Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/dsa/dsa_asn1.c
Line
Count
Source (jump to first uncovered line)
1
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2
 * project 2000. */
3
/* ====================================================================
4
 * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in
15
 *    the documentation and/or other materials provided with the
16
 *    distribution.
17
 *
18
 * 3. All advertising materials mentioning features or use of this
19
 *    software must display the following acknowledgment:
20
 *    "This product includes software developed by the OpenSSL Project
21
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
22
 *
23
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
24
 *    endorse or promote products derived from this software without
25
 *    prior written permission. For written permission, please contact
26
 *    licensing@OpenSSL.org.
27
 *
28
 * 5. Products derived from this software may not be called "OpenSSL"
29
 *    nor may "OpenSSL" appear in their names without prior written
30
 *    permission of the OpenSSL Project.
31
 *
32
 * 6. Redistributions of any form whatsoever must retain the following
33
 *    acknowledgment:
34
 *    "This product includes software developed by the OpenSSL Project
35
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
36
 *
37
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
38
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
40
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
41
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
43
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
46
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
48
 * OF THE POSSIBILITY OF SUCH DAMAGE.
49
 * ====================================================================
50
 *
51
 * This product includes cryptographic software written by Eric Young
52
 * (eay@cryptsoft.com).  This product includes software written by Tim
53
 * Hudson (tjh@cryptsoft.com). */
54
55
#include <openssl/dsa.h>
56
57
#include <assert.h>
58
59
#include <openssl/bn.h>
60
#include <openssl/bytestring.h>
61
#include <openssl/err.h>
62
#include <openssl/mem.h>
63
64
#include "internal.h"
65
#include "../bytestring/internal.h"
66
67
68
// This function is in dsa_asn1.c rather than dsa.c because it is reachable from
69
// |EVP_PKEY| parsers. This makes it easier for the static linker to drop most
70
// of the DSA implementation.
71
83
int dsa_check_key(const DSA *dsa) {
72
83
  if (!dsa->p || !dsa->q || !dsa->g) {
73
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
74
0
    return 0;
75
0
  }
76
77
  // Fully checking for invalid DSA groups is expensive, so security and
78
  // correctness of the signature scheme depend on how |dsa| was computed. I.e.
79
  // we leave "assurance of domain parameter validity" from FIPS 186-4 to the
80
  // caller. However, we check bounds on all values to avoid DoS vectors even
81
  // when domain parameters are invalid. In particular, signing will infinite
82
  // loop if |g| is zero.
83
83
  if (BN_is_negative(dsa->p) || BN_is_negative(dsa->q) || BN_is_zero(dsa->p) ||
84
83
      BN_is_zero(dsa->q) || !BN_is_odd(dsa->p) || !BN_is_odd(dsa->q) ||
85
      // |q| must be a prime divisor of |p - 1|, which implies |q < p|.
86
83
      BN_cmp(dsa->q, dsa->p) >= 0 ||
87
      // |g| is in the multiplicative group of |p|.
88
83
      BN_is_negative(dsa->g) || BN_is_zero(dsa->g) ||
89
83
      BN_cmp(dsa->g, dsa->p) >= 0) {
90
67
    OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
91
67
    return 0;
92
67
  }
93
94
  // FIPS 186-4 allows only three different sizes for q.
95
16
  unsigned q_bits = BN_num_bits(dsa->q);
96
16
  if (q_bits != 160 && q_bits != 224 && q_bits != 256) {
97
7
    OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
98
7
    return 0;
99
7
  }
100
101
  // Bound |dsa->p| to avoid a DoS vector. Note this limit is much larger than
102
  // the one in FIPS 186-4, which only allows L = 1024, 2048, and 3072.
103
9
  if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
104
1
    OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);
105
1
    return 0;
106
1
  }
107
108
8
  if (dsa->pub_key != NULL) {
109
    // The public key is also in the multiplicative group of |p|.
110
8
    if (BN_is_negative(dsa->pub_key) || BN_is_zero(dsa->pub_key) ||
111
8
        BN_cmp(dsa->pub_key, dsa->p) >= 0) {
112
5
      OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
113
5
      return 0;
114
5
    }
115
8
  }
116
117
3
  if (dsa->priv_key != NULL) {
118
    // The private key is a non-zero element of the scalar field, determined by
119
    // |q|.
120
0
    if (BN_is_negative(dsa->priv_key) ||
121
0
        constant_time_declassify_int(BN_is_zero(dsa->priv_key)) ||
122
0
        constant_time_declassify_int(BN_cmp(dsa->priv_key, dsa->q) >= 0)) {
123
0
      OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
124
0
      return 0;
125
0
    }
126
0
  }
127
128
3
  return 1;
129
3
}
130
131
122
static int parse_integer(CBS *cbs, BIGNUM **out) {
132
122
  assert(*out == NULL);
133
122
  *out = BN_new();
134
122
  if (*out == NULL) {
135
0
    return 0;
136
0
  }
137
122
  return BN_parse_asn1_unsigned(cbs, *out);
138
122
}
139
140
244
static int marshal_integer(CBB *cbb, BIGNUM *bn) {
141
244
  if (bn == NULL) {
142
    // A DSA object may be missing some components.
143
0
    OPENSSL_PUT_ERROR(DSA, ERR_R_PASSED_NULL_PARAMETER);
144
0
    return 0;
145
0
  }
146
244
  return BN_marshal_asn1(cbb, bn);
147
244
}
148
149
61
DSA_SIG *DSA_SIG_parse(CBS *cbs) {
150
61
  DSA_SIG *ret = DSA_SIG_new();
151
61
  if (ret == NULL) {
152
0
    return NULL;
153
0
  }
154
61
  CBS child;
155
61
  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
156
61
      !parse_integer(&child, &ret->r) ||
157
61
      !parse_integer(&child, &ret->s) ||
158
61
      CBS_len(&child) != 0) {
159
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
160
0
    DSA_SIG_free(ret);
161
0
    return NULL;
162
0
  }
163
61
  return ret;
164
61
}
165
166
122
int DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig) {
167
122
  CBB child;
168
122
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
169
122
      !marshal_integer(&child, sig->r) ||
170
122
      !marshal_integer(&child, sig->s) ||
171
122
      !CBB_flush(cbb)) {
172
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
173
0
    return 0;
174
0
  }
175
122
  return 1;
176
122
}
177
178
0
DSA *DSA_parse_public_key(CBS *cbs) {
179
0
  DSA *ret = DSA_new();
180
0
  if (ret == NULL) {
181
0
    return NULL;
182
0
  }
183
0
  CBS child;
184
0
  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
185
0
      !parse_integer(&child, &ret->pub_key) ||
186
0
      !parse_integer(&child, &ret->p) ||
187
0
      !parse_integer(&child, &ret->q) ||
188
0
      !parse_integer(&child, &ret->g) ||
189
0
      CBS_len(&child) != 0) {
190
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
191
0
    goto err;
192
0
  }
193
0
  if (!dsa_check_key(ret)) {
194
0
    goto err;
195
0
  }
196
0
  return ret;
197
198
0
err:
199
0
  DSA_free(ret);
200
0
  return NULL;
201
0
}
202
203
0
int DSA_marshal_public_key(CBB *cbb, const DSA *dsa) {
204
0
  CBB child;
205
0
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
206
0
      !marshal_integer(&child, dsa->pub_key) ||
207
0
      !marshal_integer(&child, dsa->p) ||
208
0
      !marshal_integer(&child, dsa->q) ||
209
0
      !marshal_integer(&child, dsa->g) ||
210
0
      !CBB_flush(cbb)) {
211
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
212
0
    return 0;
213
0
  }
214
0
  return 1;
215
0
}
216
217
0
DSA *DSA_parse_parameters(CBS *cbs) {
218
0
  DSA *ret = DSA_new();
219
0
  if (ret == NULL) {
220
0
    return NULL;
221
0
  }
222
0
  CBS child;
223
0
  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
224
0
      !parse_integer(&child, &ret->p) ||
225
0
      !parse_integer(&child, &ret->q) ||
226
0
      !parse_integer(&child, &ret->g) ||
227
0
      CBS_len(&child) != 0) {
228
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
229
0
    goto err;
230
0
  }
231
0
  if (!dsa_check_key(ret)) {
232
0
    goto err;
233
0
  }
234
0
  return ret;
235
236
0
err:
237
0
  DSA_free(ret);
238
0
  return NULL;
239
0
}
240
241
0
int DSA_marshal_parameters(CBB *cbb, const DSA *dsa) {
242
0
  CBB child;
243
0
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
244
0
      !marshal_integer(&child, dsa->p) ||
245
0
      !marshal_integer(&child, dsa->q) ||
246
0
      !marshal_integer(&child, dsa->g) ||
247
0
      !CBB_flush(cbb)) {
248
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
249
0
    return 0;
250
0
  }
251
0
  return 1;
252
0
}
253
254
0
DSA *DSA_parse_private_key(CBS *cbs) {
255
0
  DSA *ret = DSA_new();
256
0
  if (ret == NULL) {
257
0
    return NULL;
258
0
  }
259
260
0
  CBS child;
261
0
  uint64_t version;
262
0
  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
263
0
      !CBS_get_asn1_uint64(&child, &version)) {
264
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
265
0
    goto err;
266
0
  }
267
268
0
  if (version != 0) {
269
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_VERSION);
270
0
    goto err;
271
0
  }
272
273
0
  if (!parse_integer(&child, &ret->p) ||
274
0
      !parse_integer(&child, &ret->q) ||
275
0
      !parse_integer(&child, &ret->g) ||
276
0
      !parse_integer(&child, &ret->pub_key) ||
277
0
      !parse_integer(&child, &ret->priv_key) ||
278
0
      CBS_len(&child) != 0) {
279
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
280
0
    goto err;
281
0
  }
282
0
  if (!dsa_check_key(ret)) {
283
0
    goto err;
284
0
  }
285
286
0
  return ret;
287
288
0
err:
289
0
  DSA_free(ret);
290
0
  return NULL;
291
0
}
292
293
0
int DSA_marshal_private_key(CBB *cbb, const DSA *dsa) {
294
0
  CBB child;
295
0
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
296
0
      !CBB_add_asn1_uint64(&child, 0 /* version */) ||
297
0
      !marshal_integer(&child, dsa->p) ||
298
0
      !marshal_integer(&child, dsa->q) ||
299
0
      !marshal_integer(&child, dsa->g) ||
300
0
      !marshal_integer(&child, dsa->pub_key) ||
301
0
      !marshal_integer(&child, dsa->priv_key) ||
302
0
      !CBB_flush(cbb)) {
303
0
    OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
304
0
    return 0;
305
0
  }
306
0
  return 1;
307
0
}
308
309
61
DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp, long len) {
310
61
  if (len < 0) {
311
0
    return NULL;
312
0
  }
313
61
  CBS cbs;
314
61
  CBS_init(&cbs, *inp, (size_t)len);
315
61
  DSA_SIG *ret = DSA_SIG_parse(&cbs);
316
61
  if (ret == NULL) {
317
0
    return NULL;
318
0
  }
319
61
  if (out_sig != NULL) {
320
61
    DSA_SIG_free(*out_sig);
321
61
    *out_sig = ret;
322
61
  }
323
61
  *inp = CBS_data(&cbs);
324
61
  return ret;
325
61
}
326
327
122
int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp) {
328
122
  CBB cbb;
329
122
  if (!CBB_init(&cbb, 0) ||
330
122
      !DSA_SIG_marshal(&cbb, in)) {
331
0
    CBB_cleanup(&cbb);
332
0
    return -1;
333
0
  }
334
122
  return CBB_finish_i2d(&cbb, outp);
335
122
}
336
337
0
DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len) {
338
0
  if (len < 0) {
339
0
    return NULL;
340
0
  }
341
0
  CBS cbs;
342
0
  CBS_init(&cbs, *inp, (size_t)len);
343
0
  DSA *ret = DSA_parse_public_key(&cbs);
344
0
  if (ret == NULL) {
345
0
    return NULL;
346
0
  }
347
0
  if (out != NULL) {
348
0
    DSA_free(*out);
349
0
    *out = ret;
350
0
  }
351
0
  *inp = CBS_data(&cbs);
352
0
  return ret;
353
0
}
354
355
0
int i2d_DSAPublicKey(const DSA *in, uint8_t **outp) {
356
0
  CBB cbb;
357
0
  if (!CBB_init(&cbb, 0) ||
358
0
      !DSA_marshal_public_key(&cbb, in)) {
359
0
    CBB_cleanup(&cbb);
360
0
    return -1;
361
0
  }
362
0
  return CBB_finish_i2d(&cbb, outp);
363
0
}
364
365
0
DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len) {
366
0
  if (len < 0) {
367
0
    return NULL;
368
0
  }
369
0
  CBS cbs;
370
0
  CBS_init(&cbs, *inp, (size_t)len);
371
0
  DSA *ret = DSA_parse_private_key(&cbs);
372
0
  if (ret == NULL) {
373
0
    return NULL;
374
0
  }
375
0
  if (out != NULL) {
376
0
    DSA_free(*out);
377
0
    *out = ret;
378
0
  }
379
0
  *inp = CBS_data(&cbs);
380
0
  return ret;
381
0
}
382
383
0
int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp) {
384
0
  CBB cbb;
385
0
  if (!CBB_init(&cbb, 0) ||
386
0
      !DSA_marshal_private_key(&cbb, in)) {
387
0
    CBB_cleanup(&cbb);
388
0
    return -1;
389
0
  }
390
0
  return CBB_finish_i2d(&cbb, outp);
391
0
}
392
393
0
DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len) {
394
0
  if (len < 0) {
395
0
    return NULL;
396
0
  }
397
0
  CBS cbs;
398
0
  CBS_init(&cbs, *inp, (size_t)len);
399
0
  DSA *ret = DSA_parse_parameters(&cbs);
400
0
  if (ret == NULL) {
401
0
    return NULL;
402
0
  }
403
0
  if (out != NULL) {
404
0
    DSA_free(*out);
405
0
    *out = ret;
406
0
  }
407
0
  *inp = CBS_data(&cbs);
408
0
  return ret;
409
0
}
410
411
0
int i2d_DSAparams(const DSA *in, uint8_t **outp) {
412
0
  CBB cbb;
413
0
  if (!CBB_init(&cbb, 0) ||
414
0
      !DSA_marshal_parameters(&cbb, in)) {
415
0
    CBB_cleanup(&cbb);
416
0
    return -1;
417
0
  }
418
0
  return CBB_finish_i2d(&cbb, outp);
419
0
}