authormarkus <>2001-04-23 07:46:00 +0000
committermarkus <>2001-04-23 07:46:00 +0000
commitb32892991f70744ca178482fe884c025b4782b1e (patch)
tree85bc1ff1cac03d5ce1f6f03f4eea6c3886398df1
parent7bdbb2116dd933f7b4639bd9028ed79bfc1c12f9 (diff)
import DSA changes from 0.9.6a (Bleichenbacher attack), ok provos@/deraadt@
-rw-r--r--src/lib/libcrypto/dsa/dsa_key.c15
-rw-r--r--src/lib/libcrypto/dsa/dsa_lib.c8
-rw-r--r--src/lib/libcrypto/dsa/dsa_ossl.c64
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_key.c15
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_lib.c8
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_ossl.c64
6 files changed, 132 insertions, 42 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index af3c56d770..a68d236e05 100644
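--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -65,10 +65,11 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
+extern int __BN_rand_range(BIGNUM *r, BIGNUM *range);
+
 int DSA_generate_key(DSA *dsa)
  {
  int ok=0;
- unsigned int i;
  BN_CTX *ctx=NULL;
  BIGNUM *pub_key=NULL,*priv_key=NULL;
 
@@ -81,15 +82,9 @@ int DSA_generate_key(DSA *dsa)
  else
  priv_key=dsa->priv_key;
 
- i=BN_num_bits(dsa->q);
- for (;;)
- {
- if (!BN_rand(priv_key,i,0,0))
- goto err;
- if (BN_cmp(priv_key,dsa->q) >= 0)
- BN_sub(priv_key,priv_key,dsa->q);
- if (!BN_is_zero(priv_key)) break;
- }
+ do
+ if (!__BN_rand_range(priv_key,dsa->q)) goto err;
+ while (BN_is_zero(priv_key));
 
  if (dsa->pub_key == NULL)
  {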
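Review bot: The `extern int __BN_rand_range(BIGNUM *r, BIGNUM *range);` line added above DSA_generate_key repeats by hand a prototype that dsa_ossl.c also declares for itself, so no shared header lets the compiler check that the two stay in step, and names beginning with `__` are reserved for the implementation. Declaring the helper once in a library-private header that both files include would remove the duplicate. The new loop also deserves a comment saying why it exists, for example `/* priv_key must be uniform in [1, q-1]; a random BN_num_bits(q)-bit value reduced by one subtraction of q is biased */`. The same applies to the copy under src/lib/libssl/src/crypto/dsa/dsa_key.c; DSA_generate_key continues outside both hunks.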
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index b31b946ad3..15f667a203 100644
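--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -173,13 +173,13 @@ DSA *DSA_new_method(ENGINE *engine)
 
  ret->references=1;
  ret->flags=meth->flags;
+ CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
  if ((meth->init != NULL) && !meth->init(ret))
  {
+ CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data);
  OPENSSL_free(ret);
  ret=NULL;
  }
- else
- CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
 
  return(ret);
  }
@@ -204,12 +204,12 @@ void DSA_free(DSA *r)
  }
 #endif
 
- CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
-
  meth = ENGINE_get_DSA(r->engine);
  if(meth->finish) meth->finish(r);
  ENGINE_finish(r->engine);
 
+ CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+
  if (r->p != NULL) BN_clear_free(r->p);
  if (r->q != NULL) BN_clear_free(r->q);
  if (r->g != NULL) BN_clear_free(r->g);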
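Review bot: Nothing in DSA_new_method or DSA_free records that the order of the ex_data calls is now significant: ex_data is created before `meth->init(ret)` runs and released only after `meth->finish(r)` and `ENGINE_finish(r->engine)`, presumably so that a method's init and finish hooks can use it. A later cleanup could easily move the calls back. I would add `/* ex_data must exist before init() and outlive finish(): method hooks may use it */` at both sites. Both functions start and end outside the hunks, and the copy under src/lib/libssl/src/crypto/dsa/dsa_lib.c needs the same comment.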
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 96295dc24f..5cbbdddfb9 100644
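--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -66,6 +66,8 @@
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
 
+int __BN_rand_range(BIGNUM *r, BIGNUM *range);
+
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -180,13 +182,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
  kinv=NULL;
 
  /* Get random k */
- for (;;)
- {
- if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err;
- if (BN_cmp(&k,dsa->q) >= 0)
- BN_sub(&k,&k,dsa->q);
- if (!BN_is_zero(&k)) break;
- }
+ do
+ if (!__BN_rand_range(&k, dsa->q)) goto err;
+ while (BN_is_zero(&k));
 
  if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
  {
@@ -320,3 +318,55 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
  return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
+
+
+/* random number r: 0 <= r < range */
+int __BN_rand_range(BIGNUM *r, BIGNUM *range)
+ {
+ int n;
+
+ if (range->neg || BN_is_zero(range))
+ {
+ /* BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); */
+ return 0;
+ }
+
+ n = BN_num_bits(range); /* n > 0 */
+
+ if (n == 1)
+ {
+ if (!BN_zero(r)) return 0;
+ }
+ else if (BN_is_bit_set(range, n - 2))
+ {
+ do
+ {
+ /* range = 11..._2, so each iteration succeeds with probability >= .75 */
+ if (!BN_rand(r, n, -1, 0)) return 0;
+ }
+ while (BN_cmp(r, range) >= 0);
+ }
+ else
+ {
+ /* range = 10..._2,
+ * so 3*range (= 11..._2) is exactly one bit longer than range */
+ do
+ {
+ if (!BN_rand(r, n + 1, -1, 0)) return 0;
+ /* If r < 3*range, use r := r MOD range
+ * (which is either r, r - range, or r - 2*range).
+ * Otherwise, iterate once more.
+ * Since 3*range = 11..._2, each iteration succeeds with
+ * probability >= .75. */
+ if (BN_cmp(r ,range) >= 0)
+ {
+ if (!BN_sub(r, r, range)) return 0;
+ if (BN_cmp(r, range) >= 0)
+ if (!BN_sub(r, r, range)) return 0;
+ }
+ }
+ while (BN_cmp(r, range) >= 0);
+ }
+
+ return 1;
+ }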
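Review bot: A `dsa->q` equal to 1 makes the new loop in dsa_sign_setup spin forever: `__BN_rand_range` takes its `n == 1` branch, sets r to zero and returns 1, and the caller repeats `while (BN_is_zero(&k))`. The loop in DSA_generate_key (dsa_key.c) has the same shape. Nothing visible in these hunks validates q, so parameters loaded from an untrusted file could hang the caller; a guard such as `if (BN_is_one(dsa->q)) goto err;` before each loop would turn that into an error return. Separately, the `BNerr` call is commented out, so an invalid range fails without queuing an error code. The copy under src/lib/libssl/src/crypto/dsa/dsa_ossl.c is identical.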
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c b/src/lib/libssl/src/crypto/dsa/dsa_key.c
index af3c56d770..a68d236e05 100644
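--- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -65,10 +65,11 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
+extern int __BN_rand_range(BIGNUM *r, BIGNUM *range);
+
 int DSA_generate_key(DSA *dsa)
  {
  int ok=0;
- unsigned int i;
  BN_CTX *ctx=NULL;
  BIGNUM *pub_key=NULL,*priv_key=NULL;
 
@@ -81,15 +82,9 @@ int DSA_generate_key(DSA *dsa)
  else
  priv_key=dsa->priv_key;
 
- i=BN_num_bits(dsa->q);
- for (;;)
- {
- if (!BN_rand(priv_key,i,0,0))
- goto err;
- if (BN_cmp(priv_key,dsa->q) >= 0)
- BN_sub(priv_key,priv_key,dsa->q);
- if (!BN_is_zero(priv_key)) break;
- }
+ do
+ if (!__BN_rand_range(priv_key,dsa->q)) goto err;
+ while (BN_is_zero(priv_key));
 
  if (dsa->pub_key == NULL)
  {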
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_lib.c b/src/lib/libssl/src/crypto/dsa/dsa_lib.c
index b31b946ad3..15f667a203 100644
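--- a/src/lib/libssl/src/crypto/dsa/dsa_lib.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_lib.c
@@ -173,13 +173,13 @@ DSA *DSA_new_method(ENGINE *engine)
 
  ret->references=1;
  ret->flags=meth->flags;
+ CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
  if ((meth->init != NULL) && !meth->init(ret))
  {
+ CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data);
  OPENSSL_free(ret);
  ret=NULL;
  }
- else
- CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
 
  return(ret);
  }
@@ -204,12 +204,12 @@ void DSA_free(DSA *r)
  }
 #endif
 
- CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
-
  meth = ENGINE_get_DSA(r->engine);
  if(meth->finish) meth->finish(r);
  ENGINE_finish(r->engine);
 
+ CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+
  if (r->p != NULL) BN_clear_free(r->p);
  if (r->q != NULL) BN_clear_free(r->q);
  if (r->g != NULL) BN_clear_free(r->g);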
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index 96295dc24f..5cbbdddfb9 100644
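--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -66,6 +66,8 @@
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
 
+int __BN_rand_range(BIGNUM *r, BIGNUM *range);
+
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -180,13 +182,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
  kinv=NULL;
 
  /* Get random k */
- for (;;)
- {
- if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err;
- if (BN_cmp(&k,dsa->q) >= 0)
- BN_sub(&k,&k,dsa->q);
- if (!BN_is_zero(&k)) break;
- }
+ do
+ if (!__BN_rand_range(&k, dsa->q)) goto err;
+ while (BN_is_zero(&k));
 
  if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
  {
@@ -320,3 +318,55 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
  return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
+
+
+/* random number r: 0 <= r < range */
+int __BN_rand_range(BIGNUM *r, BIGNUM *range)
+ {
+ int n;
+
+ if (range->neg || BN_is_zero(range))
+ {
+ /* BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); */
+ return 0;
+ }
+
+ n = BN_num_bits(range); /* n > 0 */
+
+ if (n == 1)
+ {
+ if (!BN_zero(r)) return 0;
+ }
+ else if (BN_is_bit_set(range, n - 2))
+ {
+ do
+ {
+ /* range = 11..._2, so each iteration succeeds with probability >= .75 */
+ if (!BN_rand(r, n, -1, 0)) return 0;
+ }
+ while (BN_cmp(r, range) >= 0);
+ }
+ else
+ {
+ /* range = 10..._2,
+ * so 3*range (= 11..._2) is exactly one bit longer than range */
+ do
+ {
+ if (!BN_rand(r, n + 1, -1, 0)) return 0;
+ /* If r < 3*range, use r := r MOD range
+ * (which is either r, r - range, or r - 2*range).
+ * Otherwise, iterate once more.
+ * Since 3*range = 11..._2, each iteration succeeds with
+ * probability >= .75. */
+ if (BN_cmp(r ,range) >= 0)
+ {
+ if (!BN_sub(r, r, range)) return 0;
+ if (BN_cmp(r, range) >= 0)
+ if (!BN_sub(r, r, range)) return 0;
+ }
+ }
+ while (BN_cmp(r, range) >= 0);
+ }
+
+ return 1;
+ }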