From 9a9744646805bcf5d25af990be0533f71bf5edd5 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Fri, 7 Aug 2015 22:14:47 -0400 Subject: [PATCH] GH367: Fix dsa keygen for too-short seed MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If the seed value for dsa key generation is too short (< qsize), return an error. Also update the documentation. Signed-off-by: Rich Salz Reviewed-by: Emilia Käsper (cherry picked from commit f00a10b89734e84fe80f98ad9e2e77b557c701ae) --- CHANGES | 7 +++++- crypto/dsa/dsa_gen.c | 31 +++++++++++--------------- doc/crypto/DSA_generate_parameters.pod | 11 +++++---- 3 files changed, 24 insertions(+), 25 deletions(-) diff --git a/CHANGES b/CHANGES index c2aba4bd19..6e19f3d861 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,12 @@ Changes between 1.0.1p and 1.0.1q [xx XXX xxxx] - *) + *) In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + [Rich Salz and Ismo Puustinen ] + + *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites + from RFC4279, RFC4785, RFC5487, RFC5489. Changes between 1.0.1o and 1.0.1p [9 Jul 2015] diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index d686ab0af7..44c47a3f82 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -161,18 +161,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, bits = (bits + 63) / 64 * 64; - /* - * NB: seed_len == 0 is special case: copy generated seed to seed_in if - * it is not NULL. - */ - if (seed_len && (seed_len < (size_t)qsize)) - seed_in = NULL; /* seed buffer too small -- ignore */ - if (seed_len > (size_t)qsize) - seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger - * SEED, but our internal buffers are - * restricted to 160 bits */ - if (seed_in != NULL) + if (seed_in != NULL) { + if (seed_len < (size_t)qsize) + return 0; + if (seed_len > (size_t)qsize) { + /* Don't overflow seed local variable. */ + seed_len = qsize; + } memcpy(seed, seed_in, seed_len); + } if ((ctx = BN_CTX_new()) == NULL) goto err; @@ -195,20 +192,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, for (;;) { for (;;) { /* find q */ - int seed_is_random; + int seed_is_random = seed_in == NULL; /* step 1 */ if (!BN_GENCB_call(cb, 0, m++)) goto err; - if (!seed_len) { - if (RAND_pseudo_bytes(seed, qsize) < 0) + if (seed_is_random) { + if (RAND_bytes(seed, qsize) <= 0) goto err; - seed_is_random = 1; } else { - seed_is_random = 0; - seed_len = 0; /* use random seed if 'seed_in' turns out to - * be bad */ + /* If we come back through, use random seed next time. */ + seed_in = NULL; } memcpy(buf, seed, qsize); memcpy(buf2, seed, qsize); diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod index be7c924ff8..ae30824d5d 100644 --- a/doc/crypto/DSA_generate_parameters.pod +++ b/doc/crypto/DSA_generate_parameters.pod @@ -17,13 +17,12 @@ DSA_generate_parameters - generate DSA parameters DSA_generate_parameters() generates primes p and q and a generator g for use in the DSA. -B is the length of the prime to be generated; the DSS allows a -maximum of 1024 bits. +B is the length of the prime p to be generated. +For lengths under 2048 bits, the length of q is 160 bits; for lengths +at least 2048, it is set to 256 bits. -If B is B or B E 20, the primes will be -generated at random. Otherwise, the seed is used to generate -them. If the given seed does not yield a prime q, a new random -seed is chosen and placed at B. +If B is NULL, the primes will be generated at random. +If B is less than the length of q, an error is returned. DSA_generate_parameters() places the iteration count in *B and a counter used for finding a generator in -- 2.39.5