/* Check that right shifting actually works for an amount larger than
the number of bits per limb. */
static void
test_rshift (int pass)
{
gcry_mpi_t a, b;
char *result, *result2;
int i;
wherestr = "test_rshift";
show ("checking that rshift works as expected (pass %d)\n", pass);
a = gcry_mpi_new (0);
b = gcry_mpi_new (0);
gcry_mpi_randomize (a, 70, GCRY_WEAK_RANDOM);
for (i=0; i < 75; i++)
{
gcry_mpi_rshift (b, a, i);
result = mpi2bitstr (b, 72);
result2 = mpi2bitstr (a, 72);
rshiftbitstring (result2, i);
if (strcmp (result, result2))
{
show ("got =%s\n", result);
show ("want=%s\n", result2);
fail ("rshift by %d failed\n", i);
}
xfree (result);
xfree (result2);
}
/* Again. This time using in-place operation. */
gcry_mpi_randomize (a, 70, GCRY_WEAK_RANDOM);
for (i=0; i < 75; i++)
{
gcry_mpi_release (b);
b = gcry_mpi_copy (a);
gcry_mpi_rshift (b, b, i);
result = mpi2bitstr (b, 72);
result2 = mpi2bitstr (a, 72);
rshiftbitstring (result2, i);
if (strcmp (result, result2))
{
show ("got =%s\n", result);
show ("want=%s\n", result2);
fail ("in-place rshift by %d failed\n", i);
}
xfree (result2);
xfree (result);
}
gcry_mpi_release (b);
gcry_mpi_release (a);
}
/* Connert the bit string BITS of length NBITS into an octet string
with a length of (QBITS+7)/8 bytes. On success store the result at
R_FRAME. */
static gpg_err_code_t
bits2octets (unsigned char **r_frame,
const void *bits, unsigned int nbits,
gcry_mpi_t q, unsigned int qbits)
{
gpg_err_code_t rc;
gcry_mpi_t z1;
/* z1 = bits2int (b) */
rc = gpg_err_code (gcry_mpi_scan (&z1, GCRYMPI_FMT_USG,
bits, (nbits+7)/8, NULL));
if (rc)
return rc;
if (nbits > qbits)
gcry_mpi_rshift (z1, z1, nbits - qbits);
/* z2 - z1 mod q */
if (mpi_cmp (z1, q) >= 0)
mpi_sub (z1, z1, q);
/* Convert to an octet string. */
rc = int2octets (r_frame, z1, (qbits+7)/8);
mpi_free (z1);
return rc;
}
/*
* Shift A by N bits to the left.
*/
void
gcry_mpi_lshift ( gcry_mpi_t x, gcry_mpi_t a, unsigned int n )
{
unsigned int nlimbs = (n/BITS_PER_MPI_LIMB);
unsigned int nbits = (n%BITS_PER_MPI_LIMB);
if (x == a && !n)
return; /* In-place shift with an amount of zero. */
if ( x != a )
{
/* Copy A to X. */
unsigned int alimbs = a->nlimbs;
int asign = a->sign;
mpi_ptr_t xp, ap;
RESIZE_IF_NEEDED (x, alimbs+nlimbs+1);
xp = x->d;
ap = a->d;
MPN_COPY (xp, ap, alimbs);
x->nlimbs = alimbs;
x->flags = a->flags;
x->sign = asign;
}
if (nlimbs && !nbits)
{
/* Shift a full number of limbs. */
_gcry_mpi_lshift_limbs (x, nlimbs);
}
else if (n)
{
/* We use a very dump approach: Shift left by the number of
limbs plus one and than fix it up by an rshift. */
_gcry_mpi_lshift_limbs (x, nlimbs+1);
gcry_mpi_rshift (x, x, BITS_PER_MPI_LIMB - nbits);
}
MPN_NORMALIZE (x->d, x->nlimbs);
}
/* Compute an ECDSA signature.
* Return the signature struct (r,s) from the message hash. The caller
* must have allocated R and S.
*/
gpg_err_code_t
_gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
gcry_mpi_t r, gcry_mpi_t s,
int flags, int hashalgo)
{
gpg_err_code_t err = 0;
int extraloops = 0;
gcry_mpi_t k, dr, sum, k_1, x;
mpi_point_struct I;
gcry_mpi_t hash;
const void *abuf;
unsigned int abits, qbits;
mpi_ec_t ctx;
if (DBG_CIPHER)
log_mpidump ("ecdsa sign hash ", input );
qbits = mpi_get_nbits (skey->E.n);
/* Convert the INPUT into an MPI if needed. */
if (mpi_is_opaque (input))
{
abuf = gcry_mpi_get_opaque (input, &abits);
err = gpg_err_code (gcry_mpi_scan (&hash, GCRYMPI_FMT_USG,
abuf, (abits+7)/8, NULL));
if (err)
return err;
if (abits > qbits)
gcry_mpi_rshift (hash, hash, abits - qbits);
}
else
hash = input;
k = NULL;
dr = mpi_alloc (0);
sum = mpi_alloc (0);
k_1 = mpi_alloc (0);
x = mpi_alloc (0);
point_init (&I);
ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect,
skey->E.p, skey->E.a, skey->E.b);
/* Two loops to avoid R or S are zero. This is more of a joke than
a real demand because the probability of them being zero is less
than any hardware failure. Some specs however require it. */
do
{
do
{
mpi_free (k);
k = NULL;
if ((flags & PUBKEY_FLAG_RFC6979) && hashalgo)
{
/* Use Pornin's method for deterministic DSA. If this
flag is set, it is expected that HASH is an opaque
MPI with the to be signed hash. That hash is also
used as h1 from 3.2.a. */
if (!mpi_is_opaque (input))
{
err = GPG_ERR_CONFLICT;
goto leave;
}
abuf = gcry_mpi_get_opaque (input, &abits);
err = _gcry_dsa_gen_rfc6979_k (&k, skey->E.n, skey->d,
abuf, (abits+7)/8,
hashalgo, extraloops);
if (err)
goto leave;
extraloops++;
}
else
k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
{
if (DBG_CIPHER)
log_debug ("ecc sign: Failed to get affine coordinates\n");
err = GPG_ERR_BAD_SIGNATURE;
goto leave;
}
mpi_mod (r, x, skey->E.n); /* r = x mod n */
}
while (!mpi_cmp_ui (r, 0));
mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */
mpi_addm (sum, hash, dr, skey->E.n); /* sum = hash + (d*r) mod n */
mpi_invm (k_1, k, skey->E.n); /* k_1 = k^(-1) mod n */
mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */
}
while (!mpi_cmp_ui (s, 0));
if (DBG_CIPHER)
{
log_mpidump ("ecdsa sign result r ", r);
log_mpidump ("ecdsa sign result s ", s);
}
leave:
_gcry_mpi_ec_free (ctx);
point_free (&I);
mpi_free (x);
mpi_free (k_1);
mpi_free (sum);
mpi_free (dr);
mpi_free (k);
if (hash != input)
mpi_free (hash);
return err;
}
/*
* Generate a deterministic secret exponent K less than DSA_Q. H1 is
* the to be signed digest with a length of HLEN bytes. HALGO is the
* algorithm used to create the hash. On success the value for K is
* stored at R_K.
*/
gpg_err_code_t
_gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
const unsigned char *h1, unsigned int hlen,
int halgo, unsigned int extraloops)
{
gpg_err_code_t rc;
unsigned char *V = NULL;
unsigned char *K = NULL;
unsigned char *x_buf = NULL;
unsigned char *h1_buf = NULL;
gcry_md_hd_t hd = NULL;
unsigned char *t = NULL;
gcry_mpi_t k = NULL;
unsigned int tbits, qbits;
int i;
qbits = mpi_get_nbits (dsa_q);
if (!qbits || !h1 || !hlen)
return GPG_ERR_EINVAL;
if (gcry_md_get_algo_dlen (halgo) != hlen)
return GPG_ERR_DIGEST_ALGO;
/* Step b: V = 0x01 0x01 0x01 ... 0x01 */
V = gcry_malloc (hlen);
if (!V)
{
rc = gpg_err_code_from_syserror ();
goto leave;
}
for (i=0; i < hlen; i++)
V[i] = 1;
/* Step c: K = 0x00 0x00 0x00 ... 0x00 */
K = gcry_calloc (1, hlen);
if (!K)
{
rc = gpg_err_code_from_syserror ();
goto leave;
}
rc = int2octets (&x_buf, dsa_x, (qbits+7)/8);
if (rc)
goto leave;
rc = bits2octets (&h1_buf, h1, hlen*8, dsa_q, qbits);
if (rc)
goto leave;
/* Create a handle to compute the HMACs. */
rc = gpg_err_code (gcry_md_open (&hd, halgo,
(GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC)));
if (rc)
goto leave;
/* Step d: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
gcry_md_write (hd, "", 1);
gcry_md_write (hd, x_buf, (qbits+7)/8);
gcry_md_write (hd, h1_buf, (qbits+7)/8);
memcpy (K, gcry_md_read (hd, 0), hlen);
/* Step e: V = HMAC_K(V) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
memcpy (V, gcry_md_read (hd, 0), hlen);
/* Step f: K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
gcry_md_write (hd, "\x01", 1);
gcry_md_write (hd, x_buf, (qbits+7)/8);
gcry_md_write (hd, h1_buf, (qbits+7)/8);
memcpy (K, gcry_md_read (hd, 0), hlen);
/* Step g: V = HMAC_K(V) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
memcpy (V, gcry_md_read (hd, 0), hlen);
/* Step h. */
t = gcry_malloc ((qbits+7)/8+hlen);
if (!t)
{
rc = gpg_err_code_from_syserror ();
goto leave;
}
again:
for (tbits = 0; tbits < qbits;)
{
/* V = HMAC_K(V) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
memcpy (V, gcry_md_read (hd, 0), hlen);
/* T = T || V */
memcpy (t+(tbits+7)/8, V, hlen);
tbits += 8*hlen;
}
/* k = bits2int (T) */
mpi_free (k);
k = NULL;
rc = gpg_err_code (gcry_mpi_scan (&k, GCRYMPI_FMT_USG, t, (tbits+7)/8, NULL));
if (rc)
goto leave;
if (tbits > qbits)
gcry_mpi_rshift (k, k, tbits - qbits);
/* Check: k < q and k > 1 */
if (!(mpi_cmp (k, dsa_q) < 0 && mpi_cmp_ui (k, 0) > 0))
{
/* K = HMAC_K(V || 0x00) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
gcry_md_write (hd, "", 1);
memcpy (K, gcry_md_read (hd, 0), hlen);
/* V = HMAC_K(V) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
memcpy (V, gcry_md_read (hd, 0), hlen);
goto again;
}
/* The caller may have requested that we introduce some extra loops.
This is for example useful if the caller wants another value for
K because the last returned one yielded an R of 0. Becuase this
is very unlikely we implement it in a straightforward way. */
if (extraloops)
{
extraloops--;
/* K = HMAC_K(V || 0x00) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
gcry_md_write (hd, "", 1);
memcpy (K, gcry_md_read (hd, 0), hlen);
/* V = HMAC_K(V) */
rc = gpg_err_code (gcry_md_setkey (hd, K, hlen));
if (rc)
goto leave;
gcry_md_write (hd, V, hlen);
memcpy (V, gcry_md_read (hd, 0), hlen);
goto again;
}
/* log_mpidump (" k", k); */
leave:
gcry_free (t);
gcry_md_close (hd);
gcry_free (h1_buf);
gcry_free (x_buf);
gcry_free (K);
gcry_free (V);
if (rc)
mpi_free (k);
else
*r_k = k;
return rc;
}
