authorShane Lontis <shane.lontis@oracle.com>2020-01-24 14:09:33 +1000
committerShane Lontis <shane.lontis@oracle.com>2020-01-24 14:09:33 +1000
commitdc8de3e6f1eed18617dc42d41dec6c6566c2ac0c (patch)
tree5cf78a6ef780836f16831f2776c0dc155047d742 /crypto/dsa
parent21d08b9ee9c0f7fabcad27b5d0b0c8c16f7dd1e9 (diff)
Modify DSA and DH keys to use a shared FFC_PARAMS struct
This is required in order to share code for FIPS related parameter generation and validation routines. Note the 'counter' field is now stored as an integer (as that is the form required for generation/validation functions). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10860)
Diffstat (limited to 'crypto/dsa')
-rw-r--r--crypto/dsa/dsa_ameth.c62
-rw-r--r--crypto/dsa/dsa_asn1.c18
-rw-r--r--crypto/dsa/dsa_gen.c44
-rw-r--r--crypto/dsa/dsa_key.c4
-rw-r--r--crypto/dsa/dsa_lib.c79
-rw-r--r--crypto/dsa/dsa_local.h5
-rw-r--r--crypto/dsa/dsa_ossl.c86
-rw-r--r--crypto/dsa/dsa_sign.c2
8 files changed, 130 insertions, 170 deletions
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index ddd262b..510b204 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -88,7 +88,10 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
ASN1_OBJECT *aobj;
dsa = pkey->pkey.dsa;
- if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
+ if (pkey->save_parameters
+ && dsa->params.p != NULL
+ && dsa->params.q != NULL
+ && dsa->params.g != NULL) {
str = ASN1_STRING_new();
if (str == NULL) {
DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
@@ -183,7 +186,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
}
BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME);
- if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
+ if (!BN_mod_exp(dsa->pub_key, dsa->params.g, dsa->priv_key, dsa->params.p,
+ ctx)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
}
@@ -275,55 +279,34 @@ static int dsa_missing_parameters(const EVP_PKEY *pkey)
{
DSA *dsa;
dsa = pkey->pkey.dsa;
- if (dsa == NULL || dsa->p == NULL || dsa->q == NULL || dsa->g == NULL)
- return 1;
- return 0;
+ return dsa == NULL
+ || dsa->params.p == NULL
+ || dsa->params.q == NULL
+ || dsa->params.g == NULL;
}
static int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
- BIGNUM *a;
-
if (to->pkey.dsa == NULL) {
to->pkey.dsa = DSA_new();
if (to->pkey.dsa == NULL)
return 0;
}
-
- if ((a = BN_dup(from->pkey.dsa->p)) == NULL)
+ if (!ffc_params_copy(&to->pkey.dsa->params, &from->pkey.dsa->params))
return 0;
- BN_free(to->pkey.dsa->p);
- to->pkey.dsa->p = a;
- if ((a = BN_dup(from->pkey.dsa->q)) == NULL)
- return 0;
- BN_free(to->pkey.dsa->q);
- to->pkey.dsa->q = a;
-
- if ((a = BN_dup(from->pkey.dsa->g)) == NULL)
- return 0;
- BN_free(to->pkey.dsa->g);
- to->pkey.dsa->g = a;
to->pkey.dsa->dirty_cnt++;
return 1;
}
static int dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
- if (BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) ||
- BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) ||
- BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g))
- return 0;
- else
- return 1;
+ return ffc_params_cmp(&a->pkey.dsa->params, &b->pkey.dsa->params, 1);
}
static int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
- if (BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) != 0)
- return 0;
- else
- return 1;
+ return BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) == 0;
}
static void int_dsa_free(EVP_PKEY *pkey)
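Review bot: The trailing `1` passed to `ffc_params_cmp` in `dsa_cmp_parameters` is a bare flag whose meaning cannot be read off this call site; name it on that line, e.g. `return ffc_params_cmp(&a->pkey.dsa->params, &b->pkey.dsa->params, 1 /* TODO: name this flag */);`, or use the constant the ffc header defines for it if one exists. In `dsa_copy_parameters` the removed lines duplicated p, q and g one at a time and bailed on the first failure, leaving `to` partially replaced; whether `ffc_params_copy` is all-or-nothing on failure is not visible here, so a one-line comment stating what `to->pkey.dsa->params` holds after a failed copy would help the next caller, and it is worth confirming the helper rejects a NULL source member the way `BN_dup(NULL)` used to.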
@@ -338,8 +321,8 @@ static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype)
const BIGNUM *priv_key, *pub_key;
int mod_len = 0;
- if (x->p != NULL)
- mod_len = BN_num_bits(x->p);
+ if (x->params.p != NULL)
+ mod_len = DSA_bits(x);
if (ptype == 2)
priv_key = x->priv_key;
@@ -358,11 +341,10 @@ static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype)
else
ktype = "DSA-Parameters";
- if (priv_key) {
+ if (priv_key != NULL) {
if (!BIO_indent(bp, off, 128))
goto err;
- if (BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p))
- <= 0)
+ if (BIO_printf(bp, "%s: (%d bit)\n", ktype, mod_len) <= 0)
goto err;
} else {
if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
@@ -373,11 +355,7 @@ static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype)
goto err;
if (!ASN1_bn_print(bp, "pub: ", pub_key, NULL, off))
goto err;
- if (!ASN1_bn_print(bp, "P: ", x->p, NULL, off))
- goto err;
- if (!ASN1_bn_print(bp, "Q: ", x->q, NULL, off))
- goto err;
- if (!ASN1_bn_print(bp, "G: ", x->g, NULL, off))
+ if (!ffc_params_print(bp, &x->params, off))
goto err;
ret = 1;
err:
@@ -446,7 +424,7 @@ static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
DSA_SIG *dsa_sig;
const unsigned char *p;
- if (!sig) {
+ if (sig == NULL) {
if (BIO_puts(bp, "\n") <= 0)
return 0;
else
@@ -454,7 +432,7 @@ static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
}
p = sig->data;
dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
- if (dsa_sig) {
+ if (dsa_sig != NULL) {
int rv = 0;
const BIGNUM *r, *s;
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index 20bf251..ba1cbad 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -34,9 +34,9 @@ static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
ASN1_SEQUENCE_cb(DSAPrivateKey, dsa_cb) = {
ASN1_EMBED(DSA, version, INT32),
- ASN1_SIMPLE(DSA, p, BIGNUM),
- ASN1_SIMPLE(DSA, q, BIGNUM),
- ASN1_SIMPLE(DSA, g, BIGNUM),
+ ASN1_SIMPLE(DSA, params.p, BIGNUM),
+ ASN1_SIMPLE(DSA, params.q, BIGNUM),
+ ASN1_SIMPLE(DSA, params.g, BIGNUM),
ASN1_SIMPLE(DSA, pub_key, BIGNUM),
ASN1_SIMPLE(DSA, priv_key, CBIGNUM)
} static_ASN1_SEQUENCE_END_cb(DSA, DSAPrivateKey)
@@ -44,18 +44,18 @@ ASN1_SEQUENCE_cb(DSAPrivateKey, dsa_cb) = {
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(DSA, DSAPrivateKey, DSAPrivateKey)
ASN1_SEQUENCE_cb(DSAparams, dsa_cb) = {
- ASN1_SIMPLE(DSA, p, BIGNUM),
- ASN1_SIMPLE(DSA, q, BIGNUM),
- ASN1_SIMPLE(DSA, g, BIGNUM),
+ ASN1_SIMPLE(DSA, params.p, BIGNUM),
+ ASN1_SIMPLE(DSA, params.q, BIGNUM),
+ ASN1_SIMPLE(DSA, params.g, BIGNUM),
} static_ASN1_SEQUENCE_END_cb(DSA, DSAparams)
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(DSA, DSAparams, DSAparams)
ASN1_SEQUENCE_cb(DSAPublicKey, dsa_cb) = {
ASN1_SIMPLE(DSA, pub_key, BIGNUM),
- ASN1_SIMPLE(DSA, p, BIGNUM),
- ASN1_SIMPLE(DSA, q, BIGNUM),
- ASN1_SIMPLE(DSA, g, BIGNUM)
+ ASN1_SIMPLE(DSA, params.p, BIGNUM),
+ ASN1_SIMPLE(DSA, params.q, BIGNUM),
+ ASN1_SIMPLE(DSA, params.g, BIGNUM)
} static_ASN1_SEQUENCE_END_cb(DSA, DSAPublicKey)
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(DSA, DSAPublicKey, DSAPublicKey)
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 67551e5..02c2bd8 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -274,14 +274,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
ok = 1;
err:
if (ok) {
- BN_free(ret->p);
- BN_free(ret->q);
- BN_free(ret->g);
- ret->p = BN_dup(p);
- ret->q = BN_dup(q);
- ret->g = BN_dup(g);
+ BN_free(ret->params.p);
+ BN_free(ret->params.q);
+ BN_free(ret->params.g);
+ ret->params.p = BN_dup(p);
+ ret->params.q = BN_dup(q);
+ ret->params.g = BN_dup(g);
ret->dirty_cnt++;
- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+ if (ret->params.p == NULL
+ || ret->params.q == NULL
+ || ret->params.g == NULL) {
ok = 0;
goto err;
}
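Review bot: `dsa_builtin_paramgen` still frees and assigns `ret->params.p`, `ret->params.q` and `ret->params.g` member by member even though this commit introduces `ffc_params_set0_pqg` as the write path used by `DSA_set0_pqg` in dsa_lib.c; the later hunk of this file (`dsa_builtin_paramgen2`, the `if (p != ret->params.p)` block) does the same. Writing the members directly leaves whatever else the FFC_PARAMS carries (the commit message mentions a counter) exactly as it was before generation, which may or may not be intended; a comment such as `/* only p, q, g are replaced here; other FFC_PARAMS fields are left untouched */` would make that explicit. Routing the three duplicated BIGNUMs through `ffc_params_set0_pqg` would remove the triple free/dup, but it trades the present null-check-after-dup for whatever the setter does with a NULL input, so check its definition before changing. Both enclosing functions start before their hunks.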
@@ -343,7 +345,7 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
mdsize = EVP_MD_size(evpmd);
/* If unverifiable g generation only don't need seed */
- if (!ret->p || !ret->q || idx >= 0) {
+ if (!ret->params.p || !ret->params.q || idx >= 0) {
if (seed_len == 0)
seed_len = mdsize;
@@ -379,9 +381,9 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
goto err;
/* if p, q already supplied generate g only */
- if (ret->p && ret->q) {
- p = ret->p;
- q = ret->q;
+ if (ret->params.p && ret->params.q) {
+ p = ret->params.p;
+ q = ret->params.q;
if (idx >= 0)
memcpy(seed_tmp, seed, seed_len);
goto g_only;
@@ -583,17 +585,19 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
ok = 1;
err:
if (ok == 1) {
- if (p != ret->p) {
- BN_free(ret->p);
- ret->p = BN_dup(p);
+ if (p != ret->params.p) {
+ BN_free(ret->params.p);
+ ret->params.p = BN_dup(p);
}
- if (q != ret->q) {
- BN_free(ret->q);
- ret->q = BN_dup(q);
+ if (q != ret->params.q) {
+ BN_free(ret->params.q);
+ ret->params.q = BN_dup(q);
}
- BN_free(ret->g);
- ret->g = BN_dup(g);
- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+ BN_free(ret->params.g);
+ ret->params.g = BN_dup(g);
+ if (ret->params.p == NULL
+ || ret->params.q == NULL
+ || ret->params.g == NULL) {
ok = -1;
goto err;
}
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 6e5039a..efc1252 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -38,7 +38,7 @@ static int dsa_builtin_keygen(DSA *dsa)
priv_key = dsa->priv_key;
do
- if (!BN_priv_rand_range(priv_key, dsa->q))
+ if (!BN_priv_rand_range(priv_key, dsa->params.q))
goto err;
while (BN_is_zero(priv_key)) ;
@@ -55,7 +55,7 @@ static int dsa_builtin_keygen(DSA *dsa)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
+ if (!BN_mod_exp(pub_key, dsa->params.g, prk, dsa->params.p, ctx)) {
BN_free(prk);
goto err;
}
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 976eb62..469746e 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,11 +11,11 @@
#include "internal/cryptlib.h"
#include "internal/refcount.h"
#include <openssl/bn.h>
-#include "dsa_local.h"
#include <openssl/asn1.h>
#include <openssl/engine.h>
-#include <openssl/dh.h>
+#include "dsa_local.h"
#include "crypto/dsa.h"
+#include "crypto/dh.h" /* required by DSA_dup_DH() */
#ifndef FIPS_MODE
@@ -29,34 +29,25 @@ void *DSA_get_ex_data(DSA *d, int idx)
return CRYPTO_get_ex_data(&d->ex_data, idx);
}
-#ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DH
DH *DSA_dup_DH(const DSA *r)
{
/*
- * DSA has p, q, g, optional pub_key, optional priv_key. DH has p,
- * optional length, g, optional pub_key, optional priv_key, optional q.
+ * DSA has p, q, g, optional pub_key, optional priv_key.
+ * DH has p, optional length, g, optional pub_key,
+ * optional priv_key, optional q.
*/
-
DH *ret = NULL;
- BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
if (r == NULL)
goto err;
ret = DH_new();
if (ret == NULL)
goto err;
- if (r->p != NULL || r->g != NULL || r->q != NULL) {
- if (r->p == NULL || r->g == NULL || r->q == NULL) {
- /* Shouldn't happen */
- goto err;
- }
- p = BN_dup(r->p);
- g = BN_dup(r->g);
- q = BN_dup(r->q);
- if (p == NULL || g == NULL || q == NULL || !DH_set0_pqg(ret, p, q, g))
- goto err;
- p = g = q = NULL;
- }
+
+ if (!ffc_params_copy(dh_get0_params(ret), &r->params))
+ goto err;
if (r->pub_key != NULL) {
pub_key = BN_dup(r->pub_key);
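Review bot: `DSA_dup_DH` loses its explicit all-or-nothing parameter check: the removed lines copied p, q and g only when all three were present and rejected a partially populated set, whereas the new code hands `&r->params` to `ffc_params_copy` unconditionally. Whether that helper tolerates NULL members (so a DSA without parameters still duplicates, as before) or treats them as an error is not visible in this hunk, and either way the partial-set rejection is now delegated to it; please confirm and record the intended contract in the function comment, e.g. `/* ffc_params_copy() copies absent members as NULL; a partially set p/q/g is not rejected here */` adjusted to what the helper actually does. The function continues in the next hunk.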
@@ -77,29 +68,26 @@ DH *DSA_dup_DH(const DSA *r)
return ret;
err:
- BN_free(p);
- BN_free(g);
- BN_free(q);
BN_free(pub_key);
BN_free(priv_key);
DH_free(ret);
return NULL;
}
-#endif
+# endif /* OPENSSL_NO_DH */
const BIGNUM *DSA_get0_p(const DSA *d)
{
- return d->p;
+ return d->params.p;
}
const BIGNUM *DSA_get0_q(const DSA *d)
{
- return d->q;
+ return d->params.q;
}
const BIGNUM *DSA_get0_g(const DSA *d)
{
- return d->g;
+ return d->params.g;
}
const BIGNUM *DSA_get0_pub_key(const DSA *d)
@@ -250,9 +238,7 @@ void DSA_free(DSA *r)
CRYPTO_THREAD_lock_free(r->lock);
- BN_clear_free(r->p);
- BN_clear_free(r->q);
- BN_clear_free(r->g);
+ ffc_params_cleanup(&r->params);
BN_clear_free(r->pub_key);
BN_clear_free(r->priv_key);
OPENSSL_free(r);
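Review bot: The removed lines released p, q and g with `BN_clear_free`; `ffc_params_cleanup` now owns their release, and what it does with any other members the FFC_PARAMS owns is not visible here. Since p, q and g are public domain parameters the move away from an explicit clear-free is not a secrecy concern, but `DSA_free` is the only release path for the embedded struct, so it is worth confirming the helper frees every buffer the struct owns to avoid a per-key leak; a comment on the call, `/* releases p, q, g and any other buffers owned by params */`, would document the contract. `DSA_free` starts before this hunk.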
@@ -273,12 +259,7 @@ int DSA_up_ref(DSA *r)
void DSA_get0_pqg(const DSA *d,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
- if (p != NULL)
- *p = d->p;
- if (q != NULL)
- *q = d->q;
- if (g != NULL)
- *g = d->g;
+ ffc_params_get0_pqg(&d->params, p, q, g);
}
int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
@@ -286,23 +267,12 @@ int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
/* If the fields p, q and g in d are NULL, the corresponding input
* parameters MUST be non-NULL.
*/
- if ((d->p == NULL && p == NULL)
- || (d->q == NULL && q == NULL)
- || (d->g == NULL && g == NULL))
+ if ((d->params.p == NULL && p == NULL)
+ || (d->params.q == NULL && q == NULL)
+ || (d->params.g == NULL && g == NULL))
return 0;
- if (p != NULL) {
- BN_free(d->p);
- d->p = p;
- }
- if (q != NULL) {
- BN_free(d->q);
- d->q = q;
- }
- if (g != NULL) {
- BN_free(d->g);
- d->g = g;
- }
+ ffc_params_set0_pqg(&d->params, p, q, g);
d->dirty_cnt++;
return 1;
@@ -341,12 +311,13 @@ int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
int DSA_security_bits(const DSA *d)
{
- if (d->p && d->q)
- return BN_security_bits(BN_num_bits(d->p), BN_num_bits(d->q));
+ if (d->params.p != NULL && d->params.q != NULL)
+ return BN_security_bits(BN_num_bits(d->params.p),
+ BN_num_bits(d->params.q));
return -1;
}
int DSA_bits(const DSA *dsa)
{
- return BN_num_bits(dsa->p);
+ return BN_num_bits(dsa->params.p);
}
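Review bot: `DSA_bits` still dereferences `dsa->params.p` with no NULL check while `DSA_security_bits` directly above it guards both p and q, and this commit also makes `do_dsa_print` in dsa_ameth.c call `DSA_bits`, relying on that caller's own `x->params.p != NULL` test to stay safe. Either state the precondition above the function, `/* caller must ensure params.p is set; see DSA_security_bits() for the guarded form */`, or, if returning 0 for a parameterless key is acceptable for this public API, guard it: `return dsa->params.p != NULL ? BN_num_bits(dsa->params.p) : 0;`.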
diff --git a/crypto/dsa/dsa_local.h b/crypto/dsa/dsa_local.h
index f0ec734..49b36c5 100644
--- a/crypto/dsa/dsa_local.h
+++ b/crypto/dsa/dsa_local.h
@@ -9,6 +9,7 @@
#include <openssl/dsa.h>
#include "internal/refcount.h"
+#include "internal/ffc.h"
struct dsa_st {
/*
@@ -17,9 +18,7 @@ struct dsa_st {
*/
int pad;
int32_t version;
- BIGNUM *p;
- BIGNUM *q; /* == 20 */
- BIGNUM *g;
+ FFC_PARAMS params;
BIGNUM *pub_key; /* y public key */
BIGNUM *priv_key; /* x private key */
int flags;
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index af0fa6b..8de5a36 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -71,7 +71,9 @@ DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
DSA_SIG *ret = NULL;
int rv = 0;
- if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+ if (dsa->params.p == NULL
+ || dsa->params.q == NULL
+ || dsa->params.g == NULL) {
reason = DSA_R_MISSING_PARAMETERS;
goto err;
}
@@ -102,13 +104,13 @@ DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen))
goto err;
- if (dlen > BN_num_bytes(dsa->q))
+ if (dlen > BN_num_bytes(dsa->params.q))
/*
* if the digest length is greater than the size of q use the
* BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
* 4.2
*/
- dlen = BN_num_bytes(dsa->q);
+ dlen = BN_num_bytes(dsa->params.q);
if (BN_bin2bn(dgst, dlen, m) == NULL)
goto err;
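Review bot: The comment inside the `if (dlen > BN_num_bytes(dsa->params.q))` branch still reads `BN_num_bits(dsa->q) leftmost bits`, referring to the member this commit removes; update it to `BN_num_bits(dsa->params.q) leftmost bits of the digest, see fips 186-3,` while the surrounding lines are being touched. `dsa_do_sign_int` starts before this hunk.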
@@ -124,7 +126,7 @@ DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
/* Generate a blinding value */
do {
- if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->q) - 1,
+ if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1,
BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx))
goto err;
} while (BN_is_zero(blind));
@@ -133,27 +135,27 @@ DSA_SIG *dsa_do_sign_int(OPENSSL_CTX *libctx, const unsigned char *dgst,
BN_set_flags(tmp, BN_FLG_CONSTTIME);
/* tmp := blind * priv_key * r mod q */
- if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
+ if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->params.q, ctx))
goto err;
- if (!BN_mod_mul(tmp, tmp, ret->r, dsa->q, ctx))
+ if (!BN_mod_mul(tmp, tmp, ret->r, dsa->params.q, ctx))
goto err;
/* blindm := blind * m mod q */
- if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
+ if (!BN_mod_mul(blindm, blind, m, dsa->params.q, ctx))
goto err;
/* s : = (blind * priv_key * r) + (blind * m) mod q */
- if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->q))
+ if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->params.q))
goto err;
/* s := s * k^-1 mod q */
- if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->q, ctx))
+ if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->params.q, ctx))
goto err;
/* s:= s * blind^-1 mod q */
- if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
+ if (BN_mod_inverse(blind, blind, dsa->params.q, ctx) == NULL)
goto err;
- if (!BN_mod_mul(ret->s, ret->s, blind, dsa->q, ctx))
+ if (!BN_mod_mul(ret->s, ret->s, blind, dsa->params.q, ctx))
goto err;
/*
@@ -197,13 +199,15 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
int ret = 0;
int q_bits, q_words;
- if (!dsa->p || !dsa->q || !dsa->g) {
+ if (!dsa->params.p || !dsa->params.q || !dsa->params.g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
return 0;
}
/* Reject obviously invalid parameters */
- if (BN_is_zero(dsa->p) || BN_is_zero(dsa->q) || BN_is_zero(dsa->g)) {
+ if (BN_is_zero(dsa->params.p)
+ || BN_is_zero(dsa->params.q)
+ || BN_is_zero(dsa->params.g)) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_PARAMETERS);
return 0;
}
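Review bot: `dsa_sign_setup` keeps the `!dsa->params.p || !dsa->params.q || !dsa->params.g` spelling while the parallel checks this commit rewrites in `dsa_do_sign_int`, `dsa_do_verify` and `dsa_missing_parameters` (dsa_ameth.c) were switched to explicit `== NULL` comparisons; the `if (!ret->params.p || !ret->params.q || idx >= 0)` and `if (ret->params.p && ret->params.q)` lines in dsa_gen.c have the same mismatch. Since the line is being rewritten anyway, `if (dsa->params.p == NULL || dsa->params.q == NULL || dsa->params.g == NULL) {` keeps the style consistent across the touched files. The enclosing function starts before this hunk.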
@@ -225,8 +229,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
ctx = ctx_in;
/* Preallocate space */
- q_bits = BN_num_bits(dsa->q);
- q_words = bn_get_top(dsa->q);
+ q_bits = BN_num_bits(dsa->params.q);
+ q_words = bn_get_top(dsa->params.q);
if (!bn_wexpand(k, q_words + 2)
|| !bn_wexpand(l, q_words + 2))
goto err;
@@ -238,10 +242,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* We calculate k from SHA512(private_key + H(message) + random).
* This protects the private key from a weak PRNG.
*/
- if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
+ if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst,
dlen, ctx))
goto err;
- } else if (!BN_priv_rand_range_ex(k, dsa->q, ctx))
+ } else if (!BN_priv_rand_range_ex(k, dsa->params.q, ctx))
goto err;
} while (BN_is_zero(k));
@@ -250,7 +254,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
- dsa->lock, dsa->p, ctx))
+ dsa->lock, dsa->params.p, ctx))
goto err;
}
@@ -269,26 +273,27 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
* The fix is to rework BN so these gymnastics aren't required.
*/
- if (!BN_add(l, k, dsa->q)
- || !BN_add(k, l, dsa->q))
+ if (!BN_add(l, k, dsa->params.q)
+ || !BN_add(k, l, dsa->params.q))
goto err;
BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
if ((dsa)->meth->bn_mod_exp != NULL) {
- if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
- dsa->method_mont_p))
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->params.g, k, dsa->params.p,
+ ctx, dsa->method_mont_p))
goto err;
} else {
- if (!BN_mod_exp_mont(r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p))
+ if (!BN_mod_exp_mont(r, dsa->params.g, k, dsa->params.p, ctx,
+ dsa->method_mont_p))
goto err;
}
- if (!BN_mod(r, r, dsa->q, ctx))
+ if (!BN_mod(r, r, dsa->params.q, ctx))
goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
- if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
+ if ((kinv = dsa_mod_inverse_fermat(k, dsa->params.q, ctx)) == NULL)
goto err;
BN_clear_free(*kinvp);
@@ -313,19 +318,21 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
BN_MONT_CTX *mont = NULL;
const BIGNUM *r, *s;
int ret = -1, i;
- if (!dsa->p || !dsa->q || !dsa->g) {
+ if (dsa->params.p == NULL
+ || dsa->params.q == NULL
+ || dsa->params.g == NULL) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
return -1;
}
- i = BN_num_bits(dsa->q);
+ i = BN_num_bits(dsa->params.q);
/* fips 186-3 allows only different sizes for q */
if (i != 160 && i != 224 && i != 256) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
return -1;
}
- if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
return -1;
}
@@ -339,12 +346,12 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG_get0(sig, &r, &s);
if (BN_is_zero(r) || BN_is_negative(r) ||
- BN_ucmp(r, dsa->q) >= 0) {
+ BN_ucmp(r, dsa->params.q) >= 0) {
ret = 0;
goto err;
}
if (BN_is_zero(s) || BN_is_negative(s) ||
- BN_ucmp(s, dsa->q) >= 0) {
+ BN_ucmp(s, dsa->params.q) >= 0) {
ret = 0;
goto err;
}
@@ -352,7 +359,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
/*
* Calculate W = inv(S) mod Q save W in u2
*/
- if ((BN_mod_inverse(u2, s, dsa->q, ctx)) == NULL)
+ if ((BN_mod_inverse(u2, s, dsa->params.q, ctx)) == NULL)
goto err;
/* save M in u1 */
@@ -367,32 +374,32 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
goto err;
/* u1 = M * w mod q */
- if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
+ if (!BN_mod_mul(u1, u1, u2, dsa->params.q, ctx))
goto err;
/* u2 = r * w mod q */
- if (!BN_mod_mul(u2, r, u2, dsa->q, ctx))
+ if (!BN_mod_mul(u2, r, u2, dsa->params.q, ctx))
goto err;
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
- dsa->lock, dsa->p, ctx);
+ dsa->lock, dsa->params.p, ctx);
if (!mont)
goto err;
}
if (dsa->meth->dsa_mod_exp != NULL) {
- if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key, u2,
- dsa->p, ctx, mont))
+ if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->params.g, u1, dsa->pub_key, u2,
+ dsa->params.p, ctx, mont))
goto err;
} else {
- if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
- mont))
+ if (!BN_mod_exp2_mont(t1, dsa->params.g, u1, dsa->pub_key, u2,
+ dsa->params.p, ctx, mont))
goto err;
}
/* let u1 = u1 mod q */
- if (!BN_mod(u1, t1, dsa->q, ctx))
+ if (!BN_mod(u1, t1, dsa->params.q, ctx))
goto err;
/*
@@ -413,6 +420,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
static int dsa_init(DSA *dsa)
{
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+ ffc_params_init(&dsa->params);
return 1;
}
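Review bot: `ffc_params_init` is called from `dsa_init`, the `init` callback of the default DSA_METHOD, rather than from the DSA allocator, so a key created through an engine or custom method whose own `init` does not call it ends up with an embedded `params` that was never passed through the helper; whether that matters depends on what `ffc_params_init` does beyond zeroing (the allocator presumably zero-fills the struct, but that is outside this diff). If the helper only zeroes, a comment `/* params is already zero from allocation; init kept for any non-zero defaults */` records why this placement is safe; if it sets anything else, the call belongs in the allocation path in dsa_lib.c, where `ffc_params_cleanup` is already paired with it in `DSA_free`.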
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
index d09aaea..d3e8cfa 100644
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -115,7 +115,7 @@ int DSA_size(const DSA *dsa)
int ret;
DSA_SIG sig;
- sig.r = sig.s = dsa->q;
+ sig.r = sig.s = dsa->params.q;
ret = i2d_DSA_SIG(&sig, NULL);
if (ret < 0)