A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

372 lines
10 KiB

  1. /*
  2. * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
  10. #include <stdio.h>
  11. #include "internal/cryptlib.h"
  12. #include <openssl/bn.h>
  13. #include <openssl/sha.h>
  14. #include "dsa_locl.h"
  15. #include <openssl/rand.h>
  16. #include <openssl/asn1.h>
  17. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
  18. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  19. BIGNUM **rp);
  20. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  21. BIGNUM **rp, const unsigned char *dgst, int dlen);
  22. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  23. DSA_SIG *sig, DSA *dsa);
  24. static int dsa_init(DSA *dsa);
  25. static int dsa_finish(DSA *dsa);
  26. static DSA_METHOD openssl_dsa_meth = {
  27. "OpenSSL DSA method",
  28. dsa_do_sign,
  29. dsa_sign_setup_no_digest,
  30. dsa_do_verify,
  31. NULL, /* dsa_mod_exp, */
  32. NULL, /* dsa_bn_mod_exp, */
  33. dsa_init,
  34. dsa_finish,
  35. DSA_FLAG_FIPS_METHOD,
  36. NULL,
  37. NULL,
  38. NULL
  39. };
  40. /*-
  41. * These macro wrappers replace attempts to use the dsa_mod_exp() and
  42. * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
  43. * having a the macro work as an expression by bundling an "err_instr". So;
  44. *
  45. * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
  46. * dsa->method_mont_p)) goto err;
  47. *
  48. * can be replaced by;
  49. *
  50. * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
  51. * dsa->method_mont_p);
  52. */
  53. #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
  54. do { \
  55. int _tmp_res53; \
  56. if ((dsa)->meth->dsa_mod_exp) \
  57. _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
  58. (a2), (p2), (m), (ctx), (in_mont)); \
  59. else \
  60. _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
  61. (m), (ctx), (in_mont)); \
  62. if (!_tmp_res53) err_instr; \
  63. } while(0)
  64. #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
  65. do { \
  66. int _tmp_res53; \
  67. if ((dsa)->meth->bn_mod_exp) \
  68. _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
  69. (m), (ctx), (m_ctx)); \
  70. else \
  71. _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
  72. if (!_tmp_res53) err_instr; \
  73. } while(0)
  74. const DSA_METHOD *DSA_OpenSSL(void)
  75. {
  76. return &openssl_dsa_meth;
  77. }
  78. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  79. {
  80. BIGNUM *kinv = NULL;
  81. BIGNUM *m;
  82. BIGNUM *xr;
  83. BIGNUM *r, *s;
  84. BN_CTX *ctx = NULL;
  85. int reason = ERR_R_BN_LIB;
  86. DSA_SIG *ret = NULL;
  87. int rv = 0;
  88. m = BN_new();
  89. xr = BN_new();
  90. if (m == NULL || xr == NULL)
  91. goto err;
  92. if (!dsa->p || !dsa->q || !dsa->g) {
  93. reason = DSA_R_MISSING_PARAMETERS;
  94. goto err;
  95. }
  96. ret = DSA_SIG_new();
  97. if (ret == NULL)
  98. goto err;
  99. DSA_SIG_get0(&r, &s, ret);
  100. ctx = BN_CTX_new();
  101. if (ctx == NULL)
  102. goto err;
  103. redo:
  104. if (!dsa_sign_setup(dsa, ctx, &kinv, &r, dgst, dlen))
  105. goto err;
  106. if (dlen > BN_num_bytes(dsa->q))
  107. /*
  108. * if the digest length is greater than the size of q use the
  109. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  110. * 4.2
  111. */
  112. dlen = BN_num_bytes(dsa->q);
  113. if (BN_bin2bn(dgst, dlen, m) == NULL)
  114. goto err;
  115. /* Compute s = inv(k) (m + xr) mod q */
  116. if (!BN_mod_mul(xr, dsa->priv_key, r, dsa->q, ctx))
  117. goto err; /* s = xr */
  118. if (!BN_add(s, xr, m))
  119. goto err; /* s = m + xr */
  120. if (BN_cmp(s, dsa->q) > 0)
  121. if (!BN_sub(s, s, dsa->q))
  122. goto err;
  123. if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
  124. goto err;
  125. /*
  126. * Redo if r or s is zero as required by FIPS 186-3: this is very
  127. * unlikely.
  128. */
  129. if (BN_is_zero(r) || BN_is_zero(s))
  130. goto redo;
  131. rv = 1;
  132. err:
  133. if (rv == 0) {
  134. DSAerr(DSA_F_DSA_DO_SIGN, reason);
  135. DSA_SIG_free(ret);
  136. ret = NULL;
  137. }
  138. BN_CTX_free(ctx);
  139. BN_clear_free(m);
  140. BN_clear_free(xr);
  141. BN_clear_free(kinv);
  142. return ret;
  143. }
  144. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
  145. BIGNUM **kinvp, BIGNUM **rp)
  146. {
  147. return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
  148. }
  149. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
  150. BIGNUM **kinvp, BIGNUM **rp,
  151. const unsigned char *dgst, int dlen)
  152. {
  153. BN_CTX *ctx = NULL;
  154. BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp;
  155. int ret = 0;
  156. if (!dsa->p || !dsa->q || !dsa->g) {
  157. DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
  158. return 0;
  159. }
  160. k = BN_new();
  161. kq = BN_new();
  162. if (k == NULL || kq == NULL)
  163. goto err;
  164. if (ctx_in == NULL) {
  165. if ((ctx = BN_CTX_new()) == NULL)
  166. goto err;
  167. } else
  168. ctx = ctx_in;
  169. /* Get random k */
  170. do {
  171. if (dgst != NULL) {
  172. /*
  173. * We calculate k from SHA512(private_key + H(message) + random).
  174. * This protects the private key from a weak PRNG.
  175. */
  176. if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
  177. dlen, ctx))
  178. goto err;
  179. } else if (!BN_rand_range(k, dsa->q))
  180. goto err;
  181. } while (BN_is_zero(k));
  182. if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
  183. BN_set_flags(k, BN_FLG_CONSTTIME);
  184. }
  185. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  186. if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  187. dsa->lock, dsa->p, ctx))
  188. goto err;
  189. }
  190. /* Compute r = (g^k mod p) mod q */
  191. if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
  192. if (!BN_copy(kq, k))
  193. goto err;
  194. /*
  195. * We do not want timing information to leak the length of k, so we
  196. * compute g^k using an equivalent exponent of fixed length. (This
  197. * is a kludge that we need because the BN_mod_exp_mont() does not
  198. * let us specify the desired timing behaviour.)
  199. */
  200. if (!BN_add(kq, kq, dsa->q))
  201. goto err;
  202. if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
  203. if (!BN_add(kq, kq, dsa->q))
  204. goto err;
  205. }
  206. K = kq;
  207. } else {
  208. K = k;
  209. }
  210. DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
  211. dsa->method_mont_p);
  212. if (!BN_mod(r, r, dsa->q, ctx))
  213. goto err;
  214. /* Compute part of 's = inv(k) (m + xr) mod q' */
  215. if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
  216. goto err;
  217. BN_clear_free(*kinvp);
  218. *kinvp = kinv;
  219. kinv = NULL;
  220. ret = 1;
  221. err:
  222. if (!ret)
  223. DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB);
  224. if (ctx != ctx_in)
  225. BN_CTX_free(ctx);
  226. BN_clear_free(k);
  227. BN_clear_free(kq);
  228. return ret;
  229. }
  230. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  231. DSA_SIG *sig, DSA *dsa)
  232. {
  233. BN_CTX *ctx;
  234. BIGNUM *u1, *u2, *t1;
  235. BN_MONT_CTX *mont = NULL;
  236. BIGNUM *r, *s;
  237. int ret = -1, i;
  238. if (!dsa->p || !dsa->q || !dsa->g) {
  239. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
  240. return -1;
  241. }
  242. i = BN_num_bits(dsa->q);
  243. /* fips 186-3 allows only different sizes for q */
  244. if (i != 160 && i != 224 && i != 256) {
  245. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
  246. return -1;
  247. }
  248. if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
  249. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
  250. return -1;
  251. }
  252. u1 = BN_new();
  253. u2 = BN_new();
  254. t1 = BN_new();
  255. ctx = BN_CTX_new();
  256. if (u1 == NULL || u2 == NULL || t1 == NULL || ctx == NULL)
  257. goto err;
  258. DSA_SIG_get0(&r, &s, sig);
  259. if (BN_is_zero(r) || BN_is_negative(r) ||
  260. BN_ucmp(r, dsa->q) >= 0) {
  261. ret = 0;
  262. goto err;
  263. }
  264. if (BN_is_zero(s) || BN_is_negative(s) ||
  265. BN_ucmp(s, dsa->q) >= 0) {
  266. ret = 0;
  267. goto err;
  268. }
  269. /*
  270. * Calculate W = inv(S) mod Q save W in u2
  271. */
  272. if ((BN_mod_inverse(u2, s, dsa->q, ctx)) == NULL)
  273. goto err;
  274. /* save M in u1 */
  275. if (dgst_len > (i >> 3))
  276. /*
  277. * if the digest length is greater than the size of q use the
  278. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  279. * 4.2
  280. */
  281. dgst_len = (i >> 3);
  282. if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
  283. goto err;
  284. /* u1 = M * w mod q */
  285. if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
  286. goto err;
  287. /* u2 = r * w mod q */
  288. if (!BN_mod_mul(u2, r, u2, dsa->q, ctx))
  289. goto err;
  290. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  291. mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  292. dsa->lock, dsa->p, ctx);
  293. if (!mont)
  294. goto err;
  295. }
  296. DSA_MOD_EXP(goto err, dsa, t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
  297. mont);
  298. /* BN_copy(&u1,&t1); */
  299. /* let u1 = u1 mod q */
  300. if (!BN_mod(u1, t1, dsa->q, ctx))
  301. goto err;
  302. /*
  303. * V is now in u1. If the signature is correct, it will be equal to R.
  304. */
  305. ret = (BN_ucmp(u1, r) == 0);
  306. err:
  307. if (ret < 0)
  308. DSAerr(DSA_F_DSA_DO_VERIFY, ERR_R_BN_LIB);
  309. BN_CTX_free(ctx);
  310. BN_free(u1);
  311. BN_free(u2);
  312. BN_free(t1);
  313. return (ret);
  314. }
  315. static int dsa_init(DSA *dsa)
  316. {
  317. dsa->flags |= DSA_FLAG_CACHE_MONT_P;
  318. return (1);
  319. }
  320. static int dsa_finish(DSA *dsa)
  321. {
  322. BN_MONT_CTX_free(dsa->method_mont_p);
  323. return (1);
  324. }