/src/gnutls/lib/nettle/int/dsa-compute-k.c
1 | | /* |
2 | | * Copyright (C) 2019 Red Hat, Inc. |
3 | | * |
4 | | * Author: Daiki Ueno |
5 | | * |
6 | | * This file is part of GNUTLS. |
7 | | * |
8 | | * The GNUTLS library is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | #if HAVE_CONFIG_H |
24 | | # include "config.h" |
25 | | #endif |
26 | | |
27 | | #include "dsa-compute-k.h" |
28 | | |
29 | | #include "gnutls_int.h" |
30 | | #include "mem.h" |
31 | | #include "mpn-base256.h" |
32 | | #include <string.h> |
33 | | |
/* Number of mp_limb_t words needed to hold a value of the given bit
 * length, rounding a partial limb up to a whole one. */
#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

/* The maximum size of q, chosen from the fact that we support
 * 521-bit elliptic curve generator and 512-bit DSA subgroup at
 * maximum.  MAX_Q_SIZE is the same bound as a big-endian octet
 * string, MAX_Q_LIMBS as a limb array; both size fixed stack
 * buffers below. */
#define MAX_Q_BITS 521
#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)

/* Largest digest that can be absorbed, derived from MAX_HASH_SIZE,
 * which is defined outside this file. */
#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
45 | | |
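/* HMAC step shared by steps d, f and h.3 of RFC 6979 section 3.2:
 *
 *   K = HMAC_K(V || c || xp || tp)   when xp and tp are non-NULL (d, f)
 *   K = HMAC_K(V || c)               when they are NULL (h.3)
 *
 * The MAC overwrites K; this is safe because gnutls_hmac_init() takes
 * its own copy of the key.  On failure the HMAC context is released
 * without emitting output, K is left untouched and the negative gnutls
 * error code from the HMAC layer is returned. */
static int
dsa_k_update_key(gnutls_mac_algorithm_t mac,
		 uint8_t *K, const uint8_t *V, size_t length,
		 uint8_t c,
		 const uint8_t *xp, const uint8_t *tp, size_t nbytes)
{
	gnutls_hmac_hd_t hd;
	int ret;

	ret = gnutls_hmac_init(&hd, mac, K, length);
	if (ret < 0)
		return ret;

	ret = gnutls_hmac(hd, V, length);
	if (ret < 0)
		goto fail;
	ret = gnutls_hmac(hd, &c, 1);
	if (ret < 0)
		goto fail;
	if (xp != NULL && tp != NULL) {
		ret = gnutls_hmac(hd, xp, nbytes);
		if (ret < 0)
			goto fail;
		ret = gnutls_hmac(hd, tp, nbytes);
		if (ret < 0)
			goto fail;
	}

	gnutls_hmac_deinit(hd, K);
	return 0;

fail:
	/* Release the context (and the key material it copied) without
	 * producing a MAC, so an error path cannot leak it. */
	gnutls_hmac_deinit(hd, NULL);
	return ret;
}

/* Derives the per-signature nonce k deterministically from the private
 * key x and the message digest, following RFC 6979 section 3.2 with
 * HMAC based on @mac as the PRF.  The "Step" labels in the body refer
 * to that section.
 *
 * @k: receives the nonce, 1 <= k <= q-1
 * @q: the subgroup (or curve) order, at most MAX_Q_BITS bits
 * @x: the private key
 * @mac: the HMAC algorithm to use
 * @digest: the message hash
 * @length: size of @digest in bytes, at most MAX_HASH_SIZE
 *
 * Returns 0 on success, GNUTLS_E_INVALID_REQUEST when q or the digest
 * exceeds the fixed stack buffers, or the negative error code returned
 * by the HMAC layer.  All intermediate secret material is wiped from
 * the stack before returning, on both success and error paths. */
int
_gnutls_dsa_compute_k(mpz_t k,
		      const mpz_t q,
		      const mpz_t x,
		      gnutls_mac_algorithm_t mac,
		      const uint8_t * digest, size_t length)
{
	uint8_t V[MAX_HASH_SIZE];
	uint8_t K[MAX_HASH_SIZE];
	uint8_t xp[MAX_Q_SIZE];
	uint8_t tp[MAX_Q_SIZE];
	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
	mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
	mp_size_t qn = mpz_size(q);
	mp_size_t xn = (mp_size_t)mpz_size(x);
	mp_bitcnt_t h_bits = length * 8;
	mp_size_t hn = BITS_TO_LIMBS(h_bits);
	size_t nbytes = (q_bits + 7) / 8;
	mp_limb_t cy;
	int ret = 0;

	if (unlikely(q_bits > MAX_Q_BITS))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
	if (unlikely(length > MAX_HASH_SIZE))
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* int2octets(x): x as exactly nbytes big-endian bytes.  Only the
	 * mpz_size(x) limbs that actually exist are read (mpn_get_base256()
	 * zero-fills the leading bytes); reading qn limbs unconditionally
	 * would run past x's limb array whenever x is short by a limb.
	 * Capping at qn keeps the low-qn-limb truncation for an (invalid)
	 * oversized x. */
	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), MIN(xn, qn));

	/* bits2octets(h), part 1: load the digest as an hn-limb integer */
	mpn_set_base256(h, hn, digest, length);

	if (hn < qn) {
		/* qlen > blen: add zero bits to the left */
		mpn_zero(&h[hn], qn - hn);
	} else if (h_bits > q_bits) {
		/* qlen < blen: keep the leftmost qlen bits.  Done in two
		 * steps (whole limbs, then the remaining bits) because
		 * mpn_rshift only accepts a count in 1..GMP_NUMB_BITS-1. */
		mp_bitcnt_t shift = h_bits - q_bits;
		mp_size_t off = (mp_size_t)(shift / GMP_NUMB_BITS);
		unsigned int sh = (unsigned int)(shift % GMP_NUMB_BITS);

		if (off > 0) {
			/* Move all hn - off remaining limbs, not just qn of
			 * them: hn - off can equal qn + 1 when the digest's
			 * top partial limb still contributes bits to the kept
			 * qlen bits.  Copying only qn limbs would leave a stale
			 * limb at h[qn] for the bit shift below to pull into
			 * h[qn - 1]. */
			mpn_copyi(h, &h[off], hn - off);
			hn -= off;
		}

		if (sh > 0)
			mpn_rshift(h, h, hn, sh);
	}

	/* bits2octets(h), part 2: reduce mod q.  h < 2^qlen <= 2q, so one
	 * subtraction with the borrow added back suffices. */
	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
#ifdef mpn_cnd_add_n
	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
#else
	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
#endif
	mpn_get_base256(tp, nbytes, h, qn);

	/* Step b: V = 0x01 0x01 ... */
	memset(V, 0x01, length);

	/* Step c: K = 0x00 0x00 ... */
	memset(K, 0x00, length);

	/* Step d */
	ret = dsa_k_update_key(mac, K, V, length, 0x00, xp, tp, nbytes);
	if (ret < 0)
		goto out;

	/* Step e */
	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
	if (ret < 0)
		goto out;

	/* Step f */
	ret = dsa_k_update_key(mac, K, V, length, 0x01, xp, tp, nbytes);
	if (ret < 0)
		goto out;

	/* Step g */
	ret = gnutls_hmac_fast(mac, K, length, V, length, V);
	if (ret < 0)
		goto out;

	/* Step h: produce candidates until one lies in [1, q-1] */
	for (;;) {
		/* Step h.1 */
		size_t tlen = 0;

		/* Step h.2: T = V || V || ... until nbytes are collected */
		while (tlen < nbytes) {
			size_t chunk = MIN(nbytes - tlen, length);

			ret = gnutls_hmac_fast(mac, K, length, V, length, V);
			if (ret < 0)
				goto out;
			memcpy(&tp[tlen], V, chunk);
			tlen += chunk;
		}

		/* Step h.3: k = bits2int(T); tlen == nbytes, so at most 7
		 * excess bits need dropping. */
		mpn_set_base256(h, qn, tp, tlen);
		if (tlen * 8 > q_bits)
			mpn_rshift(h, h, qn, (unsigned int)(tlen * 8 - q_bits));

		/* Accept iff 1 <= k <= q-1 */
		if (!mpn_zero_p(h, qn) && mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
			/* mpz_limbs_finish() normalizes k by discarding leading
			 * zero limbs, so mpz_size(k) afterwards depends on the
			 * nonce's top bits; callers must not perform
			 * variable-time arithmetic on k. */
			mpz_limbs_finish(k, qn);
			break;
		}

		/* Candidate rejected: K = HMAC_K(V || 0x00), V = HMAC_K(V),
		 * then try again. */
		ret = dsa_k_update_key(mac, K, V, length, 0x00, NULL, NULL, 0);
		if (ret < 0)
			goto out;
		ret = gnutls_hmac_fast(mac, K, length, V, length, V);
		if (ret < 0)
			goto out;
	}

out:
	/* Everything on this frame is derived from x: xp is x itself, h
	 * holds the nonce (or a rejected candidate) and K/V determine it. */
	zeroize_key(xp, sizeof(xp));
	zeroize_key(tp, sizeof(tp));
	zeroize_key(K, sizeof(K));
	zeroize_key(V, sizeof(V));
	zeroize_key(h, sizeof(h));

	return ret;
}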