From 628c15039fd3e20980a587b71683d786a8addcd4 Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Thu, 17 Sep 2015 21:53:43 -0400
Subject: [PATCH] This undoes GH367 for non-master
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Was only approved for master, to avoid compatibility issues on previous releases.
Reviewed-by: Emilia Käsper
(cherry picked from commit 6be18a22199de4d114b53686c31ba02723fc2c18)
---
crypto/dsa/dsa_gen.c | 33 +++++++++++++++-----------
doc/crypto/DSA_generate_parameters.pod | 11 +++++----
2 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 1f12d6b4f7..d686ab0af7 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -161,15 +161,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 bits = (bits + 63) / 64 * 64;
- if (seed_in != NULL) {
- if (seed_len < (size_t)qsize)
- return 0;
- if (seed_len > (size_t)qsize) {
- /* Only consume as much seed as is expected. */
- seed_len = qsize;
- }
+ /*
+ * NB: seed_len == 0 is special case: copy generated seed to seed_in if
+ * it is not NULL.
+ */
+ if (seed_len && (seed_len < (size_t)qsize))
+ seed_in = NULL; /* seed buffer too small -- ignore */
+ if (seed_len > (size_t)qsize)
+ seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
+ * SEED, but our internal buffers are
+ * restricted to 160 bits */
+ if (seed_in != NULL)
 memcpy(seed, seed_in, seed_len);
- }
 if ((ctx = BN_CTX_new()) == NULL)
 goto err;
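Review bot: Dropping an undersized seed by setting only `seed_in = NULL` leaves `seed_len` non-zero, so the first pass of the q loop in the next hunk takes the `else` branch of `if (!seed_len)` and copies `seed` into `buf`/`buf2` before anything has written it; unless `seed` is initialised at its declaration (outside the hunk), that first pass searches for q from uninitialised stack bytes rather than from a random seed. Clearing the length together with the pointer makes the first pass draw fresh randomness instead: `if (seed_len && (seed_len < (size_t)qsize)) { seed_in = NULL; seed_len = 0; }`. This behaviour is inherited from the code the revert restores rather than introduced by it, but the revert is the natural place to close the gap. `dsa_builtin_paramgen` starts and continues outside the hunk.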
@@ -192,18 +195,20 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 for (;;) {
 for (;;) { /* find q */
- int use_random_seed = (seed_in == NULL);
+ int seed_is_random;
 /* step 1 */
 if (!BN_GENCB_call(cb, 0, m++))
 goto err;
- if (use_random_seed) {
- if (RAND_bytes(seed, qsize) <= 0)
+ if (!seed_len) {
+ if (RAND_pseudo_bytes(seed, qsize) < 0)
 goto err;
+ seed_is_random = 1;
 } else {
- /* If we come back through, use random seed next time. */
- seed_in = NULL;
+ seed_is_random = 0;
+ seed_len = 0; /* use random seed if 'seed_in' turns out to * be bad */
 }
 memcpy(buf, seed, qsize);
 memcpy(buf2, seed, qsize);
@@ -230,7 +235,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 /* step 4 */
 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
- use_random_seed, cb);
+ seed_is_random, cb);
 if (r > 0)
 break;
 if (r != 0)
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index b64a276570..be7c924ff8 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -17,12 +17,13 @@ DSA_generate_parameters - generate DSA parameters
 DSA_generate_parameters() generates primes p and q and a generator g for use in the DSA.
-B is the length of the prime p to be generated.
-For lengths under 2048 bits, the length of q is 160 bits; for lengths
-greater than or equal to 2048 bits, the length of q is set to 256 bits.
+B is the length of the prime to be generated; the DSS allows a
+maximum of 1024 bits.
-If B is NULL, the primes will be generated at random.
-If B is less than the length of q, an error is returned.
+If B is B or B E 20, the primes will be
+generated at random. Otherwise, the seed is used to generate
+them. If the given seed does not yield a prime q, a new random
+seed is chosen and placed at B.
 DSA_generate_parameters() places the iteration count in *B and a counter used for finding a generator in
-- 2.25.1
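Review bot: `if (RAND_pseudo_bytes(seed, qsize) < 0)` only fails on -1, so a return of 0 — bytes produced but not cryptographically strong — is accepted and the p/q search proceeds from a weakly seeded generator, whereas the line it replaces rejected that case (`RAND_bytes(seed, qsize) <= 0`). If the `RAND_pseudo_bytes` call is what 1.0.2 compatibility requires, `<= 0` still keeps the failure path for an insufficiently seeded PRNG; if tolerating a 0 return is intentional, record that above the check, e.g. `/* 0 (not crypto-strong) is tolerated here for 1.0.2 compatibility */`. The enclosing loops and `dsa_builtin_paramgen` continue outside the hunk.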