1 /* 2 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/ffc.h" 11 12 /* 13 * SP800-56Ar3 5.6.1.1.4 Key pair generation by testing candidates. 14 * Generates a private key in the interval [1, min(2 ^ N - 1, q - 1)]. 15 * 16 * ctx must be set up with a libctx (for fips mode). 17 * params contains the FFC domain parameters p, q and g (for DH or DSA). 18 * N is the maximum bit length of the generated private key, 19 * s is the security strength. 20 * priv_key is the returned private key, 21 */ 22 int ossl_ffc_generate_private_key(BN_CTX *ctx, const FFC_PARAMS *params, 23 int N, int s, BIGNUM *priv) 24 { 25 int ret = 0, qbits = BN_num_bits(params->q); 26 BIGNUM *m, *two_powN = NULL; 27 28 /* Deal with the edge cases where the value of N and/or s is not set */ 29 if (s == 0) 30 goto err; 31 if (N == 0) 32 N = params->keylength ? params->keylength : 2 * s; 33 34 /* Step (2) : check range of N */ 35 if (N < 2 * s || N > qbits) 36 return 0; 37 38 two_powN = BN_new(); 39 /* 2^N */ 40 if (two_powN == NULL || !BN_lshift(two_powN, BN_value_one(), N)) 41 goto err; 42 43 /* Step (5) : M = min(2 ^ N, q) */ 44 m = (BN_cmp(two_powN, params->q) > 0) ? params->q : two_powN; 45 46 do { 47 /* Steps (3, 4 & 7) : c + 1 = 1 + random[0..2^N - 1] */ 48 if (!BN_priv_rand_range_ex(priv, two_powN, 0, ctx) 49 || !BN_add_word(priv, 1)) 50 goto err; 51 /* Step (6) : loop if c > M - 2 (i.e. c + 1 >= M) */ 52 if (BN_cmp(priv, m) < 0) 53 break; 54 } while (1); 55 56 ret = 1; 57 err: 58 BN_free(two_powN); 59 return ret; 60 } 61