ChangeLog

+2014-03-25  Niels Möller  <nisse@lysator.liu.se>
+
+	* testsuite/dsa-keygen-test.c (test_main): Do dsa_param cast once,
+	and assign to variable. Test dsa_generate_params and
+	dsa_generate_keypair with a large q; p_bits = 1024, q_bits = 768.
+
+	* dsa.h: Deleted old interface (moved to dsa-compat.h).
+	(struct dsa_value): Deleted. Updated many files.
+
+	* Makefile.in (hogweed_SOURCES): Add dsa-compat.c and
+	dsa-compat-keygen.c, remove dsa-keygen-old.c.
+	(HEADERS): Add dsa-compat.h.
+
+	* dsa-compat.c: New file.
+	* dsa-compat.h: New file. Include in corresponding C files.
+
+	* dsa-compat-keygen.c: Renamed file, ...
+	* dsa-keygen-old.c: ... old name.
+
+2014-03-11  Niels Möller  <nisse@lysator.liu.se>
+
+	* examples/hogweed-benchmark.c: Update dsa benchmarking to use new
+	DSA interface.
+
+	* dsa.h: Updated prototypes.
+
+	* sexp2dsa.c (dsa_sha1_keypair_from_sexp)
+	(dsa_sha256_keypair_from_sexp): Converted to new DSA interface.
+	(dsa_keypair_from_sexp_alist): Converted to new DSA
+	interface. Allow q_size == 0, meaning any q < p is allowed.
+	Additional validity checks.
+
+	* der2dsa.c (dsa_params_from_der_iterator): Likewise.
+	(dsa_public_key_from_der_iterator): Converted to new DSA
+	interface. Also check that the public value is in the correct
+	range.
+	(dsa_openssl_private_key_from_der_iterator): Converted
+	to new DSA interface. Additional validity checks.
+	(dsa_openssl_private_key_from_der): Converted to new DSA
+	interface.
+
+	* tools/pkcs1-conv.c (convert_dsa_private_key): Use new DSA
+	interface.
+	(convert_public_key): Likewise.
+
+	* dsa2sexp.c (dsa_keypair_to_sexp): Converted to new DSA
+	interface.
+
+2014-03-09  Niels Möller  <nisse@lysator.liu.se>
+
+	* Makefile.in (hogweed_SOURCES): Added dsa-gen-params.c and
+	dsa-keygen-old.c.
+
+	* testsuite/dsa-keygen-test.c (test_main): Updated to use
+	dsa_generate_keypair_old.
+
+	* dsa.h: Update declarations for key generation functions.
+
+	* dsa-keygen.c (dsa_generate_keypair): New interface, generating
+	only a keypair, and no new parameters.
+
+	* dsa-keygen-old.c (dsa_generate_keypair_old): Implement old
+	dsa_generate_keypair interface, based on dsa_generate_params and
+	dsa_generate_keypair.
+
+	* dsa-gen-params.c (dsa_generate_params): New file and function,
+	extracted from DSA key generation.
+
+2014-01-04  Niels Möller  <nisse@lysator.liu.se>
+
+	* testsuite/testutils.c (test_dsa_sign): #if:ed out, unused.
+	(test_dsa_verify): Use _dsa_verify.
+
+	* dsa-verify.c (_dsa_verify): New function, with a struct
+	dsa_params * as a separate argument.
+	(dsa_verify): Use _dsa_verify.
+	* dsa-sha1-verify.c (dsa_sha1_verify_digest, dsa_sha1_verify): Use
+	_dsa_verify.
+	* dsa-sha256-verify.c (dsa_sha256_verify_digest)
+	(dsa_sha256_verify): Likewise.
+
+	* dsa-sign.c (_dsa_sign): New function, with struct dsa_params *
+	as a separate argument.
+	(dsa_sign): Use _dsa_sign.
+	* dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Use
+	_dsa_sign, cast the struct dsa_public_key * input to a struct
+	dsa_params *.
+	* dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign):
+	Likewise.
+
+	* dsa.c (dsa_params_init, dsa_params_clear): New functions.
+	(dsa_value_init, dsa_value_clear): New functions.
+	(dsa_public_key_init): Use dsa_params_init.
+	(dsa_public_key_clear): Use dsa_params_clear.
+
+	* dsa.h (dsa_params, dsa_value): New structs.
+
 2014-01-03  Niels Möller  <nisse@lysator.liu.se>
 
 	* shadata.c (main): Zero-pad output values to 8 hex digits.

Makefile.in

@@ -129,7 +129,9 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
 		  rsa-keygen.c rsa-compat.c rsa-blind.c \
 		  rsa2sexp.c sexp2rsa.c \
-		  dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \
+		  dsa.c dsa-gen-params.c \
+		  dsa-hash.c dsa-sign.c dsa-verify.c dsa-keygen.c \
+		  dsa-compat.c dsa-compat-keygen.c \
 		  dsa-sha1-sign.c dsa-sha1-verify.c \
 		  dsa-sha256-sign.c dsa-sha256-verify.c  \
 		  dsa2sexp.c sexp2dsa.c \
@@ -150,7 +152,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
 	  base16.h base64.h buffer.h camellia.h cast128.h \
 	  cbc.h ctr.h \
-	  des.h des-compat.h dsa.h eax.h ecc-curve.h ecc.h ecdsa.h \
+	  des.h des-compat.h dsa.h dsa-compat.h eax.h ecc-curve.h ecc.h ecdsa.h \
 	  gcm.h gosthash94.h hmac.h \
 	  knuth-lfib.h \
 	  macros.h \

bignum-random-prime.c

@@ -315,8 +315,9 @@ miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
 
 /* Generate a prime number p of size bits with 2 p0q dividing (p-1).
    p0 must be of size >= ceil(bits/3). The extra factor q can be
-   omitted. If top_bits_set is one, the topmost two bits are set to
-   one, suitable for RSA primes. Also returns r = (p-1)/q. */
+   omitted (then p0 and p0q should be equal). If top_bits_set is one,
+   the topmost two bits are set to one, suitable for RSA primes. Also
+   returns r = (p-1)/p0q. */
 void
 _nettle_generate_pocklington_prime (mpz_t p, mpz_t r,
 				    unsigned bits, int top_bits_set, 

der2dsa.c

@@ -5,7 +5,7 @@
 
 /* nettle, low-level cryptographics library
  *
- * Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren
+ * Copyright (C) 2005, 2009, 2014 Niels Möller, Magnus Holmgren
  *  
  * The nettle library is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -27,6 +27,8 @@
 # include "config.h"
 #endif
 
+#include <assert.h>
+
 #include "dsa.h"
 
 #include "bignum.h"
@@ -38,9 +40,10 @@
  && asn1_der_get_bignum((i), (x), (l))			\
  && mpz_sgn((x)) > 0)
 
+/* If q_bits > 0, q is required to be of exactly this size. */
 int
-dsa_params_from_der_iterator(struct dsa_public_key *pub,
-			     unsigned p_max_bits,
+dsa_params_from_der_iterator(struct dsa_params *params,
+			     unsigned max_bits, unsigned q_bits,
 			     struct asn1_der_iterator *i)
 {
   /* Dss-Parms ::= SEQUENCE {
@@ -49,30 +52,41 @@ dsa_params_from_der_iterator(struct dsa_public_key *pub,
 	 g  INTEGER
      }
   */
-  return (i->type == ASN1_INTEGER
-	  && asn1_der_get_bignum(i, pub->p, p_max_bits)
-	  && mpz_sgn(pub->p) > 0
-	  && GET(i, pub->q, DSA_SHA1_Q_BITS)
-	  && GET(i, pub->g, p_max_bits)
+  if (i->type == ASN1_INTEGER
+      && asn1_der_get_bignum(i, params->p, max_bits)
+      && mpz_sgn(params->p) > 0)
+    {
+      unsigned p_bits = mpz_sizeinbase (params->p, 2);
+      return (GET(i, params->q, q_bits ? q_bits : p_bits)
+	      && (q_bits == 0 || mpz_sizeinbase(params->q, 2) == q_bits)
+	      && mpz_cmp (params->q, params->p) < 0
+	      && GET(i, params->g, p_bits)
+	      && mpz_cmp (params->g, params->p) < 0
 	      && asn1_der_iterator_next(i) == ASN1_ITERATOR_END);
     }
+  else
+    return 0;
+}
 
 int
-dsa_public_key_from_der_iterator(struct dsa_public_key *pub,
-				 unsigned p_max_bits,
+dsa_public_key_from_der_iterator(const struct dsa_params *params,
+				 mpz_t pub,
 				 struct asn1_der_iterator *i)
 {
   /* DSAPublicKey ::= INTEGER
   */
 
   return (i->type == ASN1_INTEGER
-	  && asn1_der_get_bignum(i, pub->y, p_max_bits)
-	  && mpz_sgn(pub->y) > 0);
+	  && asn1_der_get_bignum(i, pub,
+				 mpz_sizeinbase (params->p, 2))
+	  && mpz_sgn(pub) > 0
+	  && mpz_cmp(pub, params->p) < 0);
 }
 
 int
-dsa_openssl_private_key_from_der_iterator(struct dsa_public_key *pub,
-					  struct dsa_private_key *priv,
+dsa_openssl_private_key_from_der_iterator(struct dsa_params *params,
+					  mpz_t pub,
+					  mpz_t priv,
 					  unsigned p_max_bits,
 					  struct asn1_der_iterator *i)
 {
@@ -88,22 +102,30 @@ dsa_openssl_private_key_from_der_iterator(struct dsa_public_key *pub,
 
   uint32_t version;
 
-  return (i->type == ASN1_SEQUENCE
+  if (i->type == ASN1_SEQUENCE
 	  && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE
 	  && i->type == ASN1_INTEGER
 	  && asn1_der_get_uint32(i, &version)
 	  && version == 0
-	  && GET(i, pub->p, p_max_bits)
-	  && GET(i, pub->q, DSA_SHA1_Q_BITS)
-	  && GET(i, pub->g, p_max_bits)
-	  && GET(i, pub->y, p_max_bits)
-	  && GET(i, priv->x, DSA_SHA1_Q_BITS)
+      && GET(i, params->p, p_max_bits))
+    {
+      unsigned p_bits = mpz_sizeinbase (params->p, 2);
+      return (GET(i, params->q, DSA_SHA1_Q_BITS)
+	      && GET(i, params->g, p_bits)
+	      && mpz_cmp (params->g, params->p) < 0
+	      && GET(i, pub, p_bits)
+	      && mpz_cmp (pub, params->p) < 0
+	      && GET(i, priv, DSA_SHA1_Q_BITS)
 	      && asn1_der_iterator_next(i) == ASN1_ITERATOR_END);
     }
+  else
+    return 0;
+}
 
 int
-dsa_openssl_private_key_from_der(struct dsa_public_key *pub,
-				 struct dsa_private_key *priv,
+dsa_openssl_private_key_from_der(struct dsa_params *params,
+				 mpz_t pub,
+				 mpz_t priv,
 				 unsigned p_max_bits,
 				 size_t length, const uint8_t *data)
 {
@@ -113,5 +135,6 @@ dsa_openssl_private_key_from_der(struct dsa_public_key *pub,
   res = asn1_der_iterator_first(&i, length, data);
 
   return (res == ASN1_ITERATOR_CONSTRUCTED
-	  && dsa_openssl_private_key_from_der_iterator(pub, priv, p_max_bits, &i));
+	  && dsa_openssl_private_key_from_der_iterator(params, pub, priv,
+						       p_max_bits, &i));
 }

dsa-compat-keygen.c

+/* dsa-compat-keygen.c
+ *
+ * Generation of DSA keypairs
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002, 2014 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "dsa-compat.h"
+
+#include "bignum.h"
+
+
+/* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224),
+   (2048, 256), (3072, 256). */
+int
+dsa_compat_generate_keypair(struct dsa_public_key *pub,
+			    struct dsa_private_key *key,
+			    void *random_ctx, nettle_random_func *random,
+			    void *progress_ctx, nettle_progress_func *progress,
+			    unsigned p_bits, unsigned q_bits)
+{
+  struct dsa_params *params;
+
+  switch (q_bits)
+    {
+    case 160:
+      if (p_bits < DSA_SHA1_MIN_P_BITS)
+	return 0;
+      break;
+    case 224:
+    case 256:
+      if (p_bits < DSA_SHA256_MIN_P_BITS)
+	return 0;
+      break;
+    default:
+      return 0;
+    }
+
+  /* NOTE: Depends on identical layout! */
+  params = (struct dsa_params *) pub;
+
+  if (!dsa_generate_params (params,
+			    random_ctx, random,
+			    progress_ctx, progress,
+			    p_bits, q_bits))
+    return 0;
+
+  dsa_generate_keypair_new (params, pub->y, key->x, random_ctx, random);
+
+  return 1;
+}

dsa-compat.c

+/* dsa-compat.c
+ *
+ * The DSA publickey algorithm, old interface.
+ */
+
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "dsa-compat.h"
+
+void
+dsa_public_key_init(struct dsa_public_key *key)
+{
+  dsa_params_init ((struct dsa_params *) key);
+  mpz_init(key->y);
+}
+
+void
+dsa_public_key_clear(struct dsa_public_key *key)
+{
+  dsa_params_clear ((struct dsa_params *) key);
+  mpz_clear(key->y);
+}
+
+
+void
+dsa_private_key_init(struct dsa_private_key *key)
+{
+  mpz_init(key->x);
+}
+
+void
+dsa_private_key_clear(struct dsa_private_key *key)
+{
+  mpz_clear(key->x);
+}

dsa-compat.h

+/* dsa-compat.h
+ *
+ * Old DSA publickey interface.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002, 2013, 2014 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#ifndef NETTLE_DSA_COMPAT_H_INCLUDED
+#define NETTLE_DSA_COMPAT_H_INCLUDED
+
+#include "dsa.h"
+
+#include "sha1.h"
+#include "sha2.h"
+
+/* Name mangling */
+#define dsa_public_key_init nettle_dsa_public_key_init
+#define dsa_public_key_clear nettle_dsa_public_key_clear
+#define dsa_private_key_init nettle_dsa_private_key_init
+#define dsa_private_key_clear nettle_dsa_private_key_clear
+#define dsa_sha1_sign nettle_dsa_sha1_sign
+#define dsa_sha1_verify nettle_dsa_sha1_verify
+#define dsa_sha256_sign nettle_dsa_sha256_sign
+#define dsa_sha256_verify nettle_dsa_sha256_verify
+#define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest
+#define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest
+#define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest
+#define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest
+#define dsa_compat_generate_keypair nettle_dsa_compat_generate_keypair
+
+/* Switch meaning of dsa_generate_keypair */
+#undef dsa_generate_keypair
+#define dsa_generate_keypair nettle_dsa_compat_generate_keypair
+#define dsa_generate_keypair_new nettle_dsa_generate_keypair
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct dsa_public_key
+{
+  /* Same as struct dsa_params, but can't use that struct here without
+     breaking backwards compatibility. Layout must be identical, since
+     this is cast to a struct dsa_param pointer for calling _dsa_sign
+     and _dsa_verify */
+  mpz_t p;
+  mpz_t q;
+  mpz_t g;
+
+  /* Public value */
+  mpz_t y;
+};
+
+struct dsa_private_key
+{
+  /* Unlike an rsa public key, private key operations will need both
+   * the private and the public information. */
+  mpz_t x;
+};
+
+/* Signing a message works as follows:
+ *
+ * Store the private key in a dsa_private_key struct.
+ *
+ * Initialize a hashing context, by callling
+ *   sha1_init
+ *
+ * Hash the message by calling
+ *   sha1_update
+ *
+ * Create the signature by calling
+ *   dsa_sha1_sign
+ *
+ * The signature is represented as a struct dsa_signature. This call also
+ * resets the hashing context.
+ *
+ * When done with the key and signature, don't forget to call
+ * dsa_signature_clear.
+ */
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_public_key_init(struct dsa_public_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_public_key_clear(struct dsa_public_key *key);
+
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_private_key_init(struct dsa_private_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_private_key_clear(struct dsa_private_key *key);
+
+int
+dsa_sha1_sign(const struct dsa_public_key *pub,
+	      const struct dsa_private_key *key,
+	      void *random_ctx, nettle_random_func *random,
+	      struct sha1_ctx *hash,
+	      struct dsa_signature *signature);
+
+int
+dsa_sha256_sign(const struct dsa_public_key *pub,
+		const struct dsa_private_key *key,
+		void *random_ctx, nettle_random_func *random,
+		struct sha256_ctx *hash,
+		struct dsa_signature *signature);
+
+int
+dsa_sha1_verify(const struct dsa_public_key *key,
+		struct sha1_ctx *hash,
+		const struct dsa_signature *signature);
+
+int
+dsa_sha256_verify(const struct dsa_public_key *key,
+		  struct sha256_ctx *hash,
+		  const struct dsa_signature *signature);
+
+int
+dsa_sha1_sign_digest(const struct dsa_public_key *pub,
+		     const struct dsa_private_key *key,
+		     void *random_ctx, nettle_random_func *random,
+		     const uint8_t *digest,
+		     struct dsa_signature *signature);
+int
+dsa_sha256_sign_digest(const struct dsa_public_key *pub,
+		       const struct dsa_private_key *key,
+		       void *random_ctx, nettle_random_func *random,
+		       const uint8_t *digest,
+		       struct dsa_signature *signature);
+
+int
+dsa_sha1_verify_digest(const struct dsa_public_key *key,
+		       const uint8_t *digest,
+		       const struct dsa_signature *signature);
+
+int
+dsa_sha256_verify_digest(const struct dsa_public_key *key,
+			 const uint8_t *digest,
+			 const struct dsa_signature *signature);
+
+/* Key generation */
+int
+dsa_generate_keypair(struct dsa_public_key *pub,
+		     struct dsa_private_key *key,
+
+		     void *random_ctx, nettle_random_func *random,
+		     void *progress_ctx, nettle_progress_func *progress,
+		     unsigned p_bits, unsigned q_bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_DSA_COMPAT_H_INCLUDED */

dsa-gen-params.c

+/* dsa-gen-params.c
+ *
+ * Generation of DSA parameters
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2002, 2013, 2014 Niels Möller
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "dsa.h"
+
+#include "bignum.h"
+#include "nettle-internal.h"
+
+
+/* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224),
+   (2048, 256), (3072, 256). */
+int
+dsa_generate_params(struct dsa_params *params,
+		    void *random_ctx, nettle_random_func *random,
+		    void *progress_ctx, nettle_progress_func *progress,
+		    unsigned p_bits, unsigned q_bits)
+{
+  mpz_t r;
+  unsigned p0_bits;
+  unsigned a;
+
+  if (q_bits < 30 || p_bits < q_bits + 30)
+    return 0;
+
+  mpz_init (r);
+
+  nettle_random_prime (params->q, q_bits, 0, random_ctx, random,
+		       progress_ctx, progress);
+
+  if (q_bits >= (p_bits + 2)/3)
+    _nettle_generate_pocklington_prime (params->p, r, p_bits, 0,
+					random_ctx, random,
+					params->q, NULL, params->q);
+  else
+    {
+      mpz_t p0, p0q;
+      mpz_init (p0);
+      mpz_init (p0q);
+
+      p0_bits = (p_bits + 3)/2;
+  
+      nettle_random_prime (p0, p0_bits, 0,
+			   random_ctx, random,
+			   progress_ctx, progress);
+
+      if (progress)
+	progress (progress_ctx, 'q');
+
+      /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n. */
+      mpz_mul (p0q, p0, params->q);
+
+      _nettle_generate_pocklington_prime (params->p, r, p_bits, 0,
+					  random_ctx, random,
+					  p0, params->q, p0q);
+
+      mpz_mul (r, r, p0);
+
+      mpz_clear (p0);
+      mpz_clear (p0q);
+    }
+  if (progress)
+    progress (progress_ctx, 'p');
+
+  for (a = 2; ; a++)
+    {
+      mpz_set_ui (params->g, a);
+      mpz_powm (params->g, params->g, r, params->p);
+      if (mpz_cmp_ui (params->g, 1) != 0)
+	break;
+    }
+
+  mpz_clear (r);
+  
+  if (progress)
+    progress (progress_ctx, 'g');
+
+  return 1;
+}

dsa-keygen.c

@@ -5,7 +5,7 @@
 
 /* nettle, low-level cryptographics library
  *
- * Copyright (C) 2002 Niels Möller
+ * Copyright (C) 2002, 2014 Niels Möller
  *  
  * The nettle library is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -27,7 +27,6 @@
 # include "config.h"
 #endif
 
-#include <assert.h>
 #include <stdlib.h>
 
 #include "dsa.h"
@@ -38,88 +37,19 @@
 /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224),
    (2048, 256), (3072, 256). Currenty, we use only q_bits of 160 or
    256. */
-int
-dsa_generate_keypair(struct dsa_public_key *pub,
-		     struct dsa_private_key *key,
-		     void *random_ctx, nettle_random_func *random,
-		     void *progress_ctx, nettle_progress_func *progress,
-		     unsigned p_bits, unsigned q_bits)
-{
-  mpz_t p0, p0q, r;
-  unsigned p0_bits;
-  unsigned a;
+void
+dsa_generate_keypair (const struct dsa_params *params,
+		      mpz_t pub, mpz_t key,
 
-  switch (q_bits)
+		      void *random_ctx, nettle_random_func *random)
 {
-    case 160:
-      if (p_bits < DSA_SHA1_MIN_P_BITS)
-	return 0;
-      break;
-    case 224:
-    case 256:
-      if (p_bits < DSA_SHA256_MIN_P_BITS)
-	return 0;
-      break;
-    default:
-      return 0;
-    }
-
-  mpz_init (p0);
-  mpz_init (p0q);
-  mpz_init (r);
-
-  nettle_random_prime (pub->q, q_bits, 0, random_ctx, random,
-		       progress_ctx, progress);
-
-  p0_bits = (p_bits + 3)/2;
-  
-  nettle_random_prime (p0, p0_bits, 0,
-		       random_ctx, random,
-		       progress_ctx, progress);
-
-  if (progress)
-    progress (progress_ctx, 'q');
-  
-  /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n.
-   *
-   * We select r in the range i + 1 < r <= 2i, with i = floor (2^{n-2} / (p0 q). */
-
-  mpz_mul (p0q, p0, pub->q);
-
-  _nettle_generate_pocklington_prime (pub->p, r, p_bits, 0,
-				      random_ctx, random,
-				      p0, pub->q, p0q);
+  mpz_t r;
 
-  if (progress)
-    progress (progress_ctx, 'p');
-
-  mpz_mul (r, r, p0);
-
-  for (a = 2; ; a++)
-    {
-      mpz_set_ui (pub->g, a);
-      mpz_powm (pub->g, pub->g, r, pub->p);
-      if (mpz_cmp_ui (pub->g, 1) != 0)
-	break;
-    }
-
-  if (progress)
-    progress (progress_ctx, 'g');
-
-  mpz_set(r, pub->q);
+  mpz_init_set(r, params->q);
   mpz_sub_ui(r, r, 2);
-  nettle_mpz_random(key->x, random_ctx, random, r);
-
-  mpz_add_ui(key->x, key->x, 1);
-
-  mpz_powm(pub->y, pub->g, key->x, pub->p);
+  nettle_mpz_random(key, random_ctx, random, r);
 
-  if (progress)
-    progress (progress_ctx, '\n');
-  
-  mpz_clear (p0);
-  mpz_clear (p0q);
+  mpz_add_ui(key, key, 1);
+  mpz_powm(pub, params->g, key, params->p);
   mpz_clear (r);
-
-  return 1;
 }

dsa-sha1-sign.c

@@ -27,7 +27,7 @@
 # include "config.h"
 #endif
 
-#include "dsa.h"
+#include "dsa-compat.h"
 
 int
 dsa_sha1_sign_digest(const struct dsa_public_key *pub,
@@ -36,7 +36,8 @@ dsa_sha1_sign_digest(const struct dsa_public_key *pub,
 		     const uint8_t *digest,
 		     struct dsa_signature *signature)
 {
-  return dsa_sign(pub, key, random_ctx, random,
+  return dsa_sign((const struct dsa_params *) pub, key->x,
+		  random_ctx, random,
 		  SHA1_DIGEST_SIZE, digest, signature);
 }
 
@@ -51,6 +52,7 @@ dsa_sha1_sign(const struct dsa_public_key *pub,
   uint8_t digest[SHA1_DIGEST_SIZE];
   sha1_digest(hash, sizeof(digest), digest);
   
-  return dsa_sign(pub, key, random_ctx, random,
+  return dsa_sign((const struct dsa_params *) pub, key->x,
+		  random_ctx, random,
 		  sizeof(digest), digest, signature);
 }

dsa-sha1-verify.c

@@ -27,16 +27,15 @@
 # include "config.h"
 #endif
 
-#include <stdlib.h>
-
-#include "dsa.h"
+#include "dsa-compat.h"
 
 int
 dsa_sha1_verify_digest(const struct dsa_public_key *key,
 		       const uint8_t *digest,
 		       const struct dsa_signature *signature)
 {
-  return dsa_verify(key, SHA1_DIGEST_SIZE, digest, signature);
+  return dsa_verify((const struct dsa_params *) key, key->y,
+		    SHA1_DIGEST_SIZE, digest, signature);
 }
 
 int
@@ -47,5 +46,6 @@ dsa_sha1_verify(const struct dsa_public_key *key,
   uint8_t digest[SHA1_DIGEST_SIZE];
   sha1_digest(hash, sizeof(digest), digest);
 
-  return dsa_verify(key, sizeof(digest), digest, signature);
+  return dsa_verify((const struct dsa_params *) key, key->y,
+		    sizeof(digest), digest, signature);
 }

dsa-sha256-sign.c

@@ -27,7 +27,7 @@
 # include "config.h"
 #endif
 
-#include "dsa.h"
+#include "dsa-compat.h"
 
 int
 dsa_sha256_sign_digest(const struct dsa_public_key *pub,
@@ -36,7 +36,8 @@ dsa_sha256_sign_digest(const struct dsa_public_key *pub,
 		       const uint8_t *digest,
 		       struct dsa_signature *signature)
 {
-  return dsa_sign(pub, key, random_ctx, random,
+  return dsa_sign((const struct dsa_params *) pub, key->x,
+		  random_ctx, random,
 		  SHA256_DIGEST_SIZE, digest, signature);
 }
 
@@ -50,6 +51,7 @@ dsa_sha256_sign(const struct dsa_public_key *pub,
   uint8_t digest[SHA256_DIGEST_SIZE];
   sha256_digest(hash, sizeof(digest), digest);
 
-  return dsa_sign(pub, key, random_ctx, random,
+  return dsa_sign((const struct dsa_params *) pub, key->x,
+		  random_ctx, random,
 		  sizeof(digest), digest, signature);
 }

dsa-sha256-verify.c

@@ -27,16 +27,15 @@
 # include "config.h"
 #endif
 
-#include <stdlib.h>
-
-#include "dsa.h"
+#include "dsa-compat.h"
 
 int
 dsa_sha256_verify_digest(const struct dsa_public_key *key,
 			 const uint8_t *digest,
 			 const struct dsa_signature *signature)
 {
-  return dsa_verify(key, SHA256_DIGEST_SIZE, digest, signature);
+  return dsa_verify((const struct dsa_params *) key, key->y,
+		    SHA256_DIGEST_SIZE, digest, signature);
 }
 
 int
@@ -47,5 +46,6 @@ dsa_sha256_verify(const struct dsa_public_key *key,
   uint8_t digest[SHA256_DIGEST_SIZE];
   sha256_digest(hash, sizeof(digest), digest);
 
-  return dsa_verify(key, sizeof(digest), digest, signature);
+  return dsa_verify((const struct dsa_params *) key, key->y,
+		    sizeof(digest), digest, signature);
 }

dsa-sign.c

@@ -36,8 +36,8 @@
 
 
 int
-dsa_sign(const struct dsa_public_key *pub,
-	 const struct dsa_private_key *key,
+dsa_sign(const struct dsa_params *params,
+	 const mpz_t key,
 	 void *random_ctx, nettle_random_func *random,
 	 size_t digest_size,
 	 const uint8_t *digest,
@@ -49,7 +49,7 @@ dsa_sign(const struct dsa_public_key *pub,
   int res;
   
   /* Select k, 0<k<q, randomly */
-  mpz_init_set(tmp, pub->q);
+  mpz_init_set(tmp, params->q);
   mpz_sub_ui(tmp, tmp, 1);
 
   mpz_init(k);
@@ -57,22 +57,22 @@ dsa_sign(const struct dsa_public_key *pub,
   mpz_add_ui(k, k, 1);
 
   /* Compute r = (g^k (mod p)) (mod q) */
-  mpz_powm(tmp, pub->g, k, pub->p);
-  mpz_fdiv_r(signature->r, tmp, pub->q);
+  mpz_powm(tmp, params->g, k, params->p);
+  mpz_fdiv_r(signature->r, tmp, params->q);
 
   /* Compute hash */
   mpz_init(h);
-  _dsa_hash (h, mpz_sizeinbase(pub->q, 2), digest_size, digest);
+  _dsa_hash (h, mpz_sizeinbase(params->q, 2), digest_size, digest);
 
   /* Compute k^-1 (mod q) */
-  if (mpz_invert(k, k, pub->q))
+  if (mpz_invert(k, k, params->q))
     {
       /* Compute signature s = k^-1 (h + xr) (mod q) */
-      mpz_mul(tmp, signature->r, key->x);
-      mpz_fdiv_r(tmp, tmp, pub->q);
+      mpz_mul(tmp, signature->r, key);
+      mpz_fdiv_r(tmp, tmp, params->q);
       mpz_add(tmp, tmp, h);
       mpz_mul(tmp, tmp, k);
-      mpz_fdiv_r(signature->s, tmp, pub->q);
+      mpz_fdiv_r(signature->s, tmp, params->q);
       res = 1;
     }
   else

dsa-verify.c

@@ -34,7 +34,8 @@
 #include "bignum.h"
 
 int
-dsa_verify(const struct dsa_public_key *key,
+dsa_verify(const struct dsa_params *params,
+	   const mpz_t key,
 	   size_t digest_size,
 	   const uint8_t *digest,
 	   const struct dsa_signature *signature)
@@ -46,10 +47,10 @@ dsa_verify(const struct dsa_public_key *key,
   int res;
 
   /* Check that r and s are in the proper range */
-  if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, key->q) >= 0)
+  if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, params->q) >= 0)
     return 0;
 
-  if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, key->q) >= 0)
+  if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, params->q) >= 0)
     return 0;
 
   mpz_init(w);
@@ -58,7 +59,7 @@ dsa_verify(const struct dsa_public_key *key,
 
   /* NOTE: In gmp-2, mpz_invert sometimes generates negative inverses,
    * so we need gmp-3 or better. */
-  if (!mpz_invert(w, signature->s, key->q))
+  if (!mpz_invert(w, signature->s, params->q))
     {
       mpz_clear(w);
       return 0;
@@ -68,25 +69,25 @@ dsa_verify(const struct dsa_public_key *key,
   mpz_init(v);
 
   /* The message digest */
-  _dsa_hash (tmp, mpz_sizeinbase (key->q, 2), digest_size, digest);
+  _dsa_hash (tmp, mpz_sizeinbase (params->q, 2), digest_size, digest);
   
   /* v = g^{w * h (mod q)} (mod p)  */
   mpz_mul(tmp, tmp, w);
-  mpz_fdiv_r(tmp, tmp, key->q);
+  mpz_fdiv_r(tmp, tmp, params->q);
 
-  mpz_powm(v, key->g, tmp, key->p);
+  mpz_powm(v, params->g, tmp, params->p);
 
   /* y^{w * r (mod q) } (mod p) */
   mpz_mul(tmp, signature->r, w);
-  mpz_fdiv_r(tmp, tmp, key->q);
+  mpz_fdiv_r(tmp, tmp, params->q);
 
-  mpz_powm(tmp, key->y, tmp, key->p);
+  mpz_powm(tmp, key, tmp, params->p);
 
   /* v = (g^{w * h} * y^{w * r} (mod p) ) (mod q) */
   mpz_mul(v, v, tmp);
-  mpz_fdiv_r(v, v, key->p);
+  mpz_fdiv_r(v, v, params->p);
 
-  mpz_fdiv_r(v, v, key->q);
+  mpz_fdiv_r(v, v, params->q);
 
   res = !mpz_cmp(v, signature->r);
 

dsa.c

-/* dsa.h
+/* dsa.c
  *
  * The DSA publickey algorithm.
  */
@@ -32,37 +32,21 @@
 #include "bignum.h"
 
 void
-dsa_public_key_init(struct dsa_public_key *key)
+dsa_params_init (struct dsa_params *params)
 {
-  mpz_init(key->p);
-  mpz_init(key->q);
-  mpz_init(key->g);
-  mpz_init(key->y);
+  mpz_init(params->p);
+  mpz_init(params->q);
+  mpz_init(params->g);
 }
 
 void
-dsa_public_key_clear(struct dsa_public_key *key)
+dsa_params_clear (struct dsa_params *params)
 {
-  mpz_clear(key->p);
-  mpz_clear(key->q);
-  mpz_clear(key->g);
-  mpz_clear(key->y);
+  mpz_clear(params->p);
+  mpz_clear(params->q);
+  mpz_clear(params->g);
 }
 
-
-void
-dsa_private_key_init(struct dsa_private_key *key)
-{
-  mpz_init(key->x);
-}
-
-void
-dsa_private_key_clear(struct dsa_private_key *key)
-{
-  mpz_clear(key->x);
-}
-
-
 void
 dsa_signature_init(struct dsa_signature *signature)
 {

dsa.h

@@ -5,7 +5,7 @@
 
 /* nettle, low-level cryptographics library
  *
- * Copyright (C) 2002 Niels Möller
+ * Copyright (C) 2002, 2013, 2014 Niels Möller
  *  
  * The nettle library is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -30,30 +30,18 @@
 
 #include "nettle-types.h"
 
-#include "sha1.h"
-#include "sha2.h"
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /* Name mangling */
-#define dsa_public_key_init nettle_dsa_public_key_init
-#define dsa_public_key_clear nettle_dsa_public_key_clear
-#define dsa_private_key_init nettle_dsa_private_key_init
-#define dsa_private_key_clear nettle_dsa_private_key_clear
+#define dsa_params_init nettle_dsa_params_init
+#define dsa_params_clear nettle_dsa_params_clear
 #define dsa_signature_init nettle_dsa_signature_init
 #define dsa_signature_clear nettle_dsa_signature_clear
-#define dsa_sha1_sign nettle_dsa_sha1_sign
-#define dsa_sha1_verify nettle_dsa_sha1_verify
-#define dsa_sha256_sign nettle_dsa_sha256_sign
-#define dsa_sha256_verify nettle_dsa_sha256_verify
 #define dsa_sign nettle_dsa_sign
 #define dsa_verify nettle_dsa_verify
-#define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest
-#define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest
-#define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest
-#define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest
+#define dsa_generate_params nettle_dsa_generate_params
 #define dsa_generate_keypair nettle_dsa_generate_keypair
 #define dsa_signature_from_sexp nettle_dsa_signature_from_sexp
 #define dsa_keypair_to_sexp nettle_dsa_keypair_to_sexp
@@ -66,6 +54,7 @@ extern "C" {
 #define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der
 #define _dsa_hash _nettle_dsa_hash
 
+/* For FIPS approved parameters */
 #define DSA_SHA1_MIN_P_BITS 512
 #define DSA_SHA1_Q_OCTETS 20
 #define DSA_SHA1_Q_BITS 160
@@ -74,7 +63,8 @@ extern "C" {
 #define DSA_SHA256_Q_OCTETS 32
 #define DSA_SHA256_Q_BITS 256
 
-struct dsa_public_key
+/* Tentative new DSA interface */
+struct dsa_params
 {  
   /* Modulo */
   mpz_t p;
@@ -84,16 +74,6 @@ struct dsa_public_key
 
   /* Generator */
   mpz_t g;
-  
-  /* Public value */
-  mpz_t y;
-};
-
-struct dsa_private_key
-{
-  /* Unlike an rsa public key, private key operations will need both
-   * the private and the public information. */
-  mpz_t x;
 };
 
 struct dsa_signature
@@ -102,42 +82,11 @@ struct dsa_signature
   mpz_t s;
 };
 
-/* Signing a message works as follows:
- *
- * Store the private key in a dsa_private_key struct.
- *
- * Initialize a hashing context, by callling
- *   sha1_init
- *
- * Hash the message by calling
- *   sha1_update
- *
- * Create the signature by calling
- *   dsa_sha1_sign
- *
- * The signature is represented as a struct dsa_signature. This call also
- * resets the hashing context.
- *
- * When done with the key and signature, don't forget to call
- * dsa_signature_clear.
- */
-
-/* Calls mpz_init to initialize bignum storage. */
-void
-dsa_public_key_init(struct dsa_public_key *key);
-
-/* Calls mpz_clear to deallocate bignum storage. */
-void
-dsa_public_key_clear(struct dsa_public_key *key);
-
-
-/* Calls mpz_init to initialize bignum storage. */
 void
-dsa_private_key_init(struct dsa_private_key *key);
+dsa_params_init (struct dsa_params *params);
 
-/* Calls mpz_clear to deallocate bignum storage. */
 void
-dsa_private_key_clear(struct dsa_private_key *key);
+dsa_params_clear (struct dsa_params *params);
 
 /* Calls mpz_init to initialize bignum storage. */
 void
@@ -147,81 +96,33 @@ dsa_signature_init(struct dsa_signature *signature);
 void
 dsa_signature_clear(struct dsa_signature *signature);
 
-
-int
-dsa_sha1_sign(const struct dsa_public_key *pub,
-	      const struct dsa_private_key *key,
-	      void *random_ctx, nettle_random_func *random,
-	      struct sha1_ctx *hash,
-	      struct dsa_signature *signature);
-
 int
-dsa_sha256_sign(const struct dsa_public_key *pub,
-		const struct dsa_private_key *key,
-		void *random_ctx, nettle_random_func *random,
-		struct sha256_ctx *hash,
-		struct dsa_signature *signature);
-
-int
-dsa_sha1_verify(const struct dsa_public_key *key,
-		struct sha1_ctx *hash,
-		const struct dsa_signature *signature);
-
-int
-dsa_sha256_verify(const struct dsa_public_key *key,
-		  struct sha256_ctx *hash,
-		  const struct dsa_signature *signature);
-
-int
-dsa_sign(const struct dsa_public_key *pub,
-	 const struct dsa_private_key *key,
+dsa_sign(const struct dsa_params *params,
+	 const mpz_t priv,
 	 void *random_ctx, nettle_random_func *random,
 	 size_t digest_size,
 	 const uint8_t *digest,
 	 struct dsa_signature *signature);
 
 int
-dsa_verify(const struct dsa_public_key *key,
+dsa_verify(const struct dsa_params *params,
+	   const mpz_t pub,
 	   size_t digest_size,
 	   const uint8_t *digest,
 	   const struct dsa_signature *signature);
 
-/* Maybe obsolete these functions? One can just as well call dsa_sign
-   and dsa_verify directly, all that matters is the digest size. */
-int
-dsa_sha1_sign_digest(const struct dsa_public_key *pub,
-		     const struct dsa_private_key *key,
-		     void *random_ctx, nettle_random_func *random,
-		     const uint8_t *digest,
-		     struct dsa_signature *signature);
 int
-dsa_sha256_sign_digest(const struct dsa_public_key *pub,
-		       const struct dsa_private_key *key,
+dsa_generate_params (struct dsa_params *params,
 		     void *random_ctx, nettle_random_func *random,
-		       const uint8_t *digest,
-		       struct dsa_signature *signature);
-
-int
-dsa_sha1_verify_digest(const struct dsa_public_key *key,
-		       const uint8_t *digest,
-		       const struct dsa_signature *signature);
-
-int
-dsa_sha256_verify_digest(const struct dsa_public_key *key,
-			 const uint8_t *digest,
-			 const struct dsa_signature *signature);
-
-/* Key generation */
-
-int
-dsa_generate_keypair(struct dsa_public_key *pub,
-		     struct dsa_private_key *key,
-
-		     void *random_ctx, nettle_random_func *random,
-
 		     void *progress_ctx, nettle_progress_func *progress,
 		     unsigned p_bits, unsigned q_bits);
 
+void
+dsa_generate_keypair (const struct dsa_params *params,
+		      mpz_t pub, mpz_t key,
+
+		      void *random_ctx, nettle_random_func *random);
+
 /* Keys in sexp form. */
 
 struct nettle_buffer;
@@ -230,8 +131,9 @@ struct nettle_buffer;
 int
 dsa_keypair_to_sexp(struct nettle_buffer *buffer,
 		    const char *algorithm_name, /* NULL means "dsa" */
-		    const struct dsa_public_key *pub,
-		    const struct dsa_private_key *priv);
+		    const struct dsa_params *params,
+		    const mpz_t pub,
+		    const mpz_t priv);
 
 struct sexp_iterator;
 
@@ -241,9 +143,10 @@ dsa_signature_from_sexp(struct dsa_signature *rs,
 			unsigned q_bits);
 
 int
-dsa_keypair_from_sexp_alist(struct dsa_public_key *pub,
-			    struct dsa_private_key *priv,
-			    unsigned p_max_bits,
+dsa_keypair_from_sexp_alist(struct dsa_params *params,
+			    mpz_t pub,
+			    mpz_t priv,
+			    unsigned max_bits,
 			    unsigned q_bits,
 			    struct sexp_iterator *i);
 
@@ -252,14 +155,16 @@ dsa_keypair_from_sexp_alist(struct dsa_public_key *pub,
  * the public key. */
 /* Keys must be initialized before calling this function, as usual. */
 int
-dsa_sha1_keypair_from_sexp(struct dsa_public_key *pub,
-			   struct dsa_private_key *priv,
+dsa_sha1_keypair_from_sexp(struct dsa_params *params,
+			   mpz_t pub,
+			   mpz_t priv,
 			   unsigned p_max_bits,
 			   size_t length, const uint8_t *expr);
 
 int
-dsa_sha256_keypair_from_sexp(struct dsa_public_key *pub,
-			     struct dsa_private_key *priv,
+dsa_sha256_keypair_from_sexp(struct dsa_params *params,
+			     mpz_t pub,
+			     mpz_t priv,
 			     unsigned p_max_bits,
 			     size_t length, const uint8_t *expr);
 
@@ -267,23 +172,25 @@ dsa_sha256_keypair_from_sexp(struct dsa_public_key *pub,
 struct asn1_der_iterator;
 
 int
-dsa_params_from_der_iterator(struct dsa_public_key *pub,
-			     unsigned p_max_bits,
+dsa_params_from_der_iterator(struct dsa_params *params,
+			     unsigned max_bits, unsigned q_bits,
 			     struct asn1_der_iterator *i);
 int
-dsa_public_key_from_der_iterator(struct dsa_public_key *pub,
-				 unsigned p_max_bits,
+dsa_public_key_from_der_iterator(const struct dsa_params *params,
+				 mpz_t pub,
 				 struct asn1_der_iterator *i);
 
 int
-dsa_openssl_private_key_from_der_iterator(struct dsa_public_key *pub,
-					  struct dsa_private_key *priv,
+dsa_openssl_private_key_from_der_iterator(struct dsa_params *params,
+					  mpz_t pub,
+					  mpz_t priv,
 					  unsigned p_max_bits,
 					  struct asn1_der_iterator *i);
 
 int
-dsa_openssl_private_key_from_der(struct dsa_public_key *pub,
-				 struct dsa_private_key *priv,
+dsa_openssl_private_key_from_der(struct dsa_params *params,
+				 mpz_t pub,
+				 mpz_t priv,
 				 unsigned p_max_bits,
 				 size_t length, const uint8_t *data);
 

dsa2sexp.c

@@ -4,7 +4,7 @@
 
 /* nettle, low-level cryptographics library
  *
- * Copyright (C) 2002, 2009 Niels Möller, Magnus Holmgren
+ * Copyright (C) 2002, 2009, 2014 Niels Möller, Magnus Holmgren
  *  
  * The nettle library is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -26,6 +26,8 @@
 # include "config.h"
 #endif
 
+#include <assert.h>
+
 #include "dsa.h"
 
 #include "sexp.h"
@@ -33,22 +35,25 @@
 int
 dsa_keypair_to_sexp(struct nettle_buffer *buffer,
 		    const char *algorithm_name,
-		    const struct dsa_public_key *pub,
-		    const struct dsa_private_key *priv)
+		    const struct dsa_params *params,
+                    const mpz_t pub,
+                    const mpz_t priv)
 {
   if (!algorithm_name)
     algorithm_name = "dsa";
 
   if (priv)
+    {
       return sexp_format(buffer,
 			 "(private-key(%0s(p%b)(q%b)"
 		       "(g%b)(y%b)(x%b)))",
-		       algorithm_name, pub->p, pub->q,
-		       pub->g, pub->y, priv->x);
+			 algorithm_name, params->p, params->q,
+			 params->g, pub, priv);
+    }
   else
     return sexp_format(buffer,
 		       "(public-key(%0s(p%b)(q%b)"
 		       "(g%b)(y%b)))",
-		       algorithm_name, pub->p, pub->q,
-		       pub->g, pub->y);
+		       algorithm_name, params->p, params->q,
+		       params->g, pub);
 }

examples/hogweed-benchmark.c

@@ -2,7 +2,7 @@
 
 /* nettle, low-level cryptographics library
  *
- * Copyright (C) 2013 Niels Möller
+ * Copyright (C) 2013, 2014 Niels Möller
  *
  * The nettle library is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -265,8 +265,9 @@ bench_rsa_clear (void *p)
 
 struct dsa_ctx
 {
-  struct dsa_public_key pub;
-  struct dsa_private_key key;
+  struct dsa_params params;
+  mpz_t pub;
+  mpz_t key;
   struct knuth_lfib_ctx lfib;
   struct dsa_signature s;
   uint8_t *digest;
@@ -292,8 +293,9 @@ bench_dsa_init (unsigned size)
 
   ctx = xalloc(sizeof(*ctx));
 
-  dsa_public_key_init (&ctx->pub);
-  dsa_private_key_init (&ctx->key);
+  dsa_params_init (&ctx->params);
+  mpz_init (ctx->pub);
+  mpz_init (ctx->key);
   dsa_signature_init (&ctx->s);
   knuth_lfib_init (&ctx->lfib, 1);
 
@@ -303,14 +305,14 @@ bench_dsa_init (unsigned size)
   if (! (sexp_transport_iterator_first (&i, sizeof(dsa1024) - 1, dsa1024)
 	 && sexp_iterator_check_type (&i, "private-key")
 	 && sexp_iterator_check_type (&i, "dsa")
-	 && dsa_keypair_from_sexp_alist (&ctx->pub, &ctx->key, 0, DSA_SHA1_Q_BITS, &i)) )
+	 && dsa_keypair_from_sexp_alist (&ctx->params, ctx->pub, ctx->key, 0, DSA_SHA1_Q_BITS, &i)) )
     die ("Internal error.\n");
 
   ctx->digest = hash_string (&nettle_sha1, 3, "foo");
 
-  dsa_sha1_sign_digest (&ctx->pub, &ctx->key,
+  dsa_sign (&ctx->params, ctx->key,
 	    &ctx->lfib, (nettle_random_func *)knuth_lfib_random,
-			ctx->digest, &ctx->s);
+	    SHA1_DIGEST_SIZE, ctx->digest, &ctx->s);
 
   return ctx;
 }
@@ -322,9 +324,9 @@ bench_dsa_sign (void *p)
   struct dsa_signature s;
 
   dsa_signature_init (&s);
-  dsa_sha1_sign_digest (&ctx->pub, &ctx->key,
+  dsa_sign (&ctx->params, ctx->key,
 	    &ctx->lfib, (nettle_random_func *)knuth_lfib_random,
-			ctx->digest, &s);
+	    SHA1_DIGEST_SIZE, ctx->digest, &s);
   dsa_signature_clear (&s);
 }
 
@@ -332,7 +334,7 @@ static void
 bench_dsa_verify (void *p)
 {
   struct dsa_ctx *ctx = p;
-  if (! dsa_sha1_verify_digest (&ctx->pub, ctx->digest, &ctx->s))
+  if (! dsa_verify (&ctx->params, ctx->pub, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s))
     die ("Internal error, dsa_sha1_verify_digest failed.\n");
 }
 
@@ -340,8 +342,9 @@ static void
 bench_dsa_clear (void *p)
 {
   struct dsa_ctx *ctx = p;
-  dsa_public_key_clear (&ctx->pub);
-  dsa_private_key_clear (&ctx->key);
+  dsa_params_clear (&ctx->params);
+  mpz_clear (ctx->pub);
+  mpz_clear (ctx->key);
   dsa_signature_clear (&ctx->s);
   free (ctx->digest);
   free (ctx);

sexp2dsa.c

@@ -26,6 +26,7 @@
 # include "config.h"
 #endif
 
+#include <assert.h>
 #include <string.h>
 
 #include "dsa.h"
@@ -47,8 +48,9 @@ do {						\
  */
 
 int
-dsa_keypair_from_sexp_alist(struct dsa_public_key *pub,
-			    struct dsa_private_key *priv,
+dsa_keypair_from_sexp_alist(struct dsa_params *params,
+			    mpz_t pub,
+			    mpz_t priv,
 			    unsigned p_max_bits,
 			    unsigned q_bits,
 			    struct sexp_iterator *i)
@@ -57,26 +59,39 @@ dsa_keypair_from_sexp_alist(struct dsa_public_key *pub,
     = { "p", "q", "g", "y", "x" };
   struct sexp_iterator values[5];
   unsigned nvalues = priv ? 5 : 4;
+  unsigned p_bits;
 
   if (!sexp_iterator_assoc(i, nvalues, names, values))
     return 0;
 
-  if (priv)
-    GET(priv->x, q_bits, &values[4]);
+  GET(params->p, p_max_bits, &values[0]);
+  p_bits = mpz_sizeinbase (params->p, 2);
+  GET(params->q, q_bits ? q_bits : p_bits, &values[1]);
+  if (q_bits > 0 && mpz_sizeinbase(params->q, 2) != q_bits)
+    return 0;
+  if (mpz_cmp (params->q, params->p) >= 0)
+    return 0;
+  GET(params->g, p_bits, &values[2]);
+  if (mpz_cmp (params->g, params->p) >= 0)
+    return 0;
+  GET(pub, p_bits, &values[3]);
+  if (mpz_cmp (pub, params->p) >= 0)
+    return 0;
 
-  GET(pub->p, p_max_bits, &values[0]);
-  GET(pub->q, q_bits, &values[1]);
-  if (mpz_sizeinbase(pub->q, 2) != q_bits)
+  if (priv)
+    {
+      GET(priv, mpz_sizeinbase (params->q, 2), &values[4]);
+      if (mpz_cmp (priv, params->q) >= 0)
 	return 0;
-  GET(pub->g, p_max_bits, &values[2]);
-  GET(pub->y, p_max_bits, &values[3]);
+    }
 
   return 1;
 }
 
 int
-dsa_sha1_keypair_from_sexp(struct dsa_public_key *pub,
-			   struct dsa_private_key *priv,
+dsa_sha1_keypair_from_sexp(struct dsa_params *params,
+			   mpz_t pub,
+			   mpz_t priv,
 			   unsigned p_max_bits, 
 			   size_t length, const uint8_t *expr)
 {
@@ -85,12 +100,14 @@ dsa_sha1_keypair_from_sexp(struct dsa_public_key *pub,
   return sexp_iterator_first(&i, length, expr)
     && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key")
     && sexp_iterator_check_type(&i, "dsa")
-    && dsa_keypair_from_sexp_alist(pub, priv, p_max_bits, DSA_SHA1_Q_BITS, &i);
+    && dsa_keypair_from_sexp_alist(params, pub, priv,
+				   p_max_bits, DSA_SHA1_Q_BITS, &i);
 }
 
 int
-dsa_sha256_keypair_from_sexp(struct dsa_public_key *pub,
-			     struct dsa_private_key *priv,
+dsa_sha256_keypair_from_sexp(struct dsa_params *params,
+			     mpz_t pub,
+			     mpz_t priv,
 			     unsigned p_max_bits, 
 			     size_t length, const uint8_t *expr)
 {
@@ -99,7 +116,8 @@ dsa_sha256_keypair_from_sexp(struct dsa_public_key *pub,
   return sexp_iterator_first(&i, length, expr)
     && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key")
     && sexp_iterator_check_type(&i, "dsa-sha256")
-    && dsa_keypair_from_sexp_alist(pub, priv, p_max_bits, DSA_SHA256_Q_BITS, &i);
+    && dsa_keypair_from_sexp_alist(params, pub, priv,
+				   p_max_bits, DSA_SHA256_Q_BITS, &i);
 }
 
 int