openssl/crypto/dsa/dsa_err.c

77 lines
3.4 KiB
C
Raw Normal View History

/*
* Generated by util/mkerr.pl DO NOT EDIT
Pick a q size consistent with the digest for DSA param generation There are two undocumented DSA parameter generation options available in the genpkey command line app: dsa_paramgen_md and dsa_paramgen_q_bits. These can also be accessed via the EVP API but only by using EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no helper macros for these options. dsa_paramgen_q_bits sets the length of q in bits (default 160 bits). dsa_paramgen_md sets the digest that is used during the parameter generation (default SHA1). In particular the output length of the digest used must be equal to or greater than the number of bits in q because of this code: if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) goto err; if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) goto err; for (i = 0; i < qsize; i++) md[i] ^= buf2[i]; /* step 3 */ md[0] |= 0x80; md[qsize - 1] |= 0x01; if (!BN_bin2bn(md, qsize, q)) goto err; qsize here is the number of bits in q and evpmd is the digest set via dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH. buf2 has been filled with qsize bits of random seed data, and md is uninitialised. If the output size of evpmd is less than qsize then the line "md[i] ^= buf2[i]" will be xoring an uninitialised value and the random seed data together to form the least significant bits of q (and not using the output of the digest at all for those bits) - which is probably not what was intended. The same seed is then used as an input to generating p. If the uninitialised data is actually all zeros (as seems quite likely) then the least significant bits of q will exactly match the least significant bits of the seed. This problem only occurs if you use these undocumented and difficult to find options and you set the size of q to be greater than the message digest output size. This is for parameter generation only not key generation. This scenario is considered highly unlikely and therefore the security risk of this is considered negligible. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5800)
2018-03-29 16:49:17 +00:00
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/err.h>
#include <openssl/dsaerr.h>
#ifndef OPENSSL_NO_ERR
2005-04-12 16:15:22 +00:00
static const ERR_STRING_DATA DSA_str_functs[] = {
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0),
"dsa_builtin_paramgen"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0),
"dsa_builtin_paramgen2"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_NEW_METHOD, 0), "DSA_new_method"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_PARAM_DECODE, 0), "dsa_param_decode"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_PRINT_FP, 0), "DSA_print_fp"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_PRIV_DECODE, 0), "dsa_priv_decode"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_PRIV_ENCODE, 0), "dsa_priv_encode"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_PUB_DECODE, 0), "dsa_pub_decode"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_PUB_ENCODE, 0), "dsa_pub_encode"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_SIGN, 0), "DSA_sign"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_SIGN_SETUP, 0), "DSA_sign_setup"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_SIG_NEW, 0), "DSA_SIG_new"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_OLD_DSA_PRIV_DECODE, 0),
"old_dsa_priv_decode"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_PKEY_DSA_CTRL, 0), "pkey_dsa_ctrl"},
Pick a q size consistent with the digest for DSA param generation There are two undocumented DSA parameter generation options available in the genpkey command line app: dsa_paramgen_md and dsa_paramgen_q_bits. These can also be accessed via the EVP API but only by using EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no helper macros for these options. dsa_paramgen_q_bits sets the length of q in bits (default 160 bits). dsa_paramgen_md sets the digest that is used during the parameter generation (default SHA1). In particular the output length of the digest used must be equal to or greater than the number of bits in q because of this code: if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) goto err; if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) goto err; for (i = 0; i < qsize; i++) md[i] ^= buf2[i]; /* step 3 */ md[0] |= 0x80; md[qsize - 1] |= 0x01; if (!BN_bin2bn(md, qsize, q)) goto err; qsize here is the number of bits in q and evpmd is the digest set via dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH. buf2 has been filled with qsize bits of random seed data, and md is uninitialised. If the output size of evpmd is less than qsize then the line "md[i] ^= buf2[i]" will be xoring an uninitialised value and the random seed data together to form the least significant bits of q (and not using the output of the digest at all for those bits) - which is probably not what was intended. The same seed is then used as an input to generating p. If the uninitialised data is actually all zeros (as seems quite likely) then the least significant bits of q will exactly match the least significant bits of the seed. This problem only occurs if you use these undocumented and difficult to find options and you set the size of q to be greater than the message digest output size. This is for parameter generation only not key generation. This scenario is considered highly unlikely and therefore the security risk of this is considered negligible. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5800)
2018-03-29 16:49:17 +00:00
{ERR_PACK(ERR_LIB_DSA, DSA_F_PKEY_DSA_CTRL_STR, 0), "pkey_dsa_ctrl_str"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_PKEY_DSA_KEYGEN, 0), "pkey_dsa_keygen"},
{0, NULL}
};
static const ERR_STRING_DATA DSA_str_reasons[] = {
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BAD_Q_VALUE), "bad q value"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BN_DECODE_ERROR), "bn decode error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BN_ERROR), "bn error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_DECODE_ERROR), "decode error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),
"invalid digest type"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_SEED_LEN_SMALL),
"seed_len is less than the length of q"},
{0, NULL}
};
#endif
int ERR_load_DSA_strings(void)
{
#ifndef OPENSSL_NO_ERR
if (ERR_func_error_string(DSA_str_functs[0].error) == NULL) {
ERR_load_strings_const(DSA_str_functs);
ERR_load_strings_const(DSA_str_reasons);
}
#endif
return 1;
}