[thirdparty/openssl.git] / crypto / dsa / dsa_ossl.c

/* crypto/dsa/dsa_ossl.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <openssl/dsa.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
			 DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);

static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
dsa_do_sign,
dsa_sign_setup,
dsa_do_verify,
NULL, /* dsa_mod_exp, */
NULL, /* dsa_bn_mod_exp, */
dsa_init,
dsa_finish,
0,
NULL,
NULL,
NULL
};

/*-
 * These macro wrappers replace attempts to use the dsa_mod_exp() and
 * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
 * having a the macro work as an expression by bundling an "err_instr". So;
 * 
 *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
 *                 dsa->method_mont_p)) goto err;
 *
 * can be replaced by;
 *
 *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
 *                 dsa->method_mont_p);
 */

#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
	do { \
	int _tmp_res53; \
	if((dsa)->meth->dsa_mod_exp) \
		_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
				(a2), (p2), (m), (ctx), (in_mont)); \
	else \
		_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
				(m), (ctx), (in_mont)); \
	if(!_tmp_res53) err_instr; \
	} while(0)
#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
	do { \
	int _tmp_res53; \
	if((dsa)->meth->bn_mod_exp) \
		_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
				(m), (ctx), (m_ctx)); \
	else \
		_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
	if(!_tmp_res53) err_instr; \
	} while(0)

const DSA_METHOD *DSA_OpenSSL(void)
{
	return &openssl_dsa_meth;
}

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
	{
	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
	BIGNUM m;
	BIGNUM xr;
	BN_CTX *ctx=NULL;
	int reason=ERR_R_BN_LIB;
	DSA_SIG *ret=NULL;
	int noredo = 0;

	BN_init(&m);
	BN_init(&xr);

	if (!dsa->p || !dsa->q || !dsa->g)
		{
		reason=DSA_R_MISSING_PARAMETERS;
		goto err;
		}

	s=BN_new();
	if (s == NULL) goto err;
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;
redo:
	if ((dsa->kinv == NULL) || (dsa->r == NULL))
		{
		if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
		}
	else
		{
		kinv=dsa->kinv;
		dsa->kinv=NULL;
		r=dsa->r;
		dsa->r=NULL;
		noredo = 1;
		}

	
	if (dlen > BN_num_bytes(dsa->q))
		/* if the digest length is greater than the size of q use the
		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
		 * fips 186-3, 4.2 */
		dlen = BN_num_bytes(dsa->q);
	if (BN_bin2bn(dgst,dlen,&m) == NULL)
		goto err;

	/* Compute  s = inv(k) (m + xr) mod q */
	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
	if (BN_cmp(s,dsa->q) > 0)
		if (!BN_sub(s,s,dsa->q)) goto err;
	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;

	ret=DSA_SIG_new();
	if (ret == NULL) goto err;
	/* Redo if r or s is zero as required by FIPS 186-3: this is
	 * very unlikely.
	 */
	if (BN_is_zero(r) || BN_is_zero(s))
		{
		if (noredo)
			{
			reason = DSA_R_NEED_NEW_SETUP_VALUES;
			goto err;
			}
		goto redo;
		}
	ret->r = r;
	ret->s = s;
	
err:
	if (!ret)
		{
		DSAerr(DSA_F_DSA_DO_SIGN,reason);
		BN_free(r);
		BN_free(s);
		}
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&m);
	BN_clear_free(&xr);
	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	    BN_clear_free(kinv);
	return(ret);
	}

static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
	{
	BN_CTX *ctx;
	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
	int ret=0;

	if (!dsa->p || !dsa->q || !dsa->g)
		{
		DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
		return 0;
		}

	BN_init(&k);
	BN_init(&kq);

	if (ctx_in == NULL)
		{
		if ((ctx=BN_CTX_new()) == NULL) goto err;
		}
	else
		ctx=ctx_in;

	if ((r=BN_new()) == NULL) goto err;

	/* Get random k */
	do
		if (!BN_rand_range(&k, dsa->q)) goto err;
	while (BN_is_zero(&k));
	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		BN_set_flags(&k, BN_FLG_CONSTTIME);
		}

	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
		{
		if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
						CRYPTO_LOCK_DSA,
						dsa->p, ctx))
			goto err;
		}

	/* Compute r = (g^k mod p) mod q */

	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		if (!BN_copy(&kq, &k)) goto err;

		/* We do not want timing information to leak the length of k,
		 * so we compute g^k using an equivalent exponent of fixed length.
		 *
		 * (This is a kludge that we need because the BN_mod_exp_mont()
		 * does not let us specify the desired timing behaviour.) */

		if (!BN_add(&kq, &kq, dsa->q)) goto err;
		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
			{
			if (!BN_add(&kq, &kq, dsa->q)) goto err;
			}

		K = &kq;
		}
	else
		{
		K = &k;
		}
	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
			dsa->method_mont_p);
	if (!BN_mod(r,r,dsa->q,ctx)) goto err;

	/* Compute  part of 's = inv(k) (m + xr) mod q' */
	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;

	if (*kinvp != NULL) BN_clear_free(*kinvp);
	*kinvp=kinv;
	kinv=NULL;
	if (*rp != NULL) BN_clear_free(*rp);
	*rp=r;
	ret=1;
err:
	if (!ret)
		{
		DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
		if (r != NULL)
			BN_clear_free(r);
		}
	if (ctx_in == NULL) BN_CTX_free(ctx);
	BN_clear_free(&k);
	BN_clear_free(&kq);
	return(ret);
	}

static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
			 DSA *dsa)
	{
	BN_CTX *ctx;
	BIGNUM u1,u2,t1;
	BN_MONT_CTX *mont=NULL;
	int ret = -1, i;
	if (!dsa->p || !dsa->q || !dsa->g)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
		return -1;
		}

	i = BN_num_bits(dsa->q);
	/* fips 186-3 allows only different sizes for q */
	if (i != 160 && i != 224 && i != 256)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
		return -1;
		}

	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
		return -1;
		}
	BN_init(&u1);
	BN_init(&u2);
	BN_init(&t1);

	if ((ctx=BN_CTX_new()) == NULL) goto err;

	if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
	    BN_ucmp(sig->r, dsa->q) >= 0)
		{
		ret = 0;
		goto err;
		}
	if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
	    BN_ucmp(sig->s, dsa->q) >= 0)
		{
		ret = 0;
		goto err;
		}

	/* Calculate W = inv(S) mod Q
	 * save W in u2 */
	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;

	/* save M in u1 */
	if (dgst_len > (i >> 3))
		/* if the digest length is greater than the size of q use the
		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
		 * fips 186-3, 4.2 */
		dgst_len = (i >> 3);
	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;

	/* u1 = M * w mod q */
	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;

	/* u2 = r * w mod q */
	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;


	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
		{
		mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
					CRYPTO_LOCK_DSA, dsa->p, ctx);
		if (!mont)
			goto err;
		}


	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
	/* BN_copy(&u1,&t1); */
	/* let u1 = u1 mod q */
	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;

	/* V is now in u1.  If the signature is correct, it will be
	 * equal to R. */
	ret=(BN_ucmp(&u1, sig->r) == 0);

	err:
	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
	   there is no error in BN. Test should be ret == -1 (Ben) */
	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_free(&u1);
	BN_free(&u2);
	BN_free(&t1);
	return(ret);
	}

static int dsa_init(DSA *dsa)
{
	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
	return(1);
}

static int dsa_finish(DSA *dsa)
{
	if(dsa->method_mont_p)
		BN_MONT_CTX_free(dsa->method_mont_p);
	return(1);
}
Commit	Line	Data
c0711f7f DSH	1	/* crypto/dsa/dsa_ossl.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
	60
	61	#include <stdio.h>
	62	#include "cryptlib.h"
	63	#include <openssl/bn.h>
357d5de5	64	#include <openssl/sha.h>
c0711f7f DSH	65	#include <openssl/dsa.h>
	66	#include <openssl/rand.h>
	67	#include <openssl/asn1.h>
	68
	69	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa);
ce1b4fe1	70	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp);
c0711f7f	71	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
84948b39	72	DSA *dsa);
c0711f7f DSH	73	static int dsa_init(DSA *dsa);
c0711f7f DSH	74	static int dsa_finish(DSA *dsa);
c0711f7f DSH	75
	76	static DSA_METHOD openssl_dsa_meth = {
	77	"OpenSSL DSA method",
	78	dsa_do_sign,
	79	dsa_sign_setup,
	80	dsa_do_verify,
879650b8 GT	81	NULL, /* dsa_mod_exp, */
879650b8 GT	82	NULL, /* dsa_bn_mod_exp, */
c0711f7f DSH	83	dsa_init,
	84	dsa_finish,
	85	0,
0e4aa0d2 GT	86	NULL,
0e4aa0d2 GT	87	NULL,
c0711f7f DSH	88	NULL
	89	};
	90
3e9a08ec TH	91	/*-
3e9a08ec TH	92	* These macro wrappers replace attempts to use the dsa_mod_exp() and
879650b8 GT	93	* bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
	94	* having a the macro work as an expression by bundling an "err_instr". So;
	95	*
	96	* if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
	97	* dsa->method_mont_p)) goto err;
	98	*
	99	* can be replaced by;
	100	*
	101	* DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
	102	* dsa->method_mont_p);
	103	*/
	104
	105	#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
	106	do { \
	107	int _tmp_res53; \
	108	if((dsa)->meth->dsa_mod_exp) \
	109	_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
	110	(a2), (p2), (m), (ctx), (in_mont)); \
	111	else \
	112	_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
	113	(m), (ctx), (in_mont)); \
	114	if(!_tmp_res53) err_instr; \
	115	} while(0)
	116	#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
	117	do { \
	118	int _tmp_res53; \
	119	if((dsa)->meth->bn_mod_exp) \
	120	_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
	121	(m), (ctx), (m_ctx)); \
	122	else \
	123	_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
	124	if(!_tmp_res53) err_instr; \
	125	} while(0)
	126
a4aba800	127	const DSA_METHOD *DSA_OpenSSL(void)
c0711f7f DSH	128	{
	129	return &openssl_dsa_meth;
	130	}
	131
	132	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa)
	133	{
	134	BIGNUM kinv=NULL,r=NULL,*s=NULL;
	135	BIGNUM m;
	136	BIGNUM xr;
	137	BN_CTX *ctx=NULL;
b900a6b4	138	int reason=ERR_R_BN_LIB;
c0711f7f	139	DSA_SIG *ret=NULL;
c31945e6	140	int noredo = 0;
c0711f7f	141
a74333f9 LJ	142	BN_init(&m);
	143	BN_init(&xr);
	144
c962479b DSH	145	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	146	{
	147	reason=DSA_R_MISSING_PARAMETERS;
	148	goto err;
	149	}
a74333f9	150
c0711f7f DSH	151	s=BN_new();
c0711f7f DSH	152	if (s == NULL) goto err;
c0711f7f DSH	153	ctx=BN_CTX_new();
c0711f7f DSH	154	if (ctx == NULL) goto err;
c31945e6	155	redo:
c0711f7f DSH	156	if ((dsa->kinv == NULL) \|\| (dsa->r == NULL))
	157	{
	158	if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
	159	}
	160	else
	161	{
	162	kinv=dsa->kinv;
	163	dsa->kinv=NULL;
	164	r=dsa->r;
	165	dsa->r=NULL;
c31945e6	166	noredo = 1;
c0711f7f DSH	167	}
c0711f7f DSH	168
b900a6b4 NL	169
b900a6b4 NL	170	if (dlen > BN_num_bytes(dsa->q))
357d5de5 NL	171	/* if the digest length is greater than the size of q use the
	172	* BN_num_bits(dsa->q) leftmost bits of the digest, see
	173	* fips 186-3, 4.2 */
b900a6b4 NL	174	dlen = BN_num_bytes(dsa->q);
	175	if (BN_bin2bn(dgst,dlen,&m) == NULL)
	176	goto err;
c0711f7f DSH	177
	178	/* Compute s = inv(k) (m + xr) mod q */
	179	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	180	if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */
	181	if (BN_cmp(s,dsa->q) > 0)
7770da4b	182	if (!BN_sub(s,s,dsa->q)) goto err;
c0711f7f DSH	183	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
	184
	185	ret=DSA_SIG_new();
	186	if (ret == NULL) goto err;
c31945e6 DSH	187	/* Redo if r or s is zero as required by FIPS 186-3: this is
	188	* very unlikely.
	189	*/
	190	if (BN_is_zero(r) \|\| BN_is_zero(s))
	191	{
	192	if (noredo)
	193	{
	194	reason = DSA_R_NEED_NEW_SETUP_VALUES;
	195	goto err;
	196	}
	197	goto redo;
	198	}
c0711f7f DSH	199	ret->r = r;
	200	ret->s = s;
	201
	202	err:
	203	if (!ret)
	204	{
	205	DSAerr(DSA_F_DSA_DO_SIGN,reason);
	206	BN_free(r);
	207	BN_free(s);
	208	}
	209	if (ctx != NULL) BN_CTX_free(ctx);
	210	BN_clear_free(&m);
	211	BN_clear_free(&xr);
	212	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	213	BN_clear_free(kinv);
	214	return(ret);
	215	}
	216
ce1b4fe1	217	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
c0711f7f DSH	218	{
c0711f7f DSH	219	BN_CTX *ctx;
0ebfcc8f	220	BIGNUM k,kq,K,kinv=NULL,*r=NULL;
c0711f7f DSH	221	int ret=0;
c0711f7f DSH	222
c962479b DSH	223	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	224	{
	225	DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
	226	return 0;
	227	}
a74333f9 LJ	228
a74333f9 LJ	229	BN_init(&k);
0ebfcc8f	230	BN_init(&kq);
a74333f9	231
c0711f7f DSH	232	if (ctx_in == NULL)
	233	{
	234	if ((ctx=BN_CTX_new()) == NULL) goto err;
	235	}
	236	else
	237	ctx=ctx_in;
	238
c0711f7f	239	if ((r=BN_new()) == NULL) goto err;
c0711f7f DSH	240
c0711f7f DSH	241	/* Get random k */
35ed8cb8	242	do
e3068929	243	if (!BN_rand_range(&k, dsa->q)) goto err;
35ed8cb8	244	while (BN_is_zero(&k));
46a64376 BM	245	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
46a64376 BM	246	{
bd31fb21	247	BN_set_flags(&k, BN_FLG_CONSTTIME);
46a64376	248	}
c0711f7f	249
6ec8e63a	250	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
c0711f7f	251	{
879b1980	252	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
6ec8e63a DSH	253	CRYPTO_LOCK_DSA,
	254	dsa->p, ctx))
	255	goto err;
c0711f7f DSH	256	}
	257
	258	/* Compute r = (g^k mod p) mod q */
0ebfcc8f BM	259
	260	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
	261	{
	262	if (!BN_copy(&kq, &k)) goto err;
	263
	264	/* We do not want timing information to leak the length of k,
	265	* so we compute g^k using an equivalent exponent of fixed length.
	266	*
	267	* (This is a kludge that we need because the BN_mod_exp_mont()
	268	* does not let us specify the desired timing behaviour.) */
	269
	270	if (!BN_add(&kq, &kq, dsa->q)) goto err;
	271	if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
	272	{
	273	if (!BN_add(&kq, &kq, dsa->q)) goto err;
	274	}
	275
	276	K = &kq;
	277	}
	278	else
	279	{
	280	K = &k;
	281	}
	282	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
879b1980	283	dsa->method_mont_p);
c0711f7f DSH	284	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
	285
	286	/* Compute part of 's = inv(k) (m + xr) mod q' */
	287	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
	288
	289	if (kinvp != NULL) BN_clear_free(kinvp);
	290	*kinvp=kinv;
	291	kinv=NULL;
	292	if (rp != NULL) BN_clear_free(rp);
	293	*rp=r;
	294	ret=1;
	295	err:
	296	if (!ret)
	297	{
	298	DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
67b6f1ca NL	299	if (r != NULL)
67b6f1ca NL	300	BN_clear_free(r);
c0711f7f DSH	301	}
c0711f7f DSH	302	if (ctx_in == NULL) BN_CTX_free(ctx);
c0711f7f	303	BN_clear_free(&k);
0ebfcc8f	304	BN_clear_free(&kq);
c0711f7f DSH	305	return(ret);
	306	}
	307
	308	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
84948b39	309	DSA *dsa)
c0711f7f DSH	310	{
	311	BN_CTX *ctx;
	312	BIGNUM u1,u2,t1;
	313	BN_MONT_CTX *mont=NULL;
b900a6b4	314	int ret = -1, i;
c962479b DSH	315	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	316	{
	317	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
	318	return -1;
	319	}
c0711f7f	320
357d5de5 NL	321	i = BN_num_bits(dsa->q);
	322	/* fips 186-3 allows only different sizes for q */
	323	if (i != 160 && i != 224 && i != 256)
5e3225cc BM	324	{
	325	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
	326	return -1;
	327	}
	328
	329	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
	330	{
	331	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
	332	return -1;
	333	}
c0711f7f DSH	334	BN_init(&u1);
	335	BN_init(&u2);
	336	BN_init(&t1);
	337
a74333f9 LJ	338	if ((ctx=BN_CTX_new()) == NULL) goto err;
a74333f9 LJ	339
ff22e913	340	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
b53e44e5	341	BN_ucmp(sig->r, dsa->q) >= 0)
c458a331 BM	342	{
	343	ret = 0;
	344	goto err;
	345	}
ff22e913	346	if (BN_is_zero(sig->s) \|\| BN_is_negative(sig->s) \|\|
b53e44e5	347	BN_ucmp(sig->s, dsa->q) >= 0)
c458a331 BM	348	{
	349	ret = 0;
	350	goto err;
	351	}
	352
c0711f7f DSH	353	/* Calculate W = inv(S) mod Q
	354	* save W in u2 */
	355	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
	356
	357	/* save M in u1 */
b900a6b4	358	if (dgst_len > (i >> 3))
357d5de5 NL	359	/* if the digest length is greater than the size of q use the
	360	* BN_num_bits(dsa->q) leftmost bits of the digest, see
	361	* fips 186-3, 4.2 */
b900a6b4 NL	362	dgst_len = (i >> 3);
b900a6b4 NL	363	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
c0711f7f DSH	364
	365	/* u1 = M * w mod q */
	366	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
	367
	368	/* u2 = r * w mod q */
	369	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
	370
6ec8e63a DSH	371
6ec8e63a DSH	372	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
c0711f7f	373	{
879b1980	374	mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
6ec8e63a DSH	375	CRYPTO_LOCK_DSA, dsa->p, ctx);
	376	if (!mont)
	377	goto err;
c0711f7f	378	}
c0711f7f	379
879650b8 GT	380
879650b8 GT	381	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
c0711f7f DSH	382	/* BN_copy(&u1,&t1); */
	383	/* let u1 = u1 mod q */
	384	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
879650b8	385
c0711f7f DSH	386	/* V is now in u1. If the signature is correct, it will be
	387	* equal to R. */
	388	ret=(BN_ucmp(&u1, sig->r) == 0);
	389
	390	err:
b0ac0a8e	391	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
e9ad6665	392	there is no error in BN. Test should be ret == -1 (Ben) */
c0711f7f DSH	393	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	394	if (ctx != NULL) BN_CTX_free(ctx);
	395	BN_free(&u1);
	396	BN_free(&u2);
	397	BN_free(&t1);
	398	return(ret);
	399	}
	400
	401	static int dsa_init(DSA *dsa)
	402	{
13066cee	403	dsa->flags\|=DSA_FLAG_CACHE_MONT_P;
c0711f7f DSH	404	return(1);
	405	}
	406
	407	static int dsa_finish(DSA *dsa)
	408	{
13066cee	409	if(dsa->method_mont_p)
879b1980	410	BN_MONT_CTX_free(dsa->method_mont_p);
c0711f7f DSH	411	return(1);
	412	}
	413