[catacomb] / pub / dh-gen.c

/* -*-c-*-
 *
 * Generate Diffie-Hellman parameters
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/macros.h>

#include "dh.h"
#include "grand.h"
#include "mp.h"
#include "mpmont.h"
#include "mprand.h"
#include "pfilt.h"
#include "pgen.h"
#include "prim.h"
#include "rabin.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @dh_gen@ --- *
 *
 * Arguments:	@dh_param *dp@ = pointer to output parameter block
 *		@unsigned ql@ = length of %$q$% in bits, or zero
 *		@unsigned pl@ = length of %$p$% in bits
 *		@unsigned steps@ = number of steps to go
 *		@grand *r@ = random number source
 *		@pgen_proc *event@ = event handler function
 *		@void *ectx@ = argument for the event handler
 *
 * Returns:	@PGEN_DONE@ if it worked, @PGEN_ABORT@ if it didn't.
 *
 * Use:		Generates Diffie-Hellman parameters.
 *
 *		The parameters are a prime %$q$%, relatively small, and a
 *		large prime %$p = kq + 1$% for some %$k$%, together with a
 *		generator %$g$% of the cyclic subgroup of order %$q$%.  These
 *		are actually the same as the DSA parameter set, but the
 *		generation algorithm is different.  Also, if @ql@ is zero,
 *		this algorithm forces %$k = 2$%, and chooses %$g = 4$%.  Make
 *		sure you have something interesting to do if you choose this
 *		option.
 */

int dh_gen(dh_param *dp, unsigned ql, unsigned pl, unsigned steps, grand *r,
	   pgen_proc *event, void *ectx)
{
  /* --- If @ql@ is zero, do the time consuming safe-prime thing --- */

  if (!ql) {
    pgen_simulprime sp[2];
    pgen_simulctx ss;

    mp *m = mprand(MP_NEW, pl - 1, r, 1);
    ss.step = MP_TWO;
    sp[0].mul = MP_ONE; sp[0].add = MP_ZERO; sp[0].f = 0;
    sp[1].mul = MP_TWO; sp[1].add = MP_ONE; sp[1].f = PGENF_KEEP;
    ss.v = sp; ss.n = N(sp);
    dp->q = pgen("p", MP_NEW, m, event, ectx, steps, pgen_simulstep, &ss,
		 PGEN_BAILLIEPSWNTESTS, pgen_simulbailliepswtest, &ss);
    mp_drop(m);
    if (!dp->q) {
      mp_drop(sp[1].u.x);
      return (PGEN_ABORT);
    }
    dp->p = sp[1].u.x;
    dp->g = MP_FOUR;
    return (PGEN_DONE);
  }

  /* --- Otherwise the job is much simpler --- *
   *
   * But doesn't look it...
   */

  else {
    pgen_filterctx c;
    pgen_jumpctx j;
    prim_ctx p;
    int i;
    mp *m = MP_NEW;
    mp *x, *y;

    /* --- Generate @q@ first --- */

    c.step = 2;
    m = mprand(MP_NEW, ql, r, 1);
    dp->q = pgen("q", MP_NEW, m, event, ectx, steps, pgen_filter, &c,
		 PGEN_BAILLIEPSWNTESTS, pgen_bailliepswtest, 0);
    if (!dp->q)
      goto fail_q;

    /* --- Now pick a suitable @p@ --- */

    m = mp_lsl(m, dp->q, 1);
    x = mprand(MP_NEW, pl, r, 0);
    y = MP_NEW; mp_div(0, &y, x, m);
    x = mp_sub(x, x, y);
    x = mp_add(x, x, MP_ONE);
    mp_drop(y);
    pfilt_create(&c.f, m);
    j.j = &c.f;
    dp->p = pgen("p", MP_NEW, x, event, ectx, steps, pgen_jump, &j,
		 PGEN_BAILLIEPSWNTESTS, pgen_bailliepswtest, 0);
    pfilt_destroy(&c.f);
    mp_drop(x);
    if (!dp->p)
      goto fail_p;

    /* --- And finally a suitable @g@ --- */

    mpmont_create(&p.mm, dp->p);
    mp_div(&m, 0, dp->p, dp->q);
    i = 0;
    p.exp = m;
    p.n = 0;
    dp->g = pgen("g", MP_NEW, MP_NEW, event, ectx, 0, prim_step, &i,
		 1, prim_test, &p);
    mpmont_destroy(&p.mm);
    if (!dp->g)
      goto fail_g;
    mp_drop(m);
    return (PGEN_DONE);

    /* --- Tidy up --- */

  fail_g:
    mp_drop(dp->q);
  fail_q:
    mp_drop(dp->p);
  fail_p:
    mp_drop(m);
    return (PGEN_ABORT);
  }
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
052b36d0	1	/* --c--
052b36d0	2	*
052b36d0	3	* Generate Diffie-Hellman parameters
	4	*
	5	* (c) 1999 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
052b36d0	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
052b36d0	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
052b36d0	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
052b36d0	28	/----- Header files ------------------------------------------------------/
052b36d0	29
ed229313 MW	30	#include <mLib/macros.h>
ed229313 MW	31
052b36d0	32	#include "dh.h"
	33	#include "grand.h"
	34	#include "mp.h"
	35	#include "mpmont.h"
	36	#include "mprand.h"
	37	#include "pfilt.h"
	38	#include "pgen.h"
	39	#include "prim.h"
	40	#include "rabin.h"
	41
	42	/----- Main code ---------------------------------------------------------/
	43
	44	/* --- @dh_gen@ --- *
	45	*
	46	* Arguments: @dh_param *dp@ = pointer to output parameter block
	47	* @unsigned ql@ = length of %$q$% in bits, or zero
	48	* @unsigned pl@ = length of %$p$% in bits
	49	* @unsigned steps@ = number of steps to go
	50	* @grand *r@ = random number source
	51	* @pgen_proc *event@ = event handler function
	52	* @void *ectx@ = argument for the event handler
	53	*
	54	* Returns: @PGEN_DONE@ if it worked, @PGEN_ABORT@ if it didn't.
	55	*
	56	* Use: Generates Diffie-Hellman parameters.
	57	*
	58	* The parameters are a prime %$q$%, relatively small, and a
	59	* large prime %$p = kq + 1$% for some %$k$%, together with a
	60	* generator %$g$% of the cyclic subgroup of order %$q$%. These
	61	* are actually the same as the DSA parameter set, but the
	62	* generation algorithm is different. Also, if @ql@ is zero,
	63	* this algorithm forces %$k = 2$%, and chooses %$g = 4$%. Make
	64	* sure you have something interesting to do if you choose this
	65	* option.
	66	*/
	67
	68	int dh_gen(dh_param dp, unsigned ql, unsigned pl, unsigned steps, grand r,
	69	pgen_proc event, void ectx)
	70	{
	71	/* --- If @ql@ is zero, do the time consuming safe-prime thing --- */
	72
	73	if (!ql) {
ed229313 MW	74	pgen_simulprime sp[2];
ed229313 MW	75	pgen_simulctx ss;
052b36d0	76
ed229313 MW	77	mp *m = mprand(MP_NEW, pl - 1, r, 1);
	78	ss.step = MP_TWO;
	79	sp[0].mul = MP_ONE; sp[0].add = MP_ZERO; sp[0].f = 0;
	80	sp[1].mul = MP_TWO; sp[1].add = MP_ONE; sp[1].f = PGENF_KEEP;
	81	ss.v = sp; ss.n = N(sp);
	82	dp->q = pgen("p", MP_NEW, m, event, ectx, steps, pgen_simulstep, &ss,
fbfcb6c0	83	PGEN_BAILLIEPSWNTESTS, pgen_simulbailliepswtest, &ss);
052b36d0	84	mp_drop(m);
ed229313 MW	85	if (!dp->q) {
ed229313 MW	86	mp_drop(sp[1].u.x);
052b36d0	87	return (PGEN_ABORT);
ed229313 MW	88	}
ed229313 MW	89	dp->p = sp[1].u.x;
052b36d0	90	dp->g = MP_FOUR;
	91	return (PGEN_DONE);
	92	}
	93
	94	/* --- Otherwise the job is much simpler --- *
	95	*
	96	* But doesn't look it...
	97	*/
	98
	99	else {
	100	pgen_filterctx c;
	101	pgen_jumpctx j;
052b36d0	102	prim_ctx p;
	103	int i;
	104	mp *m = MP_NEW;
	105	mp x, y;
	106
	107	/* --- Generate @q@ first --- */
	108
	109	c.step = 2;
	110	m = mprand(MP_NEW, ql, r, 1);
	111	dp->q = pgen("q", MP_NEW, m, event, ectx, steps, pgen_filter, &c,
fbfcb6c0	112	PGEN_BAILLIEPSWNTESTS, pgen_bailliepswtest, 0);
052b36d0	113	if (!dp->q)
	114	goto fail_q;
	115
	116	/* --- Now pick a suitable @p@ --- */
	117
	118	m = mp_lsl(m, dp->q, 1);
	119	x = mprand(MP_NEW, pl, r, 0);
	120	y = MP_NEW; mp_div(0, &y, x, m);
	121	x = mp_sub(x, x, y);
	122	x = mp_add(x, x, MP_ONE);
	123	mp_drop(y);
	124	pfilt_create(&c.f, m);
	125	j.j = &c.f;
	126	dp->p = pgen("p", MP_NEW, x, event, ectx, steps, pgen_jump, &j,
fbfcb6c0	127	PGEN_BAILLIEPSWNTESTS, pgen_bailliepswtest, 0);
052b36d0	128	pfilt_destroy(&c.f);
	129	mp_drop(x);
	130	if (!dp->p)
	131	goto fail_p;
	132
	133	/* --- And finally a suitable @g@ --- */
	134
	135	mpmont_create(&p.mm, dp->p);
	136	mp_div(&m, 0, dp->p, dp->q);
	137	i = 0;
f621db36	138	p.exp = m;
052b36d0	139	p.n = 0;
	140	dp->g = pgen("g", MP_NEW, MP_NEW, event, ectx, 0, prim_step, &i,
	141	1, prim_test, &p);
	142	mpmont_destroy(&p.mm);
	143	if (!dp->g)
	144	goto fail_g;
	145	mp_drop(m);
	146	return (PGEN_DONE);
	147
	148	/* --- Tidy up --- */
	149
	150	fail_g:
	151	mp_drop(dp->q);
	152	fail_q:
	153	mp_drop(dp->p);
	154	fail_p:
	155	mp_drop(m);
	156	return (PGEN_ABORT);
	157	}
	158	}
	159
	160	/----- That's all, folks -------------------------------------------------/