Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: azure_iot_hub/trunk/wolfssl-3.15.7/wolfcrypt/src/dsa.c@ 388

Last change on this file since 388 was 388, checked in by coas-nagasima, 5 years ago
Azure IoT Hub Device C SDK を使ったサンプルの追加
Property svn:eol-style set to `native` Property svn:keywords set to `Id` Property svn:mime-type set to `text/x-csrc`
File size: 21.4 KB

Line
1	/* dsa.c
2	*
3	* Copyright (C) 2006-2017 wolfSSL Inc.
4	*
5	* This file is part of wolfSSL.
6	*
7	* wolfSSL is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* wolfSSL is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20	*/
21
22
23	#ifdef HAVE_CONFIG_H
24	#include <config.h>
25	#endif
26
27	#include <wolfssl/wolfcrypt/settings.h>
28
29	#ifndef NO_DSA
30
31	#include <wolfssl/wolfcrypt/random.h>
32	#include <wolfssl/wolfcrypt/integer.h>
33	#include <wolfssl/wolfcrypt/error-crypt.h>
34	#include <wolfssl/wolfcrypt/logging.h>
35	#include <wolfssl/wolfcrypt/sha.h>
36	#include <wolfssl/wolfcrypt/dsa.h>
37
38	#ifdef NO_INLINE
39	#include <wolfssl/wolfcrypt/misc.h>
40	#else
41	#define WOLFSSL_MISC_INCLUDED
42	#include <wolfcrypt/src/misc.c>
43	#endif
44
45
46	enum {
47	DSA_HALF_SIZE = 20, /* r and s size */
48	DSA_SIG_SIZE = 40 /* signature size */
49	};
50
51
52
53	int wc_InitDsaKey(DsaKey* key)
54	{
55	if (key == NULL)
56	return BAD_FUNC_ARG;
57
58	key->type = -1; /* haven't decided yet */
59	key->heap = NULL;
60
61	return mp_init_multi(
62	/* public alloc parts */
63	&key->p,
64	&key->q,
65	&key->g,
66	&key->y,
67
68	/* private alloc parts */
69	&key->x,
70	NULL
71	);
72	}
73
74
75	int wc_InitDsaKey_h(DsaKey* key, void* h)
76	{
77	int ret = wc_InitDsaKey(key);
78	if (ret == 0)
79	key->heap = h;
80
81	return ret;
82	}
83
84
85	void wc_FreeDsaKey(DsaKey* key)
86	{
87	if (key == NULL)
88	return;
89
90	if (key->type == DSA_PRIVATE)
91	mp_forcezero(&key->x);
92
93	mp_clear(&key->x);
94	mp_clear(&key->y);
95	mp_clear(&key->g);
96	mp_clear(&key->q);
97	mp_clear(&key->p);
98	}
99
100
101	/* validate that (L,N) match allowed sizes from FIPS 186-4, Section 4.2.
102	* modLen - represents L, the size of p (prime modulus) in bits
103	* divLen - represents N, the size of q (prime divisor) in bits
104	* return 0 on success, -1 on error */
105	static int CheckDsaLN(int modLen, int divLen)
106	{
107	int ret = -1;
108
109	switch (modLen) {
110	case 1024:
111	if (divLen == 160)
112	ret = 0;
113	break;
114	case 2048:
115	if (divLen == 224 \|\| divLen == 256)
116	ret = 0;
117	break;
118	case 3072:
119	if (divLen == 256)
120	ret = 0;
121	break;
122	default:
123	break;
124	}
125
126	return ret;
127	}
128
129
130	#ifdef WOLFSSL_KEY_GEN
131
132	/* Create DSA key pair (&dsa->x, &dsa->y)
133	*
134	* Based on NIST FIPS 186-4,
135	* "B.1.1 Key Pair Generation Using Extra Random Bits"
136	*
137	* rng - pointer to initialized WC_RNG structure
138	* dsa - pointer to initialized DsaKey structure, will hold generated key
139	*
140	* return 0 on success, negative on error */
141	int wc_MakeDsaKey(WC_RNG rng, DsaKey dsa)
142	{
143	byte* cBuf;
144	int qSz, pSz, cSz, err;
145	mp_int tmpQ;
146
147	if (rng == NULL \|\| dsa == NULL)
148	return BAD_FUNC_ARG;
149
150	qSz = mp_unsigned_bin_size(&dsa->q);
151	pSz = mp_unsigned_bin_size(&dsa->p);
152
153	/* verify (L,N) pair bit lengths */
154	if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0)
155	return BAD_FUNC_ARG;
156
157	/* generate extra 64 bits so that bias from mod function is negligible */
158	cSz = qSz + (64 / WOLFSSL_BIT_SIZE);
159	cBuf = (byte*)XMALLOC(cSz, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
160	if (cBuf == NULL) {
161	return MEMORY_E;
162	}
163
164	if ((err = mp_init_multi(&dsa->x, &dsa->y, &tmpQ, NULL, NULL, NULL))
165	!= MP_OKAY) {
166	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
167	return err;
168	}
169
170	do {
171	/* generate N+64 bits (c) from RBG into &dsa->x, making sure positive.
172	* Hash_DRBG uses SHA-256 which matches maximum
173	* requested_security_strength of (L,N) */
174	err = wc_RNG_GenerateBlock(rng, cBuf, cSz);
175	if (err != MP_OKAY) {
176	mp_clear(&dsa->x);
177	mp_clear(&dsa->y);
178	mp_clear(&tmpQ);
179	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
180	return err;
181	}
182
183	err = mp_read_unsigned_bin(&dsa->x, cBuf, cSz);
184	if (err != MP_OKAY) {
185	mp_clear(&dsa->x);
186	mp_clear(&dsa->y);
187	mp_clear(&tmpQ);
188	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
189	return err;
190	}
191	} while (mp_cmp_d(&dsa->x, 1) != MP_GT);
192
193	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
194
195	/* tmpQ = q - 1 */
196	if (err == MP_OKAY)
197	err = mp_copy(&dsa->q, &tmpQ);
198
199	if (err == MP_OKAY)
200	err = mp_sub_d(&tmpQ, 1, &tmpQ);
201
202	/* x = c mod (q-1), &dsa->x holds c */
203	if (err == MP_OKAY)
204	err = mp_mod(&dsa->x, &tmpQ, &dsa->x);
205
206	/* x = c mod (q-1) + 1 */
207	if (err == MP_OKAY)
208	err = mp_add_d(&dsa->x, 1, &dsa->x);
209
210	/* public key : y = g^x mod p */
211	if (err == MP_OKAY)
212	err = mp_exptmod(&dsa->g, &dsa->x, &dsa->p, &dsa->y);
213
214	if (err == MP_OKAY)
215	dsa->type = DSA_PRIVATE;
216
217	if (err != MP_OKAY) {
218	mp_clear(&dsa->x);
219	mp_clear(&dsa->y);
220	}
221	mp_clear(&tmpQ);
222
223	return err;
224	}
225
226
227	/* modulus_size in bits */
228	int wc_MakeDsaParameters(WC_RNG rng, int modulus_size, DsaKey dsa)
229	{
230	mp_int tmp, tmp2;
231	int err, msize, qsize,
232	loop_check_prime = 0,
233	check_prime = MP_NO;
234	unsigned char *buf;
235
236	if (rng == NULL \|\| dsa == NULL)
237	return BAD_FUNC_ARG;
238
239	/* set group size in bytes from modulus size
240	* FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256)
241	*/
242	switch (modulus_size) {
243	case 1024:
244	qsize = 20;
245	break;
246	case 2048:
247	case 3072:
248	qsize = 32;
249	break;
250	default:
251	return BAD_FUNC_ARG;
252	}
253
254	/* modulus size in bytes */
255	msize = modulus_size / WOLFSSL_BIT_SIZE;
256
257	/* allocate ram */
258	buf = (unsigned char *)XMALLOC(msize - qsize,
259	dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
260	if (buf == NULL) {
261	return MEMORY_E;
262	}
263
264	/* make a random string that will be multplied against q */
265	err = wc_RNG_GenerateBlock(rng, buf, msize - qsize);
266	if (err != MP_OKAY) {
267	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
268	return err;
269	}
270
271	/* force magnitude */
272	buf[0] \|= 0xC0;
273
274	/* force even */
275	buf[msize - qsize - 1] &= ~1;
276
277	if (mp_init_multi(&tmp2, &dsa->p, &dsa->q, 0, 0, 0) != MP_OKAY) {
278	mp_clear(&dsa->q);
279	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
280	return MP_INIT_E;
281	}
282
283	err = mp_read_unsigned_bin(&tmp2, buf, msize - qsize);
284	if (err != MP_OKAY) {
285	mp_clear(&dsa->q);
286	mp_clear(&dsa->p);
287	mp_clear(&tmp2);
288	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
289	return err;
290	}
291	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
292
293	/* make our prime q */
294	err = mp_rand_prime(&dsa->q, qsize, rng, NULL);
295	if (err != MP_OKAY) {
296	mp_clear(&dsa->q);
297	mp_clear(&dsa->p);
298	mp_clear(&tmp2);
299	return err;
300	}
301
302	/* p = random * q */
303	err = mp_mul(&dsa->q, &tmp2, &dsa->p);
304	if (err != MP_OKAY) {
305	mp_clear(&dsa->q);
306	mp_clear(&dsa->p);
307	mp_clear(&tmp2);
308	return err;
309	}
310
311	/* p = random * q + 1, so q is a prime divisor of p-1 */
312	err = mp_add_d(&dsa->p, 1, &dsa->p);
313	if (err != MP_OKAY) {
314	mp_clear(&dsa->q);
315	mp_clear(&dsa->p);
316	mp_clear(&tmp2);
317	return err;
318	}
319
320	if (mp_init(&tmp) != MP_OKAY) {
321	mp_clear(&dsa->q);
322	mp_clear(&dsa->p);
323	mp_clear(&tmp2);
324	return MP_INIT_E;
325	}
326
327	/* tmp = 2q */
328	err = mp_add(&dsa->q, &dsa->q, &tmp);
329	if (err != MP_OKAY) {
330	mp_clear(&dsa->q);
331	mp_clear(&dsa->p);
332	mp_clear(&tmp);
333	mp_clear(&tmp2);
334	return err;
335	}
336
337	/* loop until p is prime */
338	while (check_prime == MP_NO) {
339	err = mp_prime_is_prime_ex(&dsa->p, 8, &check_prime, rng);
340	if (err != MP_OKAY) {
341	mp_clear(&dsa->q);
342	mp_clear(&dsa->p);
343	mp_clear(&tmp);
344	mp_clear(&tmp2);
345	return err;
346	}
347
348	if (check_prime != MP_YES) {
349	/* p += 2q */
350	err = mp_add(&tmp, &dsa->p, &dsa->p);
351	if (err != MP_OKAY) {
352	mp_clear(&dsa->q);
353	mp_clear(&dsa->p);
354	mp_clear(&tmp);
355	mp_clear(&tmp2);
356	return err;
357	}
358
359	loop_check_prime++;
360	}
361	}
362
363	/* tmp2 += (2*loop_check_prime)
364	* to have p = (q * tmp2) + 1 prime
365	*/
366	if (loop_check_prime) {
367	err = mp_add_d(&tmp2, 2*loop_check_prime, &tmp2);
368	if (err != MP_OKAY) {
369	mp_clear(&dsa->q);
370	mp_clear(&dsa->p);
371	mp_clear(&tmp);
372	mp_clear(&tmp2);
373	return err;
374	}
375	}
376
377	if (mp_init(&dsa->g) != MP_OKAY) {
378	mp_clear(&dsa->q);
379	mp_clear(&dsa->p);
380	mp_clear(&tmp);
381	mp_clear(&tmp2);
382	return MP_INIT_E;
383	}
384
385	/* find a value g for which g^tmp2 != 1 */
386	if (mp_set(&dsa->g, 1) != MP_OKAY) {
387	mp_clear(&dsa->q);
388	mp_clear(&dsa->p);
389	mp_clear(&tmp);
390	mp_clear(&tmp2);
391	return MP_INIT_E;
392	}
393
394	do {
395	err = mp_add_d(&dsa->g, 1, &dsa->g);
396	if (err != MP_OKAY) {
397	mp_clear(&dsa->q);
398	mp_clear(&dsa->p);
399	mp_clear(&dsa->g);
400	mp_clear(&tmp);
401	mp_clear(&tmp2);
402	return err;
403	}
404
405	err = mp_exptmod(&dsa->g, &tmp2, &dsa->p, &tmp);
406	if (err != MP_OKAY) {
407	mp_clear(&dsa->q);
408	mp_clear(&dsa->p);
409	mp_clear(&dsa->g);
410	mp_clear(&tmp);
411	mp_clear(&tmp2);
412	return err;
413	}
414
415	} while (mp_cmp_d(&tmp, 1) == MP_EQ);
416
417	/* at this point tmp generates a group of order q mod p */
418	mp_exch(&tmp, &dsa->g);
419
420	mp_clear(&tmp);
421	mp_clear(&tmp2);
422
423	return MP_OKAY;
424	}
425	#endif /* WOLFSSL_KEY_GEN */
426
427
428	static int _DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
429	const char* g, int trusted, WC_RNG* rng)
430	{
431	int err;
432	word32 pSz, qSz;
433
434	if (dsa == NULL \|\| p == NULL \|\| q == NULL \|\| g == NULL)
435	return BAD_FUNC_ARG;
436
437	/* read p */
438	err = mp_read_radix(&dsa->p, p, MP_RADIX_HEX);
439	if (err == MP_OKAY && !trusted) {
440	int isPrime = 1;
441	if (rng == NULL)
442	err = mp_prime_is_prime(&dsa->p, 8, &isPrime);
443	else
444	err = mp_prime_is_prime_ex(&dsa->p, 8, &isPrime, rng);
445
446	if (err == MP_OKAY) {
447	if (!isPrime)
448	err = DH_CHECK_PUB_E;
449	}
450	}
451
452	/* read q */
453	if (err == MP_OKAY)
454	err = mp_read_radix(&dsa->q, q, MP_RADIX_HEX);
455
456	/* read g */
457	if (err == MP_OKAY)
458	err = mp_read_radix(&dsa->g, g, MP_RADIX_HEX);
459
460	/* verify (L,N) pair bit lengths */
461	pSz = mp_unsigned_bin_size(&dsa->p);
462	qSz = mp_unsigned_bin_size(&dsa->q);
463
464	if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
465	WOLFSSL_MSG("Invalid DSA p or q parameter size");
466	err = BAD_FUNC_ARG;
467	}
468
469	if (err != MP_OKAY) {
470	mp_clear(&dsa->p);
471	mp_clear(&dsa->q);
472	mp_clear(&dsa->g);
473	}
474
475	return err;
476	}
477
478
479	/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
480	* input parameters (p,q,g) should be represented as ASCII hex values.
481	*
482	* dsa - pointer to initialized DsaKey structure
483	* p - DSA (p) parameter, ASCII hex string
484	* pSz - length of p
485	* q - DSA (q) parameter, ASCII hex string
486	* qSz - length of q
487	* g - DSA (g) parameter, ASCII hex string
488	* gSz - length of g
489	*
490	* returns 0 on success, negative upon failure
491	*/
492	int wc_DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
493	const char* g)
494	{
495	return _DsaImportParamsRaw(dsa, p, q, g, 1, NULL);
496	}
497
498
499	/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
500	* input parameters (p,q,g) should be represented as ASCII hex values. Check
501	* that the p value is probably prime.
502	*
503	* dsa - pointer to initialized DsaKey structure
504	* p - DSA (p) parameter, ASCII hex string
505	* pSz - length of p
506	* q - DSA (q) parameter, ASCII hex string
507	* qSz - length of q
508	* g - DSA (g) parameter, ASCII hex string
509	* gSz - length of g
510	* trusted - trust that p is OK
511	* rng - random number generator for the prime test
512	*
513	* returns 0 on success, negative upon failure
514	*/
515	int wc_DsaImportParamsRawCheck(DsaKey* dsa, const char* p, const char* q,
516	const char* g, int trusted, WC_RNG* rng)
517	{
518	return _DsaImportParamsRaw(dsa, p, q, g, trusted, rng);
519	}
520
521
522	/* Export raw DSA parameters from DsaKey structure
523	*
524	* dsa - pointer to initialized DsaKey structure
525	* p - output location for DSA (p) parameter
526	* pSz - [IN/OUT] size of output buffer for p, size of p
527	* q - output location for DSA (q) parameter
528	* qSz - [IN/OUT] size of output buffer for q, size of q
529	* g - output location for DSA (g) parameter
530	* gSz - [IN/OUT] size of output buffer for g, size of g
531	*
532	* If p, q, and g pointers are all passed in as NULL, the function
533	* will set pSz, qSz, and gSz to the required output buffer sizes for p,
534	* q, and g. In this case, the function will return LENGTH_ONLY_E.
535	*
536	* returns 0 on success, negative upon failure
537	*/
538	int wc_DsaExportParamsRaw(DsaKey* dsa, byte* p, word32* pSz,
539	byte* q, word32* qSz, byte* g, word32* gSz)
540	{
541	int err;
542	word32 pLen, qLen, gLen;
543
544	if (dsa == NULL \|\| pSz == NULL \|\| qSz == NULL \|\| gSz == NULL)
545	return BAD_FUNC_ARG;
546
547	/* get required output buffer sizes */
548	pLen = mp_unsigned_bin_size(&dsa->p);
549	qLen = mp_unsigned_bin_size(&dsa->q);
550	gLen = mp_unsigned_bin_size(&dsa->g);
551
552	/* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
553	if (p == NULL && q == NULL && g == NULL) {
554	*pSz = pLen;
555	*qSz = qLen;
556	*gSz = gLen;
557	return LENGTH_ONLY_E;
558	}
559
560	if (p == NULL \|\| q == NULL \|\| g == NULL)
561	return BAD_FUNC_ARG;
562
563	/* export p */
564	if (*pSz < pLen) {
565	WOLFSSL_MSG("Output buffer for DSA p parameter too small, "
566	"required size placed into pSz");
567	*pSz = pLen;
568	return BUFFER_E;
569	}
570	*pSz = pLen;
571	err = mp_to_unsigned_bin(&dsa->p, p);
572
573	/* export q */
574	if (err == MP_OKAY) {
575	if (*qSz < qLen) {
576	WOLFSSL_MSG("Output buffer for DSA q parameter too small, "
577	"required size placed into qSz");
578	*qSz = qLen;
579	return BUFFER_E;
580	}
581	*qSz = qLen;
582	err = mp_to_unsigned_bin(&dsa->q, q);
583	}
584
585	/* export g */
586	if (err == MP_OKAY) {
587	if (*gSz < gLen) {
588	WOLFSSL_MSG("Output buffer for DSA g parameter too small, "
589	"required size placed into gSz");
590	*gSz = gLen;
591	return BUFFER_E;
592	}
593	*gSz = gLen;
594	err = mp_to_unsigned_bin(&dsa->g, g);
595	}
596
597	return err;
598	}
599
600
601	/* Export raw DSA key (x, y) from DsaKey structure
602	*
603	* dsa - pointer to initialized DsaKey structure
604	* x - output location for private key
605	* xSz - [IN/OUT] size of output buffer for x, size of x
606	* y - output location for public key
607	* ySz - [IN/OUT] size of output buffer for y, size of y
608	*
609	* If x and y pointers are all passed in as NULL, the function
610	* will set xSz and ySz to the required output buffer sizes for x
611	* and y. In this case, the function will return LENGTH_ONLY_E.
612	*
613	* returns 0 on success, negative upon failure
614	*/
615	int wc_DsaExportKeyRaw(DsaKey* dsa, byte* x, word32* xSz, byte* y, word32* ySz)
616	{
617	int err;
618	word32 xLen, yLen;
619
620	if (dsa == NULL \|\| xSz == NULL \|\| ySz == NULL)
621	return BAD_FUNC_ARG;
622
623	/* get required output buffer sizes */
624	xLen = mp_unsigned_bin_size(&dsa->x);
625	yLen = mp_unsigned_bin_size(&dsa->y);
626
627	/* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
628	if (x == NULL && y == NULL) {
629	*xSz = xLen;
630	*ySz = yLen;
631	return LENGTH_ONLY_E;
632	}
633
634	if (x == NULL \|\| y == NULL)
635	return BAD_FUNC_ARG;
636
637	/* export x */
638	if (*xSz < xLen) {
639	WOLFSSL_MSG("Output buffer for DSA private key (x) too small, "
640	"required size placed into xSz");
641	*xSz = xLen;
642	return BUFFER_E;
643	}
644	*xSz = xLen;
645	err = mp_to_unsigned_bin(&dsa->x, x);
646
647	/* export y */
648	if (err == MP_OKAY) {
649	if (*ySz < yLen) {
650	WOLFSSL_MSG("Output buffer to DSA public key (y) too small, "
651	"required size placed into ySz");
652	*ySz = yLen;
653	return BUFFER_E;
654	}
655	*ySz = yLen;
656	err = mp_to_unsigned_bin(&dsa->y, y);
657	}
658
659	return err;
660	}
661
662
663	int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
664	{
665	mp_int k, kInv, r, s, H;
666	int ret, sz;
667	byte buffer[DSA_HALF_SIZE];
668	byte* tmp; /* initial output pointer */
669
670	if (digest == NULL \|\| out == NULL \|\| key == NULL \|\| rng == NULL) {
671	return BAD_FUNC_ARG;
672	}
673
674	tmp = out;
675
676	sz = min((int)sizeof(buffer), mp_unsigned_bin_size(&key->q));
677
678	if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
679	return MP_INIT_E;
680
681	do {
682	/* generate k */
683	ret = wc_RNG_GenerateBlock(rng, buffer, sz);
684	if (ret != 0)
685	return ret;
686
687	buffer[0] \|= 0x0C;
688
689	if (mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
690	ret = MP_READ_E;
691
692	/* k is a random numnber and it should be less than q
693	* if k greater than repeat
694	*/
695	} while (mp_cmp(&k, &key->q) != MP_LT);
696
697	if (ret == 0 && mp_cmp_d(&k, 1) != MP_GT)
698	ret = MP_CMP_E;
699
700	/* inverse k mod q */
701	if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
702	ret = MP_INVMOD_E;
703
704	/* generate r, r = (g exp k mod p) mod q */
705	if (ret == 0 && mp_exptmod(&key->g, &k, &key->p, &r) != MP_OKAY)
706	ret = MP_EXPTMOD_E;
707
708	if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
709	ret = MP_MOD_E;
710
711	/* generate H from sha digest */
712	if (ret == 0 && mp_read_unsigned_bin(&H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
713	ret = MP_READ_E;
714
715	/* generate s, s = (kInv * (H + xr)) % q /
716	if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
717	ret = MP_MUL_E;
718
719	if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
720	ret = MP_ADD_E;
721
722	if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
723	ret = MP_MULMOD_E;
724
725	/* detect zero r or s */
726	if (ret == 0 && (mp_iszero(&r) == MP_YES \|\| mp_iszero(&s) == MP_YES))
727	ret = MP_ZERO_E;
728
729	/* write out */
730	if (ret == 0) {
731	int rSz = mp_unsigned_bin_size(&r);
732	int sSz = mp_unsigned_bin_size(&s);
733
734	while (rSz++ < DSA_HALF_SIZE) {
735	out++ = 0x00; / pad front with zeros */
736	}
737
738	if (mp_to_unsigned_bin(&r, out) != MP_OKAY)
739	ret = MP_TO_E;
740	else {
741	out = tmp + DSA_HALF_SIZE; /* advance to s in output */
742	while (sSz++ < DSA_HALF_SIZE) {
743	out++ = 0x00; / pad front with zeros */
744	}
745	ret = mp_to_unsigned_bin(&s, out);
746	}
747	}
748
749	mp_clear(&H);
750	mp_clear(&s);
751	mp_clear(&r);
752	mp_clear(&kInv);
753	mp_clear(&k);
754
755	return ret;
756	}
757
758
759	int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
760	{
761	mp_int w, u1, u2, v, r, s;
762	int ret = 0;
763
764	if (digest == NULL \|\| sig == NULL \|\| key == NULL \|\| answer == NULL) {
765	return BAD_FUNC_ARG;
766	}
767
768	if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY)
769	return MP_INIT_E;
770
771	/* set r and s from signature */
772	if (mp_read_unsigned_bin(&r, sig, DSA_HALF_SIZE) != MP_OKAY \|\|
773	mp_read_unsigned_bin(&s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY)
774	ret = MP_READ_E;
775
776	/* sanity checks */
777	if (ret == 0) {
778	if (mp_iszero(&r) == MP_YES \|\| mp_iszero(&s) == MP_YES \|\|
779	mp_cmp(&r, &key->q) != MP_LT \|\| mp_cmp(&s, &key->q) != MP_LT) {
780	ret = MP_ZERO_E;
781	}
782	}
783
784	/* put H into u1 from sha digest */
785	if (ret == 0 && mp_read_unsigned_bin(&u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
786	ret = MP_READ_E;
787
788	/* w = s invmod q */
789	if (ret == 0 && mp_invmod(&s, &key->q, &w) != MP_OKAY)
790	ret = MP_INVMOD_E;
791
792	/* u1 = (H * w) % q */
793	if (ret == 0 && mp_mulmod(&u1, &w, &key->q, &u1) != MP_OKAY)
794	ret = MP_MULMOD_E;
795
796	/* u2 = (r * w) % q */
797	if (ret == 0 && mp_mulmod(&r, &w, &key->q, &u2) != MP_OKAY)
798	ret = MP_MULMOD_E;
799
800	/* verify v = ((g^u1 * y^u2) mod p) mod q */
801	if (ret == 0 && mp_exptmod(&key->g, &u1, &key->p, &u1) != MP_OKAY)
802	ret = MP_EXPTMOD_E;
803
804	if (ret == 0 && mp_exptmod(&key->y, &u2, &key->p, &u2) != MP_OKAY)
805	ret = MP_EXPTMOD_E;
806
807	if (ret == 0 && mp_mulmod(&u1, &u2, &key->p, &v) != MP_OKAY)
808	ret = MP_MULMOD_E;
809
810	if (ret == 0 && mp_mod(&v, &key->q, &v) != MP_OKAY)
811	ret = MP_MULMOD_E;
812
813	/* do they match */
814	if (ret == 0 && mp_cmp(&r, &v) == MP_EQ)
815	*answer = 1;
816	else
817	*answer = 0;
818
819	mp_clear(&s);
820	mp_clear(&r);
821	mp_clear(&u1);
822	mp_clear(&u2);
823	mp_clear(&w);
824	mp_clear(&v);
825
826	return ret;
827	}
828
829
830	#endif /* NO_DSA */
831

Note: See TracBrowser for help on using the repository browser.

Download in other formats: