/src/libgcrypt/cipher/dsa-common.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* dsa-common.c - Common code for DSA |
2 | | * Copyright (C) 1998, 1999 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013 g10 Code GmbH |
4 | | * |
5 | | * This file is part of Libgcrypt. |
6 | | * |
7 | | * Libgcrypt is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU Lesser General Public License as |
9 | | * published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * Libgcrypt is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public |
18 | | * License along with this program; if not, see <http://www.gnu.org/licenses/>. |
19 | | */ |
20 | | |
21 | | #include <config.h> |
22 | | #include <stdio.h> |
23 | | #include <stdlib.h> |
24 | | #include <string.h> |
25 | | |
26 | | #include "g10lib.h" |
27 | | #include "mpi.h" |
28 | | #include "cipher.h" |
29 | | #include "pubkey-internal.h" |
30 | | |
31 | | |
32 | | /* |
33 | | * Modify K, so that computation time difference can be small, |
34 | | * by making K large enough. |
35 | | * |
36 | | * Originally, (EC)DSA computation requires k where 0 < k < q. Here, |
37 | | * we add q (the order), to keep k in a range: q < k < 2*q (or, |
38 | | * addming more q, to keep k in a range: 2*q < k < 3*q), so that |
39 | | * timing difference of the EC multiply (or exponentiation) operation |
40 | | * can be small. The result of (EC)DSA computation is same. |
41 | | */ |
42 | | void |
43 | | _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits) |
44 | 0 | { |
45 | 0 | gcry_mpi_t k1 = mpi_new (qbits+2); |
46 | |
|
47 | 0 | mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB); |
48 | 0 | k->nlimbs = k->alloced; |
49 | 0 | mpi_add (k, k, q); |
50 | 0 | mpi_add (k1, k, q); |
51 | 0 | mpi_set_cond (k, k1, !mpi_test_bit (k, qbits)); |
52 | |
|
53 | 0 | mpi_free (k1); |
54 | 0 | } |
55 | | |
56 | | /* |
57 | | * Generate a random secret exponent K less than Q. |
58 | | * Note that ECDSA uses this code also to generate D. |
59 | | */ |
60 | | gcry_mpi_t |
61 | | _gcry_dsa_gen_k (gcry_mpi_t q, int security_level) |
62 | 0 | { |
63 | 0 | gcry_mpi_t k = mpi_alloc_secure (mpi_get_nlimbs (q)); |
64 | 0 | unsigned int nbits = mpi_get_nbits (q); |
65 | 0 | unsigned int nbytes = (nbits+7)/8; |
66 | 0 | char *rndbuf = NULL; |
67 | | |
68 | | /* To learn why we don't use mpi_mod to get the requested bit size, |
69 | | read the paper: "The Insecurity of the Digital Signature |
70 | | Algorithm with Partially Known Nonces" by Nguyen and Shparlinski. |
71 | | Journal of Cryptology, New York. Vol 15, nr 3 (2003) */ |
72 | |
|
73 | 0 | if (DBG_CIPHER) |
74 | 0 | log_debug ("choosing a random k of %u bits at seclevel %d\n", |
75 | 0 | nbits, security_level); |
76 | 0 | for (;;) |
77 | 0 | { |
78 | 0 | if ( !rndbuf || nbits < 32 ) |
79 | 0 | { |
80 | 0 | xfree (rndbuf); |
81 | 0 | rndbuf = _gcry_random_bytes_secure (nbytes, security_level); |
82 | 0 | } |
83 | 0 | else |
84 | 0 | { /* Change only some of the higher bits. We could improve |
85 | | this by directly requesting more memory at the first call |
86 | | to get_random_bytes() and use these extra bytes here. |
87 | | However the required management code is more complex and |
88 | | thus we better use this simple method. */ |
89 | 0 | char *pp = _gcry_random_bytes_secure (4, security_level); |
90 | 0 | memcpy (rndbuf, pp, 4); |
91 | 0 | xfree (pp); |
92 | 0 | } |
93 | 0 | _gcry_mpi_set_buffer (k, rndbuf, nbytes, 0); |
94 | | |
95 | | /* Make sure we have the requested number of bits. This code |
96 | | looks a bit funny but it is easy to understand if you |
97 | | consider that mpi_set_highbit clears all higher bits. We |
98 | | don't have a clear_highbit, thus we first set the high bit |
99 | | and then clear it again. */ |
100 | 0 | if (mpi_test_bit (k, nbits-1)) |
101 | 0 | mpi_set_highbit (k, nbits-1); |
102 | 0 | else |
103 | 0 | { |
104 | 0 | mpi_set_highbit (k, nbits-1); |
105 | 0 | mpi_clear_bit (k, nbits-1); |
106 | 0 | } |
107 | |
|
108 | 0 | if (!(mpi_cmp (k, q) < 0)) /* check: k < q */ |
109 | 0 | { |
110 | 0 | if (DBG_CIPHER) |
111 | 0 | log_debug ("\tk too large - again\n"); |
112 | 0 | continue; /* no */ |
113 | 0 | } |
114 | 0 | if (!(mpi_cmp_ui (k, 0) > 0)) /* check: k > 0 */ |
115 | 0 | { |
116 | 0 | if (DBG_CIPHER) |
117 | 0 | log_debug ("\tk is zero - again\n"); |
118 | 0 | continue; /* no */ |
119 | 0 | } |
120 | 0 | break; /* okay */ |
121 | 0 | } |
122 | 0 | xfree (rndbuf); |
123 | |
|
124 | 0 | return k; |
125 | 0 | } |
126 | | |
127 | | |
128 | | /* Turn VALUE into an octet string and store it in an allocated buffer |
129 | | at R_FRAME. If the resulting octet string is shorter than NBYTES |
130 | | the result will be left padded with zeroes. If VALUE does not fit |
131 | | into NBYTES an error code is returned. */ |
132 | | static gpg_err_code_t |
133 | | int2octets (unsigned char **r_frame, gcry_mpi_t value, size_t nbytes) |
134 | 0 | { |
135 | 0 | gpg_err_code_t rc; |
136 | 0 | size_t nframe, noff, n; |
137 | 0 | unsigned char *frame; |
138 | |
|
139 | 0 | rc = _gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &nframe, value); |
140 | 0 | if (rc) |
141 | 0 | return rc; |
142 | 0 | if (nframe > nbytes) |
143 | 0 | return GPG_ERR_TOO_LARGE; /* Value too long to fit into NBYTES. */ |
144 | | |
145 | 0 | noff = (nframe < nbytes)? nbytes - nframe : 0; |
146 | 0 | n = nframe + noff; |
147 | 0 | frame = mpi_is_secure (value)? xtrymalloc_secure (n) : xtrymalloc (n); |
148 | 0 | if (!frame) |
149 | 0 | return gpg_err_code_from_syserror (); |
150 | 0 | if (noff) |
151 | 0 | memset (frame, 0, noff); |
152 | 0 | nframe += noff; |
153 | 0 | rc = _gcry_mpi_print (GCRYMPI_FMT_USG, frame+noff, nframe-noff, NULL, value); |
154 | 0 | if (rc) |
155 | 0 | { |
156 | 0 | xfree (frame); |
157 | 0 | return rc; |
158 | 0 | } |
159 | | |
160 | 0 | *r_frame = frame; |
161 | 0 | return 0; |
162 | 0 | } |
163 | | |
164 | | |
165 | | /* Connert the bit string BITS of length NBITS into an octet string |
166 | | with a length of (QBITS+7)/8 bytes. On success store the result at |
167 | | R_FRAME. */ |
168 | | static gpg_err_code_t |
169 | | bits2octets (unsigned char **r_frame, |
170 | | const void *bits, unsigned int nbits, |
171 | | gcry_mpi_t q, unsigned int qbits) |
172 | 0 | { |
173 | 0 | gpg_err_code_t rc; |
174 | 0 | gcry_mpi_t z1; |
175 | | |
176 | | /* z1 = bits2int (b) */ |
177 | 0 | rc = _gcry_mpi_scan (&z1, GCRYMPI_FMT_USG, bits, (nbits+7)/8, NULL); |
178 | 0 | if (rc) |
179 | 0 | return rc; |
180 | 0 | if (nbits > qbits) |
181 | 0 | mpi_rshift (z1, z1, nbits - qbits); |
182 | | |
183 | | /* z2 - z1 mod q */ |
184 | 0 | if (mpi_cmp (z1, q) >= 0) |
185 | 0 | mpi_sub (z1, z1, q); |
186 | | |
187 | | /* Convert to an octet string. */ |
188 | 0 | rc = int2octets (r_frame, z1, (qbits+7)/8); |
189 | |
|
190 | 0 | mpi_free (z1); |
191 | 0 | return rc; |
192 | 0 | } |
193 | | |
194 | | |
195 | | /* |
196 | | * Generate a deterministic secret exponent K less than DSA_Q. H1 is |
197 | | * the to be signed digest with a length of HLEN bytes. HALGO is the |
198 | | * algorithm used to create the hash. On success the value for K is |
199 | | * stored at R_K. |
200 | | */ |
201 | | gpg_err_code_t |
202 | | _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k, |
203 | | gcry_mpi_t dsa_q, gcry_mpi_t dsa_x, |
204 | | const unsigned char *h1, unsigned int hlen, |
205 | | int halgo, unsigned int extraloops) |
206 | 0 | { |
207 | 0 | gpg_err_code_t rc; |
208 | 0 | unsigned char *V = NULL; |
209 | 0 | unsigned char *K = NULL; |
210 | 0 | unsigned char *x_buf = NULL; |
211 | 0 | unsigned char *h1_buf = NULL; |
212 | 0 | gcry_md_hd_t hd = NULL; |
213 | 0 | unsigned char *t = NULL; |
214 | 0 | gcry_mpi_t k = NULL; |
215 | 0 | unsigned int tbits, qbits; |
216 | 0 | int i; |
217 | |
|
218 | 0 | qbits = mpi_get_nbits (dsa_q); |
219 | |
|
220 | 0 | if (!qbits || !h1 || !hlen) |
221 | 0 | return GPG_ERR_EINVAL; |
222 | | |
223 | 0 | if (_gcry_md_get_algo_dlen (halgo) != hlen) |
224 | 0 | return GPG_ERR_DIGEST_ALGO; |
225 | | |
226 | | /* Step b: V = 0x01 0x01 0x01 ... 0x01 */ |
227 | 0 | V = xtrymalloc (hlen); |
228 | 0 | if (!V) |
229 | 0 | { |
230 | 0 | rc = gpg_err_code_from_syserror (); |
231 | 0 | goto leave; |
232 | 0 | } |
233 | 0 | for (i=0; i < hlen; i++) |
234 | 0 | V[i] = 1; |
235 | | |
236 | | /* Step c: K = 0x00 0x00 0x00 ... 0x00 */ |
237 | 0 | K = xtrycalloc (1, hlen); |
238 | 0 | if (!K) |
239 | 0 | { |
240 | 0 | rc = gpg_err_code_from_syserror (); |
241 | 0 | goto leave; |
242 | 0 | } |
243 | | |
244 | 0 | rc = int2octets (&x_buf, dsa_x, (qbits+7)/8); |
245 | 0 | if (rc) |
246 | 0 | goto leave; |
247 | | |
248 | 0 | rc = bits2octets (&h1_buf, h1, hlen*8, dsa_q, qbits); |
249 | 0 | if (rc) |
250 | 0 | goto leave; |
251 | | |
252 | | /* Create a handle to compute the HMACs. */ |
253 | 0 | rc = _gcry_md_open (&hd, halgo, (GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC)); |
254 | 0 | if (rc) |
255 | 0 | goto leave; |
256 | | |
257 | | /* Step d: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) */ |
258 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
259 | 0 | if (rc) |
260 | 0 | goto leave; |
261 | 0 | _gcry_md_write (hd, V, hlen); |
262 | 0 | _gcry_md_write (hd, "", 1); |
263 | 0 | _gcry_md_write (hd, x_buf, (qbits+7)/8); |
264 | 0 | _gcry_md_write (hd, h1_buf, (qbits+7)/8); |
265 | 0 | memcpy (K, _gcry_md_read (hd, 0), hlen); |
266 | | |
267 | | /* Step e: V = HMAC_K(V) */ |
268 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
269 | 0 | if (rc) |
270 | 0 | goto leave; |
271 | 0 | _gcry_md_write (hd, V, hlen); |
272 | 0 | memcpy (V, _gcry_md_read (hd, 0), hlen); |
273 | | |
274 | | /* Step f: K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1) */ |
275 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
276 | 0 | if (rc) |
277 | 0 | goto leave; |
278 | 0 | _gcry_md_write (hd, V, hlen); |
279 | 0 | _gcry_md_write (hd, "\x01", 1); |
280 | 0 | _gcry_md_write (hd, x_buf, (qbits+7)/8); |
281 | 0 | _gcry_md_write (hd, h1_buf, (qbits+7)/8); |
282 | 0 | memcpy (K, _gcry_md_read (hd, 0), hlen); |
283 | | |
284 | | /* Step g: V = HMAC_K(V) */ |
285 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
286 | 0 | if (rc) |
287 | 0 | goto leave; |
288 | 0 | _gcry_md_write (hd, V, hlen); |
289 | 0 | memcpy (V, _gcry_md_read (hd, 0), hlen); |
290 | | |
291 | | /* Step h. */ |
292 | 0 | t = xtrymalloc_secure ((qbits+7)/8+hlen); |
293 | 0 | if (!t) |
294 | 0 | { |
295 | 0 | rc = gpg_err_code_from_syserror (); |
296 | 0 | goto leave; |
297 | 0 | } |
298 | | |
299 | 0 | again: |
300 | 0 | for (tbits = 0; tbits < qbits;) |
301 | 0 | { |
302 | | /* V = HMAC_K(V) */ |
303 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
304 | 0 | if (rc) |
305 | 0 | goto leave; |
306 | 0 | _gcry_md_write (hd, V, hlen); |
307 | 0 | memcpy (V, _gcry_md_read (hd, 0), hlen); |
308 | | |
309 | | /* T = T || V */ |
310 | 0 | memcpy (t+(tbits+7)/8, V, hlen); |
311 | 0 | tbits += 8*hlen; |
312 | 0 | } |
313 | | |
314 | | /* k = bits2int (T) */ |
315 | 0 | mpi_free (k); |
316 | 0 | k = NULL; |
317 | 0 | rc = _gcry_mpi_scan (&k, GCRYMPI_FMT_USG, t, (tbits+7)/8, NULL); |
318 | 0 | if (rc) |
319 | 0 | goto leave; |
320 | 0 | if (tbits > qbits) |
321 | 0 | mpi_rshift (k, k, tbits - qbits); |
322 | | |
323 | | /* Check: k < q and k > 1 */ |
324 | 0 | if (!(mpi_cmp (k, dsa_q) < 0 && mpi_cmp_ui (k, 0) > 0)) |
325 | 0 | { |
326 | | /* K = HMAC_K(V || 0x00) */ |
327 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
328 | 0 | if (rc) |
329 | 0 | goto leave; |
330 | 0 | _gcry_md_write (hd, V, hlen); |
331 | 0 | _gcry_md_write (hd, "", 1); |
332 | 0 | memcpy (K, _gcry_md_read (hd, 0), hlen); |
333 | | |
334 | | /* V = HMAC_K(V) */ |
335 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
336 | 0 | if (rc) |
337 | 0 | goto leave; |
338 | 0 | _gcry_md_write (hd, V, hlen); |
339 | 0 | memcpy (V, _gcry_md_read (hd, 0), hlen); |
340 | |
|
341 | 0 | goto again; |
342 | 0 | } |
343 | | |
344 | | /* The caller may have requested that we introduce some extra loops. |
345 | | This is for example useful if the caller wants another value for |
346 | | K because the last returned one yielded an R of 0. Because this |
347 | | is very unlikely we implement it in a straightforward way. */ |
348 | 0 | if (extraloops) |
349 | 0 | { |
350 | 0 | extraloops--; |
351 | | |
352 | | /* K = HMAC_K(V || 0x00) */ |
353 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
354 | 0 | if (rc) |
355 | 0 | goto leave; |
356 | 0 | _gcry_md_write (hd, V, hlen); |
357 | 0 | _gcry_md_write (hd, "", 1); |
358 | 0 | memcpy (K, _gcry_md_read (hd, 0), hlen); |
359 | | |
360 | | /* V = HMAC_K(V) */ |
361 | 0 | rc = _gcry_md_setkey (hd, K, hlen); |
362 | 0 | if (rc) |
363 | 0 | goto leave; |
364 | 0 | _gcry_md_write (hd, V, hlen); |
365 | 0 | memcpy (V, _gcry_md_read (hd, 0), hlen); |
366 | |
|
367 | 0 | goto again; |
368 | 0 | } |
369 | | |
370 | | /* log_mpidump (" k", k); */ |
371 | | |
372 | 0 | leave: |
373 | 0 | xfree (t); |
374 | 0 | _gcry_md_close (hd); |
375 | 0 | xfree (h1_buf); |
376 | 0 | xfree (x_buf); |
377 | 0 | xfree (K); |
378 | 0 | xfree (V); |
379 | |
|
380 | 0 | if (rc) |
381 | 0 | mpi_free (k); |
382 | 0 | else |
383 | 0 | *r_k = k; |
384 | 0 | return rc; |
385 | 0 | } |
386 | | |
387 | | |
388 | | |
389 | | /* |
390 | | * For DSA/ECDSA, as prehash function, compute hash with HASHALGO for |
391 | | * INPUT. Result hash value is returned in R_HASH as an opaque MPI. |
392 | | * Returns error code. |
393 | | */ |
394 | | gpg_err_code_t |
395 | | _gcry_dsa_compute_hash (gcry_mpi_t *r_hash, gcry_mpi_t input, int hashalgo) |
396 | 0 | { |
397 | 0 | gpg_err_code_t rc = 0; |
398 | 0 | size_t hlen; |
399 | 0 | void *hashbuf; |
400 | 0 | void *abuf; |
401 | 0 | unsigned int abits; |
402 | 0 | unsigned int n; |
403 | |
|
404 | 0 | hlen = _gcry_md_get_algo_dlen (hashalgo); |
405 | 0 | hashbuf = xtrymalloc (hlen); |
406 | 0 | if (!hashbuf) |
407 | 0 | { |
408 | 0 | rc = gpg_err_code_from_syserror (); |
409 | 0 | return rc; |
410 | 0 | } |
411 | | |
412 | 0 | if (mpi_is_opaque (input)) |
413 | 0 | { |
414 | 0 | abuf = mpi_get_opaque (input, &abits); |
415 | 0 | n = (abits+7)/8; |
416 | 0 | _gcry_md_hash_buffer (hashalgo, hashbuf, abuf, n); |
417 | 0 | } |
418 | 0 | else |
419 | 0 | { |
420 | 0 | abits = mpi_get_nbits (input); |
421 | 0 | n = (abits+7)/8; |
422 | 0 | abuf = xtrymalloc (n); |
423 | 0 | if (!abuf) |
424 | 0 | { |
425 | 0 | rc = gpg_err_code_from_syserror (); |
426 | 0 | xfree (hashbuf); |
427 | 0 | return rc; |
428 | 0 | } |
429 | 0 | _gcry_mpi_to_octet_string (NULL, abuf, input, n); |
430 | 0 | _gcry_md_hash_buffer (hashalgo, hashbuf, abuf, n); |
431 | 0 | xfree (abuf); |
432 | 0 | } |
433 | | |
434 | 0 | *r_hash = mpi_set_opaque (NULL, hashbuf, hlen*8); |
435 | 0 | if (!*r_hash) |
436 | 0 | rc = GPG_ERR_INV_OBJ; |
437 | |
|
438 | 0 | return rc; |
439 | 0 | } |
440 | | |
441 | | |
442 | | /* |
443 | | * Truncate opaque hash value to qbits for DSA. |
444 | | * Non-opaque input is not truncated, in hope that user |
445 | | * knows what is passed. It is not possible to correctly |
446 | | * trucate non-opaque inputs. |
447 | | */ |
448 | | gpg_err_code_t |
449 | | _gcry_dsa_normalize_hash (gcry_mpi_t input, |
450 | | gcry_mpi_t *out, |
451 | | unsigned int qbits) |
452 | 0 | { |
453 | 0 | gpg_err_code_t rc = 0; |
454 | 0 | const void *abuf; |
455 | 0 | unsigned int abits; |
456 | 0 | gcry_mpi_t hash; |
457 | |
|
458 | 0 | if (mpi_is_opaque (input)) |
459 | 0 | { |
460 | 0 | abuf = mpi_get_opaque (input, &abits); |
461 | 0 | rc = _gcry_mpi_scan (&hash, GCRYMPI_FMT_USG, abuf, (abits+7)/8, NULL); |
462 | 0 | if (rc) |
463 | 0 | return rc; |
464 | 0 | if (abits > qbits) |
465 | 0 | mpi_rshift (hash, hash, abits - qbits); |
466 | 0 | } |
467 | 0 | else |
468 | 0 | hash = input; |
469 | | |
470 | 0 | *out = hash; |
471 | |
|
472 | 0 | return rc; |
473 | 0 | } |