[catacomb] / pub / dsa.h

/* -*-c-*-
 *
 * Digital Signature Algorithm
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_DSA_H
#define CATACOMB_DSA_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Notes on the Digital Signature Algorithm --------------------------*
 *
 * The Digital Signature Algorithm was designed by the NSA for US Government
 * use.  It's defined in FIPS 186-1.  Whether it's covered by patents is
 * under dispute, although it looks relatively clear.  It produces compact
 * signatures, and is relatively easy to compute.  It seems strong, if
 * appropriate parameters are chosen.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/macros.h>

#ifndef CATACOMB_DH_H
#  include "dh.h"
#endif

#ifndef CATACOMB_GRAND_H
#  include "grand.h"
#endif

#ifndef CATACOMB_KEY_H
#  include "key.h"
#endif

#ifndef CATACOMB_KEYCHECK_H
#  include "keycheck.h"
#endif

#ifndef CATACOMB_MP_H
#  include "mp.h"
#endif

#ifndef CATACOMB_PGEN_H
#  include "pgen.h"
#endif

/*----- Data structures ---------------------------------------------------*/

/* --- The parameters and keys are the same as for Diffie-Hellman --- */

typedef dh_param dsa_param;
typedef dh_pub dsa_pub;
typedef dh_priv dsa_priv;

/* --- DSA key seed structure --- */

typedef struct dsa_seed {
  void *p;				/* Pointer to seed material */
  size_t sz;				/* Size of seed material */
  unsigned count;			/* Iterations to find @p@ */
} dsa_seed;

/* --- DSA signature structure --- *
 *
 * This is the recommended structure for a DSA signature.  The actual signing
 * function can cope with arbitrary-sized objects given appropriate
 * parameters, however.
 */

#define DSA_SIGLEN 20

typedef struct dsa_sig {
  octet r[DSA_SIGLEN];			/* 160-bit @r@ value */
  octet s[DSA_SIGLEN];			/* 160-bit @s@ value */
} dsa_sig;

/*----- Key fetching ------------------------------------------------------*/

#define dsa_paramfetch dh_paramfetch
#define dsa_pubfetch dh_pubfetch
#define dsa_privfetch dh_privfetch

#define DSA_PARAMFETCHSZ DH_PARAMFETCHSZ
#define DSA_PUBFETCHSZ DH_PUBFETCHSZ
#define DSA_PRIVFETCHSZ DH_PRIVFETCHSZ

#define dsa_paramfree dh_paramfree
#define dsa_pubfree dh_pubfree
#define dsa_privfree dh_privfree

/*----- DSA stepper -------------------------------------------------------*/

typedef struct dsa_stepctx {

  /* --- To be initialized by the client --- */

  grand *r;				/* Random number generator */
  mp *q;				/* Force @p@ to be a multiple */
  size_t bits;				/* Number of bits in the result */
  unsigned or;				/* OR mask for low order bits */
  unsigned count;			/* Counts the number of steps made */
  void *seedbuf;			/* Pointer to seed buffer */
} dsa_stepctx;

/* --- @dsa_step@ --- *
 *
 * The stepper chooses random integers, ensures that they are a multiple of
 * @q@ (if specified), sets the low-order bits, and then tests for
 * divisibility by small primes.
 */

extern pgen_proc dsa_step;

/*----- Functions provided ------------------------------------------------*/

/* --- @dsa_gen@ --- *
 *
 * Arguments:	@dsa_param *dp@ = where to store parameters
 *		@unsigned ql@ = length of @q@ in bits
 *		@unsigned pl@ = length of @p@ in bits
 *		@unsigned steps@ = number of steps to find @q@
 *		@const void *k@ = pointer to key material
 *		@size_t sz@ = size of key material
 *		@dsa_seed *sd@ = optional pointer for output seed information
 *		@pgen_proc *event@ = event handler function
 *		@void *ectx@ = argument for event handler
 *
 * Returns:	@PGEN_DONE@ if everything worked ok; @PGEN_ABORT@ otherwise.
 *
 * Use:		Generates the DSA shared parameters from a given seed value.
 *		This can take quite a long time.
 *
 *		The algorithm used is a compatible extension of the method
 *		described in the DSA standard, FIPS 186.  The standard
 *		requires that %$q$% be 160 bits in size (i.e., @ql == 160@)
 *		and that the length of %$p$% be %$L = 512 + 64l$% for some
 *		%$l$%.  Neither limitation applies to this implementation.
 */

extern int dsa_gen(dsa_param */*dp*/, unsigned /*ql*/, unsigned /*pl*/,
		   unsigned /*steps*/, const void */*k*/, size_t /*sz*/,
		   dsa_seed */*sd*/, pgen_proc */*event*/, void */*ectx*/);

/* --- @dsa_checkparam@ --- *
 *
 * Arguments:	@keycheck *kc@ = keycheck state
 *		@const dsa_param *dp@ = pointer to the parameter set
 *		@const dsa_seed *ds@ = pointer to seed information
 *
 * Returns:	Zero if all OK, or return status from function.
 *
 * Use:		Checks a set of DSA parameters for consistency and security.
 */

extern int dsa_checkparam(keycheck */*kc*/, const dsa_param */*dp*/,
			  const dsa_seed */*ds*/);

/* --- @dsa_h2n@ --- *
 *
 * Arguments:	@mp *d@ = destination integer
 *		@mp *r@ = order of the DSA group
 *		@const void *h@ = pointer to message hash
 *		@size_t hsz@ = size (in bytes) of the hash output
 *
 * Returns:	Resulting integer.
 *
 * Use:		Converts a hash to an integer in the demented way necessary
 *		for DSA/ECDSA.  This is, of course, completely insane, but
 *		there you go.
 */

extern mp *dsa_h2n(mp */*d*/, mp */*r*/, const void */*h*/, size_t /*hsz*/);

/* --- @dsa_nonce@ --- *
 *
 * Arguments:	@mp *d@ = destination integer
 *		@mp *q@ = order of the DSA group
 *		@mp *x@ = secret key
 *		@const octet *m@ = message hash
 *		@const gchash *ch@ = hash class
 *		@grand *r@ = random bit source, or null
 *
 * Returns:	A nonce.
 *
 * Use:		Generates a nonce for use in DSA (or another Fiat--Shamir
 *		signature scheme).
 */

extern mp *dsa_nonce(mp */*d*/, mp */*q*/, mp */*x*/, const octet */*m*/,
		     const gchash */*ch*/, grand */*r*/);

/* --- @dsa_mksig@ --- *
 *
 * Arguments:	@const dsa_param *dp@ = pointer to DSA parameters
 *		@mp *a@ = secret signing key
 *		@mp *m@ = message to be signed
 *		@mp *k@ = random data
 *		@mp **rr, **ss@ = where to put output parameters
 *
 * Returns:	---
 *
 * Use:		Computes a DSA signature of a message.
 *
 *		This function is deprecated.  It's really rather badly
 *		designed, and hard to use securely (and hard to fix).  Please
 *		use @gdsa_sign@ instead.
 */

extern
#ifndef CATACOMB_DSAIMPL
  DEPRECATED("please use `gdsa_sign' instead")
#endif
  void dsa_mksig(const dsa_param */*dp*/, mp */*a*/, mp */*m*/, mp */*k*/,
		 mp **/*rr*/, mp **/*ss*/);

/* --- @dsa_sign@ --- *
 *
 * Arguments:	@dsa_param *dp@ = pointer to DSA parameters
 *		@mp *a@ = pointer to secret signing key
 *		@const void *m@ = pointer to message
 *		@size_t msz@ = size of the message
 *		@const void *k@ = secret random data for securing signature
 *		@size_t ksz@ = size of secret data
 *		@void *r@ = pointer to output space for @r@
 *		@size_t rsz@ = size of output space for @r@
 *		@void *s@ = pointer to output space for @s@
 *		@size_t ssz@ = size of output space for @s@
 *
 * Returns:	---
 *
 * Use:		Signs a message, storing the results in a big-endian binary
 *		form.
 *
 *		This function is deprecated.  It's really rather badly
 *		designed, and hard to use securely (and hard to fix).  Please
 *		use @gdsa_sign@ instead.
 */

extern
#ifndef CATACOMB_DSAIMPL
  DEPRECATED("please use `gdsa_sign' instead")
#endif
  void dsa_sign(dsa_param */*dp*/, mp */*a*/,
		const void */*m*/, size_t /*msz*/,
		const void */*k*/, size_t /*ksz*/,
		void */*r*/, size_t /*rsz*/, void */*s*/, size_t /*ssz*/);

/* --- @dsa_vrfy@ --- *
 *
 * Arguments:	@const dsa_param *dp@ = pointer to DSA parameters
 *		@mp *y@ = public verification key
 *		@mp *m@ = message which was signed
 *		@mp *r, *s@ = the signature
 *
 * Returns:	Zero if the signature is a forgery, nonzero if it's valid.
 *
 * Use:		Verifies a DSA digital signature.
 */

extern int dsa_vrfy(const dsa_param */*dp*/, mp */*y*/,
		    mp */*m*/, mp */*r*/, mp */*s*/);

/* --- @dsa_verify@ --- *
 *
 * Arguments:	@const dsa_param *dp@ = pointer to DSA parameters
 *		@mp *y@ = public verification key
 *		@const void *m@ = pointer to message block
 *		@size_t msz@ = size of message block
 *		@const void *r@ = pointer to @r@ signature half
 *		@size_t rsz@ = size of @r@
 *		@const void *s@ = pointer to @s@ signature half
 *		@size_t ssz@ = size of @s@
 *
 * Returns:	Zero if the signature is a forgery, nonzero if it's valid.
 *
 * Use:		Verifies a DSA digital signature.
 */

extern int dsa_verify(const dsa_param */*dp*/, mp */*y*/,
		      const void */*m*/, size_t /*msz*/,
		      const void */*r*/, size_t /*rsz*/,
		      const void */*s*/, size_t /*ssz*/);

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
8b810a45	1	/* --c--
8b810a45	2	*
8b810a45	3	* Digital Signature Algorithm
	4	*
	5	* (c) 1999 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
8b810a45	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
8b810a45	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
8b810a45	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
b3f05084	28	#ifndef CATACOMB_DSA_H
b3f05084	29	#define CATACOMB_DSA_H
8b810a45	30
	31	#ifdef __cplusplus
	32	extern "C" {
	33	#endif
	34
	35	/----- Notes on the Digital Signature Algorithm --------------------------
	36	*
	37	* The Digital Signature Algorithm was designed by the NSA for US Government
	38	* use. It's defined in FIPS 186-1. Whether it's covered by patents is
	39	* under dispute, although it looks relatively clear. It produces compact
	40	* signatures, and is relatively easy to compute. It seems strong, if
	41	* appropriate parameters are chosen.
	42	*/
	43
	44	/----- Header files ------------------------------------------------------/
	45
92381410 MW	46	#include <mLib/macros.h>
92381410 MW	47
827e6c99	48	#ifndef CATACOMB_DH_H
	49	# include "dh.h"
	50	#endif
	51
aa00f6fb MW	52	#ifndef CATACOMB_GRAND_H
	53	# include "grand.h"
	54	#endif
	55
80a2ff16	56	#ifndef CATACOMB_KEY_H
	57	# include "key.h"
	58	#endif
	59
600127f0	60	#ifndef CATACOMB_KEYCHECK_H
	61	# include "keycheck.h"
	62	#endif
	63
b3f05084	64	#ifndef CATACOMB_MP_H
8b810a45	65	# include "mp.h"
8b810a45	66	#endif
45c0fd36	67
b04a7659	68	#ifndef CATACOMB_PGEN_H
	69	# include "pgen.h"
	70	#endif
8b810a45	71
	72	/----- Data structures ---------------------------------------------------/
	73
827e6c99	74	/* --- The parameters and keys are the same as for Diffie-Hellman --- */
80a2ff16	75
827e6c99	76	typedef dh_param dsa_param;
	77	typedef dh_pub dsa_pub;
	78	typedef dh_priv dsa_priv;
80a2ff16	79
600127f0	80	/* --- DSA key seed structure --- */
	81
	82	typedef struct dsa_seed {
	83	void p; / Pointer to seed material */
	84	size_t sz; /* Size of seed material */
	85	unsigned count; /* Iterations to find @p@ */
	86	} dsa_seed;
	87
8b810a45	88	/* --- DSA signature structure --- *
	89	*
	90	* This is the recommended structure for a DSA signature. The actual signing
	91	* function can cope with arbitrary-sized objects given appropriate
	92	* parameters, however.
	93	*/
	94
	95	#define DSA_SIGLEN 20
	96
	97	typedef struct dsa_sig {
	98	octet r[DSA_SIGLEN]; /* 160-bit @r@ value */
	99	octet s[DSA_SIGLEN]; /* 160-bit @s@ value */
	100	} dsa_sig;
	101
80a2ff16	102	/----- Key fetching ------------------------------------------------------/
80a2ff16	103
827e6c99	104	#define dsa_paramfetch dh_paramfetch
	105	#define dsa_pubfetch dh_pubfetch
	106	#define dsa_privfetch dh_privfetch
80a2ff16	107
827e6c99	108	#define DSA_PARAMFETCHSZ DH_PARAMFETCHSZ
	109	#define DSA_PUBFETCHSZ DH_PUBFETCHSZ
	110	#define DSA_PRIVFETCHSZ DH_PRIVFETCHSZ
b92da8eb	111
827e6c99	112	#define dsa_paramfree dh_paramfree
	113	#define dsa_pubfree dh_pubfree
	114	#define dsa_privfree dh_privfree
b92da8eb	115
b04a7659	116	/----- DSA stepper -------------------------------------------------------/
	117
	118	typedef struct dsa_stepctx {
	119
	120	/* --- To be initialized by the client --- */
	121
	122	grand r; / Random number generator */
	123	mp q; / Force @p@ to be a multiple */
	124	size_t bits; /* Number of bits in the result */
	125	unsigned or; /* OR mask for low order bits */
600127f0	126	unsigned count; /* Counts the number of steps made */
600127f0	127	void seedbuf; / Pointer to seed buffer */
b04a7659	128	} dsa_stepctx;
	129
	130	/* --- @dsa_step@ --- *
	131	*
	132	* The stepper chooses random integers, ensures that they are a multiple of
	133	* @q@ (if specified), sets the low-order bits, and then tests for
	134	* divisibility by small primes.
	135	*/
	136
ab6ce636	137	extern pgen_proc dsa_step;
b04a7659	138
8b810a45	139	/----- Functions provided ------------------------------------------------/
8b810a45	140
827e6c99	141	/* --- @dsa_gen@ --- *
8b810a45	142	*
8b810a45	143	* Arguments: @dsa_param *dp@ = where to store parameters
b04a7659	144	* @unsigned ql@ = length of @q@ in bits
	145	* @unsigned pl@ = length of @p@ in bits
	146	* @unsigned steps@ = number of steps to find @q@
8b810a45	147	* @const void *k@ = pointer to key material
8b810a45	148	* @size_t sz@ = size of key material
600127f0	149	* @dsa_seed *sd@ = optional pointer for output seed information
b04a7659	150	* @pgen_proc *event@ = event handler function
b04a7659	151	* @void *ectx@ = argument for event handler
8b810a45	152	*
b04a7659	153	* Returns: @PGEN_DONE@ if everything worked ok; @PGEN_ABORT@ otherwise.
8b810a45	154	*
8b810a45	155	* Use: Generates the DSA shared parameters from a given seed value.
b04a7659	156	* This can take quite a long time.
	157	*
	158	* The algorithm used is a compatible extension of the method
	159	* described in the DSA standard, FIPS 186. The standard
	160	* requires that %$q$% be 160 bits in size (i.e., @ql == 160@)
	161	* and that the length of %$p$% be %$L = 512 + 64l$% for some
	162	* %$l$%. Neither limitation applies to this implementation.
8b810a45	163	*/
8b810a45	164
827e6c99	165	extern int dsa_gen(dsa_param /dp/, unsigned /ql/, unsigned /pl*/,
827e6c99	166	unsigned /steps/, const void /k/, size_t /sz*/,
600127f0	167	dsa_seed /sd/, pgen_proc /event/, void /ectx*/);
	168
	169	/* --- @dsa_checkparam@ --- *
	170	*
	171	* Arguments: @keycheck *kc@ = keycheck state
	172	* @const dsa_param *dp@ = pointer to the parameter set
	173	* @const dsa_seed *ds@ = pointer to seed information
	174	*
	175	* Returns: Zero if all OK, or return status from function.
	176	*
	177	* Use: Checks a set of DSA parameters for consistency and security.
	178	*/
	179
	180	extern int dsa_checkparam(keycheck /kc/, const dsa_param /dp/,
	181	const dsa_seed /ds*/);
8b810a45	182
c97fbcf9 MW	183	/* --- @dsa_h2n@ --- *
	184	*
	185	* Arguments: @mp *d@ = destination integer
	186	* @mp *r@ = order of the DSA group
	187	* @const void *h@ = pointer to message hash
	188	* @size_t hsz@ = size (in bytes) of the hash output
	189	*
	190	* Returns: Resulting integer.
	191	*
	192	* Use: Converts a hash to an integer in the demented way necessary
	193	* for DSA/ECDSA. This is, of course, completely insane, but
	194	* there you go.
	195	*/
	196
	197	extern mp dsa_h2n(mp /d/, mp /r/, const void /h/, size_t /hsz/);
	198
77fdf13a MW	199	/* --- @dsa_nonce@ --- *
	200	*
	201	* Arguments: @mp *d@ = destination integer
	202	* @mp *q@ = order of the DSA group
	203	* @mp *x@ = secret key
	204	* @const octet *m@ = message hash
49a7bf52	205	* @const gchash *ch@ = hash class
77fdf13a MW	206	* @grand *r@ = random bit source, or null
	207	*
	208	* Returns: A nonce.
	209	*
	210	* Use: Generates a nonce for use in DSA (or another Fiat--Shamir
	211	* signature scheme).
	212	*/
	213
	214	extern mp dsa_nonce(mp /d/, mp /q/, mp /x/, const octet /m*/,
	215	const gchash /ch/, grand /r/);
	216
8b810a45	217	/* --- @dsa_mksig@ --- *
	218	*
	219	* Arguments: @const dsa_param *dp@ = pointer to DSA parameters
b3f05084	220	* @mp *a@ = secret signing key
	221	* @mp *m@ = message to be signed
	222	* @mp *k@ = random data
8b810a45	223	* @mp rr, ss@ = where to put output parameters
	224	*
	225	* Returns: ---
	226	*
	227	* Use: Computes a DSA signature of a message.
92381410 MW	228	*
	229	* This function is deprecated. It's really rather badly
	230	* designed, and hard to use securely (and hard to fix). Please
	231	* use @gdsa_sign@ instead.
8b810a45	232	*/
8b810a45	233
92381410 MW	234	extern
	235	#ifndef CATACOMB_DSAIMPL
	236	DEPRECATED("please use `gdsa_sign' instead")
	237	#endif
	238	void dsa_mksig(const dsa_param /dp/, mp /a/, mp /m/, mp /k/,
	239	mp */rr/, mp /ss*/);
8b810a45	240
	241	/* --- @dsa_sign@ --- *
	242	*
	243	* Arguments: @dsa_param *dp@ = pointer to DSA parameters
	244	* @mp *a@ = pointer to secret signing key
	245	* @const void *m@ = pointer to message
	246	* @size_t msz@ = size of the message
	247	* @const void *k@ = secret random data for securing signature
	248	* @size_t ksz@ = size of secret data
	249	* @void *r@ = pointer to output space for @r@
	250	* @size_t rsz@ = size of output space for @r@
	251	* @void *s@ = pointer to output space for @s@
	252	* @size_t ssz@ = size of output space for @s@
	253	*
	254	* Returns: ---
	255	*
	256	* Use: Signs a message, storing the results in a big-endian binary
	257	* form.
92381410 MW	258	*
	259	* This function is deprecated. It's really rather badly
	260	* designed, and hard to use securely (and hard to fix). Please
	261	* use @gdsa_sign@ instead.
8b810a45	262	*/
8b810a45	263
92381410 MW	264	extern
	265	#ifndef CATACOMB_DSAIMPL
	266	DEPRECATED("please use `gdsa_sign' instead")
	267	#endif
	268	void dsa_sign(dsa_param /dp/, mp /a/,
	269	const void /m/, size_t /msz*/,
	270	const void /k/, size_t /ksz*/,
	271	void /r/, size_t /rsz/, void /s/, size_t /ssz/);
8b810a45	272
	273	/* --- @dsa_vrfy@ --- *
	274	*
	275	* Arguments: @const dsa_param *dp@ = pointer to DSA parameters
b3f05084	276	* @mp *y@ = public verification key
	277	* @mp *m@ = message which was signed
	278	* @mp r, s@ = the signature
8b810a45	279	*
	280	* Returns: Zero if the signature is a forgery, nonzero if it's valid.
	281	*
	282	* Use: Verifies a DSA digital signature.
	283	*/
	284
b3f05084	285	extern int dsa_vrfy(const dsa_param /dp/, mp /y/,
b3f05084	286	mp /m/, mp /r/, mp /s*/);
8b810a45	287
	288	/* --- @dsa_verify@ --- *
	289	*
	290	* Arguments: @const dsa_param *dp@ = pointer to DSA parameters
b3f05084	291	* @mp *y@ = public verification key
8b810a45	292	* @const void *m@ = pointer to message block
	293	* @size_t msz@ = size of message block
	294	* @const void *r@ = pointer to @r@ signature half
	295	* @size_t rsz@ = size of @r@
	296	* @const void *s@ = pointer to @s@ signature half
	297	* @size_t ssz@ = size of @s@
	298	*
	299	* Returns: Zero if the signature is a forgery, nonzero if it's valid.
	300	*
	301	* Use: Verifies a DSA digital signature.
	302	*/
	303
b3f05084	304	extern int dsa_verify(const dsa_param /dp/, mp /y/,
b92da8eb	305	const void /m/, size_t /msz*/,
	306	const void /r/, size_t /rsz*/,
	307	const void /s/, size_t /ssz*/);
8b810a45	308
	309	/----- That's all, folks -------------------------------------------------/
	310
	311	#ifdef __cplusplus
	312	}
	313	#endif
	314
	315	#endif