authorUlf Möller <ulf@openssl.org>2000-01-22 20:05:23 +0000
committerUlf Möller <ulf@openssl.org>2000-01-22 20:05:23 +0000
commit4486d0cd7a715aed7ca3728aa24413d91666bb68 (patch)
tree36342c32d8bd73c31ea5e3d33e9ee7796bab873c /crypto
parent09483c58e3b21841d2761ce90b1f12b24f814881 (diff)
downloadopenssl-4486d0cd7a715aed7ca3728aa24413d91666bb68.tar.gz
Document the DH library, and make some minor changes along the way.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/bn/bn.h19
-rw-r--r--crypto/bn/bn_prime.c35
-rw-r--r--crypto/dh/dh.h8
-rw-r--r--crypto/dh/dh_check.c14
-rw-r--r--crypto/dh/dh_gen.c6
-rw-r--r--crypto/mem_dbg.c2
-rw-r--r--crypto/rsa/rsa_chk.c4
7 files changed, 51 insertions, 37 deletions
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index dd1d263098..f803f0fea1 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -283,23 +283,8 @@ typedef struct bn_recp_ctx_st
#define BN_to_montgomery(r,a,mont,ctx) BN_mod_mul_montgomery(\
r,a,&((mont)->RR),(mont),ctx)
-/* number of Miller-Rabin iterations for an error rate of less than 2^-80
- * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
- * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
- * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
- * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
-#define BN_prime_checks(b) ((b) >= 1300 ? 2 : \
- (b) >= 850 ? 3 : \
- (b) >= 650 ? 4 : \
- (b) >= 550 ? 5 : \
- (b) >= 450 ? 6 : \
- (b) >= 400 ? 7 : \
- (b) >= 350 ? 8 : \
- (b) >= 300 ? 9 : \
- (b) >= 250 ? 12 : \
- (b) >= 200 ? 15 : \
- (b) >= 150 ? 18 : \
- /* b >= 100 */ 27)
+#define BN_prime_checks 0 /* default: select number of iterations
+ based on the size of the number */
#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
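Review bot: Changing `BN_prime_checks` from a function-like to an object-like macro at `#define BN_prime_checks 0` is a source-incompatible change: any caller still written as `BN_prime_checks(BN_num_bits(x))` now expands to `0(...)` and fails to compile, and since the diffstat is limited to crypto/, callers under apps/ or in third-party code are not visibly converted here, so the break deserves a CHANGES entry. The replacement comment also drops the one security-relevant fact the old comment carried, namely that the per-size iteration counts give 2^-80 only for random candidates; I would say so at the public definition, e.g. `/* BN_is_prime(): 0 selects an iteration count that meets 2^-80 only for randomly generated candidates; pass an explicit, larger count when checking numbers supplied by an untrusted party */`.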
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index f4f596a481..f82cc1f605 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -62,12 +62,30 @@
#include "bn_lcl.h"
#include <openssl/rand.h>
-/* The quick seive algorithm approach to weeding out primes is
+/* The quick sieve algorithm approach to weeding out primes is
* Philip Zimmermann's, as implemented in PGP. I have had a read of
* his comments and implemented my own version.
*/
#include "bn_prime.h"
+/* number of Miller-Rabin iterations for an error rate of less than 2^-80
+ * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
+ * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
+ * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \
+ (b) >= 850 ? 3 : \
+ (b) >= 650 ? 4 : \
+ (b) >= 550 ? 5 : \
+ (b) >= 450 ? 6 : \
+ (b) >= 400 ? 7 : \
+ (b) >= 350 ? 8 : \
+ (b) >= 300 ? 9 : \
+ (b) >= 250 ? 12 : \
+ (b) >= 200 ? 15 : \
+ (b) >= 150 ? 18 : \
+ /* b >= 100 */ 27)
+
static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx,BN_CTX *ctx2,
BN_MONT_CTX *mont);
static int probable_prime(BIGNUM *rnd, int bits);
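Review bot: `BN_prime_checks_size(b)` evaluates its argument up to eleven times and is only reachable inside this file, so a `static int prime_checks_for_bits(int b)` holding the same ternary chain would be type-checked and free of the multiple-evaluation hazard if a caller ever passes an expression with side effects. The comment's "for random 'b'-bit input" caveat is the important property of this table and should be spelled out as a warning rather than a parenthetical, e.g. `/* NOTE: these counts are NOT sufficient for adversarially chosen composites; they apply only to candidates drawn at random, as in BN_generate_prime. */`, since the same table is now selected by default from BN_is_prime for whatever the caller passes in.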
@@ -81,9 +99,10 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
{
BIGNUM *rnd=NULL;
BIGNUM t;
+ int found=0;
int i,j,c1=0;
BN_CTX *ctx;
- int checks = BN_prime_checks(bits);
+ int checks = BN_prime_checks_size(bits);
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
@@ -145,12 +164,12 @@ loop:
}
}
/* we have a prime :-) */
- ret=rnd;
+ found = 1;
err:
- if ((ret == NULL) && (rnd != NULL)) BN_free(rnd);
+ if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
BN_free(&t);
if (ctx != NULL) BN_CTX_free(ctx);
- return(ret);
+ return(found ? rnd : NULL);
}
int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *),
@@ -161,6 +180,12 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *),
BN_CTX *ctx=NULL,*ctx2=NULL;
BN_MONT_CTX *mont=NULL;
+ if (checks == BN_prime_checks)
+ {
+ int bits = BN_num_bits(a);
+ checks = BN_prime_checks_size(bits);
+ }
+
if (!BN_is_odd(a))
return(0);
if (ctx_passed != NULL)
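Review bot: The default selected at `checks = BN_prime_checks_size(bits)` inherits a bound that the table's own comment restricts to random inputs, but BN_is_prime is now called with `BN_prime_checks` from DH_check and RSA_check_key on values that may originate outside the process, where a composite constructed to have few Miller-Rabin witnesses can survive two to nine rounds. The function's contract should state this so callers choose deliberately; proposed comment above the new block: `/* checks == BN_prime_checks picks a round count tuned for randomly generated candidates (2^-80 error). Callers checking externally supplied numbers must pass an explicit, larger count. */`. It would also be worth stating what a negative `checks` means, since only the value 0 is intercepted here. BN_is_prime's body continues beyond this hunk.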
diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
index 5d17a27a2a..c96cdde968 100644
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -98,7 +98,7 @@ struct dh_st
BIGNUM *p;
BIGNUM *g;
int length; /* optional */
- BIGNUM *pub_key; /* y */
+ BIGNUM *pub_key; /* g^x */
BIGNUM *priv_key; /* x */
int flags;
@@ -121,10 +121,14 @@ struct dh_st
/* DH_check error codes */
#define DH_CHECK_P_NOT_PRIME 0x01
-#define DH_CHECK_P_NOT_STRONG_PRIME 0x02
+#define DH_CHECK_P_NOT_SAFE_PRIME 0x02
#define DH_UNABLE_TO_CHECK_GENERATOR 0x04
#define DH_NOT_SUITABLE_GENERATOR 0x08
+/* primes p where (p-1)/2 is prime too are called "safe"; we define
+ this for backward compatibility: */
+#define DH_CHECK_P_NOT_STRONG_PRIME DH_CHECK_P_NOT_SAFE_PRIME
+
#define DHparams_dup(x) (DH *)ASN1_dup((int (*)())i2d_DHparams, \
(char *(*)())d2i_DHparams,(char *)(x))
#define d2i_DHparams_fp(fp,x) (DH *)ASN1_d2i_fp((char *(*)())DH_new, \
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index a2e7433b9c..7e5cfd8bfc 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -61,7 +61,7 @@
#include <openssl/bn.h>
#include <openssl/dh.h>
-/* Check that p is a strong prime and
+/* Check that p is a safe prime and
* if g is 2, 3 or 5, check that is is a suitable generator
* where
* for 2, p mod 24 == 11
@@ -88,11 +88,13 @@ int DH_check(DH *dh, int *ret)
l=BN_mod_word(dh->p,24);
if (l != 11) *ret|=DH_NOT_SUITABLE_GENERATOR;
}
-/* else if (BN_is_word(dh->g,DH_GENERATOR_3))
+#if 0
+ else if (BN_is_word(dh->g,DH_GENERATOR_3))
{
l=BN_mod_word(dh->p,12);
if (l != 5) *ret|=DH_NOT_SUITABLE_GENERATOR;
- }*/
+ }
+#endif
else if (BN_is_word(dh->g,DH_GENERATOR_5))
{
l=BN_mod_word(dh->p,10);
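Review bot: Replacing the commented-out generator-3 branch with `#if 0` keeps dead code in DH_check without saying why it is dead; the reason is only recorded in dh_gen.c ("does not work for safe primes"). Either delete the branch or annotate the guard so the next reader does not re-enable it, e.g. `#if 0 /* p mod 12 == 5 cannot hold for a safe prime; g == 3 falls through to DH_UNABLE_TO_CHECK_GENERATOR */`. DH_check's body starts before and continues after this hunk.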
@@ -102,13 +104,13 @@ int DH_check(DH *dh, int *ret)
else
*ret|=DH_UNABLE_TO_CHECK_GENERATOR;
- if (!BN_is_prime(dh->p,BN_prime_checks(BN_num_bits(dh->p)),NULL,ctx,NULL))
+ if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
*ret|=DH_CHECK_P_NOT_PRIME;
else
{
if (!BN_rshift1(q,dh->p)) goto err;
- if (!BN_is_prime(q,BN_prime_checks(BN_num_bits(q)),NULL,ctx,NULL))
- *ret|=DH_CHECK_P_NOT_STRONG_PRIME;
+ if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
+ *ret|=DH_CHECK_P_NOT_SAFE_PRIME;
}
ok=1;
err:
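Review bot: Both calls now pass `BN_prime_checks`, which selects the size-based round count whose 2^-80 bound (per the table comment in bn_prime.c) holds only for randomly generated candidates, yet `dh->p` in DH_check is exactly the kind of value a peer may hand over, so a crafted composite p could pass with a handful of rounds; for untrusted input use an explicit count, e.g. 40 rounds, which gives at most 4^-40 = 2^-80 under the worst-case 1/4-per-round bound assuming random bases (base selection is not visible in this diff). Separately, `if (!BN_is_prime(...))` treats every non-zero return as prime; the `if (r != 1)` handling in rsa_chk.c in this same commit suggests BN_is_prime can return a value other than 0/1, presumably -1 on internal error, in which case an allocation failure here would silently mark p as prime instead of failing the check. The rewrite below needs an `int r` declared at the top of DH_check, which starts outside this hunk.
```c
	/* p and q may be peer-supplied: do not rely on the random-input
	 * iteration table; 40 rounds gives <= 2^-80 for any composite
	 * (assuming the witness bases are chosen at random) */
	r = BN_is_prime(dh->p, 40, NULL, ctx, NULL);
	if (r < 0) goto err;             /* internal error, not "prime" */
	if (r == 0)
		*ret|=DH_CHECK_P_NOT_PRIME;
	else
		{
		if (!BN_rshift1(q,dh->p)) goto err;
		r = BN_is_prime(q, 40, NULL, ctx, NULL);
		if (r < 0) goto err;
		if (r == 0)
			*ret|=DH_CHECK_P_NOT_SAFE_PRIME;
		}
	ok=1;
```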
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index b7bcd2c7a4..f0ee43ed87 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -72,14 +72,14 @@
* Having said all that,
* there is another special case method for the generators 2, 3 and 5.
* for 2, p mod 24 == 11
- * for 3, p mod 12 == 5 <<<<< does not work for strong primes.
+ * for 3, p mod 12 == 5 <<<<< does not work for safe primes.
* for 5, p mod 10 == 3 or 7
*
* Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
* special generators and for answering some of my questions.
*
* I've implemented the second simple method :-).
- * Since DH should be using a strong prime (both p and q are prime),
+ * Since DH should be using a safe prime (both p and q are prime),
* this generator function can take a very very long time to run.
*/
@@ -105,7 +105,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
BN_set_word(t2,11);
g=2;
}
-#ifdef undef /* does not work for strong primes */
+#ifdef undef /* does not work for safe primes */
else if (generator == DH_GENERATOR_3)
{
BN_set_word(t1,12);
diff --git a/crypto/mem_dbg.c b/crypto/mem_dbg.c
index d084b8c6ca..f3ad5ff235 100644
--- a/crypto/mem_dbg.c
+++ b/crypto/mem_dbg.c
@@ -667,8 +667,6 @@ union void_fn_to_char_u
void (*fn_p)();
};
-static void (*mem_cb)()=NULL;
-
static void cb_leak(MEM *m, char *cb)
{
union void_fn_to_char_u mem_callback;
diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c
index 03497f8463..91b9115798 100644
--- a/crypto/rsa/rsa_chk.c
+++ b/crypto/rsa/rsa_chk.c
@@ -75,7 +75,7 @@ int RSA_check_key(RSA *key)
}
/* p prime? */
- r = BN_is_prime(key->p, BN_prime_checks(BN_num_bits(key->p)), NULL, NULL, NULL);
+ r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
if (r != 1)
{
ret = r;
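Review bot: `BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL)` now uses the round count tuned for random candidates, which is fine for a key this library generated but gives weaker assurance when RSA_check_key is used to vet a key file received from elsewhere, since the table's bound does not cover adversarially chosen composites; a short comment here, or an explicit larger count when the key is untrusted, would make that trade-off visible. Passing NULL for the context on both calls presumably makes BN_is_prime allocate its own BN_CTX each time (`ctx_passed` is checked in bn_prime.c); the two calls could share one. RSA_check_key starts before and continues after this hunk.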
@@ -85,7 +85,7 @@ int RSA_check_key(RSA *key)
}
/* q prime? */
- r = BN_is_prime(key->q, BN_prime_checks(BN_num_bits(key->q)), NULL, NULL, NULL);
+ r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
if (r != 1)
{
ret = r;