1 files changed, 66 insertions, 54 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 12509a7083..75ff7cc4af 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -65,33 +65,63 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#ifndef OPENSSL_FIPS
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                  DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
-static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
-                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
-                BN_MONT_CTX *in_mont);
-static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                                const BIGNUM *m, BN_CTX *ctx,
-                                BN_MONT_CTX *m_ctx);
 static DSA_METHOD openssl_dsa_meth = {
 "OpenSSL DSA method",
 dsa_do_sign,
 dsa_sign_setup,
 dsa_do_verify,
-dsa_mod_exp,
+NULL, /* dsa_mod_exp, */
-dsa_bn_mod_exp,
+NULL, /* dsa_bn_mod_exp, */
 dsa_init,
 dsa_finish,
 0,
+NULL,
+NULL,
 NULL
 };
+/* These macro wrappers replace attempts to use the dsa_mod_exp() and
+ * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
+ * having a the macro work as an expression by bundling an "err_instr". So;
+ * 
+ *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+ *                 dsa->method_mont_p)) goto err;
+ *
+ * can be replaced by;
+ *
+ *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
+ *                 dsa->method_mont_p);
+ */
+#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
+        do { \
+        int _tmp_res53; \
+        if((dsa)->meth->dsa_mod_exp) \
+                _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
+                                (a2), (p2), (m), (ctx), (in_mont)); \
+        else \
+                _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
+                                (m), (ctx), (in_mont)); \
+        if(!_tmp_res53) err_instr; \
+        } while(0)
+#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
+        do { \
+        int _tmp_res53; \
+        if((dsa)->meth->bn_mod_exp) \
+                _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
+                                (m), (ctx), (m_ctx)); \
+        else \
+                _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
+        if(!_tmp_res53) err_instr; \
+        } while(0)
 const DSA_METHOD *DSA_OpenSSL(void)
 {
        return &openssl_dsa_meth;
@@ -199,12 +229,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        while (BN_is_zero(&k));
        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
                {
-                BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+                BN_set_flags(&k, BN_FLG_CONSTTIME);
                }
        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
                {
-                if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
+                if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
                                                CRYPTO_LOCK_DSA,
                                                dsa->p, ctx))
                        goto err;
@@ -234,8 +264,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                {
                K = &k;
                }
-        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
+        DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
+                        dsa->method_mont_p);
        if (!BN_mod(r,r,dsa->q,ctx)) goto err;
        /* Compute  part of 's = inv(k) (m + xr) mod q' */
@@ -274,18 +304,32 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                return -1;
                }
+        if (BN_num_bits(dsa->q) != 160)
+                {
+                DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
+                return -1;
+                }
+        if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
+                {
+                DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
+                return -1;
+                }
        BN_init(&u1);
        BN_init(&u2);
        BN_init(&t1);
        if ((ctx=BN_CTX_new()) == NULL) goto err;
-        if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
+        if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
+            BN_ucmp(sig->r, dsa->q) >= 0)
                {
                ret = 0;
                goto err;
                }
-        if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
+        if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
+            BN_ucmp(sig->s, dsa->q) >= 0)
                {
                ret = 0;
                goto err;
@@ -307,43 +351,25 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
                {
-                mont = BN_MONT_CTX_set_locked(
+                mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-                                        (BN_MONT_CTX **)&dsa->method_mont_p,
                                        CRYPTO_LOCK_DSA, dsa->p, ctx);
                if (!mont)
                        goto err;
                }
-#if 0
-        {
+        DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
-        BIGNUM t2;
-        BN_init(&t2);
-        /* v = ( g^u1 * y^u2 mod p ) mod q */
-        /* let t1 = g ^ u1 mod p */
-        if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
-        /* let t2 = y ^ u2 mod p */
-        if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
-        /* let u1 = t1 * t2 mod p */
-        if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
-        BN_free(&t2);
-        }
-        /* let u1 = u1 mod q */
-        if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
-#else
-        {
-        if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
-                                                dsa->p,ctx,mont)) goto err;
        /* BN_copy(&u1,&t1); */
        /* let u1 = u1 mod q */
        if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
-        }
-#endif
        /* V is now in u1.  If the signature is correct, it will be
         * equal to R. */
        ret=(BN_ucmp(&u1, sig->r) == 0);
        err:
+        /* XXX: surely this is wrong - if ret is 0, it just didn't verify;
+           there is no error in BN. Test should be ret == -1 (Ben) */
        if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
        if (ctx != NULL) BN_CTX_free(ctx);
        BN_free(&u1);
@@ -361,21 +387,7 @@ static int dsa_init(DSA *dsa)
 static int dsa_finish(DSA *dsa)
 {
        if(dsa->method_mont_p)
-                BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
+                BN_MONT_CTX_free(dsa->method_mont_p);
        return(1);
 }
-static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
-                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
-                BN_MONT_CTX *in_mont)
-{
-        return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
-}
-        
-static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                                const BIGNUM *m, BN_CTX *ctx,
-                                BN_MONT_CTX *m_ctx)
-{
-        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
-}
-#endif

diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 12509a7083..75ff7cc4af 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -65,33 +65,63 @@
65	#include <openssl/rand.h>	65	#include <openssl/rand.h>
66	#include <openssl/asn1.h>	66	#include <openssl/asn1.h>
67		67
68	#ifndef OPENSSL_FIPS
69	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa);	68	static DSA_SIG dsa_do_sign(const unsigned char dgst, int dlen, DSA *dsa);
70	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp);	69	static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp);
71	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,	70	static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
72	DSA *dsa);	71	DSA *dsa);
73	static int dsa_init(DSA *dsa);	72	static int dsa_init(DSA *dsa);
74	static int dsa_finish(DSA *dsa);	73	static int dsa_finish(DSA *dsa);
75	static int dsa_mod_exp(DSA dsa, BIGNUM rr, BIGNUM a1, BIGNUM p1,
76	BIGNUM a2, BIGNUM p2, BIGNUM m, BN_CTX ctx,
77	BN_MONT_CTX *in_mont);
78	static int dsa_bn_mod_exp(DSA dsa, BIGNUM r, BIGNUM a, const BIGNUM p,
79	const BIGNUM m, BN_CTX ctx,
80	BN_MONT_CTX *m_ctx);
81		74
82	static DSA_METHOD openssl_dsa_meth = {	75	static DSA_METHOD openssl_dsa_meth = {
83	"OpenSSL DSA method",	76	"OpenSSL DSA method",
84	dsa_do_sign,	77	dsa_do_sign,
85	dsa_sign_setup,	78	dsa_sign_setup,
86	dsa_do_verify,	79	dsa_do_verify,
87	dsa_mod_exp,	80	NULL, /* dsa_mod_exp, */
88	dsa_bn_mod_exp,	81	NULL, /* dsa_bn_mod_exp, */
89	dsa_init,	82	dsa_init,
90	dsa_finish,	83	dsa_finish,
91	0,	84	0,
		85	NULL,
		86	NULL,
92	NULL	87	NULL
93	};	88	};
94		89
		90	/* These macro wrappers replace attempts to use the dsa_mod_exp() and
		91	* bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
		92	* having a the macro work as an expression by bundling an "err_instr". So;
		93	*
		94	* if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
		95	* dsa->method_mont_p)) goto err;
		96	*
		97	* can be replaced by;
		98	*
		99	* DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
		100	* dsa->method_mont_p);
		101	*/
		102
		103	#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
		104	do { \
		105	int _tmp_res53; \
		106	if((dsa)->meth->dsa_mod_exp) \
		107	_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
		108	(a2), (p2), (m), (ctx), (in_mont)); \
		109	else \
		110	_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
		111	(m), (ctx), (in_mont)); \
		112	if(!_tmp_res53) err_instr; \
		113	} while(0)
		114	#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
		115	do { \
		116	int _tmp_res53; \
		117	if((dsa)->meth->bn_mod_exp) \
		118	_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
		119	(m), (ctx), (m_ctx)); \
		120	else \
		121	_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
		122	if(!_tmp_res53) err_instr; \
		123	} while(0)
		124
95	const DSA_METHOD *DSA_OpenSSL(void)	125	const DSA_METHOD *DSA_OpenSSL(void)
96	{	126	{
97	return &openssl_dsa_meth;	127	return &openssl_dsa_meth;
@@ -199,12 +229,12 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
199	while (BN_is_zero(&k));	229	while (BN_is_zero(&k));
200	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)	230	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
201	{	231	{
202	BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);	232	BN_set_flags(&k, BN_FLG_CONSTTIME);
203	}	233	}
204		234
205	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)	235	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
206	{	236	{
207	if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,	237	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
208	CRYPTO_LOCK_DSA,	238	CRYPTO_LOCK_DSA,
209	dsa->p, ctx))	239	dsa->p, ctx))
210	goto err;	240	goto err;
@@ -234,8 +264,8 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
234	{	264	{
235	K = &k;	265	K = &k;
236	}	266	}
237	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,	267	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
238	(BN_MONT_CTX *)dsa->method_mont_p)) goto err;	268	dsa->method_mont_p);
239	if (!BN_mod(r,r,dsa->q,ctx)) goto err;	269	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
240		270
241	/* Compute part of 's = inv(k) (m + xr) mod q' */	271	/* Compute part of 's = inv(k) (m + xr) mod q' */
@@ -274,18 +304,32 @@ static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
274	return -1;	304	return -1;
275	}	305	}
276		306
		307	if (BN_num_bits(dsa->q) != 160)
		308	{
		309	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
		310	return -1;
		311	}
		312
		313	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
		314	{
		315	DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
		316	return -1;
		317	}
		318
277	BN_init(&u1);	319	BN_init(&u1);
278	BN_init(&u2);	320	BN_init(&u2);
279	BN_init(&t1);	321	BN_init(&t1);
280		322
281	if ((ctx=BN_CTX_new()) == NULL) goto err;	323	if ((ctx=BN_CTX_new()) == NULL) goto err;
282		324
283	if (BN_is_zero(sig->r) \|\| sig->r->neg \|\| BN_ucmp(sig->r, dsa->q) >= 0)	325	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
		326	BN_ucmp(sig->r, dsa->q) >= 0)
284	{	327	{
285	ret = 0;	328	ret = 0;
286	goto err;	329	goto err;
287	}	330	}
288	if (BN_is_zero(sig->s) \|\| sig->s->neg \|\| BN_ucmp(sig->s, dsa->q) >= 0)	331	if (BN_is_zero(sig->s) \|\| BN_is_negative(sig->s) \|\|
		332	BN_ucmp(sig->s, dsa->q) >= 0)
289	{	333	{
290	ret = 0;	334	ret = 0;
291	goto err;	335	goto err;
@@ -307,43 +351,25 @@ static int dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig,
307		351
308	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)	352	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
309	{	353	{
310	mont = BN_MONT_CTX_set_locked(	354	mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
311	(BN_MONT_CTX **)&dsa->method_mont_p,
312	CRYPTO_LOCK_DSA, dsa->p, ctx);	355	CRYPTO_LOCK_DSA, dsa->p, ctx);
313	if (!mont)	356	if (!mont)
314	goto err;	357	goto err;
315	}	358	}
316		359
317	#if 0	360
318	{	361	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
319	BIGNUM t2;
320
321	BN_init(&t2);
322	/* v = ( g^u1 * y^u2 mod p ) mod q */
323	/* let t1 = g ^ u1 mod p */
324	if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
325	/* let t2 = y ^ u2 mod p */
326	if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
327	/* let u1 = t1 * t2 mod p */
328	if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
329	BN_free(&t2);
330	}
331	/* let u1 = u1 mod q */
332	if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
333	#else
334	{
335	if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
336	dsa->p,ctx,mont)) goto err;
337	/* BN_copy(&u1,&t1); */	362	/* BN_copy(&u1,&t1); */
338	/* let u1 = u1 mod q */	363	/* let u1 = u1 mod q */
339	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;	364	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
340	}	365
341	#endif
342	/* V is now in u1. If the signature is correct, it will be	366	/* V is now in u1. If the signature is correct, it will be
343	* equal to R. */	367	* equal to R. */
344	ret=(BN_ucmp(&u1, sig->r) == 0);	368	ret=(BN_ucmp(&u1, sig->r) == 0);
345		369
346	err:	370	err:
		371	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
		372	there is no error in BN. Test should be ret == -1 (Ben) */
347	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);	373	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
348	if (ctx != NULL) BN_CTX_free(ctx);	374	if (ctx != NULL) BN_CTX_free(ctx);
349	BN_free(&u1);	375	BN_free(&u1);
@@ -361,21 +387,7 @@ static int dsa_init(DSA *dsa)
361	static int dsa_finish(DSA *dsa)	387	static int dsa_finish(DSA *dsa)
362	{	388	{
363	if(dsa->method_mont_p)	389	if(dsa->method_mont_p)
364	BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);	390	BN_MONT_CTX_free(dsa->method_mont_p);
365	return(1);	391	return(1);
366	}	392	}
367		393
368	static int dsa_mod_exp(DSA dsa, BIGNUM rr, BIGNUM a1, BIGNUM p1,
369	BIGNUM a2, BIGNUM p2, BIGNUM m, BN_CTX ctx,
370	BN_MONT_CTX *in_mont)
371	{
372	return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
373	}
374
375	static int dsa_bn_mod_exp(DSA dsa, BIGNUM r, BIGNUM a, const BIGNUM p,
376	const BIGNUM m, BN_CTX ctx,
377	BN_MONT_CTX *m_ctx)
378	{
379	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
380	}
381	#endif