From: Rich Salz
Date: Fri, 18 Sep 2015 01:53:43 +0000 (-0400)
Subject: This undoes GH367 for non-master
X-Git-Tag: OpenSSL_1_0_2e~84
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6be18a22199de4d114b53686c31ba02723fc2c18;p=oweals%2Fopenssl.git

This undoes GH367 for non-master

Was only approved for master, to avoid compatibility issues on previous releases.

Reviewed-by: Emilia Käsper
---
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index f65790c58c..5a328aaab5 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -163,15 +163,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 bits = (bits + 63) / 64 * 64;
- if (seed_in != NULL) {
- if (seed_len < (size_t)qsize)
- return 0;
- if (seed_len > (size_t)qsize) {
- /* Only consume as much seed as is expected. */
- seed_len = qsize;
- }
+ /*
+ * NB: seed_len == 0 is special case: copy generated seed to seed_in if
+ * it is not NULL.
+ */
+ if (seed_len && (seed_len < (size_t)qsize))
+ seed_in = NULL; /* seed buffer too small -- ignore */
+ if (seed_len > (size_t)qsize)
+ seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
+ * SEED, but our internal buffers are
+ * restricted to 160 bits */
+ if (seed_in != NULL)
 memcpy(seed, seed_in, seed_len);
- }
 if ((ctx = BN_CTX_new()) == NULL)
 goto err;
@@ -194,18 +197,20 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 for (;;) {
 for (;;) { /* find q */
- int use_random_seed = (seed_in == NULL);
+ int seed_is_random;
 /* step 1 */
 if (!BN_GENCB_call(cb, 0, m++))
 goto err;
- if (use_random_seed) {
- if (RAND_bytes(seed, qsize) <= 0)
+ if (!seed_len) {
+ if (RAND_pseudo_bytes(seed, qsize) < 0)
 goto err;
+ seed_is_random = 1;
 } else {
- /* If we come back through, use random seed next time. */
- seed_in = NULL;
+ seed_is_random = 0;
+ seed_len = 0; /* use random seed if 'seed_in' turns out to
+ * be bad */
 }
 memcpy(buf, seed, qsize);
 memcpy(buf2, seed, qsize);
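Review bot: The restored too-small-seed guard sets `seed_in = NULL` but leaves `seed_len` non-zero, so on the first pass the `if (!seed_len)` test in the next hunk takes the else branch and hashes whatever `seed` already holds — the memcpy from `seed_in` was skipped, so nothing was written into it — as though it were the caller's seed; if `seed` is not initialised at its declaration (outside this hunk) that is a read of indeterminate stack bytes, and a q derived from them is treated like any other candidate before the fallback to a random seed takes effect. The guard should clear both variables: `if (seed_len && (seed_len < (size_t)qsize)) { seed_in = NULL; seed_len = 0; }`. The restored trailing comment `restricted to 160 bits` also no longer describes the code, which truncates to `qsize` rather than a fixed 20 bytes (the removed documentation on this page mentions 256-bit q), so I would reword it to `/* ... our internal buffers hold qsize bytes */`. dsa_builtin_paramgen begins and ends outside this hunk.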
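Review bot: `if (RAND_pseudo_bytes(seed, qsize) < 0)` rejects only the -1 error return; under the 1.0.2 RAND_pseudo_bytes(3) contract a return of 0 signals output that is not cryptographically strong, and that case now continues with `seed_is_random = 1` exactly as if the seed were good. If the revert must keep the pre-GH367 call for compatibility, the check can still be tightened without touching the API, `if (RAND_pseudo_bytes(seed, qsize) <= 0)`, which is what the removed `RAND_bytes` line did; if the weaker acceptance is deliberate because the domain-parameter seed is public, that reasoning deserves a comment on this line rather than being implicit. The enclosing `for (;;)` loops and dsa_builtin_paramgen continue outside the hunk.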
@@ -232,7 +237,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 /* step 4 */
 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
- use_random_seed, cb);
+ seed_is_random, cb);
 if (r > 0)
 break;
 if (r != 0)
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index 116ff096a0..16a67f22b0 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -23,12 +23,13 @@ Deprecated:
 DSA_generate_parameters_ex() generates primes p and q and a generator g
 for use in the DSA and stores the result in B.
-B is the length of the prime p to be generated.
-For lengths under 2048 bits, the length of q is 160 bits; for lengths
-greater than or equal to 2048 bits, the length of q is set to 256 bits.
+B is the length of the prime to be generated; the DSS allows a
+maximum of 1024 bits.
-If B is NULL, the primes will be generated at random.
-If B is less than the length of q, an error is returned.
+If B is B or B E 20, the primes will be
+generated at random. Otherwise, the seed is used to generate
+them. If the given seed does not yield a prime q, a new random
+seed is chosen and placed at B.
 DSA_generate_parameters_ex() places the iteration count in *B
 and a counter used for finding a generator in