dsa_ossl.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448
  1. /* crypto/dsa/dsa_ossl.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
  59. #define OPENSSL_FIPSAPI
  60. #include <stdio.h>
  61. #include "cryptlib.h"
  62. #include <openssl/bn.h>
  63. #include <openssl/sha.h>
  64. #include <openssl/dsa.h>
  65. #include <openssl/rand.h>
  66. #include <openssl/asn1.h>
  67. #ifdef OPENSSL_FIPS
  68. #include <openssl/fips.h>
  69. #endif
  70. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
  71. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
  72. static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
  73. DSA *dsa);
  74. static int dsa_init(DSA *dsa);
  75. static int dsa_finish(DSA *dsa);
  76. static DSA_METHOD openssl_dsa_meth = {
  77. "OpenSSL DSA method",
  78. dsa_do_sign,
  79. dsa_sign_setup,
  80. dsa_do_verify,
  81. NULL, /* dsa_mod_exp, */
  82. NULL, /* dsa_bn_mod_exp, */
  83. dsa_init,
  84. dsa_finish,
  85. DSA_FLAG_FIPS_METHOD,
  86. NULL,
  87. NULL,
  88. NULL
  89. };
  90. /* These macro wrappers replace attempts to use the dsa_mod_exp() and
  91. * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
  92. * having a the macro work as an expression by bundling an "err_instr". So;
  93. *
  94. * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
  95. * dsa->method_mont_p)) goto err;
  96. *
  97. * can be replaced by;
  98. *
  99. * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
  100. * dsa->method_mont_p);
  101. */
  102. #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
  103. do { \
  104. int _tmp_res53; \
  105. if((dsa)->meth->dsa_mod_exp) \
  106. _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
  107. (a2), (p2), (m), (ctx), (in_mont)); \
  108. else \
  109. _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
  110. (m), (ctx), (in_mont)); \
  111. if(!_tmp_res53) err_instr; \
  112. } while(0)
  113. #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
  114. do { \
  115. int _tmp_res53; \
  116. if((dsa)->meth->bn_mod_exp) \
  117. _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
  118. (m), (ctx), (m_ctx)); \
  119. else \
  120. _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
  121. if(!_tmp_res53) err_instr; \
  122. } while(0)
  123. const DSA_METHOD *DSA_OpenSSL(void)
  124. {
  125. return &openssl_dsa_meth;
  126. }
  127. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  128. {
  129. BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
  130. BIGNUM m;
  131. BIGNUM xr;
  132. BN_CTX *ctx=NULL;
  133. int reason=ERR_R_BN_LIB;
  134. DSA_SIG *ret=NULL;
  135. int noredo = 0;
  136. #ifdef OPENSSL_FIPS
  137. if(FIPS_selftest_failed())
  138. {
  139. FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
  140. return NULL;
  141. }
  142. if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
  143. && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
  144. {
  145. DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
  146. return NULL;
  147. }
  148. if (!fips_check_dsa_prng(dsa, 0, 0))
  149. goto err;
  150. #endif
  151. BN_init(&m);
  152. BN_init(&xr);
  153. if (!dsa->p || !dsa->q || !dsa->g)
  154. {
  155. reason=DSA_R_MISSING_PARAMETERS;
  156. goto err;
  157. }
  158. s=BN_new();
  159. if (s == NULL) goto err;
  160. ctx=BN_CTX_new();
  161. if (ctx == NULL) goto err;
  162. redo:
  163. if ((dsa->kinv == NULL) || (dsa->r == NULL))
  164. {
  165. if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r)) goto err;
  166. }
  167. else
  168. {
  169. kinv=dsa->kinv;
  170. dsa->kinv=NULL;
  171. r=dsa->r;
  172. dsa->r=NULL;
  173. noredo = 1;
  174. }
  175. if (dlen > BN_num_bytes(dsa->q))
  176. /* if the digest length is greater than the size of q use the
  177. * BN_num_bits(dsa->q) leftmost bits of the digest, see
  178. * fips 186-3, 4.2 */
  179. dlen = BN_num_bytes(dsa->q);
  180. if (BN_bin2bn(dgst,dlen,&m) == NULL)
  181. goto err;
  182. /* Compute s = inv(k) (m + xr) mod q */
  183. if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
  184. if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */
  185. if (BN_cmp(s,dsa->q) > 0)
  186. if (!BN_sub(s,s,dsa->q)) goto err;
  187. if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
  188. ret=DSA_SIG_new();
  189. if (ret == NULL) goto err;
  190. /* Redo if r or s is zero as required by FIPS 186-3: this is
  191. * very unlikely.
  192. */
  193. if (BN_is_zero(r) || BN_is_zero(s))
  194. {
  195. if (noredo)
  196. {
  197. reason = DSA_R_NEED_NEW_SETUP_VALUES;
  198. goto err;
  199. }
  200. goto redo;
  201. }
  202. ret->r = r;
  203. ret->s = s;
  204. err:
  205. if (!ret)
  206. {
  207. DSAerr(DSA_F_DSA_DO_SIGN,reason);
  208. BN_free(r);
  209. BN_free(s);
  210. }
  211. if (ctx != NULL) BN_CTX_free(ctx);
  212. BN_clear_free(&m);
  213. BN_clear_free(&xr);
  214. if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
  215. BN_clear_free(kinv);
  216. return(ret);
  217. }
  218. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
  219. {
  220. BN_CTX *ctx;
  221. BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
  222. int ret=0;
  223. if (!dsa->p || !dsa->q || !dsa->g)
  224. {
  225. DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
  226. return 0;
  227. }
  228. BN_init(&k);
  229. BN_init(&kq);
  230. if (ctx_in == NULL)
  231. {
  232. if ((ctx=BN_CTX_new()) == NULL) goto err;
  233. }
  234. else
  235. ctx=ctx_in;
  236. if ((r=BN_new()) == NULL) goto err;
  237. /* Get random k */
  238. do
  239. if (!BN_rand_range(&k, dsa->q)) goto err;
  240. while (BN_is_zero(&k));
  241. if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
  242. {
  243. BN_set_flags(&k, BN_FLG_CONSTTIME);
  244. }
  245. if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
  246. {
  247. if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  248. CRYPTO_LOCK_DSA,
  249. dsa->p, ctx))
  250. goto err;
  251. }
  252. /* Compute r = (g^k mod p) mod q */
  253. if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
  254. {
  255. if (!BN_copy(&kq, &k)) goto err;
  256. /* We do not want timing information to leak the length of k,
  257. * so we compute g^k using an equivalent exponent of fixed length.
  258. *
  259. * (This is a kludge that we need because the BN_mod_exp_mont()
  260. * does not let us specify the desired timing behaviour.) */
  261. if (!BN_add(&kq, &kq, dsa->q)) goto err;
  262. if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
  263. {
  264. if (!BN_add(&kq, &kq, dsa->q)) goto err;
  265. }
  266. K = &kq;
  267. }
  268. else
  269. {
  270. K = &k;
  271. }
  272. DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
  273. dsa->method_mont_p);
  274. if (!BN_mod(r,r,dsa->q,ctx)) goto err;
  275. /* Compute part of 's = inv(k) (m + xr) mod q' */
  276. if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
  277. if (*kinvp != NULL) BN_clear_free(*kinvp);
  278. *kinvp=kinv;
  279. kinv=NULL;
  280. if (*rp != NULL) BN_clear_free(*rp);
  281. *rp=r;
  282. ret=1;
  283. err:
  284. if (!ret)
  285. {
  286. DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
  287. if (r != NULL)
  288. BN_clear_free(r);
  289. }
  290. if (ctx_in == NULL) BN_CTX_free(ctx);
  291. BN_clear_free(&k);
  292. BN_clear_free(&kq);
  293. return(ret);
  294. }
  295. static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
  296. DSA *dsa)
  297. {
  298. BN_CTX *ctx;
  299. BIGNUM u1,u2,t1;
  300. BN_MONT_CTX *mont=NULL;
  301. int ret = -1, i;
  302. if (!dsa->p || !dsa->q || !dsa->g)
  303. {
  304. DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
  305. return -1;
  306. }
  307. i = BN_num_bits(dsa->q);
  308. /* fips 186-3 allows only different sizes for q */
  309. if (i != 160 && i != 224 && i != 256)
  310. {
  311. DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
  312. return -1;
  313. }
  314. #ifdef OPENSSL_FIPS
  315. if(FIPS_selftest_failed())
  316. {
  317. FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
  318. return -1;
  319. }
  320. if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
  321. && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
  322. {
  323. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
  324. return -1;
  325. }
  326. #endif
  327. if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
  328. {
  329. DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
  330. return -1;
  331. }
  332. BN_init(&u1);
  333. BN_init(&u2);
  334. BN_init(&t1);
  335. if ((ctx=BN_CTX_new()) == NULL) goto err;
  336. if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
  337. BN_ucmp(sig->r, dsa->q) >= 0)
  338. {
  339. ret = 0;
  340. goto err;
  341. }
  342. if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
  343. BN_ucmp(sig->s, dsa->q) >= 0)
  344. {
  345. ret = 0;
  346. goto err;
  347. }
  348. /* Calculate W = inv(S) mod Q
  349. * save W in u2 */
  350. if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
  351. /* save M in u1 */
  352. if (dgst_len > (i >> 3))
  353. /* if the digest length is greater than the size of q use the
  354. * BN_num_bits(dsa->q) leftmost bits of the digest, see
  355. * fips 186-3, 4.2 */
  356. dgst_len = (i >> 3);
  357. if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
  358. /* u1 = M * w mod q */
  359. if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
  360. /* u2 = r * w mod q */
  361. if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
  362. if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
  363. {
  364. mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  365. CRYPTO_LOCK_DSA, dsa->p, ctx);
  366. if (!mont)
  367. goto err;
  368. }
  369. DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
  370. /* BN_copy(&u1,&t1); */
  371. /* let u1 = u1 mod q */
  372. if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
  373. /* V is now in u1. If the signature is correct, it will be
  374. * equal to R. */
  375. ret=(BN_ucmp(&u1, sig->r) == 0);
  376. err:
  377. /* XXX: surely this is wrong - if ret is 0, it just didn't verify;
  378. there is no error in BN. Test should be ret == -1 (Ben) */
  379. if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
  380. if (ctx != NULL) BN_CTX_free(ctx);
  381. BN_free(&u1);
  382. BN_free(&u2);
  383. BN_free(&t1);
  384. return(ret);
  385. }
  386. static int dsa_init(DSA *dsa)
  387. {
  388. dsa->flags|=DSA_FLAG_CACHE_MONT_P;
  389. return(1);
  390. }
  391. static int dsa_finish(DSA *dsa)
  392. {
  393. if(dsa->method_mont_p)
  394. BN_MONT_CTX_free(dsa->method_mont_p);
  395. return(1);
  396. }