1 /* $OpenBSD: moduli.c,v 1.22 2010/11/10 01:33:07 djm Exp $ */ 2 /* 3 * Copyright 1994 Phil Karn <karn (at) qualcomm.com> 4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson (at) greendragon.com> 5 * Copyright 2000 Niels Provos <provos (at) citi.umich.edu> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * Two-step process to generate safe primes for DHGEX 31 * 32 * Sieve candidates for "safe" primes, 33 * suitable for use as Diffie-Hellman moduli; 34 * that is, where q = (p-1)/2 is also prime. 35 * 36 * First step: generate candidate primes (memory intensive) 37 * Second step: test primes' safety (processor intensive) 38 */ 39 40 #include "includes.h" 41 42 #include <sys/types.h> 43 44 #include <openssl/bn.h> 45 #include <openssl/dh.h> 46 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <stdarg.h> 51 #include <time.h> 52 53 #include "xmalloc.h" 54 #include "dh.h" 55 #include "log.h" 56 57 #include "openbsd-compat/openssl-compat.h" 58 59 /* 60 * File output defines 61 */ 62 63 /* need line long enough for largest moduli plus headers */ 64 #define QLINESIZE (100+8192) 65 66 /* 67 * Size: decimal. 68 * Specifies the number of the most significant bit (0 to M). 69 * WARNING: internally, usually 1 to N. 70 */ 71 #define QSIZE_MINIMUM (511) 72 73 /* 74 * Prime sieving defines 75 */ 76 77 /* Constant: assuming 8 bit bytes and 32 bit words */ 78 #define SHIFT_BIT (3) 79 #define SHIFT_BYTE (2) 80 #define SHIFT_WORD (SHIFT_BIT+SHIFT_BYTE) 81 #define SHIFT_MEGABYTE (20) 82 #define SHIFT_MEGAWORD (SHIFT_MEGABYTE-SHIFT_BYTE) 83 84 /* 85 * Using virtual memory can cause thrashing. This should be the largest 86 * number that is supported without a large amount of disk activity -- 87 * that would increase the run time from hours to days or weeks! 88 */ 89 #define LARGE_MINIMUM (8UL) /* megabytes */ 90 91 /* 92 * Do not increase this number beyond the unsigned integer bit size. 93 * Due to a multiple of 4, it must be LESS than 128 (yielding 2**30 bits). 94 */ 95 #define LARGE_MAXIMUM (127UL) /* megabytes */ 96 97 /* 98 * Constant: when used with 32-bit integers, the largest sieve prime 99 * has to be less than 2**32. 100 */ 101 #define SMALL_MAXIMUM (0xffffffffUL) 102 103 /* Constant: can sieve all primes less than 2**32, as 65537**2 > 2**32-1. */ 104 #define TINY_NUMBER (1UL<<16) 105 106 /* Ensure enough bit space for testing 2*q. */ 107 #define TEST_MAXIMUM (1UL<<16) 108 #define TEST_MINIMUM (QSIZE_MINIMUM + 1) 109 /* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */ 110 #define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */ 111 112 /* bit operations on 32-bit words */ 113 #define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31))) 114 #define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31))) 115 #define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31))) 116 117 /* 118 * Prime testing defines 119 */ 120 121 /* Minimum number of primality tests to perform */ 122 #define TRIAL_MINIMUM (4) 123 124 /* 125 * Sieving data (XXX - move to struct) 126 */ 127 128 /* sieve 2**16 */ 129 static u_int32_t *TinySieve, tinybits; 130 131 /* sieve 2**30 in 2**16 parts */ 132 static u_int32_t *SmallSieve, smallbits, smallbase; 133 134 /* sieve relative to the initial value */ 135 static u_int32_t *LargeSieve, largewords, largetries, largenumbers; 136 static u_int32_t largebits, largememory; /* megabytes */ 137 static BIGNUM *largebase; 138 139 int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); 140 int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); 141 142 /* 143 * print moduli out in consistent form, 144 */ 145 static int 146 qfileout(FILE * ofile, u_int32_t otype, u_int32_t otests, u_int32_t otries, 147 u_int32_t osize, u_int32_t ogenerator, BIGNUM * omodulus) 148 { 149 struct tm *gtm; 150 time_t time_now; 151 int res; 152 153 time(&time_now); 154 gtm = gmtime(&time_now); 155 156 res = fprintf(ofile, "%04d%02d%02d%02d%02d%02d %u %u %u %u %x ", 157 gtm->tm_year + 1900, gtm->tm_mon + 1, gtm->tm_mday, 158 gtm->tm_hour, gtm->tm_min, gtm->tm_sec, 159 otype, otests, otries, osize, ogenerator); 160 161 if (res < 0) 162 return (-1); 163 164 if (BN_print_fp(ofile, omodulus) < 1) 165 return (-1); 166 167 res = fprintf(ofile, "\n"); 168 fflush(ofile); 169 170 return (res > 0 ? 0 : -1); 171 } 172 173 174 /* 175 ** Sieve p's and q's with small factors 176 */ 177 static void 178 sieve_large(u_int32_t s) 179 { 180 u_int32_t r, u; 181 182 debug3("sieve_large %u", s); 183 largetries++; 184 /* r = largebase mod s */ 185 r = BN_mod_word(largebase, s); 186 if (r == 0) 187 u = 0; /* s divides into largebase exactly */ 188 else 189 u = s - r; /* largebase+u is first entry divisible by s */ 190 191 if (u < largebits * 2) { 192 /* 193 * The sieve omits p's and q's divisible by 2, so ensure that 194 * largebase+u is odd. Then, step through the sieve in 195 * increments of 2*s 196 */ 197 if (u & 0x1) 198 u += s; /* Make largebase+u odd, and u even */ 199 200 /* Mark all multiples of 2*s */ 201 for (u /= 2; u < largebits; u += s) 202 BIT_SET(LargeSieve, u); 203 } 204 205 /* r = p mod s */ 206 r = (2 * r + 1) % s; 207 if (r == 0) 208 u = 0; /* s divides p exactly */ 209 else 210 u = s - r; /* p+u is first entry divisible by s */ 211 212 if (u < largebits * 4) { 213 /* 214 * The sieve omits p's divisible by 4, so ensure that 215 * largebase+u is not. Then, step through the sieve in 216 * increments of 4*s 217 */ 218 while (u & 0x3) { 219 if (SMALL_MAXIMUM - u < s) 220 return; 221 u += s; 222 } 223 224 /* Mark all multiples of 4*s */ 225 for (u /= 4; u < largebits; u += s) 226 BIT_SET(LargeSieve, u); 227 } 228 } 229 230 /* 231 * list candidates for Sophie-Germain primes (where q = (p-1)/2) 232 * to standard output. 233 * The list is checked against small known primes (less than 2**30). 234 */ 235 int 236 gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) 237 { 238 BIGNUM *q; 239 u_int32_t j, r, s, t; 240 u_int32_t smallwords = TINY_NUMBER >> 6; 241 u_int32_t tinywords = TINY_NUMBER >> 6; 242 time_t time_start, time_stop; 243 u_int32_t i; 244 int ret = 0; 245 246 largememory = memory; 247 248 if (memory != 0 && 249 (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) { 250 error("Invalid memory amount (min %ld, max %ld)", 251 LARGE_MINIMUM, LARGE_MAXIMUM); 252 return (-1); 253 } 254 255 /* 256 * Set power to the length in bits of the prime to be generated. 257 * This is changed to 1 less than the desired safe prime moduli p. 258 */ 259 if (power > TEST_MAXIMUM) { 260 error("Too many bits: %u > %lu", power, TEST_MAXIMUM); 261 return (-1); 262 } else if (power < TEST_MINIMUM) { 263 error("Too few bits: %u < %u", power, TEST_MINIMUM); 264 return (-1); 265 } 266 power--; /* decrement before squaring */ 267 268 /* 269 * The density of ordinary primes is on the order of 1/bits, so the 270 * density of safe primes should be about (1/bits)**2. Set test range 271 * to something well above bits**2 to be reasonably sure (but not 272 * guaranteed) of catching at least one safe prime. 273 */ 274 largewords = ((power * power) >> (SHIFT_WORD - TEST_POWER)); 275 276 /* 277 * Need idea of how much memory is available. We don't have to use all 278 * of it. 279 */ 280 if (largememory > LARGE_MAXIMUM) { 281 logit("Limited memory: %u MB; limit %lu MB", 282 largememory, LARGE_MAXIMUM); 283 largememory = LARGE_MAXIMUM; 284 } 285 286 if (largewords <= (largememory << SHIFT_MEGAWORD)) { 287 logit("Increased memory: %u MB; need %u bytes", 288 largememory, (largewords << SHIFT_BYTE)); 289 largewords = (largememory << SHIFT_MEGAWORD); 290 } else if (largememory > 0) { 291 logit("Decreased memory: %u MB; want %u bytes", 292 largememory, (largewords << SHIFT_BYTE)); 293 largewords = (largememory << SHIFT_MEGAWORD); 294 } 295 296 TinySieve = xcalloc(tinywords, sizeof(u_int32_t)); 297 tinybits = tinywords << SHIFT_WORD; 298 299 SmallSieve = xcalloc(smallwords, sizeof(u_int32_t)); 300 smallbits = smallwords << SHIFT_WORD; 301 302 /* 303 * dynamically determine available memory 304 */ 305 while ((LargeSieve = calloc(largewords, sizeof(u_int32_t))) == NULL) 306 largewords -= (1L << (SHIFT_MEGAWORD - 2)); /* 1/4 MB chunks */ 307 308 largebits = largewords << SHIFT_WORD; 309 largenumbers = largebits * 2; /* even numbers excluded */ 310 311 /* validation check: count the number of primes tried */ 312 largetries = 0; 313 if ((q = BN_new()) == NULL) 314 fatal("BN_new failed"); 315 316 /* 317 * Generate random starting point for subprime search, or use 318 * specified parameter. 319 */ 320 if ((largebase = BN_new()) == NULL) 321 fatal("BN_new failed"); 322 if (start == NULL) { 323 if (BN_rand(largebase, power, 1, 1) == 0) 324 fatal("BN_rand failed"); 325 } else { 326 if (BN_copy(largebase, start) == NULL) 327 fatal("BN_copy: failed"); 328 } 329 330 /* ensure odd */ 331 if (BN_set_bit(largebase, 0) == 0) 332 fatal("BN_set_bit: failed"); 333 334 time(&time_start); 335 336 logit("%.24s Sieve next %u plus %u-bit", ctime(&time_start), 337 largenumbers, power); 338 debug2("start point: 0x%s", BN_bn2hex(largebase)); 339 340 /* 341 * TinySieve 342 */ 343 for (i = 0; i < tinybits; i++) { 344 if (BIT_TEST(TinySieve, i)) 345 continue; /* 2*i+3 is composite */ 346 347 /* The next tiny prime */ 348 t = 2 * i + 3; 349 350 /* Mark all multiples of t */ 351 for (j = i + t; j < tinybits; j += t) 352 BIT_SET(TinySieve, j); 353 354 sieve_large(t); 355 } 356 357 /* 358 * Start the small block search at the next possible prime. To avoid 359 * fencepost errors, the last pass is skipped. 360 */ 361 for (smallbase = TINY_NUMBER + 3; 362 smallbase < (SMALL_MAXIMUM - TINY_NUMBER); 363 smallbase += TINY_NUMBER) { 364 for (i = 0; i < tinybits; i++) { 365 if (BIT_TEST(TinySieve, i)) 366 continue; /* 2*i+3 is composite */ 367 368 /* The next tiny prime */ 369 t = 2 * i + 3; 370 r = smallbase % t; 371 372 if (r == 0) { 373 s = 0; /* t divides into smallbase exactly */ 374 } else { 375 /* smallbase+s is first entry divisible by t */ 376 s = t - r; 377 } 378 379 /* 380 * The sieve omits even numbers, so ensure that 381 * smallbase+s is odd. Then, step through the sieve 382 * in increments of 2*t 383 */ 384 if (s & 1) 385 s += t; /* Make smallbase+s odd, and s even */ 386 387 /* Mark all multiples of 2*t */ 388 for (s /= 2; s < smallbits; s += t) 389 BIT_SET(SmallSieve, s); 390 } 391 392 /* 393 * SmallSieve 394 */ 395 for (i = 0; i < smallbits; i++) { 396 if (BIT_TEST(SmallSieve, i)) 397 continue; /* 2*i+smallbase is composite */ 398 399 /* The next small prime */ 400 sieve_large((2 * i) + smallbase); 401 } 402 403 memset(SmallSieve, 0, smallwords << SHIFT_BYTE); 404 } 405 406 time(&time_stop); 407 408 logit("%.24s Sieved with %u small primes in %ld seconds", 409 ctime(&time_stop), largetries, (long) (time_stop - time_start)); 410 411 for (j = r = 0; j < largebits; j++) { 412 if (BIT_TEST(LargeSieve, j)) 413 continue; /* Definitely composite, skip */ 414 415 debug2("test q = largebase+%u", 2 * j); 416 if (BN_set_word(q, 2 * j) == 0) 417 fatal("BN_set_word failed"); 418 if (BN_add(q, q, largebase) == 0) 419 fatal("BN_add failed"); 420 if (qfileout(out, MODULI_TYPE_SOPHIE_GERMAIN, 421 MODULI_TESTS_SIEVE, largetries, 422 (power - 1) /* MSB */, (0), q) == -1) { 423 ret = -1; 424 break; 425 } 426 427 r++; /* count q */ 428 } 429 430 time(&time_stop); 431 432 xfree(LargeSieve); 433 xfree(SmallSieve); 434 xfree(TinySieve); 435 436 logit("%.24s Found %u candidates", ctime(&time_stop), r); 437 438 return (ret); 439 } 440 441 /* 442 * perform a Miller-Rabin primality test 443 * on the list of candidates 444 * (checking both q and p) 445 * The result is a list of so-call "safe" primes 446 */ 447 int 448 prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) 449 { 450 BIGNUM *q, *p, *a; 451 BN_CTX *ctx; 452 char *cp, *lp; 453 u_int32_t count_in = 0, count_out = 0, count_possible = 0; 454 u_int32_t generator_known, in_tests, in_tries, in_type, in_size; 455 time_t time_start, time_stop; 456 int res; 457 458 if (trials < TRIAL_MINIMUM) { 459 error("Minimum primality trials is %d", TRIAL_MINIMUM); 460 return (-1); 461 } 462 463 time(&time_start); 464 465 if ((p = BN_new()) == NULL) 466 fatal("BN_new failed"); 467 if ((q = BN_new()) == NULL) 468 fatal("BN_new failed"); 469 if ((ctx = BN_CTX_new()) == NULL) 470 fatal("BN_CTX_new failed"); 471 472 debug2("%.24s Final %u Miller-Rabin trials (%x generator)", 473 ctime(&time_start), trials, generator_wanted); 474 475 res = 0; 476 lp = xmalloc(QLINESIZE + 1); 477 while (fgets(lp, QLINESIZE + 1, in) != NULL) { 478 count_in++; 479 if (strlen(lp) < 14 || *lp == '!' || *lp == '#') { 480 debug2("%10u: comment or short line", count_in); 481 continue; 482 } 483 484 /* XXX - fragile parser */ 485 /* time */ 486 cp = &lp[14]; /* (skip) */ 487 488 /* type */ 489 in_type = strtoul(cp, &cp, 10); 490 491 /* tests */ 492 in_tests = strtoul(cp, &cp, 10); 493 494 if (in_tests & MODULI_TESTS_COMPOSITE) { 495 debug2("%10u: known composite", count_in); 496 continue; 497 } 498 499 /* tries */ 500 in_tries = strtoul(cp, &cp, 10); 501 502 /* size (most significant bit) */ 503 in_size = strtoul(cp, &cp, 10); 504 505 /* generator (hex) */ 506 generator_known = strtoul(cp, &cp, 16); 507 508 /* Skip white space */ 509 cp += strspn(cp, " "); 510 511 /* modulus (hex) */ 512 switch (in_type) { 513 case MODULI_TYPE_SOPHIE_GERMAIN: 514 debug2("%10u: (%u) Sophie-Germain", count_in, in_type); 515 a = q; 516 if (BN_hex2bn(&a, cp) == 0) 517 fatal("BN_hex2bn failed"); 518 /* p = 2*q + 1 */ 519 if (BN_lshift(p, q, 1) == 0) 520 fatal("BN_lshift failed"); 521 if (BN_add_word(p, 1) == 0) 522 fatal("BN_add_word failed"); 523 in_size += 1; 524 generator_known = 0; 525 break; 526 case MODULI_TYPE_UNSTRUCTURED: 527 case MODULI_TYPE_SAFE: 528 case MODULI_TYPE_SCHNORR: 529 case MODULI_TYPE_STRONG: 530 case MODULI_TYPE_UNKNOWN: 531 debug2("%10u: (%u)", count_in, in_type); 532 a = p; 533 if (BN_hex2bn(&a, cp) == 0) 534 fatal("BN_hex2bn failed"); 535 /* q = (p-1) / 2 */ 536 if (BN_rshift(q, p, 1) == 0) 537 fatal("BN_rshift failed"); 538 break; 539 default: 540 debug2("Unknown prime type"); 541 break; 542 } 543 544 /* 545 * due to earlier inconsistencies in interpretation, check 546 * the proposed bit size. 547 */ 548 if ((u_int32_t)BN_num_bits(p) != (in_size + 1)) { 549 debug2("%10u: bit size %u mismatch", count_in, in_size); 550 continue; 551 } 552 if (in_size < QSIZE_MINIMUM) { 553 debug2("%10u: bit size %u too short", count_in, in_size); 554 continue; 555 } 556 557 if (in_tests & MODULI_TESTS_MILLER_RABIN) 558 in_tries += trials; 559 else 560 in_tries = trials; 561 562 /* 563 * guess unknown generator 564 */ 565 if (generator_known == 0) { 566 if (BN_mod_word(p, 24) == 11) 567 generator_known = 2; 568 else if (BN_mod_word(p, 12) == 5) 569 generator_known = 3; 570 else { 571 u_int32_t r = BN_mod_word(p, 10); 572 573 if (r == 3 || r == 7) 574 generator_known = 5; 575 } 576 } 577 /* 578 * skip tests when desired generator doesn't match 579 */ 580 if (generator_wanted > 0 && 581 generator_wanted != generator_known) { 582 debug2("%10u: generator %d != %d", 583 count_in, generator_known, generator_wanted); 584 continue; 585 } 586 587 /* 588 * Primes with no known generator are useless for DH, so 589 * skip those. 590 */ 591 if (generator_known == 0) { 592 debug2("%10u: no known generator", count_in); 593 continue; 594 } 595 596 count_possible++; 597 598 /* 599 * The (1/4)^N performance bound on Miller-Rabin is 600 * extremely pessimistic, so don't spend a lot of time 601 * really verifying that q is prime until after we know 602 * that p is also prime. A single pass will weed out the 603 * vast majority of composite q's. 604 */ 605 if (BN_is_prime_ex(q, 1, ctx, NULL) <= 0) { 606 debug("%10u: q failed first possible prime test", 607 count_in); 608 continue; 609 } 610 611 /* 612 * q is possibly prime, so go ahead and really make sure 613 * that p is prime. If it is, then we can go back and do 614 * the same for q. If p is composite, chances are that 615 * will show up on the first Rabin-Miller iteration so it 616 * doesn't hurt to specify a high iteration count. 617 */ 618 if (!BN_is_prime_ex(p, trials, ctx, NULL)) { 619 debug("%10u: p is not prime", count_in); 620 continue; 621 } 622 debug("%10u: p is almost certainly prime", count_in); 623 624 /* recheck q more rigorously */ 625 if (!BN_is_prime_ex(q, trials - 1, ctx, NULL)) { 626 debug("%10u: q is not prime", count_in); 627 continue; 628 } 629 debug("%10u: q is almost certainly prime", count_in); 630 631 if (qfileout(out, MODULI_TYPE_SAFE, 632 in_tests | MODULI_TESTS_MILLER_RABIN, 633 in_tries, in_size, generator_known, p)) { 634 res = -1; 635 break; 636 } 637 638 count_out++; 639 } 640 641 time(&time_stop); 642 xfree(lp); 643 BN_free(p); 644 BN_free(q); 645 BN_CTX_free(ctx); 646 647 logit("%.24s Found %u safe primes of %u candidates in %ld seconds", 648 ctime(&time_stop), count_out, count_possible, 649 (long) (time_stop - time_start)); 650 651 return (res); 652 } 653
