dsa_ossl.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include "crypto/bn.h"
  12. #include <openssl/bn.h>
  13. #include <openssl/sha.h>
  14. #include "dsa_local.h"
  15. #include <openssl/asn1.h>
  16. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
  17. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  18. BIGNUM **rp);
  19. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  20. BIGNUM **rp, const unsigned char *dgst, int dlen);
  21. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  22. DSA_SIG *sig, DSA *dsa);
  23. static int dsa_init(DSA *dsa);
  24. static int dsa_finish(DSA *dsa);
  25. static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
  26. BN_CTX *ctx);
  27. static DSA_METHOD openssl_dsa_meth = {
  28. "OpenSSL DSA method",
  29. dsa_do_sign,
  30. dsa_sign_setup_no_digest,
  31. dsa_do_verify,
  32. NULL, /* dsa_mod_exp, */
  33. NULL, /* dsa_bn_mod_exp, */
  34. dsa_init,
  35. dsa_finish,
  36. DSA_FLAG_FIPS_METHOD,
  37. NULL,
  38. NULL,
  39. NULL
  40. };
  41. static const DSA_METHOD *default_DSA_method = &openssl_dsa_meth;
  42. void DSA_set_default_method(const DSA_METHOD *meth)
  43. {
  44. default_DSA_method = meth;
  45. }
  46. const DSA_METHOD *DSA_get_default_method(void)
  47. {
  48. return default_DSA_method;
  49. }
  50. const DSA_METHOD *DSA_OpenSSL(void)
  51. {
  52. return &openssl_dsa_meth;
  53. }
  54. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  55. {
  56. BIGNUM *kinv = NULL;
  57. BIGNUM *m, *blind, *blindm, *tmp;
  58. BN_CTX *ctx = NULL;
  59. int reason = ERR_R_BN_LIB;
  60. DSA_SIG *ret = NULL;
  61. int rv = 0;
  62. if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
  63. reason = DSA_R_MISSING_PARAMETERS;
  64. goto err;
  65. }
  66. if (dsa->priv_key == NULL) {
  67. reason = DSA_R_MISSING_PRIVATE_KEY;
  68. goto err;
  69. }
  70. ret = DSA_SIG_new();
  71. if (ret == NULL)
  72. goto err;
  73. ret->r = BN_new();
  74. ret->s = BN_new();
  75. if (ret->r == NULL || ret->s == NULL)
  76. goto err;
  77. ctx = BN_CTX_new();
  78. if (ctx == NULL)
  79. goto err;
  80. m = BN_CTX_get(ctx);
  81. blind = BN_CTX_get(ctx);
  82. blindm = BN_CTX_get(ctx);
  83. tmp = BN_CTX_get(ctx);
  84. if (tmp == NULL)
  85. goto err;
  86. redo:
  87. if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen))
  88. goto err;
  89. if (dlen > BN_num_bytes(dsa->q))
  90. /*
  91. * if the digest length is greater than the size of q use the
  92. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  93. * 4.2
  94. */
  95. dlen = BN_num_bytes(dsa->q);
  96. if (BN_bin2bn(dgst, dlen, m) == NULL)
  97. goto err;
  98. /*
  99. * The normal signature calculation is:
  100. *
  101. * s := k^-1 * (m + r * priv_key) mod q
  102. *
  103. * We will blind this to protect against side channel attacks
  104. *
  105. * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
  106. */
  107. /* Generate a blinding value */
  108. do {
  109. if (!BN_priv_rand(blind, BN_num_bits(dsa->q) - 1,
  110. BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
  111. goto err;
  112. } while (BN_is_zero(blind));
  113. BN_set_flags(blind, BN_FLG_CONSTTIME);
  114. BN_set_flags(blindm, BN_FLG_CONSTTIME);
  115. BN_set_flags(tmp, BN_FLG_CONSTTIME);
  116. /* tmp := blind * priv_key * r mod q */
  117. if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
  118. goto err;
  119. if (!BN_mod_mul(tmp, tmp, ret->r, dsa->q, ctx))
  120. goto err;
  121. /* blindm := blind * m mod q */
  122. if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
  123. goto err;
  124. /* s : = (blind * priv_key * r) + (blind * m) mod q */
  125. if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->q))
  126. goto err;
  127. /* s := s * k^-1 mod q */
  128. if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->q, ctx))
  129. goto err;
  130. /* s:= s * blind^-1 mod q */
  131. if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
  132. goto err;
  133. if (!BN_mod_mul(ret->s, ret->s, blind, dsa->q, ctx))
  134. goto err;
  135. /*
  136. * Redo if r or s is zero as required by FIPS 186-3: this is very
  137. * unlikely.
  138. */
  139. if (BN_is_zero(ret->r) || BN_is_zero(ret->s))
  140. goto redo;
  141. rv = 1;
  142. err:
  143. if (rv == 0) {
  144. DSAerr(DSA_F_DSA_DO_SIGN, reason);
  145. DSA_SIG_free(ret);
  146. ret = NULL;
  147. }
  148. BN_CTX_free(ctx);
  149. BN_clear_free(kinv);
  150. return ret;
  151. }
  152. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
  153. BIGNUM **kinvp, BIGNUM **rp)
  154. {
  155. return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
  156. }
  157. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
  158. BIGNUM **kinvp, BIGNUM **rp,
  159. const unsigned char *dgst, int dlen)
  160. {
  161. BN_CTX *ctx = NULL;
  162. BIGNUM *k, *kinv = NULL, *r = *rp;
  163. BIGNUM *l;
  164. int ret = 0;
  165. int q_bits, q_words;
  166. if (!dsa->p || !dsa->q || !dsa->g) {
  167. DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
  168. return 0;
  169. }
  170. /* Reject obviously invalid parameters */
  171. if (BN_is_zero(dsa->p) || BN_is_zero(dsa->q) || BN_is_zero(dsa->g)) {
  172. DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_PARAMETERS);
  173. return 0;
  174. }
  175. if (dsa->priv_key == NULL) {
  176. DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PRIVATE_KEY);
  177. return 0;
  178. }
  179. k = BN_new();
  180. l = BN_new();
  181. if (k == NULL || l == NULL)
  182. goto err;
  183. if (ctx_in == NULL) {
  184. if ((ctx = BN_CTX_new()) == NULL)
  185. goto err;
  186. } else
  187. ctx = ctx_in;
  188. /* Preallocate space */
  189. q_bits = BN_num_bits(dsa->q);
  190. q_words = bn_get_top(dsa->q);
  191. if (!bn_wexpand(k, q_words + 2)
  192. || !bn_wexpand(l, q_words + 2))
  193. goto err;
  194. /* Get random k */
  195. do {
  196. if (dgst != NULL) {
  197. /*
  198. * We calculate k from SHA512(private_key + H(message) + random).
  199. * This protects the private key from a weak PRNG.
  200. */
  201. if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
  202. dlen, ctx))
  203. goto err;
  204. } else if (!BN_priv_rand_range(k, dsa->q))
  205. goto err;
  206. } while (BN_is_zero(k));
  207. BN_set_flags(k, BN_FLG_CONSTTIME);
  208. BN_set_flags(l, BN_FLG_CONSTTIME);
  209. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  210. if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  211. dsa->lock, dsa->p, ctx))
  212. goto err;
  213. }
  214. /* Compute r = (g^k mod p) mod q */
  215. /*
  216. * We do not want timing information to leak the length of k, so we
  217. * compute G^k using an equivalent scalar of fixed bit-length.
  218. *
  219. * We unconditionally perform both of these additions to prevent a
  220. * small timing information leakage. We then choose the sum that is
  221. * one bit longer than the modulus.
  222. *
  223. * There are some concerns about the efficacy of doing this. More
  224. * specifically refer to the discussion starting with:
  225. * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
  226. * The fix is to rework BN so these gymnastics aren't required.
  227. */
  228. if (!BN_add(l, k, dsa->q)
  229. || !BN_add(k, l, dsa->q))
  230. goto err;
  231. BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
  232. if ((dsa)->meth->bn_mod_exp != NULL) {
  233. if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
  234. dsa->method_mont_p))
  235. goto err;
  236. } else {
  237. if (!BN_mod_exp_mont(r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p))
  238. goto err;
  239. }
  240. if (!BN_mod(r, r, dsa->q, ctx))
  241. goto err;
  242. /* Compute part of 's = inv(k) (m + xr) mod q' */
  243. if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
  244. goto err;
  245. BN_clear_free(*kinvp);
  246. *kinvp = kinv;
  247. kinv = NULL;
  248. ret = 1;
  249. err:
  250. if (!ret)
  251. DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB);
  252. if (ctx != ctx_in)
  253. BN_CTX_free(ctx);
  254. BN_clear_free(k);
  255. BN_clear_free(l);
  256. return ret;
  257. }
  258. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  259. DSA_SIG *sig, DSA *dsa)
  260. {
  261. BN_CTX *ctx;
  262. BIGNUM *u1, *u2, *t1;
  263. BN_MONT_CTX *mont = NULL;
  264. const BIGNUM *r, *s;
  265. int ret = -1, i;
  266. if (!dsa->p || !dsa->q || !dsa->g) {
  267. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
  268. return -1;
  269. }
  270. i = BN_num_bits(dsa->q);
  271. /* fips 186-3 allows only different sizes for q */
  272. if (i != 160 && i != 224 && i != 256) {
  273. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
  274. return -1;
  275. }
  276. if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
  277. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
  278. return -1;
  279. }
  280. u1 = BN_new();
  281. u2 = BN_new();
  282. t1 = BN_new();
  283. ctx = BN_CTX_new();
  284. if (u1 == NULL || u2 == NULL || t1 == NULL || ctx == NULL)
  285. goto err;
  286. DSA_SIG_get0(sig, &r, &s);
  287. if (BN_is_zero(r) || BN_is_negative(r) ||
  288. BN_ucmp(r, dsa->q) >= 0) {
  289. ret = 0;
  290. goto err;
  291. }
  292. if (BN_is_zero(s) || BN_is_negative(s) ||
  293. BN_ucmp(s, dsa->q) >= 0) {
  294. ret = 0;
  295. goto err;
  296. }
  297. /*
  298. * Calculate W = inv(S) mod Q save W in u2
  299. */
  300. if ((BN_mod_inverse(u2, s, dsa->q, ctx)) == NULL)
  301. goto err;
  302. /* save M in u1 */
  303. if (dgst_len > (i >> 3))
  304. /*
  305. * if the digest length is greater than the size of q use the
  306. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  307. * 4.2
  308. */
  309. dgst_len = (i >> 3);
  310. if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
  311. goto err;
  312. /* u1 = M * w mod q */
  313. if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
  314. goto err;
  315. /* u2 = r * w mod q */
  316. if (!BN_mod_mul(u2, r, u2, dsa->q, ctx))
  317. goto err;
  318. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  319. mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  320. dsa->lock, dsa->p, ctx);
  321. if (!mont)
  322. goto err;
  323. }
  324. if (dsa->meth->dsa_mod_exp != NULL) {
  325. if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key, u2,
  326. dsa->p, ctx, mont))
  327. goto err;
  328. } else {
  329. if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
  330. mont))
  331. goto err;
  332. }
  333. /* let u1 = u1 mod q */
  334. if (!BN_mod(u1, t1, dsa->q, ctx))
  335. goto err;
  336. /*
  337. * V is now in u1. If the signature is correct, it will be equal to R.
  338. */
  339. ret = (BN_ucmp(u1, r) == 0);
  340. err:
  341. if (ret < 0)
  342. DSAerr(DSA_F_DSA_DO_VERIFY, ERR_R_BN_LIB);
  343. BN_CTX_free(ctx);
  344. BN_free(u1);
  345. BN_free(u2);
  346. BN_free(t1);
  347. return ret;
  348. }
  349. static int dsa_init(DSA *dsa)
  350. {
  351. dsa->flags |= DSA_FLAG_CACHE_MONT_P;
  352. return 1;
  353. }
  354. static int dsa_finish(DSA *dsa)
  355. {
  356. BN_MONT_CTX_free(dsa->method_mont_p);
  357. return 1;
  358. }
  359. /*
  360. * Compute the inverse of k modulo q.
  361. * Since q is prime, Fermat's Little Theorem applies, which reduces this to
  362. * mod-exp operation. Both the exponent and modulus are public information
  363. * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
  364. * BIGNUM is returned which the caller must free.
  365. */
  366. static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
  367. BN_CTX *ctx)
  368. {
  369. BIGNUM *res = NULL;
  370. BIGNUM *r, *e;
  371. if ((r = BN_new()) == NULL)
  372. return NULL;
  373. BN_CTX_start(ctx);
  374. if ((e = BN_CTX_get(ctx)) != NULL
  375. && BN_set_word(r, 2)
  376. && BN_sub(e, q, r)
  377. && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
  378. res = r;
  379. else
  380. BN_free(r);
  381. BN_CTX_end(ctx);
  382. return res;
  383. }