diff options
Diffstat (limited to 'crypto/dsa/dsa_ossl.c')
-rw-r--r-- | crypto/dsa/dsa_ossl.c | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 888e415724..822e51786a 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -22,6 +22,9 @@ #include <openssl/asn1.h> #include "internal/deterministic_nonce.h" +#define MIN_DSA_SIGN_QBITS 128 +#define MAX_DSA_SIGN_RETRIES 8 + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -80,6 +83,7 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa, int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int rv = 0; + int retries = 0; if (dsa->params.p == NULL || dsa->params.q == NULL @@ -135,7 +139,10 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa, * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q */ - /* Generate a blinding value */ + /* + * Generate a blinding value + * The size of q is tested in dsa_sign_setup() so there should not be an infinite loop here. + */ do { if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx)) @@ -170,14 +177,19 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa, goto err; /* - * Redo if r or s is zero as required by FIPS 186-3: this is very - * unlikely. + * Redo if r or s is zero as required by FIPS 186-4: Section 4.6 + * This is very unlikely. + * Limit the retries so there is no possibility of an infinite + * loop for bad domain parameter values. */ - if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) + if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) { + if (retries++ > MAX_DSA_SIGN_RETRIES) { + reason = DSA_R_TOO_MANY_RETRIES; + goto err; + } goto redo; - + } rv = 1; - err: if (rv == 0) { ERR_raise(ERR_LIB_DSA, reason); @@ -230,7 +242,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY); return 0; } - k = BN_new(); l = BN_new(); if (k == NULL || l == NULL) @@ -246,7 +257,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->params.q); q_words = bn_get_top(dsa->params.q); - if (!bn_wexpand(k, q_words + 2) + if (q_bits < MIN_DSA_SIGN_QBITS + || !bn_wexpand(k, q_words + 2) || !bn_wexpand(l, q_words + 2)) goto err; |