The Tor Browser: security/nss/lib/freebl/dsa.c@b8a032363ba2 (annotated)

security/nss/lib/freebl/dsa.c@b8a032363ba2 (annotated)

security/nss/lib/freebl/dsa.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /*
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 #include "prerror.h"
 #include "secerr.h"
 #include "prtypes.h"
 #include "prinit.h"
 #include "blapi.h"
 #include "nssilock.h"
 #include "secitem.h"
 #include "blapi.h"
 #include "mpi.h"
 #include "secmpi.h"
 #include "pqg.h"
  /* XXX to be replaced by define in blapit.h */
 #define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
 /*
  * FIPS 186-2 requires result from random output to be reduced mod q when
  * generating random numbers for DSA.
  *
  * Input: w, 2*qLen bytes
  *        q, qLen bytes
  * Output: xj, qLen bytes
  */
 static SECStatus
 fips186Change_ReduceModQForDSA(const PRUint8 *w, const PRUint8 *q,
                                unsigned int qLen, PRUint8 * xj)
 {
     mp_int W, Q, Xj;
     mp_err err;
     SECStatus rv = SECSuccess;
     /* Initialize MPI integers. */
     MP_DIGITS(&W) = 0;
     MP_DIGITS(&Q) = 0;
     MP_DIGITS(&Xj) = 0;
     CHECK_MPI_OK( mp_init(&W) );
     CHECK_MPI_OK( mp_init(&Q) );
     CHECK_MPI_OK( mp_init(&Xj) );
     /*
      * Convert input arguments into MPI integers.
      */
     CHECK_MPI_OK( mp_read_unsigned_octets(&W, w, 2*qLen) );
     CHECK_MPI_OK( mp_read_unsigned_octets(&Q, q, qLen) );
     /*
      * Algorithm 1 of FIPS 186-2 Change Notice 1, Step 3.3
      *
      * xj = (w0 || w1) mod q
      */
     CHECK_MPI_OK( mp_mod(&W, &Q, &Xj) );
     CHECK_MPI_OK( mp_to_fixlen_octets(&Xj, xj, qLen) );
 cleanup:
     mp_clear(&W);
     mp_clear(&Q);
     mp_clear(&Xj);
     if (err) {
 	MP_TO_SEC_ERROR(err);
 	rv = SECFailure;
     }
     return rv;
 }
 /*
  * FIPS 186-2 requires result from random output to be reduced mod q when
  * generating random numbers for DSA.
  */
 SECStatus
 FIPS186Change_ReduceModQForDSA(const unsigned char *w,
                                const unsigned char *q,
                                unsigned char *xj) {
     return fips186Change_ReduceModQForDSA(w, q, DSA1_SUBPRIME_LEN, xj);
 }
 /*
  * The core of Algorithm 1 of FIPS 186-2 Change Notice 1.
  *
  * We no longer support FIPS 186-2 RNG. This function was exported
  * for power-up self tests and FIPS tests. Keep this stub, which fails,
  * to prevent crashes, but also to signal to test code that FIPS 186-2
  * RNG is no longer supported.
  */
 SECStatus
 FIPS186Change_GenerateX(PRUint8 *XKEY, const PRUint8 *XSEEDj,
                         PRUint8 *x_j)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
 /*
  * Specialized RNG for DSA
  *
  * As per Algorithm 1 of FIPS 186-2 Change Notice 1, in step 3.3 the value
  * Xj should be reduced mod q, a 160-bit prime number.  Since this parameter
  * is only meaningful in the context of DSA, the above RNG functions
  * were implemented without it.  They are re-implemented below for use
  * with DSA.
  */
 /*
 ** Generate some random bytes, using the global random number generator
 ** object.  In DSA mode, so there is a q.
 */
 static SECStatus
 dsa_GenerateGlobalRandomBytes(const SECItem * qItem, PRUint8 * dest,
                               unsigned int * destLen, unsigned int maxDestLen)
 {
     SECStatus rv;
     SECItem w;
     const PRUint8 * q = qItem->data;
     unsigned int qLen = qItem->len;
     if (*q == 0) {
         ++q;
         --qLen;
     }
     if (maxDestLen < qLen) {
         /* This condition can occur when DSA_SignDigest is passed a group
            with a subprime that is larger than DSA_MAX_SUBPRIME_LEN. */
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     w.data = NULL; /* otherwise SECITEM_AllocItem asserts */
     if (!SECITEM_AllocItem(NULL, &w, 2*qLen)) {
         return SECFailure;
     }
     *destLen = qLen;
     rv = RNG_GenerateGlobalRandomBytes(w.data, w.len);
     if (rv == SECSuccess) {
         rv = fips186Change_ReduceModQForDSA(w.data, q, qLen, dest);
     }
     SECITEM_FreeItem(&w, PR_FALSE);
     return rv;
 }
 static void translate_mpi_error(mp_err err)
 {
     MP_TO_SEC_ERROR(err);
 }
 static SECStatus
 dsa_NewKeyExtended(const PQGParams *params, const SECItem * seed,
                    DSAPrivateKey **privKey)
 {
     mp_int p, g;
     mp_int x, y;
     mp_err err;
     PLArenaPool *arena;
     DSAPrivateKey *key;
     /* Check args. */
     if (!params || !privKey || !seed || !seed->data) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* Initialize an arena for the DSA key. */
     arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
     if (!arena) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
     key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
     if (!key) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	PORT_FreeArena(arena, PR_TRUE);
 	return SECFailure;
     }
     key->params.arena = arena;
     /* Initialize MPI integers. */
     MP_DIGITS(&p) = 0;
     MP_DIGITS(&g) = 0;
     MP_DIGITS(&x) = 0;
     MP_DIGITS(&y) = 0;
     CHECK_MPI_OK( mp_init(&p) );
     CHECK_MPI_OK( mp_init(&g) );
     CHECK_MPI_OK( mp_init(&x) );
     CHECK_MPI_OK( mp_init(&y) );
     /* Copy over the PQG params */
     CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.prime,
                                           &params->prime) );
     CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.subPrime,
                                           &params->subPrime) );
     CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.base, &params->base) );
     /* Convert stored p, g, and received x into MPI integers. */
     SECITEM_TO_MPINT(params->prime, &p);
     SECITEM_TO_MPINT(params->base,  &g);
     OCTETS_TO_MPINT(seed->data, &x, seed->len);
     /* Store x in private key */
     SECITEM_AllocItem(arena, &key->privateValue, seed->len);
     PORT_Memcpy(key->privateValue.data, seed->data, seed->len);
     /* Compute public key y = g**x mod p */
     CHECK_MPI_OK( mp_exptmod(&g, &x, &p, &y) );
     /* Store y in public key */
     MPINT_TO_SECITEM(&y, &key->publicValue, arena);
     *privKey = key;
     key = NULL;
 cleanup:
     mp_clear(&p);
     mp_clear(&g);
     mp_clear(&x);
     mp_clear(&y);
     if (key)
 	PORT_FreeArena(key->params.arena, PR_TRUE);
     if (err) {
 	translate_mpi_error(err);
 	return SECFailure;
     }
     return SECSuccess;
 }
 SECStatus
 DSA_NewRandom(PLArenaPool * arena, const SECItem * q, SECItem * seed)
 {
     int retries = 10;
     unsigned int i;
     PRBool good;
     if (q == NULL || q->data == NULL || q->len == 0 ||
         (q->data[0] == 0 && q->len == 1)) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     if (!SECITEM_AllocItem(arena, seed, q->len)) {
         return SECFailure;
     }
     do {
 	/* Generate seed bytes for x according to FIPS 186-1 appendix 3 */
         if (dsa_GenerateGlobalRandomBytes(q, seed->data, &seed->len,
                                           seed->len)) {
             goto loser;
         }
 	/* Disallow values of 0 and 1 for x. */
 	good = PR_FALSE;
 	for (i = 0; i < seed->len-1; i++) {
 	    if (seed->data[i] != 0) {
 		good = PR_TRUE;
 		break;
 	    }
 	}
 	if (!good && seed->data[i] > 1) {
 	    good = PR_TRUE;
 	}
     } while (!good && --retries > 0);
     if (!good) {
 	PORT_SetError(SEC_ERROR_NEED_RANDOM);
 loser:	if (arena != NULL) {
             SECITEM_FreeItem(seed, PR_FALSE);
         }
 	return SECFailure;
     }
     return SECSuccess;
 }
 /*
 ** Generate and return a new DSA public and private key pair,
 **	both of which are encoded into a single DSAPrivateKey struct.
 **	"params" is a pointer to the PQG parameters for the domain
 **	Uses a random seed.
 */
 SECStatus
 DSA_NewKey(const PQGParams *params, DSAPrivateKey **privKey)
 {
     SECItem seed;
     SECStatus rv;
     rv = PQG_Check(params);
     if (rv != SECSuccess) {
 	return rv;
     }
     seed.data = NULL;
     rv = DSA_NewRandom(NULL, &params->subPrime, &seed);
     if (rv == SECSuccess) {
         if (seed.len != PQG_GetLength(&params->subPrime)) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
         } else {
             rv = dsa_NewKeyExtended(params, &seed, privKey);
         }
     }
     SECITEM_FreeItem(&seed, PR_FALSE);
     return rv;
 }
 /* For FIPS compliance testing. Seed must be exactly the size of subPrime  */
 SECStatus
 DSA_NewKeyFromSeed(const PQGParams *params,
                    const unsigned char *seed,
                    DSAPrivateKey **privKey)
 {
     SECItem seedItem;
     seedItem.data = (unsigned char*) seed;
     seedItem.len = PQG_GetLength(&params->subPrime);
     return dsa_NewKeyExtended(params, &seedItem, privKey);
 }
 static SECStatus
 dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
                const unsigned char *kb)
 {
     mp_int p, q, g;  /* PQG parameters */
     mp_int x, k;     /* private key & pseudo-random integer */
     mp_int r, s;     /* tuple (r, s) is signature) */
     mp_err err   = MP_OKAY;
     SECStatus rv = SECSuccess;
     unsigned int dsa_subprime_len, dsa_signature_len, offset;
     SECItem localDigest;
     unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
     /* FIPS-compliance dictates that digest is a SHA hash. */
     /* Check args. */
     if (!key || !signature || !digest) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
     dsa_signature_len = dsa_subprime_len*2;
     if ((signature->len < dsa_signature_len) ||
 	(digest->len > HASH_LENGTH_MAX)  ||
 	(digest->len < SHA1_LENGTH)) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* DSA accepts digests not equal to dsa_subprime_len, if the
      * digests are greater, then they are truncated to the size of
      * dsa_subprime_len, using the left most bits. If they are less
      * then they are padded on the left.*/
     PORT_Memset(localDigestData, 0, dsa_subprime_len);
     offset = (digest->len < dsa_subprime_len) ?
 			(dsa_subprime_len - digest->len) : 0;
     PORT_Memcpy(localDigestData+offset, digest->data,
 		dsa_subprime_len - offset);
     localDigest.data = localDigestData;
     localDigest.len = dsa_subprime_len;
     /* Initialize MPI integers. */
     MP_DIGITS(&p) = 0;
     MP_DIGITS(&q) = 0;
     MP_DIGITS(&g) = 0;
     MP_DIGITS(&x) = 0;
     MP_DIGITS(&k) = 0;
     MP_DIGITS(&r) = 0;
     MP_DIGITS(&s) = 0;
     CHECK_MPI_OK( mp_init(&p) );
     CHECK_MPI_OK( mp_init(&q) );
     CHECK_MPI_OK( mp_init(&g) );
     CHECK_MPI_OK( mp_init(&x) );
     CHECK_MPI_OK( mp_init(&k) );
     CHECK_MPI_OK( mp_init(&r) );
     CHECK_MPI_OK( mp_init(&s) );
     /*
     ** Convert stored PQG and private key into MPI integers.
     */
     SECITEM_TO_MPINT(key->params.prime,    &p);
     SECITEM_TO_MPINT(key->params.subPrime, &q);
     SECITEM_TO_MPINT(key->params.base,     &g);
     SECITEM_TO_MPINT(key->privateValue,    &x);
     OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
     /*
     ** FIPS 186-1, Section 5, Step 1
     **
     ** r = (g**k mod p) mod q
     */
     CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */
     CHECK_MPI_OK(     mp_mod(&r, &q, &r) );     /* r = r mod q    */
     /*
     ** FIPS 186-1, Section 5, Step 2
     **
     ** s = (k**-1 * (HASH(M) + x*r)) mod q
     */
     SECITEM_TO_MPINT(localDigest, &s);          /* s = HASH(M)     */
     CHECK_MPI_OK( mp_invmod(&k, &q, &k) );      /* k = k**-1 mod q */
     CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) );  /* x = x * r mod q */
     CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) );  /* s = s + x mod q */
     CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) );  /* s = s * k mod q */
     /*
     ** verify r != 0 and s != 0
     ** mentioned as optional in FIPS 186-1.
     */
     if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
 	PORT_SetError(SEC_ERROR_NEED_RANDOM);
 	rv = SECFailure;
 	goto cleanup;
     }
     /*
     ** Step 4
     **
     ** Signature is tuple (r, s)
     */
     err = mp_to_fixlen_octets(&r, signature->data, dsa_subprime_len);
     if (err < 0) goto cleanup;
     err = mp_to_fixlen_octets(&s, signature->data + dsa_subprime_len,
                                   dsa_subprime_len);
     if (err < 0) goto cleanup;
     err = MP_OKAY;
     signature->len = dsa_signature_len;
 cleanup:
     PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&g);
     mp_clear(&x);
     mp_clear(&k);
     mp_clear(&r);
     mp_clear(&s);
     if (err) {
 	translate_mpi_error(err);
 	rv = SECFailure;
     }
     return rv;
 }
 /* signature is caller-supplied buffer of at least 40 bytes.
 ** On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 ** On output, signature->len == size of signature in buffer.
 ** Uses a random seed.
 */
 SECStatus
 DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest)
 {
     SECStatus rv;
     int       retries = 10;
     unsigned char kSeed[DSA_MAX_SUBPRIME_LEN];
     unsigned int kSeedLen = 0;
     unsigned int i;
     unsigned int dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
     PRBool    good;
     PORT_SetError(0);
     do {
 	rv = dsa_GenerateGlobalRandomBytes(&key->params.subPrime,
                                            kSeed, &kSeedLen, sizeof kSeed);
 	if (rv != SECSuccess)
 	    break;
         if (kSeedLen != dsa_subprime_len) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
             break;
         }
 	/* Disallow a value of 0 for k. */
 	good = PR_FALSE;
 	for (i = 0; i < kSeedLen; i++) {
 	    if (kSeed[i] != 0) {
 		good = PR_TRUE;
 		break;
 	    }
 	}
 	if (!good) {
 	    PORT_SetError(SEC_ERROR_NEED_RANDOM);
 	    rv = SECFailure;
 	    continue;
 	}
 	rv = dsa_SignDigest(key, signature, digest, kSeed);
     } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
 	     --retries > 0);
     return rv;
 }
 /* For FIPS compliance testing. Seed must be exactly 20 bytes. */
 SECStatus
 DSA_SignDigestWithSeed(DSAPrivateKey * key,
                        SECItem *       signature,
                        const SECItem * digest,
                        const unsigned char * seed)
 {
     SECStatus rv;
     rv = dsa_SignDigest(key, signature, digest, seed);
     return rv;
 }
 /* signature is caller-supplied buffer of at least 20 bytes.
 ** On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 */
 SECStatus
 DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature,
                  const SECItem *digest)
 {
     /* FIPS-compliance dictates that digest is a SHA hash. */
     mp_int p, q, g;      /* PQG parameters */
     mp_int r_, s_;       /* tuple (r', s') is received signature) */
     mp_int u1, u2, v, w; /* intermediate values used in verification */
     mp_int y;            /* public key */
     mp_err err;
     int dsa_subprime_len, dsa_signature_len, offset;
     SECItem localDigest;
     unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
     SECStatus verified = SECFailure;
     /* Check args. */
     if (!key || !signature || !digest ) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     dsa_subprime_len = PQG_GetLength(&key->params.subPrime);
     dsa_signature_len = dsa_subprime_len*2;
     if ((signature->len != dsa_signature_len) ||
 	(digest->len > HASH_LENGTH_MAX)  ||
 	(digest->len < SHA1_LENGTH)) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* DSA accepts digests not equal to dsa_subprime_len, if the
      * digests are greater, than they are truncated to the size of
      * dsa_subprime_len, using the left most bits. If they are less
      * then they are padded on the left.*/
     PORT_Memset(localDigestData, 0, dsa_subprime_len);
     offset = (digest->len < dsa_subprime_len) ?
 			(dsa_subprime_len - digest->len) : 0;
     PORT_Memcpy(localDigestData+offset, digest->data,
 		dsa_subprime_len - offset);
     localDigest.data = localDigestData;
     localDigest.len = dsa_subprime_len;
     /* Initialize MPI integers. */
     MP_DIGITS(&p)  = 0;
     MP_DIGITS(&q)  = 0;
     MP_DIGITS(&g)  = 0;
     MP_DIGITS(&y)  = 0;
     MP_DIGITS(&r_) = 0;
     MP_DIGITS(&s_) = 0;
     MP_DIGITS(&u1) = 0;
     MP_DIGITS(&u2) = 0;
     MP_DIGITS(&v)  = 0;
     MP_DIGITS(&w)  = 0;
     CHECK_MPI_OK( mp_init(&p)  );
     CHECK_MPI_OK( mp_init(&q)  );
     CHECK_MPI_OK( mp_init(&g)  );
     CHECK_MPI_OK( mp_init(&y)  );
     CHECK_MPI_OK( mp_init(&r_) );
     CHECK_MPI_OK( mp_init(&s_) );
     CHECK_MPI_OK( mp_init(&u1) );
     CHECK_MPI_OK( mp_init(&u2) );
     CHECK_MPI_OK( mp_init(&v)  );
     CHECK_MPI_OK( mp_init(&w)  );
     /*
     ** Convert stored PQG and public key into MPI integers.
     */
     SECITEM_TO_MPINT(key->params.prime,    &p);
     SECITEM_TO_MPINT(key->params.subPrime, &q);
     SECITEM_TO_MPINT(key->params.base,     &g);
     SECITEM_TO_MPINT(key->publicValue,     &y);
     /*
     ** Convert received signature (r', s') into MPI integers.
     */
     OCTETS_TO_MPINT(signature->data, &r_, dsa_subprime_len);
     OCTETS_TO_MPINT(signature->data + dsa_subprime_len, &s_, dsa_subprime_len);
     /*
     ** Verify that 0 < r' < q and 0 < s' < q
     */
     if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
         mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) {
 	/* err is zero here. */
 	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
 	goto cleanup; /* will return verified == SECFailure */
     }
     /*
     ** FIPS 186-1, Section 6, Step 1
     **
     ** w = (s')**-1 mod q
     */
     CHECK_MPI_OK( mp_invmod(&s_, &q, &w) );      /* w = (s')**-1 mod q */
     /*
     ** FIPS 186-1, Section 6, Step 2
     **
     ** u1 = ((Hash(M')) * w) mod q
     */
     SECITEM_TO_MPINT(localDigest, &u1);              /* u1 = HASH(M')     */
     CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */
     /*
     ** FIPS 186-1, Section 6, Step 3
     **
     ** u2 = ((r') * w) mod q
     */
     CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) );
     /*
     ** FIPS 186-1, Section 6, Step 4
     **
     ** v = ((g**u1 * y**u2) mod p) mod q
     */
     CHECK_MPI_OK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */
     CHECK_MPI_OK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */
     CHECK_MPI_OK(  mp_mulmod(&g, &y, &p, &v)  ); /* v = g * y mod p */
     CHECK_MPI_OK(     mp_mod(&v, &q, &v)      ); /* v = v mod q     */
     /*
     ** Verification:  v == r'
     */
     if (mp_cmp(&v, &r_)) {
 	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
 	verified = SECFailure; /* Signature failed to verify. */
     } else {
 	verified = SECSuccess; /* Signature verified. */
     }
 cleanup:
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&g);
     mp_clear(&y);
     mp_clear(&r_);
     mp_clear(&s_);
     mp_clear(&u1);
     mp_clear(&u2);
     mp_clear(&v);
     mp_clear(&w);
     if (err) {
 	translate_mpi_error(err);
     }
     return verified;
 }

The Tor Browser / annotate

security/nss/lib/freebl/dsa.c@b8a032363ba2 (annotated)

security/nss/lib/freebl/dsa.c