Initial commit.

[BoarSSL] / Crypto / RFC6979.cs

/*
 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
 *
 * Permission is hereby granted, free of charge, to any person obtaining 
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be 
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

using System;

namespace Crypto {

/*
 * This class implements the computation of the transient secret value
 * "k" for DSA and ECDSA, using the method described in RFC 6979. It
 * can perform the deterministic computation, and optionally inject
 * extra random bytes when randomized signatures are needed.
 */

class RFC6979 {

        HMAC_DRBG drbg;
        byte[] q;
        int qlen;
        ModInt mh;

        internal RFC6979(IDigest h, byte[] q, byte[] x,
                byte[] hv, bool deterministic)
                : this(h, q, x, hv, 0, hv.Length, deterministic)
        {
        }

        internal RFC6979(IDigest h, byte[] q, byte[] x,
                byte[] hv, int hvOff, int hvLen, bool deterministic)
        {
                if (h == null) {
                        h = new SHA256();
                } else {
                        h = h.Dup();
                        h.Reset();
                }
                drbg = new HMAC_DRBG(h);
                mh = new ModInt(q);
                qlen = mh.ModBitLength;
                int qolen = (qlen + 7) >> 3;
                this.q = new byte[qolen];
                Array.Copy(q, q.Length - qolen, this.q, 0, qolen);
                int hlen = hvLen << 3;
                if (hlen > qlen) {
                        byte[] htmp = new byte[hvLen];
                        Array.Copy(hv, hvOff, htmp, 0, hv.Length);
                        BigInt.RShift(htmp, hlen - qlen);
                        hv = htmp;
                        hvOff = 0;
                }
                mh.DecodeReduce(hv, hvOff, hvLen);
                ModInt mx = mh.Dup();
                mx.Decode(x);

                byte[] seed = new byte[(qolen << 1) + (deterministic ? 0 : 32)];
                mx.Encode(seed, 0, qolen);
                mh.Encode(seed, qolen, qolen);
                if (!deterministic) {
                        RNG.GetBytes(seed, qolen << 1,
                                seed.Length - (qolen << 1));
                }
                drbg.SetSeed(seed);
        }

        internal ModInt GetHashMod()
        {
                return mh.Dup();
        }

        internal void NextK(byte[] k)
        {
                for (;;) {
                        drbg.GetBytes(k);
                        BigInt.RShift(k, (k.Length << 3) - qlen);
                        if (!BigInt.IsZero(k) && BigInt.CompareCT(k, q) < 0) {
                                return;
                        }
                }
        }
}

}