cryptlib  3.4.1
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Macros
ctx_dsa.c
Go to the documentation of this file.
1 /****************************************************************************
2 * *
3 * cryptlib DSA Encryption Routines *
4 * Copyright Peter Gutmann 1995-2005 *
5 * *
6 ****************************************************************************/
7 
8 #define PKC_CONTEXT /* Indicate that we're working with PKC contexts */
9 #if defined( INC_ALL )
10  #include "crypt.h"
11  #include "context.h"
12 #else
13  #include "crypt.h"
14  #include "context/context.h"
15 #endif /* Compiler-specific includes */
16 
17 #ifdef USE_DSA
18 
19 /****************************************************************************
20 * *
21 * Predefined DSA p, q, and g Parameters *
22 * *
23 ****************************************************************************/
24 
25 /* We never use shared DSA parameters because they allow forgery of
26  signatures on certificates. This works as follows: Suppose that the
27  certificate contains a copy of the certificate signer's DSA parameters,
28  and the verifier of the certificate has a copy of the signer's public key
29  but not the signer's DSA parameters (which are shared with other keys).
30  If the verifier uses the DSA parameters from the certificate along with
31  the signer's public key to verify the signature on the certificate, then
32  an attacker can create bogus certificates by choosing a random u and
33  finding its inverse v modulo q (uv is congruent to 1 modulo q). Then
34  take the certificate signer's public key g^x and compute g' = (g^x)^u.
35  Then g'^v = g^x. Using the DSA parameters p, q, g', the signer's public
36  key corresponds to the private key v, which the attacker knows. The
37  attacker can then create a bogus certificate, put parameters (p, q, g')
38  in it, and sign it with the DSA private key v to create an apparently
39  valid certificate. This works with the DSA OID that makes p, q, and g
40  unauthenticated public parameters and y the public key, but not the one
41  that makes p, q, g, and y the public key */
42 
43 /****************************************************************************
44 * *
45 * Algorithm Self-test *
46 * *
47 ****************************************************************************/
48 
49 /* Since we're doing the self-test using the FIPS 186 values we use the
50  following fixed k and hash values rather than a randomly-generated
51  value */
52 
53 static const BYTE FAR_BSS shaM[] = {
54  0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A,
55  0xBA, 0x3E, 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C,
56  0x9C, 0xD0, 0xD8, 0x9D
57  };
58 
59 static const BYTE FAR_BSS kVal[] = {
60  0x35, 0x8D, 0xAD, 0x57, 0x14, 0x62, 0x71, 0x0F,
61  0x50, 0xE2, 0x54, 0xCF, 0x1A, 0x37, 0x6B, 0x2B,
62  0xDE, 0xAA, 0xDF, 0xBF
63  };
64 
65 /* Perform a pairwise consistency test on a public/private key pair */
66 
67 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \
68 static BOOLEAN pairwiseConsistencyTest( CONTEXT_INFO *contextInfoPtr )
69  {
70  const CAPABILITY_INFO *capabilityInfoPtr = contextInfoPtr->capabilityInfo;
71  DLP_PARAMS dlpParams;
72  BYTE buffer[ 128 + 8 ];
73  int sigSize, status;
74 
75  assert( isWritePtr( contextInfoPtr, sizeof( CONTEXT_INFO ) ) );
76 
77  /* Generate a signature with the private key */
78  setDLPParams( &dlpParams, shaM, 20, buffer, 128 );
79  dlpParams.inLen2 = -999;
80  status = capabilityInfoPtr->signFunction( contextInfoPtr,
81  ( BYTE * ) &dlpParams, sizeof( DLP_PARAMS ) );
82  if( cryptStatusError( status ) )
83  return( FALSE );
84 
85  /* Verify the signature with the public key */
86  sigSize = dlpParams.outLen;
87  setDLPParams( &dlpParams, shaM, 20, NULL, 0 );
88  dlpParams.inParam2 = buffer;
89  dlpParams.inLen2 = sigSize;
90  status = capabilityInfoPtr->sigCheckFunction( contextInfoPtr,
91  ( BYTE * ) &dlpParams, sizeof( DLP_PARAMS ) );
92  return( cryptStatusOK( status ) ? TRUE : FALSE );
93  }
94 
95 #ifndef CONFIG_NO_SELFTEST
96 
97 /* Test the DSA implementation using the sample key and hash from FIPS 186
98  (we actually use a generated 1024-bit key because the FIPS 186 key at
99  512 bits is too short to load). Because a lot of the high-level
100  encryption routines don't exist yet, we cheat a bit and set up a dummy
101  encryption context with just enough information for the following code to
102  work */
103 
104 typedef struct {
105  const int pLen; const BYTE p[ 128 ];
106  const int qLen; const BYTE q[ 20 ];
107  const int gLen; const BYTE g[ 128 ];
108  const int xLen; const BYTE x[ 20 ];
109  const int yLen; const BYTE y[ 128 ];
110  } DLP_KEY;
111 
112 #if 0 /* FIPS 186 test key is too small to be loaded */
113 
114 static const DLP_PRIVKEY FAR_BSS dlpTestKey = {
115  /* p */
116  64,
117  { 0x8D, 0xF2, 0xA4, 0x94, 0x49, 0x22, 0x76, 0xAA,
118  0x3D, 0x25, 0x75, 0x9B, 0xB0, 0x68, 0x69, 0xCB,
119  0xEA, 0xC0, 0xD8, 0x3A, 0xFB, 0x8D, 0x0C, 0xF7,
120  0xCB, 0xB8, 0x32, 0x4F, 0x0D, 0x78, 0x82, 0xE5,
121  0xD0, 0x76, 0x2F, 0xC5, 0xB7, 0x21, 0x0E, 0xAF,
122  0xC2, 0xE9, 0xAD, 0xAC, 0x32, 0xAB, 0x7A, 0xAC,
123  0x49, 0x69, 0x3D, 0xFB, 0xF8, 0x37, 0x24, 0xC2,
124  0xEC, 0x07, 0x36, 0xEE, 0x31, 0xC8, 0x02, 0x91 },
125  /* q */
126  20,
127  { 0xC7, 0x73, 0x21, 0x8C, 0x73, 0x7E, 0xC8, 0xEE,
128  0x99, 0x3B, 0x4F, 0x2D, 0xED, 0x30, 0xF4, 0x8E,
129  0xDA, 0xCE, 0x91, 0x5F },
130  /* g */
131  64,
132  { 0x62, 0x6D, 0x02, 0x78, 0x39, 0xEA, 0x0A, 0x13,
133  0x41, 0x31, 0x63, 0xA5, 0x5B, 0x4C, 0xB5, 0x00,
134  0x29, 0x9D, 0x55, 0x22, 0x95, 0x6C, 0xEF, 0xCB,
135  0x3B, 0xFF, 0x10, 0xF3, 0x99, 0xCE, 0x2C, 0x2E,
136  0x71, 0xCB, 0x9D, 0xE5, 0xFA, 0x24, 0xBA, 0xBF,
137  0x58, 0xE5, 0xB7, 0x95, 0x21, 0x92, 0x5C, 0x9C,
138  0xC4, 0x2E, 0x9F, 0x6F, 0x46, 0x4B, 0x08, 0x8C,
139  0xC5, 0x72, 0xAF, 0x53, 0xE6, 0xD7, 0x88, 0x02 },
140  /* x */
141  20,
142  { 0x20, 0x70, 0xB3, 0x22, 0x3D, 0xBA, 0x37, 0x2F,
143  0xDE, 0x1C, 0x0F, 0xFC, 0x7B, 0x2E, 0x3B, 0x49,
144  0x8B, 0x26, 0x06, 0x14 },
145  /* y */
146  64,
147  { 0x19, 0x13, 0x18, 0x71, 0xD7, 0x5B, 0x16, 0x12,
148  0xA8, 0x19, 0xF2, 0x9D, 0x78, 0xD1, 0xB0, 0xD7,
149  0x34, 0x6F, 0x7A, 0xA7, 0x7B, 0xB6, 0x2A, 0x85,
150  0x9B, 0xFD, 0x6C, 0x56, 0x75, 0xDA, 0x9D, 0x21,
151  0x2D, 0x3A, 0x36, 0xEF, 0x16, 0x72, 0xEF, 0x66,
152  0x0B, 0x8C, 0x7C, 0x25, 0x5C, 0xC0, 0xEC, 0x74,
153  0x85, 0x8F, 0xBA, 0x33, 0xF4, 0x4C, 0x06, 0x69,
154  0x96, 0x30, 0xA7, 0x6B, 0x03, 0x0E, 0xE3, 0x33 }
155  };
156 #endif /* 0 */
157 
158 static const DLP_KEY FAR_BSS dlpTestKey = {
159  /* p */
160  128,
161  { 0x04, 0x4C, 0xDD, 0x5D, 0xB6, 0xED, 0x23, 0xAE,
162  0xB2, 0xA7, 0x59, 0xE6, 0xF8, 0x3D, 0xA6, 0x27,
163  0x85, 0xF2, 0xFE, 0xE2, 0xE8, 0xF3, 0xDA, 0xA3,
164  0x7B, 0xD6, 0x48, 0xD4, 0x44, 0xCA, 0x6E, 0x10,
165  0x97, 0x6C, 0x1D, 0x6C, 0x39, 0xA7, 0x0C, 0x88,
166  0x8E, 0x1F, 0xDD, 0xF7, 0x59, 0x69, 0xDA, 0x36,
167  0xDD, 0xB8, 0x3E, 0x1A, 0xD2, 0x91, 0x3E, 0x30,
168  0xB1, 0xB5, 0xC2, 0xBC, 0xA9, 0xA3, 0xA5, 0xDE,
169  0xC7, 0xCF, 0x51, 0x2C, 0x1B, 0x89, 0xD0, 0x71,
170  0xE3, 0x71, 0xBB, 0x50, 0x86, 0x26, 0x32, 0x9F,
171  0xF5, 0x4A, 0x9C, 0xB1, 0x78, 0x7B, 0x47, 0x1F,
172  0x19, 0xC7, 0x26, 0x22, 0x15, 0x62, 0x71, 0xAB,
173  0xD7, 0x25, 0xA5, 0xE4, 0x68, 0x71, 0x93, 0x5D,
174  0x1F, 0x29, 0x01, 0x05, 0x9C, 0x57, 0x3A, 0x09,
175  0xB0, 0xB8, 0xE4, 0xD2, 0x37, 0x90, 0x36, 0x2F,
176  0xBF, 0x1E, 0x74, 0xB4, 0x6B, 0xE4, 0x66, 0x07 },
177 
178  /* q */
179  20,
180  { 0xFD, 0xD9, 0xC8, 0x5F, 0x73, 0x62, 0xC9, 0x79,
181  0xEF, 0xD5, 0x09, 0x07, 0x02, 0xE7, 0xF2, 0x90,
182  0x97, 0x13, 0x26, 0x1D },
183 
184  /* g */
185  128,
186  { 0x02, 0x4E, 0xDD, 0x0D, 0x7F, 0x4D, 0xB1, 0x42,
187  0x01, 0x50, 0xE7, 0x9A, 0x65, 0x73, 0x8B, 0x31,
188  0x24, 0x6B, 0xC6, 0x74, 0xA7, 0x68, 0x26, 0x11,
189  0x06, 0x3C, 0x96, 0xA9, 0xA6, 0x23, 0x12, 0x79,
190  0xC4, 0xEE, 0x21, 0x88, 0xDD, 0xE3, 0xF0, 0x37,
191  0xCE, 0x3E, 0x54, 0x53, 0x57, 0x03, 0x30, 0xE4,
192  0xD3, 0xAB, 0x39, 0x4E, 0x39, 0xDC, 0xA2, 0x88,
193  0x82, 0xF6, 0xE8, 0xBA, 0xAC, 0xF5, 0x7D, 0x2F,
194  0x23, 0x9A, 0x09, 0x94, 0xB2, 0x89, 0xA2, 0xC9,
195  0x7C, 0xBE, 0x4D, 0x48, 0x0E, 0x59, 0x51, 0xB8,
196  0x7D, 0x99, 0x88, 0x79, 0xA8, 0x13, 0x0E, 0x12,
197  0x56, 0x9D, 0x4B, 0x2E, 0xE0, 0xE1, 0x37, 0x78,
198  0x6F, 0xCC, 0x4D, 0x97, 0xA9, 0x02, 0x0E, 0xD2,
199  0x43, 0x83, 0xEC, 0x4F, 0xC2, 0x70, 0xEF, 0x16,
200  0xDE, 0xBF, 0xBA, 0xD1, 0x6C, 0x8A, 0x36, 0xEE,
201  0x42, 0x41, 0xE9, 0xE7, 0x66, 0xAE, 0x46, 0x3B },
202 
203  /* x */
204  20,
205  { 0xD9, 0x41, 0x29, 0xF7, 0x40, 0x32, 0x09, 0x71,
206  0xB8, 0xE2, 0xB8, 0xCB, 0x74, 0x46, 0x0B, 0xD4,
207  0xF2, 0xAB, 0x54, 0xA1 },
208 
209  /* y */
210  128,
211  { 0x01, 0x7E, 0x16, 0x5B, 0x65, 0x51, 0x0A, 0xDA,
212  0x82, 0x1A, 0xD9, 0xF4, 0x1E, 0x66, 0x6D, 0x7D,
213  0x23, 0xA6, 0x28, 0x2F, 0xE6, 0xC2, 0x03, 0x8E,
214  0x8C, 0xAB, 0xC2, 0x08, 0x87, 0xC9, 0xE8, 0x51,
215  0x0A, 0x37, 0x1E, 0xD4, 0x41, 0x7F, 0xA2, 0xC5,
216  0x48, 0x26, 0xB7, 0xF6, 0xC2, 0x6F, 0xB2, 0xF8,
217  0xF9, 0x43, 0x43, 0xF9, 0xDA, 0xAB, 0xA2, 0x59,
218  0x27, 0xBA, 0xC9, 0x1C, 0x8C, 0xAB, 0xC4, 0x90,
219  0x27, 0xE1, 0x10, 0x39, 0x6F, 0xD2, 0xCD, 0x7C,
220  0xD1, 0x0B, 0xFA, 0x28, 0xD2, 0x7A, 0x7B, 0x52,
221  0x8A, 0xA0, 0x5A, 0x0F, 0x10, 0xF7, 0xBA, 0xFD,
222  0x33, 0x0C, 0x3C, 0xCE, 0xE5, 0xF2, 0xF6, 0x92,
223  0xED, 0x04, 0xBF, 0xD3, 0xF8, 0x3D, 0x39, 0xCC,
224  0xAA, 0xCC, 0x0B, 0xB2, 0x6B, 0xD8, 0xB2, 0x8A,
225  0x5C, 0xCE, 0xDA, 0xF9, 0xE1, 0xA7, 0x23, 0x50,
226  0xDC, 0xCE, 0xA4, 0xD5, 0xA5, 0x4F, 0x08, 0x0F }
227  };
228 
229 CHECK_RETVAL \
230 static int selfTest( void )
231  {
232  CONTEXT_INFO contextInfo;
233  PKC_INFO contextData, *pkcInfo = &contextData;
234  int status;
235 
236  /* Initialise the key components */
237  status = staticInitContext( &contextInfo, CONTEXT_PKC,
238  getDSACapability(), &contextData,
239  sizeof( PKC_INFO ), NULL );
240  if( cryptStatusError( status ) )
241  return( CRYPT_ERROR_FAILED );
242  status = importBignum( &pkcInfo->dlpParam_p, dlpTestKey.p,
243  dlpTestKey.pLen, DLPPARAM_MIN_P,
244  DLPPARAM_MAX_P, NULL, KEYSIZE_CHECK_PKC );
245  if( cryptStatusOK( status ) )
246  status = importBignum( &pkcInfo->dlpParam_q, dlpTestKey.q,
247  dlpTestKey.qLen, DLPPARAM_MIN_Q,
248  DLPPARAM_MAX_Q, &pkcInfo->dlpParam_p,
249  KEYSIZE_CHECK_NONE );
250  if( cryptStatusOK( status ) )
251  status = importBignum( &pkcInfo->dlpParam_g, dlpTestKey.g,
252  dlpTestKey.gLen, DLPPARAM_MIN_G,
253  DLPPARAM_MAX_G, &pkcInfo->dlpParam_p,
254  KEYSIZE_CHECK_NONE );
255  if( cryptStatusOK( status ) )
256  status = importBignum( &pkcInfo->dlpParam_y, dlpTestKey.y,
257  dlpTestKey.yLen, DLPPARAM_MIN_Y,
258  DLPPARAM_MAX_Y, &pkcInfo->dlpParam_p,
259  KEYSIZE_CHECK_NONE );
260  if( cryptStatusOK( status ) )
261  status = importBignum( &pkcInfo->dlpParam_x, dlpTestKey.x,
262  dlpTestKey.xLen, DLPPARAM_MIN_X,
263  DLPPARAM_MAX_X, &pkcInfo->dlpParam_p,
264  KEYSIZE_CHECK_NONE );
265  if( cryptStatusError( status ) )
266  retIntError();
267 
268  /* Perform the test sign/sig.check of the FIPS 186 test values */
269  status = contextInfo.capabilityInfo->initKeyFunction( &contextInfo, NULL, 0 );
270  if( cryptStatusOK( status ) && \
271  !pairwiseConsistencyTest( &contextInfo ) )
272  status = CRYPT_ERROR_FAILED;
273 
274  /* Clean up */
275  staticDestroyContext( &contextInfo );
276 
277  return( status );
278  }
279 #else
280  #define selfTest NULL
281 #endif /* !CONFIG_NO_SELFTEST */
282 
283 /****************************************************************************
284 * *
285 * Create/Check a Signature *
286 * *
287 ****************************************************************************/
288 
289 /* Since DSA signature generation produces two values and the cryptEncrypt()
290  model only provides for passing a byte string in and out (or, more
291  specifically, the internal bignum data can't be exported to the outside
292  world) we need to encode the resulting data into a flat format. This is
293  done by encoding the output as an X9.31 Dss-Sig record:
294 
295  Dss-Sig ::= SEQUENCE {
296  r INTEGER,
297  s INTEGER
298  }
299 
300  The input is the 160-bit hash, usually SHA but possibly also RIPEMD-160 */
301 
302 /* The size of each DSA signature component - 160 bits */
303 
304 #define DSA_SIGPART_SIZE 20
305 
306 /* Sign a single block of data */
307 
308 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
309 static int sign( INOUT CONTEXT_INFO *contextInfoPtr,
310  INOUT_BUFFER_FIXED( noBytes ) BYTE *buffer,
311  IN_LENGTH_FIXED( sizeof( DLP_PARAMS ) ) int noBytes )
312  {
313  PKC_INFO *pkcInfo = contextInfoPtr->ctxPKC;
314  DLP_PARAMS *dlpParams = ( DLP_PARAMS * ) buffer;
315  BIGNUM *p = &pkcInfo->dlpParam_p, *q = &pkcInfo->dlpParam_q;
316  BIGNUM *g = &pkcInfo->dlpParam_g, *x = &pkcInfo->dlpParam_x;
317  BIGNUM *hash = &pkcInfo->tmp1, *k = &pkcInfo->tmp2, *kInv = &pkcInfo->tmp3;
318  BIGNUM *r = &pkcInfo->dlpTmp1, *s = &pkcInfo->dlpTmp2;
319  int bnStatus = BN_STATUS, status;
320 
321  assert( isWritePtr( contextInfoPtr, sizeof( CONTEXT_INFO ) ) );
322  assert( isWritePtr( dlpParams, sizeof( DLP_PARAMS ) ) );
323  assert( isReadPtr( dlpParams->inParam1, dlpParams->inLen1 ) );
324  assert( isWritePtr( dlpParams->outParam, dlpParams->outLen ) );
325 
326  REQUIRES( noBytes == sizeof( DLP_PARAMS ) );
327  REQUIRES( dlpParams->inLen1 == DSA_SIGPART_SIZE );
328  REQUIRES( dlpParams->inParam2 == NULL && \
329  ( dlpParams->inLen2 == 0 || dlpParams->inLen2 == -999 ) );
330  REQUIRES( dlpParams->outLen >= ( 2 + DSA_SIGPART_SIZE ) * 2 && \
331  dlpParams->outLen < MAX_INTLENGTH_SHORT );
332 
333  /* Generate the secret random value k. During the initial self-test
334  the random data pool may not exist yet, and may in fact never exist in
335  a satisfactory condition if there isn't enough randomness present in
336  the system to generate cryptographically strong random numbers. To
337  bypass this problem, if the caller passes in a second length parameter
338  of -999 we know that it's an internal self-test call and use a fixed
339  bit pattern for k that avoids having to call generateBignum() (this
340  also means that we can use the FIPS 186 self-test value for k). This
341  is a somewhat ugly use of 'magic numbers', but it's safe because this
342  function can only be called internally, so all we need to trap is
343  accidental use of the parameter which is normally unused */
344  if( dlpParams->inLen2 == -999 )
345  {
346  status = importBignum( k, ( BYTE * ) kVal, DSA_SIGPART_SIZE,
347  DSA_SIGPART_SIZE, DSA_SIGPART_SIZE, NULL,
348  KEYSIZE_CHECK_NONE );
349  }
350  else
351  {
352  /* Generate the random value k. FIPS 186 requires (Appendix 3)
353  that this be done with:
354 
355  k = G(t,KKEY) mod q
356 
357  where G(t,c) produces a 160-bit output, however this produces a
358  slight bias in k that that allows the private key x to be
359  recovered once sufficient signatures have been generated. The
360  difficulty of recovering x depends on the number of signatures
361  generated, the number of bits leaked, the how recent the attack
362  is (they get better over time). The best reference for this is
363  probably "The Insecurity of the Digital Signature Algorithm with
364  Partially Known Nonces" by Phong Nguyen and Igor Shparlinski, but
365  as a rule of thumb even three or four known bits and a handful of
366  signatures is enough to allow recovery of x. Because of this we
367  start with a value which is DLP_OVERFLOW_SIZE bytes larger than q
368  and then do the reduction, eliminating the bias.
369 
370  In theory we could also add (meaning "mix in" rather than
371  strictly "arithmetically add") the message hash to k to curtail
372  problems where the RNG value repeats, but the heavy-duty self-
373  checking of the RNG makes it somewhat unlikely that this
374  condition would go undetected. The one time when this can occur
375  is when we're running in a VM and get rolled back, but it seems a
376  bit uncertain how far down we want to chase this: at how many
377  other locations in the code do we need to include Rube Goldberg
378  protections against rollback? Under what conditions can rollback
379  occur? When can rollback occur? */
380  status = generateBignum( k, bytesToBits( DSA_SIGPART_SIZE + \
381  DLP_OVERFLOW_SIZE ), 0x80, 0 );
382  }
383  if( cryptStatusError( status ) )
384  return( status );
385  if( contextInfoPtr->flags & CONTEXT_FLAG_SIDECHANNELPROTECTION )
386  {
387  /* Use constant-time modexp() to protect the secret random value
388  from timing channels. We could also use blinding, but neither of
389  these measures are actually terribly useful because we're using a
390  random exponent each time so the timing information isn't of much
391  use to an attacker */
392  BN_set_flags( k, BN_FLG_EXP_CONSTTIME );
393  }
394  CK( BN_mod( k, k, q, /* Reduce k to the correct range */
395  pkcInfo->bnCTX ) );
396  if( bnStatusError( bnStatus ) )
397  return( getBnStatus( bnStatus ) );
398 
399  /* Make sure that the result isn't zero (or more generally less than 64
400  bits). Admittedly the chances of this are infinitesimally small
401  (2^-160 or less for a value of zero, 2^-96 for 64 bits) but someone's
402  bound to complain if we don't check */
403  ENSURES( BN_num_bytes( k ) > 8 );
404 
405  /* Get the hash as a bignum. The range checking for the resulting value
406  is a bit odd, we need to take "the leftmost sizeof( q ) bits of the
407  hash" as the input, to handle this we require that the bit size of q
408  be at least as large as the (nominal) bit size of the hash */
409  if( dlpParams->inLen1 > BN_num_bytes( q ) )
410  return( CRYPT_ERROR_BADDATA );
411  status = importBignum( hash, ( BYTE * ) dlpParams->inParam1,
412  DSA_SIGPART_SIZE, DSA_SIGPART_SIZE / 2,
413  DSA_SIGPART_SIZE, NULL, KEYSIZE_CHECK_NONE );
414  if( cryptStatusError( status ) )
415  return( status );
416 
417  /* r = ( g ^ k mod p ) mod q */
418  CK( BN_mod_exp_mont( r, g, k, p, pkcInfo->bnCTX,
419  &pkcInfo->dlpParam_mont_p ) );
420  CK( BN_mod( r, r, q, pkcInfo->bnCTX ) );
421  if( bnStatusError( bnStatus ) )
422  return( getBnStatus( bnStatus ) );
423 
424  /* s = k^-1 * ( hash + x * r ) mod q */
425  CKPTR( BN_mod_inverse( kInv, k, q, /* temp = k^-1 mod q */
426  pkcInfo->bnCTX ) );
427  CK( BN_mod_mul( s, x, r, q, /* s = ( x * r ) mod q */
428  pkcInfo->bnCTX ) );
429  CK( BN_add( s, s, hash ) ); /* s = s + hash */
430  if( BN_cmp( s, q ) > 0 ) /* if s > q */
431  CK( BN_sub( s, s, q ) ); /* s = s - q (fast mod) */
432  CK( BN_mod_mul( s, s, kInv, q, /* s = k^-1 * ( hash + x * r ) mod q */
433  pkcInfo->bnCTX ) );
434  if( bnStatusError( bnStatus ) )
435  return( getBnStatus( bnStatus ) );
436 
437  /* Check that neither r = 0 or s = 0. See the earlier comment where k
438  is checked for the real necessity of this check */
439  ENSURES( !BN_is_zero( r ) && !BN_is_zero( s ) );
440 
441  /* Encode the result as a DL data block */
442  status = pkcInfo->encodeDLValuesFunction( dlpParams->outParam,
443  dlpParams->outLen, &dlpParams->outLen,
444  r, s, dlpParams->formatType );
445  if( cryptStatusError( status ) )
446  return( status );
447 
448  /* Perform side-channel attack checks if necessary */
449  if( ( contextInfoPtr->flags & CONTEXT_FLAG_SIDECHANNELPROTECTION ) && \
450  cryptStatusError( calculateBignumChecksum( pkcInfo,
451  CRYPT_ALGO_DSA ) ) )
452  {
453  return( CRYPT_ERROR_FAILED );
454  }
455  return( CRYPT_OK );
456  }
457 
458 /* Signature check a single block of data */
459 
460 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
461 static int sigCheck( INOUT CONTEXT_INFO *contextInfoPtr,
462  IN_BUFFER( noBytes ) BYTE *buffer,
463  IN_LENGTH_FIXED( sizeof( DLP_PARAMS ) ) int noBytes )
464  {
465  PKC_INFO *pkcInfo = contextInfoPtr->ctxPKC;
466  DLP_PARAMS *dlpParams = ( DLP_PARAMS * ) buffer;
467  BIGNUM *p = &pkcInfo->dlpParam_p, *q = &pkcInfo->dlpParam_q;
468  BIGNUM *g = &pkcInfo->dlpParam_g, *y = &pkcInfo->dlpParam_y;
469  BIGNUM *r = &pkcInfo->tmp1, *s = &pkcInfo->tmp2;
470  BIGNUM *u1 = &pkcInfo->tmp3, *u2 = &pkcInfo->dlpTmp1; /* Doubles as w */
471  int bnStatus = BN_STATUS, status;
472 
473  assert( isWritePtr( contextInfoPtr, sizeof( CONTEXT_INFO ) ) );
474  assert( isWritePtr( dlpParams, sizeof( DLP_PARAMS ) ) );
475  assert( isReadPtr( dlpParams->inParam1, dlpParams->inLen1 ) );
476  assert( isReadPtr( dlpParams->inParam2, dlpParams->inLen2 ) );
477 
478  REQUIRES( noBytes == sizeof( DLP_PARAMS ) );
479  REQUIRES( ( dlpParams->formatType == CRYPT_FORMAT_CRYPTLIB && \
480  ( dlpParams->inLen2 >= 42 && dlpParams->inLen2 <= 128 ) ) || \
481  ( dlpParams->formatType == CRYPT_FORMAT_PGP && \
482  ( dlpParams->inLen2 >= 42 && dlpParams->inLen2 <= 44 ) ) || \
483  ( dlpParams->formatType == CRYPT_IFORMAT_SSH && \
484  dlpParams->inLen2 == 40 ) );
485  REQUIRES( dlpParams->inLen1 == 20 );
486  REQUIRES( dlpParams->outParam == NULL && dlpParams->outLen == 0 );
487 
488  /* Decode the values from a DL data block and make sure that r and s are
489  valid, i.e. r, s = [1...q-1] */
490  status = pkcInfo->decodeDLValuesFunction( dlpParams->inParam2,
491  dlpParams->inLen2, r, s, q,
492  dlpParams->formatType );
493  if( cryptStatusError( status ) )
494  return( status );
495 
496  /* Get the hash as a bignum. The range checking for the resulting value
497  is a bit odd, we need to take "the leftmost sizeof( q ) bits of the
498  hash" as the input, to handle this we require that the bit size of q
499  be at least as large as the (nominal) bit size of the hash */
500  if( dlpParams->inLen1 > BN_num_bytes( q ) )
501  return( CRYPT_ERROR_BADDATA );
502  status = importBignum( u1, ( BYTE * ) dlpParams->inParam1,
503  DSA_SIGPART_SIZE, DSA_SIGPART_SIZE / 2,
504  DSA_SIGPART_SIZE, NULL, KEYSIZE_CHECK_NONE );
505  if( cryptStatusError( status ) )
506  return( status );
507 
508  /* w = s^-1 mod q */
509  CKPTR( BN_mod_inverse( u2, s, q, /* w = s^-1 mod q */
510  pkcInfo->bnCTX ) );
511  if( bnStatusError( bnStatus ) )
512  return( getBnStatus( bnStatus ) );
513 
514  /* u1 = ( hash * w ) mod q */
515  CK( BN_mod_mul( u1, u1, u2, q, /* u1 = ( hash * w ) mod q */
516  pkcInfo->bnCTX ) );
517  if( bnStatusError( bnStatus ) )
518  return( getBnStatus( bnStatus ) );
519 
520  /* u2 = ( r * w ) mod q */
521  CK( BN_mod_mul( u2, r, u2, q, /* u2 = ( r * w ) mod q */
522  pkcInfo->bnCTX ) );
523  if( bnStatusError( bnStatus ) )
524  return( getBnStatus( bnStatus ) );
525 
526  /* v = ( ( ( g^u1 ) * ( y^u2 ) ) mod p ) mod q */
527  CK( BN_mod_exp2_mont( u2, g, u1, y, u2, p, pkcInfo->bnCTX,
528  &pkcInfo->dlpParam_mont_p ) );
529  CK( BN_mod( s, u2, q, pkcInfo->bnCTX ) );
530  if( bnStatusError( bnStatus ) )
531  return( getBnStatus( bnStatus ) );
532 
533  /* If r == s then the signature is good */
534  if( BN_cmp( r, s ) )
535  return( CRYPT_ERROR_SIGNATURE );
536 
537  /* Perform side-channel attack checks if necessary */
538  if( ( contextInfoPtr->flags & CONTEXT_FLAG_SIDECHANNELPROTECTION ) && \
539  cryptStatusError( calculateBignumChecksum( pkcInfo,
540  CRYPT_ALGO_DSA ) ) )
541  {
542  return( CRYPT_ERROR_FAILED );
543  }
544  return( CRYPT_OK );
545  }
546 
547 /****************************************************************************
548 * *
549 * Key Management *
550 * *
551 ****************************************************************************/
552 
553 /* Load key components into an encryption context */
554 
555 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \
556 static int initKey( INOUT CONTEXT_INFO *contextInfoPtr,
557  IN_BUFFER_OPT( keyLength ) const void *key,
558  IN_LENGTH_SHORT_OPT const int keyLength )
559  {
560  assert( isWritePtr( contextInfoPtr, sizeof( CONTEXT_INFO ) ) );
561  assert( ( key == NULL && keyLength == 0 ) || \
562  ( isReadPtr( key, keyLength ) && \
563  keyLength == sizeof( CRYPT_PKCINFO_DLP ) ) );
564 
565  REQUIRES( ( key == NULL && keyLength == 0 ) || \
566  ( key != NULL && keyLength == sizeof( CRYPT_PKCINFO_DLP ) ) );
567 
568 #ifndef USE_FIPS140
569  /* Load the key component from the external representation into the
570  internal bignums unless we're doing an internal load */
571  if( key != NULL )
572  {
573  PKC_INFO *pkcInfo = contextInfoPtr->ctxPKC;
574  const CRYPT_PKCINFO_DLP *dsaKey = ( CRYPT_PKCINFO_DLP * ) key;
575  int status;
576 
577  contextInfoPtr->flags |= ( dsaKey->isPublicKey ) ? \
578  CONTEXT_FLAG_ISPUBLICKEY : CONTEXT_FLAG_ISPRIVATEKEY;
579  status = importBignum( &pkcInfo->dlpParam_p, dsaKey->p,
580  bitsToBytes( dsaKey->pLen ),
581  DLPPARAM_MIN_P, DLPPARAM_MAX_P, NULL,
582  KEYSIZE_CHECK_PKC );
583  if( cryptStatusOK( status ) )
584  status = importBignum( &pkcInfo->dlpParam_q, dsaKey->q,
585  bitsToBytes( dsaKey->qLen ),
586  DLPPARAM_MIN_Q, DLPPARAM_MAX_Q,
587  &pkcInfo->dlpParam_p,
588  KEYSIZE_CHECK_NONE );
589  if( cryptStatusOK( status ) )
590  status = importBignum( &pkcInfo->dlpParam_g, dsaKey->g,
591  bitsToBytes( dsaKey->gLen ),
592  DLPPARAM_MIN_G, DLPPARAM_MAX_G,
593  &pkcInfo->dlpParam_p,
594  KEYSIZE_CHECK_NONE );
595  if( cryptStatusOK( status ) )
596  status = importBignum( &pkcInfo->dlpParam_y, dsaKey->y,
597  bitsToBytes( dsaKey->yLen ),
598  DLPPARAM_MIN_Y, DLPPARAM_MAX_Y,
599  &pkcInfo->dlpParam_p,
600  KEYSIZE_CHECK_NONE );
601  if( cryptStatusOK( status ) && !dsaKey->isPublicKey )
602  status = importBignum( &pkcInfo->dlpParam_x, dsaKey->x,
603  bitsToBytes( dsaKey->xLen ),
604  DLPPARAM_MIN_X, DLPPARAM_MAX_X,
605  &pkcInfo->dlpParam_p,
606  KEYSIZE_CHECK_NONE );
607  contextInfoPtr->flags |= CONTEXT_FLAG_PBO;
608  if( cryptStatusError( status ) )
609  return( status );
610  }
611 #endif /* USE_FIPS140 */
612 
613  /* Complete the key checking and setup */
614  return( initCheckDLPkey( contextInfoPtr, FALSE, FALSE ) );
615  }
616 
617 /* Generate a key into an encryption context */
618 
619 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \
620 static int generateKey( INOUT CONTEXT_INFO *contextInfoPtr,
621  IN_LENGTH_SHORT_MIN( MIN_PKCSIZE * 8 ) \
622  const int keySizeBits )
623  {
624  int status;
625 
626  assert( isWritePtr( contextInfoPtr, sizeof( CONTEXT_INFO ) ) );
627 
628  REQUIRES( keySizeBits >= bytesToBits( MIN_PKCSIZE ) && \
629  keySizeBits <= bytesToBits( CRYPT_MAX_PKCSIZE ) );
630 
631  status = generateDLPkey( contextInfoPtr, ( keySizeBits / 64 ) * 64 );
632  if( cryptStatusOK( status ) &&
633 #ifndef USE_FIPS140
634  ( contextInfoPtr->flags & CONTEXT_FLAG_SIDECHANNELPROTECTION ) &&
635 #endif /* USE_FIPS140 */
636  !pairwiseConsistencyTest( contextInfoPtr ) )
637  {
638  DEBUG_DIAG(( "Consistency check of freshly-generated DSA key "
639  "failed" ));
640  assert( DEBUG_WARN );
641  status = CRYPT_ERROR_FAILED;
642  }
643  return( status );
644  }
645 
646 /****************************************************************************
647 * *
648 * Capability Access Routines *
649 * *
650 ****************************************************************************/
651 
652 static const CAPABILITY_INFO FAR_BSS capabilityInfo = {
653  CRYPT_ALGO_DSA, bitsToBytes( 0 ), "DSA", 3,
654  MIN_PKCSIZE, bitsToBytes( 1024 ), CRYPT_MAX_PKCSIZE,
655  selfTest, getDefaultInfo, NULL, NULL, initKey, generateKey,
656  NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
657  sign, sigCheck
658  };
659 
660 const CAPABILITY_INFO *getDSACapability( void )
661  {
662  return( &capabilityInfo );
663  }
664 
665 #endif /* USE_DSA */
Generated on Thu Jan 10 2013 10:00:45 for cryptlib by   doxygen 1.8.2