OpenCoverage

dsa_ossl.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/dsa/dsa_ossl.c
Source codeSwitch to Preprocessed file
LineSourceCount
1/* $OpenBSD: dsa_ossl.c,v 1.37 2018/06/14 18:34:50 jsing Exp $ */-
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)-
3 * All rights reserved.-
4 *-
5 * This package is an SSL implementation written-
6 * by Eric Young (eay@cryptsoft.com).-
7 * The implementation was written so as to conform with Netscapes SSL.-
8 * -
9 * This library is free for commercial and non-commercial use as long as-
10 * the following conditions are aheared to. The following conditions-
11 * apply to all code found in this distribution, be it the RC4, RSA,-
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation-
13 * included with this distribution is covered by the same copyright terms-
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).-
15 * -
16 * Copyright remains Eric Young's, and as such any Copyright notices in-
17 * the code are not to be removed.-
18 * If this package is used in a product, Eric Young should be given attribution-
19 * as the author of the parts of the library used.-
20 * This can be in the form of a textual message at program startup or-
21 * in documentation (online or textual) provided with the package.-
22 * -
23 * Redistribution and use in source and binary forms, with or without-
24 * modification, are permitted provided that the following conditions-
25 * are met:-
26 * 1. Redistributions of source code must retain the copyright-
27 * notice, this list of conditions and the following disclaimer.-
28 * 2. Redistributions in binary form must reproduce the above copyright-
29 * notice, this list of conditions and the following disclaimer in the-
30 * documentation and/or other materials provided with the distribution.-
31 * 3. All advertising materials mentioning features or use of this software-
32 * must display the following acknowledgement:-
33 * "This product includes cryptographic software written by-
34 * Eric Young (eay@cryptsoft.com)"-
35 * The word 'cryptographic' can be left out if the rouines from the library-
36 * being used are not cryptographic related :-).-
37 * 4. If you include any Windows specific code (or a derivative thereof) from -
38 * the apps directory (application code) you must include an acknowledgement:-
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"-
40 * -
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND-
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE-
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE-
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE-
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL-
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS-
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)-
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT-
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY-
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF-
51 * SUCH DAMAGE.-
52 * -
53 * The licence and distribution terms for any publically available version or-
54 * derivative of this code cannot be changed. i.e. this code cannot simply be-
55 * copied and put under another distribution licence-
56 * [including the GNU Public Licence.]-
57 */-
58-
59/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */-
60-
61#include <stdio.h>-
62-
63#include <openssl/asn1.h>-
64#include <openssl/bn.h>-
65#include <openssl/dsa.h>-
66#include <openssl/err.h>-
67#include <openssl/sha.h>-
68-
69#include "bn_lcl.h"-
70-
71static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);-
72static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,-
73 BIGNUM **rp);-
74static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,-
75 DSA *dsa);-
76static int dsa_init(DSA *dsa);-
77static int dsa_finish(DSA *dsa);-
78-
79static DSA_METHOD openssl_dsa_meth = {-
80 .name = "OpenSSL DSA method",-
81 .dsa_do_sign = dsa_do_sign,-
82 .dsa_sign_setup = dsa_sign_setup,-
83 .dsa_do_verify = dsa_do_verify,-
84 .init = dsa_init,-
85 .finish = dsa_finish,-
86};-
87-
88const DSA_METHOD *-
89DSA_OpenSSL(void)-
90{-
91 return &openssl_dsa_meth;
executed 4 times by 2 tests: return &openssl_dsa_meth;
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
4
92}-
93-
94static DSA_SIG *-
95dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)-
96{-
97 BIGNUM b, bm, bxr, binv, m, *kinv = NULL, *r = NULL, *s = NULL;-
98 BN_CTX *ctx = NULL;-
99 int reason = ERR_R_BN_LIB;-
100 DSA_SIG *ret = NULL;-
101 int noredo = 0;-
102-
103 BN_init(&b);-
104 BN_init(&binv);-
105 BN_init(&bm);-
106 BN_init(&bxr);-
107 BN_init(&m);-
108-
109 if (!dsa->p || !dsa->q || !dsa->g) {
!dsa->pDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
!dsa->qDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
!dsa->gDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
110 reason = DSA_R_MISSING_PARAMETERS;-
111 goto err;
never executed: goto err;
0
112 }-
113-
114 s = BN_new();-
115 if (s == NULL)
s == ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
116 goto err;
never executed: goto err;
0
117 ctx = BN_CTX_new();-
118 if (ctx == NULL)
ctx == ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
119 goto err;
never executed: goto err;
0
120-
121 /*-
122 * If the digest length is greater than N (the bit length of q), the-
123 * leftmost N bits of the digest shall be used, see FIPS 186-3, 4.2.-
124 * In this case the digest length is given in bytes.-
125 */-
126 if (dlen > BN_num_bytes(dsa->q))
dlen > ((BN_nu...(dsa->q)+7)/8)Description
TRUEevaluated 1 time by 1 test
Evaluated by:
  • libcrypto.so.44.0.1
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
1
127 dlen = BN_num_bytes(dsa->q);
executed 1 time by 1 test: dlen = ((BN_num_bits(dsa->q)+7)/8);
Executed by:
  • libcrypto.so.44.0.1
1
128 if (BN_bin2bn(dgst, dlen, &m) == NULL)
BN_bin2bn(dgst...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
129 goto err;
never executed: goto err;
0
130-
131 redo:
code before this statement executed 2 times by 2 tests: redo:
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
132 if (dsa->kinv == NULL || dsa->r == NULL) {
dsa->kinv == ((void *)0)Description
TRUEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
FALSEnever evaluated
dsa->r == ((void *)0)Description
TRUEnever evaluated
FALSEnever evaluated
0-2
133 if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
!DSA_sign_setu...tx, &kinv, &r)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
134 goto err;
never executed: goto err;
0
135 } else {
executed 2 times by 2 tests: end of block
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
136 kinv = dsa->kinv;-
137 dsa->kinv = NULL;-
138 r = dsa->r;-
139 dsa->r = NULL;-
140 noredo = 1;-
141 }
never executed: end of block
0
142-
143 /*-
144 * Compute:-
145 *-
146 * s = inv(k)(m + xr) mod q-
147 *-
148 * In order to reduce the possibility of a side-channel attack, the-
149 * following is calculated using a blinding value:-
150 *-
151 * s = inv(k)inv(b)(bm + bxr) mod q-
152 *-
153 * Where b is a random value in the range [1, q-1].-
154 */-
155 if (!BN_sub(&bm, dsa->q, BN_value_one()))
!BN_sub(&bm, d...N_value_one())Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
156 goto err;
never executed: goto err;
0
157 if (!BN_rand_range(&b, &bm))
!BN_rand_range(&b, &bm)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
158 goto err;
never executed: goto err;
0
159 if (!BN_add(&b, &b, BN_value_one()))
!BN_add(&b, &b...N_value_one())Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
160 goto err;
never executed: goto err;
0
161 if (BN_mod_inverse_ct(&binv, &b, dsa->q, ctx) == NULL)
BN_mod_inverse...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
162 goto err;
never executed: goto err;
0
163-
164 if (!BN_mod_mul(&bxr, &b, dsa->priv_key, dsa->q, ctx)) /* bx */
!BN_mod_mul(&b..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
165 goto err;
never executed: goto err;
0
166 if (!BN_mod_mul(&bxr, &bxr, r, dsa->q, ctx)) /* bxr */
!BN_mod_mul(&b..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
167 goto err;
never executed: goto err;
0
168 if (!BN_mod_mul(&bm, &b, &m, dsa->q, ctx)) /* bm */
!BN_mod_mul(&b..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
169 goto err;
never executed: goto err;
0
170 if (!BN_mod_add(s, &bxr, &bm, dsa->q, ctx)) /* s = bm + bxr */
!BN_mod_add(s,..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
171 goto err;
never executed: goto err;
0
172 if (!BN_mod_mul(s, s, &binv, dsa->q, ctx)) /* s = m + xr */
!BN_mod_mul(s,..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
173 goto err;
never executed: goto err;
0
174 if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
!BN_mod_mul(s,..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
175 goto err;
never executed: goto err;
0
176-
177 /*-
178 * Redo if r or s is zero as required by FIPS 186-3: this is very-
179 * unlikely.-
180 */-
181 if (BN_is_zero(r) || BN_is_zero(s)) {
((r)->top == 0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
((s)->top == 0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
182 if (noredo) {
noredoDescription
TRUEnever evaluated
FALSEnever evaluated
0
183 reason = DSA_R_NEED_NEW_SETUP_VALUES;-
184 goto err;
never executed: goto err;
0
185 }-
186 goto redo;
never executed: goto redo;
0
187 }-
188-
189 if ((ret = DSA_SIG_new()) == NULL) {
(ret = DSA_SIG...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
190 reason = ERR_R_MALLOC_FAILURE;-
191 goto err;
never executed: goto err;
0
192 }-
193 ret->r = r;-
194 ret->s = s;-
195 -
196 err:
code before this statement executed 2 times by 2 tests: err:
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
197 if (!ret) {
!retDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
198 DSAerror(reason);-
199 BN_free(r);-
200 BN_free(s);-
201 }
never executed: end of block
0
202 BN_CTX_free(ctx);-
203 BN_clear_free(&b);-
204 BN_clear_free(&bm);-
205 BN_clear_free(&bxr);-
206 BN_clear_free(&binv);-
207 BN_clear_free(&m);-
208 BN_clear_free(kinv);-
209-
210 return ret;
executed 2 times by 2 tests: return ret;
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
211}-
212-
213static int-
214dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)-
215{-
216 BN_CTX *ctx;-
217 BIGNUM k, l, m, *kinv = NULL, *r = NULL;-
218 int q_bits, ret = 0;-
219-
220 if (!dsa->p || !dsa->q || !dsa->g) {
!dsa->pDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
!dsa->qDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
!dsa->gDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
221 DSAerror(DSA_R_MISSING_PARAMETERS);-
222 return 0;
never executed: return 0;
0
223 }-
224-
225 BN_init(&k);-
226 BN_init(&l);-
227 BN_init(&m);-
228-
229 if (ctx_in == NULL) {
ctx_in == ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
230 if ((ctx = BN_CTX_new()) == NULL)
(ctx = BN_CTX_...== ((void *)0)Description
TRUEnever evaluated
FALSEnever evaluated
0
231 goto err;
never executed: goto err;
0
232 } else
never executed: end of block
0
233 ctx = ctx_in;
executed 2 times by 2 tests: ctx = ctx_in;
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
234-
235 if ((r = BN_new()) == NULL)
(r = BN_new()) == ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
236 goto err;
never executed: goto err;
0
237-
238 /* Preallocate space */-
239 q_bits = BN_num_bits(dsa->q);-
240 if (!BN_set_bit(&k, q_bits) ||
!BN_set_bit(&k, q_bits)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
241 !BN_set_bit(&l, q_bits) ||
!BN_set_bit(&l, q_bits)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
242 !BN_set_bit(&m, q_bits))
!BN_set_bit(&m, q_bits)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
243 goto err;
never executed: goto err;
0
244-
245 /* Get random k */-
246 do {-
247 if (!BN_rand_range(&k, dsa->q))
!BN_rand_range(&k, dsa->q)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
248 goto err;
never executed: goto err;
0
249 } while (BN_is_zero(&k));
executed 2 times by 2 tests: end of block
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
((&k)->top == 0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
250-
251 BN_set_flags(&k, BN_FLG_CONSTTIME);-
252-
253 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
dsa->flags & 0x01Description
TRUEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
FALSEnever evaluated
0-2
254 if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
!BN_MONT_CTX_s..., dsa->p, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
255 CRYPTO_LOCK_DSA, dsa->p, ctx))
!BN_MONT_CTX_s..., dsa->p, ctx)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
256 goto err;
never executed: goto err;
0
257 }
executed 2 times by 2 tests: end of block
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
258-
259 /* Compute r = (g^k mod p) mod q */-
260-
261 /*-
262 * We do not want timing information to leak the length of k,-
263 * so we compute G^k using an equivalent exponent of fixed-
264 * bit-length.-
265 *-
266 * We unconditionally perform both of these additions to prevent a-
267 * small timing information leakage. We then choose the sum that is-
268 * one bit longer than the modulus.-
269 *-
270 * TODO: revisit the BN_copy aiming for a memory access agnostic-
271 * conditional copy.-
272 */-
273-
274 if (!BN_add(&l, &k, dsa->q) ||
!BN_add(&l, &k, dsa->q)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
275 !BN_add(&m, &l, dsa->q) ||
!BN_add(&m, &l, dsa->q)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
276 !BN_copy(&k, BN_num_bits(&l) > q_bits ? &l : &m))
!BN_copy(&k, B...its ? &l : &m)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
277 goto err;
never executed: goto err;
0
278-
279 if (dsa->meth->bn_mod_exp != NULL) {
dsa->meth->bn_...!= ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
280 if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx,
!dsa->meth->bn...method_mont_p)Description
TRUEnever evaluated
FALSEnever evaluated
0
281 dsa->method_mont_p))
!dsa->meth->bn...method_mont_p)Description
TRUEnever evaluated
FALSEnever evaluated
0
282 goto err;
never executed: goto err;
0
283 } else {
never executed: end of block
0
284 if (!BN_mod_exp_mont_ct(r, dsa->g, &k, dsa->p, ctx,
!BN_mod_exp_mo...method_mont_p)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
285 dsa->method_mont_p))
!BN_mod_exp_mo...method_mont_p)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
286 goto err;
never executed: goto err;
0
287 }
executed 2 times by 2 tests: end of block
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
288-
289 if (!BN_mod_ct(r, r, dsa->q, ctx))
!BN_div_ct( ((...dsa->q),(ctx))Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
290 goto err;
never executed: goto err;
0
291-
292 /* Compute part of 's = inv(k) (m + xr) mod q' */-
293 if ((kinv = BN_mod_inverse_ct(NULL, &k, dsa->q, ctx)) == NULL)
(kinv = BN_mod...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
294 goto err;
never executed: goto err;
0
295-
296 BN_clear_free(*kinvp);-
297 *kinvp = kinv;-
298 kinv = NULL;-
299 BN_clear_free(*rp);-
300 *rp = r;-
301-
302 ret = 1;-
303-
304 err:
code before this statement executed 2 times by 2 tests: err:
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
305 if (!ret) {
!retDescription
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
306 DSAerror(ERR_R_BN_LIB);-
307 BN_clear_free(r);-
308 }
never executed: end of block
0
309 if (ctx_in == NULL)
ctx_in == ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 2 times by 2 tests
Evaluated by:
  • dsatest
  • libcrypto.so.44.0.1
0-2
310 BN_CTX_free(ctx);
never executed: BN_CTX_free(ctx);
0
311 BN_clear_free(&k);-
312 BN_clear_free(&l);-
313 BN_clear_free(&m);-
314-
315 return ret;
executed 2 times by 2 tests: return ret;
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
2
316}-
317-
318static int-
319dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)-
320{-
321 BN_CTX *ctx;-
322 BIGNUM u1, u2, t1;-
323 BN_MONT_CTX *mont = NULL;-
324 int ret = -1, i;-
325-
326 if (!dsa->p || !dsa->q || !dsa->g) {
!dsa->pDescription
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
!dsa->qDescription
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
!dsa->gDescription
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
327 DSAerror(DSA_R_MISSING_PARAMETERS);-
328 return -1;
never executed: return -1;
0
329 }-
330-
331 i = BN_num_bits(dsa->q);-
332 /* FIPS 186-3 allows only three different sizes for q. */-
333 if (i != 160 && i != 224 && i != 256) {
i != 160Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
i != 224Description
TRUEnever evaluated
FALSEnever evaluated
i != 256Description
TRUEnever evaluated
FALSEnever evaluated
0-1
334 DSAerror(DSA_R_BAD_Q_VALUE);-
335 return -1;
never executed: return -1;
0
336 }-
337-
338 if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
BN_num_bits(dsa->p) > 10000Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
339 DSAerror(DSA_R_MODULUS_TOO_LARGE);-
340 return -1;
never executed: return -1;
0
341 }-
342 BN_init(&u1);-
343 BN_init(&u2);-
344 BN_init(&t1);-
345-
346 if ((ctx = BN_CTX_new()) == NULL)
(ctx = BN_CTX_...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
347 goto err;
never executed: goto err;
0
348-
349 if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
((sig->r)->top == 0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
((sig->r)->neg != 0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
350 BN_ucmp(sig->r, dsa->q) >= 0) {
BN_ucmp(sig->r, dsa->q) >= 0Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
351 ret = 0;-
352 goto err;
never executed: goto err;
0
353 }-
354 if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
((sig->s)->top == 0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
((sig->s)->neg != 0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
355 BN_ucmp(sig->s, dsa->q) >= 0) {
BN_ucmp(sig->s, dsa->q) >= 0Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
356 ret = 0;-
357 goto err;
never executed: goto err;
0
358 }-
359-
360 /* Calculate w = inv(s) mod q, saving w in u2. */-
361 if ((BN_mod_inverse_ct(&u2, sig->s, dsa->q, ctx)) == NULL)
(BN_mod_invers...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
362 goto err;
never executed: goto err;
0
363-
364 /*-
365 * If the digest length is greater than the size of q use the-
366 * BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2.-
367 */-
368 if (dgst_len > (i >> 3))
dgst_len > (i >> 3)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
369 dgst_len = (i >> 3);
never executed: dgst_len = (i >> 3);
0
370-
371 /* Save m in u1. */-
372 if (BN_bin2bn(dgst, dgst_len, &u1) == NULL)
BN_bin2bn(dgst...== ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
373 goto err;
never executed: goto err;
0
374-
375 /* u1 = m * w mod q */-
376 if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx))
!BN_mod_mul(&u..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
377 goto err;
never executed: goto err;
0
378-
379 /* u2 = r * w mod q */-
380 if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx))
!BN_mod_mul(&u..., dsa->q, ctx)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
381 goto err;
never executed: goto err;
0
382-
383 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
dsa->flags & 0x01Description
TRUEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
FALSEnever evaluated
0-1
384 mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,-
385 CRYPTO_LOCK_DSA, dsa->p, ctx);-
386 if (!mont)
!montDescription
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
387 goto err;
never executed: goto err;
0
388 }
executed 1 time by 1 test: end of block
Executed by:
  • dsatest
1
389-
390 if (dsa->meth->dsa_mod_exp != NULL) {
dsa->meth->dsa...!= ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
391 if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key,
!dsa->meth->ds...>p, ctx, mont)Description
TRUEnever evaluated
FALSEnever evaluated
0
392 &u2, dsa->p, ctx, mont))
!dsa->meth->ds...>p, ctx, mont)Description
TRUEnever evaluated
FALSEnever evaluated
0
393 goto err;
never executed: goto err;
0
394 } else {
never executed: end of block
0
395 if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2,
!BN_mod_exp2_m...>p, ctx, mont)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
396 dsa->p, ctx, mont))
!BN_mod_exp2_m...>p, ctx, mont)Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
397 goto err;
never executed: goto err;
0
398 }
executed 1 time by 1 test: end of block
Executed by:
  • dsatest
1
399-
400 /* BN_copy(&u1,&t1); */-
401 /* let u1 = u1 mod q */-
402 if (!BN_mod_ct(&u1, &t1, dsa->q, ctx))
!BN_div_ct( ((...dsa->q),(ctx))Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
403 goto err;
never executed: goto err;
0
404-
405 /* v is in u1 - if the signature is correct, it will be equal to r. */-
406 ret = BN_ucmp(&u1, sig->r) == 0;-
407-
408 err:
code before this statement executed 1 time by 1 test: err:
Executed by:
  • dsatest
1
409 if (ret < 0)
ret < 0Description
TRUEnever evaluated
FALSEevaluated 1 time by 1 test
Evaluated by:
  • dsatest
0-1
410 DSAerror(ERR_R_BN_LIB);
never executed: ERR_put_error(10,(0xfff),(3),__FILE__,410);
0
411 BN_CTX_free(ctx);-
412 BN_free(&u1);-
413 BN_free(&u2);-
414 BN_free(&t1);-
415-
416 return ret;
executed 1 time by 1 test: return ret;
Executed by:
  • dsatest
1
417}-
418-
419static int-
420dsa_init(DSA *dsa)-
421{-
422 dsa->flags |= DSA_FLAG_CACHE_MONT_P;-
423 return 1;
executed 6 times by 2 tests: return 1;
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
6
424}-
425-
426static int-
427dsa_finish(DSA *dsa)-
428{-
429 BN_MONT_CTX_free(dsa->method_mont_p);-
430 return 1;
executed 6 times by 2 tests: return 1;
Executed by:
  • dsatest
  • libcrypto.so.44.0.1
6
431}-
432-
Source codeSwitch to Preprocessed file
Generated by Squish Coco 4.2.2