[u/mdw/catacomb] / dsa-sign.c

/* -*-c-*-
 *
 * $Id: dsa-sign.c,v 1.1 1999/11/19 19:28:00 mdw Exp $
 *
 * DSA signing operation
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: dsa-sign.c,v $
 * Revision 1.1  1999/11/19 19:28:00  mdw
 * Implementation of the Digital Signature Algorithm.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include "dsa.h"
#include "mp.h"
#include "mpmont.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @dsa_mksig@ --- *
 *
 * Arguments:	@const dsa_param *dp@ = pointer to DSA parameters
 *		@const mp *a@ = secret signing key
 *		@const mp *m@ = message to be signed
 *		@const mp *k@ = random data
 *		@mp **rr, **ss@ = where to put output parameters
 *
 * Returns:	---
 *
 * Use:		Computes a DSA signature of a message.
 */

void dsa_mksig(const dsa_param *dp, const mp *a, const mp *m, const mp *k,
	       mp **rr, mp **ss)
{
  mpmont pm, qm;
  mp *k1, *r;
  mp *rrr, *ar;

  /* --- Create the Montgomery contexts --- */

  mpmont_create(&pm, dp->p);
  mpmont_create(&qm, dp->q);

  /* --- Compute %$r = (g^k \bmod p) \bmod q$% --- */

  r = mpmont_exp(&pm, dp->g, k);
  mp_div(0, &r, r, dp->q);
  *rr = r;

  /* --- Compute %$k^{-1} \bmod q$% --- */

  mp_gcd(0, 0, &k1, dp->q, (mp *)k);

  /* --- Now for %$k^{-1}(m + ar)$% --- */

  rrr = mpmont_mul(&qm, MP_NEW, r, qm.r2);
  ar = mpmont_mul(&qm, MP_NEW, a, rrr);
  ar = mp_add(ar, ar, m);
  if (MP_CMP(ar, >=, dp->q))
    ar = mp_sub(ar, ar, dp->q);
  rrr = mpmont_mul(&qm, rrr, ar, qm.r2);
  ar = mpmont_mul(&qm, ar, rrr, k1);
  *ss = ar;

  /* --- Tidy things up a little --- */

  mp_drop(rrr);
  mp_drop(k1);
  mpmont_destroy(&pm);
  mpmont_destroy(&qm);
}

/* --- @dsa_sign@ --- *
 *
 * Arguments:	@dsa_param *dp@ = pointer to DSA parameters
 *		@mp *a@ = pointer to secret signing key
 *		@const void *m@ = pointer to message
 *		@size_t msz@ = size of the message
 *		@const void *k@ = secret random data for securing signature
 *		@size_t ksz@ = size of secret data
 *		@void *r@ = pointer to output space for @r@
 *		@size_t rsz@ = size of output space for @r@
 *		@void *s@ = pointer to output space for @s@
 *		@size_t ssz@ = size of output space for @s@
 *
 * Returns:	---
 *
 * Use:		Signs a message, storing the results in a big-endian binary
 *		form.
 */

void dsa_sign(dsa_param *dp, mp *a,
	      const void *m, size_t msz, const void *k, size_t ksz,
	      void *r, size_t rsz, void *s, size_t ssz)
{
  mp *mm = mp_loadb(MP_NEW, m, msz);
  mp *km = mp_loadb(MP_NEW, k, ksz);
  mp *rm, *sm;
  dsa_mksig(dp, a, mm, km, &rm, &sm);
  mp_storeb(rm, r, rsz);
  mp_storeb(sm, s, ssz);
  mp_drop(mm); mp_drop(km);
  mp_drop(rm); mp_drop(sm);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <mLib/testrig.h>

#include "sha.h"

static int verify(dstr *v)
{
  dsa_param dp;
  mp *x;
  sha_ctx c;
  octet hash[SHA_HASHSZ];
  dsa_sig s;
  int ok = 1;

  dp.q = *(mp **)v[0].buf;
  dp.p = *(mp **)v[1].buf;
  dp.g = *(mp **)v[2].buf;
  x = *(mp **)v[3].buf;

  sha_init(&c);
  sha_hash(&c, v[4].buf, v[4].len);
  sha_done(&c, hash);

  dsa_sign(&dp, x, hash, sizeof(hash), v[5].buf, v[5].len,
	   s.r, sizeof(s.r), s.s, sizeof(s.s));

  if (v[6].len != sizeof(s.r) || v[7].len != sizeof(s.s) ||
      memcmp(s.r, v[6].buf, sizeof(s.r)) != 0 ||
      memcmp(s.s, v[7].buf, sizeof(s.s)) != 0) {
    fputs("\n*** signature failed", stderr);
    fputs("\nq = ", stderr); mp_writefile(dp.q, stderr, 16);
    fputs("\np = ", stderr); mp_writefile(dp.p, stderr, 16);
    fputs("\ng = ", stderr); mp_writefile(dp.g, stderr, 16);
    fputs("\nx = ", stderr); mp_writefile(x, stderr, 16);
    fprintf(stderr, "\nmessage = `%s'", v[4].buf);
    fputs("\nk = ", stderr); type_hex.dump(&v[5], stderr);
    fputs("\nR = ", stderr); type_hex.dump(&v[6], stderr);
    fputs("\nS = ", stderr); type_hex.dump(&v[7], stderr);

    {
      mp *m = MP_NEW;
      m = mp_loadb(m, hash, sizeof(hash));
      fputs("\nm = ", stderr); mp_writefile(m, stderr, 16);
      m = mp_loadb(m, s.r, sizeof(s.r));
      fputs("\nr = ", stderr); mp_writefile(m, stderr, 16);
      m = mp_loadb(m, s.s, sizeof(s.s));
      fputs("\ns = ", stderr); mp_writefile(m, stderr, 16);
      mp_drop(m);
    }
      
    fputc('\n', stderr);
    ok = 0;
  }

  mp_drop(dp.p);
  mp_drop(dp.q);
  mp_drop(dp.g);
  mp_drop(x);
  return (ok);
}

static test_chunk tests[] = {
  { "sign", verify,
    { &type_mp, &type_mp, &type_mp, &type_mp,
      &type_string, &type_hex, &type_hex, &type_hex, 0 } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  sub_init();
  test_run(argc, argv, tests, SRCDIR "/tests/dsa");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
8b810a45	1	/* --c--
	2	*
	3	* $Id: dsa-sign.c,v 1.1 1999/11/19 19:28:00 mdw Exp $
	4	*
	5	* DSA signing operation
	6	*
	7	* (c) 1999 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: dsa-sign.c,v $
	33	* Revision 1.1 1999/11/19 19:28:00 mdw
	34	* Implementation of the Digital Signature Algorithm.
	35	*
	36	*/
	37
	38	/----- Header files ------------------------------------------------------/
	39
	40	#include "dsa.h"
	41	#include "mp.h"
	42	#include "mpmont.h"
	43
	44	/----- Main code ---------------------------------------------------------/
	45
	46	/* --- @dsa_mksig@ --- *
	47	*
	48	* Arguments: @const dsa_param *dp@ = pointer to DSA parameters
	49	* @const mp *a@ = secret signing key
	50	* @const mp *m@ = message to be signed
	51	* @const mp *k@ = random data
	52	* @mp rr, ss@ = where to put output parameters
	53	*
	54	* Returns: ---
	55	*
	56	* Use: Computes a DSA signature of a message.
	57	*/
	58
	59	void dsa_mksig(const dsa_param dp, const mp a, const mp m, const mp k,
	60	mp rr, mp ss)
	61	{
	62	mpmont pm, qm;
	63	mp k1, r;
	64	mp rrr, ar;
65
66	/* --- Create the Montgomery contexts --- */
67
68	mpmont_create(&pm, dp->p);
69	mpmont_create(&qm, dp->q);
70
71	/* --- Compute %$r = (g^k \bmod p) \bmod q$% --- */
72
73	r = mpmont_exp(&pm, dp->g, k);
74	mp_div(0, &r, r, dp->q);
75	*rr = r;
76
77	/* --- Compute %$k^{-1} \bmod q$% --- */
78
79	mp_gcd(0, 0, &k1, dp->q, (mp *)k);
80
81	/* --- Now for %$k^{-1}(m + ar)$% --- */
82
83	rrr = mpmont_mul(&qm, MP_NEW, r, qm.r2);
84	ar = mpmont_mul(&qm, MP_NEW, a, rrr);
85	ar = mp_add(ar, ar, m);
86	if (MP_CMP(ar, >=, dp->q))
87	ar = mp_sub(ar, ar, dp->q);
88	rrr = mpmont_mul(&qm, rrr, ar, qm.r2);
89	ar = mpmont_mul(&qm, ar, rrr, k1);
90	*ss = ar;
91
92	/* --- Tidy things up a little --- */
93
94	mp_drop(rrr);
95	mp_drop(k1);
96	mpmont_destroy(&pm);
97	mpmont_destroy(&qm);
98	}
99
100	/* --- @dsa_sign@ --- *
101	*
102	* Arguments: @dsa_param *dp@ = pointer to DSA parameters
103	* @mp *a@ = pointer to secret signing key
104	* @const void *m@ = pointer to message
105	* @size_t msz@ = size of the message
106	* @const void *k@ = secret random data for securing signature
107	* @size_t ksz@ = size of secret data
108	* @void *r@ = pointer to output space for @r@
109	* @size_t rsz@ = size of output space for @r@
110	* @void *s@ = pointer to output space for @s@
111	* @size_t ssz@ = size of output space for @s@
112	*
113	* Returns: ---
114	*
115	* Use: Signs a message, storing the results in a big-endian binary
116	* form.
117	*/
118
119	void dsa_sign(dsa_param dp, mp a,
120	const void m, size_t msz, const void k, size_t ksz,
121	void r, size_t rsz, void s, size_t ssz)
122	{
123	mp *mm = mp_loadb(MP_NEW, m, msz);
124	mp *km = mp_loadb(MP_NEW, k, ksz);
125	mp rm, sm;
126	dsa_mksig(dp, a, mm, km, &rm, &sm);
127	mp_storeb(rm, r, rsz);
128	mp_storeb(sm, s, ssz);
129	mp_drop(mm); mp_drop(km);
130	mp_drop(rm); mp_drop(sm);
131	}
132
133	/----- Test rig ----------------------------------------------------------/
134
135	#ifdef TEST_RIG
136
137	#include <mLib/testrig.h>
138
139	#include "sha.h"
140
141	static int verify(dstr *v)
142	{
143	dsa_param dp;
144	mp *x;
145	sha_ctx c;
146	octet hash[SHA_HASHSZ];
147	dsa_sig s;
148	int ok = 1;
149
150	dp.q = (mp *)v[0].buf;
151	dp.p = (mp *)v[1].buf;
152	dp.g = (mp *)v[2].buf;
153	x = (mp *)v[3].buf;
154
155	sha_init(&c);
156	sha_hash(&c, v[4].buf, v[4].len);
157	sha_done(&c, hash);
158
159	dsa_sign(&dp, x, hash, sizeof(hash), v[5].buf, v[5].len,
160	s.r, sizeof(s.r), s.s, sizeof(s.s));
161
162	if (v[6].len != sizeof(s.r) \|\| v[7].len != sizeof(s.s) \|\|
163	memcmp(s.r, v[6].buf, sizeof(s.r)) != 0 \|\|
164	memcmp(s.s, v[7].buf, sizeof(s.s)) != 0) {
165	fputs("\n*** signature failed", stderr);
166	fputs("\nq = ", stderr); mp_writefile(dp.q, stderr, 16);
167	fputs("\np = ", stderr); mp_writefile(dp.p, stderr, 16);
168	fputs("\ng = ", stderr); mp_writefile(dp.g, stderr, 16);
169	fputs("\nx = ", stderr); mp_writefile(x, stderr, 16);
170	fprintf(stderr, "\nmessage = `%s'", v[4].buf);
171	fputs("\nk = ", stderr); type_hex.dump(&v[5], stderr);
172	fputs("\nR = ", stderr); type_hex.dump(&v[6], stderr);
173	fputs("\nS = ", stderr); type_hex.dump(&v[7], stderr);
174
175	{
176	mp *m = MP_NEW;
177	m = mp_loadb(m, hash, sizeof(hash));
178	fputs("\nm = ", stderr); mp_writefile(m, stderr, 16);
179	m = mp_loadb(m, s.r, sizeof(s.r));
180	fputs("\nr = ", stderr); mp_writefile(m, stderr, 16);
181	m = mp_loadb(m, s.s, sizeof(s.s));
182	fputs("\ns = ", stderr); mp_writefile(m, stderr, 16);
183	mp_drop(m);
184	}
185
186	fputc('\n', stderr);
187	ok = 0;
188	}
189
190	mp_drop(dp.p);
191	mp_drop(dp.q);
192	mp_drop(dp.g);
193	mp_drop(x);
194	return (ok);
195	}
196
197	static test_chunk tests[] = {
198	{ "sign", verify,
199	{ &type_mp, &type_mp, &type_mp, &type_mp,
200	&type_string, &type_hex, &type_hex, &type_hex, 0 } },
201	{ 0, 0, { 0 } }
202	};
203
204	int main(int argc, char *argv[])
205	{
206	sub_init();
207	test_run(argc, argv, tests, SRCDIR "/tests/dsa");
208	return (0);
209	}
210
211	#endif
212
213	/----- That's all, folks -------------------------------------------------/