sl@0: /* crypto/dsa/dsa_ossl.c */ sl@0: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) sl@0: * All rights reserved. sl@0: * sl@0: * This package is an SSL implementation written sl@0: * by Eric Young (eay@cryptsoft.com). sl@0: * The implementation was written so as to conform with Netscapes SSL. sl@0: * sl@0: * This library is free for commercial and non-commercial use as long as sl@0: * the following conditions are aheared to. The following conditions sl@0: * apply to all code found in this distribution, be it the RC4, RSA, sl@0: * lhash, DES, etc., code; not just the SSL code. The SSL documentation sl@0: * included with this distribution is covered by the same copyright terms sl@0: * except that the holder is Tim Hudson (tjh@cryptsoft.com). sl@0: * sl@0: * Copyright remains Eric Young's, and as such any Copyright notices in sl@0: * the code are not to be removed. sl@0: * If this package is used in a product, Eric Young should be given attribution sl@0: * as the author of the parts of the library used. sl@0: * This can be in the form of a textual message at program startup or sl@0: * in documentation (online or textual) provided with the package. sl@0: * sl@0: * Redistribution and use in source and binary forms, with or without sl@0: * modification, are permitted provided that the following conditions sl@0: * are met: sl@0: * 1. Redistributions of source code must retain the copyright sl@0: * notice, this list of conditions and the following disclaimer. sl@0: * 2. Redistributions in binary form must reproduce the above copyright sl@0: * notice, this list of conditions and the following disclaimer in the sl@0: * documentation and/or other materials provided with the distribution. sl@0: * 3. All advertising materials mentioning features or use of this software sl@0: * must display the following acknowledgement: sl@0: * "This product includes cryptographic software written by sl@0: * Eric Young (eay@cryptsoft.com)" sl@0: * The word 'cryptographic' can be left out if the rouines from the library sl@0: * being used are not cryptographic related :-). sl@0: * 4. If you include any Windows specific code (or a derivative thereof) from sl@0: * the apps directory (application code) you must include an acknowledgement: sl@0: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" sl@0: * sl@0: * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND sl@0: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE sl@0: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE sl@0: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE sl@0: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL sl@0: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS sl@0: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) sl@0: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT sl@0: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY sl@0: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF sl@0: * SUCH DAMAGE. sl@0: * sl@0: * The licence and distribution terms for any publically available version or sl@0: * derivative of this code cannot be changed. i.e. this code cannot simply be sl@0: * copied and put under another distribution licence sl@0: * [including the GNU Public Licence.] sl@0: */ sl@0: sl@0: /* Original version from Steven Schoch */ sl@0: /* sl@0: © Portions copyright (c) 2006 Nokia Corporation. All rights reserved. sl@0: */ sl@0: sl@0: #include sl@0: #include "cryptlib.h" sl@0: #include sl@0: #include sl@0: #include sl@0: #include sl@0: #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__))) sl@0: #include "libcrypto_wsd_macros.h" sl@0: #include "libcrypto_wsd.h" sl@0: #endif sl@0: sl@0: static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); sl@0: static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); sl@0: static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, sl@0: DSA *dsa); sl@0: static int dsa_init(DSA *dsa); sl@0: static int dsa_finish(DSA *dsa); sl@0: sl@0: #ifndef EMULATOR sl@0: static DSA_METHOD openssl_dsa_meth = { sl@0: "OpenSSL DSA method", sl@0: dsa_do_sign, sl@0: dsa_sign_setup, sl@0: dsa_do_verify, sl@0: NULL, /* dsa_mod_exp, */ sl@0: NULL, /* dsa_bn_mod_exp, */ sl@0: dsa_init, sl@0: dsa_finish, sl@0: 0, sl@0: NULL, sl@0: NULL, sl@0: NULL sl@0: }; sl@0: #else sl@0: GET_STATIC_VAR_FROM_TLS(openssl_dsa_meth,dsa_ossl,DSA_METHOD) sl@0: #define openssl_dsa_meth (*GET_WSD_VAR_NAME(openssl_dsa_meth,dsa_ossl, s)()) sl@0: const DSA_METHOD temp_s_openssl_dsa_meth = { sl@0: "OpenSSL DSA method", sl@0: dsa_do_sign, sl@0: dsa_sign_setup, sl@0: dsa_do_verify, sl@0: NULL, /* dsa_mod_exp, */ sl@0: NULL, /* dsa_bn_mod_exp, */ sl@0: dsa_init, sl@0: dsa_finish, sl@0: 0, sl@0: NULL, sl@0: NULL, sl@0: NULL sl@0: }; sl@0: #endif sl@0: sl@0: /* These macro wrappers replace attempts to use the dsa_mod_exp() and sl@0: * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of sl@0: * having a the macro work as an expression by bundling an "err_instr". So; sl@0: * sl@0: * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, sl@0: * dsa->method_mont_p)) goto err; sl@0: * sl@0: * can be replaced by; sl@0: * sl@0: * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx, sl@0: * dsa->method_mont_p); sl@0: */ sl@0: sl@0: #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ sl@0: do { \ sl@0: int _tmp_res53; \ sl@0: if((dsa)->meth->dsa_mod_exp) \ sl@0: _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ sl@0: (a2), (p2), (m), (ctx), (in_mont)); \ sl@0: else \ sl@0: _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ sl@0: (m), (ctx), (in_mont)); \ sl@0: if(!_tmp_res53) err_instr; \ sl@0: } while(0) sl@0: #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ sl@0: do { \ sl@0: int _tmp_res53; \ sl@0: if((dsa)->meth->bn_mod_exp) \ sl@0: _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ sl@0: (m), (ctx), (m_ctx)); \ sl@0: else \ sl@0: _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ sl@0: if(!_tmp_res53) err_instr; \ sl@0: } while(0) sl@0: sl@0: EXPORT_C const DSA_METHOD *DSA_OpenSSL(void) sl@0: { sl@0: return &openssl_dsa_meth; sl@0: } sl@0: sl@0: static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) sl@0: { sl@0: BIGNUM *kinv=NULL,*r=NULL,*s=NULL; sl@0: BIGNUM m; sl@0: BIGNUM xr; sl@0: BN_CTX *ctx=NULL; sl@0: int i,reason=ERR_R_BN_LIB; sl@0: DSA_SIG *ret=NULL; sl@0: sl@0: BN_init(&m); sl@0: BN_init(&xr); sl@0: sl@0: if (!dsa->p || !dsa->q || !dsa->g) sl@0: { sl@0: reason=DSA_R_MISSING_PARAMETERS; sl@0: goto err; sl@0: } sl@0: sl@0: s=BN_new(); sl@0: if (s == NULL) goto err; sl@0: sl@0: i=BN_num_bytes(dsa->q); /* should be 20 */ sl@0: if ((dlen > i) || (dlen > 50)) sl@0: { sl@0: reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE; sl@0: goto err; sl@0: } sl@0: sl@0: ctx=BN_CTX_new(); sl@0: if (ctx == NULL) goto err; sl@0: sl@0: if ((dsa->kinv == NULL) || (dsa->r == NULL)) sl@0: { sl@0: if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err; sl@0: } sl@0: else sl@0: { sl@0: kinv=dsa->kinv; sl@0: dsa->kinv=NULL; sl@0: r=dsa->r; sl@0: dsa->r=NULL; sl@0: } sl@0: sl@0: if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err; sl@0: sl@0: /* Compute s = inv(k) (m + xr) mod q */ sl@0: if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ sl@0: if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */ sl@0: if (BN_cmp(s,dsa->q) > 0) sl@0: BN_sub(s,s,dsa->q); sl@0: if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; sl@0: sl@0: ret=DSA_SIG_new(); sl@0: if (ret == NULL) goto err; sl@0: ret->r = r; sl@0: ret->s = s; sl@0: sl@0: err: sl@0: if (!ret) sl@0: { sl@0: DSAerr(DSA_F_DSA_DO_SIGN,reason); sl@0: BN_free(r); sl@0: BN_free(s); sl@0: } sl@0: if (ctx != NULL) BN_CTX_free(ctx); sl@0: BN_clear_free(&m); sl@0: BN_clear_free(&xr); sl@0: if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ sl@0: BN_clear_free(kinv); sl@0: return(ret); sl@0: } sl@0: sl@0: static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) sl@0: { sl@0: BN_CTX *ctx; sl@0: BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; sl@0: int ret=0; sl@0: sl@0: if (!dsa->p || !dsa->q || !dsa->g) sl@0: { sl@0: DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS); sl@0: return 0; sl@0: } sl@0: sl@0: BN_init(&k); sl@0: BN_init(&kq); sl@0: sl@0: if (ctx_in == NULL) sl@0: { sl@0: if ((ctx=BN_CTX_new()) == NULL) goto err; sl@0: } sl@0: else sl@0: ctx=ctx_in; sl@0: sl@0: if ((r=BN_new()) == NULL) goto err; sl@0: sl@0: /* Get random k */ sl@0: do sl@0: if (!BN_rand_range(&k, dsa->q)) goto err; sl@0: while (BN_is_zero(&k)); sl@0: if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) sl@0: { sl@0: BN_set_flags(&k, BN_FLG_CONSTTIME); sl@0: } sl@0: sl@0: if (dsa->flags & DSA_FLAG_CACHE_MONT_P) sl@0: { sl@0: if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, sl@0: CRYPTO_LOCK_DSA, sl@0: dsa->p, ctx)) sl@0: goto err; sl@0: } sl@0: sl@0: /* Compute r = (g^k mod p) mod q */ sl@0: sl@0: if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) sl@0: { sl@0: if (!BN_copy(&kq, &k)) goto err; sl@0: sl@0: /* We do not want timing information to leak the length of k, sl@0: * so we compute g^k using an equivalent exponent of fixed length. sl@0: * sl@0: * (This is a kludge that we need because the BN_mod_exp_mont() sl@0: * does not let us specify the desired timing behaviour.) */ sl@0: sl@0: if (!BN_add(&kq, &kq, dsa->q)) goto err; sl@0: if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) sl@0: { sl@0: if (!BN_add(&kq, &kq, dsa->q)) goto err; sl@0: } sl@0: sl@0: K = &kq; sl@0: } sl@0: else sl@0: { sl@0: K = &k; sl@0: } sl@0: DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, sl@0: dsa->method_mont_p); sl@0: if (!BN_mod(r,r,dsa->q,ctx)) goto err; sl@0: sl@0: /* Compute part of 's = inv(k) (m + xr) mod q' */ sl@0: if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; sl@0: sl@0: if (*kinvp != NULL) BN_clear_free(*kinvp); sl@0: *kinvp=kinv; sl@0: kinv=NULL; sl@0: if (*rp != NULL) BN_clear_free(*rp); sl@0: *rp=r; sl@0: ret=1; sl@0: err: sl@0: if (!ret) sl@0: { sl@0: DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB); sl@0: if (kinv != NULL) BN_clear_free(kinv); sl@0: if (r != NULL) BN_clear_free(r); sl@0: } sl@0: if (ctx_in == NULL) BN_CTX_free(ctx); sl@0: if (kinv != NULL) BN_clear_free(kinv); sl@0: BN_clear_free(&k); sl@0: BN_clear_free(&kq); sl@0: return(ret); sl@0: } sl@0: sl@0: static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, sl@0: DSA *dsa) sl@0: { sl@0: BN_CTX *ctx; sl@0: BIGNUM u1,u2,t1; sl@0: BN_MONT_CTX *mont=NULL; sl@0: int ret = -1; sl@0: if (!dsa->p || !dsa->q || !dsa->g) sl@0: { sl@0: DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS); sl@0: return -1; sl@0: } sl@0: sl@0: if (BN_num_bits(dsa->q) != 160) sl@0: { sl@0: DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE); sl@0: return -1; sl@0: } sl@0: sl@0: if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) sl@0: { sl@0: DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); sl@0: return -1; sl@0: } sl@0: sl@0: BN_init(&u1); sl@0: BN_init(&u2); sl@0: BN_init(&t1); sl@0: sl@0: if ((ctx=BN_CTX_new()) == NULL) goto err; sl@0: sl@0: if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || sl@0: BN_ucmp(sig->r, dsa->q) >= 0) sl@0: { sl@0: ret = 0; sl@0: goto err; sl@0: } sl@0: if (BN_is_zero(sig->s) || BN_is_negative(sig->s) || sl@0: BN_ucmp(sig->s, dsa->q) >= 0) sl@0: { sl@0: ret = 0; sl@0: goto err; sl@0: } sl@0: sl@0: /* Calculate W = inv(S) mod Q sl@0: * save W in u2 */ sl@0: if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err; sl@0: sl@0: /* save M in u1 */ sl@0: if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err; sl@0: sl@0: /* u1 = M * w mod q */ sl@0: if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err; sl@0: sl@0: /* u2 = r * w mod q */ sl@0: if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err; sl@0: sl@0: sl@0: if (dsa->flags & DSA_FLAG_CACHE_MONT_P) sl@0: { sl@0: mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p, sl@0: CRYPTO_LOCK_DSA, dsa->p, ctx); sl@0: if (!mont) sl@0: goto err; sl@0: } sl@0: sl@0: sl@0: DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont); sl@0: /* BN_copy(&u1,&t1); */ sl@0: /* let u1 = u1 mod q */ sl@0: if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err; sl@0: sl@0: /* V is now in u1. If the signature is correct, it will be sl@0: * equal to R. */ sl@0: ret=(BN_ucmp(&u1, sig->r) == 0); sl@0: sl@0: err: sl@0: /* XXX: surely this is wrong - if ret is 0, it just didn't verify; sl@0: there is no error in BN. Test should be ret == -1 (Ben) */ sl@0: if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB); sl@0: if (ctx != NULL) BN_CTX_free(ctx); sl@0: BN_free(&u1); sl@0: BN_free(&u2); sl@0: BN_free(&t1); sl@0: return(ret); sl@0: } sl@0: sl@0: static int dsa_init(DSA *dsa) sl@0: { sl@0: dsa->flags|=DSA_FLAG_CACHE_MONT_P; sl@0: return(1); sl@0: } sl@0: sl@0: static int dsa_finish(DSA *dsa) sl@0: { sl@0: if(dsa->method_mont_p) sl@0: BN_MONT_CTX_free(dsa->method_mont_p); sl@0: return(1); sl@0: } sl@0: