dsa_ossl.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466
  1. /*
  2. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * DSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdio.h>
  15. #include "internal/cryptlib.h"
  16. #include "crypto/bn.h"
  17. #include <openssl/bn.h>
  18. #include <openssl/sha.h>
  19. #include "dsa_local.h"
  20. #include <openssl/asn1.h>
  21. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
  22. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  23. BIGNUM **rp);
  24. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  25. BIGNUM **rp, const unsigned char *dgst, int dlen);
  26. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  27. DSA_SIG *sig, DSA *dsa);
  28. static int dsa_init(DSA *dsa);
  29. static int dsa_finish(DSA *dsa);
  30. static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
  31. BN_CTX *ctx);
  32. static DSA_METHOD openssl_dsa_meth = {
  33. "OpenSSL DSA method",
  34. dsa_do_sign,
  35. dsa_sign_setup_no_digest,
  36. dsa_do_verify,
  37. NULL, /* dsa_mod_exp, */
  38. NULL, /* dsa_bn_mod_exp, */
  39. dsa_init,
  40. dsa_finish,
  41. DSA_FLAG_FIPS_METHOD,
  42. NULL,
  43. NULL,
  44. NULL
  45. };
  46. static const DSA_METHOD *default_DSA_method = &openssl_dsa_meth;
  47. #ifndef FIPS_MODULE
  48. void DSA_set_default_method(const DSA_METHOD *meth)
  49. {
  50. default_DSA_method = meth;
  51. }
  52. #endif /* FIPS_MODULE */
  53. const DSA_METHOD *DSA_get_default_method(void)
  54. {
  55. return default_DSA_method;
  56. }
  57. const DSA_METHOD *DSA_OpenSSL(void)
  58. {
  59. return &openssl_dsa_meth;
  60. }
  61. DSA_SIG *dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa)
  62. {
  63. BIGNUM *kinv = NULL;
  64. BIGNUM *m, *blind, *blindm, *tmp;
  65. BN_CTX *ctx = NULL;
  66. int reason = ERR_R_BN_LIB;
  67. DSA_SIG *ret = NULL;
  68. int rv = 0;
  69. if (dsa->params.p == NULL
  70. || dsa->params.q == NULL
  71. || dsa->params.g == NULL) {
  72. reason = DSA_R_MISSING_PARAMETERS;
  73. goto err;
  74. }
  75. if (dsa->priv_key == NULL) {
  76. reason = DSA_R_MISSING_PRIVATE_KEY;
  77. goto err;
  78. }
  79. ret = DSA_SIG_new();
  80. if (ret == NULL)
  81. goto err;
  82. ret->r = BN_new();
  83. ret->s = BN_new();
  84. if (ret->r == NULL || ret->s == NULL)
  85. goto err;
  86. ctx = BN_CTX_new_ex(dsa->libctx);
  87. if (ctx == NULL)
  88. goto err;
  89. m = BN_CTX_get(ctx);
  90. blind = BN_CTX_get(ctx);
  91. blindm = BN_CTX_get(ctx);
  92. tmp = BN_CTX_get(ctx);
  93. if (tmp == NULL)
  94. goto err;
  95. redo:
  96. if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen))
  97. goto err;
  98. if (dlen > BN_num_bytes(dsa->params.q))
  99. /*
  100. * if the digest length is greater than the size of q use the
  101. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  102. * 4.2
  103. */
  104. dlen = BN_num_bytes(dsa->params.q);
  105. if (BN_bin2bn(dgst, dlen, m) == NULL)
  106. goto err;
  107. /*
  108. * The normal signature calculation is:
  109. *
  110. * s := k^-1 * (m + r * priv_key) mod q
  111. *
  112. * We will blind this to protect against side channel attacks
  113. *
  114. * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
  115. */
  116. /* Generate a blinding value */
  117. do {
  118. if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1,
  119. BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx))
  120. goto err;
  121. } while (BN_is_zero(blind));
  122. BN_set_flags(blind, BN_FLG_CONSTTIME);
  123. BN_set_flags(blindm, BN_FLG_CONSTTIME);
  124. BN_set_flags(tmp, BN_FLG_CONSTTIME);
  125. /* tmp := blind * priv_key * r mod q */
  126. if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->params.q, ctx))
  127. goto err;
  128. if (!BN_mod_mul(tmp, tmp, ret->r, dsa->params.q, ctx))
  129. goto err;
  130. /* blindm := blind * m mod q */
  131. if (!BN_mod_mul(blindm, blind, m, dsa->params.q, ctx))
  132. goto err;
  133. /* s : = (blind * priv_key * r) + (blind * m) mod q */
  134. if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->params.q))
  135. goto err;
  136. /* s := s * k^-1 mod q */
  137. if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->params.q, ctx))
  138. goto err;
  139. /* s:= s * blind^-1 mod q */
  140. if (BN_mod_inverse(blind, blind, dsa->params.q, ctx) == NULL)
  141. goto err;
  142. if (!BN_mod_mul(ret->s, ret->s, blind, dsa->params.q, ctx))
  143. goto err;
  144. /*
  145. * Redo if r or s is zero as required by FIPS 186-3: this is very
  146. * unlikely.
  147. */
  148. if (BN_is_zero(ret->r) || BN_is_zero(ret->s))
  149. goto redo;
  150. rv = 1;
  151. err:
  152. if (rv == 0) {
  153. ERR_raise(ERR_LIB_DSA, reason);
  154. DSA_SIG_free(ret);
  155. ret = NULL;
  156. }
  157. BN_CTX_free(ctx);
  158. BN_clear_free(kinv);
  159. return ret;
  160. }
  161. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  162. {
  163. return dsa_do_sign_int(dgst, dlen, dsa);
  164. }
  165. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
  166. BIGNUM **kinvp, BIGNUM **rp)
  167. {
  168. return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
  169. }
  170. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
  171. BIGNUM **kinvp, BIGNUM **rp,
  172. const unsigned char *dgst, int dlen)
  173. {
  174. BN_CTX *ctx = NULL;
  175. BIGNUM *k, *kinv = NULL, *r = *rp;
  176. BIGNUM *l;
  177. int ret = 0;
  178. int q_bits, q_words;
  179. if (!dsa->params.p || !dsa->params.q || !dsa->params.g) {
  180. ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PARAMETERS);
  181. return 0;
  182. }
  183. /* Reject obviously invalid parameters */
  184. if (BN_is_zero(dsa->params.p)
  185. || BN_is_zero(dsa->params.q)
  186. || BN_is_zero(dsa->params.g)) {
  187. ERR_raise(ERR_LIB_DSA, DSA_R_INVALID_PARAMETERS);
  188. return 0;
  189. }
  190. if (dsa->priv_key == NULL) {
  191. ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY);
  192. return 0;
  193. }
  194. k = BN_new();
  195. l = BN_new();
  196. if (k == NULL || l == NULL)
  197. goto err;
  198. if (ctx_in == NULL) {
  199. /* if you don't pass in ctx_in you get a default libctx */
  200. if ((ctx = BN_CTX_new_ex(NULL)) == NULL)
  201. goto err;
  202. } else
  203. ctx = ctx_in;
  204. /* Preallocate space */
  205. q_bits = BN_num_bits(dsa->params.q);
  206. q_words = bn_get_top(dsa->params.q);
  207. if (!bn_wexpand(k, q_words + 2)
  208. || !bn_wexpand(l, q_words + 2))
  209. goto err;
  210. /* Get random k */
  211. do {
  212. if (dgst != NULL) {
  213. /*
  214. * We calculate k from SHA512(private_key + H(message) + random).
  215. * This protects the private key from a weak PRNG.
  216. */
  217. if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst,
  218. dlen, ctx))
  219. goto err;
  220. } else if (!BN_priv_rand_range_ex(k, dsa->params.q, ctx))
  221. goto err;
  222. } while (BN_is_zero(k));
  223. BN_set_flags(k, BN_FLG_CONSTTIME);
  224. BN_set_flags(l, BN_FLG_CONSTTIME);
  225. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  226. if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  227. dsa->lock, dsa->params.p, ctx))
  228. goto err;
  229. }
  230. /* Compute r = (g^k mod p) mod q */
  231. /*
  232. * We do not want timing information to leak the length of k, so we
  233. * compute G^k using an equivalent scalar of fixed bit-length.
  234. *
  235. * We unconditionally perform both of these additions to prevent a
  236. * small timing information leakage. We then choose the sum that is
  237. * one bit longer than the modulus.
  238. *
  239. * There are some concerns about the efficacy of doing this. More
  240. * specifically refer to the discussion starting with:
  241. * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
  242. * The fix is to rework BN so these gymnastics aren't required.
  243. */
  244. if (!BN_add(l, k, dsa->params.q)
  245. || !BN_add(k, l, dsa->params.q))
  246. goto err;
  247. BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
  248. if ((dsa)->meth->bn_mod_exp != NULL) {
  249. if (!dsa->meth->bn_mod_exp(dsa, r, dsa->params.g, k, dsa->params.p,
  250. ctx, dsa->method_mont_p))
  251. goto err;
  252. } else {
  253. if (!BN_mod_exp_mont(r, dsa->params.g, k, dsa->params.p, ctx,
  254. dsa->method_mont_p))
  255. goto err;
  256. }
  257. if (!BN_mod(r, r, dsa->params.q, ctx))
  258. goto err;
  259. /* Compute part of 's = inv(k) (m + xr) mod q' */
  260. if ((kinv = dsa_mod_inverse_fermat(k, dsa->params.q, ctx)) == NULL)
  261. goto err;
  262. BN_clear_free(*kinvp);
  263. *kinvp = kinv;
  264. kinv = NULL;
  265. ret = 1;
  266. err:
  267. if (!ret)
  268. ERR_raise(ERR_LIB_DSA, ERR_R_BN_LIB);
  269. if (ctx != ctx_in)
  270. BN_CTX_free(ctx);
  271. BN_clear_free(k);
  272. BN_clear_free(l);
  273. return ret;
  274. }
  275. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  276. DSA_SIG *sig, DSA *dsa)
  277. {
  278. BN_CTX *ctx;
  279. BIGNUM *u1, *u2, *t1;
  280. BN_MONT_CTX *mont = NULL;
  281. const BIGNUM *r, *s;
  282. int ret = -1, i;
  283. if (dsa->params.p == NULL
  284. || dsa->params.q == NULL
  285. || dsa->params.g == NULL) {
  286. ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PARAMETERS);
  287. return -1;
  288. }
  289. i = BN_num_bits(dsa->params.q);
  290. /* fips 186-3 allows only different sizes for q */
  291. if (i != 160 && i != 224 && i != 256) {
  292. ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
  293. return -1;
  294. }
  295. if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
  296. ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
  297. return -1;
  298. }
  299. u1 = BN_new();
  300. u2 = BN_new();
  301. t1 = BN_new();
  302. ctx = BN_CTX_new_ex(NULL); /* verify does not need a libctx */
  303. if (u1 == NULL || u2 == NULL || t1 == NULL || ctx == NULL)
  304. goto err;
  305. DSA_SIG_get0(sig, &r, &s);
  306. if (BN_is_zero(r) || BN_is_negative(r) ||
  307. BN_ucmp(r, dsa->params.q) >= 0) {
  308. ret = 0;
  309. goto err;
  310. }
  311. if (BN_is_zero(s) || BN_is_negative(s) ||
  312. BN_ucmp(s, dsa->params.q) >= 0) {
  313. ret = 0;
  314. goto err;
  315. }
  316. /*
  317. * Calculate W = inv(S) mod Q save W in u2
  318. */
  319. if ((BN_mod_inverse(u2, s, dsa->params.q, ctx)) == NULL)
  320. goto err;
  321. /* save M in u1 */
  322. if (dgst_len > (i >> 3))
  323. /*
  324. * if the digest length is greater than the size of q use the
  325. * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  326. * 4.2
  327. */
  328. dgst_len = (i >> 3);
  329. if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
  330. goto err;
  331. /* u1 = M * w mod q */
  332. if (!BN_mod_mul(u1, u1, u2, dsa->params.q, ctx))
  333. goto err;
  334. /* u2 = r * w mod q */
  335. if (!BN_mod_mul(u2, r, u2, dsa->params.q, ctx))
  336. goto err;
  337. if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  338. mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  339. dsa->lock, dsa->params.p, ctx);
  340. if (!mont)
  341. goto err;
  342. }
  343. if (dsa->meth->dsa_mod_exp != NULL) {
  344. if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->params.g, u1, dsa->pub_key, u2,
  345. dsa->params.p, ctx, mont))
  346. goto err;
  347. } else {
  348. if (!BN_mod_exp2_mont(t1, dsa->params.g, u1, dsa->pub_key, u2,
  349. dsa->params.p, ctx, mont))
  350. goto err;
  351. }
  352. /* let u1 = u1 mod q */
  353. if (!BN_mod(u1, t1, dsa->params.q, ctx))
  354. goto err;
  355. /*
  356. * V is now in u1. If the signature is correct, it will be equal to R.
  357. */
  358. ret = (BN_ucmp(u1, r) == 0);
  359. err:
  360. if (ret < 0)
  361. ERR_raise(ERR_LIB_DSA, ERR_R_BN_LIB);
  362. BN_CTX_free(ctx);
  363. BN_free(u1);
  364. BN_free(u2);
  365. BN_free(t1);
  366. return ret;
  367. }
  368. static int dsa_init(DSA *dsa)
  369. {
  370. dsa->flags |= DSA_FLAG_CACHE_MONT_P;
  371. ossl_ffc_params_init(&dsa->params);
  372. dsa->dirty_cnt++;
  373. return 1;
  374. }
  375. static int dsa_finish(DSA *dsa)
  376. {
  377. BN_MONT_CTX_free(dsa->method_mont_p);
  378. return 1;
  379. }
  380. /*
  381. * Compute the inverse of k modulo q.
  382. * Since q is prime, Fermat's Little Theorem applies, which reduces this to
  383. * mod-exp operation. Both the exponent and modulus are public information
  384. * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
  385. * BIGNUM is returned which the caller must free.
  386. */
  387. static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
  388. BN_CTX *ctx)
  389. {
  390. BIGNUM *res = NULL;
  391. BIGNUM *r, *e;
  392. if ((r = BN_new()) == NULL)
  393. return NULL;
  394. BN_CTX_start(ctx);
  395. if ((e = BN_CTX_get(ctx)) != NULL
  396. && BN_set_word(r, 2)
  397. && BN_sub(e, q, r)
  398. && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
  399. res = r;
  400. else
  401. BN_free(r);
  402. BN_CTX_end(ctx);
  403. return res;
  404. }