/src/gnutls/lib/nettle/int/dsa-compute-k.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2019 Red Hat, Inc.
 *
 * Author: Daiki Ueno
 *
 * This file is part of GNUTLS.
 *
 * The GNUTLS library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

#if HAVE_CONFIG_H
#include "config.h"
#endif

#include "dsa-compute-k.h"

#include "gnutls_int.h"
#include "mem.h"
#include "mpn-base256.h"
#include <string.h>

#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

/* The maximum size of q, chosen from the fact that we support
 * 521-bit elliptic curve generator and 512-bit DSA subgroup at
 * maximum. */
#define MAX_Q_BITS 521
#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)

#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)

int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
        gnutls_mac_algorithm_t mac, const uint8_t *digest,
        size_t length)
{
  uint8_t V[MAX_HASH_SIZE];
  uint8_t K[MAX_HASH_SIZE];
  uint8_t xp[MAX_Q_SIZE];
  uint8_t tp[MAX_Q_SIZE];
  mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
  mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
  mp_size_t qn = mpz_size(q);
  mp_bitcnt_t h_bits = length * 8;
  mp_size_t hn = BITS_TO_LIMBS(h_bits);
  size_t nbytes = (q_bits + 7) / 8;
  const uint8_t c0 = 0x00;
  const uint8_t c1 = 0x01;
  mp_limb_t cy;
  gnutls_hmac_hd_t hd;
  int ret = 0;

  if (unlikely(q_bits > MAX_Q_BITS))
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
  if (unlikely(length > MAX_HASH_SIZE))
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

  /* int2octets(x) */
  mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);

  /* bits2octets(h) */
  mpn_set_base256(h, hn, digest, length);

  if (hn < qn)
    /* qlen > blen: add zero bits to the left */
    mpn_zero(&h[hn], qn - hn);
  else if (h_bits > q_bits) {
    /* qlen < blen: keep the leftmost qlen bits.  We do this in 2
     * steps because mpn_rshift only accepts shift count in the
     * range 1 to mp_bits_per_limb-1.
     */
    mp_bitcnt_t shift = h_bits - q_bits;

    if (shift / GMP_NUMB_BITS > 0) {
      mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn);
      hn -= shift / GMP_NUMB_BITS;
    }

    if (shift % GMP_NUMB_BITS > 0)
      mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
  }

  cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
  /* Fall back to addmul_1, if nettle is linked with mini-gmp. */
#ifdef mpn_cnd_add_n
  mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
#else
  mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
#endif
  mpn_get_base256(tp, nbytes, h, qn);

  /* Step b */
  memset(V, c1, length);

  /* Step c */
  memset(K, c0, length);

  /* Step d */
  ret = gnutls_hmac_init(&hd, mac, K, length);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, V, length);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, &c0, 1);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, xp, nbytes);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, tp, nbytes);
  if (ret < 0)
    goto out;
  gnutls_hmac_deinit(hd, K);

  /* Step e */
  ret = gnutls_hmac_fast(mac, K, length, V, length, V);
  if (ret < 0)
    goto out;

  /* Step f */
  ret = gnutls_hmac_init(&hd, mac, K, length);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, V, length);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, &c1, 1);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, xp, nbytes);
  if (ret < 0)
    goto out;
  ret = gnutls_hmac(hd, tp, nbytes);
  if (ret < 0)
    goto out;
  gnutls_hmac_deinit(hd, K);

  /* Step g */
  ret = gnutls_hmac_fast(mac, K, length, V, length, V);
  if (ret < 0)
    goto out;

  /* Step h */
  for (;;) {
    /* Step 1 */
    size_t tlen = 0;

    /* Step 2 */
    while (tlen < nbytes) {
      size_t remaining = MIN(nbytes - tlen, length);
      ret = gnutls_hmac_fast(mac, K, length, V, length, V);
      if (ret < 0)
        goto out;
      memcpy(&tp[tlen], V, remaining);
      tlen += remaining;
    }

    /* Step 3 */
    mpn_set_base256(h, qn, tp, tlen);
    if (tlen * 8 > q_bits)
      mpn_rshift(h, h, qn, tlen * 8 - q_bits);
    /* Check if k is in [1,q-1] */
    if (!mpn_zero_p(h, qn) &&
        mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
      mpn_copyi(mpz_limbs_write(k, qn), h, qn);
      mpz_limbs_finish(k, qn);
      break;
    }

    ret = gnutls_hmac_init(&hd, mac, K, length);
    if (ret < 0)
      goto out;
    ret = gnutls_hmac(hd, V, length);
    if (ret < 0)
      goto out;
    ret = gnutls_hmac(hd, &c0, 1);
    if (ret < 0)
      goto out;
    gnutls_hmac_deinit(hd, K);

    ret = gnutls_hmac_fast(mac, K, length, V, length, V);
    if (ret < 0)
      goto out;
  }

out:
  zeroize_key(xp, sizeof(xp));
  zeroize_key(tp, sizeof(tp));

  return ret;
}

Coverage Report

Created: 2024-06-20 06:28

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2019 Red Hat, Inc.
3		*
4		* Author: Daiki Ueno
5		*
6		* This file is part of GNUTLS.
7		*
8		* The GNUTLS library is free software; you can redistribute it and/or
9		* modify it under the terms of the GNU Lesser General Public License
10		* as published by the Free Software Foundation; either version 2.1 of
11		* the License, or (at your option) any later version.
12		*
13		* This library is distributed in the hope that it will be useful, but
14		* WITHOUT ANY WARRANTY; without even the implied warranty of
15		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16		* Lesser General Public License for more details.
17		*
18		* You should have received a copy of the GNU Lesser General Public License
19		* along with this program. If not, see <https://www.gnu.org/licenses/>
20		*
21		*/
22
23		#if HAVE_CONFIG_H
24		#include "config.h"
25		#endif
26
27		#include "dsa-compute-k.h"
28
29		#include "gnutls_int.h"
30		#include "mem.h"
31		#include "mpn-base256.h"
32		#include <string.h>
33
34	0	#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
35
36		/* The maximum size of q, chosen from the fact that we support
37		* 521-bit elliptic curve generator and 512-bit DSA subgroup at
38		* maximum. */
39		#define MAX_Q_BITS 521
40		#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
41		#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
42
43		#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
44		#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
45
46		int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
47		gnutls_mac_algorithm_t mac, const uint8_t *digest,
48		size_t length)
49	0	{
50	0	uint8_t V[MAX_HASH_SIZE];
51	0	uint8_t K[MAX_HASH_SIZE];
52	0	uint8_t xp[MAX_Q_SIZE];
53	0	uint8_t tp[MAX_Q_SIZE];
54	0	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
55	0	mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
56	0	mp_size_t qn = mpz_size(q);
57	0	mp_bitcnt_t h_bits = length * 8;
58	0	mp_size_t hn = BITS_TO_LIMBS(h_bits);
59	0	size_t nbytes = (q_bits + 7) / 8;
60	0	const uint8_t c0 = 0x00;
61	0	const uint8_t c1 = 0x01;
62	0	mp_limb_t cy;
63	0	gnutls_hmac_hd_t hd;
64	0	int ret = 0;
65
66	0	if (unlikely(q_bits > MAX_Q_BITS))
67	0	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
68	0	if (unlikely(length > MAX_HASH_SIZE))
69	0	return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
70
71		/* int2octets(x) */
72	0	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
73
74		/* bits2octets(h) */
75	0	mpn_set_base256(h, hn, digest, length);
76
77	0	if (hn < qn)
78		/* qlen > blen: add zero bits to the left */
79	0	mpn_zero(&h[hn], qn - hn);
80	0	else if (h_bits > q_bits) {
81		/* qlen < blen: keep the leftmost qlen bits. We do this in 2
82		* steps because mpn_rshift only accepts shift count in the
83		* range 1 to mp_bits_per_limb-1.
84		*/
85	0	mp_bitcnt_t shift = h_bits - q_bits;
86
87	0	if (shift / GMP_NUMB_BITS > 0) {
88	0	mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn);
89	0	hn -= shift / GMP_NUMB_BITS;
90	0	}
91
92	0	if (shift % GMP_NUMB_BITS > 0)
93	0	mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
94	0	}
95
96	0	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
97		/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
98		#ifdef mpn_cnd_add_n
99		mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
100		#else
101	0	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
102	0	#endif
103	0	mpn_get_base256(tp, nbytes, h, qn);
104
105		/* Step b */
106	0	memset(V, c1, length);
107
108		/* Step c */
109	0	memset(K, c0, length);
110
111		/* Step d */
112	0	ret = gnutls_hmac_init(&hd, mac, K, length);
113	0	if (ret < 0)
114	0	goto out;
115	0	ret = gnutls_hmac(hd, V, length);
116	0	if (ret < 0)
117	0	goto out;
118	0	ret = gnutls_hmac(hd, &c0, 1);
119	0	if (ret < 0)
120	0	goto out;
121	0	ret = gnutls_hmac(hd, xp, nbytes);
122	0	if (ret < 0)
123	0	goto out;
124	0	ret = gnutls_hmac(hd, tp, nbytes);
125	0	if (ret < 0)
126	0	goto out;
127	0	gnutls_hmac_deinit(hd, K);
128
129		/* Step e */
130	0	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
131	0	if (ret < 0)
132	0	goto out;
133
134		/* Step f */
135	0	ret = gnutls_hmac_init(&hd, mac, K, length);
136	0	if (ret < 0)
137	0	goto out;
138	0	ret = gnutls_hmac(hd, V, length);
139	0	if (ret < 0)
140	0	goto out;
141	0	ret = gnutls_hmac(hd, &c1, 1);
142	0	if (ret < 0)
143	0	goto out;
144	0	ret = gnutls_hmac(hd, xp, nbytes);
145	0	if (ret < 0)
146	0	goto out;
147	0	ret = gnutls_hmac(hd, tp, nbytes);
148	0	if (ret < 0)
149	0	goto out;
150	0	gnutls_hmac_deinit(hd, K);
151
152		/* Step g */
153	0	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
154	0	if (ret < 0)
155	0	goto out;
156
157		/* Step h */
158	0	for (;;) {
159		/* Step 1 */
160	0	size_t tlen = 0;
161
162		/* Step 2 */
163	0	while (tlen < nbytes) {
164	0	size_t remaining = MIN(nbytes - tlen, length);
165	0	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
166	0	if (ret < 0)
167	0	goto out;
168	0	memcpy(&tp[tlen], V, remaining);
169	0	tlen += remaining;
170	0	}
171
172		/* Step 3 */
173	0	mpn_set_base256(h, qn, tp, tlen);
174	0	if (tlen * 8 > q_bits)
175	0	mpn_rshift(h, h, qn, tlen * 8 - q_bits);
176		/* Check if k is in [1,q-1] */
177	0	if (!mpn_zero_p(h, qn) &&
178	0	mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
179	0	mpn_copyi(mpz_limbs_write(k, qn), h, qn);
180	0	mpz_limbs_finish(k, qn);
181	0	break;
182	0	}
183
184	0	ret = gnutls_hmac_init(&hd, mac, K, length);
185	0	if (ret < 0)
186	0	goto out;
187	0	ret = gnutls_hmac(hd, V, length);
188	0	if (ret < 0)
189	0	goto out;
190	0	ret = gnutls_hmac(hd, &c0, 1);
191	0	if (ret < 0)
192	0	goto out;
193	0	gnutls_hmac_deinit(hd, K);
194
195	0	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
196	0	if (ret < 0)
197	0	goto out;
198	0	}
199
200	0	out:
201	0	zeroize_key(xp, sizeof(xp));
202	0	zeroize_key(tp, sizeof(tp));
203
204	0	return ret;
205	0	}