Commit f00a10b8 authored by Ismo Puustinen's avatar Ismo Puustinen Committed by Rich Salz
Browse files

GH367: Fix dsa keygen for too-short seed 



If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.

Signed-off-by: default avatarRich Salz <rsalz@akamai.com>
Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
parent 3c65047d

CHANGES

+4 −0
Original line number Diff line number Diff line
@@ -4,6 +4,10 @@ 


 Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]



  *) In DSA_generate_parameters_ex, if the provided seed is too short,

     return an error

     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]



  *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites

     from RFC4279, RFC4785, RFC5487, RFC5489.

crypto/dsa/dsa_gen.c

+12 −17
Original line number Diff line number Diff line
@@ -132,18 +132,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, 


    bits = (bits + 63) / 64 * 64;



    /*

     * NB: seed_len == 0 is special case: copy generated seed to seed_in if

     * it is not NULL.

     */

    if (seed_len && (seed_len < (size_t)qsize))

        seed_in = NULL;         /* seed buffer too small -- ignore */

    if (seed_len > (size_t)qsize)

        seed_len = qsize;       /* App. 2.2 of FIPS PUB 186 allows larger

                                 * SEED, but our internal buffers are

                                 * restricted to 160 bits */

    if (seed_in != NULL)

    if (seed_in != NULL) {

        if (seed_len < (size_t)qsize)

            return 0;

        if (seed_len > (size_t)qsize) {

            /* Don't overflow seed local variable. */

            seed_len = qsize;

        }

        memcpy(seed, seed_in, seed_len);

    }



    if ((ctx = BN_CTX_new()) == NULL)

        goto err;
@@ -166,20 +163,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, 


    for (;;) {

        for (;;) {              /* find q */

            int seed_is_random;

            int seed_is_random = seed_in == NULL;



            /* step 1 */

            if (!BN_GENCB_call(cb, 0, m++))

                goto err;



            if (!seed_len) {

            if (seed_is_random) {

                if (RAND_bytes(seed, qsize) <= 0)

                    goto err;

                seed_is_random = 1;

            } else {

                seed_is_random = 0;

                seed_len = 0;   /* use random seed if 'seed_in' turns out to

                                 * be bad */

                /* If we come back through, use random seed next time. */

                seed_in = NULL;

            }

            memcpy(buf, seed, qsize);

            memcpy(buf2, seed, qsize);

doc/crypto/DSA_generate_parameters.pod

+5 −6
Original line number Diff line number Diff line
@@ -23,13 +23,12 @@ Deprecated: 
DSA_generate_parameters_ex() generates primes p and q and a generator g

for use in the DSA and stores the result in B<dsa>.



B<bits> is the length of the prime to be generated; the DSS allows a

maximum of 1024 bits.

B<bits> is the length of the prime p to be generated.

For lengths under 2048 bits, the length of q is 160 bits; for lengths

at least 2048, it is set to 256 bits.



If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be

generated at random. Otherwise, the seed is used to generate

them. If the given seed does not yield a prime q, a new random

seed is chosen and placed at B<seed>.

If B<seed> is NULL, the primes will be generated at random.

If B<seed_len> is less than the length of q, an error is returned.



DSA_generate_parameters_ex() places the iteration count in

*B<counter_ret> and a counter used for finding a generator in