Xuyi Wang
/
wolfSSL
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Diff: wolfcrypt/src/dsa.c
- Revision:
- 17:ff9d1e86ad5f
- Parent:
- 16:048e5e270a58
--- a/wolfcrypt/src/dsa.c Tue Nov 19 14:32:16 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,791 +0,0 @@
-/* dsa.c
- *
- * Copyright (C) 2006-2017 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-
-#ifdef HAVE_CONFIG_H
- #include <config.h>
-#endif
-
-#include <wolfssl/wolfcrypt/settings.h>
-
-#ifndef NO_DSA
-
-#include <wolfssl/wolfcrypt/random.h>
-#include <wolfssl/wolfcrypt/integer.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-#include <wolfssl/wolfcrypt/logging.h>
-#include <wolfssl/wolfcrypt/sha.h>
-#include <wolfssl/wolfcrypt/dsa.h>
-
-#ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
-#else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
-#endif
-
-
-enum {
- DSA_HALF_SIZE = 20, /* r and s size */
- DSA_SIG_SIZE = 40 /* signature size */
-};
-
-
-
-int wc_InitDsaKey(DsaKey* key)
-{
- if (key == NULL)
- return BAD_FUNC_ARG;
-
- key->type = -1; /* haven't decided yet */
- key->heap = NULL;
-
- return mp_init_multi(
- /* public alloc parts */
- &key->p,
- &key->q,
- &key->g,
- &key->y,
-
- /* private alloc parts */
- &key->x,
- NULL
- );
-}
-
-
-int wc_InitDsaKey_h(DsaKey* key, void* h)
-{
- int ret = wc_InitDsaKey(key);
- if (ret == 0)
- key->heap = h;
-
- return ret;
-}
-
-
-void wc_FreeDsaKey(DsaKey* key)
-{
- if (key == NULL)
- return;
-
- if (key->type == DSA_PRIVATE)
- mp_forcezero(&key->x);
-
- mp_clear(&key->x);
- mp_clear(&key->y);
- mp_clear(&key->g);
- mp_clear(&key->q);
- mp_clear(&key->p);
-}
-
-
-/* validate that (L,N) match allowed sizes from FIPS 186-4, Section 4.2.
- * modLen - represents L, the size of p (prime modulus) in bits
- * divLen - represents N, the size of q (prime divisor) in bits
- * return 0 on success, -1 on error */
-static int CheckDsaLN(int modLen, int divLen)
-{
- int ret = -1;
-
- switch (modLen) {
- case 1024:
- if (divLen == 160)
- ret = 0;
- break;
- case 2048:
- if (divLen == 224 || divLen == 256)
- ret = 0;
- break;
- case 3072:
- if (divLen == 256)
- ret = 0;
- break;
- default:
- break;
- }
-
- return ret;
-}
-
-
-#ifdef WOLFSSL_KEY_GEN
-
-/* Create DSA key pair (&dsa->x, &dsa->y)
- *
- * Based on NIST FIPS 186-4,
- * "B.1.1 Key Pair Generation Using Extra Random Bits"
- *
- * rng - pointer to initialized WC_RNG structure
- * dsa - pointer to initialized DsaKey structure, will hold generated key
- *
- * return 0 on success, negative on error */
-int wc_MakeDsaKey(WC_RNG *rng, DsaKey *dsa)
-{
- byte* cBuf;
- int qSz, pSz, cSz, err;
- mp_int tmpQ;
-
- if (rng == NULL || dsa == NULL)
- return BAD_FUNC_ARG;
-
- qSz = mp_unsigned_bin_size(&dsa->q);
- pSz = mp_unsigned_bin_size(&dsa->p);
-
- /* verify (L,N) pair bit lengths */
- if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0)
- return BAD_FUNC_ARG;
-
- /* generate extra 64 bits so that bias from mod function is negligible */
- cSz = qSz + (64 / WOLFSSL_BIT_SIZE);
- cBuf = (byte*)XMALLOC(cSz, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (cBuf == NULL) {
- return MEMORY_E;
- }
-
- if ((err = mp_init_multi(&dsa->x, &dsa->y, &tmpQ, NULL, NULL, NULL))
- != MP_OKAY) {
- XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return err;
- }
-
- do {
- /* generate N+64 bits (c) from RBG into &dsa->x, making sure positive.
- * Hash_DRBG uses SHA-256 which matches maximum
- * requested_security_strength of (L,N) */
- err = wc_RNG_GenerateBlock(rng, cBuf, cSz);
- if (err != MP_OKAY) {
- mp_clear(&dsa->x);
- mp_clear(&dsa->y);
- mp_clear(&tmpQ);
- XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return err;
- }
-
- err = mp_read_unsigned_bin(&dsa->x, cBuf, cSz);
- if (err != MP_OKAY) {
- mp_clear(&dsa->x);
- mp_clear(&dsa->y);
- mp_clear(&tmpQ);
- XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return err;
- }
- } while (mp_cmp_d(&dsa->x, 1) != MP_GT);
-
- XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
-
- /* tmpQ = q - 1 */
- if (err == MP_OKAY)
- err = mp_copy(&dsa->q, &tmpQ);
-
- if (err == MP_OKAY)
- err = mp_sub_d(&tmpQ, 1, &tmpQ);
-
- /* x = c mod (q-1), &dsa->x holds c */
- if (err == MP_OKAY)
- err = mp_mod(&dsa->x, &tmpQ, &dsa->x);
-
- /* x = c mod (q-1) + 1 */
- if (err == MP_OKAY)
- err = mp_add_d(&dsa->x, 1, &dsa->x);
-
- /* public key : y = g^x mod p */
- if (err == MP_OKAY)
- err = mp_exptmod(&dsa->g, &dsa->x, &dsa->p, &dsa->y);
-
- if (err == MP_OKAY)
- dsa->type = DSA_PRIVATE;
-
- if (err != MP_OKAY) {
- mp_clear(&dsa->x);
- mp_clear(&dsa->y);
- }
- mp_clear(&tmpQ);
-
- return err;
-}
-
-
-/* modulus_size in bits */
-int wc_MakeDsaParameters(WC_RNG *rng, int modulus_size, DsaKey *dsa)
-{
- mp_int tmp, tmp2;
- int err, msize, qsize,
- loop_check_prime = 0,
- check_prime = MP_NO;
- unsigned char *buf;
-
- if (rng == NULL || dsa == NULL)
- return BAD_FUNC_ARG;
-
- /* set group size in bytes from modulus size
- * FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256)
- */
- switch (modulus_size) {
- case 1024:
- qsize = 20;
- break;
- case 2048:
- case 3072:
- qsize = 32;
- break;
- default:
- return BAD_FUNC_ARG;
- break;
- }
-
- /* modulus size in bytes */
- msize = modulus_size / WOLFSSL_BIT_SIZE;
-
- /* allocate ram */
- buf = (unsigned char *)XMALLOC(msize - qsize,
- dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (buf == NULL) {
- return MEMORY_E;
- }
-
- /* make a random string that will be multplied against q */
- err = wc_RNG_GenerateBlock(rng, buf, msize - qsize);
- if (err != MP_OKAY) {
- XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return err;
- }
-
- /* force magnitude */
- buf[0] |= 0xC0;
-
- /* force even */
- buf[msize - qsize - 1] &= ~1;
-
- if (mp_init_multi(&tmp2, &dsa->p, &dsa->q, 0, 0, 0) != MP_OKAY) {
- mp_clear(&dsa->q);
- XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return MP_INIT_E;
- }
-
- err = mp_read_unsigned_bin(&tmp2, buf, msize - qsize);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp2);
- XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
- return err;
- }
- XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
-
- /* make our prime q */
- err = mp_rand_prime(&dsa->q, qsize, rng, NULL);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp2);
- return err;
- }
-
- /* p = random * q */
- err = mp_mul(&dsa->q, &tmp2, &dsa->p);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp2);
- return err;
- }
-
- /* p = random * q + 1, so q is a prime divisor of p-1 */
- err = mp_add_d(&dsa->p, 1, &dsa->p);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp2);
- return err;
- }
-
- if (mp_init(&tmp) != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp2);
- return MP_INIT_E;
- }
-
- /* tmp = 2q */
- err = mp_add(&dsa->q, &dsa->q, &tmp);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return err;
- }
-
- /* loop until p is prime */
- while (check_prime == MP_NO) {
- err = mp_prime_is_prime(&dsa->p, 8, &check_prime);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return err;
- }
-
- if (check_prime != MP_YES) {
- /* p += 2q */
- err = mp_add(&tmp, &dsa->p, &dsa->p);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return err;
- }
-
- loop_check_prime++;
- }
- }
-
- /* tmp2 += (2*loop_check_prime)
- * to have p = (q * tmp2) + 1 prime
- */
- if (loop_check_prime) {
- err = mp_add_d(&tmp2, 2*loop_check_prime, &tmp2);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return err;
- }
- }
-
- if (mp_init(&dsa->g) != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return MP_INIT_E;
- }
-
- /* find a value g for which g^tmp2 != 1 */
- if (mp_set(&dsa->g, 1) != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return MP_INIT_E;
- }
-
- do {
- err = mp_add_d(&dsa->g, 1, &dsa->g);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&dsa->g);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return err;
- }
-
- err = mp_exptmod(&dsa->g, &tmp2, &dsa->p, &tmp);
- if (err != MP_OKAY) {
- mp_clear(&dsa->q);
- mp_clear(&dsa->p);
- mp_clear(&dsa->g);
- mp_clear(&tmp);
- mp_clear(&tmp2);
- return err;
- }
-
- } while (mp_cmp_d(&tmp, 1) == MP_EQ);
-
- /* at this point tmp generates a group of order q mod p */
- mp_exch(&tmp, &dsa->g);
-
- mp_clear(&tmp);
- mp_clear(&tmp2);
-
- return MP_OKAY;
-}
-#endif /* WOLFSSL_KEY_GEN */
-
-
-/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
- * input parameters (p,q,g) should be represented as ASCII hex values.
- *
- * dsa - pointer to initialized DsaKey structure
- * p - DSA (p) parameter, ASCII hex string
- * pSz - length of p
- * q - DSA (q) parameter, ASCII hex string
- * qSz - length of q
- * g - DSA (g) parameter, ASCII hex string
- * gSz - length of g
- *
- * returns 0 on success, negative upon failure
- */
-int wc_DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
- const char* g)
-{
- int err;
- word32 pSz, qSz;
-
- if (dsa == NULL || p == NULL || q == NULL || g == NULL)
- return BAD_FUNC_ARG;
-
- /* read p */
- err = mp_read_radix(&dsa->p, p, MP_RADIX_HEX);
-
- /* read q */
- if (err == MP_OKAY)
- err = mp_read_radix(&dsa->q, q, MP_RADIX_HEX);
-
- /* read g */
- if (err == MP_OKAY)
- err = mp_read_radix(&dsa->g, g, MP_RADIX_HEX);
-
- /* verify (L,N) pair bit lengths */
- pSz = mp_unsigned_bin_size(&dsa->p);
- qSz = mp_unsigned_bin_size(&dsa->q);
-
- if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
- WOLFSSL_MSG("Invalid DSA p or q parameter size");
- err = BAD_FUNC_ARG;
- }
-
- if (err != MP_OKAY) {
- mp_clear(&dsa->p);
- mp_clear(&dsa->q);
- mp_clear(&dsa->g);
- }
-
- return err;
-}
-
-
-/* Export raw DSA parameters from DsaKey structure
- *
- * dsa - pointer to initialized DsaKey structure
- * p - output location for DSA (p) parameter
- * pSz - [IN/OUT] size of output buffer for p, size of p
- * q - output location for DSA (q) parameter
- * qSz - [IN/OUT] size of output buffer for q, size of q
- * g - output location for DSA (g) parameter
- * gSz - [IN/OUT] size of output buffer for g, size of g
- *
- * If p, q, and g pointers are all passed in as NULL, the function
- * will set pSz, qSz, and gSz to the required output buffer sizes for p,
- * q, and g. In this case, the function will return LENGTH_ONLY_E.
- *
- * returns 0 on success, negative upon failure
- */
-int wc_DsaExportParamsRaw(DsaKey* dsa, byte* p, word32* pSz,
- byte* q, word32* qSz, byte* g, word32* gSz)
-{
- int err;
- word32 pLen, qLen, gLen;
-
- if (dsa == NULL || pSz == NULL || qSz == NULL || gSz == NULL)
- return BAD_FUNC_ARG;
-
- /* get required output buffer sizes */
- pLen = mp_unsigned_bin_size(&dsa->p);
- qLen = mp_unsigned_bin_size(&dsa->q);
- gLen = mp_unsigned_bin_size(&dsa->g);
-
- /* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
- if (p == NULL && q == NULL && g == NULL) {
- *pSz = pLen;
- *qSz = qLen;
- *gSz = gLen;
- return LENGTH_ONLY_E;
- }
-
- if (p == NULL || q == NULL || g == NULL)
- return BAD_FUNC_ARG;
-
- /* export p */
- if (*pSz < pLen) {
- WOLFSSL_MSG("Output buffer for DSA p parameter too small, "
- "required size placed into pSz");
- *pSz = pLen;
- return BUFFER_E;
- }
- *pSz = pLen;
- err = mp_to_unsigned_bin(&dsa->p, p);
-
- /* export q */
- if (err == MP_OKAY) {
- if (*qSz < qLen) {
- WOLFSSL_MSG("Output buffer for DSA q parameter too small, "
- "required size placed into qSz");
- *qSz = qLen;
- return BUFFER_E;
- }
- *qSz = qLen;
- err = mp_to_unsigned_bin(&dsa->q, q);
- }
-
- /* export g */
- if (err == MP_OKAY) {
- if (*gSz < gLen) {
- WOLFSSL_MSG("Output buffer for DSA g parameter too small, "
- "required size placed into gSz");
- *gSz = gLen;
- return BUFFER_E;
- }
- *gSz = gLen;
- err = mp_to_unsigned_bin(&dsa->g, g);
- }
-
- return err;
-}
-
-
-/* Export raw DSA key (x, y) from DsaKey structure
- *
- * dsa - pointer to initialized DsaKey structure
- * x - output location for private key
- * xSz - [IN/OUT] size of output buffer for x, size of x
- * y - output location for public key
- * ySz - [IN/OUT] size of output buffer for y, size of y
- *
- * If x and y pointers are all passed in as NULL, the function
- * will set xSz and ySz to the required output buffer sizes for x
- * and y. In this case, the function will return LENGTH_ONLY_E.
- *
- * returns 0 on success, negative upon failure
- */
-int wc_DsaExportKeyRaw(DsaKey* dsa, byte* x, word32* xSz, byte* y, word32* ySz)
-{
- int err;
- word32 xLen, yLen;
-
- if (dsa == NULL || xSz == NULL || ySz == NULL)
- return BAD_FUNC_ARG;
-
- /* get required output buffer sizes */
- xLen = mp_unsigned_bin_size(&dsa->x);
- yLen = mp_unsigned_bin_size(&dsa->y);
-
- /* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
- if (x == NULL && y == NULL) {
- *xSz = xLen;
- *ySz = yLen;
- return LENGTH_ONLY_E;
- }
-
- if (x == NULL || y == NULL)
- return BAD_FUNC_ARG;
-
- /* export x */
- if (*xSz < xLen) {
- WOLFSSL_MSG("Output buffer for DSA private key (x) too small, "
- "required size placed into xSz");
- *xSz = xLen;
- return BUFFER_E;
- }
- *xSz = xLen;
- err = mp_to_unsigned_bin(&dsa->x, x);
-
- /* export y */
- if (err == MP_OKAY) {
- if (*ySz < yLen) {
- WOLFSSL_MSG("Output buffer to DSA public key (y) too small, "
- "required size placed into ySz");
- *ySz = yLen;
- return BUFFER_E;
- }
- *ySz = yLen;
- err = mp_to_unsigned_bin(&dsa->y, y);
- }
-
- return err;
-}
-
-
-int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
-{
- mp_int k, kInv, r, s, H;
- int ret, sz;
- byte buffer[DSA_HALF_SIZE];
- byte* tmp; /* initial output pointer */
-
- if (digest == NULL || out == NULL || key == NULL || rng == NULL) {
- return BAD_FUNC_ARG;
- }
-
- tmp = out;
-
- sz = min((int)sizeof(buffer), mp_unsigned_bin_size(&key->q));
-
- if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
- return MP_INIT_E;
-
- do {
- /* generate k */
- ret = wc_RNG_GenerateBlock(rng, buffer, sz);
- if (ret != 0)
- return ret;
-
- buffer[0] |= 0x0C;
-
- if (mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
- ret = MP_READ_E;
-
- /* k is a random numnber and it should be less than q
- * if k greater than repeat
- */
- } while (mp_cmp(&k, &key->q) != MP_LT);
-
- if (ret == 0 && mp_cmp_d(&k, 1) != MP_GT)
- ret = MP_CMP_E;
-
- /* inverse k mod q */
- if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
- ret = MP_INVMOD_E;
-
- /* generate r, r = (g exp k mod p) mod q */
- if (ret == 0 && mp_exptmod(&key->g, &k, &key->p, &r) != MP_OKAY)
- ret = MP_EXPTMOD_E;
-
- if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
- ret = MP_MOD_E;
-
- /* generate H from sha digest */
- if (ret == 0 && mp_read_unsigned_bin(&H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
- ret = MP_READ_E;
-
- /* generate s, s = (kInv * (H + x*r)) % q */
- if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
- ret = MP_MUL_E;
-
- if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
- ret = MP_ADD_E;
-
- if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
- ret = MP_MULMOD_E;
-
- /* detect zero r or s */
- if (ret == 0 && (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES))
- ret = MP_ZERO_E;
-
- /* write out */
- if (ret == 0) {
- int rSz = mp_unsigned_bin_size(&r);
- int sSz = mp_unsigned_bin_size(&s);
-
- while (rSz++ < DSA_HALF_SIZE) {
- *out++ = 0x00; /* pad front with zeros */
- }
-
- if (mp_to_unsigned_bin(&r, out) != MP_OKAY)
- ret = MP_TO_E;
- else {
- out = tmp + DSA_HALF_SIZE; /* advance to s in output */
- while (sSz++ < DSA_HALF_SIZE) {
- *out++ = 0x00; /* pad front with zeros */
- }
- ret = mp_to_unsigned_bin(&s, out);
- }
- }
-
- mp_clear(&H);
- mp_clear(&s);
- mp_clear(&r);
- mp_clear(&kInv);
- mp_clear(&k);
-
- return ret;
-}
-
-
-int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
-{
- mp_int w, u1, u2, v, r, s;
- int ret = 0;
-
- if (digest == NULL || sig == NULL || key == NULL || answer == NULL) {
- return BAD_FUNC_ARG;
- }
-
- if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY)
- return MP_INIT_E;
-
- /* set r and s from signature */
- if (mp_read_unsigned_bin(&r, sig, DSA_HALF_SIZE) != MP_OKAY ||
- mp_read_unsigned_bin(&s, sig + DSA_HALF_SIZE, DSA_HALF_SIZE) != MP_OKAY)
- ret = MP_READ_E;
-
- /* sanity checks */
- if (ret == 0) {
- if (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES ||
- mp_cmp(&r, &key->q) != MP_LT || mp_cmp(&s, &key->q) != MP_LT) {
- ret = MP_ZERO_E;
- }
- }
-
- /* put H into u1 from sha digest */
- if (ret == 0 && mp_read_unsigned_bin(&u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
- ret = MP_READ_E;
-
- /* w = s invmod q */
- if (ret == 0 && mp_invmod(&s, &key->q, &w) != MP_OKAY)
- ret = MP_INVMOD_E;
-
- /* u1 = (H * w) % q */
- if (ret == 0 && mp_mulmod(&u1, &w, &key->q, &u1) != MP_OKAY)
- ret = MP_MULMOD_E;
-
- /* u2 = (r * w) % q */
- if (ret == 0 && mp_mulmod(&r, &w, &key->q, &u2) != MP_OKAY)
- ret = MP_MULMOD_E;
-
- /* verify v = ((g^u1 * y^u2) mod p) mod q */
- if (ret == 0 && mp_exptmod(&key->g, &u1, &key->p, &u1) != MP_OKAY)
- ret = MP_EXPTMOD_E;
-
- if (ret == 0 && mp_exptmod(&key->y, &u2, &key->p, &u2) != MP_OKAY)
- ret = MP_EXPTMOD_E;
-
- if (ret == 0 && mp_mulmod(&u1, &u2, &key->p, &v) != MP_OKAY)
- ret = MP_MULMOD_E;
-
- if (ret == 0 && mp_mod(&v, &key->q, &v) != MP_OKAY)
- ret = MP_MULMOD_E;
-
- /* do they match */
- if (ret == 0 && mp_cmp(&r, &v) == MP_EQ)
- *answer = 1;
- else
- *answer = 0;
-
- mp_clear(&s);
- mp_clear(&r);
- mp_clear(&u1);
- mp_clear(&u2);
- mp_clear(&w);
- mp_clear(&v);
-
- return ret;
-}
-
-
-#endif /* NO_DSA */
-
-