summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dsa
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
committercvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
commitb1ddde874c215cc8891531ed92876f091b7eb83e (patch)
treeedb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libcrypto/dsa
parentf0a36529837a161734c802ae4c42e84e42347be2 (diff)
downloadopenbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414
Diffstat (limited to 'src/lib/libcrypto/dsa')
-rw-r--r--src/lib/libcrypto/dsa/dsa.h263
-rw-r--r--src/lib/libcrypto/dsa/dsa_ameth.c736
-rw-r--r--src/lib/libcrypto/dsa/dsa_asn1.c479
-rw-r--r--src/lib/libcrypto/dsa/dsa_err.c104
-rw-r--r--src/lib/libcrypto/dsa/dsa_gen.c360
-rw-r--r--src/lib/libcrypto/dsa/dsa_key.c111
-rw-r--r--src/lib/libcrypto/dsa/dsa_lib.c483
-rw-r--r--src/lib/libcrypto/dsa/dsa_local.h104
-rw-r--r--src/lib/libcrypto/dsa/dsa_meth.c110
-rw-r--r--src/lib/libcrypto/dsa/dsa_ossl.c456
-rw-r--r--src/lib/libcrypto/dsa/dsa_pmeth.c351
-rw-r--r--src/lib/libcrypto/dsa/dsa_prn.c135
12 files changed, 0 insertions, 3692 deletions
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
deleted file mode 100644
index 7a8e7fcba4..0000000000
--- a/src/lib/libcrypto/dsa/dsa.h
+++ /dev/null
@@ -1,263 +0,0 @@
1/* $OpenBSD: dsa.h,v 1.48 2025/03/01 11:33:07 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/*
60 * The DSS routines are based on patches supplied by
61 * Steven Schoch <schoch@sheba.arc.nasa.gov>. He basically did the
62 * work and I have just tweaked them a little to fit into my
63 * stylistic vision for SSLeay :-) */
64
65#ifndef HEADER_DSA_H
66#define HEADER_DSA_H
67
68#include <openssl/opensslconf.h>
69
70#ifndef OPENSSL_NO_BIO
71#include <openssl/bio.h>
72#endif
73#include <openssl/bn.h>
74#include <openssl/crypto.h>
75#ifndef OPENSSL_NO_DH
76# include <openssl/dh.h>
77#endif
78
79#include <openssl/ossl_typ.h>
80
81#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
82# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
83#endif
84
85#define DSA_FLAG_CACHE_MONT_P 0x01
86
87/* If this flag is set the DSA method is FIPS compliant and can be used
88 * in FIPS mode. This is set in the validated module method. If an
89 * application sets this flag in its own methods it is its reposibility
90 * to ensure the result is compliant.
91 */
92
93#define DSA_FLAG_FIPS_METHOD 0x0400
94
95/* If this flag is set the operations normally disabled in FIPS mode are
96 * permitted it is then the applications responsibility to ensure that the
97 * usage is compliant.
98 */
99
100#define DSA_FLAG_NON_FIPS_ALLOW 0x0400
101
102#ifdef __cplusplus
103extern "C" {
104#endif
105
106typedef struct DSA_SIG_st DSA_SIG;
107
108DSA *d2i_DSAparams_bio(BIO *bp, DSA **a);
109int i2d_DSAparams_bio(BIO *bp, DSA *a);
110DSA *d2i_DSAparams_fp(FILE *fp, DSA **a);
111int i2d_DSAparams_fp(FILE *fp, DSA *a);
112
113DSA *DSAparams_dup(DSA *x);
114DSA_SIG * DSA_SIG_new(void);
115void DSA_SIG_free(DSA_SIG *a);
116int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp);
117DSA_SIG * d2i_DSA_SIG(DSA_SIG **v, const unsigned char **pp, long length);
118void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
119int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
120
121DSA_SIG * DSA_do_sign(const unsigned char *dgst,int dlen,DSA *dsa);
122int DSA_do_verify(const unsigned char *dgst,int dgst_len,
123 DSA_SIG *sig,DSA *dsa);
124
125const DSA_METHOD *DSA_OpenSSL(void);
126
127void DSA_set_default_method(const DSA_METHOD *);
128const DSA_METHOD *DSA_get_default_method(void);
129int DSA_set_method(DSA *dsa, const DSA_METHOD *);
130
131DSA * DSA_new(void);
132DSA * DSA_new_method(ENGINE *engine);
133void DSA_free(DSA *r);
134/* "up" the DSA object's reference count */
135int DSA_up_ref(DSA *r);
136int DSA_size(const DSA *);
137int DSA_bits(const DSA *d);
138 /* next 4 return -1 on error */
139int DSA_sign_setup( DSA *dsa,BN_CTX *ctx_in,BIGNUM **kinvp,BIGNUM **rp);
140int DSA_sign(int type,const unsigned char *dgst,int dlen,
141 unsigned char *sig, unsigned int *siglen, DSA *dsa);
142int DSA_verify(int type,const unsigned char *dgst,int dgst_len,
143 const unsigned char *sigbuf, int siglen, DSA *dsa);
144int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
145 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
146int DSA_set_ex_data(DSA *d, int idx, void *arg);
147void *DSA_get_ex_data(DSA *d, int idx);
148int DSA_security_bits(const DSA *d);
149
150DSA *d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
151int i2d_DSAPublicKey(const DSA *a, unsigned char **pp);
152extern const ASN1_ITEM DSAPublicKey_it;
153
154DSA *d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length);
155int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);
156extern const ASN1_ITEM DSAPrivateKey_it;
157
158DSA *d2i_DSAparams(DSA **a, const unsigned char **pp, long length);
159int i2d_DSAparams(const DSA *a,unsigned char **pp);
160extern const ASN1_ITEM DSAparams_it;
161
162/* New version */
163int DSA_generate_parameters_ex(DSA *dsa, int bits,
164 const unsigned char *seed,int seed_len,
165 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
166
167int DSA_generate_key(DSA *a);
168
169#ifndef OPENSSL_NO_BIO
170int DSAparams_print(BIO *bp, const DSA *x);
171int DSA_print(BIO *bp, const DSA *x, int off);
172#endif
173int DSAparams_print_fp(FILE *fp, const DSA *x);
174int DSA_print_fp(FILE *bp, const DSA *x, int off);
175
176#ifndef OPENSSL_NO_DH
177/* Convert DSA structure (key or just parameters) into DH structure
178 * (be careful to avoid small subgroup attacks when using this!) */
179DH *DSA_dup_DH(const DSA *r);
180#endif
181
182void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
183 const BIGNUM **g);
184int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
185void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key);
186int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
187const BIGNUM *DSA_get0_p(const DSA *d);
188const BIGNUM *DSA_get0_q(const DSA *d);
189const BIGNUM *DSA_get0_g(const DSA *d);
190const BIGNUM *DSA_get0_pub_key(const DSA *d);
191const BIGNUM *DSA_get0_priv_key(const DSA *d);
192void DSA_clear_flags(DSA *d, int flags);
193int DSA_test_flags(const DSA *d, int flags);
194void DSA_set_flags(DSA *d, int flags);
195ENGINE *DSA_get0_engine(DSA *d);
196
197DSA_METHOD *DSA_meth_new(const char *name, int flags);
198void DSA_meth_free(DSA_METHOD *meth);
199DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth);
200const char *DSA_meth_get0_name(const DSA_METHOD *meth);
201int DSA_meth_set1_name(DSA_METHOD *meth, const char *name);
202int DSA_meth_set_sign(DSA_METHOD *meth,
203 DSA_SIG *(*sign)(const unsigned char *, int, DSA *));
204int DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *));
205
206#define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
207 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
208 EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
209
210#define EVP_PKEY_CTRL_DSA_PARAMGEN_BITS (EVP_PKEY_ALG_CTRL + 1)
211#define EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS (EVP_PKEY_ALG_CTRL + 2)
212#define EVP_PKEY_CTRL_DSA_PARAMGEN_MD (EVP_PKEY_ALG_CTRL + 3)
213
214void ERR_load_DSA_strings(void);
215
216/* Error codes for the DSA functions. */
217
218/* Function codes. */
219#define DSA_F_D2I_DSA_SIG 110
220#define DSA_F_DO_DSA_PRINT 104
221#define DSA_F_DSAPARAMS_PRINT 100
222#define DSA_F_DSAPARAMS_PRINT_FP 101
223#define DSA_F_DSA_DO_SIGN 112
224#define DSA_F_DSA_DO_VERIFY 113
225#define DSA_F_DSA_GENERATE_KEY 124
226#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
227#define DSA_F_DSA_NEW_METHOD 103
228#define DSA_F_DSA_PARAM_DECODE 119
229#define DSA_F_DSA_PRINT_FP 105
230#define DSA_F_DSA_PRIV_DECODE 115
231#define DSA_F_DSA_PRIV_ENCODE 116
232#define DSA_F_DSA_PUB_DECODE 117
233#define DSA_F_DSA_PUB_ENCODE 118
234#define DSA_F_DSA_SIGN 106
235#define DSA_F_DSA_SIGN_SETUP 107
236#define DSA_F_DSA_SIG_NEW 109
237#define DSA_F_DSA_SIG_PRINT 125
238#define DSA_F_DSA_VERIFY 108
239#define DSA_F_I2D_DSA_SIG 111
240#define DSA_F_OLD_DSA_PRIV_DECODE 122
241#define DSA_F_PKEY_DSA_CTRL 120
242#define DSA_F_PKEY_DSA_KEYGEN 121
243#define DSA_F_SIG_CB 114
244
245/* Reason codes. */
246#define DSA_R_BAD_Q_VALUE 102
247#define DSA_R_BN_DECODE_ERROR 108
248#define DSA_R_BN_ERROR 109
249#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
250#define DSA_R_DECODE_ERROR 104
251#define DSA_R_INVALID_DIGEST_TYPE 106
252#define DSA_R_INVALID_PARAMETERS 112
253#define DSA_R_MISSING_PARAMETERS 101
254#define DSA_R_MODULUS_TOO_LARGE 103
255#define DSA_R_NEED_NEW_SETUP_VALUES 110
256#define DSA_R_NON_FIPS_DSA_METHOD 111
257#define DSA_R_NO_PARAMETERS_SET 107
258#define DSA_R_PARAMETER_ENCODING_ERROR 105
259
260#ifdef __cplusplus
261}
262#endif
263#endif
diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c
deleted file mode 100644
index 866e5ec476..0000000000
--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ /dev/null
@@ -1,736 +0,0 @@
1/* $OpenBSD: dsa_ameth.c,v 1.59 2024/04/13 14:02:51 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/asn1.h>
64#include <openssl/bn.h>
65#include <openssl/cms.h>
66#include <openssl/dsa.h>
67#include <openssl/err.h>
68#include <openssl/x509.h>
69
70#include "asn1_local.h"
71#include "bn_local.h"
72#include "dsa_local.h"
73#include "evp_local.h"
74#include "x509_local.h"
75
76static int
77dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
78{
79 X509_ALGOR *algor;
80 int ptype;
81 const void *pval;
82 const ASN1_STRING *astr;
83 const unsigned char *key, *params, *p;
84 int key_len, params_len;
85 ASN1_INTEGER *aint = NULL;
86 DSA *dsa = NULL;
87 int ret = 0;
88
89 if (!X509_PUBKEY_get0_param(NULL, &key, &key_len, &algor, pubkey))
90 goto err;
91 X509_ALGOR_get0(NULL, &ptype, &pval, algor);
92
93 if (ptype == V_ASN1_SEQUENCE) {
94 astr = pval;
95 params = astr->data;
96 params_len = astr->length;
97
98 p = params;
99 if ((dsa = d2i_DSAparams(NULL, &p, params_len)) == NULL) {
100 DSAerror(DSA_R_DECODE_ERROR);
101 goto err;
102 }
103 } else if (ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF) {
104 if ((dsa = DSA_new()) == NULL) {
105 DSAerror(ERR_R_MALLOC_FAILURE);
106 goto err;
107 }
108 } else {
109 DSAerror(DSA_R_PARAMETER_ENCODING_ERROR);
110 goto err;
111 }
112
113 p = key;
114 if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
115 DSAerror(DSA_R_DECODE_ERROR);
116 goto err;
117 }
118 BN_free(dsa->pub_key);
119 if ((dsa->pub_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
120 DSAerror(DSA_R_BN_DECODE_ERROR);
121 goto err;
122 }
123
124 /* We can only check for key consistency if we have parameters. */
125 if (ptype == V_ASN1_SEQUENCE) {
126 if (!dsa_check_key(dsa))
127 goto err;
128 }
129
130 if (!EVP_PKEY_assign_DSA(pkey, dsa))
131 goto err;
132 dsa = NULL;
133
134 ret = 1;
135
136 err:
137 ASN1_INTEGER_free(aint);
138 DSA_free(dsa);
139
140 return ret;
141}
142
143static int
144dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
145{
146 const DSA *dsa = pkey->pkey.dsa;
147 ASN1_STRING *astr = NULL;
148 int ptype = V_ASN1_UNDEF;
149 ASN1_INTEGER *aint = NULL;
150 ASN1_OBJECT *aobj;
151 unsigned char *params = NULL, *key = NULL;
152 int params_len = 0, key_len = 0;
153 int ret = 0;
154
155 if (pkey->save_parameters > 0 && !EVP_PKEY_missing_parameters(pkey)) {
156 if ((params_len = i2d_DSAparams(dsa, &params)) <= 0) {
157 DSAerror(ERR_R_MALLOC_FAILURE);
158 params_len = 0;
159 goto err;
160 }
161 if ((astr = ASN1_STRING_new()) == NULL) {
162 DSAerror(ERR_R_MALLOC_FAILURE);
163 goto err;
164 }
165 ASN1_STRING_set0(astr, params, params_len);
166 params = NULL;
167 params_len = 0;
168 ptype = V_ASN1_SEQUENCE;
169 }
170
171 if ((aint = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
172 DSAerror(ERR_R_MALLOC_FAILURE);
173 goto err;
174 }
175 if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
176 DSAerror(ERR_R_MALLOC_FAILURE);
177 key_len = 0;
178 goto err;
179 }
180
181 if ((aobj = OBJ_nid2obj(EVP_PKEY_DSA)) == NULL)
182 goto err;
183 if (!X509_PUBKEY_set0_param(pk, aobj, ptype, astr, key, key_len))
184 goto err;
185 astr = NULL;
186 key = NULL;
187 key_len = 0;
188
189 ret = 1;
190
191 err:
192 ASN1_STRING_free(astr);
193 ASN1_INTEGER_free(aint);
194 freezero(params, params_len);
195 freezero(key, key_len);
196
197 return ret;
198}
199
200/*
201 * In PKCS#8 DSA: you just get a private key integer and parameters in the
202 * AlgorithmIdentifier the pubkey must be recalculated.
203 */
204static int
205dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
206{
207 const X509_ALGOR *algor;
208 int ptype;
209 const void *pval;
210 const ASN1_STRING *astr;
211 const unsigned char *key, *params, *p;
212 int key_len, params_len;
213 ASN1_INTEGER *aint = NULL;
214 BN_CTX *ctx = NULL;
215 DSA *dsa = NULL;
216 int ret = 0;
217
218 if (!PKCS8_pkey_get0(NULL, &key, &key_len, &algor, p8))
219 goto err;
220 X509_ALGOR_get0(NULL, &ptype, &pval, algor);
221
222 if (ptype != V_ASN1_SEQUENCE) {
223 DSAerror(DSA_R_PARAMETER_ENCODING_ERROR);
224 goto err;
225 }
226
227 astr = pval;
228 params = astr->data;
229 params_len = astr->length;
230
231 p = params;
232 if ((dsa = d2i_DSAparams(NULL, &p, params_len)) == NULL) {
233 DSAerror(DSA_R_DECODE_ERROR);
234 goto err;
235 }
236 p = key;
237 if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
238 DSAerror(DSA_R_DECODE_ERROR);
239 goto err;
240 }
241 BN_free(dsa->priv_key);
242 if ((dsa->priv_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
243 DSAerror(DSA_R_BN_DECODE_ERROR);
244 goto err;
245 }
246
247 /* Check the key for basic consistency before doing expensive things. */
248 if (!dsa_check_key(dsa))
249 goto err;
250
251 /* Calculate public key */
252 BN_free(dsa->pub_key);
253 if ((dsa->pub_key = BN_new()) == NULL) {
254 DSAerror(ERR_R_MALLOC_FAILURE);
255 goto err;
256 }
257
258 if ((ctx = BN_CTX_new()) == NULL) {
259 DSAerror(ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262
263 BN_CTX_start(ctx);
264
265 if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
266 DSAerror(DSA_R_BN_ERROR);
267 goto err;
268 }
269
270 if (!EVP_PKEY_assign_DSA(pkey, dsa))
271 goto err;
272 dsa = NULL;
273
274 ret = 1;
275
276 err:
277 DSA_free(dsa);
278 BN_CTX_end(ctx);
279 BN_CTX_free(ctx);
280 ASN1_INTEGER_free(aint);
281
282 return ret;
283}
284
285static int
286dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
287{
288 const DSA *dsa = pkey->pkey.dsa;
289 ASN1_STRING *astr = NULL;
290 int ptype = V_ASN1_SEQUENCE;
291 ASN1_INTEGER *aint = NULL;
292 ASN1_OBJECT *aobj;
293 unsigned char *params = NULL, *key = NULL;
294 int params_len = 0, key_len = 0;
295 int ret = 0;
296
297 if ((params_len = i2d_DSAparams(dsa, &params)) <= 0) {
298 DSAerror(ERR_R_MALLOC_FAILURE);
299 params_len = 0;
300 goto err;
301 }
302 if ((astr = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
303 DSAerror(ERR_R_MALLOC_FAILURE);
304 goto err;
305 }
306 ASN1_STRING_set0(astr, params, params_len);
307 params = NULL;
308 params_len = 0;
309
310 if ((aint = BN_to_ASN1_INTEGER(dsa->priv_key, NULL)) == NULL) {
311 DSAerror(DSA_R_BN_ERROR);
312 goto err;
313 }
314 if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
315 DSAerror(ERR_R_MALLOC_FAILURE);
316 key_len = 0;
317 goto err;
318 }
319
320 if ((aobj = OBJ_nid2obj(NID_dsa)) == NULL)
321 goto err;
322 if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, astr, key, key_len))
323 goto err;
324 astr = NULL;
325 key = NULL;
326 key_len = 0;
327
328 ret = 1;
329
330 err:
331 ASN1_STRING_free(astr);
332 ASN1_INTEGER_free(aint);
333 freezero(params, params_len);
334 freezero(key, key_len);
335
336 return ret;
337}
338
339static int
340dsa_size(const EVP_PKEY *pkey)
341{
342 return DSA_size(pkey->pkey.dsa);
343}
344
345static int
346dsa_bits(const EVP_PKEY *pkey)
347{
348 return BN_num_bits(pkey->pkey.dsa->p);
349}
350
351static int
352dsa_security_bits(const EVP_PKEY *pkey)
353{
354 return DSA_security_bits(pkey->pkey.dsa);
355}
356
357static int
358dsa_missing_parameters(const EVP_PKEY *pkey)
359{
360 const DSA *dsa = pkey->pkey.dsa;
361
362 return dsa->p == NULL || dsa->q == NULL || dsa->g == NULL;
363}
364
365static int
366dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
367{
368 BIGNUM *a;
369
370 if ((a = BN_dup(from->pkey.dsa->p)) == NULL)
371 return 0;
372 BN_free(to->pkey.dsa->p);
373 to->pkey.dsa->p = a;
374
375 if ((a = BN_dup(from->pkey.dsa->q)) == NULL)
376 return 0;
377 BN_free(to->pkey.dsa->q);
378 to->pkey.dsa->q = a;
379
380 if ((a = BN_dup(from->pkey.dsa->g)) == NULL)
381 return 0;
382 BN_free(to->pkey.dsa->g);
383 to->pkey.dsa->g = a;
384 return 1;
385}
386
387static int
388dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
389{
390 if (BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) ||
391 BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) ||
392 BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g))
393 return 0;
394 else
395 return 1;
396}
397
398static int
399dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
400{
401 if (BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) != 0)
402 return 0;
403 else
404 return 1;
405}
406
407static void
408dsa_free(EVP_PKEY *pkey)
409{
410 DSA_free(pkey->pkey.dsa);
411}
412
413static int
414do_dsa_print(BIO *bp, const DSA *x, int off, int ptype)
415{
416 const char *ktype = NULL;
417 const BIGNUM *priv_key, *pub_key;
418 int ret = 0;
419
420 if (ptype == 2)
421 priv_key = x->priv_key;
422 else
423 priv_key = NULL;
424
425 if (ptype > 0)
426 pub_key = x->pub_key;
427 else
428 pub_key = NULL;
429
430 if (ptype == 2)
431 ktype = "Private-Key";
432 else if (ptype == 1)
433 ktype = "Public-Key";
434 else
435 ktype = "DSA-Parameters";
436
437 if (priv_key) {
438 if (!BIO_indent(bp, off, 128))
439 goto err;
440 if (BIO_printf(bp, "%s: (%d bit)\n", ktype,
441 BN_num_bits(x->p)) <= 0)
442 goto err;
443 }
444
445 if (!bn_printf(bp, priv_key, off, "priv:"))
446 goto err;
447 if (!bn_printf(bp, pub_key, off, "pub: "))
448 goto err;
449 if (!bn_printf(bp, x->p, off, "P: "))
450 goto err;
451 if (!bn_printf(bp, x->q, off, "Q: "))
452 goto err;
453 if (!bn_printf(bp, x->g, off, "G: "))
454 goto err;
455
456 ret = 1;
457
458 err:
459 return ret;
460}
461
462static int
463dsa_param_decode(EVP_PKEY *pkey, const unsigned char **params, int params_len)
464{
465 DSA *dsa = NULL;
466 int ret = 0;
467
468 if ((dsa = d2i_DSAparams(NULL, params, params_len)) == NULL) {
469 DSAerror(ERR_R_DSA_LIB);
470 goto err;
471 }
472 if (!dsa_check_key(dsa))
473 goto err;
474 if (!EVP_PKEY_assign_DSA(pkey, dsa))
475 goto err;
476 dsa = NULL;
477
478 ret = 1;
479
480 err:
481 DSA_free(dsa);
482
483 return ret;
484}
485
486static int
487dsa_param_encode(const EVP_PKEY *pkey, unsigned char **params)
488{
489 return i2d_DSAparams(pkey->pkey.dsa, params);
490}
491
492static int
493dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
494{
495 return do_dsa_print(bp, pkey->pkey.dsa, indent, 0);
496}
497
498static int
499dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
500{
501 return do_dsa_print(bp, pkey->pkey.dsa, indent, 1);
502}
503
504static int
505dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
506{
507 return do_dsa_print(bp, pkey->pkey.dsa, indent, 2);
508}
509
510static int
511old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **key, int key_len)
512{
513 DSA *dsa = NULL;
514 BN_CTX *ctx = NULL;
515 BIGNUM *result;
516 int ret = 0;
517
518 if ((dsa = d2i_DSAPrivateKey(NULL, key, key_len)) == NULL) {
519 DSAerror(ERR_R_DSA_LIB);
520 goto err;
521 }
522
523 if (!dsa_check_key(dsa))
524 goto err;
525
526 if ((ctx = BN_CTX_new()) == NULL)
527 goto err;
528
529 BN_CTX_start(ctx);
530
531 if ((result = BN_CTX_get(ctx)) == NULL)
532 goto err;
533
534 /*
535 * Check that p and q are consistent with each other. dsa_check_key()
536 * ensures that 1 < q < p. Now check that q divides p - 1.
537 */
538
539 if (!BN_sub(result, dsa->p, BN_value_one()))
540 goto err;
541 if (!BN_mod_ct(result, result, dsa->q, ctx))
542 goto err;
543 if (!BN_is_zero(result)) {
544 DSAerror(DSA_R_BAD_Q_VALUE);
545 goto err;
546 }
547
548 /*
549 * Check that g generates a multiplicative subgroup of order q.
550 * We only check that g^q == 1, so the order is a divisor of q.
551 * Once we know that q is prime, this is enough.
552 */
553
554 if (!BN_mod_exp_ct(result, dsa->g, dsa->q, dsa->p, ctx))
555 goto err;
556 if (BN_cmp(result, BN_value_one()) != 0) {
557 DSAerror(DSA_R_INVALID_PARAMETERS);
558 goto err;
559 }
560
561 /*
562 * Check that q is not a composite number.
563 */
564
565 if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) <= 0) {
566 DSAerror(DSA_R_BAD_Q_VALUE);
567 goto err;
568 }
569
570 if (!EVP_PKEY_assign_DSA(pkey, dsa))
571 goto err;
572 dsa = NULL;
573
574 ret = 1;
575
576 err:
577 BN_CTX_end(ctx);
578 BN_CTX_free(ctx);
579 DSA_free(dsa);
580
581 return ret;
582}
583
584static int
585old_dsa_priv_encode(const EVP_PKEY *pkey, unsigned char **key)
586{
587 return i2d_DSAPrivateKey(pkey->pkey.dsa, key);
588}
589
590static int
591dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig,
592 int indent, ASN1_PCTX *pctx)
593{
594 DSA_SIG *dsa_sig;
595 const unsigned char *p;
596
597 if (!sig) {
598 if (BIO_puts(bp, "\n") <= 0)
599 return 0;
600 else
601 return 1;
602 }
603 p = sig->data;
604 dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
605 if (dsa_sig) {
606 int rv = 0;
607
608 if (BIO_write(bp, "\n", 1) != 1)
609 goto err;
610
611 if (!bn_printf(bp, dsa_sig->r, indent, "r: "))
612 goto err;
613 if (!bn_printf(bp, dsa_sig->s, indent, "s: "))
614 goto err;
615 rv = 1;
616 err:
617 DSA_SIG_free(dsa_sig);
618 return rv;
619 }
620 return X509_signature_dump(bp, sig, indent);
621}
622
623static int
624dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
625{
626 switch (op) {
627 case ASN1_PKEY_CTRL_PKCS7_SIGN:
628 if (arg1 == 0) {
629 int snid, hnid;
630 X509_ALGOR *alg1, *alg2;
631
632 PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2);
633 if (alg1 == NULL || alg1->algorithm == NULL)
634 return -1;
635 hnid = OBJ_obj2nid(alg1->algorithm);
636 if (hnid == NID_undef)
637 return -1;
638 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
639 return -1;
640 if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
641 NULL))
642 return -1;
643 }
644 return 1;
645
646#ifndef OPENSSL_NO_CMS
647 case ASN1_PKEY_CTRL_CMS_SIGN:
648 if (arg1 == 0) {
649 int snid, hnid;
650 X509_ALGOR *alg1, *alg2;
651
652 CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2);
653 if (alg1 == NULL || alg1->algorithm == NULL)
654 return -1;
655 hnid = OBJ_obj2nid(alg1->algorithm);
656 if (hnid == NID_undef)
657 return -1;
658 if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
659 return -1;
660 if (!X509_ALGOR_set0_by_nid(alg2, snid, V_ASN1_UNDEF,
661 NULL))
662 return -1;
663 }
664 return 1;
665
666 case ASN1_PKEY_CTRL_CMS_RI_TYPE:
667 *(int *)arg2 = CMS_RECIPINFO_NONE;
668 return 1;
669#endif
670
671 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
672 *(int *)arg2 = NID_sha1;
673 return 2;
674
675 default:
676 return -2;
677 }
678}
679
680const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {
681 .base_method = &dsa_asn1_meth,
682 .pkey_id = EVP_PKEY_DSA,
683
684 .pem_str = "DSA",
685 .info = "OpenSSL DSA method",
686
687 .pub_decode = dsa_pub_decode,
688 .pub_encode = dsa_pub_encode,
689 .pub_cmp = dsa_pub_cmp,
690 .pub_print = dsa_pub_print,
691
692 .priv_decode = dsa_priv_decode,
693 .priv_encode = dsa_priv_encode,
694 .priv_print = dsa_priv_print,
695
696 .pkey_size = dsa_size,
697 .pkey_bits = dsa_bits,
698 .pkey_security_bits = dsa_security_bits,
699
700 .param_decode = dsa_param_decode,
701 .param_encode = dsa_param_encode,
702 .param_missing = dsa_missing_parameters,
703 .param_copy = dsa_copy_parameters,
704 .param_cmp = dsa_cmp_parameters,
705 .param_print = dsa_param_print,
706 .sig_print = dsa_sig_print,
707
708 .pkey_free = dsa_free,
709 .pkey_ctrl = dsa_pkey_ctrl,
710 .old_priv_decode = old_dsa_priv_decode,
711 .old_priv_encode = old_dsa_priv_encode
712};
713
714const EVP_PKEY_ASN1_METHOD dsa1_asn1_meth = {
715 .base_method = &dsa_asn1_meth,
716 .pkey_id = EVP_PKEY_DSA1,
717 .pkey_flags = ASN1_PKEY_ALIAS,
718};
719
720const EVP_PKEY_ASN1_METHOD dsa2_asn1_meth = {
721 .base_method = &dsa_asn1_meth,
722 .pkey_id = EVP_PKEY_DSA2,
723 .pkey_flags = ASN1_PKEY_ALIAS,
724};
725
726const EVP_PKEY_ASN1_METHOD dsa3_asn1_meth = {
727 .base_method = &dsa_asn1_meth,
728 .pkey_id = EVP_PKEY_DSA3,
729 .pkey_flags = ASN1_PKEY_ALIAS,
730};
731
732const EVP_PKEY_ASN1_METHOD dsa4_asn1_meth = {
733 .base_method = &dsa_asn1_meth,
734 .pkey_id = EVP_PKEY_DSA4,
735 .pkey_flags = ASN1_PKEY_ALIAS,
736};
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
deleted file mode 100644
index de6ec46195..0000000000
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ /dev/null
@@ -1,479 +0,0 @@
1/* $OpenBSD: dsa_asn1.c,v 1.33 2024/07/08 17:11:05 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/bn.h>
65#include <openssl/dsa.h>
66#include <openssl/err.h>
67
68#include "dsa_local.h"
69
70/* Override the default new methods */
71static int
72sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
73{
74 if (operation == ASN1_OP_NEW_PRE) {
75 DSA_SIG *sig;
76
77 if ((sig = DSA_SIG_new()) == NULL) {
78 DSAerror(ERR_R_MALLOC_FAILURE);
79 return 0;
80 }
81 *pval = (ASN1_VALUE *)sig;
82 return 2;
83 }
84 return 1;
85}
86
87static const ASN1_AUX DSA_SIG_aux = {
88 .app_data = NULL,
89 .flags = 0,
90 .ref_offset = 0,
91 .ref_lock = 0,
92 .asn1_cb = sig_cb,
93 .enc_offset = 0,
94};
95static const ASN1_TEMPLATE DSA_SIG_seq_tt[] = {
96 {
97 .flags = 0,
98 .tag = 0,
99 .offset = offsetof(DSA_SIG, r),
100 .field_name = "r",
101 .item = &BIGNUM_it,
102 },
103 {
104 .flags = 0,
105 .tag = 0,
106 .offset = offsetof(DSA_SIG, s),
107 .field_name = "s",
108 .item = &BIGNUM_it,
109 },
110};
111
112static const ASN1_ITEM DSA_SIG_it = {
113 .itype = ASN1_ITYPE_SEQUENCE,
114 .utype = V_ASN1_SEQUENCE,
115 .templates = DSA_SIG_seq_tt,
116 .tcount = sizeof(DSA_SIG_seq_tt) / sizeof(ASN1_TEMPLATE),
117 .funcs = &DSA_SIG_aux,
118 .size = sizeof(DSA_SIG),
119 .sname = "DSA_SIG",
120};
121
122
123DSA_SIG *
124d2i_DSA_SIG(DSA_SIG **a, const unsigned char **in, long len)
125{
126 return (DSA_SIG *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
127 &DSA_SIG_it);
128}
129LCRYPTO_ALIAS(d2i_DSA_SIG);
130
131int
132i2d_DSA_SIG(const DSA_SIG *a, unsigned char **out)
133{
134 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSA_SIG_it);
135}
136LCRYPTO_ALIAS(i2d_DSA_SIG);
137
138void
139DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
140{
141 if (pr != NULL)
142 *pr = sig->r;
143 if (ps != NULL)
144 *ps = sig->s;
145}
146LCRYPTO_ALIAS(DSA_SIG_get0);
147
148int
149DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
150{
151 if (r == NULL || s == NULL)
152 return 0;
153
154 BN_free(sig->r);
155 sig->r = r;
156 BN_free(sig->s);
157 sig->s = s;
158
159 return 1;
160}
161LCRYPTO_ALIAS(DSA_SIG_set0);
162
163/* Override the default free and new methods */
164static int
165dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
166{
167 if (operation == ASN1_OP_NEW_PRE) {
168 *pval = (ASN1_VALUE *)DSA_new();
169 if (*pval)
170 return 2;
171 return 0;
172 } else if (operation == ASN1_OP_FREE_PRE) {
173 DSA_free((DSA *)*pval);
174 *pval = NULL;
175 return 2;
176 }
177 return 1;
178}
179
180static const ASN1_AUX DSAPrivateKey_aux = {
181 .app_data = NULL,
182 .flags = 0,
183 .ref_offset = 0,
184 .ref_lock = 0,
185 .asn1_cb = dsa_cb,
186 .enc_offset = 0,
187};
188static const ASN1_TEMPLATE DSAPrivateKey_seq_tt[] = {
189 {
190 .flags = 0,
191 .tag = 0,
192 .offset = offsetof(DSA, version),
193 .field_name = "version",
194 .item = &LONG_it,
195 },
196 {
197 .flags = 0,
198 .tag = 0,
199 .offset = offsetof(DSA, p),
200 .field_name = "p",
201 .item = &BIGNUM_it,
202 },
203 {
204 .flags = 0,
205 .tag = 0,
206 .offset = offsetof(DSA, q),
207 .field_name = "q",
208 .item = &BIGNUM_it,
209 },
210 {
211 .flags = 0,
212 .tag = 0,
213 .offset = offsetof(DSA, g),
214 .field_name = "g",
215 .item = &BIGNUM_it,
216 },
217 {
218 .flags = 0,
219 .tag = 0,
220 .offset = offsetof(DSA, pub_key),
221 .field_name = "pub_key",
222 .item = &BIGNUM_it,
223 },
224 {
225 .flags = 0,
226 .tag = 0,
227 .offset = offsetof(DSA, priv_key),
228 .field_name = "priv_key",
229 .item = &BIGNUM_it,
230 },
231};
232
233const ASN1_ITEM DSAPrivateKey_it = {
234 .itype = ASN1_ITYPE_SEQUENCE,
235 .utype = V_ASN1_SEQUENCE,
236 .templates = DSAPrivateKey_seq_tt,
237 .tcount = sizeof(DSAPrivateKey_seq_tt) / sizeof(ASN1_TEMPLATE),
238 .funcs = &DSAPrivateKey_aux,
239 .size = sizeof(DSA),
240 .sname = "DSA",
241};
242LCRYPTO_ALIAS(DSAPrivateKey_it);
243
244
245DSA *
246d2i_DSAPrivateKey(DSA **a, const unsigned char **in, long len)
247{
248 return (DSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
249 &DSAPrivateKey_it);
250}
251LCRYPTO_ALIAS(d2i_DSAPrivateKey);
252
253int
254i2d_DSAPrivateKey(const DSA *a, unsigned char **out)
255{
256 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSAPrivateKey_it);
257}
258LCRYPTO_ALIAS(i2d_DSAPrivateKey);
259
260static const ASN1_AUX DSAparams_aux = {
261 .app_data = NULL,
262 .flags = 0,
263 .ref_offset = 0,
264 .ref_lock = 0,
265 .asn1_cb = dsa_cb,
266 .enc_offset = 0,
267};
268static const ASN1_TEMPLATE DSAparams_seq_tt[] = {
269 {
270 .flags = 0,
271 .tag = 0,
272 .offset = offsetof(DSA, p),
273 .field_name = "p",
274 .item = &BIGNUM_it,
275 },
276 {
277 .flags = 0,
278 .tag = 0,
279 .offset = offsetof(DSA, q),
280 .field_name = "q",
281 .item = &BIGNUM_it,
282 },
283 {
284 .flags = 0,
285 .tag = 0,
286 .offset = offsetof(DSA, g),
287 .field_name = "g",
288 .item = &BIGNUM_it,
289 },
290};
291
292const ASN1_ITEM DSAparams_it = {
293 .itype = ASN1_ITYPE_SEQUENCE,
294 .utype = V_ASN1_SEQUENCE,
295 .templates = DSAparams_seq_tt,
296 .tcount = sizeof(DSAparams_seq_tt) / sizeof(ASN1_TEMPLATE),
297 .funcs = &DSAparams_aux,
298 .size = sizeof(DSA),
299 .sname = "DSA",
300};
301LCRYPTO_ALIAS(DSAparams_it);
302
303
304DSA *
305d2i_DSAparams(DSA **a, const unsigned char **in, long len)
306{
307 return (DSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
308 &DSAparams_it);
309}
310LCRYPTO_ALIAS(d2i_DSAparams);
311
312int
313i2d_DSAparams(const DSA *a, unsigned char **out)
314{
315 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSAparams_it);
316}
317LCRYPTO_ALIAS(i2d_DSAparams);
318
319DSA *
320d2i_DSAparams_bio(BIO *bp, DSA **a)
321{
322 return ASN1_item_d2i_bio(&DSAparams_it, bp, a);
323}
324LCRYPTO_ALIAS(d2i_DSAparams_bio);
325
326int
327i2d_DSAparams_bio(BIO *bp, DSA *a)
328{
329 return ASN1_item_i2d_bio(&DSAparams_it, bp, a);
330}
331LCRYPTO_ALIAS(i2d_DSAparams_bio);
332
333DSA *
334d2i_DSAparams_fp(FILE *fp, DSA **a)
335{
336 return ASN1_item_d2i_fp(&DSAparams_it, fp, a);
337}
338LCRYPTO_ALIAS(d2i_DSAparams_fp);
339
340int
341i2d_DSAparams_fp(FILE *fp, DSA *a)
342{
343 return ASN1_item_i2d_fp(&DSAparams_it, fp, a);
344}
345LCRYPTO_ALIAS(i2d_DSAparams_fp);
346
347static const ASN1_AUX DSAPublicKey_aux = {
348 .app_data = NULL,
349 .flags = 0,
350 .ref_offset = 0,
351 .ref_lock = 0,
352 .asn1_cb = dsa_cb,
353 .enc_offset = 0,
354};
355static const ASN1_TEMPLATE DSAPublicKey_seq_tt[] = {
356 {
357 .flags = 0,
358 .tag = 0,
359 .offset = offsetof(DSA, pub_key),
360 .field_name = "pub_key",
361 .item = &BIGNUM_it,
362 },
363 {
364 .flags = 0,
365 .tag = 0,
366 .offset = offsetof(DSA, p),
367 .field_name = "p",
368 .item = &BIGNUM_it,
369 },
370 {
371 .flags = 0,
372 .tag = 0,
373 .offset = offsetof(DSA, q),
374 .field_name = "q",
375 .item = &BIGNUM_it,
376 },
377 {
378 .flags = 0,
379 .tag = 0,
380 .offset = offsetof(DSA, g),
381 .field_name = "g",
382 .item = &BIGNUM_it,
383 },
384};
385
386const ASN1_ITEM DSAPublicKey_it = {
387 .itype = ASN1_ITYPE_SEQUENCE,
388 .utype = V_ASN1_SEQUENCE,
389 .templates = DSAPublicKey_seq_tt,
390 .tcount = sizeof(DSAPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
391 .funcs = &DSAPublicKey_aux,
392 .size = sizeof(DSA),
393 .sname = "DSA",
394};
395LCRYPTO_ALIAS(DSAPublicKey_it);
396
397DSA *
398d2i_DSAPublicKey(DSA **a, const unsigned char **in, long len)
399{
400 return (DSA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
401 &DSAPublicKey_it);
402}
403LCRYPTO_ALIAS(d2i_DSAPublicKey);
404
405int
406i2d_DSAPublicKey(const DSA *a, unsigned char **out)
407{
408 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSAPublicKey_it);
409}
410LCRYPTO_ALIAS(i2d_DSAPublicKey);
411
412DSA *
413DSAparams_dup(DSA *dsa)
414{
415 return ASN1_item_dup(&DSAparams_it, dsa);
416}
417LCRYPTO_ALIAS(DSAparams_dup);
418
419int
420DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
421 unsigned int *out_siglen, DSA *dsa)
422{
423 DSA_SIG *s;
424 int siglen;
425 int ret = 0;
426
427 *out_siglen = 0;
428
429 if ((s = DSA_do_sign(dgst, dlen, dsa)) == NULL)
430 goto err;
431
432 if ((siglen = i2d_DSA_SIG(s, &sig)) < 0)
433 goto err;
434
435 *out_siglen = siglen;
436
437 ret = 1;
438 err:
439 DSA_SIG_free(s);
440
441 return ret;
442}
443LCRYPTO_ALIAS(DSA_sign);
444
445/*
446 * data has already been hashed (probably with SHA or SHA-1).
447 * returns
448 * 1: correct signature
449 * 0: incorrect signature
450 * -1: error
451 */
452int
453DSA_verify(int type, const unsigned char *dgst, int dgst_len,
454 const unsigned char *sigbuf, int siglen, DSA *dsa)
455{
456 DSA_SIG *s = NULL;
457 unsigned char *der = NULL;
458 const unsigned char *p;
459 int ret = -1;
460
461 p = sigbuf;
462 if ((s = d2i_DSA_SIG(NULL, &p, siglen)) == NULL)
463 goto err;
464
465 /* Ensure signature uses DER and doesn't have trailing garbage */
466 if (i2d_DSA_SIG(s, &der) != siglen)
467 goto err;
468
469 if (memcmp(der, sigbuf, siglen) != 0)
470 goto err;
471
472 ret = DSA_do_verify(dgst, dgst_len, s, dsa);
473 err:
474 free(der);
475 DSA_SIG_free(s);
476
477 return ret;
478}
479LCRYPTO_ALIAS(DSA_verify);
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
deleted file mode 100644
index b7670f895b..0000000000
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ /dev/null
@@ -1,104 +0,0 @@
1/* $OpenBSD: dsa_err.c,v 1.22 2024/06/24 06:43:22 tb Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include <stdio.h>
57
58#include <openssl/opensslconf.h>
59
60#include <openssl/err.h>
61#include <openssl/dsa.h>
62
63#include "err_local.h"
64
65#ifndef OPENSSL_NO_ERR
66
67#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
68#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
69
70static const ERR_STRING_DATA DSA_str_functs[] = {
71 {ERR_FUNC(0xfff), "CRYPTO_internal"},
72 {0, NULL}
73};
74
75static const ERR_STRING_DATA DSA_str_reasons[] = {
76 {ERR_REASON(DSA_R_BAD_Q_VALUE) ,"bad q value"},
77 {ERR_REASON(DSA_R_BN_DECODE_ERROR) ,"bn decode error"},
78 {ERR_REASON(DSA_R_BN_ERROR) ,"bn error"},
79 {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
80 {ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"},
81 {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
82 {ERR_REASON(DSA_R_INVALID_PARAMETERS) ,"invalid parameters"},
83 {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
84 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
85 {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
86 {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD) ,"non fips dsa method"},
87 {ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"},
88 {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
89 {0,NULL}
90};
91
92#endif
93
94void
95ERR_load_DSA_strings(void)
96{
97#ifndef OPENSSL_NO_ERR
98 if (ERR_func_error_string(DSA_str_functs[0].error) == NULL) {
99 ERR_load_const_strings(DSA_str_functs);
100 ERR_load_const_strings(DSA_str_reasons);
101 }
102#endif
103}
104LCRYPTO_ALIAS(ERR_load_DSA_strings);
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
deleted file mode 100644
index c8f626cd97..0000000000
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ /dev/null
@@ -1,360 +0,0 @@
1/* $OpenBSD: dsa_gen.c,v 1.34 2025/02/13 11:18:00 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */
60
61#ifndef OPENSSL_NO_SHA
62
63#include <stdio.h>
64#include <stdlib.h>
65#include <string.h>
66
67#include <openssl/bn.h>
68#include <openssl/evp.h>
69#include <openssl/sha.h>
70
71#include "bn_local.h"
72#include "dsa_local.h"
73
74/*
75 * Primality test according to FIPS PUB 186-4, Appendix C.3. Set the number
76 * to 64 rounds of Miller-Rabin, which corresponds to 128 bits of security.
77 * This is necessary for keys of size >= 3072.
78 * XXX - now that we do BPSW the recommendation is to do 2 for p and 27 for q.
79 */
80#define DSA_prime_checks 64
81
82int
83DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in,
84 int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
85{
86 const EVP_MD *evpmd;
87 size_t qbits;
88
89 if (bits >= 2048) {
90 qbits = 256;
91 evpmd = EVP_sha256();
92 } else {
93 qbits = 160;
94 evpmd = EVP_sha1();
95 }
96
97 return dsa_builtin_paramgen(ret, bits, qbits, evpmd, seed_in, seed_len,
98 NULL, counter_ret, h_ret, cb);
99}
100LCRYPTO_ALIAS(DSA_generate_parameters_ex);
101
102int
103dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
104 const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out,
105 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
106{
107 int ok = 0;
108 unsigned char seed[SHA256_DIGEST_LENGTH];
109 unsigned char md[SHA256_DIGEST_LENGTH];
110 unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
111 BIGNUM *r0, *W, *X, *c, *test;
112 BIGNUM *g = NULL, *q = NULL, *p = NULL;
113 BN_MONT_CTX *mont = NULL;
114 int i, k, n = 0, m = 0, qsize = qbits >> 3;
115 int counter = 0;
116 int r = 0;
117 BN_CTX *ctx = NULL;
118 unsigned int h = 2;
119
120 if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
121 qsize != SHA256_DIGEST_LENGTH)
122 /* invalid q size */
123 return 0;
124
125 if (evpmd == NULL)
126 /* use SHA1 as default */
127 evpmd = EVP_sha1();
128
129 if (bits < 512)
130 bits = 512;
131
132 bits = (bits + 63) / 64 * 64;
133
134 if (seed_len < (size_t)qsize) {
135 seed_in = NULL; /* seed buffer too small -- ignore */
136 seed_len = 0;
137 }
138 /*
139 * App. 2.2 of FIPS PUB 186 allows larger SEED,
140 * but our internal buffers are restricted to 160 bits
141 */
142 if (seed_len > (size_t)qsize)
143 seed_len = qsize;
144 if (seed_in != NULL)
145 memcpy(seed, seed_in, seed_len);
146 else if (seed_len != 0)
147 goto err;
148
149 if ((ctx = BN_CTX_new()) == NULL)
150 goto err;
151
152 BN_CTX_start(ctx);
153
154 if ((r0 = BN_CTX_get(ctx)) == NULL)
155 goto err;
156 if ((g = BN_CTX_get(ctx)) == NULL)
157 goto err;
158 if ((W = BN_CTX_get(ctx)) == NULL)
159 goto err;
160 if ((q = BN_CTX_get(ctx)) == NULL)
161 goto err;
162 if ((X = BN_CTX_get(ctx)) == NULL)
163 goto err;
164 if ((c = BN_CTX_get(ctx)) == NULL)
165 goto err;
166 if ((p = BN_CTX_get(ctx)) == NULL)
167 goto err;
168 if ((test = BN_CTX_get(ctx)) == NULL)
169 goto err;
170
171 if (!BN_lshift(test, BN_value_one(), bits - 1))
172 goto err;
173
174 for (;;) {
175 for (;;) { /* find q */
176 int seed_is_random;
177
178 /* step 1 */
179 if (!BN_GENCB_call(cb, 0, m++))
180 goto err;
181
182 if (seed_len == 0) {
183 arc4random_buf(seed, qsize);
184 seed_is_random = 1;
185 } else {
186 seed_is_random = 0;
187 /* use random seed if 'seed_in' turns out
188 to be bad */
189 seed_len = 0;
190 }
191 memcpy(buf, seed, qsize);
192 memcpy(buf2, seed, qsize);
193 /* precompute "SEED + 1" for step 7: */
194 for (i = qsize - 1; i >= 0; i--) {
195 buf[i]++;
196 if (buf[i] != 0)
197 break;
198 }
199
200 /* step 2 */
201 if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
202 goto err;
203 if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
204 goto err;
205 for (i = 0; i < qsize; i++)
206 md[i] ^= buf2[i];
207
208 /* step 3 */
209 md[0] |= 0x80;
210 md[qsize - 1] |= 0x01;
211 if (!BN_bin2bn(md, qsize, q))
212 goto err;
213
214 /* step 4 */
215 r = BN_is_prime_fasttest_ex(q, DSA_prime_checks, ctx,
216 seed_is_random, cb);
217 if (r > 0)
218 break;
219 if (r != 0)
220 goto err;
221
222 /* do a callback call */
223 /* step 5 */
224 }
225
226 if (!BN_GENCB_call(cb, 2, 0))
227 goto err;
228 if (!BN_GENCB_call(cb, 3, 0))
229 goto err;
230
231 /* step 6 */
232 counter = 0;
233 /* "offset = 2" */
234
235 n = (bits - 1) / 160;
236
237 for (;;) {
238 if (counter != 0 && !BN_GENCB_call(cb, 0, counter))
239 goto err;
240
241 /* step 7 */
242 BN_zero(W);
243 /* now 'buf' contains "SEED + offset - 1" */
244 for (k = 0; k <= n; k++) {
245 /* obtain "SEED + offset + k" by incrementing: */
246 for (i = qsize - 1; i >= 0; i--) {
247 buf[i]++;
248 if (buf[i] != 0)
249 break;
250 }
251
252 if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
253 NULL))
254 goto err;
255
256 /* step 8 */
257 if (!BN_bin2bn(md, qsize, r0))
258 goto err;
259 if (!BN_lshift(r0, r0, (qsize << 3) * k))
260 goto err;
261 if (!BN_add(W, W, r0))
262 goto err;
263 }
264
265 /* more of step 8 */
266 if (!BN_mask_bits(W, bits - 1))
267 goto err;
268 if (!bn_copy(X, W))
269 goto err;
270 if (!BN_add(X, X, test))
271 goto err;
272
273 /* step 9 */
274 if (!BN_lshift1(r0, q))
275 goto err;
276 if (!BN_mod_ct(c, X, r0, ctx))
277 goto err;
278 if (!BN_sub(r0, c, BN_value_one()))
279 goto err;
280 if (!BN_sub(p, X, r0))
281 goto err;
282
283 /* step 10 */
284 if (BN_cmp(p, test) >= 0) {
285 /* step 11 */
286 r = BN_is_prime_fasttest_ex(p, DSA_prime_checks,
287 ctx, 1, cb);
288 if (r > 0)
289 goto end; /* found it */
290 if (r != 0)
291 goto err;
292 }
293
294 /* step 13 */
295 counter++;
296 /* "offset = offset + n + 1" */
297
298 /* step 14 */
299 if (counter >= 4096)
300 break;
301 }
302 }
303end:
304 if (!BN_GENCB_call(cb, 2, 1))
305 goto err;
306
307 /* We now need to generate g */
308 /* Set r0=(p-1)/q */
309 if (!BN_sub(test, p, BN_value_one()))
310 goto err;
311 if (!BN_div_ct(r0, NULL, test, q, ctx))
312 goto err;
313
314 if (!BN_set_word(test, h))
315 goto err;
316 if ((mont = BN_MONT_CTX_create(p, ctx)) == NULL)
317 goto err;
318
319 for (;;) {
320 /* g=test^r0%p */
321 if (!BN_mod_exp_mont_ct(g, test, r0, p, ctx, mont))
322 goto err;
323 if (!BN_is_one(g))
324 break;
325 if (!BN_add(test, test, BN_value_one()))
326 goto err;
327 h++;
328 }
329
330 if (!BN_GENCB_call(cb, 3, 1))
331 goto err;
332
333 ok = 1;
334err:
335 if (ok) {
336 BN_free(ret->p);
337 BN_free(ret->q);
338 BN_free(ret->g);
339 ret->p = BN_dup(p);
340 ret->q = BN_dup(q);
341 ret->g = BN_dup(g);
342 if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
343 ok = 0;
344 goto err;
345 }
346 if (counter_ret != NULL)
347 *counter_ret = counter;
348 if (h_ret != NULL)
349 *h_ret = h;
350 if (seed_out != NULL)
351 memcpy(seed_out, seed, qsize);
352 }
353 BN_CTX_end(ctx);
354 BN_CTX_free(ctx);
355 BN_MONT_CTX_free(mont);
356
357 return ok;
358}
359
360#endif
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
deleted file mode 100644
index 5fbedcf705..0000000000
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ /dev/null
@@ -1,111 +0,0 @@
1/* $OpenBSD: dsa_key.c,v 1.37 2024/05/11 06:43:50 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61
62#include <openssl/opensslconf.h>
63
64#ifndef OPENSSL_NO_SHA
65
66#include <openssl/bn.h>
67#include <openssl/dsa.h>
68
69#include "bn_local.h"
70#include "dsa_local.h"
71
72int
73DSA_generate_key(DSA *dsa)
74{
75 BIGNUM *pub_key = NULL, *priv_key = NULL;
76 BN_CTX *ctx = NULL;
77 int ok = 0;
78
79 if ((priv_key = BN_new()) == NULL)
80 goto err;
81 if ((pub_key = BN_new()) == NULL)
82 goto err;
83
84 if ((ctx = BN_CTX_new()) == NULL)
85 goto err;
86
87 if (!bn_rand_interval(priv_key, 1, dsa->q))
88 goto err;
89 if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx))
90 goto err;
91
92 BN_free(dsa->priv_key);
93 dsa->priv_key = priv_key;
94 priv_key = NULL;
95
96 BN_free(dsa->pub_key);
97 dsa->pub_key = pub_key;
98 pub_key = NULL;
99
100 ok = 1;
101
102 err:
103 BN_free(pub_key);
104 BN_free(priv_key);
105 BN_CTX_free(ctx);
106
107 return ok;
108}
109LCRYPTO_ALIAS(DSA_generate_key);
110
111#endif
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
deleted file mode 100644
index daf2fa135b..0000000000
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ /dev/null
@@ -1,483 +0,0 @@
1/* $OpenBSD: dsa_lib.c,v 1.48 2024/03/27 01:49:31 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
60
61#include <stdio.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/asn1.h>
66#include <openssl/bn.h>
67#include <openssl/dsa.h>
68#include <openssl/err.h>
69
70#ifndef OPENSSL_NO_DH
71#include <openssl/dh.h>
72#endif
73
74#include "dh_local.h"
75#include "dsa_local.h"
76
77static const DSA_METHOD *default_DSA_method = NULL;
78
79void
80DSA_set_default_method(const DSA_METHOD *meth)
81{
82 default_DSA_method = meth;
83}
84LCRYPTO_ALIAS(DSA_set_default_method);
85
86const DSA_METHOD *
87DSA_get_default_method(void)
88{
89 if (!default_DSA_method)
90 default_DSA_method = DSA_OpenSSL();
91 return default_DSA_method;
92}
93LCRYPTO_ALIAS(DSA_get_default_method);
94
95DSA *
96DSA_new(void)
97{
98 return DSA_new_method(NULL);
99}
100LCRYPTO_ALIAS(DSA_new);
101
102int
103DSA_set_method(DSA *dsa, const DSA_METHOD *meth)
104{
105 /*
106 * NB: The caller is specifically setting a method, so it's not up to us
107 * to deal with which ENGINE it comes from.
108 */
109 const DSA_METHOD *mtmp;
110 mtmp = dsa->meth;
111 if (mtmp->finish)
112 mtmp->finish(dsa);
113 dsa->meth = meth;
114 if (meth->init)
115 meth->init(dsa);
116 return 1;
117}
118LCRYPTO_ALIAS(DSA_set_method);
119
120DSA *
121DSA_new_method(ENGINE *engine)
122{
123 DSA *dsa;
124
125 if ((dsa = calloc(1, sizeof(DSA))) == NULL) {
126 DSAerror(ERR_R_MALLOC_FAILURE);
127 goto err;
128 }
129
130 dsa->meth = DSA_get_default_method();
131 dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
132 dsa->references = 1;
133
134 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data))
135 goto err;
136 if (dsa->meth->init != NULL && !dsa->meth->init(dsa))
137 goto err;
138
139 return dsa;
140
141 err:
142 DSA_free(dsa);
143
144 return NULL;
145}
146LCRYPTO_ALIAS(DSA_new_method);
147
148void
149DSA_free(DSA *dsa)
150{
151 if (dsa == NULL)
152 return;
153
154 if (CRYPTO_add(&dsa->references, -1, CRYPTO_LOCK_DSA) > 0)
155 return;
156
157 if (dsa->meth != NULL && dsa->meth->finish != NULL)
158 dsa->meth->finish(dsa);
159
160 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data);
161
162 BN_free(dsa->p);
163 BN_free(dsa->q);
164 BN_free(dsa->g);
165 BN_free(dsa->pub_key);
166 BN_free(dsa->priv_key);
167 BN_free(dsa->kinv);
168 BN_free(dsa->r);
169 free(dsa);
170}
171LCRYPTO_ALIAS(DSA_free);
172
173int
174DSA_up_ref(DSA *dsa)
175{
176 return CRYPTO_add(&dsa->references, 1, CRYPTO_LOCK_DSA) > 1;
177}
178LCRYPTO_ALIAS(DSA_up_ref);
179
180int
181DSA_size(const DSA *dsa)
182{
183 DSA_SIG signature;
184 int ret = 0;
185
186 signature.r = dsa->q;
187 signature.s = dsa->q;
188
189 if ((ret = i2d_DSA_SIG(&signature, NULL)) < 0)
190 ret = 0;
191
192 return ret;
193}
194LCRYPTO_ALIAS(DSA_size);
195
196int
197DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
198 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
199{
200 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, argl, argp,
201 new_func, dup_func, free_func);
202}
203LCRYPTO_ALIAS(DSA_get_ex_new_index);
204
205int
206DSA_set_ex_data(DSA *dsa, int idx, void *arg)
207{
208 return CRYPTO_set_ex_data(&dsa->ex_data, idx, arg);
209}
210LCRYPTO_ALIAS(DSA_set_ex_data);
211
212void *
213DSA_get_ex_data(DSA *dsa, int idx)
214{
215 return CRYPTO_get_ex_data(&dsa->ex_data, idx);
216}
217LCRYPTO_ALIAS(DSA_get_ex_data);
218
219int
220DSA_security_bits(const DSA *dsa)
221{
222 if (dsa->p == NULL || dsa->q == NULL)
223 return -1;
224
225 return BN_security_bits(BN_num_bits(dsa->p), BN_num_bits(dsa->q));
226}
227LCRYPTO_ALIAS(DSA_security_bits);
228
229#ifndef OPENSSL_NO_DH
230DH *
231DSA_dup_DH(const DSA *dsa)
232{
233 /*
234 * DSA has p, q, g, optional pub_key, optional priv_key.
235 * DH has p, optional length, g, optional pub_key, optional priv_key,
236 * optional q.
237 */
238 DH *dh = NULL;
239
240 if (dsa == NULL)
241 goto err;
242
243 if ((dh = DH_new()) == NULL)
244 goto err;
245
246 if (dsa->p != NULL) {
247 if ((dh->p = BN_dup(dsa->p)) == NULL)
248 goto err;
249 }
250 if (dsa->q != NULL) {
251 dh->length = BN_num_bits(dsa->q);
252 if ((dh->q = BN_dup(dsa->q)) == NULL)
253 goto err;
254 }
255 if (dsa->g != NULL) {
256 if ((dh->g = BN_dup(dsa->g)) == NULL)
257 goto err;
258 }
259 if (dsa->pub_key != NULL) {
260 if ((dh->pub_key = BN_dup(dsa->pub_key)) == NULL)
261 goto err;
262 }
263 if (dsa->priv_key != NULL) {
264 if ((dh->priv_key = BN_dup(dsa->priv_key)) == NULL)
265 goto err;
266 }
267
268 return dh;
269
270 err:
271 DH_free(dh);
272 return NULL;
273}
274LCRYPTO_ALIAS(DSA_dup_DH);
275#endif
276
277void
278DSA_get0_pqg(const DSA *dsa, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
279{
280 if (p != NULL)
281 *p = dsa->p;
282 if (q != NULL)
283 *q = dsa->q;
284 if (g != NULL)
285 *g = dsa->g;
286}
287LCRYPTO_ALIAS(DSA_get0_pqg);
288
289int
290DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g)
291{
292 if ((dsa->p == NULL && p == NULL) || (dsa->q == NULL && q == NULL) ||
293 (dsa->g == NULL && g == NULL))
294 return 0;
295
296 if (p != NULL) {
297 BN_free(dsa->p);
298 dsa->p = p;
299 }
300 if (q != NULL) {
301 BN_free(dsa->q);
302 dsa->q = q;
303 }
304 if (g != NULL) {
305 BN_free(dsa->g);
306 dsa->g = g;
307 }
308
309 return 1;
310}
311LCRYPTO_ALIAS(DSA_set0_pqg);
312
313void
314DSA_get0_key(const DSA *dsa, const BIGNUM **pub_key, const BIGNUM **priv_key)
315{
316 if (pub_key != NULL)
317 *pub_key = dsa->pub_key;
318 if (priv_key != NULL)
319 *priv_key = dsa->priv_key;
320}
321LCRYPTO_ALIAS(DSA_get0_key);
322
323int
324DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key)
325{
326 if (dsa->pub_key == NULL && pub_key == NULL)
327 return 0;
328
329 if (pub_key != NULL) {
330 BN_free(dsa->pub_key);
331 dsa->pub_key = pub_key;
332 }
333 if (priv_key != NULL) {
334 BN_free(dsa->priv_key);
335 dsa->priv_key = priv_key;
336 }
337
338 return 1;
339}
340LCRYPTO_ALIAS(DSA_set0_key);
341
342const BIGNUM *
343DSA_get0_p(const DSA *dsa)
344{
345 return dsa->p;
346}
347LCRYPTO_ALIAS(DSA_get0_p);
348
349const BIGNUM *
350DSA_get0_q(const DSA *dsa)
351{
352 return dsa->q;
353}
354LCRYPTO_ALIAS(DSA_get0_q);
355
356const BIGNUM *
357DSA_get0_g(const DSA *dsa)
358{
359 return dsa->g;
360}
361LCRYPTO_ALIAS(DSA_get0_g);
362
363const BIGNUM *
364DSA_get0_pub_key(const DSA *dsa)
365{
366 return dsa->pub_key;
367}
368LCRYPTO_ALIAS(DSA_get0_pub_key);
369
370const BIGNUM *
371DSA_get0_priv_key(const DSA *dsa)
372{
373 return dsa->priv_key;
374}
375LCRYPTO_ALIAS(DSA_get0_priv_key);
376
377void
378DSA_clear_flags(DSA *dsa, int flags)
379{
380 dsa->flags &= ~flags;
381}
382LCRYPTO_ALIAS(DSA_clear_flags);
383
384int
385DSA_test_flags(const DSA *dsa, int flags)
386{
387 return dsa->flags & flags;
388}
389LCRYPTO_ALIAS(DSA_test_flags);
390
391void
392DSA_set_flags(DSA *dsa, int flags)
393{
394 dsa->flags |= flags;
395}
396LCRYPTO_ALIAS(DSA_set_flags);
397
398ENGINE *
399DSA_get0_engine(DSA *dsa)
400{
401 return NULL;
402}
403LCRYPTO_ALIAS(DSA_get0_engine);
404
405int
406DSA_bits(const DSA *dsa)
407{
408 return BN_num_bits(dsa->p);
409}
410LCRYPTO_ALIAS(DSA_bits);
411
412int
413dsa_check_key(const DSA *dsa)
414{
415 int p_bits, q_bits;
416
417 if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
418 DSAerror(DSA_R_MISSING_PARAMETERS);
419 return 0;
420 }
421
422 /* Checking that p and q are primes is expensive. Check they are odd. */
423 if (!BN_is_odd(dsa->p) || !BN_is_odd(dsa->q)) {
424 DSAerror(DSA_R_INVALID_PARAMETERS);
425 return 0;
426 }
427
428 /* FIPS 186-4: 1 < g < p. */
429 if (BN_cmp(dsa->g, BN_value_one()) <= 0 ||
430 BN_cmp(dsa->g, dsa->p) >= 0) {
431 DSAerror(DSA_R_INVALID_PARAMETERS);
432 return 0;
433 }
434
435 /* We know p and g are positive. The next two checks imply q > 0. */
436 if (BN_is_negative(dsa->q)) {
437 DSAerror(DSA_R_BAD_Q_VALUE);
438 return 0;
439 }
440
441 /* FIPS 186-4 only allows three sizes for q. */
442 q_bits = BN_num_bits(dsa->q);
443 if (q_bits != 160 && q_bits != 224 && q_bits != 256) {
444 DSAerror(DSA_R_BAD_Q_VALUE);
445 return 0;
446 }
447
448 /*
449 * XXX - FIPS 186-4 only allows 1024, 2048, and 3072 bits for p.
450 * Cap the size to reduce DoS risks. Poor defaults make keys with
451 * incorrect p sizes >= 512 bits common, so only enforce a weak
452 * lower bound.
453 */
454 p_bits = BN_num_bits(dsa->p);
455 if (p_bits > OPENSSL_DSA_MAX_MODULUS_BITS) {
456 DSAerror(DSA_R_MODULUS_TOO_LARGE);
457 return 0;
458 }
459 if (p_bits < 512) {
460 DSAerror(DSA_R_INVALID_PARAMETERS);
461 return 0;
462 }
463
464 /* The public key must be in the multiplicative group (mod p). */
465 if (dsa->pub_key != NULL) {
466 if (BN_cmp(dsa->pub_key, BN_value_one()) <= 0 ||
467 BN_cmp(dsa->pub_key, dsa->p) >= 0) {
468 DSAerror(DSA_R_INVALID_PARAMETERS);
469 return 0;
470 }
471 }
472
473 /* The private key must be nonzero and in GF(q). */
474 if (dsa->priv_key != NULL) {
475 if (BN_cmp(dsa->priv_key, BN_value_one()) < 0 ||
476 BN_cmp(dsa->priv_key, dsa->q) >= 0) {
477 DSAerror(DSA_R_INVALID_PARAMETERS);
478 return 0;
479 }
480 }
481
482 return 1;
483}
diff --git a/src/lib/libcrypto/dsa/dsa_local.h b/src/lib/libcrypto/dsa/dsa_local.h
deleted file mode 100644
index fc77c09fcb..0000000000
--- a/src/lib/libcrypto/dsa/dsa_local.h
+++ /dev/null
@@ -1,104 +0,0 @@
1/* $OpenBSD: dsa_local.h,v 1.5 2024/11/29 07:42:35 tb Exp $ */
2/* ====================================================================
3 * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include <openssl/dsa.h>
57
58__BEGIN_HIDDEN_DECLS
59
60struct DSA_SIG_st {
61 BIGNUM *r;
62 BIGNUM *s;
63} /* DSA_SIG */;
64
65struct dsa_method {
66 char *name;
67 DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
68 int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
69 BIGNUM **rp);
70 int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
71 DSA_SIG *sig, DSA *dsa);
72 int (*init)(DSA *dsa);
73 int (*finish)(DSA *dsa);
74 int flags;
75} /* DSA_METHOD */;
76
77struct dsa_st {
78 long version;
79 BIGNUM *p;
80 BIGNUM *q; /* == 20 */
81 BIGNUM *g;
82
83 BIGNUM *pub_key; /* y public key */
84 BIGNUM *priv_key; /* x private key */
85
86 BIGNUM *kinv; /* Signing pre-calc */
87 BIGNUM *r; /* Signing pre-calc */
88
89 int flags;
90 /* Normally used to cache montgomery values */
91 BN_MONT_CTX *method_mont_p;
92 int references;
93 CRYPTO_EX_DATA ex_data;
94 const DSA_METHOD *meth;
95} /* DSA */;
96
97int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
98 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
99 unsigned char *seed_out,
100 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
101
102int dsa_check_key(const DSA *dsa);
103
104__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/dsa/dsa_meth.c b/src/lib/libcrypto/dsa/dsa_meth.c
deleted file mode 100644
index c84b5287e1..0000000000
--- a/src/lib/libcrypto/dsa/dsa_meth.c
+++ /dev/null
@@ -1,110 +0,0 @@
1/* $OpenBSD: dsa_meth.c,v 1.7 2023/07/08 14:28:15 beck Exp $ */
2/*
3 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <stdlib.h>
19#include <string.h>
20
21#include <openssl/dsa.h>
22#include <openssl/err.h>
23
24#include "dsa_local.h"
25
26DSA_METHOD *
27DSA_meth_new(const char *name, int flags)
28{
29 DSA_METHOD *meth;
30
31 if ((meth = calloc(1, sizeof(*meth))) == NULL)
32 return NULL;
33 if ((meth->name = strdup(name)) == NULL) {
34 free(meth);
35 return NULL;
36 }
37 meth->flags = flags;
38
39 return meth;
40}
41LCRYPTO_ALIAS(DSA_meth_new);
42
43void
44DSA_meth_free(DSA_METHOD *meth)
45{
46 if (meth == NULL)
47 return;
48
49 free(meth->name);
50 free(meth);
51}
52LCRYPTO_ALIAS(DSA_meth_free);
53
54DSA_METHOD *
55DSA_meth_dup(const DSA_METHOD *meth)
56{
57 DSA_METHOD *copy;
58
59 if ((copy = calloc(1, sizeof(*copy))) == NULL)
60 return NULL;
61 memcpy(copy, meth, sizeof(*copy));
62 if ((copy->name = strdup(meth->name)) == NULL) {
63 free(copy);
64 return NULL;
65 }
66
67 return copy;
68}
69LCRYPTO_ALIAS(DSA_meth_dup);
70
71const char *
72DSA_meth_get0_name(const DSA_METHOD *meth)
73{
74 return meth->name;
75}
76LCRYPTO_ALIAS(DSA_meth_get0_name);
77
78int
79DSA_meth_set1_name(DSA_METHOD *meth, const char *name)
80{
81 char *new_name;
82
83 if ((new_name = strdup(name)) == NULL) {
84 DSAerror(ERR_R_MALLOC_FAILURE);
85 return 0;
86 }
87
88 free(meth->name);
89 meth->name = new_name;
90
91 return 1;
92}
93LCRYPTO_ALIAS(DSA_meth_set1_name);
94
95int
96DSA_meth_set_sign(DSA_METHOD *meth,
97 DSA_SIG *(*sign)(const unsigned char *, int, DSA *))
98{
99 meth->dsa_do_sign = sign;
100 return 1;
101}
102LCRYPTO_ALIAS(DSA_meth_set_sign);
103
104int
105DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *))
106{
107 meth->finish = finish;
108 return 1;
109}
110LCRYPTO_ALIAS(DSA_meth_set_finish);
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
deleted file mode 100644
index c53c8b9001..0000000000
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ /dev/null
@@ -1,456 +0,0 @@
1/* $OpenBSD: dsa_ossl.c,v 1.56 2024/05/11 06:43:50 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
60
61#include <stdio.h>
62
63#include <openssl/asn1.h>
64#include <openssl/bn.h>
65#include <openssl/dsa.h>
66#include <openssl/err.h>
67#include <openssl/sha.h>
68
69#include "bn_local.h"
70#include "dsa_local.h"
71
72/*
73 * Since DSA parameters are entirely arbitrary and checking them to be
74 * consistent is very expensive, we cannot do so on every sign operation.
75 * Instead, cap the number of retries so we do not loop indefinitely if
76 * the generator of the multiplicative group happens to be nilpotent.
77 * The probability of needing a retry with valid parameters is negligible,
78 * so trying 32 times is amply enough.
79 */
80#define DSA_MAX_SIGN_ITERATIONS 32
81
82static DSA_SIG *
83dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
84{
85 BIGNUM *b = NULL, *bm = NULL, *bxr = NULL, *binv = NULL, *m = NULL;
86 BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
87 BN_CTX *ctx = NULL;
88 int reason = ERR_R_BN_LIB;
89 DSA_SIG *ret = NULL;
90 int attempts = 0;
91 int noredo = 0;
92
93 if (!dsa_check_key(dsa)) {
94 reason = DSA_R_INVALID_PARAMETERS;
95 goto err;
96 }
97
98 if ((s = BN_new()) == NULL)
99 goto err;
100
101 if ((ctx = BN_CTX_new()) == NULL)
102 goto err;
103
104 BN_CTX_start(ctx);
105
106 if ((b = BN_CTX_get(ctx)) == NULL)
107 goto err;
108 if ((binv = BN_CTX_get(ctx)) == NULL)
109 goto err;
110 if ((bm = BN_CTX_get(ctx)) == NULL)
111 goto err;
112 if ((bxr = BN_CTX_get(ctx)) == NULL)
113 goto err;
114 if ((m = BN_CTX_get(ctx)) == NULL)
115 goto err;
116
117 /*
118 * If the digest length is greater than N (the bit length of q), the
119 * leftmost N bits of the digest shall be used, see FIPS 186-3, 4.2.
120 * In this case the digest length is given in bytes.
121 */
122 if (dlen > BN_num_bytes(dsa->q))
123 dlen = BN_num_bytes(dsa->q);
124 if (BN_bin2bn(dgst, dlen, m) == NULL)
125 goto err;
126
127 redo:
128 if (dsa->kinv == NULL || dsa->r == NULL) {
129 if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
130 goto err;
131 } else {
132 kinv = dsa->kinv;
133 dsa->kinv = NULL;
134 r = dsa->r;
135 dsa->r = NULL;
136 noredo = 1;
137 }
138
139 /*
140 * Compute:
141 *
142 * s = inv(k)(m + xr) mod q
143 *
144 * In order to reduce the possibility of a side-channel attack, the
145 * following is calculated using a blinding value:
146 *
147 * s = inv(b)(bm + bxr)inv(k) mod q
148 *
149 * Where b is a random value in the range [1, q).
150 */
151 if (!bn_rand_interval(b, 1, dsa->q))
152 goto err;
153 if (BN_mod_inverse_ct(binv, b, dsa->q, ctx) == NULL)
154 goto err;
155
156 if (!BN_mod_mul(bxr, b, dsa->priv_key, dsa->q, ctx)) /* bx */
157 goto err;
158 if (!BN_mod_mul(bxr, bxr, r, dsa->q, ctx)) /* bxr */
159 goto err;
160 if (!BN_mod_mul(bm, b, m, dsa->q, ctx)) /* bm */
161 goto err;
162 if (!BN_mod_add(s, bxr, bm, dsa->q, ctx)) /* s = bm + bxr */
163 goto err;
164 if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) /* s = b(m + xr)k^-1 */
165 goto err;
166 if (!BN_mod_mul(s, s, binv, dsa->q, ctx)) /* s = (m + xr)k^-1 */
167 goto err;
168
169 /*
170 * Redo if r or s is zero as required by FIPS 186-3: this is very
171 * unlikely.
172 */
173 if (BN_is_zero(r) || BN_is_zero(s)) {
174 if (noredo) {
175 reason = DSA_R_NEED_NEW_SETUP_VALUES;
176 goto err;
177 }
178 if (++attempts > DSA_MAX_SIGN_ITERATIONS) {
179 reason = DSA_R_INVALID_PARAMETERS;
180 goto err;
181 }
182 goto redo;
183 }
184
185 if ((ret = DSA_SIG_new()) == NULL) {
186 reason = ERR_R_MALLOC_FAILURE;
187 goto err;
188 }
189 ret->r = r;
190 ret->s = s;
191
192 err:
193 if (!ret) {
194 DSAerror(reason);
195 BN_free(r);
196 BN_free(s);
197 }
198 BN_CTX_end(ctx);
199 BN_CTX_free(ctx);
200 BN_free(kinv);
201
202 return ret;
203}
204
205static int
206dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
207{
208 BIGNUM *k = NULL, *l = NULL, *m = NULL, *kinv = NULL, *r = NULL;
209 BN_CTX *ctx = NULL;
210 int q_bits;
211 int ret = 0;
212
213 if (!dsa_check_key(dsa))
214 goto err;
215
216 if ((r = BN_new()) == NULL)
217 goto err;
218
219 if ((ctx = ctx_in) == NULL)
220 ctx = BN_CTX_new();
221 if (ctx == NULL)
222 goto err;
223
224 BN_CTX_start(ctx);
225
226 if ((k = BN_CTX_get(ctx)) == NULL)
227 goto err;
228 if ((l = BN_CTX_get(ctx)) == NULL)
229 goto err;
230 if ((m = BN_CTX_get(ctx)) == NULL)
231 goto err;
232
233 /* Preallocate space */
234 q_bits = BN_num_bits(dsa->q);
235 if (!BN_set_bit(k, q_bits) ||
236 !BN_set_bit(l, q_bits) ||
237 !BN_set_bit(m, q_bits))
238 goto err;
239
240 if (!bn_rand_interval(k, 1, dsa->q))
241 goto err;
242
243 BN_set_flags(k, BN_FLG_CONSTTIME);
244
245 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
246 if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
247 CRYPTO_LOCK_DSA, dsa->p, ctx))
248 goto err;
249 }
250
251 /* Compute r = (g^k mod p) mod q */
252
253 /*
254 * We do not want timing information to leak the length of k,
255 * so we compute G^k using an equivalent exponent of fixed
256 * bit-length.
257 *
258 * We unconditionally perform both of these additions to prevent a
259 * small timing information leakage. We then choose the sum that is
260 * one bit longer than the modulus.
261 *
262 * TODO: revisit the bn_copy aiming for a memory access agnostic
263 * conditional copy.
264 */
265
266 if (!BN_add(l, k, dsa->q) ||
267 !BN_add(m, l, dsa->q) ||
268 !bn_copy(k, BN_num_bits(l) > q_bits ? l : m))
269 goto err;
270
271 if (!BN_mod_exp_mont_ct(r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p))
272 goto err;
273
274 if (!BN_mod_ct(r, r, dsa->q, ctx))
275 goto err;
276
277 /* Compute part of 's = inv(k) (m + xr) mod q' */
278 if ((kinv = BN_mod_inverse_ct(NULL, k, dsa->q, ctx)) == NULL)
279 goto err;
280
281 BN_free(*kinvp);
282 *kinvp = kinv;
283 kinv = NULL;
284
285 BN_free(*rp);
286 *rp = r;
287
288 ret = 1;
289
290 err:
291 if (!ret) {
292 DSAerror(ERR_R_BN_LIB);
293 BN_free(r);
294 }
295 BN_CTX_end(ctx);
296 if (ctx != ctx_in)
297 BN_CTX_free(ctx);
298
299 return ret;
300}
301
302static int
303dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
304{
305 BIGNUM *u1 = NULL, *u2 = NULL, *t1 = NULL;
306 BN_CTX *ctx = NULL;
307 BN_MONT_CTX *mont = NULL;
308 int qbits;
309 int ret = -1;
310
311 if (!dsa_check_key(dsa))
312 goto err;
313
314 if ((ctx = BN_CTX_new()) == NULL)
315 goto err;
316
317 BN_CTX_start(ctx);
318
319 if ((u1 = BN_CTX_get(ctx)) == NULL)
320 goto err;
321 if ((u2 = BN_CTX_get(ctx)) == NULL)
322 goto err;
323 if ((t1 = BN_CTX_get(ctx)) == NULL)
324 goto err;
325
326 if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
327 BN_ucmp(sig->r, dsa->q) >= 0) {
328 ret = 0;
329 goto err;
330 }
331 if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
332 BN_ucmp(sig->s, dsa->q) >= 0) {
333 ret = 0;
334 goto err;
335 }
336
337 /* Calculate w = inv(s) mod q, saving w in u2. */
338 if ((BN_mod_inverse_ct(u2, sig->s, dsa->q, ctx)) == NULL)
339 goto err;
340
341 /*
342 * If the digest length is greater than the size of q use the
343 * BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-4, 4.2.
344 */
345 qbits = BN_num_bits(dsa->q);
346 if (dgst_len > (qbits >> 3))
347 dgst_len = (qbits >> 3);
348
349 /* Save m in u1. */
350 if (BN_bin2bn(dgst, dgst_len, u1) == NULL)
351 goto err;
352
353 /* u1 = m * w mod q */
354 if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx))
355 goto err;
356
357 /* u2 = r * w mod q */
358 if (!BN_mod_mul(u2, sig->r, u2, dsa->q, ctx))
359 goto err;
360
361 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
362 mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
363 CRYPTO_LOCK_DSA, dsa->p, ctx);
364 if (!mont)
365 goto err;
366 }
367
368 if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p,
369 ctx, mont))
370 goto err;
371
372 /* let u1 = u1 mod q */
373 if (!BN_mod_ct(u1, t1, dsa->q, ctx))
374 goto err;
375
376 /* v is in u1 - if the signature is correct, it will be equal to r. */
377 ret = BN_ucmp(u1, sig->r) == 0;
378
379 err:
380 if (ret < 0)
381 DSAerror(ERR_R_BN_LIB);
382 BN_CTX_end(ctx);
383 BN_CTX_free(ctx);
384
385 return ret;
386}
387
388static int
389dsa_init(DSA *dsa)
390{
391 dsa->flags |= DSA_FLAG_CACHE_MONT_P;
392 return 1;
393}
394
395static int
396dsa_finish(DSA *dsa)
397{
398 BN_MONT_CTX_free(dsa->method_mont_p);
399 return 1;
400}
401
402static const DSA_METHOD openssl_dsa_meth = {
403 .name = "OpenSSL DSA method",
404 .dsa_do_sign = dsa_do_sign,
405 .dsa_sign_setup = dsa_sign_setup,
406 .dsa_do_verify = dsa_do_verify,
407 .init = dsa_init,
408 .finish = dsa_finish,
409};
410
411const DSA_METHOD *
412DSA_OpenSSL(void)
413{
414 return &openssl_dsa_meth;
415}
416LCRYPTO_ALIAS(DSA_OpenSSL);
417
418DSA_SIG *
419DSA_SIG_new(void)
420{
421 return calloc(1, sizeof(DSA_SIG));
422}
423LCRYPTO_ALIAS(DSA_SIG_new);
424
425void
426DSA_SIG_free(DSA_SIG *sig)
427{
428 if (sig == NULL)
429 return;
430
431 BN_free(sig->r);
432 BN_free(sig->s);
433 free(sig);
434}
435LCRYPTO_ALIAS(DSA_SIG_free);
436
437int
438DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
439{
440 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
441}
442LCRYPTO_ALIAS(DSA_sign_setup);
443
444DSA_SIG *
445DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
446{
447 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
448}
449LCRYPTO_ALIAS(DSA_do_sign);
450
451int
452DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
453{
454 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
455}
456LCRYPTO_ALIAS(DSA_do_verify);
diff --git a/src/lib/libcrypto/dsa/dsa_pmeth.c b/src/lib/libcrypto/dsa/dsa_pmeth.c
deleted file mode 100644
index adc7319731..0000000000
--- a/src/lib/libcrypto/dsa/dsa_pmeth.c
+++ /dev/null
@@ -1,351 +0,0 @@
1/* $OpenBSD: dsa_pmeth.c,v 1.21 2024/10/19 14:39:44 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <limits.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <string.h>
63
64#include <openssl/asn1t.h>
65#include <openssl/bn.h>
66#include <openssl/err.h>
67#include <openssl/evp.h>
68#include <openssl/x509.h>
69
70#include "bn_local.h"
71#include "dsa_local.h"
72#include "evp_local.h"
73
74/* DSA pkey context structure */
75
76typedef struct {
77 /* Parameter gen parameters */
78 int nbits; /* size of p in bits (default: 1024) */
79 int qbits; /* size of q in bits (default: 160) */
80 const EVP_MD *pmd; /* MD for parameter generation */
81 /* Keygen callback info */
82 int gentmp[2];
83 /* message digest */
84 const EVP_MD *md; /* MD for the signature */
85} DSA_PKEY_CTX;
86
87static int
88pkey_dsa_init(EVP_PKEY_CTX *ctx)
89{
90 DSA_PKEY_CTX *dctx;
91
92 dctx = malloc(sizeof(DSA_PKEY_CTX));
93 if (!dctx)
94 return 0;
95 dctx->nbits = 1024;
96 dctx->qbits = 160;
97 dctx->pmd = NULL;
98 dctx->md = NULL;
99
100 ctx->data = dctx;
101 ctx->keygen_info = dctx->gentmp;
102 ctx->keygen_info_count = 2;
103
104 return 1;
105}
106
107static int
108pkey_dsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
109{
110 DSA_PKEY_CTX *dctx, *sctx;
111
112 if (!pkey_dsa_init(dst))
113 return 0;
114 sctx = src->data;
115 dctx = dst->data;
116 dctx->nbits = sctx->nbits;
117 dctx->qbits = sctx->qbits;
118 dctx->pmd = sctx->pmd;
119 dctx->md = sctx->md;
120 return 1;
121}
122
123static void
124pkey_dsa_cleanup(EVP_PKEY_CTX *ctx)
125{
126 DSA_PKEY_CTX *dctx = ctx->data;
127
128 free(dctx);
129}
130
131static int
132pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *out_siglen,
133 const unsigned char *tbs, size_t tbslen)
134{
135 DSA *dsa = ctx->pkey->pkey.dsa;
136 DSA_PKEY_CTX *dctx = ctx->data;
137 unsigned int siglen;
138
139 *out_siglen = 0;
140
141 if (tbslen > INT_MAX)
142 return 0;
143
144 if (dctx->md != NULL) {
145 if (tbslen != EVP_MD_size(dctx->md))
146 return 0;
147 }
148
149 if (!DSA_sign(0, tbs, tbslen, sig, &siglen, dsa))
150 return 0;
151
152 *out_siglen = siglen;
153
154 return 1;
155}
156
157static int
158pkey_dsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
159 const unsigned char *tbs, size_t tbslen)
160{
161 DSA *dsa = ctx->pkey->pkey.dsa;
162 DSA_PKEY_CTX *dctx = ctx->data;
163
164 if (tbslen > INT_MAX || siglen > INT_MAX)
165 return 0;
166
167 if (dctx->md != NULL) {
168 if (tbslen != EVP_MD_size(dctx->md))
169 return 0;
170 }
171
172 return DSA_verify(0, tbs, tbslen, sig, siglen, dsa);
173}
174
175static int
176pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
177{
178 DSA_PKEY_CTX *dctx = ctx->data;
179
180 switch (type) {
181 case EVP_PKEY_CTRL_DSA_PARAMGEN_BITS:
182 if (p1 < 256)
183 return -2;
184 dctx->nbits = p1;
185 return 1;
186
187 case EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS:
188 if (p1 != 160 && p1 != 224 && p1 && p1 != 256)
189 return -2;
190 dctx->qbits = p1;
191 return 1;
192
193 case EVP_PKEY_CTRL_DSA_PARAMGEN_MD:
194 switch (EVP_MD_type((const EVP_MD *)p2)) {
195 case NID_sha1:
196 case NID_sha224:
197 case NID_sha256:
198 break;
199 default:
200 DSAerror(DSA_R_INVALID_DIGEST_TYPE);
201 return 0;
202 }
203 dctx->md = p2;
204 return 1;
205
206 case EVP_PKEY_CTRL_MD:
207 /* ANSI X9.57 and NIST CSOR. */
208 switch (EVP_MD_type(p2)) {
209 case NID_sha1:
210 case NID_dsa:
211 case NID_dsaWithSHA:
212 case NID_sha224:
213 case NID_sha256:
214 case NID_sha384:
215 case NID_sha512:
216 case NID_sha3_224:
217 case NID_sha3_256:
218 case NID_sha3_384:
219 case NID_sha3_512:
220 break;
221 default:
222 DSAerror(DSA_R_INVALID_DIGEST_TYPE);
223 return 0;
224 }
225 dctx->md = p2;
226 return 1;
227
228 case EVP_PKEY_CTRL_GET_MD:
229 *(const EVP_MD **)p2 = dctx->md;
230 return 1;
231
232 case EVP_PKEY_CTRL_DIGESTINIT:
233 case EVP_PKEY_CTRL_PKCS7_SIGN:
234 case EVP_PKEY_CTRL_CMS_SIGN:
235 return 1;
236
237 case EVP_PKEY_CTRL_PEER_KEY:
238 DSAerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
239 return -2;
240 default:
241 return -2;
242 }
243}
244
245static int
246pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
247{
248 const char *errstr;
249
250 if (!strcmp(type, "dsa_paramgen_bits")) {
251 int nbits;
252
253 nbits = strtonum(value, INT_MIN, INT_MAX, &errstr);
254 if (errstr != NULL)
255 return -2;
256 return EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits);
257 } else if (!strcmp(type, "dsa_paramgen_q_bits")) {
258 int qbits;
259
260 qbits = strtonum(value, INT_MIN, INT_MAX, &errstr);
261 if (errstr != NULL)
262 return -2;
263 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA,
264 EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS,
265 qbits, NULL);
266 } else if (!strcmp(type, "dsa_paramgen_md")) {
267 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA,
268 EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
269 (void *)EVP_get_digestbyname(value));
270 }
271
272 return -2;
273}
274
275static int
276pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
277{
278 DSA *dsa;
279 DSA_PKEY_CTX *dctx = ctx->data;
280 BN_GENCB *pcb = NULL;
281 BN_GENCB cb = {0};
282 int ret = 0;
283
284 if ((dsa = DSA_new()) == NULL)
285 goto err;
286 if (ctx->pkey_gencb != NULL) {
287 pcb = &cb;
288 evp_pkey_set_cb_translate(pcb, ctx);
289 }
290 if (!dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
291 NULL, 0, NULL, NULL, NULL, pcb))
292 goto err;
293 if (!EVP_PKEY_assign_DSA(pkey, dsa))
294 goto err;
295 dsa = NULL;
296
297 ret = 1;
298
299 err:
300 DSA_free(dsa);
301
302 return ret;
303}
304
305static int
306pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
307{
308 DSA *dsa = NULL;
309 int ret = 0;
310
311 if (ctx->pkey == NULL) {
312 DSAerror(DSA_R_NO_PARAMETERS_SET);
313 goto err;
314 }
315 if ((dsa = DSA_new()) == NULL)
316 goto err;
317 if (!EVP_PKEY_set1_DSA(pkey, dsa))
318 goto err;
319
320 if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey))
321 goto err;
322 if (!DSA_generate_key(dsa))
323 goto err;
324
325 ret = 1;
326
327 err:
328 DSA_free(dsa);
329
330 return ret;
331}
332
333const EVP_PKEY_METHOD dsa_pkey_meth = {
334 .pkey_id = EVP_PKEY_DSA,
335 .flags = EVP_PKEY_FLAG_AUTOARGLEN,
336
337 .init = pkey_dsa_init,
338 .copy = pkey_dsa_copy,
339 .cleanup = pkey_dsa_cleanup,
340
341 .paramgen = pkey_dsa_paramgen,
342
343 .keygen = pkey_dsa_keygen,
344
345 .sign = pkey_dsa_sign,
346
347 .verify = pkey_dsa_verify,
348
349 .ctrl = pkey_dsa_ctrl,
350 .ctrl_str = pkey_dsa_ctrl_str
351};
diff --git a/src/lib/libcrypto/dsa/dsa_prn.c b/src/lib/libcrypto/dsa/dsa_prn.c
deleted file mode 100644
index f276d82482..0000000000
--- a/src/lib/libcrypto/dsa/dsa_prn.c
+++ /dev/null
@@ -1,135 +0,0 @@
1/* $OpenBSD: dsa_prn.c,v 1.10 2023/07/08 14:28:15 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/dsa.h>
62#include <openssl/err.h>
63#include <openssl/evp.h>
64
65int
66DSA_print_fp(FILE *fp, const DSA *x, int off)
67{
68 BIO *b;
69 int ret;
70
71 if ((b = BIO_new(BIO_s_file())) == NULL) {
72 DSAerror(ERR_R_BUF_LIB);
73 return 0;
74 }
75 BIO_set_fp(b, fp, BIO_NOCLOSE);
76 ret = DSA_print(b, x, off);
77 BIO_free(b);
78 return ret;
79}
80LCRYPTO_ALIAS(DSA_print_fp);
81
82int
83DSAparams_print_fp(FILE *fp, const DSA *x)
84{
85 BIO *b;
86 int ret;
87
88 if ((b = BIO_new(BIO_s_file())) == NULL) {
89 DSAerror(ERR_R_BUF_LIB);
90 return 0;
91 }
92 BIO_set_fp(b, fp, BIO_NOCLOSE);
93 ret = DSAparams_print(b, x);
94 BIO_free(b);
95 return ret;
96}
97LCRYPTO_ALIAS(DSAparams_print_fp);
98
99int
100DSA_print(BIO *bp, const DSA *x, int off)
101{
102 EVP_PKEY *pk;
103 int ret = 0;
104
105 if ((pk = EVP_PKEY_new()) == NULL)
106 goto err;
107
108 if (!EVP_PKEY_set1_DSA(pk, (DSA *)x))
109 goto err;
110
111 ret = EVP_PKEY_print_private(bp, pk, off, NULL);
112 err:
113 EVP_PKEY_free(pk);
114 return ret;
115}
116LCRYPTO_ALIAS(DSA_print);
117
118int
119DSAparams_print(BIO *bp, const DSA *x)
120{
121 EVP_PKEY *pk;
122 int ret = 0;
123
124 if ((pk = EVP_PKEY_new()) == NULL)
125 goto err;
126
127 if (!EVP_PKEY_set1_DSA(pk, (DSA *)x))
128 goto err;
129
130 ret = EVP_PKEY_print_params(bp, pk, 4, NULL);
131 err:
132 EVP_PKEY_free(pk);
133 return ret;
134}
135LCRYPTO_ALIAS(DSAparams_print);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-23 18:38:56 +0000