From f00a10b89734e84fe80f98ad9e2e77b557c701ae Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Fri, 7 Aug 2015 22:14:47 -0400 Subject: [PATCH] GH367: Fix dsa keygen for too-short seed MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If the seed value for dsa key generation is too short (< qsize), return an error. Also update the documentation. Signed-off-by: Rich Salz Reviewed-by: Emilia Käsper --- CHANGES | 4 ++++ crypto/dsa/dsa_gen.c | 29 +++++++++++--------------- doc/crypto/DSA_generate_parameters.pod | 11 +++++----- 3 files changed, 21 insertions(+), 23 deletions(-) diff --git a/CHANGES b/CHANGES index bcfae0a349..384abf882f 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + [Rich Salz and Ismo Puustinen ] + *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites from RFC4279, RFC4785, RFC5487, RFC5489. diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index e030cfa1e9..a4fae17667 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -132,18 +132,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, bits = (bits + 63) / 64 * 64; - /* - * NB: seed_len == 0 is special case: copy generated seed to seed_in if - * it is not NULL. - */ - if (seed_len && (seed_len < (size_t)qsize)) - seed_in = NULL; /* seed buffer too small -- ignore */ - if (seed_len > (size_t)qsize) - seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger - * SEED, but our internal buffers are - * restricted to 160 bits */ - if (seed_in != NULL) + if (seed_in != NULL) { + if (seed_len < (size_t)qsize) + return 0; + if (seed_len > (size_t)qsize) { + /* Don't overflow seed local variable. */ + seed_len = qsize; + } memcpy(seed, seed_in, seed_len); + } if ((ctx = BN_CTX_new()) == NULL) goto err; @@ -166,20 +163,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, for (;;) { for (;;) { /* find q */ - int seed_is_random; + int seed_is_random = seed_in == NULL; /* step 1 */ if (!BN_GENCB_call(cb, 0, m++)) goto err; - if (!seed_len) { + if (seed_is_random) { if (RAND_bytes(seed, qsize) <= 0) goto err; - seed_is_random = 1; } else { - seed_is_random = 0; - seed_len = 0; /* use random seed if 'seed_in' turns out to - * be bad */ + /* If we come back through, use random seed next time. */ + seed_in = NULL; } memcpy(buf, seed, qsize); memcpy(buf2, seed, qsize); diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod index d2a0418b52..92c89a07eb 100644 --- a/doc/crypto/DSA_generate_parameters.pod +++ b/doc/crypto/DSA_generate_parameters.pod @@ -23,13 +23,12 @@ Deprecated: DSA_generate_parameters_ex() generates primes p and q and a generator g for use in the DSA and stores the result in B. -B is the length of the prime to be generated; the DSS allows a -maximum of 1024 bits. +B is the length of the prime p to be generated. +For lengths under 2048 bits, the length of q is 160 bits; for lengths +at least 2048, it is set to 256 bits. -If B is B or B E 20, the primes will be -generated at random. Otherwise, the seed is used to generate -them. If the given seed does not yield a prime q, a new random -seed is chosen and placed at B. +If B is NULL, the primes will be generated at random. +If B is less than the length of q, an error is returned. DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -- 2.40.0