| author | miod <> | 2014-07-09 10:16:24 +0000 | 
|---|---|---|
| committer | miod <> | 2014-07-09 10:16:24 +0000 | 
| commit | 8d28b2bf57f7e00739466371d21495941076bf89 (patch) | |
| tree | 9316d73cdc8c916f7b3c4bf0de6c3ad956b5f6da /src/lib/libcrypto/dsa/dsa_ossl.c | |
| parent | 54273e9b127b0bf3d689158719a7a7ca58ac6f75 (diff) | |
KNF
Diffstat (limited to 'src/lib/libcrypto/dsa/dsa_ossl.c')
| -rw-r--r-- | src/lib/libcrypto/dsa/dsa_ossl.c | 392 | 
1 files changed, 206 insertions, 186 deletions
| diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 61a20f41a7..17119eb187 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_ossl.c,v 1.18 2014/06/27 06:07:35 deraadt Exp $ */ | 1 | /* $OpenBSD: dsa_ossl.c,v 1.19 2014/07/09 10:16:24 miod Exp $ */ | 
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 
| 3 | * All rights reserved. | 3 | * All rights reserved. | 
| 4 | * | 4 | * | 
| @@ -67,9 +67,10 @@ | |||
| 67 | #include <openssl/asn1.h> | 67 | #include <openssl/asn1.h> | 
| 68 | 68 | ||
| 69 | static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); | 69 | static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); | 
| 70 | static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); | 70 | static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, | 
| 71 | BIGNUM **rp); | ||
| 71 | static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, | 72 | static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, | 
| 72 | DSA *dsa); | 73 | DSA *dsa); | 
| 73 | static int dsa_init(DSA *dsa); | 74 | static int dsa_init(DSA *dsa); | 
| 74 | static int dsa_finish(DSA *dsa); | 75 | static int dsa_finish(DSA *dsa); | 
| 75 | 76 | ||
| @@ -82,7 +83,8 @@ static DSA_METHOD openssl_dsa_meth = { | |||
| 82 | .finish = dsa_finish | 83 | .finish = dsa_finish | 
| 83 | }; | 84 | }; | 
| 84 | 85 | ||
| 85 | /* These macro wrappers replace attempts to use the dsa_mod_exp() and | 86 | /* | 
| 87 | * These macro wrappers replace attempts to use the dsa_mod_exp() and | ||
| 86 | * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of | 88 | * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of | 
| 87 | * having a the macro work as an expression by bundling an "err_instr". So; | 89 | * having a the macro work as an expression by bundling an "err_instr". So; | 
| 88 | * | 90 | * | 
| @@ -96,315 +98,333 @@ static DSA_METHOD openssl_dsa_meth = { | |||
| 96 | */ | 98 | */ | 
| 97 | 99 | ||
| 98 | #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ | 100 | #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ | 
| 99 | do { \ | 101 | do { \ | 
| 100 | int _tmp_res53; \ | 102 | int _tmp_res53; \ | 
| 101 | if((dsa)->meth->dsa_mod_exp) \ | 103 | if ((dsa)->meth->dsa_mod_exp) \ | 
| 102 | _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \ | 104 | _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \ | 
| 103 | (a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | 105 | (a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | 
| 104 | else \ | 106 | else \ | 
| 105 | _tmp_res53 = BN_mod_exp2_mont((rr), (a1), \ | 107 | _tmp_res53 = BN_mod_exp2_mont((rr), (a1), \ | 
| 106 | (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | 108 | (p1), (a2), (p2), (m), (ctx), (in_mont)); \ | 
| 107 | if(!_tmp_res53) \ | 109 | if (!_tmp_res53) \ | 
| 108 | err_instr; \ | 110 | err_instr; \ | 
| 109 | } while(0) | 111 | } while(0) | 
| 110 | 112 | ||
| 111 | #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ | 113 | #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ | 
| 112 | do { \ | 114 | do { \ | 
| 113 | int _tmp_res53; \ | 115 | int _tmp_res53; \ | 
| 114 | if((dsa)->meth->bn_mod_exp) \ | 116 | if ((dsa)->meth->bn_mod_exp) \ | 
| 115 | _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \ | 117 | _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \ | 
| 116 | (a), (p), (m), (ctx), (m_ctx)); \ | 118 | (a), (p), (m), (ctx), (m_ctx)); \ | 
| 117 | else \ | 119 | else \ | 
| 118 | _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \ | 120 | _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \ | 
| 119 | (ctx), (m_ctx)); \ | 121 | (ctx), (m_ctx)); \ | 
| 120 | if(!_tmp_res53) \ | 122 | if (!_tmp_res53) \ | 
| 121 | err_instr; \ | 123 | err_instr; \ | 
| 122 | } while(0) | 124 | } while(0) | 
| 123 | 125 | ||
| 124 | const DSA_METHOD *DSA_OpenSSL(void) | 126 | const DSA_METHOD * | 
| 127 | DSA_OpenSSL(void) | ||
| 125 | { | 128 | { | 
| 126 | return &openssl_dsa_meth; | 129 | return &openssl_dsa_meth; | 
| 127 | } | 130 | } | 
| 128 | 131 | ||
| 129 | static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) | 132 | static DSA_SIG * | 
| 130 | { | 133 | dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) | 
| 131 | BIGNUM *kinv=NULL,*r=NULL,*s=NULL; | 134 | { | 
| 135 | BIGNUM *kinv = NULL, *r = NULL, *s = NULL; | ||
| 132 | BIGNUM m; | 136 | BIGNUM m; | 
| 133 | BIGNUM xr; | 137 | BIGNUM xr; | 
| 134 | BN_CTX *ctx=NULL; | 138 | BN_CTX *ctx = NULL; | 
| 135 | int reason=ERR_R_BN_LIB; | 139 | int reason = ERR_R_BN_LIB; | 
| 136 | DSA_SIG *ret=NULL; | 140 | DSA_SIG *ret = NULL; | 
| 137 | int noredo = 0; | 141 | int noredo = 0; | 
| 138 | 142 | ||
| 139 | BN_init(&m); | 143 | BN_init(&m); | 
| 140 | BN_init(&xr); | 144 | BN_init(&xr); | 
| 141 | 145 | ||
| 142 | if (!dsa->p || !dsa->q || !dsa->g) | 146 | if (!dsa->p || !dsa->q || !dsa->g) { | 
| 143 | { | 147 | reason = DSA_R_MISSING_PARAMETERS; | 
| 144 | reason=DSA_R_MISSING_PARAMETERS; | ||
| 145 | goto err; | 148 | goto err; | 
| 146 | } | 149 | } | 
| 147 | 150 | ||
| 148 | s=BN_new(); | 151 | s = BN_new(); | 
| 149 | if (s == NULL) goto err; | 152 | if (s == NULL) | 
| 150 | ctx=BN_CTX_new(); | 153 | goto err; | 
| 151 | if (ctx == NULL) goto err; | 154 | ctx = BN_CTX_new(); | 
| 155 | if (ctx == NULL) | ||
| 156 | goto err; | ||
| 152 | redo: | 157 | redo: | 
| 153 | if ((dsa->kinv == NULL) || (dsa->r == NULL)) | 158 | if (dsa->kinv == NULL || dsa->r == NULL) { | 
| 154 | { | 159 | if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) | 
| 155 | if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err; | 160 | goto err; | 
| 156 | } | 161 | } else { | 
| 157 | else | 162 | kinv = dsa->kinv; | 
| 158 | { | 163 | dsa->kinv = NULL; | 
| 159 | kinv=dsa->kinv; | 164 | r = dsa->r; | 
| 160 | dsa->kinv=NULL; | 165 | dsa->r = NULL; | 
| 161 | r=dsa->r; | ||
| 162 | dsa->r=NULL; | ||
| 163 | noredo = 1; | 166 | noredo = 1; | 
| 164 | } | 167 | } | 
| 165 | 168 | ||
| 166 | 169 | ||
| 170 | /* | ||
| 171 | * If the digest length is greater than the size of q use the | ||
| 172 | * BN_num_bits(dsa->q) leftmost bits of the digest, see | ||
| 173 | * fips 186-3, 4.2 | ||
| 174 | */ | ||
| 167 | if (dlen > BN_num_bytes(dsa->q)) | 175 | if (dlen > BN_num_bytes(dsa->q)) | 
| 168 | /* if the digest length is greater than the size of q use the | ||
| 169 | * BN_num_bits(dsa->q) leftmost bits of the digest, see | ||
| 170 | * fips 186-3, 4.2 */ | ||
| 171 | dlen = BN_num_bytes(dsa->q); | 176 | dlen = BN_num_bytes(dsa->q); | 
| 172 | if (BN_bin2bn(dgst,dlen,&m) == NULL) | 177 | if (BN_bin2bn(dgst,dlen,&m) == NULL) | 
| 173 | goto err; | 178 | goto err; | 
| 174 | 179 | ||
| 175 | /* Compute s = inv(k) (m + xr) mod q */ | 180 | /* Compute s = inv(k) (m + xr) mod q */ | 
| 176 | if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ | 181 | if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */ | 
| 177 | if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */ | 182 | goto err; | 
| 178 | if (BN_cmp(s,dsa->q) > 0) | 183 | if (!BN_add(s, &xr, &m)) /* s = m + xr */ | 
| 179 | if (!BN_sub(s,s,dsa->q)) goto err; | 184 | goto err; | 
| 180 | if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; | 185 | if (BN_cmp(s, dsa->q) > 0) | 
| 181 | 186 | if (!BN_sub(s, s, dsa->q)) | |
| 182 | ret=DSA_SIG_new(); | 187 | goto err; | 
| 183 | if (ret == NULL) goto err; | 188 | if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) | 
| 184 | /* Redo if r or s is zero as required by FIPS 186-3: this is | 189 | goto err; | 
| 190 | |||
| 191 | ret = DSA_SIG_new(); | ||
| 192 | if (ret == NULL) | ||
| 193 | goto err; | ||
| 194 | /* | ||
| 195 | * Redo if r or s is zero as required by FIPS 186-3: this is | ||
| 185 | * very unlikely. | 196 | * very unlikely. | 
| 186 | */ | 197 | */ | 
| 187 | if (BN_is_zero(r) || BN_is_zero(s)) | 198 | if (BN_is_zero(r) || BN_is_zero(s)) { | 
| 188 | { | 199 | if (noredo) { | 
| 189 | if (noredo) | ||
| 190 | { | ||
| 191 | reason = DSA_R_NEED_NEW_SETUP_VALUES; | 200 | reason = DSA_R_NEED_NEW_SETUP_VALUES; | 
| 192 | goto err; | 201 | goto err; | 
| 193 | } | ||
| 194 | goto redo; | ||
| 195 | } | 202 | } | 
| 203 | goto redo; | ||
| 204 | } | ||
| 196 | ret->r = r; | 205 | ret->r = r; | 
| 197 | ret->s = s; | 206 | ret->s = s; | 
| 198 | 207 | ||
| 199 | err: | 208 | err: | 
| 200 | if (!ret) | 209 | if (!ret) { | 
| 201 | { | 210 | DSAerr(DSA_F_DSA_DO_SIGN, reason); | 
| 202 | DSAerr(DSA_F_DSA_DO_SIGN,reason); | ||
| 203 | BN_free(r); | 211 | BN_free(r); | 
| 204 | BN_free(s); | 212 | BN_free(s); | 
| 205 | } | 213 | } | 
| 206 | if (ctx != NULL) BN_CTX_free(ctx); | 214 | if (ctx != NULL) | 
| 215 | BN_CTX_free(ctx); | ||
| 207 | BN_clear_free(&m); | 216 | BN_clear_free(&m); | 
| 208 | BN_clear_free(&xr); | 217 | BN_clear_free(&xr); | 
| 209 | if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ | 218 | if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ | 
| 210 | BN_clear_free(kinv); | 219 | BN_clear_free(kinv); | 
| 211 | return(ret); | 220 | return ret; | 
| 212 | } | 221 | } | 
| 213 | 222 | ||
| 214 | static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | 223 | static int | 
| 215 | { | 224 | dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | 
| 225 | { | ||
| 216 | BN_CTX *ctx; | 226 | BN_CTX *ctx; | 
| 217 | BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; | 227 | BIGNUM k, kq, *K, *kinv = NULL, *r = NULL; | 
| 218 | int ret=0; | 228 | int ret = 0; | 
| 219 | 229 | ||
| 220 | if (!dsa->p || !dsa->q || !dsa->g) | 230 | if (!dsa->p || !dsa->q || !dsa->g) { | 
| 221 | { | 231 | DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); | 
| 222 | DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS); | ||
| 223 | return 0; | 232 | return 0; | 
| 224 | } | 233 | } | 
| 225 | 234 | ||
| 226 | BN_init(&k); | 235 | BN_init(&k); | 
| 227 | BN_init(&kq); | 236 | BN_init(&kq); | 
| 228 | 237 | ||
| 229 | if (ctx_in == NULL) | 238 | if (ctx_in == NULL) { | 
| 230 | { | 239 | if ((ctx = BN_CTX_new()) == NULL) | 
| 231 | if ((ctx=BN_CTX_new()) == NULL) goto err; | 240 | goto err; | 
| 232 | } | 241 | } else | 
| 233 | else | 242 | ctx = ctx_in; | 
| 234 | ctx=ctx_in; | ||
| 235 | 243 | ||
| 236 | if ((r=BN_new()) == NULL) goto err; | 244 | if ((r = BN_new()) == NULL) | 
| 245 | goto err; | ||
| 237 | 246 | ||
| 238 | /* Get random k */ | 247 | /* Get random k */ | 
| 239 | do | 248 | do { | 
| 240 | if (!BN_rand_range(&k, dsa->q)) goto err; | 249 | if (!BN_rand_range(&k, dsa->q)) | 
| 241 | while (BN_is_zero(&k)); | 250 | goto err; | 
| 242 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) | 251 | } while (BN_is_zero(&k)); | 
| 243 | { | 252 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 
| 244 | BN_set_flags(&k, BN_FLG_CONSTTIME); | 253 | BN_set_flags(&k, BN_FLG_CONSTTIME); | 
| 245 | } | 254 | } | 
| 246 | 255 | ||
| 247 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) | 256 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { | 
| 248 | { | ||
| 249 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 257 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 
| 250 | CRYPTO_LOCK_DSA, | 258 | CRYPTO_LOCK_DSA, dsa->p, ctx)) | 
| 251 | dsa->p, ctx)) | ||
| 252 | goto err; | 259 | goto err; | 
| 253 | } | 260 | } | 
| 254 | 261 | ||
| 255 | /* Compute r = (g^k mod p) mod q */ | 262 | /* Compute r = (g^k mod p) mod q */ | 
| 256 | 263 | ||
| 257 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) | 264 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | 
| 258 | { | 265 | if (!BN_copy(&kq, &k)) | 
| 259 | if (!BN_copy(&kq, &k)) goto err; | 266 | goto err; | 
| 260 | 267 | ||
| 261 | /* We do not want timing information to leak the length of k, | 268 | /* | 
| 262 | * so we compute g^k using an equivalent exponent of fixed length. | 269 | * We do not want timing information to leak the length of k, | 
| 270 | * so we compute g^k using an equivalent exponent of fixed | ||
| 271 | * length. | ||
| 263 | * | 272 | * | 
| 264 | * (This is a kludge that we need because the BN_mod_exp_mont() | 273 | * (This is a kludge that we need because the BN_mod_exp_mont() | 
| 265 | * does not let us specify the desired timing behaviour.) */ | 274 | * does not let us specify the desired timing behaviour.) | 
| 275 | */ | ||
| 266 | 276 | ||
| 267 | if (!BN_add(&kq, &kq, dsa->q)) goto err; | 277 | if (!BN_add(&kq, &kq, dsa->q)) | 
| 268 | if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) | 278 | goto err; | 
| 269 | { | 279 | if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) { | 
| 270 | if (!BN_add(&kq, &kq, dsa->q)) goto err; | 280 | if (!BN_add(&kq, &kq, dsa->q)) | 
| 271 | } | 281 | goto err; | 
| 282 | } | ||
| 272 | 283 | ||
| 273 | K = &kq; | 284 | K = &kq; | 
| 274 | } | 285 | } else { | 
| 275 | else | ||
| 276 | { | ||
| 277 | K = &k; | 286 | K = &k; | 
| 278 | } | 287 | } | 
| 279 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, | 288 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, | 
| 280 | dsa->method_mont_p); | 289 | dsa->method_mont_p); | 
| 281 | if (!BN_mod(r,r,dsa->q,ctx)) goto err; | 290 | if (!BN_mod(r,r,dsa->q,ctx)) | 
| 291 | goto err; | ||
| 282 | 292 | ||
| 283 | /* Compute part of 's = inv(k) (m + xr) mod q' */ | 293 | /* Compute part of 's = inv(k) (m + xr) mod q' */ | 
| 284 | if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; | 294 | if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL) | 
| 285 | 295 | goto err; | |
| 286 | if (*kinvp != NULL) BN_clear_free(*kinvp); | 296 | |
| 287 | *kinvp=kinv; | 297 | if (*kinvp != NULL) | 
| 288 | kinv=NULL; | 298 | BN_clear_free(*kinvp); | 
| 289 | if (*rp != NULL) BN_clear_free(*rp); | 299 | *kinvp = kinv; | 
| 290 | *rp=r; | 300 | kinv = NULL; | 
| 291 | ret=1; | 301 | if (*rp != NULL) | 
| 302 | BN_clear_free(*rp); | ||
| 303 | *rp = r; | ||
| 304 | ret = 1; | ||
| 292 | err: | 305 | err: | 
| 293 | if (!ret) | 306 | if (!ret) { | 
| 294 | { | 307 | DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB); | 
| 295 | DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB); | ||
| 296 | if (r != NULL) | 308 | if (r != NULL) | 
| 297 | BN_clear_free(r); | 309 | BN_clear_free(r); | 
| 298 | } | 310 | } | 
| 299 | if (ctx_in == NULL) BN_CTX_free(ctx); | 311 | if (ctx_in == NULL) | 
| 312 | BN_CTX_free(ctx); | ||
| 300 | BN_clear_free(&k); | 313 | BN_clear_free(&k); | 
| 301 | BN_clear_free(&kq); | 314 | BN_clear_free(&kq); | 
| 302 | return(ret); | 315 | return ret; | 
| 303 | } | 316 | } | 
| 304 | 317 | ||
| 305 | static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, | 318 | static int | 
| 306 | DSA *dsa) | 319 | dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) | 
| 307 | { | 320 | { | 
| 308 | BN_CTX *ctx; | 321 | BN_CTX *ctx; | 
| 309 | BIGNUM u1,u2,t1; | 322 | BIGNUM u1, u2, t1; | 
| 310 | BN_MONT_CTX *mont=NULL; | 323 | BN_MONT_CTX *mont = NULL; | 
| 311 | int ret = -1, i; | 324 | int ret = -1, i; | 
| 312 | if (!dsa->p || !dsa->q || !dsa->g) | 325 | |
| 313 | { | 326 | if (!dsa->p || !dsa->q || !dsa->g) { | 
| 314 | DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS); | 327 | DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS); | 
| 315 | return -1; | 328 | return -1; | 
| 316 | } | 329 | } | 
| 317 | 330 | ||
| 318 | i = BN_num_bits(dsa->q); | 331 | i = BN_num_bits(dsa->q); | 
| 319 | /* fips 186-3 allows only different sizes for q */ | 332 | /* fips 186-3 allows only different sizes for q */ | 
| 320 | if (i != 160 && i != 224 && i != 256) | 333 | if (i != 160 && i != 224 && i != 256) { | 
| 321 | { | 334 | DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); | 
| 322 | DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE); | ||
| 323 | return -1; | 335 | return -1; | 
| 324 | } | 336 | } | 
| 325 | 337 | ||
| 326 | if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) | 338 | if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { | 
| 327 | { | 339 | DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); | 
| 328 | DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); | ||
| 329 | return -1; | 340 | return -1; | 
| 330 | } | 341 | } | 
| 331 | BN_init(&u1); | 342 | BN_init(&u1); | 
| 332 | BN_init(&u2); | 343 | BN_init(&u2); | 
| 333 | BN_init(&t1); | 344 | BN_init(&t1); | 
| 334 | 345 | ||
| 335 | if ((ctx=BN_CTX_new()) == NULL) goto err; | 346 | if ((ctx = BN_CTX_new()) == NULL) | 
| 347 | goto err; | ||
| 336 | 348 | ||
| 337 | if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || | 349 | if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || | 
| 338 | BN_ucmp(sig->r, dsa->q) >= 0) | 350 | BN_ucmp(sig->r, dsa->q) >= 0) { | 
| 339 | { | ||
| 340 | ret = 0; | 351 | ret = 0; | 
| 341 | goto err; | 352 | goto err; | 
| 342 | } | 353 | } | 
| 343 | if (BN_is_zero(sig->s) || BN_is_negative(sig->s) || | 354 | if (BN_is_zero(sig->s) || BN_is_negative(sig->s) || | 
| 344 | BN_ucmp(sig->s, dsa->q) >= 0) | 355 | BN_ucmp(sig->s, dsa->q) >= 0) { | 
| 345 | { | ||
| 346 | ret = 0; | 356 | ret = 0; | 
| 347 | goto err; | 357 | goto err; | 
| 348 | } | 358 | } | 
| 349 | 359 | ||
| 350 | /* Calculate W = inv(S) mod Q | 360 | /* Calculate W = inv(S) mod Q | 
| 351 | * save W in u2 */ | 361 | * save W in u2 */ | 
| 352 | if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err; | 362 | if ((BN_mod_inverse(&u2, sig->s, dsa->q, ctx)) == NULL) | 
| 363 | goto err; | ||
| 353 | 364 | ||
| 354 | /* save M in u1 */ | 365 | /* save M in u1 */ | 
| 366 | /* | ||
| 367 | * If the digest length is greater than the size of q use the | ||
| 368 | * BN_num_bits(dsa->q) leftmost bits of the digest, see | ||
| 369 | * fips 186-3, 4.2 | ||
| 370 | */ | ||
| 355 | if (dgst_len > (i >> 3)) | 371 | if (dgst_len > (i >> 3)) | 
| 356 | /* if the digest length is greater than the size of q use the | ||
| 357 | * BN_num_bits(dsa->q) leftmost bits of the digest, see | ||
| 358 | * fips 186-3, 4.2 */ | ||
| 359 | dgst_len = (i >> 3); | 372 | dgst_len = (i >> 3); | 
| 360 | if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err; | 373 | if (BN_bin2bn(dgst, dgst_len, &u1) == NULL) | 
| 374 | goto err; | ||
| 361 | 375 | ||
| 362 | /* u1 = M * w mod q */ | 376 | /* u1 = M * w mod q */ | 
| 363 | if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err; | 377 | if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) | 
| 378 | goto err; | ||
| 364 | 379 | ||
| 365 | /* u2 = r * w mod q */ | 380 | /* u2 = r * w mod q */ | 
| 366 | if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err; | 381 | if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) | 
| 382 | goto err; | ||
| 367 | 383 | ||
| 368 | 384 | ||
| 369 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) | 385 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { | 
| 370 | { | ||
| 371 | mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 386 | mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 
| 372 | CRYPTO_LOCK_DSA, dsa->p, ctx); | 387 | CRYPTO_LOCK_DSA, dsa->p, ctx); | 
| 373 | if (!mont) | 388 | if (!mont) | 
| 374 | goto err; | 389 | goto err; | 
| 375 | } | 390 | } | 
| 376 | |||
| 377 | 391 | ||
| 378 | DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont); | 392 | DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, | 
| 393 | ctx, mont); | ||
| 379 | /* BN_copy(&u1,&t1); */ | 394 | /* BN_copy(&u1,&t1); */ | 
| 380 | /* let u1 = u1 mod q */ | 395 | /* let u1 = u1 mod q */ | 
| 381 | if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err; | 396 | if (!BN_mod(&u1, &t1, dsa->q, ctx)) | 
| 397 | goto err; | ||
| 382 | 398 | ||
| 383 | /* V is now in u1. If the signature is correct, it will be | 399 | /* V is now in u1. If the signature is correct, it will be | 
| 384 | * equal to R. */ | 400 | * equal to R. */ | 
| 385 | ret=(BN_ucmp(&u1, sig->r) == 0); | 401 | ret = BN_ucmp(&u1, sig->r) == 0; | 
| 386 | 402 | ||
| 387 | err: | 403 | err: | 
| 388 | /* XXX: surely this is wrong - if ret is 0, it just didn't verify; | 404 | /* XXX: surely this is wrong - if ret is 0, it just didn't verify; | 
| 389 | there is no error in BN. Test should be ret == -1 (Ben) */ | 405 | there is no error in BN. Test should be ret == -1 (Ben) */ | 
| 390 | if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB); | 406 | if (ret != 1) | 
| 391 | if (ctx != NULL) BN_CTX_free(ctx); | 407 | DSAerr(DSA_F_DSA_DO_VERIFY, ERR_R_BN_LIB); | 
| 408 | if (ctx != NULL) | ||
| 409 | BN_CTX_free(ctx); | ||
| 392 | BN_free(&u1); | 410 | BN_free(&u1); | 
| 393 | BN_free(&u2); | 411 | BN_free(&u2); | 
| 394 | BN_free(&t1); | 412 | BN_free(&t1); | 
| 395 | return(ret); | 413 | return ret; | 
| 396 | } | 414 | } | 
| 397 | 415 | ||
| 398 | static int dsa_init(DSA *dsa) | 416 | static int | 
| 417 | dsa_init(DSA *dsa) | ||
| 399 | { | 418 | { | 
| 400 | dsa->flags|=DSA_FLAG_CACHE_MONT_P; | 419 | dsa->flags |= DSA_FLAG_CACHE_MONT_P; | 
| 401 | return(1); | 420 | return 1; | 
| 402 | } | 421 | } | 
| 403 | 422 | ||
| 404 | static int dsa_finish(DSA *dsa) | 423 | static int | 
| 424 | dsa_finish(DSA *dsa) | ||
| 405 | { | 425 | { | 
| 406 | if(dsa->method_mont_p) | 426 | if (dsa->method_mont_p) | 
| 407 | BN_MONT_CTX_free(dsa->method_mont_p); | 427 | BN_MONT_CTX_free(dsa->method_mont_p); | 
| 408 | return(1); | 428 | return 1; | 
| 409 | } | 429 | } | 
| 410 | 430 | ||
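Review bot: In dsa_do_sign, `ret = DSA_SIG_new()` (new lines 191-193) is allocated before the `BN_is_zero(r) || BN_is_zero(s)` check, so the `goto redo` at new line 203 leaks that DSA_SIG and leaves `ret` non-NULL for the second attempt; because the `err:` cleanup is keyed on `!ret` (new lines 209-213), any failure after a redo skips DSAerr and the BN_free calls and the empty DSA_SIG is returned to the caller as if signing had succeeded. This is pre-existing and only reachable when r or s comes out zero, but the KNF pass is a cheap place to fix it: move the three lines `ret = DSA_SIG_new();` / `if (ret == NULL)` / `goto err;` to just before `ret->r = r;` so the allocation happens only once a usable (r, s) pair exists. Separately, a few call sites escaped the reformat and still lack spaces after commas, e.g. `if (BN_bin2bn(dgst,dlen,&m) == NULL)` at new line 177 and `if (!BN_mod(r,r,dsa->q,ctx))` at new line 290, and `} while(0)` in both macros (new lines 111 and 124) does not match the `while (` spacing used elsewhere in the hunk.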
