From c0d439019460def565bb115ecef749833eb4c299 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 28 Oct 2014 22:56:18 +0000 Subject: [PATCH] Implement internally opaque bn access from dsa Reviewed-by: Tim Hudson --- crypto/dsa/dsa_depr.c | 16 ++++++-- crypto/dsa/dsa_key.c | 13 +++++-- crypto/dsa/dsa_ossl.c | 86 +++++++++++++++++++++--------------------- crypto/dsa/dsa_pmeth.c | 9 ++++- crypto/dsa/dsatest.c | 14 ++++--- 5 files changed, 82 insertions(+), 56 deletions(-) diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c index f2da680eb4..35c3423f29 100644 --- a/crypto/dsa/dsa_depr.c +++ b/crypto/dsa/dsa_depr.c @@ -89,16 +89,26 @@ DSA *DSA_generate_parameters(int bits, void (*callback)(int, int, void *), void *cb_arg) { - BN_GENCB cb; + BN_GENCB *cb; DSA *ret; if ((ret=DSA_new()) == NULL) return NULL; + cb = BN_GENCB_new(); + if(!cb) + { + DSA_free(ret); + return NULL; + } - BN_GENCB_set_old(&cb, callback, cb_arg); + BN_GENCB_set_old(cb, callback, cb_arg); if(DSA_generate_parameters_ex(ret, bits, seed_in, seed_len, - counter_ret, h_ret, &cb)) + counter_ret, h_ret, cb)) + { + BN_GENCB_free(cb); return ret; + } + BN_GENCB_free(cb); DSA_free(ret); return NULL; } diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index dbf745a7f3..a3adb2fdde 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -102,19 +102,24 @@ static int dsa_builtin_keygen(DSA *dsa) pub_key=dsa->pub_key; { - BIGNUM local_prk; + BIGNUM *local_prk = NULL; BIGNUM *prk; if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_init(&local_prk); - prk = &local_prk; + local_prk = prk = BN_new(); + if(!local_prk) goto err; BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); } else prk = priv_key; - if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err; + if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) + { + if (local_prk != NULL) BN_free(local_prk); + goto err; + } + if (local_prk != NULL) BN_free(local_prk); } dsa->priv_key=priv_key; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index fb0030a66f..ff29e55c8d 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -136,15 +136,16 @@ const DSA_METHOD *DSA_OpenSSL(void) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *kinv=NULL,*r=NULL,*s=NULL; - BIGNUM m; - BIGNUM xr; + BIGNUM *m; + BIGNUM *xr; BN_CTX *ctx=NULL; int reason=ERR_R_BN_LIB; DSA_SIG *ret=NULL; int noredo = 0; - BN_init(&m); - BN_init(&xr); + m = BN_new(); + xr = BN_new(); + if(!m || !xr) goto err; if (!dsa->p || !dsa->q || !dsa->g) { @@ -177,12 +178,12 @@ redo: * BN_num_bits(dsa->q) leftmost bits of the digest, see * fips 186-3, 4.2 */ dlen = BN_num_bytes(dsa->q); - if (BN_bin2bn(dgst,dlen,&m) == NULL) + if (BN_bin2bn(dgst,dlen,m) == NULL) goto err; /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ - if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */ + if (!BN_mod_mul(xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ + if (!BN_add(s, xr, m)) goto err; /* s = m + xr */ if (BN_cmp(s,dsa->q) > 0) if (!BN_sub(s,s,dsa->q)) goto err; if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; @@ -212,8 +213,8 @@ err: BN_free(s); } if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&m); - BN_clear_free(&xr); + BN_clear_free(m); + BN_clear_free(xr); if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ BN_clear_free(kinv); return(ret); @@ -228,8 +229,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp, const unsigned char *dgst, int dlen) { - BN_CTX *ctx; - BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; + BN_CTX *ctx = NULL; + BIGNUM *k,*kq,*K,*kinv=NULL,*r=NULL; int ret=0; if (!dsa->p || !dsa->q || !dsa->g) @@ -238,8 +239,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, return 0; } - BN_init(&k); - BN_init(&kq); + k = BN_new(); + kq = BN_new(); + if(!k || !kq) goto err; if (ctx_in == NULL) { @@ -259,18 +261,18 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* We calculate k from SHA512(private_key + H(message) * + random). This protects the private key from a weak * PRNG. */ - if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst, + if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst, dlen, ctx)) goto err; } else #endif - if (!BN_rand_range(&k, dsa->q)) goto err; - } while (BN_is_zero(&k)); + if (!BN_rand_range(k, dsa->q)) goto err; + } while (BN_is_zero(k)); if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_set_flags(&k, BN_FLG_CONSTTIME); + BN_set_flags(k, BN_FLG_CONSTTIME); } if (dsa->flags & DSA_FLAG_CACHE_MONT_P) @@ -285,7 +287,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - if (!BN_copy(&kq, &k)) goto err; + if (!BN_copy(kq, k)) goto err; /* We do not want timing information to leak the length of k, * so we compute g^k using an equivalent exponent of fixed length. @@ -293,24 +295,24 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * (This is a kludge that we need because the BN_mod_exp_mont() * does not let us specify the desired timing behaviour.) */ - if (!BN_add(&kq, &kq, dsa->q)) goto err; - if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) + if (!BN_add(kq, kq, dsa->q)) goto err; + if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) { - if (!BN_add(&kq, &kq, dsa->q)) goto err; + if (!BN_add(kq, kq, dsa->q)) goto err; } - K = &kq; + K = kq; } else { - K = &k; + K = k; } DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p); if (!BN_mod(r,r,dsa->q,ctx)) goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; + if ((kinv=BN_mod_inverse(NULL,k,dsa->q,ctx)) == NULL) goto err; if (*kinvp != NULL) BN_clear_free(*kinvp); *kinvp=kinv; @@ -326,8 +328,8 @@ err: BN_clear_free(r); } if (ctx_in == NULL) BN_CTX_free(ctx); - BN_clear_free(&k); - BN_clear_free(&kq); + BN_clear_free(k); + BN_clear_free(kq); return(ret); } @@ -335,7 +337,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { BN_CTX *ctx; - BIGNUM u1,u2,t1; + BIGNUM *u1,*u2,*t1; BN_MONT_CTX *mont=NULL; int ret = -1, i; if (!dsa->p || !dsa->q || !dsa->g) @@ -357,11 +359,11 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); return -1; } - BN_init(&u1); - BN_init(&u2); - BN_init(&t1); - - if ((ctx=BN_CTX_new()) == NULL) goto err; + u1 = BN_new(); + u2 = BN_new(); + t1 = BN_new(); + ctx=BN_CTX_new(); + if(!u1 || !u2 || !t1 || !ctx) goto err; if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || BN_ucmp(sig->r, dsa->q) >= 0) @@ -378,7 +380,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, /* Calculate W = inv(S) mod Q * save W in u2 */ - if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err; + if ((BN_mod_inverse(u2,sig->s,dsa->q,ctx)) == NULL) goto err; /* save M in u1 */ if (dgst_len > (i >> 3)) @@ -386,13 +388,13 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, * BN_num_bits(dsa->q) leftmost bits of the digest, see * fips 186-3, 4.2 */ dgst_len = (i >> 3); - if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err; + if (BN_bin2bn(dgst,dgst_len,u1) == NULL) goto err; /* u1 = M * w mod q */ - if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err; + if (!BN_mod_mul(u1,u1,u2,dsa->q,ctx)) goto err; /* u2 = r * w mod q */ - if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err; + if (!BN_mod_mul(u2,sig->r,u2,dsa->q,ctx)) goto err; if (dsa->flags & DSA_FLAG_CACHE_MONT_P) @@ -404,21 +406,21 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, } - DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont); + DSA_MOD_EXP(goto err, dsa, t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx, mont); /* BN_copy(&u1,&t1); */ /* let u1 = u1 mod q */ - if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err; + if (!BN_mod(u1,t1,dsa->q,ctx)) goto err; /* V is now in u1. If the signature is correct, it will be * equal to R. */ - ret=(BN_ucmp(&u1, sig->r) == 0); + ret=(BN_ucmp(u1, sig->r) == 0); err: if (ret < 0) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB); if (ctx != NULL) BN_CTX_free(ctx); - BN_free(&u1); - BN_free(&u2); - BN_free(&t1); + if(u1) BN_free(u1); + if(u2) BN_free(u2); + if(t1) BN_free(t1); return(ret); } diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 4c7a5a847b..2f0586a541 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -246,20 +246,25 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { DSA *dsa = NULL; DSA_PKEY_CTX *dctx = ctx->data; - BN_GENCB *pcb, cb; + BN_GENCB *pcb; int ret; if (ctx->pkey_gencb) { - pcb = &cb; + pcb = BN_GENCB_new(); + if(!pcb) return 0; evp_pkey_set_cb_translate(pcb, ctx); } else pcb = NULL; dsa = DSA_new(); if (!dsa) + { + if(pcb) BN_GENCB_free(pcb); return 0; + } ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, NULL, 0, NULL, NULL, NULL, pcb); + if(pcb) BN_GENCB_free(pcb); if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c index edffd24e6b..271a8e0d0f 100644 --- a/crypto/dsa/dsatest.c +++ b/crypto/dsa/dsatest.c @@ -136,7 +136,7 @@ static BIO *bio_err=NULL; int main(int argc, char **argv) { - BN_GENCB cb; + BN_GENCB *cb; DSA *dsa=NULL; int counter,ret=0,i,j; unsigned char buf[256]; @@ -156,9 +156,12 @@ int main(int argc, char **argv) BIO_printf(bio_err,"test generation of DSA parameters\n"); - BN_GENCB_set(&cb, dsa_cb, bio_err); + cb = BN_GENCB_new(); + if(!cb) goto end; + + BN_GENCB_set(cb, dsa_cb, bio_err); if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512, - seed, 20, &counter, &h, &cb)) + seed, 20, &counter, &h, cb)) goto end; BIO_printf(bio_err,"seed\n"); @@ -221,6 +224,7 @@ end: if (!ret) ERR_print_errors(bio_err); if (dsa != NULL) DSA_free(dsa); + if (cb != NULL) BN_GENCB_free(cb); CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); ERR_free_strings(); @@ -246,8 +250,8 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg) if (p == 1) c='+'; if (p == 2) { c='*'; ok++; } if (p == 3) c='\n'; - BIO_write(arg->arg,&c,1); - (void)BIO_flush(arg->arg); + BIO_write(BN_GENCB_get_arg(arg),&c,1); + (void)BIO_flush(BN_GENCB_get_arg(arg)); if (!ok && (p == 0) && (num > 1)) {