[u/mdw/catacomb] / dsa-verify.c

/* -*-c-*-
 *
 * $Id: dsa-verify.c,v 1.1 1999/11/19 19:28:00 mdw Exp $
 *
 * DSA signature verification
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: dsa-verify.c,v $
 * Revision 1.1  1999/11/19 19:28:00  mdw
 * Implementation of the Digital Signature Algorithm.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include "dsa.h"
#include "mp.h"
#include "mpmont.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @dsa_vrfy@ --- *
 *
 * Arguments:	@const dsa_param *dp@ = pointer to DSA parameters
 *		@const mp *y@ = public verification key
 *		@const mp *m@ = message which was signed
 *		@const mp *r, *s@ = the signature
 *
 * Returns:	Zero if the signature is a forgery, nonzero if it's valid.
 *
 * Use:		Verifies a DSA digital signature.
 */

#define SHOW(x) do { fputs(#x " = ", stdout); mp_writefile(x, stdout, 16); fputc('\n', stdout); } while (0)

int dsa_vrfy(const dsa_param *dp, const mp *y,
	     const mp *m, const mp *r, const mp *s)
{
  mpmont pm, qm;
  mp *w;
  mpmont_factor f[2];
  int ok;

  /* --- Ensure that all of the signature bits are in range --- */

  if ((r->f | s->f) & MP_NEG)
    return (0);
  if (MP_CMP(r, >=, dp->q) || MP_CMP(s, >=, dp->q))
    return (0);

  /* --- Set up Montgomery contexts --- */

  mpmont_create(&pm, dp->p);
  mpmont_create(&qm, dp->q);

  /* --- Compute %$w = s^{-1} \bmod q$% --- */

  {
    mp *z;
    mp_gcd(0, 0, &z, dp->q, (mp *)s);
    w = mpmont_mul(&qm, MP_NEW, z, qm.r2);
    mp_drop(z);
  }

  /* --- Compute %$wr%$ and %$wm$% --- */

  f[0].exp = mpmont_mul(&qm, MP_NEW, w, m);
  f[1].exp = mpmont_mul(&qm, MP_NEW, w, r);
  mp_drop(w);
  mpmont_destroy(&qm);

  /* --- Do the exponentiation and take residue mod @q@ --- */

  f[0].base = dp->g;
  f[1].base = (mp *)y;
  w = mpmont_mexp(&pm, f, 2);
  mp_div(0, &w, w, dp->q);
  ok = MP_CMP(w, ==, r);

  /* --- Tidy up --- */

  mp_drop(w);
  mp_drop(f[0].exp);
  mp_drop(f[1].exp);
  mpmont_destroy(&pm);
  return (ok);
}

/* --- @dsa_verify@ --- *
 *
 * Arguments:	@const dsa_param *dp@ = pointer to DSA parameters
 *		@const mp *y@ = public verification key
 *		@const void *m@ = pointer to message block
 *		@size_t msz@ = size of message block
 *		@const void *r@ = pointer to @r@ signature half
 *		@size_t rsz@ = size of @r@
 *		@const void *s@ = pointer to @s@ signature half
 *		@size_t ssz@ = size of @s@
 *
 * Returns:	Zero if the signature is a forgery, nonzero if it's valid.
 *
 * Use:		Verifies a DSA digital signature.
 */

int dsa_verify(const dsa_param *dp, const mp *y,
	       const void *m, size_t msz,
	       const void *r, size_t rsz,
	       const void *s, size_t ssz)
{
  mp *mm = mp_loadb(MP_NEW, m, msz);
  mp *rm = mp_loadb(MP_NEW, r, rsz);
  mp *sm = mp_loadb(MP_NEW, s, ssz);
  int ok = dsa_vrfy(dp, y, mm, rm, sm);
  mp_drop(mm);
  mp_drop(rm);
  mp_drop(sm);
  return (ok);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <mLib/testrig.h>

#include "sha.h"

static int verify(int good, dstr *v)
{
  dsa_param dp;
  mp *y;
  sha_ctx c;
  octet hash[SHA_HASHSZ];
  int ok = 1;
  int rc;

  dp.q = *(mp **)v[0].buf;
  dp.p = *(mp **)v[1].buf;
  dp.g = *(mp **)v[2].buf;
  y = *(mp **)v[3].buf;

  sha_init(&c);
  sha_hash(&c, v[4].buf, v[4].len);
  sha_done(&c, hash);

  rc = dsa_verify(&dp, y, hash, sizeof(hash),
		  v[5].buf, v[5].len, v[6].buf, v[6].len);

  if (!rc != !good) {
    if (good)
      fputs("\n*** verification failed", stderr);
    else
      fputs("\n*** verification succeeded", stderr);
    fputs("\nq = ", stderr); mp_writefile(dp.q, stderr, 16);
    fputs("\np = ", stderr); mp_writefile(dp.p, stderr, 16);
    fputs("\ng = ", stderr); mp_writefile(dp.g, stderr, 16);
    fputs("\ny = ", stderr); mp_writefile(y, stderr, 16);
    fprintf(stderr, "\nmessage = `%s'", v[4].buf);
    fputs("\nr = ", stderr); type_hex.dump(&v[5], stderr);
    fputs("\ns = ", stderr); type_hex.dump(&v[6], stderr);
    fputc('\n', stderr);
    ok = 0;
  }

  mp_drop(dp.p);
  mp_drop(dp.q);
  mp_drop(dp.g);
  mp_drop(y);
  return (ok);
}

static int vgood(dstr *v) { return verify(1, v); }
static int vbad(dstr *v) { return verify(0, v); }

static test_chunk tests[] = {
  { "verify-good", vgood,
    { &type_mp, &type_mp, &type_mp, &type_mp,
      &type_string, &type_hex, &type_hex, 0 } },
  { "verify-bad", vbad,
    { &type_mp, &type_mp, &type_mp, &type_mp,
      &type_string, &type_hex, &type_hex, 0 } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  sub_init();
  test_run(argc, argv, tests, SRCDIR "/tests/dsa");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
8b810a45	1	/* --c--
	2	*
	3	* $Id: dsa-verify.c,v 1.1 1999/11/19 19:28:00 mdw Exp $
	4	*
	5	* DSA signature verification
	6	*
	7	* (c) 1999 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: dsa-verify.c,v $
	33	* Revision 1.1 1999/11/19 19:28:00 mdw
	34	* Implementation of the Digital Signature Algorithm.
	35	*
	36	*/
	37
	38	/----- Header files ------------------------------------------------------/
	39
	40	#include "dsa.h"
	41	#include "mp.h"
	42	#include "mpmont.h"
	43
	44	/----- Main code ---------------------------------------------------------/
	45
	46	/* --- @dsa_vrfy@ --- *
	47	*
	48	* Arguments: @const dsa_param *dp@ = pointer to DSA parameters
	49	* @const mp *y@ = public verification key
	50	* @const mp *m@ = message which was signed
	51	* @const mp r, s@ = the signature
	52	*
	53	* Returns: Zero if the signature is a forgery, nonzero if it's valid.
	54	*
	55	* Use: Verifies a DSA digital signature.
	56	*/
	57
	58	#define SHOW(x) do { fputs(#x " = ", stdout); mp_writefile(x, stdout, 16); fputc('\n', stdout); } while (0)
	59
	60	int dsa_vrfy(const dsa_param dp, const mp y,
	61	const mp m, const mp r, const mp *s)
	62	{
	63	mpmont pm, qm;
	64	mp *w;
65	mpmont_factor f[2];
66	int ok;
67
68	/* --- Ensure that all of the signature bits are in range --- */
69
70	if ((r->f \| s->f) & MP_NEG)
71	return (0);
72	if (MP_CMP(r, >=, dp->q) \|\| MP_CMP(s, >=, dp->q))
73	return (0);
74
75	/* --- Set up Montgomery contexts --- */
76
77	mpmont_create(&pm, dp->p);
78	mpmont_create(&qm, dp->q);
79
80	/* --- Compute %$w = s^{-1} \bmod q$% --- */
81
82	{
83	mp *z;
84	mp_gcd(0, 0, &z, dp->q, (mp *)s);
85	w = mpmont_mul(&qm, MP_NEW, z, qm.r2);
86	mp_drop(z);
87	}
88
89	/* --- Compute %$wr%$ and %$wm$% --- */
90
91	f[0].exp = mpmont_mul(&qm, MP_NEW, w, m);
92	f[1].exp = mpmont_mul(&qm, MP_NEW, w, r);
93	mp_drop(w);
94	mpmont_destroy(&qm);
95
96	/* --- Do the exponentiation and take residue mod @q@ --- */
97
98	f[0].base = dp->g;
99	f[1].base = (mp *)y;
100	w = mpmont_mexp(&pm, f, 2);
101	mp_div(0, &w, w, dp->q);
102	ok = MP_CMP(w, ==, r);
103
104	/* --- Tidy up --- */
105
106	mp_drop(w);
107	mp_drop(f[0].exp);
108	mp_drop(f[1].exp);
109	mpmont_destroy(&pm);
110	return (ok);
111	}
112
113	/* --- @dsa_verify@ --- *
114	*
115	* Arguments: @const dsa_param *dp@ = pointer to DSA parameters
116	* @const mp *y@ = public verification key
117	* @const void *m@ = pointer to message block
118	* @size_t msz@ = size of message block
119	* @const void *r@ = pointer to @r@ signature half
120	* @size_t rsz@ = size of @r@
121	* @const void *s@ = pointer to @s@ signature half
122	* @size_t ssz@ = size of @s@
123	*
124	* Returns: Zero if the signature is a forgery, nonzero if it's valid.
125	*
126	* Use: Verifies a DSA digital signature.
127	*/
128
129	int dsa_verify(const dsa_param dp, const mp y,
130	const void *m, size_t msz,
131	const void *r, size_t rsz,
132	const void *s, size_t ssz)
133	{
134	mp *mm = mp_loadb(MP_NEW, m, msz);
135	mp *rm = mp_loadb(MP_NEW, r, rsz);
136	mp *sm = mp_loadb(MP_NEW, s, ssz);
137	int ok = dsa_vrfy(dp, y, mm, rm, sm);
138	mp_drop(mm);
139	mp_drop(rm);
140	mp_drop(sm);
141	return (ok);
142	}
143
144	/----- Test rig ----------------------------------------------------------/
145
146	#ifdef TEST_RIG
147
148	#include <mLib/testrig.h>
149
150	#include "sha.h"
151
152	static int verify(int good, dstr *v)
153	{
154	dsa_param dp;
155	mp *y;
156	sha_ctx c;
157	octet hash[SHA_HASHSZ];
158	int ok = 1;
159	int rc;
160
161	dp.q = (mp *)v[0].buf;
162	dp.p = (mp *)v[1].buf;
163	dp.g = (mp *)v[2].buf;
164	y = (mp *)v[3].buf;
165
166	sha_init(&c);
167	sha_hash(&c, v[4].buf, v[4].len);
168	sha_done(&c, hash);
169
170	rc = dsa_verify(&dp, y, hash, sizeof(hash),
171	v[5].buf, v[5].len, v[6].buf, v[6].len);
172
173	if (!rc != !good) {
174	if (good)
175	fputs("\n*** verification failed", stderr);
176	else
177	fputs("\n*** verification succeeded", stderr);
178	fputs("\nq = ", stderr); mp_writefile(dp.q, stderr, 16);
179	fputs("\np = ", stderr); mp_writefile(dp.p, stderr, 16);
180	fputs("\ng = ", stderr); mp_writefile(dp.g, stderr, 16);
181	fputs("\ny = ", stderr); mp_writefile(y, stderr, 16);
182	fprintf(stderr, "\nmessage = `%s'", v[4].buf);
183	fputs("\nr = ", stderr); type_hex.dump(&v[5], stderr);
184	fputs("\ns = ", stderr); type_hex.dump(&v[6], stderr);
185	fputc('\n', stderr);
186	ok = 0;
187	}
188
189	mp_drop(dp.p);
190	mp_drop(dp.q);
191	mp_drop(dp.g);
192	mp_drop(y);
193	return (ok);
194	}
195
196	static int vgood(dstr *v) { return verify(1, v); }
197	static int vbad(dstr *v) { return verify(0, v); }
198
199	static test_chunk tests[] = {
200	{ "verify-good", vgood,
201	{ &type_mp, &type_mp, &type_mp, &type_mp,
202	&type_string, &type_hex, &type_hex, 0 } },
203	{ "verify-bad", vbad,
204	{ &type_mp, &type_mp, &type_mp, &type_mp,
205	&type_string, &type_hex, &type_hex, 0 } },
206	{ 0, 0, { 0 } }
207	};
208
209	int main(int argc, char *argv[])
210	{
211	sub_init();
212	test_run(argc, argv, tests, SRCDIR "/tests/dsa");
213	return (0);
214	}
215
216	#endif
217
218	/----- That's all, folks -------------------------------------------------/