engines/ccgost/gost_sign.c - chromiumos/third_party/openssl - Git at Google

 /**********************************************************************
  *                          gost_sign.c                               *
  *             Copyright (c) 2005-2006 Cryptocom LTD                  *
  *         This file is distributed under the same license as OpenSSL *
  *                                                                    *
  *       Implementation of GOST R 34.10-94 signature algorithm        *
  *       for OpenSSL                                                  *
  *          Requires OpenSSL 0.9.9 for compilation                    *
  **********************************************************************/
 #include <string.h>
 #include <openssl/rand.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/evp.h>

 #include "gost_params.h"
 #include "gost_lcl.h"
 #include "e_gost_err.h"

 #ifdef DEBUG_SIGN
 void dump_signature(const char *message,const unsigned char *buffer,size_t len)
 	{
 	size_t i;
 	fprintf(stderr,"signature %s Length=%d",message,len);
 	for (i=0; i<len; i++)
 		{
 		if (i% 16 ==0) fputc('\n',stderr);
 		fprintf (stderr," %02x",buffer[i]);
 		}
 	fprintf(stderr,"\nEnd of signature\n");
 	}

 void dump_dsa_sig(const char *message, DSA_SIG *sig)
 	{
 	fprintf(stderr,"%s\nR=",message);
 	BN_print_fp(stderr,sig->r);
 	fprintf(stderr,"\nS=");
 	BN_print_fp(stderr,sig->s);
 	fprintf(stderr,"\n");
 	}

 #else

 #define dump_signature(a,b,c)
 #define dump_dsa_sig(a,b)
 #endif

 /*
  * Computes signature and returns it as DSA_SIG structure
  */
 DSA_SIG *gost_do_sign(const unsigned char *dgst,int dlen, DSA *dsa)
 	{
 	BIGNUM *k=NULL,*tmp=NULL,*tmp2=NULL;
 	DSA_SIG *newsig = DSA_SIG_new();
 	BIGNUM *md = hashsum2bn(dgst);
 	/* check if H(M) mod q is zero */
 	BN_CTX *ctx=BN_CTX_new();
 	BN_CTX_start(ctx);
 	if (!newsig)
 		{
 		GOSTerr(GOST_F_GOST_DO_SIGN,GOST_R_NO_MEMORY);
 		goto err;
 		}
 	tmp=BN_CTX_get(ctx);
 	k = BN_CTX_get(ctx);
 	tmp2 = BN_CTX_get(ctx);
 	BN_mod(tmp,md,dsa->q,ctx);
 	if (BN_is_zero(tmp))
 		{
 		BN_one(md);
 		}
 	do
 		{
 		do
 			{
 			/*Generate random number k less than q*/
 			BN_rand_range(k,dsa->q);
 			/* generate r = (a^x mod p) mod q */
 			BN_mod_exp(tmp,dsa->g, k, dsa->p,ctx);
 			if (!(newsig->r)) newsig->r=BN_new();
 			BN_mod(newsig->r,tmp,dsa->q,ctx);
 			}
 		while (BN_is_zero(newsig->r));
 		/* generate s = (xr + k(Hm)) mod q */
 		BN_mod_mul(tmp,dsa->priv_key,newsig->r,dsa->q,ctx);
 		BN_mod_mul(tmp2,k,md,dsa->q,ctx);
 		if (!newsig->s) newsig->s=BN_new();
 		BN_mod_add(newsig->s,tmp,tmp2,dsa->q,ctx);
 		}
 	while (BN_is_zero(newsig->s));
 	err:
 	BN_free(md);
 	BN_CTX_end(ctx);
 	BN_CTX_free(ctx);
 	return newsig;
 	}


 /*
  * Packs signature according to Cryptocom rules
  * and frees up DSA_SIG structure
  */
 /*
 int pack_sign_cc(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen)
 	{
 	*siglen = 2*order;
 	memset(sig,0,*siglen);
 	store_bignum(s->r, sig,order);
 	store_bignum(s->s, sig + order,order);
 	dump_signature("serialized",sig,*siglen);
 	DSA_SIG_free(s);
 	return 1;
 	}
 */
 /*
  * Packs signature according to Cryptopro rules
  * and frees up DSA_SIG structure
  */
 int pack_sign_cp(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen)
 	{
 	*siglen = 2*order;
 	memset(sig,0,*siglen);
 	store_bignum(s->s, sig, order);
 	store_bignum(s->r, sig+order,order);
 	dump_signature("serialized",sig,*siglen);
 	DSA_SIG_free(s);
 	return 1;
 	}

 /*
  * Verifies signature passed as DSA_SIG structure
  *
  */

 int gost_do_verify(const unsigned char *dgst, int dgst_len,
 	DSA_SIG *sig, DSA *dsa)
 	{
 	BIGNUM *md, *tmp=NULL;
 	BIGNUM *q2=NULL;
 	BIGNUM *u=NULL,*v=NULL,*z1=NULL,*z2=NULL;
 	BIGNUM *tmp2=NULL,*tmp3=NULL;
 	int ok;
 	BN_CTX *ctx = BN_CTX_new();

 	BN_CTX_start(ctx);
 	if (BN_cmp(sig->s,dsa->q)>=1||
 		BN_cmp(sig->r,dsa->q)>=1)
 		{
 		GOSTerr(GOST_F_GOST_DO_VERIFY,GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
 		return 0;
 		}
 	md=hashsum2bn(dgst);

 	tmp=BN_CTX_get(ctx);
 	v=BN_CTX_get(ctx);
 	q2=BN_CTX_get(ctx);
 	z1=BN_CTX_get(ctx);
 	z2=BN_CTX_get(ctx);
 	tmp2=BN_CTX_get(ctx);
 	tmp3=BN_CTX_get(ctx);
 	u = BN_CTX_get(ctx);

 	BN_mod(tmp,md,dsa->q,ctx);
 	if (BN_is_zero(tmp))
 		{
 		BN_one(md);
 		}
 	BN_copy(q2,dsa->q);
 	BN_sub_word(q2,2);
 	BN_mod_exp(v,md,q2,dsa->q,ctx);
 	BN_mod_mul(z1,sig->s,v,dsa->q,ctx);
 	BN_sub(tmp,dsa->q,sig->r);
 	BN_mod_mul(z2,tmp,v,dsa->p,ctx);
 	BN_mod_exp(tmp,dsa->g,z1,dsa->p,ctx);
 	BN_mod_exp(tmp2,dsa->pub_key,z2,dsa->p,ctx);
 	BN_mod_mul(tmp3,tmp,tmp2,dsa->p,ctx);
 	BN_mod(u,tmp3,dsa->q,ctx);
 	ok= BN_cmp(u,sig->r);

 	BN_free(md);
 	BN_CTX_end(ctx);
 	BN_CTX_free(ctx);
 	if (ok!=0)
 		{
 		GOSTerr(GOST_F_GOST_DO_VERIFY,GOST_R_SIGNATURE_MISMATCH);
 		}
 	return (ok==0);
 	}

 /*
  * Computes public keys for GOST R 34.10-94 algorithm
  *
  */
 int gost94_compute_public(DSA *dsa)
 	{
 	/* Now fill algorithm parameters with correct values */
 	BN_CTX *ctx = BN_CTX_new();
 	if (!dsa->g)
 		{
 		GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC,GOST_R_KEY_IS_NOT_INITALIZED);
 		return 0;
 		}
 	/* Compute public key  y = a^x mod p */
 	dsa->pub_key=BN_new();
 	BN_mod_exp(dsa->pub_key, dsa->g,dsa->priv_key,dsa->p,ctx);
 	BN_CTX_free(ctx);
 	return 1;
 	}

 /*
  * Fill GOST 94 params, searching them in R3410_paramset array
  * by nid of paramset
  *
  */
 int fill_GOST94_params(DSA *dsa,int nid)
 	{
 	R3410_params *params=R3410_paramset;
 	while (params->nid!=NID_undef && params->nid !=nid) params++;
 	if (params->nid == NID_undef)
 		{
 		GOSTerr(GOST_F_FILL_GOST94_PARAMS,GOST_R_UNSUPPORTED_PARAMETER_SET);
 		return 0;
 		}
 #define dump_signature(a,b,c)
 	if (dsa->p) { BN_free(dsa->p); }
 	dsa->p=NULL;
 	BN_dec2bn(&(dsa->p),params->p);
 	if (dsa->q) { BN_free(dsa->q); }
 	dsa->q=NULL;
 	BN_dec2bn(&(dsa->q),params->q);
 	if (dsa->g) { BN_free(dsa->g); }
 	dsa->g=NULL;
 	BN_dec2bn(&(dsa->g),params->a);
 	return 1;
 	}

 /*
  *  Generate GOST R 34.10-94 keypair
  *
  *
  */
 int gost_sign_keygen(DSA *dsa)
 	{
 	dsa->priv_key = BN_new();
 	BN_rand_range(dsa->priv_key,dsa->q);
 	return gost94_compute_public( dsa);
 	}

 /* Unpack signature according to cryptocom rules  */
 /*
 DSA_SIG *unpack_cc_signature(const unsigned char *sig,size_t siglen)
 	{
 	DSA_SIG *s;
 	s = DSA_SIG_new();
 	if (s == NULL)
 		{
 		GOSTerr(GOST_F_UNPACK_CC_SIGNATURE,GOST_R_NO_MEMORY);
 		return(NULL);
 		}
 	s->r = getbnfrombuf(sig, siglen/2);
 	s->s = getbnfrombuf(sig + siglen/2, siglen/2);
 	return s;
 	}
 */
 /* Unpack signature according to cryptopro rules  */
 DSA_SIG *unpack_cp_signature(const unsigned char *sig,size_t siglen)
 	{
 	DSA_SIG *s;

 	s = DSA_SIG_new();
 	if (s == NULL)
 		{
 		GOSTerr(GOST_F_UNPACK_CP_SIGNATURE,GOST_R_NO_MEMORY);
 		return NULL;
 		}
 	s->s = getbnfrombuf(sig , siglen/2);
 	s->r = getbnfrombuf(sig + siglen/2, siglen/2);
 	return s;
 	}

 /* Convert little-endian byte array into bignum */
 BIGNUM *hashsum2bn(const unsigned char *dgst)
 	{
 	unsigned char buf[32];
 	int i;
 	for (i=0;i<32;i++)
 		{
 		buf[31-i]=dgst[i];
 		}
 	return getbnfrombuf(buf,32);
 	}

 /* Convert byte buffer to bignum, skipping leading zeros*/
 BIGNUM *getbnfrombuf(const unsigned char *buf,size_t len)
 	{
 	while (*buf==0&&len>0)
 		{
 		buf++; len--;
 		}
 	if (len)
 		{
 		return BN_bin2bn(buf,len,NULL);
 		}
 	else
 		{
 		BIGNUM *b=BN_new();
 		BN_zero(b);
 		return b;
 		}
 	}

 /* Pack bignum into byte buffer of given size, filling all leading bytes
  * by zeros */
 int store_bignum(BIGNUM *bn, unsigned char *buf,int len)
 	{
 	int bytes = BN_num_bytes(bn);
 	if (bytes>len) return 0;
 	memset(buf,0,len);
 	BN_bn2bin(bn,buf+len-bytes);
 	return 1;
 	}
	/**********************************************************************
	* gost_sign.c *
	* Copyright (c) 2005-2006 Cryptocom LTD *
	* This file is distributed under the same license as OpenSSL *
	* *
	* Implementation of GOST R 34.10-94 signature algorithm *
	* for OpenSSL *
	* Requires OpenSSL 0.9.9 for compilation *
	**********************************************************************/
	#include <string.h>
	#include <openssl/rand.h>
	#include <openssl/bn.h>
	#include <openssl/dsa.h>
	#include <openssl/evp.h>

	#include "gost_params.h"
	#include "gost_lcl.h"
	#include "e_gost_err.h"

	#ifdef DEBUG_SIGN
	void dump_signature(const char message,const unsigned char buffer,size_t len)
	{
	size_t i;
	fprintf(stderr,"signature %s Length=%d",message,len);
	for (i=0; i<len; i++)
	{
	if (i% 16 ==0) fputc('\n',stderr);
	fprintf (stderr," %02x",buffer[i]);
	}
	fprintf(stderr,"\nEnd of signature\n");
	}

	void dump_dsa_sig(const char message, DSA_SIG sig)
	{
	fprintf(stderr,"%s\nR=",message);
	BN_print_fp(stderr,sig->r);
	fprintf(stderr,"\nS=");
	BN_print_fp(stderr,sig->s);
	fprintf(stderr,"\n");
	}

	#else

	#define dump_signature(a,b,c)
	#define dump_dsa_sig(a,b)
	#endif

	/*
	* Computes signature and returns it as DSA_SIG structure
	*/
	DSA_SIG gost_do_sign(const unsigned char dgst,int dlen, DSA *dsa)
	{
	BIGNUM k=NULL,tmp=NULL,*tmp2=NULL;
	DSA_SIG *newsig = DSA_SIG_new();
	BIGNUM *md = hashsum2bn(dgst);
	/* check if H(M) mod q is zero */
	BN_CTX *ctx=BN_CTX_new();
	BN_CTX_start(ctx);
	if (!newsig)
	{
	GOSTerr(GOST_F_GOST_DO_SIGN,GOST_R_NO_MEMORY);
	goto err;
	}
	tmp=BN_CTX_get(ctx);
	k = BN_CTX_get(ctx);
	tmp2 = BN_CTX_get(ctx);
	BN_mod(tmp,md,dsa->q,ctx);
	if (BN_is_zero(tmp))
	{
	BN_one(md);
	}
	do
	{
	do
	{
	/Generate random number k less than q/
	BN_rand_range(k,dsa->q);
	/* generate r = (a^x mod p) mod q */
	BN_mod_exp(tmp,dsa->g, k, dsa->p,ctx);
	if (!(newsig->r)) newsig->r=BN_new();
	BN_mod(newsig->r,tmp,dsa->q,ctx);
	}
	while (BN_is_zero(newsig->r));
	/* generate s = (xr + k(Hm)) mod q */
	BN_mod_mul(tmp,dsa->priv_key,newsig->r,dsa->q,ctx);
	BN_mod_mul(tmp2,k,md,dsa->q,ctx);
	if (!newsig->s) newsig->s=BN_new();
	BN_mod_add(newsig->s,tmp,tmp2,dsa->q,ctx);
	}
	while (BN_is_zero(newsig->s));
	err:
	BN_free(md);
	BN_CTX_end(ctx);
	BN_CTX_free(ctx);
	return newsig;
	}


	/*
	* Packs signature according to Cryptocom rules
	* and frees up DSA_SIG structure
	*/
	/*
	int pack_sign_cc(DSA_SIG s,int order,unsigned char sig, size_t *siglen)
	{
	siglen = 2order;
	memset(sig,0,*siglen);
	store_bignum(s->r, sig,order);
	store_bignum(s->s, sig + order,order);
	dump_signature("serialized",sig,*siglen);
	DSA_SIG_free(s);
	return 1;
	}
	*/
	/*
	* Packs signature according to Cryptopro rules
	* and frees up DSA_SIG structure
	*/
	int pack_sign_cp(DSA_SIG s,int order,unsigned char sig, size_t *siglen)
	{
	siglen = 2order;
	memset(sig,0,*siglen);
	store_bignum(s->s, sig, order);
	store_bignum(s->r, sig+order,order);
	dump_signature("serialized",sig,*siglen);
	DSA_SIG_free(s);
	return 1;
	}

	/*
	* Verifies signature passed as DSA_SIG structure
	*
	*/

	int gost_do_verify(const unsigned char *dgst, int dgst_len,
	DSA_SIG sig, DSA dsa)
	{
	BIGNUM md, tmp=NULL;
	BIGNUM *q2=NULL;
	BIGNUM u=NULL,v=NULL,z1=NULL,z2=NULL;
	BIGNUM tmp2=NULL,tmp3=NULL;
	int ok;
	BN_CTX *ctx = BN_CTX_new();

	BN_CTX_start(ctx);
	if (BN_cmp(sig->s,dsa->q)>=1\|\|
	BN_cmp(sig->r,dsa->q)>=1)
	{
	GOSTerr(GOST_F_GOST_DO_VERIFY,GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
	return 0;
	}
	md=hashsum2bn(dgst);

	tmp=BN_CTX_get(ctx);
	v=BN_CTX_get(ctx);
	q2=BN_CTX_get(ctx);
	z1=BN_CTX_get(ctx);
	z2=BN_CTX_get(ctx);
	tmp2=BN_CTX_get(ctx);
	tmp3=BN_CTX_get(ctx);
	u = BN_CTX_get(ctx);

	BN_mod(tmp,md,dsa->q,ctx);
	if (BN_is_zero(tmp))
	{
	BN_one(md);
	}
	BN_copy(q2,dsa->q);
	BN_sub_word(q2,2);
	BN_mod_exp(v,md,q2,dsa->q,ctx);
	BN_mod_mul(z1,sig->s,v,dsa->q,ctx);
	BN_sub(tmp,dsa->q,sig->r);
	BN_mod_mul(z2,tmp,v,dsa->p,ctx);
	BN_mod_exp(tmp,dsa->g,z1,dsa->p,ctx);
	BN_mod_exp(tmp2,dsa->pub_key,z2,dsa->p,ctx);
	BN_mod_mul(tmp3,tmp,tmp2,dsa->p,ctx);
	BN_mod(u,tmp3,dsa->q,ctx);
	ok= BN_cmp(u,sig->r);

	BN_free(md);
	BN_CTX_end(ctx);
	BN_CTX_free(ctx);
	if (ok!=0)
	{
	GOSTerr(GOST_F_GOST_DO_VERIFY,GOST_R_SIGNATURE_MISMATCH);
	}
	return (ok==0);
	}

	/*
	* Computes public keys for GOST R 34.10-94 algorithm
	*
	*/
	int gost94_compute_public(DSA *dsa)
	{
	/* Now fill algorithm parameters with correct values */
	BN_CTX *ctx = BN_CTX_new();
	if (!dsa->g)
	{
	GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC,GOST_R_KEY_IS_NOT_INITALIZED);
	return 0;
	}
	/* Compute public key y = a^x mod p */
	dsa->pub_key=BN_new();
	BN_mod_exp(dsa->pub_key, dsa->g,dsa->priv_key,dsa->p,ctx);
	BN_CTX_free(ctx);
	return 1;
	}

	/*
	* Fill GOST 94 params, searching them in R3410_paramset array
	* by nid of paramset
	*
	*/
	int fill_GOST94_params(DSA *dsa,int nid)
	{
	R3410_params *params=R3410_paramset;
	while (params->nid!=NID_undef && params->nid !=nid) params++;
	if (params->nid == NID_undef)
	{
	GOSTerr(GOST_F_FILL_GOST94_PARAMS,GOST_R_UNSUPPORTED_PARAMETER_SET);
	return 0;
	}
	#define dump_signature(a,b,c)
	if (dsa->p) { BN_free(dsa->p); }
	dsa->p=NULL;
	BN_dec2bn(&(dsa->p),params->p);
	if (dsa->q) { BN_free(dsa->q); }
	dsa->q=NULL;
	BN_dec2bn(&(dsa->q),params->q);
	if (dsa->g) { BN_free(dsa->g); }
	dsa->g=NULL;
	BN_dec2bn(&(dsa->g),params->a);
	return 1;
	}

	/*
	* Generate GOST R 34.10-94 keypair
	*
	*
	*/
	int gost_sign_keygen(DSA *dsa)
	{
	dsa->priv_key = BN_new();
	BN_rand_range(dsa->priv_key,dsa->q);
	return gost94_compute_public( dsa);
	}

	/* Unpack signature according to cryptocom rules */
	/*
	DSA_SIG unpack_cc_signature(const unsigned char sig,size_t siglen)
	{
	DSA_SIG *s;
	s = DSA_SIG_new();
	if (s == NULL)
	{
	GOSTerr(GOST_F_UNPACK_CC_SIGNATURE,GOST_R_NO_MEMORY);
	return(NULL);
	}
	s->r = getbnfrombuf(sig, siglen/2);
	s->s = getbnfrombuf(sig + siglen/2, siglen/2);
	return s;
	}
	*/
	/* Unpack signature according to cryptopro rules */
	DSA_SIG unpack_cp_signature(const unsigned char sig,size_t siglen)
	{
	DSA_SIG *s;

	s = DSA_SIG_new();
	if (s == NULL)
	{
	GOSTerr(GOST_F_UNPACK_CP_SIGNATURE,GOST_R_NO_MEMORY);
	return NULL;
	}
	s->s = getbnfrombuf(sig , siglen/2);
	s->r = getbnfrombuf(sig + siglen/2, siglen/2);
	return s;
	}

	/* Convert little-endian byte array into bignum */
	BIGNUM hashsum2bn(const unsigned char dgst)
	{
	unsigned char buf[32];
	int i;
	for (i=0;i<32;i++)
	{
	buf[31-i]=dgst[i];
	}
	return getbnfrombuf(buf,32);
	}

	/* Convert byte buffer to bignum, skipping leading zeros*/
	BIGNUM getbnfrombuf(const unsigned char buf,size_t len)
	{
	while (*buf==0&&len>0)
	{
	buf++; len--;
	}
	if (len)
	{
	return BN_bin2bn(buf,len,NULL);
	}
	else
	{
	BIGNUM *b=BN_new();
	BN_zero(b);
	return b;
	}
	}

	/* Pack bignum into byte buffer of given size, filling all leading bytes
	* by zeros */
	int store_bignum(BIGNUM bn, unsigned char buf,int len)
	{
	int bytes = BN_num_bytes(bn);
	if (bytes>len) return 0;
	memset(buf,0,len);
	BN_bn2bin(bn,buf+len-bytes);
	return 1;
	}