kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
3169 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: 4c4ff02fe8
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „4c4ff02fe8“
${ noResults }
boringssl/crypto/dsa/dsa.c

965 řádky
22 KiB
Surový Blame Historie 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  *

  57.  * The DSS routines are based on patches supplied by

  58.  * Steven Schoch <schoch@sheba.arc.nasa.gov>. */

  59. 

  60. #include <openssl/dsa.h>

  61. 

  62. #include <string.h>

  63. 

  64. #include <openssl/bn.h>

  65. #include <openssl/dh.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/engine.h>

  68. #include <openssl/err.h>

  69. #include <openssl/ex_data.h>

  70. #include <openssl/mem.h>

  71. #include <openssl/rand.h>

  72. #include <openssl/sha.h>

  73. #include <openssl/thread.h>

  74. 

  75. #include "../internal.h"

  76. 

  77. 

  78. #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

  79. 

  80. /* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of

  81.  * Rabin-Miller */

  82. #define DSS_prime_checks 50

  83. 

  84. static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;

  85. 

  86. DSA *DSA_new(void) {

  87.   DSA *dsa = OPENSSL_malloc(sizeof(DSA));

  88.   if (dsa == NULL) {

  89.     OPENSSL_PUT_ERROR(DSA, ERR_R_MALLOC_FAILURE);

  90.     return NULL;

  91.   }

  92. 

  93.   memset(dsa, 0, sizeof(DSA));

  94. 

  95.   dsa->references = 1;

  96. 

  97.   CRYPTO_MUTEX_init(&dsa->method_mont_lock);

  98.   CRYPTO_new_ex_data(&dsa->ex_data);

  99. 

  100.   return dsa;

  101. }

  102. 

  103. void DSA_free(DSA *dsa) {

  104.   if (dsa == NULL) {

  105.     return;

  106.   }

  107. 

  108.   if (!CRYPTO_refcount_dec_and_test_zero(&dsa->references)) {

  109.     return;

  110.   }

  111. 

  112.   CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);

  113. 

  114.   BN_clear_free(dsa->p);

  115.   BN_clear_free(dsa->q);

  116.   BN_clear_free(dsa->g);

  117.   BN_clear_free(dsa->pub_key);

  118.   BN_clear_free(dsa->priv_key);

  119.   BN_clear_free(dsa->kinv);

  120.   BN_clear_free(dsa->r);

  121.   BN_MONT_CTX_free(dsa->method_mont_p);

  122.   BN_MONT_CTX_free(dsa->method_mont_q);

  123.   CRYPTO_MUTEX_cleanup(&dsa->method_mont_lock);

  124.   OPENSSL_free(dsa);

  125. }

  126. 

  127. int DSA_up_ref(DSA *dsa) {

  128.   CRYPTO_refcount_inc(&dsa->references);

  129.   return 1;

  130. }

  131. 

  132. void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,

  133.                   const BIGNUM **out_priv_key) {

  134.   if (out_pub_key != NULL) {

  135.     *out_pub_key = dsa->pub_key;

  136.   }

  137.   if (out_priv_key != NULL) {

  138.     *out_priv_key = dsa->priv_key;

  139.   }

  140. }

  141. 

  142. void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,

  143.                   const BIGNUM **out_g) {

  144.   if (out_p != NULL) {

  145.     *out_p = dsa->p;

  146.   }

  147.   if (out_q != NULL) {

  148.     *out_q = dsa->q;

  149.   }

  150.   if (out_g != NULL) {

  151.     *out_g = dsa->g;

  152.   }

  153. }

  154. 

  155. int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,

  156.                                size_t seed_len, int *out_counter,

  157.                                unsigned long *out_h, BN_GENCB *cb) {

  158.   int ok = 0;

  159.   unsigned char seed[SHA256_DIGEST_LENGTH];

  160.   unsigned char md[SHA256_DIGEST_LENGTH];

  161.   unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];

  162.   BIGNUM *r0, *W, *X, *c, *test;

  163.   BIGNUM *g = NULL, *q = NULL, *p = NULL;

  164.   BN_MONT_CTX *mont = NULL;

  165.   int k, n = 0, m = 0;

  166.   unsigned i;

  167.   int counter = 0;

  168.   int r = 0;

  169.   BN_CTX *ctx = NULL;

  170.   unsigned int h = 2;

  171.   unsigned qsize;

  172.   const EVP_MD *evpmd;

  173. 

  174.   evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();

  175.   qsize = EVP_MD_size(evpmd);

  176. 

  177.   if (bits < 512) {

  178.     bits = 512;

  179.   }

  180. 

  181.   bits = (bits + 63) / 64 * 64;

  182. 

  183.   if (seed_in != NULL) {

  184.     if (seed_len < (size_t)qsize) {

  185.       return 0;

  186.     }

  187.     if (seed_len > (size_t)qsize) {

  188.       /* Only consume as much seed as is expected. */

  189.       seed_len = qsize;

  190.     }

  191.     memcpy(seed, seed_in, seed_len);

  192.   }

  193. 

  194.   ctx = BN_CTX_new();

  195.   if (ctx == NULL) {

  196.     goto err;

  197.   }

  198.   BN_CTX_start(ctx);

  199. 

  200.   mont = BN_MONT_CTX_new();

  201.   if (mont == NULL) {

  202.     goto err;

  203.   }

  204. 

  205.   r0 = BN_CTX_get(ctx);

  206.   g = BN_CTX_get(ctx);

  207.   W = BN_CTX_get(ctx);

  208.   q = BN_CTX_get(ctx);

  209.   X = BN_CTX_get(ctx);

  210.   c = BN_CTX_get(ctx);

  211.   p = BN_CTX_get(ctx);

  212.   test = BN_CTX_get(ctx);

  213. 

  214.   if (test == NULL || !BN_lshift(test, BN_value_one(), bits - 1)) {

  215.     goto err;

  216.   }

  217. 

  218.   for (;;) {

  219.     /* Find q. */

  220.     for (;;) {

  221.       /* step 1 */

  222.       if (!BN_GENCB_call(cb, 0, m++)) {

  223.         goto err;

  224.       }

  225. 

  226.       int use_random_seed = (seed_in == NULL);

  227.       if (use_random_seed) {

  228.         if (!RAND_bytes(seed, qsize)) {

  229.           goto err;

  230.         }

  231.       } else {

  232.         /* If we come back through, use random seed next time. */

  233.         seed_in = NULL;

  234.       }

  235.       memcpy(buf, seed, qsize);

  236.       memcpy(buf2, seed, qsize);

  237.       /* precompute "SEED + 1" for step 7: */

  238.       for (i = qsize - 1; i < qsize; i--) {

  239.         buf[i]++;

  240.         if (buf[i] != 0) {

  241.           break;

  242.         }

  243.       }

  244. 

  245.       /* step 2 */

  246.       if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||

  247.           !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {

  248.         goto err;

  249.       }

  250.       for (i = 0; i < qsize; i++) {

  251.         md[i] ^= buf2[i];

  252.       }

  253. 

  254.       /* step 3 */

  255.       md[0] |= 0x80;

  256.       md[qsize - 1] |= 0x01;

  257.       if (!BN_bin2bn(md, qsize, q)) {

  258.         goto err;

  259.       }

  260. 

  261.       /* step 4 */

  262.       r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);

  263.       if (r > 0) {

  264.         break;

  265.       }

  266.       if (r != 0) {

  267.         goto err;

  268.       }

  269. 

  270.       /* do a callback call */

  271.       /* step 5 */

  272.     }

  273. 

  274.     if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {

  275.       goto err;

  276.     }

  277. 

  278.     /* step 6 */

  279.     counter = 0;

  280.     /* "offset = 2" */

  281. 

  282.     n = (bits - 1) / 160;

  283. 

  284.     for (;;) {

  285.       if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {

  286.         goto err;

  287.       }

  288. 

  289.       /* step 7 */

  290.       BN_zero(W);

  291.       /* now 'buf' contains "SEED + offset - 1" */

  292.       for (k = 0; k <= n; k++) {

  293.         /* obtain "SEED + offset + k" by incrementing: */

  294.         for (i = qsize - 1; i < qsize; i--) {

  295.           buf[i]++;

  296.           if (buf[i] != 0) {

  297.             break;

  298.           }

  299.         }

  300. 

  301.         if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {

  302.           goto err;

  303.         }

  304. 

  305.         /* step 8 */

  306.         if (!BN_bin2bn(md, qsize, r0) ||

  307.             !BN_lshift(r0, r0, (qsize << 3) * k) ||

  308.             !BN_add(W, W, r0)) {

  309.           goto err;

  310.         }

  311.       }

  312. 

  313.       /* more of step 8 */

  314.       if (!BN_mask_bits(W, bits - 1) ||

  315.           !BN_copy(X, W) ||

  316.           !BN_add(X, X, test)) {

  317.         goto err;

  318.       }

  319. 

  320.       /* step 9 */

  321.       if (!BN_lshift1(r0, q) ||

  322.           !BN_mod(c, X, r0, ctx) ||

  323.           !BN_sub(r0, c, BN_value_one()) ||

  324.           !BN_sub(p, X, r0)) {

  325.         goto err;

  326.       }

  327. 

  328.       /* step 10 */

  329.       if (BN_cmp(p, test) >= 0) {

  330.         /* step 11 */

  331.         r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);

  332.         if (r > 0) {

  333.           goto end; /* found it */

  334.         }

  335.         if (r != 0) {

  336.           goto err;

  337.         }

  338.       }

  339. 

  340.       /* step 13 */

  341.       counter++;

  342.       /* "offset = offset + n + 1" */

  343. 

  344.       /* step 14 */

  345.       if (counter >= 4096) {

  346.         break;

  347.       }

  348.     }

  349.   }

  350. end:

  351.   if (!BN_GENCB_call(cb, 2, 1)) {

  352.     goto err;

  353.   }

  354. 

  355.   /* We now need to generate g */

  356.   /* Set r0=(p-1)/q */

  357.   if (!BN_sub(test, p, BN_value_one()) ||

  358.       !BN_div(r0, NULL, test, q, ctx)) {

  359.     goto err;

  360.   }

  361. 

  362.   if (!BN_set_word(test, h) ||

  363.       !BN_MONT_CTX_set(mont, p, ctx)) {

  364.     goto err;

  365.   }

  366. 

  367.   for (;;) {

  368.     /* g=test^r0%p */

  369.     if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {

  370.       goto err;

  371.     }

  372.     if (!BN_is_one(g)) {

  373.       break;

  374.     }

  375.     if (!BN_add(test, test, BN_value_one())) {

  376.       goto err;

  377.     }

  378.     h++;

  379.   }

  380. 

  381.   if (!BN_GENCB_call(cb, 3, 1)) {

  382.     goto err;

  383.   }

  384. 

  385.   ok = 1;

  386. 

  387. err:

  388.   if (ok) {

  389.     BN_free(dsa->p);

  390.     BN_free(dsa->q);

  391.     BN_free(dsa->g);

  392.     dsa->p = BN_dup(p);

  393.     dsa->q = BN_dup(q);

  394.     dsa->g = BN_dup(g);

  395.     if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {

  396.       ok = 0;

  397.       goto err;

  398.     }

  399.     if (out_counter != NULL) {

  400.       *out_counter = counter;

  401.     }

  402.     if (out_h != NULL) {

  403.       *out_h = h;

  404.     }

  405.   }

  406. 

  407.   if (ctx) {

  408.     BN_CTX_end(ctx);

  409.     BN_CTX_free(ctx);

  410.   }

  411. 

  412.   BN_MONT_CTX_free(mont);

  413. 

  414.   return ok;

  415. }

  416. 

  417. DSA *DSAparams_dup(const DSA *dsa) {

  418.   DSA *ret = DSA_new();

  419.   if (ret == NULL) {

  420.     return NULL;

  421.   }

  422.   ret->p = BN_dup(dsa->p);

  423.   ret->q = BN_dup(dsa->q);

  424.   ret->g = BN_dup(dsa->g);

  425.   if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {

  426.     DSA_free(ret);

  427.     return NULL;

  428.   }

  429.   return ret;

  430. }

  431. 

  432. int DSA_generate_key(DSA *dsa) {

  433.   int ok = 0;

  434.   BN_CTX *ctx = NULL;

  435.   BIGNUM *pub_key = NULL, *priv_key = NULL;

  436.   BIGNUM prk;

  437. 

  438.   ctx = BN_CTX_new();

  439.   if (ctx == NULL) {

  440.     goto err;

  441.   }

  442. 

  443.   priv_key = dsa->priv_key;

  444.   if (priv_key == NULL) {

  445.     priv_key = BN_new();

  446.     if (priv_key == NULL) {

  447.       goto err;

  448.     }

  449.   }

  450. 

  451.   if (!BN_rand_range_ex(priv_key, 1, dsa->q)) {

  452.     goto err;

  453.   }

  454. 

  455.   pub_key = dsa->pub_key;

  456.   if (pub_key == NULL) {

  457.     pub_key = BN_new();

  458.     if (pub_key == NULL) {

  459.       goto err;

  460.     }

  461.   }

  462. 

  463.   BN_init(&prk);

  464.   BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);

  465. 

  466.   if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,

  467.                               dsa->p, ctx) ||

  468.       !BN_mod_exp_mont_consttime(pub_key, dsa->g, &prk, dsa->p, ctx,

  469.                                  dsa->method_mont_p)) {

  470.     goto err;

  471.   }

  472. 

  473.   dsa->priv_key = priv_key;

  474.   dsa->pub_key = pub_key;

  475.   ok = 1;

  476. 

  477. err:

  478.   if (dsa->pub_key == NULL) {

  479.     BN_free(pub_key);

  480.   }

  481.   if (dsa->priv_key == NULL) {

  482.     BN_free(priv_key);

  483.   }

  484.   BN_CTX_free(ctx);

  485. 

  486.   return ok;

  487. }

  488. 

  489. DSA_SIG *DSA_SIG_new(void) {

  490.   DSA_SIG *sig;

  491.   sig = OPENSSL_malloc(sizeof(DSA_SIG));

  492.   if (!sig) {

  493.     return NULL;

  494.   }

  495.   sig->r = NULL;

  496.   sig->s = NULL;

  497.   return sig;

  498. }

  499. 

  500. void DSA_SIG_free(DSA_SIG *sig) {

  501.   if (!sig) {

  502.     return;

  503.   }

  504. 

  505.   BN_free(sig->r);

  506.   BN_free(sig->s);

  507.   OPENSSL_free(sig);

  508. }

  509. 

  510. DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, DSA *dsa) {

  511.   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;

  512.   BIGNUM m;

  513.   BIGNUM xr;

  514.   BN_CTX *ctx = NULL;

  515.   int reason = ERR_R_BN_LIB;

  516.   DSA_SIG *ret = NULL;

  517.   int noredo = 0;

  518. 

  519.   BN_init(&m);

  520.   BN_init(&xr);

  521. 

  522.   if (!dsa->p || !dsa->q || !dsa->g) {

  523.     reason = DSA_R_MISSING_PARAMETERS;

  524.     goto err;

  525.   }

  526. 

  527.   s = BN_new();

  528.   if (s == NULL) {

  529.     goto err;

  530.   }

  531.   ctx = BN_CTX_new();

  532.   if (ctx == NULL) {

  533.     goto err;

  534.   }

  535. 

  536. redo:

  537.   if (dsa->kinv == NULL || dsa->r == NULL) {

  538.     if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) {

  539.       goto err;

  540.     }

  541.   } else {

  542.     kinv = dsa->kinv;

  543.     dsa->kinv = NULL;

  544.     r = dsa->r;

  545.     dsa->r = NULL;

  546.     noredo = 1;

  547.   }

  548. 

  549.   if (digest_len > BN_num_bytes(dsa->q)) {

  550.     /* if the digest length is greater than the size of q use the

  551.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  552.      * fips 186-3, 4.2 */

  553.     digest_len = BN_num_bytes(dsa->q);

  554.   }

  555. 

  556.   if (BN_bin2bn(digest, digest_len, &m) == NULL) {

  557.     goto err;

  558.   }

  559. 

  560.   /* Compute  s = inv(k) (m + xr) mod q */

  561.   if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {

  562.     goto err; /* s = xr */

  563.   }

  564.   if (!BN_add(s, &xr, &m)) {

  565.     goto err; /* s = m + xr */

  566.   }

  567.   if (BN_cmp(s, dsa->q) > 0) {

  568.     if (!BN_sub(s, s, dsa->q)) {

  569.       goto err;

  570.     }

  571.   }

  572.   if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {

  573.     goto err;

  574.   }

  575. 

  576.   /* Redo if r or s is zero as required by FIPS 186-3: this is

  577.    * very unlikely. */

  578.   if (BN_is_zero(r) || BN_is_zero(s)) {

  579.     if (noredo) {

  580.       reason = DSA_R_NEED_NEW_SETUP_VALUES;

  581.       goto err;

  582.     }

  583.     goto redo;

  584.   }

  585.   ret = DSA_SIG_new();

  586.   if (ret == NULL) {

  587.     goto err;

  588.   }

  589.   ret->r = r;

  590.   ret->s = s;

  591. 

  592. err:

  593.   if (ret == NULL) {

  594.     OPENSSL_PUT_ERROR(DSA, reason);

  595.     BN_free(r);

  596.     BN_free(s);

  597.   }

  598.   BN_CTX_free(ctx);

  599.   BN_clear_free(&m);

  600.   BN_clear_free(&xr);

  601.   BN_clear_free(kinv);

  602. 

  603.   return ret;

  604. }

  605. 

  606. int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,

  607.                   const DSA *dsa) {

  608.   int valid;

  609.   if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {

  610.     return -1;

  611.   }

  612.   return valid;

  613. }

  614. 

  615. int DSA_do_check_signature(int *out_valid, const uint8_t *digest,

  616.                            size_t digest_len, DSA_SIG *sig, const DSA *dsa) {

  617.   BN_CTX *ctx;

  618.   BIGNUM u1, u2, t1;

  619.   int ret = 0;

  620.   unsigned i;

  621. 

  622.   *out_valid = 0;

  623. 

  624.   if (!dsa->p || !dsa->q || !dsa->g) {

  625.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  626.     return 0;

  627.   }

  628. 

  629.   i = BN_num_bits(dsa->q);

  630.   /* fips 186-3 allows only different sizes for q */

  631.   if (i != 160 && i != 224 && i != 256) {

  632.     OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);

  633.     return 0;

  634.   }

  635. 

  636.   if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {

  637.     OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);

  638.     return 0;

  639.   }

  640. 

  641.   BN_init(&u1);

  642.   BN_init(&u2);

  643.   BN_init(&t1);

  644. 

  645.   ctx = BN_CTX_new();

  646.   if (ctx == NULL) {

  647.     goto err;

  648.   }

  649. 

  650.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  651.       BN_ucmp(sig->r, dsa->q) >= 0) {

  652.     ret = 1;

  653.     goto err;

  654.   }

  655.   if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||

  656.       BN_ucmp(sig->s, dsa->q) >= 0) {

  657.     ret = 1;

  658.     goto err;

  659.   }

  660. 

  661.   /* Calculate W = inv(S) mod Q

  662.    * save W in u2 */

  663.   if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {

  664.     goto err;

  665.   }

  666. 

  667.   /* save M in u1 */

  668.   if (digest_len > (i >> 3)) {

  669.     /* if the digest length is greater than the size of q use the

  670.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  671.      * fips 186-3, 4.2 */

  672.     digest_len = (i >> 3);

  673.   }

  674. 

  675.   if (BN_bin2bn(digest, digest_len, &u1) == NULL) {

  676.     goto err;

  677.   }

  678. 

  679.   /* u1 = M * w mod q */

  680.   if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {

  681.     goto err;

  682.   }

  683. 

  684.   /* u2 = r * w mod q */

  685.   if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {

  686.     goto err;

  687.   }

  688. 

  689.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  690.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  691.                               ctx)) {

  692.     goto err;

  693.   }

  694. 

  695.   if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,

  696.                         dsa->method_mont_p)) {

  697.     goto err;

  698.   }

  699. 

  700.   /* BN_copy(&u1,&t1); */

  701.   /* let u1 = u1 mod q */

  702.   if (!BN_mod(&u1, &t1, dsa->q, ctx)) {

  703.     goto err;

  704.   }

  705. 

  706.   /* V is now in u1.  If the signature is correct, it will be

  707.    * equal to R. */

  708.   *out_valid = BN_ucmp(&u1, sig->r) == 0;

  709.   ret = 1;

  710. 

  711. err:

  712.   if (ret != 1) {

  713.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  714.   }

  715.   BN_CTX_free(ctx);

  716.   BN_free(&u1);

  717.   BN_free(&u2);

  718.   BN_free(&t1);

  719. 

  720.   return ret;

  721. }

  722. 

  723. int DSA_sign(int type, const uint8_t *digest, size_t digest_len,

  724.              uint8_t *out_sig, unsigned int *out_siglen, DSA *dsa) {

  725.   DSA_SIG *s;

  726. 

  727.   s = DSA_do_sign(digest, digest_len, dsa);

  728.   if (s == NULL) {

  729.     *out_siglen = 0;

  730.     return 0;

  731.   }

  732. 

  733.   *out_siglen = i2d_DSA_SIG(s, &out_sig);

  734.   DSA_SIG_free(s);

  735.   return 1;

  736. }

  737. 

  738. int DSA_verify(int type, const uint8_t *digest, size_t digest_len,

  739.                const uint8_t *sig, size_t sig_len, const DSA *dsa) {

  740.   int valid;

  741.   if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {

  742.     return -1;

  743.   }

  744.   return valid;

  745. }

  746. 

  747. int DSA_check_signature(int *out_valid, const uint8_t *digest,

  748.                         size_t digest_len, const uint8_t *sig, size_t sig_len,

  749.                         const DSA *dsa) {

  750.   DSA_SIG *s = NULL;

  751.   int ret = 0;

  752.   uint8_t *der = NULL;

  753. 

  754.   s = DSA_SIG_new();

  755.   if (s == NULL) {

  756.     goto err;

  757.   }

  758. 

  759.   const uint8_t *sigp = sig;

  760.   if (d2i_DSA_SIG(&s, &sigp, sig_len) == NULL || sigp != sig + sig_len) {

  761.     goto err;

  762.   }

  763. 

  764.   /* Ensure that the signature uses DER and doesn't have trailing garbage. */

  765.   int der_len = i2d_DSA_SIG(s, &der);

  766.   if (der_len < 0 || (size_t)der_len != sig_len || memcmp(sig, der, sig_len)) {

  767.     goto err;

  768.   }

  769. 

  770.   ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);

  771. 

  772. err:

  773.   OPENSSL_free(der);

  774.   DSA_SIG_free(s);

  775.   return ret;

  776. }

  777. 

  778. /* der_len_len returns the number of bytes needed to represent a length of |len|

  779.  * in DER. */

  780. static size_t der_len_len(size_t len) {

  781.   if (len < 0x80) {

  782.     return 1;

  783.   }

  784.   size_t ret = 1;

  785.   while (len > 0) {

  786.     ret++;

  787.     len >>= 8;

  788.   }

  789.   return ret;

  790. }

  791. 

  792. int DSA_size(const DSA *dsa) {

  793.   size_t order_len = BN_num_bytes(dsa->q);

  794.   /* Compute the maximum length of an |order_len| byte integer. Defensively

  795.    * assume that the leading 0x00 is included. */

  796.   size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;

  797.   if (integer_len < order_len) {

  798.     return 0;

  799.   }

  800.   /* A DSA signature is two INTEGERs. */

  801.   size_t value_len = 2 * integer_len;

  802.   if (value_len < integer_len) {

  803.     return 0;

  804.   }

  805.   /* Add the header. */

  806.   size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;

  807.   if (ret < value_len) {

  808.     return 0;

  809.   }

  810.   return ret;

  811. }

  812. 

  813. int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,

  814.                    BIGNUM **out_r) {

  815.   BN_CTX *ctx;

  816.   BIGNUM k, kq, qm2, *kinv = NULL, *r = NULL;

  817.   int ret = 0;

  818. 

  819.   if (!dsa->p || !dsa->q || !dsa->g) {

  820.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  821.     return 0;

  822.   }

  823. 

  824.   BN_init(&k);

  825.   BN_init(&kq);

  826.   BN_init(&qm2);

  827. 

  828.   ctx = ctx_in;

  829.   if (ctx == NULL) {

  830.     ctx = BN_CTX_new();

  831.     if (ctx == NULL) {

  832.       goto err;

  833.     }

  834.   }

  835. 

  836.   r = BN_new();

  837.   if (r == NULL) {

  838.     goto err;

  839.   }

  840. 

  841.   /* Get random k */

  842.   if (!BN_rand_range_ex(&k, 1, dsa->q)) {

  843.     goto err;

  844.   }

  845. 

  846.   BN_set_flags(&k, BN_FLG_CONSTTIME);

  847. 

  848.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  849.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  850.                               ctx) ||

  851.       !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_q,

  852.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->q,

  853.                               ctx)) {

  854.     goto err;

  855.   }

  856. 

  857.   /* Compute r = (g^k mod p) mod q */

  858.   if (!BN_copy(&kq, &k)) {

  859.     goto err;

  860.   }

  861. 

  862.   /* We do not want timing information to leak the length of k,

  863.    * so we compute g^k using an equivalent exponent of fixed length.

  864.    *

  865.    * (This is a kludge that we need because the BN_mod_exp_mont()

  866.    * does not let us specify the desired timing behaviour.) */

  867. 

  868.   if (!BN_add(&kq, &kq, dsa->q)) {

  869.     goto err;

  870.   }

  871.   if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {

  872.     goto err;

  873.   }

  874. 

  875.   BN_set_flags(&kq, BN_FLG_CONSTTIME);

  876.   if (!BN_mod_exp_mont_consttime(r, dsa->g, &kq, dsa->p, ctx,

  877.                                  dsa->method_mont_p)) {

  878.     goto err;

  879.   }

  880.   if (!BN_mod(r, r, dsa->q, ctx)) {

  881.     goto err;

  882.   }

  883. 

  884.   /* Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little

  885.    * Theorem. */

  886.   kinv = BN_new();

  887.   if (kinv == NULL ||

  888.       !BN_set_word(&qm2, 2) ||

  889.       !BN_sub(&qm2, dsa->q, &qm2) ||

  890.       !BN_mod_exp_mont(kinv, &k, &qm2, dsa->q, ctx, dsa->method_mont_q)) {

  891.     goto err;

  892.   }

  893. 

  894.   BN_clear_free(*out_kinv);

  895.   *out_kinv = kinv;

  896.   kinv = NULL;

  897.   BN_clear_free(*out_r);

  898.   *out_r = r;

  899.   ret = 1;

  900. 

  901. err:

  902.   if (!ret) {

  903.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  904.     if (r != NULL) {

  905.       BN_clear_free(r);

  906.     }

  907.   }

  908. 

  909.   if (ctx_in == NULL) {

  910.     BN_CTX_free(ctx);

  911.   }

  912.   BN_clear_free(&k);

  913.   BN_clear_free(&kq);

  914.   BN_free(&qm2);

  915.   return ret;

  916. }

  917. 

  918. int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,

  919.                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {

  920.   int index;

  921.   if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, dup_func,

  922.                                free_func)) {

  923.     return -1;

  924.   }

  925.   return index;

  926. }

  927. 

  928. int DSA_set_ex_data(DSA *d, int idx, void *arg) {

  929.   return CRYPTO_set_ex_data(&d->ex_data, idx, arg);

  930. }

  931. 

  932. void *DSA_get_ex_data(const DSA *d, int idx) {

  933.   return CRYPTO_get_ex_data(&d->ex_data, idx);

  934. }

  935. 

  936. DH *DSA_dup_DH(const DSA *r) {

  937.   DH *ret = NULL;

  938. 

  939.   if (r == NULL) {

  940.     goto err;

  941.   }

  942.   ret = DH_new();

  943.   if (ret == NULL) {

  944.     goto err;

  945.   }

  946.   if (r->q != NULL) {

  947.     ret->priv_length = BN_num_bits(r->q);

  948.     if ((ret->q = BN_dup(r->q)) == NULL) {

  949.       goto err;

  950.     }

  951.   }

  952.   if ((r->p != NULL && (ret->p = BN_dup(r->p)) == NULL) ||

  953.       (r->g != NULL && (ret->g = BN_dup(r->g)) == NULL) ||

  954.       (r->pub_key != NULL && (ret->pub_key = BN_dup(r->pub_key)) == NULL) ||

  955.       (r->priv_key != NULL && (ret->priv_key = BN_dup(r->priv_key)) == NULL)) {

  956.       goto err;

  957.   }

  958. 

  959.   return ret;

  960. 

  961. err:

  962.   DH_free(ret);

  963.   return NULL;

  964. }