From 38b3a46ffa24e7b0e2a4d2055b543910c63a0906 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ulf=20M=C3=B6ller?= Date: Wed, 7 Feb 2001 22:35:11 +0000 Subject: [PATCH] DSA fix from main branch. --- CHANGES | 4 ++++ crypto/bn/bn.h | 1 + crypto/bn/bn_rand.c | 12 ++++++++++++ crypto/dsa/dsa_ossl.c | 8 +------- doc/crypto/BN_rand.pod | 13 ++++++++++--- doc/crypto/bn.pod | 1 + 6 files changed, 29 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 6234386c74..5f3556cc7f 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.6 and 0.9.6a [xx XXX 2001] + *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent + Bleichenbacher's DSA attack. + [Ulf Moeller] + *) In the NCONF_...-based implementations for CONF_... queries (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using a temporary CONF structure with the data component set to NULL diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 68a1beca47..fe4fea55cf 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 21ecbc04ed..dfa53bc2f3 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -140,3 +140,15 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(1, rnd, bits, top, bottom); } + +/* random number r: min <= r < max */ +int BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *max) + { + int n = BN_num_bits(max); + do + { + if (!BN_rand(r, n, 0, 0)) return 0; + } while ((min && BN_cmp(r, min) < 0) || BN_cmp(r, max) >= 0); + return 1; + } + diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 094356518f..28e5a9e407 100644 
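Review bot: BN_rand_range() in crypto/bn/bn_rand.c never validates its range, so the do/while has no exit when no value can satisfy it. If `max` is zero or negative, or `min` is not below `max`, every draw fails `BN_cmp(r, min) < 0` or `BN_cmp(r, max) >= 0`, and the loop spins for as long as BN_rand() keeps returning success. Reject those ranges before the loop, for example `if (BN_is_zero(max) || max->neg) return 0;` followed by `if (min && BN_cmp(min, max) >= 0) return 0;`. The new caller in dsa_sign_setup() passes `dsa->q` straight in, and whether q is checked anywhere before signing is not visible in this patch, so a DSA structure with q <= 1 would presumably hang there instead of failing.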
--- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -179,13 +179,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - for (;;) - { - if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err; - if (BN_cmp(&k,dsa->q) >= 0) - BN_sub(&k,&k,dsa->q); - if (!BN_is_zero(&k)) break; - } + if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err; if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index 33363c981f..dc93949246 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod @@ -12,6 +12,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -25,11 +27,15 @@ this function are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. -The PRNG must be seeded prior to calling BN_rand(). +BN_rand_range() generates a cryptographically strong pseudo-random +number B in the range B E= B E B. B +may be NULL, in that case 0 E= B E B. + +The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). =head1 RETURN VALUES -BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. +The functions return 1 on success, 0 on error. The error codes can be obtained by L. =head1 SEE ALSO @@ -40,6 +46,7 @@ L, L =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5. +BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range() +in OpenSSL 0.9.6a. =cut diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod index 1504a1c92d..b0492c634a 100644 --- a/doc/crypto/bn.pod +++ b/doc/crypto/bn.pod 
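Review bot: The `/* Get random k */` comment kept above the new BN_rand_range() call in dsa_sign_setup() does not record why k has to be drawn this way. The removed loop folded out-of-range draws back with BN_sub(), which makes small values of k more likely than large ones, and the CHANGES entry ties this fix to Bleichenbacher's DSA attack. I would state the invariant at the call site so a later cleanup does not bring the reduction back: `/* Get random k, uniform in [1, q-1]: reject and redraw, never reduce an out-of-range value mod q (biased k leaks the private key) */`. The body of dsa_sign_setup() continues outside this hunk, so how k is cleared afterwards cannot be judged from here.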
@@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); -- 2.25.1