kris
/
boringssl
1
0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 활동
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4666 커밋
12 브랜치
38 MiB
 
 
 
 
 
 
트리: 23c25d5b3a
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from '23c25d5b3a'
${ noResults }
boringssl/crypto/dsa/dsa.c

997 lines
23 KiB
Raw Blame 히스토리 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  *

  57.  * The DSS routines are based on patches supplied by

  58.  * Steven Schoch <schoch@sheba.arc.nasa.gov>. */

  59. 

  60. #include <openssl/dsa.h>

  61. 

  62. #include <string.h>

  63. 

  64. #include <openssl/bn.h>

  65. #include <openssl/dh.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/engine.h>

  68. #include <openssl/err.h>

  69. #include <openssl/ex_data.h>

  70. #include <openssl/mem.h>

  71. #include <openssl/rand.h>

  72. #include <openssl/sha.h>

  73. #include <openssl/thread.h>

  74. 

  75. #include "../fipsmodule/bn/internal.h"

  76. #include "../internal.h"

  77. 

  78. 

  79. #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

  80. 

  81. // Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of

  82. // Rabin-Miller

  83. #define DSS_prime_checks 50

  84. 

  85. static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;

  86. 

  87. DSA *DSA_new(void) {

  88.   DSA *dsa = OPENSSL_malloc(sizeof(DSA));

  89.   if (dsa == NULL) {

  90.     OPENSSL_PUT_ERROR(DSA, ERR_R_MALLOC_FAILURE);

  91.     return NULL;

  92.   }

  93. 

  94.   OPENSSL_memset(dsa, 0, sizeof(DSA));

  95. 

  96.   dsa->references = 1;

  97. 

  98.   CRYPTO_MUTEX_init(&dsa->method_mont_lock);

  99.   CRYPTO_new_ex_data(&dsa->ex_data);

  100. 

  101.   return dsa;

  102. }

  103. 

  104. void DSA_free(DSA *dsa) {

  105.   if (dsa == NULL) {

  106.     return;

  107.   }

  108. 

  109.   if (!CRYPTO_refcount_dec_and_test_zero(&dsa->references)) {

  110.     return;

  111.   }

  112. 

  113.   CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);

  114. 

  115.   BN_clear_free(dsa->p);

  116.   BN_clear_free(dsa->q);

  117.   BN_clear_free(dsa->g);

  118.   BN_clear_free(dsa->pub_key);

  119.   BN_clear_free(dsa->priv_key);

  120.   BN_clear_free(dsa->kinv);

  121.   BN_clear_free(dsa->r);

  122.   BN_MONT_CTX_free(dsa->method_mont_p);

  123.   BN_MONT_CTX_free(dsa->method_mont_q);

  124.   CRYPTO_MUTEX_cleanup(&dsa->method_mont_lock);

  125.   OPENSSL_free(dsa);

  126. }

  127. 

  128. int DSA_up_ref(DSA *dsa) {

  129.   CRYPTO_refcount_inc(&dsa->references);

  130.   return 1;

  131. }

  132. 

  133. void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,

  134.                   const BIGNUM **out_priv_key) {

  135.   if (out_pub_key != NULL) {

  136.     *out_pub_key = dsa->pub_key;

  137.   }

  138.   if (out_priv_key != NULL) {

  139.     *out_priv_key = dsa->priv_key;

  140.   }

  141. }

  142. 

  143. void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,

  144.                   const BIGNUM **out_g) {

  145.   if (out_p != NULL) {

  146.     *out_p = dsa->p;

  147.   }

  148.   if (out_q != NULL) {

  149.     *out_q = dsa->q;

  150.   }

  151.   if (out_g != NULL) {

  152.     *out_g = dsa->g;

  153.   }

  154. }

  155. 

  156. int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) {

  157.   if (dsa->pub_key == NULL && pub_key == NULL) {

  158.     return 0;

  159.   }

  160. 

  161.   if (pub_key != NULL) {

  162.     BN_free(dsa->pub_key);

  163.     dsa->pub_key = pub_key;

  164.   }

  165.   if (priv_key != NULL) {

  166.     BN_free(dsa->priv_key);

  167.     dsa->priv_key = priv_key;

  168.   }

  169. 

  170.   return 1;

  171. }

  172. 

  173. int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) {

  174.   if ((dsa->p == NULL && p == NULL) ||

  175.       (dsa->q == NULL && q == NULL) ||

  176.       (dsa->g == NULL && g == NULL)) {

  177.     return 0;

  178.   }

  179. 

  180.   if (p != NULL) {

  181.     BN_free(dsa->p);

  182.     dsa->p = p;

  183.   }

  184.   if (q != NULL) {

  185.     BN_free(dsa->q);

  186.     dsa->q = q;

  187.   }

  188.   if (g != NULL) {

  189.     BN_free(dsa->g);

  190.     dsa->g = g;

  191.   }

  192. 

  193.   return 1;

  194. }

  195. 

  196. int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,

  197.                                size_t seed_len, int *out_counter,

  198.                                unsigned long *out_h, BN_GENCB *cb) {

  199.   int ok = 0;

  200.   unsigned char seed[SHA256_DIGEST_LENGTH];

  201.   unsigned char md[SHA256_DIGEST_LENGTH];

  202.   unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];

  203.   BIGNUM *r0, *W, *X, *c, *test;

  204.   BIGNUM *g = NULL, *q = NULL, *p = NULL;

  205.   BN_MONT_CTX *mont = NULL;

  206.   int k, n = 0, m = 0;

  207.   unsigned i;

  208.   int counter = 0;

  209.   int r = 0;

  210.   BN_CTX *ctx = NULL;

  211.   unsigned int h = 2;

  212.   unsigned qsize;

  213.   const EVP_MD *evpmd;

  214. 

  215.   evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();

  216.   qsize = EVP_MD_size(evpmd);

  217. 

  218.   if (bits < 512) {

  219.     bits = 512;

  220.   }

  221. 

  222.   bits = (bits + 63) / 64 * 64;

  223. 

  224.   if (seed_in != NULL) {

  225.     if (seed_len < (size_t)qsize) {

  226.       return 0;

  227.     }

  228.     if (seed_len > (size_t)qsize) {

  229.       // Only consume as much seed as is expected.

  230.       seed_len = qsize;

  231.     }

  232.     OPENSSL_memcpy(seed, seed_in, seed_len);

  233.   }

  234. 

  235.   ctx = BN_CTX_new();

  236.   if (ctx == NULL) {

  237.     goto err;

  238.   }

  239.   BN_CTX_start(ctx);

  240. 

  241.   mont = BN_MONT_CTX_new();

  242.   if (mont == NULL) {

  243.     goto err;

  244.   }

  245. 

  246.   r0 = BN_CTX_get(ctx);

  247.   g = BN_CTX_get(ctx);

  248.   W = BN_CTX_get(ctx);

  249.   q = BN_CTX_get(ctx);

  250.   X = BN_CTX_get(ctx);

  251.   c = BN_CTX_get(ctx);

  252.   p = BN_CTX_get(ctx);

  253.   test = BN_CTX_get(ctx);

  254. 

  255.   if (test == NULL || !BN_lshift(test, BN_value_one(), bits - 1)) {

  256.     goto err;

  257.   }

  258. 

  259.   for (;;) {

  260.     // Find q.

  261.     for (;;) {

  262.       // step 1

  263.       if (!BN_GENCB_call(cb, 0, m++)) {

  264.         goto err;

  265.       }

  266. 

  267.       int use_random_seed = (seed_in == NULL);

  268.       if (use_random_seed) {

  269.         if (!RAND_bytes(seed, qsize)) {

  270.           goto err;

  271.         }

  272.       } else {

  273.         // If we come back through, use random seed next time.

  274.         seed_in = NULL;

  275.       }

  276.       OPENSSL_memcpy(buf, seed, qsize);

  277.       OPENSSL_memcpy(buf2, seed, qsize);

  278.       // precompute "SEED + 1" for step 7:

  279.       for (i = qsize - 1; i < qsize; i--) {

  280.         buf[i]++;

  281.         if (buf[i] != 0) {

  282.           break;

  283.         }

  284.       }

  285. 

  286.       // step 2

  287.       if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||

  288.           !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {

  289.         goto err;

  290.       }

  291.       for (i = 0; i < qsize; i++) {

  292.         md[i] ^= buf2[i];

  293.       }

  294. 

  295.       // step 3

  296.       md[0] |= 0x80;

  297.       md[qsize - 1] |= 0x01;

  298.       if (!BN_bin2bn(md, qsize, q)) {

  299.         goto err;

  300.       }

  301. 

  302.       // step 4

  303.       r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);

  304.       if (r > 0) {

  305.         break;

  306.       }

  307.       if (r != 0) {

  308.         goto err;

  309.       }

  310. 

  311.       // do a callback call

  312.       // step 5

  313.     }

  314. 

  315.     if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {

  316.       goto err;

  317.     }

  318. 

  319.     // step 6

  320.     counter = 0;

  321.     // "offset = 2"

  322. 

  323.     n = (bits - 1) / 160;

  324. 

  325.     for (;;) {

  326.       if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {

  327.         goto err;

  328.       }

  329. 

  330.       // step 7

  331.       BN_zero(W);

  332.       // now 'buf' contains "SEED + offset - 1"

  333.       for (k = 0; k <= n; k++) {

  334.         // obtain "SEED + offset + k" by incrementing:

  335.         for (i = qsize - 1; i < qsize; i--) {

  336.           buf[i]++;

  337.           if (buf[i] != 0) {

  338.             break;

  339.           }

  340.         }

  341. 

  342.         if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {

  343.           goto err;

  344.         }

  345. 

  346.         // step 8

  347.         if (!BN_bin2bn(md, qsize, r0) ||

  348.             !BN_lshift(r0, r0, (qsize << 3) * k) ||

  349.             !BN_add(W, W, r0)) {

  350.           goto err;

  351.         }

  352.       }

  353. 

  354.       // more of step 8

  355.       if (!BN_mask_bits(W, bits - 1) ||

  356.           !BN_copy(X, W) ||

  357.           !BN_add(X, X, test)) {

  358.         goto err;

  359.       }

  360. 

  361.       // step 9

  362.       if (!BN_lshift1(r0, q) ||

  363.           !BN_mod(c, X, r0, ctx) ||

  364.           !BN_sub(r0, c, BN_value_one()) ||

  365.           !BN_sub(p, X, r0)) {

  366.         goto err;

  367.       }

  368. 

  369.       // step 10

  370.       if (BN_cmp(p, test) >= 0) {

  371.         // step 11

  372.         r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);

  373.         if (r > 0) {

  374.           goto end;  // found it

  375.         }

  376.         if (r != 0) {

  377.           goto err;

  378.         }

  379.       }

  380. 

  381.       // step 13

  382.       counter++;

  383.       // "offset = offset + n + 1"

  384. 

  385.       // step 14

  386.       if (counter >= 4096) {

  387.         break;

  388.       }

  389.     }

  390.   }

  391. end:

  392.   if (!BN_GENCB_call(cb, 2, 1)) {

  393.     goto err;

  394.   }

  395. 

  396.   // We now need to generate g

  397.   // Set r0=(p-1)/q

  398.   if (!BN_sub(test, p, BN_value_one()) ||

  399.       !BN_div(r0, NULL, test, q, ctx)) {

  400.     goto err;

  401.   }

  402. 

  403.   if (!BN_set_word(test, h) ||

  404.       !BN_MONT_CTX_set(mont, p, ctx)) {

  405.     goto err;

  406.   }

  407. 

  408.   for (;;) {

  409.     // g=test^r0%p

  410.     if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {

  411.       goto err;

  412.     }

  413.     if (!BN_is_one(g)) {

  414.       break;

  415.     }

  416.     if (!BN_add(test, test, BN_value_one())) {

  417.       goto err;

  418.     }

  419.     h++;

  420.   }

  421. 

  422.   if (!BN_GENCB_call(cb, 3, 1)) {

  423.     goto err;

  424.   }

  425. 

  426.   ok = 1;

  427. 

  428. err:

  429.   if (ok) {

  430.     BN_free(dsa->p);

  431.     BN_free(dsa->q);

  432.     BN_free(dsa->g);

  433.     dsa->p = BN_dup(p);

  434.     dsa->q = BN_dup(q);

  435.     dsa->g = BN_dup(g);

  436.     if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {

  437.       ok = 0;

  438.       goto err;

  439.     }

  440.     if (out_counter != NULL) {

  441.       *out_counter = counter;

  442.     }

  443.     if (out_h != NULL) {

  444.       *out_h = h;

  445.     }

  446.   }

  447. 

  448.   if (ctx) {

  449.     BN_CTX_end(ctx);

  450.     BN_CTX_free(ctx);

  451.   }

  452. 

  453.   BN_MONT_CTX_free(mont);

  454. 

  455.   return ok;

  456. }

  457. 

  458. DSA *DSAparams_dup(const DSA *dsa) {

  459.   DSA *ret = DSA_new();

  460.   if (ret == NULL) {

  461.     return NULL;

  462.   }

  463.   ret->p = BN_dup(dsa->p);

  464.   ret->q = BN_dup(dsa->q);

  465.   ret->g = BN_dup(dsa->g);

  466.   if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {

  467.     DSA_free(ret);

  468.     return NULL;

  469.   }

  470.   return ret;

  471. }

  472. 

  473. int DSA_generate_key(DSA *dsa) {

  474.   int ok = 0;

  475.   BN_CTX *ctx = NULL;

  476.   BIGNUM *pub_key = NULL, *priv_key = NULL;

  477. 

  478.   ctx = BN_CTX_new();

  479.   if (ctx == NULL) {

  480.     goto err;

  481.   }

  482. 

  483.   priv_key = dsa->priv_key;

  484.   if (priv_key == NULL) {

  485.     priv_key = BN_new();

  486.     if (priv_key == NULL) {

  487.       goto err;

  488.     }

  489.   }

  490. 

  491.   if (!BN_rand_range_ex(priv_key, 1, dsa->q)) {

  492.     goto err;

  493.   }

  494. 

  495.   pub_key = dsa->pub_key;

  496.   if (pub_key == NULL) {

  497.     pub_key = BN_new();

  498.     if (pub_key == NULL) {

  499.       goto err;

  500.     }

  501.   }

  502. 

  503.   if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,

  504.                               dsa->p, ctx) ||

  505.       !BN_mod_exp_mont_consttime(pub_key, dsa->g, priv_key, dsa->p, ctx,

  506.                                  dsa->method_mont_p)) {

  507.     goto err;

  508.   }

  509. 

  510.   dsa->priv_key = priv_key;

  511.   dsa->pub_key = pub_key;

  512.   ok = 1;

  513. 

  514. err:

  515.   if (dsa->pub_key == NULL) {

  516.     BN_free(pub_key);

  517.   }

  518.   if (dsa->priv_key == NULL) {

  519.     BN_free(priv_key);

  520.   }

  521.   BN_CTX_free(ctx);

  522. 

  523.   return ok;

  524. }

  525. 

  526. DSA_SIG *DSA_SIG_new(void) {

  527.   DSA_SIG *sig;

  528.   sig = OPENSSL_malloc(sizeof(DSA_SIG));

  529.   if (!sig) {

  530.     return NULL;

  531.   }

  532.   sig->r = NULL;

  533.   sig->s = NULL;

  534.   return sig;

  535. }

  536. 

  537. void DSA_SIG_free(DSA_SIG *sig) {

  538.   if (!sig) {

  539.     return;

  540.   }

  541. 

  542.   BN_free(sig->r);

  543.   BN_free(sig->s);

  544.   OPENSSL_free(sig);

  545. }

  546. 

  547. DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, DSA *dsa) {

  548.   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;

  549.   BIGNUM m;

  550.   BIGNUM xr;

  551.   BN_CTX *ctx = NULL;

  552.   int reason = ERR_R_BN_LIB;

  553.   DSA_SIG *ret = NULL;

  554.   int noredo = 0;

  555. 

  556.   BN_init(&m);

  557.   BN_init(&xr);

  558. 

  559.   if (!dsa->p || !dsa->q || !dsa->g) {

  560.     reason = DSA_R_MISSING_PARAMETERS;

  561.     goto err;

  562.   }

  563. 

  564.   s = BN_new();

  565.   if (s == NULL) {

  566.     goto err;

  567.   }

  568.   ctx = BN_CTX_new();

  569.   if (ctx == NULL) {

  570.     goto err;

  571.   }

  572. 

  573. redo:

  574.   if (dsa->kinv == NULL || dsa->r == NULL) {

  575.     if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) {

  576.       goto err;

  577.     }

  578.   } else {

  579.     kinv = dsa->kinv;

  580.     dsa->kinv = NULL;

  581.     r = dsa->r;

  582.     dsa->r = NULL;

  583.     noredo = 1;

  584.   }

  585. 

  586.   if (digest_len > BN_num_bytes(dsa->q)) {

  587.     // if the digest length is greater than the size of q use the

  588.     // BN_num_bits(dsa->q) leftmost bits of the digest, see

  589.     // fips 186-3, 4.2

  590.     digest_len = BN_num_bytes(dsa->q);

  591.   }

  592. 

  593.   if (BN_bin2bn(digest, digest_len, &m) == NULL) {

  594.     goto err;

  595.   }

  596. 

  597.   // Compute  s = inv(k) (m + xr) mod q

  598.   if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {

  599.     goto err;  // s = xr

  600.   }

  601.   if (!BN_add(s, &xr, &m)) {

  602.     goto err;  // s = m + xr

  603.   }

  604.   if (BN_cmp(s, dsa->q) > 0) {

  605.     if (!BN_sub(s, s, dsa->q)) {

  606.       goto err;

  607.     }

  608.   }

  609.   if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {

  610.     goto err;

  611.   }

  612. 

  613.   // Redo if r or s is zero as required by FIPS 186-3: this is

  614.   // very unlikely.

  615.   if (BN_is_zero(r) || BN_is_zero(s)) {

  616.     if (noredo) {

  617.       reason = DSA_R_NEED_NEW_SETUP_VALUES;

  618.       goto err;

  619.     }

  620.     goto redo;

  621.   }

  622.   ret = DSA_SIG_new();

  623.   if (ret == NULL) {

  624.     goto err;

  625.   }

  626.   ret->r = r;

  627.   ret->s = s;

  628. 

  629. err:

  630.   if (ret == NULL) {

  631.     OPENSSL_PUT_ERROR(DSA, reason);

  632.     BN_free(r);

  633.     BN_free(s);

  634.   }

  635.   BN_CTX_free(ctx);

  636.   BN_clear_free(&m);

  637.   BN_clear_free(&xr);

  638.   BN_clear_free(kinv);

  639. 

  640.   return ret;

  641. }

  642. 

  643. int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,

  644.                   const DSA *dsa) {

  645.   int valid;

  646.   if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {

  647.     return -1;

  648.   }

  649.   return valid;

  650. }

  651. 

  652. int DSA_do_check_signature(int *out_valid, const uint8_t *digest,

  653.                            size_t digest_len, DSA_SIG *sig, const DSA *dsa) {

  654.   BN_CTX *ctx;

  655.   BIGNUM u1, u2, t1;

  656.   int ret = 0;

  657.   unsigned i;

  658. 

  659.   *out_valid = 0;

  660. 

  661.   if (!dsa->p || !dsa->q || !dsa->g) {

  662.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  663.     return 0;

  664.   }

  665. 

  666.   i = BN_num_bits(dsa->q);

  667.   // fips 186-3 allows only different sizes for q

  668.   if (i != 160 && i != 224 && i != 256) {

  669.     OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);

  670.     return 0;

  671.   }

  672. 

  673.   if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {

  674.     OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);

  675.     return 0;

  676.   }

  677. 

  678.   BN_init(&u1);

  679.   BN_init(&u2);

  680.   BN_init(&t1);

  681. 

  682.   ctx = BN_CTX_new();

  683.   if (ctx == NULL) {

  684.     goto err;

  685.   }

  686. 

  687.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  688.       BN_ucmp(sig->r, dsa->q) >= 0) {

  689.     ret = 1;

  690.     goto err;

  691.   }

  692.   if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||

  693.       BN_ucmp(sig->s, dsa->q) >= 0) {

  694.     ret = 1;

  695.     goto err;

  696.   }

  697. 

  698.   // Calculate W = inv(S) mod Q

  699.   // save W in u2

  700.   if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {

  701.     goto err;

  702.   }

  703. 

  704.   // save M in u1

  705.   if (digest_len > (i >> 3)) {

  706.     // if the digest length is greater than the size of q use the

  707.     // BN_num_bits(dsa->q) leftmost bits of the digest, see

  708.     // fips 186-3, 4.2

  709.     digest_len = (i >> 3);

  710.   }

  711. 

  712.   if (BN_bin2bn(digest, digest_len, &u1) == NULL) {

  713.     goto err;

  714.   }

  715. 

  716.   // u1 = M * w mod q

  717.   if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {

  718.     goto err;

  719.   }

  720. 

  721.   // u2 = r * w mod q

  722.   if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {

  723.     goto err;

  724.   }

  725. 

  726.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  727.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  728.                               ctx)) {

  729.     goto err;

  730.   }

  731. 

  732.   if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,

  733.                         dsa->method_mont_p)) {

  734.     goto err;

  735.   }

  736. 

  737.   // BN_copy(&u1,&t1);

  738.   // let u1 = u1 mod q

  739.   if (!BN_mod(&u1, &t1, dsa->q, ctx)) {

  740.     goto err;

  741.   }

  742. 

  743.   // V is now in u1.  If the signature is correct, it will be

  744.   // equal to R.

  745.   *out_valid = BN_ucmp(&u1, sig->r) == 0;

  746.   ret = 1;

  747. 

  748. err:

  749.   if (ret != 1) {

  750.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  751.   }

  752.   BN_CTX_free(ctx);

  753.   BN_free(&u1);

  754.   BN_free(&u2);

  755.   BN_free(&t1);

  756. 

  757.   return ret;

  758. }

  759. 

  760. int DSA_sign(int type, const uint8_t *digest, size_t digest_len,

  761.              uint8_t *out_sig, unsigned int *out_siglen, DSA *dsa) {

  762.   DSA_SIG *s;

  763. 

  764.   s = DSA_do_sign(digest, digest_len, dsa);

  765.   if (s == NULL) {

  766.     *out_siglen = 0;

  767.     return 0;

  768.   }

  769. 

  770.   *out_siglen = i2d_DSA_SIG(s, &out_sig);

  771.   DSA_SIG_free(s);

  772.   return 1;

  773. }

  774. 

  775. int DSA_verify(int type, const uint8_t *digest, size_t digest_len,

  776.                const uint8_t *sig, size_t sig_len, const DSA *dsa) {

  777.   int valid;

  778.   if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {

  779.     return -1;

  780.   }

  781.   return valid;

  782. }

  783. 

  784. int DSA_check_signature(int *out_valid, const uint8_t *digest,

  785.                         size_t digest_len, const uint8_t *sig, size_t sig_len,

  786.                         const DSA *dsa) {

  787.   DSA_SIG *s = NULL;

  788.   int ret = 0;

  789.   uint8_t *der = NULL;

  790. 

  791.   s = DSA_SIG_new();

  792.   if (s == NULL) {

  793.     goto err;

  794.   }

  795. 

  796.   const uint8_t *sigp = sig;

  797.   if (d2i_DSA_SIG(&s, &sigp, sig_len) == NULL || sigp != sig + sig_len) {

  798.     goto err;

  799.   }

  800. 

  801.   // Ensure that the signature uses DER and doesn't have trailing garbage.

  802.   int der_len = i2d_DSA_SIG(s, &der);

  803.   if (der_len < 0 || (size_t)der_len != sig_len ||

  804.       OPENSSL_memcmp(sig, der, sig_len)) {

  805.     goto err;

  806.   }

  807. 

  808.   ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);

  809. 

  810. err:

  811.   OPENSSL_free(der);

  812.   DSA_SIG_free(s);

  813.   return ret;

  814. }

  815. 

  816. // der_len_len returns the number of bytes needed to represent a length of |len|

  817. // in DER.

  818. static size_t der_len_len(size_t len) {

  819.   if (len < 0x80) {

  820.     return 1;

  821.   }

  822.   size_t ret = 1;

  823.   while (len > 0) {

  824.     ret++;

  825.     len >>= 8;

  826.   }

  827.   return ret;

  828. }

  829. 

  830. int DSA_size(const DSA *dsa) {

  831.   size_t order_len = BN_num_bytes(dsa->q);

  832.   // Compute the maximum length of an |order_len| byte integer. Defensively

  833.   // assume that the leading 0x00 is included.

  834.   size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;

  835.   if (integer_len < order_len) {

  836.     return 0;

  837.   }

  838.   // A DSA signature is two INTEGERs.

  839.   size_t value_len = 2 * integer_len;

  840.   if (value_len < integer_len) {

  841.     return 0;

  842.   }

  843.   // Add the header.

  844.   size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;

  845.   if (ret < value_len) {

  846.     return 0;

  847.   }

  848.   return ret;

  849. }

  850. 

  851. int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,

  852.                    BIGNUM **out_r) {

  853.   BN_CTX *ctx;

  854.   BIGNUM k, kq, *kinv = NULL, *r = NULL;

  855.   int ret = 0;

  856. 

  857.   if (!dsa->p || !dsa->q || !dsa->g) {

  858.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  859.     return 0;

  860.   }

  861. 

  862.   BN_init(&k);

  863.   BN_init(&kq);

  864. 

  865.   ctx = ctx_in;

  866.   if (ctx == NULL) {

  867.     ctx = BN_CTX_new();

  868.     if (ctx == NULL) {

  869.       goto err;

  870.     }

  871.   }

  872. 

  873.   r = BN_new();

  874.   if (r == NULL) {

  875.     goto err;

  876.   }

  877. 

  878.   // Get random k

  879.   if (!BN_rand_range_ex(&k, 1, dsa->q)) {

  880.     goto err;

  881.   }

  882. 

  883.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  884.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  885.                               ctx) ||

  886.       !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_q,

  887.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->q,

  888.                               ctx)) {

  889.     goto err;

  890.   }

  891. 

  892.   // Compute r = (g^k mod p) mod q

  893.   if (!BN_copy(&kq, &k)) {

  894.     goto err;

  895.   }

  896. 

  897.   // We do not want timing information to leak the length of k,

  898.   // so we compute g^k using an equivalent exponent of fixed length.

  899.   //

  900.   // (This is a kludge that we need because the BN_mod_exp_mont()

  901.   // does not let us specify the desired timing behaviour.)

  902. 

  903.   if (!BN_add(&kq, &kq, dsa->q)) {

  904.     goto err;

  905.   }

  906.   if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {

  907.     goto err;

  908.   }

  909. 

  910.   if (!BN_mod_exp_mont_consttime(r, dsa->g, &kq, dsa->p, ctx,

  911.                                  dsa->method_mont_p)) {

  912.     goto err;

  913.   }

  914.   if (!BN_mod(r, r, dsa->q, ctx)) {

  915.     goto err;

  916.   }

  917. 

  918.   // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little

  919.   // Theorem.

  920.   kinv = BN_new();

  921.   if (kinv == NULL ||

  922.       !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {

  923.     goto err;

  924.   }

  925. 

  926.   BN_clear_free(*out_kinv);

  927.   *out_kinv = kinv;

  928.   kinv = NULL;

  929.   BN_clear_free(*out_r);

  930.   *out_r = r;

  931.   ret = 1;

  932. 

  933. err:

  934.   if (!ret) {

  935.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  936.     if (r != NULL) {

  937.       BN_clear_free(r);

  938.     }

  939.   }

  940. 

  941.   if (ctx_in == NULL) {

  942.     BN_CTX_free(ctx);

  943.   }

  944.   BN_clear_free(&k);

  945.   BN_clear_free(&kq);

  946.   BN_clear_free(kinv);

  947.   return ret;

  948. }

  949. 

  950. int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,

  951.                          CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {

  952.   int index;

  953.   if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,

  954.                                free_func)) {

  955.     return -1;

  956.   }

  957.   return index;

  958. }

  959. 

  960. int DSA_set_ex_data(DSA *dsa, int idx, void *arg) {

  961.   return CRYPTO_set_ex_data(&dsa->ex_data, idx, arg);

  962. }

  963. 

  964. void *DSA_get_ex_data(const DSA *dsa, int idx) {

  965.   return CRYPTO_get_ex_data(&dsa->ex_data, idx);

  966. }

  967. 

  968. DH *DSA_dup_DH(const DSA *dsa) {

  969.   if (dsa == NULL) {

  970.     return NULL;

  971.   }

  972. 

  973.   DH *ret = DH_new();

  974.   if (ret == NULL) {

  975.     goto err;

  976.   }

  977.   if (dsa->q != NULL) {

  978.     ret->priv_length = BN_num_bits(dsa->q);

  979.     if ((ret->q = BN_dup(dsa->q)) == NULL) {

  980.       goto err;

  981.     }

  982.   }

  983.   if ((dsa->p != NULL && (ret->p = BN_dup(dsa->p)) == NULL) ||

  984.       (dsa->g != NULL && (ret->g = BN_dup(dsa->g)) == NULL) ||

  985.       (dsa->pub_key != NULL && (ret->pub_key = BN_dup(dsa->pub_key)) == NULL) ||

  986.       (dsa->priv_key != NULL &&

  987.        (ret->priv_key = BN_dup(dsa->priv_key)) == NULL)) {

  988.     goto err;

  989.   }

  990. 

  991.   return ret;

  992. 

  993. err:

  994.   DH_free(ret);

  995.   return NULL;

  996. }