« back to all changes in this revision
Viewing changes to cipher/dsa.c
- browse files at revision 1.2.3
- compare with another revision
- download diff
- download tarball
- view history from revision 1.2.3
- Committer: Bazaar Package Importer
- Author(s): Andreas Metzler
- Date: 2009-02-21 13:46:58 UTC
- mto: (1.1.6 upstream) (2.1.3 squeeze)
- mto: This revision was merged to the branch mainline in revision 18.
- Revision ID: james.westby@ubuntu.com-20090221134658-855twvcr4ezk2ron
ImportĀ upstreamĀ versionĀ 1.4.4
- files added:
- cipher/hash-common.c
- random
- files removed:
- BUGS
- files modified:
- AUTHORS
added
removed
cipher/dsa.c
1
/* dsa.c - DSA signature scheme
1
/* dsa.c - DSA signature algorithm
2
2
* Copyright (C) 1998, 2000, 2001, 2002, 2003,
3
* 2006 Free Software Foundation, Inc.
3
* 2006, 2008 Free Software Foundation, Inc.
4
4
*
5
5
* This file is part of Libgcrypt.
6
6
*
15
15
* GNU Lesser General Public License for more details.
16
16
*
17
17
* You should have received a copy of the GNU Lesser General Public
18
* License along with this program; if not, write to the Free Software
19
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
18
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
20
19
*/
21
20
22
21
#include <config.h>
23
22
#include <stdio.h>
24
23
#include <stdlib.h>
25
24
#include <string.h>
26
#include <assert.h>
27
25
28
26
#include "g10lib.h"
29
27
#include "mpi.h"
48
46
} DSA_secret_key;
49
47
50
48
49
/* A structure used to hold domain parameters. */
50
typedef struct
51
{
52
gcry_mpi_t p; /* prime */
53
gcry_mpi_t q; /* group order */
54
gcry_mpi_t g; /* group generator */
55
} dsa_domain_t;
56
57
58
/* A sample 1024 bit DSA key used for the selftests. */
59
static const char sample_secret_key[] =
60
"(private-key"
61
" (dsa"
62
" (p #00AD7C0025BA1A15F775F3F2D673718391D00456978D347B33D7B49E7F32EDAB"
63
" 96273899DD8B2BB46CD6ECA263FAF04A28903503D59062A8865D2AE8ADFB5191"
64
" CF36FFB562D0E2F5809801A1F675DAE59698A9E01EFE8D7DCFCA084F4C6F5A44"
65
" 44D499A06FFAEA5E8EF5E01F2FD20A7B7EF3F6968AFBA1FB8D91F1559D52D8777B#)"
66
" (q #00EB7B5751D25EBBB7BD59D920315FD840E19AEBF9#)"
67
" (g #1574363387FDFD1DDF38F4FBE135BB20C7EE4772FB94C337AF86EA8E49666503"
68
" AE04B6BE81A2F8DD095311E0217ACA698A11E6C5D33CCDAE71498ED35D13991E"
69
" B02F09AB40BD8F4C5ED8C75DA779D0AE104BC34C960B002377068AB4B5A1F984"
70
" 3FBA91F537F1B7CAC4D8DD6D89B0D863AF7025D549F9C765D2FC07EE208F8D15#)"
71
" (y #64B11EF8871BE4AB572AA810D5D3CA11A6CDBC637A8014602C72960DB135BF46"
72
" A1816A724C34F87330FC9E187C5D66897A04535CC2AC9164A7150ABFA8179827"
73
" 6E45831AB811EEE848EBB24D9F5F2883B6E5DDC4C659DEF944DCFD80BF4D0A20"
74
" 42CAA7DC289F0C5A9D155F02D3D551DB741A81695B74D4C8F477F9C7838EB0FB#)"
75
" (x #11D54E4ADBD3034160F2CED4B7CD292A4EBF3EC0#)))";
76
/* A sample 1024 bit DSA key used for the selftests (public only). */
77
static const char sample_public_key[] =
78
"(public-key"
79
" (dsa"
80
" (p #00AD7C0025BA1A15F775F3F2D673718391D00456978D347B33D7B49E7F32EDAB"
81
" 96273899DD8B2BB46CD6ECA263FAF04A28903503D59062A8865D2AE8ADFB5191"
82
" CF36FFB562D0E2F5809801A1F675DAE59698A9E01EFE8D7DCFCA084F4C6F5A44"
83
" 44D499A06FFAEA5E8EF5E01F2FD20A7B7EF3F6968AFBA1FB8D91F1559D52D8777B#)"
84
" (q #00EB7B5751D25EBBB7BD59D920315FD840E19AEBF9#)"
85
" (g #1574363387FDFD1DDF38F4FBE135BB20C7EE4772FB94C337AF86EA8E49666503"
86
" AE04B6BE81A2F8DD095311E0217ACA698A11E6C5D33CCDAE71498ED35D13991E"
87
" B02F09AB40BD8F4C5ED8C75DA779D0AE104BC34C960B002377068AB4B5A1F984"
88
" 3FBA91F537F1B7CAC4D8DD6D89B0D863AF7025D549F9C765D2FC07EE208F8D15#)"
89
" (y #64B11EF8871BE4AB572AA810D5D3CA11A6CDBC637A8014602C72960DB135BF46"
90
" A1816A724C34F87330FC9E187C5D66897A04535CC2AC9164A7150ABFA8179827"
91
" 6E45831AB811EEE848EBB24D9F5F2883B6E5DDC4C659DEF944DCFD80BF4D0A20"
92
" 42CAA7DC289F0C5A9D155F02D3D551DB741A81695B74D4C8F477F9C7838EB0FB#)))";
93
94
95
96
51
97
static gcry_mpi_t gen_k (gcry_mpi_t q);
52
static void test_keys (DSA_secret_key *sk, unsigned qbits);
98
static int test_keys (DSA_secret_key *sk, unsigned int qbits);
53
99
static int check_secret_key (DSA_secret_key *sk);
54
100
static gpg_err_code_t generate (DSA_secret_key *sk,
55
101
unsigned int nbits,
56
102
unsigned int qbits,
103
int transient_key,
104
dsa_domain_t *domain,
57
105
gcry_mpi_t **ret_factors);
58
106
static void sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input,
59
107
DSA_secret_key *skey);
145
193
}
146
194
147
195
148
static void
149
test_keys( DSA_secret_key *sk, unsigned qbits )
196
/* Check that a freshly generated key actually works. Returns 0 on success. */
197
static int
198
test_keys (DSA_secret_key *sk, unsigned int qbits)
150
199
{
200
int result = -1; /* Default to failure. */
151
201
DSA_public_key pk;
152
gcry_mpi_t test = gcry_mpi_new ( qbits );
153
gcry_mpi_t out1_a = gcry_mpi_new ( qbits );
154
gcry_mpi_t out1_b = gcry_mpi_new ( qbits );
202
gcry_mpi_t data = gcry_mpi_new (qbits);
203
gcry_mpi_t sig_a = gcry_mpi_new (qbits);
204
gcry_mpi_t sig_b = gcry_mpi_new (qbits);
155
205
206
/* Put the relevant parameters into a public key structure. */
156
207
pk.p = sk->p;
157
208
pk.q = sk->q;
158
209
pk.g = sk->g;
159
210
pk.y = sk->y;
160
gcry_mpi_randomize( test, qbits, GCRY_WEAK_RANDOM );
161
162
sign( out1_a, out1_b, test, sk );
163
if( !verify( out1_a, out1_b, test, &pk ) )
164
log_fatal("DSA:: sign, verify failed\n");
165
166
gcry_mpi_release ( test );
167
gcry_mpi_release ( out1_a );
168
gcry_mpi_release ( out1_b );
211
212
/* Create a random plaintext. */
213
gcry_mpi_randomize (data, qbits, GCRY_WEAK_RANDOM);
214
215
/* Sign DATA using the secret key. */
216
sign (sig_a, sig_b, data, sk);
217
218
/* Verify the signature using the public key. */
219
if ( !verify (sig_a, sig_b, data, &pk) )
220
goto leave; /* Signature does not match. */
221
222
/* Modify the data and check that the signing fails. */
223
gcry_mpi_add_ui (data, data, 1);
224
if ( verify (sig_a, sig_b, data, &pk) )
225
goto leave; /* Signature matches but should not. */
226
227
result = 0; /* The test succeeded. */
228
229
leave:
230
gcry_mpi_release (sig_b);
231
gcry_mpi_release (sig_a);
232
gcry_mpi_release (data);
233
return result;
169
234
}
170
235
171
236
172
237
173
238
/*
174
Generate a DSA key pair with a key of size NBITS.
239
Generate a DSA key pair with a key of size NBITS. If transient_key
240
is true the key is generated using the standard RNG and not the
241
very secure one.
242
175
243
Returns: 2 structures filled with all needed values
176
244
and an array with the n-1 factors of (p-1)
177
245
*/
178
246
static gpg_err_code_t
179
247
generate (DSA_secret_key *sk, unsigned int nbits, unsigned int qbits,
180
gcry_mpi_t **ret_factors )
248
int transient_key, dsa_domain_t *domain, gcry_mpi_t **ret_factors )
181
249
{
182
250
gcry_mpi_t p; /* the prime */
183
251
gcry_mpi_t q; /* the 160 bit prime factor */
186
254
gcry_mpi_t x; /* the secret exponent */
187
255
gcry_mpi_t h, e; /* helper */
188
256
unsigned char *rndbuf;
257
gcry_random_level_t random_level;
189
258
190
259
if (qbits)
191
260
; /* Caller supplied qbits. Use this value. */
207
276
if (nbits < 2*qbits || nbits > 15360)
208
277
return GPG_ERR_INV_VALUE;
209
278
210
p = _gcry_generate_elg_prime( 1, nbits, qbits, NULL, ret_factors );
211
/* get q out of factors */
212
q = mpi_copy((*ret_factors)[0]);
213
if( mpi_get_nbits(q) != qbits )
214
BUG();
215
216
/* Find a generator g (h and e are helpers).
217
e = (p-1)/q */
218
e = mpi_alloc( mpi_get_nlimbs(p) );
219
mpi_sub_ui( e, p, 1 );
220
mpi_fdiv_q( e, e, q );
221
g = mpi_alloc( mpi_get_nlimbs(p) );
222
h = mpi_alloc_set_ui( 1 ); /* we start with 2 */
223
do
224
{
225
mpi_add_ui( h, h, 1 );
226
/* g = h^e mod p */
227
gcry_mpi_powm( g, h, e, p );
228
}
229
while( !mpi_cmp_ui( g, 1 ) ); /* continue until g != 1 */
230
231
/* Select a random number which has these properties:
279
if (fips_mode ())
280
{
281
if (nbits < 1024)
282
return GPG_ERR_INV_VALUE;
283
if (transient_key)
284
return GPG_ERR_INV_VALUE;
285
}
286
287
if (domain->p && domain->q && domain->g)
288
{
289
/* Domain parameters are given; use them. */
290
p = mpi_copy (domain->p);
291
q = mpi_copy (domain->q);
292
g = mpi_copy (domain->g);
293
gcry_assert (mpi_get_nbits (p) == nbits);
294
gcry_assert (mpi_get_nbits (q) == qbits);
295
h = mpi_alloc (0);
296
e = NULL;
297
}
298
else
299
{
300
/* Generate new domain parameters. */
301
p = _gcry_generate_elg_prime (1, nbits, qbits, NULL, ret_factors);
302
/* Get q out of factors. */
303
q = mpi_copy ((*ret_factors)[0]);
304
gcry_assert (mpi_get_nbits (q) == qbits);
305
306
/* Find a generator g (h and e are helpers).
307
e = (p-1)/q */
308
e = mpi_alloc (mpi_get_nlimbs (p));
309
mpi_sub_ui (e, p, 1);
310
mpi_fdiv_q (e, e, q);
311
g = mpi_alloc (mpi_get_nlimbs (p));
312
h = mpi_alloc_set_ui (1); /* (We start with 2.) */
313
do
314
{
315
mpi_add_ui (h, h, 1);
316
/* g = h^e mod p */
317
gcry_mpi_powm (g, h, e, p);
318
}
319
while (!mpi_cmp_ui (g, 1)); /* Continue until g != 1. */
320
}
321
322
/* Select a random number X with the property:
232
323
* 0 < x < q-1
233
* This must be a very good random number because this
234
* is the secret part. */
235
if( DBG_CIPHER )
236
log_debug("choosing a random x ");
237
assert( qbits >= 160 );
324
* This must be a very good random number because this is the secret
325
* part. The random quality depends on the transient_key flag. */
326
random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM;
327
if (DBG_CIPHER)
328
log_debug("choosing a random x%s", transient_key? " (transient-key)":"");
329
gcry_assert( qbits >= 160 );
238
330
x = mpi_alloc_secure( mpi_get_nlimbs(q) );
239
331
mpi_sub_ui( h, q, 1 ); /* put q-1 into h */
240
332
rndbuf = NULL;
243
335
if( DBG_CIPHER )
244
336
progress('.');
245
337
if( !rndbuf )
246
rndbuf = gcry_random_bytes_secure( (qbits+7)/8,
247
GCRY_VERY_STRONG_RANDOM );
338
rndbuf = gcry_random_bytes_secure ((qbits+7)/8, random_level);
248
339
else
249
340
{ /* Change only some of the higher bits (= 2 bytes)*/
250
char *r = gcry_random_bytes_secure (2, GCRY_VERY_STRONG_RANDOM);
341
char *r = gcry_random_bytes_secure (2, random_level);
251
342
memcpy(rndbuf, r, 2 );
252
343
gcry_free(r);
253
344
}
267
358
if( DBG_CIPHER )
268
359
{
269
360
progress('\n');
270
log_mpidump("dsa p= ", p );
271
log_mpidump("dsa q= ", q );
272
log_mpidump("dsa g= ", g );
273
log_mpidump("dsa y= ", y );
274
log_mpidump("dsa x= ", x );
361
log_mpidump("dsa p", p );
362
log_mpidump("dsa q", q );
363
log_mpidump("dsa g", g );
364
log_mpidump("dsa y", y );
365
log_mpidump("dsa x", x );
275
366
}
276
367
277
368
/* Copy the stuff to the key structures. */
282
373
sk->x = x;
283
374
284
375
/* Now we can test our keys (this should never fail!). */
285
test_keys( sk, qbits );
376
if ( test_keys (sk, qbits) )
377
{
378
gcry_mpi_release (sk->p); sk->p = NULL;
379
gcry_mpi_release (sk->q); sk->q = NULL;
380
gcry_mpi_release (sk->g); sk->g = NULL;
381
gcry_mpi_release (sk->y); sk->y = NULL;
382
gcry_mpi_release (sk->x); sk->x = NULL;
383
fips_signal_error ("self-test after key generation failed");
384
return GPG_ERR_SELFTEST_FAILED;
385
}
286
386
return 0;
287
387
}
288
388
289
389
390
/* Generate a DSA key pair with a key of size NBITS using the
391
algorithm given in FIPS-186-3. If USE_FIPS186_2 is true,
392
FIPS-186-2 is used and thus the length is restricted to 1024/160.
393
If DERIVEPARMS is not NULL it may contain a seed value. If domain
394
parameters are specified in DOMAIN, DERIVEPARMS may not be given
395
and NBITS and QBITS must match the specified domain parameters. */
396
static gpg_err_code_t
397
generate_fips186 (DSA_secret_key *sk, unsigned int nbits, unsigned int qbits,
398
gcry_sexp_t deriveparms, int use_fips186_2,
399
dsa_domain_t *domain,
400
int *r_counter, void **r_seed, size_t *r_seedlen,
401
gcry_mpi_t *r_h)
402
{
403
gpg_err_code_t ec;
404
struct {
405
gcry_sexp_t sexp;
406
const void *seed;
407
size_t seedlen;
408
} initial_seed = { NULL, NULL, 0 };
409
gcry_mpi_t prime_q = NULL;
410
gcry_mpi_t prime_p = NULL;
411
gcry_mpi_t value_g = NULL; /* The generator. */
412
gcry_mpi_t value_y = NULL; /* g^x mod p */
413
gcry_mpi_t value_x = NULL; /* The secret exponent. */
414
gcry_mpi_t value_h = NULL; /* Helper. */
415
gcry_mpi_t value_e = NULL; /* Helper. */
416
417
/* Preset return values. */
418
*r_counter = 0;
419
*r_seed = NULL;
420
*r_seedlen = 0;
421
*r_h = NULL;
422
423
/* Derive QBITS from NBITS if requested */
424
if (!qbits)
425
{
426
if (nbits == 1024)
427
qbits = 160;
428
else if (nbits == 2048)
429
qbits = 224;
430
else if (nbits == 3072)
431
qbits = 256;
432
}
433
434
/* Check that QBITS and NBITS match the standard. Note that FIPS
435
186-3 uses N for QBITS and L for NBITS. */
436
if (nbits == 1024 && qbits == 160)
437
;
438
else if (nbits == 2048 && qbits == 224)
439
;
440
else if (nbits == 2048 && qbits == 256)
441
;
442
else if (nbits == 3072 && qbits == 256)
443
;
444
else
445
return GPG_ERR_INV_VALUE;
446
447
if (domain->p && domain->q && domain->g)
448
{
449
/* Domain parameters are given; use them. */
450
prime_p = mpi_copy (domain->p);
451
prime_q = mpi_copy (domain->q);
452
value_g = mpi_copy (domain->g);
453
gcry_assert (mpi_get_nbits (prime_p) == nbits);
454
gcry_assert (mpi_get_nbits (prime_q) == qbits);
455
gcry_assert (!deriveparms);
456
ec = 0;
457
}
458
else
459
{
460
/* Generate new domain parameters. */
461
462
/* Get an initial seed value. */
463
if (deriveparms)
464
{
465
initial_seed.sexp = gcry_sexp_find_token (deriveparms, "seed", 0);
466
if (initial_seed.sexp)
467
initial_seed.seed = gcry_sexp_nth_data (initial_seed.sexp, 1,
468
&initial_seed.seedlen);
469
}
470
471
/* Fixme: Enable 186-3 after it has been approved and after fixing
472
the generation function. */
473
/* if (use_fips186_2) */
474
(void)use_fips186_2;
475
ec = _gcry_generate_fips186_2_prime (nbits, qbits,
476
initial_seed.seed,
477
initial_seed.seedlen,
478
&prime_q, &prime_p,
479
r_counter,
480
r_seed, r_seedlen);
481
/* else */
482
/* ec = _gcry_generate_fips186_3_prime (nbits, qbits, NULL, 0, */
483
/* &prime_q, &prime_p, */
484
/* r_counter, */
485
/* r_seed, r_seedlen, NULL); */
486
gcry_sexp_release (initial_seed.sexp);
487
if (ec)
488
goto leave;
489
490
/* Find a generator g (h and e are helpers).
491
e = (p-1)/q */
492
value_e = mpi_alloc_like (prime_p);
493
mpi_sub_ui (value_e, prime_p, 1);
494
mpi_fdiv_q (value_e, value_e, prime_q );
495
value_g = mpi_alloc_like (prime_p);
496
value_h = mpi_alloc_set_ui (1);
497
do
498
{
499
mpi_add_ui (value_h, value_h, 1);
500
/* g = h^e mod p */
501
mpi_powm (value_g, value_h, value_e, prime_p);
502
}
503
while (!mpi_cmp_ui (value_g, 1)); /* Continue until g != 1. */
504
}
505
506
507
/* Select a random number x with: 0 < x < q */
508
value_x = gcry_mpi_snew (qbits);
509
do
510
{
511
if( DBG_CIPHER )
512
progress('.');
513
gcry_mpi_randomize (value_x, qbits, GCRY_VERY_STRONG_RANDOM);
514
mpi_clear_highbit (value_x, qbits+1);
515
}
516
while (!(mpi_cmp_ui (value_x, 0) > 0 && mpi_cmp (value_x, prime_q) < 0));
517
518
/* y = g^x mod p */
519
value_y = mpi_alloc_like (prime_p);
520
gcry_mpi_powm (value_y, value_g, value_x, prime_p);
521
522
if (DBG_CIPHER)
523
{
524
progress('\n');
525
log_mpidump("dsa p", prime_p );
526
log_mpidump("dsa q", prime_q );
527
log_mpidump("dsa g", value_g );
528
log_mpidump("dsa y", value_y );
529
log_mpidump("dsa x", value_x );
530
log_mpidump("dsa h", value_h );
531
}
532
533
/* Copy the stuff to the key structures. */
534
sk->p = prime_p; prime_p = NULL;
535
sk->q = prime_q; prime_q = NULL;
536
sk->g = value_g; value_g = NULL;
537
sk->y = value_y; value_y = NULL;
538
sk->x = value_x; value_x = NULL;
539
*r_h = value_h; value_h = NULL;
540
541
leave:
542
gcry_mpi_release (prime_p);
543
gcry_mpi_release (prime_q);
544
gcry_mpi_release (value_g);
545
gcry_mpi_release (value_y);
546
gcry_mpi_release (value_x);
547
gcry_mpi_release (value_h);
548
gcry_mpi_release (value_e);
549
550
/* As a last step test this keys (this should never fail of course). */
551
if (!ec && test_keys (sk, qbits) )
552
{
553
gcry_mpi_release (sk->p); sk->p = NULL;
554
gcry_mpi_release (sk->q); sk->q = NULL;
555
gcry_mpi_release (sk->g); sk->g = NULL;
556
gcry_mpi_release (sk->y); sk->y = NULL;
557
gcry_mpi_release (sk->x); sk->x = NULL;
558
fips_signal_error ("self-test after key generation failed");
559
ec = GPG_ERR_SELFTEST_FAILED;
560
}
561
562
if (ec)
563
{
564
*r_counter = 0;
565
gcry_free (*r_seed); *r_seed = NULL;
566
*r_seedlen = 0;
567
gcry_mpi_release (*r_h); *r_h = NULL;
568
}
569
570
return ec;
571
}
572
573
290
574
291
575
/*
292
576
Test whether the secret key is valid.
391
675
************** interface ******************
392
676
*********************************************/
393
677
394
gcry_err_code_t
395
_gcry_dsa_generate (int algo, unsigned int nbits, unsigned long dummy,
396
gcry_mpi_t *skey, gcry_mpi_t **retfactors)
397
{
398
gpg_err_code_t err;
399
DSA_secret_key sk;
400
401
(void)algo;
402
(void)dummy;
403
404
err = generate (&sk, nbits, 0, retfactors);
405
if (!err)
406
{
407
skey[0] = sk.p;
408
skey[1] = sk.q;
409
skey[2] = sk.g;
410
skey[3] = sk.y;
411
skey[4] = sk.x;
412
}
413
414
return err;
415
}
416
417
418
/* We don't want to break our API. Thus we use a hack in pubkey.c to
419
link directly to this function. Note that we can't reuse the dummy
420
parameter because we can't be sure that applicaions accidently pass
421
a USE_E (that is for what dummy is used with RSA) to a DSA
422
generation. */
423
gcry_err_code_t
424
_gcry_dsa_generate2 (int algo, unsigned int nbits, unsigned int qbits,
425
unsigned long dummy,
426
gcry_mpi_t *skey, gcry_mpi_t **retfactors)
427
{
428
gpg_err_code_t err;
429
DSA_secret_key sk;
430
431
(void)algo;
432
(void)dummy;
433
434
err = generate (&sk, nbits, qbits, retfactors);
435
if (!err)
436
{
437
skey[0] = sk.p;
438
skey[1] = sk.q;
439
skey[2] = sk.g;
440
skey[3] = sk.y;
441
skey[4] = sk.x;
442
}
443
444
return err;
445
}
446
447
448
gcry_err_code_t
449
_gcry_dsa_check_secret_key (int algo, gcry_mpi_t *skey)
678
static gcry_err_code_t
679
dsa_generate_ext (int algo, unsigned int nbits, unsigned long evalue,
680
const gcry_sexp_t genparms,
681
gcry_mpi_t *skey, gcry_mpi_t **retfactors,
682
gcry_sexp_t *r_extrainfo)
683
{
684
gpg_err_code_t ec;
685
DSA_secret_key sk;
686
gcry_sexp_t l1;
687
unsigned int qbits = 0;
688
gcry_sexp_t deriveparms = NULL;
689
gcry_sexp_t seedinfo = NULL;
690
int transient_key = 0;
691
int use_fips186_2 = 0;
692
int use_fips186 = 0;
693
dsa_domain_t domain;
694
695
(void)algo; /* No need to check it. */
696
(void)evalue; /* Not required for DSA. */
697
698
memset (&domain, 0, sizeof domain);
699
700
if (genparms)
701
{
702
gcry_sexp_t domainsexp;
703
704
/* Parse the optional qbits element. */
705
l1 = gcry_sexp_find_token (genparms, "qbits", 0);
706
if (l1)
707
{
708
char buf[50];
709
const char *s;
710
size_t n;
711
712
s = gcry_sexp_nth_data (l1, 1, &n);
713
if (!s || n >= DIM (buf) - 1 )
714
{
715
gcry_sexp_release (l1);
716
return GPG_ERR_INV_OBJ; /* No value or value too large. */
717
}
718
memcpy (buf, s, n);
719
buf[n] = 0;
720
qbits = (unsigned int)strtoul (buf, NULL, 0);
721
gcry_sexp_release (l1);
722
}
723
724
/* Parse the optional transient-key flag. */
725
l1 = gcry_sexp_find_token (genparms, "transient-key", 0);
726
if (l1)
727
{
728
transient_key = 1;
729
gcry_sexp_release (l1);
730
}
731
732
/* Get the optional derive parameters. */
733
deriveparms = gcry_sexp_find_token (genparms, "derive-parms", 0);
734
735
/* Parse the optional "use-fips186" flags. */
736
l1 = gcry_sexp_find_token (genparms, "use-fips186", 0);
737
if (l1)
738
{
739
use_fips186 = 1;
740
gcry_sexp_release (l1);
741
}
742
l1 = gcry_sexp_find_token (genparms, "use-fips186-2", 0);
743
if (l1)
744
{
745
use_fips186_2 = 1;
746
gcry_sexp_release (l1);
747
}
748
749
/* Check whether domain parameters are given. */
750
domainsexp = gcry_sexp_find_token (genparms, "domain", 0);
751
if (domainsexp)
752
{
753
/* DERIVEPARMS can't be used together with domain
754
parameters. NBITS abnd QBITS may not be specified
755
because there values are derived from the domain
756
parameters. */
757
if (deriveparms || qbits || nbits)
758
{
759
gcry_sexp_release (domainsexp);
760
gcry_sexp_release (deriveparms);
761
return GPG_ERR_INV_VALUE;
762
}
763
764
/* Put all domain parameters into the domain object. */
765
l1 = gcry_sexp_find_token (domainsexp, "p", 0);
766
domain.p = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
767
gcry_sexp_release (l1);
768
l1 = gcry_sexp_find_token (domainsexp, "q", 0);
769
domain.q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
770
gcry_sexp_release (l1);
771
l1 = gcry_sexp_find_token (domainsexp, "g", 0);
772
domain.g = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
773
gcry_sexp_release (l1);
774
gcry_sexp_release (domainsexp);
775
776
/* Check that all domain parameters are available. */
777
if (!domain.p || !domain.q || !domain.g)
778
{
779
gcry_mpi_release (domain.p);
780
gcry_mpi_release (domain.q);
781
gcry_mpi_release (domain.g);
782
gcry_sexp_release (deriveparms);
783
return GPG_ERR_MISSING_VALUE;
784
}
785
786
/* Get NBITS and QBITS from the domain parameters. */
787
nbits = mpi_get_nbits (domain.p);
788
qbits = mpi_get_nbits (domain.q);
789
}
790
}
791
792
if (deriveparms || use_fips186 || use_fips186_2 || fips_mode ())
793
{
794
int counter;
795
void *seed;
796
size_t seedlen;
797
gcry_mpi_t h_value;
798
799
ec = generate_fips186 (&sk, nbits, qbits, deriveparms, use_fips186_2,
800
&domain,
801
&counter, &seed, &seedlen, &h_value);
802
gcry_sexp_release (deriveparms);
803
if (!ec && h_value)
804
{
805
/* Format the seed-values unless domain parameters are used
806
for which a H_VALUE of NULL is an indication. */
807
ec = gpg_err_code (gcry_sexp_build
808
(&seedinfo, NULL,
809
"(seed-values(counter %d)(seed %b)(h %m))",
810
counter, (int)seedlen, seed, h_value));
811
if (ec)
812
{
813
gcry_mpi_release (sk.p); sk.p = NULL;
814
gcry_mpi_release (sk.q); sk.q = NULL;
815
gcry_mpi_release (sk.g); sk.g = NULL;
816
gcry_mpi_release (sk.y); sk.y = NULL;
817
gcry_mpi_release (sk.x); sk.x = NULL;
818
}
819
gcry_free (seed);
820
gcry_mpi_release (h_value);
821
}
822
}
823
else
824
{
825
ec = generate (&sk, nbits, qbits, transient_key, &domain, retfactors);
826
}
827
828
gcry_mpi_release (domain.p);
829
gcry_mpi_release (domain.q);
830
gcry_mpi_release (domain.g);
831
832
if (!ec)
833
{
834
skey[0] = sk.p;
835
skey[1] = sk.q;
836
skey[2] = sk.g;
837
skey[3] = sk.y;
838
skey[4] = sk.x;
839
840
if (!r_extrainfo)
841
{
842
/* Old style interface - return the factors - if any - at
843
retfactors. */
844
}
845
else if (!*retfactors && !seedinfo)
846
{
847
/* No factors and no seedinfo, thus there is nothing to return. */
848
*r_extrainfo = NULL;
849
}
850
else
851
{
852
/* Put the factors into extrainfo and set retfactors to NULL
853
to make use of the new interface. Note that the factors
854
are not confidential thus we can store them in standard
855
memory. */
856
int nfactors, i, j;
857
char *p;
858
char *format = NULL;
859
void **arg_list = NULL;
860
861
for (nfactors=0; *retfactors && (*retfactors)[nfactors]; nfactors++)
862
;
863
/* Allocate space for the format string:
864
"(misc-key-info%S(pm1-factors%m))"
865
with one "%m" for each factor and construct it. */
866
format = gcry_malloc (50 + 2*nfactors);
867
if (!format)
868
ec = gpg_err_code_from_syserror ();
869
else
870
{
871
p = stpcpy (format, "(misc-key-info");
872
if (seedinfo)
873
p = stpcpy (p, "%S");
874
if (nfactors)
875
{
876
p = stpcpy (p, "(pm1-factors");
877
for (i=0; i < nfactors; i++)
878
p = stpcpy (p, "%m");
879
p = stpcpy (p, ")");
880
}
881
p = stpcpy (p, ")");
882
883
/* Allocate space for the list of factors plus one for
884
an S-expression plus an extra NULL entry for safety
885
and fill it with the factors. */
886
arg_list = gcry_calloc (nfactors+1+1, sizeof *arg_list);
887
if (!arg_list)
888
ec = gpg_err_code_from_syserror ();
889
else
890
{
891
i = 0;
892
if (seedinfo)
893
arg_list[i++] = &seedinfo;
894
for (j=0; j < nfactors; j++)
895
arg_list[i++] = (*retfactors) + j;
896
arg_list[i] = NULL;
897
898
ec = gpg_err_code (gcry_sexp_build_array
899
(r_extrainfo, NULL, format, arg_list));
900
}
901
}
902
903
gcry_free (arg_list);
904
gcry_free (format);
905
for (i=0; i < nfactors; i++)
906
{
907
gcry_mpi_release ((*retfactors)[i]);
908
(*retfactors)[i] = NULL;
909
}
910
*retfactors = NULL;
911
if (ec)
912
{
913
for (i=0; i < 5; i++)
914
{
915
gcry_mpi_release (skey[i]);
916
skey[i] = NULL;
917
}
918
}
919
}
920
}
921
922
gcry_sexp_release (seedinfo);
923
return ec;
924
}
925
926
927
static gcry_err_code_t
928
dsa_generate (int algo, unsigned int nbits, unsigned long evalue,
929
gcry_mpi_t *skey, gcry_mpi_t **retfactors)
930
{
931
(void)evalue;
932
return dsa_generate_ext (algo, nbits, 0, NULL, skey, retfactors, NULL);
933
}
934
935
936
937
static gcry_err_code_t
938
dsa_check_secret_key (int algo, gcry_mpi_t *skey)
450
939
{
451
940
gcry_err_code_t err = GPG_ERR_NO_ERROR;
452
941
DSA_secret_key sk;
470
959
}
471
960
472
961
473
gcry_err_code_t
474
_gcry_dsa_sign (int algo, gcry_mpi_t *resarr, gcry_mpi_t data, gcry_mpi_t *skey)
962
static gcry_err_code_t
963
dsa_sign (int algo, gcry_mpi_t *resarr, gcry_mpi_t data, gcry_mpi_t *skey)
475
964
{
476
965
gcry_err_code_t err = GPG_ERR_NO_ERROR;
477
966
DSA_secret_key sk;
496
985
return err;
497
986
}
498
987
499
gcry_err_code_t
500
_gcry_dsa_verify (int algo, gcry_mpi_t hash, gcry_mpi_t *data, gcry_mpi_t *pkey,
501
int (*cmp) (void *, gcry_mpi_t), void *opaquev)
988
static gcry_err_code_t
989
dsa_verify (int algo, gcry_mpi_t hash, gcry_mpi_t *data, gcry_mpi_t *pkey,
990
int (*cmp) (void *, gcry_mpi_t), void *opaquev)
502
991
{
503
992
gcry_err_code_t err = GPG_ERR_NO_ERROR;
504
993
DSA_public_key pk;
523
1012
}
524
1013
525
1014
526
unsigned int
527
_gcry_dsa_get_nbits (int algo, gcry_mpi_t *pkey)
1015
static unsigned int
1016
dsa_get_nbits (int algo, gcry_mpi_t *pkey)
528
1017
{
529
1018
(void)algo;
530
1019
531
1020
return mpi_get_nbits (pkey[0]);
532
1021
}
533
1022
1023
1024
1025
/*
1026
Self-test section.
1027
*/
1028
1029
static const char *
1030
selftest_sign_1024 (gcry_sexp_t pkey, gcry_sexp_t skey)
1031
{
1032
static const char sample_data[] =
1033
"(data (flags pkcs1)"
1034
" (hash sha1 #a0b1c2d3e4f500102030405060708090a1b2c3d4#))";
1035
static const char sample_data_bad[] =
1036
"(data (flags pkcs1)"
1037
" (hash sha1 #a0b1c2d3e4f510102030405060708090a1b2c3d4#))";
1038
1039
const char *errtxt = NULL;
1040
gcry_error_t err;
1041
gcry_sexp_t data = NULL;
1042
gcry_sexp_t data_bad = NULL;
1043
gcry_sexp_t sig = NULL;
1044
1045
err = gcry_sexp_sscan (&data, NULL,
1046
sample_data, strlen (sample_data));
1047
if (!err)
1048
err = gcry_sexp_sscan (&data_bad, NULL,
1049
sample_data_bad, strlen (sample_data_bad));
1050
if (err)
1051
{
1052
errtxt = "converting data failed";
1053
goto leave;
1054
}
1055
1056
err = gcry_pk_sign (&sig, data, skey);
1057
if (err)
1058
{
1059
errtxt = "signing failed";
1060
goto leave;
1061
}
1062
err = gcry_pk_verify (sig, data, pkey);
1063
if (err)
1064
{
1065
errtxt = "verify failed";
1066
goto leave;
1067
}
1068
err = gcry_pk_verify (sig, data_bad, pkey);
1069
if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
1070
{
1071
errtxt = "bad signature not detected";
1072
goto leave;
1073
}
1074
1075
1076
leave:
1077
gcry_sexp_release (sig);
1078
gcry_sexp_release (data_bad);
1079
gcry_sexp_release (data);
1080
return errtxt;
1081
}
1082
1083
1084
static gpg_err_code_t
1085
selftests_dsa (selftest_report_func_t report)
1086
{
1087
const char *what;
1088
const char *errtxt;
1089
gcry_error_t err;
1090
gcry_sexp_t skey = NULL;
1091
gcry_sexp_t pkey = NULL;
1092
1093
/* Convert the S-expressions into the internal representation. */
1094
what = "convert";
1095
err = gcry_sexp_sscan (&skey, NULL,
1096
sample_secret_key, strlen (sample_secret_key));
1097
if (!err)
1098
err = gcry_sexp_sscan (&pkey, NULL,
1099
sample_public_key, strlen (sample_public_key));
1100
if (err)
1101
{
1102
errtxt = gcry_strerror (err);
1103
goto failed;
1104
}
1105
1106
what = "key consistency";
1107
err = gcry_pk_testkey (skey);
1108
if (err)
1109
{
1110
errtxt = gcry_strerror (err);
1111
goto failed;
1112
}
1113
1114
what = "sign";
1115
errtxt = selftest_sign_1024 (pkey, skey);
1116
if (errtxt)
1117
goto failed;
1118
1119
gcry_sexp_release (pkey);
1120
gcry_sexp_release (skey);
1121
return 0; /* Succeeded. */
1122
1123
failed:
1124
gcry_sexp_release (pkey);
1125
gcry_sexp_release (skey);
1126
if (report)
1127
report ("pubkey", GCRY_PK_DSA, what, errtxt);
1128
return GPG_ERR_SELFTEST_FAILED;
1129
}
1130
1131
1132
/* Run a full self-test for ALGO and return 0 on success. */
1133
static gpg_err_code_t
1134
run_selftests (int algo, int extended, selftest_report_func_t report)
1135
{
1136
gpg_err_code_t ec;
1137
1138
(void)extended;
1139
1140
switch (algo)
1141
{
1142
case GCRY_PK_DSA:
1143
ec = selftests_dsa (report);
1144
break;
1145
default:
1146
ec = GPG_ERR_PUBKEY_ALGO;
1147
break;
1148
1149
}
1150
return ec;
1151
}
1152
1153
1154
1155
534
1156
static const char *dsa_names[] =
535
1157
{
536
1158
"dsa",
543
1165
"DSA", dsa_names,
544
1166
"pqgy", "pqgyx", "", "rs", "pqgy",
545
1167
GCRY_PK_USAGE_SIGN,
546
_gcry_dsa_generate,
547
_gcry_dsa_check_secret_key,
548
NULL,
549
NULL,
550
_gcry_dsa_sign,
551
_gcry_dsa_verify,
552
_gcry_dsa_get_nbits,
1168
dsa_generate,
1169
dsa_check_secret_key,
1170
NULL,
1171
NULL,
1172
dsa_sign,
1173
dsa_verify,
1174
dsa_get_nbits
1175
};
1176
pk_extra_spec_t _gcry_pubkey_extraspec_dsa =
1177
{
1178
run_selftests,
1179
dsa_generate_ext
553
1180
};
554
1181
Loggerhead is a web-based interface for Breezy
Version: 2.0.1