Fix dsa keygen for too-short seed

If the seed value for dsa key generation is too short (< qsize), return an error. (Imported from upstream's 1d7df236dcb4f7c95707110753e5e77b19b9a0aa and df1565ed9cebb6933ee7c6e762abcfefd1cd3846.) This switches the trigger for random seed from seed_len = 0 to seed_in = NULL. Change-Id: I2e07abed754c57ef9d96b02a52ba6d260c3f5fb9 Reviewed-on: https://boringssl-review.googlesource.com/5781 Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 00:18:22 -04:00 · 2015-09-01 00:18:22 -04:00 · 8d100366e5
commit 8d100366e5
parent ee0b02a10d
1 changed files with 12 additions and 16 deletions
--- a/crypto/dsa/dsa_impl.c
+++ b/crypto/dsa/dsa_impl.c
@ -487,16 +487,14 @@ static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,

  bits = (bits + 63) / 64 * 64;

-  /* NB: seed_len == 0 is special case: copy generated seed to
-   * seed_in if it is not NULL. */
-  if (seed_len && (seed_len < (size_t)qsize)) {
-    seed_in = NULL; /* seed buffer too small -- ignore */
-  }
-  if (seed_len > (size_t)qsize) {
-    seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
-                       * but our internal buffers are restricted to 160 bits*/
-  }
  if (seed_in != NULL) {
+    if (seed_len < (size_t)qsize) {
+      return 0;
+    }
+    if (seed_len > (size_t)qsize) {
+      /* Only consume as much seed as is expected. */
+      seed_len = qsize;
+    }
    memcpy(seed, seed_in, seed_len);
  }

@ -527,21 +525,19 @@ static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,
  for (;;) {
    /* Find q. */
    for (;;) {
-      int seed_is_random;
-
      /* step 1 */
      if (!BN_GENCB_call(cb, 0, m++)) {
        goto err;
      }

-      if (!seed_len) {
+      int use_random_seed = (seed_in == NULL);
+      if (use_random_seed) {
        if (!RAND_bytes(seed, qsize)) {
          goto err;
        }
-        seed_is_random = 1;
      } else {
-        seed_is_random = 0;
-        seed_len = 0; /* use random seed if 'seed_in' turns out to be bad*/
+        /* If we come back through, use random seed next time. */
+        seed_in = NULL;
      }
      memcpy(buf, seed, qsize);
      memcpy(buf2, seed, qsize);
@ -570,7 +566,7 @@ static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,
      }

      /* step 4 */
-      r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb);
+      r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);
      if (r > 0) {
        break;
      }