kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
3169 İşleme
12 Dallar
38 MiB
Ağaç: 4c4ff02fe8
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'4c4ff02fe8'den
${ noResults }
boringssl/crypto/dsa/dsa.c

dsa.c 22 KiB
Ham Normal Görünüm Geçmiş

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Add misc functions for easier porting. Android requested that the wpa_supplicant go upstream. This change adds some dummy functions and reinstates DSA_dup_DH in order to make the diff smaller and easier for upstream. Change-Id: I77ac271b8652bae5a0bbe16afde51d9096f3dfb5 Reviewed-on: https://boringssl-review.googlesource.com/1740 Reviewed-by: Adam Langley <agl@google.com>
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Eliminate unnecessary includes from low-level crypto modules. Beyond generally eliminating unnecessary includes, eliminate as many includes of headers that declare/define particularly error-prone functionality like strlen, malloc, and free. crypto/err/internal.h was added to remove the dependency on openssl/thread.h from the public openssl/err.h header. The include of <stdlib.h> in openssl/mem.h was retained since it defines OPENSSL_malloc and friends as macros around the stdlib.h functions. The public x509.h, x509v3.h, and ssl.h headers were not changed in order to minimize breakage of source compatibility with external code. Change-Id: I0d264b73ad0a720587774430b2ab8f8275960329 Reviewed-on: https://boringssl-review.googlesource.com/4220 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Convert BN_MONT_CTX to new-style locking. This introduces a per-RSA/DSA/DH lock. This is good for lock contention, although pthread locks are depressingly bloated. Change-Id: I07c4d1606fc35135fc141ebe6ba904a28c8f8a0c Reviewed-on: https://boringssl-review.googlesource.com/4324 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Don't cast |OPENSSL_malloc|/|OPENSSL_realloc| result. C has implicit conversion of |void *| to other pointer types so these casts are unnecessary. Clean them up to make the code easier to read and to make it easier to find dangerous casts. Change-Id: I26988a672e8ed4d69c75cfbb284413999b475464 Reviewed-on: https://boringssl-review.googlesource.com/7102 Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Remove the CRYPTO_EX_new callback. This callback is never used. The one caller I've ever seen is in Android code which isn't built with BoringSSL and it was a no-op. It also doesn't actually make much sense. A callback cannot reasonably assume that it sees every, say, SSL_CTX created because the index may be registered after the first SSL_CTX is created. Nor is there any point in an EX_DATA consumer in one file knowing about an SSL_CTX created in completely unrelated code. Replace all the pointers with a typedef to int*. This will ensure code which passes NULL or 0 continues to compile while breaking code which passes an actual function. This simplifies some object creation functions which now needn't worry about CRYPTO_new_ex_data failing. (Also avoids bouncing on the lock, but it's taking a read lock, so this doesn't really matter.) BUG=391192 Change-Id: I02893883c6fa8693682075b7b130aa538a0a1437 Reviewed-on: https://boringssl-review.googlesource.com/6625 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Convert reference counts in crypto/ This change converts the reference counts in crypto/ to use |CRYPTO_refcount_t|. The reference counts in |X509_PKEY| and |X509_INFO| were never actually used and so were dropped. Change-Id: I75d572cdac1f8c1083c482e29c9519282d7fd16c Reviewed-on: https://boringssl-review.googlesource.com/4772 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove unnecessary NULL checks, part 1. First batch of the alphabet. Change-Id: If4e60f4fbb69e04eb4b70aa1b2240e329251bfa5 Reviewed-on: https://boringssl-review.googlesource.com/4514 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Convert reference counts in crypto/ This change converts the reference counts in crypto/ to use |CRYPTO_refcount_t|. The reference counts in |X509_PKEY| and |X509_INFO| were never actually used and so were dropped. Change-Id: I75d572cdac1f8c1083c482e29c9519282d7fd16c Reviewed-on: https://boringssl-review.googlesource.com/4772 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Add various 1.1.0 accessors. This gets cURL building against both BoringSSL as it is and BoringSSL with OPENSSL_VERSION_NUMBER set to 1.1.0. BUG=91 Change-Id: I5be73b84df701fe76f3055b1239ae4704a931082 Reviewed-on: https://boringssl-review.googlesource.com/10180 CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Reimplement DSA parsing logic with crypto/asn1. Functions which lose object reuse and need auditing: - d2i_DSA_SIG - d2i_DSAPublicKey - d2i_DSAPrivateKey - d2i_DSAparams BUG=499653 Change-Id: I1cc2ae10e1e77eb57da3a858ac8734a95715ce4b Reviewed-on: https://boringssl-review.googlesource.com/7022 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Add BN_rand_range_ex and use internally. There are many cases where we need |BN_rand_range| but with a minimum value other than 0. |BN_rand_range_ex| provides that. Change-Id: I564326c9206bf4e20a37414bdbce16a951c148ce Reviewed-on: https://boringssl-review.googlesource.com/8921 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Don't rely on BN_FLG_CONSTTIME in the DSA code. DSA is deprecated, but get this aligned with some of the BN_FLG_CONSTTIME work going on elsewhere. Change-Id: I676ceab298a69362bef1b61d6f597c5c90da2ff0 Reviewed-on: https://boringssl-review.googlesource.com/8309 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove unnecessary NULL checks, part 1. First batch of the alphabet. Change-Id: If4e60f4fbb69e04eb4b70aa1b2240e329251bfa5 Reviewed-on: https://boringssl-review.googlesource.com/4514 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Fix memory leak in DSA redo case. Found by clang scan-build. Change-Id: I44a9d5ea165ede836c72aed8725d0bb0981b1004 Reviewed-on: https://boringssl-review.googlesource.com/6700 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Fix memory leak in DSA redo case. Found by clang scan-build. Change-Id: I44a9d5ea165ede836c72aed8725d0bb0981b1004 Reviewed-on: https://boringssl-review.googlesource.com/6700 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Fix DER checks for DSA_check_signature and add tests. DSA_verify and DSA_check_signature didn't share a codepath, so the fix was only applied to the former. Implement verify in terms of check_signature and add tests for bad DER variants. Change-Id: I6577f96b13b57fc89a5308bd8a7c2318defa7ee1 Reviewed-on: https://boringssl-review.googlesource.com/2820 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Fix DER checks for DSA_check_signature and add tests. DSA_verify and DSA_check_signature didn't share a codepath, so the fix was only applied to the former. Implement verify in terms of check_signature and add tests for bad DER variants. Change-Id: I6577f96b13b57fc89a5308bd8a7c2318defa7ee1 Reviewed-on: https://boringssl-review.googlesource.com/2820 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Make return value of |BN_MONT_CTX_set_locked| int. This reduces the chance of double-frees. BUG=10 Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b Reviewed-on: https://boringssl-review.googlesource.com/7583 Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Make return value of |BN_MONT_CTX_set_locked| int. This reduces the chance of double-frees. BUG=10 Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b Reviewed-on: https://boringssl-review.googlesource.com/7583 Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Make return value of |BN_MONT_CTX_set_locked| int. This reduces the chance of double-frees. BUG=10 Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b Reviewed-on: https://boringssl-review.googlesource.com/7583 Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Fix DER checks for DSA_check_signature and add tests. DSA_verify and DSA_check_signature didn't share a codepath, so the fix was only applied to the former. Implement verify in terms of check_signature and add tests for bad DER variants. Change-Id: I6577f96b13b57fc89a5308bd8a7c2318defa7ee1 Reviewed-on: https://boringssl-review.googlesource.com/2820 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Fix DER checks for DSA_check_signature and add tests. DSA_verify and DSA_check_signature didn't share a codepath, so the fix was only applied to the former. Implement verify in terms of check_signature and add tests for bad DER variants. Change-Id: I6577f96b13b57fc89a5308bd8a7c2318defa7ee1 Reviewed-on: https://boringssl-review.googlesource.com/2820 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Fix various certificate fingerprint issues. By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists. 1. Reject signatures with non zero unused bits. If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits. 2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. 3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes). CVE-2014-8275 (Imported from upstream's 85cfc188c06bd046420ae70dd6e302f9efe022a9 and 4c52816d35681c0533c25fdd3abb4b7c6962302d) Change-Id: Ic901aea8ea6457df27dc542a11c30464561e322b Reviewed-on: https://boringssl-review.googlesource.com/2783 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Fix various certificate fingerprint issues. By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists. 1. Reject signatures with non zero unused bits. If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits. 2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. 3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes). CVE-2014-8275 (Imported from upstream's 85cfc188c06bd046420ae70dd6e302f9efe022a9 and 4c52816d35681c0533c25fdd3abb4b7c6962302d) Change-Id: Ic901aea8ea6457df27dc542a11c30464561e322b Reviewed-on: https://boringssl-review.googlesource.com/2783 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Fix DER checks for DSA_check_signature and add tests. DSA_verify and DSA_check_signature didn't share a codepath, so the fix was only applied to the former. Implement verify in terms of check_signature and add tests for bad DER variants. Change-Id: I6577f96b13b57fc89a5308bd8a7c2318defa7ee1 Reviewed-on: https://boringssl-review.googlesource.com/2820 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove unnecessary NULL checks, part 1. First batch of the alphabet. Change-Id: If4e60f4fbb69e04eb4b70aa1b2240e329251bfa5 Reviewed-on: https://boringssl-review.googlesource.com/4514 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Reimplement DSA_size without crypto/asn1. BUG=499653 Change-Id: I16963fb198609d7fc0df6c57923cda3e13350753 Reviewed-on: https://boringssl-review.googlesource.com/6875 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Reimplement DSA_size without crypto/asn1. BUG=499653 Change-Id: I16963fb198609d7fc0df6c57923cda3e13350753 Reviewed-on: https://boringssl-review.googlesource.com/6875 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Don't rely on BN_FLG_CONSTTIME in the DSA code. DSA is deprecated, but get this aligned with some of the BN_FLG_CONSTTIME work going on elsewhere. Change-Id: I676ceab298a69362bef1b61d6f597c5c90da2ff0 Reviewed-on: https://boringssl-review.googlesource.com/8309 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Add BN_rand_range_ex and use internally. There are many cases where we need |BN_rand_range| but with a minimum value other than 0. |BN_rand_range_ex| provides that. Change-Id: I564326c9206bf4e20a37414bdbce16a951c148ce Reviewed-on: https://boringssl-review.googlesource.com/8921 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Make return value of |BN_MONT_CTX_set_locked| int. This reduces the chance of double-frees. BUG=10 Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b Reviewed-on: https://boringssl-review.googlesource.com/7583 Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Make return value of |BN_MONT_CTX_set_locked| int. This reduces the chance of double-frees. BUG=10 Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b Reviewed-on: https://boringssl-review.googlesource.com/7583 Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Fix DSA, preserve BN_FLG_CONSTTIME Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key. CVE-2016-2178 (Imported from upstream's 621eaf49a289bfac26d4cbcdb7396e796784c534 and b7d0f2834e139a20560d64c73e2565e93715ce2b.) We should eventually not depend on BN_FLG_CONSTTIME since it's a mess (seeing as the original fix was wrong until we reported b7d0f2834e to them), but, for now, go with the simplest fix. Change-Id: I9ea15c1d1cc3a7e21ef5b591e1879ec97a179718 Reviewed-on: https://boringssl-review.googlesource.com/8172 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 yıl önce
Don't rely on BN_FLG_CONSTTIME in the DSA code. DSA is deprecated, but get this aligned with some of the BN_FLG_CONSTTIME work going on elsewhere. Change-Id: I676ceab298a69362bef1b61d6f597c5c90da2ff0 Reviewed-on: https://boringssl-review.googlesource.com/8309 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Compute kinv in DSA with Fermat's Little Theorem. It's a prime, so computing a constant-time mod inverse is straight-forward. Change-Id: Ie09b84363c3d5da827989300a844c470437fd8f2 Reviewed-on: https://boringssl-review.googlesource.com/8308 Reviewed-by: Adam Langley <agl@google.com>
8 yıl önce
Unwind DH_METHOD and DSA_METHOD. This will allow a static linker (with -ffunction-sections since things aren't split into files) to drop unused parts of DH and DSA. Notably, the parameter generation bits pull in primality-checking code. Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59 Reviewed-on: https://boringssl-review.googlesource.com/6388 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove the CRYPTO_EX_new callback. This callback is never used. The one caller I've ever seen is in Android code which isn't built with BoringSSL and it was a no-op. It also doesn't actually make much sense. A callback cannot reasonably assume that it sees every, say, SSL_CTX created because the index may be registered after the first SSL_CTX is created. Nor is there any point in an EX_DATA consumer in one file knowing about an SSL_CTX created in completely unrelated code. Replace all the pointers with a typedef to int*. This will ensure code which passes NULL or 0 continues to compile while breaking code which passes an actual function. This simplifies some object creation functions which now needn't worry about CRYPTO_new_ex_data failing. (Also avoids bouncing on the lock, but it's taking a read lock, so this doesn't really matter.) BUG=391192 Change-Id: I02893883c6fa8693682075b7b130aa538a0a1437 Reviewed-on: https://boringssl-review.googlesource.com/6625 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Remove the CRYPTO_EX_new callback. This callback is never used. The one caller I've ever seen is in Android code which isn't built with BoringSSL and it was a no-op. It also doesn't actually make much sense. A callback cannot reasonably assume that it sees every, say, SSL_CTX created because the index may be registered after the first SSL_CTX is created. Nor is there any point in an EX_DATA consumer in one file knowing about an SSL_CTX created in completely unrelated code. Replace all the pointers with a typedef to int*. This will ensure code which passes NULL or 0 continues to compile while breaking code which passes an actual function. This simplifies some object creation functions which now needn't worry about CRYPTO_new_ex_data failing. (Also avoids bouncing on the lock, but it's taking a read lock, so this doesn't really matter.) BUG=391192 Change-Id: I02893883c6fa8693682075b7b130aa538a0a1437 Reviewed-on: https://boringssl-review.googlesource.com/6625 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Remove hash table lookups from ex_data. Instead, each module defines a static CRYPTO_EX_DATA_CLASS to hold the values. This makes CRYPTO_cleanup_all_ex_data a no-op as spreading the CRYPTO_EX_DATA_CLASSes across modules (and across crypto and ssl) makes cleanup slightly trickier. We can make it do something if needbe, but it's probably not worth the trouble. Change-Id: Ib6f6fd39a51d8ba88649f0fa29c66db540610c76 Reviewed-on: https://boringssl-review.googlesource.com/4375 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 yıl önce
Add misc functions for easier porting. Android requested that the wpa_supplicant go upstream. This change adds some dummy functions and reinstates DSA_dup_DH in order to make the diff smaller and easier for upstream. Change-Id: I77ac271b8652bae5a0bbe16afde51d9096f3dfb5 Reviewed-on: https://boringssl-review.googlesource.com/1740 Reviewed-by: Adam Langley <agl@google.com>
10 yıl önce
Remove unnecessary NULL checks, part 1. First batch of the alphabet. Change-Id: If4e60f4fbb69e04eb4b70aa1b2240e329251bfa5 Reviewed-on: https://boringssl-review.googlesource.com/4514 Reviewed-by: Adam Langley <agl@google.com>
9 yıl önce
Add misc functions for easier porting. Android requested that the wpa_supplicant go upstream. This change adds some dummy functions and reinstates DSA_dup_DH in order to make the diff smaller and easier for upstream. Change-Id: I77ac271b8652bae5a0bbe16afde51d9096f3dfb5 Reviewed-on: https://boringssl-review.googlesource.com/1740 Reviewed-by: Adam Langley <agl@google.com>
10 yıl önce
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  *

  57.  * The DSS routines are based on patches supplied by

  58.  * Steven Schoch <schoch@sheba.arc.nasa.gov>. */

  59. 

  60. #include <openssl/dsa.h>

  61. 

  62. #include <string.h>

  63. 

  64. #include <openssl/bn.h>

  65. #include <openssl/dh.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/engine.h>

  68. #include <openssl/err.h>

  69. #include <openssl/ex_data.h>

  70. #include <openssl/mem.h>

  71. #include <openssl/rand.h>

  72. #include <openssl/sha.h>

  73. #include <openssl/thread.h>

  74. 

  75. #include "../internal.h"

  76. 

  77. 

  78. #define OPENSSL_DSA_MAX_MODULUS_BITS 10000

  79. 

  80. /* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of

  81.  * Rabin-Miller */

  82. #define DSS_prime_checks 50

  83. 

  84. static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;

  85. 

  86. DSA *DSA_new(void) {

  87.   DSA *dsa = OPENSSL_malloc(sizeof(DSA));

  88.   if (dsa == NULL) {

  89.     OPENSSL_PUT_ERROR(DSA, ERR_R_MALLOC_FAILURE);

  90.     return NULL;

  91.   }

  92. 

  93.   memset(dsa, 0, sizeof(DSA));

  94. 

  95.   dsa->references = 1;

  96. 

  97.   CRYPTO_MUTEX_init(&dsa->method_mont_lock);

  98.   CRYPTO_new_ex_data(&dsa->ex_data);

  99. 

  100.   return dsa;

  101. }

  102. 

  103. void DSA_free(DSA *dsa) {

  104.   if (dsa == NULL) {

  105.     return;

  106.   }

  107. 

  108.   if (!CRYPTO_refcount_dec_and_test_zero(&dsa->references)) {

  109.     return;

  110.   }

  111. 

  112.   CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);

  113. 

  114.   BN_clear_free(dsa->p);

  115.   BN_clear_free(dsa->q);

  116.   BN_clear_free(dsa->g);

  117.   BN_clear_free(dsa->pub_key);

  118.   BN_clear_free(dsa->priv_key);

  119.   BN_clear_free(dsa->kinv);

  120.   BN_clear_free(dsa->r);

  121.   BN_MONT_CTX_free(dsa->method_mont_p);

  122.   BN_MONT_CTX_free(dsa->method_mont_q);

  123.   CRYPTO_MUTEX_cleanup(&dsa->method_mont_lock);

  124.   OPENSSL_free(dsa);

  125. }

  126. 

  127. int DSA_up_ref(DSA *dsa) {

  128.   CRYPTO_refcount_inc(&dsa->references);

  129.   return 1;

  130. }

  131. 

  132. void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,

  133.                   const BIGNUM **out_priv_key) {

  134.   if (out_pub_key != NULL) {

  135.     *out_pub_key = dsa->pub_key;

  136.   }

  137.   if (out_priv_key != NULL) {

  138.     *out_priv_key = dsa->priv_key;

  139.   }

  140. }

  141. 

  142. void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,

  143.                   const BIGNUM **out_g) {

  144.   if (out_p != NULL) {

  145.     *out_p = dsa->p;

  146.   }

  147.   if (out_q != NULL) {

  148.     *out_q = dsa->q;

  149.   }

  150.   if (out_g != NULL) {

  151.     *out_g = dsa->g;

  152.   }

  153. }

  154. 

  155. int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,

  156.                                size_t seed_len, int *out_counter,

  157.                                unsigned long *out_h, BN_GENCB *cb) {

  158.   int ok = 0;

  159.   unsigned char seed[SHA256_DIGEST_LENGTH];

  160.   unsigned char md[SHA256_DIGEST_LENGTH];

  161.   unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];

  162.   BIGNUM *r0, *W, *X, *c, *test;

  163.   BIGNUM *g = NULL, *q = NULL, *p = NULL;

  164.   BN_MONT_CTX *mont = NULL;

  165.   int k, n = 0, m = 0;

  166.   unsigned i;

  167.   int counter = 0;

  168.   int r = 0;

  169.   BN_CTX *ctx = NULL;

  170.   unsigned int h = 2;

  171.   unsigned qsize;

  172.   const EVP_MD *evpmd;

  173. 

  174.   evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();

  175.   qsize = EVP_MD_size(evpmd);

  176. 

  177.   if (bits < 512) {

  178.     bits = 512;

  179.   }

  180. 

  181.   bits = (bits + 63) / 64 * 64;

  182. 

  183.   if (seed_in != NULL) {

  184.     if (seed_len < (size_t)qsize) {

  185.       return 0;

  186.     }

  187.     if (seed_len > (size_t)qsize) {

  188.       /* Only consume as much seed as is expected. */

  189.       seed_len = qsize;

  190.     }

  191.     memcpy(seed, seed_in, seed_len);

  192.   }

  193. 

  194.   ctx = BN_CTX_new();

  195.   if (ctx == NULL) {

  196.     goto err;

  197.   }

  198.   BN_CTX_start(ctx);

  199. 

  200.   mont = BN_MONT_CTX_new();

  201.   if (mont == NULL) {

  202.     goto err;

  203.   }

  204. 

  205.   r0 = BN_CTX_get(ctx);

  206.   g = BN_CTX_get(ctx);

  207.   W = BN_CTX_get(ctx);

  208.   q = BN_CTX_get(ctx);

  209.   X = BN_CTX_get(ctx);

  210.   c = BN_CTX_get(ctx);

  211.   p = BN_CTX_get(ctx);

  212.   test = BN_CTX_get(ctx);

  213. 

  214.   if (test == NULL || !BN_lshift(test, BN_value_one(), bits - 1)) {

  215.     goto err;

  216.   }

  217. 

  218.   for (;;) {

  219.     /* Find q. */

  220.     for (;;) {

  221.       /* step 1 */

  222.       if (!BN_GENCB_call(cb, 0, m++)) {

  223.         goto err;

  224.       }

  225. 

  226.       int use_random_seed = (seed_in == NULL);

  227.       if (use_random_seed) {

  228.         if (!RAND_bytes(seed, qsize)) {

  229.           goto err;

  230.         }

  231.       } else {

  232.         /* If we come back through, use random seed next time. */

  233.         seed_in = NULL;

  234.       }

  235.       memcpy(buf, seed, qsize);

  236.       memcpy(buf2, seed, qsize);

  237.       /* precompute "SEED + 1" for step 7: */

  238.       for (i = qsize - 1; i < qsize; i--) {

  239.         buf[i]++;

  240.         if (buf[i] != 0) {

  241.           break;

  242.         }

  243.       }

  244. 

  245.       /* step 2 */

  246.       if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||

  247.           !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {

  248.         goto err;

  249.       }

  250.       for (i = 0; i < qsize; i++) {

  251.         md[i] ^= buf2[i];

  252.       }

  253. 

  254.       /* step 3 */

  255.       md[0] |= 0x80;

  256.       md[qsize - 1] |= 0x01;

  257.       if (!BN_bin2bn(md, qsize, q)) {

  258.         goto err;

  259.       }

  260. 

  261.       /* step 4 */

  262.       r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);

  263.       if (r > 0) {

  264.         break;

  265.       }

  266.       if (r != 0) {

  267.         goto err;

  268.       }

  269. 

  270.       /* do a callback call */

  271.       /* step 5 */

  272.     }

  273. 

  274.     if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {

  275.       goto err;

  276.     }

  277. 

  278.     /* step 6 */

  279.     counter = 0;

  280.     /* "offset = 2" */

  281. 

  282.     n = (bits - 1) / 160;

  283. 

  284.     for (;;) {

  285.       if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) {

  286.         goto err;

  287.       }

  288. 

  289.       /* step 7 */

  290.       BN_zero(W);

  291.       /* now 'buf' contains "SEED + offset - 1" */

  292.       for (k = 0; k <= n; k++) {

  293.         /* obtain "SEED + offset + k" by incrementing: */

  294.         for (i = qsize - 1; i < qsize; i--) {

  295.           buf[i]++;

  296.           if (buf[i] != 0) {

  297.             break;

  298.           }

  299.         }

  300. 

  301.         if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {

  302.           goto err;

  303.         }

  304. 

  305.         /* step 8 */

  306.         if (!BN_bin2bn(md, qsize, r0) ||

  307.             !BN_lshift(r0, r0, (qsize << 3) * k) ||

  308.             !BN_add(W, W, r0)) {

  309.           goto err;

  310.         }

  311.       }

  312. 

  313.       /* more of step 8 */

  314.       if (!BN_mask_bits(W, bits - 1) ||

  315.           !BN_copy(X, W) ||

  316.           !BN_add(X, X, test)) {

  317.         goto err;

  318.       }

  319. 

  320.       /* step 9 */

  321.       if (!BN_lshift1(r0, q) ||

  322.           !BN_mod(c, X, r0, ctx) ||

  323.           !BN_sub(r0, c, BN_value_one()) ||

  324.           !BN_sub(p, X, r0)) {

  325.         goto err;

  326.       }

  327. 

  328.       /* step 10 */

  329.       if (BN_cmp(p, test) >= 0) {

  330.         /* step 11 */

  331.         r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);

  332.         if (r > 0) {

  333.           goto end; /* found it */

  334.         }

  335.         if (r != 0) {

  336.           goto err;

  337.         }

  338.       }

  339. 

  340.       /* step 13 */

  341.       counter++;

  342.       /* "offset = offset + n + 1" */

  343. 

  344.       /* step 14 */

  345.       if (counter >= 4096) {

  346.         break;

  347.       }

  348.     }

  349.   }

  350. end:

  351.   if (!BN_GENCB_call(cb, 2, 1)) {

  352.     goto err;

  353.   }

  354. 

  355.   /* We now need to generate g */

  356.   /* Set r0=(p-1)/q */

  357.   if (!BN_sub(test, p, BN_value_one()) ||

  358.       !BN_div(r0, NULL, test, q, ctx)) {

  359.     goto err;

  360.   }

  361. 

  362.   if (!BN_set_word(test, h) ||

  363.       !BN_MONT_CTX_set(mont, p, ctx)) {

  364.     goto err;

  365.   }

  366. 

  367.   for (;;) {

  368.     /* g=test^r0%p */

  369.     if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {

  370.       goto err;

  371.     }

  372.     if (!BN_is_one(g)) {

  373.       break;

  374.     }

  375.     if (!BN_add(test, test, BN_value_one())) {

  376.       goto err;

  377.     }

  378.     h++;

  379.   }

  380. 

  381.   if (!BN_GENCB_call(cb, 3, 1)) {

  382.     goto err;

  383.   }

  384. 

  385.   ok = 1;

  386. 

  387. err:

  388.   if (ok) {

  389.     BN_free(dsa->p);

  390.     BN_free(dsa->q);

  391.     BN_free(dsa->g);

  392.     dsa->p = BN_dup(p);

  393.     dsa->q = BN_dup(q);

  394.     dsa->g = BN_dup(g);

  395.     if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {

  396.       ok = 0;

  397.       goto err;

  398.     }

  399.     if (out_counter != NULL) {

  400.       *out_counter = counter;

  401.     }

  402.     if (out_h != NULL) {

  403.       *out_h = h;

  404.     }

  405.   }

  406. 

  407.   if (ctx) {

  408.     BN_CTX_end(ctx);

  409.     BN_CTX_free(ctx);

  410.   }

  411. 

  412.   BN_MONT_CTX_free(mont);

  413. 

  414.   return ok;

  415. }

  416. 

  417. DSA *DSAparams_dup(const DSA *dsa) {

  418.   DSA *ret = DSA_new();

  419.   if (ret == NULL) {

  420.     return NULL;

  421.   }

  422.   ret->p = BN_dup(dsa->p);

  423.   ret->q = BN_dup(dsa->q);

  424.   ret->g = BN_dup(dsa->g);

  425.   if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {

  426.     DSA_free(ret);

  427.     return NULL;

  428.   }

  429.   return ret;

  430. }

  431. 

  432. int DSA_generate_key(DSA *dsa) {

  433.   int ok = 0;

  434.   BN_CTX *ctx = NULL;

  435.   BIGNUM *pub_key = NULL, *priv_key = NULL;

  436.   BIGNUM prk;

  437. 

  438.   ctx = BN_CTX_new();

  439.   if (ctx == NULL) {

  440.     goto err;

  441.   }

  442. 

  443.   priv_key = dsa->priv_key;

  444.   if (priv_key == NULL) {

  445.     priv_key = BN_new();

  446.     if (priv_key == NULL) {

  447.       goto err;

  448.     }

  449.   }

  450. 

  451.   if (!BN_rand_range_ex(priv_key, 1, dsa->q)) {

  452.     goto err;

  453.   }

  454. 

  455.   pub_key = dsa->pub_key;

  456.   if (pub_key == NULL) {

  457.     pub_key = BN_new();

  458.     if (pub_key == NULL) {

  459.       goto err;

  460.     }

  461.   }

  462. 

  463.   BN_init(&prk);

  464.   BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);

  465. 

  466.   if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,

  467.                               dsa->p, ctx) ||

  468.       !BN_mod_exp_mont_consttime(pub_key, dsa->g, &prk, dsa->p, ctx,

  469.                                  dsa->method_mont_p)) {

  470.     goto err;

  471.   }

  472. 

  473.   dsa->priv_key = priv_key;

  474.   dsa->pub_key = pub_key;

  475.   ok = 1;

  476. 

  477. err:

  478.   if (dsa->pub_key == NULL) {

  479.     BN_free(pub_key);

  480.   }

  481.   if (dsa->priv_key == NULL) {

  482.     BN_free(priv_key);

  483.   }

  484.   BN_CTX_free(ctx);

  485. 

  486.   return ok;

  487. }

  488. 

  489. DSA_SIG *DSA_SIG_new(void) {

  490.   DSA_SIG *sig;

  491.   sig = OPENSSL_malloc(sizeof(DSA_SIG));

  492.   if (!sig) {

  493.     return NULL;

  494.   }

  495.   sig->r = NULL;

  496.   sig->s = NULL;

  497.   return sig;

  498. }

  499. 

  500. void DSA_SIG_free(DSA_SIG *sig) {

  501.   if (!sig) {

  502.     return;

  503.   }

  504. 

  505.   BN_free(sig->r);

  506.   BN_free(sig->s);

  507.   OPENSSL_free(sig);

  508. }

  509. 

  510. DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, DSA *dsa) {

  511.   BIGNUM *kinv = NULL, *r = NULL, *s = NULL;

  512.   BIGNUM m;

  513.   BIGNUM xr;

  514.   BN_CTX *ctx = NULL;

  515.   int reason = ERR_R_BN_LIB;

  516.   DSA_SIG *ret = NULL;

  517.   int noredo = 0;

  518. 

  519.   BN_init(&m);

  520.   BN_init(&xr);

  521. 

  522.   if (!dsa->p || !dsa->q || !dsa->g) {

  523.     reason = DSA_R_MISSING_PARAMETERS;

  524.     goto err;

  525.   }

  526. 

  527.   s = BN_new();

  528.   if (s == NULL) {

  529.     goto err;

  530.   }

  531.   ctx = BN_CTX_new();

  532.   if (ctx == NULL) {

  533.     goto err;

  534.   }

  535. 

  536. redo:

  537.   if (dsa->kinv == NULL || dsa->r == NULL) {

  538.     if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) {

  539.       goto err;

  540.     }

  541.   } else {

  542.     kinv = dsa->kinv;

  543.     dsa->kinv = NULL;

  544.     r = dsa->r;

  545.     dsa->r = NULL;

  546.     noredo = 1;

  547.   }

  548. 

  549.   if (digest_len > BN_num_bytes(dsa->q)) {

  550.     /* if the digest length is greater than the size of q use the

  551.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  552.      * fips 186-3, 4.2 */

  553.     digest_len = BN_num_bytes(dsa->q);

  554.   }

  555. 

  556.   if (BN_bin2bn(digest, digest_len, &m) == NULL) {

  557.     goto err;

  558.   }

  559. 

  560.   /* Compute  s = inv(k) (m + xr) mod q */

  561.   if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {

  562.     goto err; /* s = xr */

  563.   }

  564.   if (!BN_add(s, &xr, &m)) {

  565.     goto err; /* s = m + xr */

  566.   }

  567.   if (BN_cmp(s, dsa->q) > 0) {

  568.     if (!BN_sub(s, s, dsa->q)) {

  569.       goto err;

  570.     }

  571.   }

  572.   if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) {

  573.     goto err;

  574.   }

  575. 

  576.   /* Redo if r or s is zero as required by FIPS 186-3: this is

  577.    * very unlikely. */

  578.   if (BN_is_zero(r) || BN_is_zero(s)) {

  579.     if (noredo) {

  580.       reason = DSA_R_NEED_NEW_SETUP_VALUES;

  581.       goto err;

  582.     }

  583.     goto redo;

  584.   }

  585.   ret = DSA_SIG_new();

  586.   if (ret == NULL) {

  587.     goto err;

  588.   }

  589.   ret->r = r;

  590.   ret->s = s;

  591. 

  592. err:

  593.   if (ret == NULL) {

  594.     OPENSSL_PUT_ERROR(DSA, reason);

  595.     BN_free(r);

  596.     BN_free(s);

  597.   }

  598.   BN_CTX_free(ctx);

  599.   BN_clear_free(&m);

  600.   BN_clear_free(&xr);

  601.   BN_clear_free(kinv);

  602. 

  603.   return ret;

  604. }

  605. 

  606. int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,

  607.                   const DSA *dsa) {

  608.   int valid;

  609.   if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {

  610.     return -1;

  611.   }

  612.   return valid;

  613. }

  614. 

  615. int DSA_do_check_signature(int *out_valid, const uint8_t *digest,

  616.                            size_t digest_len, DSA_SIG *sig, const DSA *dsa) {

  617.   BN_CTX *ctx;

  618.   BIGNUM u1, u2, t1;

  619.   int ret = 0;

  620.   unsigned i;

  621. 

  622.   *out_valid = 0;

  623. 

  624.   if (!dsa->p || !dsa->q || !dsa->g) {

  625.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  626.     return 0;

  627.   }

  628. 

  629.   i = BN_num_bits(dsa->q);

  630.   /* fips 186-3 allows only different sizes for q */

  631.   if (i != 160 && i != 224 && i != 256) {

  632.     OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);

  633.     return 0;

  634.   }

  635. 

  636.   if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {

  637.     OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);

  638.     return 0;

  639.   }

  640. 

  641.   BN_init(&u1);

  642.   BN_init(&u2);

  643.   BN_init(&t1);

  644. 

  645.   ctx = BN_CTX_new();

  646.   if (ctx == NULL) {

  647.     goto err;

  648.   }

  649. 

  650.   if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||

  651.       BN_ucmp(sig->r, dsa->q) >= 0) {

  652.     ret = 1;

  653.     goto err;

  654.   }

  655.   if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||

  656.       BN_ucmp(sig->s, dsa->q) >= 0) {

  657.     ret = 1;

  658.     goto err;

  659.   }

  660. 

  661.   /* Calculate W = inv(S) mod Q

  662.    * save W in u2 */

  663.   if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {

  664.     goto err;

  665.   }

  666. 

  667.   /* save M in u1 */

  668.   if (digest_len > (i >> 3)) {

  669.     /* if the digest length is greater than the size of q use the

  670.      * BN_num_bits(dsa->q) leftmost bits of the digest, see

  671.      * fips 186-3, 4.2 */

  672.     digest_len = (i >> 3);

  673.   }

  674. 

  675.   if (BN_bin2bn(digest, digest_len, &u1) == NULL) {

  676.     goto err;

  677.   }

  678. 

  679.   /* u1 = M * w mod q */

  680.   if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {

  681.     goto err;

  682.   }

  683. 

  684.   /* u2 = r * w mod q */

  685.   if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {

  686.     goto err;

  687.   }

  688. 

  689.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  690.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  691.                               ctx)) {

  692.     goto err;

  693.   }

  694. 

  695.   if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,

  696.                         dsa->method_mont_p)) {

  697.     goto err;

  698.   }

  699. 

  700.   /* BN_copy(&u1,&t1); */

  701.   /* let u1 = u1 mod q */

  702.   if (!BN_mod(&u1, &t1, dsa->q, ctx)) {

  703.     goto err;

  704.   }

  705. 

  706.   /* V is now in u1.  If the signature is correct, it will be

  707.    * equal to R. */

  708.   *out_valid = BN_ucmp(&u1, sig->r) == 0;

  709.   ret = 1;

  710. 

  711. err:

  712.   if (ret != 1) {

  713.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  714.   }

  715.   BN_CTX_free(ctx);

  716.   BN_free(&u1);

  717.   BN_free(&u2);

  718.   BN_free(&t1);

  719. 

  720.   return ret;

  721. }

  722. 

  723. int DSA_sign(int type, const uint8_t *digest, size_t digest_len,

  724.              uint8_t *out_sig, unsigned int *out_siglen, DSA *dsa) {

  725.   DSA_SIG *s;

  726. 

  727.   s = DSA_do_sign(digest, digest_len, dsa);

  728.   if (s == NULL) {

  729.     *out_siglen = 0;

  730.     return 0;

  731.   }

  732. 

  733.   *out_siglen = i2d_DSA_SIG(s, &out_sig);

  734.   DSA_SIG_free(s);

  735.   return 1;

  736. }

  737. 

  738. int DSA_verify(int type, const uint8_t *digest, size_t digest_len,

  739.                const uint8_t *sig, size_t sig_len, const DSA *dsa) {

  740.   int valid;

  741.   if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {

  742.     return -1;

  743.   }

  744.   return valid;

  745. }

  746. 

  747. int DSA_check_signature(int *out_valid, const uint8_t *digest,

  748.                         size_t digest_len, const uint8_t *sig, size_t sig_len,

  749.                         const DSA *dsa) {

  750.   DSA_SIG *s = NULL;

  751.   int ret = 0;

  752.   uint8_t *der = NULL;

  753. 

  754.   s = DSA_SIG_new();

  755.   if (s == NULL) {

  756.     goto err;

  757.   }

  758. 

  759.   const uint8_t *sigp = sig;

  760.   if (d2i_DSA_SIG(&s, &sigp, sig_len) == NULL || sigp != sig + sig_len) {

  761.     goto err;

  762.   }

  763. 

  764.   /* Ensure that the signature uses DER and doesn't have trailing garbage. */

  765.   int der_len = i2d_DSA_SIG(s, &der);

  766.   if (der_len < 0 || (size_t)der_len != sig_len || memcmp(sig, der, sig_len)) {

  767.     goto err;

  768.   }

  769. 

  770.   ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);

  771. 

  772. err:

  773.   OPENSSL_free(der);

  774.   DSA_SIG_free(s);

  775.   return ret;

  776. }

  777. 

  778. /* der_len_len returns the number of bytes needed to represent a length of |len|

  779.  * in DER. */

  780. static size_t der_len_len(size_t len) {

  781.   if (len < 0x80) {

  782.     return 1;

  783.   }

  784.   size_t ret = 1;

  785.   while (len > 0) {

  786.     ret++;

  787.     len >>= 8;

  788.   }

  789.   return ret;

  790. }

  791. 

  792. int DSA_size(const DSA *dsa) {

  793.   size_t order_len = BN_num_bytes(dsa->q);

  794.   /* Compute the maximum length of an |order_len| byte integer. Defensively

  795.    * assume that the leading 0x00 is included. */

  796.   size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;

  797.   if (integer_len < order_len) {

  798.     return 0;

  799.   }

  800.   /* A DSA signature is two INTEGERs. */

  801.   size_t value_len = 2 * integer_len;

  802.   if (value_len < integer_len) {

  803.     return 0;

  804.   }

  805.   /* Add the header. */

  806.   size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;

  807.   if (ret < value_len) {

  808.     return 0;

  809.   }

  810.   return ret;

  811. }

  812. 

  813. int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,

  814.                    BIGNUM **out_r) {

  815.   BN_CTX *ctx;

  816.   BIGNUM k, kq, qm2, *kinv = NULL, *r = NULL;

  817.   int ret = 0;

  818. 

  819.   if (!dsa->p || !dsa->q || !dsa->g) {

  820.     OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);

  821.     return 0;

  822.   }

  823. 

  824.   BN_init(&k);

  825.   BN_init(&kq);

  826.   BN_init(&qm2);

  827. 

  828.   ctx = ctx_in;

  829.   if (ctx == NULL) {

  830.     ctx = BN_CTX_new();

  831.     if (ctx == NULL) {

  832.       goto err;

  833.     }

  834.   }

  835. 

  836.   r = BN_new();

  837.   if (r == NULL) {

  838.     goto err;

  839.   }

  840. 

  841.   /* Get random k */

  842.   if (!BN_rand_range_ex(&k, 1, dsa->q)) {

  843.     goto err;

  844.   }

  845. 

  846.   BN_set_flags(&k, BN_FLG_CONSTTIME);

  847. 

  848.   if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,

  849.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,

  850.                               ctx) ||

  851.       !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_q,

  852.                               (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->q,

  853.                               ctx)) {

  854.     goto err;

  855.   }

  856. 

  857.   /* Compute r = (g^k mod p) mod q */

  858.   if (!BN_copy(&kq, &k)) {

  859.     goto err;

  860.   }

  861. 

  862.   /* We do not want timing information to leak the length of k,

  863.    * so we compute g^k using an equivalent exponent of fixed length.

  864.    *

  865.    * (This is a kludge that we need because the BN_mod_exp_mont()

  866.    * does not let us specify the desired timing behaviour.) */

  867. 

  868.   if (!BN_add(&kq, &kq, dsa->q)) {

  869.     goto err;

  870.   }

  871.   if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {

  872.     goto err;

  873.   }

  874. 

  875.   BN_set_flags(&kq, BN_FLG_CONSTTIME);

  876.   if (!BN_mod_exp_mont_consttime(r, dsa->g, &kq, dsa->p, ctx,

  877.                                  dsa->method_mont_p)) {

  878.     goto err;

  879.   }

  880.   if (!BN_mod(r, r, dsa->q, ctx)) {

  881.     goto err;

  882.   }

  883. 

  884.   /* Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little

  885.    * Theorem. */

  886.   kinv = BN_new();

  887.   if (kinv == NULL ||

  888.       !BN_set_word(&qm2, 2) ||

  889.       !BN_sub(&qm2, dsa->q, &qm2) ||

  890.       !BN_mod_exp_mont(kinv, &k, &qm2, dsa->q, ctx, dsa->method_mont_q)) {

  891.     goto err;

  892.   }

  893. 

  894.   BN_clear_free(*out_kinv);

  895.   *out_kinv = kinv;

  896.   kinv = NULL;

  897.   BN_clear_free(*out_r);

  898.   *out_r = r;

  899.   ret = 1;

  900. 

  901. err:

  902.   if (!ret) {

  903.     OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);

  904.     if (r != NULL) {

  905.       BN_clear_free(r);

  906.     }

  907.   }

  908. 

  909.   if (ctx_in == NULL) {

  910.     BN_CTX_free(ctx);

  911.   }

  912.   BN_clear_free(&k);

  913.   BN_clear_free(&kq);

  914.   BN_free(&qm2);

  915.   return ret;

  916. }

  917. 

  918. int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,

  919.                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {

  920.   int index;

  921.   if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, dup_func,

  922.                                free_func)) {

  923.     return -1;

  924.   }

  925.   return index;

  926. }

  927. 

  928. int DSA_set_ex_data(DSA *d, int idx, void *arg) {

  929.   return CRYPTO_set_ex_data(&d->ex_data, idx, arg);

  930. }

  931. 

  932. void *DSA_get_ex_data(const DSA *d, int idx) {

  933.   return CRYPTO_get_ex_data(&d->ex_data, idx);

  934. }

  935. 

  936. DH *DSA_dup_DH(const DSA *r) {

  937.   DH *ret = NULL;

  938. 

  939.   if (r == NULL) {

  940.     goto err;

  941.   }

  942.   ret = DH_new();

  943.   if (ret == NULL) {

  944.     goto err;

  945.   }

  946.   if (r->q != NULL) {

  947.     ret->priv_length = BN_num_bits(r->q);

  948.     if ((ret->q = BN_dup(r->q)) == NULL) {

  949.       goto err;

  950.     }

  951.   }

  952.   if ((r->p != NULL && (ret->p = BN_dup(r->p)) == NULL) ||

  953.       (r->g != NULL && (ret->g = BN_dup(r->g)) == NULL) ||

  954.       (r->pub_key != NULL && (ret->pub_key = BN_dup(r->pub_key)) == NULL) ||

  955.       (r->priv_key != NULL && (ret->priv_key = BN_dup(r->priv_key)) == NULL)) {

  956.       goto err;

  957.   }

  958. 

  959.   return ret;

  960. 

  961. err:

  962.   DH_free(ret);

  963.   return NULL;

  964. }