leviathan
/
openssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16747 Commits
1 Branch
199 MiB
Tree: e33826f01b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e33826f01b'
${ noResults }
openssl/crypto/dsa/dsa_ossl.c

372 lines
10 KiB
Raw Normal View History

Copyright consolidation 07/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years ago
Initial support for DSA_METHOD...
23 years ago
Copyright consolidation 07/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years ago
Initial support for DSA_METHOD...
23 years ago
Identify and move common internal libcrypto header files There are header files in crypto/ that are used by a number of crypto/ submodules. Move those to crypto/include/internal and adapt the affected source code and Makefiles. The header files that got moved are: crypto/cryptolib.h crypto/md32_common.h Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Initial support for DSA_METHOD...
23 years ago
add support for DSA with SHA2
16 years ago
Make the DSA structure opaque Move the dsa_st structure out of the public header file. Add some accessor functions to enable access to the internal fields, and update all internal usage to use the new functions. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
6 years ago
Initial support for DSA_METHOD...
23 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
mark all block comments that need format preserving so that indent will not alter them when reformatting comments Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
8 years ago
The default implementation of DSA_METHOD has an interdependence on the dsa_mod_exp() and bn_mod_exp() handlers from dsa_do_verify() and dsa_sign_setup(). When another DSA_METHOD implementation does not define these lower-level handlers, it becomes impossible to do a fallback to software on errors using a simple DSA_OpenSSL()->fn(key). This change allows the default DSA_METHOD to function in such circumstances by only using dsa_mod_exp() and bn_mod_exp() handlers if they exist, otherwise using BIGNUM implementations directly (which is what those handlers did before this change). There should be no noticable difference for the software case, or indeed any custom case that didn't already segfault, except perhaps that there is now one less level of indirection in all cases. PR: 507
20 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
The default implementation of DSA_METHOD has an interdependence on the dsa_mod_exp() and bn_mod_exp() handlers from dsa_do_verify() and dsa_sign_setup(). When another DSA_METHOD implementation does not define these lower-level handlers, it becomes impossible to do a fallback to software on errors using a simple DSA_OpenSSL()->fn(key). This change allows the default DSA_METHOD to function in such circumstances by only using dsa_mod_exp() and bn_mod_exp() handlers if they exist, otherwise using BIGNUM implementations directly (which is what those handlers did before this change). There should be no noticable difference for the software case, or indeed any custom case that didn't already segfault, except perhaps that there is now one less level of indirection in all cases. PR: 507
20 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Code style: space after 'if' Reviewed-by: Matt Caswell <matt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Code style: space after 'if' Reviewed-by: Matt Caswell <matt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
The default implementation of DSA_METHOD has an interdependence on the dsa_mod_exp() and bn_mod_exp() handlers from dsa_do_verify() and dsa_sign_setup(). When another DSA_METHOD implementation does not define these lower-level handlers, it becomes impossible to do a fallback to software on errors using a simple DSA_OpenSSL()->fn(key). This change allows the default DSA_METHOD to function in such circumstances by only using dsa_mod_exp() and bn_mod_exp() handlers if they exist, otherwise using BIGNUM implementations directly (which is what those handlers did before this change). There should be no noticable difference for the software case, or indeed any custom case that didn't already segfault, except perhaps that there is now one less level of indirection in all cases. PR: 507
20 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Code style: space after 'if' Reviewed-by: Matt Caswell <matt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Code style: space after 'if' Reviewed-by: Matt Caswell <matt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
The default implementation of DSA_METHOD has an interdependence on the dsa_mod_exp() and bn_mod_exp() handlers from dsa_do_verify() and dsa_sign_setup(). When another DSA_METHOD implementation does not define these lower-level handlers, it becomes impossible to do a fallback to software on errors using a simple DSA_OpenSSL()->fn(key). This change allows the default DSA_METHOD to function in such circumstances by only using dsa_mod_exp() and bn_mod_exp() handlers if they exist, otherwise using BIGNUM implementations directly (which is what those handlers did before this change). There should be no noticable difference for the software case, or indeed any custom case that didn't already segfault, except perhaps that there is now one less level of indirection in all cases. PR: 507
20 years ago
Constify DSA-related code.
22 years ago
Initial support for DSA_METHOD...
23 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Continue standardising malloc style for libcrypto Continuing from previous commit ensure our style is consistent for malloc return checks. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Remove kinv/r fields from DSA structure. The kinv/r fields in the DSA structure are not used by OpenSSL internally and should not be used in general. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Remove some dead code Commit e1d9f1ab39eea left some dead code behind. This removes it. Reviewed-by: Stephen Henson <steve@openssl.org>
6 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
free NULL cleanup 7 This gets BN_.*free: BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd dead code in engines/e_ubsec. Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
free NULL cleanup 7 This gets BN_.*free: BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd dead code in engines/e_ubsec. Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
Avoid need to change function code. Keep original function names for nonce versions so we don't have to change error function codes.
9 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make `safe' (EC)DSA nonces the default. This change updates 8a99cb29 to make the generation of (EC)DSA nonces using the message digest the default. It also reverts the changes to (EC)DSA_METHOD structure. In addition to making it the default, removing the flag from EC_KEY means that FIPS modules will no longer have an ABI mismatch.
9 years ago
Avoid need to change function code. Keep original function names for nonce versions so we don't have to change error function codes.
9 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Continue standardising malloc style for libcrypto Continuing from previous commit ensure our style is consistent for malloc return checks. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
OPENSSL_NO_xxx cleanup: SHA Remove support for SHA0 and DSS0 (they were broken), and remove the ability to attempt to build without SHA (it didn't work). For simplicity, remove the option of not building various SHA algorithms; you could argue that SHA_224/256/384/512 should be kept, since they're like crypto algorithms, but I decided to go the other way. So these options are gone: GENUINE_DSA OPENSSL_NO_SHA0 OPENSSL_NO_SHA OPENSSL_NO_SHA1 OPENSSL_NO_SHA224 OPENSSL_NO_SHA256 OPENSSL_NO_SHA384 OPENSSL_NO_SHA512 Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Convert CRYPTO_LOCK_{DH,DSA,RSA} to new multi-threading API Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
free NULL cleanup 7 This gets BN_.*free: BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd dead code in engines/e_ubsec. Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
free NULL cleanup 7 This gets BN_.*free: BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd dead code in engines/e_ubsec. Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Continue standardising malloc style for libcrypto Continuing from previous commit ensure our style is consistent for malloc return checks. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Convert CRYPTO_LOCK_{DH,DSA,RSA} to new multi-threading API Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Make DSA_SIG opaque. This adds a new accessor function DSA_SIG_get0. The customisation of DSA_SIG structure initialisation has been removed this means that the 'r' and 's' components are automatically allocated when DSA_SIG_new() is called. Update documentation. Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
free NULL cleanup 7 This gets BN_.*free: BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd dead code in engines/e_ubsec. Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
free NULL cleanup 7 This gets BN_.*free: BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd dead code in engines/e_ubsec. Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years ago
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years ago
Initial support for DSA_METHOD...
23 years ago
 
  1. /*

  2.  * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  3.  *
  4.  * Licensed under the OpenSSL license (the "License").  You may not use
  5.  * this file except in compliance with the License.  You can obtain a copy
  6.  * in the file LICENSE in the source distribution or at
  7.  * https://www.openssl.org/source/license.html

  8.  */
  9. 

  10. /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
  11. 

  12. #include <stdio.h>

  13. #include "internal/cryptlib.h"

  14. #include <openssl/bn.h>

  15. #include <openssl/sha.h>

  16. #include "dsa_locl.h"

  17. #include <openssl/rand.h>

  18. #include <openssl/asn1.h>

  19. 

  20. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
  21. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  22.                                     BIGNUM **rp);
  23. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
  24.                           BIGNUM **rp, const unsigned char *dgst, int dlen);
  25. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  26.                          DSA_SIG *sig, DSA *dsa);
  27. static int dsa_init(DSA *dsa);
  28. static int dsa_finish(DSA *dsa);
  29. 

  30. static DSA_METHOD openssl_dsa_meth = {
  31.     "OpenSSL DSA method",
  32.     dsa_do_sign,
  33.     dsa_sign_setup_no_digest,
  34.     dsa_do_verify,
  35.     NULL,                       /* dsa_mod_exp, */
  36.     NULL,                       /* dsa_bn_mod_exp, */
  37.     dsa_init,
  38.     dsa_finish,
  39.     DSA_FLAG_FIPS_METHOD,
  40.     NULL,
  41.     NULL,
  42.     NULL
  43. };
  44. 

  45. /*-

  46.  * These macro wrappers replace attempts to use the dsa_mod_exp() and
  47.  * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
  48.  * having a the macro work as an expression by bundling an "err_instr". So;
  49.  *
  50.  *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
  51.  *                 dsa->method_mont_p)) goto err;
  52.  *
  53.  * can be replaced by;
  54.  *
  55.  *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
  56.  *                 dsa->method_mont_p);
  57.  */
  58. 

  59. #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \

  60.         do { \
  61.         int _tmp_res53; \
  62.         if ((dsa)->meth->dsa_mod_exp) \
  63.                 _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
  64.                                 (a2), (p2), (m), (ctx), (in_mont)); \
  65.         else \
  66.                 _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
  67.                                 (m), (ctx), (in_mont)); \
  68.         if (!_tmp_res53) err_instr; \
  69.         } while(0)
  70. #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \

  71.         do { \
  72.         int _tmp_res53; \
  73.         if ((dsa)->meth->bn_mod_exp) \
  74.                 _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
  75.                                 (m), (ctx), (m_ctx)); \
  76.         else \
  77.                 _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
  78.         if (!_tmp_res53) err_instr; \
  79.         } while(0)
  80. 

  81. const DSA_METHOD *DSA_OpenSSL(void)
  82. {
  83.     return &openssl_dsa_meth;
  84. }
  85. 

  86. static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
  87. {
  88.     BIGNUM *kinv = NULL;
  89.     BIGNUM *m;
  90.     BIGNUM *xr;
  91.     BIGNUM *r, *s;
  92.     BN_CTX *ctx = NULL;
  93.     int reason = ERR_R_BN_LIB;
  94.     DSA_SIG *ret = NULL;
  95.     int rv = 0;
  96. 

  97.     m = BN_new();
  98.     xr = BN_new();
  99.     if (m == NULL || xr == NULL)
  100.         goto err;
  101. 

  102.     if (!dsa->p || !dsa->q || !dsa->g) {
  103.         reason = DSA_R_MISSING_PARAMETERS;
  104.         goto err;
  105.     }
  106. 

  107.     ret = DSA_SIG_new();
  108.     if (ret == NULL)
  109.         goto err;
  110. 

  111.     DSA_SIG_get0(&r, &s, ret);
  112. 

  113.     ctx = BN_CTX_new();
  114.     if (ctx == NULL)
  115.         goto err;
  116.  redo:
  117.     if (!dsa_sign_setup(dsa, ctx, &kinv, &r, dgst, dlen))
  118.         goto err;
  119. 

  120.     if (dlen > BN_num_bytes(dsa->q))
  121.         /*

  122.          * if the digest length is greater than the size of q use the
  123.          * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  124.          * 4.2
  125.          */
  126.         dlen = BN_num_bytes(dsa->q);
  127.     if (BN_bin2bn(dgst, dlen, m) == NULL)
  128.         goto err;
  129. 

  130.     /* Compute  s = inv(k) (m + xr) mod q */
  131.     if (!BN_mod_mul(xr, dsa->priv_key, r, dsa->q, ctx))
  132.         goto err;               /* s = xr */
  133.     if (!BN_add(s, xr, m))
  134.         goto err;               /* s = m + xr */
  135.     if (BN_cmp(s, dsa->q) > 0)
  136.         if (!BN_sub(s, s, dsa->q))
  137.             goto err;
  138.     if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
  139.         goto err;
  140. 

  141.     /*

  142.      * Redo if r or s is zero as required by FIPS 186-3: this is very
  143.      * unlikely.
  144.      */
  145.     if (BN_is_zero(r) || BN_is_zero(s))
  146.         goto redo;
  147. 

  148.     rv = 1;
  149. 

  150.  err:
  151.     if (rv == 0) {
  152.         DSAerr(DSA_F_DSA_DO_SIGN, reason);
  153.         DSA_SIG_free(ret);
  154.         ret = NULL;
  155.     }
  156.     BN_CTX_free(ctx);
  157.     BN_clear_free(m);
  158.     BN_clear_free(xr);
  159.     BN_clear_free(kinv);
  160.     return ret;
  161. }
  162. 

  163. static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in,
  164.                                     BIGNUM **kinvp, BIGNUM **rp)
  165. {
  166.     return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
  167. }
  168. 

  169. static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
  170.                           BIGNUM **kinvp, BIGNUM **rp,
  171.                           const unsigned char *dgst, int dlen)
  172. {
  173.     BN_CTX *ctx = NULL;
  174.     BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp;
  175.     int ret = 0;
  176. 

  177.     if (!dsa->p || !dsa->q || !dsa->g) {
  178.         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
  179.         return 0;
  180.     }
  181. 

  182.     k = BN_new();
  183.     kq = BN_new();
  184.     if (k == NULL || kq == NULL)
  185.         goto err;
  186. 

  187.     if (ctx_in == NULL) {
  188.         if ((ctx = BN_CTX_new()) == NULL)
  189.             goto err;
  190.     } else
  191.         ctx = ctx_in;
  192. 

  193.     /* Get random k */
  194.     do {
  195.         if (dgst != NULL) {
  196.             /*

  197.              * We calculate k from SHA512(private_key + H(message) + random).
  198.              * This protects the private key from a weak PRNG.
  199.              */
  200.             if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
  201.                                        dlen, ctx))
  202.                 goto err;
  203.         } else if (!BN_rand_range(k, dsa->q))
  204.             goto err;
  205.     } while (BN_is_zero(k));
  206. 

  207.     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
  208.         BN_set_flags(k, BN_FLG_CONSTTIME);
  209.     }
  210. 

  211.     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  212.         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  213.                                     dsa->lock, dsa->p, ctx))
  214.             goto err;
  215.     }
  216. 

  217.     /* Compute r = (g^k mod p) mod q */
  218. 

  219.     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
  220.         if (!BN_copy(kq, k))
  221.             goto err;
  222. 

  223.         /*

  224.          * We do not want timing information to leak the length of k, so we
  225.          * compute g^k using an equivalent exponent of fixed length. (This
  226.          * is a kludge that we need because the BN_mod_exp_mont() does not
  227.          * let us specify the desired timing behaviour.)
  228.          */
  229. 

  230.         if (!BN_add(kq, kq, dsa->q))
  231.             goto err;
  232.         if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
  233.             if (!BN_add(kq, kq, dsa->q))
  234.                 goto err;
  235.         }
  236. 

  237.         K = kq;
  238.     } else {
  239.         K = k;
  240.     }
  241.     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
  242.                    dsa->method_mont_p);
  243.     if (!BN_mod(r, r, dsa->q, ctx))
  244.         goto err;
  245. 

  246.     /* Compute  part of 's = inv(k) (m + xr) mod q' */
  247.     if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
  248.         goto err;
  249. 

  250.     BN_clear_free(*kinvp);
  251.     *kinvp = kinv;
  252.     kinv = NULL;
  253.     ret = 1;
  254.  err:
  255.     if (!ret)
  256.         DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB);
  257.     if (ctx != ctx_in)
  258.         BN_CTX_free(ctx);
  259.     BN_clear_free(k);
  260.     BN_clear_free(kq);
  261.     return ret;
  262. }
  263. 

  264. static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
  265.                          DSA_SIG *sig, DSA *dsa)
  266. {
  267.     BN_CTX *ctx;
  268.     BIGNUM *u1, *u2, *t1;
  269.     BN_MONT_CTX *mont = NULL;
  270.     BIGNUM *r, *s;
  271.     int ret = -1, i;
  272.     if (!dsa->p || !dsa->q || !dsa->g) {
  273.         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
  274.         return -1;
  275.     }
  276. 

  277.     i = BN_num_bits(dsa->q);
  278.     /* fips 186-3 allows only different sizes for q */
  279.     if (i != 160 && i != 224 && i != 256) {
  280.         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
  281.         return -1;
  282.     }
  283. 

  284.     if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
  285.         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
  286.         return -1;
  287.     }
  288.     u1 = BN_new();
  289.     u2 = BN_new();
  290.     t1 = BN_new();
  291.     ctx = BN_CTX_new();
  292.     if (u1 == NULL || u2 == NULL || t1 == NULL || ctx == NULL)
  293.         goto err;
  294. 

  295.     DSA_SIG_get0(&r, &s, sig);
  296. 

  297.     if (BN_is_zero(r) || BN_is_negative(r) ||
  298.         BN_ucmp(r, dsa->q) >= 0) {
  299.         ret = 0;
  300.         goto err;
  301.     }
  302.     if (BN_is_zero(s) || BN_is_negative(s) ||
  303.         BN_ucmp(s, dsa->q) >= 0) {
  304.         ret = 0;
  305.         goto err;
  306.     }
  307. 

  308.     /*

  309.      * Calculate W = inv(S) mod Q save W in u2
  310.      */
  311.     if ((BN_mod_inverse(u2, s, dsa->q, ctx)) == NULL)
  312.         goto err;
  313. 

  314.     /* save M in u1 */
  315.     if (dgst_len > (i >> 3))
  316.         /*

  317.          * if the digest length is greater than the size of q use the
  318.          * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3,
  319.          * 4.2
  320.          */
  321.         dgst_len = (i >> 3);
  322.     if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
  323.         goto err;
  324. 

  325.     /* u1 = M * w mod q */
  326.     if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
  327.         goto err;
  328. 

  329.     /* u2 = r * w mod q */
  330.     if (!BN_mod_mul(u2, r, u2, dsa->q, ctx))
  331.         goto err;
  332. 

  333.     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
  334.         mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
  335.                                       dsa->lock, dsa->p, ctx);
  336.         if (!mont)
  337.             goto err;
  338.     }
  339. 

  340.     DSA_MOD_EXP(goto err, dsa, t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
  341.                 mont);
  342.     /* BN_copy(&u1,&t1); */
  343.     /* let u1 = u1 mod q */
  344.     if (!BN_mod(u1, t1, dsa->q, ctx))
  345.         goto err;
  346. 

  347.     /*

  348.      * V is now in u1.  If the signature is correct, it will be equal to R.
  349.      */
  350.     ret = (BN_ucmp(u1, r) == 0);
  351. 

  352.  err:
  353.     if (ret < 0)
  354.         DSAerr(DSA_F_DSA_DO_VERIFY, ERR_R_BN_LIB);
  355.     BN_CTX_free(ctx);
  356.     BN_free(u1);
  357.     BN_free(u2);
  358.     BN_free(t1);
  359.     return (ret);
  360. }
  361. 

  362. static int dsa_init(DSA *dsa)
  363. {
  364.     dsa->flags |= DSA_FLAG_CACHE_MONT_P;
  365.     return (1);
  366. }
  367. 

  368. static int dsa_finish(DSA *dsa)
  369. {
  370.     BN_MONT_CTX_free(dsa->method_mont_p);
  371.     return (1);
  372. }