3 * Copyright (C) 2006-2012 Sawtooth Consulting Ltd.
5 * This file is part of CyaSSL.
7 * CyaSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * CyaSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
28 #include <cyassl/ctaocrypt/dsa.h>
29 #include <cyassl/ctaocrypt/sha.h>
30 #include <cyassl/ctaocrypt/random.h>
31 #include <cyassl/ctaocrypt/error.h>
35 DSA_HALF_SIZE = 20, /* r and s size */
36 DSA_SIG_SIZE = 40 /* signature size */
42 static INLINE word32 min(word32 a, word32 b)
50 void InitDsaKey(DsaKey* key)
52 key->type = -1; /* haven't decided yet */
54 /* TomsFastMath doesn't use memory allocation */
56 key->p.dp = 0; /* public alloc parts */
61 key->x.dp = 0; /* private alloc parts */
66 void FreeDsaKey(DsaKey* key)
69 /* TomsFastMath doesn't use memory allocation */
71 if (key->type == DSA_PRIVATE)
81 int DsaSign(const byte* digest, byte* out, DsaKey* key, RNG* rng)
83 mp_int k, kInv, r, s, H;
85 byte buffer[DSA_HALF_SIZE];
87 if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
90 sz = min(sizeof(buffer), mp_unsigned_bin_size(&key->q));
93 RNG_GenerateBlock(rng, buffer, sz);
96 if (mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
99 if (mp_cmp_d(&k, 1) != MP_GT)
102 /* inverse k mod q */
103 if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
106 /* generate r, r = (g exp k mod p) mod q */
107 if (ret == 0 && mp_exptmod(&key->g, &k, &key->p, &r) != MP_OKAY)
110 if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
113 /* generate H from sha digest */
114 if (ret == 0 && mp_read_unsigned_bin(&H, digest,SHA_DIGEST_SIZE) != MP_OKAY)
117 /* generate s, s = (kInv * (H + x*r)) % q */
118 if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
121 if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
124 if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
129 int rSz = mp_unsigned_bin_size(&r);
130 int sSz = mp_unsigned_bin_size(&s);
132 if (rSz == DSA_HALF_SIZE - 1) {
137 if (mp_to_unsigned_bin(&r, out) != MP_OKAY)
140 if (sSz == DSA_HALF_SIZE - 1) {
144 ret = mp_to_unsigned_bin(&s, out + rSz);
158 int DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
160 mp_int w, u1, u2, v, r, s;
163 if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY)
166 /* set r and s from signature */
167 if (mp_read_unsigned_bin(&r, sig, DSA_HALF_SIZE) != MP_OKAY ||
168 mp_read_unsigned_bin(&s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY)
174 /* put H into u1 from sha digest */
175 if (ret == 0 && mp_read_unsigned_bin(&u1,digest,SHA_DIGEST_SIZE) != MP_OKAY)
179 if (ret == 0 && mp_invmod(&s, &key->q, &w) != MP_OKAY)
182 /* u1 = (H * w) % q */
183 if (ret == 0 && mp_mulmod(&u1, &w, &key->q, &u1) != MP_OKAY)
186 /* u2 = (r * w) % q */
187 if (ret == 0 && mp_mulmod(&r, &w, &key->q, &u2) != MP_OKAY)
190 /* verify v = ((g^u1 * y^u2) mod p) mod q */
191 if (ret == 0 && mp_exptmod(&key->g, &u1, &key->p, &u1) != MP_OKAY)
194 if (ret == 0 && mp_exptmod(&key->y, &u2, &key->p, &u2) != MP_OKAY)
197 if (ret == 0 && mp_mulmod(&u1, &u2, &key->p, &v) != MP_OKAY)
200 if (ret == 0 && mp_mod(&v, &key->q, &v) != MP_OKAY)
204 if (ret == 0 && mp_cmp(&r, &v) == MP_EQ)