2
0

dsa_ossl.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include "internal/bn_int.h"
  12. #include <openssl/bn.h>
  13. #include <openssl/sha.h>
  14. #include "dsa_locl.h"
  15. #include <openssl/asn1.h>
  16. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
  17. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  18. BIGNUM **rp);
  19. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  20. BIGNUM **rp, const unsigned char *dgst, int dlen);
  21. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  22. DSA_SIG *sig, DSA *dsa);
  23. static int dsa_init(DSA *dsa);
  24. static int dsa_finish(DSA *dsa);
  25. static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
  26. BN_CTX *ctx);
  27. static DSA_METHOD openssl_dsa_meth = {
  28. "OpenSSL DSA method",
  29. dsa_do_sign,
  30. dsa_sign_setup_no_digest,
  31. dsa_do_verify,
  32. NULL, /* dsa_mod_exp, */
  33. NULL, /* dsa_bn_mod_exp, */
  34. dsa_init,
  35. dsa_finish,
  36. DSA_FLAG_FIPS_METHOD,
  37. NULL,
  38. NULL,
  39. NULL
  40. };
  41. static const DSA_METHOD *default_DSA_method = &openssl_dsa_meth;
  42. void DSA_set_default_method(const DSA_METHOD *meth)
  43. {
  44. default_DSA_method = meth;
  45. }
  46. const DSA_METHOD *DSA_get_default_method(void)
  47. {
  48. return default_DSA_method;
  49. }
  50. const DSA_METHOD *DSA_OpenSSL(void)
  51. {
  52. return &openssl_dsa_meth;
  53. }
  54. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  55. {
  56. BIGNUM *kinv = NULL;
  57. BIGNUM *m, *blind, *blindm, *tmp;
  58. BN_CTX *ctx = NULL;
  59. int reason = ERR_R_BN_LIB;
  60. DSA_SIG *ret = NULL;
  61. int rv = 0;
  62. if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
  63. reason = DSA_R_MISSING_PARAMETERS;
  64. goto err;
  65. }
  66. ret = DSA_SIG_new();
  67. if (ret == NULL)
  68. goto err;
  69. ret->r = BN_new();
  70. ret->s = BN_new();
  71. if (ret->r == NULL || ret->s == NULL)
  72. goto err;
  73. ctx = BN_CTX_new();
  74. if (ctx == NULL)
  75. goto err;
  76. m = BN_CTX_get(ctx);
  77. blind = BN_CTX_get(ctx);
  78. blindm = BN_CTX_get(ctx);
  79. tmp = BN_CTX_get(ctx);
  80. if (tmp == NULL)
  81. goto err;
  82. redo:
  83. if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen))
  84. goto err;
  85. if (dlen > BN_num_bytes(dsa->q))
  86. /*
  87. * if the digest length is greater than the size of q use the
  88. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  89. * 4.2
  90. */
  91. dlen = BN_num_bytes(dsa->q);
  92. if (BN_bin2bn(dgst, dlen, m) == NULL)
  93. goto err;
  94. /*
  95. * The normal signature calculation is:
  96. *
  97. * s := k^-1 * (m + r * priv_key) mod q
  98. *
  99. * We will blind this to protect against side channel attacks
  100. *
  101. * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
  102. */
  103. /* Generate a blinding value */
  104. do {
  105. if (!BN_priv_rand(blind, BN_num_bits(dsa->q) - 1,
  106. BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
  107. goto err;
  108. } while (BN_is_zero(blind));
  109. BN_set_flags(blind, BN_FLG_CONSTTIME);
  110. BN_set_flags(blindm, BN_FLG_CONSTTIME);
  111. BN_set_flags(tmp, BN_FLG_CONSTTIME);
  112. /* tmp := blind * priv_key * r mod q */
  113. if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
  114. goto err;
  115. if (!BN_mod_mul(tmp, tmp, ret->r, dsa->q, ctx))
  116. goto err;
  117. /* blindm := blind * m mod q */
  118. if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
  119. goto err;
  120. /* s : = (blind * priv_key * r) + (blind * m) mod q */
  121. if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->q))
  122. goto err;
  123. /* s := s * k^-1 mod q */
  124. if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->q, ctx))
  125. goto err;
  126. /* s:= s * blind^-1 mod q */
  127. if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
  128. goto err;
  129. if (!BN_mod_mul(ret->s, ret->s, blind, dsa->q, ctx))
  130. goto err;
  131. /*
  132. * Redo if r or s is zero as required by FIPS 186-3: this is very
  133. * unlikely.
  134. */
  135. if (BN_is_zero(ret->r) || BN_is_zero(ret->s))
  136. goto redo;
  137. rv = 1;
  138. err:
  139. if (rv == 0) {
  140. DSAerr(DSA_F_DSA_DO_SIGN, reason);
  141. DSA_SIG_free(ret);
  142. ret = NULL;
  143. }
  144. BN_CTX_free(ctx);
  145. BN_clear_free(kinv);
  146. return ret;
  147. }
  148. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
  149. BIGNUM **kinvp, BIGNUM **rp)
  150. {
  151. return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
  152. }
  153. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
  154. BIGNUM **kinvp, BIGNUM **rp,
  155. const unsigned char *dgst, int dlen)
  156. {
  157. BN_CTX *ctx = NULL;
  158. BIGNUM *k, *kinv = NULL, *r = *rp;
  159. BIGNUM *l;
  160. int ret = 0;
  161. int q_bits, q_words;
  162. if (!dsa->p || !dsa->q || !dsa->g) {
  163. DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
  164. return 0;
  165. }
  166. k = BN_new();
  167. l = BN_new();
  168. if (k == NULL || l == NULL)
  169. goto err;
  170. if (ctx_in == NULL) {
  171. if ((ctx = BN_CTX_new()) == NULL)
  172. goto err;
  173. } else
  174. ctx = ctx_in;
  175. /* Preallocate space */
  176. q_bits = BN_num_bits(dsa->q);
  177. q_words = bn_get_top(dsa->q);
  178. if (!bn_wexpand(k, q_words + 2)
  179. || !bn_wexpand(l, q_words + 2))
  180. goto err;
  181. /* Get random k */
  182. do {
  183. if (dgst != NULL) {
  184. /*
  185. * We calculate k from SHA512(private_key + H(message) + random).
  186. * This protects the private key from a weak PRNG.
  187. */
  188. if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
  189. dlen, ctx))
  190. goto err;
  191. } else if (!BN_priv_rand_range(k, dsa->q))
  192. goto err;
  193. } while (BN_is_zero(k));
  194. BN_set_flags(k, BN_FLG_CONSTTIME);
  195. BN_set_flags(l, BN_FLG_CONSTTIME);
  196. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  197. if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  198. dsa->lock, dsa->p, ctx))
  199. goto err;
  200. }
  201. /* Compute r = (g^k mod p) mod q */
  202. /*
  203. * We do not want timing information to leak the length of k, so we
  204. * compute G^k using an equivalent scalar of fixed bit-length.
  205. *
  206. * We unconditionally perform both of these additions to prevent a
  207. * small timing information leakage. We then choose the sum that is
  208. * one bit longer than the modulus.
  209. *
  210. * There are some concerns about the efficacy of doing this. More
  211. * specificly refer to the discussion starting with:
  212. * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
  213. * The fix is to rework BN so these gymnastics aren't required.
  214. */
  215. if (!BN_add(l, k, dsa->q)
  216. || !BN_add(k, l, dsa->q))
  217. goto err;
  218. BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
  219. if ((dsa)->meth->bn_mod_exp != NULL) {
  220. if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
  221. dsa->method_mont_p))
  222. goto err;
  223. } else {
  224. if (!BN_mod_exp_mont(r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p))
  225. goto err;
  226. }
  227. if (!BN_mod(r, r, dsa->q, ctx))
  228. goto err;
  229. /* Compute part of 's = inv(k) (m + xr) mod q' */
  230. if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
  231. goto err;
  232. BN_clear_free(*kinvp);
  233. *kinvp = kinv;
  234. kinv = NULL;
  235. ret = 1;
  236. err:
  237. if (!ret)
  238. DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB);
  239. if (ctx != ctx_in)
  240. BN_CTX_free(ctx);
  241. BN_clear_free(k);
  242. BN_clear_free(l);
  243. return ret;
  244. }
  245. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  246. DSA_SIG *sig, DSA *dsa)
  247. {
  248. BN_CTX *ctx;
  249. BIGNUM *u1, *u2, *t1;
  250. BN_MONT_CTX *mont = NULL;
  251. const BIGNUM *r, *s;
  252. int ret = -1, i;
  253. if (!dsa->p || !dsa->q || !dsa->g) {
  254. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
  255. return -1;
  256. }
  257. i = BN_num_bits(dsa->q);
  258. /* fips 186-3 allows only different sizes for q */
  259. if (i != 160 && i != 224 && i != 256) {
  260. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
  261. return -1;
  262. }
  263. if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
  264. DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
  265. return -1;
  266. }
  267. u1 = BN_new();
  268. u2 = BN_new();
  269. t1 = BN_new();
  270. ctx = BN_CTX_new();
  271. if (u1 == NULL || u2 == NULL || t1 == NULL || ctx == NULL)
  272. goto err;
  273. DSA_SIG_get0(sig, &r, &s);
  274. if (BN_is_zero(r) || BN_is_negative(r) ||
  275. BN_ucmp(r, dsa->q) >= 0) {
  276. ret = 0;
  277. goto err;
  278. }
  279. if (BN_is_zero(s) || BN_is_negative(s) ||
  280. BN_ucmp(s, dsa->q) >= 0) {
  281. ret = 0;
  282. goto err;
  283. }
  284. /*
  285. * Calculate W = inv(S) mod Q save W in u2
  286. */
  287. if ((BN_mod_inverse(u2, s, dsa->q, ctx)) == NULL)
  288. goto err;
  289. /* save M in u1 */
  290. if (dgst_len > (i >> 3))
  291. /*
  292. * if the digest length is greater than the size of q use the
  293. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  294. * 4.2
  295. */
  296. dgst_len = (i >> 3);
  297. if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
  298. goto err;
  299. /* u1 = M * w mod q */
  300. if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
  301. goto err;
  302. /* u2 = r * w mod q */
  303. if (!BN_mod_mul(u2, r, u2, dsa->q, ctx))
  304. goto err;
  305. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  306. mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  307. dsa->lock, dsa->p, ctx);
  308. if (!mont)
  309. goto err;
  310. }
  311. if (dsa->meth->dsa_mod_exp != NULL) {
  312. if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key, u2,
  313. dsa->p, ctx, mont))
  314. goto err;
  315. } else {
  316. if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
  317. mont))
  318. goto err;
  319. }
  320. /* let u1 = u1 mod q */
  321. if (!BN_mod(u1, t1, dsa->q, ctx))
  322. goto err;
  323. /*
  324. * V is now in u1. If the signature is correct, it will be equal to R.
  325. */
  326. ret = (BN_ucmp(u1, r) == 0);
  327. err:
  328. if (ret < 0)
  329. DSAerr(DSA_F_DSA_DO_VERIFY, ERR_R_BN_LIB);
  330. BN_CTX_free(ctx);
  331. BN_free(u1);
  332. BN_free(u2);
  333. BN_free(t1);
  334. return ret;
  335. }
  336. static int dsa_init(DSA *dsa)
  337. {
  338. dsa->flags |= DSA_FLAG_CACHE_MONT_P;
  339. return 1;
  340. }
  341. static int dsa_finish(DSA *dsa)
  342. {
  343. BN_MONT_CTX_free(dsa->method_mont_p);
  344. return 1;
  345. }
  346. /*
  347. * Compute the inverse of k modulo q.
  348. * Since q is prime, Fermat's Little Theorem applies, which reduces this to
  349. * mod-exp operation. Both the exponent and modulus are public information
  350. * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
  351. * BIGNUM is returned which the caller must free.
  352. */
  353. static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
  354. BN_CTX *ctx)
  355. {
  356. BIGNUM *res = NULL;
  357. BIGNUM *r, *e;
  358. if ((r = BN_new()) == NULL)
  359. return NULL;
  360. BN_CTX_start(ctx);
  361. if ((e = BN_CTX_get(ctx)) != NULL
  362. && BN_set_word(r, 2)
  363. && BN_sub(e, q, r)
  364. && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
  365. res = r;
  366. else
  367. BN_free(r);
  368. BN_CTX_end(ctx);
  369. return res;
  370. }