2014-12-17 14:37:13 -07:00
|
|
|
/* dsa.c
|
|
|
|
|
*
|
2019-03-15 10:37:36 -07:00
|
|
|
* Copyright (C) 2006-2019 wolfSSL Inc.
|
2014-12-17 14:37:13 -07:00
|
|
|
*
|
2016-03-17 16:02:13 -06:00
|
|
|
* This file is part of wolfSSL.
|
2014-12-17 14:37:13 -07:00
|
|
|
*
|
|
|
|
|
* wolfSSL is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* wolfSSL is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
2016-03-17 16:02:13 -06:00
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
2014-12-17 14:37:13 -07:00
|
|
|
*/
|
|
|
|
|
|
2016-03-17 16:02:13 -06:00
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2014-12-31 17:01:27 -07:00
|
|
|
#include <wolfssl/wolfcrypt/settings.h>
|
2014-12-17 14:37:13 -07:00
|
|
|
|
|
|
|
|
#ifndef NO_DSA
|
|
|
|
|
|
2014-12-31 17:01:27 -07:00
|
|
|
#include <wolfssl/wolfcrypt/random.h>
|
2015-07-22 14:18:07 +02:00
|
|
|
#include <wolfssl/wolfcrypt/integer.h>
|
2014-12-31 17:01:27 -07:00
|
|
|
#include <wolfssl/wolfcrypt/error-crypt.h>
|
2015-07-22 14:18:07 +02:00
|
|
|
#include <wolfssl/wolfcrypt/logging.h>
|
|
|
|
|
#include <wolfssl/wolfcrypt/sha.h>
|
|
|
|
|
#include <wolfssl/wolfcrypt/dsa.h>
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2016-12-21 14:05:00 -08:00
|
|
|
#ifdef NO_INLINE
|
|
|
|
|
#include <wolfssl/wolfcrypt/misc.h>
|
|
|
|
|
#else
|
|
|
|
|
#define WOLFSSL_MISC_INCLUDED
|
|
|
|
|
#include <wolfcrypt/src/misc.c>
|
|
|
|
|
#endif
|
|
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
|
|
|
|
|
enum {
|
|
|
|
|
DSA_HALF_SIZE = 20, /* r and s size */
|
|
|
|
|
DSA_SIG_SIZE = 40 /* signature size */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2017-02-01 10:13:47 -08:00
|
|
|
int wc_InitDsaKey(DsaKey* key)
|
2014-12-17 14:37:13 -07:00
|
|
|
{
|
2017-01-31 16:42:06 -08:00
|
|
|
if (key == NULL)
|
2017-02-01 10:13:47 -08:00
|
|
|
return BAD_FUNC_ARG;
|
2017-01-31 16:42:06 -08:00
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
key->type = -1; /* haven't decided yet */
|
2016-06-04 19:03:48 -06:00
|
|
|
key->heap = NULL;
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2017-02-01 10:13:47 -08:00
|
|
|
return mp_init_multi(
|
|
|
|
|
/* public alloc parts */
|
|
|
|
|
&key->p,
|
|
|
|
|
&key->q,
|
|
|
|
|
&key->g,
|
|
|
|
|
&key->y,
|
|
|
|
|
|
|
|
|
|
/* private alloc parts */
|
|
|
|
|
&key->x,
|
|
|
|
|
NULL
|
|
|
|
|
);
|
2014-12-17 14:37:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2016-06-04 19:03:48 -06:00
|
|
|
int wc_InitDsaKey_h(DsaKey* key, void* h)
|
|
|
|
|
{
|
2017-02-01 10:13:47 -08:00
|
|
|
int ret = wc_InitDsaKey(key);
|
|
|
|
|
if (ret == 0)
|
|
|
|
|
key->heap = h;
|
2016-06-04 19:03:48 -06:00
|
|
|
|
2017-02-01 10:13:47 -08:00
|
|
|
return ret;
|
2016-06-04 19:03:48 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
void wc_FreeDsaKey(DsaKey* key)
|
|
|
|
|
{
|
2017-01-31 16:42:06 -08:00
|
|
|
if (key == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
if (key->type == DSA_PRIVATE)
|
2017-01-31 16:42:06 -08:00
|
|
|
mp_forcezero(&key->x);
|
|
|
|
|
|
|
|
|
|
mp_clear(&key->x);
|
2014-12-17 14:37:13 -07:00
|
|
|
mp_clear(&key->y);
|
|
|
|
|
mp_clear(&key->g);
|
|
|
|
|
mp_clear(&key->q);
|
|
|
|
|
mp_clear(&key->p);
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-22 14:18:07 +02:00
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
/* validate that (L,N) match allowed sizes from FIPS 186-4, Section 4.2.
|
2018-01-08 17:06:33 -07:00
|
|
|
* modLen - represents L, the size of p (prime modulus) in bits
|
|
|
|
|
* divLen - represents N, the size of q (prime divisor) in bits
|
2018-01-04 10:11:23 -07:00
|
|
|
* return 0 on success, -1 on error */
|
2018-01-08 17:06:33 -07:00
|
|
|
static int CheckDsaLN(int modLen, int divLen)
|
2018-01-04 10:11:23 -07:00
|
|
|
{
|
|
|
|
|
int ret = -1;
|
|
|
|
|
|
2018-01-08 17:06:33 -07:00
|
|
|
switch (modLen) {
|
2018-01-04 10:11:23 -07:00
|
|
|
case 1024:
|
2018-01-08 17:06:33 -07:00
|
|
|
if (divLen == 160)
|
2018-01-04 10:11:23 -07:00
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
case 2048:
|
2018-01-08 17:06:33 -07:00
|
|
|
if (divLen == 224 || divLen == 256)
|
2018-01-04 10:11:23 -07:00
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
case 3072:
|
2018-01-08 17:06:33 -07:00
|
|
|
if (divLen == 256)
|
2018-01-04 10:11:23 -07:00
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-08 09:58:03 -07:00
|
|
|
|
|
|
|
|
#ifdef WOLFSSL_KEY_GEN
|
|
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
/* Create DSA key pair (&dsa->x, &dsa->y)
|
|
|
|
|
*
|
|
|
|
|
* Based on NIST FIPS 186-4,
|
|
|
|
|
* "B.1.1 Key Pair Generation Using Extra Random Bits"
|
|
|
|
|
*
|
|
|
|
|
* rng - pointer to initialized WC_RNG structure
|
|
|
|
|
* dsa - pointer to initialized DsaKey structure, will hold generated key
|
|
|
|
|
*
|
|
|
|
|
* return 0 on success, negative on error */
|
2015-08-07 11:53:19 -06:00
|
|
|
int wc_MakeDsaKey(WC_RNG *rng, DsaKey *dsa)
|
2015-07-22 14:18:07 +02:00
|
|
|
{
|
2018-01-04 10:11:23 -07:00
|
|
|
byte* cBuf;
|
|
|
|
|
int qSz, pSz, cSz, err;
|
|
|
|
|
mp_int tmpQ;
|
2015-07-22 14:18:07 +02:00
|
|
|
|
|
|
|
|
if (rng == NULL || dsa == NULL)
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
qSz = mp_unsigned_bin_size(&dsa->q);
|
|
|
|
|
pSz = mp_unsigned_bin_size(&dsa->p);
|
|
|
|
|
|
|
|
|
|
/* verify (L,N) pair bit lengths */
|
2018-01-08 17:06:33 -07:00
|
|
|
if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0)
|
2015-07-23 13:24:20 +02:00
|
|
|
return BAD_FUNC_ARG;
|
2015-07-22 14:18:07 +02:00
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
/* generate extra 64 bits so that bias from mod function is negligible */
|
2018-01-08 17:06:33 -07:00
|
|
|
cSz = qSz + (64 / WOLFSSL_BIT_SIZE);
|
2018-01-04 10:11:23 -07:00
|
|
|
cBuf = (byte*)XMALLOC(cSz, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
if (cBuf == NULL) {
|
2015-07-22 14:18:07 +02:00
|
|
|
return MEMORY_E;
|
2018-01-04 10:11:23 -07:00
|
|
|
}
|
2015-07-22 14:18:07 +02:00
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
if ((err = mp_init_multi(&dsa->x, &dsa->y, &tmpQ, NULL, NULL, NULL))
|
|
|
|
|
!= MP_OKAY) {
|
|
|
|
|
XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
return err;
|
2015-07-22 14:18:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
2018-01-04 10:11:23 -07:00
|
|
|
/* generate N+64 bits (c) from RBG into &dsa->x, making sure positive.
|
|
|
|
|
* Hash_DRBG uses SHA-256 which matches maximum
|
|
|
|
|
* requested_security_strength of (L,N) */
|
|
|
|
|
err = wc_RNG_GenerateBlock(rng, cBuf, cSz);
|
2015-07-22 14:18:07 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->x);
|
2018-01-04 10:11:23 -07:00
|
|
|
mp_clear(&dsa->y);
|
|
|
|
|
mp_clear(&tmpQ);
|
|
|
|
|
XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
err = mp_read_unsigned_bin(&dsa->x, cBuf, cSz);
|
2015-07-22 14:18:07 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->x);
|
2018-01-04 10:11:23 -07:00
|
|
|
mp_clear(&dsa->y);
|
|
|
|
|
mp_clear(&tmpQ);
|
|
|
|
|
XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
} while (mp_cmp_d(&dsa->x, 1) != MP_GT);
|
|
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
/* tmpQ = q - 1 */
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
err = mp_copy(&dsa->q, &tmpQ);
|
|
|
|
|
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
err = mp_sub_d(&tmpQ, 1, &tmpQ);
|
|
|
|
|
|
|
|
|
|
/* x = c mod (q-1), &dsa->x holds c */
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
err = mp_mod(&dsa->x, &tmpQ, &dsa->x);
|
|
|
|
|
|
|
|
|
|
/* x = c mod (q-1) + 1 */
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
err = mp_add_d(&dsa->x, 1, &dsa->x);
|
2015-07-22 14:18:07 +02:00
|
|
|
|
|
|
|
|
/* public key : y = g^x mod p */
|
2018-01-04 10:11:23 -07:00
|
|
|
if (err == MP_OKAY)
|
2019-07-29 09:29:53 +10:00
|
|
|
err = mp_exptmod_ex(&dsa->g, &dsa->x, dsa->q.used, &dsa->p, &dsa->y);
|
2018-01-04 10:11:23 -07:00
|
|
|
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
dsa->type = DSA_PRIVATE;
|
|
|
|
|
|
2015-07-22 14:18:07 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->x);
|
|
|
|
|
mp_clear(&dsa->y);
|
|
|
|
|
}
|
2018-01-04 10:11:23 -07:00
|
|
|
mp_clear(&tmpQ);
|
2015-07-22 14:18:07 +02:00
|
|
|
|
2018-01-04 10:11:23 -07:00
|
|
|
return err;
|
2015-07-22 14:18:07 +02:00
|
|
|
}
|
|
|
|
|
|
2018-01-08 09:58:03 -07:00
|
|
|
|
2015-07-22 14:18:07 +02:00
|
|
|
/* modulus_size in bits */
|
2015-08-07 11:53:19 -06:00
|
|
|
int wc_MakeDsaParameters(WC_RNG *rng, int modulus_size, DsaKey *dsa)
|
2015-07-22 14:18:07 +02:00
|
|
|
{
|
2015-07-23 13:24:20 +02:00
|
|
|
mp_int tmp, tmp2;
|
|
|
|
|
int err, msize, qsize,
|
|
|
|
|
loop_check_prime = 0,
|
|
|
|
|
check_prime = MP_NO;
|
|
|
|
|
unsigned char *buf;
|
2015-07-22 14:18:07 +02:00
|
|
|
|
|
|
|
|
if (rng == NULL || dsa == NULL)
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
|
|
|
|
|
/* set group size in bytes from modulus size
|
|
|
|
|
* FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256)
|
|
|
|
|
*/
|
|
|
|
|
switch (modulus_size) {
|
|
|
|
|
case 1024:
|
|
|
|
|
qsize = 20;
|
|
|
|
|
break;
|
|
|
|
|
case 2048:
|
|
|
|
|
case 3072:
|
|
|
|
|
qsize = 32;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* modulus size in bytes */
|
2018-01-08 17:06:33 -07:00
|
|
|
msize = modulus_size / WOLFSSL_BIT_SIZE;
|
2015-07-22 14:18:07 +02:00
|
|
|
|
|
|
|
|
/* allocate ram */
|
|
|
|
|
buf = (unsigned char *)XMALLOC(msize - qsize,
|
2016-06-04 19:03:48 -06:00
|
|
|
dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
if (buf == NULL) {
|
|
|
|
|
return MEMORY_E;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-23 13:24:20 +02:00
|
|
|
/* make a random string that will be multplied against q */
|
2015-07-22 14:18:07 +02:00
|
|
|
err = wc_RNG_GenerateBlock(rng, buf, msize - qsize);
|
|
|
|
|
if (err != MP_OKAY) {
|
2016-06-04 19:03:48 -06:00
|
|
|
XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* force magnitude */
|
|
|
|
|
buf[0] |= 0xC0;
|
|
|
|
|
|
|
|
|
|
/* force even */
|
|
|
|
|
buf[msize - qsize - 1] &= ~1;
|
|
|
|
|
|
2015-07-23 13:24:20 +02:00
|
|
|
if (mp_init_multi(&tmp2, &dsa->p, &dsa->q, 0, 0, 0) != MP_OKAY) {
|
2015-07-22 14:18:07 +02:00
|
|
|
mp_clear(&dsa->q);
|
2016-06-04 19:03:48 -06:00
|
|
|
XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
return MP_INIT_E;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = mp_read_unsigned_bin(&tmp2, buf, msize - qsize);
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp2);
|
2016-06-04 19:03:48 -06:00
|
|
|
XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
return err;
|
|
|
|
|
}
|
2016-06-04 19:03:48 -06:00
|
|
|
XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
2015-07-22 14:18:07 +02:00
|
|
|
|
2015-07-23 13:24:20 +02:00
|
|
|
/* make our prime q */
|
|
|
|
|
err = mp_rand_prime(&dsa->q, qsize, rng, NULL);
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* p = random * q */
|
2015-07-22 14:18:07 +02:00
|
|
|
err = mp_mul(&dsa->q, &tmp2, &dsa->p);
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-23 13:24:20 +02:00
|
|
|
/* p = random * q + 1, so q is a prime divisor of p-1 */
|
2015-07-22 14:18:07 +02:00
|
|
|
err = mp_add_d(&dsa->p, 1, &dsa->p);
|
2015-07-23 13:24:20 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (mp_init(&tmp) != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return MP_INIT_E;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* tmp = 2q */
|
|
|
|
|
err = mp_add(&dsa->q, &dsa->q, &tmp);
|
2015-07-22 14:18:07 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* loop until p is prime */
|
2015-07-23 13:24:20 +02:00
|
|
|
while (check_prime == MP_NO) {
|
2018-07-12 14:58:19 -07:00
|
|
|
err = mp_prime_is_prime_ex(&dsa->p, 8, &check_prime, rng);
|
2015-07-22 14:18:07 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-23 13:24:20 +02:00
|
|
|
if (check_prime != MP_YES) {
|
|
|
|
|
/* p += 2q */
|
|
|
|
|
err = mp_add(&tmp, &dsa->p, &dsa->p);
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
loop_check_prime++;
|
2015-07-22 14:18:07 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-23 13:24:20 +02:00
|
|
|
/* tmp2 += (2*loop_check_prime)
|
2015-07-22 14:18:07 +02:00
|
|
|
* to have p = (q * tmp2) + 1 prime
|
|
|
|
|
*/
|
2015-07-23 13:24:20 +02:00
|
|
|
if (loop_check_prime) {
|
|
|
|
|
err = mp_add_d(&tmp2, 2*loop_check_prime, &tmp2);
|
2015-07-22 14:18:07 +02:00
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (mp_init(&dsa->g) != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return MP_INIT_E;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* find a value g for which g^tmp2 != 1 */
|
2017-02-01 10:13:47 -08:00
|
|
|
if (mp_set(&dsa->g, 1) != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return MP_INIT_E;
|
|
|
|
|
}
|
2015-07-22 14:18:07 +02:00
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
err = mp_add_d(&dsa->g, 1, &dsa->g);
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&dsa->g);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = mp_exptmod(&dsa->g, &tmp2, &dsa->p, &tmp);
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&dsa->g);
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
} while (mp_cmp_d(&tmp, 1) == MP_EQ);
|
|
|
|
|
|
|
|
|
|
/* at this point tmp generates a group of order q mod p */
|
|
|
|
|
mp_exch(&tmp, &dsa->g);
|
|
|
|
|
|
|
|
|
|
mp_clear(&tmp);
|
|
|
|
|
mp_clear(&tmp2);
|
|
|
|
|
|
|
|
|
|
return MP_OKAY;
|
|
|
|
|
}
|
|
|
|
|
#endif /* WOLFSSL_KEY_GEN */
|
|
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2018-07-12 17:22:44 -07:00
|
|
|
static int _DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
|
|
|
|
|
const char* g, int trusted, WC_RNG* rng)
|
2018-01-08 09:58:03 -07:00
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
word32 pSz, qSz;
|
|
|
|
|
|
|
|
|
|
if (dsa == NULL || p == NULL || q == NULL || g == NULL)
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
|
|
|
|
|
/* read p */
|
|
|
|
|
err = mp_read_radix(&dsa->p, p, MP_RADIX_HEX);
|
2018-07-12 17:22:44 -07:00
|
|
|
if (err == MP_OKAY && !trusted) {
|
|
|
|
|
int isPrime = 1;
|
|
|
|
|
if (rng == NULL)
|
|
|
|
|
err = mp_prime_is_prime(&dsa->p, 8, &isPrime);
|
|
|
|
|
else
|
|
|
|
|
err = mp_prime_is_prime_ex(&dsa->p, 8, &isPrime, rng);
|
|
|
|
|
|
|
|
|
|
if (err == MP_OKAY) {
|
|
|
|
|
if (!isPrime)
|
|
|
|
|
err = DH_CHECK_PUB_E;
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-01-08 09:58:03 -07:00
|
|
|
|
|
|
|
|
/* read q */
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
err = mp_read_radix(&dsa->q, q, MP_RADIX_HEX);
|
|
|
|
|
|
|
|
|
|
/* read g */
|
|
|
|
|
if (err == MP_OKAY)
|
|
|
|
|
err = mp_read_radix(&dsa->g, g, MP_RADIX_HEX);
|
|
|
|
|
|
|
|
|
|
/* verify (L,N) pair bit lengths */
|
|
|
|
|
pSz = mp_unsigned_bin_size(&dsa->p);
|
|
|
|
|
qSz = mp_unsigned_bin_size(&dsa->q);
|
|
|
|
|
|
2018-01-08 17:06:33 -07:00
|
|
|
if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
|
2018-01-08 09:58:03 -07:00
|
|
|
WOLFSSL_MSG("Invalid DSA p or q parameter size");
|
|
|
|
|
err = BAD_FUNC_ARG;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (err != MP_OKAY) {
|
|
|
|
|
mp_clear(&dsa->p);
|
|
|
|
|
mp_clear(&dsa->q);
|
|
|
|
|
mp_clear(&dsa->g);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2018-07-12 17:22:44 -07:00
|
|
|
/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
|
|
|
|
|
* input parameters (p,q,g) should be represented as ASCII hex values.
|
|
|
|
|
*
|
|
|
|
|
* dsa - pointer to initialized DsaKey structure
|
|
|
|
|
* p - DSA (p) parameter, ASCII hex string
|
|
|
|
|
* pSz - length of p
|
|
|
|
|
* q - DSA (q) parameter, ASCII hex string
|
|
|
|
|
* qSz - length of q
|
|
|
|
|
* g - DSA (g) parameter, ASCII hex string
|
|
|
|
|
* gSz - length of g
|
|
|
|
|
*
|
|
|
|
|
* returns 0 on success, negative upon failure
|
|
|
|
|
*/
|
|
|
|
|
int wc_DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
|
|
|
|
|
const char* g)
|
|
|
|
|
{
|
|
|
|
|
return _DsaImportParamsRaw(dsa, p, q, g, 1, NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
|
|
|
|
|
* input parameters (p,q,g) should be represented as ASCII hex values. Check
|
|
|
|
|
* that the p value is probably prime.
|
|
|
|
|
*
|
|
|
|
|
* dsa - pointer to initialized DsaKey structure
|
|
|
|
|
* p - DSA (p) parameter, ASCII hex string
|
|
|
|
|
* pSz - length of p
|
|
|
|
|
* q - DSA (q) parameter, ASCII hex string
|
|
|
|
|
* qSz - length of q
|
|
|
|
|
* g - DSA (g) parameter, ASCII hex string
|
|
|
|
|
* gSz - length of g
|
|
|
|
|
* trusted - trust that p is OK
|
|
|
|
|
* rng - random number generator for the prime test
|
|
|
|
|
*
|
|
|
|
|
* returns 0 on success, negative upon failure
|
|
|
|
|
*/
|
|
|
|
|
int wc_DsaImportParamsRawCheck(DsaKey* dsa, const char* p, const char* q,
|
|
|
|
|
const char* g, int trusted, WC_RNG* rng)
|
|
|
|
|
{
|
|
|
|
|
return _DsaImportParamsRaw(dsa, p, q, g, trusted, rng);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2018-01-08 09:58:03 -07:00
|
|
|
/* Export raw DSA parameters from DsaKey structure
|
|
|
|
|
*
|
|
|
|
|
* dsa - pointer to initialized DsaKey structure
|
|
|
|
|
* p - output location for DSA (p) parameter
|
|
|
|
|
* pSz - [IN/OUT] size of output buffer for p, size of p
|
|
|
|
|
* q - output location for DSA (q) parameter
|
|
|
|
|
* qSz - [IN/OUT] size of output buffer for q, size of q
|
|
|
|
|
* g - output location for DSA (g) parameter
|
|
|
|
|
* gSz - [IN/OUT] size of output buffer for g, size of g
|
|
|
|
|
*
|
2018-01-10 10:21:58 -07:00
|
|
|
* If p, q, and g pointers are all passed in as NULL, the function
|
|
|
|
|
* will set pSz, qSz, and gSz to the required output buffer sizes for p,
|
|
|
|
|
* q, and g. In this case, the function will return LENGTH_ONLY_E.
|
|
|
|
|
*
|
2018-01-08 09:58:03 -07:00
|
|
|
* returns 0 on success, negative upon failure
|
|
|
|
|
*/
|
|
|
|
|
int wc_DsaExportParamsRaw(DsaKey* dsa, byte* p, word32* pSz,
|
|
|
|
|
byte* q, word32* qSz, byte* g, word32* gSz)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
2018-01-10 10:21:58 -07:00
|
|
|
word32 pLen, qLen, gLen;
|
|
|
|
|
|
|
|
|
|
if (dsa == NULL || pSz == NULL || qSz == NULL || gSz == NULL)
|
|
|
|
|
return BAD_FUNC_ARG;
|
2018-01-08 09:58:03 -07:00
|
|
|
|
2018-01-10 10:21:58 -07:00
|
|
|
/* get required output buffer sizes */
|
|
|
|
|
pLen = mp_unsigned_bin_size(&dsa->p);
|
|
|
|
|
qLen = mp_unsigned_bin_size(&dsa->q);
|
|
|
|
|
gLen = mp_unsigned_bin_size(&dsa->g);
|
|
|
|
|
|
|
|
|
|
/* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
|
|
|
|
|
if (p == NULL && q == NULL && g == NULL) {
|
|
|
|
|
*pSz = pLen;
|
|
|
|
|
*qSz = qLen;
|
|
|
|
|
*gSz = gLen;
|
|
|
|
|
return LENGTH_ONLY_E;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p == NULL || q == NULL || g == NULL)
|
2018-01-08 09:58:03 -07:00
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
|
|
|
|
|
/* export p */
|
2018-01-10 10:21:58 -07:00
|
|
|
if (*pSz < pLen) {
|
|
|
|
|
WOLFSSL_MSG("Output buffer for DSA p parameter too small, "
|
|
|
|
|
"required size placed into pSz");
|
|
|
|
|
*pSz = pLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
return BUFFER_E;
|
|
|
|
|
}
|
2018-01-10 10:21:58 -07:00
|
|
|
*pSz = pLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
err = mp_to_unsigned_bin(&dsa->p, p);
|
|
|
|
|
|
|
|
|
|
/* export q */
|
|
|
|
|
if (err == MP_OKAY) {
|
2018-01-10 10:21:58 -07:00
|
|
|
if (*qSz < qLen) {
|
|
|
|
|
WOLFSSL_MSG("Output buffer for DSA q parameter too small, "
|
|
|
|
|
"required size placed into qSz");
|
|
|
|
|
*qSz = qLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
return BUFFER_E;
|
|
|
|
|
}
|
2018-01-10 10:21:58 -07:00
|
|
|
*qSz = qLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
err = mp_to_unsigned_bin(&dsa->q, q);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* export g */
|
|
|
|
|
if (err == MP_OKAY) {
|
2018-01-10 10:21:58 -07:00
|
|
|
if (*gSz < gLen) {
|
|
|
|
|
WOLFSSL_MSG("Output buffer for DSA g parameter too small, "
|
|
|
|
|
"required size placed into gSz");
|
|
|
|
|
*gSz = gLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
return BUFFER_E;
|
|
|
|
|
}
|
2018-01-10 10:21:58 -07:00
|
|
|
*gSz = gLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
err = mp_to_unsigned_bin(&dsa->g, g);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Export raw DSA key (x, y) from DsaKey structure
|
|
|
|
|
*
|
|
|
|
|
* dsa - pointer to initialized DsaKey structure
|
|
|
|
|
* x - output location for private key
|
|
|
|
|
* xSz - [IN/OUT] size of output buffer for x, size of x
|
|
|
|
|
* y - output location for public key
|
|
|
|
|
* ySz - [IN/OUT] size of output buffer for y, size of y
|
|
|
|
|
*
|
2018-01-10 10:21:58 -07:00
|
|
|
* If x and y pointers are all passed in as NULL, the function
|
|
|
|
|
* will set xSz and ySz to the required output buffer sizes for x
|
|
|
|
|
* and y. In this case, the function will return LENGTH_ONLY_E.
|
|
|
|
|
*
|
2018-01-08 09:58:03 -07:00
|
|
|
* returns 0 on success, negative upon failure
|
|
|
|
|
*/
|
|
|
|
|
int wc_DsaExportKeyRaw(DsaKey* dsa, byte* x, word32* xSz, byte* y, word32* ySz)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
2018-01-10 10:21:58 -07:00
|
|
|
word32 xLen, yLen;
|
|
|
|
|
|
|
|
|
|
if (dsa == NULL || xSz == NULL || ySz == NULL)
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
|
|
|
|
|
/* get required output buffer sizes */
|
|
|
|
|
xLen = mp_unsigned_bin_size(&dsa->x);
|
|
|
|
|
yLen = mp_unsigned_bin_size(&dsa->y);
|
|
|
|
|
|
|
|
|
|
/* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
|
|
|
|
|
if (x == NULL && y == NULL) {
|
|
|
|
|
*xSz = xLen;
|
|
|
|
|
*ySz = yLen;
|
|
|
|
|
return LENGTH_ONLY_E;
|
|
|
|
|
}
|
2018-01-08 09:58:03 -07:00
|
|
|
|
2018-01-10 10:21:58 -07:00
|
|
|
if (x == NULL || y == NULL)
|
2018-01-08 09:58:03 -07:00
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
|
|
|
|
|
/* export x */
|
2018-01-10 10:21:58 -07:00
|
|
|
if (*xSz < xLen) {
|
|
|
|
|
WOLFSSL_MSG("Output buffer for DSA private key (x) too small, "
|
|
|
|
|
"required size placed into xSz");
|
|
|
|
|
*xSz = xLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
return BUFFER_E;
|
|
|
|
|
}
|
2018-01-10 10:21:58 -07:00
|
|
|
*xSz = xLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
err = mp_to_unsigned_bin(&dsa->x, x);
|
|
|
|
|
|
|
|
|
|
/* export y */
|
|
|
|
|
if (err == MP_OKAY) {
|
2018-01-10 10:21:58 -07:00
|
|
|
if (*ySz < yLen) {
|
|
|
|
|
WOLFSSL_MSG("Output buffer to DSA public key (y) too small, "
|
|
|
|
|
"required size placed into ySz");
|
|
|
|
|
*ySz = yLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
return BUFFER_E;
|
|
|
|
|
}
|
2018-01-10 10:21:58 -07:00
|
|
|
*ySz = yLen;
|
2018-01-08 09:58:03 -07:00
|
|
|
err = mp_to_unsigned_bin(&dsa->y, y);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2015-08-07 11:53:19 -06:00
|
|
|
int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
|
2014-12-17 14:37:13 -07:00
|
|
|
{
|
2019-07-26 09:08:23 +10:00
|
|
|
mp_int k, kInv, r, s, H;
|
2019-11-28 11:06:27 +10:00
|
|
|
#ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME
|
|
|
|
|
mp_int b;
|
|
|
|
|
#endif
|
2019-07-26 09:08:23 +10:00
|
|
|
mp_int* qMinus1;
|
|
|
|
|
int ret = 0, sz;
|
|
|
|
|
byte buffer[DSA_HALF_SIZE];
|
|
|
|
|
byte* tmp; /* initial output pointer */
|
2017-06-13 09:33:42 -06:00
|
|
|
|
|
|
|
|
if (digest == NULL || out == NULL || key == NULL || rng == NULL) {
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = out;
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2016-04-01 15:45:53 -07:00
|
|
|
sz = min((int)sizeof(buffer), mp_unsigned_bin_size(&key->q));
|
2017-01-31 16:42:06 -08:00
|
|
|
|
2019-11-28 11:06:27 +10:00
|
|
|
#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
|
2014-12-17 14:37:13 -07:00
|
|
|
if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
|
2019-11-28 11:06:27 +10:00
|
|
|
#else
|
|
|
|
|
if (mp_init_multi(&k, &kInv, &r, &s, &H, &b) != MP_OKAY)
|
|
|
|
|
#endif
|
|
|
|
|
{
|
2014-12-17 14:37:13 -07:00
|
|
|
return MP_INIT_E;
|
2019-11-28 11:06:27 +10:00
|
|
|
}
|
2019-07-26 09:08:23 +10:00
|
|
|
qMinus1 = &kInv;
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2019-07-26 09:08:23 +10:00
|
|
|
/* NIST FIPS 186-4: B.2.2
|
|
|
|
|
* Per-Message Secret Number Generation by Testing Candidates
|
|
|
|
|
* Generate k in range [1, q-1].
|
|
|
|
|
* Check that k is less than q-1: range [0, q-2].
|
|
|
|
|
* Add 1 to k: range [1, q-1].
|
|
|
|
|
*/
|
|
|
|
|
if (mp_sub_d(&key->q, 1, qMinus1))
|
|
|
|
|
ret = MP_SUB_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0) {
|
|
|
|
|
do {
|
|
|
|
|
/* Step 4: generate k */
|
|
|
|
|
ret = wc_RNG_GenerateBlock(rng, buffer, sz);
|
|
|
|
|
|
|
|
|
|
/* Step 5 */
|
|
|
|
|
if (ret == 0 && mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
|
|
|
|
|
ret = MP_READ_E;
|
|
|
|
|
|
|
|
|
|
/* k is a random numnber and it should be less than q-1
|
|
|
|
|
* if k greater than repeat
|
|
|
|
|
*/
|
|
|
|
|
/* Step 6 */
|
|
|
|
|
} while (ret == 0 && mp_cmp(&k, qMinus1) != MP_LT);
|
|
|
|
|
}
|
|
|
|
|
/* Step 7 */
|
|
|
|
|
if (ret == 0 && mp_add_d(&k, 1, &k) != MP_OKAY)
|
|
|
|
|
ret = MP_MOD_E;
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2019-11-28 11:06:27 +10:00
|
|
|
#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
|
2014-12-17 14:37:13 -07:00
|
|
|
/* inverse k mod q */
|
|
|
|
|
if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
|
|
|
|
|
ret = MP_INVMOD_E;
|
|
|
|
|
|
|
|
|
|
/* generate r, r = (g exp k mod p) mod q */
|
2019-07-29 09:29:53 +10:00
|
|
|
if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p,
|
|
|
|
|
&r) != MP_OKAY) {
|
2014-12-17 14:37:13 -07:00
|
|
|
ret = MP_EXPTMOD_E;
|
2019-07-29 09:29:53 +10:00
|
|
|
}
|
2014-12-17 14:37:13 -07:00
|
|
|
|
|
|
|
|
if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
|
|
|
|
|
ret = MP_MOD_E;
|
|
|
|
|
|
|
|
|
|
/* generate H from sha digest */
|
2017-09-25 18:47:36 -07:00
|
|
|
if (ret == 0 && mp_read_unsigned_bin(&H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
|
2014-12-17 14:37:13 -07:00
|
|
|
ret = MP_READ_E;
|
|
|
|
|
|
|
|
|
|
/* generate s, s = (kInv * (H + x*r)) % q */
|
|
|
|
|
if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_MUL_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_ADD_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
2019-11-28 11:06:27 +10:00
|
|
|
#else
|
|
|
|
|
/* Blinding value
|
|
|
|
|
* Generate b in range [1, q-1].
|
|
|
|
|
*/
|
|
|
|
|
if (ret == 0) {
|
|
|
|
|
do {
|
|
|
|
|
ret = wc_RNG_GenerateBlock(rng, buffer, sz);
|
|
|
|
|
if (ret == 0 && mp_read_unsigned_bin(&b, buffer, sz) != MP_OKAY)
|
|
|
|
|
ret = MP_READ_E;
|
|
|
|
|
} while (ret == 0 && mp_cmp(&b, qMinus1) != MP_LT);
|
|
|
|
|
}
|
|
|
|
|
if (ret == 0 && mp_add_d(&b, 1, &b) != MP_OKAY)
|
|
|
|
|
ret = MP_MOD_E;
|
|
|
|
|
|
|
|
|
|
/* set H from sha digest */
|
|
|
|
|
if (ret == 0 && mp_read_unsigned_bin(&H, digest,
|
|
|
|
|
WC_SHA_DIGEST_SIZE) != MP_OKAY) {
|
|
|
|
|
ret = MP_READ_E;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* generate r, r = (g exp k mod p) mod q */
|
|
|
|
|
if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p,
|
|
|
|
|
&r) != MP_OKAY) {
|
|
|
|
|
ret = MP_EXPTMOD_E;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* calculate s = (H + xr)/k
|
|
|
|
|
= b.(H/k.b + x.r/k.b) */
|
|
|
|
|
|
|
|
|
|
/* k = k.b */
|
|
|
|
|
if (ret == 0 && mp_mulmod(&k, &b, &key->q, &k) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* kInv = 1/k.b mod q */
|
|
|
|
|
if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
|
|
|
|
|
ret = MP_INVMOD_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
|
|
|
|
|
ret = MP_MOD_E;
|
|
|
|
|
|
|
|
|
|
/* s = x.r */
|
|
|
|
|
if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_MUL_E;
|
|
|
|
|
|
|
|
|
|
/* s = x.r/k.b */
|
|
|
|
|
if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* H = H/k.b */
|
|
|
|
|
if (ret == 0 && mp_mulmod(&H, &kInv, &key->q, &H) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* s = H/k.b + x.r/k.b
|
|
|
|
|
= (H + x.r)/k.b */
|
|
|
|
|
if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_ADD_E;
|
|
|
|
|
|
|
|
|
|
/* s = b.(e + x.r)/k.b
|
|
|
|
|
= (e + x.r)/k */
|
|
|
|
|
if (ret == 0 && mp_mulmod(&s, &b, &key->q, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* s = (e + x.r)/k */
|
|
|
|
|
if (ret == 0 && mp_mod(&s, &key->q, &s) != MP_OKAY)
|
|
|
|
|
ret = MP_MOD_E;
|
|
|
|
|
#endif
|
2014-12-17 14:37:13 -07:00
|
|
|
|
2016-09-22 12:04:48 -07:00
|
|
|
/* detect zero r or s */
|
|
|
|
|
if (ret == 0 && (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES))
|
|
|
|
|
ret = MP_ZERO_E;
|
|
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
/* write out */
|
|
|
|
|
if (ret == 0) {
|
|
|
|
|
int rSz = mp_unsigned_bin_size(&r);
|
|
|
|
|
int sSz = mp_unsigned_bin_size(&s);
|
|
|
|
|
|
2016-09-21 18:51:11 -07:00
|
|
|
while (rSz++ < DSA_HALF_SIZE) {
|
|
|
|
|
*out++ = 0x00; /* pad front with zeros */
|
2014-12-17 14:37:13 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (mp_to_unsigned_bin(&r, out) != MP_OKAY)
|
|
|
|
|
ret = MP_TO_E;
|
|
|
|
|
else {
|
2016-09-21 18:51:11 -07:00
|
|
|
out = tmp + DSA_HALF_SIZE; /* advance to s in output */
|
|
|
|
|
while (sSz++ < DSA_HALF_SIZE) {
|
|
|
|
|
*out++ = 0x00; /* pad front with zeros */
|
|
|
|
|
}
|
|
|
|
|
ret = mp_to_unsigned_bin(&s, out);
|
2014-12-17 14:37:13 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-28 11:06:27 +10:00
|
|
|
ForceZero(buffer, sz);
|
|
|
|
|
mp_forcezero(&kInv);
|
|
|
|
|
mp_forcezero(&k);
|
|
|
|
|
#ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME
|
|
|
|
|
mp_forcezero(&b);
|
|
|
|
|
|
|
|
|
|
mp_clear(&b);
|
|
|
|
|
#endif
|
2014-12-17 14:37:13 -07:00
|
|
|
mp_clear(&H);
|
|
|
|
|
mp_clear(&s);
|
|
|
|
|
mp_clear(&r);
|
|
|
|
|
mp_clear(&kInv);
|
|
|
|
|
mp_clear(&k);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
|
|
|
|
|
{
|
|
|
|
|
mp_int w, u1, u2, v, r, s;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
2017-06-13 09:33:42 -06:00
|
|
|
if (digest == NULL || sig == NULL || key == NULL || answer == NULL) {
|
|
|
|
|
return BAD_FUNC_ARG;
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-17 14:37:13 -07:00
|
|
|
if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY)
|
|
|
|
|
return MP_INIT_E;
|
|
|
|
|
|
|
|
|
|
/* set r and s from signature */
|
|
|
|
|
if (mp_read_unsigned_bin(&r, sig, DSA_HALF_SIZE) != MP_OKAY ||
|
|
|
|
|
mp_read_unsigned_bin(&s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY)
|
|
|
|
|
ret = MP_READ_E;
|
|
|
|
|
|
|
|
|
|
/* sanity checks */
|
2015-05-07 15:10:33 -07:00
|
|
|
if (ret == 0) {
|
|
|
|
|
if (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES ||
|
|
|
|
|
mp_cmp(&r, &key->q) != MP_LT || mp_cmp(&s, &key->q) != MP_LT) {
|
|
|
|
|
ret = MP_ZERO_E;
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-12-17 14:37:13 -07:00
|
|
|
|
|
|
|
|
/* put H into u1 from sha digest */
|
2017-09-25 18:47:36 -07:00
|
|
|
if (ret == 0 && mp_read_unsigned_bin(&u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
|
2014-12-17 14:37:13 -07:00
|
|
|
ret = MP_READ_E;
|
|
|
|
|
|
|
|
|
|
/* w = s invmod q */
|
|
|
|
|
if (ret == 0 && mp_invmod(&s, &key->q, &w) != MP_OKAY)
|
|
|
|
|
ret = MP_INVMOD_E;
|
|
|
|
|
|
|
|
|
|
/* u1 = (H * w) % q */
|
|
|
|
|
if (ret == 0 && mp_mulmod(&u1, &w, &key->q, &u1) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* u2 = (r * w) % q */
|
|
|
|
|
if (ret == 0 && mp_mulmod(&r, &w, &key->q, &u2) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* verify v = ((g^u1 * y^u2) mod p) mod q */
|
|
|
|
|
if (ret == 0 && mp_exptmod(&key->g, &u1, &key->p, &u1) != MP_OKAY)
|
|
|
|
|
ret = MP_EXPTMOD_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0 && mp_exptmod(&key->y, &u2, &key->p, &u2) != MP_OKAY)
|
|
|
|
|
ret = MP_EXPTMOD_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0 && mp_mulmod(&u1, &u2, &key->p, &v) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
if (ret == 0 && mp_mod(&v, &key->q, &v) != MP_OKAY)
|
|
|
|
|
ret = MP_MULMOD_E;
|
|
|
|
|
|
|
|
|
|
/* do they match */
|
|
|
|
|
if (ret == 0 && mp_cmp(&r, &v) == MP_EQ)
|
|
|
|
|
*answer = 1;
|
|
|
|
|
else
|
|
|
|
|
*answer = 0;
|
|
|
|
|
|
|
|
|
|
mp_clear(&s);
|
|
|
|
|
mp_clear(&r);
|
|
|
|
|
mp_clear(&u1);
|
|
|
|
|
mp_clear(&u2);
|
|
|
|
|
mp_clear(&w);
|
|
|
|
|
mp_clear(&v);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#endif /* NO_DSA */
|
|
|
|
|
|
