]>
Commit | Line | Data |
---|---|---|
a04549cc DSH |
1 | /********************************************************************** |
2 | * gost_sign.c * | |
3 | * Copyright (c) 2005-2006 Cryptocom LTD * | |
4 | * This file is distributed under the same license as OpenSSL * | |
5 | * * | |
8711efb4 | 6 | * Implementation of GOST R 34.10-94 signature algorithm * |
a04549cc DSH |
7 | * for OpenSSL * |
8 | * Requires OpenSSL 0.9.9 for compilation * | |
9 | **********************************************************************/ | |
10 | #include <string.h> | |
11 | #include <openssl/rand.h> | |
12 | #include <openssl/bn.h> | |
13 | #include <openssl/dsa.h> | |
f50ffd10 | 14 | #include <openssl/err.h> |
a04549cc | 15 | #include <openssl/evp.h> |
8817e2e0 | 16 | #include <openssl/err.h> |
a04549cc | 17 | |
926c41bd DSH |
18 | #include "gost_params.h" |
19 | #include "gost_lcl.h" | |
a04549cc DSH |
20 | #include "e_gost_err.h" |
21 | ||
926c41bd | 22 | #ifdef DEBUG_SIGN |
0f113f3e MC |
23 | void dump_signature(const char *message, const unsigned char *buffer, |
24 | size_t len) | |
25 | { | |
26 | size_t i; | |
27 | fprintf(stderr, "signature %s Length=%d", message, len); | |
28 | for (i = 0; i < len; i++) { | |
29 | if (i % 16 == 0) | |
30 | fputc('\n', stderr); | |
31 | fprintf(stderr, " %02x", buffer[i]); | |
32 | } | |
33 | fprintf(stderr, "\nEnd of signature\n"); | |
34 | } | |
a04549cc | 35 | |
926c41bd | 36 | void dump_dsa_sig(const char *message, DSA_SIG *sig) |
0f113f3e MC |
37 | { |
38 | fprintf(stderr, "%s\nR=", message); | |
39 | BN_print_fp(stderr, sig->r); | |
40 | fprintf(stderr, "\nS="); | |
41 | BN_print_fp(stderr, sig->s); | |
42 | fprintf(stderr, "\n"); | |
43 | } | |
a04549cc DSH |
44 | |
45 | #else | |
46 | ||
0f113f3e MC |
47 | # define dump_signature(a,b,c) |
48 | # define dump_dsa_sig(a,b) | |
a04549cc DSH |
49 | #endif |
50 | ||
51 | /* | |
52 | * Computes signature and returns it as DSA_SIG structure | |
53 | */ | |
0f113f3e MC |
54 | DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) |
55 | { | |
56 | BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; | |
68249414 | 57 | DSA_SIG *newsig = NULL, *ret = NULL; |
0f113f3e MC |
58 | BIGNUM *md = hashsum2bn(dgst); |
59 | /* check if H(M) mod q is zero */ | |
60 | BN_CTX *ctx = BN_CTX_new(); | |
61986d32 | 61 | if (!ctx) { |
8817e2e0 MC |
62 | GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); |
63 | goto err; | |
64 | } | |
0f113f3e | 65 | BN_CTX_start(ctx); |
8817e2e0 | 66 | newsig = DSA_SIG_new(); |
0f113f3e MC |
67 | if (!newsig) { |
68 | GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); | |
69 | goto err; | |
70 | } | |
71 | tmp = BN_CTX_get(ctx); | |
72 | k = BN_CTX_get(ctx); | |
73 | tmp2 = BN_CTX_get(ctx); | |
61986d32 | 74 | if (!tmp || !k || !tmp2) { |
8817e2e0 MC |
75 | GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); |
76 | goto err; | |
77 | } | |
0f113f3e MC |
78 | BN_mod(tmp, md, dsa->q, ctx); |
79 | if (BN_is_zero(tmp)) { | |
80 | BN_one(md); | |
81 | } | |
82 | do { | |
83 | do { | |
84 | /* | |
85 | * Generate random number k less than q | |
86 | */ | |
87 | BN_rand_range(k, dsa->q); | |
88 | /* generate r = (a^x mod p) mod q */ | |
89 | BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx); | |
8817e2e0 | 90 | if (!(newsig->r)) { |
0f113f3e | 91 | newsig->r = BN_new(); |
61986d32 | 92 | if (!newsig->r) { |
8817e2e0 MC |
93 | GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); |
94 | goto err; | |
95 | } | |
96 | } | |
0f113f3e MC |
97 | BN_mod(newsig->r, tmp, dsa->q, ctx); |
98 | } | |
99 | while (BN_is_zero(newsig->r)); | |
100 | /* generate s = (xr + k(Hm)) mod q */ | |
101 | BN_mod_mul(tmp, dsa->priv_key, newsig->r, dsa->q, ctx); | |
102 | BN_mod_mul(tmp2, k, md, dsa->q, ctx); | |
8817e2e0 | 103 | if (!newsig->s) { |
0f113f3e | 104 | newsig->s = BN_new(); |
61986d32 | 105 | if (!newsig->s) { |
8817e2e0 MC |
106 | GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); |
107 | goto err; | |
108 | } | |
109 | } | |
0f113f3e MC |
110 | BN_mod_add(newsig->s, tmp, tmp2, dsa->q, ctx); |
111 | } | |
112 | while (BN_is_zero(newsig->s)); | |
8817e2e0 MC |
113 | |
114 | ret = newsig; | |
0f113f3e MC |
115 | err: |
116 | BN_free(md); | |
61986d32 | 117 | if (ctx) { |
8817e2e0 MC |
118 | BN_CTX_end(ctx); |
119 | BN_CTX_free(ctx); | |
120 | } | |
61986d32 | 121 | if (!ret && newsig) { |
8817e2e0 MC |
122 | DSA_SIG_free(newsig); |
123 | } | |
124 | return ret; | |
0f113f3e | 125 | } |
a04549cc DSH |
126 | |
127 | /* | |
128 | * Packs signature according to Cryptocom rules | |
129 | * and frees up DSA_SIG structure | |
130 | */ | |
1d97c843 | 131 | /*- |
926c41bd | 132 | int pack_sign_cc(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen) |
0f113f3e MC |
133 | { |
134 | *siglen = 2*order; | |
135 | memset(sig,0,*siglen); | |
136 | store_bignum(s->r, sig,order); | |
137 | store_bignum(s->s, sig + order,order); | |
138 | dump_signature("serialized",sig,*siglen); | |
139 | DSA_SIG_free(s); | |
140 | return 1; | |
141 | } | |
10f0c85c | 142 | */ |
a04549cc DSH |
143 | /* |
144 | * Packs signature according to Cryptopro rules | |
145 | * and frees up DSA_SIG structure | |
146 | */ | |
0f113f3e MC |
147 | int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen) |
148 | { | |
149 | *siglen = 2 * order; | |
150 | memset(sig, 0, *siglen); | |
151 | store_bignum(s->s, sig, order); | |
152 | store_bignum(s->r, sig + order, order); | |
153 | dump_signature("serialized", sig, *siglen); | |
154 | DSA_SIG_free(s); | |
155 | return 1; | |
156 | } | |
a04549cc DSH |
157 | |
158 | /* | |
159 | * Verifies signature passed as DSA_SIG structure | |
160 | * | |
926c41bd | 161 | */ |
a04549cc DSH |
162 | |
163 | int gost_do_verify(const unsigned char *dgst, int dgst_len, | |
0f113f3e MC |
164 | DSA_SIG *sig, DSA *dsa) |
165 | { | |
8817e2e0 | 166 | BIGNUM *md = NULL, *tmp = NULL; |
0f113f3e MC |
167 | BIGNUM *q2 = NULL; |
168 | BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL; | |
169 | BIGNUM *tmp2 = NULL, *tmp3 = NULL; | |
06affe3d | 170 | int ok = 0; |
0f113f3e | 171 | BN_CTX *ctx = BN_CTX_new(); |
61986d32 | 172 | if (!ctx) { |
8817e2e0 MC |
173 | GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); |
174 | goto err; | |
175 | } | |
0f113f3e MC |
176 | |
177 | BN_CTX_start(ctx); | |
178 | if (BN_cmp(sig->s, dsa->q) >= 1 || BN_cmp(sig->r, dsa->q) >= 1) { | |
179 | GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q); | |
8817e2e0 | 180 | goto err; |
0f113f3e MC |
181 | } |
182 | md = hashsum2bn(dgst); | |
183 | ||
184 | tmp = BN_CTX_get(ctx); | |
185 | v = BN_CTX_get(ctx); | |
186 | q2 = BN_CTX_get(ctx); | |
187 | z1 = BN_CTX_get(ctx); | |
188 | z2 = BN_CTX_get(ctx); | |
189 | tmp2 = BN_CTX_get(ctx); | |
190 | tmp3 = BN_CTX_get(ctx); | |
191 | u = BN_CTX_get(ctx); | |
61986d32 | 192 | if (!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) { |
8817e2e0 MC |
193 | GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); |
194 | goto err; | |
195 | } | |
a04549cc | 196 | |
0f113f3e MC |
197 | BN_mod(tmp, md, dsa->q, ctx); |
198 | if (BN_is_zero(tmp)) { | |
199 | BN_one(md); | |
200 | } | |
201 | BN_copy(q2, dsa->q); | |
202 | BN_sub_word(q2, 2); | |
203 | BN_mod_exp(v, md, q2, dsa->q, ctx); | |
204 | BN_mod_mul(z1, sig->s, v, dsa->q, ctx); | |
205 | BN_sub(tmp, dsa->q, sig->r); | |
206 | BN_mod_mul(z2, tmp, v, dsa->p, ctx); | |
207 | BN_mod_exp(tmp, dsa->g, z1, dsa->p, ctx); | |
208 | BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx); | |
209 | BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx); | |
210 | BN_mod(u, tmp3, dsa->q, ctx); | |
06affe3d | 211 | ok = (BN_cmp(u, sig->r) == 0); |
0f113f3e | 212 | |
06affe3d | 213 | if (!ok) { |
0f113f3e MC |
214 | GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); |
215 | } | |
8817e2e0 | 216 | err: |
61986d32 VD |
217 | if (md) |
218 | BN_free(md); | |
219 | if (ctx) { | |
8817e2e0 MC |
220 | BN_CTX_end(ctx); |
221 | BN_CTX_free(ctx); | |
222 | } | |
06affe3d | 223 | return ok; |
0f113f3e | 224 | } |
a04549cc DSH |
225 | |
226 | /* | |
227 | * Computes public keys for GOST R 34.10-94 algorithm | |
926c41bd | 228 | * |
a04549cc DSH |
229 | */ |
230 | int gost94_compute_public(DSA *dsa) | |
0f113f3e MC |
231 | { |
232 | /* Now fill algorithm parameters with correct values */ | |
8817e2e0 | 233 | BN_CTX *ctx; |
0f113f3e MC |
234 | if (!dsa->g) { |
235 | GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, GOST_R_KEY_IS_NOT_INITALIZED); | |
236 | return 0; | |
237 | } | |
8817e2e0 | 238 | ctx = BN_CTX_new(); |
61986d32 | 239 | if (!ctx) { |
8817e2e0 MC |
240 | GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); |
241 | return 0; | |
242 | } | |
243 | ||
0f113f3e | 244 | dsa->pub_key = BN_new(); |
61986d32 | 245 | if (!dsa->pub_key) { |
8817e2e0 MC |
246 | GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); |
247 | BN_CTX_free(ctx); | |
248 | return 0; | |
249 | } | |
250 | /* Compute public key y = a^x mod p */ | |
0f113f3e MC |
251 | BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx); |
252 | BN_CTX_free(ctx); | |
253 | return 1; | |
254 | } | |
a04549cc DSH |
255 | |
256 | /* | |
257 | * Fill GOST 94 params, searching them in R3410_paramset array | |
258 | * by nid of paramset | |
926c41bd DSH |
259 | * |
260 | */ | |
0f113f3e MC |
261 | int fill_GOST94_params(DSA *dsa, int nid) |
262 | { | |
263 | R3410_params *params = R3410_paramset; | |
264 | while (params->nid != NID_undef && params->nid != nid) | |
265 | params++; | |
266 | if (params->nid == NID_undef) { | |
267 | GOSTerr(GOST_F_FILL_GOST94_PARAMS, GOST_R_UNSUPPORTED_PARAMETER_SET); | |
268 | return 0; | |
269 | } | |
a04549cc | 270 | #define dump_signature(a,b,c) |
0f113f3e MC |
271 | if (dsa->p) { |
272 | BN_free(dsa->p); | |
273 | } | |
274 | dsa->p = NULL; | |
275 | BN_dec2bn(&(dsa->p), params->p); | |
276 | if (dsa->q) { | |
277 | BN_free(dsa->q); | |
278 | } | |
279 | dsa->q = NULL; | |
280 | BN_dec2bn(&(dsa->q), params->q); | |
281 | if (dsa->g) { | |
282 | BN_free(dsa->g); | |
283 | } | |
284 | dsa->g = NULL; | |
285 | BN_dec2bn(&(dsa->g), params->a); | |
286 | return 1; | |
287 | } | |
a04549cc DSH |
288 | |
289 | /* | |
290 | * Generate GOST R 34.10-94 keypair | |
a04549cc | 291 | * |
926c41bd DSH |
292 | * |
293 | */ | |
294 | int gost_sign_keygen(DSA *dsa) | |
0f113f3e MC |
295 | { |
296 | dsa->priv_key = BN_new(); | |
61986d32 | 297 | if (!dsa->priv_key) { |
8817e2e0 MC |
298 | GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE); |
299 | return 0; | |
300 | } | |
0f113f3e MC |
301 | BN_rand_range(dsa->priv_key, dsa->q); |
302 | return gost94_compute_public(dsa); | |
303 | } | |
926c41bd | 304 | |
a04549cc | 305 | /* Unpack signature according to cryptocom rules */ |
1d97c843 | 306 | /*- |
926c41bd | 307 | DSA_SIG *unpack_cc_signature(const unsigned char *sig,size_t siglen) |
0f113f3e MC |
308 | { |
309 | DSA_SIG *s; | |
310 | s = DSA_SIG_new(); | |
311 | if (s == NULL) | |
312 | { | |
313 | GOSTerr(GOST_F_UNPACK_CC_SIGNATURE,ERR_R_MALLOC_FAILURE); | |
314 | return(NULL); | |
315 | } | |
316 | s->r = getbnfrombuf(sig, siglen/2); | |
317 | s->s = getbnfrombuf(sig + siglen/2, siglen/2); | |
318 | return s; | |
319 | } | |
10f0c85c | 320 | */ |
a04549cc | 321 | /* Unpack signature according to cryptopro rules */ |
0f113f3e MC |
322 | DSA_SIG *unpack_cp_signature(const unsigned char *sig, size_t siglen) |
323 | { | |
324 | DSA_SIG *s; | |
a04549cc | 325 | |
0f113f3e MC |
326 | s = DSA_SIG_new(); |
327 | if (s == NULL) { | |
328 | GOSTerr(GOST_F_UNPACK_CP_SIGNATURE, ERR_R_MALLOC_FAILURE); | |
329 | return NULL; | |
330 | } | |
331 | s->s = getbnfrombuf(sig, siglen / 2); | |
332 | s->r = getbnfrombuf(sig + siglen / 2, siglen / 2); | |
333 | return s; | |
334 | } | |
926c41bd | 335 | |
a04549cc | 336 | /* Convert little-endian byte array into bignum */ |
926c41bd | 337 | BIGNUM *hashsum2bn(const unsigned char *dgst) |
0f113f3e MC |
338 | { |
339 | unsigned char buf[32]; | |
340 | int i; | |
341 | for (i = 0; i < 32; i++) { | |
342 | buf[31 - i] = dgst[i]; | |
343 | } | |
344 | return getbnfrombuf(buf, 32); | |
345 | } | |
a04549cc DSH |
346 | |
347 | /* Convert byte buffer to bignum, skipping leading zeros*/ | |
0f113f3e MC |
348 | BIGNUM *getbnfrombuf(const unsigned char *buf, size_t len) |
349 | { | |
350 | while (*buf == 0 && len > 0) { | |
351 | buf++; | |
352 | len--; | |
353 | } | |
354 | if (len) { | |
355 | return BN_bin2bn(buf, len, NULL); | |
356 | } else { | |
357 | BIGNUM *b = BN_new(); | |
358 | BN_zero(b); | |
359 | return b; | |
360 | } | |
361 | } | |
926c41bd | 362 | |
0f113f3e MC |
363 | /* |
364 | * Pack bignum into byte buffer of given size, filling all leading bytes by | |
365 | * zeros | |
366 | */ | |
367 | int store_bignum(BIGNUM *bn, unsigned char *buf, int len) | |
368 | { | |
369 | int bytes = BN_num_bytes(bn); | |
370 | if (bytes > len) | |
371 | return 0; | |
372 | memset(buf, 0, len); | |
373 | BN_bn2bin(bn, buf + len - bytes); | |
374 | return 1; | |
375 | } |