1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include "tomcrypt_private.h"
4
5 /**
6 @file dsa_verify_hash.c
7 DSA implementation, verify a signature, Tom St Denis
8 */
9
10
11 #ifdef LTC_MDSA
12
13 /**
14 Verify a DSA signature
15 @param r DSA "r" parameter
16 @param s DSA "s" parameter
17 @param hash The hash that was signed
18 @param hashlen The length of the hash that was signed
19 @param stat [out] The result of the signature verification, 1==valid, 0==invalid
20 @param key The corresponding public DSA key
21 @return CRYPT_OK if successful (even if the signature is invalid)
22 */
dsa_verify_hash_raw(void * r,void * s,const unsigned char * hash,unsigned long hashlen,int * stat,const dsa_key * key)23 int dsa_verify_hash_raw( void *r, void *s,
24 const unsigned char *hash, unsigned long hashlen,
25 int *stat, const dsa_key *key)
26 {
27 void *w, *v, *u1, *u2;
28 int err;
29
30 LTC_ARGCHK(r != NULL);
31 LTC_ARGCHK(s != NULL);
32 LTC_ARGCHK(stat != NULL);
33 LTC_ARGCHK(key != NULL);
34
35 /* default to invalid signature */
36 *stat = 0;
37
38 /* init our variables */
39 if ((err = mp_init_multi(&w, &v, &u1, &u2, LTC_NULL)) != CRYPT_OK) {
40 return err;
41 }
42
43 /* neither r or s can be null or >q*/
44 if (mp_cmp_d(r, 0) != LTC_MP_GT || mp_cmp_d(s, 0) != LTC_MP_GT || mp_cmp(r, key->q) != LTC_MP_LT || mp_cmp(s, key->q) != LTC_MP_LT) {
45 err = CRYPT_INVALID_PACKET;
46 goto error;
47 }
48
49 /* FIPS 186-4 4.7: use leftmost min(bitlen(q), bitlen(hash)) bits of 'hash' */
50 hashlen = MIN(hashlen, (unsigned long)(key->qord));
51
52 /* w = 1/s mod q */
53 if ((err = mp_invmod(s, key->q, w)) != CRYPT_OK) { goto error; }
54
55 /* u1 = m * w mod q */
56 if ((err = mp_read_unsigned_bin(u1, (unsigned char *)hash, hashlen)) != CRYPT_OK) { goto error; }
57 if ((err = mp_mulmod(u1, w, key->q, u1)) != CRYPT_OK) { goto error; }
58
59 /* u2 = r*w mod q */
60 if ((err = mp_mulmod(r, w, key->q, u2)) != CRYPT_OK) { goto error; }
61
62 /* v = g^u1 * y^u2 mod p mod q */
63 if ((err = mp_exptmod(key->g, u1, key->p, u1)) != CRYPT_OK) { goto error; }
64 if ((err = mp_exptmod(key->y, u2, key->p, u2)) != CRYPT_OK) { goto error; }
65 if ((err = mp_mulmod(u1, u2, key->p, v)) != CRYPT_OK) { goto error; }
66 if ((err = mp_mod(v, key->q, v)) != CRYPT_OK) { goto error; }
67
68 /* if r = v then we're set */
69 if (mp_cmp(r, v) == LTC_MP_EQ) {
70 *stat = 1;
71 }
72
73 err = CRYPT_OK;
74 error:
75 mp_clear_multi(w, v, u1, u2, LTC_NULL);
76 return err;
77 }
78
79 /**
80 Verify a DSA signature
81 @param sig The signature
82 @param siglen The length of the signature (octets)
83 @param hash The hash that was signed
84 @param hashlen The length of the hash that was signed
85 @param stat [out] The result of the signature verification, 1==valid, 0==invalid
86 @param key The corresponding public DSA key
87 @return CRYPT_OK if successful (even if the signature is invalid)
88 */
dsa_verify_hash(const unsigned char * sig,unsigned long siglen,const unsigned char * hash,unsigned long hashlen,int * stat,const dsa_key * key)89 int dsa_verify_hash(const unsigned char *sig, unsigned long siglen,
90 const unsigned char *hash, unsigned long hashlen,
91 int *stat, const dsa_key *key)
92 {
93 int err;
94 void *r, *s;
95 ltc_asn1_list sig_seq[2];
96 unsigned long reallen = 0;
97
98 LTC_ARGCHK(stat != NULL);
99 *stat = 0; /* must be set before the first return */
100
101 if ((err = mp_init_multi(&r, &s, LTC_NULL)) != CRYPT_OK) {
102 return err;
103 }
104
105 LTC_SET_ASN1(sig_seq, 0, LTC_ASN1_INTEGER, r, 1UL);
106 LTC_SET_ASN1(sig_seq, 1, LTC_ASN1_INTEGER, s, 1UL);
107
108 err = der_decode_sequence_strict(sig, siglen, sig_seq, 2);
109 if (err != CRYPT_OK) {
110 goto LBL_ERR;
111 }
112
113 err = der_length_sequence(sig_seq, 2, &reallen);
114 if (err != CRYPT_OK || reallen != siglen) {
115 goto LBL_ERR;
116 }
117
118 /* do the op */
119 err = dsa_verify_hash_raw(r, s, hash, hashlen, stat, key);
120
121 LBL_ERR:
122 mp_clear_multi(r, s, LTC_NULL);
123 return err;
124 }
125
126 #endif
127
128