Blame - src/crypto/dsa/dsa.c - platform/external/boringssl

blob: 58126c3747f3736cedc4b4927c90caadd9c5d7b0 [file] [log] [blame]

Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	1	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
				2	* All rights reserved.
				3	*
				4	* This package is an SSL implementation written
				5	* by Eric Young (eay@cryptsoft.com).
				6	* The implementation was written so as to conform with Netscapes SSL.
				7	*
				8	* This library is free for commercial and non-commercial use as long as
				9	* the following conditions are aheared to. The following conditions
				10	* apply to all code found in this distribution, be it the RC4, RSA,
				11	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
				12	* included with this distribution is covered by the same copyright terms
				13	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
				14	*
				15	* Copyright remains Eric Young's, and as such any Copyright notices in
				16	* the code are not to be removed.
				17	* If this package is used in a product, Eric Young should be given attribution
				18	* as the author of the parts of the library used.
				19	* This can be in the form of a textual message at program startup or
				20	* in documentation (online or textual) provided with the package.
				21	*
				22	* Redistribution and use in source and binary forms, with or without
				23	* modification, are permitted provided that the following conditions
				24	* are met:
				25	* 1. Redistributions of source code must retain the copyright
				26	* notice, this list of conditions and the following disclaimer.
				27	* 2. Redistributions in binary form must reproduce the above copyright
				28	* notice, this list of conditions and the following disclaimer in the
				29	* documentation and/or other materials provided with the distribution.
				30	* 3. All advertising materials mentioning features or use of this software
				31	* must display the following acknowledgement:
				32	* "This product includes cryptographic software written by
				33	* Eric Young (eay@cryptsoft.com)"
				34	* The word 'cryptographic' can be left out if the rouines from the library
				35	* being used are not cryptographic related :-).
				36	* 4. If you include any Windows specific code (or a derivative thereof) from
				37	* the apps directory (application code) you must include an acknowledgement:
				38	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
				39	*
				40	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
				41	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
				43	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
				44	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
				45	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
				46	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
				48	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
				49	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
				50	* SUCH DAMAGE.
				51	*
				52	* The licence and distribution terms for any publically available version or
				53	* derivative of this code cannot be changed. i.e. this code cannot simply be
				54	* copied and put under another distribution licence
				55	* [including the GNU Public Licence.]
				56	*
				57	* The DSS routines are based on patches supplied by
				58	* Steven Schoch <schoch@sheba.arc.nasa.gov>. */
				59
				60	#include <openssl/dsa.h>
				61
				62	#include <string.h>
				63
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	64	#include <openssl/bn.h>
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	65	#include <openssl/dh.h>
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	66	#include <openssl/digest.h>
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	67	#include <openssl/engine.h>
				68	#include <openssl/err.h>
				69	#include <openssl/ex_data.h>
				70	#include <openssl/mem.h>
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	71	#include <openssl/rand.h>
				72	#include <openssl/sha.h>
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	73	#include <openssl/thread.h>
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	74
Robert Sloan	8ff0355	2017-06-14 12:40:58 -0700	[diff] [blame^]	75	#include "../fipsmodule/bn/internal.h"
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	76	#include "../internal.h"
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	77
				78
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	79	#define OPENSSL_DSA_MAX_MODULUS_BITS 10000
				80
				81	/* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
				82	* Rabin-Miller */
				83	#define DSS_prime_checks 50
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	84
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	85	static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
				86
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	87	DSA *DSA_new(void) {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	88	DSA *dsa = OPENSSL_malloc(sizeof(DSA));
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	89	if (dsa == NULL) {
Kenny Root	b849459	2015-09-25 02:29:14 +0000	[diff] [blame]	90	OPENSSL_PUT_ERROR(DSA, ERR_R_MALLOC_FAILURE);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	91	return NULL;
				92	}
				93
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	94	OPENSSL_memset(dsa, 0, sizeof(DSA));
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	95
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	96	dsa->references = 1;
				97
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	98	CRYPTO_MUTEX_init(&dsa->method_mont_lock);
Adam Langley	4139edb	2016-01-13 15:00:54 -0800	[diff] [blame]	99	CRYPTO_new_ex_data(&dsa->ex_data);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	100
				101	return dsa;
				102	}
				103
				104	void DSA_free(DSA *dsa) {
				105	if (dsa == NULL) {
				106	return;
				107	}
				108
Adam Langley	f4e4272	2015-06-04 17:45:09 -0700	[diff] [blame]	109	if (!CRYPTO_refcount_dec_and_test_zero(&dsa->references)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	110	return;
				111	}
				112
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	113	CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	114
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	115	BN_clear_free(dsa->p);
				116	BN_clear_free(dsa->q);
				117	BN_clear_free(dsa->g);
				118	BN_clear_free(dsa->pub_key);
				119	BN_clear_free(dsa->priv_key);
				120	BN_clear_free(dsa->kinv);
				121	BN_clear_free(dsa->r);
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	122	BN_MONT_CTX_free(dsa->method_mont_p);
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	123	BN_MONT_CTX_free(dsa->method_mont_q);
				124	CRYPTO_MUTEX_cleanup(&dsa->method_mont_lock);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	125	OPENSSL_free(dsa);
				126	}
				127
				128	int DSA_up_ref(DSA *dsa) {
Adam Langley	f4e4272	2015-06-04 17:45:09 -0700	[diff] [blame]	129	CRYPTO_refcount_inc(&dsa->references);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	130	return 1;
				131	}
				132
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	133	void DSA_get0_key(const DSA dsa, const BIGNUM *out_pub_key,
				134	const BIGNUM **out_priv_key) {
				135	if (out_pub_key != NULL) {
				136	*out_pub_key = dsa->pub_key;
				137	}
				138	if (out_priv_key != NULL) {
				139	*out_priv_key = dsa->priv_key;
				140	}
				141	}
				142
				143	void DSA_get0_pqg(const DSA dsa, const BIGNUM out_p, const BIGNUM *out_q,
				144	const BIGNUM **out_g) {
				145	if (out_p != NULL) {
				146	*out_p = dsa->p;
				147	}
				148	if (out_q != NULL) {
				149	*out_q = dsa->q;
				150	}
				151	if (out_g != NULL) {
				152	*out_g = dsa->g;
				153	}
				154	}
				155
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	156	int DSA_generate_parameters_ex(DSA dsa, unsigned bits, const uint8_t seed_in,
				157	size_t seed_len, int *out_counter,
				158	unsigned long out_h, BN_GENCB cb) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	159	int ok = 0;
				160	unsigned char seed[SHA256_DIGEST_LENGTH];
				161	unsigned char md[SHA256_DIGEST_LENGTH];
				162	unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
				163	BIGNUM r0, W, X, c, *test;
				164	BIGNUM g = NULL, q = NULL, *p = NULL;
				165	BN_MONT_CTX *mont = NULL;
				166	int k, n = 0, m = 0;
				167	unsigned i;
				168	int counter = 0;
				169	int r = 0;
				170	BN_CTX *ctx = NULL;
				171	unsigned int h = 2;
				172	unsigned qsize;
				173	const EVP_MD *evpmd;
				174
				175	evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();
				176	qsize = EVP_MD_size(evpmd);
				177
				178	if (bits < 512) {
				179	bits = 512;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	180	}
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	181
				182	bits = (bits + 63) / 64 * 64;
				183
				184	if (seed_in != NULL) {
				185	if (seed_len < (size_t)qsize) {
				186	return 0;
				187	}
				188	if (seed_len > (size_t)qsize) {
				189	/* Only consume as much seed as is expected. */
				190	seed_len = qsize;
				191	}
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	192	OPENSSL_memcpy(seed, seed_in, seed_len);
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	193	}
				194
				195	ctx = BN_CTX_new();
				196	if (ctx == NULL) {
				197	goto err;
				198	}
				199	BN_CTX_start(ctx);
				200
				201	mont = BN_MONT_CTX_new();
				202	if (mont == NULL) {
				203	goto err;
				204	}
				205
				206	r0 = BN_CTX_get(ctx);
				207	g = BN_CTX_get(ctx);
				208	W = BN_CTX_get(ctx);
				209	q = BN_CTX_get(ctx);
				210	X = BN_CTX_get(ctx);
				211	c = BN_CTX_get(ctx);
				212	p = BN_CTX_get(ctx);
				213	test = BN_CTX_get(ctx);
				214
				215	if (test == NULL \|\| !BN_lshift(test, BN_value_one(), bits - 1)) {
				216	goto err;
				217	}
				218
				219	for (;;) {
				220	/* Find q. */
				221	for (;;) {
				222	/* step 1 */
				223	if (!BN_GENCB_call(cb, 0, m++)) {
				224	goto err;
				225	}
				226
				227	int use_random_seed = (seed_in == NULL);
				228	if (use_random_seed) {
				229	if (!RAND_bytes(seed, qsize)) {
				230	goto err;
				231	}
				232	} else {
				233	/* If we come back through, use random seed next time. */
				234	seed_in = NULL;
				235	}
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	236	OPENSSL_memcpy(buf, seed, qsize);
				237	OPENSSL_memcpy(buf2, seed, qsize);
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	238	/* precompute "SEED + 1" for step 7: */
				239	for (i = qsize - 1; i < qsize; i--) {
				240	buf[i]++;
				241	if (buf[i] != 0) {
				242	break;
				243	}
				244	}
				245
				246	/* step 2 */
				247	if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) \|\|
				248	!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {
				249	goto err;
				250	}
				251	for (i = 0; i < qsize; i++) {
				252	md[i] ^= buf2[i];
				253	}
				254
				255	/* step 3 */
				256	md[0] \|= 0x80;
				257	md[qsize - 1] \|= 0x01;
				258	if (!BN_bin2bn(md, qsize, q)) {
				259	goto err;
				260	}
				261
				262	/* step 4 */
				263	r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);
				264	if (r > 0) {
				265	break;
				266	}
				267	if (r != 0) {
				268	goto err;
				269	}
				270
				271	/* do a callback call */
				272	/* step 5 */
				273	}
				274
				275	if (!BN_GENCB_call(cb, 2, 0) \|\| !BN_GENCB_call(cb, 3, 0)) {
				276	goto err;
				277	}
				278
				279	/* step 6 */
				280	counter = 0;
				281	/* "offset = 2" */
				282
				283	n = (bits - 1) / 160;
				284
				285	for (;;) {
				286	if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {
				287	goto err;
				288	}
				289
				290	/* step 7 */
				291	BN_zero(W);
				292	/* now 'buf' contains "SEED + offset - 1" */
				293	for (k = 0; k <= n; k++) {
				294	/* obtain "SEED + offset + k" by incrementing: */
				295	for (i = qsize - 1; i < qsize; i--) {
				296	buf[i]++;
				297	if (buf[i] != 0) {
				298	break;
				299	}
				300	}
				301
				302	if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {
				303	goto err;
				304	}
				305
				306	/* step 8 */
				307	if (!BN_bin2bn(md, qsize, r0) \|\|
				308	!BN_lshift(r0, r0, (qsize << 3) * k) \|\|
				309	!BN_add(W, W, r0)) {
				310	goto err;
				311	}
				312	}
				313
				314	/* more of step 8 */
				315	if (!BN_mask_bits(W, bits - 1) \|\|
				316	!BN_copy(X, W) \|\|
				317	!BN_add(X, X, test)) {
				318	goto err;
				319	}
				320
				321	/* step 9 */
				322	if (!BN_lshift1(r0, q) \|\|
				323	!BN_mod(c, X, r0, ctx) \|\|
				324	!BN_sub(r0, c, BN_value_one()) \|\|
				325	!BN_sub(p, X, r0)) {
				326	goto err;
				327	}
				328
				329	/* step 10 */
				330	if (BN_cmp(p, test) >= 0) {
				331	/* step 11 */
				332	r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
				333	if (r > 0) {
				334	goto end; /* found it */
				335	}
				336	if (r != 0) {
				337	goto err;
				338	}
				339	}
				340
				341	/* step 13 */
				342	counter++;
				343	/* "offset = offset + n + 1" */
				344
				345	/* step 14 */
				346	if (counter >= 4096) {
				347	break;
				348	}
				349	}
				350	}
				351	end:
				352	if (!BN_GENCB_call(cb, 2, 1)) {
				353	goto err;
				354	}
				355
				356	/* We now need to generate g */
				357	/* Set r0=(p-1)/q */
				358	if (!BN_sub(test, p, BN_value_one()) \|\|
				359	!BN_div(r0, NULL, test, q, ctx)) {
				360	goto err;
				361	}
				362
				363	if (!BN_set_word(test, h) \|\|
				364	!BN_MONT_CTX_set(mont, p, ctx)) {
				365	goto err;
				366	}
				367
				368	for (;;) {
				369	/* g=test^r0%p */
				370	if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {
				371	goto err;
				372	}
				373	if (!BN_is_one(g)) {
				374	break;
				375	}
				376	if (!BN_add(test, test, BN_value_one())) {
				377	goto err;
				378	}
				379	h++;
				380	}
				381
				382	if (!BN_GENCB_call(cb, 3, 1)) {
				383	goto err;
				384	}
				385
				386	ok = 1;
				387
				388	err:
				389	if (ok) {
				390	BN_free(dsa->p);
				391	BN_free(dsa->q);
				392	BN_free(dsa->g);
				393	dsa->p = BN_dup(p);
				394	dsa->q = BN_dup(q);
				395	dsa->g = BN_dup(g);
				396	if (dsa->p == NULL \|\| dsa->q == NULL \|\| dsa->g == NULL) {
				397	ok = 0;
				398	goto err;
				399	}
				400	if (out_counter != NULL) {
				401	*out_counter = counter;
				402	}
				403	if (out_h != NULL) {
				404	*out_h = h;
				405	}
				406	}
				407
				408	if (ctx) {
				409	BN_CTX_end(ctx);
				410	BN_CTX_free(ctx);
				411	}
				412
				413	BN_MONT_CTX_free(mont);
				414
				415	return ok;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	416	}
				417
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	418	DSA DSAparams_dup(const DSA dsa) {
				419	DSA *ret = DSA_new();
				420	if (ret == NULL) {
				421	return NULL;
				422	}
				423	ret->p = BN_dup(dsa->p);
				424	ret->q = BN_dup(dsa->q);
				425	ret->g = BN_dup(dsa->g);
				426	if (ret->p == NULL \|\| ret->q == NULL \|\| ret->g == NULL) {
				427	DSA_free(ret);
				428	return NULL;
				429	}
				430	return ret;
				431	}
				432
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	433	int DSA_generate_key(DSA *dsa) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	434	int ok = 0;
				435	BN_CTX *ctx = NULL;
				436	BIGNUM pub_key = NULL, priv_key = NULL;
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	437
				438	ctx = BN_CTX_new();
				439	if (ctx == NULL) {
				440	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	441	}
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	442
				443	priv_key = dsa->priv_key;
				444	if (priv_key == NULL) {
				445	priv_key = BN_new();
				446	if (priv_key == NULL) {
				447	goto err;
				448	}
				449	}
				450
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	451	if (!BN_rand_range_ex(priv_key, 1, dsa->q)) {
				452	goto err;
				453	}
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	454
				455	pub_key = dsa->pub_key;
				456	if (pub_key == NULL) {
				457	pub_key = BN_new();
				458	if (pub_key == NULL) {
				459	goto err;
				460	}
				461	}
				462
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	463	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,
				464	dsa->p, ctx) \|\|
Steven Valdez	b0b45c6	2017-01-17 16:23:54 -0500	[diff] [blame]	465	!BN_mod_exp_mont_consttime(pub_key, dsa->g, priv_key, dsa->p, ctx,
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	466	dsa->method_mont_p)) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	467	goto err;
				468	}
				469
				470	dsa->priv_key = priv_key;
				471	dsa->pub_key = pub_key;
				472	ok = 1;
				473
				474	err:
				475	if (dsa->pub_key == NULL) {
				476	BN_free(pub_key);
				477	}
				478	if (dsa->priv_key == NULL) {
				479	BN_free(priv_key);
				480	}
				481	BN_CTX_free(ctx);
				482
				483	return ok;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	484	}
				485
				486	DSA_SIG *DSA_SIG_new(void) {
				487	DSA_SIG *sig;
				488	sig = OPENSSL_malloc(sizeof(DSA_SIG));
				489	if (!sig) {
				490	return NULL;
				491	}
				492	sig->r = NULL;
				493	sig->s = NULL;
				494	return sig;
				495	}
				496
				497	void DSA_SIG_free(DSA_SIG *sig) {
				498	if (!sig) {
				499	return;
				500	}
				501
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	502	BN_free(sig->r);
				503	BN_free(sig->s);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	504	OPENSSL_free(sig);
				505	}
				506
				507	DSA_SIG DSA_do_sign(const uint8_t digest, size_t digest_len, DSA *dsa) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	508	BIGNUM kinv = NULL, r = NULL, *s = NULL;
				509	BIGNUM m;
				510	BIGNUM xr;
				511	BN_CTX *ctx = NULL;
				512	int reason = ERR_R_BN_LIB;
				513	DSA_SIG *ret = NULL;
				514	int noredo = 0;
				515
				516	BN_init(&m);
				517	BN_init(&xr);
				518
				519	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {
				520	reason = DSA_R_MISSING_PARAMETERS;
				521	goto err;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	522	}
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	523
				524	s = BN_new();
				525	if (s == NULL) {
				526	goto err;
				527	}
				528	ctx = BN_CTX_new();
				529	if (ctx == NULL) {
				530	goto err;
				531	}
				532
				533	redo:
				534	if (dsa->kinv == NULL \|\| dsa->r == NULL) {
				535	if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) {
				536	goto err;
				537	}
				538	} else {
				539	kinv = dsa->kinv;
				540	dsa->kinv = NULL;
				541	r = dsa->r;
				542	dsa->r = NULL;
				543	noredo = 1;
				544	}
				545
				546	if (digest_len > BN_num_bytes(dsa->q)) {
				547	/* if the digest length is greater than the size of q use the
				548	* BN_num_bits(dsa->q) leftmost bits of the digest, see
				549	* fips 186-3, 4.2 */
				550	digest_len = BN_num_bytes(dsa->q);
				551	}
				552
				553	if (BN_bin2bn(digest, digest_len, &m) == NULL) {
				554	goto err;
				555	}
				556
				557	/* Compute s = inv(k) (m + xr) mod q */
				558	if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {
				559	goto err; /* s = xr */
				560	}
				561	if (!BN_add(s, &xr, &m)) {
				562	goto err; /* s = m + xr */
				563	}
				564	if (BN_cmp(s, dsa->q) > 0) {
				565	if (!BN_sub(s, s, dsa->q)) {
				566	goto err;
				567	}
				568	}
				569	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {
				570	goto err;
				571	}
				572
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	573	/* Redo if r or s is zero as required by FIPS 186-3: this is
				574	* very unlikely. */
				575	if (BN_is_zero(r) \|\| BN_is_zero(s)) {
				576	if (noredo) {
				577	reason = DSA_R_NEED_NEW_SETUP_VALUES;
				578	goto err;
				579	}
				580	goto redo;
				581	}
Adam Langley	4139edb	2016-01-13 15:00:54 -0800	[diff] [blame]	582	ret = DSA_SIG_new();
				583	if (ret == NULL) {
				584	goto err;
				585	}
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	586	ret->r = r;
				587	ret->s = s;
				588
				589	err:
Adam Langley	4139edb	2016-01-13 15:00:54 -0800	[diff] [blame]	590	if (ret == NULL) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	591	OPENSSL_PUT_ERROR(DSA, reason);
				592	BN_free(r);
				593	BN_free(s);
				594	}
				595	BN_CTX_free(ctx);
				596	BN_clear_free(&m);
				597	BN_clear_free(&xr);
				598	BN_clear_free(kinv);
				599
				600	return ret;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	601	}
				602
				603	int DSA_do_verify(const uint8_t digest, size_t digest_len, DSA_SIG sig,
				604	const DSA *dsa) {
				605	int valid;
				606	if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {
				607	return -1;
				608	}
				609	return valid;
				610	}
				611
				612	int DSA_do_check_signature(int out_valid, const uint8_t digest,
				613	size_t digest_len, DSA_SIG sig, const DSA dsa) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	614	BN_CTX *ctx;
				615	BIGNUM u1, u2, t1;
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	616	int ret = 0;
				617	unsigned i;
				618
				619	*out_valid = 0;
				620
				621	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {
				622	OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
				623	return 0;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	624	}
				625
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	626	i = BN_num_bits(dsa->q);
				627	/* fips 186-3 allows only different sizes for q */
				628	if (i != 160 && i != 224 && i != 256) {
				629	OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
				630	return 0;
				631	}
				632
				633	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
				634	OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);
				635	return 0;
				636	}
				637
				638	BN_init(&u1);
				639	BN_init(&u2);
				640	BN_init(&t1);
				641
				642	ctx = BN_CTX_new();
				643	if (ctx == NULL) {
				644	goto err;
				645	}
				646
				647	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
				648	BN_ucmp(sig->r, dsa->q) >= 0) {
				649	ret = 1;
				650	goto err;
				651	}
				652	if (BN_is_zero(sig->s) \|\| BN_is_negative(sig->s) \|\|
				653	BN_ucmp(sig->s, dsa->q) >= 0) {
				654	ret = 1;
				655	goto err;
				656	}
				657
				658	/* Calculate W = inv(S) mod Q
				659	* save W in u2 */
				660	if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {
				661	goto err;
				662	}
				663
				664	/* save M in u1 */
				665	if (digest_len > (i >> 3)) {
				666	/* if the digest length is greater than the size of q use the
				667	* BN_num_bits(dsa->q) leftmost bits of the digest, see
				668	* fips 186-3, 4.2 */
				669	digest_len = (i >> 3);
				670	}
				671
				672	if (BN_bin2bn(digest, digest_len, &u1) == NULL) {
				673	goto err;
				674	}
				675
				676	/* u1 = M * w mod q */
				677	if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {
				678	goto err;
				679	}
				680
				681	/* u2 = r * w mod q */
				682	if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {
				683	goto err;
				684	}
				685
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	686	if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	687	(CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	688	ctx)) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	689	goto err;
				690	}
				691
				692	if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	693	dsa->method_mont_p)) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	694	goto err;
				695	}
				696
				697	/* BN_copy(&u1,&t1); */
				698	/* let u1 = u1 mod q */
				699	if (!BN_mod(&u1, &t1, dsa->q, ctx)) {
				700	goto err;
				701	}
				702
				703	/* V is now in u1. If the signature is correct, it will be
				704	* equal to R. */
				705	*out_valid = BN_ucmp(&u1, sig->r) == 0;
				706	ret = 1;
				707
				708	err:
				709	if (ret != 1) {
				710	OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
				711	}
				712	BN_CTX_free(ctx);
				713	BN_free(&u1);
				714	BN_free(&u2);
				715	BN_free(&t1);
				716
				717	return ret;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	718	}
				719
				720	int DSA_sign(int type, const uint8_t *digest, size_t digest_len,
				721	uint8_t out_sig, unsigned int out_siglen, DSA *dsa) {
				722	DSA_SIG *s;
				723
				724	s = DSA_do_sign(digest, digest_len, dsa);
				725	if (s == NULL) {
				726	*out_siglen = 0;
				727	return 0;
				728	}
				729
				730	*out_siglen = i2d_DSA_SIG(s, &out_sig);
				731	DSA_SIG_free(s);
				732	return 1;
				733	}
				734
				735	int DSA_verify(int type, const uint8_t *digest, size_t digest_len,
				736	const uint8_t sig, size_t sig_len, const DSA dsa) {
				737	int valid;
				738	if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {
				739	return -1;
				740	}
				741	return valid;
				742	}
				743
				744	int DSA_check_signature(int out_valid, const uint8_t digest,
				745	size_t digest_len, const uint8_t *sig, size_t sig_len,
				746	const DSA *dsa) {
				747	DSA_SIG *s = NULL;
				748	int ret = 0;
				749	uint8_t *der = NULL;
				750
				751	s = DSA_SIG_new();
				752	if (s == NULL) {
				753	goto err;
				754	}
				755
				756	const uint8_t *sigp = sig;
				757	if (d2i_DSA_SIG(&s, &sigp, sig_len) == NULL \|\| sigp != sig + sig_len) {
				758	goto err;
				759	}
				760
				761	/* Ensure that the signature uses DER and doesn't have trailing garbage. */
				762	int der_len = i2d_DSA_SIG(s, &der);
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	763	if (der_len < 0 \|\| (size_t)der_len != sig_len \|\|
				764	OPENSSL_memcmp(sig, der, sig_len)) {
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	765	goto err;
				766	}
				767
				768	ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);
				769
				770	err:
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	771	OPENSSL_free(der);
				772	DSA_SIG_free(s);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	773	return ret;
				774	}
				775
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	776	/* der_len_len returns the number of bytes needed to represent a length of \|len\|
				777	* in DER. */
				778	static size_t der_len_len(size_t len) {
				779	if (len < 0x80) {
				780	return 1;
				781	}
				782	size_t ret = 1;
				783	while (len > 0) {
				784	ret++;
				785	len >>= 8;
				786	}
				787	return ret;
				788	}
				789
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	790	int DSA_size(const DSA *dsa) {
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	791	size_t order_len = BN_num_bytes(dsa->q);
				792	/* Compute the maximum length of an \|order_len\| byte integer. Defensively
				793	* assume that the leading 0x00 is included. */
				794	size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
				795	if (integer_len < order_len) {
				796	return 0;
				797	}
				798	/* A DSA signature is two INTEGERs. */
				799	size_t value_len = 2 * integer_len;
				800	if (value_len < integer_len) {
				801	return 0;
				802	}
				803	/* Add the header. */
				804	size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
				805	if (ret < value_len) {
				806	return 0;
				807	}
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	808	return ret;
				809	}
				810
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	811	int DSA_sign_setup(const DSA dsa, BN_CTX ctx_in, BIGNUM **out_kinv,
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	812	BIGNUM **out_r) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	813	BN_CTX *ctx;
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	814	BIGNUM k, kq, kinv = NULL, r = NULL;
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	815	int ret = 0;
				816
				817	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {
				818	OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
				819	return 0;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	820	}
				821
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	822	BN_init(&k);
				823	BN_init(&kq);
				824
				825	ctx = ctx_in;
				826	if (ctx == NULL) {
				827	ctx = BN_CTX_new();
				828	if (ctx == NULL) {
				829	goto err;
				830	}
				831	}
				832
				833	r = BN_new();
				834	if (r == NULL) {
				835	goto err;
				836	}
				837
				838	/* Get random k */
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	839	if (!BN_rand_range_ex(&k, 1, dsa->q)) {
				840	goto err;
				841	}
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	842
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	843	if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	844	(CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,
				845	ctx) \|\|
				846	!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_q,
				847	(CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->q,
David Benjamin	4969cc9	2016-04-22 15:02:23 -0400	[diff] [blame]	848	ctx)) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	849	goto err;
				850	}
				851
				852	/* Compute r = (g^k mod p) mod q */
				853	if (!BN_copy(&kq, &k)) {
				854	goto err;
				855	}
				856
				857	/* We do not want timing information to leak the length of k,
				858	* so we compute g^k using an equivalent exponent of fixed length.
				859	*
				860	* (This is a kludge that we need because the BN_mod_exp_mont()
				861	* does not let us specify the desired timing behaviour.) */
				862
				863	if (!BN_add(&kq, &kq, dsa->q)) {
				864	goto err;
				865	}
				866	if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {
				867	goto err;
				868	}
				869
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	870	if (!BN_mod_exp_mont_consttime(r, dsa->g, &kq, dsa->p, ctx,
				871	dsa->method_mont_p)) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	872	goto err;
				873	}
				874	if (!BN_mod(r, r, dsa->q, ctx)) {
				875	goto err;
				876	}
				877
David Benjamin	c895d6b	2016-08-11 13:26:41 -0400	[diff] [blame]	878	/* Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
				879	* Theorem. */
				880	kinv = BN_new();
				881	if (kinv == NULL \|\|
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	882	!bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	883	goto err;
				884	}
				885
				886	BN_clear_free(*out_kinv);
				887	*out_kinv = kinv;
				888	kinv = NULL;
				889	BN_clear_free(*out_r);
				890	*out_r = r;
				891	ret = 1;
				892
				893	err:
				894	if (!ret) {
				895	OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
				896	if (r != NULL) {
				897	BN_clear_free(r);
				898	}
				899	}
				900
				901	if (ctx_in == NULL) {
				902	BN_CTX_free(ctx);
				903	}
				904	BN_clear_free(&k);
				905	BN_clear_free(&kq);
Robert Sloan	69939df	2017-01-09 10:53:07 -0800	[diff] [blame]	906	BN_clear_free(kinv);
Adam Langley	fad6327	2015-11-12 12:15:39 -0800	[diff] [blame]	907	return ret;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	908	}
				909
Adam Langley	4139edb	2016-01-13 15:00:54 -0800	[diff] [blame]	910	int DSA_get_ex_new_index(long argl, void argp, CRYPTO_EX_unused unused,
Robert Sloan	8ff0355	2017-06-14 12:40:58 -0700	[diff] [blame^]	911	CRYPTO_EX_dup dup_unused, CRYPTO_EX_free free_func) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	912	int index;
Robert Sloan	8ff0355	2017-06-14 12:40:58 -0700	[diff] [blame^]	913	if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
Adam Langley	4139edb	2016-01-13 15:00:54 -0800	[diff] [blame]	914	free_func)) {
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	915	return -1;
				916	}
				917	return index;
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	918	}
				919
				920	int DSA_set_ex_data(DSA d, int idx, void arg) {
				921	return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
				922	}
				923
				924	void DSA_get_ex_data(const DSA d, int idx) {
				925	return CRYPTO_get_ex_data(&d->ex_data, idx);
				926	}
				927
				928	DH DSA_dup_DH(const DSA r) {
				929	DH *ret = NULL;
				930
				931	if (r == NULL) {
				932	goto err;
				933	}
				934	ret = DH_new();
				935	if (ret == NULL) {
				936	goto err;
				937	}
				938	if (r->q != NULL) {
				939	ret->priv_length = BN_num_bits(r->q);
				940	if ((ret->q = BN_dup(r->q)) == NULL) {
				941	goto err;
				942	}
				943	}
				944	if ((r->p != NULL && (ret->p = BN_dup(r->p)) == NULL) \|\|
				945	(r->g != NULL && (ret->g = BN_dup(r->g)) == NULL) \|\|
				946	(r->pub_key != NULL && (ret->pub_key = BN_dup(r->pub_key)) == NULL) \|\|
				947	(r->priv_key != NULL && (ret->priv_key = BN_dup(r->priv_key)) == NULL)) {
				948	goto err;
				949	}
				950
				951	return ret;
				952
				953	err:
Adam Langley	e9ada86	2015-05-11 17:20:37 -0700	[diff] [blame]	954	DH_free(ret);
Adam Langley	d9e397b	2015-01-22 14:27:53 -0800	[diff] [blame]	955	return NULL;
				956	}