chiark / gitweb /
base/dispatch.c: Recognize `CPUFEAT_ARM_NEON' as requesting ARM64 SIMD.
[catacomb] / pub / dsa-misc.c
CommitLineData
c97fbcf9
MW
1/* -*-c-*-
2 *
3 * Useful functions for doing DSA
4 *
5 * (c) 2008 Straylight/Edgeware
6 */
7
8/*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Catacomb.
11 *
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
16 *
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
21 *
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 * MA 02111-1307, USA.
26 */
27
28/*----- Header files ------------------------------------------------------*/
29
30#include "dsa.h"
31
32/*----- Main code ---------------------------------------------------------*/
33
34/* --- @dsa_h2n@ --- *
35 *
36 * Arguments: @mp *d@ = destination integer
37 * @mp *r@ = order of the DSA group
38 * @const void *h@ = pointer to message hash
39 * @size_t hsz@ = size (in bytes) of the hash output
40 *
41 * Returns: Resulting integer.
42 *
43 * Use: Converts a hash to an integer in the demented way necessary
44 * for DSA/ECDSA. This is, of course, completely insane, but
45 * there you go.
46 */
47
48mp *dsa_h2n(mp *d, mp *r, const void *h, size_t hsz)
49{
50 size_t n = mp_bits(r);
51 size_t l = hsz;
52 size_t s = 0;
53
54 if (n < 8*l) {
55 l = (n + 7)/8;
56 s = 8*l - n;
57 }
58 d = mp_loadb(d, h, l);
59 if (s)
60 d = mp_lsr(d, d, s);
61 return (d);
62}
63
77fdf13a
MW
64/* --- @dsa_nonce@ --- *
65 *
66 * Arguments: @mp *d@ = destination integer
67 * @mp *q@ = order of the DSA group
68 * @mp *x@ = secret key
69 * @const octet *m@ = message hash
49a7bf52 70 * @const gchash *ch@ = hash class
77fdf13a
MW
71 * @grand *r@ = random bit source, or null
72 *
73 * Returns: A nonce.
74 *
75 * Use: Generates a nonce for use in DSA (or another Fiat--Shamir
76 * signature scheme).
77 */
78
79mp *dsa_nonce(mp *d, mp *q, mp *x, const octet *m,
80 const gchash *ch, grand *r)
81{
82 uint32 i = 0;
83 size_t nb = mp_bits(q), n = (nb + 7)/8, j;
84 size_t bsz = 2*n + 2*ch->hashsz;
85 octet *b = XS_ALLOC(bsz);
86 octet *kb = b, *rb = kb + n, *hb = rb + ch->hashsz;
8878e543 87 static const char prefix[] = "catacomb-dsa-nonce";
77fdf13a
MW
88 ghash *h;
89
90 mp_storeb(x, kb, n);
91 if (r) grand_fill(r, rb, ch->hashsz);
92
93 do {
94 for (j = 0; j < n; j += ch->hashsz) {
95 h = GH_INIT(ch);
8878e543 96 GH_HASH(h, prefix, sizeof(prefix));
77fdf13a
MW
97 GH_HASHBUF32(h, kb, n);
98 GH_HASHBUF32(h, m, ch->hashsz);
99 if (r) GH_HASHBUF32(h, rb, ch->hashsz);
100 GH_HASHU32(h, i);
101 GH_DONE(h, hb + j);
102 GH_DESTROY(h);
103 i++;
104 }
105 d = mp_loadb(d, hb, n);
106 d = mp_lsr(d, d, 8*n - nb);
107 } while (MP_CMP(d, >=, q));
108
109 memset(b, 0, bsz); XS_FREE(b);
110 return (d);
111}
112
c97fbcf9 113/*----- That's all, folks -------------------------------------------------*/