From: Mark Wooding Date: Fri, 1 Feb 2008 18:29:17 +0000 (+0000) Subject: gdsa: Fix the conversion of hashes to integers to conform to the spec. X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/commitdiff_plain/c97fbcf9622edc35b594bf574f553f7f13c21164 gdsa: Fix the conversion of hashes to integers to conform to the spec. The spec is obviously insane. --- diff --git a/Makefile.m4 b/Makefile.m4 index 5d5420a..812d210 100644 --- a/Makefile.m4 +++ b/Makefile.m4 @@ -230,7 +230,7 @@ define(`PGEN_SOURCES', rsa-priv.c rsa-pub.c rsa-gen.c rsa-recover.c rsa-fetch.c \ oaep.c pkcs1.c pss.c \ dh-gen.c dh-limlee.c dh-kcdsa.c dh-check.c dh-fetch.c dh-param.c \ - dsarand.c dsa-sign.c dsa-verify.c dsa-gen.c dsa-check.c \ + dsarand.c dsa-misc.c dsa-sign.c dsa-verify.c dsa-gen.c dsa-check.c \ gdsa.c gkcdsa.c \ key-data.c key-flags.c key-text.c key-binary.c key-pass.c \ key-pack.c key-misc.c key-file.c key-attr.c key-io.c key-moan.c \ diff --git a/dsa-misc.c b/dsa-misc.c new file mode 100644 index 0000000..4d8bc2a --- /dev/null +++ b/dsa-misc.c @@ -0,0 +1,64 @@ +/* -*-c-*- + * + * Useful functions for doing DSA + * + * (c) 2008 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Header files ------------------------------------------------------*/ + +#include "dsa.h" + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @dsa_h2n@ --- * + * + * Arguments: @mp *d@ = destination integer + * @mp *r@ = order of the DSA group + * @const void *h@ = pointer to message hash + * @size_t hsz@ = size (in bytes) of the hash output + * + * Returns: Resulting integer. + * + * Use: Converts a hash to an integer in the demented way necessary + * for DSA/ECDSA. This is, of course, completely insane, but + * there you go. + */ + +mp *dsa_h2n(mp *d, mp *r, const void *h, size_t hsz) +{ + size_t n = mp_bits(r); + size_t l = hsz; + size_t s = 0; + + if (n < 8*l) { + l = (n + 7)/8; + s = 8*l - n; + } + d = mp_loadb(d, h, l); + if (s) + d = mp_lsr(d, d, s); + return (d); +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/dsa-sign.c b/dsa-sign.c index c4117bc..9d30dd9 100644 --- a/dsa-sign.c +++ b/dsa-sign.c @@ -106,7 +106,7 @@ void dsa_sign(dsa_param *dp, mp *a, const void *m, size_t msz, const void *k, size_t ksz, void *r, size_t rsz, void *s, size_t ssz) { - mp *mm = mp_loadb(MP_NEW, m, msz); + mp *mm = dsa_h2n(MP_NEW, dp->q, m, msz); mp *km = mp_loadb(MP_NEW, k, ksz); mp *rm = MP_NEW, *sm = MP_NEW; dsa_mksig(dp, a, mm, km, &rm, &sm); diff --git a/dsa-verify.c b/dsa-verify.c index ec40b27..90895b4 100644 --- a/dsa-verify.c +++ b/dsa-verify.c @@ -119,7 +119,7 @@ int dsa_verify(const dsa_param *dp, mp *y, const void *r, size_t rsz, const void *s, size_t ssz) { - mp *mm = mp_loadb(MP_NEW, m, msz); + mp *mm = dsa_h2n(MP_NEW, dp->q, m, msz); mp *rm = mp_loadb(MP_NEW, r, rsz); mp *sm = mp_loadb(MP_NEW, s, ssz); int ok = dsa_vrfy(dp, y, mm, rm, sm); diff --git a/dsa.h b/dsa.h index 3cd65f5..43ff845 100644 --- a/dsa.h +++ b/dsa.h @@ -176,6 +176,22 @@ extern int dsa_gen(dsa_param */*dp*/, unsigned /*ql*/, unsigned /*pl*/, extern int dsa_checkparam(keycheck */*kc*/, const dsa_param */*dp*/, const dsa_seed */*ds*/); +/* --- @dsa_h2n@ --- * + * + * Arguments: @mp *d@ = destination integer + * @mp *r@ = order of the DSA group + * @const void *h@ = pointer to message hash + * @size_t hsz@ = size (in bytes) of the hash output + * + * Returns: Resulting integer. + * + * Use: Converts a hash to an integer in the demented way necessary + * for DSA/ECDSA. This is, of course, completely insane, but + * there you go. + */ + +extern mp *dsa_h2n(mp */*d*/, mp */*r*/, const void */*h*/, size_t /*hsz*/); + /* --- @dsa_mksig@ --- * * * Arguments: @const dsa_param *dp@ = pointer to DSA parameters diff --git a/gdsa.c b/gdsa.c index 10f6b6d..83f4d06 100644 --- a/gdsa.c +++ b/gdsa.c @@ -79,7 +79,7 @@ void gdsa_endhash(const gdsa *c, ghash *h) { ; } void gdsa_sign(const gdsa *c, gdsa_sig *s, const void *m, mp *k) { group *g = c->g; - mp *mr = mp_loadb(MP_NEW, m, c->h->hashsz); + mp *mr = dsa_h2n(MP_NEW, g->r, m, c->h->hashsz); ge *z = G_CREATE(g); mp *sr = s->r, *ss = s->s; mpbarrett b; @@ -128,7 +128,7 @@ int gdsa_verify(const gdsa *c, const gdsa_sig *s, const void *m) return (-1); mpbarrett_create(&b, g->r); h = mp_modinv(MP_NEW, s->s, g->r); e[0].base = g->g; e[1].base = c->p; - t = mp_loadb(MP_NEW, m, c->h->hashsz); mp_div(0, &t, t, g->r); + t = dsa_h2n(MP_NEW, g->r, m, c->h->hashsz); mp_div(0, &t, t, g->r); t = mp_mul(t, t, h); e[0].exp = t = mpbarrett_reduce(&b, t, t); h = mp_mul(h, s->r, h); e[1].exp = h = mpbarrett_reduce(&b, h, h); w = G_CREATE(g); G_MEXP(g, w, e, 2); diff --git a/tests/gdsa b/tests/gdsa index 6627d47..45df0b3 100644 --- a/tests/gdsa +++ b/tests/gdsa @@ -82,6 +82,15 @@ sign { 0x8d68905434b020ccb849e17a03a5c441d2a104aaf523699c1cc7a93174d21d9c 0xb30f954bfb624041e56f09ece884c17c74f866c24149bba0712303a9530142a6 0x1076bd32f298aaffa8c6242d881d928b1c4e0f5ad7e8ce3c4d815fe348a9666a; + + # --- Test for over-long hash --- + + "ec { sect131r1 }" sha + 0x85bd9fd28a7e7f915891208fbb2b05c0 + "An example message" + 0xee98d38c001731403af6fbf77356f8ea + 0x1cba36e768c0247d537a744b7ea62e3b9 + 0x216e5d02a0b1fb11d6d2fc4b383dcb168; } verify { @@ -206,4 +215,28 @@ verify { 0xb30f954bfb624041e56f09ece884c17c74f866c24149bba0712303a9530142a6 0x1076bd32f298aaffa8c6242d881d928b1c4e0f5ad7e8ce3c4d815fe348a9666a 0; + + # --- Test for over-long hash --- + + "ec { sect131r1 }" sha + "0x2218ba2b57a7821be97c0015b797d82fe, 0x666aed14fd7a2abf867c6fa222ab26fcc" + "An example message" + 0x1cba36e768c0247d537a744b7ea62e3b9 + 0x216e5d02a0b1fb11d6d2fc4b383dcb168 + 0; + + "ec { sect131r1 }" sha + "0x2218ba2b57a7821be97c0015b797d82fe, 0x666aed14fd7a2abf867c6fa222ab26fcc" + "An example messag" + 0x1cba36e768c0247d537a744b7ea62e3b9 + 0x216e5d02a0b1fb11d6d2fc4b383dcb168 + -1; + + "ec { nist-b163 }" sha512 + "0x385a32536d1cb46d10cf3034a3dd39eb25e4f5123, + 0x29ee1edfa37d0f306c4da17b8d883f01ce3be4d46" + "qpwmoeqpofaosdaspdpqoweopdoagnqornifnasd" + 0x0231b6a807f6af1aee0598768b3fabb863d14a7f8d + 0x01c2f638e9dffe03b562e48ca4e1a380cf8c3055f1 + 0; }