[thirdparty/openssl.git] / crypto / dsa / dsa_ossl.c

/* crypto/dsa/dsa_ossl.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */

#define OPENSSL_FIPSAPI

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <openssl/dsa.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
			  BIGNUM **kinvp, BIGNUM **rp,
			  const unsigned char *dgst, int dlen);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
			 DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);

static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
dsa_do_sign,
dsa_sign_setup,
dsa_do_verify,
NULL, /* dsa_mod_exp, */
NULL, /* dsa_bn_mod_exp, */
dsa_init,
dsa_finish,
DSA_FLAG_FIPS_METHOD,
NULL,
NULL,
NULL
};

/* These macro wrappers replace attempts to use the dsa_mod_exp() and
 * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
 * having a the macro work as an expression by bundling an "err_instr". So;
 * 
 *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
 *                 dsa->method_mont_p)) goto err;
 *
 * can be replaced by;
 *
 *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
 *                 dsa->method_mont_p);
 */

#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
	do { \
	int _tmp_res53; \
	if((dsa)->meth->dsa_mod_exp) \
		_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
				(a2), (p2), (m), (ctx), (in_mont)); \
	else \
		_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
				(m), (ctx), (in_mont)); \
	if(!_tmp_res53) err_instr; \
	} while(0)
#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
	do { \
	int _tmp_res53; \
	if((dsa)->meth->bn_mod_exp) \
		_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
				(m), (ctx), (m_ctx)); \
	else \
		_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
	if(!_tmp_res53) err_instr; \
	} while(0)

const DSA_METHOD *DSA_OpenSSL(void)
{
	return &openssl_dsa_meth;
}

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
	{
	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
	BIGNUM m;
	BIGNUM xr;
	BN_CTX *ctx=NULL;
	int reason=ERR_R_BN_LIB;
	DSA_SIG *ret=NULL;
	int noredo = 0;

#ifdef OPENSSL_FIPS
	if(FIPS_selftest_failed())
	    {
	    FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
	    return NULL;
	    }

	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
		{
		DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
		return NULL;
		}
	if (!fips_check_dsa_prng(dsa, 0, 0))
		goto err;
#endif

	BN_init(&m);
	BN_init(&xr);

	if (!dsa->p || !dsa->q || !dsa->g)
		{
		reason=DSA_R_MISSING_PARAMETERS;
		goto err;
		}

	s=BN_new();
	if (s == NULL) goto err;
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;
redo:
	if ((dsa->kinv == NULL) || (dsa->r == NULL))
		{
		if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
			goto err;
		}
	else
		{
		kinv=dsa->kinv;
		dsa->kinv=NULL;
		r=dsa->r;
		dsa->r=NULL;
		noredo = 1;
		}

	
	if (dlen > BN_num_bytes(dsa->q))
		/* if the digest length is greater than the size of q use the
		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
		 * fips 186-3, 4.2 */
		dlen = BN_num_bytes(dsa->q);
	if (BN_bin2bn(dgst,dlen,&m) == NULL)
		goto err;

	/* Compute  s = inv(k) (m + xr) mod q */
	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
	if (BN_cmp(s,dsa->q) > 0)
		if (!BN_sub(s,s,dsa->q)) goto err;
	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;

	ret=DSA_SIG_new();
	if (ret == NULL) goto err;
	/* Redo if r or s is zero as required by FIPS 186-3: this is
	 * very unlikely.
	 */
	if (BN_is_zero(r) || BN_is_zero(s))
		{
		if (noredo)
			{
			reason = DSA_R_NEED_NEW_SETUP_VALUES;
			goto err;
			}
		goto redo;
		}
	ret->r = r;
	ret->s = s;
	
err:
	if (!ret)
		{
		DSAerr(DSA_F_DSA_DO_SIGN,reason);
		BN_free(r);
		BN_free(s);
		}
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&m);
	BN_clear_free(&xr);
	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	    BN_clear_free(kinv);
	return(ret);
	}

static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
			  BIGNUM **kinvp, BIGNUM **rp,
			  const unsigned char *dgst, int dlen)
	{
	BN_CTX *ctx;
	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
	int ret=0;

	if (!dsa->p || !dsa->q || !dsa->g)
		{
		DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
		return 0;
		}

	BN_init(&k);
	BN_init(&kq);

	if (ctx_in == NULL)
		{
		if ((ctx=BN_CTX_new()) == NULL) goto err;
		}
	else
		ctx=ctx_in;

	if ((r=BN_new()) == NULL) goto err;

	/* Get random k */
	do
		{
#ifndef OPENSSL_NO_SHA512
		if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
			{
			/* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from
			 * SHA512(private_key + H(message) + random). This protects the
			 * private key from a weak PRNG. */
			if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
						   dlen, ctx))
				goto err;
			}
		else
#endif
			if (!BN_rand_range(&k, dsa->q)) goto err;
		} while (BN_is_zero(&k));

	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		BN_set_flags(&k, BN_FLG_CONSTTIME);
		}

	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
		{
		if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
						CRYPTO_LOCK_DSA,
						dsa->p, ctx))
			goto err;
		}

	/* Compute r = (g^k mod p) mod q */

	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		if (!BN_copy(&kq, &k)) goto err;

		/* We do not want timing information to leak the length of k,
		 * so we compute g^k using an equivalent exponent of fixed length.
		 *
		 * (This is a kludge that we need because the BN_mod_exp_mont()
		 * does not let us specify the desired timing behaviour.) */

		if (!BN_add(&kq, &kq, dsa->q)) goto err;
		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
			{
			if (!BN_add(&kq, &kq, dsa->q)) goto err;
			}

		K = &kq;
		}
	else
		{
		K = &k;
		}
	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
			dsa->method_mont_p);
	if (!BN_mod(r,r,dsa->q,ctx)) goto err;

	/* Compute  part of 's = inv(k) (m + xr) mod q' */
	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;

	if (*kinvp != NULL) BN_clear_free(*kinvp);
	*kinvp=kinv;
	kinv=NULL;
	if (*rp != NULL) BN_clear_free(*rp);
	*rp=r;
	ret=1;
err:
	if (!ret)
		{
		DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
		if (r != NULL)
			BN_clear_free(r);
		}
	if (ctx_in == NULL) BN_CTX_free(ctx);
	BN_clear_free(&k);
	BN_clear_free(&kq);
	return(ret);
	}

static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
			 DSA *dsa)
	{
	BN_CTX *ctx;
	BIGNUM u1,u2,t1;
	BN_MONT_CTX *mont=NULL;
	int ret = -1, i;
	if (!dsa->p || !dsa->q || !dsa->g)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
		return -1;
		}

	i = BN_num_bits(dsa->q);
	/* fips 186-3 allows only different sizes for q */
	if (i != 160 && i != 224 && i != 256)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
		return -1;
		}

#ifdef OPENSSL_FIPS
	if(FIPS_selftest_failed())
	    {
	    FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
	    return -1;
	    }

	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) 
		&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
		{
		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
		return -1;
		}
#endif

	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
		{
		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
		return -1;
		}
	BN_init(&u1);
	BN_init(&u2);
	BN_init(&t1);

	if ((ctx=BN_CTX_new()) == NULL) goto err;

	if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
	    BN_ucmp(sig->r, dsa->q) >= 0)
		{
		ret = 0;
		goto err;
		}
	if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
	    BN_ucmp(sig->s, dsa->q) >= 0)
		{
		ret = 0;
		goto err;
		}

	/* Calculate W = inv(S) mod Q
	 * save W in u2 */
	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;

	/* save M in u1 */
	if (dgst_len > (i >> 3))
		/* if the digest length is greater than the size of q use the
		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
		 * fips 186-3, 4.2 */
		dgst_len = (i >> 3);
	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;

	/* u1 = M * w mod q */
	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;

	/* u2 = r * w mod q */
	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;


	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
		{
		mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
					CRYPTO_LOCK_DSA, dsa->p, ctx);
		if (!mont)
			goto err;
		}


	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
	/* BN_copy(&u1,&t1); */
	/* let u1 = u1 mod q */
	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;

	/* V is now in u1.  If the signature is correct, it will be
	 * equal to R. */
	ret=(BN_ucmp(&u1, sig->r) == 0);

	err:
	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
	   there is no error in BN. Test should be ret == -1 (Ben) */
	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_free(&u1);
	BN_free(&u2);
	BN_free(&t1);
	return(ret);
	}

static int dsa_init(DSA *dsa)
{
	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
	return(1);
}

static int dsa_finish(DSA *dsa)
{
	if(dsa->method_mont_p)
		BN_MONT_CTX_free(dsa->method_mont_p);
	return(1);
}
Commit	Line	Data
c0711f7f DSH	1	/* crypto/dsa/dsa_ossl.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
	60
14ae26f2 DSH	61	#define OPENSSL_FIPSAPI
14ae26f2 DSH	62
c0711f7f DSH	63	#include <stdio.h>
	64	#include "cryptlib.h"
	65	#include <openssl/bn.h>
357d5de5	66	#include <openssl/sha.h>
c0711f7f DSH	67	#include <openssl/dsa.h>
	68	#include <openssl/rand.h>
	69	#include <openssl/asn1.h>
20818e00 DSH	70	#ifdef OPENSSL_FIPS
	71	#include <openssl/fips.h>
	72	#endif
c0711f7f DSH	73
c0711f7f DSH	74	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa);
8a99cb29 AL	75	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
	76	BIGNUM kinvp, BIGNUM rp,
	77	const unsigned char *dgst, int dlen);
c0711f7f	78	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
84948b39	79	DSA *dsa);
c0711f7f DSH	80	static int dsa_init(DSA *dsa);
c0711f7f DSH	81	static int dsa_finish(DSA *dsa);
c0711f7f DSH	82
	83	static DSA_METHOD openssl_dsa_meth = {
	84	"OpenSSL DSA method",
	85	dsa_do_sign,
	86	dsa_sign_setup,
	87	dsa_do_verify,
879650b8 GT	88	NULL, /* dsa_mod_exp, */
879650b8 GT	89	NULL, /* dsa_bn_mod_exp, */
c0711f7f DSH	90	dsa_init,
c0711f7f DSH	91	dsa_finish,
20818e00	92	DSA_FLAG_FIPS_METHOD,
0e4aa0d2 GT	93	NULL,
0e4aa0d2 GT	94	NULL,
c0711f7f DSH	95	NULL
	96	};
	97
879650b8 GT	98	/* These macro wrappers replace attempts to use the dsa_mod_exp() and
	99	* bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
	100	* having a the macro work as an expression by bundling an "err_instr". So;
	101	*
	102	* if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
	103	* dsa->method_mont_p)) goto err;
	104	*
	105	* can be replaced by;
	106	*
	107	* DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
	108	* dsa->method_mont_p);
	109	*/
	110
	111	#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
	112	do { \
	113	int _tmp_res53; \
	114	if((dsa)->meth->dsa_mod_exp) \
	115	_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
	116	(a2), (p2), (m), (ctx), (in_mont)); \
	117	else \
	118	_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
	119	(m), (ctx), (in_mont)); \
	120	if(!_tmp_res53) err_instr; \
	121	} while(0)
	122	#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
	123	do { \
	124	int _tmp_res53; \
	125	if((dsa)->meth->bn_mod_exp) \
	126	_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
	127	(m), (ctx), (m_ctx)); \
	128	else \
	129	_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
	130	if(!_tmp_res53) err_instr; \
	131	} while(0)
	132
a4aba800	133	const DSA_METHOD *DSA_OpenSSL(void)
c0711f7f DSH	134	{
	135	return &openssl_dsa_meth;
	136	}
	137
	138	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa)
	139	{
	140	BIGNUM kinv=NULL,r=NULL,*s=NULL;
	141	BIGNUM m;
	142	BIGNUM xr;
	143	BN_CTX *ctx=NULL;
b900a6b4	144	int reason=ERR_R_BN_LIB;
c0711f7f	145	DSA_SIG *ret=NULL;
245a7eee	146	int noredo = 0;
c0711f7f	147
20818e00 DSH	148	#ifdef OPENSSL_FIPS
	149	if(FIPS_selftest_failed())
	150	{
	151	FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
	152	return NULL;
	153	}
	154
c2fd5989	155	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
cac4fb58	156	&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
20818e00 DSH	157	{
	158	DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
	159	return NULL;
	160	}
cac4fb58 DSH	161	if (!fips_check_dsa_prng(dsa, 0, 0))
cac4fb58 DSH	162	goto err;
20818e00 DSH	163	#endif
20818e00 DSH	164
a74333f9 LJ	165	BN_init(&m);
	166	BN_init(&xr);
	167
c962479b DSH	168	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	169	{
	170	reason=DSA_R_MISSING_PARAMETERS;
	171	goto err;
	172	}
a74333f9	173
c0711f7f DSH	174	s=BN_new();
c0711f7f DSH	175	if (s == NULL) goto err;
c0711f7f DSH	176	ctx=BN_CTX_new();
c0711f7f DSH	177	if (ctx == NULL) goto err;
245a7eee	178	redo:
c0711f7f DSH	179	if ((dsa->kinv == NULL) \|\| (dsa->r == NULL))
c0711f7f DSH	180	{
8a99cb29 AL	181	if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
8a99cb29 AL	182	goto err;
c0711f7f DSH	183	}
	184	else
	185	{
	186	kinv=dsa->kinv;
	187	dsa->kinv=NULL;
	188	r=dsa->r;
	189	dsa->r=NULL;
245a7eee	190	noredo = 1;
c0711f7f DSH	191	}
c0711f7f DSH	192
b900a6b4 NL	193
b900a6b4 NL	194	if (dlen > BN_num_bytes(dsa->q))
357d5de5 NL	195	/* if the digest length is greater than the size of q use the
	196	* BN_num_bits(dsa->q) leftmost bits of the digest, see
	197	* fips 186-3, 4.2 */
b900a6b4 NL	198	dlen = BN_num_bytes(dsa->q);
	199	if (BN_bin2bn(dgst,dlen,&m) == NULL)
	200	goto err;
c0711f7f DSH	201
	202	/* Compute s = inv(k) (m + xr) mod q */
	203	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	204	if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */
	205	if (BN_cmp(s,dsa->q) > 0)
776654ad	206	if (!BN_sub(s,s,dsa->q)) goto err;
c0711f7f	207	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
71fa4513	208
c0711f7f DSH	209	ret=DSA_SIG_new();
c0711f7f DSH	210	if (ret == NULL) goto err;
245a7eee DSH	211	/* Redo if r or s is zero as required by FIPS 186-3: this is
	212	* very unlikely.
	213	*/
	214	if (BN_is_zero(r) \|\| BN_is_zero(s))
	215	{
	216	if (noredo)
	217	{
	218	reason = DSA_R_NEED_NEW_SETUP_VALUES;
	219	goto err;
	220	}
	221	goto redo;
	222	}
c0711f7f DSH	223	ret->r = r;
	224	ret->s = s;
	225
	226	err:
	227	if (!ret)
	228	{
	229	DSAerr(DSA_F_DSA_DO_SIGN,reason);
	230	BN_free(r);
	231	BN_free(s);
	232	}
	233	if (ctx != NULL) BN_CTX_free(ctx);
	234	BN_clear_free(&m);
	235	BN_clear_free(&xr);
	236	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	237	BN_clear_free(kinv);
	238	return(ret);
	239	}
	240
8a99cb29 AL	241	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
	242	BIGNUM kinvp, BIGNUM rp,
	243	const unsigned char *dgst, int dlen)
c0711f7f DSH	244	{
c0711f7f DSH	245	BN_CTX *ctx;
0ebfcc8f	246	BIGNUM k,kq,K,kinv=NULL,*r=NULL;
c0711f7f DSH	247	int ret=0;
c0711f7f DSH	248
c962479b DSH	249	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	250	{
	251	DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
	252	return 0;
	253	}
a74333f9 LJ	254
a74333f9 LJ	255	BN_init(&k);
0ebfcc8f	256	BN_init(&kq);
a74333f9	257
c0711f7f DSH	258	if (ctx_in == NULL)
	259	{
	260	if ((ctx=BN_CTX_new()) == NULL) goto err;
	261	}
	262	else
	263	ctx=ctx_in;
	264
c0711f7f	265	if ((r=BN_new()) == NULL) goto err;
c0711f7f DSH	266
c0711f7f DSH	267	/* Get random k */
35ed8cb8	268	do
8a99cb29 AL	269	{
	270	#ifndef OPENSSL_NO_SHA512
	271	if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
	272	{
	273	/* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from
	274	* SHA512(private_key + H(message) + random). This protects the
	275	* private key from a weak PRNG. */
	276	if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
	277	dlen, ctx))
	278	goto err;
	279	}
	280	else
	281	#endif
	282	if (!BN_rand_range(&k, dsa->q)) goto err;
	283	} while (BN_is_zero(&k));
	284
46a64376 BM	285	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
46a64376 BM	286	{
bd31fb21	287	BN_set_flags(&k, BN_FLG_CONSTTIME);
46a64376	288	}
c0711f7f	289
6ec8e63a	290	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
c0711f7f	291	{
879b1980	292	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
6ec8e63a DSH	293	CRYPTO_LOCK_DSA,
	294	dsa->p, ctx))
	295	goto err;
c0711f7f DSH	296	}
	297
	298	/* Compute r = (g^k mod p) mod q */
0ebfcc8f BM	299
	300	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
	301	{
	302	if (!BN_copy(&kq, &k)) goto err;
	303
	304	/* We do not want timing information to leak the length of k,
	305	* so we compute g^k using an equivalent exponent of fixed length.
	306	*
	307	* (This is a kludge that we need because the BN_mod_exp_mont()
	308	* does not let us specify the desired timing behaviour.) */
	309
	310	if (!BN_add(&kq, &kq, dsa->q)) goto err;
	311	if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
	312	{
	313	if (!BN_add(&kq, &kq, dsa->q)) goto err;
	314	}
	315
	316	K = &kq;
	317	}
	318	else
	319	{
	320	K = &k;
	321	}
	322	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
879b1980	323	dsa->method_mont_p);
c0711f7f DSH	324	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
	325
	326	/* Compute part of 's = inv(k) (m + xr) mod q' */
	327	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
	328
	329	if (kinvp != NULL) BN_clear_free(kinvp);
	330	*kinvp=kinv;
	331	kinv=NULL;
	332	if (rp != NULL) BN_clear_free(rp);
	333	*rp=r;
	334	ret=1;
	335	err:
	336	if (!ret)
	337	{
	338	DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
67b6f1ca NL	339	if (r != NULL)
67b6f1ca NL	340	BN_clear_free(r);
c0711f7f DSH	341	}
c0711f7f DSH	342	if (ctx_in == NULL) BN_CTX_free(ctx);
c0711f7f	343	BN_clear_free(&k);
0ebfcc8f	344	BN_clear_free(&kq);
c0711f7f DSH	345	return(ret);
	346	}
	347
	348	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
84948b39	349	DSA *dsa)
c0711f7f DSH	350	{
	351	BN_CTX *ctx;
	352	BIGNUM u1,u2,t1;
	353	BN_MONT_CTX *mont=NULL;
b900a6b4	354	int ret = -1, i;
c962479b DSH	355	if (!dsa->p \|\| !dsa->q \|\| !dsa->g)
	356	{
	357	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
	358	return -1;
	359	}
c0711f7f	360
357d5de5 NL	361	i = BN_num_bits(dsa->q);
	362	/* fips 186-3 allows only different sizes for q */
	363	if (i != 160 && i != 224 && i != 256)
5e3225cc BM	364	{
	365	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
	366	return -1;
	367	}
	368
20818e00 DSH	369	#ifdef OPENSSL_FIPS
	370	if(FIPS_selftest_failed())
	371	{
	372	FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
	373	return -1;
	374	}
	375
c2fd5989	376	if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
69a80f7d	377	&& (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
20818e00 DSH	378	{
	379	DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
	380	return -1;
	381	}
	382	#endif
	383
5e3225cc BM	384	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
	385	{
	386	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
	387	return -1;
	388	}
c0711f7f DSH	389	BN_init(&u1);
	390	BN_init(&u2);
	391	BN_init(&t1);
	392
a74333f9 LJ	393	if ((ctx=BN_CTX_new()) == NULL) goto err;
a74333f9 LJ	394
ff22e913	395	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
b53e44e5	396	BN_ucmp(sig->r, dsa->q) >= 0)
c458a331 BM	397	{
	398	ret = 0;
	399	goto err;
	400	}
ff22e913	401	if (BN_is_zero(sig->s) \|\| BN_is_negative(sig->s) \|\|
b53e44e5	402	BN_ucmp(sig->s, dsa->q) >= 0)
c458a331 BM	403	{
	404	ret = 0;
	405	goto err;
	406	}
	407
c0711f7f DSH	408	/* Calculate W = inv(S) mod Q
	409	* save W in u2 */
	410	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
	411
	412	/* save M in u1 */
b900a6b4	413	if (dgst_len > (i >> 3))
357d5de5 NL	414	/* if the digest length is greater than the size of q use the
	415	* BN_num_bits(dsa->q) leftmost bits of the digest, see
	416	* fips 186-3, 4.2 */
b900a6b4 NL	417	dgst_len = (i >> 3);
b900a6b4 NL	418	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
c0711f7f DSH	419
	420	/* u1 = M * w mod q */
	421	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
	422
	423	/* u2 = r * w mod q */
	424	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
	425
6ec8e63a DSH	426
6ec8e63a DSH	427	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
c0711f7f	428	{
879b1980	429	mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
6ec8e63a DSH	430	CRYPTO_LOCK_DSA, dsa->p, ctx);
	431	if (!mont)
	432	goto err;
c0711f7f	433	}
c0711f7f	434
879650b8 GT	435
879650b8 GT	436	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
c0711f7f DSH	437	/* BN_copy(&u1,&t1); */
	438	/* let u1 = u1 mod q */
	439	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
879650b8	440
c0711f7f DSH	441	/* V is now in u1. If the signature is correct, it will be
	442	* equal to R. */
	443	ret=(BN_ucmp(&u1, sig->r) == 0);
	444
	445	err:
b0ac0a8e	446	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
e9ad6665	447	there is no error in BN. Test should be ret == -1 (Ben) */
c0711f7f DSH	448	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	449	if (ctx != NULL) BN_CTX_free(ctx);
	450	BN_free(&u1);
	451	BN_free(&u2);
	452	BN_free(&t1);
	453	return(ret);
	454	}
	455
	456	static int dsa_init(DSA *dsa)
	457	{
13066cee	458	dsa->flags\|=DSA_FLAG_CACHE_MONT_P;
c0711f7f DSH	459	return(1);
	460	}
	461
	462	static int dsa_finish(DSA *dsa)
	463	{
13066cee	464	if(dsa->method_mont_p)
879b1980	465	BN_MONT_CTX_free(dsa->method_mont_p);
c0711f7f DSH	466	return(1);
	467	}
	468