kris
/
boringssl
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
1387 Revīzijas
12 Atzari
38 MiB
 
 
 
 
 
 
Koks: cff0b90cbb
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no 'cff0b90cbb'
${ noResults }
boringssl/crypto/dsa/dsa_impl.c

747 rindas
17 KiB
Neapstrādāts Vainot Vēsture 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  *

  57.  * The DSS routines are based on patches supplied by

  58.  * Steven Schoch <schoch@sheba.arc.nasa.gov>. */

  59. 

  60. #include <openssl/dsa.h>

  61. 

  62. #include <string.h>

  63. 

  64. #include <openssl/bn.h>

  65. #include <openssl/digest.h>

  66. #include <openssl/err.h>

  67. #include <openssl/rand.h>

  68. #include <openssl/sha.h>

  69. #include <openssl/thread.h>

  70. 

  71. #include "internal.h"

  72. 

  73. #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

  74. 

  75. /* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of

  76.  * Rabin-Miller */

  77. #define DSS_prime_checks 50

  78. 

  79. static int sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,

  80.                       BIGNUM **rp, const uint8_t *digest, size_t digest_len) {

  81.   BN_CTX *ctx;

  82.   BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;

  83.   int ret = 0;

  84. 

  85.   if (!dsa->p || !dsa->q || !dsa->g) {

  86.     OPENSSL_PUT_ERROR(DSA, sign_setup, DSA_R_MISSING_PARAMETERS);

  87.     return 0;

  88.   }

  89. 

  90.   BN_init(&k);

  91.   BN_init(&kq);

  92. 

  93.   ctx = ctx_in;

  94.   if (ctx == NULL) {

  95.     ctx = BN_CTX_new();

  96.     if (ctx == NULL) {

  97.       goto err;

  98.     }

  99.   }

  100. 

  101.   r = BN_new();

  102.   if (r == NULL) {

  103.     goto err;

  104.   }

  105. 

  106.   /* Get random k */

  107.   do {

  108.     /* If possible, we'll include the private key and message digest in the k

  109.      * generation. The |digest| argument is only empty if |DSA_sign_setup| is

  110.      * being used. */

  111.     int ok;

  112. 

  113.     if (digest_len > 0) {

  114.       ok = BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, digest, digest_len,

  115.                                  ctx);

  116.     } else {

  117.       ok = BN_rand_range(&k, dsa->q);

  118.     }

  119.     if (!ok) {

  120.       goto err;

  121.     }

  122.   } while (BN_is_zero(&k));

  123. 

  124.   BN_set_flags(&k, BN_FLG_CONSTTIME);

  125. 

  126.   if (BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  127.                              (CRYPTO_MUTEX *)&dsa->method_mont_p_lock, dsa->p,

  128.                              ctx) == NULL) {

  129.     goto err;

  130.   }

  131. 

  132.   /* Compute r = (g^k mod p) mod q */

  133.   if (!BN_copy(&kq, &k)) {

  134.     goto err;

  135.   }

  136. 

  137.   /* We do not want timing information to leak the length of k,

  138.    * so we compute g^k using an equivalent exponent of fixed length.

  139.    *

  140.    * (This is a kludge that we need because the BN_mod_exp_mont()

  141.    * does not let us specify the desired timing behaviour.) */

  142. 

  143.   if (!BN_add(&kq, &kq, dsa->q)) {

  144.     goto err;

  145.   }

  146.   if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {

  147.     goto err;

  148.   }

  149. 

  150.   K = &kq;

  151. 

  152.   if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p)) {

  153.     goto err;

  154.   }

  155.   if (!BN_mod(r, r, dsa->q, ctx)) {

  156.     goto err;

  157.   }

  158. 

  159.   /* Compute  part of 's = inv(k) (m + xr) mod q' */

  160.   kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx);

  161.   if (kinv == NULL) {

  162.     goto err;

  163.   }

  164. 

  165.   BN_clear_free(*kinvp);

  166.   *kinvp = kinv;

  167.   kinv = NULL;

  168.   BN_clear_free(*rp);

  169.   *rp = r;

  170.   ret = 1;

  171. 

  172. err:

  173.   if (!ret) {

  174.     OPENSSL_PUT_ERROR(DSA, sign_setup, ERR_R_BN_LIB);

  175.     if (r != NULL) {

  176.       BN_clear_free(r);

  177.     }

  178.   }

  179. 

  180.   if (ctx_in == NULL) {

  181.     BN_CTX_free(ctx);

  182.   }

  183.   BN_clear_free(&k);

  184.   BN_clear_free(&kq);

  185.   return ret;

  186. }

  187. 

  188. static DSA_SIG *sign(const uint8_t *digest, size_t digest_len, DSA *dsa) {

  189.   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;

  190.   BIGNUM m;

  191.   BIGNUM xr;

  192.   BN_CTX *ctx = NULL;

  193.   int reason = ERR_R_BN_LIB;

  194.   DSA_SIG *ret = NULL;

  195.   int noredo = 0;

  196. 

  197.   BN_init(&m);

  198.   BN_init(&xr);

  199. 

  200.   if (!dsa->p || !dsa->q || !dsa->g) {

  201.     reason = DSA_R_MISSING_PARAMETERS;

  202.     goto err;

  203.   }

  204. 

  205.   s = BN_new();

  206.   if (s == NULL) {

  207.     goto err;

  208.   }

  209.   ctx = BN_CTX_new();

  210.   if (ctx == NULL) {

  211.     goto err;

  212.   }

  213. 

  214. redo:

  215.   if (dsa->kinv == NULL || dsa->r == NULL) {

  216.     if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) {

  217.       goto err;

  218.     }

  219.   } else {

  220.     kinv = dsa->kinv;

  221.     dsa->kinv = NULL;

  222.     r = dsa->r;

  223.     dsa->r = NULL;

  224.     noredo = 1;

  225.   }

  226. 

  227.   if (digest_len > BN_num_bytes(dsa->q)) {

  228.     /* if the digest length is greater than the size of q use the

  229.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  230.      * fips 186-3, 4.2 */

  231.     digest_len = BN_num_bytes(dsa->q);

  232.   }

  233. 

  234.   if (BN_bin2bn(digest, digest_len, &m) == NULL) {

  235.     goto err;

  236.   }

  237. 

  238.   /* Compute  s = inv(k) (m + xr) mod q */

  239.   if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {

  240.     goto err; /* s = xr */

  241.   }

  242.   if (!BN_add(s, &xr, &m)) {

  243.     goto err; /* s = m + xr */

  244.   }

  245.   if (BN_cmp(s, dsa->q) > 0) {

  246.     if (!BN_sub(s, s, dsa->q)) {

  247.       goto err;

  248.     }

  249.   }

  250.   if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {

  251.     goto err;

  252.   }

  253. 

  254.   ret = DSA_SIG_new();

  255.   if (ret == NULL) {

  256.     goto err;

  257.   }

  258.   /* Redo if r or s is zero as required by FIPS 186-3: this is

  259.    * very unlikely. */

  260.   if (BN_is_zero(r) || BN_is_zero(s)) {

  261.     if (noredo) {

  262.       reason = DSA_R_NEED_NEW_SETUP_VALUES;

  263.       goto err;

  264.     }

  265.     goto redo;

  266.   }

  267.   ret->r = r;

  268.   ret->s = s;

  269. 

  270. err:

  271.   if (!ret) {

  272.     OPENSSL_PUT_ERROR(DSA, sign, reason);

  273.     BN_free(r);

  274.     BN_free(s);

  275.   }

  276.   BN_CTX_free(ctx);

  277.   BN_clear_free(&m);

  278.   BN_clear_free(&xr);

  279.   BN_clear_free(kinv);

  280. 

  281.   return ret;

  282. }

  283. 

  284. static int verify(int *out_valid, const uint8_t *dgst, size_t digest_len,

  285.                   DSA_SIG *sig, const DSA *dsa) {

  286.   BN_CTX *ctx;

  287.   BIGNUM u1, u2, t1;

  288.   BN_MONT_CTX *mont = NULL;

  289.   int ret = 0;

  290.   unsigned i;

  291. 

  292.   *out_valid = 0;

  293. 

  294.   if (!dsa->p || !dsa->q || !dsa->g) {

  295.     OPENSSL_PUT_ERROR(DSA, verify, DSA_R_MISSING_PARAMETERS);

  296.     return 0;

  297.   }

  298. 

  299.   i = BN_num_bits(dsa->q);

  300.   /* fips 186-3 allows only different sizes for q */

  301.   if (i != 160 && i != 224 && i != 256) {

  302.     OPENSSL_PUT_ERROR(DSA, verify, DSA_R_BAD_Q_VALUE);

  303.     return 0;

  304.   }

  305. 

  306.   if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {

  307.     OPENSSL_PUT_ERROR(DSA, verify, DSA_R_MODULUS_TOO_LARGE);

  308.     return 0;

  309.   }

  310. 

  311.   BN_init(&u1);

  312.   BN_init(&u2);

  313.   BN_init(&t1);

  314. 

  315.   ctx = BN_CTX_new();

  316.   if (ctx == NULL) {

  317.     goto err;

  318.   }

  319. 

  320.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  321.       BN_ucmp(sig->r, dsa->q) >= 0) {

  322.     ret = 1;

  323.     goto err;

  324.   }

  325.   if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||

  326.       BN_ucmp(sig->s, dsa->q) >= 0) {

  327.     ret = 1;

  328.     goto err;

  329.   }

  330. 

  331.   /* Calculate W = inv(S) mod Q

  332.    * save W in u2 */

  333.   if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {

  334.     goto err;

  335.   }

  336. 

  337.   /* save M in u1 */

  338.   if (digest_len > (i >> 3)) {

  339.     /* if the digest length is greater than the size of q use the

  340.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  341.      * fips 186-3, 4.2 */

  342.     digest_len = (i >> 3);

  343.   }

  344. 

  345.   if (BN_bin2bn(dgst, digest_len, &u1) == NULL) {

  346.     goto err;

  347.   }

  348. 

  349.   /* u1 = M * w mod q */

  350.   if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {

  351.     goto err;

  352.   }

  353. 

  354.   /* u2 = r * w mod q */

  355.   if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {

  356.     goto err;

  357.   }

  358. 

  359.   mont = BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  360.                                 (CRYPTO_MUTEX *)&dsa->method_mont_p_lock,

  361.                                 dsa->p, ctx);

  362.   if (!mont) {

  363.     goto err;

  364.   }

  365. 

  366.   if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,

  367.                         mont)) {

  368.     goto err;

  369.   }

  370. 

  371.   /* BN_copy(&u1,&t1); */

  372.   /* let u1 = u1 mod q */

  373.   if (!BN_mod(&u1, &t1, dsa->q, ctx)) {

  374.     goto err;

  375.   }

  376. 

  377.   /* V is now in u1.  If the signature is correct, it will be

  378.    * equal to R. */

  379.   *out_valid = BN_ucmp(&u1, sig->r) == 0;

  380.   ret = 1;

  381. 

  382. err:

  383.   if (ret != 1) {

  384.     OPENSSL_PUT_ERROR(DSA, verify, ERR_R_BN_LIB);

  385.   }

  386.   BN_CTX_free(ctx);

  387.   BN_free(&u1);

  388.   BN_free(&u2);

  389.   BN_free(&t1);

  390. 

  391.   return ret;

  392. }

  393. 

  394. static int keygen(DSA *dsa) {

  395.   int ok = 0;

  396.   BN_CTX *ctx = NULL;

  397.   BIGNUM *pub_key = NULL, *priv_key = NULL;

  398.   BIGNUM prk;

  399. 

  400.   ctx = BN_CTX_new();

  401.   if (ctx == NULL) {

  402.     goto err;

  403.   }

  404. 

  405.   priv_key = dsa->priv_key;

  406.   if (priv_key == NULL) {

  407.     priv_key = BN_new();

  408.     if (priv_key == NULL) {

  409.       goto err;

  410.     }

  411.   }

  412. 

  413.   do {

  414.     if (!BN_rand_range(priv_key, dsa->q)) {

  415.       goto err;

  416.     }

  417.   } while (BN_is_zero(priv_key));

  418. 

  419.   pub_key = dsa->pub_key;

  420.   if (pub_key == NULL) {

  421.     pub_key = BN_new();

  422.     if (pub_key == NULL) {

  423.       goto err;

  424.     }

  425.   }

  426. 

  427.   BN_init(&prk);

  428.   BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);

  429. 

  430.   if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) {

  431.     goto err;

  432.   }

  433. 

  434.   dsa->priv_key = priv_key;

  435.   dsa->pub_key = pub_key;

  436.   ok = 1;

  437. 

  438. err:

  439.   if (dsa->pub_key == NULL) {

  440.     BN_free(pub_key);

  441.   }

  442.   if (dsa->priv_key == NULL) {

  443.     BN_free(priv_key);

  444.   }

  445.   BN_CTX_free(ctx);

  446. 

  447.   return ok;

  448. }

  449. 

  450. static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,

  451.                     size_t seed_len, int *counter_ret, unsigned long *h_ret,

  452.                     BN_GENCB *cb) {

  453.   int ok = 0;

  454.   unsigned char seed[SHA256_DIGEST_LENGTH];

  455.   unsigned char md[SHA256_DIGEST_LENGTH];

  456.   unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];

  457.   BIGNUM *r0, *W, *X, *c, *test;

  458.   BIGNUM *g = NULL, *q = NULL, *p = NULL;

  459.   BN_MONT_CTX *mont = NULL;

  460.   int k, n = 0, m = 0;

  461.   unsigned i;

  462.   int counter = 0;

  463.   int r = 0;

  464.   BN_CTX *ctx = NULL;

  465.   unsigned int h = 2;

  466.   unsigned qbits, qsize;

  467.   const EVP_MD *evpmd;

  468. 

  469.   if (bits >= 2048) {

  470.     qbits = 256;

  471.     evpmd = EVP_sha256();

  472.   } else {

  473.     qbits = 160;

  474.     evpmd = EVP_sha1();

  475.   }

  476.   qsize = qbits / 8;

  477. 

  478.   if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&

  479.       qsize != SHA256_DIGEST_LENGTH) {

  480.     /* invalid q size */

  481.     return 0;

  482.   }

  483. 

  484.   if (bits < 512) {

  485.     bits = 512;

  486.   }

  487. 

  488.   bits = (bits + 63) / 64 * 64;

  489. 

  490.   /* NB: seed_len == 0 is special case: copy generated seed to

  491.    * seed_in if it is not NULL. */

  492.   if (seed_len && (seed_len < (size_t)qsize)) {

  493.     seed_in = NULL; /* seed buffer too small -- ignore */

  494.   }

  495.   if (seed_len > (size_t)qsize) {

  496.     seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,

  497.                        * but our internal buffers are restricted to 160 bits*/

  498.   }

  499.   if (seed_in != NULL) {

  500.     memcpy(seed, seed_in, seed_len);

  501.   }

  502. 

  503.   ctx = BN_CTX_new();

  504.   mont = BN_MONT_CTX_new();

  505.   if (ctx == NULL || mont == NULL) {

  506.     goto err;

  507.   }

  508. 

  509.   BN_CTX_start(ctx);

  510.   r0 = BN_CTX_get(ctx);

  511.   g = BN_CTX_get(ctx);

  512.   W = BN_CTX_get(ctx);

  513.   q = BN_CTX_get(ctx);

  514.   X = BN_CTX_get(ctx);

  515.   c = BN_CTX_get(ctx);

  516.   p = BN_CTX_get(ctx);

  517.   test = BN_CTX_get(ctx);

  518. 

  519.   if (!BN_lshift(test, BN_value_one(), bits - 1)) {

  520.     goto err;

  521.   }

  522. 

  523.   for (;;) {

  524.     /* Find q. */

  525.     for (;;) {

  526.       int seed_is_random;

  527. 

  528.       /* step 1 */

  529.       if (!BN_GENCB_call(cb, 0, m++)) {

  530.         goto err;

  531.       }

  532. 

  533.       if (!seed_len) {

  534.         if (!RAND_bytes(seed, qsize)) {

  535.           goto err;

  536.         }

  537.         seed_is_random = 1;

  538.       } else {

  539.         seed_is_random = 0;

  540.         seed_len = 0; /* use random seed if 'seed_in' turns out to be bad*/

  541.       }

  542.       memcpy(buf, seed, qsize);

  543.       memcpy(buf2, seed, qsize);

  544.       /* precompute "SEED + 1" for step 7: */

  545.       for (i = qsize - 1; i < qsize; i--) {

  546.         buf[i]++;

  547.         if (buf[i] != 0) {

  548.           break;

  549.         }

  550.       }

  551. 

  552.       /* step 2 */

  553.       if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||

  554.           !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {

  555.         goto err;

  556.       }

  557.       for (i = 0; i < qsize; i++) {

  558.         md[i] ^= buf2[i];

  559.       }

  560. 

  561.       /* step 3 */

  562.       md[0] |= 0x80;

  563.       md[qsize - 1] |= 0x01;

  564.       if (!BN_bin2bn(md, qsize, q)) {

  565.         goto err;

  566.       }

  567. 

  568.       /* step 4 */

  569.       r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb);

  570.       if (r > 0) {

  571.         break;

  572.       }

  573.       if (r != 0) {

  574.         goto err;

  575.       }

  576. 

  577.       /* do a callback call */

  578.       /* step 5 */

  579.     }

  580. 

  581.     if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {

  582.       goto err;

  583.     }

  584. 

  585.     /* step 6 */

  586.     counter = 0;

  587.     /* "offset = 2" */

  588. 

  589.     n = (bits - 1) / 160;

  590. 

  591.     for (;;) {

  592.       if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {

  593.         goto err;

  594.       }

  595. 

  596.       /* step 7 */

  597.       BN_zero(W);

  598.       /* now 'buf' contains "SEED + offset - 1" */

  599.       for (k = 0; k <= n; k++) {

  600.         /* obtain "SEED + offset + k" by incrementing: */

  601.         for (i = qsize - 1; i < qsize; i--) {

  602.           buf[i]++;

  603.           if (buf[i] != 0) {

  604.             break;

  605.           }

  606.         }

  607. 

  608.         if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {

  609.           goto err;

  610.         }

  611. 

  612.         /* step 8 */

  613.         if (!BN_bin2bn(md, qsize, r0) ||

  614.             !BN_lshift(r0, r0, (qsize << 3) * k) ||

  615.             !BN_add(W, W, r0)) {

  616.           goto err;

  617.         }

  618.       }

  619. 

  620.       /* more of step 8 */

  621.       if (!BN_mask_bits(W, bits - 1) ||

  622.           !BN_copy(X, W) ||

  623.           !BN_add(X, X, test)) {

  624.         goto err;

  625.       }

  626. 

  627.       /* step 9 */

  628.       if (!BN_lshift1(r0, q) ||

  629.           !BN_mod(c, X, r0, ctx) ||

  630.           !BN_sub(r0, c, BN_value_one()) ||

  631.           !BN_sub(p, X, r0)) {

  632.         goto err;

  633.       }

  634. 

  635.       /* step 10 */

  636.       if (BN_cmp(p, test) >= 0) {

  637.         /* step 11 */

  638.         r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);

  639.         if (r > 0) {

  640.           goto end; /* found it */

  641.         }

  642.         if (r != 0) {

  643.           goto err;

  644.         }

  645.       }

  646. 

  647.       /* step 13 */

  648.       counter++;

  649.       /* "offset = offset + n + 1" */

  650. 

  651.       /* step 14 */

  652.       if (counter >= 4096) {

  653.         break;

  654.       }

  655.     }

  656.   }

  657. end:

  658.   if (!BN_GENCB_call(cb, 2, 1)) {

  659.     goto err;

  660.   }

  661. 

  662.   /* We now need to generate g */

  663.   /* Set r0=(p-1)/q */

  664.   if (!BN_sub(test, p, BN_value_one()) ||

  665.       !BN_div(r0, NULL, test, q, ctx)) {

  666.     goto err;

  667.   }

  668. 

  669.   if (!BN_set_word(test, h) ||

  670.       !BN_MONT_CTX_set(mont, p, ctx)) {

  671.     goto err;

  672.   }

  673. 

  674.   for (;;) {

  675.     /* g=test^r0%p */

  676.     if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {

  677.       goto err;

  678.     }

  679.     if (!BN_is_one(g)) {

  680.       break;

  681.     }

  682.     if (!BN_add(test, test, BN_value_one())) {

  683.       goto err;

  684.     }

  685.     h++;

  686.   }

  687. 

  688.   if (!BN_GENCB_call(cb, 3, 1)) {

  689.     goto err;

  690.   }

  691. 

  692.   ok = 1;

  693. 

  694. err:

  695.   if (ok) {

  696.     BN_free(ret->p);

  697.     BN_free(ret->q);

  698.     BN_free(ret->g);

  699.     ret->p = BN_dup(p);

  700.     ret->q = BN_dup(q);

  701.     ret->g = BN_dup(g);

  702.     if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {

  703.       ok = 0;

  704.       goto err;

  705.     }

  706.     if (counter_ret != NULL) {

  707.       *counter_ret = counter;

  708.     }

  709.     if (h_ret != NULL) {

  710.       *h_ret = h;

  711.     }

  712.   }

  713. 

  714.   if (ctx) {

  715.     BN_CTX_end(ctx);

  716.     BN_CTX_free(ctx);

  717.   }

  718. 

  719.   BN_MONT_CTX_free(mont);

  720. 

  721.   return ok;

  722. }

  723. 

  724. static int finish(DSA *dsa) {

  725.   BN_MONT_CTX_free(dsa->method_mont_p);

  726.   dsa->method_mont_p = NULL;

  727.   return 1;

  728. }

  729. 

  730. const struct dsa_method DSA_default_method = {

  731.   {

  732.     0 /* references */,

  733.     1 /* is_static */,

  734.   },

  735.   NULL /* app_data */,

  736. 

  737.   NULL /* init */,

  738.   finish /* finish */,

  739. 

  740.   sign,

  741.   sign_setup,

  742.   verify,

  743. 

  744.   paramgen,

  745.   keygen,

  746. };