[openssl-dev] [openssl-commits] [openssl] master update

Kaduk, Ben bkaduk at akamai.com
Fri Aug 28 15:26:36 UTC 2015 

Hi Rich, Ismo,

I'm surprised this doesn't cause the compiler to warn/error out (inline)

On 8/27/15, 21:57, "Rich Salz" <rsalz at openssl.org> wrote:

>The branch master has been updated
>       via  f00a10b89734e84fe80f98ad9e2e77b557c701ae (commit)
>      from  3c65047d30dacca345d30269b95af4a5c413e8d1 (commit)
>
>
>- Log -----------------------------------------------------------------
>commit f00a10b89734e84fe80f98ad9e2e77b557c701ae
>Author: Ismo Puustinen <ismo.puustinen at intel.com>
>Date:   Fri Aug 7 22:14:47 2015 -0400
>
>    GH367: Fix dsa keygen for too-short seed
>    
>    If the seed value for dsa key generation is too short (< qsize),
>    return an error. Also update the documentation.
>    
>    Signed-off-by: Rich Salz <rsalz at akamai.com>
>    Reviewed-by: Emilia Käsper <emilia at openssl.org>
>
>-----------------------------------------------------------------------
>
>diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
>index e030cfa..a4fae17 100644
>--- a/crypto/dsa/dsa_gen.c
>+++ b/crypto/dsa/dsa_gen.c
>@@ -132,18 +132,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits,
>size_t qbits,
> 
>     bits = (bits + 63) / 64 * 64;
> 
>-    /*
>-     * NB: seed_len == 0 is special case: copy generated seed to seed_in
>if
>-     * it is not NULL.
>-     */
>-    if (seed_len && (seed_len < (size_t)qsize))
>-        seed_in = NULL;         /* seed buffer too small -- ignore */
>-    if (seed_len > (size_t)qsize)
>-        seed_len = qsize;       /* App. 2.2 of FIPS PUB 186 allows larger
>-                                 * SEED, but our internal buffers are
>-                                 * restricted to 160 bits */
>-    if (seed_in != NULL)
>+    if (seed_in != NULL) {
>+        if (seed_len < (size_t)qsize)
>+            return 0;
>+        if (seed_len > (size_t)qsize) {
>+            /* Don't overflow seed local variable. */

The comment and code here are a slight mismatch, since qsize is
dynamically computed (but limited to three values, the largest of which is
used to size the local variable).  It's not clear that using
SHA256_DIGEST_LENGTH for the check would actually be better, though.

>+            seed_len = qsize;
>+        }
>         memcpy(seed, seed_in, seed_len);
>+    }
> 
>     if ((ctx = BN_CTX_new()) == NULL)
>         goto err;
>@@ -166,20 +163,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits,
>size_t qbits,
> 
>     for (;;) {
>         for (;;) {              /* find q */
>-            int seed_is_random;
>+            int seed_is_random = seed_in == NULL;

This part seems really bogus; seed_is_random is an int, but seed_in is
const unsigned char *; the assignment makes no sense.

> 
>             /* step 1 */
>             if (!BN_GENCB_call(cb, 0, m++))
>                 goto err;
> 
>-            if (!seed_len) {
>+            if (seed_is_random) {

and this chunk can never execute since seed_is_random was just set to 0
(er, NULL).
I guess the intent is to declare the variable in the outer loop?

>                 if (RAND_bytes(seed, qsize) <= 0)
>                     goto err;
>-                seed_is_random = 1;
>             } else {
>-                seed_is_random = 0;
>-                seed_len = 0;   /* use random seed if 'seed_in' turns
>out to
>-                                 * be bad */
>+                /* If we come back through, use random seed next time. */
>+                seed_in = NULL;

and seed_in is never read after this point.

>             }
>             memcpy(buf, seed, qsize);
>             memcpy(buf2, seed, qsize);
>diff --git a/doc/crypto/DSA_generate_parameters.pod
>b/doc/crypto/DSA_generate_parameters.pod
>index d2a0418..92c89a0 100644
>--- a/doc/crypto/DSA_generate_parameters.pod
>+++ b/doc/crypto/DSA_generate_parameters.pod
>@@ -23,13 +23,12 @@ Deprecated:
> DSA_generate_parameters_ex() generates primes p and q and a generator g
> for use in the DSA and stores the result in B<dsa>.
> 
>-B<bits> is the length of the prime to be generated; the DSS allows a
>-maximum of 1024 bits.
>+B<bits> is the length of the prime p to be generated.
>+For lengths under 2048 bits, the length of q is 160 bits; for lengths
>+at least 2048, it is set to 256 bits.

The grammar here is slightly unusual; "for lengths of at least 2048 bits"
or "for lengths 2048 bits and larger" would feel more natural to me.

-Ben

> 
>-If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
>-generated at random. Otherwise, the seed is used to generate
>-them. If the given seed does not yield a prime q, a new random
>-seed is chosen and placed at B<seed>.
>+If B<seed> is NULL, the primes will be generated at random.
>+If B<seed_len> is less than the length of q, an error is returned.
> 
> DSA_generate_parameters_ex() places the iteration count in
> *B<counter_ret> and a counter used for finding a generator in
>_____
>openssl-commits mailing list
>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
>

More information about the openssl-dev mailing list