| Index: mozilla/security/nss/lib/freebl/dsa.c
|
| ===================================================================
|
| --- mozilla/security/nss/lib/freebl/dsa.c (revision 191424)
|
| +++ mozilla/security/nss/lib/freebl/dsa.c (working copy)
|
| @@ -1,632 +0,0 @@
|
| -/*
|
| - *
|
| - * This Source Code Form is subject to the terms of the Mozilla Public
|
| - * License, v. 2.0. If a copy of the MPL was not distributed with this
|
| - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
| -/* $Id: dsa.c,v 1.23 2012/06/12 16:39:00 rrelyea%redhat.com Exp $ */
|
| -
|
| -#ifdef FREEBL_NO_DEPEND
|
| -#include "stubs.h"
|
| -#endif
|
| -
|
| -#include "prerror.h"
|
| -#include "secerr.h"
|
| -
|
| -#include "prtypes.h"
|
| -#include "prinit.h"
|
| -#include "blapi.h"
|
| -#include "nssilock.h"
|
| -#include "secitem.h"
|
| -#include "blapi.h"
|
| -#include "mpi.h"
|
| -#include "secmpi.h"
|
| -#include "pqg.h"
|
| -
|
| - /* XXX to be replaced by define in blapit.h */
|
| -#define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
|
| -
|
| -/*
|
| - * FIPS 186-2 requires result from random output to be reduced mod q when
|
| - * generating random numbers for DSA.
|
| - *
|
| - * Input: w, 2*qLen bytes
|
| - * q, qLen bytes
|
| - * Output: xj, qLen bytes
|
| - */
|
| -static SECStatus
|
| -fips186Change_ReduceModQForDSA(const PRUint8 *w, const PRUint8 *q,
|
| - unsigned int qLen, PRUint8 * xj)
|
| -{
|
| - mp_int W, Q, Xj;
|
| - mp_err err;
|
| - SECStatus rv = SECSuccess;
|
| -
|
| - /* Initialize MPI integers. */
|
| - MP_DIGITS(&W) = 0;
|
| - MP_DIGITS(&Q) = 0;
|
| - MP_DIGITS(&Xj) = 0;
|
| - CHECK_MPI_OK( mp_init(&W) );
|
| - CHECK_MPI_OK( mp_init(&Q) );
|
| - CHECK_MPI_OK( mp_init(&Xj) );
|
| - /*
|
| - * Convert input arguments into MPI integers.
|
| - */
|
| - CHECK_MPI_OK( mp_read_unsigned_octets(&W, w, 2*qLen) );
|
| - CHECK_MPI_OK( mp_read_unsigned_octets(&Q, q, qLen) );
|
| -
|
| - /*
|
| - * Algorithm 1 of FIPS 186-2 Change Notice 1, Step 3.3
|
| - *
|
| - * xj = (w0 || w1) mod q
|
| - */
|
| - CHECK_MPI_OK( mp_mod(&W, &Q, &Xj) );
|
| - CHECK_MPI_OK( mp_to_fixlen_octets(&Xj, xj, qLen) );
|
| -cleanup:
|
| - mp_clear(&W);
|
| - mp_clear(&Q);
|
| - mp_clear(&Xj);
|
| - if (err) {
|
| - MP_TO_SEC_ERROR(err);
|
| - rv = SECFailure;
|
| - }
|
| - return rv;
|
| -}
|
| -
|
| -/*
|
| - * FIPS 186-2 requires result from random output to be reduced mod q when
|
| - * generating random numbers for DSA.
|
| - */
|
| -SECStatus
|
| -FIPS186Change_ReduceModQForDSA(const unsigned char *w,
|
| - const unsigned char *q,
|
| - unsigned char *xj) {
|
| - return fips186Change_ReduceModQForDSA(w, q, DSA1_SUBPRIME_LEN, xj);
|
| -}
|
| -
|
| -/*
|
| - * The core of Algorithm 1 of FIPS 186-2 Change Notice 1.
|
| - *
|
| - * We no longer support FIPS 186-2 RNG. This function was exported
|
| - * for power-up self tests and FIPS tests. Keep this stub, which fails,
|
| - * to prevent crashes, but also to signal to test code that FIPS 186-2
|
| - * RNG is no longer supported.
|
| - */
|
| -SECStatus
|
| -FIPS186Change_GenerateX(PRUint8 *XKEY, const PRUint8 *XSEEDj,
|
| - PRUint8 *x_j)
|
| -{
|
| - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
| - return SECFailure;
|
| -}
|
| -
|
| -/*
|
| - * Specialized RNG for DSA
|
| - *
|
| - * As per Algorithm 1 of FIPS 186-2 Change Notice 1, in step 3.3 the value
|
| - * Xj should be reduced mod q, a 160-bit prime number. Since this parameter
|
| - * is only meaningful in the context of DSA, the above RNG functions
|
| - * were implemented without it. They are re-implemented below for use
|
| - * with DSA.
|
| - */
|
| -
|
| -/*
|
| -** Generate some random bytes, using the global random number generator
|
| -** object. In DSA mode, so there is a q.
|
| -*/
|
| -static SECStatus
|
| -dsa_GenerateGlobalRandomBytes(const SECItem * qItem, PRUint8 * dest,
|
| - unsigned int * destLen, unsigned int maxDestLen)
|
| -{
|
| - SECStatus rv;
|
| - SECItem w;
|
| - const PRUint8 * q = qItem->data;
|
| - unsigned int qLen = qItem->len;
|
| -
|
| - if (*q == 0) {
|
| - ++q;
|
| - --qLen;
|
| - }
|
| - if (maxDestLen < qLen) {
|
| - /* This condition can occur when DSA_SignDigest is passed a group
|
| - with a subprime that is larger than DSA_MAX_SUBPRIME_LEN. */
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| - w.data = NULL; /* otherwise SECITEM_AllocItem asserts */
|
| - if (!SECITEM_AllocItem(NULL, &w, 2*qLen)) {
|
| - return SECFailure;
|
| - }
|
| - *destLen = qLen;
|
| -
|
| - rv = RNG_GenerateGlobalRandomBytes(w.data, w.len);
|
| - if (rv == SECSuccess) {
|
| - rv = fips186Change_ReduceModQForDSA(w.data, q, qLen, dest);
|
| - }
|
| -
|
| - SECITEM_FreeItem(&w, PR_FALSE);
|
| - return rv;
|
| -}
|
| -
|
| -static void translate_mpi_error(mp_err err)
|
| -{
|
| - MP_TO_SEC_ERROR(err);
|
| -}
|
| -
|
| -static SECStatus
|
| -dsa_NewKeyExtended(const PQGParams *params, const SECItem * seed,
|
| - DSAPrivateKey **privKey)
|
| -{
|
| - mp_int p, g;
|
| - mp_int x, y;
|
| - mp_err err;
|
| - PRArenaPool *arena;
|
| - DSAPrivateKey *key;
|
| - /* Check args. */
|
| - if (!params || !privKey || !seed || !seed->data) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| - /* Initialize an arena for the DSA key. */
|
| - arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
|
| - if (!arena) {
|
| - PORT_SetError(SEC_ERROR_NO_MEMORY);
|
| - return SECFailure;
|
| - }
|
| - key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
|
| - if (!key) {
|
| - PORT_SetError(SEC_ERROR_NO_MEMORY);
|
| - PORT_FreeArena(arena, PR_TRUE);
|
| - return SECFailure;
|
| - }
|
| - key->params.arena = arena;
|
| - /* Initialize MPI integers. */
|
| - MP_DIGITS(&p) = 0;
|
| - MP_DIGITS(&g) = 0;
|
| - MP_DIGITS(&x) = 0;
|
| - MP_DIGITS(&y) = 0;
|
| - CHECK_MPI_OK( mp_init(&p) );
|
| - CHECK_MPI_OK( mp_init(&g) );
|
| - CHECK_MPI_OK( mp_init(&x) );
|
| - CHECK_MPI_OK( mp_init(&y) );
|
| - /* Copy over the PQG params */
|
| - CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.prime,
|
| - ¶ms->prime) );
|
| - CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.subPrime,
|
| - ¶ms->subPrime) );
|
| - CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.base, ¶ms->base) );
|
| - /* Convert stored p, g, and received x into MPI integers. */
|
| - SECITEM_TO_MPINT(params->prime, &p);
|
| - SECITEM_TO_MPINT(params->base, &g);
|
| - OCTETS_TO_MPINT(seed->data, &x, seed->len);
|
| - /* Store x in private key */
|
| - SECITEM_AllocItem(arena, &key->privateValue, seed->len);
|
| - PORT_Memcpy(key->privateValue.data, seed->data, seed->len);
|
| - /* Compute public key y = g**x mod p */
|
| - CHECK_MPI_OK( mp_exptmod(&g, &x, &p, &y) );
|
| - /* Store y in public key */
|
| - MPINT_TO_SECITEM(&y, &key->publicValue, arena);
|
| - *privKey = key;
|
| - key = NULL;
|
| -cleanup:
|
| - mp_clear(&p);
|
| - mp_clear(&g);
|
| - mp_clear(&x);
|
| - mp_clear(&y);
|
| - if (key)
|
| - PORT_FreeArena(key->params.arena, PR_TRUE);
|
| - if (err) {
|
| - translate_mpi_error(err);
|
| - return SECFailure;
|
| - }
|
| - return SECSuccess;
|
| -}
|
| -
|
| -SECStatus
|
| -DSA_NewRandom(PLArenaPool * arena, const SECItem * q, SECItem * seed)
|
| -{
|
| - int retries = 10;
|
| - unsigned int i;
|
| - PRBool good;
|
| -
|
| - if (q == NULL || q->data == NULL || q->len == 0 ||
|
| - (q->data[0] == 0 && q->len == 1)) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| -
|
| - if (!SECITEM_AllocItem(arena, seed, q->len)) {
|
| - return SECFailure;
|
| - }
|
| -
|
| - do {
|
| - /* Generate seed bytes for x according to FIPS 186-1 appendix 3 */
|
| - if (dsa_GenerateGlobalRandomBytes(q, seed->data, &seed->len,
|
| - seed->len)) {
|
| - goto loser;
|
| - }
|
| - /* Disallow values of 0 and 1 for x. */
|
| - good = PR_FALSE;
|
| - for (i = 0; i < seed->len-1; i++) {
|
| - if (seed->data[i] != 0) {
|
| - good = PR_TRUE;
|
| - break;
|
| - }
|
| - }
|
| - if (!good && seed->data[i] > 1) {
|
| - good = PR_TRUE;
|
| - }
|
| - } while (!good && --retries > 0);
|
| -
|
| - if (!good) {
|
| - PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
| -loser: if (arena != NULL) {
|
| - SECITEM_FreeItem(seed, PR_FALSE);
|
| - }
|
| - return SECFailure;
|
| - }
|
| -
|
| - return SECSuccess;
|
| -}
|
| -
|
| -/*
|
| -** Generate and return a new DSA public and private key pair,
|
| -** both of which are encoded into a single DSAPrivateKey struct.
|
| -** "params" is a pointer to the PQG parameters for the domain
|
| -** Uses a random seed.
|
| -*/
|
| -SECStatus
|
| -DSA_NewKey(const PQGParams *params, DSAPrivateKey **privKey)
|
| -{
|
| - SECItem seed;
|
| - SECStatus rv;
|
| -
|
| - rv = PQG_Check(params);
|
| - if (rv != SECSuccess) {
|
| - return rv;
|
| - }
|
| - seed.data = NULL;
|
| -
|
| - rv = DSA_NewRandom(NULL, ¶ms->subPrime, &seed);
|
| - if (rv == SECSuccess) {
|
| - if (seed.len != PQG_GetLength(¶ms->subPrime)) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - rv = SECFailure;
|
| - } else {
|
| - rv = dsa_NewKeyExtended(params, &seed, privKey);
|
| - }
|
| - }
|
| - SECITEM_FreeItem(&seed, PR_FALSE);
|
| - return rv;
|
| -}
|
| -
|
| -/* For FIPS compliance testing. Seed must be exactly the size of subPrime */
|
| -SECStatus
|
| -DSA_NewKeyFromSeed(const PQGParams *params,
|
| - const unsigned char *seed,
|
| - DSAPrivateKey **privKey)
|
| -{
|
| - SECItem seedItem;
|
| - seedItem.data = (unsigned char*) seed;
|
| - seedItem.len = PQG_GetLength(¶ms->subPrime);
|
| - return dsa_NewKeyExtended(params, &seedItem, privKey);
|
| -}
|
| -
|
| -static SECStatus
|
| -dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
|
| - const unsigned char *kb)
|
| -{
|
| - mp_int p, q, g; /* PQG parameters */
|
| - mp_int x, k; /* private key & pseudo-random integer */
|
| - mp_int r, s; /* tuple (r, s) is signature) */
|
| - mp_err err = MP_OKAY;
|
| - SECStatus rv = SECSuccess;
|
| - unsigned int dsa_subprime_len, dsa_signature_len, offset;
|
| - SECItem localDigest;
|
| - unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
|
| -
|
| -
|
| - /* FIPS-compliance dictates that digest is a SHA hash. */
|
| - /* Check args. */
|
| - if (!key || !signature || !digest) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| -
|
| - dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
|
| - dsa_signature_len = dsa_subprime_len*2;
|
| - if ((signature->len < dsa_signature_len) ||
|
| - (digest->len > HASH_LENGTH_MAX) ||
|
| - (digest->len < SHA1_LENGTH)) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| -
|
| - /* DSA accepts digests not equal to dsa_subprime_len, if the
|
| - * digests are greater, then they are truncated to the size of
|
| - * dsa_subprime_len, using the left most bits. If they are less
|
| - * then they are padded on the left.*/
|
| - PORT_Memset(localDigestData, 0, dsa_subprime_len);
|
| - offset = (digest->len < dsa_subprime_len) ?
|
| - (dsa_subprime_len - digest->len) : 0;
|
| - PORT_Memcpy(localDigestData+offset, digest->data,
|
| - dsa_subprime_len - offset);
|
| - localDigest.data = localDigestData;
|
| - localDigest.len = dsa_subprime_len;
|
| -
|
| - /* Initialize MPI integers. */
|
| - MP_DIGITS(&p) = 0;
|
| - MP_DIGITS(&q) = 0;
|
| - MP_DIGITS(&g) = 0;
|
| - MP_DIGITS(&x) = 0;
|
| - MP_DIGITS(&k) = 0;
|
| - MP_DIGITS(&r) = 0;
|
| - MP_DIGITS(&s) = 0;
|
| - CHECK_MPI_OK( mp_init(&p) );
|
| - CHECK_MPI_OK( mp_init(&q) );
|
| - CHECK_MPI_OK( mp_init(&g) );
|
| - CHECK_MPI_OK( mp_init(&x) );
|
| - CHECK_MPI_OK( mp_init(&k) );
|
| - CHECK_MPI_OK( mp_init(&r) );
|
| - CHECK_MPI_OK( mp_init(&s) );
|
| - /*
|
| - ** Convert stored PQG and private key into MPI integers.
|
| - */
|
| - SECITEM_TO_MPINT(key->params.prime, &p);
|
| - SECITEM_TO_MPINT(key->params.subPrime, &q);
|
| - SECITEM_TO_MPINT(key->params.base, &g);
|
| - SECITEM_TO_MPINT(key->privateValue, &x);
|
| - OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
|
| - /*
|
| - ** FIPS 186-1, Section 5, Step 1
|
| - **
|
| - ** r = (g**k mod p) mod q
|
| - */
|
| - CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */
|
| - CHECK_MPI_OK( mp_mod(&r, &q, &r) ); /* r = r mod q */
|
| - /*
|
| - ** FIPS 186-1, Section 5, Step 2
|
| - **
|
| - ** s = (k**-1 * (HASH(M) + x*r)) mod q
|
| - */
|
| - SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
|
| - CHECK_MPI_OK( mp_invmod(&k, &q, &k) ); /* k = k**-1 mod q */
|
| - CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) ); /* x = x * r mod q */
|
| - CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) ); /* s = s + x mod q */
|
| - CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) ); /* s = s * k mod q */
|
| - /*
|
| - ** verify r != 0 and s != 0
|
| - ** mentioned as optional in FIPS 186-1.
|
| - */
|
| - if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
|
| - PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
| - rv = SECFailure;
|
| - goto cleanup;
|
| - }
|
| - /*
|
| - ** Step 4
|
| - **
|
| - ** Signature is tuple (r, s)
|
| - */
|
| - err = mp_to_fixlen_octets(&r, signature->data, dsa_subprime_len);
|
| - if (err < 0) goto cleanup;
|
| - err = mp_to_fixlen_octets(&s, signature->data + dsa_subprime_len,
|
| - dsa_subprime_len);
|
| - if (err < 0) goto cleanup;
|
| - err = MP_OKAY;
|
| - signature->len = dsa_signature_len;
|
| -cleanup:
|
| - PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
|
| - mp_clear(&p);
|
| - mp_clear(&q);
|
| - mp_clear(&g);
|
| - mp_clear(&x);
|
| - mp_clear(&k);
|
| - mp_clear(&r);
|
| - mp_clear(&s);
|
| - if (err) {
|
| - translate_mpi_error(err);
|
| - rv = SECFailure;
|
| - }
|
| - return rv;
|
| -}
|
| -
|
| -/* signature is caller-supplied buffer of at least 40 bytes.
|
| -** On input, signature->len == size of buffer to hold signature.
|
| -** digest->len == size of digest.
|
| -** On output, signature->len == size of signature in buffer.
|
| -** Uses a random seed.
|
| -*/
|
| -SECStatus
|
| -DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest)
|
| -{
|
| - SECStatus rv;
|
| - int retries = 10;
|
| - unsigned char kSeed[DSA_MAX_SUBPRIME_LEN];
|
| - unsigned int kSeedLen = 0;
|
| - unsigned int i;
|
| - unsigned int dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
|
| - PRBool good;
|
| -
|
| - PORT_SetError(0);
|
| - do {
|
| - rv = dsa_GenerateGlobalRandomBytes(&key->params.subPrime,
|
| - kSeed, &kSeedLen, sizeof kSeed);
|
| - if (rv != SECSuccess)
|
| - break;
|
| - if (kSeedLen != dsa_subprime_len) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - rv = SECFailure;
|
| - break;
|
| - }
|
| - /* Disallow a value of 0 for k. */
|
| - good = PR_FALSE;
|
| - for (i = 0; i < kSeedLen; i++) {
|
| - if (kSeed[i] != 0) {
|
| - good = PR_TRUE;
|
| - break;
|
| - }
|
| - }
|
| - if (!good) {
|
| - PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
| - rv = SECFailure;
|
| - continue;
|
| - }
|
| - rv = dsa_SignDigest(key, signature, digest, kSeed);
|
| - } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
|
| - --retries > 0);
|
| - return rv;
|
| -}
|
| -
|
| -/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
|
| -SECStatus
|
| -DSA_SignDigestWithSeed(DSAPrivateKey * key,
|
| - SECItem * signature,
|
| - const SECItem * digest,
|
| - const unsigned char * seed)
|
| -{
|
| - SECStatus rv;
|
| - rv = dsa_SignDigest(key, signature, digest, seed);
|
| - return rv;
|
| -}
|
| -
|
| -/* signature is caller-supplied buffer of at least 20 bytes.
|
| -** On input, signature->len == size of buffer to hold signature.
|
| -** digest->len == size of digest.
|
| -*/
|
| -SECStatus
|
| -DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature,
|
| - const SECItem *digest)
|
| -{
|
| - /* FIPS-compliance dictates that digest is a SHA hash. */
|
| - mp_int p, q, g; /* PQG parameters */
|
| - mp_int r_, s_; /* tuple (r', s') is received signature) */
|
| - mp_int u1, u2, v, w; /* intermediate values used in verification */
|
| - mp_int y; /* public key */
|
| - mp_err err;
|
| - int dsa_subprime_len, dsa_signature_len, offset;
|
| - SECItem localDigest;
|
| - unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
|
| - SECStatus verified = SECFailure;
|
| -
|
| - /* Check args. */
|
| - if (!key || !signature || !digest ) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| -
|
| - dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
|
| - dsa_signature_len = dsa_subprime_len*2;
|
| - if ((signature->len != dsa_signature_len) ||
|
| - (digest->len > HASH_LENGTH_MAX) ||
|
| - (digest->len < SHA1_LENGTH)) {
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| - }
|
| -
|
| - /* DSA accepts digests not equal to dsa_subprime_len, if the
|
| - * digests are greater, than they are truncated to the size of
|
| - * dsa_subprime_len, using the left most bits. If they are less
|
| - * then they are padded on the left.*/
|
| - PORT_Memset(localDigestData, 0, dsa_subprime_len);
|
| - offset = (digest->len < dsa_subprime_len) ?
|
| - (dsa_subprime_len - digest->len) : 0;
|
| - PORT_Memcpy(localDigestData+offset, digest->data,
|
| - dsa_subprime_len - offset);
|
| - localDigest.data = localDigestData;
|
| - localDigest.len = dsa_subprime_len;
|
| -
|
| - /* Initialize MPI integers. */
|
| - MP_DIGITS(&p) = 0;
|
| - MP_DIGITS(&q) = 0;
|
| - MP_DIGITS(&g) = 0;
|
| - MP_DIGITS(&y) = 0;
|
| - MP_DIGITS(&r_) = 0;
|
| - MP_DIGITS(&s_) = 0;
|
| - MP_DIGITS(&u1) = 0;
|
| - MP_DIGITS(&u2) = 0;
|
| - MP_DIGITS(&v) = 0;
|
| - MP_DIGITS(&w) = 0;
|
| - CHECK_MPI_OK( mp_init(&p) );
|
| - CHECK_MPI_OK( mp_init(&q) );
|
| - CHECK_MPI_OK( mp_init(&g) );
|
| - CHECK_MPI_OK( mp_init(&y) );
|
| - CHECK_MPI_OK( mp_init(&r_) );
|
| - CHECK_MPI_OK( mp_init(&s_) );
|
| - CHECK_MPI_OK( mp_init(&u1) );
|
| - CHECK_MPI_OK( mp_init(&u2) );
|
| - CHECK_MPI_OK( mp_init(&v) );
|
| - CHECK_MPI_OK( mp_init(&w) );
|
| - /*
|
| - ** Convert stored PQG and public key into MPI integers.
|
| - */
|
| - SECITEM_TO_MPINT(key->params.prime, &p);
|
| - SECITEM_TO_MPINT(key->params.subPrime, &q);
|
| - SECITEM_TO_MPINT(key->params.base, &g);
|
| - SECITEM_TO_MPINT(key->publicValue, &y);
|
| - /*
|
| - ** Convert received signature (r', s') into MPI integers.
|
| - */
|
| - OCTETS_TO_MPINT(signature->data, &r_, dsa_subprime_len);
|
| - OCTETS_TO_MPINT(signature->data + dsa_subprime_len, &s_, dsa_subprime_len);
|
| - /*
|
| - ** Verify that 0 < r' < q and 0 < s' < q
|
| - */
|
| - if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
|
| - mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) {
|
| - /* err is zero here. */
|
| - PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
| - goto cleanup; /* will return verified == SECFailure */
|
| - }
|
| - /*
|
| - ** FIPS 186-1, Section 6, Step 1
|
| - **
|
| - ** w = (s')**-1 mod q
|
| - */
|
| - CHECK_MPI_OK( mp_invmod(&s_, &q, &w) ); /* w = (s')**-1 mod q */
|
| - /*
|
| - ** FIPS 186-1, Section 6, Step 2
|
| - **
|
| - ** u1 = ((Hash(M')) * w) mod q
|
| - */
|
| - SECITEM_TO_MPINT(localDigest, &u1); /* u1 = HASH(M') */
|
| - CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */
|
| - /*
|
| - ** FIPS 186-1, Section 6, Step 3
|
| - **
|
| - ** u2 = ((r') * w) mod q
|
| - */
|
| - CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) );
|
| - /*
|
| - ** FIPS 186-1, Section 6, Step 4
|
| - **
|
| - ** v = ((g**u1 * y**u2) mod p) mod q
|
| - */
|
| - CHECK_MPI_OK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */
|
| - CHECK_MPI_OK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */
|
| - CHECK_MPI_OK( mp_mulmod(&g, &y, &p, &v) ); /* v = g * y mod p */
|
| - CHECK_MPI_OK( mp_mod(&v, &q, &v) ); /* v = v mod q */
|
| - /*
|
| - ** Verification: v == r'
|
| - */
|
| - if (mp_cmp(&v, &r_)) {
|
| - PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
| - verified = SECFailure; /* Signature failed to verify. */
|
| - } else {
|
| - verified = SECSuccess; /* Signature verified. */
|
| - }
|
| -cleanup:
|
| - mp_clear(&p);
|
| - mp_clear(&q);
|
| - mp_clear(&g);
|
| - mp_clear(&y);
|
| - mp_clear(&r_);
|
| - mp_clear(&s_);
|
| - mp_clear(&u1);
|
| - mp_clear(&u2);
|
| - mp_clear(&v);
|
| - mp_clear(&w);
|
| - if (err) {
|
| - translate_mpi_error(err);
|
| - }
|
| - return verified;
|
| -}
|
|
|
Chromium Code Reviews
Issue 14249009:
Change the NSS and NSPR source tree to the new directory structure to be (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/