must reproduce the above copyright
    1.32 + *    notice, this list of conditions and the following disclaimer in the
    1.33 + *    documentation and/or other materials provided with the distribution.
    1.34 + * 3. All advertising materials mentioning features or use of this software
    1.35 + *    must display the following acknowledgement:
    1.36 + *    "This product includes cryptographic software written by
    1.37 + *     Eric Young (eay@cryptsoft.com)"
    1.38 + *    The word 'cryptographic' can be left out if the rouines from the library
    1.39 + *    being used are not cryptographic related :-).
    1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from 
    1.41 + *    the apps directory (application code) you must include an acknowledgement:
    1.42 + *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
    1.43 + * 
    1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
    1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    1.47 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    1.54 + * SUCH DAMAGE.
    1.55 + * 
    1.56 + * The licence and distribution terms for any publically available version or
    1.57 + * derivative of this code cannot be changed.  i.e. this code cannot simply be
    1.58 + * copied and put under another distribution licence
    1.59 + * [including the GNU Public Licence.]
    1.60 + */
    1.61 +
    1.62 +
    1.63 +/* NB: these functions have been "upgraded", the deprecated versions (which are
    1.64 + * compatibility wrappers using these functions) are in rsa_depr.c.
    1.65 + * - Geoff
    1.66 + */
    1.67 +
    1.68 +#include <stdio.h>
    1.69 +#include <time.h>
    1.70 +#include "cryptlib.h"
    1.71 +#include <openssl/bn.h>
    1.72 +#include <openssl/rsa.h>
    1.73 +
    1.74 +static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
    1.75 +
    1.76 +/* NB: this wrapper would normally be placed in rsa_lib.c and the static
    1.77 + * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
    1.78 + * that we don't introduce a new linker dependency. Eg. any application that
    1.79 + * wasn't previously linking object code related to key-generation won't have to
    1.80 + * now just because key-generation is part of RSA_METHOD. */
    1.81 +EXPORT_C int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
    1.82 +	{
    1.83 +	if(rsa->meth->rsa_keygen)
    1.84 +		return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
    1.85 +	return rsa_builtin_keygen(rsa, bits, e_value, cb);
    1.86 +	}
    1.87 +
    1.88 +static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
    1.89 +	{
    1.90 +	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
    1.91 +	BIGNUM local_r0,local_d,local_p;
    1.92 +	BIGNUM *pr0,*d,*p;
    1.93 +	int bitsp,bitsq,ok= -1,n=0;
    1.94 +	BN_CTX *ctx=NULL;
    1.95 +
    1.96 +	ctx=BN_CTX_new();
    1.97 +	if (ctx == NULL) goto err;
    1.98 +	BN_CTX_start(ctx);
    1.99 +	r0 = BN_CTX_get(ctx);
   1.100 +	r1 = BN_CTX_get(ctx);
   1.101 +	r2 = BN_CTX_get(ctx);
   1.102 +	r3 = BN_CTX_get(ctx);
   1.103 +	if (r3 == NULL) goto err;
   1.104 +
   1.105 +	bitsp=(bits+1)/2;
   1.106 +	bitsq=bits-bitsp;
   1.107 +
   1.108 +	/* We need the RSA components non-NULL */
   1.109 +	if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
   1.110 +	if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
   1.111 +	if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
   1.112 +	if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
   1.113 +	if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
   1.114 +	if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
   1.115 +	if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
   1.116 +	if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
   1.117 +
   1.118 +	BN_copy(rsa->e, e_value);
   1.119 +
   1.120 +	/* generate p and q */
   1.121 +	for (;;)
   1.122 +		{
   1.123 +		if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
   1.124 +			goto err;
   1.125 +		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
   1.126 +		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
   1.127 +		if (BN_is_one(r1)) break;
   1.128 +		if(!BN_GENCB_call(cb, 2, n++))
   1.129 +			goto err;
   1.130 +		}
   1.131 +	if(!BN_GENCB_call(cb, 3, 0))
   1.132 +		goto err;
   1.133 +	for (;;)
   1.134 +		{
   1.135 +		/* When generating ridiculously small keys, we can get stuck
   1.136 +		 * continually regenerating the same prime values. Check for
   1.137 +		 * this and bail if it happens 3 times. */
   1.138 +		unsigned int degenerate = 0;
   1.139 +		do
   1.140 +			{
   1.141 +			if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
   1.142 +				goto err;
   1.143 +			} while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
   1.144 +		if(degenerate == 3)
   1.145 +			{
   1.146 +			ok = 0; /* we set our own err */
   1.147 +			RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
   1.148 +			goto err;
   1.149 +			}
   1.150 +		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
   1.151 +		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
   1.152 +		if (BN_is_one(r1))
   1.153 +			break;
   1.154 +		if(!BN_GENCB_call(cb, 2, n++))
   1.155 +			goto err;
   1.156 +		}
   1.157 +	if(!BN_GENCB_call(cb, 3, 1))
   1.158 +		goto err;
   1.159 +	if (BN_cmp(rsa->p,rsa->q) < 0)
   1.160 +		{
   1.161 +		tmp=rsa->p;
   1.162 +		rsa->p=rsa->q;
   1.163 +		rsa->q=tmp;
   1.164 +		}
   1.165 +
   1.166 +	/* calculate n */
   1.167 +	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
   1.168 +
   1.169 +	/* calculate d */
   1.170 +	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;	/* p-1 */
   1.171 +	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;	/* q-1 */
   1.172 +	if (!BN_mul(r0,r1,r2,ctx)) goto err;	/* (p-1)(q-1) */
   1.173 +	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
   1.174 +		{
   1.175 +		  pr0 = &local_r0;
   1.176 +		  BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
   1.177 +		}
   1.178 +	else
   1.179 +	  pr0 = r0;
   1.180 +	if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err;	/* d */
   1.181 +
   1.182 +	/* set up d for correct BN_FLG_CONSTTIME flag */
   1.183 +	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
   1.184 +		{
   1.185 +		d = &local_d;
   1.186 +		BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
   1.187 +		}
   1.188 +	else
   1.189 +		d = rsa->d;
   1.190 +	/* calculate d mod (p-1) */
   1.191 +	if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
   1.192 +
   1.193 +	/* calculate d mod (q-1) */
   1.194 +	if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
   1.195 +
   1.196 +	/* calculate inverse of q mod p */
   1.197 +	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
   1.198 +		{
   1.199 +		p = &local_p;
   1.200 +		BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
   1.201 +		}
   1.202 +	else
   1.203 +		p = rsa->p;
   1.204 +	if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
   1.205 +
   1.206 +	ok=1;
   1.207 +err:
   1.208 +	if (ok == -1)
   1.209 +		{
   1.210 +		RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
   1.211 +		ok=0;
   1.212 +		}
   1.213 +	if (ctx != NULL)
   1.214 +		{
   1.215 +		BN_CTX_end(ctx);
   1.216 +		BN_CTX_free(ctx);
   1.217 +		}
   1.218 +
   1.219 +	return ok;
   1.220 +	}
   1.221 +
Symaptic