diff --git a/dsa-sign.c b/dsa-sign.c
new file mode 100644
index 0000000000000000000000000000000000000000..a22b0a52a3674836616d2185945bf33bc83a3872
--- /dev/null
+++ b/dsa-sign.c
@@ -0,0 +1,116 @@
+/* dsa-sign.c
+ *
+ * The DSA publickey algorithm.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#if WITH_PUBLIC_KEY
+
+#include "dsa.h"
+
+#include "bignum.h"
+
+#include <stdlib.h>
+
+/* Returns a number x, almost uniformly random in the range
+ * 0 <= x < n. */
+static void
+nettle_mpz_random(mpz_t x, const mpz_t n,
+ void *ctx, nettle_random_func random)
+{
+ /* FIXME: This leaves some bias, which may be bad for DSA. A better
+ * way might to generate a random number of mpz_sizeinbase(n, 2)
+ * bits, and loop until one smaller than n is found. */
+
+ /* From Daniel Bleichenbacher (via coderpunks):
+ *
+ * There is still a theoretical attack possible with 8 extra bits.
+ * But, the attack would need about 2^66 signatures 2^66 memory and
+ * 2^66 time (if I remember that correctly). Compare that to DSA,
+ * where the attack requires 2^22 signatures 2^40 memory and 2^64
+ * time. And of course, the numbers above are not a real threat for
+ * PGP. Using 16 extra bits (i.e. generating a 176 bit random number
+ * and reducing it modulo q) will defeat even this theoretical
+ * attack.
+ *
+ * More generally log_2(q)/8 extra bits are enough to defeat my
+ * attack. NIST also plans to update the standard.
+ */
+
+ /* Add a few bits extra, to decrease the bias from the final modulo
+ * operation. */
+ unsigned ndigits = (mpz_sizeinbase(n, 2) + 7) / 8 + 2;
+ uint8_t *digits = alloca(ndigits);
+
+ random(ctx, ndigits, digits);
+ nettle_mpz_set_str_256(x, ndigits, digits);
+
+ mpz_fdiv_r(x, x, n);
+}
+
+void
+dsa_sign(struct dsa_private_key *key,
+ void *random_ctx, nettle_random_func random,
+ struct sha1_ctx *hash,
+ struct dsa_signature *signature)
+{
+ mpz_t k;
+ mpz_t h;
+ mpz_t tmp;
+
+ /* Select k, 0<k<q, randomly */
+ mpz_init_set(tmp, key->pub.q);
+ mpz_sub_ui(tmp, tmp, 1);
+
+ mpz_init(k);
+ nettle_mpz_random(k, tmp, random_ctx, random);
+ mpz_add_ui(k, k, 1);
+
+ /* Compute r = (g^k (mod p)) (mod q) */
+ mpz_powm(tmp, key->pub.g, k, key->pub.p);
+ mpz_fdiv_r(signature->r, tmp, key->pub.q);
+
+ /* Compute hash */
+ _dsa_hash(h, hash);
+
+ /* Compute k^-1 (mod q) */
+ if (!mpz_invert(k, k, key->pub.q))
+ /* What do we do now? The key is invalid. */
+ abort();
+
+ /* Compute signature s = k^-1(h + xr) (mod q) */
+ mpz_mul(tmp, signature->r, key->x);
+ mpz_fdiv_r(tmp, tmp, key->pub.q);
+ mpz_add(tmp, tmp, h);
+ mpz_mul(tmp, tmp, k);
+ mpz_fdiv_r(signature->s, tmp, key->pub.q);
+
+ mpz_clear(k);
+ mpz_clear(h);
+ mpz_clear(tmp);
+}
+
+#endif /* WITH_PUBLIC_KEY */
diff --git a/dsa-verify.c b/dsa-verify.c
new file mode 100644
index 0000000000000000000000000000000000000000..ba73d344400f442384dc95eaf77d8f57224cefa5
--- /dev/null
+++ b/dsa-verify.c
@@ -0,0 +1,100 @@
+/* dsa-verify.c
+ *
+ * The DSA publickey algorithm.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#if WITH_PUBLIC_KEY
+
+#include "dsa.h"
+
+#include <stdlib.h>
+
+int
+dsa_verify(struct dsa_public_key *key,
+ struct sha1_ctx *hash,
+ const struct dsa_signature *signature)
+{
+ mpz_t w;
+ mpz_t tmp;
+ mpz_t v;
+
+ int res;
+
+ /* Check that r and s are in the proper range */
+ if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, key->q) >= 0)
+ return 0;
+
+ if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, key->q) >= 0)
+ return 0;
+
+ mpz_init(w);
+
+ /* Compute w = s^-1 (mod q) */
+
+ /* NOTE: In gmp-2, mpz_invert sometimes generates negative inverses,
+ * so we need gmp-3 or better. */
+ if (!mpz_invert(w, signature->s, key->q))
+ {
+ mpz_clear(w);
+ return 0;
+ }
+
+ mpz_init(tmp);
+ mpz_init(v);
+
+ /* Compute hash */
+ _dsa_hash(tmp, hash);
+
+ /* v = g^{w * h (mod q)} (mod p) */
+
+ mpz_mul(tmp, tmp, w);
+ mpz_fdiv_r(tmp, tmp, key->q);
+
+ mpz_powm(v, key->g, tmp, key->p);
+
+ /* y^{w * r (mod q) } (mod p) */
+ mpz_mul(tmp, signature->r, w);
+ mpz_fdiv_r(tmp, tmp, key->q);
+
+ mpz_powm(tmp, key->y, tmp, key->p);
+
+ /* v = (g^{w * h} * y^{w * r} (mod p) ) (mod q) */
+ mpz_mul(v, v, tmp);
+ mpz_fdiv_r(v, v, key->p);
+
+ mpz_fdiv_r(v, v, key->q);
+
+ res = !mpz_cmp(v, signature->r);
+
+ mpz_clear(w);
+ mpz_clear(tmp);
+ mpz_clear(v);
+
+ return res;
+}
+
+#endif /* WITH_PUBLIC_KEY */
diff --git a/dsa.c b/dsa.c
new file mode 100644
index 0000000000000000000000000000000000000000..ae9f4bb9b006d90b9927d82609f743367da810cd
--- /dev/null
+++ b/dsa.c
@@ -0,0 +1,93 @@
+/* dsa.h
+ *
+ * The DSA publickey algorithm.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#if WITH_PUBLIC_KEY
+
+#include "dsa.h"
+
+#include "bignum.h"
+
+void
+dsa_public_key_init(struct dsa_public_key *key)
+{
+ mpz_init(key->p);
+ mpz_init(key->q);
+ mpz_init(key->g);
+ mpz_init(key->y);
+}
+
+void
+dsa_public_key_clear(struct dsa_public_key *key)
+{
+ mpz_clear(key->p);
+ mpz_clear(key->q);
+ mpz_clear(key->g);
+ mpz_clear(key->y);
+}
+
+
+void
+dsa_private_key_init(struct dsa_private_key *key)
+{
+ dsa_public_key_init(&key->pub);
+ mpz_init(key->x);
+}
+
+void
+dsa_private_key_clear(struct dsa_private_key *key)
+{
+ dsa_public_key_clear(&key->pub);
+ mpz_clear(key->x);
+}
+
+
+void
+dsa_signature_init(struct dsa_signature *signature)
+{
+ mpz_init(signature->r);
+ mpz_init(signature->s);
+}
+
+void
+dsa_signature_clear(struct dsa_signature *signature)
+{
+ mpz_clear(signature->r);
+ mpz_clear(signature->s);
+}
+
+void
+_dsa_hash(mpz_t x, struct sha1_ctx *hash)
+{
+ uint8_t digest[SHA1_DIGEST_SIZE];
+ sha1_digest(hash, sizeof(digest), digest);
+
+ nettle_mpz_set_str_256(x, sizeof(digest), digest);
+}
+
+#endif /* WITH_PUBLIC_KEY */
diff --git a/dsa.h b/dsa.h
new file mode 100644
index 0000000000000000000000000000000000000000..4c60cb033d6489e2f95e17cc9e2abfb9ad8e54d1
--- /dev/null
+++ b/dsa.h
@@ -0,0 +1,158 @@
+/* dsa.h
+ *
+ * The DSA publickey algorithm.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#ifndef NETTLE_DSA_H_INCLUDED
+#define NETTLE_DSA_H_INCLUDED
+
+#include <inttypes.h>
+#include <gmp.h>
+
+#include "sha.h"
+
+/* For nettle_random_func */
+#include "nettle-meta.h"
+
+
+struct dsa_public_key
+{
+ /* Modulo */
+ mpz_t p;
+
+ /* Group order */
+ mpz_t q;
+
+ /* Generator */
+ mpz_t g;
+
+ /* Public value */
+ mpz_t y;
+};
+
+struct dsa_private_key
+{
+ /* Unlike an rsa public key, all the public information is needed,
+ * in addition to the private information. */
+ struct dsa_public_key pub;
+ mpz_t x;
+};
+
+struct dsa_signature
+{
+ mpz_t r;
+ mpz_t s;
+};
+
+/* Signing a message works as follows:
+ *
+ * Store the private key in a dsa_private_key struct.
+ *
+ * Initialize a hashing context, by callling
+ * sha1_init
+ *
+ * Hash the message by calling
+ * sha1_update
+ *
+ * Create the signature by calling
+ * dsa_sign
+ *
+ * The signature is represented as two mpz_t bignums. This call also
+ * resets the hashing context.
+ *
+ * When done with the key and signature, don't forget to call
+ * mpz_clear.
+ */
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_public_key_init(struct dsa_public_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_public_key_clear(struct dsa_public_key *key);
+
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_private_key_init(struct dsa_private_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_private_key_clear(struct dsa_private_key *key);
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_signature_init(struct dsa_signature *signature);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_signature_clear(struct dsa_signature *signature);
+
+
+void
+_dsa_hash(mpz_t x, struct sha1_ctx *hash);
+
+void
+dsa_sign(struct dsa_private_key *key,
+ void *random_ctx, nettle_random_func random,
+ struct sha1_ctx *hash,
+ struct dsa_signature *signature);
+
+
+int
+dsa_verify(struct dsa_public_key *key,
+ struct sha1_ctx *hash,
+ const struct dsa_signature *signature);
+
+/* Key generation */
+
+#if 0
+/* Note that the key structs must be initialized first. */
+int
+dsa_generate_keypair(struct dsa_public_key *pub,
+ struct dsa_private_key *key,
+
+ void *random_ctx, nettle_random_func random,
+ void *progress_ctx, nettle_progress_func progress,
+
+ /* Desired size of modulo, in bits */
+ unsigned n_size,
+
+ /* Desired size of public exponent, in bits. If
+ * zero, the passed in value pub->e is used. */
+ unsigned e_size);
+
+
+#define DSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
+ algorithm##_update(ctx, length, data), \
+ dsa_##algorithm##_sign(key, ctx, signature) \
+)
+
+#define DSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
+ algorithm##_update(ctx, length, data), \
+ dsa_##algorithm##_verify(key, ctx, signature) \
+)
+#endif
+
+#endif /* NETTLE_DSA_H_INCLUDED */