From 57e7d3ce1546fc6026ffe3f1f243c54d0bb59d3e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ulf=20M=C3=B6ller?= Date: Wed, 7 Feb 2001 22:24:35 +0000 Subject: [PATCH] Bleichenbacher's DSA attack --- CHANGES | 4 ++++ crypto/bn/bn.h | 1 + crypto/bn/bn_rand.c | 11 +++++++++++ crypto/dsa/dsa_ossl.c | 8 +------- doc/crypto/BN_rand.pod | 13 ++++++++++--- doc/crypto/bn.pod | 1 + 6 files changed, 28 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index a51cd20c8c..3e2d97daaa 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,10 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2000] + *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent + Bleichenbacher's DSA attack. + [Ulf Moeller] + *) Update Rijndael code to version 3.0 and change EVP AES ciphers to handle the new API. Currently only ECB, CBC modes supported. Add new AES OIDs. Add TLS AES ciphersuites as described in the "AES Ciphersuites diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 47e355ea9d..be4e7ae2ba 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -329,6 +329,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index bab4510345..f2c79b5e31 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -168,3 +168,14 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) return bnrand(2, rnd, bits, top, bottom); } #endif + +/* random number r: min <= r < max */ +int BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *max) + { + int n = BN_num_bits(max); + do + { + if (!BN_rand(r, n, 0, 0)) return 0; + } while ((min && BN_cmp(r, min) < 0) || BN_cmp(r, max) >= 0); + return 1; + } diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 4b600fa731..7304037947 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -180,13 +180,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - for (;;) - { - if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err; - if (BN_cmp(&k,dsa->q) >= 0) - BN_sub(&k,&k,dsa->q); - if (!BN_is_zero(&k)) break; - } + if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err; if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index 33363c981f..dc93949246 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod @@ -12,6 +12,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -25,11 +27,15 @@ this function are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. -The PRNG must be seeded prior to calling BN_rand(). +BN_rand_range() generates a cryptographically strong pseudo-random +number B in the range B E= B E B. B +may be NULL, in that case 0 E= B E B. + +The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). =head1 RETURN VALUES -BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. +The functions return 1 on success, 0 on error. The error codes can be obtained by L. =head1 SEE ALSO @@ -40,6 +46,7 @@ L, L =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5. +BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range() +in OpenSSL 0.9.6a. =cut diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod index 224dfe166a..8558ccfcd5 100644 --- a/doc/crypto/bn.pod +++ b/doc/crypto/bn.pod @@ -68,6 +68,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); -- 2.25.1