grpc 0.12.0 → 0.13.0.pre1.1

data/third_party/boringssl/crypto/des/internal.h

@@ -0,0 +1,212 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_DES_INTERNAL_H
+#define OPENSSL_HEADER_DES_INTERNAL_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#define c2l(c, l)                                                 \
+  (l = ((uint32_t)(*((c)++))), l |= ((uint32_t)(*((c)++))) << 8L, \
+   l |= ((uint32_t)(*((c)++))) << 16L, l |= ((uint32_t)(*((c)++))) << 24L)
+
+#define l2c(l, c)                                   \
+  (*((c)++) = (unsigned char)(((l)) & 0xff),        \
+   *((c)++) = (unsigned char)(((l) >> 8L) & 0xff),  \
+   *((c)++) = (unsigned char)(((l) >> 16L) & 0xff), \
+   *((c)++) = (unsigned char)(((l) >> 24L) & 0xff))
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c, l1, l2, n)                   \
+  {                                          \
+    c += n;                                  \
+    l1 = l2 = 0;                             \
+    switch (n) {                             \
+      case 8:                                \
+        l2 = ((uint32_t)(*(--(c)))) << 24L;  \
+      case 7:                                \
+        l2 |= ((uint32_t)(*(--(c)))) << 16L; \
+      case 6:                                \
+        l2 |= ((uint32_t)(*(--(c)))) << 8L;  \
+      case 5:                                \
+        l2 |= ((uint32_t)(*(--(c))));        \
+      case 4:                                \
+        l1 = ((uint32_t)(*(--(c)))) << 24L;  \
+      case 3:                                \
+        l1 |= ((uint32_t)(*(--(c)))) << 16L; \
+      case 2:                                \
+        l1 |= ((uint32_t)(*(--(c)))) << 8L;  \
+      case 1:                                \
+        l1 |= ((uint32_t)(*(--(c))));        \
+    }                                        \
+  }
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1, l2, c, n)                                \
+  {                                                       \
+    c += n;                                               \
+    switch (n) {                                          \
+      case 8:                                             \
+        *(--(c)) = (unsigned char)(((l2) >> 24L) & 0xff); \
+      case 7:                                             \
+        *(--(c)) = (unsigned char)(((l2) >> 16L) & 0xff); \
+      case 6:                                             \
+        *(--(c)) = (unsigned char)(((l2) >> 8L) & 0xff);  \
+      case 5:                                             \
+        *(--(c)) = (unsigned char)(((l2)) & 0xff);        \
+      case 4:                                             \
+        *(--(c)) = (unsigned char)(((l1) >> 24L) & 0xff); \
+      case 3:                                             \
+        *(--(c)) = (unsigned char)(((l1) >> 16L) & 0xff); \
+      case 2:                                             \
+        *(--(c)) = (unsigned char)(((l1) >> 8L) & 0xff);  \
+      case 1:                                             \
+        *(--(c)) = (unsigned char)(((l1)) & 0xff);        \
+    }                                                     \
+  }
+
+/* IP and FP
+ * The problem is more of a geometric problem that random bit fiddling.
+ 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
+ 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
+16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
+24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
+
+32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
+40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
+48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
+56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
+
+The output has been subject to swaps of the form
+0 1 -> 3 1 but the odd and even bits have been put into
+2 3    2 0
+different words.  The main trick is to remember that
+t=((l>>size)^r)&(mask);
+r^=t;
+l^=(t<<size);
+can be used to swap and move bits between words.
+
+So l =  0  1  2  3  r = 16 17 18 19
+        4  5  6  7      20 21 22 23
+        8  9 10 11      24 25 26 27
+       12 13 14 15      28 29 30 31
+becomes (for size == 2 and mask == 0x3333)
+   t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
+         6^20  7^21 -- --        4  5 20 21       6  7 22 23
+        10^24 11^25 -- --        8  9 24 25      10 11 24 25
+        14^28 15^29 -- --       12 13 28 29      14 15 28 29
+
+Thanks for hints from Richard Outerbridge - he told me IP&FP
+could be done in 15 xor, 10 shifts and 5 ands.
+When I finally started to think of the problem in 2D
+I first got ~42 operations without xors.  When I remembered
+how to use xors :-) I got it to its final state.
+*/
+#define PERM_OP(a, b, t, n, m) \
+  ((t) = ((((a) >> (n)) ^ (b)) & (m)), (b) ^= (t), (a) ^= ((t) << (n)))
+
+#define IP(l, r)                        \
+  {                                     \
+    uint32_t tt;                        \
+    PERM_OP(r, l, tt, 4, 0x0f0f0f0fL);  \
+    PERM_OP(l, r, tt, 16, 0x0000ffffL); \
+    PERM_OP(r, l, tt, 2, 0x33333333L);  \
+    PERM_OP(l, r, tt, 8, 0x00ff00ffL);  \
+    PERM_OP(r, l, tt, 1, 0x55555555L);  \
+  }
+
+#define FP(l, r)                        \
+  {                                     \
+    uint32_t tt;                        \
+    PERM_OP(l, r, tt, 1, 0x55555555L);  \
+    PERM_OP(r, l, tt, 8, 0x00ff00ffL);  \
+    PERM_OP(l, r, tt, 2, 0x33333333L);  \
+    PERM_OP(r, l, tt, 16, 0x0000ffffL); \
+    PERM_OP(l, r, tt, 4, 0x0f0f0f0fL);  \
+  }
+
+#define LOAD_DATA(ks, R, S, u, t, E0, E1) \
+  u = R ^ ks->subkeys[S][0];              \
+  t = R ^ ks->subkeys[S][1]
+
+#define D_ENCRYPT(ks, LL, R, S)                                                \
+  {                                                                            \
+    LOAD_DATA(ks, R, S, u, t, E0, E1);                                         \
+    t = ROTATE(t, 4);                                                          \
+    LL ^=                                                                      \
+        DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \
+        DES_SPtrans[4][(u >> 18L) & 0x3f] ^                                    \
+        DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \
+        DES_SPtrans[3][(t >> 10L) & 0x3f] ^                                    \
+        DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \
+  }
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+#define ROTATE(a, n) (((a) >> (n)) + ((a) << (32 - (n))))
+
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#endif /* OPENSSL_HEADER_DES_INTERNAL_H */

data/third_party/boringssl/crypto/dh/check.c

@@ -0,0 +1,180 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/dh.h>
+
+#include <openssl/bn.h>
+
+#include "internal.h"
+
+
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {
+  int ok = 0;
+  BIGNUM q;
+
+  *ret = 0;
+  BN_init(&q);
+  if (!BN_set_word(&q, 1)) {
+    goto err;
+  }
+
+  if (BN_cmp(pub_key, &q) <= 0) {
+    *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
+  }
+  if (!BN_copy(&q, dh->p) ||
+      !BN_sub_word(&q, 1)) {
+    goto err;
+  }
+  if (BN_cmp(pub_key, &q) >= 0) {
+    *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+  }
+
+  ok = 1;
+
+err:
+  BN_free(&q);
+  return ok;
+}
+
+
+int DH_check(const DH *dh, int *ret) {
+  /* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
+   * suitable generator where:
+   *   for 2, p mod 24 == 11
+   *   for 3, p mod 12 == 5
+   *   for 5, p mod 10 == 3 or 7
+   * should hold.
+   */
+  int ok = 0;
+  BN_CTX *ctx = NULL;
+  BN_ULONG l;
+  BIGNUM *t1 = NULL, *t2 = NULL;
+
+  *ret = 0;
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    goto err;
+  }
+  BN_CTX_start(ctx);
+  t1 = BN_CTX_get(ctx);
+  if (t1 == NULL) {
+    goto err;
+  }
+  t2 = BN_CTX_get(ctx);
+  if (t2 == NULL) {
+    goto err;
+  }
+
+  if (dh->q) {
+    if (BN_cmp(dh->g, BN_value_one()) <= 0) {
+      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+    } else if (BN_cmp(dh->g, dh->p) >= 0) {
+      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+    } else {
+      /* Check g^q == 1 mod p */
+      if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) {
+        goto err;
+      }
+      if (!BN_is_one(t1)) {
+        *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+      }
+    }
+    if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL)) {
+      *ret |= DH_CHECK_Q_NOT_PRIME;
+    }
+    /* Check p == 1 mod q  i.e. q divides p - 1 */
+    if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
+      goto err;
+    }
+    if (!BN_is_one(t2)) {
+      *ret |= DH_CHECK_INVALID_Q_VALUE;
+    }
+    if (dh->j && BN_cmp(dh->j, t1)) {
+      *ret |= DH_CHECK_INVALID_J_VALUE;
+    }
+  } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+    l = BN_mod_word(dh->p, 24);
+    if (l != 11) {
+      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+    }
+  } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+    l = BN_mod_word(dh->p, 10);
+    if (l != 3 && l != 7) {
+      *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
+    }
+  } else {
+    *ret |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;
+  }
+
+  if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL)) {
+    *ret |= DH_CHECK_P_NOT_PRIME;
+  } else if (!dh->q) {
+    if (!BN_rshift1(t1, dh->p)) {
+      goto err;
+    }
+    if (!BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL)) {
+      *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+    }
+  }
+  ok = 1;
+
+err:
+  if (ctx != NULL) {
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+  }
+  return ok;
+}

data/third_party/boringssl/crypto/dh/dh.c

@@ -0,0 +1,463 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/dh.h>
+
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/buf.h>
+#include <openssl/err.h>
+#include <openssl/ex_data.h>
+#include <openssl/mem.h>
+#include <openssl/thread.h>
+
+#include "internal.h"
+#include "../internal.h"
+
+
+#define OPENSSL_DH_MAX_MODULUS_BITS 10000
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
+DH *DH_new(void) {
+  DH *dh = (DH *)OPENSSL_malloc(sizeof(DH));
+  if (dh == NULL) {
+    OPENSSL_PUT_ERROR(DH, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  memset(dh, 0, sizeof(DH));
+
+  CRYPTO_MUTEX_init(&dh->method_mont_p_lock);
+
+  dh->references = 1;
+  CRYPTO_new_ex_data(&dh->ex_data);
+
+  return dh;
+}
+
+void DH_free(DH *dh) {
+  if (dh == NULL) {
+    return;
+  }
+
+  if (!CRYPTO_refcount_dec_and_test_zero(&dh->references)) {
+    return;
+  }
+
+  CRYPTO_free_ex_data(&g_ex_data_class, dh, &dh->ex_data);
+
+  BN_MONT_CTX_free(dh->method_mont_p);
+  BN_clear_free(dh->p);
+  BN_clear_free(dh->g);
+  BN_clear_free(dh->q);
+  BN_clear_free(dh->j);
+  OPENSSL_free(dh->seed);
+  BN_clear_free(dh->counter);
+  BN_clear_free(dh->pub_key);
+  BN_clear_free(dh->priv_key);
+  CRYPTO_MUTEX_cleanup(&dh->method_mont_p_lock);
+
+  OPENSSL_free(dh);
+}
+
+int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
+  /* We generate DH parameters as follows
+   * find a prime q which is prime_bits/2 bits long.
+   * p=(2*q)+1 or (p-1)/2 = q
+   * For this case, g is a generator if
+   * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
+   * Since the factors of p-1 are q and 2, we just need to check
+   * g^2 mod p != 1 and g^q mod p != 1.
+   *
+   * Having said all that,
+   * there is another special case method for the generators 2, 3 and 5.
+   * for 2, p mod 24 == 11
+   * for 3, p mod 12 == 5  <<<<< does not work for safe primes.
+   * for 5, p mod 10 == 3 or 7
+   *
+   * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
+   * special generators and for answering some of my questions.
+   *
+   * I've implemented the second simple method :-).
+   * Since DH should be using a safe prime (both p and q are prime),
+   * this generator function can take a very very long time to run.
+   */
+
+  /* Actually there is no reason to insist that 'generator' be a generator.
+   * It's just as OK (and in some sense better) to use a generator of the
+   * order-q subgroup.
+   */
+
+  BIGNUM *t1, *t2;
+  int g, ok = 0;
+  BN_CTX *ctx = NULL;
+
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    goto err;
+  }
+  BN_CTX_start(ctx);
+  t1 = BN_CTX_get(ctx);
+  t2 = BN_CTX_get(ctx);
+  if (t1 == NULL || t2 == NULL) {
+    goto err;
+  }
+
+  /* Make sure |dh| has the necessary elements */
+  if (dh->p == NULL) {
+    dh->p = BN_new();
+    if (dh->p == NULL) {
+      goto err;
+    }
+  }
+  if (dh->g == NULL) {
+    dh->g = BN_new();
+    if (dh->g == NULL) {
+      goto err;
+    }
+  }
+
+  if (generator <= 1) {
+    OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+    goto err;
+  }
+  if (generator == DH_GENERATOR_2) {
+    if (!BN_set_word(t1, 24)) {
+      goto err;
+    }
+    if (!BN_set_word(t2, 11)) {
+      goto err;
+    }
+    g = 2;
+  } else if (generator == DH_GENERATOR_5) {
+    if (!BN_set_word(t1, 10)) {
+      goto err;
+    }
+    if (!BN_set_word(t2, 3)) {
+      goto err;
+    }
+    /* BN_set_word(t3,7); just have to miss
+     * out on these ones :-( */
+    g = 5;
+  } else {
+    /* in the general case, don't worry if 'generator' is a
+     * generator or not: since we are using safe primes,
+     * it will generate either an order-q or an order-2q group,
+     * which both is OK */
+    if (!BN_set_word(t1, 2)) {
+      goto err;
+    }
+    if (!BN_set_word(t2, 1)) {
+      goto err;
+    }
+    g = generator;
+  }
+
+  if (!BN_generate_prime_ex(dh->p, prime_bits, 1, t1, t2, cb)) {
+    goto err;
+  }
+  if (!BN_GENCB_call(cb, 3, 0)) {
+    goto err;
+  }
+  if (!BN_set_word(dh->g, g)) {
+    goto err;
+  }
+  ok = 1;
+
+err:
+  if (!ok) {
+    OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
+  }
+
+  if (ctx != NULL) {
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+  }
+  return ok;
+}
+
+int DH_generate_key(DH *dh) {
+  int ok = 0;
+  int generate_new_key = 0;
+  unsigned l;
+  BN_CTX *ctx = NULL;
+  BN_MONT_CTX *mont = NULL;
+  BIGNUM *pub_key = NULL, *priv_key = NULL;
+  BIGNUM local_priv;
+
+  if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+    OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);
+    goto err;
+  }
+
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    goto err;
+  }
+
+  if (dh->priv_key == NULL) {
+    priv_key = BN_new();
+    if (priv_key == NULL) {
+      goto err;
+    }
+    generate_new_key = 1;
+  } else {
+    priv_key = dh->priv_key;
+  }
+
+  if (dh->pub_key == NULL) {
+    pub_key = BN_new();
+    if (pub_key == NULL) {
+      goto err;
+    }
+  } else {
+    pub_key = dh->pub_key;
+  }
+
+  mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,
+                                dh->p, ctx);
+  if (!mont) {
+    goto err;
+  }
+
+  if (generate_new_key) {
+    if (dh->q) {
+      do {
+        if (!BN_rand_range(priv_key, dh->q)) {
+          goto err;
+        }
+      } while (BN_is_zero(priv_key) || BN_is_one(priv_key));
+    } else {
+      /* secret exponent length */
+      DH_check_standard_parameters(dh);
+      l = dh->priv_length ? dh->priv_length : BN_num_bits(dh->p) - 1;
+      if (!BN_rand(priv_key, l, 0, 0)) {
+        goto err;
+      }
+    }
+  }
+
+  BN_with_flags(&local_priv, priv_key, BN_FLG_CONSTTIME);
+  if (!BN_mod_exp_mont(pub_key, dh->g, &local_priv, dh->p, ctx, mont)) {
+    goto err;
+  }
+
+  dh->pub_key = pub_key;
+  dh->priv_key = priv_key;
+  ok = 1;
+
+err:
+  if (ok != 1) {
+    OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
+  }
+
+  if (dh->pub_key == NULL) {
+    BN_free(pub_key);
+  }
+  if (dh->priv_key == NULL) {
+    BN_free(priv_key);
+  }
+  BN_CTX_free(ctx);
+  return ok;
+}
+
+int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
+  BN_CTX *ctx = NULL;
+  BN_MONT_CTX *mont = NULL;
+  BIGNUM *shared_key;
+  int ret = -1;
+  int check_result;
+  BIGNUM local_priv;
+
+  if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+    OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);
+    goto err;
+  }
+
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    goto err;
+  }
+  BN_CTX_start(ctx);
+  shared_key = BN_CTX_get(ctx);
+  if (shared_key == NULL) {
+    goto err;
+  }
+
+  if (dh->priv_key == NULL) {
+    OPENSSL_PUT_ERROR(DH, DH_R_NO_PRIVATE_VALUE);
+    goto err;
+  }
+
+  mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,
+                                dh->p, ctx);
+  if (!mont) {
+    goto err;
+  }
+
+  if (!DH_check_pub_key(dh, peers_key, &check_result) || check_result) {
+    OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PUBKEY);
+    goto err;
+  }
+
+  BN_with_flags(&local_priv, dh->priv_key, BN_FLG_CONSTTIME);
+  if (!BN_mod_exp_mont(shared_key, peers_key, &local_priv, dh->p, ctx,
+                       mont)) {
+    OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
+    goto err;
+  }
+
+  ret = BN_bn2bin(shared_key, out);
+
+err:
+  if (ctx != NULL) {
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+  }
+
+  return ret;
+}
+
+int DH_size(const DH *dh) { return BN_num_bytes(dh->p); }
+
+unsigned DH_num_bits(const DH *dh) { return BN_num_bits(dh->p); }
+
+int DH_up_ref(DH *dh) {
+  CRYPTO_refcount_inc(&dh->references);
+  return 1;
+}
+
+static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) {
+  BIGNUM *a = NULL;
+
+  if (src) {
+    a = BN_dup(src);
+    if (!a) {
+      return 0;
+    }
+  }
+
+  BN_free(*dst);
+  *dst = a;
+  return 1;
+}
+
+static int int_dh_param_copy(DH *to, const DH *from, int is_x942) {
+  if (is_x942 == -1) {
+    is_x942 = !!from->q;
+  }
+  if (!int_dh_bn_cpy(&to->p, from->p) ||
+      !int_dh_bn_cpy(&to->g, from->g)) {
+    return 0;
+  }
+
+  if (!is_x942) {
+    return 1;
+  }
+
+  if (!int_dh_bn_cpy(&to->q, from->q) ||
+      !int_dh_bn_cpy(&to->j, from->j)) {
+    return 0;
+  }
+
+  OPENSSL_free(to->seed);
+  to->seed = NULL;
+  to->seedlen = 0;
+
+  if (from->seed) {
+    to->seed = BUF_memdup(from->seed, from->seedlen);
+    if (!to->seed) {
+      return 0;
+    }
+    to->seedlen = from->seedlen;
+  }
+
+  return 1;
+}
+
+DH *DHparams_dup(const DH *dh) {
+  DH *ret = DH_new();
+  if (!ret) {
+    return NULL;
+  }
+
+  if (!int_dh_param_copy(ret, dh, -1)) {
+    DH_free(ret);
+    return NULL;
+  }
+
+  return ret;
+}
+
+int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
+                        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, dup_func,
+                               free_func)) {
+    return -1;
+  }
+  return index;
+}
+
+int DH_set_ex_data(DH *d, int idx, void *arg) {
+  return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
+}
+
+void *DH_get_ex_data(DH *d, int idx) {
+  return CRYPTO_get_ex_data(&d->ex_data, idx);
+}