[Acc] [PATCH 07/22] uadk_provider:fix dh insufficient performance

27 May 2025

From: Zhushuai Yin <yinzhushuai@huawei.com>

The code should not use only q to randomly generate prikeys.
Otherwise, the prikey length is too long and the performance is affected.

Signed-off-by: Zhushuai Yin <yinzhushuai@huawei.com>
Signed-off-by: JiangShui Yang <yangjiangshui@h-partners.com>
---
 src/uadk_prov_dh.c  |  84 ++++++++++++++++------
 src/uadk_prov_ffc.c | 170 ++++++++++++++++++++++++++++++++++++++------
 src/uadk_prov_ffc.h |  38 +++++++++-
 3 files changed, 246 insertions(+), 46 deletions(-)

diff --git a/src/uadk_prov_dh.c b/src/uadk_prov_dh.c
index 1cb4b45..cb40cff 100644
--- a/src/uadk_prov_dh.c
+++ b/src/uadk_prov_dh.c
@@ -482,36 +482,74 @@ static void uadk_DH_set_flags(DH *dh, int flags)
 	dh->flags |= flags;
 }
 
+static int uadk_dh_gen_prikey_undef(const DH *dh, BIGNUM *new_prikey)
+{
+	int bits;
+
+	bits = uadk_DH_get_length(dh) ?
+			uadk_DH_get_length(dh) : BN_num_bits(uadk_DH_get0_p(dh)) - 1;
+	if (!BN_priv_rand(new_prikey, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) {
+		fprintf(stderr, "failed to BN_priv_rand\n");
+		return UADK_P_FAIL;
+	}
+	return UADK_P_SUCCESS;
+}
+
 static int dh_gen_rand_prikey(const DH *dh, BIGNUM *new_prikey)
 {
-	const BIGNUM *q = uadk_DH_get0_q(dh);
-	int bits, cnt;
+	int qbits, max_strength, n, cnt = 0;
+	BIGNUM *m, *two_powN = NULL;
 
-	if (q) {
-		cnt = 0;
-		do {
-			if (!BN_priv_rand_range(new_prikey, q)) {
-				fprintf(stderr, "failed to BN_priv_rand_range\n");
-				return UADK_P_FAIL;
-			}
+	n = dh->length;
+	if (DH_get_nid(dh) == NID_undef || dh->params.q == NULL)
+		return uadk_dh_gen_prikey_undef(dh, new_prikey);
 
-			cnt++;
-			if (cnt > RAND_MAX_CNT) {
-				fprintf(stderr, "failed to get appropriate prikey, timeout\n");
-				return UADK_P_FAIL;
-			}
-		} while (BN_is_zero(new_prikey) || BN_is_one(new_prikey));
-	} else {
-		bits = uadk_DH_get_length(dh) ?
-		       uadk_DH_get_length(dh) : BN_num_bits(uadk_DH_get0_p(dh)) - 1;
-		if (!BN_priv_rand(new_prikey, bits, BN_RAND_TOP_ONE,
-				  BN_RAND_BOTTOM_ANY)) {
-			fprintf(stderr, "failed to BN_priv_rand\n");
-			return UADK_P_FAIL;
-		}
+	max_strength = ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p));
+	/* Deal with the edge cases where the value of n and/or s is not set */
+	if (dh->length > BN_num_bits(dh->params.q) || max_strength == 0)
+		return UADK_P_FAIL;
+
+	if (n == 0)
+		n = dh->params.keylength ? dh->params.keylength : (max_strength << 1);
+
+	qbits = BN_num_bits(dh->params.q);
+	/* Step (2) : check range of n */
+	if (n < (max_strength << 1) || n > qbits) {
+		fprintf(stderr, "n is invalid!\n");
+		return UADK_P_FAIL;
 	}
 
+	two_powN = BN_new();
+	/* 2^n */
+	if (two_powN == NULL || !BN_lshift(two_powN, BN_value_one(), n)) {
+		fprintf(stderr, "failed to BN_new or two_powN is zero\n");
+		goto err;
+	}
+
+	/* Step (5) : M = min(2 ^ n, q) */
+	m = (BN_cmp(two_powN, dh->params.q) > 0) ? dh->params.q : two_powN;
+
+	do {
+		if (!BN_priv_rand_range_ex(new_prikey, two_powN, 0, NULL)
+			|| !BN_add_word(new_prikey, 1)) {
+			fprintf(stderr, "failed to BN_priv_rand_range_ex\n");
+			goto err;
+		}
+		/* Step (6) : loop if c > M - 2 (i.e. c + 1 >= M) */
+		if (BN_cmp(new_prikey, m) < 0)
+			break;
+
+		if (cnt++ > RAND_MAX_CNT) {
+			fprintf(stderr, "failed to get appropriate prikey, timeout\n");
+			goto err;
+		}
+	} while (1);
+
+	BN_free(two_powN);
 	return UADK_P_SUCCESS;
+err:
+	BN_free(two_powN);
+	return UADK_P_FAIL;
 }
 
 static int uadk_prov_dh_prepare_prikey(struct uadk_dh_sess *dh_sess, const DH *dh, BIGNUM **prikey)
diff --git a/src/uadk_prov_ffc.c b/src/uadk_prov_ffc.c
index 015c1b9..a760a72 100644
--- a/src/uadk_prov_ffc.c
+++ b/src/uadk_prov_ffc.c
@@ -34,7 +34,7 @@
  */
 static const BN_ULONG modp_1536_p[] = {
 	BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08),
-	BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
+	BN_DEF((0x4ABC9804), (0x670C354E)), BN_DEF((0x7096966D), (0x9ED52907)),
 	BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
 	BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
 	BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
@@ -80,32 +80,32 @@ static const BN_ULONG modp_2048_p[] = {
 	BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
 	BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
 	BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
-	BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
+	BN_DEF((0xA163BF05), (0xC2007CB8)), BN_DEF(0xECE45B3D, 0x49286651),
 	BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
 	BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
-	BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
+	BN_DEF((0x625E7EC6), (0xE485B576)), BN_DEF(0x6D51C245, 0x4FE1356D),
 	BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
-	BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
+	BN_DEF((0x8E3404DD), (0x514A0879)), BN_DEF(0x3B139B22, 0x020BBEA6),
 	BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
 	BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
 };
 /* q = (p - 1) / 2 */
 static const BN_ULONG modp_2048_q[] = {
 	BN_DEF(0xFFFFFFFF,  0x7FFFFFFF), BN_DEF(0x45565534,  0x0AB9472D),
-	BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
+	BN_DEF((0x4C7D0288),  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
 	BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
 	BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
 	BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
-	BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
+	BN_DEF((0x255E4C02),  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
 	BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
 	BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
 	BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
 	BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
-	BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
+	BN_DEF((0x7A035BF6),  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
 	BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
 	BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
 	BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
-	BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
+	BN_DEF((0x4533E63A),  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
 	BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
 };
 
@@ -132,14 +132,14 @@ static const BN_ULONG modp_3072_p[] = {
 	BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
 	BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
 	BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
-	BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
+	BN_DEF((0xFD24CF5F), (0x69163FA8)), BN_DEF(0x1C55D39A, 0x98DA4836),
 	BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
-	BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
+	BN_DEF((0x7C4B1FE6), (0xAE9F2411)), BN_DEF(0x5A899FA5, 0xEE386BFB),
 	BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
 	BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
 	BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
 	BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
-	BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
+	BN_DEF((0x8A67CC74), (0x29024E08)), BN_DEF(0x80DC1CD1, 0xC4C6628B),
 	BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
 };
 /* q = (p - 1) / 2 */
@@ -154,18 +154,18 @@ static const BN_ULONG modp_3072_q[] = {
 	BN_DEF(0x2C6DF785,  0x767DC282), BN_DEF(0xEF8E5D32,  0xD42A90D5),
 	BN_DEF(0x82283D19,  0xD6998B86), BN_DEF(0x45556216,  0x0AB9472D),
 	BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
-	BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
+	BN_DEF(0x4AAC0B8C,  (0xEF15E5FB)), BN_DEF(0x37A62964,  0xDAE2AEF8),
 	BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
 	BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
-	BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
+	BN_DEF(0x255E4C02,  (0xB3861AA7)), BN_DEF(0xB84B4B36,  0xCF6A9483),
 	BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
 	BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
 	BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
 	BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
-	BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
+	BN_DEF(0x7A035BF6,  (0x85FFAE5B)), BN_DEF(0xD31BF6B5,  0x7A262174),
 	BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
 	BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
-	BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
+	BN_DEF(0xC71A026E,  (0x28A5043C)), BN_DEF(0x1D89CD91,  0x0105DF53),
 	BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
 	BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
 };
@@ -201,14 +201,14 @@ static const BN_ULONG modp_4096_p[] = {
 	BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
 	BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
 	BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
-	BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
+	BN_DEF((0xFD24CF5F), 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
 	BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
-	BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
+	BN_DEF(0x7C4B1FE6, (0xAE9F2411)), BN_DEF(0x5A899FA5, 0xEE386BFB),
 	BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
-	BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
+	BN_DEF((0x625E7EC6), 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
 	BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
 	BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
-	BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
+	BN_DEF(0x8A67CC74, (0x29024E08)), BN_DEF(0x80DC1CD1, 0xC4C6628B),
 	BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
 };
 /* q = (p - 1) / 2 */
@@ -233,15 +233,15 @@ static const BN_ULONG modp_4096_q[] = {
 	BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
 	BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
 	BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
-	BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
+	BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  (0x78BA3604)),
 	BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
 	BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
 	BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
-	BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
+	BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  (0x24943328)),
 	BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
 	BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
 	BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
-	BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
+	BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  (0xF7CA8CD9)),
 	BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
 	BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
 	BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
@@ -1886,3 +1886,129 @@ int ossl_ffc_params_FIPS186_4_generate(OSSL_LIB_CTX *libctx, FFC_PARAMS *params,
 						    FFC_PARAM_MODE_GENERATE,
 						    type, L, N, res, cb);
 }
+
+/*
+ * Multiply two scaled integers together and rescale the result.
+ */
+static ossl_inline uint64_t mul2(uint64_t a, uint64_t b)
+{
+	return a * b / DH_SCALE;
+}
+
+/*
+ * Calculate the natural logarithm of a 64 bit scaled integer.
+ * This is done by calculating a base two logarithm and scaling.
+ * The maximum logarithm (base 2) is 64 and this reduces base e, so
+ * a 32 bit result should not overflow.  The argument passed must be
+ * greater than unity so we don't need to handle negative results.
+ */
+static uint32_t ilog_e(uint64_t v)
+{
+	uint32_t i, r = 0;
+
+	/*
+	 * Scale down the value into the range 1 .. 2.
+	 *
+	 * If fractional numbers need to be processed, another loop needs
+	 * to go here that checks v < scale and if so multiplies it by 2 and
+	 * reduces r by scale.  This also means making r signed.
+	 */
+	while (v >= (DH_C1_923 << 1)) {
+		v >>= 1;
+		r += DH_C1_923;
+	}
+	for (i = (DH_C1_923 >> 1); i != 0; i = (i >> 1)) {
+		v = mul2(v, v);
+		if (v >= (DH_C1_923 << 1)) {
+			v >>= 1;
+			r += i;
+		}
+	}
+	r = (r * (uint64_t)DH_C1_923) / DH_LOG_E;
+	return r;
+}
+
+/*
+ * Calculate the cube root of a 64 bit scaled integer.
+ * Although the cube root of a 64 bit number does fit into a 32 bit unsigned
+ * integer, this is not guaranteed after scaling, so this function has a
+ * 64 bit return.  This uses the shifting nth root algorithm with some
+ * algebraic simplifications.
+ */
+static uint64_t icbrt64(uint64_t x)
+{
+	uint64_t r = 0;
+	uint64_t b;
+	int s;
+
+	for (s = DH_MAX_EXPONENT; s >= 0; s -= DH_EXPONENT_SHIFT_3) {
+		r <<= 1;
+		b = DH_EXPONENT_SHIFT_3 * r * (r + 1) + 1;
+		if ((x >> s) >= b) {
+			x -= b << s;
+			r++;
+		}
+	}
+	return r * DH_CBRT_SCALE;
+}
+
+uint16_t ossl_ifc_ffc_compute_security_bits(int n)
+{
+	uint16_t y, cap;
+	uint32_t lx;
+	uint64_t x;
+
+	/*
+	 * Look for common values as listed in standards.
+	 * These values are not exactly equal to the results from the formulae in
+	 * the standards but are defined to be canonical.
+	 */
+	switch (n) {
+	case DH_STANDARDS_P_2048BIT:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
+		return DH_P_SECURITY_112BITS;
+	case DH_STANDARDS_P_3072BIT:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
+		return DH_P_SECURITY_128BITS;
+	case DH_STANDARDS_P_4096BIT:      /* SP 800-56B rev 2 Appendix D */
+		return DH_P_SECURITY_152BITS;
+	case DH_STANDARDS_P_6144BIT:      /* SP 800-56B rev 2 Appendix D */
+		return DH_P_SECURITY_176BITS;
+	case DH_STANDARDS_P_7680BIT:      /* FIPS 140-2 IG 7.5 */
+		return DH_P_SECURITY_192BITS;
+	case DH_STANDARDS_P_8192BIT:      /* SP 800-56B rev 2 Appendix D */
+		return DH_P_SECURITY_200BITS;
+	case DH_STANDARDS_P_15360BIT:     /* FIPS 140-2 IG 7.5 */
+		return DH_P_SECURITY_256BITS;
+	}
+
+	/*
+	 * The first incorrect result (i.e. not accurate or off by one low) occurs
+	 * for n = 699668.  The true value here is 1200.  Instead of using this n
+	 * as the check threshold, the smallest n such that the correct result is
+	 * 1200 is used instead.
+	 */
+	if (n >= DH_STANDARDS_P_MAX_BIT)
+		return DH_P_SECURITY_1200BITS;
+	if (n < DH_STANDARDS_P_MIN_BIT)
+		return 0;
+
+	/*
+	 * To ensure that the output is non-decreasing with respect to n,
+	 * a cap needs to be applied to the two values where the function over
+	 * estimates the strength (according to the above fast path).
+	 */
+	if (n <= DH_STANDARDS_P_7680BIT)
+		cap = DH_P_SECURITY_192BITS;
+	else if (n <= DH_STANDARDS_P_15360BIT)
+		cap = DH_P_SECURITY_256BITS;
+	else
+		cap = DH_P_SECURITY_1200BITS;
+
+	x = n * DH_LOG_2;
+	lx = ilog_e(x);
+	y = (uint16_t)((mul2(DH_C1_923, icbrt64(mul2(mul2(x, lx), lx))) - DH_C4_690)
+			/ DH_LOG_2);
+	y = (y + DH_CAI_NUM4) & ~DH_CAI_NUM7;
+	if (y > cap)
+		y = cap;
+	return y;
+}
diff --git a/src/uadk_prov_ffc.h b/src/uadk_prov_ffc.h
index d63a5ce..1e1536a 100644
--- a/src/uadk_prov_ffc.h
+++ b/src/uadk_prov_ffc.h
@@ -106,6 +106,42 @@
 			0, BN_FLG_STATIC_DATA		\
 	}					\
 
+/* Define some constants, none exceed 32 bits */
+#define DH_LOG_2					0x02c5c8
+#define DH_LOG_E					0x05c551
+#define DH_C1_923					0x07b126
+#define DH_C4_690					0x12c28f
+#define DH_CBRT_SCALE				(1 << (2 * 18 / 3))
+#define DH_SCALE					(1 << 18)
+#define DH_MAX_EXPONENT				63
+#define DH_EXPONENT_SHIFT_3			3
+
+/* modulus size */
+#define DH_STANDARDS_P_2048BIT		2048
+#define DH_STANDARDS_P_3072BIT		3072
+#define DH_STANDARDS_P_4096BIT		4096
+#define DH_STANDARDS_P_6144BIT		6144
+#define DH_STANDARDS_P_7680BIT		7680
+#define DH_STANDARDS_P_8192BIT		8192
+#define DH_STANDARDS_P_15360BIT		15360
+#define DH_STANDARDS_P_MAX_BIT		687737
+#define DH_STANDARDS_P_MIN_BIT		8
+
+
+/* security bits */
+#define DH_P_SECURITY_112BITS		112
+#define DH_P_SECURITY_128BITS		128
+#define DH_P_SECURITY_152BITS		152
+#define DH_P_SECURITY_176BITS		176
+#define DH_P_SECURITY_192BITS		192
+#define DH_P_SECURITY_200BITS		200
+#define DH_P_SECURITY_256BITS		256
+#define DH_P_SECURITY_1200BITS		1200
+
+/* constant adjustment item */
+#define DH_CAI_NUM4		4
+#define DH_CAI_NUM7		7
+
 /*
  * Finite field cryptography (FFC) domain parameters are used by DH and DSA.
  * Refer to FIPS186_4 Appendix A & B.
@@ -325,5 +361,5 @@ int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx,
 int ossl_ffc_params_FIPS186_4_generate(OSSL_LIB_CTX *libctx, FFC_PARAMS *params,
 				       int type, size_t L, size_t N,
 				       int *res, BN_GENCB *cb);
-
+uint16_t ossl_ifc_ffc_compute_security_bits(int n);
 #endif
-- 
2.33.0

    

[Acc] [PATCH 07/22] uadk_provider:fix dh insufficient performance

Qi Tao