import DSA changes from 0.9.6a (Bleichenbacher attack), ok provos@/deraadt@

1 files changed, 57 insertions, 7 deletions

diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 96295dc24f..5cbbdddfb9 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -66,6 +66,8 @@
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
 
+int     __BN_rand_range(BIGNUM *r, BIGNUM *range);
+
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -180,13 +182,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         kinv=NULL;
 
         /* Get random k */
-        for (;;)
-                {
-                if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err;
-                if (BN_cmp(&k,dsa->q) >= 0)
-                        BN_sub(&k,&k,dsa->q);
-                if (!BN_is_zero(&k)) break;
-                }
+        do
+                if (!__BN_rand_range(&k, dsa->q)) goto err;
+        while (BN_is_zero(&k));
 
         if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
                 {
@@ -320,3 +318,55 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
         return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
+
+
+/* random number r:  0 <= r < range */
+int     __BN_rand_range(BIGNUM *r, BIGNUM *range)
+        {
+        int n;
+
+        if (range->neg || BN_is_zero(range))
+                {
+                /* BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); */
+                return 0;
+                }
+
+        n = BN_num_bits(range); /* n > 0 */
+
+        if (n == 1)
+                {
+                if (!BN_zero(r)) return 0;
+                }
+        else if (BN_is_bit_set(range, n - 2))
+                {
+                do
+                        {
+                        /* range = 11..._2, so each iteration succeeds with probability >= .75 */
+                        if (!BN_rand(r, n, -1, 0)) return 0;
+                        }
+                while (BN_cmp(r, range) >= 0);
+                }
+        else
+                {
+                /* range = 10..._2,
+                 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
+                do
+                        {
+                        if (!BN_rand(r, n + 1, -1, 0)) return 0;
+                        /* If  r < 3*range,  use  r := r MOD range
+                         * (which is either  r, r - range,  or  r - 2*range).
+                         * Otherwise, iterate once more.
+                         * Since  3*range = 11..._2, each iteration succeeds with
+                         * probability >= .75. */
+                        if (BN_cmp(r ,range) >= 0)
+                                {
+                                if (!BN_sub(r, r, range)) return 0;
+                                if (BN_cmp(r, range) >= 0)
+                                        if (!BN_sub(r, r, range)) return 0;
+                                }
+                        }
+                while (BN_cmp(r, range) >= 0);
+                }
+
+        return 1;
+        }