1 /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL
2 * project 2000. */
3 /* ====================================================================
4 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 *
18 * 3. All advertising materials mentioning features or use of this
19 * software must display the following acknowledgment:
20 * "This product includes software developed by the OpenSSL Project
21 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
22 *
23 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
24 * endorse or promote products derived from this software without
25 * prior written permission. For written permission, please contact
26 * [email protected].
27 *
28 * 5. Products derived from this software may not be called "OpenSSL"
29 * nor may "OpenSSL" appear in their names without prior written
30 * permission of the OpenSSL Project.
31 *
32 * 6. Redistributions of any form whatsoever must retain the following
33 * acknowledgment:
34 * "This product includes software developed by the OpenSSL Project
35 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
36 *
37 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
38 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
40 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
41 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
43 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
46 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
48 * OF THE POSSIBILITY OF SUCH DAMAGE.
49 * ====================================================================
50 *
51 * This product includes cryptographic software written by Eric Young
52 * ([email protected]). This product includes software written by Tim
53 * Hudson ([email protected]). */
54
55 #include <openssl/dsa.h>
56
57 #include <assert.h>
58
59 #include <openssl/bn.h>
60 #include <openssl/bytestring.h>
61 #include <openssl/err.h>
62 #include <openssl/mem.h>
63
64 #include "internal.h"
65 #include "../bytestring/internal.h"
66
67
68 // This function is in dsa_asn1.c rather than dsa.c because it is reachable from
69 // |EVP_PKEY| parsers. This makes it easier for the static linker to drop most
70 // of the DSA implementation.
dsa_check_key(const DSA * dsa)71 int dsa_check_key(const DSA *dsa) {
72 if (!dsa->p || !dsa->q || !dsa->g) {
73 OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);
74 return 0;
75 }
76
77 // Fully checking for invalid DSA groups is expensive, so security and
78 // correctness of the signature scheme depend on how |dsa| was computed. I.e.
79 // we leave "assurance of domain parameter validity" from FIPS 186-4 to the
80 // caller. However, we check bounds on all values to avoid DoS vectors even
81 // when domain parameters are invalid. In particular, signing will infinite
82 // loop if |g| is zero.
83 if (BN_is_negative(dsa->p) || BN_is_negative(dsa->q) || BN_is_zero(dsa->p) ||
84 BN_is_zero(dsa->q) || !BN_is_odd(dsa->p) || !BN_is_odd(dsa->q) ||
85 // |q| must be a prime divisor of |p - 1|, which implies |q < p|.
86 BN_cmp(dsa->q, dsa->p) >= 0 ||
87 // |g| is in the multiplicative group of |p|.
88 BN_is_negative(dsa->g) || BN_is_zero(dsa->g) ||
89 BN_cmp(dsa->g, dsa->p) >= 0) {
90 OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
91 return 0;
92 }
93
94 // FIPS 186-4 allows only three different sizes for q.
95 unsigned q_bits = BN_num_bits(dsa->q);
96 if (q_bits != 160 && q_bits != 224 && q_bits != 256) {
97 OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
98 return 0;
99 }
100
101 // Bound |dsa->p| to avoid a DoS vector. Note this limit is much larger than
102 // the one in FIPS 186-4, which only allows L = 1024, 2048, and 3072.
103 if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
104 OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);
105 return 0;
106 }
107
108 if (dsa->pub_key != NULL) {
109 // The public key is also in the multiplicative group of |p|.
110 if (BN_is_negative(dsa->pub_key) || BN_is_zero(dsa->pub_key) ||
111 BN_cmp(dsa->pub_key, dsa->p) >= 0) {
112 OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
113 return 0;
114 }
115 }
116
117 if (dsa->priv_key != NULL) {
118 // The private key is a non-zero element of the scalar field, determined by
119 // |q|.
120 if (BN_is_negative(dsa->priv_key) ||
121 constant_time_declassify_int(BN_is_zero(dsa->priv_key)) ||
122 constant_time_declassify_int(BN_cmp(dsa->priv_key, dsa->q) >= 0)) {
123 OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
124 return 0;
125 }
126 }
127
128 return 1;
129 }
130
parse_integer(CBS * cbs,BIGNUM ** out)131 static int parse_integer(CBS *cbs, BIGNUM **out) {
132 assert(*out == NULL);
133 *out = BN_new();
134 if (*out == NULL) {
135 return 0;
136 }
137 return BN_parse_asn1_unsigned(cbs, *out);
138 }
139
marshal_integer(CBB * cbb,BIGNUM * bn)140 static int marshal_integer(CBB *cbb, BIGNUM *bn) {
141 if (bn == NULL) {
142 // A DSA object may be missing some components.
143 OPENSSL_PUT_ERROR(DSA, ERR_R_PASSED_NULL_PARAMETER);
144 return 0;
145 }
146 return BN_marshal_asn1(cbb, bn);
147 }
148
DSA_SIG_parse(CBS * cbs)149 DSA_SIG *DSA_SIG_parse(CBS *cbs) {
150 DSA_SIG *ret = DSA_SIG_new();
151 if (ret == NULL) {
152 return NULL;
153 }
154 CBS child;
155 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
156 !parse_integer(&child, &ret->r) ||
157 !parse_integer(&child, &ret->s) ||
158 CBS_len(&child) != 0) {
159 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
160 DSA_SIG_free(ret);
161 return NULL;
162 }
163 return ret;
164 }
165
DSA_SIG_marshal(CBB * cbb,const DSA_SIG * sig)166 int DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig) {
167 CBB child;
168 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
169 !marshal_integer(&child, sig->r) ||
170 !marshal_integer(&child, sig->s) ||
171 !CBB_flush(cbb)) {
172 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
173 return 0;
174 }
175 return 1;
176 }
177
DSA_parse_public_key(CBS * cbs)178 DSA *DSA_parse_public_key(CBS *cbs) {
179 DSA *ret = DSA_new();
180 if (ret == NULL) {
181 return NULL;
182 }
183 CBS child;
184 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
185 !parse_integer(&child, &ret->pub_key) ||
186 !parse_integer(&child, &ret->p) ||
187 !parse_integer(&child, &ret->q) ||
188 !parse_integer(&child, &ret->g) ||
189 CBS_len(&child) != 0) {
190 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
191 goto err;
192 }
193 if (!dsa_check_key(ret)) {
194 goto err;
195 }
196 return ret;
197
198 err:
199 DSA_free(ret);
200 return NULL;
201 }
202
DSA_marshal_public_key(CBB * cbb,const DSA * dsa)203 int DSA_marshal_public_key(CBB *cbb, const DSA *dsa) {
204 CBB child;
205 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
206 !marshal_integer(&child, dsa->pub_key) ||
207 !marshal_integer(&child, dsa->p) ||
208 !marshal_integer(&child, dsa->q) ||
209 !marshal_integer(&child, dsa->g) ||
210 !CBB_flush(cbb)) {
211 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
212 return 0;
213 }
214 return 1;
215 }
216
DSA_parse_parameters(CBS * cbs)217 DSA *DSA_parse_parameters(CBS *cbs) {
218 DSA *ret = DSA_new();
219 if (ret == NULL) {
220 return NULL;
221 }
222 CBS child;
223 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
224 !parse_integer(&child, &ret->p) ||
225 !parse_integer(&child, &ret->q) ||
226 !parse_integer(&child, &ret->g) ||
227 CBS_len(&child) != 0) {
228 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
229 goto err;
230 }
231 if (!dsa_check_key(ret)) {
232 goto err;
233 }
234 return ret;
235
236 err:
237 DSA_free(ret);
238 return NULL;
239 }
240
DSA_marshal_parameters(CBB * cbb,const DSA * dsa)241 int DSA_marshal_parameters(CBB *cbb, const DSA *dsa) {
242 CBB child;
243 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
244 !marshal_integer(&child, dsa->p) ||
245 !marshal_integer(&child, dsa->q) ||
246 !marshal_integer(&child, dsa->g) ||
247 !CBB_flush(cbb)) {
248 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
249 return 0;
250 }
251 return 1;
252 }
253
DSA_parse_private_key(CBS * cbs)254 DSA *DSA_parse_private_key(CBS *cbs) {
255 DSA *ret = DSA_new();
256 if (ret == NULL) {
257 return NULL;
258 }
259
260 CBS child;
261 uint64_t version;
262 if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
263 !CBS_get_asn1_uint64(&child, &version)) {
264 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
265 goto err;
266 }
267
268 if (version != 0) {
269 OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_VERSION);
270 goto err;
271 }
272
273 if (!parse_integer(&child, &ret->p) ||
274 !parse_integer(&child, &ret->q) ||
275 !parse_integer(&child, &ret->g) ||
276 !parse_integer(&child, &ret->pub_key) ||
277 !parse_integer(&child, &ret->priv_key) ||
278 CBS_len(&child) != 0) {
279 OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
280 goto err;
281 }
282 if (!dsa_check_key(ret)) {
283 goto err;
284 }
285
286 return ret;
287
288 err:
289 DSA_free(ret);
290 return NULL;
291 }
292
DSA_marshal_private_key(CBB * cbb,const DSA * dsa)293 int DSA_marshal_private_key(CBB *cbb, const DSA *dsa) {
294 CBB child;
295 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
296 !CBB_add_asn1_uint64(&child, 0 /* version */) ||
297 !marshal_integer(&child, dsa->p) ||
298 !marshal_integer(&child, dsa->q) ||
299 !marshal_integer(&child, dsa->g) ||
300 !marshal_integer(&child, dsa->pub_key) ||
301 !marshal_integer(&child, dsa->priv_key) ||
302 !CBB_flush(cbb)) {
303 OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);
304 return 0;
305 }
306 return 1;
307 }
308
d2i_DSA_SIG(DSA_SIG ** out_sig,const uint8_t ** inp,long len)309 DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp, long len) {
310 if (len < 0) {
311 return NULL;
312 }
313 CBS cbs;
314 CBS_init(&cbs, *inp, (size_t)len);
315 DSA_SIG *ret = DSA_SIG_parse(&cbs);
316 if (ret == NULL) {
317 return NULL;
318 }
319 if (out_sig != NULL) {
320 DSA_SIG_free(*out_sig);
321 *out_sig = ret;
322 }
323 *inp = CBS_data(&cbs);
324 return ret;
325 }
326
i2d_DSA_SIG(const DSA_SIG * in,uint8_t ** outp)327 int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp) {
328 CBB cbb;
329 if (!CBB_init(&cbb, 0) ||
330 !DSA_SIG_marshal(&cbb, in)) {
331 CBB_cleanup(&cbb);
332 return -1;
333 }
334 return CBB_finish_i2d(&cbb, outp);
335 }
336
d2i_DSAPublicKey(DSA ** out,const uint8_t ** inp,long len)337 DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len) {
338 if (len < 0) {
339 return NULL;
340 }
341 CBS cbs;
342 CBS_init(&cbs, *inp, (size_t)len);
343 DSA *ret = DSA_parse_public_key(&cbs);
344 if (ret == NULL) {
345 return NULL;
346 }
347 if (out != NULL) {
348 DSA_free(*out);
349 *out = ret;
350 }
351 *inp = CBS_data(&cbs);
352 return ret;
353 }
354
i2d_DSAPublicKey(const DSA * in,uint8_t ** outp)355 int i2d_DSAPublicKey(const DSA *in, uint8_t **outp) {
356 CBB cbb;
357 if (!CBB_init(&cbb, 0) ||
358 !DSA_marshal_public_key(&cbb, in)) {
359 CBB_cleanup(&cbb);
360 return -1;
361 }
362 return CBB_finish_i2d(&cbb, outp);
363 }
364
d2i_DSAPrivateKey(DSA ** out,const uint8_t ** inp,long len)365 DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len) {
366 if (len < 0) {
367 return NULL;
368 }
369 CBS cbs;
370 CBS_init(&cbs, *inp, (size_t)len);
371 DSA *ret = DSA_parse_private_key(&cbs);
372 if (ret == NULL) {
373 return NULL;
374 }
375 if (out != NULL) {
376 DSA_free(*out);
377 *out = ret;
378 }
379 *inp = CBS_data(&cbs);
380 return ret;
381 }
382
i2d_DSAPrivateKey(const DSA * in,uint8_t ** outp)383 int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp) {
384 CBB cbb;
385 if (!CBB_init(&cbb, 0) ||
386 !DSA_marshal_private_key(&cbb, in)) {
387 CBB_cleanup(&cbb);
388 return -1;
389 }
390 return CBB_finish_i2d(&cbb, outp);
391 }
392
d2i_DSAparams(DSA ** out,const uint8_t ** inp,long len)393 DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len) {
394 if (len < 0) {
395 return NULL;
396 }
397 CBS cbs;
398 CBS_init(&cbs, *inp, (size_t)len);
399 DSA *ret = DSA_parse_parameters(&cbs);
400 if (ret == NULL) {
401 return NULL;
402 }
403 if (out != NULL) {
404 DSA_free(*out);
405 *out = ret;
406 }
407 *inp = CBS_data(&cbs);
408 return ret;
409 }
410
i2d_DSAparams(const DSA * in,uint8_t ** outp)411 int i2d_DSAparams(const DSA *in, uint8_t **outp) {
412 CBB cbb;
413 if (!CBB_init(&cbb, 0) ||
414 !DSA_marshal_parameters(&cbb, in)) {
415 CBB_cleanup(&cbb);
416 return -1;
417 }
418 return CBB_finish_i2d(&cbb, outp);
419 }
420