diff options
| author |   markus <markus@openbsd.org> | 2001-04-23 07:46:00 +0000 |
|---|---|---|
| committer | markus <markus@openbsd.org> | 2001-04-23 07:46:00 +0000 |
| commit | 0db957ea4b50977e63ac73c531368d2666d606d4 (patch) | |
| tree | 507242862a2bbc9e1d7f4c7efd091a5097df07fd /lib/libcrypto/dsa/dsa_ossl.c | |
| parent | when we take a pci interrupt, upgrade it to level. but always ignore (diff) | |
| download | wireguard-openbsd-0db957ea4b50977e63ac73c531368d2666d606d4.tar.xz wireguard-openbsd-0db957ea4b50977e63ac73c531368d2666d606d4.zip | |
import DSA changes from 0.9.6a (Bleichenbacher attack), ok provos@/deraadt@
Diffstat (limited to 'lib/libcrypto/dsa/dsa_ossl.c')
| -rw-r--r-- | lib/libcrypto/dsa/dsa_ossl.c | 64 |
1 files changed, 57 insertions, 7 deletions
diff --git a/lib/libcrypto/dsa/dsa_ossl.c b/lib/libcrypto/dsa/dsa_ossl.c index 96295dc24f7..5cbbdddfb96 100644 --- a/lib/libcrypto/dsa/dsa_ossl.c +++ b/lib/libcrypto/dsa/dsa_ossl.c @@ -66,6 +66,8 @@ #include <openssl/asn1.h> #include <openssl/engine.h> +int __BN_rand_range(BIGNUM *r, BIGNUM *range); + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, @@ -180,13 +182,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - for (;;) - { - if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err; - if (BN_cmp(&k,dsa->q) >= 0) - BN_sub(&k,&k,dsa->q); - if (!BN_is_zero(&k)) break; - } + do + if (!__BN_rand_range(&k, dsa->q)) goto err; + while (BN_is_zero(&k)); if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { @@ -320,3 +318,55 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, { return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } + + +/* random number r: 0 <= r < range */ +int __BN_rand_range(BIGNUM *r, BIGNUM *range) + { + int n; + + if (range->neg || BN_is_zero(range)) + { + /* BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); */ + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability >= .75 */ + if (!BN_rand(r, n, -1, 0)) return 0; + } + while (BN_cmp(r, range) >= 0); + } + else + { + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, -1, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability >= .75. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + } + while (BN_cmp(r, range) >= 0); + } + + return 1; + } |