Fix dsa keygen for too-short seed

If the seed value for dsa key generation is too short (< qsize),
return an error.

(Imported from upstream's 1d7df236dcb4f7c95707110753e5e77b19b9a0aa and
df1565ed9cebb6933ee7c6e762abcfefd1cd3846.)

This switches the trigger for random seed from seed_len = 0 to seed_in =
NULL.

Change-Id: I2e07abed754c57ef9d96b02a52ba6d260c3f5fb9
Reviewed-on: https://boringssl-review.googlesource.com/5781
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2015-09-01 00:18:22 -04:00 committed by Adam Langley
parent ee0b02a10d
commit 8d100366e5

View File

@ -487,16 +487,14 @@ static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,
bits = (bits + 63) / 64 * 64; bits = (bits + 63) / 64 * 64;
/* NB: seed_len == 0 is special case: copy generated seed to
* seed_in if it is not NULL. */
if (seed_len && (seed_len < (size_t)qsize)) {
seed_in = NULL; /* seed buffer too small -- ignore */
}
if (seed_len > (size_t)qsize) {
seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
* but our internal buffers are restricted to 160 bits*/
}
if (seed_in != NULL) { if (seed_in != NULL) {
if (seed_len < (size_t)qsize) {
return 0;
}
if (seed_len > (size_t)qsize) {
/* Only consume as much seed as is expected. */
seed_len = qsize;
}
memcpy(seed, seed_in, seed_len); memcpy(seed, seed_in, seed_len);
} }
@ -527,21 +525,19 @@ static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,
for (;;) { for (;;) {
/* Find q. */ /* Find q. */
for (;;) { for (;;) {
int seed_is_random;
/* step 1 */ /* step 1 */
if (!BN_GENCB_call(cb, 0, m++)) { if (!BN_GENCB_call(cb, 0, m++)) {
goto err; goto err;
} }
if (!seed_len) { int use_random_seed = (seed_in == NULL);
if (use_random_seed) {
if (!RAND_bytes(seed, qsize)) { if (!RAND_bytes(seed, qsize)) {
goto err; goto err;
} }
seed_is_random = 1;
} else { } else {
seed_is_random = 0; /* If we come back through, use random seed next time. */
seed_len = 0; /* use random seed if 'seed_in' turns out to be bad*/ seed_in = NULL;
} }
memcpy(buf, seed, qsize); memcpy(buf, seed, qsize);
memcpy(buf2, seed, qsize); memcpy(buf2, seed, qsize);
@ -570,7 +566,7 @@ static int paramgen(DSA *ret, unsigned bits, const uint8_t *seed_in,
} }
/* step 4 */ /* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb); r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);
if (r > 0) { if (r > 0) {
break; break;
} }