Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

dsa.c@ 457

Last change on this file since 457 was 457, checked in by coas-nagasima, 4 years ago
ファイルを追加
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc;charset=UTF-8`
File size: 24.1 KB

Line
1	/* dsa.c
2	*
3	* Copyright (C) 2006-2020 wolfSSL Inc.
4	*
5	* This file is part of wolfSSL.
6	*
7	* wolfSSL is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* wolfSSL is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20	*/
21
22
23	#ifdef HAVE_CONFIG_H
24	#include <config.h>
25	#endif
26
27	#include <wolfssl/wolfcrypt/settings.h>
28
29	#ifndef NO_DSA
30
31	#include <wolfssl/wolfcrypt/random.h>
32	#include <wolfssl/wolfcrypt/integer.h>
33	#include <wolfssl/wolfcrypt/error-crypt.h>
34	#include <wolfssl/wolfcrypt/logging.h>
35	#include <wolfssl/wolfcrypt/sha.h>
36	#include <wolfssl/wolfcrypt/dsa.h>
37
38	#ifdef NO_INLINE
39	#include <wolfssl/wolfcrypt/misc.h>
40	#else
41	#define WOLFSSL_MISC_INCLUDED
42	#include <wolfcrypt/src/misc.c>
43	#endif
44
45	int wc_InitDsaKey(DsaKey* key)
46	{
47	if (key == NULL)
48	return BAD_FUNC_ARG;
49
50	key->type = -1; /* haven't decided yet */
51	key->heap = NULL;
52
53	return mp_init_multi(
54	/* public alloc parts */
55	&key->p,
56	&key->q,
57	&key->g,
58	&key->y,
59
60	/* private alloc parts */
61	&key->x,
62	NULL
63	);
64	}
65
66
67	int wc_InitDsaKey_h(DsaKey* key, void* h)
68	{
69	int ret = wc_InitDsaKey(key);
70	if (ret == 0)
71	key->heap = h;
72
73	return ret;
74	}
75
76
77	void wc_FreeDsaKey(DsaKey* key)
78	{
79	if (key == NULL)
80	return;
81
82	if (key->type == DSA_PRIVATE)
83	mp_forcezero(&key->x);
84
85	mp_clear(&key->x);
86	mp_clear(&key->y);
87	mp_clear(&key->g);
88	mp_clear(&key->q);
89	mp_clear(&key->p);
90	}
91
92
93	/* validate that (L,N) match allowed sizes from FIPS 186-4, Section 4.2.
94	* modLen - represents L, the size of p (prime modulus) in bits
95	* divLen - represents N, the size of q (prime divisor) in bits
96	* return 0 on success, -1 on error */
97	static int CheckDsaLN(int modLen, int divLen)
98	{
99	int ret = -1;
100
101	switch (modLen) {
102	case 1024:
103	if (divLen == 160)
104	ret = 0;
105	break;
106	case 2048:
107	if (divLen == 224 \|\| divLen == 256)
108	ret = 0;
109	break;
110	case 3072:
111	if (divLen == 256)
112	ret = 0;
113	break;
114	default:
115	break;
116	}
117
118	return ret;
119	}
120
121
122	#ifdef WOLFSSL_KEY_GEN
123
124	/* Create DSA key pair (&dsa->x, &dsa->y)
125	*
126	* Based on NIST FIPS 186-4,
127	* "B.1.1 Key Pair Generation Using Extra Random Bits"
128	*
129	* rng - pointer to initialized WC_RNG structure
130	* dsa - pointer to initialized DsaKey structure, will hold generated key
131	*
132	* return 0 on success, negative on error */
133	int wc_MakeDsaKey(WC_RNG rng, DsaKey dsa)
134	{
135	byte* cBuf;
136	int qSz, pSz, cSz, err;
137	mp_int tmpQ;
138
139	if (rng == NULL \|\| dsa == NULL)
140	return BAD_FUNC_ARG;
141
142	qSz = mp_unsigned_bin_size(&dsa->q);
143	pSz = mp_unsigned_bin_size(&dsa->p);
144
145	/* verify (L,N) pair bit lengths */
146	if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0)
147	return BAD_FUNC_ARG;
148
149	/* generate extra 64 bits so that bias from mod function is negligible */
150	cSz = qSz + (64 / WOLFSSL_BIT_SIZE);
151	cBuf = (byte*)XMALLOC(cSz, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
152	if (cBuf == NULL) {
153	return MEMORY_E;
154	}
155
156	if ((err = mp_init_multi(&dsa->x, &dsa->y, &tmpQ, NULL, NULL, NULL))
157	!= MP_OKAY) {
158	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
159	return err;
160	}
161
162	do {
163	/* generate N+64 bits (c) from RBG into &dsa->x, making sure positive.
164	* Hash_DRBG uses SHA-256 which matches maximum
165	* requested_security_strength of (L,N) */
166	err = wc_RNG_GenerateBlock(rng, cBuf, cSz);
167	if (err != MP_OKAY) {
168	mp_clear(&dsa->x);
169	mp_clear(&dsa->y);
170	mp_clear(&tmpQ);
171	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
172	return err;
173	}
174
175	err = mp_read_unsigned_bin(&dsa->x, cBuf, cSz);
176	if (err != MP_OKAY) {
177	mp_clear(&dsa->x);
178	mp_clear(&dsa->y);
179	mp_clear(&tmpQ);
180	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
181	return err;
182	}
183	} while (mp_cmp_d(&dsa->x, 1) != MP_GT);
184
185	XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
186
187	/* tmpQ = q - 1 */
188	if (err == MP_OKAY)
189	err = mp_copy(&dsa->q, &tmpQ);
190
191	if (err == MP_OKAY)
192	err = mp_sub_d(&tmpQ, 1, &tmpQ);
193
194	/* x = c mod (q-1), &dsa->x holds c */
195	if (err == MP_OKAY)
196	err = mp_mod(&dsa->x, &tmpQ, &dsa->x);
197
198	/* x = c mod (q-1) + 1 */
199	if (err == MP_OKAY)
200	err = mp_add_d(&dsa->x, 1, &dsa->x);
201
202	/* public key : y = g^x mod p */
203	if (err == MP_OKAY)
204	err = mp_exptmod_ex(&dsa->g, &dsa->x, dsa->q.used, &dsa->p, &dsa->y);
205
206	if (err == MP_OKAY)
207	dsa->type = DSA_PRIVATE;
208
209	if (err != MP_OKAY) {
210	mp_clear(&dsa->x);
211	mp_clear(&dsa->y);
212	}
213	mp_clear(&tmpQ);
214
215	return err;
216	}
217
218
219	/* modulus_size in bits */
220	int wc_MakeDsaParameters(WC_RNG rng, int modulus_size, DsaKey dsa)
221	{
222	mp_int tmp, tmp2;
223	int err, msize, qsize,
224	loop_check_prime = 0,
225	check_prime = MP_NO;
226	unsigned char *buf;
227
228	if (rng == NULL \|\| dsa == NULL)
229	return BAD_FUNC_ARG;
230
231	/* set group size in bytes from modulus size
232	* FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256)
233	*/
234	switch (modulus_size) {
235	case 1024:
236	qsize = 20;
237	break;
238	case 2048:
239	case 3072:
240	qsize = 32;
241	break;
242	default:
243	return BAD_FUNC_ARG;
244	}
245
246	/* modulus size in bytes */
247	msize = modulus_size / WOLFSSL_BIT_SIZE;
248
249	/* allocate ram */
250	buf = (unsigned char *)XMALLOC(msize - qsize,
251	dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
252	if (buf == NULL) {
253	return MEMORY_E;
254	}
255
256	/* make a random string that will be multiplied against q */
257	err = wc_RNG_GenerateBlock(rng, buf, msize - qsize);
258	if (err != MP_OKAY) {
259	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
260	return err;
261	}
262
263	/* force magnitude */
264	buf[0] \|= 0xC0;
265
266	/* force even */
267	buf[msize - qsize - 1] &= ~1;
268
269	if (mp_init_multi(&tmp2, &dsa->p, &dsa->q, 0, 0, 0) != MP_OKAY) {
270	mp_clear(&dsa->q);
271	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
272	return MP_INIT_E;
273	}
274
275	err = mp_read_unsigned_bin(&tmp2, buf, msize - qsize);
276	if (err != MP_OKAY) {
277	mp_clear(&dsa->q);
278	mp_clear(&dsa->p);
279	mp_clear(&tmp2);
280	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
281	return err;
282	}
283	XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
284
285	/* make our prime q */
286	err = mp_rand_prime(&dsa->q, qsize, rng, NULL);
287	if (err != MP_OKAY) {
288	mp_clear(&dsa->q);
289	mp_clear(&dsa->p);
290	mp_clear(&tmp2);
291	return err;
292	}
293
294	/* p = random * q */
295	err = mp_mul(&dsa->q, &tmp2, &dsa->p);
296	if (err != MP_OKAY) {
297	mp_clear(&dsa->q);
298	mp_clear(&dsa->p);
299	mp_clear(&tmp2);
300	return err;
301	}
302
303	/* p = random * q + 1, so q is a prime divisor of p-1 */
304	err = mp_add_d(&dsa->p, 1, &dsa->p);
305	if (err != MP_OKAY) {
306	mp_clear(&dsa->q);
307	mp_clear(&dsa->p);
308	mp_clear(&tmp2);
309	return err;
310	}
311
312	if (mp_init(&tmp) != MP_OKAY) {
313	mp_clear(&dsa->q);
314	mp_clear(&dsa->p);
315	mp_clear(&tmp2);
316	return MP_INIT_E;
317	}
318
319	/* tmp = 2q */
320	err = mp_add(&dsa->q, &dsa->q, &tmp);
321	if (err != MP_OKAY) {
322	mp_clear(&dsa->q);
323	mp_clear(&dsa->p);
324	mp_clear(&tmp);
325	mp_clear(&tmp2);
326	return err;
327	}
328
329	/* loop until p is prime */
330	while (check_prime == MP_NO) {
331	err = mp_prime_is_prime_ex(&dsa->p, 8, &check_prime, rng);
332	if (err != MP_OKAY) {
333	mp_clear(&dsa->q);
334	mp_clear(&dsa->p);
335	mp_clear(&tmp);
336	mp_clear(&tmp2);
337	return err;
338	}
339
340	if (check_prime != MP_YES) {
341	/* p += 2q */
342	err = mp_add(&tmp, &dsa->p, &dsa->p);
343	if (err != MP_OKAY) {
344	mp_clear(&dsa->q);
345	mp_clear(&dsa->p);
346	mp_clear(&tmp);
347	mp_clear(&tmp2);
348	return err;
349	}
350
351	loop_check_prime++;
352	}
353	}
354
355	/* tmp2 += (2*loop_check_prime)
356	* to have p = (q * tmp2) + 1 prime
357	*/
358	if (loop_check_prime) {
359	err = mp_add_d(&tmp2, 2*loop_check_prime, &tmp2);
360	if (err != MP_OKAY) {
361	mp_clear(&dsa->q);
362	mp_clear(&dsa->p);
363	mp_clear(&tmp);
364	mp_clear(&tmp2);
365	return err;
366	}
367	}
368
369	if (mp_init(&dsa->g) != MP_OKAY) {
370	mp_clear(&dsa->q);
371	mp_clear(&dsa->p);
372	mp_clear(&tmp);
373	mp_clear(&tmp2);
374	return MP_INIT_E;
375	}
376
377	/* find a value g for which g^tmp2 != 1 */
378	if (mp_set(&dsa->g, 1) != MP_OKAY) {
379	mp_clear(&dsa->q);
380	mp_clear(&dsa->p);
381	mp_clear(&tmp);
382	mp_clear(&tmp2);
383	return MP_INIT_E;
384	}
385
386	do {
387	err = mp_add_d(&dsa->g, 1, &dsa->g);
388	if (err != MP_OKAY) {
389	mp_clear(&dsa->q);
390	mp_clear(&dsa->p);
391	mp_clear(&dsa->g);
392	mp_clear(&tmp);
393	mp_clear(&tmp2);
394	return err;
395	}
396
397	err = mp_exptmod(&dsa->g, &tmp2, &dsa->p, &tmp);
398	if (err != MP_OKAY) {
399	mp_clear(&dsa->q);
400	mp_clear(&dsa->p);
401	mp_clear(&dsa->g);
402	mp_clear(&tmp);
403	mp_clear(&tmp2);
404	return err;
405	}
406
407	} while (mp_cmp_d(&tmp, 1) == MP_EQ);
408
409	/* at this point tmp generates a group of order q mod p */
410	mp_exch(&tmp, &dsa->g);
411
412	mp_clear(&tmp);
413	mp_clear(&tmp2);
414
415	return MP_OKAY;
416	}
417	#endif /* WOLFSSL_KEY_GEN */
418
419
420	static int _DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
421	const char* g, int trusted, WC_RNG* rng)
422	{
423	int err;
424	word32 pSz, qSz;
425
426	if (dsa == NULL \|\| p == NULL \|\| q == NULL \|\| g == NULL)
427	return BAD_FUNC_ARG;
428
429	/* read p */
430	err = mp_read_radix(&dsa->p, p, MP_RADIX_HEX);
431	if (err == MP_OKAY && !trusted) {
432	int isPrime = 1;
433	if (rng == NULL)
434	err = mp_prime_is_prime(&dsa->p, 8, &isPrime);
435	else
436	err = mp_prime_is_prime_ex(&dsa->p, 8, &isPrime, rng);
437
438	if (err == MP_OKAY) {
439	if (!isPrime)
440	err = DH_CHECK_PUB_E;
441	}
442	}
443
444	/* read q */
445	if (err == MP_OKAY)
446	err = mp_read_radix(&dsa->q, q, MP_RADIX_HEX);
447
448	/* read g */
449	if (err == MP_OKAY)
450	err = mp_read_radix(&dsa->g, g, MP_RADIX_HEX);
451
452	/* verify (L,N) pair bit lengths */
453	pSz = mp_unsigned_bin_size(&dsa->p);
454	qSz = mp_unsigned_bin_size(&dsa->q);
455
456	if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
457	WOLFSSL_MSG("Invalid DSA p or q parameter size");
458	err = BAD_FUNC_ARG;
459	}
460
461	if (err != MP_OKAY) {
462	mp_clear(&dsa->p);
463	mp_clear(&dsa->q);
464	mp_clear(&dsa->g);
465	}
466
467	return err;
468	}
469
470
471	/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
472	* input parameters (p,q,g) should be represented as ASCII hex values.
473	*
474	* dsa - pointer to initialized DsaKey structure
475	* p - DSA (p) parameter, ASCII hex string
476	* pSz - length of p
477	* q - DSA (q) parameter, ASCII hex string
478	* qSz - length of q
479	* g - DSA (g) parameter, ASCII hex string
480	* gSz - length of g
481	*
482	* returns 0 on success, negative upon failure
483	*/
484	int wc_DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
485	const char* g)
486	{
487	return _DsaImportParamsRaw(dsa, p, q, g, 1, NULL);
488	}
489
490
491	/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
492	* input parameters (p,q,g) should be represented as ASCII hex values. Check
493	* that the p value is probably prime.
494	*
495	* dsa - pointer to initialized DsaKey structure
496	* p - DSA (p) parameter, ASCII hex string
497	* pSz - length of p
498	* q - DSA (q) parameter, ASCII hex string
499	* qSz - length of q
500	* g - DSA (g) parameter, ASCII hex string
501	* gSz - length of g
502	* trusted - trust that p is OK
503	* rng - random number generator for the prime test
504	*
505	* returns 0 on success, negative upon failure
506	*/
507	int wc_DsaImportParamsRawCheck(DsaKey* dsa, const char* p, const char* q,
508	const char* g, int trusted, WC_RNG* rng)
509	{
510	return _DsaImportParamsRaw(dsa, p, q, g, trusted, rng);
511	}
512
513
514	/* Export raw DSA parameters from DsaKey structure
515	*
516	* dsa - pointer to initialized DsaKey structure
517	* p - output location for DSA (p) parameter
518	* pSz - [IN/OUT] size of output buffer for p, size of p
519	* q - output location for DSA (q) parameter
520	* qSz - [IN/OUT] size of output buffer for q, size of q
521	* g - output location for DSA (g) parameter
522	* gSz - [IN/OUT] size of output buffer for g, size of g
523	*
524	* If p, q, and g pointers are all passed in as NULL, the function
525	* will set pSz, qSz, and gSz to the required output buffer sizes for p,
526	* q, and g. In this case, the function will return LENGTH_ONLY_E.
527	*
528	* returns 0 on success, negative upon failure
529	*/
530	int wc_DsaExportParamsRaw(DsaKey* dsa, byte* p, word32* pSz,
531	byte* q, word32* qSz, byte* g, word32* gSz)
532	{
533	int err;
534	word32 pLen, qLen, gLen;
535
536	if (dsa == NULL \|\| pSz == NULL \|\| qSz == NULL \|\| gSz == NULL)
537	return BAD_FUNC_ARG;
538
539	/* get required output buffer sizes */
540	pLen = mp_unsigned_bin_size(&dsa->p);
541	qLen = mp_unsigned_bin_size(&dsa->q);
542	gLen = mp_unsigned_bin_size(&dsa->g);
543
544	/* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
545	if (p == NULL && q == NULL && g == NULL) {
546	*pSz = pLen;
547	*qSz = qLen;
548	*gSz = gLen;
549	return LENGTH_ONLY_E;
550	}
551
552	if (p == NULL \|\| q == NULL \|\| g == NULL)
553	return BAD_FUNC_ARG;
554
555	/* export p */
556	if (*pSz < pLen) {
557	WOLFSSL_MSG("Output buffer for DSA p parameter too small, "
558	"required size placed into pSz");
559	*pSz = pLen;
560	return BUFFER_E;
561	}
562	*pSz = pLen;
563	err = mp_to_unsigned_bin(&dsa->p, p);
564
565	/* export q */
566	if (err == MP_OKAY) {
567	if (*qSz < qLen) {
568	WOLFSSL_MSG("Output buffer for DSA q parameter too small, "
569	"required size placed into qSz");
570	*qSz = qLen;
571	return BUFFER_E;
572	}
573	*qSz = qLen;
574	err = mp_to_unsigned_bin(&dsa->q, q);
575	}
576
577	/* export g */
578	if (err == MP_OKAY) {
579	if (*gSz < gLen) {
580	WOLFSSL_MSG("Output buffer for DSA g parameter too small, "
581	"required size placed into gSz");
582	*gSz = gLen;
583	return BUFFER_E;
584	}
585	*gSz = gLen;
586	err = mp_to_unsigned_bin(&dsa->g, g);
587	}
588
589	return err;
590	}
591
592
593	/* Export raw DSA key (x, y) from DsaKey structure
594	*
595	* dsa - pointer to initialized DsaKey structure
596	* x - output location for private key
597	* xSz - [IN/OUT] size of output buffer for x, size of x
598	* y - output location for public key
599	* ySz - [IN/OUT] size of output buffer for y, size of y
600	*
601	* If x and y pointers are all passed in as NULL, the function
602	* will set xSz and ySz to the required output buffer sizes for x
603	* and y. In this case, the function will return LENGTH_ONLY_E.
604	*
605	* returns 0 on success, negative upon failure
606	*/
607	int wc_DsaExportKeyRaw(DsaKey* dsa, byte* x, word32* xSz, byte* y, word32* ySz)
608	{
609	int err;
610	word32 xLen, yLen;
611
612	if (dsa == NULL \|\| xSz == NULL \|\| ySz == NULL)
613	return BAD_FUNC_ARG;
614
615	/* get required output buffer sizes */
616	xLen = mp_unsigned_bin_size(&dsa->x);
617	yLen = mp_unsigned_bin_size(&dsa->y);
618
619	/* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
620	if (x == NULL && y == NULL) {
621	*xSz = xLen;
622	*ySz = yLen;
623	return LENGTH_ONLY_E;
624	}
625
626	if (x == NULL \|\| y == NULL)
627	return BAD_FUNC_ARG;
628
629	/* export x */
630	if (*xSz < xLen) {
631	WOLFSSL_MSG("Output buffer for DSA private key (x) too small, "
632	"required size placed into xSz");
633	*xSz = xLen;
634	return BUFFER_E;
635	}
636	*xSz = xLen;
637	err = mp_to_unsigned_bin(&dsa->x, x);
638
639	/* export y */
640	if (err == MP_OKAY) {
641	if (*ySz < yLen) {
642	WOLFSSL_MSG("Output buffer to DSA public key (y) too small, "
643	"required size placed into ySz");
644	*ySz = yLen;
645	return BUFFER_E;
646	}
647	*ySz = yLen;
648	err = mp_to_unsigned_bin(&dsa->y, y);
649	}
650
651	return err;
652	}
653
654
655	int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
656	{
657	mp_int k, kInv, r, s, H;
658	#ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME
659	mp_int b;
660	#endif
661	mp_int* qMinus1;
662	int ret = 0, sz;
663	byte buffer[DSA_HALF_SIZE];
664	byte* tmp; /* initial output pointer */
665
666	if (digest == NULL \|\| out == NULL \|\| key == NULL \|\| rng == NULL) {
667	return BAD_FUNC_ARG;
668	}
669
670	tmp = out;
671
672	sz = min((int)sizeof(buffer), mp_unsigned_bin_size(&key->q));
673
674	#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
675	if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
676	#else
677	if (mp_init_multi(&k, &kInv, &r, &s, &H, &b) != MP_OKAY)
678	#endif
679	{
680	return MP_INIT_E;
681	}
682	qMinus1 = &kInv;
683
684	/* NIST FIPS 186-4: B.2.2
685	* Per-Message Secret Number Generation by Testing Candidates
686	* Generate k in range [1, q-1].
687	* Check that k is less than q-1: range [0, q-2].
688	* Add 1 to k: range [1, q-1].
689	*/
690	if (mp_sub_d(&key->q, 1, qMinus1))
691	ret = MP_SUB_E;
692
693	if (ret == 0) {
694	do {
695	/* Step 4: generate k */
696	ret = wc_RNG_GenerateBlock(rng, buffer, sz);
697
698	/* Step 5 */
699	if (ret == 0 && mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
700	ret = MP_READ_E;
701
702	/* k is a random numnber and it should be less than q-1
703	* if k greater than repeat
704	*/
705	/* Step 6 */
706	} while (ret == 0 && mp_cmp(&k, qMinus1) != MP_LT);
707	}
708	/* Step 7 */
709	if (ret == 0 && mp_add_d(&k, 1, &k) != MP_OKAY)
710	ret = MP_MOD_E;
711
712	#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
713	/* inverse k mod q */
714	if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
715	ret = MP_INVMOD_E;
716
717	/* generate r, r = (g exp k mod p) mod q */
718	if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p,
719	&r) != MP_OKAY) {
720	ret = MP_EXPTMOD_E;
721	}
722
723	if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
724	ret = MP_MOD_E;
725
726	/* generate H from sha digest */
727	if (ret == 0 && mp_read_unsigned_bin(&H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
728	ret = MP_READ_E;
729
730	/* generate s, s = (kInv * (H + xr)) % q /
731	if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
732	ret = MP_MUL_E;
733
734	if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
735	ret = MP_ADD_E;
736
737	if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
738	ret = MP_MULMOD_E;
739	#else
740	/* Blinding value
741	* Generate b in range [1, q-1].
742	*/
743	if (ret == 0) {
744	do {
745	ret = wc_RNG_GenerateBlock(rng, buffer, sz);
746	if (ret == 0 && mp_read_unsigned_bin(&b, buffer, sz) != MP_OKAY)
747	ret = MP_READ_E;
748	} while (ret == 0 && mp_cmp(&b, qMinus1) != MP_LT);
749	}
750	if (ret == 0 && mp_add_d(&b, 1, &b) != MP_OKAY)
751	ret = MP_MOD_E;
752
753	/* set H from sha digest */
754	if (ret == 0 && mp_read_unsigned_bin(&H, digest,
755	WC_SHA_DIGEST_SIZE) != MP_OKAY) {
756	ret = MP_READ_E;
757	}
758
759	/* generate r, r = (g exp k mod p) mod q */
760	if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p,
761	&r) != MP_OKAY) {
762	ret = MP_EXPTMOD_E;
763	}
764
765	/* calculate s = (H + xr)/k
766	= b.(H/k.b + x.r/k.b) */
767
768	/* k = k.b */
769	if (ret == 0 && mp_mulmod(&k, &b, &key->q, &k) != MP_OKAY)
770	ret = MP_MULMOD_E;
771
772	/* kInv = 1/k.b mod q */
773	if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
774	ret = MP_INVMOD_E;
775
776	if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
777	ret = MP_MOD_E;
778
779	/* s = x.r */
780	if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
781	ret = MP_MUL_E;
782
783	/* s = x.r/k.b */
784	if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
785	ret = MP_MULMOD_E;
786
787	/* H = H/k.b */
788	if (ret == 0 && mp_mulmod(&H, &kInv, &key->q, &H) != MP_OKAY)
789	ret = MP_MULMOD_E;
790
791	/* s = H/k.b + x.r/k.b
792	= (H + x.r)/k.b */
793	if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
794	ret = MP_ADD_E;
795
796	/* s = b.(e + x.r)/k.b
797	= (e + x.r)/k */
798	if (ret == 0 && mp_mulmod(&s, &b, &key->q, &s) != MP_OKAY)
799	ret = MP_MULMOD_E;
800
801	/* s = (e + x.r)/k */
802	if (ret == 0 && mp_mod(&s, &key->q, &s) != MP_OKAY)
803	ret = MP_MOD_E;
804	#endif
805
806	/* detect zero r or s */
807	if (ret == 0 && (mp_iszero(&r) == MP_YES \|\| mp_iszero(&s) == MP_YES))
808	ret = MP_ZERO_E;
809
810	/* write out */
811	if (ret == 0) {
812	int rSz = mp_unsigned_bin_size(&r);
813	int sSz = mp_unsigned_bin_size(&s);
814
815	while (rSz++ < DSA_HALF_SIZE) {
816	out++ = 0x00; / pad front with zeros */
817	}
818
819	if (mp_to_unsigned_bin(&r, out) != MP_OKAY)
820	ret = MP_TO_E;
821	else {
822	out = tmp + DSA_HALF_SIZE; /* advance to s in output */
823	while (sSz++ < DSA_HALF_SIZE) {
824	out++ = 0x00; / pad front with zeros */
825	}
826	ret = mp_to_unsigned_bin(&s, out);
827	}
828	}
829
830	ForceZero(buffer, sz);
831	mp_forcezero(&kInv);
832	mp_forcezero(&k);
833	#ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME
834	mp_forcezero(&b);
835
836	mp_clear(&b);
837	#endif
838	mp_clear(&H);
839	mp_clear(&s);
840	mp_clear(&r);
841	mp_clear(&kInv);
842	mp_clear(&k);
843
844	return ret;
845	}
846
847
848	int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
849	{
850	mp_int w, u1, u2, v, r, s;
851	int ret = 0;
852
853	if (digest == NULL \|\| sig == NULL \|\| key == NULL \|\| answer == NULL) {
854	return BAD_FUNC_ARG;
855	}
856
857	if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY)
858	return MP_INIT_E;
859
860	/* set r and s from signature */
861	if (mp_read_unsigned_bin(&r, sig, DSA_HALF_SIZE) != MP_OKAY \|\|
862	mp_read_unsigned_bin(&s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY)
863	ret = MP_READ_E;
864
865	/* sanity checks */
866	if (ret == 0) {
867	if (mp_iszero(&r) == MP_YES \|\| mp_iszero(&s) == MP_YES \|\|
868	mp_cmp(&r, &key->q) != MP_LT \|\| mp_cmp(&s, &key->q) != MP_LT) {
869	ret = MP_ZERO_E;
870	}
871	}
872
873	/* put H into u1 from sha digest */
874	if (ret == 0 && mp_read_unsigned_bin(&u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
875	ret = MP_READ_E;
876
877	/* w = s invmod q */
878	if (ret == 0 && mp_invmod(&s, &key->q, &w) != MP_OKAY)
879	ret = MP_INVMOD_E;
880
881	/* u1 = (H * w) % q */
882	if (ret == 0 && mp_mulmod(&u1, &w, &key->q, &u1) != MP_OKAY)
883	ret = MP_MULMOD_E;
884
885	/* u2 = (r * w) % q */
886	if (ret == 0 && mp_mulmod(&r, &w, &key->q, &u2) != MP_OKAY)
887	ret = MP_MULMOD_E;
888
889	/* verify v = ((g^u1 * y^u2) mod p) mod q */
890	if (ret == 0 && mp_exptmod(&key->g, &u1, &key->p, &u1) != MP_OKAY)
891	ret = MP_EXPTMOD_E;
892
893	if (ret == 0 && mp_exptmod(&key->y, &u2, &key->p, &u2) != MP_OKAY)
894	ret = MP_EXPTMOD_E;
895
896	if (ret == 0 && mp_mulmod(&u1, &u2, &key->p, &v) != MP_OKAY)
897	ret = MP_MULMOD_E;
898
899	if (ret == 0 && mp_mod(&v, &key->q, &v) != MP_OKAY)
900	ret = MP_MULMOD_E;
901
902	/* do they match */
903	if (ret == 0 && mp_cmp(&r, &v) == MP_EQ)
904	*answer = 1;
905	else
906	*answer = 0;
907
908	mp_clear(&s);
909	mp_clear(&r);
910	mp_clear(&u1);
911	mp_clear(&u2);
912	mp_clear(&w);
913	mp_clear(&v);
914
915	return ret;
916	}
917
918
919	#endif /* NO_DSA */
920

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: azure_iot_hub_f767zi/trunk/wolfssl-4.4.0/wolfcrypt/src/dsa.c@ 457

Download in other formats: