early-access version 2698

externals/libressl/crypto/dsa/dsa_ameth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.28 2019/11/01 15:15:35 jsing Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.35 2022/04/07 17:38:24 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -69,6 +69,8 @@
 
 #include "asn1_locl.h"
 #include "bn_lcl.h"
+#include "dsa_locl.h"
+#include "evp_locl.h"
 
 static int
 dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
@@ -131,47 +133,46 @@ static int
 dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
 	DSA *dsa;
-	void *pval = NULL;
-	int ptype;
+	ASN1_INTEGER *pubint = NULL;
+	ASN1_STRING *str = NULL;
+	int ptype = V_ASN1_UNDEF;
 	unsigned char *penc = NULL;
 	int penclen;
 
 	dsa = pkey->pkey.dsa;
 	if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
-		ASN1_STRING *str;
-
-		str = ASN1_STRING_new();
-		if (str == NULL) {
+		if ((str = ASN1_STRING_new()) == NULL) {
 			DSAerror(ERR_R_MALLOC_FAILURE);
 			goto err;
 		}
 		str->length = i2d_DSAparams(dsa, &str->data);
 		if (str->length <= 0) {
 			DSAerror(ERR_R_MALLOC_FAILURE);
-			ASN1_STRING_free(str);
 			goto err;
 		}
-		pval = str;
 		ptype = V_ASN1_SEQUENCE;
-	} else
-		ptype = V_ASN1_UNDEF;
+	}
 
-	dsa->write_params = 0;
+	if ((pubint = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
+		DSAerror(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 
-	penclen = i2d_DSAPublicKey(dsa, &penc);
+	penclen = i2d_ASN1_INTEGER(pubint, &penc);
+	ASN1_INTEGER_free(pubint);
 
 	if (penclen <= 0) {
 		DSAerror(ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 
-	if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA), ptype, pval,
+	if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA), ptype, str,
 	    penc, penclen))
 		return 1;
 
-err:
+ err:
 	free(penc);
-	ASN1_STRING_free(pval);
+	ASN1_STRING_free(str);
 
 	return 0;
 }
@@ -478,13 +479,32 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
 {
 	DSA *dsa;
 	BN_CTX *ctx = NULL;
-	BIGNUM *j, *p1, *newp1;
+	BIGNUM *j, *p1, *newp1, *powg;
+	int qbits;
 
 	if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
 		DSAerror(ERR_R_DSA_LIB);
 		return 0;
 	}
 
+	/* FIPS 186-3 allows only three different sizes for q. */
+	qbits = BN_num_bits(dsa->q);
+	if (qbits != 160 && qbits != 224 && qbits != 256) {
+		DSAerror(DSA_R_BAD_Q_VALUE);
+		goto err;
+	}
+	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+		DSAerror(DSA_R_MODULUS_TOO_LARGE);
+		goto err;
+	}
+
+	/* Check that 1 < g < p. */
+	if (BN_cmp(dsa->g, BN_value_one()) <= 0 ||
+	    BN_cmp(dsa->g, dsa->p) >= 0) {
+		DSAerror(DSA_R_PARAMETER_ENCODING_ERROR); /* XXX */
+		goto err;
+	}
+
 	ctx = BN_CTX_new();
 	if (ctx == NULL)
 		goto err;
@@ -496,7 +516,8 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
 	j = BN_CTX_get(ctx);
 	p1 = BN_CTX_get(ctx);
 	newp1 = BN_CTX_get(ctx);
-	if (j == NULL || p1 == NULL || newp1 == NULL)
+	powg = BN_CTX_get(ctx);
+	if (j == NULL || p1 == NULL || newp1 == NULL || powg == NULL)
 		goto err;
 	/* p1 = p - 1 */
 	if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
@@ -512,6 +533,19 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
 		goto err;
 	}
 
+	/*
+	 * Check that g generates a multiplicative subgroup of order q.
+	 * We only check that g^q == 1, so the order is a divisor of q.
+	 * Once we know that q is prime, this is enough.
+	 */
+
+	if (!BN_mod_exp_ct(powg, dsa->g, dsa->q, dsa->p, ctx))
+		goto err;
+	if (BN_cmp(powg, BN_value_one()) != 0) {
+		DSAerror(DSA_R_PARAMETER_ENCODING_ERROR); /* XXX */
+		goto err;
+	}
+
 	/*
 	 * Check that q is not a composite number.
 	 */

externals/libressl/crypto/dsa/dsa_asn1.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
+/* $OpenBSD: dsa_asn1.c,v 1.24 2022/01/14 08:29:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -64,6 +64,8 @@
 #include <openssl/dsa.h>
 #include <openssl/err.h>
 
+#include "dsa_locl.h"
+
 /* Override the default new methods */
 static int
 sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
@@ -327,14 +329,15 @@ i2d_DSAparams_fp(FILE *fp, DSA *a)
 	return ASN1_item_i2d_fp(&DSAparams_it, fp, a);
 }
 
-/*
- * DSA public key is a bit trickier... its effectively a CHOICE type
- * decided by a field called write_params which can either write out
- * just the public key as an INTEGER or the parameters and public key
- * in a SEQUENCE
- */
-
-static const ASN1_TEMPLATE dsa_pub_internal_seq_tt[] = {
+static const ASN1_AUX DSAPublicKey_aux = {
+	.app_data = NULL,
+	.flags = 0,
+	.ref_offset = 0,
+	.ref_lock = 0,
+	.asn1_cb = dsa_cb,
+	.enc_offset = 0,
+};
+static const ASN1_TEMPLATE DSAPublicKey_seq_tt[] = {
 	{
 		.flags = 0,
 		.tag = 0,
@@ -365,52 +368,16 @@ static const ASN1_TEMPLATE dsa_pub_internal_seq_tt[] = {
 	},
 };
 
-const ASN1_ITEM dsa_pub_internal_it = {
+const ASN1_ITEM DSAPublicKey_it = {
 	.itype = ASN1_ITYPE_SEQUENCE,
 	.utype = V_ASN1_SEQUENCE,
-	.templates = dsa_pub_internal_seq_tt,
-	.tcount = sizeof(dsa_pub_internal_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(DSA),
-	.sname = "DSA",
-};
-
-static const ASN1_AUX DSAPublicKey_aux = {
-	.app_data = NULL,
-	.flags = 0,
-	.ref_offset = 0,
-	.ref_lock = 0,
-	.asn1_cb = dsa_cb,
-	.enc_offset = 0,
-};
-static const ASN1_TEMPLATE DSAPublicKey_ch_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(DSA, pub_key),
-		.field_name = "pub_key",
-		.item = &BIGNUM_it,
-	},
-	{
-		.flags = 0 | ASN1_TFLG_COMBINE,
-		.tag = 0,
-		.offset = 0,
-		.field_name = NULL,
-		.item = &dsa_pub_internal_it,
-	},
-};
-
-const ASN1_ITEM DSAPublicKey_it = {
-	.itype = ASN1_ITYPE_CHOICE,
-	.utype = offsetof(DSA, write_params),
-	.templates = DSAPublicKey_ch_tt,
-	.tcount = sizeof(DSAPublicKey_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.templates = DSAPublicKey_seq_tt,
+	.tcount = sizeof(DSAPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE),
 	.funcs = &DSAPublicKey_aux,
 	.size = sizeof(DSA),
 	.sname = "DSA",
 };
 
-
 DSA *
 d2i_DSAPublicKey(DSA **a, const unsigned char **in, long len)
 {

externals/libressl/crypto/dsa/dsa_depr.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_depr.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: dsa_depr.c,v 1.8 2021/12/04 16:08:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -68,6 +68,8 @@
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 
+#include "bn_lcl.h"
+
 #ifndef OPENSSL_NO_DEPRECATED
 DSA *
 DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,

externals/libressl/crypto/dsa/dsa_key.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_key.c,v 1.29 2018/11/09 23:45:19 tb Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.30 2022/01/07 09:35:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,7 +65,9 @@
 
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
+
 #include "bn_lcl.h"
+#include "dsa_locl.h"
 
 static int dsa_builtin_keygen(DSA *dsa);
 

externals/libressl/crypto/dsa/dsa_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
+/* $OpenBSD: dsa_lib.c,v 1.34 2022/01/14 08:29:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -74,6 +74,9 @@
 #include <openssl/engine.h>
 #endif
 
+#include "dh_local.h"
+#include "dsa_locl.h"
+
 static const DSA_METHOD *default_DSA_method = NULL;
 
 void
@@ -151,7 +154,6 @@ DSA_new_method(ENGINE *engine)
 
 	ret->pad = 0;
 	ret->version = 0;
-	ret->write_params = 1;
 	ret->p = NULL;
 	ret->q = NULL;
 	ret->g = NULL;
@@ -174,7 +176,7 @@ DSA_new_method(ENGINE *engine)
 		free(ret);
 		ret = NULL;
 	}
-	
+
 	return ret;
 }
 
@@ -361,6 +363,36 @@ DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
 	return 1;
 }
 
+const BIGNUM *
+DSA_get0_p(const DSA *d)
+{
+	return d->p;
+}
+
+const BIGNUM *
+DSA_get0_q(const DSA *d)
+{
+	return d->q;
+}
+
+const BIGNUM *
+DSA_get0_g(const DSA *d)
+{
+	return d->g;
+}
+
+const BIGNUM *
+DSA_get0_pub_key(const DSA *d)
+{
+	return d->pub_key;
+}
+
+const BIGNUM *
+DSA_get0_priv_key(const DSA *d)
+{
+	return d->priv_key;
+}
+
 void
 DSA_clear_flags(DSA *d, int flags)
 {
@@ -384,3 +416,9 @@ DSA_get0_engine(DSA *d)
 {
 	return d->engine;
 }
+
+int
+DSA_bits(const DSA *dsa)
+{
+	return BN_num_bits(dsa->p);
+}

externals/libressl/crypto/dsa/dsa_locl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_locl.h,v 1.3 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: dsa_locl.h,v 1.5 2022/01/14 08:29:06 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
  *
@@ -57,6 +57,59 @@
 
 __BEGIN_HIDDEN_DECLS
 
+struct DSA_SIG_st {
+	BIGNUM *r;
+	BIGNUM *s;
+} /* DSA_SIG */;
+
+struct dsa_method {
+	const char *name;
+	DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
+	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+	    BIGNUM **rp);
+	int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
+	    DSA_SIG *sig, DSA *dsa);
+	int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+	    BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+	    BN_MONT_CTX *in_mont);
+	int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+	    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */
+	int (*init)(DSA *dsa);
+	int (*finish)(DSA *dsa);
+	int flags;
+	char *app_data;
+	/* If this is non-NULL, it is used to generate DSA parameters */
+	int (*dsa_paramgen)(DSA *dsa, int bits, const unsigned char *seed,
+	    int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
+	/* If this is non-NULL, it is used to generate DSA keys */
+	int (*dsa_keygen)(DSA *dsa);
+} /* DSA_METHOD */;
+
+struct dsa_st {
+	/* This first variable is used to pick up errors where
+	 * a DSA is passed instead of of a EVP_PKEY */
+	int pad;
+	long version;
+	BIGNUM *p;
+	BIGNUM *q;	/* == 20 */
+	BIGNUM *g;
+
+	BIGNUM *pub_key;  /* y public key */
+	BIGNUM *priv_key; /* x private key */
+
+	BIGNUM *kinv;	/* Signing pre-calc */
+	BIGNUM *r;	/* Signing pre-calc */
+
+	int flags;
+	/* Normally used to cache montgomery values */
+	BN_MONT_CTX *method_mont_p;
+	int references;
+	CRYPTO_EX_DATA ex_data;
+	const DSA_METHOD *meth;
+	/* functional reference if 'meth' is ENGINE-provided */
+	ENGINE *engine;
+} /* DSA */;
+
 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 	const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
 	unsigned char *seed_out,

externals/libressl/crypto/dsa/dsa_meth.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dsa_meth.c,v 1.1 2018/03/17 15:19:12 tb Exp $	*/
+/*	$OpenBSD: dsa_meth.c,v 1.2 2022/01/07 09:35:36 tb Exp $	*/
 /*
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
  *
@@ -21,6 +21,8 @@
 #include <openssl/dsa.h>
 #include <openssl/err.h>
 
+#include "dsa_locl.h"
+
 DSA_METHOD *
 DSA_meth_new(const char *name, int flags)
 {

externals/libressl/crypto/dsa/dsa_ossl.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.42 2019/06/04 18:12:26 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.44 2022/02/24 08:35:45 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -67,6 +67,7 @@
 #include <openssl/sha.h>
 
 #include "bn_lcl.h"
+#include "dsa_locl.h"
 
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
@@ -314,24 +315,25 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
 	BN_CTX *ctx;
 	BIGNUM u1, u2, t1;
 	BN_MONT_CTX *mont = NULL;
-	int ret = -1, i;
+	int qbits;
+	int ret = -1;
 
 	if (!dsa->p || !dsa->q || !dsa->g) {
 		DSAerror(DSA_R_MISSING_PARAMETERS);
 		return -1;
 	}
 
-	i = BN_num_bits(dsa->q);
 	/* FIPS 186-3 allows only three different sizes for q. */
-	if (i != 160 && i != 224 && i != 256) {
+	qbits = BN_num_bits(dsa->q);
+	if (qbits != 160 && qbits != 224 && qbits != 256) {
 		DSAerror(DSA_R_BAD_Q_VALUE);
 		return -1;
 	}
-
 	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
 		DSAerror(DSA_R_MODULUS_TOO_LARGE);
 		return -1;
 	}
+
 	BN_init(&u1);
 	BN_init(&u2);
 	BN_init(&t1);
@@ -358,8 +360,8 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
 	 * If the digest length is greater than the size of q use the
 	 * BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2.
 	 */
-	if (dgst_len > (i >> 3))
-		dgst_len = (i >> 3);
+	if (dgst_len > (qbits >> 3))
+		dgst_len = (qbits >> 3);
 
 	/* Save m in u1. */
 	if (BN_bin2bn(dgst, dgst_len, &u1) == NULL)

externals/libressl/crypto/dsa/dsa_pmeth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_pmeth.c,v 1.12 2019/09/09 18:06:25 jsing Exp $ */
+/* $OpenBSD: dsa_pmeth.c,v 1.13 2021/12/04 16:08:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -66,6 +66,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
+#include "bn_lcl.h"
 #include "dsa_locl.h"
 #include "evp_locl.h"
 

externals/libressl/crypto/dsa/dsa_sign.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_sign.c,v 1.20 2018/06/14 17:01:49 jsing Exp $ */
+/* $OpenBSD: dsa_sign.c,v 1.21 2022/01/07 09:35:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,6 +61,8 @@
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 
+#include "dsa_locl.h"
+
 DSA_SIG *
 DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 {

externals/libressl/crypto/dsa/dsa_vrf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_vrf.c,v 1.16 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: dsa_vrf.c,v 1.17 2022/01/07 09:35:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,6 +60,8 @@
 
 #include <openssl/dsa.h>
 
+#include "dsa_locl.h"
+
 int
 DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
 {