DSA fix from main branch.

2001-02-07 22:35:11 +00:00 · 2001-02-07 22:35:11 +00:00 · 38b3a46ffa
commit 38b3a46ffa
parent 60b3b2c9d0
6 changed files with 29 additions and 10 deletions
--- a/4
+++ b/4
@ -4,6 +4,10 @@

 Changes between 0.9.6 and 0.9.6a  [xx XXX 2001]

+  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
+     Bleichenbacher's DSA attack.
+     [Ulf Moeller]
+
  *) In the NCONF_...-based implementations for CONF_... queries
     (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
     a temporary CONF structure with the data component set to NULL
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx);
 void	BN_CTX_end(BN_CTX *ctx);
 int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int	BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max);
 int	BN_num_bits(const BIGNUM *a);
 int	BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@ -140,3 +140,15 @@ int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
 	{
 	return bnrand(1, rnd, bits, top, bottom);
 	}
+
+/* random number r: min <= r < max */
+int	BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *max)
+	{
+	int n = BN_num_bits(max);
+	do
+		{
+		if (!BN_rand(r, n, 0, 0)) return 0;
+		} while ((min && BN_cmp(r, min) < 0) || BN_cmp(r, max) >= 0);
+	return 1;
+	}
+
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@ -179,13 +179,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	kinv=NULL;

 	/* Get random k */
-	for (;;)
-		{
-		if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err;
-		if (BN_cmp(&k,dsa->q) >= 0)
-			BN_sub(&k,&k,dsa->q);
-		if (!BN_is_zero(&k)) break;
-		}
+	if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err;

 	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
 		{
--- a/doc/crypto/BN_rand.pod
+++ b/doc/crypto/BN_rand.pod
@ -12,6 +12,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number

 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);

+ int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max);
+
 =head1 DESCRIPTION

 BN_rand() generates a cryptographically strong pseudo-random number of
@ -25,11 +27,15 @@ this function are not necessarily unpredictable. They can be used for
 non-cryptographic purposes and for certain purposes in cryptographic
 protocols, but usually not for key generation etc.

-The PRNG must be seeded prior to calling BN_rand().
+BN_rand_range() generates a cryptographically strong pseudo-random
+number B<rnd> in the range B<min> E<lt>= B<rnd> E<lt> B<max>. B<min>
+may be NULL, in that case 0 E<lt>= B<rnd> E<lt> B<max>.
+
+The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().

 =head1 RETURN VALUES

-BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error.
+The functions return 1 on success, 0 on error.
 The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.

 =head1 SEE ALSO
@ -40,6 +46,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
 =head1 HISTORY

 BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5.
+BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range()
+in OpenSSL 0.9.6a.

 =cut
--- a/doc/crypto/bn.pod
+++ b/doc/crypto/bn.pod
@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics

 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max);

 BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
         BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);