kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5289 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9c3b120b61
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9c3b120b61'
${ noResults }
boringssl/crypto/dsa/dsa.c

982 lines
24 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  *

  57.  * The DSS routines are based on patches supplied by

  58.  * Steven Schoch <schoch@sheba.arc.nasa.gov>. */

  59. 

  60. #include <openssl/dsa.h>

  61. 

  62. #include <string.h>

  63. 

  64. #include <openssl/bn.h>

  65. #include <openssl/dh.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/engine.h>

  68. #include <openssl/err.h>

  69. #include <openssl/ex_data.h>

  70. #include <openssl/mem.h>

  71. #include <openssl/rand.h>

  72. #include <openssl/sha.h>

  73. #include <openssl/thread.h>

  74. 

  75. #include "../fipsmodule/bn/internal.h"

  76. #include "../internal.h"

  77. 

  78. 

  79. #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

  80. 

  81. // Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of

  82. // Rabin-Miller

  83. #define DSS_prime_checks 50

  84. 

  85. static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,

  86.                           BIGNUM **out_r);

  87. 

  88. static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;

  89. 

  90. DSA *DSA_new(void) {

  91.   DSA *dsa = OPENSSL_malloc(sizeof(DSA));

  92.   if (dsa == NULL) {

  93.     OPENSSL_PUT_ERROR(DSA, ERR_R_MALLOC_FAILURE);

  94.     return NULL;

  95.   }

  96. 

  97.   OPENSSL_memset(dsa, 0, sizeof(DSA));

  98. 

  99.   dsa->references = 1;

  100. 

  101.   CRYPTO_MUTEX_init(&dsa->method_mont_lock);

  102.   CRYPTO_new_ex_data(&dsa->ex_data);

  103. 

  104.   return dsa;

  105. }

  106. 

  107. void DSA_free(DSA *dsa) {

  108.   if (dsa == NULL) {

  109.     return;

  110.   }

  111. 

  112.   if (!CRYPTO_refcount_dec_and_test_zero(&dsa->references)) {

  113.     return;

  114.   }

  115. 

  116.   CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);

  117. 

  118.   BN_clear_free(dsa->p);

  119.   BN_clear_free(dsa->q);

  120.   BN_clear_free(dsa->g);

  121.   BN_clear_free(dsa->pub_key);

  122.   BN_clear_free(dsa->priv_key);

  123.   BN_MONT_CTX_free(dsa->method_mont_p);

  124.   BN_MONT_CTX_free(dsa->method_mont_q);

  125.   CRYPTO_MUTEX_cleanup(&dsa->method_mont_lock);

  126.   OPENSSL_free(dsa);

  127. }

  128. 

  129. int DSA_up_ref(DSA *dsa) {

  130.   CRYPTO_refcount_inc(&dsa->references);

  131.   return 1;

  132. }

  133. 

  134. void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,

  135.                   const BIGNUM **out_priv_key) {

  136.   if (out_pub_key != NULL) {

  137.     *out_pub_key = dsa->pub_key;

  138.   }

  139.   if (out_priv_key != NULL) {

  140.     *out_priv_key = dsa->priv_key;

  141.   }

  142. }

  143. 

  144. void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,

  145.                   const BIGNUM **out_g) {

  146.   if (out_p != NULL) {

  147.     *out_p = dsa->p;

  148.   }

  149.   if (out_q != NULL) {

  150.     *out_q = dsa->q;

  151.   }

  152.   if (out_g != NULL) {

  153.     *out_g = dsa->g;

  154.   }

  155. }

  156. 

  157. int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) {

  158.   if (dsa->pub_key == NULL && pub_key == NULL) {

  159.     return 0;

  160.   }

  161. 

  162.   if (pub_key != NULL) {

  163.     BN_free(dsa->pub_key);

  164.     dsa->pub_key = pub_key;

  165.   }

  166.   if (priv_key != NULL) {

  167.     BN_free(dsa->priv_key);

  168.     dsa->priv_key = priv_key;

  169.   }

  170. 

  171.   return 1;

  172. }

  173. 

  174. int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) {

  175.   if ((dsa->p == NULL && p == NULL) ||

  176.       (dsa->q == NULL && q == NULL) ||

  177.       (dsa->g == NULL && g == NULL)) {

  178.     return 0;

  179.   }

  180. 

  181.   if (p != NULL) {

  182.     BN_free(dsa->p);

  183.     dsa->p = p;

  184.   }

  185.   if (q != NULL) {

  186.     BN_free(dsa->q);

  187.     dsa->q = q;

  188.   }

  189.   if (g != NULL) {

  190.     BN_free(dsa->g);

  191.     dsa->g = g;

  192.   }

  193. 

  194.   return 1;

  195. }

  196. 

  197. int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,

  198.                                size_t seed_len, int *out_counter,

  199.                                unsigned long *out_h, BN_GENCB *cb) {

  200.   int ok = 0;

  201.   unsigned char seed[SHA256_DIGEST_LENGTH];

  202.   unsigned char md[SHA256_DIGEST_LENGTH];

  203.   unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];

  204.   BIGNUM *r0, *W, *X, *c, *test;

  205.   BIGNUM *g = NULL, *q = NULL, *p = NULL;

  206.   BN_MONT_CTX *mont = NULL;

  207.   int k, n = 0, m = 0;

  208.   unsigned i;

  209.   int counter = 0;

  210.   int r = 0;

  211.   BN_CTX *ctx = NULL;

  212.   unsigned int h = 2;

  213.   unsigned qsize;

  214.   const EVP_MD *evpmd;

  215. 

  216.   evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();

  217.   qsize = EVP_MD_size(evpmd);

  218. 

  219.   if (bits < 512) {

  220.     bits = 512;

  221.   }

  222. 

  223.   bits = (bits + 63) / 64 * 64;

  224. 

  225.   if (seed_in != NULL) {

  226.     if (seed_len < (size_t)qsize) {

  227.       return 0;

  228.     }

  229.     if (seed_len > (size_t)qsize) {

  230.       // Only consume as much seed as is expected.

  231.       seed_len = qsize;

  232.     }

  233.     OPENSSL_memcpy(seed, seed_in, seed_len);

  234.   }

  235. 

  236.   ctx = BN_CTX_new();

  237.   if (ctx == NULL) {

  238.     goto err;

  239.   }

  240.   BN_CTX_start(ctx);

  241. 

  242.   r0 = BN_CTX_get(ctx);

  243.   g = BN_CTX_get(ctx);

  244.   W = BN_CTX_get(ctx);

  245.   q = BN_CTX_get(ctx);

  246.   X = BN_CTX_get(ctx);

  247.   c = BN_CTX_get(ctx);

  248.   p = BN_CTX_get(ctx);

  249.   test = BN_CTX_get(ctx);

  250. 

  251.   if (test == NULL || !BN_lshift(test, BN_value_one(), bits - 1)) {

  252.     goto err;

  253.   }

  254. 

  255.   for (;;) {

  256.     // Find q.

  257.     for (;;) {

  258.       // step 1

  259.       if (!BN_GENCB_call(cb, 0, m++)) {

  260.         goto err;

  261.       }

  262. 

  263.       int use_random_seed = (seed_in == NULL);

  264.       if (use_random_seed) {

  265.         if (!RAND_bytes(seed, qsize)) {

  266.           goto err;

  267.         }

  268.       } else {

  269.         // If we come back through, use random seed next time.

  270.         seed_in = NULL;

  271.       }

  272.       OPENSSL_memcpy(buf, seed, qsize);

  273.       OPENSSL_memcpy(buf2, seed, qsize);

  274.       // precompute "SEED + 1" for step 7:

  275.       for (i = qsize - 1; i < qsize; i--) {

  276.         buf[i]++;

  277.         if (buf[i] != 0) {

  278.           break;

  279.         }

  280.       }

  281. 

  282.       // step 2

  283.       if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||

  284.           !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {

  285.         goto err;

  286.       }

  287.       for (i = 0; i < qsize; i++) {

  288.         md[i] ^= buf2[i];

  289.       }

  290. 

  291.       // step 3

  292.       md[0] |= 0x80;

  293.       md[qsize - 1] |= 0x01;

  294.       if (!BN_bin2bn(md, qsize, q)) {

  295.         goto err;

  296.       }

  297. 

  298.       // step 4

  299.       r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);

  300.       if (r > 0) {

  301.         break;

  302.       }

  303.       if (r != 0) {

  304.         goto err;

  305.       }

  306. 

  307.       // do a callback call

  308.       // step 5

  309.     }

  310. 

  311.     if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {

  312.       goto err;

  313.     }

  314. 

  315.     // step 6

  316.     counter = 0;

  317.     // "offset = 2"

  318. 

  319.     n = (bits - 1) / 160;

  320. 

  321.     for (;;) {

  322.       if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {

  323.         goto err;

  324.       }

  325. 

  326.       // step 7

  327.       BN_zero(W);

  328.       // now 'buf' contains "SEED + offset - 1"

  329.       for (k = 0; k <= n; k++) {

  330.         // obtain "SEED + offset + k" by incrementing:

  331.         for (i = qsize - 1; i < qsize; i--) {

  332.           buf[i]++;

  333.           if (buf[i] != 0) {

  334.             break;

  335.           }

  336.         }

  337. 

  338.         if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {

  339.           goto err;

  340.         }

  341. 

  342.         // step 8

  343.         if (!BN_bin2bn(md, qsize, r0) ||

  344.             !BN_lshift(r0, r0, (qsize << 3) * k) ||

  345.             !BN_add(W, W, r0)) {

  346.           goto err;

  347.         }

  348.       }

  349. 

  350.       // more of step 8

  351.       if (!BN_mask_bits(W, bits - 1) ||

  352.           !BN_copy(X, W) ||

  353.           !BN_add(X, X, test)) {

  354.         goto err;

  355.       }

  356. 

  357.       // step 9

  358.       if (!BN_lshift1(r0, q) ||

  359.           !BN_mod(c, X, r0, ctx) ||

  360.           !BN_sub(r0, c, BN_value_one()) ||

  361.           !BN_sub(p, X, r0)) {

  362.         goto err;

  363.       }

  364. 

  365.       // step 10

  366.       if (BN_cmp(p, test) >= 0) {

  367.         // step 11

  368.         r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);

  369.         if (r > 0) {

  370.           goto end;  // found it

  371.         }

  372.         if (r != 0) {

  373.           goto err;

  374.         }

  375.       }

  376. 

  377.       // step 13

  378.       counter++;

  379.       // "offset = offset + n + 1"

  380. 

  381.       // step 14

  382.       if (counter >= 4096) {

  383.         break;

  384.       }

  385.     }

  386.   }

  387. end:

  388.   if (!BN_GENCB_call(cb, 2, 1)) {

  389.     goto err;

  390.   }

  391. 

  392.   // We now need to generate g

  393.   // Set r0=(p-1)/q

  394.   if (!BN_sub(test, p, BN_value_one()) ||

  395.       !BN_div(r0, NULL, test, q, ctx)) {

  396.     goto err;

  397.   }

  398. 

  399.   mont = BN_MONT_CTX_new_for_modulus(p, ctx);

  400.   if (mont == NULL ||

  401.       !BN_set_word(test, h)) {

  402.     goto err;

  403.   }

  404. 

  405.   for (;;) {

  406.     // g=test^r0%p

  407.     if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {

  408.       goto err;

  409.     }

  410.     if (!BN_is_one(g)) {

  411.       break;

  412.     }

  413.     if (!BN_add(test, test, BN_value_one())) {

  414.       goto err;

  415.     }

  416.     h++;

  417.   }

  418. 

  419.   if (!BN_GENCB_call(cb, 3, 1)) {

  420.     goto err;

  421.   }

  422. 

  423.   ok = 1;

  424. 

  425. err:

  426.   if (ok) {

  427.     BN_free(dsa->p);

  428.     BN_free(dsa->q);

  429.     BN_free(dsa->g);

  430.     dsa->p = BN_dup(p);

  431.     dsa->q = BN_dup(q);

  432.     dsa->g = BN_dup(g);

  433.     if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {

  434.       ok = 0;

  435.       goto err;

  436.     }

  437.     if (out_counter != NULL) {

  438.       *out_counter = counter;

  439.     }

  440.     if (out_h != NULL) {

  441.       *out_h = h;

  442.     }

  443.   }

  444. 

  445.   if (ctx) {

  446.     BN_CTX_end(ctx);

  447.     BN_CTX_free(ctx);

  448.   }

  449. 

  450.   BN_MONT_CTX_free(mont);

  451. 

  452.   return ok;

  453. }

  454. 

  455. DSA *DSAparams_dup(const DSA *dsa) {

  456.   DSA *ret = DSA_new();

  457.   if (ret == NULL) {

  458.     return NULL;

  459.   }

  460.   ret->p = BN_dup(dsa->p);

  461.   ret->q = BN_dup(dsa->q);

  462.   ret->g = BN_dup(dsa->g);

  463.   if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {

  464.     DSA_free(ret);

  465.     return NULL;

  466.   }

  467.   return ret;

  468. }

  469. 

  470. int DSA_generate_key(DSA *dsa) {

  471.   int ok = 0;

  472.   BN_CTX *ctx = NULL;

  473.   BIGNUM *pub_key = NULL, *priv_key = NULL;

  474. 

  475.   ctx = BN_CTX_new();

  476.   if (ctx == NULL) {

  477.     goto err;

  478.   }

  479. 

  480.   priv_key = dsa->priv_key;

  481.   if (priv_key == NULL) {

  482.     priv_key = BN_new();

  483.     if (priv_key == NULL) {

  484.       goto err;

  485.     }

  486.   }

  487. 

  488.   if (!BN_rand_range_ex(priv_key, 1, dsa->q)) {

  489.     goto err;

  490.   }

  491. 

  492.   pub_key = dsa->pub_key;

  493.   if (pub_key == NULL) {

  494.     pub_key = BN_new();

  495.     if (pub_key == NULL) {

  496.       goto err;

  497.     }

  498.   }

  499. 

  500.   if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,

  501.                               dsa->p, ctx) ||

  502.       !BN_mod_exp_mont_consttime(pub_key, dsa->g, priv_key, dsa->p, ctx,

  503.                                  dsa->method_mont_p)) {

  504.     goto err;

  505.   }

  506. 

  507.   dsa->priv_key = priv_key;

  508.   dsa->pub_key = pub_key;

  509.   ok = 1;

  510. 

  511. err:

  512.   if (dsa->pub_key == NULL) {

  513.     BN_free(pub_key);

  514.   }

  515.   if (dsa->priv_key == NULL) {

  516.     BN_free(priv_key);

  517.   }

  518.   BN_CTX_free(ctx);

  519. 

  520.   return ok;

  521. }

  522. 

  523. DSA_SIG *DSA_SIG_new(void) {

  524.   DSA_SIG *sig;

  525.   sig = OPENSSL_malloc(sizeof(DSA_SIG));

  526.   if (!sig) {

  527.     return NULL;

  528.   }

  529.   sig->r = NULL;

  530.   sig->s = NULL;

  531.   return sig;

  532. }

  533. 

  534. void DSA_SIG_free(DSA_SIG *sig) {

  535.   if (!sig) {

  536.     return;

  537.   }

  538. 

  539.   BN_free(sig->r);

  540.   BN_free(sig->s);

  541.   OPENSSL_free(sig);

  542. }

  543. 

  544. // mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and

  545. // |b| as secret. This function internally uses Montgomery reduction, but

  546. // neither inputs nor outputs are in Montgomery form.

  547. static int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,

  548.                              const BN_MONT_CTX *mont, BN_CTX *ctx) {

  549.   BN_CTX_start(ctx);

  550.   BIGNUM *tmp = BN_CTX_get(ctx);

  551.   // |BN_mod_mul_montgomery| removes a factor of R, so we cancel it with a

  552.   // single |BN_to_montgomery| which adds one factor of R.

  553.   int ok = tmp != NULL &&

  554.            BN_to_montgomery(tmp, a, mont, ctx) &&

  555.            BN_mod_mul_montgomery(r, tmp, b, mont, ctx);

  556.   BN_CTX_end(ctx);

  557.   return ok;

  558. }

  559. 

  560. DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {

  561.   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;

  562.   BIGNUM m;

  563.   BIGNUM xr;

  564.   BN_CTX *ctx = NULL;

  565.   int reason = ERR_R_BN_LIB;

  566.   DSA_SIG *ret = NULL;

  567. 

  568.   BN_init(&m);

  569.   BN_init(&xr);

  570. 

  571.   if (!dsa->p || !dsa->q || !dsa->g) {

  572.     reason = DSA_R_MISSING_PARAMETERS;

  573.     goto err;

  574.   }

  575. 

  576.   // We only support DSA keys that are a multiple of 8 bits. (This is a weaker

  577.   // check than the one in |DSA_do_check_signature|, which only allows 160-,

  578.   // 224-, and 256-bit keys.

  579.   if (BN_num_bits(dsa->q) % 8 != 0) {

  580.     reason = DSA_R_BAD_Q_VALUE;

  581.     goto err;

  582.   }

  583. 

  584.   s = BN_new();

  585.   if (s == NULL) {

  586.     goto err;

  587.   }

  588.   ctx = BN_CTX_new();

  589.   if (ctx == NULL) {

  590.     goto err;

  591.   }

  592. 

  593. redo:

  594.   if (!dsa_sign_setup(dsa, ctx, &kinv, &r)) {

  595.     goto err;

  596.   }

  597. 

  598.   if (digest_len > BN_num_bytes(dsa->q)) {

  599.     // If the digest length is greater than the size of |dsa->q| use the

  600.     // BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2.

  601.     // Note the above check that |dsa->q| is a multiple of 8 bits.

  602.     digest_len = BN_num_bytes(dsa->q);

  603.   }

  604. 

  605.   if (BN_bin2bn(digest, digest_len, &m) == NULL) {

  606.     goto err;

  607.   }

  608. 

  609.   // |m| is bounded by 2^(num_bits(q)), which is slightly looser than q. This

  610.   // violates |bn_mod_add_consttime| and |mod_mul_consttime|'s preconditions.

  611.   // (The underlying algorithms could accept looser bounds, but we reduce for

  612.   // simplicity.)

  613.   size_t q_width = bn_minimal_width(dsa->q);

  614.   if (!bn_resize_words(&m, q_width) ||

  615.       !bn_resize_words(&xr, q_width)) {

  616.     goto err;

  617.   }

  618.   bn_reduce_once_in_place(m.d, 0 /* no carry word */, dsa->q->d,

  619.                           xr.d /* scratch space */, q_width);

  620. 

  621.   // Compute s = inv(k) (m + xr) mod q. Note |dsa->method_mont_q| is

  622.   // initialized by |dsa_sign_setup|.

  623.   if (!mod_mul_consttime(&xr, dsa->priv_key, r, dsa->method_mont_q, ctx) ||

  624.       !bn_mod_add_consttime(s, &xr, &m, dsa->q, ctx) ||

  625.       !mod_mul_consttime(s, s, kinv, dsa->method_mont_q, ctx)) {

  626.     goto err;

  627.   }

  628. 

  629.   // Redo if r or s is zero as required by FIPS 186-3: this is

  630.   // very unlikely.

  631.   if (BN_is_zero(r) || BN_is_zero(s)) {

  632.     goto redo;

  633.   }

  634.   ret = DSA_SIG_new();

  635.   if (ret == NULL) {

  636.     goto err;

  637.   }

  638.   ret->r = r;

  639.   ret->s = s;

  640. 

  641. err:

  642.   if (ret == NULL) {

  643.     OPENSSL_PUT_ERROR(DSA, reason);

  644.     BN_free(r);

  645.     BN_free(s);

  646.   }

  647.   BN_CTX_free(ctx);

  648.   BN_clear_free(&m);

  649.   BN_clear_free(&xr);

  650.   BN_clear_free(kinv);

  651. 

  652.   return ret;

  653. }

  654. 

  655. int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,

  656.                   const DSA *dsa) {

  657.   int valid;

  658.   if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {

  659.     return -1;

  660.   }

  661.   return valid;

  662. }

  663. 

  664. int DSA_do_check_signature(int *out_valid, const uint8_t *digest,

  665.                            size_t digest_len, DSA_SIG *sig, const DSA *dsa) {

  666.   BN_CTX *ctx;

  667.   BIGNUM u1, u2, t1;

  668.   int ret = 0;

  669.   unsigned i;

  670. 

  671.   *out_valid = 0;

  672. 

  673.   if (!dsa->p || !dsa->q || !dsa->g) {

  674.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  675.     return 0;

  676.   }

  677. 

  678.   i = BN_num_bits(dsa->q);

  679.   // FIPS 186-3 allows only different sizes for q.

  680.   if (i != 160 && i != 224 && i != 256) {

  681.     OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);

  682.     return 0;

  683.   }

  684. 

  685.   if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {

  686.     OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);

  687.     return 0;

  688.   }

  689. 

  690.   BN_init(&u1);

  691.   BN_init(&u2);

  692.   BN_init(&t1);

  693. 

  694.   ctx = BN_CTX_new();

  695.   if (ctx == NULL) {

  696.     goto err;

  697.   }

  698. 

  699.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  700.       BN_ucmp(sig->r, dsa->q) >= 0) {

  701.     ret = 1;

  702.     goto err;

  703.   }

  704.   if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||

  705.       BN_ucmp(sig->s, dsa->q) >= 0) {

  706.     ret = 1;

  707.     goto err;

  708.   }

  709. 

  710.   // Calculate W = inv(S) mod Q

  711.   // save W in u2

  712.   if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {

  713.     goto err;

  714.   }

  715. 

  716.   // save M in u1

  717.   if (digest_len > (i >> 3)) {

  718.     // if the digest length is greater than the size of q use the

  719.     // BN_num_bits(dsa->q) leftmost bits of the digest, see

  720.     // fips 186-3, 4.2

  721.     digest_len = (i >> 3);

  722.   }

  723. 

  724.   if (BN_bin2bn(digest, digest_len, &u1) == NULL) {

  725.     goto err;

  726.   }

  727. 

  728.   // u1 = M * w mod q

  729.   if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {

  730.     goto err;

  731.   }

  732. 

  733.   // u2 = r * w mod q

  734.   if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {

  735.     goto err;

  736.   }

  737. 

  738.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  739.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  740.                               ctx)) {

  741.     goto err;

  742.   }

  743. 

  744.   if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,

  745.                         dsa->method_mont_p)) {

  746.     goto err;

  747.   }

  748. 

  749.   // BN_copy(&u1,&t1);

  750.   // let u1 = u1 mod q

  751.   if (!BN_mod(&u1, &t1, dsa->q, ctx)) {

  752.     goto err;

  753.   }

  754. 

  755.   // V is now in u1.  If the signature is correct, it will be

  756.   // equal to R.

  757.   *out_valid = BN_ucmp(&u1, sig->r) == 0;

  758.   ret = 1;

  759. 

  760. err:

  761.   if (ret != 1) {

  762.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  763.   }

  764.   BN_CTX_free(ctx);

  765.   BN_free(&u1);

  766.   BN_free(&u2);

  767.   BN_free(&t1);

  768. 

  769.   return ret;

  770. }

  771. 

  772. int DSA_sign(int type, const uint8_t *digest, size_t digest_len,

  773.              uint8_t *out_sig, unsigned int *out_siglen, const DSA *dsa) {

  774.   DSA_SIG *s;

  775. 

  776.   s = DSA_do_sign(digest, digest_len, dsa);

  777.   if (s == NULL) {

  778.     *out_siglen = 0;

  779.     return 0;

  780.   }

  781. 

  782.   *out_siglen = i2d_DSA_SIG(s, &out_sig);

  783.   DSA_SIG_free(s);

  784.   return 1;

  785. }

  786. 

  787. int DSA_verify(int type, const uint8_t *digest, size_t digest_len,

  788.                const uint8_t *sig, size_t sig_len, const DSA *dsa) {

  789.   int valid;

  790.   if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {

  791.     return -1;

  792.   }

  793.   return valid;

  794. }

  795. 

  796. int DSA_check_signature(int *out_valid, const uint8_t *digest,

  797.                         size_t digest_len, const uint8_t *sig, size_t sig_len,

  798.                         const DSA *dsa) {

  799.   DSA_SIG *s = NULL;

  800.   int ret = 0;

  801.   uint8_t *der = NULL;

  802. 

  803.   s = DSA_SIG_new();

  804.   if (s == NULL) {

  805.     goto err;

  806.   }

  807. 

  808.   const uint8_t *sigp = sig;

  809.   if (d2i_DSA_SIG(&s, &sigp, sig_len) == NULL || sigp != sig + sig_len) {

  810.     goto err;

  811.   }

  812. 

  813.   // Ensure that the signature uses DER and doesn't have trailing garbage.

  814.   int der_len = i2d_DSA_SIG(s, &der);

  815.   if (der_len < 0 || (size_t)der_len != sig_len ||

  816.       OPENSSL_memcmp(sig, der, sig_len)) {

  817.     goto err;

  818.   }

  819. 

  820.   ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);

  821. 

  822. err:

  823.   OPENSSL_free(der);

  824.   DSA_SIG_free(s);

  825.   return ret;

  826. }

  827. 

  828. // der_len_len returns the number of bytes needed to represent a length of |len|

  829. // in DER.

  830. static size_t der_len_len(size_t len) {

  831.   if (len < 0x80) {

  832.     return 1;

  833.   }

  834.   size_t ret = 1;

  835.   while (len > 0) {

  836.     ret++;

  837.     len >>= 8;

  838.   }

  839.   return ret;

  840. }

  841. 

  842. int DSA_size(const DSA *dsa) {

  843.   size_t order_len = BN_num_bytes(dsa->q);

  844.   // Compute the maximum length of an |order_len| byte integer. Defensively

  845.   // assume that the leading 0x00 is included.

  846.   size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;

  847.   if (integer_len < order_len) {

  848.     return 0;

  849.   }

  850.   // A DSA signature is two INTEGERs.

  851.   size_t value_len = 2 * integer_len;

  852.   if (value_len < integer_len) {

  853.     return 0;

  854.   }

  855.   // Add the header.

  856.   size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;

  857.   if (ret < value_len) {

  858.     return 0;

  859.   }

  860.   return ret;

  861. }

  862. 

  863. static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,

  864.                           BIGNUM **out_r) {

  865.   BN_CTX *ctx;

  866.   BIGNUM k, *kinv = NULL, *r = NULL;

  867.   int ret = 0;

  868. 

  869.   if (!dsa->p || !dsa->q || !dsa->g) {

  870.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  871.     return 0;

  872.   }

  873. 

  874.   BN_init(&k);

  875. 

  876.   ctx = ctx_in;

  877.   if (ctx == NULL) {

  878.     ctx = BN_CTX_new();

  879.     if (ctx == NULL) {

  880.       goto err;

  881.     }

  882.   }

  883. 

  884.   r = BN_new();

  885.   kinv = BN_new();

  886.   if (r == NULL || kinv == NULL ||

  887.       // Get random k

  888.       !BN_rand_range_ex(&k, 1, dsa->q) ||

  889.       !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  890.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  891.                               ctx) ||

  892.       !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_q,

  893.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->q,

  894.                               ctx) ||

  895.       // Compute r = (g^k mod p) mod q

  896.       !BN_mod_exp_mont_consttime(r, dsa->g, &k, dsa->p, ctx,

  897.                                  dsa->method_mont_p) ||

  898.       // Note |BN_mod| below is not constant-time and may leak information about

  899.       // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not

  900.       // easily performed in constant-time with Montgomery reduction.

  901.       //

  902.       // However, |r| at this point is g^k (mod p). It is almost the value of

  903.       // |r| revealed in the signature anyway (g^k (mod p) (mod q)), going from

  904.       // it to |k| would require computing a discrete log.

  905.       !BN_mod(r, r, dsa->q, ctx) ||

  906.       // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little

  907.       // Theorem.

  908.       !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {

  909.     goto err;

  910.   }

  911. 

  912.   BN_clear_free(*out_kinv);

  913.   *out_kinv = kinv;

  914.   kinv = NULL;

  915.   BN_clear_free(*out_r);

  916.   *out_r = r;

  917.   ret = 1;

  918. 

  919. err:

  920.   if (!ret) {

  921.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  922.     if (r != NULL) {

  923.       BN_clear_free(r);

  924.     }

  925.   }

  926. 

  927.   if (ctx_in == NULL) {

  928.     BN_CTX_free(ctx);

  929.   }

  930.   BN_clear_free(&k);

  931.   BN_clear_free(kinv);

  932.   return ret;

  933. }

  934. 

  935. int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,

  936.                          CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {

  937.   int index;

  938.   if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,

  939.                                free_func)) {

  940.     return -1;

  941.   }

  942.   return index;

  943. }

  944. 

  945. int DSA_set_ex_data(DSA *dsa, int idx, void *arg) {

  946.   return CRYPTO_set_ex_data(&dsa->ex_data, idx, arg);

  947. }

  948. 

  949. void *DSA_get_ex_data(const DSA *dsa, int idx) {

  950.   return CRYPTO_get_ex_data(&dsa->ex_data, idx);

  951. }

  952. 

  953. DH *DSA_dup_DH(const DSA *dsa) {

  954.   if (dsa == NULL) {

  955.     return NULL;

  956.   }

  957. 

  958.   DH *ret = DH_new();

  959.   if (ret == NULL) {

  960.     goto err;

  961.   }

  962.   if (dsa->q != NULL) {

  963.     ret->priv_length = BN_num_bits(dsa->q);

  964.     if ((ret->q = BN_dup(dsa->q)) == NULL) {

  965.       goto err;

  966.     }

  967.   }

  968.   if ((dsa->p != NULL && (ret->p = BN_dup(dsa->p)) == NULL) ||

  969.       (dsa->g != NULL && (ret->g = BN_dup(dsa->g)) == NULL) ||

  970.       (dsa->pub_key != NULL && (ret->pub_key = BN_dup(dsa->pub_key)) == NULL) ||

  971.       (dsa->priv_key != NULL &&

  972.        (ret->priv_key = BN_dup(dsa->priv_key)) == NULL)) {

  973.     goto err;

  974.   }

  975. 

  976.   return ret;

  977. 

  978. err:

  979.   DH_free(ret);

  980.   return NULL;

  981. }