/src/botan/src/lib/math/numbertheory/dsa_gen.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * DSA Parameter Generation |
3 | | * (C) 1999-2007 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/internal/primality.h> |
9 | | |
10 | | #include <botan/hash.h> |
11 | | #include <botan/numthry.h> |
12 | | #include <botan/reducer.h> |
13 | | #include <botan/rng.h> |
14 | | #include <botan/internal/fmt.h> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | | namespace { |
19 | | |
20 | | /* |
21 | | * Check if this size is allowed by FIPS 186-3 |
22 | | */ |
23 | 0 | bool fips186_3_valid_size(size_t pbits, size_t qbits) { |
24 | 0 | if(qbits == 160) { |
25 | 0 | return (pbits == 1024); |
26 | 0 | } |
27 | | |
28 | 0 | if(qbits == 224) { |
29 | 0 | return (pbits == 2048); |
30 | 0 | } |
31 | | |
32 | 0 | if(qbits == 256) { |
33 | 0 | return (pbits == 2048 || pbits == 3072); |
34 | 0 | } |
35 | | |
36 | 0 | return false; |
37 | 0 | } |
38 | | |
39 | | // qbits assumed to be a valid size for FIPS param gen |
40 | 0 | std::string hash_function_for(size_t qbits) { |
41 | 0 | if(qbits == 160) { |
42 | 0 | return "SHA-1"; |
43 | 0 | } |
44 | | |
45 | 0 | return "SHA-" + std::to_string(qbits); |
46 | 0 | } |
47 | | |
48 | | } // namespace |
49 | | |
50 | | /* |
51 | | * Attempt DSA prime generation with given seed |
52 | | */ |
53 | | bool generate_dsa_primes(RandomNumberGenerator& rng, |
54 | | BigInt& p, |
55 | | BigInt& q, |
56 | | size_t pbits, |
57 | | size_t qbits, |
58 | | const std::vector<uint8_t>& seed_c, |
59 | 0 | size_t offset) { |
60 | 0 | if(!fips186_3_valid_size(pbits, qbits)) { |
61 | 0 | throw Invalid_Argument(fmt("FIPS 186-3 does not allow DSA domain parameters of {}/{} bits long", pbits, qbits)); |
62 | 0 | } |
63 | | |
64 | 0 | if(seed_c.size() * 8 < qbits) { |
65 | 0 | throw Invalid_Argument( |
66 | 0 | fmt("Generating a DSA parameter set with a {} bit long q requires a seed at least as many bits long", qbits)); |
67 | 0 | } |
68 | | |
69 | 0 | const std::string hash_name = hash_function_for(qbits); |
70 | 0 | auto hash = HashFunction::create_or_throw(hash_name); |
71 | |
|
72 | 0 | const size_t HASH_SIZE = hash->output_length(); |
73 | |
|
74 | 0 | class Seed final { |
75 | 0 | public: |
76 | 0 | explicit Seed(const std::vector<uint8_t>& s) : m_seed(s) {} |
77 | |
|
78 | 0 | const std::vector<uint8_t>& value() const { return m_seed; } |
79 | |
|
80 | 0 | Seed& operator++() { |
81 | 0 | for(size_t j = m_seed.size(); j > 0; --j) { |
82 | 0 | if(++m_seed[j - 1]) { |
83 | 0 | break; |
84 | 0 | } |
85 | 0 | } |
86 | 0 | return (*this); |
87 | 0 | } |
88 | |
|
89 | 0 | private: |
90 | 0 | std::vector<uint8_t> m_seed; |
91 | 0 | }; |
92 | |
|
93 | 0 | Seed seed(seed_c); |
94 | |
|
95 | 0 | q._assign_from_bytes(hash->process(seed.value())); |
96 | 0 | q.set_bit(qbits - 1); |
97 | 0 | q.set_bit(0); |
98 | |
|
99 | 0 | if(!is_prime(q, rng, 128, true)) { |
100 | 0 | return false; |
101 | 0 | } |
102 | | |
103 | 0 | const size_t n = (pbits - 1) / (HASH_SIZE * 8), b = (pbits - 1) % (HASH_SIZE * 8); |
104 | |
|
105 | 0 | BigInt X; |
106 | 0 | std::vector<uint8_t> V(HASH_SIZE * (n + 1)); |
107 | |
|
108 | 0 | Modular_Reducer mod_2q(2 * q); |
109 | |
|
110 | 0 | for(size_t j = 0; j != 4 * pbits; ++j) { |
111 | 0 | for(size_t k = 0; k <= n; ++k) { |
112 | 0 | ++seed; |
113 | 0 | hash->update(seed.value()); |
114 | 0 | hash->final(&V[HASH_SIZE * (n - k)]); |
115 | 0 | } |
116 | |
|
117 | 0 | if(j >= offset) { |
118 | 0 | X._assign_from_bytes(std::span{V}.subspan(HASH_SIZE - 1 - b / 8)); |
119 | 0 | X.set_bit(pbits - 1); |
120 | |
|
121 | 0 | p = X - (mod_2q.reduce(X) - 1); |
122 | |
|
123 | 0 | if(p.bits() == pbits && is_prime(p, rng, 128, true)) { |
124 | 0 | return true; |
125 | 0 | } |
126 | 0 | } |
127 | 0 | } |
128 | 0 | return false; |
129 | 0 | } |
130 | | |
131 | | /* |
132 | | * Generate DSA Primes |
133 | | */ |
134 | 0 | std::vector<uint8_t> generate_dsa_primes(RandomNumberGenerator& rng, BigInt& p, BigInt& q, size_t pbits, size_t qbits) { |
135 | 0 | while(true) { |
136 | 0 | std::vector<uint8_t> seed(qbits / 8); |
137 | 0 | rng.randomize(seed.data(), seed.size()); |
138 | |
|
139 | 0 | if(generate_dsa_primes(rng, p, q, pbits, qbits, seed)) { |
140 | 0 | return seed; |
141 | 0 | } |
142 | 0 | } |
143 | 0 | } |
144 | | |
145 | | } // namespace Botan |