generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

GH367: Fix dsa keygen for too-short seed

Browse Source 
If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f00a10b89734e84fe80f98ad9e2e77b557c701ae)
This commit is contained in:
Ismo Puustinen 2015-08-07 22:14:47 -04:00 committed by Rich Salz
parent 80c25ba676
commit 9a97446468
3 changed files with 24 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES
View File

@ -4,7 +4,12 @@
Changes between 1.0.1p and 1.0.1q [xx XXX xxxx] Changes between 1.0.1p and 1.0.1q [xx XXX xxxx]
*) *) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
*) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
from RFC4279, RFC4785, RFC5487, RFC5489.
Changes between 1.0.1o and 1.0.1p [9 Jul 2015] Changes between 1.0.1o and 1.0.1p [9 Jul 2015]

31
crypto/dsa/dsa_gen.c
View File

@ -161,18 +161,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
bits = (bits + 63) / 64 * 64; bits = (bits + 63) / 64 * 64;
/* if (seed_in != NULL) {
* NB: seed_len == 0 is special case: copy generated seed to seed_in if if (seed_len < (size_t)qsize)
* it is not NULL. return 0;
*/ if (seed_len > (size_t)qsize) {
if (seed_len && (seed_len < (size_t)qsize)) /* Don't overflow seed local variable. */
seed_in = NULL; /* seed buffer too small -- ignore */ seed_len = qsize;
if (seed_len > (size_t)qsize) }
seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
* SEED, but our internal buffers are
* restricted to 160 bits */
if (seed_in != NULL)
memcpy(seed, seed_in, seed_len); memcpy(seed, seed_in, seed_len);
}
if ((ctx = BN_CTX_new()) == NULL) if ((ctx = BN_CTX_new()) == NULL)
goto err; goto err;
@ -195,20 +192,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
for (;;) { for (;;) {
for (;;) { /* find q */ for (;;) { /* find q */
int seed_is_random; int seed_is_random = seed_in == NULL;
/* step 1 */ /* step 1 */
if (!BN_GENCB_call(cb, 0, m++)) if (!BN_GENCB_call(cb, 0, m++))
goto err; goto err;
if (!seed_len) { if (seed_is_random) {
if (RAND_pseudo_bytes(seed, qsize) < 0) if (RAND_bytes(seed, qsize) <= 0)
goto err; goto err;
seed_is_random = 1;
} else { } else {
seed_is_random = 0; /* If we come back through, use random seed next time. */
seed_len = 0; /* use random seed if 'seed_in' turns out to seed_in = NULL;
* be bad */
} }
memcpy(buf, seed, qsize); memcpy(buf, seed, qsize);
memcpy(buf2, seed, qsize); memcpy(buf2, seed, qsize);

11
doc/crypto/DSA_generate_parameters.pod
View File

@ -17,13 +17,12 @@ DSA_generate_parameters - generate DSA parameters
DSA_generate_parameters() generates primes p and q and a generator g DSA_generate_parameters() generates primes p and q and a generator g
for use in the DSA. for use in the DSA.
B<bits> is the length of the prime to be generated; the DSS allows a B<bits> is the length of the prime p to be generated.
maximum of 1024 bits. For lengths under 2048 bits, the length of q is 160 bits; for lengths
at least 2048, it is set to 256 bits.
If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be If B<seed> is NULL, the primes will be generated at random.
generated at random. Otherwise, the seed is used to generate If B<seed_len> is less than the length of q, an error is returned.
them. If the given seed does not yield a prime q, a new random
seed is chosen and placed at B<seed>.
DSA_generate_parameters() places the iteration count in DSA_generate_parameters() places the iteration count in
*B<counter_ret> and a counter used for finding a generator in *B<counter_ret> and a counter used for finding a generator in