kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1256 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 160f4ef14c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '160f4ef14c'
${ noResults }
boringssl/crypto/dsa/dsa_impl.c

768 lines
17 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  *

  57.  * The DSS routines are based on patches supplied by

  58.  * Steven Schoch <schoch@sheba.arc.nasa.gov>. */

  59. 

  60. #include <openssl/dsa.h>

  61. 

  62. #include <string.h>

  63. 

  64. #include <openssl/bn.h>

  65. #include <openssl/digest.h>

  66. #include <openssl/err.h>

  67. #include <openssl/rand.h>

  68. #include <openssl/sha.h>

  69. #include <openssl/thread.h>

  70. 

  71. #include "internal.h"

  72. 

  73. #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

  74. 

  75. /* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of

  76.  * Rabin-Miller */

  77. #define DSS_prime_checks 50

  78. 

  79. static int sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,

  80.                       BIGNUM **rp, const uint8_t *digest, size_t digest_len) {

  81.   BN_CTX *ctx;

  82.   BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;

  83.   int ret = 0;

  84. 

  85.   if (!dsa->p || !dsa->q || !dsa->g) {

  86.     OPENSSL_PUT_ERROR(DSA, sign_setup, DSA_R_MISSING_PARAMETERS);

  87.     return 0;

  88.   }

  89. 

  90.   BN_init(&k);

  91.   BN_init(&kq);

  92. 

  93.   ctx = ctx_in;

  94.   if (ctx == NULL) {

  95.     ctx = BN_CTX_new();

  96.     if (ctx == NULL) {

  97.       goto err;

  98.     }

  99.   }

  100. 

  101.   r = BN_new();

  102.   if (r == NULL) {

  103.     goto err;

  104.   }

  105. 

  106.   /* Get random k */

  107.   do {

  108.     /* If possible, we'll include the private key and message digest in the k

  109.      * generation. The |digest| argument is only empty if |DSA_sign_setup| is

  110.      * being used. */

  111.     int ok;

  112. 

  113.     if (digest_len > 0) {

  114.       ok = BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, digest, digest_len,

  115.                                  ctx);

  116.     } else {

  117.       ok = BN_rand_range(&k, dsa->q);

  118.     }

  119.     if (!ok) {

  120.       goto err;

  121.     }

  122.   } while (BN_is_zero(&k));

  123. 

  124.   BN_set_flags(&k, BN_FLG_CONSTTIME);

  125. 

  126.   if (BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  127.                              (CRYPTO_MUTEX *)&dsa->method_mont_p_lock, dsa->p,

  128.                              ctx) == NULL) {

  129.     goto err;

  130.   }

  131. 

  132.   /* Compute r = (g^k mod p) mod q */

  133.   if (!BN_copy(&kq, &k)) {

  134.     goto err;

  135.   }

  136. 

  137.   /* We do not want timing information to leak the length of k,

  138.    * so we compute g^k using an equivalent exponent of fixed length.

  139.    *

  140.    * (This is a kludge that we need because the BN_mod_exp_mont()

  141.    * does not let us specify the desired timing behaviour.) */

  142. 

  143.   if (!BN_add(&kq, &kq, dsa->q)) {

  144.     goto err;

  145.   }

  146.   if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {

  147.     goto err;

  148.   }

  149. 

  150.   K = &kq;

  151. 

  152.   if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p)) {

  153.     goto err;

  154.   }

  155.   if (!BN_mod(r, r, dsa->q, ctx)) {

  156.     goto err;

  157.   }

  158. 

  159.   /* Compute  part of 's = inv(k) (m + xr) mod q' */

  160.   kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx);

  161.   if (kinv == NULL) {

  162.     goto err;

  163.   }

  164. 

  165.   if (*kinvp != NULL) {

  166.     BN_clear_free(*kinvp);

  167.   }

  168.   *kinvp = kinv;

  169.   kinv = NULL;

  170.   if (*rp != NULL) {

  171.     BN_clear_free(*rp);

  172.   }

  173.   *rp = r;

  174.   ret = 1;

  175. 

  176. err:

  177.   if (!ret) {

  178.     OPENSSL_PUT_ERROR(DSA, sign_setup, ERR_R_BN_LIB);

  179.     if (r != NULL) {

  180.       BN_clear_free(r);

  181.     }

  182.   }

  183. 

  184.   if (ctx_in == NULL) {

  185.     BN_CTX_free(ctx);

  186.   }

  187.   BN_clear_free(&k);

  188.   BN_clear_free(&kq);

  189.   return ret;

  190. }

  191. 

  192. static DSA_SIG *sign(const uint8_t *digest, size_t digest_len, DSA *dsa) {

  193.   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;

  194.   BIGNUM m;

  195.   BIGNUM xr;

  196.   BN_CTX *ctx = NULL;

  197.   int reason = ERR_R_BN_LIB;

  198.   DSA_SIG *ret = NULL;

  199.   int noredo = 0;

  200. 

  201.   BN_init(&m);

  202.   BN_init(&xr);

  203. 

  204.   if (!dsa->p || !dsa->q || !dsa->g) {

  205.     reason = DSA_R_MISSING_PARAMETERS;

  206.     goto err;

  207.   }

  208. 

  209.   s = BN_new();

  210.   if (s == NULL) {

  211.     goto err;

  212.   }

  213.   ctx = BN_CTX_new();

  214.   if (ctx == NULL) {

  215.     goto err;

  216.   }

  217. 

  218. redo:

  219.   if (dsa->kinv == NULL || dsa->r == NULL) {

  220.     if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) {

  221.       goto err;

  222.     }

  223.   } else {

  224.     kinv = dsa->kinv;

  225.     dsa->kinv = NULL;

  226.     r = dsa->r;

  227.     dsa->r = NULL;

  228.     noredo = 1;

  229.   }

  230. 

  231.   if (digest_len > BN_num_bytes(dsa->q)) {

  232.     /* if the digest length is greater than the size of q use the

  233.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  234.      * fips 186-3, 4.2 */

  235.     digest_len = BN_num_bytes(dsa->q);

  236.   }

  237. 

  238.   if (BN_bin2bn(digest, digest_len, &m) == NULL) {

  239.     goto err;

  240.   }

  241. 

  242.   /* Compute  s = inv(k) (m + xr) mod q */

  243.   if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {

  244.     goto err; /* s = xr */

  245.   }

  246.   if (!BN_add(s, &xr, &m)) {

  247.     goto err; /* s = m + xr */

  248.   }

  249.   if (BN_cmp(s, dsa->q) > 0) {

  250.     if (!BN_sub(s, s, dsa->q)) {

  251.       goto err;

  252.     }

  253.   }

  254.   if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {

  255.     goto err;

  256.   }

  257. 

  258.   ret = DSA_SIG_new();

  259.   if (ret == NULL) {

  260.     goto err;

  261.   }

  262.   /* Redo if r or s is zero as required by FIPS 186-3: this is

  263.    * very unlikely. */

  264.   if (BN_is_zero(r) || BN_is_zero(s)) {

  265.     if (noredo) {

  266.       reason = DSA_R_NEED_NEW_SETUP_VALUES;

  267.       goto err;

  268.     }

  269.     goto redo;

  270.   }

  271.   ret->r = r;

  272.   ret->s = s;

  273. 

  274. err:

  275.   if (!ret) {

  276.     OPENSSL_PUT_ERROR(DSA, sign, reason);

  277.     BN_free(r);

  278.     BN_free(s);

  279.   }

  280.   if (ctx != NULL) {

  281.     BN_CTX_free(ctx);

  282.   }

  283.   BN_clear_free(&m);

  284.   BN_clear_free(&xr);

  285.   if (kinv != NULL) {

  286.     /* dsa->kinv is NULL now if we used it */

  287.     BN_clear_free(kinv);

  288.   }

  289. 

  290.   return ret;

  291. }

  292. 

  293. static int verify(int *out_valid, const uint8_t *dgst, size_t digest_len,

  294.                   DSA_SIG *sig, const DSA *dsa) {

  295.   BN_CTX *ctx;

  296.   BIGNUM u1, u2, t1;

  297.   BN_MONT_CTX *mont = NULL;

  298.   int ret = 0;

  299.   unsigned i;

  300. 

  301.   *out_valid = 0;

  302. 

  303.   if (!dsa->p || !dsa->q || !dsa->g) {

  304.     OPENSSL_PUT_ERROR(DSA, verify, DSA_R_MISSING_PARAMETERS);

  305.     return 0;

  306.   }

  307. 

  308.   i = BN_num_bits(dsa->q);

  309.   /* fips 186-3 allows only different sizes for q */

  310.   if (i != 160 && i != 224 && i != 256) {

  311.     OPENSSL_PUT_ERROR(DSA, verify, DSA_R_BAD_Q_VALUE);

  312.     return 0;

  313.   }

  314. 

  315.   if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {

  316.     OPENSSL_PUT_ERROR(DSA, verify, DSA_R_MODULUS_TOO_LARGE);

  317.     return 0;

  318.   }

  319. 

  320.   BN_init(&u1);

  321.   BN_init(&u2);

  322.   BN_init(&t1);

  323. 

  324.   ctx = BN_CTX_new();

  325.   if (ctx == NULL) {

  326.     goto err;

  327.   }

  328. 

  329.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  330.       BN_ucmp(sig->r, dsa->q) >= 0) {

  331.     ret = 1;

  332.     goto err;

  333.   }

  334.   if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||

  335.       BN_ucmp(sig->s, dsa->q) >= 0) {

  336.     ret = 1;

  337.     goto err;

  338.   }

  339. 

  340.   /* Calculate W = inv(S) mod Q

  341.    * save W in u2 */

  342.   if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {

  343.     goto err;

  344.   }

  345. 

  346.   /* save M in u1 */

  347.   if (digest_len > (i >> 3)) {

  348.     /* if the digest length is greater than the size of q use the

  349.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  350.      * fips 186-3, 4.2 */

  351.     digest_len = (i >> 3);

  352.   }

  353. 

  354.   if (BN_bin2bn(dgst, digest_len, &u1) == NULL) {

  355.     goto err;

  356.   }

  357. 

  358.   /* u1 = M * w mod q */

  359.   if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {

  360.     goto err;

  361.   }

  362. 

  363.   /* u2 = r * w mod q */

  364.   if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {

  365.     goto err;

  366.   }

  367. 

  368.   mont = BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  369.                                 (CRYPTO_MUTEX *)&dsa->method_mont_p_lock,

  370.                                 dsa->p, ctx);

  371.   if (!mont) {

  372.     goto err;

  373.   }

  374. 

  375.   if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,

  376.                         mont)) {

  377.     goto err;

  378.   }

  379. 

  380.   /* BN_copy(&u1,&t1); */

  381.   /* let u1 = u1 mod q */

  382.   if (!BN_mod(&u1, &t1, dsa->q, ctx)) {

  383.     goto err;

  384.   }

  385. 

  386.   /* V is now in u1.  If the signature is correct, it will be

  387.    * equal to R. */

  388.   *out_valid = BN_ucmp(&u1, sig->r) == 0;

  389.   ret = 1;

  390. 

  391. err:

  392.   if (ret != 1) {

  393.     OPENSSL_PUT_ERROR(DSA, verify, ERR_R_BN_LIB);

  394.   }

  395.   if (ctx != NULL) {

  396.     BN_CTX_free(ctx);

  397.   }

  398.   BN_free(&u1);

  399.   BN_free(&u2);

  400.   BN_free(&t1);

  401. 

  402.   return ret;

  403. }

  404. 

  405. static int keygen(DSA *dsa) {

  406.   int ok = 0;

  407.   BN_CTX *ctx = NULL;

  408.   BIGNUM *pub_key = NULL, *priv_key = NULL;

  409.   BIGNUM prk;

  410. 

  411.   ctx = BN_CTX_new();

  412.   if (ctx == NULL) {

  413.     goto err;

  414.   }

  415. 

  416.   priv_key = dsa->priv_key;

  417.   if (priv_key == NULL) {

  418.     priv_key = BN_new();

  419.     if (priv_key == NULL) {

  420.       goto err;

  421.     }

  422.   }

  423. 

  424.   do {

  425.     if (!BN_rand_range(priv_key, dsa->q)) {

  426.       goto err;

  427.     }

  428.   } while (BN_is_zero(priv_key));

  429. 

  430.   pub_key = dsa->pub_key;

  431.   if (pub_key == NULL) {

  432.     pub_key = BN_new();

  433.     if (pub_key == NULL) {

  434.       goto err;

  435.     }

  436.   }

  437. 

  438.   BN_init(&prk);

  439.   BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);

  440. 

  441.   if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) {

  442.     goto err;

  443.   }

  444. 

  445.   dsa->priv_key = priv_key;

  446.   dsa->pub_key = pub_key;

  447.   ok = 1;

  448. 

  449. err:

  450.   if (pub_key != NULL && dsa->pub_key == NULL) {

  451.     BN_free(pub_key);

  452.   }

  453.   if (priv_key != NULL && dsa->priv_key == NULL) {

  454.     BN_free(priv_key);

  455.   }

  456.   if (ctx != NULL) {

  457.     BN_CTX_free(ctx);

  458.   }

  459. 

  460.   return ok;

  461. }

  462. 

  463. static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,

  464.                     size_t seed_len, int *counter_ret, unsigned long *h_ret,

  465.                     BN_GENCB *cb) {

  466.   int ok = 0;

  467.   unsigned char seed[SHA256_DIGEST_LENGTH];

  468.   unsigned char md[SHA256_DIGEST_LENGTH];

  469.   unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];

  470.   BIGNUM *r0, *W, *X, *c, *test;

  471.   BIGNUM *g = NULL, *q = NULL, *p = NULL;

  472.   BN_MONT_CTX *mont = NULL;

  473.   int k, n = 0, m = 0;

  474.   unsigned i;

  475.   int counter = 0;

  476.   int r = 0;

  477.   BN_CTX *ctx = NULL;

  478.   unsigned int h = 2;

  479.   unsigned qbits, qsize;

  480.   const EVP_MD *evpmd;

  481. 

  482.   if (bits >= 2048) {

  483.     qbits = 256;

  484.     evpmd = EVP_sha256();

  485.   } else {

  486.     qbits = 160;

  487.     evpmd = EVP_sha1();

  488.   }

  489.   qsize = qbits / 8;

  490. 

  491.   if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&

  492.       qsize != SHA256_DIGEST_LENGTH) {

  493.     /* invalid q size */

  494.     return 0;

  495.   }

  496. 

  497.   if (bits < 512) {

  498.     bits = 512;

  499.   }

  500. 

  501.   bits = (bits + 63) / 64 * 64;

  502. 

  503.   /* NB: seed_len == 0 is special case: copy generated seed to

  504.    * seed_in if it is not NULL. */

  505.   if (seed_len && (seed_len < (size_t)qsize)) {

  506.     seed_in = NULL; /* seed buffer too small -- ignore */

  507.   }

  508.   if (seed_len > (size_t)qsize) {

  509.     seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,

  510.                        * but our internal buffers are restricted to 160 bits*/

  511.   }

  512.   if (seed_in != NULL) {

  513.     memcpy(seed, seed_in, seed_len);

  514.   }

  515. 

  516.   ctx = BN_CTX_new();

  517.   mont = BN_MONT_CTX_new();

  518.   if (ctx == NULL || mont == NULL) {

  519.     goto err;

  520.   }

  521. 

  522.   BN_CTX_start(ctx);

  523.   r0 = BN_CTX_get(ctx);

  524.   g = BN_CTX_get(ctx);

  525.   W = BN_CTX_get(ctx);

  526.   q = BN_CTX_get(ctx);

  527.   X = BN_CTX_get(ctx);

  528.   c = BN_CTX_get(ctx);

  529.   p = BN_CTX_get(ctx);

  530.   test = BN_CTX_get(ctx);

  531. 

  532.   if (!BN_lshift(test, BN_value_one(), bits - 1)) {

  533.     goto err;

  534.   }

  535. 

  536.   for (;;) {

  537.     /* Find q. */

  538.     for (;;) {

  539.       int seed_is_random;

  540. 

  541.       /* step 1 */

  542.       if (!BN_GENCB_call(cb, 0, m++)) {

  543.         goto err;

  544.       }

  545. 

  546.       if (!seed_len) {

  547.         if (!RAND_bytes(seed, qsize)) {

  548.           goto err;

  549.         }

  550.         seed_is_random = 1;

  551.       } else {

  552.         seed_is_random = 0;

  553.         seed_len = 0; /* use random seed if 'seed_in' turns out to be bad*/

  554.       }

  555.       memcpy(buf, seed, qsize);

  556.       memcpy(buf2, seed, qsize);

  557.       /* precompute "SEED + 1" for step 7: */

  558.       for (i = qsize - 1; i < qsize; i--) {

  559.         buf[i]++;

  560.         if (buf[i] != 0) {

  561.           break;

  562.         }

  563.       }

  564. 

  565.       /* step 2 */

  566.       if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||

  567.           !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {

  568.         goto err;

  569.       }

  570.       for (i = 0; i < qsize; i++) {

  571.         md[i] ^= buf2[i];

  572.       }

  573. 

  574.       /* step 3 */

  575.       md[0] |= 0x80;

  576.       md[qsize - 1] |= 0x01;

  577.       if (!BN_bin2bn(md, qsize, q)) {

  578.         goto err;

  579.       }

  580. 

  581.       /* step 4 */

  582.       r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb);

  583.       if (r > 0) {

  584.         break;

  585.       }

  586.       if (r != 0) {

  587.         goto err;

  588.       }

  589. 

  590.       /* do a callback call */

  591.       /* step 5 */

  592.     }

  593. 

  594.     if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {

  595.       goto err;

  596.     }

  597. 

  598.     /* step 6 */

  599.     counter = 0;

  600.     /* "offset = 2" */

  601. 

  602.     n = (bits - 1) / 160;

  603. 

  604.     for (;;) {

  605.       if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {

  606.         goto err;

  607.       }

  608. 

  609.       /* step 7 */

  610.       BN_zero(W);

  611.       /* now 'buf' contains "SEED + offset - 1" */

  612.       for (k = 0; k <= n; k++) {

  613.         /* obtain "SEED + offset + k" by incrementing: */

  614.         for (i = qsize - 1; i < qsize; i--) {

  615.           buf[i]++;

  616.           if (buf[i] != 0) {

  617.             break;

  618.           }

  619.         }

  620. 

  621.         if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {

  622.           goto err;

  623.         }

  624. 

  625.         /* step 8 */

  626.         if (!BN_bin2bn(md, qsize, r0) ||

  627.             !BN_lshift(r0, r0, (qsize << 3) * k) ||

  628.             !BN_add(W, W, r0)) {

  629.           goto err;

  630.         }

  631.       }

  632. 

  633.       /* more of step 8 */

  634.       if (!BN_mask_bits(W, bits - 1) ||

  635.           !BN_copy(X, W) ||

  636.           !BN_add(X, X, test)) {

  637.         goto err;

  638.       }

  639. 

  640.       /* step 9 */

  641.       if (!BN_lshift1(r0, q) ||

  642.           !BN_mod(c, X, r0, ctx) ||

  643.           !BN_sub(r0, c, BN_value_one()) ||

  644.           !BN_sub(p, X, r0)) {

  645.         goto err;

  646.       }

  647. 

  648.       /* step 10 */

  649.       if (BN_cmp(p, test) >= 0) {

  650.         /* step 11 */

  651.         r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);

  652.         if (r > 0) {

  653.           goto end; /* found it */

  654.         }

  655.         if (r != 0) {

  656.           goto err;

  657.         }

  658.       }

  659. 

  660.       /* step 13 */

  661.       counter++;

  662.       /* "offset = offset + n + 1" */

  663. 

  664.       /* step 14 */

  665.       if (counter >= 4096) {

  666.         break;

  667.       }

  668.     }

  669.   }

  670. end:

  671.   if (!BN_GENCB_call(cb, 2, 1)) {

  672.     goto err;

  673.   }

  674. 

  675.   /* We now need to generate g */

  676.   /* Set r0=(p-1)/q */

  677.   if (!BN_sub(test, p, BN_value_one()) ||

  678.       !BN_div(r0, NULL, test, q, ctx)) {

  679.     goto err;

  680.   }

  681. 

  682.   if (!BN_set_word(test, h) ||

  683.       !BN_MONT_CTX_set(mont, p, ctx)) {

  684.     goto err;

  685.   }

  686. 

  687.   for (;;) {

  688.     /* g=test^r0%p */

  689.     if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {

  690.       goto err;

  691.     }

  692.     if (!BN_is_one(g)) {

  693.       break;

  694.     }

  695.     if (!BN_add(test, test, BN_value_one())) {

  696.       goto err;

  697.     }

  698.     h++;

  699.   }

  700. 

  701.   if (!BN_GENCB_call(cb, 3, 1)) {

  702.     goto err;

  703.   }

  704. 

  705.   ok = 1;

  706. 

  707. err:

  708.   if (ok) {

  709.     if (ret->p) {

  710.       BN_free(ret->p);

  711.     }

  712.     if (ret->q) {

  713.       BN_free(ret->q);

  714.     }

  715.     if (ret->g) {

  716.       BN_free(ret->g);

  717.     }

  718.     ret->p = BN_dup(p);

  719.     ret->q = BN_dup(q);

  720.     ret->g = BN_dup(g);

  721.     if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {

  722.       ok = 0;

  723.       goto err;

  724.     }

  725.     if (counter_ret != NULL) {

  726.       *counter_ret = counter;

  727.     }

  728.     if (h_ret != NULL) {

  729.       *h_ret = h;

  730.     }

  731.   }

  732. 

  733.   if (ctx) {

  734.     BN_CTX_end(ctx);

  735.     BN_CTX_free(ctx);

  736.   }

  737. 

  738.   if (mont != NULL) {

  739.     BN_MONT_CTX_free(mont);

  740.   }

  741. 

  742.   return ok;

  743. }

  744. 

  745. static int finish(DSA *dsa) {

  746.   BN_MONT_CTX_free(dsa->method_mont_p);

  747.   dsa->method_mont_p = NULL;

  748.   return 1;

  749. }

  750. 

  751. const struct dsa_method DSA_default_method = {

  752.   {

  753.     0 /* references */,

  754.     1 /* is_static */,

  755.   },

  756.   NULL /* app_data */,

  757. 

  758.   NULL /* init */,

  759.   finish /* finish */,

  760. 

  761.   sign,

  762.   sign_setup,

  763.   verify,

  764. 

  765.   paramgen,

  766.   keygen,

  767. };