1 /**********************************************************************
3 * Copyright (c) 2005-2006 Cryptocom LTD *
4 * This file is distributed under the same license as OpenSSL *
6 * Implementation of GOST R 34.10-94 signature algorithm *
8 * Requires OpenSSL 0.9.9 for compilation *
9 **********************************************************************/
11 #include <openssl/rand.h>
12 #include <openssl/bn.h>
13 #include <openssl/dsa.h>
14 #include <openssl/evp.h>
15 #include <openssl/err.h>
17 #include "gost_params.h"
19 #include "e_gost_err.h"
22 void dump_signature(const char *message, const unsigned char *buffer,
26 fprintf(stderr, "signature %s Length=%d", message, len);
27 for (i = 0; i < len; i++) {
30 fprintf(stderr, " %02x", buffer[i]);
32 fprintf(stderr, "\nEnd of signature\n");
35 void dump_dsa_sig(const char *message, DSA_SIG *sig)
37 fprintf(stderr, "%s\nR=", message);
38 BN_print_fp(stderr, sig->r);
39 fprintf(stderr, "\nS=");
40 BN_print_fp(stderr, sig->s);
41 fprintf(stderr, "\n");
46 # define dump_signature(a,b,c)
47 # define dump_dsa_sig(a,b)
51 * Computes signature and returns it as DSA_SIG structure
53 DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
55 BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;
56 DSA_SIG *newsig = NULL, *ret = NULL;
58 /* check if H(M) mod q is zero */
61 OPENSSL_assert(dgst != NULL && dsa != NULL && dlen == 32);
65 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
70 md = hashsum2bn(dgst, dlen);
71 newsig = DSA_SIG_new();
73 GOSTerr(GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY);
76 tmp = BN_CTX_get(ctx);
78 tmp2 = BN_CTX_get(ctx);
79 if (!tmp || !k || !tmp2) {
80 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
83 BN_mod(tmp, md, dsa->q, ctx);
84 if (BN_is_zero(tmp)) {
90 * Generate random number k less than q
92 BN_rand_range(k, dsa->q);
93 /* generate r = (a^x mod p) mod q */
94 BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx);
98 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
102 BN_mod(newsig->r, tmp, dsa->q, ctx);
104 while (BN_is_zero(newsig->r));
105 /* generate s = (xr + k(Hm)) mod q */
106 BN_mod_mul(tmp, dsa->priv_key, newsig->r, dsa->q, ctx);
107 BN_mod_mul(tmp2, k, md, dsa->q, ctx);
109 newsig->s = BN_new();
111 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
115 BN_mod_add(newsig->s, tmp, tmp2, dsa->q, ctx);
117 while (BN_is_zero(newsig->s));
125 if (!ret && newsig) {
126 DSA_SIG_free(newsig);
132 * Packs signature according to Cryptocom rules
133 * and frees up DSA_SIG structure
136 int pack_sign_cc(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen)
139 memset(sig,0,*siglen);
140 store_bignum(s->r, sig,order);
141 store_bignum(s->s, sig + order,order);
142 dump_signature("serialized",sig,*siglen);
148 * Packs signature according to Cryptopro rules
149 * and frees up DSA_SIG structure
151 int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen)
154 memset(sig, 0, *siglen);
155 store_bignum(s->s, sig, order);
156 store_bignum(s->r, sig + order, order);
157 dump_signature("serialized", sig, *siglen);
163 * Verifies signature passed as DSA_SIG structure
167 int gost_do_verify(const unsigned char *dgst, int dgst_len,
168 DSA_SIG *sig, DSA *dsa)
170 BIGNUM *md = NULL, *tmp = NULL;
172 BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL;
173 BIGNUM *tmp2 = NULL, *tmp3 = NULL;
177 OPENSSL_assert(dgst != NULL && dgst_len == 32 && sig != NULL && dsa != NULL);
178 if (BN_cmp(sig->s, dsa->q) >= 1 || BN_cmp(sig->r, dsa->q) >= 1) {
179 GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
185 GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE);
191 md = hashsum2bn(dgst, dgst_len);
192 tmp = BN_CTX_get(ctx);
194 q2 = BN_CTX_get(ctx);
195 z1 = BN_CTX_get(ctx);
196 z2 = BN_CTX_get(ctx);
197 tmp2 = BN_CTX_get(ctx);
198 tmp3 = BN_CTX_get(ctx);
200 if (!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) {
201 GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE);
205 BN_mod(tmp, md, dsa->q, ctx);
206 if (BN_is_zero(tmp)) {
211 BN_mod_exp(v, md, q2, dsa->q, ctx);
212 BN_mod_mul(z1, sig->s, v, dsa->q, ctx);
213 BN_sub(tmp, dsa->q, sig->r);
214 BN_mod_mul(z2, tmp, v, dsa->p, ctx);
215 BN_mod_exp(tmp, dsa->g, z1, dsa->p, ctx);
216 BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx);
217 BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx);
218 BN_mod(u, tmp3, dsa->q, ctx);
219 ok = (BN_cmp(u, sig->r) == 0);
222 GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH);
233 * Computes public keys for GOST R 34.10-94 algorithm
236 int gost94_compute_public(DSA *dsa)
238 /* Now fill algorithm parameters with correct values */
240 if (!dsa || !dsa->g) {
241 GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, GOST_R_KEY_IS_NOT_INITALIZED);
247 GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE);
251 dsa->pub_key = BN_new();
253 GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE);
257 /* Compute public key y = a^x mod p */
258 BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx);
264 * Fill GOST 94 params, searching them in R3410_paramset array
268 int fill_GOST94_params(DSA *dsa, int nid)
270 R3410_params *params = R3410_paramset;
271 if (!dsa || nid == NID_undef) {
272 GOSTerr(GOST_F_FILL_GOST94_PARAMS, GOST_R_UNSUPPORTED_PARAMETER_SET);
276 while (params->nid != NID_undef && params->nid != nid)
278 if (params->nid == NID_undef) {
279 GOSTerr(GOST_F_FILL_GOST94_PARAMS, GOST_R_UNSUPPORTED_PARAMETER_SET);
283 BN_dec2bn(&(dsa->p), params->p);
284 BN_dec2bn(&(dsa->q), params->q);
285 BN_dec2bn(&(dsa->g), params->a);
290 * Generate GOST R 34.10-94 keypair
294 int gost_sign_keygen(DSA *dsa)
296 OPENSSL_assert(dsa != NULL);
298 dsa->priv_key = BN_new();
299 if (!dsa->priv_key) {
300 GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE);
303 BN_rand_range(dsa->priv_key, dsa->q);
304 return gost94_compute_public(dsa);
307 /* Unpack signature according to cryptocom rules */
309 DSA_SIG *unpack_cc_signature(const unsigned char *sig,size_t siglen)
315 GOSTerr(GOST_F_UNPACK_CC_SIGNATURE,GOST_R_NO_MEMORY);
318 s->r = getbnfrombuf(sig, siglen/2);
319 s->s = getbnfrombuf(sig + siglen/2, siglen/2);
323 /* Unpack signature according to cryptopro rules */
324 DSA_SIG *unpack_cp_signature(const unsigned char *sig, size_t siglen)
330 GOSTerr(GOST_F_UNPACK_CP_SIGNATURE, GOST_R_NO_MEMORY);
333 s->s = getbnfrombuf(sig, siglen / 2);
334 s->r = getbnfrombuf(sig + siglen / 2, siglen / 2);
338 /* Convert little-endian byte array into bignum */
339 BIGNUM *hashsum2bn(const unsigned char *dgst, int len)
341 unsigned char buf[64];
344 if (len > sizeof(buf))
347 for (i = 0; i < len; i++) {
348 buf[len - i - 1] = dgst[i];
350 return getbnfrombuf(buf, len);
353 /* Convert byte buffer to bignum, skipping leading zeros*/
354 BIGNUM *getbnfrombuf(const unsigned char *buf, size_t len)
356 while (*buf == 0 && len > 0) {
361 return BN_bin2bn(buf, len, NULL);
363 BIGNUM *b = BN_new();
370 * Pack bignum into byte buffer of given size, filling all leading bytes by
373 int store_bignum(BIGNUM *bn, unsigned char *buf, int len)
375 int bytes = BN_num_bytes(bn);
379 BN_bn2bin(bn, buf + len - bytes);