1 // SPDX-License-Identifier: BSD-2-Clause
2 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3  *
4  * LibTomCrypt is a library that provides various cryptographic
5  * algorithms in a highly modular and flexible manner.
6  *
7  * The library is free for all purposes without any express
8  * guarantee it works.
9  */
10 #include "tomcrypt_private.h"
11 
12 /**
13    @file dsa_verify_hash.c
14    DSA implementation, verify a signature, Tom St Denis
15 */
16 
17 
18 #ifdef LTC_MDSA
19 
20 /**
21   Verify a DSA signature
22   @param r        DSA "r" parameter
23   @param s        DSA "s" parameter
24   @param hash     The hash that was signed
25   @param hashlen  The length of the hash that was signed
26   @param stat     [out] The result of the signature verification, 1==valid, 0==invalid
27   @param key      The corresponding public DSA key
28   @return CRYPT_OK if successful (even if the signature is invalid)
29 */
dsa_verify_hash_raw(void * r,void * s,const unsigned char * hash,unsigned long hashlen,int * stat,const dsa_key * key)30 int dsa_verify_hash_raw(         void   *r,          void   *s,
31                     const unsigned char *hash, unsigned long hashlen,
32                                     int *stat, const dsa_key *key)
33 {
34    void          *w, *v, *u1, *u2;
35    int           err;
36 
37    LTC_ARGCHK(r    != NULL);
38    LTC_ARGCHK(s    != NULL);
39    LTC_ARGCHK(stat != NULL);
40    LTC_ARGCHK(key  != NULL);
41 
42    /* default to invalid signature */
43    *stat = 0;
44 
45    /* init our variables */
46    if ((err = mp_init_multi(&w, &v, &u1, &u2, NULL)) != CRYPT_OK) {
47       return err;
48    }
49 
50    /* neither r or s can be null or >q*/
51    if (mp_cmp_d(r, 0) != LTC_MP_GT || mp_cmp_d(s, 0) != LTC_MP_GT || mp_cmp(r, key->q) != LTC_MP_LT || mp_cmp(s, key->q) != LTC_MP_LT) {
52       err = CRYPT_INVALID_PACKET;
53       goto error;
54    }
55 
56    /* FIPS 186-4 4.7: use leftmost min(bitlen(q), bitlen(hash)) bits of 'hash' */
57    hashlen = MIN(hashlen, (unsigned long)(key->qord));
58 
59    /* w = 1/s mod q */
60    if ((err = mp_invmod(s, key->q, w)) != CRYPT_OK)                                       { goto error; }
61 
62    /* u1 = m * w mod q */
63    if ((err = mp_read_unsigned_bin(u1, (unsigned char *)hash, hashlen)) != CRYPT_OK)      { goto error; }
64    if ((err = mp_mulmod(u1, w, key->q, u1)) != CRYPT_OK)                                  { goto error; }
65 
66    /* u2 = r*w mod q */
67    if ((err = mp_mulmod(r, w, key->q, u2)) != CRYPT_OK)                                   { goto error; }
68 
69    /* v = g^u1 * y^u2 mod p mod q */
70    if ((err = mp_exptmod(key->g, u1, key->p, u1)) != CRYPT_OK)                            { goto error; }
71    if ((err = mp_exptmod(key->y, u2, key->p, u2)) != CRYPT_OK)                            { goto error; }
72    if ((err = mp_mulmod(u1, u2, key->p, v)) != CRYPT_OK)                                  { goto error; }
73    if ((err = mp_mod(v, key->q, v)) != CRYPT_OK)                                          { goto error; }
74 
75    /* if r = v then we're set */
76    if (mp_cmp(r, v) == LTC_MP_EQ) {
77       *stat = 1;
78    }
79 
80    err = CRYPT_OK;
81 error:
82    mp_clear_multi(w, v, u1, u2, NULL);
83    return err;
84 }
85 
86 /**
87   Verify a DSA signature
88   @param sig      The signature
89   @param siglen   The length of the signature (octets)
90   @param hash     The hash that was signed
91   @param hashlen  The length of the hash that was signed
92   @param stat     [out] The result of the signature verification, 1==valid, 0==invalid
93   @param key      The corresponding public DSA key
94   @return CRYPT_OK if successful (even if the signature is invalid)
95 */
dsa_verify_hash(const unsigned char * sig,unsigned long siglen,const unsigned char * hash,unsigned long hashlen,int * stat,const dsa_key * key)96 int dsa_verify_hash(const unsigned char *sig,        unsigned long  siglen,
97                     const unsigned char *hash,       unsigned long  hashlen,
98                           int           *stat, const dsa_key       *key)
99 {
100    int    err;
101    void   *r, *s;
102    ltc_asn1_list sig_seq[2];
103    unsigned long reallen = 0;
104 
105    LTC_ARGCHK(stat != NULL);
106    *stat = 0; /* must be set before the first return */
107 
108    if ((err = mp_init_multi(&r, &s, NULL)) != CRYPT_OK) {
109       return err;
110    }
111 
112    LTC_SET_ASN1(sig_seq, 0, LTC_ASN1_INTEGER, r, 1UL);
113    LTC_SET_ASN1(sig_seq, 1, LTC_ASN1_INTEGER, s, 1UL);
114 
115    err = der_decode_sequence_strict(sig, siglen, sig_seq, 2);
116    if (err != CRYPT_OK) {
117       goto LBL_ERR;
118    }
119 
120    err = der_length_sequence(sig_seq, 2, &reallen);
121    if (err != CRYPT_OK || reallen != siglen) {
122       goto LBL_ERR;
123    }
124 
125    /* do the op */
126    err = dsa_verify_hash_raw(r, s, hash, hashlen, stat, key);
127 
128 LBL_ERR:
129    mp_clear_multi(r, s, NULL);
130    return err;
131 }
132 
133 #endif
134 
135 
136 /* ref:         $Format:%D$ */
137 /* git commit:  $Format:%H$ */
138 /* commit time: $Format:%ai$ */
139