Implement internally opaque bn access from dsa

Reviewed-by: Tim Hudson <tjh@openssl.org>

diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c
index f2da680eb466a4c1ff9d888b887fc920a8cfd347..35c3423f29f0210f178bb7d581346b1913db698e 100644 (file)
--- a/crypto/dsa/dsa_depr.c
+++ b/crypto/dsa/dsa_depr.c
@@ -89,16 +89,26 @@ DSA *DSA_generate_parameters(int bits,
                void (*callback)(int, int, void *),
                void *cb_arg)
        {
-       BN_GENCB cb;
+       BN_GENCB *cb;
        DSA *ret;
 
        if ((ret=DSA_new()) == NULL) return NULL;
+       cb = BN_GENCB_new();
+       if(!cb)
+               {
+               DSA_free(ret);
+               return NULL;
+               }
 
-       BN_GENCB_set_old(&cb, callback, cb_arg);
+       BN_GENCB_set_old(cb, callback, cb_arg);
 
        if(DSA_generate_parameters_ex(ret, bits, seed_in, seed_len,
-                               counter_ret, h_ret, &cb))
+                               counter_ret, h_ret, cb))
+               {
+               BN_GENCB_free(cb);
                return ret;
+               }
+       BN_GENCB_free(cb);
        DSA_free(ret);
        return NULL;
        }

diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index dbf745a7f34aa82f513c62b506f44143151ce924..a3adb2fdde552495e9c05de75e4a8858663ed4b5 100644 (file)
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -102,19 +102,24 @@ static int dsa_builtin_keygen(DSA *dsa)
                pub_key=dsa->pub_key;
        
        {
-               BIGNUM local_prk;
+               BIGNUM *local_prk = NULL;
                BIGNUM *prk;
 
                if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
                        {
-                       BN_init(&local_prk);
-                       prk = &local_prk;
+                       local_prk = prk = BN_new();
+                       if(!local_prk) goto err;
                        BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
                        }
                else
                        prk = priv_key;
 
-               if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+               if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx))
+                       {
+                       if (local_prk != NULL) BN_free(local_prk);
+                       goto err;
+                       }
+               if (local_prk != NULL) BN_free(local_prk);
        }
 
        dsa->priv_key=priv_key;

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index fb0030a66f1603bb1adb3a6aa3e099b22011d16a..ff29e55c8df787b68ba8e459103246b035674e0b 100644 (file)
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -136,15 +136,16 @@ const DSA_METHOD *DSA_OpenSSL(void)
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        {
        BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
-       BIGNUM m;
-       BIGNUM xr;
+       BIGNUM *m;
+       BIGNUM *xr;
        BN_CTX *ctx=NULL;
        int reason=ERR_R_BN_LIB;
        DSA_SIG *ret=NULL;
        int noredo = 0;
 
-       BN_init(&m);
-       BN_init(&xr);
+       m = BN_new();
+       xr = BN_new();
+       if(!m || !xr) goto err;
 
        if (!dsa->p || !dsa->q || !dsa->g)
                {
@@ -177,12 +178,12 @@ redo:
                 * BN_num_bits(dsa->q) leftmost bits of the digest, see
                 * fips 186-3, 4.2 */
                dlen = BN_num_bytes(dsa->q);
-       if (BN_bin2bn(dgst,dlen,&m) == NULL)
+       if (BN_bin2bn(dgst,dlen,m) == NULL)
                goto err;
 
        /* Compute  s = inv(k) (m + xr) mod q */
-       if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
-       if (!BN_add(s, &xr, &m)) goto err;              /* s = m + xr */
+       if (!BN_mod_mul(xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
+       if (!BN_add(s, xr, m)) goto err;                /* s = m + xr */
        if (BN_cmp(s,dsa->q) > 0)
                if (!BN_sub(s,s,dsa->q)) goto err;
        if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
@@ -212,8 +213,8 @@ err:
                BN_free(s);
                }
        if (ctx != NULL) BN_CTX_free(ctx);
-       BN_clear_free(&m);
-       BN_clear_free(&xr);
+       BN_clear_free(m);
+       BN_clear_free(xr);
        if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
            BN_clear_free(kinv);
        return(ret);
@@ -228,8 +229,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
                                      BIGNUM **kinvp, BIGNUM **rp,
                                      const unsigned char *dgst, int dlen)
        {
-       BN_CTX *ctx;
-       BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
+       BN_CTX *ctx = NULL;
+       BIGNUM *k,*kq,*K,*kinv=NULL,*r=NULL;
        int ret=0;
 
        if (!dsa->p || !dsa->q || !dsa->g)
@@ -238,8 +239,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
                return 0;
                }
 
-       BN_init(&k);
-       BN_init(&kq);
+       k = BN_new();
+       kq = BN_new();
+       if(!k || !kq) goto err;
 
        if (ctx_in == NULL)
                {
@@ -259,18 +261,18 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
                        /* We calculate k from SHA512(private_key + H(message)
                         * + random). This protects the private key from a weak
                         * PRNG. */
-                       if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
+                       if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
                                                   dlen, ctx))
                                goto err;
                        }
                else
 #endif
-                       if (!BN_rand_range(&k, dsa->q)) goto err;
-               } while (BN_is_zero(&k));
+                       if (!BN_rand_range(k, dsa->q)) goto err;
+               } while (BN_is_zero(k));
 
        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
                {
-               BN_set_flags(&k, BN_FLG_CONSTTIME);
+               BN_set_flags(k, BN_FLG_CONSTTIME);
                }
 
        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
@@ -285,7 +287,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
                {
-               if (!BN_copy(&kq, &k)) goto err;
+               if (!BN_copy(kq, k)) goto err;
 
                /* We do not want timing information to leak the length of k,
                 * so we compute g^k using an equivalent exponent of fixed length.
@@ -293,24 +295,24 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
                 * (This is a kludge that we need because the BN_mod_exp_mont()
                 * does not let us specify the desired timing behaviour.) */
 
-               if (!BN_add(&kq, &kq, dsa->q)) goto err;
-               if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+               if (!BN_add(kq, kq, dsa->q)) goto err;
+               if (BN_num_bits(kq) <= BN_num_bits(dsa->q))
                        {
-                       if (!BN_add(&kq, &kq, dsa->q)) goto err;
+                       if (!BN_add(kq, kq, dsa->q)) goto err;
                        }
 
-               K = &kq;
+               K = kq;
                }
        else
                {
-               K = &k;
+               K = k;
                }
        DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
                        dsa->method_mont_p);
        if (!BN_mod(r,r,dsa->q,ctx)) goto err;
 
        /* Compute  part of 's = inv(k) (m + xr) mod q' */
-       if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
+       if ((kinv=BN_mod_inverse(NULL,k,dsa->q,ctx)) == NULL) goto err;
 
        if (*kinvp != NULL) BN_clear_free(*kinvp);
        *kinvp=kinv;
@@ -326,8 +328,8 @@ err:
                        BN_clear_free(r);
                }
        if (ctx_in == NULL) BN_CTX_free(ctx);
-       BN_clear_free(&k);
-       BN_clear_free(&kq);
+       BN_clear_free(k);
+       BN_clear_free(kq);
        return(ret);
        }
 
@@ -335,7 +337,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                         DSA *dsa)
        {
        BN_CTX *ctx;
-       BIGNUM u1,u2,t1;
+       BIGNUM *u1,*u2,*t1;
        BN_MONT_CTX *mont=NULL;
        int ret = -1, i;
        if (!dsa->p || !dsa->q || !dsa->g)
@@ -357,11 +359,11 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
                return -1;
                }
-       BN_init(&u1);
-       BN_init(&u2);
-       BN_init(&t1);
-
-       if ((ctx=BN_CTX_new()) == NULL) goto err;
+       u1 = BN_new();
+       u2 = BN_new();
+       t1 = BN_new();
+       ctx=BN_CTX_new();
+       if(!u1 || !u2 || !t1 || !ctx) goto err;
 
        if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
            BN_ucmp(sig->r, dsa->q) >= 0)
@@ -378,7 +380,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 
        /* Calculate W = inv(S) mod Q
         * save W in u2 */
-       if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
+       if ((BN_mod_inverse(u2,sig->s,dsa->q,ctx)) == NULL) goto err;
 
        /* save M in u1 */
        if (dgst_len > (i >> 3))
@@ -386,13 +388,13 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                 * BN_num_bits(dsa->q) leftmost bits of the digest, see
                 * fips 186-3, 4.2 */
                dgst_len = (i >> 3);
-       if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
+       if (BN_bin2bn(dgst,dgst_len,u1) == NULL) goto err;
 
        /* u1 = M * w mod q */
-       if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
+       if (!BN_mod_mul(u1,u1,u2,dsa->q,ctx)) goto err;
 
        /* u2 = r * w mod q */
-       if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
+       if (!BN_mod_mul(u2,sig->r,u2,dsa->q,ctx)) goto err;
 
 
        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
@@ -404,21 +406,21 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                }
 
 
-       DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
+       DSA_MOD_EXP(goto err, dsa, t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx, mont);
        /* BN_copy(&u1,&t1); */
        /* let u1 = u1 mod q */
-       if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
+       if (!BN_mod(u1,t1,dsa->q,ctx)) goto err;
 
        /* V is now in u1.  If the signature is correct, it will be
         * equal to R. */
-       ret=(BN_ucmp(&u1, sig->r) == 0);
+       ret=(BN_ucmp(u1, sig->r) == 0);
 
        err:
        if (ret < 0) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
        if (ctx != NULL) BN_CTX_free(ctx);
-       BN_free(&u1);
-       BN_free(&u2);
-       BN_free(&t1);
+       if(u1) BN_free(u1);
+       if(u2) BN_free(u2);
+       if(t1) BN_free(t1);
        return(ret);
        }
 

diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 4c7a5a847b3e8350ea4234360b6a5d1509e30dec..2f0586a5413bf94a6886ccd3f287105f556248d9 100644 (file)
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -246,20 +246,25 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
        {
        DSA *dsa = NULL;
        DSA_PKEY_CTX *dctx = ctx->data;
-       BN_GENCB *pcb, cb;
+       BN_GENCB *pcb;
        int ret;
        if (ctx->pkey_gencb)
                {
-               pcb = &cb;
+               pcb = BN_GENCB_new();
+               if(!pcb) return 0;
                evp_pkey_set_cb_translate(pcb, ctx);
                }
        else
                pcb = NULL;
        dsa = DSA_new();
        if (!dsa)
+               {
+               if(pcb) BN_GENCB_free(pcb);
                return 0;
+               }
        ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
                                   NULL, 0, NULL, NULL, NULL, pcb);
+       if(pcb) BN_GENCB_free(pcb);
        if (ret)
                EVP_PKEY_assign_DSA(pkey, dsa);
        else

diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index edffd24e6ba24975d0fdc857e1a49a040450d651..271a8e0d0f8c63f815f5ab33f836e9e8ad7014b1 100644 (file)
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -136,7 +136,7 @@ static BIO *bio_err=NULL;
 
 int main(int argc, char **argv)
        {
-       BN_GENCB cb;
+       BN_GENCB *cb;
        DSA *dsa=NULL;
        int counter,ret=0,i,j;
        unsigned char buf[256];
@@ -156,9 +156,12 @@ int main(int argc, char **argv)
 
        BIO_printf(bio_err,"test generation of DSA parameters\n");
 
-       BN_GENCB_set(&cb, dsa_cb, bio_err);
+       cb = BN_GENCB_new();
+       if(!cb) goto end;
+
+       BN_GENCB_set(cb, dsa_cb, bio_err);
        if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
-                               seed, 20, &counter, &h, &cb))
+                               seed, 20, &counter, &h, cb))
                goto end;
 
        BIO_printf(bio_err,"seed\n");
@@ -221,6 +224,7 @@ end:
        if (!ret)
                ERR_print_errors(bio_err);
        if (dsa != NULL) DSA_free(dsa);
+       if (cb != NULL) BN_GENCB_free(cb);
        CRYPTO_cleanup_all_ex_data();
        ERR_remove_thread_state(NULL);
        ERR_free_strings();
@@ -246,8 +250,8 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg)
        if (p == 1) c='+';
        if (p == 2) { c='*'; ok++; }
        if (p == 3) c='\n';
-       BIO_write(arg->arg,&c,1);
-       (void)BIO_flush(arg->arg);
+       BIO_write(BN_GENCB_get_arg(arg),&c,1);
+       (void)BIO_flush(BN_GENCB_get_arg(arg));
 
        if (!ok && (p == 0) && (num > 1))
                {