[thirdparty/openssl.git] / crypto / dsa / dsa_ossl.c

/* crypto/dsa/dsa_ossl.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */

#define OPENSSL_FIPSAPI

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <openssl/dsa.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
			 DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);

static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
dsa_do_sign,
dsa_sign_setup,
dsa_do_verify,
NULL, /* dsa_mod_exp, */
NULL, /* dsa_bn_mod_exp, */
dsa_init,
dsa_finish,
DSA_FLAG_FIPS_METHOD,
NULL,
NULL,
NULL
};

/* These macro wrappers replace attempts to use the dsa_mod_exp() and
 * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
 * having a the macro work as an expression by bundling an "err_instr". So;
 * 
 *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
 *                 dsa->method_mont_p)) goto err;
 *
 * can be replaced by;
 *
 *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
 *                 dsa->method_mont_p);
 */

#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
	do { \
	int _tmp_res53; \
	if((dsa)->meth->dsa_mod_exp) \
		_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
				(a2), (p2), (m), (ctx), (in_mont)); \
	else \
		_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
				(m), (ctx), (in_mont)); \
	if(!_tmp_res53) err_instr; \
	} while(0)
#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
	do { \
	int _tmp_res53; \
	if((dsa)->meth->bn_mod_exp) \
		_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
				(m), (ctx), (m_ctx)); \
	else \
		_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
	if(!_tmp_res53) err_instr; \
	} while(0)

const DSA_METHOD *DSA_OpenSSL(void)
{
	return &openssl_dsa_meth;
}

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
	{
	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
	BIGNUM m;
	BIGNUM xr;
	BN_CTX *ctx=NULL;
	int reason=ERR_R_BN_LIB;
	DSA_SIG *ret=NULL;
	int noredo = 0;

#ifdef OPENSSL_FIPS
	if(FIPS_selftest_failed())
	    {
	    FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
	    return NULL;
	    }

	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
		{
		DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
		return NULL;
		}
	if (!fips_check_dsa_prng(dsa, 0, 0))
		goto err;
#endif

	BN_init(&m);
	BN_init(&xr);

	if (!dsa->p || !dsa->q || !dsa->g)
		{
		reason=DSA_R_MISSING_PARAMETERS;
		goto err;
		}

	s=BN_new();
	if (s == NULL) goto err;
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;
redo:
	if ((dsa->kinv == NULL) || (dsa->r == NULL))
		{
		if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r)) goto err;
		}
	else
		{
		kinv=dsa->kinv;
		dsa->kinv=NULL;
		r=dsa->r;
		dsa->r=NULL;
		noredo = 1;
		}

	
	if (dlen > BN_num_bytes(dsa->q))
		/* if the digest length is greater than the size of q use the
		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
		 * fips 186-3, 4.2 */
		dlen = BN_num_bytes(dsa->q);
	if (BN_bin2bn(dgst,dlen,&m) == NULL)
		goto err;

	/* Compute  s = inv(k) (m + xr) mod q */
	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
	if (BN_cmp(s,dsa->q) > 0)
		if (!BN_sub(s,s,dsa->q)) goto err;
	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;

	ret=DSA_SIG_new();
	if (ret == NULL) goto err;
	/* Redo if r or s is zero as required by FIPS 186-3: this is
	 * very unlikely.
	 */
	if (BN_is_zero(r) || BN_is_zero(s))
		{
		if (noredo)
			{
			reason = DSA_R_NEED_NEW_SETUP_VALUES;
			goto err;
			}
		goto redo;
		}
	ret->r = r;
	ret->s = s;
	
err:
	if (!ret)
		{
		DSAerr(DSA_F_DSA_DO_SIGN,reason);
		BN_free(r);
		BN_free(s);
		}
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&m);
	BN_clear_free(&xr);
	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	    BN_clear_free(kinv);
	return(ret);
	}

static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
	{
	BN_CTX *ctx;
	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
	int ret=0;

	if (!dsa->p || !dsa->q || !dsa->g)
		{
		DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
		return 0;
		}

	BN_init(&k);
	BN_init(&kq);

	if (ctx_in == NULL)
		{
		if ((ctx=BN_CTX_new()) == NULL) goto err;
		}
	else
		ctx=ctx_in;

	if ((r=BN_new()) == NULL) goto err;

	/* Get random k */
	do
		if (!BN_rand_range(&k, dsa->q)) goto err;
	while (BN_is_zero(&k));
	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		BN_set_flags(&k, BN_FLG_CONSTTIME);
		}

	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
		{
		if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
						CRYPTO_LOCK_DSA,
						dsa->p, ctx))
			goto err;
		}

	/* Compute r = (g^k mod p) mod q */

	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		if (!BN_copy(&kq, &k)) goto err;

		/* We do not want timing information to leak the length of k,
		 * so we compute g^k using an equivalent exponent of fixed length.
		 *
		 * (This is a kludge that we need because the BN_mod_exp_mont()
		 * does not let us specify the desired timing behaviour.) */

		if (!BN_add(&kq, &kq, dsa->q)) goto err;
		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
			{
			if (!BN_add(&kq, &kq, dsa->q)) goto err;
			}

		K = &kq;
		}
	else
		{
		K = &k;
		}
	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
			dsa->method_mont_p);
	if (!BN_mod(r,r,dsa->q,ctx)) goto err;

	/* Compute  part of 's = inv(k) (m + xr) mod q' */
	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;

	if (*kinvp != NULL) BN_clear_free(*kinvp);
	*kinvp=kinv;
	kinv=NULL;
	if (*rp != NULL) BN_clear_free(*rp);
	*rp=r;
	ret=1;
err:
	if (!ret)
		{
		DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
		if (r != NULL)
			BN_clear_free(r);
		}
	if (ctx_in == NULL) BN_CTX_free(ctx);
	BN_clear_free(&k);
	BN_clear_free(&kq);
	return(ret);
	}

static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
			 DSA *dsa)
	{
	BN_CTX *ctx;
	BIGNUM u1,u2,t1;
	BN_MONT_CTX *mont=NULL;
	int ret = -1, i;
	if (!dsa->p || !dsa->q || !dsa->g)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
		return -1;
		}

	i = BN_num_bits(dsa->q);
	/* fips 186-3 allows only different sizes for q */
	if (i != 160 && i != 224 && i != 256)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
		return -1;
		}

#ifdef OPENSSL_FIPS
	if(FIPS_selftest_failed())
	    {
	    FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
	    return -1;
	    }

	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
		{
		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
		return -1;
		}
#endif

	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
		return -1;
		}
	BN_init(&u1);
	BN_init(&u2);
	BN_init(&t1);

	if ((ctx=BN_CTX_new()) == NULL) goto err;

	if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
	    BN_ucmp(sig->r, dsa->q) >= 0)
		{
		ret = 0;
		goto err;
		}
	if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
	    BN_ucmp(sig->s, dsa->q) >= 0)
		{
		ret = 0;
		goto err;
		}

	/* Calculate W = inv(S) mod Q
	 * save W in u2 */
	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;

	/* save M in u1 */
	if (dgst_len > (i >> 3))
		/* if the digest length is greater than the size of q use the
		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
		 * fips 186-3, 4.2 */
		dgst_len = (i >> 3);
	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;

	/* u1 = M * w mod q */
	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;

	/* u2 = r * w mod q */
	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;


	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
		{
		mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
					CRYPTO_LOCK_DSA, dsa->p, ctx);
		if (!mont)
			goto err;
		}


	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
	/* BN_copy(&u1,&t1); */
	/* let u1 = u1 mod q */
	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;

	/* V is now in u1.  If the signature is correct, it will be
	 * equal to R. */
	ret=(BN_ucmp(&u1, sig->r) == 0);

	err:
	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
	   there is no error in BN. Test should be ret == -1 (Ben) */
	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_free(&u1);
	BN_free(&u2);
	BN_free(&t1);
	return(ret);
	}

static int dsa_init(DSA *dsa)
{
	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
	return(1);
}

static int dsa_finish(DSA *dsa)
{
	if(dsa->method_mont_p)
		BN_MONT_CTX_free(dsa->method_mont_p);
	return(1);
}
Commit	Line	Data
c0711f7f DSH	1	/* crypto/dsa/dsa_ossl.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
	60
14ae26f2 DSH	61	#define OPENSSL_FIPSAPI
14ae26f2 DSH	62
c0711f7f DSH	63	#include <stdio.h>
	64	#include "cryptlib.h"
	65	#include <openssl/bn.h>
357d5de5	66	#include <openssl/sha.h>
c0711f7f DSH	67	#include <openssl/dsa.h>
	68	#include <openssl/rand.h>
	69	#include <openssl/asn1.h>
20818e00 DSH	70	#ifdef OPENSSL_FIPS
	71	#include <openssl/fips.h>
	72	#endif
c0711f7f DSH	73
c0711f7f DSH	74	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa);
ce1b4fe1	75	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp);
c0711f7f	76	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
84948b39	77	DSA *dsa);
c0711f7f DSH	78	static int dsa_init(DSA *dsa);
c0711f7f DSH	79	static int dsa_finish(DSA *dsa);
c0711f7f DSH	80
	81	static DSA_METHOD openssl_dsa_meth = {
	82	"OpenSSL DSA method",
	83	dsa_do_sign,
	84	dsa_sign_setup,
	85	dsa_do_verify,
879650b8 GT	86	NULL, /* dsa_mod_exp, */
879650b8 GT	87	NULL, /* dsa_bn_mod_exp, */
c0711f7f DSH	88	dsa_init,
c0711f7f DSH	89	dsa_finish,
20818e00	90	DSA_FLAG_FIPS_METHOD,
0e4aa0d2 GT	91	NULL,
0e4aa0d2 GT	92	NULL,
c0711f7f DSH	93	NULL
	94	};
	95
879650b8 GT	96	/* These macro wrappers replace attempts to use the dsa_mod_exp() and
	97	* bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
	98	* having a the macro work as an expression by bundling an "err_instr". So;
	99	*
	100	* if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
	101	* dsa->method_mont_p)) goto err;
	102	*
	103	* can be replaced by;
	104	*
	105	* DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
	106	* dsa->method_mont_p);
	107	*/
	108
	109	#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
	110	do { \
	111	int _tmp_res53; \
	112	if((dsa)->meth->dsa_mod_exp) \
	113	_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
	114	(a2), (p2), (m), (ctx), (in_mont)); \
	115	else \
	116	_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
	117	(m), (ctx), (in_mont)); \
	118	if(!_tmp_res53) err_instr; \
	119	} while(0)
	120	#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
	121	do { \
	122	int _tmp_res53; \
	123	if((dsa)->meth->bn_mod_exp) \
	124	_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
	125	(m), (ctx), (m_ctx)); \
	126	else \
	127	_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
	128	if(!_tmp_res53) err_instr; \
	129	} while(0)
	130
a4aba800	131	const DSA_METHOD *DSA_OpenSSL(void)
c0711f7f DSH	132	{
	133	return &openssl_dsa_meth;
	134	}
	135
	136	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa)
	137	{
	138	BIGNUM kinv=NULL,r=NULL,*s=NULL;
	139	BIGNUM m;
	140	BIGNUM xr;
	141	BN_CTX *ctx=NULL;
b900a6b4	142	int reason=ERR_R_BN_LIB;
c0711f7f	143	DSA_SIG *ret=NULL;
245a7eee	144	int noredo = 0;
c0711f7f	145
20818e00 DSH	146	#ifdef OPENSSL_FIPS
	147	if(FIPS_selftest_failed())
	148	{
	149	FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
	150	return NULL;
	151	}
	152
c2fd5989	153	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
cac4fb58	154	&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
20818e00 DSH	155	{
	156	DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
	157	return NULL;
	158	}
cac4fb58 DSH	159	if (!fips_check_dsa_prng(dsa, 0, 0))
cac4fb58 DSH	160	goto err;
20818e00 DSH	161	#endif
20818e00 DSH	162
a74333f9 LJ	163	BN_init(&m);
	164	BN_init(&xr);
	165
c962479b DSH	166	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	167	{
	168	reason=DSA_R_MISSING_PARAMETERS;
	169	goto err;
	170	}
a74333f9	171
c0711f7f DSH	172	s=BN_new();
c0711f7f DSH	173	if (s == NULL) goto err;
c0711f7f DSH	174	ctx=BN_CTX_new();
c0711f7f DSH	175	if (ctx == NULL) goto err;
245a7eee	176	redo:
c0711f7f DSH	177	if ((dsa->kinv == NULL) \|\| (dsa->r == NULL))
c0711f7f DSH	178	{
e990b4f8	179	if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r)) goto err;
c0711f7f DSH	180	}
	181	else
	182	{
	183	kinv=dsa->kinv;
	184	dsa->kinv=NULL;
	185	r=dsa->r;
	186	dsa->r=NULL;
245a7eee	187	noredo = 1;
c0711f7f DSH	188	}
c0711f7f DSH	189
b900a6b4 NL	190
b900a6b4 NL	191	if (dlen > BN_num_bytes(dsa->q))
357d5de5 NL	192	/* if the digest length is greater than the size of q use the
	193	* BN_num_bits(dsa->q) leftmost bits of the digest, see
	194	* fips 186-3, 4.2 */
b900a6b4 NL	195	dlen = BN_num_bytes(dsa->q);
	196	if (BN_bin2bn(dgst,dlen,&m) == NULL)
	197	goto err;
c0711f7f DSH	198
	199	/* Compute s = inv(k) (m + xr) mod q */
	200	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	201	if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */
	202	if (BN_cmp(s,dsa->q) > 0)
776654ad	203	if (!BN_sub(s,s,dsa->q)) goto err;
c0711f7f	204	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
71fa4513	205
c0711f7f DSH	206	ret=DSA_SIG_new();
c0711f7f DSH	207	if (ret == NULL) goto err;
245a7eee DSH	208	/* Redo if r or s is zero as required by FIPS 186-3: this is
	209	* very unlikely.
	210	*/
	211	if (BN_is_zero(r) \|\| BN_is_zero(s))
	212	{
	213	if (noredo)
	214	{
	215	reason = DSA_R_NEED_NEW_SETUP_VALUES;
	216	goto err;
	217	}
	218	goto redo;
	219	}
c0711f7f DSH	220	ret->r = r;
	221	ret->s = s;
	222
	223	err:
	224	if (!ret)
	225	{
	226	DSAerr(DSA_F_DSA_DO_SIGN,reason);
	227	BN_free(r);
	228	BN_free(s);
	229	}
	230	if (ctx != NULL) BN_CTX_free(ctx);
	231	BN_clear_free(&m);
	232	BN_clear_free(&xr);
	233	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	234	BN_clear_free(kinv);
	235	return(ret);
	236	}
	237
ce1b4fe1	238	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
c0711f7f DSH	239	{
c0711f7f DSH	240	BN_CTX *ctx;
0ebfcc8f	241	BIGNUM k,kq,K,kinv=NULL,*r=NULL;
c0711f7f DSH	242	int ret=0;
c0711f7f DSH	243
c962479b DSH	244	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	245	{
	246	DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
	247	return 0;
	248	}
a74333f9 LJ	249
a74333f9 LJ	250	BN_init(&k);
0ebfcc8f	251	BN_init(&kq);
a74333f9	252
c0711f7f DSH	253	if (ctx_in == NULL)
	254	{
	255	if ((ctx=BN_CTX_new()) == NULL) goto err;
	256	}
	257	else
	258	ctx=ctx_in;
	259
c0711f7f	260	if ((r=BN_new()) == NULL) goto err;
c0711f7f DSH	261
c0711f7f DSH	262	/* Get random k */
35ed8cb8	263	do
e3068929	264	if (!BN_rand_range(&k, dsa->q)) goto err;
35ed8cb8	265	while (BN_is_zero(&k));
46a64376 BM	266	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
46a64376 BM	267	{
bd31fb21	268	BN_set_flags(&k, BN_FLG_CONSTTIME);
46a64376	269	}
c0711f7f	270
6ec8e63a	271	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
c0711f7f	272	{
879b1980	273	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
6ec8e63a DSH	274	CRYPTO_LOCK_DSA,
	275	dsa->p, ctx))
	276	goto err;
c0711f7f DSH	277	}
	278
	279	/* Compute r = (g^k mod p) mod q */
0ebfcc8f BM	280
	281	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
	282	{
	283	if (!BN_copy(&kq, &k)) goto err;
	284
	285	/* We do not want timing information to leak the length of k,
	286	* so we compute g^k using an equivalent exponent of fixed length.
	287	*
	288	* (This is a kludge that we need because the BN_mod_exp_mont()
	289	* does not let us specify the desired timing behaviour.) */
	290
	291	if (!BN_add(&kq, &kq, dsa->q)) goto err;
	292	if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
	293	{
	294	if (!BN_add(&kq, &kq, dsa->q)) goto err;
	295	}
	296
	297	K = &kq;
	298	}
	299	else
	300	{
	301	K = &k;
	302	}
	303	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
879b1980	304	dsa->method_mont_p);
c0711f7f DSH	305	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
	306
	307	/* Compute part of 's = inv(k) (m + xr) mod q' */
	308	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
	309
	310	if (kinvp != NULL) BN_clear_free(kinvp);
	311	*kinvp=kinv;
	312	kinv=NULL;
	313	if (rp != NULL) BN_clear_free(rp);
	314	*rp=r;
	315	ret=1;
	316	err:
	317	if (!ret)
	318	{
	319	DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
67b6f1ca NL	320	if (r != NULL)
67b6f1ca NL	321	BN_clear_free(r);
c0711f7f DSH	322	}
c0711f7f DSH	323	if (ctx_in == NULL) BN_CTX_free(ctx);
c0711f7f	324	BN_clear_free(&k);
0ebfcc8f	325	BN_clear_free(&kq);
c0711f7f DSH	326	return(ret);
	327	}
	328
	329	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
84948b39	330	DSA *dsa)
c0711f7f DSH	331	{
	332	BN_CTX *ctx;
	333	BIGNUM u1,u2,t1;
	334	BN_MONT_CTX *mont=NULL;
b900a6b4	335	int ret = -1, i;
c962479b DSH	336	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	337	{
	338	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
	339	return -1;
	340	}
c0711f7f	341
357d5de5 NL	342	i = BN_num_bits(dsa->q);
	343	/* fips 186-3 allows only different sizes for q */
	344	if (i != 160 && i != 224 && i != 256)
5e3225cc BM	345	{
	346	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
	347	return -1;
	348	}
	349
20818e00 DSH	350	#ifdef OPENSSL_FIPS
	351	if(FIPS_selftest_failed())
	352	{
	353	FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
	354	return -1;
	355	}
	356
c2fd5989	357	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
69a80f7d	358	&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
20818e00 DSH	359	{
	360	DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
	361	return -1;
	362	}
	363	#endif
	364
5e3225cc BM	365	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
	366	{
	367	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
	368	return -1;
	369	}
c0711f7f DSH	370	BN_init(&u1);
	371	BN_init(&u2);
	372	BN_init(&t1);
	373
a74333f9 LJ	374	if ((ctx=BN_CTX_new()) == NULL) goto err;
a74333f9 LJ	375
ff22e913	376	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
b53e44e5	377	BN_ucmp(sig->r, dsa->q) >= 0)
c458a331 BM	378	{
	379	ret = 0;
	380	goto err;
	381	}
ff22e913	382	if (BN_is_zero(sig->s) \|\| BN_is_negative(sig->s) \|\|
b53e44e5	383	BN_ucmp(sig->s, dsa->q) >= 0)
c458a331 BM	384	{
	385	ret = 0;
	386	goto err;
	387	}
	388
c0711f7f DSH	389	/* Calculate W = inv(S) mod Q
	390	* save W in u2 */
	391	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
	392
	393	/* save M in u1 */
b900a6b4	394	if (dgst_len > (i >> 3))
357d5de5 NL	395	/* if the digest length is greater than the size of q use the
	396	* BN_num_bits(dsa->q) leftmost bits of the digest, see
	397	* fips 186-3, 4.2 */
b900a6b4 NL	398	dgst_len = (i >> 3);
b900a6b4 NL	399	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
c0711f7f DSH	400
	401	/* u1 = M * w mod q */
	402	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
	403
	404	/* u2 = r * w mod q */
	405	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
	406
6ec8e63a DSH	407
6ec8e63a DSH	408	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
c0711f7f	409	{
879b1980	410	mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
6ec8e63a DSH	411	CRYPTO_LOCK_DSA, dsa->p, ctx);
	412	if (!mont)
	413	goto err;
c0711f7f	414	}
c0711f7f	415
879650b8 GT	416
879650b8 GT	417	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
c0711f7f DSH	418	/* BN_copy(&u1,&t1); */
	419	/* let u1 = u1 mod q */
	420	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
879650b8	421
c0711f7f DSH	422	/* V is now in u1. If the signature is correct, it will be
	423	* equal to R. */
	424	ret=(BN_ucmp(&u1, sig->r) == 0);
	425
	426	err:
b0ac0a8e	427	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
e9ad6665	428	there is no error in BN. Test should be ret == -1 (Ben) */
c0711f7f DSH	429	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	430	if (ctx != NULL) BN_CTX_free(ctx);
	431	BN_free(&u1);
	432	BN_free(&u2);
	433	BN_free(&t1);
	434	return(ret);
	435	}
	436
	437	static int dsa_init(DSA *dsa)
	438	{
13066cee	439	dsa->flags\|=DSA_FLAG_CACHE_MONT_P;
c0711f7f DSH	440	return(1);
	441	}
	442
	443	static int dsa_finish(DSA *dsa)
	444	{
13066cee	445	if(dsa->method_mont_p)
879b1980	446	BN_MONT_CTX_free(dsa->method_mont_p);
c0711f7f DSH	447	return(1);
	448	}
	449