- Timestamp:
- Jun 22, 2021, 9:00:19 PM (3 years ago)
- Location:
- azure_iot_hub_f767zi/trunk/wolfssl-4.7.0
- Files:
-
- 1 edited
- 1 moved
Legend:
- Unmodified
- Added
- Removed
-
azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/wolfcrypt/src/dsa.c
r457 r464 41 41 #define WOLFSSL_MISC_INCLUDED 42 42 #include <wolfcrypt/src/misc.c> 43 #endif 44 45 #ifdef _MSC_VER 46 /* disable for while(0) cases (MSVC bug) */ 47 #pragma warning(disable:4127) 43 48 #endif 44 49 … … 408 413 409 414 /* at this point tmp generates a group of order q mod p */ 415 #ifndef USE_FAST_MATH 416 /* Exchanging is quick when the data pointer can be copied. */ 410 417 mp_exch(&tmp, &dsa->g); 418 #else 419 mp_copy(&tmp, &dsa->g); 420 #endif 411 421 412 422 mp_clear(&tmp); … … 655 665 int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng) 656 666 { 657 mp_int k, kInv, r, s, H; 667 #ifdef WOLFSSL_SMALL_STACK 668 mp_int *k = (mp_int *)XMALLOC(sizeof *k, 669 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 670 mp_int *kInv = (mp_int *)XMALLOC(sizeof *kInv, 671 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 672 mp_int *r = (mp_int *)XMALLOC(sizeof *r, 673 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 674 mp_int *s = (mp_int *)XMALLOC(sizeof *s, 675 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 676 mp_int *H = (mp_int *)XMALLOC(sizeof *H, 677 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 658 678 #ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME 659 mp_int b; 679 mp_int *b = (mp_int *)XMALLOC(sizeof *b, 680 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 681 #endif 682 byte *buffer = (byte *)XMALLOC(DSA_HALF_SIZE, key->heap, 683 DYNAMIC_TYPE_TMP_BUFFER); 684 #else 685 mp_int k[1], kInv[1], r[1], s[1], H[1]; 686 #ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME 687 mp_int b[1]; 688 #endif 689 byte buffer[DSA_HALF_SIZE]; 660 690 #endif 661 691 mp_int* qMinus1; 662 int ret = 0, sz; 663 byte buffer[DSA_HALF_SIZE]; 692 int ret = 0, sz = 0; 664 693 byte* tmp; /* initial output pointer */ 665 694 666 if (digest == NULL || out == NULL || key == NULL || rng == NULL) { 667 return BAD_FUNC_ARG; 668 } 669 670 tmp = out; 671 672 sz = min((int)sizeof(buffer), mp_unsigned_bin_size(&key->q)); 673 695 do { 674 696 #ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME 675 if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)697 if (mp_init_multi(k, kInv, r, s, H, 0) != MP_OKAY) 676 698 #else 677 if (mp_init_multi(&k, &kInv, &r, &s, &H, &b) != MP_OKAY) 678 #endif 679 { 680 return MP_INIT_E; 681 } 682 qMinus1 = &kInv; 683 684 /* NIST FIPS 186-4: B.2.2 685 * Per-Message Secret Number Generation by Testing Candidates 686 * Generate k in range [1, q-1]. 687 * Check that k is less than q-1: range [0, q-2]. 688 * Add 1 to k: range [1, q-1]. 689 */ 690 if (mp_sub_d(&key->q, 1, qMinus1)) 691 ret = MP_SUB_E; 692 693 if (ret == 0) { 699 if (mp_init_multi(k, kInv, r, s, H, b) != MP_OKAY) 700 #endif 701 { 702 ret = MP_INIT_E; 703 break; 704 } 705 706 #ifdef WOLFSSL_SMALL_STACK 707 if ((k == NULL) || 708 (kInv == NULL) || 709 (r == NULL) || 710 (s == NULL) || 711 (H == NULL) 712 #ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME 713 || (b == NULL) 714 #endif 715 || (buffer == NULL)) { 716 ret = MEMORY_E; 717 break; 718 } 719 #endif 720 721 if (digest == NULL || out == NULL || key == NULL || rng == NULL) { 722 ret = BAD_FUNC_ARG; 723 break; 724 } 725 726 sz = min(DSA_HALF_SIZE, mp_unsigned_bin_size(&key->q)); 727 tmp = out; 728 qMinus1 = kInv; 729 730 /* NIST FIPS 186-4: B.2.2 731 * Per-Message Secret Number Generation by Testing Candidates 732 * Generate k in range [1, q-1]. 733 * Check that k is less than q-1: range [0, q-2]. 734 * Add 1 to k: range [1, q-1]. 735 */ 736 if (mp_sub_d(&key->q, 1, qMinus1)) { 737 ret = MP_SUB_E; 738 break; 739 } 740 694 741 do { 695 742 /* Step 4: generate k */ 696 ret = wc_RNG_GenerateBlock(rng, buffer, sz); 743 if ((ret = wc_RNG_GenerateBlock(rng, buffer, sz))) { 744 break; 745 } 697 746 698 747 /* Step 5 */ 699 if ( ret == 0 && mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)748 if (mp_read_unsigned_bin(k, buffer, sz) != MP_OKAY) { 700 749 ret = MP_READ_E; 750 break; 751 } 701 752 702 753 /* k is a random numnber and it should be less than q-1 703 754 * if k greater than repeat 704 755 */ 705 /* Step 6 */ 706 } while (ret == 0 && mp_cmp(&k, qMinus1) != MP_LT); 707 } 708 /* Step 7 */ 709 if (ret == 0 && mp_add_d(&k, 1, &k) != MP_OKAY) 710 ret = MP_MOD_E; 756 /* Step 6 */ 757 } while (mp_cmp(k, qMinus1) != MP_LT); 758 759 if (ret != 0) 760 break; 761 762 /* Step 7 */ 763 if (mp_add_d(k, 1, k) != MP_OKAY) { 764 ret = MP_MOD_E; 765 break; 766 } 711 767 712 768 #ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME 713 /* inverse k mod q */ 714 if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY) 715 ret = MP_INVMOD_E; 716 717 /* generate r, r = (g exp k mod p) mod q */ 718 if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p, 719 &r) != MP_OKAY) { 720 ret = MP_EXPTMOD_E; 721 } 722 723 if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY) 724 ret = MP_MOD_E; 725 726 /* generate H from sha digest */ 727 if (ret == 0 && mp_read_unsigned_bin(&H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY) 728 ret = MP_READ_E; 729 730 /* generate s, s = (kInv * (H + x*r)) % q */ 731 if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY) 732 ret = MP_MUL_E; 733 734 if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY) 735 ret = MP_ADD_E; 736 737 if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY) 738 ret = MP_MULMOD_E; 769 /* inverse k mod q */ 770 if (mp_invmod(k, &key->q, kInv) != MP_OKAY) { 771 ret = MP_INVMOD_E; 772 break; 773 } 774 775 /* generate r, r = (g exp k mod p) mod q */ 776 if (mp_exptmod_ex(&key->g, k, key->q.used, &key->p, r) != MP_OKAY) { 777 ret = MP_EXPTMOD_E; 778 break; 779 } 780 781 if (mp_mod(r, &key->q, r) != MP_OKAY) { 782 ret = MP_MOD_E; 783 break; 784 } 785 786 /* generate H from sha digest */ 787 if (mp_read_unsigned_bin(H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY) { 788 ret = MP_READ_E; 789 break; 790 } 791 792 /* generate s, s = (kInv * (H + x*r)) % q */ 793 if (mp_mul(&key->x, r, s) != MP_OKAY) { 794 ret = MP_MUL_E; 795 break; 796 } 797 798 if (mp_add(s, H, s) != MP_OKAY) { 799 ret = MP_ADD_E; 800 break; 801 } 802 803 if (mp_mulmod(s, kInv, &key->q, s) != MP_OKAY) { 804 ret = MP_MULMOD_E; 805 break; 806 } 739 807 #else 740 /* Blinding value 741 * Generate b in range [1, q-1]. 742 */ 743 if (ret == 0) { 808 /* Blinding value 809 * Generate b in range [1, q-1]. 810 */ 744 811 do { 745 ret = wc_RNG_GenerateBlock(rng, buffer, sz); 746 if (ret == 0 && mp_read_unsigned_bin(&b, buffer, sz) != MP_OKAY) 812 if ((ret = wc_RNG_GenerateBlock(rng, buffer, sz))) { 813 break; 814 } 815 if (mp_read_unsigned_bin(b, buffer, sz) != MP_OKAY) { 747 816 ret = MP_READ_E; 748 } while (ret == 0 && mp_cmp(&b, qMinus1) != MP_LT); 749 } 750 if (ret == 0 && mp_add_d(&b, 1, &b) != MP_OKAY) 751 ret = MP_MOD_E; 752 753 /* set H from sha digest */ 754 if (ret == 0 && mp_read_unsigned_bin(&H, digest, 755 WC_SHA_DIGEST_SIZE) != MP_OKAY) { 756 ret = MP_READ_E; 757 } 758 759 /* generate r, r = (g exp k mod p) mod q */ 760 if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p, 761 &r) != MP_OKAY) { 762 ret = MP_EXPTMOD_E; 763 } 764 765 /* calculate s = (H + xr)/k 766 = b.(H/k.b + x.r/k.b) */ 767 768 /* k = k.b */ 769 if (ret == 0 && mp_mulmod(&k, &b, &key->q, &k) != MP_OKAY) 770 ret = MP_MULMOD_E; 771 772 /* kInv = 1/k.b mod q */ 773 if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY) 774 ret = MP_INVMOD_E; 775 776 if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY) 777 ret = MP_MOD_E; 778 779 /* s = x.r */ 780 if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY) 781 ret = MP_MUL_E; 782 783 /* s = x.r/k.b */ 784 if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY) 785 ret = MP_MULMOD_E; 786 787 /* H = H/k.b */ 788 if (ret == 0 && mp_mulmod(&H, &kInv, &key->q, &H) != MP_OKAY) 789 ret = MP_MULMOD_E; 790 791 /* s = H/k.b + x.r/k.b 792 = (H + x.r)/k.b */ 793 if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY) 794 ret = MP_ADD_E; 795 796 /* s = b.(e + x.r)/k.b 797 = (e + x.r)/k */ 798 if (ret == 0 && mp_mulmod(&s, &b, &key->q, &s) != MP_OKAY) 799 ret = MP_MULMOD_E; 800 801 /* s = (e + x.r)/k */ 802 if (ret == 0 && mp_mod(&s, &key->q, &s) != MP_OKAY) 803 ret = MP_MOD_E; 804 #endif 805 806 /* detect zero r or s */ 807 if (ret == 0 && (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES)) 808 ret = MP_ZERO_E; 809 810 /* write out */ 811 if (ret == 0) { 812 int rSz = mp_unsigned_bin_size(&r); 813 int sSz = mp_unsigned_bin_size(&s); 814 815 while (rSz++ < DSA_HALF_SIZE) { 816 *out++ = 0x00; /* pad front with zeros */ 817 } 818 819 if (mp_to_unsigned_bin(&r, out) != MP_OKAY) 820 ret = MP_TO_E; 821 else { 822 out = tmp + DSA_HALF_SIZE; /* advance to s in output */ 823 while (sSz++ < DSA_HALF_SIZE) { 817 break; 818 } 819 } while (mp_cmp(b, qMinus1) != MP_LT); 820 821 if (ret != 0) 822 break; 823 824 if (mp_add_d(b, 1, b) != MP_OKAY) { 825 ret = MP_MOD_E; 826 break; 827 } 828 829 /* set H from sha digest */ 830 if (mp_read_unsigned_bin(H, digest, WC_SHA_DIGEST_SIZE) != MP_OKAY) { 831 ret = MP_READ_E; 832 break; 833 } 834 835 /* generate r, r = (g exp k mod p) mod q */ 836 if (mp_exptmod_ex(&key->g, k, key->q.used, &key->p, r) != MP_OKAY) { 837 ret = MP_EXPTMOD_E; 838 break; 839 } 840 841 /* calculate s = (H + xr)/k = b.(H/k.b + x.r/k.b) */ 842 843 /* k = k.b */ 844 if (mp_mulmod(k, b, &key->q, k) != MP_OKAY) { 845 ret = MP_MULMOD_E; 846 break; 847 } 848 849 /* kInv = 1/k.b mod q */ 850 if (mp_invmod(k, &key->q, kInv) != MP_OKAY) { 851 ret = MP_INVMOD_E; 852 break; 853 } 854 855 if (mp_mod(r, &key->q, r) != MP_OKAY) { 856 ret = MP_MOD_E; 857 break; 858 } 859 860 /* s = x.r */ 861 if (mp_mul(&key->x, r, s) != MP_OKAY) { 862 ret = MP_MUL_E; 863 break; 864 } 865 866 /* s = x.r/k.b */ 867 if (mp_mulmod(s, kInv, &key->q, s) != MP_OKAY) { 868 ret = MP_MULMOD_E; 869 break; 870 } 871 872 /* H = H/k.b */ 873 if (mp_mulmod(H, kInv, &key->q, H) != MP_OKAY) { 874 ret = MP_MULMOD_E; 875 break; 876 } 877 878 /* s = H/k.b + x.r/k.b = (H + x.r)/k.b */ 879 if (mp_add(s, H, s) != MP_OKAY) { 880 ret = MP_ADD_E; 881 break; 882 } 883 884 /* s = b.(e + x.r)/k.b = (e + x.r)/k */ 885 if (mp_mulmod(s, b, &key->q, s) != MP_OKAY) { 886 ret = MP_MULMOD_E; 887 break; 888 } 889 890 /* s = (e + x.r)/k */ 891 if (mp_mod(s, &key->q, s) != MP_OKAY) { 892 ret = MP_MOD_E; 893 break; 894 } 895 #endif 896 897 /* detect zero r or s */ 898 if ((mp_iszero(r) == MP_YES) || (mp_iszero(s) == MP_YES)) { 899 ret = MP_ZERO_E; 900 break; 901 } 902 903 /* write out */ 904 { 905 int rSz = mp_unsigned_bin_size(r); 906 int sSz = mp_unsigned_bin_size(s); 907 908 while (rSz++ < DSA_HALF_SIZE) { 824 909 *out++ = 0x00; /* pad front with zeros */ 825 910 } 826 ret = mp_to_unsigned_bin(&s, out); 827 } 828 } 829 830 ForceZero(buffer, sz); 831 mp_forcezero(&kInv); 832 mp_forcezero(&k); 911 912 if (mp_to_unsigned_bin(r, out) != MP_OKAY) 913 ret = MP_TO_E; 914 else { 915 out = tmp + DSA_HALF_SIZE; /* advance to s in output */ 916 while (sSz++ < DSA_HALF_SIZE) { 917 *out++ = 0x00; /* pad front with zeros */ 918 } 919 ret = mp_to_unsigned_bin(s, out); 920 } 921 } 922 } while (0); 923 924 #ifdef WOLFSSL_SMALL_STACK 925 if (k) { 926 if (ret != MP_INIT_E) 927 mp_forcezero(k); 928 XFREE(k, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 929 } 930 if (kInv) { 931 if (ret != MP_INIT_E) 932 mp_forcezero(kInv); 933 XFREE(kInv, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 934 } 935 if (r) { 936 if (ret != MP_INIT_E) 937 mp_clear(r); 938 XFREE(r, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 939 } 940 if (s) { 941 if (ret != MP_INIT_E) 942 mp_clear(s); 943 XFREE(s, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 944 } 945 if (H) { 946 if (ret != MP_INIT_E) 947 mp_clear(H); 948 XFREE(H, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 949 } 833 950 #ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME 834 mp_forcezero(&b); 835 836 mp_clear(&b); 837 #endif 838 mp_clear(&H); 839 mp_clear(&s); 840 mp_clear(&r); 841 mp_clear(&kInv); 842 mp_clear(&k); 951 if (b) { 952 if (ret != MP_INIT_E) 953 mp_forcezero(b); 954 XFREE(b, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 955 } 956 #endif 957 if (buffer) { 958 ForceZero(buffer, sz); 959 XFREE(buffer, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 960 } 961 #else /* !WOLFSSL_SMALL_STACK */ 962 if (ret != MP_INIT_E) { 963 ForceZero(buffer, sz); 964 mp_forcezero(kInv); 965 mp_forcezero(k); 966 #ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME 967 mp_forcezero(b); 968 #endif 969 mp_clear(H); 970 mp_clear(s); 971 mp_clear(r); 972 } 973 #endif 843 974 844 975 return ret; … … 848 979 int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer) 849 980 { 850 mp_int w, u1, u2, v, r, s; 981 #ifdef WOLFSSL_SMALL_STACK 982 mp_int *w = (mp_int *)XMALLOC(sizeof *w, 983 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 984 mp_int *u1 = (mp_int *)XMALLOC(sizeof *u1, 985 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 986 mp_int *u2 = (mp_int *)XMALLOC(sizeof *u2, 987 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 988 mp_int *v = (mp_int *)XMALLOC(sizeof *v, 989 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 990 mp_int *r = (mp_int *)XMALLOC(sizeof *r, 991 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 992 mp_int *s = (mp_int *)XMALLOC(sizeof *s, 993 key->heap, DYNAMIC_TYPE_TMP_BUFFER); 994 #else 995 mp_int w[1], u1[1], u2[1], v[1], r[1], s[1]; 996 #endif 851 997 int ret = 0; 852 998 853 if (digest == NULL || sig == NULL || key == NULL || answer == NULL) { 854 return BAD_FUNC_ARG; 855 } 856 857 if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY) 858 return MP_INIT_E; 859 860 /* set r and s from signature */ 861 if (mp_read_unsigned_bin(&r, sig, DSA_HALF_SIZE) != MP_OKAY || 862 mp_read_unsigned_bin(&s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY) 863 ret = MP_READ_E; 864 865 /* sanity checks */ 866 if (ret == 0) { 867 if (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES || 868 mp_cmp(&r, &key->q) != MP_LT || mp_cmp(&s, &key->q) != MP_LT) { 999 do { 1000 if (mp_init_multi(w, u1, u2, v, r, s) != MP_OKAY) { 1001 ret = MP_INIT_E; 1002 break; 1003 } 1004 1005 if (digest == NULL || sig == NULL || key == NULL || answer == NULL) { 1006 ret = BAD_FUNC_ARG; 1007 break; 1008 } 1009 1010 #ifdef WOLFSSL_SMALL_STACK 1011 if ((w == NULL) || 1012 (u1 == NULL) || 1013 (u2 == NULL) || 1014 (v == NULL) || 1015 (r == NULL) || 1016 (s == NULL)) { 1017 ret = MEMORY_E; 1018 break; 1019 } 1020 #endif 1021 1022 /* set r and s from signature */ 1023 if (mp_read_unsigned_bin(r, sig, DSA_HALF_SIZE) != MP_OKAY || 1024 mp_read_unsigned_bin(s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY) { 1025 ret = MP_READ_E; 1026 break; 1027 } 1028 1029 /* sanity checks */ 1030 if (mp_iszero(r) == MP_YES || mp_iszero(s) == MP_YES || 1031 mp_cmp(r, &key->q) != MP_LT || mp_cmp(s, &key->q) != MP_LT) { 869 1032 ret = MP_ZERO_E; 870 } 871 } 872 873 /* put H into u1 from sha digest */ 874 if (ret == 0 && mp_read_unsigned_bin(&u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY) 875 ret = MP_READ_E; 876 877 /* w = s invmod q */ 878 if (ret == 0 && mp_invmod(&s, &key->q, &w) != MP_OKAY) 879 ret = MP_INVMOD_E; 880 881 /* u1 = (H * w) % q */ 882 if (ret == 0 && mp_mulmod(&u1, &w, &key->q, &u1) != MP_OKAY) 883 ret = MP_MULMOD_E; 884 885 /* u2 = (r * w) % q */ 886 if (ret == 0 && mp_mulmod(&r, &w, &key->q, &u2) != MP_OKAY) 887 ret = MP_MULMOD_E; 888 889 /* verify v = ((g^u1 * y^u2) mod p) mod q */ 890 if (ret == 0 && mp_exptmod(&key->g, &u1, &key->p, &u1) != MP_OKAY) 891 ret = MP_EXPTMOD_E; 892 893 if (ret == 0 && mp_exptmod(&key->y, &u2, &key->p, &u2) != MP_OKAY) 894 ret = MP_EXPTMOD_E; 895 896 if (ret == 0 && mp_mulmod(&u1, &u2, &key->p, &v) != MP_OKAY) 897 ret = MP_MULMOD_E; 898 899 if (ret == 0 && mp_mod(&v, &key->q, &v) != MP_OKAY) 900 ret = MP_MULMOD_E; 901 902 /* do they match */ 903 if (ret == 0 && mp_cmp(&r, &v) == MP_EQ) 904 *answer = 1; 905 else 906 *answer = 0; 907 908 mp_clear(&s); 909 mp_clear(&r); 910 mp_clear(&u1); 911 mp_clear(&u2); 912 mp_clear(&w); 913 mp_clear(&v); 1033 break; 1034 } 1035 1036 /* put H into u1 from sha digest */ 1037 if (mp_read_unsigned_bin(u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY) { 1038 ret = MP_READ_E; 1039 break; 1040 } 1041 1042 /* w = s invmod q */ 1043 if (mp_invmod(s, &key->q, w) != MP_OKAY) { 1044 ret = MP_INVMOD_E; 1045 break; 1046 } 1047 1048 /* u1 = (H * w) % q */ 1049 if (mp_mulmod(u1, w, &key->q, u1) != MP_OKAY) { 1050 ret = MP_MULMOD_E; 1051 break; 1052 } 1053 1054 /* u2 = (r * w) % q */ 1055 if (mp_mulmod(r, w, &key->q, u2) != MP_OKAY) { 1056 ret = MP_MULMOD_E; 1057 break; 1058 } 1059 1060 /* verify v = ((g^u1 * y^u2) mod p) mod q */ 1061 if (mp_exptmod(&key->g, u1, &key->p, u1) != MP_OKAY) { 1062 ret = MP_EXPTMOD_E; 1063 break; 1064 } 1065 1066 if (mp_exptmod(&key->y, u2, &key->p, u2) != MP_OKAY) { 1067 ret = MP_EXPTMOD_E; 1068 break; 1069 } 1070 1071 if (mp_mulmod(u1, u2, &key->p, v) != MP_OKAY) { 1072 ret = MP_MULMOD_E; 1073 break; 1074 } 1075 1076 if (mp_mod(v, &key->q, v) != MP_OKAY) { 1077 ret = MP_MULMOD_E; 1078 break; 1079 } 1080 1081 /* do they match */ 1082 if (mp_cmp(r, v) == MP_EQ) 1083 *answer = 1; 1084 else 1085 *answer = 0; 1086 } while (0); 1087 1088 #ifdef WOLFSSL_SMALL_STACK 1089 if (s) { 1090 if (ret != MP_INIT_E) 1091 mp_clear(s); 1092 XFREE(s, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 1093 } 1094 if (r) { 1095 if (ret != MP_INIT_E) 1096 mp_clear(r); 1097 XFREE(r, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 1098 } 1099 if (u1) { 1100 if (ret != MP_INIT_E) 1101 mp_clear(u1); 1102 XFREE(u1, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 1103 } 1104 if (u2) { 1105 if (ret != MP_INIT_E) 1106 mp_clear(u2); 1107 XFREE(u2, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 1108 } 1109 if (w) { 1110 if (ret != MP_INIT_E) 1111 mp_clear(w); 1112 XFREE(w, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 1113 } 1114 if (v) { 1115 if (ret != MP_INIT_E) 1116 mp_clear(v); 1117 XFREE(v, key->heap, DYNAMIC_TYPE_TMP_BUFFER); 1118 } 1119 #else 1120 if (ret != MP_INIT_E) { 1121 mp_clear(s); 1122 mp_clear(r); 1123 mp_clear(u1); 1124 mp_clear(u2); 1125 mp_clear(w); 1126 mp_clear(v); 1127 } 1128 #endif 914 1129 915 1130 return ret;
Note:
See TracChangeset
for help on using the changeset viewer.