As with RSA, which was modified recently, this change makes it possible to

override key-generation implementations by placing handlers in the methods
for DSA and DH. Also, parameter generation for DSA and DH is possible by
another new handler for each method.

CHANGES

@@ -4,6 +4,12 @@
 
  Changes between 0.9.7 and 0.9.8  [xx XXX xxxx]
 
+  *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
+     and DH_METHOD (eg. by ENGINE implementations) to override the normal
+     software implementations. For DSA and DH, parameter generation can
+     also be overriden by providing the appropriate method callbacks.
+     [Geoff Thorpe]
+
   *) Change the "progress" mechanism used in key-generation and
      primality testing to functions that take a new BN_GENCB pointer in
      place of callback/argument pairs. The new API functions have "_ex"

crypto/dh/dh.h

@@ -91,6 +91,8 @@ typedef struct dh_method {
 	int (*finish)(DH *dh);
 	int flags;
 	char *app_data;
+	/* If this is non-NULL, it will be used to generate parameters */
+	int (*generate_params)(DH *dh, int prime_len, int generator, BN_GENCB *cb);
 } DH_METHOD;
 
 struct dh_st

crypto/dh/dh_gen.c

@@ -66,6 +66,15 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
+static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
+
+int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
+	{
+	if(ret->meth->generate_params)
+		return ret->meth->generate_params(ret, prime_len, generator, cb);
+	return dh_builtin_genparams(ret, prime_len, generator, cb);
+	}
+
 /* We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
  * p=(2*q)+1 or (p-1)/2 = q
@@ -91,7 +100,7 @@
  * It's just as OK (and in some sense better) to use a generator of the
  * order-q subgroup.
  */
-int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
+static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb)
 	{
 	BIGNUM *t1,*t2;
 	int g,ok= -1;

crypto/dh/dh_key.c

@@ -90,6 +90,7 @@ dh_bn_mod_exp,
 dh_init,
 dh_finish,
 0,
+NULL,
 NULL
 };
 

crypto/dsa/dsa.h

@@ -110,6 +110,13 @@ typedef struct dsa_method {
 	int (*finish)(DSA *dsa);
 	int flags;
 	char *app_data;
+	/* If this is non-NULL, it is used to generate DSA parameters */
+	int (*dsa_paramgen)(DSA *dsa, int bits,
+			unsigned char *seed, int seed_len,
+			int *counter_ret, unsigned long *h_ret,
+			BN_GENCB *cb);
+	/* If this is non-NULL, it is used to generate DSA keys */
+	int (*dsa_keygen)(DSA *dsa);
 } DSA_METHOD;
 
 struct dsa_st

crypto/dsa/dsa_gen.c

@@ -80,10 +80,25 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
+static int dsa_builtin_paramgen(DSA *ret, int bits,
+		unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
+
 int DSA_generate_parameters_ex(DSA *ret, int bits,
 		unsigned char *seed_in, int seed_len,
 		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
 	{
+	if(ret->meth->dsa_paramgen)
+		return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+				counter_ret, h_ret, cb);
+	return dsa_builtin_paramgen(ret, bits, seed_in, seed_len,
+			counter_ret, h_ret, cb);
+	}
+
+static int dsa_builtin_paramgen(DSA *ret, int bits,
+		unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+	{
 	int ok=0;
 	unsigned char seed[SHA_DIGEST_LENGTH];
 	unsigned char md[SHA_DIGEST_LENGTH];

crypto/dsa/dsa_key.c

@@ -64,7 +64,16 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
+static int dsa_builtin_keygen(DSA *dsa);
+
 int DSA_generate_key(DSA *dsa)
+	{
+	if(dsa->meth->dsa_keygen)
+		return dsa->meth->dsa_keygen(dsa);
+	return dsa_builtin_keygen(dsa);
+	}
+
+static int dsa_builtin_keygen(DSA *dsa)
 	{
 	int ok=0;
 	BN_CTX *ctx=NULL;

crypto/dsa/dsa_ossl.c

@@ -89,6 +89,8 @@ dsa_bn_mod_exp,
 dsa_init,
 dsa_finish,
 0,
+NULL,
+NULL,
 NULL
 };
 

engines/e_aep.c

@@ -190,7 +190,9 @@ static DSA_METHOD aep_dsa =
 	NULL,                /* init */
 	NULL,                /* finish */
 	0,                   /* flags */
-	NULL                 /* app_data */
+	NULL,                /* app_data */
+	NULL,                /* dsa_paramgen */
+	NULL                 /* dsa_keygen */
 	};
 #endif
 
@@ -205,6 +207,7 @@ static DH_METHOD aep_dh =
 	NULL,
 	NULL,
 	0,
+	NULL,
 	NULL
 	};
 #endif

engines/e_atalla.c

@@ -154,7 +154,9 @@ static DSA_METHOD atalla_dsa =
 	NULL, /* init */
 	NULL, /* finish */
 	0, /* flags */
-	NULL /* app_data */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
 	};
 #endif
 
@@ -169,6 +171,7 @@ static DH_METHOD atalla_dh =
 	NULL,
 	NULL,
 	0,
+	NULL,
 	NULL
 	};
 #endif

engines/e_cswift.c

@@ -172,7 +172,9 @@ static DSA_METHOD cswift_dsa =
 	NULL, /* init */
 	NULL, /* finish */
 	0, /* flags */
-	NULL /* app_data */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
 	};
 #endif
 
@@ -187,6 +189,7 @@ static DH_METHOD cswift_dh =
 	NULL,
 	NULL,
 	0,
+	NULL,
 	NULL
 	};
 #endif

engines/e_ncipher.c

@@ -201,6 +201,7 @@ static DH_METHOD hwcrhk_dh =
 	NULL,
 	NULL,
 	0,
+	NULL,
 	NULL
 	};
 #endif

engines/e_nuron.c

@@ -287,7 +287,9 @@ static DSA_METHOD nuron_dsa =
 	NULL, /* init */
 	NULL, /* finish */
 	0, /* flags */
-	NULL /* app_data */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
 	};
 #endif
 
@@ -301,6 +303,7 @@ static DH_METHOD nuron_dh =
 	NULL,
 	NULL,
 	0,
+	NULL,
 	NULL
 	};
 #endif

engines/e_sureware.c

@@ -145,7 +145,8 @@ static DH_METHOD surewarehk_dh =
 	NULL, /* init*/
 	NULL, /* finish*/
 	0,    /* flags*/
-	NULL 
+	NULL,
+	NULL
 	};
 #endif
 
@@ -194,6 +195,8 @@ static DSA_METHOD surewarehk_dsa =
 	NULL,/*finish*/
 	0,
 	NULL,
+	NULL,
+	NULL
 	};
 #endif
 

engines/e_ubsec.c

@@ -162,7 +162,9 @@ static DSA_METHOD ubsec_dsa =
 	NULL, /* init */
 	NULL, /* finish */
 	0, /* flags */
-	NULL /* app_data */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
 	};
 #endif
 
@@ -177,6 +179,7 @@ static DH_METHOD ubsec_dh =
 	NULL,
 	NULL,
 	0,
+	NULL,
 	NULL
 	};
 #endif