This commit was manufactured by cvs2git to create branch 'unlabeled-1.1.1'.

author: cvs2svn <admin@example.com> 2002-05-15 02:29:24 +0000
committer: cvs2svn <admin@example.com> 2002-05-15 02:29:24 +0000
commit: 027351f729b9e837200dae6e1520cda6577ab930 (patch)
tree: e25a717057aa4529e433fc3b1fac8d4df8db3a5c /src/lib/libcrypto/dsa/dsa_ossl.c
parent: aeeae06a79815dc190061534d47236cec09f9e32 (diff)
download: openbsd-027351f729b9e837200dae6e1520cda6577ab930.tar.gz
openbsd-027351f729b9e837200dae6e1520cda6577ab930.tar.bz2
openbsd-027351f729b9e837200dae6e1520cda6577ab930.zip
1 files changed, 321 insertions, 0 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
new file mode 100644
index 0000000000..b51cf6ad8d
--- /dev/null
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -0,0 +1,321 @@
+/* crypto/dsa/dsa_ossl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/asn1.h>
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+                  DSA *dsa);
+static int dsa_init(DSA *dsa);
+static int dsa_finish(DSA *dsa);
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *in_mont);
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx);
+static DSA_METHOD openssl_dsa_meth = {
+"OpenSSL DSA method",
+dsa_do_sign,
+dsa_sign_setup,
+dsa_do_verify,
+dsa_mod_exp,
+dsa_bn_mod_exp,
+dsa_init,
+dsa_finish,
+0,
+NULL
+};
+DSA_METHOD *DSA_OpenSSL(void)
+{
+        return &openssl_dsa_meth;
+}
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+        {
+        BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
+        BIGNUM m;
+        BIGNUM xr;
+        BN_CTX *ctx=NULL;
+        int i,reason=ERR_R_BN_LIB;
+        DSA_SIG *ret=NULL;
+        BN_init(&m);
+        BN_init(&xr);
+        s=BN_new();
+        if (s == NULL) goto err;
+        i=BN_num_bytes(dsa->q); /* should be 20 */
+        if ((dlen > i) || (dlen > 50))
+                {
+                reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+                goto err;
+                }
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+        if ((dsa->kinv == NULL) || (dsa->r == NULL))
+                {
+                if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
+                }
+        else
+                {
+                kinv=dsa->kinv;
+                dsa->kinv=NULL;
+                r=dsa->r;
+                dsa->r=NULL;
+                }
+        if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;
+        /* Compute  s = inv(k) (m + xr) mod q */
+        if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
+        if (!BN_add(s, &xr, &m)) goto err;              /* s = m + xr */
+        if (BN_cmp(s,dsa->q) > 0)
+                BN_sub(s,s,dsa->q);
+        if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
+        ret=DSA_SIG_new();
+        if (ret == NULL) goto err;
+        ret->r = r;
+        ret->s = s;
+        
+err:
+        if (!ret)
+                {
+                DSAerr(DSA_F_DSA_DO_SIGN,reason);
+                BN_free(r);
+                BN_free(s);
+                }
+        if (ctx != NULL) BN_CTX_free(ctx);
+        BN_clear_free(&m);
+        BN_clear_free(&xr);
+        if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
+            BN_clear_free(kinv);
+        return(ret);
+        }
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
+        {
+        BN_CTX *ctx;
+        BIGNUM k,*kinv=NULL,*r=NULL;
+        int ret=0;
+        if (ctx_in == NULL)
+                {
+                if ((ctx=BN_CTX_new()) == NULL) goto err;
+                }
+        else
+                ctx=ctx_in;
+        BN_init(&k);
+        if ((r=BN_new()) == NULL) goto err;
+        kinv=NULL;
+        /* Get random k */
+        for (;;)
+                {
+                if (!BN_rand(&k, BN_num_bits(dsa->q), 1, 0)) goto err;
+                if (BN_cmp(&k,dsa->q) >= 0)
+                        BN_sub(&k,&k,dsa->q);
+                if (!BN_is_zero(&k)) break;
+                }
+        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+                {
+                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                dsa->p,ctx)) goto err;
+                }
+        /* Compute r = (g^k mod p) mod q */
+        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+                (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
+        if (!BN_mod(r,r,dsa->q,ctx)) goto err;
+        /* Compute  part of 's = inv(k) (m + xr) mod q' */
+        if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
+        if (*kinvp != NULL) BN_clear_free(*kinvp);
+        *kinvp=kinv;
+        kinv=NULL;
+        if (*rp != NULL) BN_clear_free(*rp);
+        *rp=r;
+        ret=1;
+err:
+        if (!ret)
+                {
+                DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
+                if (kinv != NULL) BN_clear_free(kinv);
+                if (r != NULL) BN_clear_free(r);
+                }
+        if (ctx_in == NULL) BN_CTX_free(ctx);
+        if (kinv != NULL) BN_clear_free(kinv);
+        BN_clear_free(&k);
+        return(ret);
+        }
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+                  DSA *dsa)
+        {
+        BN_CTX *ctx;
+        BIGNUM u1,u2,t1;
+        BN_MONT_CTX *mont=NULL;
+        int ret = -1;
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+        BN_init(&u1);
+        BN_init(&u2);
+        BN_init(&t1);
+        /* Calculate W = inv(S) mod Q
+         * save W in u2 */
+        if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
+        /* save M in u1 */
+        if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
+        /* u1 = M * w mod q */
+        if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
+        /* u2 = r * w mod q */
+        if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
+        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+                {
+                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                dsa->p,ctx)) goto err;
+                }
+        mont=(BN_MONT_CTX *)dsa->method_mont_p;
+#if 0
+        {
+        BIGNUM t2;
+        BN_init(&t2);
+        /* v = ( g^u1 * y^u2 mod p ) mod q */
+        /* let t1 = g ^ u1 mod p */
+        if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
+        /* let t2 = y ^ u2 mod p */
+        if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
+        /* let u1 = t1 * t2 mod p */
+        if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
+        BN_free(&t2);
+        }
+        /* let u1 = u1 mod q */
+        if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
+#else
+        {
+        if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
+                                                dsa->p,ctx,mont)) goto err;
+        /* BN_copy(&u1,&t1); */
+        /* let u1 = u1 mod q */
+        if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
+        }
+#endif
+        /* V is now in u1.  If the signature is correct, it will be
+         * equal to R. */
+        ret=(BN_ucmp(&u1, sig->r) == 0);
+        err:
+        if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
+        if (ctx != NULL) BN_CTX_free(ctx);
+        BN_free(&u1);
+        BN_free(&u2);
+        BN_free(&t1);
+        return(ret);
+        }
+static int dsa_init(DSA *dsa)
+{
+        dsa->flags|=DSA_FLAG_CACHE_MONT_P;
+        return(1);
+}
+static int dsa_finish(DSA *dsa)
+{
+        if(dsa->method_mont_p)
+                BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
+        return(1);
+}
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+}
+        
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx)
+{
+        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+}
author	cvs2svn <admin@example.com>	2002-05-15 02:29:24 +0000
committer	cvs2svn <admin@example.com>	2002-05-15 02:29:24 +0000
commit	027351f729b9e837200dae6e1520cda6577ab930 (patch)
tree	e25a717057aa4529e433fc3b1fac8d4df8db3a5c /src/lib/libcrypto/dsa/dsa_ossl.c
parent	aeeae06a79815dc190061534d47236cec09f9e32 (diff)
download	openbsd-027351f729b9e837200dae6e1520cda6577ab930.tar.gz openbsd-027351f729b9e837200dae6e1520cda6577ab930.tar.bz2 openbsd-027351f729b9e837200dae6e1520cda6577ab930.zip

diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c new file mode 100644 index 0000000000..b51cf6ad8d --- /dev/null +++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -0,0 +1,321 @@
	1	/* crypto/dsa/dsa_ossl.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
	60
	61	#include <stdio.h>
	62	#include "cryptlib.h"
	63	#include <openssl/bn.h>
	64	#include <openssl/dsa.h>
	65	#include <openssl/rand.h>
	66	#include <openssl/asn1.h>
	67
	68	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa);
	69	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp);
	70	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
	71	DSA *dsa);
	72	static int dsa_init(DSA *dsa);
	73	static int dsa_finish(DSA *dsa);
	74	static int dsa_mod_exp(DSA dsa, BIGNUM rr, BIGNUM a1, BIGNUM p1,
	75	BIGNUM a2, BIGNUM p2, BIGNUM m, BN_CTX ctx,
	76	BN_MONT_CTX *in_mont);
	77	static int dsa_bn_mod_exp(DSA dsa, BIGNUM r, BIGNUM a, const BIGNUM p,
	78	const BIGNUM m, BN_CTX ctx,
	79	BN_MONT_CTX *m_ctx);
	80
	81	static DSA_METHOD openssl_dsa_meth = {
	82	"OpenSSL DSA method",
	83	dsa_do_sign,
	84	dsa_sign_setup,
	85	dsa_do_verify,
	86	dsa_mod_exp,
	87	dsa_bn_mod_exp,
	88	dsa_init,
	89	dsa_finish,
	90	0,
	91	NULL
	92	};
	93
	94	DSA_METHOD *DSA_OpenSSL(void)
	95	{
	96	return &openssl_dsa_meth;
	97	}
	98
	99	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa)
	100	{
	101	BIGNUM kinv=NULL,r=NULL,*s=NULL;
	102	BIGNUM m;
	103	BIGNUM xr;
	104	BN_CTX *ctx=NULL;
	105	int i,reason=ERR_R_BN_LIB;
	106	DSA_SIG *ret=NULL;
	107
	108	BN_init(&m);
	109	BN_init(&xr);
	110	s=BN_new();
	111	if (s == NULL) goto err;
	112
	113	i=BN_num_bytes(dsa->q); /* should be 20 */
	114	if ((dlen > i) \|\| (dlen > 50))
	115	{
	116	reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
	117	goto err;
	118	}
	119
	120	ctx=BN_CTX_new();
	121	if (ctx == NULL) goto err;
	122
	123	if ((dsa->kinv == NULL) \|\| (dsa->r == NULL))
	124	{
	125	if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
	126	}
	127	else
	128	{
	129	kinv=dsa->kinv;
	130	dsa->kinv=NULL;
	131	r=dsa->r;
	132	dsa->r=NULL;
	133	}
	134
	135	if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;
	136
	137	/* Compute s = inv(k) (m + xr) mod q */
	138	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
	139	if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */
	140	if (BN_cmp(s,dsa->q) > 0)
	141	BN_sub(s,s,dsa->q);
	142	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
	143
	144	ret=DSA_SIG_new();
	145	if (ret == NULL) goto err;
	146	ret->r = r;
	147	ret->s = s;
	148
	149	err:
	150	if (!ret)
	151	{
	152	DSAerr(DSA_F_DSA_DO_SIGN,reason);
	153	BN_free(r);
	154	BN_free(s);
	155	}
	156	if (ctx != NULL) BN_CTX_free(ctx);
	157	BN_clear_free(&m);
	158	BN_clear_free(&xr);
	159	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
	160	BN_clear_free(kinv);
	161	return(ret);
	162	}
	163
	164	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
	165	{
	166	BN_CTX *ctx;
	167	BIGNUM k,kinv=NULL,r=NULL;
	168	int ret=0;
	169
	170	if (ctx_in == NULL)
	171	{
	172	if ((ctx=BN_CTX_new()) == NULL) goto err;
	173	}
	174	else
	175	ctx=ctx_in;
	176
	177	BN_init(&k);
	178	if ((r=BN_new()) == NULL) goto err;
	179	kinv=NULL;
	180
	181	/* Get random k */
	182	for (;;)
	183	{
	184	if (!BN_rand(&k, BN_num_bits(dsa->q), 1, 0)) goto err;
	185	if (BN_cmp(&k,dsa->q) >= 0)
	186	BN_sub(&k,&k,dsa->q);
	187	if (!BN_is_zero(&k)) break;
	188	}
	189
	190	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
	191	{
	192	if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
	193	if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
	194	dsa->p,ctx)) goto err;
	195	}
	196
	197	/* Compute r = (g^k mod p) mod q */
	198	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
	199	(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
	200	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
	201
	202	/* Compute part of 's = inv(k) (m + xr) mod q' */
	203	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
	204
	205	if (kinvp != NULL) BN_clear_free(kinvp);
	206	*kinvp=kinv;
	207	kinv=NULL;
	208	if (rp != NULL) BN_clear_free(rp);
	209	*rp=r;
	210	ret=1;
	211	err:
	212	if (!ret)
	213	{
	214	DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
	215	if (kinv != NULL) BN_clear_free(kinv);
	216	if (r != NULL) BN_clear_free(r);
	217	}
	218	if (ctx_in == NULL) BN_CTX_free(ctx);
	219	if (kinv != NULL) BN_clear_free(kinv);
	220	BN_clear_free(&k);
	221	return(ret);
	222	}
	223
	224	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
	225	DSA *dsa)
	226	{
	227	BN_CTX *ctx;
	228	BIGNUM u1,u2,t1;
	229	BN_MONT_CTX *mont=NULL;
	230	int ret = -1;
	231
	232	if ((ctx=BN_CTX_new()) == NULL) goto err;
	233	BN_init(&u1);
	234	BN_init(&u2);
	235	BN_init(&t1);
	236
	237	/* Calculate W = inv(S) mod Q
	238	* save W in u2 */
	239	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
	240
	241	/* save M in u1 */
	242	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
	243
	244	/* u1 = M * w mod q */
	245	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
	246
	247	/* u2 = r * w mod q */
	248	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
	249
	250	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
	251	{
	252	if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
	253	if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
	254	dsa->p,ctx)) goto err;
	255	}
	256	mont=(BN_MONT_CTX *)dsa->method_mont_p;
	257
	258	#if 0
	259	{
	260	BIGNUM t2;
	261
	262	BN_init(&t2);
	263	/* v = ( g^u1 * y^u2 mod p ) mod q */
	264	/* let t1 = g ^ u1 mod p */
	265	if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
	266	/* let t2 = y ^ u2 mod p */
	267	if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
	268	/* let u1 = t1 * t2 mod p */
	269	if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
	270	BN_free(&t2);
	271	}
	272	/* let u1 = u1 mod q */
	273	if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
	274	#else
	275	{
	276	if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
	277	dsa->p,ctx,mont)) goto err;
	278	/* BN_copy(&u1,&t1); */
	279	/* let u1 = u1 mod q */
	280	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
	281	}
	282	#endif
	283	/* V is now in u1. If the signature is correct, it will be
	284	* equal to R. */
	285	ret=(BN_ucmp(&u1, sig->r) == 0);
	286
	287	err:
	288	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
	289	if (ctx != NULL) BN_CTX_free(ctx);
	290	BN_free(&u1);
	291	BN_free(&u2);
	292	BN_free(&t1);
	293	return(ret);
	294	}
	295
	296	static int dsa_init(DSA *dsa)
	297	{
	298	dsa->flags\|=DSA_FLAG_CACHE_MONT_P;
	299	return(1);
	300	}
	301
	302	static int dsa_finish(DSA *dsa)
	303	{
	304	if(dsa->method_mont_p)
	305	BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
	306	return(1);
	307	}
	308
	309	static int dsa_mod_exp(DSA dsa, BIGNUM rr, BIGNUM a1, BIGNUM p1,
	310	BIGNUM a2, BIGNUM p2, BIGNUM m, BN_CTX ctx,
	311	BN_MONT_CTX *in_mont)
	312	{
	313	return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
	314	}
	315
	316	static int dsa_bn_mod_exp(DSA dsa, BIGNUM r, BIGNUM a, const BIGNUM p,
	317	const BIGNUM m, BN_CTX ctx,
	318	BN_MONT_CTX *m_ctx)
	319	{
	320	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
	321	}