Implement internally opaque bn access from dsa

Reviewed-by: NTim Hudson <tjh@openssl.org>

crypto/dsa/dsa_depr.c

@@ -89,16 +89,26 @@ DSA *DSA_generate_parameters(int bits,
 		void (*callback)(int, int, void *),
 		void *cb_arg)
 	{
-	BN_GENCB cb;
+	BN_GENCB *cb;
 	DSA *ret;
 
 	if ((ret=DSA_new()) == NULL) return NULL;
+	cb = BN_GENCB_new();
+	if(!cb)
+		{
+		DSA_free(ret);
+		return NULL;
+		}
 
-	BN_GENCB_set_old(&cb, callback, cb_arg);
+	BN_GENCB_set_old(cb, callback, cb_arg);
 
 	if(DSA_generate_parameters_ex(ret, bits, seed_in, seed_len,
-				counter_ret, h_ret, &cb))
+				counter_ret, h_ret, cb))
+		{
+		BN_GENCB_free(cb);
 		return ret;
+		}
+	BN_GENCB_free(cb);
 	DSA_free(ret);
 	return NULL;
 	}

crypto/dsa/dsa_key.c

@@ -102,19 +102,24 @@ static int dsa_builtin_keygen(DSA *dsa)
 		pub_key=dsa->pub_key;
 	
 	{
-		BIGNUM local_prk;
+		BIGNUM *local_prk = NULL;
 		BIGNUM *prk;
 
 		if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
 			{
-			BN_init(&local_prk);
-			prk = &local_prk;
+			local_prk = prk = BN_new();
+			if(!local_prk) goto err;
 			BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
 			}
 		else
 			prk = priv_key;
 
-		if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+		if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx))
+			{
+			if (local_prk != NULL) BN_free(local_prk);
+			goto err;
+			}
+		if (local_prk != NULL) BN_free(local_prk);
 	}
 
 	dsa->priv_key=priv_key;

crypto/dsa/dsa_ossl.c

@@ -136,15 +136,16 @@ const DSA_METHOD *DSA_OpenSSL(void)
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
 	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
-	BIGNUM m;
-	BIGNUM xr;
+	BIGNUM *m;
+	BIGNUM *xr;
 	BN_CTX *ctx=NULL;
 	int reason=ERR_R_BN_LIB;
 	DSA_SIG *ret=NULL;
 	int noredo = 0;
 
-	BN_init(&m);
-	BN_init(&xr);
+	m = BN_new();
+	xr = BN_new();
+	if(!m || !xr) goto err;
 
 	if (!dsa->p || !dsa->q || !dsa->g)
 		{
@@ -177,12 +178,12 @@ redo:
 		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
 		 * fips 186-3, 4.2 */
 		dlen = BN_num_bytes(dsa->q);
-	if (BN_bin2bn(dgst,dlen,&m) == NULL)
+	if (BN_bin2bn(dgst,dlen,m) == NULL)
 		goto err;
 
 	/* Compute  s = inv(k) (m + xr) mod q */
-	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
-	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
+	if (!BN_mod_mul(xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
+	if (!BN_add(s, xr, m)) goto err;		/* s = m + xr */
 	if (BN_cmp(s,dsa->q) > 0)
 		if (!BN_sub(s,s,dsa->q)) goto err;
 	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
@@ -212,8 +213,8 @@ err:
 		BN_free(s);
 		}
 	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_clear_free(&m);
-	BN_clear_free(&xr);
+	BN_clear_free(m);
+	BN_clear_free(xr);
 	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
 	    BN_clear_free(kinv);
 	return(ret);
@@ -228,8 +229,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 				      BIGNUM **kinvp, BIGNUM **rp,
 				      const unsigned char *dgst, int dlen)
 	{
-	BN_CTX *ctx;
-	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
+	BN_CTX *ctx = NULL;
+	BIGNUM *k,*kq,*K,*kinv=NULL,*r=NULL;
 	int ret=0;
 
 	if (!dsa->p || !dsa->q || !dsa->g)
@@ -238,8 +239,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 		return 0;
 		}
 
-	BN_init(&k);
-	BN_init(&kq);
+	k = BN_new();
+	kq = BN_new();
+	if(!k || !kq) goto err;
 
 	if (ctx_in == NULL)
 		{
@@ -259,18 +261,18 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 			/* We calculate k from SHA512(private_key + H(message)
 			 * + random). This protects the private key from a weak
 			 * PRNG. */
-			if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
+			if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
 						   dlen, ctx))
 				goto err;
 			}
 		else
 #endif
-			if (!BN_rand_range(&k, dsa->q)) goto err;
-		} while (BN_is_zero(&k));
+			if (!BN_rand_range(k, dsa->q)) goto err;
+		} while (BN_is_zero(k));
 
 	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
 		{
-		BN_set_flags(&k, BN_FLG_CONSTTIME);
+		BN_set_flags(k, BN_FLG_CONSTTIME);
 		}
 
 	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
@@ -285,7 +287,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
 	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
 		{
-		if (!BN_copy(&kq, &k)) goto err;
+		if (!BN_copy(kq, k)) goto err;
 
 		/* We do not want timing information to leak the length of k,
 		 * so we compute g^k using an equivalent exponent of fixed length.
@@ -293,24 +295,24 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 		 * (This is a kludge that we need because the BN_mod_exp_mont()
 		 * does not let us specify the desired timing behaviour.) */
 
-		if (!BN_add(&kq, &kq, dsa->q)) goto err;
-		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+		if (!BN_add(kq, kq, dsa->q)) goto err;
+		if (BN_num_bits(kq) <= BN_num_bits(dsa->q))
 			{
-			if (!BN_add(&kq, &kq, dsa->q)) goto err;
+			if (!BN_add(kq, kq, dsa->q)) goto err;
 			}
 
-		K = &kq;
+		K = kq;
 		}
 	else
 		{
-		K = &k;
+		K = k;
 		}
 	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
 			dsa->method_mont_p);
 	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
 
 	/* Compute  part of 's = inv(k) (m + xr) mod q' */
-	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
+	if ((kinv=BN_mod_inverse(NULL,k,dsa->q,ctx)) == NULL) goto err;
 
 	if (*kinvp != NULL) BN_clear_free(*kinvp);
 	*kinvp=kinv;
@@ -326,8 +328,8 @@ err:
 			BN_clear_free(r);
 		}
 	if (ctx_in == NULL) BN_CTX_free(ctx);
-	BN_clear_free(&k);
-	BN_clear_free(&kq);
+	BN_clear_free(k);
+	BN_clear_free(kq);
 	return(ret);
 	}
 
@@ -335,7 +337,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 			 DSA *dsa)
 	{
 	BN_CTX *ctx;
-	BIGNUM u1,u2,t1;
+	BIGNUM *u1,*u2,*t1;
 	BN_MONT_CTX *mont=NULL;
 	int ret = -1, i;
 	if (!dsa->p || !dsa->q || !dsa->g)
@@ -357,11 +359,11 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
 		return -1;
 		}
-	BN_init(&u1);
-	BN_init(&u2);
-	BN_init(&t1);
-
-	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	u1 = BN_new();
+	u2 = BN_new();
+	t1 = BN_new();
+	ctx=BN_CTX_new();
+	if(!u1 || !u2 || !t1 || !ctx) goto err;
 
 	if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
 	    BN_ucmp(sig->r, dsa->q) >= 0)
@@ -378,7 +380,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 
 	/* Calculate W = inv(S) mod Q
 	 * save W in u2 */
-	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
+	if ((BN_mod_inverse(u2,sig->s,dsa->q,ctx)) == NULL) goto err;
 
 	/* save M in u1 */
 	if (dgst_len > (i >> 3))
@@ -386,13 +388,13 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		 * BN_num_bits(dsa->q) leftmost bits of the digest, see
 		 * fips 186-3, 4.2 */
 		dgst_len = (i >> 3);
-	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
+	if (BN_bin2bn(dgst,dgst_len,u1) == NULL) goto err;
 
 	/* u1 = M * w mod q */
-	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
+	if (!BN_mod_mul(u1,u1,u2,dsa->q,ctx)) goto err;
 
 	/* u2 = r * w mod q */
-	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
+	if (!BN_mod_mul(u2,sig->r,u2,dsa->q,ctx)) goto err;
 
 
 	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
@@ -404,21 +406,21 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		}
 
 
-	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
+	DSA_MOD_EXP(goto err, dsa, t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx, mont);
 	/* BN_copy(&u1,&t1); */
 	/* let u1 = u1 mod q */
-	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
+	if (!BN_mod(u1,t1,dsa->q,ctx)) goto err;
 
 	/* V is now in u1.  If the signature is correct, it will be
 	 * equal to R. */
-	ret=(BN_ucmp(&u1, sig->r) == 0);
+	ret=(BN_ucmp(u1, sig->r) == 0);
 
 	err:
 	if (ret < 0) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
 	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_free(&u1);
-	BN_free(&u2);
-	BN_free(&t1);
+	if(u1) BN_free(u1);
+	if(u2) BN_free(u2);
+	if(t1) BN_free(t1);
 	return(ret);
 	}
 

crypto/dsa/dsa_pmeth.c

@@ -246,20 +246,25 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 	{
 	DSA *dsa = NULL;
 	DSA_PKEY_CTX *dctx = ctx->data;
-	BN_GENCB *pcb, cb;
+	BN_GENCB *pcb;
 	int ret;
 	if (ctx->pkey_gencb)
 		{
-		pcb = &cb;
+		pcb = BN_GENCB_new();
+		if(!pcb) return 0;
 		evp_pkey_set_cb_translate(pcb, ctx);
 		}
 	else
 		pcb = NULL;
 	dsa = DSA_new();
 	if (!dsa)
+		{
+		if(pcb) BN_GENCB_free(pcb);
 		return 0;
+		}
 	ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
 	                           NULL, 0, NULL, NULL, NULL, pcb);
+	if(pcb) BN_GENCB_free(pcb);
 	if (ret)
 		EVP_PKEY_assign_DSA(pkey, dsa);
 	else

crypto/dsa/dsatest.c

@@ -136,7 +136,7 @@ static BIO *bio_err=NULL;
 
 int main(int argc, char **argv)
 	{
-	BN_GENCB cb;
+	BN_GENCB *cb;
 	DSA *dsa=NULL;
 	int counter,ret=0,i,j;
 	unsigned char buf[256];
@@ -156,9 +156,12 @@ int main(int argc, char **argv)
 
 	BIO_printf(bio_err,"test generation of DSA parameters\n");
 
-	BN_GENCB_set(&cb, dsa_cb, bio_err);
+	cb = BN_GENCB_new();
+	if(!cb) goto end;
+
+	BN_GENCB_set(cb, dsa_cb, bio_err);
 	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
-				seed, 20, &counter, &h, &cb))
+				seed, 20, &counter, &h, cb))
 		goto end;
 
 	BIO_printf(bio_err,"seed\n");
@@ -221,6 +224,7 @@ end:
 	if (!ret)
 		ERR_print_errors(bio_err);
 	if (dsa != NULL) DSA_free(dsa);
+	if (cb != NULL) BN_GENCB_free(cb);
 	CRYPTO_cleanup_all_ex_data();
 	ERR_remove_thread_state(NULL);
 	ERR_free_strings();
@@ -246,8 +250,8 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg)
 	if (p == 1) c='+';
 	if (p == 2) { c='*'; ok++; }
 	if (p == 3) c='\n';
-	BIO_write(arg->arg,&c,1);
-	(void)BIO_flush(arg->arg);
+	BIO_write(BN_GENCB_get_arg(arg),&c,1);
+	(void)BIO_flush(BN_GENCB_get_arg(arg));
 
 	if (!ok && (p == 0) && (num > 1))
 		{