From a87030a1edf0e4c6d601895f810b2d0da84ee10a Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Sun, 30 Jan 2000 02:23:03 +0000 Subject: [PATCH] Make DSA_generate_parameters, and fix a couple of bug (including another problem in the s3_srvr.c state machine). --- CHANGES | 43 ++++++-- TABLE | 17 +++ crypto/bn/bn.h | 6 +- crypto/bn/bn_prime.c | 38 +++++-- crypto/dsa/dsa.h | 7 +- crypto/dsa/dsa_err.c | 1 - crypto/dsa/dsa_gen.c | 140 ++++++++----------------- crypto/dsa/dsatest.c | 8 +- crypto/sha/sha.h | 2 +- doc/crypto/DSA_generate_parameters.pod | 39 ++++--- ms/test.bat | 4 + ssl/s3_srvr.c | 10 +- test/Makefile.ssl | 5 +- test/testssl | 3 + util/libeay.num | 2 + 15 files changed, 186 insertions(+), 139 deletions(-) diff --git a/CHANGES b/CHANGES index 9f3af3ace4..df2f1bb467 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,35 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] + *) Bugfix: ssl3_send_server_key_exchange was not restartable + (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of + this the server could overwrite ephemeral keys that the client + has already seen). + [Bodo Moeller] + + *) Turn DSA_is_prime into a macro that calls BN_is_prime, + using 50 iterations of the Rabin-Miller test. + + DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 + iterations of the Rabin-Miller test as required by the appendix + to FIPS PUB 186[-1]) instead of DSA_is_prime. + As BN_is_prime_fasttest includes trial division, DSA parameter + generation becomes much faster. + + This implies a change for the callback functions in DSA_is_prime + and DSA_generate_parameters: They are now called once for each + positive witness in the Rabin-Miller test, not just occasionally + in the inner loop; and the parameters to the callback function now + provide an iteration count for the outer loop rather than for the + current invocation of the inner loop. + [Bodo Moeller] + + *) New functions BN_is_prime_fasttest that optionally does trial + division before starting the Rabin-Miller test and has + an additional BN_CTX * argument (whereas BN_is_prime always + has to allocate at least one BN_CTX). + [Bodo Moeller] + *) Fix for bug in CRL encoding. The validity dates weren't being handled as ASN1_TIME. [Steve Henson] @@ -11,10 +40,6 @@ *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. [Steve Henson] - *) Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when - generating DSA primes. - [Ulf Möller] - *) New function BN_pseudo_rand(). [Ulf Möller] @@ -41,7 +66,10 @@ *) Make BN_generate_prime() return NULL on error if ret!=NULL. [Ulf Möller] - *) Retain source code compatibility for BN_prime_checks macro. + *) Retain source code compatibility for BN_prime_checks macro: + BN_is_prime(..., BN_prime_checks, ...) now uses + BN_prime_checks_for_size to determine the appropriate number of + Rabin-Miller iterations. [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to @@ -114,10 +142,9 @@ *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes - instead of only 2 for all lengths; see BN_prime_checks_size definition + instead of only 2 for all lengths; see BN_prime_checks_for_size definition in crypto/bn/bn_prime.c for the complete table). This guarantees a - false-positive rate of at most 2^-80 (actually less because we are - additionally doing trial division) for random input. + false-positive rate of at most 2^-80 for random input. [Bodo Moeller] *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. diff --git a/TABLE b/TABLE index fd08b7c2b8..1d266a8c77 100644 --- a/TABLE +++ b/TABLE @@ -663,6 +663,23 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o +*** debug-levitte-linux-elf +$cc = gcc +$cflags = -DRL_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = + *** debug-linux-elf $cc = gcc $cflags = -DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 93e2f6f2bd..e88291d62c 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -292,7 +292,7 @@ typedef struct bn_recp_ctx_st * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; * original paper: Damgaard, Landrock, Pomerance: Average case error estimates * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */ -#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \ +#define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ (b) >= 850 ? 3 : \ (b) >= 650 ? 4 : \ (b) >= 550 ? 5 : \ @@ -406,6 +406,10 @@ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add, BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg); int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *), BN_CTX *ctx,void *cb_arg); +int BN_is_prime_fasttest(BIGNUM *p,int nchecks, + void (*callback)(int,int,void *), + BN_CTX *ctx,BN_CTX *ctx2,void *cb_arg, + int do_trial_division); void ERR_load_BN_strings(void ); BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w); diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index 84f0699b9b..e679c7c822 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -84,7 +84,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add, int found=0; int i,j,c1=0; BN_CTX *ctx; - int checks = BN_prime_checks_size(bits); + int checks = BN_prime_checks_for_size(bits); ctx=BN_CTX_new(); if (ctx == NULL) goto err; @@ -154,10 +154,12 @@ err: return(found ? rnd : NULL); } -int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), - BN_CTX *ctx_passed, void *cb_arg) +int BN_is_prime_fasttest(BIGNUM *a, int checks, + void (*callback)(int,int,void *), + BN_CTX *ctx_passed, BN_CTX *ctx2_passed, void *cb_arg, + int do_trial_division) { - int i,j,c2=0,ret= -1; + int i,j,ret= -1; BIGNUM *check; BN_CTX *ctx=NULL,*ctx2=NULL; BN_MONT_CTX *mont=NULL; @@ -165,17 +167,25 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), if (checks == BN_prime_checks) { int bits = BN_num_bits(a); - checks = BN_prime_checks_size(bits); + checks = BN_prime_checks_for_size(bits); } if (!BN_is_odd(a)) return(0); + if (do_trial_division) + for (i = 1; i < NUMPRIMES; i++) + if (BN_mod_word(a, primes[i]) == 0) + return 0; + if (ctx_passed != NULL) ctx=ctx_passed; else if ((ctx=BN_CTX_new()) == NULL) goto err; + if (ctx2_passed != NULL) + ctx2=ctx2_passed; + else + if ((ctx2=BN_CTX_new()) == NULL) goto err; - if ((ctx2=BN_CTX_new()) == NULL) goto err; if ((mont=BN_MONT_CTX_new()) == NULL) goto err; check= &(ctx->bn[ctx->tos++]); @@ -185,7 +195,9 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), for (i=0; i= 0) + BN_sub(check, check, a); j=witness(check,a,ctx,ctx2,mont); if (j == -1) goto err; if (j) @@ -193,20 +205,26 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), ret=0; goto err; } - if (callback != NULL) callback(1,c2++,cb_arg); + if (callback != NULL) callback(1,i,cb_arg); } ret=1; err: ctx->tos--; if ((ctx_passed == NULL) && (ctx != NULL)) BN_CTX_free(ctx); - if (ctx2 != NULL) + if ((ctx2_passed == NULL) && (ctx2 != NULL)) BN_CTX_free(ctx2); if (mont != NULL) BN_MONT_CTX_free(mont); return(ret); } +int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), + BN_CTX *ctx_passed, void *cb_arg) + { + return BN_is_prime_fasttest(a, checks, callback, ctx_passed, NULL, cb_arg, 0); + } + static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx, BN_CTX *ctx2, BN_MONT_CTX *mont) { @@ -274,7 +292,7 @@ err: static int probable_prime(BIGNUM *rnd, int bits) { int i; - MS_STATIC BN_ULONG mods[NUMPRIMES]; + BN_ULONG mods[NUMPRIMES]; BN_ULONG delta,d; again: diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h index 3da104b6dd..e59c7d293f 100644 --- a/crypto/dsa/dsa.h +++ b/crypto/dsa/dsa.h @@ -197,7 +197,11 @@ int DSAparams_print_fp(FILE *fp, DSA *x); int DSA_print_fp(FILE *bp, DSA *x, int off); #endif -int DSA_is_prime(BIGNUM *q,void (*callback)(),void *cb_arg); +#define DSS_prime_checks 50 +/* Primality test according to FIPS PUB 186[-1], Appendix 2.1: + * 50 rounds of Rabin-Miller */ +#define DSA_is_prime(n, callback, cb_arg) \ + BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) #ifndef NO_DH /* Convert DSA structure (key or just parameters) into DH structure @@ -218,7 +222,6 @@ DH *DSA_dup_DH(DSA *r); #define DSA_F_DSAPARAMS_PRINT_FP 101 #define DSA_F_DSA_DO_SIGN 112 #define DSA_F_DSA_DO_VERIFY 113 -#define DSA_F_DSA_IS_PRIME 102 #define DSA_F_DSA_NEW 103 #define DSA_F_DSA_PRINT 104 #define DSA_F_DSA_PRINT_FP 105 diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 33a8270afd..38e4af968c 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -70,7 +70,6 @@ static ERR_STRING_DATA DSA_str_functs[]= {ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0), "DSAparams_print_fp"}, {ERR_PACK(0,DSA_F_DSA_DO_SIGN,0), "DSA_do_sign"}, {ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0), "DSA_do_verify"}, -{ERR_PACK(0,DSA_F_DSA_IS_PRIME,0), "DSA_is_prime"}, {ERR_PACK(0,DSA_F_DSA_NEW,0), "DSA_new"}, {ERR_PACK(0,DSA_F_DSA_PRINT,0), "DSA_print"}, {ERR_PACK(0,DSA_F_DSA_PRINT_FP,0), "DSA_print_fp"}, diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 5df9132dd8..f7e0b585a1 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -59,12 +59,18 @@ #undef GENUINE_DSA #ifdef GENUINE_DSA +/* Parameter generation follows the original release of FIPS PUB 186, + * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */ #define HASH SHA #else +/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186, + * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in + * FIPS PUB 180-1) */ #define HASH SHA1 #endif #ifndef NO_SHA + #include #include #include "cryptlib.h" @@ -74,8 +80,8 @@ #include DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, void (*callback)(), - void *cb_arg) + int *counter_ret, unsigned long *h_ret, void (*callback)(), + void *cb_arg) { int ok=0; unsigned char seed[SHA_DIGEST_LENGTH]; @@ -86,19 +92,26 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, BN_MONT_CTX *mont=NULL; int k,n=0,i,b,m=0; int counter=0; - BN_CTX *ctx=NULL,*ctx2=NULL; + int r=0; + BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL,*ctx4=NULL; unsigned int h=2; DSA *ret=NULL; if (bits < 512) bits=512; bits=(bits+63)/64*64; - if (seed_len < 20) seed_in = NULL; + if (seed_len < 20) + seed_in = NULL; /* seed buffer too small -- ignore */ + if (seed_len > 20) + seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED, + * but our internal buffers are restricted to 160 bits*/ if ((seed_in != NULL) && (seed_len == 20)) memcpy(seed,seed_in,seed_len); if ((ctx=BN_CTX_new()) == NULL) goto err; if ((ctx2=BN_CTX_new()) == NULL) goto err; + if ((ctx3=BN_CTX_new()) == NULL) goto err; + if ((ctx4=BN_CTX_new()) == NULL) goto err; if ((ret=DSA_new()) == NULL) goto err; if ((mont=BN_MONT_CTX_new()) == NULL) goto err; @@ -116,18 +129,24 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, for (;;) { - for (;;) + for (;;) /* find q */ { + int seed_is_random = 0; + /* step 1 */ if (callback != NULL) callback(0,m++,cb_arg); if (!seed_len) + { RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH); + seed_is_random = 1; + } else + /* use random seed if 'seed_in' turns out to be bad */ seed_len=0; - memcpy(buf,seed,SHA_DIGEST_LENGTH); memcpy(buf2,seed,SHA_DIGEST_LENGTH); + /* precompute "SEED + 1" for step 7: */ for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) { buf[i]++; @@ -146,7 +165,12 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err; /* step 4 */ - if (BN_is_prime(q,BN_prime_checks,callback,NULL,cb_arg) > 0) break; + r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, ctx4, cb_arg, seed_is_random); + if (r > 0) + break; + if (r != 0) + goto err; + /* do a callback call */ /* step 5 */ } @@ -156,16 +180,22 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, /* step 6 */ counter=0; + /* "offset = 2" */ n=(bits-1)/160; b=(bits-1)-n*160; for (;;) { + if (callback != NULL && counter != 0) + callback(0,counter,cb_arg); + /* step 7 */ BN_zero(W); + /* now 'buf' contains "SEED + offset - 1" */ for (k=0; k<=n; k++) { + /* obtain "SEED + offset + k" by incrementing: */ for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) { buf[i]++; @@ -196,17 +226,19 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (BN_cmp(p,test) >= 0) { /* step 11 */ - if (BN_is_prime(p,BN_prime_checks,callback,NULL,cb_arg) > 0) - goto end; + r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, ctx4, cb_arg, 1); + if (r > 0) + goto end; /* found it */ + if (r != 0) + goto err; } /* step 13 */ counter++; + /* "offset = offset + n + 1" */ /* step 14 */ if (counter >= 4096) break; - - if (callback != NULL) callback(0,counter,cb_arg); } } end: @@ -247,90 +279,10 @@ err: if (h_ret != NULL) *h_ret=h; } if (ctx != NULL) BN_CTX_free(ctx); - if (ctx != NULL) BN_CTX_free(ctx2); + if (ctx2 != NULL) BN_CTX_free(ctx2); + if (ctx3 != NULL) BN_CTX_free(ctx3); + if (ctx4 != NULL) BN_CTX_free(ctx4); if (mont != NULL) BN_MONT_CTX_free(mont); return(ok?ret:NULL); } - -int DSA_is_prime(BIGNUM *w, void (*callback)(), void *cb_arg) - { - int ok= -1,j,i,n; - BN_CTX *ctx=NULL,*ctx2=NULL; - BIGNUM *w_1,*b,*m,*z,*tmp,*mont_1; - int a; - BN_MONT_CTX *mont=NULL; - - if (!BN_is_odd(w)) return(0); - - if ((ctx=BN_CTX_new()) == NULL) goto err; - if ((ctx2=BN_CTX_new()) == NULL) goto err; - if ((mont=BN_MONT_CTX_new()) == NULL) goto err; - - m= &(ctx2->bn[2]); - b= &(ctx2->bn[3]); - z= &(ctx2->bn[4]); - w_1= &(ctx2->bn[5]); - tmp= &(ctx2->bn[6]); - mont_1= &(ctx2->bn[7]); - - /* step 1 */ - n=BN_prime_checks_size(BN_num_bits(w)); - - /* step 2 */ - if (!BN_sub(w_1,w,BN_value_one())) goto err; - for (a=1; !BN_is_bit_set(w_1,a); a++) - ; - if (!BN_rshift(m,w_1,a)) goto err; - - BN_MONT_CTX_set(mont,w,ctx); - BN_to_montgomery(mont_1,BN_value_one(),mont,ctx); - BN_to_montgomery(w_1,w_1,mont,ctx); - for (i=1; i < n; i++) - { - /* step 3 */ - if (!BN_pseudo_rand(b,BN_num_bits(w)-2/*-1*/,0,0)) - goto err; - /* BN_set_word(b,0x10001L); */ - - /* step 4 */ - j=0; - if (!BN_mod_exp_mont(z,b,m,w,ctx,mont)) goto err; - - if (!BN_to_montgomery(z,z,mont,ctx)) goto err; - - /* step 5 */ - for (;;) - { - if (((j == 0) && (BN_cmp(z,mont_1) == 0)) || - (BN_cmp(z,w_1) == 0)) - break; - - /* step 6 */ - if ((j > 0) && (BN_cmp(z,mont_1) == 0)) - { - ok=0; - goto err; - } - - j++; - if (j >= a) - { - ok=0; - goto err; - } - - if (!BN_mod_mul_montgomery(z,z,z,mont,ctx)) goto err; - if (callback != NULL) callback(1,j,cb_arg); - } - } - - ok=1; -err: - if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB); - BN_CTX_free(ctx); - BN_CTX_free(ctx2); - BN_MONT_CTX_free(mont); - - return(ok); - } #endif diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c index a30dae6b72..f096ed0688 100644 --- a/crypto/dsa/dsatest.c +++ b/crypto/dsa/dsatest.c @@ -85,6 +85,9 @@ int main(int argc, char *argv[]) #endif static void MS_CALLBACK dsa_cb(int p, int n, char *arg); + +/* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to + * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ static unsigned char seed[20]={ 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40, 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3, @@ -141,9 +144,8 @@ int main(int argc, char **argv) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); BIO_printf(bio_err,"test generation of DSA parameters\n"); - BIO_printf(bio_err,"expect '.*' followed by 3 lines of '.'s and '+'s\n"); - dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb, - (char *)bio_err); + + dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,(char *)bio_err); BIO_printf(bio_err,"seed\n"); for (i=0; i<20; i+=4) diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h index 96daa968fe..5e9cf20cc8 100644 --- a/crypto/sha/sha.h +++ b/crypto/sha/sha.h @@ -63,7 +63,7 @@ extern "C" { #endif -#if defined(NO_SHA) || defined(NO_SHA0) || defined(NO_SHA1) +#if defined(NO_SHA) || (defined(NO_SHA0) && defined(NO_SHA1)) #error SHA is disabled. #endif diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod index 1058c5eb44..bae4e1b560 100644 --- a/doc/crypto/DSA_generate_parameters.pod +++ b/doc/crypto/DSA_generate_parameters.pod @@ -20,14 +20,14 @@ for use in the DSA. B is the length of the prime to be generated; the DSS allows a maximum of 1024 bits. -If B is NULL or B E 20, the primes will be +If B is B or B E 20, the primes will be generated at random. Otherwise, the seed is used to generate them. If the given seed does not yield a prime q, a new random seed is chosen and placed at B. DSA_generate_parameters() places the iteration count in *B and a counter used for finding a generator in -*B, unless these are NULL. +*B, unless these are B. A callback function may be used to provide feedback about the progress of the key generation. If B is not B, it will be @@ -37,13 +37,15 @@ called as follows: =item * -When the the m-th candidate for q is generated, B is called. +When a candidate for q is generated, B is called +(m is 0 for the first candidate). =item * -B is called in the inner loop of the -Miller-Rabin primality test. +While a candidate for q is tested, B +is called in the outer loop of the Miller-Rabin primality tests +(once for each witness that confirms that the candidate may be prime). +i is the loop counter (starting at 0). =item * @@ -52,10 +54,15 @@ B are called. =item * -While candidates for p are being tested, B -is called in the inner loop of the Miller-Rabin primality test, then -B is called when the next candidate -is chosen. +Before a candidate for p (other than the first) is generated and tested, +B is called. + +=item * + +While a candidate for p is tested, B +is called in the outer loop of the Miller-Rabin primality test +(once for each witness that confirms that the candidate may be prime). +i is the loop counter (starting at 0). =item * @@ -70,15 +77,11 @@ When the generator has been found, B is called. =head1 RETURN VALUE DSA_generate_parameters() returns a pointer to the DSA structure, or -NULL if the parameter generation fails. The error codes can be +B if the parameter generation fails. The error codes can be obtained by L. =head1 BUGS -The deterministic generation of p does not follow the NIST algorithm: -r0 is SHA1(s+k+1), but should be SHA1(s+j+k) with j_0=2, -j_counter=j_counter-1 + n + 1. - Seed lengths E 20 are not supported. =head1 SEE ALSO @@ -90,5 +93,9 @@ L DSA_generate_parameters() appeared in SSLeay 0.8. The B argument was added in SSLeay 0.9.0. - +In versions up to OpenSSL 0.9.4, B was called +in the inner loop of the Miller-Rabin test whenever it reached the +squaring step (the parameters to B did not reveal how many +witnesses had been tested); since OpenSSL 0.9.5, B +is called as in BN_is_prime(3), i.e. once for each witness. =cut diff --git a/ms/test.bat b/ms/test.bat index 9a54afe065..3506a644f5 100755 --- a/ms/test.bat +++ b/ms/test.bat @@ -135,6 +135,10 @@ echo test sslv2 via BIO pair ssltest -bio_pair -ssl2 if errorlevel 1 goto done +echo test sslv2/sslv3 with 1024 bit DHE via BIO pair +ssltest -bio_pair -dhe1024 -v +if errorlevel 1 goto done + echo test sslv2 with server authentication via BIO pair ssltest -bio_pair -ssl2 -server_auth -CAfile cert.tmp if errorlevel 1 goto done diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index d6158dbc65..ce68732e60 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -963,6 +963,14 @@ static int ssl3_send_server_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); goto f_err; } + + if (s->s3->tmp.dh != NULL) + { + DH_free(dh); + SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR); + goto err; + } + if ((dh=DHparams_dup(dhp)) == NULL) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); @@ -1109,7 +1117,7 @@ static int ssl3_send_server_key_exchange(SSL *s) s->init_off=0; } - /* SSL3_ST_SW_KEY_EXCH_B */ + s->state = SSL3_ST_SW_KEY_EXCH_B; return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); diff --git a/test/Makefile.ssl b/test/Makefile.ssl index 6507b2f6ff..6607f63f9d 100644 --- a/test/Makefile.ssl +++ b/test/Makefile.ssl @@ -197,12 +197,13 @@ test_verify: ../apps/openssl verify -CApath ../certs ../certs/*.pem test_dh: - @echo "Generate as set of DH parameters" + @echo "Generate a set of DH parameters" ./$(DHTEST) test_dsa: - @echo "Generate as set of DSA parameters" + @echo "Generate a set of DSA parameters" ./$(DSATEST) + ./$(DSATEST) -app2_1 test_gen: @echo "Generate and verify a certificate request" diff --git a/test/testssl b/test/testssl index 1d04b939f3..a88e290c57 100644 --- a/test/testssl +++ b/test/testssl @@ -66,6 +66,9 @@ echo test sslv2/sslv3 via BIO pair echo test sslv2/sslv3 w/o DHE via BIO pair ./ssltest -bio_pair -no_dhe || exit 1 +echo test sslv2/sslv3 with 1024bit DHE +./ssltest -bio_pair -dhe1024 -v || exit 1 + echo test sslv2/sslv3 with server authentication ./ssltest -bio_pair -server_auth -CApath ../certs || exit 1 diff --git a/util/libeay.num b/util/libeay.num index 8fe12da3bc..b65e8f79a6 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2211,3 +2211,5 @@ sk_CRYPTO_EX_DATA_FUNCS_num 2235 sk_CRYPTO_EX_DATA_FUNCS_pop_free 2236 sk_CRYPTO_EX_DATA_FUNCS_insert 2237 sk_CRYPTO_EX_DATA_FUNCS_zero 2238 +BN_pseudo_rand 2239 +BN_is_prime_fasttest 2240 -- 2.25.1