1/* fips_dsa_sign.c */ 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2007. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2007 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59#include <string.h> 60#include <openssl/evp.h> 61#include <openssl/dsa.h> 62#include <openssl/err.h> 63#include <openssl/sha.h> 64#include <openssl/bn.h> 65 66#ifdef OPENSSL_FIPS 67 68/* FIPS versions of DSA_sign() and DSA_verify(). 69 * These include a tiny ASN1 encoder/decoder to handle the specific 70 * case of a DSA signature. 71 */ 72 73#if 0 74int FIPS_dsa_size(DSA *r) 75 { 76 int ilen; 77 ilen = BN_num_bytes(r->q); 78 if (ilen > 20) 79 return -1; 80 /* If MSB set need padding byte */ 81 ilen ++; 82 /* Also need 2 bytes INTEGER header for r and s plus 83 * 2 bytes SEQUENCE header making 6 in total. 84 */ 85 return ilen * 2 + 6; 86 } 87#endif 88 89/* Tiny ASN1 encoder for DSA_SIG structure. We can assume r, s smaller than 90 * 0x80 octets as by the DSA standards they will be less than 2^160 91 */ 92 93int FIPS_dsa_sig_encode(unsigned char *out, DSA_SIG *sig) 94 { 95 int rlen, slen, rpad, spad, seqlen; 96 rlen = BN_num_bytes(sig->r); 97 if (rlen > 20) 98 return -1; 99 if (BN_num_bits(sig->r) & 0x7) 100 rpad = 0; 101 else 102 rpad = 1; 103 slen = BN_num_bytes(sig->s); 104 if (slen > 20) 105 return -1; 106 if (BN_num_bits(sig->s) & 0x7) 107 spad = 0; 108 else 109 spad = 1; 110 /* Length of SEQUENCE, (1 tag + 1 len octet) * 2 + content octets */ 111 seqlen = rlen + rpad + slen + spad + 4; 112 /* Actual encoded length: include SEQUENCE header */ 113 if (!out) 114 return seqlen + 2; 115 116 /* Output SEQUENCE header */ 117 *out++ = V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED; 118 *out++ = (unsigned char)seqlen; 119 120 /* Output r */ 121 *out++ = V_ASN1_INTEGER; 122 *out++ = (unsigned char)(rlen + rpad); 123 if (rpad) 124 *out++ = 0; 125 BN_bn2bin(sig->r, out); 126 out += rlen; 127 128 /* Output s */ 129 *out++ = V_ASN1_INTEGER; 130 *out++ = (unsigned char)(slen + spad); 131 if (spad) 132 *out++ = 0; 133 BN_bn2bin(sig->s, out); 134 return seqlen + 2; 135 } 136 137/* Companion DSA_SIG decoder */ 138 139int FIPS_dsa_sig_decode(DSA_SIG *sig, const unsigned char *in, int inlen) 140 { 141 int seqlen, rlen, slen; 142 const unsigned char *rbin; 143 /* Sanity check */ 144 145 /* Need SEQUENCE tag */ 146 if (*in++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) 147 return 0; 148 /* Get length octet */ 149 seqlen = *in++; 150 /* Check sensible length value */ 151 if (seqlen < 4 || seqlen > 0x7F) 152 return 0; 153 /* Check INTEGER tag */ 154 if (*in++ != V_ASN1_INTEGER) 155 return 0; 156 rlen = *in++; 157 seqlen -= 2 + rlen; 158 /* Check sensible seqlen value */ 159 if (seqlen < 2) 160 return 0; 161 rbin = in; 162 in += rlen; 163 /* Check INTEGER tag */ 164 if (*in++ != V_ASN1_INTEGER) 165 return 0; 166 slen = *in++; 167 /* Remaining bytes of SEQUENCE should exactly match 168 * encoding of s 169 */ 170 if (seqlen != (slen + 2)) 171 return 0; 172 if (!sig->r && !(sig->r = BN_new())) 173 return 0; 174 if (!sig->s && !(sig->s = BN_new())) 175 return 0; 176 if (!BN_bin2bn(rbin, rlen, sig->r)) 177 return 0; 178 if (!BN_bin2bn(in, slen, sig->s)) 179 return 0; 180 return 1; 181 } 182 183static int fips_dsa_sign(int type, const unsigned char *x, int y, 184 unsigned char *sig, unsigned int *siglen, EVP_MD_SVCTX *sv) 185 { 186 DSA *dsa = sv->key; 187 unsigned char dig[EVP_MAX_MD_SIZE]; 188 unsigned int dlen; 189 DSA_SIG *s; 190 EVP_DigestFinal_ex(sv->mctx, dig, &dlen); 191 s=dsa->meth->dsa_do_sign(dig,dlen,dsa); 192 OPENSSL_cleanse(dig, dlen); 193 if (s == NULL) 194 { 195 *siglen=0; 196 return 0; 197 } 198 *siglen= FIPS_dsa_sig_encode(sig, s); 199 DSA_SIG_free(s); 200 if (*siglen < 0) 201 return 0; 202 return 1; 203 } 204 205static int fips_dsa_verify(int type, const unsigned char *x, int y, 206 const unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv) 207 { 208 DSA *dsa = sv->key; 209 DSA_SIG *s; 210 int ret=-1; 211 unsigned char dig[EVP_MAX_MD_SIZE]; 212 unsigned int dlen; 213 214 s = DSA_SIG_new(); 215 if (s == NULL) 216 return ret; 217 if (!FIPS_dsa_sig_decode(s,sigbuf,siglen)) 218 goto err; 219 EVP_DigestFinal_ex(sv->mctx, dig, &dlen); 220 ret=dsa->meth->dsa_do_verify(dig,dlen,s,dsa); 221 OPENSSL_cleanse(dig, dlen); 222err: 223 DSA_SIG_free(s); 224 return ret; 225 } 226 227static int init(EVP_MD_CTX *ctx) 228 { return SHA1_Init(ctx->md_data); } 229 230static int update(EVP_MD_CTX *ctx,const void *data,size_t count) 231 { return SHA1_Update(ctx->md_data,data,count); } 232 233static int final(EVP_MD_CTX *ctx,unsigned char *md) 234 { return SHA1_Final(md,ctx->md_data); } 235 236static const EVP_MD dss1_md= 237 { 238 NID_dsa, 239 NID_dsaWithSHA1, 240 SHA_DIGEST_LENGTH, 241 EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, 242 init, 243 update, 244 final, 245 NULL, 246 NULL, 247 (evp_sign_method *)fips_dsa_sign, 248 (evp_verify_method *)fips_dsa_verify, 249 {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3, EVP_PKEY_DSA4,0}, 250 SHA_CBLOCK, 251 sizeof(EVP_MD *)+sizeof(SHA_CTX), 252 }; 253 254const EVP_MD *EVP_dss1(void) 255 { 256 return(&dss1_md); 257 } 258#endif 259