nettle/gost: support GOST key unmasking

New Russian reccomendation defines 'key masking' in the form of
several concatenated numbers, which must be multiplied modulo Q to get
private key.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

3 files changed, 87 insertions, 1 deletions

diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am
index b3d9ec5dac..30a195b52b 100644
--- a/lib/nettle/Makefile.am
+++ b/lib/nettle/Makefile.am
@@ -84,6 +84,6 @@ libcrypto_la_SOURCES += \
 	gost/ecc-gost512a.c gost/ecc-gost512a-32.h gost/ecc-gost512a-64.h \
 	gost/ecc-internal.h gost/gmp-glue.h \
 	gost/ecc-gostdsa-sign.c gost/ecc-gostdsa-verify.c \
-	gost/gostdsa-sign.c gost/gostdsa-verify.c \
+	gost/gostdsa-mask.c gost/gostdsa-sign.c gost/gostdsa-verify.c \
 	gost/gostdsa.h gost/ecc-gost-curve.h gost/ecc-gost-hash.c
 endif
diff --git a/lib/nettle/gost/gostdsa-mask.c b/lib/nettle/gost/gostdsa-mask.c
new file mode 100644
index 0000000000..cb9a30280b
--- /dev/null
+++ b/lib/nettle/gost/gostdsa-mask.c
@@ -0,0 +1,81 @@
+/* gostdsa-verify.c
+
+  Copyright (C) 2018 Dmitry Eremin-Solenikov
+
+  This file is part of GNU Nettle.
+
+  GNU Nettle is free software: you can redistribute it and/or
+  modify it under the terms of either:
+
+   * the GNU Lesser General Public License as published by the Free
+    Software Foundation; either version 3 of the License, or (at your
+    option) any later version.
+
+  or
+
+   * the GNU General Public License as published by the Free
+    Software Foundation; either version 2 of the License, or (at your
+    option) any later version.
+
+  or both in parallel, as here.
+
+  GNU Nettle is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  General Public License for more details.
+
+  You should have received copies of the GNU General Public License and
+  the GNU Lesser General Public License along with this program. If
+  not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <gnutls_int.h>
+
+#include <stdlib.h>
+
+#include "gostdsa.h"
+#include "ecc-internal.h"
+
+#include "gmp-glue.h"
+
+/* Key comes in form .... M_2 M_1 K_0,
+  unmask is K_i = K_i-1 * M_i mod Q */
+int
+gostdsa_unmask_key (const struct ecc_curve *ecc,
+		    mpz_t key)
+{
+ unsigned bits = ecc_bit_size (ecc);
+ unsigned keybits = mpz_sizeinbase (key, 2);
+ mpz_t unmasked, temp, temp2, q;
+
+ if (keybits <= bits)
+  return 0;
+
+ mpz_init (unmasked);
+ mpz_init (temp);
+ mpz_init (temp2);
+ mpz_roinit_n (q, ecc->q.m, ecc->q.size);
+ mpz_tdiv_r_2exp (unmasked, key, bits);
+ mpz_tdiv_q_2exp (key, key, bits);
+ keybits -= bits;
+ while (keybits > bits)
+  {
+   mpz_tdiv_r_2exp (temp2, key, bits);
+   mpz_tdiv_q_2exp (key, key, bits);
+   keybits -= bits;
+   mpz_mul (temp, unmasked, temp2);
+   mpz_mod (unmasked, temp, q);
+  }
+ mpz_mul (temp, unmasked, key);
+ mpz_mod (key, temp, q);
+
+ mpz_clear (temp2);
+ mpz_clear (temp);
+ mpz_clear (unmasked);
+
+ return 0;
+}
diff --git a/lib/nettle/gost/gostdsa.h b/lib/nettle/gost/gostdsa.h
index 7546176267..106d17c165 100644
--- a/lib/nettle/gost/gostdsa.h
+++ b/lib/nettle/gost/gostdsa.h
@@ -46,6 +46,7 @@ extern "C" {
 /* Name mangling */
 #define gostdsa_sign _gnutls_gostdsa_sign
 #define gostdsa_verify _gnutls_gostdsa_verify
+#define gostdsa_unmask_key _gnutls_gostdsa_unmask_key
 #define ecc_gostdsa_sign _gnutls_ecc_gostdsa_sign
 #define ecc_gostdsa_sign_itch _gnutls_ecc_gostdsa_sign_itch
 #define ecc_gostdsa_verify _gnutls_ecc_gostdsa_verify
@@ -70,6 +71,10 @@ gostdsa_verify (const struct ecc_point *pub,
 	        size_t length, const uint8_t *digest,
 	        const struct dsa_signature *signature);
 
+int
+gostdsa_unmask_key (const struct ecc_curve *ecc,
+		    mpz_t key);
+
 /* Low-level GOSTDSA functions. */
 mp_size_t
 ecc_gostdsa_sign_itch (const struct ecc_curve *ecc);