Coverage Report

Created: 2026-06-28 06:23

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/boringssl/crypto/dsa/dsa.cc
Line
Count
Source
1
// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2
//
3
// Licensed under the Apache License, Version 2.0 (the "License");
4
// you may not use this file except in compliance with the License.
5
// You may obtain a copy of the License at
6
//
7
//     https://www.apache.org/licenses/LICENSE-2.0
8
//
9
// Unless required by applicable law or agreed to in writing, software
10
// distributed under the License is distributed on an "AS IS" BASIS,
11
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
// See the License for the specific language governing permissions and
13
// limitations under the License.
14
15
#include <openssl/dsa.h>
16
17
#include <string.h>
18
19
#include <utility>
20
21
#include <openssl/bn.h>
22
#include <openssl/dh.h>
23
#include <openssl/digest.h>
24
#include <openssl/engine.h>
25
#include <openssl/err.h>
26
#include <openssl/ex_data.h>
27
#include <openssl/mem.h>
28
#include <openssl/rand.h>
29
#include <openssl/sha2.h>
30
31
#include "../fipsmodule/bn/internal.h"
32
#include "../fipsmodule/dh/internal.h"
33
#include "../internal.h"
34
#include "../mem_internal.h"
35
#include "internal.h"
36
37
38
using namespace bssl;
39
40
static_assert(OPENSSL_DSA_MAX_MODULUS_BITS <=
41
                  BN_MONTGOMERY_MAX_WORDS * BN_BITS2,
42
              "Max DSA size too big for Montgomery arithmetic");
43
44
// Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
45
// Miller-Rabin.
46
0
#define DSS_prime_checks 50
47
48
static int dsa_sign_setup(const DSAImpl *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,
49
                          BIGNUM **out_r);
50
51
static ExDataClass g_ex_data_class;
52
53
6.35k
DSA *DSA_new() { return New<DSAImpl>(); }
54
55
6.35k
DSAImpl::DSAImpl() : RefCounted(CheckSubClass()) {
56
6.35k
  CRYPTO_new_ex_data(&ex_data);
57
6.35k
}
58
59
6.35k
DSAImpl::~DSAImpl() { CRYPTO_free_ex_data(&g_ex_data_class, &ex_data); }
60
61
914
void DSA_free(DSA *dsa) {
62
914
  if (dsa == nullptr) {
63
0
    return;
64
0
  }
65
914
  auto *impl = FromOpaque(dsa);
66
914
  impl->DecRefInternal();
67
914
}
68
69
0
int DSA_up_ref(DSA *dsa) {
70
0
  auto *impl = FromOpaque(dsa);
71
0
  impl->UpRefInternal();
72
0
  return 1;
73
0
}
74
75
0
unsigned DSA_bits(const DSA *dsa) {
76
0
  return BN_num_bits(FromOpaque(dsa)->p.get());
77
0
}
78
79
0
const BIGNUM *DSA_get0_pub_key(const DSA *dsa) {
80
0
  return FromOpaque(dsa)->pub_key.get();
81
0
}
82
83
0
const BIGNUM *DSA_get0_priv_key(const DSA *dsa) {
84
0
  return FromOpaque(dsa)->priv_key.get();
85
0
}
86
87
0
const BIGNUM *DSA_get0_p(const DSA *dsa) { return FromOpaque(dsa)->p.get(); }
88
89
0
const BIGNUM *DSA_get0_q(const DSA *dsa) { return FromOpaque(dsa)->q.get(); }
90
91
0
const BIGNUM *DSA_get0_g(const DSA *dsa) { return FromOpaque(dsa)->g.get(); }
92
93
void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,
94
0
                  const BIGNUM **out_priv_key) {
95
0
  auto *impl = FromOpaque(dsa);
96
0
  if (out_pub_key != nullptr) {
97
0
    *out_pub_key = impl->pub_key.get();
98
0
  }
99
0
  if (out_priv_key != nullptr) {
100
0
    *out_priv_key = impl->priv_key.get();
101
0
  }
102
0
}
103
104
void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,
105
0
                  const BIGNUM **out_g) {
106
0
  auto *impl = FromOpaque(dsa);
107
0
  if (out_p != nullptr) {
108
0
    *out_p = impl->p.get();
109
0
  }
110
0
  if (out_q != nullptr) {
111
0
    *out_q = impl->q.get();
112
0
  }
113
0
  if (out_g != nullptr) {
114
0
    *out_g = impl->g.get();
115
0
  }
116
0
}
117
118
0
int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) {
119
0
  auto *impl = FromOpaque(dsa);
120
121
0
  if (impl->pub_key == nullptr && pub_key == nullptr) {
122
0
    return 0;
123
0
  }
124
125
0
  if (pub_key != nullptr) {
126
0
    impl->pub_key.reset(pub_key);
127
0
  }
128
0
  if (priv_key != nullptr) {
129
0
    impl->priv_key.reset(priv_key);
130
0
  }
131
132
0
  return 1;
133
0
}
134
135
0
int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
136
0
  auto *impl = FromOpaque(dsa);
137
138
0
  if ((impl->p == nullptr && p == nullptr) ||
139
0
      (impl->q == nullptr && q == nullptr) ||
140
0
      (impl->g == nullptr && g == nullptr)) {
141
0
    return 0;
142
0
  }
143
144
0
  if (p != nullptr) {
145
0
    impl->p.reset(p);
146
0
  }
147
0
  if (q != nullptr) {
148
0
    impl->q.reset(q);
149
0
  }
150
0
  if (g != nullptr) {
151
0
    impl->g.reset(g);
152
0
  }
153
154
0
  impl->method_mont_p = nullptr;
155
0
  impl->method_mont_q = nullptr;
156
0
  return 1;
157
0
}
158
159
int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
160
                               size_t seed_len, int *out_counter,
161
0
                               unsigned long *out_h, BN_GENCB *cb) {
162
0
  auto *impl = FromOpaque(dsa);
163
164
0
  if (bits > OPENSSL_DSA_MAX_MODULUS_BITS) {
165
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
166
0
    return 0;
167
0
  }
168
169
0
  unsigned char seed[SHA256_DIGEST_LENGTH];
170
0
  unsigned char md[SHA256_DIGEST_LENGTH];
171
0
  unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
172
0
  BIGNUM *r0, *W, *X, *c, *test;
173
0
  BIGNUM *g = nullptr, *q = nullptr, *p = nullptr;
174
0
  int k, n = 0, m = 0;
175
0
  int counter = 0;
176
0
  int r = 0;
177
0
  unsigned int h = 2;
178
0
  const EVP_MD *evpmd;
179
180
0
  evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();
181
0
  size_t qsize = EVP_MD_size(evpmd);
182
183
0
  if (bits < 512) {
184
0
    bits = 512;
185
0
  }
186
187
0
  bits = (bits + 63) / 64 * 64;
188
189
0
  if (seed_in != nullptr) {
190
0
    if (seed_len < qsize) {
191
0
      return 0;
192
0
    }
193
0
    if (seed_len > qsize) {
194
      // Only consume as much seed as is expected.
195
0
      seed_len = qsize;
196
0
    }
197
0
    OPENSSL_memcpy(seed, seed_in, seed_len);
198
0
  }
199
200
0
  UniquePtr<BN_CTX> ctx(BN_CTX_new());
201
0
  if (ctx == nullptr) {
202
0
    return 0;
203
0
  }
204
0
  BN_CTXScope scope(ctx.get());
205
206
0
  r0 = BN_CTX_get(ctx.get());
207
0
  g = BN_CTX_get(ctx.get());
208
0
  W = BN_CTX_get(ctx.get());
209
0
  q = BN_CTX_get(ctx.get());
210
0
  X = BN_CTX_get(ctx.get());
211
0
  c = BN_CTX_get(ctx.get());
212
0
  p = BN_CTX_get(ctx.get());
213
0
  test = BN_CTX_get(ctx.get());
214
215
0
  if (test == nullptr || !BN_lshift(test, BN_value_one(), bits - 1)) {
216
0
    return 0;
217
0
  }
218
219
0
  for (;;) {
220
    // Find q.
221
0
    for (;;) {
222
      // step 1
223
0
      if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, m++)) {
224
0
        return 0;
225
0
      }
226
227
0
      int use_random_seed = (seed_in == nullptr);
228
0
      if (use_random_seed) {
229
0
        if (!RAND_bytes(seed, qsize)) {
230
0
          return 0;
231
0
        }
232
        // DSA parameters are public.
233
0
        CONSTTIME_DECLASSIFY(seed, qsize);
234
0
      } else {
235
        // If we come back through, use random seed next time.
236
0
        seed_in = nullptr;
237
0
      }
238
0
      OPENSSL_memcpy(buf, seed, qsize);
239
0
      OPENSSL_memcpy(buf2, seed, qsize);
240
      // precompute "SEED + 1" for step 7:
241
0
      for (size_t i = qsize - 1; i < qsize; i--) {
242
0
        buf[i]++;
243
0
        if (buf[i] != 0) {
244
0
          break;
245
0
        }
246
0
      }
247
248
      // step 2
249
0
      if (!EVP_Digest(seed, qsize, md, nullptr, evpmd, nullptr) ||
250
0
          !EVP_Digest(buf, qsize, buf2, nullptr, evpmd, nullptr)) {
251
0
        return 0;
252
0
      }
253
0
      for (size_t i = 0; i < qsize; i++) {
254
0
        md[i] ^= buf2[i];
255
0
      }
256
257
      // step 3
258
0
      md[0] |= 0x80;
259
0
      md[qsize - 1] |= 0x01;
260
0
      if (!BN_bin2bn(md, qsize, q)) {
261
0
        return 0;
262
0
      }
263
264
      // step 4
265
0
      r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx.get(),
266
0
                                  use_random_seed, cb);
267
0
      if (r > 0) {
268
0
        break;
269
0
      }
270
0
      if (r != 0) {
271
0
        return 0;
272
0
      }
273
274
      // do a callback call
275
      // step 5
276
0
    }
277
278
0
    if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {
279
0
      return 0;
280
0
    }
281
282
    // step 6
283
0
    counter = 0;
284
    // "offset = 2"
285
286
0
    n = (bits - 1) / 160;
287
288
0
    for (;;) {
289
0
      if ((counter != 0) && !BN_GENCB_call(cb, BN_GENCB_GENERATED, counter)) {
290
0
        return 0;
291
0
      }
292
293
      // step 7
294
0
      BN_zero(W);
295
      // now 'buf' contains "SEED + offset - 1"
296
0
      for (k = 0; k <= n; k++) {
297
        // obtain "SEED + offset + k" by incrementing:
298
0
        for (size_t i = qsize - 1; i < qsize; i--) {
299
0
          buf[i]++;
300
0
          if (buf[i] != 0) {
301
0
            break;
302
0
          }
303
0
        }
304
305
0
        if (!EVP_Digest(buf, qsize, md, nullptr, evpmd, nullptr)) {
306
0
          return 0;
307
0
        }
308
309
        // step 8
310
0
        if (!BN_bin2bn(md, qsize, r0) || !BN_lshift(r0, r0, (qsize << 3) * k) ||
311
0
            !BN_add(W, W, r0)) {
312
0
          return 0;
313
0
        }
314
0
      }
315
316
      // more of step 8
317
0
      if (!BN_mask_bits(W, bits - 1) || !BN_copy(X, W) || !BN_add(X, X, test)) {
318
0
        return 0;
319
0
      }
320
321
      // step 9
322
0
      if (!BN_lshift1(r0, q) || !BN_mod(c, X, r0, ctx.get()) ||
323
0
          !BN_sub(r0, c, BN_value_one()) || !BN_sub(p, X, r0)) {
324
0
        return 0;
325
0
      }
326
327
      // step 10
328
0
      if (BN_cmp(p, test) >= 0) {
329
        // step 11
330
0
        r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx.get(), 1, cb);
331
0
        if (r > 0) {
332
0
          goto end;  // found it
333
0
        }
334
0
        if (r != 0) {
335
0
          return 0;
336
0
        }
337
0
      }
338
339
      // step 13
340
0
      counter++;
341
      // "offset = offset + n + 1"
342
343
      // step 14
344
0
      if (counter >= 4096) {
345
0
        break;
346
0
      }
347
0
    }
348
0
  }
349
0
end:
350
0
  if (!BN_GENCB_call(cb, 2, 1)) {
351
0
    return 0;
352
0
  }
353
354
  // We now need to generate g
355
  // Set r0=(p-1)/q
356
0
  if (!BN_sub(test, p, BN_value_one()) ||
357
0
      !BN_div(r0, nullptr, test, q, ctx.get())) {
358
0
    return 0;
359
0
  }
360
361
0
  UniquePtr<BN_MONT_CTX> mont(BN_MONT_CTX_new_for_modulus(p, ctx.get()));
362
0
  if (mont == nullptr || !BN_set_word(test, h)) {
363
0
    return 0;
364
0
  }
365
366
0
  for (;;) {
367
    // g=test^r0%p
368
0
    if (!BN_mod_exp_mont(g, test, r0, p, ctx.get(), mont.get())) {
369
0
      return 0;
370
0
    }
371
0
    if (!BN_is_one(g)) {
372
0
      break;
373
0
    }
374
0
    if (!BN_add(test, test, BN_value_one())) {
375
0
      return 0;
376
0
    }
377
0
    h++;
378
0
  }
379
380
0
  if (!BN_GENCB_call(cb, 3, 1)) {
381
0
    return 0;
382
0
  }
383
384
0
  impl->p.reset(BN_dup(p));
385
0
  impl->q.reset(BN_dup(q));
386
0
  impl->g.reset(BN_dup(g));
387
0
  if (impl->p == nullptr || impl->q == nullptr || impl->g == nullptr) {
388
0
    return 0;
389
0
  }
390
0
  if (out_counter != nullptr) {
391
0
    *out_counter = counter;
392
0
  }
393
0
  if (out_h != nullptr) {
394
0
    *out_h = h;
395
0
  }
396
397
0
  return 1;
398
0
}
399
400
0
DSA *DSAparams_dup(const DSA *dsa) {
401
0
  auto *impl = FromOpaque(dsa);
402
0
  DSAImpl *ret = FromOpaque(DSA_new());
403
0
  if (ret == nullptr) {
404
0
    return nullptr;
405
0
  }
406
0
  ret->p.reset(BN_dup(impl->p.get()));
407
0
  ret->q.reset(BN_dup(impl->q.get()));
408
0
  ret->g.reset(BN_dup(impl->g.get()));
409
0
  if (ret->p == nullptr || ret->q == nullptr || ret->g == nullptr) {
410
0
    DSA_free(ret);
411
0
    return nullptr;
412
0
  }
413
0
  return ret;
414
0
}
415
416
0
int DSA_generate_key(DSA *dsa) {
417
0
  auto *impl = FromOpaque(dsa);
418
419
0
  if (!dsa_check_key(impl)) {
420
0
    return 0;
421
0
  }
422
423
0
  UniquePtr<BN_CTX> ctx(BN_CTX_new());
424
0
  UniquePtr<BIGNUM> pub_key(BN_new()), priv_key(BN_new());
425
0
  if (ctx == nullptr || pub_key == nullptr || priv_key == nullptr) {
426
0
    return 0;
427
0
  }
428
429
0
  if (!BN_rand_range_ex(priv_key.get(), 1, impl->q.get()) ||
430
0
      !BN_MONT_CTX_set_locked(&impl->method_mont_p, &impl->method_mont_lock,
431
0
                              impl->p.get(), ctx.get()) ||
432
0
      !BN_mod_exp_mont_consttime(pub_key.get(), impl->g.get(), priv_key.get(),
433
0
                                 impl->p.get(), ctx.get(),
434
0
                                 impl->method_mont_p.get())) {
435
0
    return 0;
436
0
  }
437
438
  // The public key is computed from the private key, but is public.
439
0
  bn_declassify(pub_key.get());
440
441
0
  impl->priv_key = std::move(priv_key);
442
0
  impl->pub_key = std::move(pub_key);
443
0
  return 1;
444
0
}
445
446
0
DSA_SIG *DSA_SIG_new() { return New<DSA_SIG>(); }
447
448
0
void DSA_SIG_free(DSA_SIG *sig) {
449
0
  if (!sig) {
450
0
    return;
451
0
  }
452
453
0
  BN_free(sig->r);
454
0
  BN_free(sig->s);
455
0
  Delete(sig);
456
0
}
457
458
void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,
459
0
                  const BIGNUM **out_s) {
460
0
  if (out_r != nullptr) {
461
0
    *out_r = sig->r;
462
0
  }
463
0
  if (out_s != nullptr) {
464
0
    *out_s = sig->s;
465
0
  }
466
0
}
467
468
0
int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
469
0
  if (r == nullptr || s == nullptr) {
470
0
    return 0;
471
0
  }
472
0
  BN_free(sig->r);
473
0
  BN_free(sig->s);
474
0
  sig->r = r;
475
0
  sig->s = s;
476
0
  return 1;
477
0
}
478
479
// mod_mul_consttime sets `r` to `a` * `b` modulo `mont->N`, treating `a` and
480
// `b` as secret. This function internally uses Montgomery reduction, but
481
// neither inputs nor outputs are in Montgomery form.
482
static int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
483
0
                             const BN_MONT_CTX *mont, BN_CTX *ctx) {
484
0
  BN_CTXScope scope(ctx);
485
0
  BIGNUM *tmp = BN_CTX_get(ctx);
486
  // `BN_mod_mul_montgomery` removes a factor of R, so we cancel it with a
487
  // single `BN_to_montgomery` which adds one factor of R.
488
0
  return tmp != nullptr &&  //
489
0
         BN_to_montgomery(tmp, a, mont, ctx) &&
490
0
         BN_mod_mul_montgomery(r, tmp, b, mont, ctx);
491
0
}
492
493
0
DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {
494
0
  auto *impl = FromOpaque(dsa);
495
496
0
  if (!dsa_check_key(impl)) {
497
0
    return nullptr;
498
0
  }
499
500
0
  if (impl->priv_key == nullptr) {
501
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
502
0
    return nullptr;
503
0
  }
504
505
0
  BIGNUM *kinv = nullptr, *r = nullptr, *s = nullptr;
506
0
  BIGNUM m;
507
0
  BIGNUM xr;
508
0
  BN_CTX *ctx = nullptr;
509
0
  DSA_SIG *ret = nullptr;
510
511
0
  BN_init(&m);
512
0
  BN_init(&xr);
513
0
  s = BN_new();
514
0
  {
515
0
    if (s == nullptr) {
516
0
      goto err;
517
0
    }
518
0
    ctx = BN_CTX_new();
519
0
    if (ctx == nullptr) {
520
0
      goto err;
521
0
    }
522
523
    // Cap iterations so that invalid parameters do not infinite loop. This does
524
    // not impact valid parameters because the probability of requiring even one
525
    // retry is negligible, let alone 32. Unfortunately, DSA was mis-specified,
526
    // so invalid parameters are reachable from most callers handling untrusted
527
    // private keys. (The `dsa_check_key` call above is not sufficient. Checking
528
    // whether arbitrary parameters form a valid DSA group is expensive.)
529
0
    static const int kMaxIterations = 32;
530
0
    int iters = 0;
531
0
  redo:
532
0
    if (!dsa_sign_setup(impl, ctx, &kinv, &r)) {
533
0
      goto err;
534
0
    }
535
536
0
    if (digest_len > BN_num_bytes(impl->q.get())) {
537
      // If the digest length is greater than the size of `impl->q` use the
538
      // BN_num_bits(impl->q) leftmost bits of the digest, see FIPS 186-3, 4.2.
539
      // Note the above check that `impl->q` is a multiple of 8 bits.
540
0
      digest_len = BN_num_bytes(impl->q.get());
541
0
    }
542
543
0
    if (BN_bin2bn(digest, digest_len, &m) == nullptr) {
544
0
      goto err;
545
0
    }
546
547
    // `m` is bounded by 2^(num_bits(q)), which is slightly looser than q. This
548
    // violates `bn_mod_add_consttime` and `mod_mul_consttime`'s preconditions.
549
    // (The underlying algorithms could accept looser bounds, but we reduce for
550
    // simplicity.)
551
0
    size_t q_width = bn_minimal_width(impl->q.get());
552
0
    if (!bn_resize_words(&m, q_width) || !bn_resize_words(&xr, q_width)) {
553
0
      goto err;
554
0
    }
555
0
    bn_reduce_once_in_place(m.d, 0 /* no carry word */, impl->q->d,
556
0
                            xr.d /* scratch space */, q_width);
557
558
    // Compute s = inv(k) (m + xr) mod q. Note `impl->method_mont_q` is
559
    // initialized by `dsa_sign_setup`.
560
0
    if (!mod_mul_consttime(&xr, impl->priv_key.get(), r,
561
0
                           impl->method_mont_q.get(), ctx) ||
562
0
        !bn_mod_add_consttime(s, &xr, &m, impl->q.get(), ctx) ||
563
0
        !mod_mul_consttime(s, s, kinv, impl->method_mont_q.get(), ctx)) {
564
0
      goto err;
565
0
    }
566
567
    // The signature is computed from the private key, but is public.
568
0
    bn_declassify(r);
569
0
    bn_declassify(s);
570
571
    // Redo if r or s is zero as required by FIPS 186-3: this is
572
    // very unlikely.
573
0
    if (BN_is_zero(r) || BN_is_zero(s)) {
574
0
      iters++;
575
0
      if (iters > kMaxIterations) {
576
0
        OPENSSL_PUT_ERROR(DSA, DSA_R_TOO_MANY_ITERATIONS);
577
0
        goto err;
578
0
      }
579
0
      goto redo;
580
0
    }
581
582
0
    ret = DSA_SIG_new();
583
0
    if (ret == nullptr) {
584
0
      goto err;
585
0
    }
586
0
    ret->r = r;
587
0
    ret->s = s;
588
0
  }
589
590
0
err:
591
0
  if (ret == nullptr) {
592
0
    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
593
0
    BN_free(r);
594
0
    BN_free(s);
595
0
  }
596
0
  BN_CTX_free(ctx);
597
0
  BN_clear_free(&m);
598
0
  BN_clear_free(&xr);
599
0
  BN_clear_free(kinv);
600
601
0
  return ret;
602
0
}
603
604
int DSA_do_verify(const uint8_t *digest, size_t digest_len, const DSA_SIG *sig,
605
0
                  const DSA *dsa) {
606
0
  int valid;
607
0
  if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {
608
0
    return -1;
609
0
  }
610
0
  return valid;
611
0
}
612
613
int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
614
                           size_t digest_len, const DSA_SIG *sig,
615
0
                           const DSA *dsa) {
616
0
  auto *impl = FromOpaque(dsa);
617
618
0
  *out_valid = 0;
619
0
  if (!dsa_check_key(impl)) {
620
0
    return 0;
621
0
  }
622
623
0
  if (impl->pub_key == nullptr) {
624
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
625
0
    return 0;
626
0
  }
627
628
0
  int ret = 0;
629
0
  BIGNUM u1, u2, t1;
630
0
  BN_init(&u1);
631
0
  BN_init(&u2);
632
0
  BN_init(&t1);
633
0
  BN_CTX *ctx = BN_CTX_new();
634
0
  {
635
0
    if (ctx == nullptr) {
636
0
      goto err;
637
0
    }
638
639
0
    if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
640
0
        BN_ucmp(sig->r, impl->q.get()) >= 0) {
641
0
      ret = 1;
642
0
      goto err;
643
0
    }
644
0
    if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
645
0
        BN_ucmp(sig->s, impl->q.get()) >= 0) {
646
0
      ret = 1;
647
0
      goto err;
648
0
    }
649
650
0
    if (!BN_MONT_CTX_set_locked(&impl->method_mont_p, &impl->method_mont_lock,
651
0
                                impl->p.get(), ctx) ||
652
0
        !BN_MONT_CTX_set_locked(&impl->method_mont_q, &impl->method_mont_lock,
653
0
                                impl->q.get(), ctx)) {
654
0
      goto err;
655
0
    }
656
657
    // Calculate W = inv(S) mod Q, in the Montgomery domain. This is slightly
658
    // more efficiently computed as FromMont(s)^-1 = (s * R^-1)^-1 = s^-1 * R,
659
    // instead of ToMont(s^-1) = s^-1 * R.
660
0
    if (!BN_from_montgomery(&u2, sig->s, impl->method_mont_q.get(), ctx) ||
661
0
        !BN_mod_inverse(&u2, &u2, impl->q.get(), ctx)) {
662
0
      goto err;
663
0
    }
664
665
    // save M in u1
666
0
    unsigned q_bits = BN_num_bits(impl->q.get());
667
0
    if (digest_len > (q_bits >> 3)) {
668
      // if the digest length is greater than the size of q use the
669
      // BN_num_bits(impl->q) leftmost bits of the digest, see
670
      // fips 186-3, 4.2
671
0
      digest_len = (q_bits >> 3);
672
0
    }
673
674
0
    if (BN_bin2bn(digest, digest_len, &u1) == nullptr) {
675
0
      goto err;
676
0
    }
677
678
    // u1 = M * w mod q. w was stored in the Montgomery domain while M was not,
679
    // so the result will already be out of the Montgomery domain.
680
0
    if (!BN_mod_mul_montgomery(&u1, &u1, &u2, impl->method_mont_q.get(), ctx)) {
681
0
      goto err;
682
0
    }
683
684
    // u2 = r * w mod q. w was stored in the Montgomery domain while r was not,
685
    // so the result will already be out of the Montgomery domain.
686
0
    if (!BN_mod_mul_montgomery(&u2, sig->r, &u2, impl->method_mont_q.get(),
687
0
                               ctx)) {
688
0
      goto err;
689
0
    }
690
691
0
    if (!BN_mod_exp2_mont(&t1, impl->g.get(), &u1, impl->pub_key.get(), &u2,
692
0
                          impl->p.get(), ctx, impl->method_mont_p.get())) {
693
0
      goto err;
694
0
    }
695
696
    // let u1 = u1 mod q
697
0
    if (!BN_mod(&u1, &t1, impl->q.get(), ctx)) {
698
0
      goto err;
699
0
    }
700
701
    // V is now in u1.  If the signature is correct, it will be
702
    // equal to R.
703
0
    *out_valid = BN_ucmp(&u1, sig->r) == 0;
704
0
    ret = 1;
705
0
  }
706
707
0
err:
708
0
  if (ret != 1) {
709
0
    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
710
0
  }
711
0
  BN_CTX_free(ctx);
712
0
  BN_free(&u1);
713
0
  BN_free(&u2);
714
0
  BN_free(&t1);
715
716
0
  return ret;
717
0
}
718
719
int DSA_sign(int type, const uint8_t *digest, size_t digest_len,
720
0
             uint8_t *out_sig, unsigned int *out_siglen, const DSA *dsa) {
721
0
  DSA_SIG *s = DSA_do_sign(digest, digest_len, dsa);
722
0
  if (s == nullptr) {
723
0
    *out_siglen = 0;
724
0
    return 0;
725
0
  }
726
727
0
  *out_siglen = i2d_DSA_SIG(s, &out_sig);
728
0
  DSA_SIG_free(s);
729
0
  return 1;
730
0
}
731
732
int DSA_verify(int type, const uint8_t *digest, size_t digest_len,
733
0
               const uint8_t *sig, size_t sig_len, const DSA *dsa) {
734
0
  int valid;
735
0
  if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {
736
0
    return -1;
737
0
  }
738
0
  return valid;
739
0
}
740
741
int DSA_check_signature(int *out_valid, const uint8_t *digest,
742
                        size_t digest_len, const uint8_t *sig, size_t sig_len,
743
0
                        const DSA *dsa) {
744
0
  *out_valid = 0;
745
0
  DSA_SIG *s = nullptr;
746
0
  int ret = 0;
747
0
  uint8_t *der = nullptr;
748
749
0
  s = DSA_SIG_new();
750
0
  {
751
0
    if (s == nullptr) {
752
0
      goto err;
753
0
    }
754
755
0
    const uint8_t *sigp = sig;
756
0
    if (d2i_DSA_SIG(&s, &sigp, sig_len) == nullptr || sigp != sig + sig_len) {
757
0
      goto err;
758
0
    }
759
760
    // Ensure that the signature uses DER and doesn't have trailing garbage.
761
0
    int der_len = i2d_DSA_SIG(s, &der);
762
0
    if (der_len < 0 || (size_t)der_len != sig_len ||
763
0
        OPENSSL_memcmp(sig, der, sig_len)) {
764
0
      goto err;
765
0
    }
766
767
0
    ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);
768
0
  }
769
770
0
err:
771
0
  OPENSSL_free(der);
772
0
  DSA_SIG_free(s);
773
0
  return ret;
774
0
}
775
776
// der_len_len returns the number of bytes needed to represent a length of `len`
777
// in DER.
778
0
static size_t der_len_len(size_t len) {
779
0
  if (len < 0x80) {
780
0
    return 1;
781
0
  }
782
0
  size_t ret = 1;
783
0
  while (len > 0) {
784
0
    ret++;
785
0
    len >>= 8;
786
0
  }
787
0
  return ret;
788
0
}
789
790
0
int DSA_size(const DSA *dsa) {
791
0
  auto *impl = FromOpaque(dsa);
792
793
0
  if (impl->q == nullptr) {
794
0
    return 0;
795
0
  }
796
797
0
  size_t order_len = BN_num_bytes(impl->q.get());
798
  // Compute the maximum length of an `order_len` byte integer. Defensively
799
  // assume that the leading 0x00 is included.
800
0
  size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
801
0
  if (integer_len < order_len) {
802
0
    return 0;
803
0
  }
804
  // A DSA signature is two INTEGERs.
805
0
  size_t value_len = 2 * integer_len;
806
0
  if (value_len < integer_len) {
807
0
    return 0;
808
0
  }
809
  // Add the header.
810
0
  size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
811
0
  if (ret < value_len) {
812
0
    return 0;
813
0
  }
814
0
  return ret;
815
0
}
816
817
static int dsa_sign_setup(const DSAImpl *dsa, BN_CTX *ctx, BIGNUM **out_kinv,
818
0
                          BIGNUM **out_r) {
819
0
  int ret = 0;
820
0
  BIGNUM k;
821
0
  BN_init(&k);
822
0
  BIGNUM *r = BN_new();
823
0
  BIGNUM *kinv = BN_new();
824
0
  if (r == nullptr || kinv == nullptr ||
825
      // Get random k
826
0
      !BN_rand_range_ex(&k, 1, dsa->q.get()) ||
827
0
      !BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,
828
0
                              dsa->p.get(), ctx) ||
829
0
      !BN_MONT_CTX_set_locked(&dsa->method_mont_q, &dsa->method_mont_lock,
830
0
                              dsa->q.get(), ctx) ||
831
      // Compute r = (g^k mod p) mod q
832
0
      !BN_mod_exp_mont_consttime(r, dsa->g.get(), &k, dsa->p.get(), ctx,
833
0
                                 dsa->method_mont_p.get())) {
834
0
    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
835
0
    goto err;
836
0
  }
837
  // Note `BN_mod` below is not constant-time and may leak information about
838
  // `r`. `dsa->p` may be significantly larger than `dsa->q`, so this is not
839
  // easily performed in constant-time with Montgomery reduction.
840
  //
841
  // However, `r` at this point is g^k (mod p). It is almost the value of `r`
842
  // revealed in the signature anyway (g^k (mod p) (mod q)), going from it to
843
  // `k` would require computing a discrete log.
844
0
  bn_declassify(r);
845
0
  if (!BN_mod(r, r, dsa->q.get(), ctx) ||
846
      // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
847
      // Theorem.
848
0
      !bn_mod_inverse_prime(kinv, &k, dsa->q.get(), ctx, dsa->method_mont_q.get())) {
849
0
    OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
850
0
    goto err;
851
0
  }
852
853
0
  BN_clear_free(*out_kinv);
854
0
  *out_kinv = kinv;
855
0
  kinv = nullptr;
856
857
0
  BN_clear_free(*out_r);
858
0
  *out_r = r;
859
0
  r = nullptr;
860
861
0
  ret = 1;
862
863
0
err:
864
0
  BN_clear_free(&k);
865
0
  BN_clear_free(r);
866
0
  BN_clear_free(kinv);
867
0
  return ret;
868
0
}
869
870
int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
871
0
                         CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
872
0
  return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
873
0
}
874
875
0
int DSA_set_ex_data(DSA *dsa, int idx, void *arg) {
876
0
  auto *impl = FromOpaque(dsa);
877
0
  return CRYPTO_set_ex_data(&impl->ex_data, idx, arg);
878
0
}
879
880
0
void *DSA_get_ex_data(const DSA *dsa, int idx) {
881
0
  auto *impl = FromOpaque(dsa);
882
0
  return CRYPTO_get_ex_data(&impl->ex_data, idx);
883
0
}
884
885
0
static bool copy_bn(UniquePtr<BIGNUM> *dst, const BIGNUM *src) {
886
0
  UniquePtr<BIGNUM> copy;
887
0
  if (src) {
888
0
    copy.reset(BN_dup(src));
889
0
    if (!copy) {
890
0
      return false;
891
0
    }
892
0
  }
893
0
  *dst = std::move(copy);
894
0
  return true;
895
0
}
896
897
0
DH *DSA_dup_DH(const DSA *dsa) {
898
0
  auto *impl = FromOpaque(dsa);
899
0
  if (dsa == nullptr) {
900
0
    return nullptr;
901
0
  }
902
903
0
  UniquePtr<DH> ret(DH_new());
904
0
  auto *dh = FromOpaque(ret.get());
905
0
  if (ret == nullptr) {
906
0
    return nullptr;
907
0
  }
908
0
  if (impl->q != nullptr) {
909
0
    dh->priv_length = BN_num_bits(impl->q.get());
910
0
    if (!copy_bn(&dh->q, impl->q.get())) {
911
0
      return nullptr;
912
0
    }
913
0
  }
914
0
  if (!copy_bn(&dh->p, impl->p.get()) ||              //
915
0
      !copy_bn(&dh->g, impl->g.get()) ||              //
916
0
      !copy_bn(&dh->pub_key, impl->pub_key.get()) ||  //
917
0
      !copy_bn(&dh->priv_key, impl->priv_key.get())) {
918
0
    return nullptr;
919
0
  }
920
921
0
  return ret.release();
922
0
}