factotum/libressl-portable
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

check in v3.8.1 source

Browse Source
This commit is contained in:
torque
2023-09-03 18:24:16 -07:00
parent fbb21ed921
commit b31c897352
1205 changed files with 561101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

737
crypto/dsa/dsa_ameth.c Normal file
View File

@@ -0,0 +1,737 @@
/* $OpenBSD: dsa_ameth.c,v 1.55 2023/08/12 07:59:48 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/opensslconf.h>
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/cms.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include "asn1_local.h"
#include "bn_local.h"
#include "dsa_local.h"
#include "evp_local.h"
static int
dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
{
X509_ALGOR *algor;
int ptype;
const void *pval;
const ASN1_STRING *astr;
const unsigned char *key, *params, *p;
int key_len, params_len;
ASN1_INTEGER *aint = NULL;
DSA *dsa = NULL;
int ret = 0;
if (!X509_PUBKEY_get0_param(NULL, &key, &key_len, &algor, pubkey))
goto err;
X509_ALGOR_get0(NULL, &ptype, &pval, algor);
if (ptype == V_ASN1_SEQUENCE) {
astr = pval;
params = astr->data;
params_len = astr->length;
p = params;
if ((dsa = d2i_DSAparams(NULL, &p, params_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
} else if (ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF) {
if ((dsa = DSA_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
} else {
DSAerror(DSA_R_PARAMETER_ENCODING_ERROR);
goto err;
}
p = key;
if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
BN_free(dsa->pub_key);
if ((dsa->pub_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
DSAerror(DSA_R_BN_DECODE_ERROR);
goto err;
}
/* We can only check for key consistency if we have parameters. */
if (ptype == V_ASN1_SEQUENCE) {
if (!dsa_check_key(dsa))
goto err;
}
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
ret = 1;
err:
ASN1_INTEGER_free(aint);
DSA_free(dsa);
return ret;
}
static int
dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
const DSA *dsa = pkey->pkey.dsa;
ASN1_STRING *astr = NULL;
int ptype = V_ASN1_UNDEF;
ASN1_INTEGER *aint = NULL;
ASN1_OBJECT *aobj;
unsigned char *params = NULL, *key = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
if (pkey->save_parameters > 0 && !EVP_PKEY_missing_parameters(pkey)) {
if ((params_len = i2d_DSAparams(dsa, &params)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((astr = ASN1_STRING_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(astr, params, params_len);
params = NULL;
params_len = 0;
ptype = V_ASN1_SEQUENCE;
}
if ((aint = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
}
if ((aobj = OBJ_nid2obj(EVP_PKEY_DSA)) == NULL)
goto err;
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, astr, key, key_len))
goto err;
astr = NULL;
key = NULL;
key_len = 0;
ret = 1;
err:
ASN1_STRING_free(astr);
ASN1_INTEGER_free(aint);
freezero(params, params_len);
freezero(key, key_len);
return ret;
}
/*
* In PKCS#8 DSA: you just get a private key integer and parameters in the
* AlgorithmIdentifier the pubkey must be recalculated.
*/
static int
dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
{
const X509_ALGOR *algor;
int ptype;
const void *pval;
const ASN1_STRING *astr;
const unsigned char *key, *params, *p;
int key_len, params_len;
ASN1_INTEGER *aint = NULL;
BN_CTX *ctx = NULL;
DSA *dsa = NULL;
int ret = 0;
if (!PKCS8_pkey_get0(NULL, &key, &key_len, &algor, p8))
goto err;
X509_ALGOR_get0(NULL, &ptype, &pval, algor);
if (ptype != V_ASN1_SEQUENCE) {
DSAerror(DSA_R_PARAMETER_ENCODING_ERROR);
goto err;
}
astr = pval;
params = astr->data;
params_len = astr->length;
p = params;
if ((dsa = d2i_DSAparams(NULL, &p, params_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
p = key;
if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
BN_free(dsa->priv_key);
if ((dsa->priv_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
DSAerror(DSA_R_BN_DECODE_ERROR);
goto err;
}
/* Check the key for basic consistency before doing expensive things. */
if (!dsa_check_key(dsa))
goto err;
/* Calculate public key */
BN_free(dsa->pub_key);
if ((dsa->pub_key = BN_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if ((ctx = BN_CTX_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
BN_CTX_start(ctx);
if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
DSAerror(DSA_R_BN_ERROR);
goto err;
}
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
ret = 1;
err:
DSA_free(dsa);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
ASN1_INTEGER_free(aint);
return ret;
}
static int
dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
const DSA *dsa = pkey->pkey.dsa;
ASN1_STRING *astr = NULL;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *aint = NULL;
ASN1_OBJECT *aobj;
unsigned char *params = NULL, *key = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
if ((params_len = i2d_DSAparams(dsa, &params)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((astr = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(astr, params, params_len);
params = NULL;
params_len = 0;
if ((aint = BN_to_ASN1_INTEGER(dsa->priv_key, NULL)) == NULL) {
DSAerror(DSA_R_BN_ERROR);
goto err;
}
if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
}
if ((aobj = OBJ_nid2obj(NID_dsa)) == NULL)
goto err;
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, astr, key, key_len))
goto err;
astr = NULL;
key = NULL;
key_len = 0;
ret = 1;
err:
ASN1_STRING_free(astr);
ASN1_INTEGER_free(aint);
freezero(params, params_len);
freezero(key, key_len);
return ret;
}
static int
dsa_size(const EVP_PKEY *pkey)
{
return DSA_size(pkey->pkey.dsa);
}
static int
dsa_bits(const EVP_PKEY *pkey)
{
return BN_num_bits(pkey->pkey.dsa->p);
}
static int
dsa_security_bits(const EVP_PKEY *pkey)
{
return DSA_security_bits(pkey->pkey.dsa);
}
static int
dsa_missing_parameters(const EVP_PKEY *pkey)
{
const DSA *dsa = pkey->pkey.dsa;
return dsa->p == NULL || dsa->q == NULL || dsa->g == NULL;
}
static int
dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
BIGNUM *a;
if ((a = BN_dup(from->pkey.dsa->p)) == NULL)
return 0;
BN_free(to->pkey.dsa->p);
to->pkey.dsa->p = a;
if ((a = BN_dup(from->pkey.dsa->q)) == NULL)
return 0;
BN_free(to->pkey.dsa->q);
to->pkey.dsa->q = a;
if ((a = BN_dup(from->pkey.dsa->g)) == NULL)
return 0;
BN_free(to->pkey.dsa->g);
to->pkey.dsa->g = a;
return 1;
}
static int
dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
if (BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) ||
BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) ||
BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g))
return 0;
else
return 1;
}
static int
dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
if (BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) != 0)
return 0;
else
return 1;
}
static void
dsa_free(EVP_PKEY *pkey)
{
DSA_free(pkey->pkey.dsa);
}
static int
do_dsa_print(BIO *bp, const DSA *x, int off, int ptype)
{
const char *ktype = NULL;
const BIGNUM *priv_key, *pub_key;
int ret = 0;
if (ptype == 2)
priv_key = x->priv_key;
else
priv_key = NULL;
if (ptype > 0)
pub_key = x->pub_key;
else
pub_key = NULL;
if (ptype == 2)
ktype = "Private-Key";
else if (ptype == 1)
ktype = "Public-Key";
else
ktype = "DSA-Parameters";
if (priv_key) {
if (!BIO_indent(bp, off, 128))
goto err;
if (BIO_printf(bp, "%s: (%d bit)\n", ktype,
BN_num_bits(x->p)) <= 0)
goto err;
}
if (!bn_printf(bp, priv_key, off, "priv:"))
goto err;
if (!bn_printf(bp, pub_key, off, "pub: "))
goto err;
if (!bn_printf(bp, x->p, off, "P: "))
goto err;
if (!bn_printf(bp, x->q, off, "Q: "))
goto err;
if (!bn_printf(bp, x->g, off, "G: "))
goto err;
ret = 1;
err:
return ret;
}
static int
dsa_param_decode(EVP_PKEY *pkey, const unsigned char **params, int params_len)
{
DSA *dsa = NULL;
int ret = 0;
if ((dsa = d2i_DSAparams(NULL, params, params_len)) == NULL) {
DSAerror(ERR_R_DSA_LIB);
goto err;
}
if (!dsa_check_key(dsa))
goto err;
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
ret = 1;
err:
DSA_free(dsa);
return ret;
}
static int
dsa_param_encode(const EVP_PKEY *pkey, unsigned char **params)
{
return i2d_DSAparams(pkey->pkey.dsa, params);
}
static int
dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
{
return do_dsa_print(bp, pkey->pkey.dsa, indent, 0);
}
static int
dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
{
return do_dsa_print(bp, pkey->pkey.dsa, indent, 1);
}
static int
dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
{
return do_dsa_print(bp, pkey->pkey.dsa, indent, 2);
}
static int
old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **key, int key_len)
{
DSA *dsa = NULL;
BN_CTX *ctx = NULL;
BIGNUM *result;
int ret = 0;
if ((dsa = d2i_DSAPrivateKey(NULL, key, key_len)) == NULL) {
DSAerror(ERR_R_DSA_LIB);
goto err;
}
if (!dsa_check_key(dsa))
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
if ((result = BN_CTX_get(ctx)) == NULL)
goto err;
/*
* Check that p and q are consistent with each other. dsa_check_key()
* ensures that 1 < q < p. Now check that q divides p - 1.
*/
if (!BN_sub(result, dsa->p, BN_value_one()))
goto err;
if (!BN_mod_ct(result, result, dsa->q, ctx))
goto err;
if (!BN_is_zero(result)) {
DSAerror(DSA_R_BAD_Q_VALUE);
goto err;
}
/*
* Check that g generates a multiplicative subgroup of order q.
* We only check that g^q == 1, so the order is a divisor of q.
* Once we know that q is prime, this is enough.
*/
if (!BN_mod_exp_ct(result, dsa->g, dsa->q, dsa->p, ctx))
goto err;
if (BN_cmp(result, BN_value_one()) != 0) {
DSAerror(DSA_R_INVALID_PARAMETERS);
goto err;
}
/*
* Check that q is not a composite number.
*/
if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) <= 0) {
DSAerror(DSA_R_BAD_Q_VALUE);
goto err;
}
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
DSA_free(dsa);
return ret;
}
static int
old_dsa_priv_encode(const EVP_PKEY *pkey, unsigned char **key)
{
return i2d_DSAPrivateKey(pkey->pkey.dsa, key);
}
static int
dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
int indent, ASN1_PCTX *pctx)
{
DSA_SIG *dsa_sig;
const unsigned char *p;
if (!sig) {
if (BIO_puts(bp, "\n") <= 0)
return 0;
else
return 1;
}
p = sig->data;
dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
if (dsa_sig) {
int rv = 0;
if (BIO_write(bp, "\n", 1) != 1)
goto err;
if (!bn_printf(bp, dsa_sig->r, indent, "r: "))
goto err;
if (!bn_printf(bp, dsa_sig->s, indent, "s: "))
goto err;
rv = 1;
err:
DSA_SIG_free(dsa_sig);
return rv;
}
return X509_signature_dump(bp, sig, indent);
}
static int
dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
{
switch (op) {
case ASN1_PKEY_CTRL_PKCS7_SIGN:
if (arg1 == 0) {
int snid, hnid;
X509_ALGOR *alg1, *alg2;
PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2);
if (alg1 == NULL || alg1->algorithm == NULL)
return -1;
hnid = OBJ_obj2nid(alg1->algorithm);
if (hnid == NID_undef)
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid,
EVP_PKEY_id(pkey)))
return -1;
X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF,
0);
}
return 1;
#ifndef OPENSSL_NO_CMS
case ASN1_PKEY_CTRL_CMS_SIGN:
if (arg1 == 0) {
int snid, hnid;
X509_ALGOR *alg1, *alg2;
CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2);
if (alg1 == NULL || alg1->algorithm == NULL)
return -1;
hnid = OBJ_obj2nid(alg1->algorithm);
if (hnid == NID_undef)
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
return -1;
X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
}
return 1;
case ASN1_PKEY_CTRL_CMS_RI_TYPE:
*(int *)arg2 = CMS_RECIPINFO_NONE;
return 1;
#endif
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha1;
return 2;
default:
return -2;
}
}
/* NB these are sorted in pkey_id order, lowest first */
const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = {
{
.pkey_id = EVP_PKEY_DSA2,
.pkey_base_id = EVP_PKEY_DSA,
.pkey_flags = ASN1_PKEY_ALIAS
},
{
.pkey_id = EVP_PKEY_DSA1,
.pkey_base_id = EVP_PKEY_DSA,
.pkey_flags = ASN1_PKEY_ALIAS
},
{
.pkey_id = EVP_PKEY_DSA4,
.pkey_base_id = EVP_PKEY_DSA,
.pkey_flags = ASN1_PKEY_ALIAS
},
{
.pkey_id = EVP_PKEY_DSA3,
.pkey_base_id = EVP_PKEY_DSA,
.pkey_flags = ASN1_PKEY_ALIAS
},
{
.pkey_id = EVP_PKEY_DSA,
.pkey_base_id = EVP_PKEY_DSA,
.pem_str = "DSA",
.info = "OpenSSL DSA method",
.pub_decode = dsa_pub_decode,
.pub_encode = dsa_pub_encode,
.pub_cmp = dsa_pub_cmp,
.pub_print = dsa_pub_print,
.priv_decode = dsa_priv_decode,
.priv_encode = dsa_priv_encode,
.priv_print = dsa_priv_print,
.pkey_size = dsa_size,
.pkey_bits = dsa_bits,
.pkey_security_bits = dsa_security_bits,
.param_decode = dsa_param_decode,
.param_encode = dsa_param_encode,
.param_missing = dsa_missing_parameters,
.param_copy = dsa_copy_parameters,
.param_cmp = dsa_cmp_parameters,
.param_print = dsa_param_print,
.sig_print = dsa_sig_print,
.pkey_free = dsa_free,
.pkey_ctrl = dsa_pkey_ctrl,
.old_priv_decode = old_dsa_priv_decode,
.old_priv_encode = old_dsa_priv_encode
}
};

476
crypto/dsa/dsa_asn1.c Normal file
View File

@@ -0,0 +1,476 @@
/* $OpenBSD: dsa_asn1.c,v 1.31 2023/07/08 14:28:15 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
/* ====================================================================
* Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#include "dsa_local.h"
/* Override the default new methods */
static int
sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
{
if (operation == ASN1_OP_NEW_PRE) {
DSA_SIG *sig;
if ((sig = DSA_SIG_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
return 0;
}
*pval = (ASN1_VALUE *)sig;
return 2;
}
return 1;
}
static const ASN1_AUX DSA_SIG_aux = {
.app_data = NULL,
.flags = 0,
.ref_offset = 0,
.ref_lock = 0,
.asn1_cb = sig_cb,
.enc_offset = 0,
};
static const ASN1_TEMPLATE DSA_SIG_seq_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA_SIG, r),
.field_name = "r",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA_SIG, s),
.field_name = "s",
.item = &BIGNUM_it,
},
};
const ASN1_ITEM DSA_SIG_it = {
.itype = ASN1_ITYPE_SEQUENCE,
.utype = V_ASN1_SEQUENCE,
.templates = DSA_SIG_seq_tt,
.tcount = sizeof(DSA_SIG_seq_tt) / sizeof(ASN1_TEMPLATE),
.funcs = &DSA_SIG_aux,
.size = sizeof(DSA_SIG),
.sname = "DSA_SIG",
};
DSA_SIG *
d2i_DSA_SIG(DSA_SIG **a, const unsigned char **in, long len)
{
return (DSA_SIG *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
&DSA_SIG_it);
}
LCRYPTO_ALIAS(d2i_DSA_SIG);
int
i2d_DSA_SIG(const DSA_SIG *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSA_SIG_it);
}
LCRYPTO_ALIAS(i2d_DSA_SIG);
void
DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
{
if (pr != NULL)
*pr = sig->r;
if (ps != NULL)
*ps = sig->s;
}
LCRYPTO_ALIAS(DSA_SIG_get0);
int
DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
{
if (r == NULL || s == NULL)
return 0;
BN_free(sig->r);
sig->r = r;
BN_free(sig->s);
sig->s = s;
return 1;
}
LCRYPTO_ALIAS(DSA_SIG_set0);
/* Override the default free and new methods */
static int
dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
{
if (operation == ASN1_OP_NEW_PRE) {
*pval = (ASN1_VALUE *)DSA_new();
if (*pval)
return 2;
return 0;
} else if (operation == ASN1_OP_FREE_PRE) {
DSA_free((DSA *)*pval);
*pval = NULL;
return 2;
}
return 1;
}
static const ASN1_AUX DSAPrivateKey_aux = {
.app_data = NULL,
.flags = 0,
.ref_offset = 0,
.ref_lock = 0,
.asn1_cb = dsa_cb,
.enc_offset = 0,
};
static const ASN1_TEMPLATE DSAPrivateKey_seq_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, version),
.field_name = "version",
.item = &LONG_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, p),
.field_name = "p",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, q),
.field_name = "q",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, g),
.field_name = "g",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, pub_key),
.field_name = "pub_key",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, priv_key),
.field_name = "priv_key",
.item = &BIGNUM_it,
},
};
const ASN1_ITEM DSAPrivateKey_it = {
.itype = ASN1_ITYPE_SEQUENCE,
.utype = V_ASN1_SEQUENCE,
.templates = DSAPrivateKey_seq_tt,
.tcount = sizeof(DSAPrivateKey_seq_tt) / sizeof(ASN1_TEMPLATE),
.funcs = &DSAPrivateKey_aux,
.size = sizeof(DSA),
.sname = "DSA",
};
DSA *
d2i_DSAPrivateKey(DSA **a, const unsigned char **in, long len)
{
return (DSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
&DSAPrivateKey_it);
}
LCRYPTO_ALIAS(d2i_DSAPrivateKey);
int
i2d_DSAPrivateKey(const DSA *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSAPrivateKey_it);
}
LCRYPTO_ALIAS(i2d_DSAPrivateKey);
static const ASN1_AUX DSAparams_aux = {
.app_data = NULL,
.flags = 0,
.ref_offset = 0,
.ref_lock = 0,
.asn1_cb = dsa_cb,
.enc_offset = 0,
};
static const ASN1_TEMPLATE DSAparams_seq_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, p),
.field_name = "p",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, q),
.field_name = "q",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, g),
.field_name = "g",
.item = &BIGNUM_it,
},
};
const ASN1_ITEM DSAparams_it = {
.itype = ASN1_ITYPE_SEQUENCE,
.utype = V_ASN1_SEQUENCE,
.templates = DSAparams_seq_tt,
.tcount = sizeof(DSAparams_seq_tt) / sizeof(ASN1_TEMPLATE),
.funcs = &DSAparams_aux,
.size = sizeof(DSA),
.sname = "DSA",
};
DSA *
d2i_DSAparams(DSA **a, const unsigned char **in, long len)
{
return (DSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
&DSAparams_it);
}
LCRYPTO_ALIAS(d2i_DSAparams);
int
i2d_DSAparams(const DSA *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSAparams_it);
}
LCRYPTO_ALIAS(i2d_DSAparams);
DSA *
d2i_DSAparams_bio(BIO *bp, DSA **a)
{
return ASN1_item_d2i_bio(&DSAparams_it, bp, a);
}
LCRYPTO_ALIAS(d2i_DSAparams_bio);
int
i2d_DSAparams_bio(BIO *bp, DSA *a)
{
return ASN1_item_i2d_bio(&DSAparams_it, bp, a);
}
LCRYPTO_ALIAS(i2d_DSAparams_bio);
DSA *
d2i_DSAparams_fp(FILE *fp, DSA **a)
{
return ASN1_item_d2i_fp(&DSAparams_it, fp, a);
}
LCRYPTO_ALIAS(d2i_DSAparams_fp);
int
i2d_DSAparams_fp(FILE *fp, DSA *a)
{
return ASN1_item_i2d_fp(&DSAparams_it, fp, a);
}
LCRYPTO_ALIAS(i2d_DSAparams_fp);
static const ASN1_AUX DSAPublicKey_aux = {
.app_data = NULL,
.flags = 0,
.ref_offset = 0,
.ref_lock = 0,
.asn1_cb = dsa_cb,
.enc_offset = 0,
};
static const ASN1_TEMPLATE DSAPublicKey_seq_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, pub_key),
.field_name = "pub_key",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, p),
.field_name = "p",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, q),
.field_name = "q",
.item = &BIGNUM_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(DSA, g),
.field_name = "g",
.item = &BIGNUM_it,
},
};
const ASN1_ITEM DSAPublicKey_it = {
.itype = ASN1_ITYPE_SEQUENCE,
.utype = V_ASN1_SEQUENCE,
.templates = DSAPublicKey_seq_tt,
.tcount = sizeof(DSAPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
.funcs = &DSAPublicKey_aux,
.size = sizeof(DSA),
.sname = "DSA",
};
DSA *
d2i_DSAPublicKey(DSA **a, const unsigned char **in, long len)
{
return (DSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
&DSAPublicKey_it);
}
LCRYPTO_ALIAS(d2i_DSAPublicKey);
int
i2d_DSAPublicKey(const DSA *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSAPublicKey_it);
}
LCRYPTO_ALIAS(i2d_DSAPublicKey);
DSA *
DSAparams_dup(DSA *dsa)
{
return ASN1_item_dup(&DSAparams_it, dsa);
}
LCRYPTO_ALIAS(DSAparams_dup);
int
DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
unsigned int *out_siglen, DSA *dsa)
{
DSA_SIG *s;
int siglen;
int ret = 0;
*out_siglen = 0;
if ((s = DSA_do_sign(dgst, dlen, dsa)) == NULL)
goto err;
if ((siglen = i2d_DSA_SIG(s, &sig)) < 0)
goto err;
*out_siglen = siglen;
ret = 1;
err:
DSA_SIG_free(s);
return ret;
}
LCRYPTO_ALIAS(DSA_sign);
/*
* data has already been hashed (probably with SHA or SHA-1).
* returns
* 1: correct signature
* 0: incorrect signature
* -1: error
*/
int
DSA_verify(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int siglen, DSA *dsa)
{
DSA_SIG *s = NULL;
unsigned char *der = NULL;
const unsigned char *p;
int ret = -1;
p = sigbuf;
if ((s = d2i_DSA_SIG(NULL, &p, siglen)) == NULL)
goto err;
/* Ensure signature uses DER and doesn't have trailing garbage */
if (i2d_DSA_SIG(s, &der) != siglen)
goto err;
if (memcmp(der, sigbuf, siglen) != 0)
goto err;
ret = DSA_do_verify(dgst, dgst_len, s, dsa);
err:
free(der);
DSA_SIG_free(s);
return ret;
}
LCRYPTO_ALIAS(DSA_verify);

104
crypto/dsa/dsa_err.c Normal file
View File

@@ -0,0 +1,104 @@
/* $OpenBSD: dsa_err.c,v 1.19 2023/07/08 14:28:15 beck Exp $ */
/* ====================================================================
* Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/opensslconf.h>
#include <openssl/err.h>
#include <openssl/dsa.h>
#ifndef OPENSSL_NO_ERR
#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
static ERR_STRING_DATA DSA_str_functs[]= {
{ERR_FUNC(0xfff), "CRYPTO_internal"},
{0, NULL}
};
static ERR_STRING_DATA DSA_str_reasons[]=
{
{ERR_REASON(DSA_R_BAD_Q_VALUE) ,"bad q value"},
{ERR_REASON(DSA_R_BN_DECODE_ERROR) ,"bn decode error"},
{ERR_REASON(DSA_R_BN_ERROR) ,"bn error"},
{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
{ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"},
{ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
{ERR_REASON(DSA_R_INVALID_PARAMETERS) ,"invalid parameters"},
{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
{ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD) ,"non fips dsa method"},
{ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"},
{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
{0,NULL}
};
#endif
void ERR_load_DSA_strings(void)
{
#ifndef OPENSSL_NO_ERR
if (ERR_func_error_string(DSA_str_functs[0].error) == NULL)
{
ERR_load_strings(0,DSA_str_functs);
ERR_load_strings(0,DSA_str_reasons);
}
#endif
}
LCRYPTO_ALIAS(ERR_load_DSA_strings);

381
crypto/dsa/dsa_gen.c Normal file
View File

@@ -0,0 +1,381 @@
/* $OpenBSD: dsa_gen.c,v 1.30 2023/07/08 14:28:15 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */
#ifndef OPENSSL_NO_SHA
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include "bn_local.h"
#include "dsa_local.h"
int
DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in,
int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
if (ret->meth->dsa_paramgen)
return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
counter_ret, h_ret, cb);
else {
const EVP_MD *evpmd;
size_t qbits;
if (bits >= 2048) {
qbits = 256;
evpmd = EVP_sha256();
} else {
qbits = 160;
evpmd = EVP_sha1();
}
return dsa_builtin_paramgen(ret, bits, qbits, evpmd, seed_in,
seed_len, NULL, counter_ret, h_ret, cb);
}
}
LCRYPTO_ALIAS(DSA_generate_parameters_ex);
int
dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
int ok = 0;
unsigned char seed[SHA256_DIGEST_LENGTH];
unsigned char md[SHA256_DIGEST_LENGTH];
unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
BIGNUM *r0, *W, *X, *c, *test;
BIGNUM *g = NULL, *q = NULL, *p = NULL;
BN_MONT_CTX *mont = NULL;
int i, k, n = 0, m = 0, qsize = qbits >> 3;
int counter = 0;
int r = 0;
BN_CTX *ctx = NULL;
unsigned int h = 2;
if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
qsize != SHA256_DIGEST_LENGTH)
/* invalid q size */
return 0;
if (evpmd == NULL)
/* use SHA1 as default */
evpmd = EVP_sha1();
if (bits < 512)
bits = 512;
bits = (bits + 63) / 64 * 64;
if (seed_len < (size_t)qsize) {
seed_in = NULL; /* seed buffer too small -- ignore */
seed_len = 0;
}
/*
* App. 2.2 of FIPS PUB 186 allows larger SEED,
* but our internal buffers are restricted to 160 bits
*/
if (seed_len > (size_t)qsize)
seed_len = qsize;
if (seed_in != NULL)
memcpy(seed, seed_in, seed_len);
else if (seed_len != 0)
goto err;
if ((mont = BN_MONT_CTX_new()) == NULL)
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
if ((r0 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((g = BN_CTX_get(ctx)) == NULL)
goto err;
if ((W = BN_CTX_get(ctx)) == NULL)
goto err;
if ((q = BN_CTX_get(ctx)) == NULL)
goto err;
if ((X = BN_CTX_get(ctx)) == NULL)
goto err;
if ((c = BN_CTX_get(ctx)) == NULL)
goto err;
if ((p = BN_CTX_get(ctx)) == NULL)
goto err;
if ((test = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_lshift(test, BN_value_one(), bits - 1))
goto err;
for (;;) {
for (;;) { /* find q */
int seed_is_random;
/* step 1 */
if (!BN_GENCB_call(cb, 0, m++))
goto err;
if (seed_len == 0) {
arc4random_buf(seed, qsize);
seed_is_random = 1;
} else {
seed_is_random = 0;
/* use random seed if 'seed_in' turns out
to be bad */
seed_len = 0;
}
memcpy(buf, seed, qsize);
memcpy(buf2, seed, qsize);
/* precompute "SEED + 1" for step 7: */
for (i = qsize - 1; i >= 0; i--) {
buf[i]++;
if (buf[i] != 0)
break;
}
/* step 2 */
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
goto err;
if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
goto err;
for (i = 0; i < qsize; i++)
md[i] ^= buf2[i];
/* step 3 */
md[0] |= 0x80;
md[qsize - 1] |= 0x01;
if (!BN_bin2bn(md, qsize, q))
goto err;
/* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_is_random, cb);
if (r > 0)
break;
if (r != 0)
goto err;
/* do a callback call */
/* step 5 */
}
if (!BN_GENCB_call(cb, 2, 0))
goto err;
if (!BN_GENCB_call(cb, 3, 0))
goto err;
/* step 6 */
counter = 0;
/* "offset = 2" */
n = (bits - 1) / 160;
for (;;) {
if (counter != 0 && !BN_GENCB_call(cb, 0, counter))
goto err;
/* step 7 */
BN_zero(W);
/* now 'buf' contains "SEED + offset - 1" */
for (k = 0; k <= n; k++) {
/* obtain "SEED + offset + k" by incrementing: */
for (i = qsize - 1; i >= 0; i--) {
buf[i]++;
if (buf[i] != 0)
break;
}
if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
NULL))
goto err;
/* step 8 */
if (!BN_bin2bn(md, qsize, r0))
goto err;
if (!BN_lshift(r0, r0, (qsize << 3) * k))
goto err;
if (!BN_add(W, W, r0))
goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W, bits - 1))
goto err;
if (!bn_copy(X, W))
goto err;
if (!BN_add(X, X, test))
goto err;
/* step 9 */
if (!BN_lshift1(r0, q))
goto err;
if (!BN_mod_ct(c, X, r0, ctx))
goto err;
if (!BN_sub(r0, c, BN_value_one()))
goto err;
if (!BN_sub(p, X, r0))
goto err;
/* step 10 */
if (BN_cmp(p, test) >= 0) {
/* step 11 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
ctx, 1, cb);
if (r > 0)
goto end; /* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096)
break;
}
}
end:
if (!BN_GENCB_call(cb, 2, 1))
goto err;
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test, p, BN_value_one()))
goto err;
if (!BN_div_ct(r0, NULL, test, q, ctx))
goto err;
if (!BN_set_word(test, h))
goto err;
if (!BN_MONT_CTX_set(mont, p, ctx))
goto err;
for (;;) {
/* g=test^r0%p */
if (!BN_mod_exp_mont_ct(g, test, r0, p, ctx, mont))
goto err;
if (!BN_is_one(g))
break;
if (!BN_add(test, test, BN_value_one()))
goto err;
h++;
}
if (!BN_GENCB_call(cb, 3, 1))
goto err;
ok = 1;
err:
if (ok) {
BN_free(ret->p);
BN_free(ret->q);
BN_free(ret->g);
ret->p = BN_dup(p);
ret->q = BN_dup(q);
ret->g = BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
ok = 0;
goto err;
}
if (counter_ret != NULL)
*counter_ret = counter;
if (h_ret != NULL)
*h_ret = h;
if (seed_out != NULL)
memcpy(seed_out, seed, qsize);
}
BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_MONT_CTX_free(mont);
return ok;
}
DSA *
DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret, void (*callback)(int, int, void *),
void *cb_arg)
{
BN_GENCB cb;
DSA *ret;
if ((ret = DSA_new()) == NULL)
return NULL;
BN_GENCB_set_old(&cb, callback, cb_arg);
if (DSA_generate_parameters_ex(ret, bits, seed_in, seed_len,
counter_ret, h_ret, &cb))
return ret;
DSA_free(ret);
return NULL;
}
LCRYPTO_ALIAS(DSA_generate_parameters);
#endif

120
crypto/dsa/dsa_key.c Normal file
View File

@@ -0,0 +1,120 @@
/* $OpenBSD: dsa_key.c,v 1.35 2023/08/03 18:53:55 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdio.h>
#include <time.h>
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_SHA
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include "bn_local.h"
#include "dsa_local.h"
static int dsa_builtin_keygen(DSA *dsa);
int
DSA_generate_key(DSA *dsa)
{
if (dsa->meth->dsa_keygen)
return dsa->meth->dsa_keygen(dsa);
return dsa_builtin_keygen(dsa);
}
LCRYPTO_ALIAS(DSA_generate_key);
static int
dsa_builtin_keygen(DSA *dsa)
{
BIGNUM *pub_key = NULL, *priv_key = NULL;
BN_CTX *ctx = NULL;
int ok = 0;
if ((priv_key = BN_new()) == NULL)
goto err;
if ((pub_key = BN_new()) == NULL)
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (!bn_rand_interval(priv_key, 1, dsa->q))
goto err;
if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx))
goto err;
BN_free(dsa->priv_key);
dsa->priv_key = priv_key;
priv_key = NULL;
BN_free(dsa->pub_key);
dsa->pub_key = pub_key;
pub_key = NULL;
ok = 1;
err:
BN_free(pub_key);
BN_free(priv_key);
BN_CTX_free(ctx);
return ok;
}
#endif

510
crypto/dsa/dsa_lib.c Normal file
View File

@@ -0,0 +1,510 @@
/* $OpenBSD: dsa_lib.c,v 1.44 2023/08/12 06:14:36 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
#include <stdio.h>
#include <openssl/opensslconf.h>
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include "dh_local.h"
#include "dsa_local.h"
static const DSA_METHOD *default_DSA_method = NULL;
void
DSA_set_default_method(const DSA_METHOD *meth)
{
default_DSA_method = meth;
}
LCRYPTO_ALIAS(DSA_set_default_method);
const DSA_METHOD *
DSA_get_default_method(void)
{
if (!default_DSA_method)
default_DSA_method = DSA_OpenSSL();
return default_DSA_method;
}
LCRYPTO_ALIAS(DSA_get_default_method);
DSA *
DSA_new(void)
{
return DSA_new_method(NULL);
}
LCRYPTO_ALIAS(DSA_new);
int
DSA_set_method(DSA *dsa, const DSA_METHOD *meth)
{
/*
* NB: The caller is specifically setting a method, so it's not up to us
* to deal with which ENGINE it comes from.
*/
const DSA_METHOD *mtmp;
mtmp = dsa->meth;
if (mtmp->finish)
mtmp->finish(dsa);
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(dsa->engine);
dsa->engine = NULL;
#endif
dsa->meth = meth;
if (meth->init)
meth->init(dsa);
return 1;
}
LCRYPTO_ALIAS(DSA_set_method);
DSA *
DSA_new_method(ENGINE *engine)
{
DSA *dsa;
if ((dsa = calloc(1, sizeof(DSA))) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
dsa->meth = DSA_get_default_method();
dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
dsa->references = 1;
#ifndef OPENSSL_NO_ENGINE
if (engine) {
if (!ENGINE_init(engine)) {
DSAerror(ERR_R_ENGINE_LIB);
goto err;
}
dsa->engine = engine;
} else
dsa->engine = ENGINE_get_default_DSA();
if (dsa->engine != NULL) {
if ((dsa->meth = ENGINE_get_DSA(dsa->engine)) == NULL) {
DSAerror(ERR_R_ENGINE_LIB);
goto err;
}
dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
}
#endif
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data))
goto err;
if (dsa->meth->init != NULL && !dsa->meth->init(dsa))
goto err;
return dsa;
err:
DSA_free(dsa);
return NULL;
}
LCRYPTO_ALIAS(DSA_new_method);
void
DSA_free(DSA *r)
{
int i;
if (r == NULL)
return;
i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_DSA);
if (i > 0)
return;
if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(r->engine);
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data);
BN_free(r->p);
BN_free(r->q);
BN_free(r->g);
BN_free(r->pub_key);
BN_free(r->priv_key);
BN_free(r->kinv);
BN_free(r->r);
free(r);
}
LCRYPTO_ALIAS(DSA_free);
int
DSA_up_ref(DSA *r)
{
int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_DSA);
return i > 1 ? 1 : 0;
}
LCRYPTO_ALIAS(DSA_up_ref);
int
DSA_size(const DSA *r)
{
DSA_SIG signature;
int ret = 0;
signature.r = r->q;
signature.s = r->q;
if ((ret = i2d_DSA_SIG(&signature, NULL)) < 0)
ret = 0;
return ret;
}
LCRYPTO_ALIAS(DSA_size);
int
DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, argl, argp,
new_func, dup_func, free_func);
}
LCRYPTO_ALIAS(DSA_get_ex_new_index);
int
DSA_set_ex_data(DSA *d, int idx, void *arg)
{
return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
}
LCRYPTO_ALIAS(DSA_set_ex_data);
void *
DSA_get_ex_data(DSA *d, int idx)
{
return CRYPTO_get_ex_data(&d->ex_data, idx);
}
LCRYPTO_ALIAS(DSA_get_ex_data);
int
DSA_security_bits(const DSA *d)
{
if (d->p == NULL || d->q == NULL)
return -1;
return BN_security_bits(BN_num_bits(d->p), BN_num_bits(d->q));
}
LCRYPTO_ALIAS(DSA_security_bits);
#ifndef OPENSSL_NO_DH
DH *
DSA_dup_DH(const DSA *r)
{
/*
* DSA has p, q, g, optional pub_key, optional priv_key.
* DH has p, optional length, g, optional pub_key, optional priv_key,
* optional q.
*/
DH *ret = NULL;
if (r == NULL)
goto err;
ret = DH_new();
if (ret == NULL)
goto err;
if (r->p != NULL)
if ((ret->p = BN_dup(r->p)) == NULL)
goto err;
if (r->q != NULL) {
ret->length = BN_num_bits(r->q);
if ((ret->q = BN_dup(r->q)) == NULL)
goto err;
}
if (r->g != NULL)
if ((ret->g = BN_dup(r->g)) == NULL)
goto err;
if (r->pub_key != NULL)
if ((ret->pub_key = BN_dup(r->pub_key)) == NULL)
goto err;
if (r->priv_key != NULL)
if ((ret->priv_key = BN_dup(r->priv_key)) == NULL)
goto err;
return ret;
err:
DH_free(ret);
return NULL;
}
LCRYPTO_ALIAS(DSA_dup_DH);
#endif
void
DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
if (p != NULL)
*p = d->p;
if (q != NULL)
*q = d->q;
if (g != NULL)
*g = d->g;
}
LCRYPTO_ALIAS(DSA_get0_pqg);
int
DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
{
if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
(d->g == NULL && g == NULL))
return 0;
if (p != NULL) {
BN_free(d->p);
d->p = p;
}
if (q != NULL) {
BN_free(d->q);
d->q = q;
}
if (g != NULL) {
BN_free(d->g);
d->g = g;
}
return 1;
}
LCRYPTO_ALIAS(DSA_set0_pqg);
void
DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
{
if (pub_key != NULL)
*pub_key = d->pub_key;
if (priv_key != NULL)
*priv_key = d->priv_key;
}
LCRYPTO_ALIAS(DSA_get0_key);
int
DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
{
if (d->pub_key == NULL && pub_key == NULL)
return 0;
if (pub_key != NULL) {
BN_free(d->pub_key);
d->pub_key = pub_key;
}
if (priv_key != NULL) {
BN_free(d->priv_key);
d->priv_key = priv_key;
}
return 1;
}
LCRYPTO_ALIAS(DSA_set0_key);
const BIGNUM *
DSA_get0_p(const DSA *d)
{
return d->p;
}
LCRYPTO_ALIAS(DSA_get0_p);
const BIGNUM *
DSA_get0_q(const DSA *d)
{
return d->q;
}
LCRYPTO_ALIAS(DSA_get0_q);
const BIGNUM *
DSA_get0_g(const DSA *d)
{
return d->g;
}
LCRYPTO_ALIAS(DSA_get0_g);
const BIGNUM *
DSA_get0_pub_key(const DSA *d)
{
return d->pub_key;
}
LCRYPTO_ALIAS(DSA_get0_pub_key);
const BIGNUM *
DSA_get0_priv_key(const DSA *d)
{
return d->priv_key;
}
LCRYPTO_ALIAS(DSA_get0_priv_key);
void
DSA_clear_flags(DSA *d, int flags)
{
d->flags &= ~flags;
}
LCRYPTO_ALIAS(DSA_clear_flags);
int
DSA_test_flags(const DSA *d, int flags)
{
return d->flags & flags;
}
LCRYPTO_ALIAS(DSA_test_flags);
void
DSA_set_flags(DSA *d, int flags)
{
d->flags |= flags;
}
LCRYPTO_ALIAS(DSA_set_flags);
ENGINE *
DSA_get0_engine(DSA *d)
{
return d->engine;
}
LCRYPTO_ALIAS(DSA_get0_engine);
int
DSA_bits(const DSA *dsa)
{
return BN_num_bits(dsa->p);
}
LCRYPTO_ALIAS(DSA_bits);
int
dsa_check_key(const DSA *dsa)
{
int p_bits, q_bits;
if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
DSAerror(DSA_R_MISSING_PARAMETERS);
return 0;
}
/* Checking that p and q are primes is expensive. Check they are odd. */
if (!BN_is_odd(dsa->p) || !BN_is_odd(dsa->q)) {
DSAerror(DSA_R_INVALID_PARAMETERS);
return 0;
}
/* FIPS 186-4: 1 < g < p. */
if (BN_cmp(dsa->g, BN_value_one()) <= 0 ||
BN_cmp(dsa->g, dsa->p) >= 0) {
DSAerror(DSA_R_INVALID_PARAMETERS);
return 0;
}
/* We know p and g are positive. The next two checks imply q > 0. */
if (BN_is_negative(dsa->q)) {
DSAerror(DSA_R_BAD_Q_VALUE);
return 0;
}
/* FIPS 186-4 only allows three sizes for q. */
q_bits = BN_num_bits(dsa->q);
if (q_bits != 160 && q_bits != 224 && q_bits != 256) {
DSAerror(DSA_R_BAD_Q_VALUE);
return 0;
}
/*
* XXX - FIPS 186-4 only allows 1024, 2048, and 3072 bits for p.
* Cap the size to reduce DoS risks. Poor defaults make keys with
* incorrect p sizes >= 512 bits common, so only enforce a weak
* lower bound.
*/
p_bits = BN_num_bits(dsa->p);
if (p_bits > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerror(DSA_R_MODULUS_TOO_LARGE);
return 0;
}
if (p_bits < 512) {
DSAerror(DSA_R_INVALID_PARAMETERS);
return 0;
}
/* The public key must be in the multiplicative group (mod p). */
if (dsa->pub_key != NULL) {
if (BN_cmp(dsa->pub_key, BN_value_one()) <= 0 ||
BN_cmp(dsa->pub_key, dsa->p) >= 0) {
DSAerror(DSA_R_INVALID_PARAMETERS);
return 0;
}
}
/* The private key must be nonzero and in GF(q). */
if (dsa->priv_key != NULL) {
if (BN_cmp(dsa->priv_key, BN_value_one()) < 0 ||
BN_cmp(dsa->priv_key, dsa->q) >= 0) {
DSAerror(DSA_R_INVALID_PARAMETERS);
return 0;
}
}
return 1;
}

120
crypto/dsa/dsa_local.h Normal file
View File

@@ -0,0 +1,120 @@
/* $OpenBSD: dsa_local.h,v 1.2 2023/03/04 20:54:52 tb Exp $ */
/* ====================================================================
* Copyright (c) 2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <openssl/dsa.h>
__BEGIN_HIDDEN_DECLS
struct DSA_SIG_st {
BIGNUM *r;
BIGNUM *s;
} /* DSA_SIG */;
struct dsa_method {
char *name;
DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp);
int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont);
int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */
int (*init)(DSA *dsa);
int (*finish)(DSA *dsa);
int flags;
char *app_data;
/* If this is non-NULL, it is used to generate DSA parameters */
int (*dsa_paramgen)(DSA *dsa, int bits, const unsigned char *seed,
int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
/* If this is non-NULL, it is used to generate DSA keys */
int (*dsa_keygen)(DSA *dsa);
} /* DSA_METHOD */;
struct dsa_st {
/* This first variable is used to pick up errors where
* a DSA is passed instead of of a EVP_PKEY */
int pad;
long version;
BIGNUM *p;
BIGNUM *q; /* == 20 */
BIGNUM *g;
BIGNUM *pub_key; /* y public key */
BIGNUM *priv_key; /* x private key */
BIGNUM *kinv; /* Signing pre-calc */
BIGNUM *r; /* Signing pre-calc */
int flags;
/* Normally used to cache montgomery values */
BN_MONT_CTX *method_mont_p;
int references;
CRYPTO_EX_DATA ex_data;
const DSA_METHOD *meth;
/* functional reference if 'meth' is ENGINE-provided */
ENGINE *engine;
} /* DSA */;
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
unsigned char *seed_out,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
int dsa_check_key(const DSA *dsa);
__END_HIDDEN_DECLS

110
crypto/dsa/dsa_meth.c Normal file
View File

@@ -0,0 +1,110 @@
/* $OpenBSD: dsa_meth.c,v 1.7 2023/07/08 14:28:15 beck Exp $ */
/*
* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdlib.h>
#include <string.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#include "dsa_local.h"
DSA_METHOD *
DSA_meth_new(const char *name, int flags)
{
DSA_METHOD *meth;
if ((meth = calloc(1, sizeof(*meth))) == NULL)
return NULL;
if ((meth->name = strdup(name)) == NULL) {
free(meth);
return NULL;
}
meth->flags = flags;
return meth;
}
LCRYPTO_ALIAS(DSA_meth_new);
void
DSA_meth_free(DSA_METHOD *meth)
{
if (meth == NULL)
return;
free(meth->name);
free(meth);
}
LCRYPTO_ALIAS(DSA_meth_free);
DSA_METHOD *
DSA_meth_dup(const DSA_METHOD *meth)
{
DSA_METHOD *copy;
if ((copy = calloc(1, sizeof(*copy))) == NULL)
return NULL;
memcpy(copy, meth, sizeof(*copy));
if ((copy->name = strdup(meth->name)) == NULL) {
free(copy);
return NULL;
}
return copy;
}
LCRYPTO_ALIAS(DSA_meth_dup);
const char *
DSA_meth_get0_name(const DSA_METHOD *meth)
{
return meth->name;
}
LCRYPTO_ALIAS(DSA_meth_get0_name);
int
DSA_meth_set1_name(DSA_METHOD *meth, const char *name)
{
char *new_name;
if ((new_name = strdup(name)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
return 0;
}
free(meth->name);
meth->name = new_name;
return 1;
}
LCRYPTO_ALIAS(DSA_meth_set1_name);
int
DSA_meth_set_sign(DSA_METHOD *meth,
DSA_SIG *(*sign)(const unsigned char *, int, DSA *))
{
meth->dsa_do_sign = sign;
return 1;
}
LCRYPTO_ALIAS(DSA_meth_set_sign);
int
DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *))
{
meth->finish = finish;
return 1;
}
LCRYPTO_ALIAS(DSA_meth_set_finish);

477
crypto/dsa/dsa_ossl.c Normal file
View File

@@ -0,0 +1,477 @@
/* $OpenBSD: dsa_ossl.c,v 1.53 2023/08/03 18:53:55 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
#include <stdio.h>
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include "bn_local.h"
#include "dsa_local.h"
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);
static DSA_METHOD openssl_dsa_meth = {
.name = "OpenSSL DSA method",
.dsa_do_sign = dsa_do_sign,
.dsa_sign_setup = dsa_sign_setup,
.dsa_do_verify = dsa_do_verify,
.init = dsa_init,
.finish = dsa_finish,
};
const DSA_METHOD *
DSA_OpenSSL(void)
{
return &openssl_dsa_meth;
}
LCRYPTO_ALIAS(DSA_OpenSSL);
/*
* Since DSA parameters are entirely arbitrary and checking them to be
* consistent is very expensive, we cannot do so on every sign operation.
* Instead, cap the number of retries so we do not loop indefinitely if
* the generator of the multiplicative group happens to be nilpotent.
* The probability of needing a retry with valid parameters is negligible,
* so trying 32 times is amply enough.
*/
#define DSA_MAX_SIGN_ITERATIONS 32
static DSA_SIG *
dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
BIGNUM *b = NULL, *bm = NULL, *bxr = NULL, *binv = NULL, *m = NULL;
BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
BN_CTX *ctx = NULL;
int reason = ERR_R_BN_LIB;
DSA_SIG *ret = NULL;
int attempts = 0;
int noredo = 0;
if (!dsa_check_key(dsa)) {
reason = DSA_R_INVALID_PARAMETERS;
goto err;
}
if ((s = BN_new()) == NULL)
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
if ((b = BN_CTX_get(ctx)) == NULL)
goto err;
if ((binv = BN_CTX_get(ctx)) == NULL)
goto err;
if ((bm = BN_CTX_get(ctx)) == NULL)
goto err;
if ((bxr = BN_CTX_get(ctx)) == NULL)
goto err;
if ((m = BN_CTX_get(ctx)) == NULL)
goto err;
/*
* If the digest length is greater than N (the bit length of q), the
* leftmost N bits of the digest shall be used, see FIPS 186-3, 4.2.
* In this case the digest length is given in bytes.
*/
if (dlen > BN_num_bytes(dsa->q))
dlen = BN_num_bytes(dsa->q);
if (BN_bin2bn(dgst, dlen, m) == NULL)
goto err;
redo:
if (dsa->kinv == NULL || dsa->r == NULL) {
if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
goto err;
} else {
kinv = dsa->kinv;
dsa->kinv = NULL;
r = dsa->r;
dsa->r = NULL;
noredo = 1;
}
/*
* Compute:
*
* s = inv(k)(m + xr) mod q
*
* In order to reduce the possibility of a side-channel attack, the
* following is calculated using a blinding value:
*
* s = inv(b)(bm + bxr)inv(k) mod q
*
* Where b is a random value in the range [1, q).
*/
if (!bn_rand_interval(b, 1, dsa->q))
goto err;
if (BN_mod_inverse_ct(binv, b, dsa->q, ctx) == NULL)
goto err;
if (!BN_mod_mul(bxr, b, dsa->priv_key, dsa->q, ctx)) /* bx */
goto err;
if (!BN_mod_mul(bxr, bxr, r, dsa->q, ctx)) /* bxr */
goto err;
if (!BN_mod_mul(bm, b, m, dsa->q, ctx)) /* bm */
goto err;
if (!BN_mod_add(s, bxr, bm, dsa->q, ctx)) /* s = bm + bxr */
goto err;
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) /* s = b(m + xr)k^-1 */
goto err;
if (!BN_mod_mul(s, s, binv, dsa->q, ctx)) /* s = (m + xr)k^-1 */
goto err;
/*
* Redo if r or s is zero as required by FIPS 186-3: this is very
* unlikely.
*/
if (BN_is_zero(r) || BN_is_zero(s)) {
if (noredo) {
reason = DSA_R_NEED_NEW_SETUP_VALUES;
goto err;
}
if (++attempts > DSA_MAX_SIGN_ITERATIONS) {
reason = DSA_R_INVALID_PARAMETERS;
goto err;
}
goto redo;
}
if ((ret = DSA_SIG_new()) == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
ret->r = r;
ret->s = s;
err:
if (!ret) {
DSAerror(reason);
BN_free(r);
BN_free(s);
}
BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_free(kinv);
return ret;
}
static int
dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
BIGNUM *k = NULL, *l = NULL, *m = NULL, *kinv = NULL, *r = NULL;
BN_CTX *ctx = NULL;
int q_bits;
int ret = 0;
if (!dsa_check_key(dsa))
goto err;
if ((r = BN_new()) == NULL)
goto err;
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
BN_CTX_start(ctx);
if ((k = BN_CTX_get(ctx)) == NULL)
goto err;
if ((l = BN_CTX_get(ctx)) == NULL)
goto err;
if ((m = BN_CTX_get(ctx)) == NULL)
goto err;
/* Preallocate space */
q_bits = BN_num_bits(dsa->q);
if (!BN_set_bit(k, q_bits) ||
!BN_set_bit(l, q_bits) ||
!BN_set_bit(m, q_bits))
goto err;
if (!bn_rand_interval(k, 1, dsa->q))
goto err;
BN_set_flags(k, BN_FLG_CONSTTIME);
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
CRYPTO_LOCK_DSA, dsa->p, ctx))
goto err;
}
/* Compute r = (g^k mod p) mod q */
/*
* We do not want timing information to leak the length of k,
* so we compute G^k using an equivalent exponent of fixed
* bit-length.
*
* We unconditionally perform both of these additions to prevent a
* small timing information leakage. We then choose the sum that is
* one bit longer than the modulus.
*
* TODO: revisit the bn_copy aiming for a memory access agnostic
* conditional copy.
*/
if (!BN_add(l, k, dsa->q) ||
!BN_add(m, l, dsa->q) ||
!bn_copy(k, BN_num_bits(l) > q_bits ? l : m))
goto err;
if (dsa->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
goto err;
} else {
if (!BN_mod_exp_mont_ct(r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
goto err;
}
if (!BN_mod_ct(r, r, dsa->q, ctx))
goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv = BN_mod_inverse_ct(NULL, k, dsa->q, ctx)) == NULL)
goto err;
BN_free(*kinvp);
*kinvp = kinv;
kinv = NULL;
BN_free(*rp);
*rp = r;
ret = 1;
err:
if (!ret) {
DSAerror(ERR_R_BN_LIB);
BN_free(r);
}
BN_CTX_end(ctx);
if (ctx != ctx_in)
BN_CTX_free(ctx);
return ret;
}
static int
dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
{
BIGNUM *u1 = NULL, *u2 = NULL, *t1 = NULL;
BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL;
int qbits;
int ret = -1;
if (!dsa_check_key(dsa))
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
if ((u1 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((u2 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((t1 = BN_CTX_get(ctx)) == NULL)
goto err;
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, dsa->q) >= 0) {
ret = 0;
goto err;
}
if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
BN_ucmp(sig->s, dsa->q) >= 0) {
ret = 0;
goto err;
}
/* Calculate w = inv(s) mod q, saving w in u2. */
if ((BN_mod_inverse_ct(u2, sig->s, dsa->q, ctx)) == NULL)
goto err;
/*
* If the digest length is greater than the size of q use the
* BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-4, 4.2.
*/
qbits = BN_num_bits(dsa->q);
if (dgst_len > (qbits >> 3))
dgst_len = (qbits >> 3);
/* Save m in u1. */
if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
goto err;
/* u1 = m * w mod q */
if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
goto err;
/* u2 = r * w mod q */
if (!BN_mod_mul(u2, sig->r, u2, dsa->q, ctx))
goto err;
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
CRYPTO_LOCK_DSA, dsa->p, ctx);
if (!mont)
goto err;
}
if (dsa->meth->dsa_mod_exp != NULL) {
if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key,
u2, dsa->p, ctx, mont))
goto err;
} else {
if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2,
dsa->p, ctx, mont))
goto err;
}
/* let u1 = u1 mod q */
if (!BN_mod_ct(u1, t1, dsa->q, ctx))
goto err;
/* v is in u1 - if the signature is correct, it will be equal to r. */
ret = BN_ucmp(u1, sig->r) == 0;
err:
if (ret < 0)
DSAerror(ERR_R_BN_LIB);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
static int
dsa_init(DSA *dsa)
{
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
return 1;
}
static int
dsa_finish(DSA *dsa)
{
BN_MONT_CTX_free(dsa->method_mont_p);
return 1;
}
DSA_SIG *
DSA_SIG_new(void)
{
return calloc(1, sizeof(DSA_SIG));
}
LCRYPTO_ALIAS(DSA_SIG_new);
void
DSA_SIG_free(DSA_SIG *sig)
{
if (sig == NULL)
return;
BN_free(sig->r);
BN_free(sig->s);
free(sig);
}
LCRYPTO_ALIAS(DSA_SIG_free);
int
DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
}
LCRYPTO_ALIAS(DSA_sign_setup);
DSA_SIG *
DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
}
LCRYPTO_ALIAS(DSA_do_sign);
int
DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
{
return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
}
LCRYPTO_ALIAS(DSA_do_verify);

350
crypto/dsa/dsa_pmeth.c Normal file
View File

@@ -0,0 +1,350 @@
/* $OpenBSD: dsa_pmeth.c,v 1.17 2023/04/25 15:48:48 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <openssl/asn1t.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include "bn_local.h"
#include "dsa_local.h"
#include "evp_local.h"
/* DSA pkey context structure */
typedef struct {
/* Parameter gen parameters */
int nbits; /* size of p in bits (default: 1024) */
int qbits; /* size of q in bits (default: 160) */
const EVP_MD *pmd; /* MD for parameter generation */
/* Keygen callback info */
int gentmp[2];
/* message digest */
const EVP_MD *md; /* MD for the signature */
} DSA_PKEY_CTX;
static int
pkey_dsa_init(EVP_PKEY_CTX *ctx)
{
DSA_PKEY_CTX *dctx;
dctx = malloc(sizeof(DSA_PKEY_CTX));
if (!dctx)
return 0;
dctx->nbits = 1024;
dctx->qbits = 160;
dctx->pmd = NULL;
dctx->md = NULL;
ctx->data = dctx;
ctx->keygen_info = dctx->gentmp;
ctx->keygen_info_count = 2;
return 1;
}
static int
pkey_dsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
{
DSA_PKEY_CTX *dctx, *sctx;
if (!pkey_dsa_init(dst))
return 0;
sctx = src->data;
dctx = dst->data;
dctx->nbits = sctx->nbits;
dctx->qbits = sctx->qbits;
dctx->pmd = sctx->pmd;
dctx->md = sctx->md;
return 1;
}
static void
pkey_dsa_cleanup(EVP_PKEY_CTX *ctx)
{
DSA_PKEY_CTX *dctx = ctx->data;
free(dctx);
}
static int
pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *out_siglen,
const unsigned char *tbs, size_t tbslen)
{
DSA *dsa = ctx->pkey->pkey.dsa;
DSA_PKEY_CTX *dctx = ctx->data;
unsigned int siglen;
*out_siglen = 0;
if (tbslen > INT_MAX)
return 0;
if (dctx->md != NULL) {
if (tbslen != EVP_MD_size(dctx->md))
return 0;
}
if (!DSA_sign(0, tbs, tbslen, sig, &siglen, dsa))
return 0;
*out_siglen = siglen;
return 1;
}
static int
pkey_dsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen)
{
DSA *dsa = ctx->pkey->pkey.dsa;
DSA_PKEY_CTX *dctx = ctx->data;
if (tbslen > INT_MAX || siglen > INT_MAX)
return 0;
if (dctx->md != NULL) {
if (tbslen != EVP_MD_size(dctx->md))
return 0;
}
return DSA_verify(0, tbs, tbslen, sig, siglen, dsa);
}
static int
pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
DSA_PKEY_CTX *dctx = ctx->data;
switch (type) {
case EVP_PKEY_CTRL_DSA_PARAMGEN_BITS:
if (p1 < 256)
return -2;
dctx->nbits = p1;
return 1;
case EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS:
if (p1 != 160 && p1 != 224 && p1 && p1 != 256)
return -2;
dctx->qbits = p1;
return 1;
case EVP_PKEY_CTRL_DSA_PARAMGEN_MD:
switch (EVP_MD_type((const EVP_MD *)p2)) {
case NID_sha1:
case NID_sha224:
case NID_sha256:
break;
default:
DSAerror(DSA_R_INVALID_DIGEST_TYPE);
return 0;
}
dctx->md = p2;
return 1;
case EVP_PKEY_CTRL_MD:
/* ANSI X9.57 and NIST CSOR. */
switch (EVP_MD_type((const EVP_MD *)p2)) {
case NID_sha1:
case NID_dsa:
case NID_dsaWithSHA:
case NID_sha224:
case NID_sha256:
case NID_sha384:
case NID_sha512:
case NID_sha3_224:
case NID_sha3_256:
case NID_sha3_384:
case NID_sha3_512:
break;
default:
DSAerror(DSA_R_INVALID_DIGEST_TYPE);
return 0;
}
dctx->md = p2;
return 1;
case EVP_PKEY_CTRL_GET_MD:
*(const EVP_MD **)p2 = dctx->md;
return 1;
case EVP_PKEY_CTRL_DIGESTINIT:
case EVP_PKEY_CTRL_PKCS7_SIGN:
case EVP_PKEY_CTRL_CMS_SIGN:
return 1;
case EVP_PKEY_CTRL_PEER_KEY:
DSAerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
default:
return -2;
}
}
static int
pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
{
long lval;
char *ep;
if (!strcmp(type, "dsa_paramgen_bits")) {
int nbits;
errno = 0;
lval = strtol(value, &ep, 10);
if (value[0] == '\0' || *ep != '\0')
goto not_a_number;
if ((errno == ERANGE &&
(lval == LONG_MAX || lval == LONG_MIN)) ||
(lval > INT_MAX || lval < INT_MIN))
goto out_of_range;
nbits = lval;
return EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits);
} else if (!strcmp(type, "dsa_paramgen_q_bits")) {
int qbits;
errno = 0;
lval = strtol(value, &ep, 10);
if (value[0] == '\0' || *ep != '\0')
goto not_a_number;
if ((errno == ERANGE &&
(lval == LONG_MAX || lval == LONG_MIN)) ||
(lval > INT_MAX || lval < INT_MIN))
goto out_of_range;
qbits = lval;
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA,
EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS,
qbits, NULL);
} else if (!strcmp(type, "dsa_paramgen_md")) {
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA,
EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
(void *)EVP_get_digestbyname(value));
}
not_a_number:
out_of_range:
return -2;
}
static int
pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
DSA *dsa = NULL;
DSA_PKEY_CTX *dctx = ctx->data;
BN_GENCB *pcb, cb;
int ret;
if (ctx->pkey_gencb) {
pcb = &cb;
evp_pkey_set_cb_translate(pcb, ctx);
} else
pcb = NULL;
dsa = DSA_new();
if (!dsa)
return 0;
ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
NULL, 0, NULL, NULL, NULL, pcb);
if (ret)
EVP_PKEY_assign_DSA(pkey, dsa);
else
DSA_free(dsa);
return ret;
}
static int
pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
DSA *dsa = NULL;
if (ctx->pkey == NULL) {
DSAerror(DSA_R_NO_PARAMETERS_SET);
return 0;
}
dsa = DSA_new();
if (!dsa)
return 0;
EVP_PKEY_assign_DSA(pkey, dsa);
/* Note: if error return, pkey is freed by parent routine */
if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey))
return 0;
return DSA_generate_key(pkey->pkey.dsa);
}
const EVP_PKEY_METHOD dsa_pkey_meth = {
.pkey_id = EVP_PKEY_DSA,
.flags = EVP_PKEY_FLAG_AUTOARGLEN,
.init = pkey_dsa_init,
.copy = pkey_dsa_copy,
.cleanup = pkey_dsa_cleanup,
.paramgen = pkey_dsa_paramgen,
.keygen = pkey_dsa_keygen,
.sign = pkey_dsa_sign,
.verify = pkey_dsa_verify,
.ctrl = pkey_dsa_ctrl,
.ctrl_str = pkey_dsa_ctrl_str
};

135
crypto/dsa/dsa_prn.c Normal file
View File

@@ -0,0 +1,135 @@
/* $OpenBSD: dsa_prn.c,v 1.10 2023/07/08 14:28:15 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/evp.h>
int
DSA_print_fp(FILE *fp, const DSA *x, int off)
{
BIO *b;
int ret;
if ((b = BIO_new(BIO_s_file())) == NULL) {
DSAerror(ERR_R_BUF_LIB);
return 0;
}
BIO_set_fp(b, fp, BIO_NOCLOSE);
ret = DSA_print(b, x, off);
BIO_free(b);
return ret;
}
LCRYPTO_ALIAS(DSA_print_fp);
int
DSAparams_print_fp(FILE *fp, const DSA *x)
{
BIO *b;
int ret;
if ((b = BIO_new(BIO_s_file())) == NULL) {
DSAerror(ERR_R_BUF_LIB);
return 0;
}
BIO_set_fp(b, fp, BIO_NOCLOSE);
ret = DSAparams_print(b, x);
BIO_free(b);
return ret;
}
LCRYPTO_ALIAS(DSAparams_print_fp);
int
DSA_print(BIO *bp, const DSA *x, int off)
{
EVP_PKEY *pk;
int ret = 0;
if ((pk = EVP_PKEY_new()) == NULL)
goto err;
if (!EVP_PKEY_set1_DSA(pk, (DSA *)x))
goto err;
ret = EVP_PKEY_print_private(bp, pk, off, NULL);
err:
EVP_PKEY_free(pk);
return ret;
}
LCRYPTO_ALIAS(DSA_print);
int
DSAparams_print(BIO *bp, const DSA *x)
{
EVP_PKEY *pk;
int ret = 0;
if ((pk = EVP_PKEY_new()) == NULL)
goto err;
if (!EVP_PKEY_set1_DSA(pk, (DSA *)x))
goto err;
ret = EVP_PKEY_print_params(bp, pk, 4, NULL);
err:
EVP_PKEY_free(pk);
return ret;
}
LCRYPTO_ALIAS(DSAparams_print);