GH367: Fix dsa keygen for too-short seed

If the seed value for dsa key generation is too short (< qsize), return an error. Also update the documentation. Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit f00a10b89734e84fe80f98ad9e2e77b557c701ae)
author: Ismo Puustinen <ismo.puustinen@intel.com> 2015-08-07 22:14:47 -0400
committer: Rich Salz <rsalz@openssl.org> 2015-08-28 11:22:34 -0400
commit: 1d7df236dcb4f7c95707110753e5e77b19b9a0aa (patch)
tree: 59c2b09e0a99518d70a358b4bfc21d102c02fda8 /crypto/dsa
parent: a7cb67f4f2457724fbfbc39377f55c26f3aafa80 (diff)
1 files changed, 13 insertions, 18 deletions
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 5a328aaab5..847c874ad2 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -163,18 +163,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     bits = (bits + 63) / 64 * 64;
 
-    /*
-     * NB: seed_len == 0 is special case: copy generated seed to seed_in if
-     * it is not NULL.
-     */
-    if (seed_len && (seed_len < (size_t)qsize))
-        seed_in = NULL;         /* seed buffer too small -- ignore */
-    if (seed_len > (size_t)qsize)
-        seed_len = qsize;       /* App. 2.2 of FIPS PUB 186 allows larger
-                                 * SEED, but our internal buffers are
-                                 * restricted to 160 bits */
-    if (seed_in != NULL)
+    if (seed_in != NULL) {
+        if (seed_len < (size_t)qsize)
+            return 0;
+        if (seed_len > (size_t)qsize) {
+            /* Don't overflow seed local variable. */
+            seed_len = qsize;
+        }
         memcpy(seed, seed_in, seed_len);
+    }
 
     if ((ctx = BN_CTX_new()) == NULL)
         goto err;
@@ -197,20 +194,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random;
+            int seed_is_random = seed_in == NULL;
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (!seed_len) {
-                if (RAND_pseudo_bytes(seed, qsize) < 0)
+            if (seed_is_random) {
+                if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
-                seed_is_random = 1;
             } else {
-                seed_is_random = 0;
-                seed_len = 0;   /* use random seed if 'seed_in' turns out to
-                                 * be bad */
+                /* If we come back through, use random seed next time. */
+                seed_in = NULL;
             }
             memcpy(buf, seed, qsize);
             memcpy(buf2, seed, qsize);
author	Ismo Puustinen <ismo.puustinen@intel.com>	2015-08-07 22:14:47 -0400
committer	Rich Salz <rsalz@openssl.org>	2015-08-28 11:22:34 -0400
commit	1d7df236dcb4f7c95707110753e5e77b19b9a0aa (patch)
tree	59c2b09e0a99518d70a358b4bfc21d102c02fda8 /crypto/dsa
parent	a7cb67f4f2457724fbfbc39377f55c26f3aafa80 (diff)