Update NSS to NSS 3.14 pre-release snapshot 2012-06-26 01:00:00 PDT.

mozilla/security/nss/lib/freebl/dsa.c

 /*
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id: dsa.c,v 1.23 2012/06/12 16:39:00 rrelyea%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prerror.h"
 #include "secerr.h"
 
 #include "prtypes.h"
 #include "prinit.h"
 #include "blapi.h"
 #include "nssilock.h"
 #include "secitem.h"
 #include "blapi.h"
 #include "mpi.h"
 #include "secmpi.h"
+#include "pqg.h"
 
  /* XXX to be replaced by define in blapit.h */
 #define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
 
 /*
  * FIPS 186-2 requires result from random output to be reduced mod q when 
  * generating random numbers for DSA. 
  *
  * Input: w, 2*qLen bytes
  *        q, qLen bytes
@@ skipping 39 matching lines @@
 }
 
 /*
  * FIPS 186-2 requires result from random output to be reduced mod q when 
  * generating random numbers for DSA. 
  */
 SECStatus
 FIPS186Change_ReduceModQForDSA(const unsigned char *w,
                                const unsigned char *q,
                                unsigned char *xj) {
-    return fips186Change_ReduceModQForDSA(w, q, DSA_SUBPRIME_LEN, xj);
+    return fips186Change_ReduceModQForDSA(w, q, DSA1_SUBPRIME_LEN, xj);
 }
 
 /*
  * The core of Algorithm 1 of FIPS 186-2 Change Notice 1.
  *
  * We no longer support FIPS 186-2 RNG. This function was exported
  * for power-up self tests and FIPS tests. Keep this stub, which fails,
  * to prevent crashes, but also to signal to test code that FIPS 186-2
  * RNG is no longer supported.
  */
@@ skipping 27 matching lines @@
     SECItem w;
     const PRUint8 * q = qItem->data;
     unsigned int qLen = qItem->len;
 
     if (*q == 0) {
         ++q;
         --qLen;
     }
     if (maxDestLen < qLen) {
         /* This condition can occur when DSA_SignDigest is passed a group
-           with a subprime that is larger than DSA_SUBPRIME_LEN. */
+           with a subprime that is larger than DSA_MAX_SUBPRIME_LEN. */
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     w.data = NULL; /* otherwise SECITEM_AllocItem asserts */
     if (!SECITEM_AllocItem(NULL, &w, 2*qLen)) {
         return SECFailure;
     }
     *destLen = qLen;
 
     rv = RNG_GenerateGlobalRandomBytes(w.data, w.len);
@@ skipping 131 matching lines @@
 **      both of which are encoded into a single DSAPrivateKey struct.
 **      "params" is a pointer to the PQG parameters for the domain
 **      Uses a random seed.
 */
 SECStatus 
 DSA_NewKey(const PQGParams *params, DSAPrivateKey **privKey)
 {
     SECItem seed;
     SECStatus rv;
 
+    rv = PQG_Check(params);
+    if (rv != SECSuccess) {
+        return rv;
+    }
     seed.data = NULL;
 
     rv = DSA_NewRandom(NULL, &params->subPrime, &seed);
     if (rv == SECSuccess) {
-        if (seed.len != DSA_SUBPRIME_LEN) {
+        if (seed.len != PQG_GetLength(&params->subPrime)) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
         } else {
             rv = dsa_NewKeyExtended(params, &seed, privKey);
         }
     }
     SECITEM_FreeItem(&seed, PR_FALSE);
     return rv;
 }
 
-/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
+/* For FIPS compliance testing. Seed must be exactly the size of subPrime  */
 SECStatus 
 DSA_NewKeyFromSeed(const PQGParams *params, 
                    const unsigned char *seed,
                    DSAPrivateKey **privKey)
 {
-    /* TODO: check Q size */
     SECItem seedItem;
     seedItem.data = (unsigned char*) seed;
-    seedItem.len = DSA_SUBPRIME_LEN;
+    seedItem.len = PQG_GetLength(&params->subPrime);
     return dsa_NewKeyExtended(params, &seedItem, privKey);
 }
 
 static SECStatus 
 dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
                const unsigned char *kb)
 {
     mp_int p, q, g;  /* PQG parameters */
     mp_int x, k;     /* private key & pseudo-random integer */
     mp_int r, s;     /* tuple (r, s) is signature) */
     mp_err err   = MP_OKAY;
     SECStatus rv = SECSuccess;
+    unsigned int dsa_subprime_len, dsa_signature_len, offset;
+    SECItem localDigest;
+    unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
+    
 
-    /* FIPS-compliance dictates that digest is a SHA1 hash. */
+    /* FIPS-compliance dictates that digest is a SHA hash. */
     /* Check args. */
-    if (!key || !signature || !digest ||
-        (signature->len < DSA_SIGNATURE_LEN) ||
-        (digest->len != SHA1_LENGTH)) {
+    if (!key || !signature || !digest) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
+    dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
+    dsa_signature_len = dsa_subprime_len*2;
+    if ((signature->len < dsa_signature_len) ||
+        (digest->len > HASH_LENGTH_MAX)  ||
+        (digest->len < SHA1_LENGTH)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* DSA accepts digests not equal to dsa_subprime_len, if the 
+     * digests are greater, then they are truncated to the size of 
+     * dsa_subprime_len, using the left most bits. If they are less
+     * then they are padded on the left.*/
+    PORT_Memset(localDigestData, 0, dsa_subprime_len);
+    offset = (digest->len < dsa_subprime_len) ? 
+                        (dsa_subprime_len - digest->len) : 0;
+    PORT_Memcpy(localDigestData+offset, digest->data, 
+                dsa_subprime_len - offset);
+    localDigest.data = localDigestData;
+    localDigest.len = dsa_subprime_len;
+
     /* Initialize MPI integers. */
     MP_DIGITS(&p) = 0;
     MP_DIGITS(&q) = 0;
     MP_DIGITS(&g) = 0;
     MP_DIGITS(&x) = 0;
     MP_DIGITS(&k) = 0;
     MP_DIGITS(&r) = 0;
     MP_DIGITS(&s) = 0;
     CHECK_MPI_OK( mp_init(&p) );
     CHECK_MPI_OK( mp_init(&q) );
     CHECK_MPI_OK( mp_init(&g) );
     CHECK_MPI_OK( mp_init(&x) );
     CHECK_MPI_OK( mp_init(&k) );
     CHECK_MPI_OK( mp_init(&r) );
     CHECK_MPI_OK( mp_init(&s) );
     /*
     ** Convert stored PQG and private key into MPI integers.
     */
     SECITEM_TO_MPINT(key->params.prime,    &p);
     SECITEM_TO_MPINT(key->params.subPrime, &q);
     SECITEM_TO_MPINT(key->params.base,     &g);
     SECITEM_TO_MPINT(key->privateValue,    &x);
-    OCTETS_TO_MPINT(kb, &k, DSA_SUBPRIME_LEN);
+    OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
     /*
     ** FIPS 186-1, Section 5, Step 1
     **
     ** r = (g**k mod p) mod q
     */
     CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */
     CHECK_MPI_OK(     mp_mod(&r, &q, &r) );     /* r = r mod q    */
     /*                                  
     ** FIPS 186-1, Section 5, Step 2
     **
-    ** s = (k**-1 * (SHA1(M) + x*r)) mod q
+    ** s = (k**-1 * (HASH(M) + x*r)) mod q
     */
-    SECITEM_TO_MPINT(*digest, &s);         /* s = SHA1(M)     */
+    SECITEM_TO_MPINT(localDigest, &s);          /* s = HASH(M)     */
     CHECK_MPI_OK( mp_invmod(&k, &q, &k) );      /* k = k**-1 mod q */
     CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) );  /* x = x * r mod q */
     CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) );  /* s = s + x mod q */
     CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) );  /* s = s * k mod q */
     /*
     ** verify r != 0 and s != 0
     ** mentioned as optional in FIPS 186-1.
     */
     if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
         rv = SECFailure;
         goto cleanup;
     }
     /*
     ** Step 4
     **
     ** Signature is tuple (r, s)
     */
-    err = mp_to_fixlen_octets(&r, signature->data, DSA_SUBPRIME_LEN);
+    err = mp_to_fixlen_octets(&r, signature->data, dsa_subprime_len);
     if (err < 0) goto cleanup; 
-    err = mp_to_fixlen_octets(&s, signature->data + DSA_SUBPRIME_LEN, 
-                                  DSA_SUBPRIME_LEN);
+    err = mp_to_fixlen_octets(&s, signature->data + dsa_subprime_len, 
+                                  dsa_subprime_len);
     if (err < 0) goto cleanup; 
     err = MP_OKAY;
-    signature->len = DSA_SIGNATURE_LEN;
+    signature->len = dsa_signature_len;
 cleanup:
+    PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&g);
     mp_clear(&x);
     mp_clear(&k);
     mp_clear(&r);
     mp_clear(&s);
     if (err) {
         translate_mpi_error(err);
         rv = SECFailure;
     }
     return rv;
 }
 
 /* signature is caller-supplied buffer of at least 40 bytes.
 ** On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 ** On output, signature->len == size of signature in buffer.
 ** Uses a random seed.
 */
 SECStatus 
 DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest)
 {
     SECStatus rv;
     int       retries = 10;
-    unsigned char kSeed[DSA_SUBPRIME_LEN];
+    unsigned char kSeed[DSA_MAX_SUBPRIME_LEN];
     unsigned int kSeedLen = 0;
     unsigned int i;
+    unsigned int dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
     PRBool    good;
 
     PORT_SetError(0);
     do {
         rv = dsa_GenerateGlobalRandomBytes(&key->params.subPrime,
                                            kSeed, &kSeedLen, sizeof kSeed);
         if (rv != SECSuccess) 
             break;
-        if (kSeedLen != DSA_SUBPRIME_LEN) {
+        if (kSeedLen != dsa_subprime_len) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
             break;
         }
         /* Disallow a value of 0 for k. */
         good = PR_FALSE;
         for (i = 0; i < kSeedLen; i++) {
             if (kSeed[i] != 0) {
                 good = PR_TRUE;
                 break;
@@ skipping 23 matching lines @@
 }
 
 /* signature is caller-supplied buffer of at least 20 bytes.
 ** On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 */
 SECStatus 
 DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, 
                  const SECItem *digest)
 {
-    /* FIPS-compliance dictates that digest is a SHA1 hash. */
+    /* FIPS-compliance dictates that digest is a SHA hash. */
     mp_int p, q, g;      /* PQG parameters */
     mp_int r_, s_;       /* tuple (r', s') is received signature) */
     mp_int u1, u2, v, w; /* intermediate values used in verification */
     mp_int y;            /* public key */
     mp_err err;
+    int dsa_subprime_len, dsa_signature_len, offset;
+    SECItem localDigest;
+    unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
     SECStatus verified = SECFailure;
 
     /* Check args. */
-    if (!key || !signature || !digest ||
-        (signature->len != DSA_SIGNATURE_LEN) ||
-        (digest->len != SHA1_LENGTH)) {
+    if (!key || !signature || !digest ) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
+
+    dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
+    dsa_signature_len = dsa_subprime_len*2;
+    if ((signature->len != dsa_signature_len) ||
+        (digest->len > HASH_LENGTH_MAX)  ||
+        (digest->len < SHA1_LENGTH)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* DSA accepts digests not equal to dsa_subprime_len, if the 
+     * digests are greater, than they are truncated to the size of 
+     * dsa_subprime_len, using the left most bits. If they are less
+     * then they are padded on the left.*/
+    PORT_Memset(localDigestData, 0, dsa_subprime_len);
+    offset = (digest->len < dsa_subprime_len) ? 
+                        (dsa_subprime_len - digest->len) : 0;
+    PORT_Memcpy(localDigestData+offset, digest->data, 
+                dsa_subprime_len - offset);
+    localDigest.data = localDigestData;
+    localDigest.len = dsa_subprime_len;
+
     /* Initialize MPI integers. */
     MP_DIGITS(&p)  = 0;
     MP_DIGITS(&q)  = 0;
     MP_DIGITS(&g)  = 0;
     MP_DIGITS(&y)  = 0;
     MP_DIGITS(&r_) = 0;
     MP_DIGITS(&s_) = 0;
     MP_DIGITS(&u1) = 0;
     MP_DIGITS(&u2) = 0;
     MP_DIGITS(&v)  = 0;
@@ skipping 11 matching lines @@
     /*
     ** Convert stored PQG and public key into MPI integers.
     */
     SECITEM_TO_MPINT(key->params.prime,    &p);
     SECITEM_TO_MPINT(key->params.subPrime, &q);
     SECITEM_TO_MPINT(key->params.base,     &g);
     SECITEM_TO_MPINT(key->publicValue,     &y);
     /*
     ** Convert received signature (r', s') into MPI integers.
     */
-    OCTETS_TO_MPINT(signature->data, &r_, DSA_SUBPRIME_LEN);
-    OCTETS_TO_MPINT(signature->data + DSA_SUBPRIME_LEN, &s_, DSA_SUBPRIME_LEN);
+    OCTETS_TO_MPINT(signature->data, &r_, dsa_subprime_len);
+    OCTETS_TO_MPINT(signature->data + dsa_subprime_len, &s_, dsa_subprime_len);
     /*
     ** Verify that 0 < r' < q and 0 < s' < q
     */
     if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
         mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) {
         /* err is zero here. */
         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
         goto cleanup; /* will return verified == SECFailure */
     }
     /*
     ** FIPS 186-1, Section 6, Step 1
     **
     ** w = (s')**-1 mod q
     */
     CHECK_MPI_OK( mp_invmod(&s_, &q, &w) );      /* w = (s')**-1 mod q */
     /*
     ** FIPS 186-1, Section 6, Step 2
     **
-    ** u1 = ((SHA1(M')) * w) mod q
+    ** u1 = ((Hash(M')) * w) mod q
     */
-    SECITEM_TO_MPINT(*digest, &u1);              /* u1 = SHA1(M')     */
+    SECITEM_TO_MPINT(localDigest, &u1);              /* u1 = HASH(M')     */
     CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */
     /*
     ** FIPS 186-1, Section 6, Step 3
     **
     ** u2 = ((r') * w) mod q
     */
     CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) );
     /*
     ** FIPS 186-1, Section 6, Step 4
     **
@@ skipping 21 matching lines @@
     mp_clear(&s_);
     mp_clear(&u1);
     mp_clear(&u2);
     mp_clear(&v);
     mp_clear(&w);
     if (err) {
         translate_mpi_error(err);
     }
     return verified;
 }