diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c --- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 2011-02-03 21:04:14.000000000 +0100 +++ openssl-1.0.0c/crypto/dsa/dsa_gen.c 2011-02-04 08:54:42.000000000 +0100 @@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_ int ok=0; unsigned char seed[SHA256_DIGEST_LENGTH]; unsigned char md[SHA256_DIGEST_LENGTH]; - unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH]; + unsigned char buf[SHA256_DIGEST_LENGTH]; BIGNUM *r0,*W,*X,*c,*test; BIGNUM *g=NULL,*q=NULL,*p=NULL; BN_MONT_CTX *mont=NULL; - int i, k, n=0, m=0, qsize = qbits >> 3; + int i, k, b, n=0, m=0, qsize = qbits >> 3; int counter=0; int r=0; BN_CTX *ctx=NULL; @@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_ goto err; } - if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) + if (FIPS_mode() && + (bits != 1024 || qbits != 160) && + (bits != 2048 || qbits != 224) && + (bits != 2048 || qbits != 256) && + (bits != 3072 || qbits != 256)) { - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); goto err; } #endif @@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_ return 0; if (evpmd == NULL) - /* use SHA1 as default */ - evpmd = EVP_sha1(); + { + if (qbits <= 160) + evpmd = EVP_sha1(); + else if (qbits <= 224) + evpmd = EVP_sha224(); + else + evpmd = EVP_sha256(); + } if (bits < 512) bits = 512; bits = (bits+63)/64*64; - /* NB: seed_len == 0 is special case: copy generated seed to - * seed_in if it is not NULL. - */ if (seed_len && (seed_len < (size_t)qsize)) seed_in = NULL; /* seed buffer too small -- ignore */ if (seed_len > (size_t)qsize) seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED, - * but our internal buffers are restricted to 160 bits*/ + * but our internal buffers are restricted to 256 bits*/ if (seed_in != NULL) memcpy(seed, seed_in, seed_len); @@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_lshift(test,BN_value_one(),bits-1)) goto err; + /* step 3 n = \lceil bits / qbits \rceil - 1 */ + n = (bits+qbits-1)/qbits - 1; + /* step 4 b = bits - 1 - n * qbits */ + b = bits - 1 - n*qbits; + for (;;) { for (;;) /* find q */ { int seed_is_random; - /* step 1 */ + /* step 5 generate seed */ if(!BN_GENCB_call(cb, 0, m++)) goto err; @@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_ seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/ } memcpy(buf , seed, qsize); - memcpy(buf2, seed, qsize); - /* precompute "SEED + 1" for step 7: */ - for (i = qsize-1; i >= 0; i--) - { - buf[i]++; - if (buf[i] != 0) - break; - } - /* step 2 */ + /* step 6 U = hash(seed) */ EVP_Digest(seed, qsize, md, NULL, evpmd, NULL); - EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL); - for (i = 0; i < qsize; i++) - md[i]^=buf2[i]; - /* step 3 */ + /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */ md[0] |= 0x80; md[qsize-1] |= 0x01; if (!BN_bin2bn(md, qsize, q)) goto err; - /* step 4 */ + /* step 8 test for prime (64 round of Rabin-Miller) */ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb); if (r > 0) @@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (r != 0) goto err; - /* do a callback call */ - /* step 5 */ } if(!BN_GENCB_call(cb, 2, 0)) goto err; if(!BN_GENCB_call(cb, 3, 0)) goto err; - /* step 6 */ + /* step 11 */ counter=0; - /* "offset = 2" */ - - n=(bits-1)/160; + /* "offset = 1" */ for (;;) { if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) goto err; - /* step 7 */ + /* step 11.1, 11.2 obtain W */ BN_zero(W); - /* now 'buf' contains "SEED + offset - 1" */ for (k=0; k<=n; k++) { /* obtain "SEED + offset + k" by incrementing: */ @@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_ EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL); - /* step 8 */ if (!BN_bin2bn(md, qsize, r0)) goto err; - if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err; + if (k == n) + BN_mask_bits(r0,b); + if (!BN_lshift(r0,r0,qbits*k)) goto err; if (!BN_add(W,W,r0)) goto err; } - /* more of step 8 */ - if (!BN_mask_bits(W,bits-1)) goto err; + /* step 11.3 X = W + 2^(L-1) */ if (!BN_copy(X,W)) goto err; if (!BN_add(X,X,test)) goto err; - /* step 9 */ + /* step 11.4 c = X mod 2*q */ if (!BN_lshift1(r0,q)) goto err; if (!BN_mod(c,X,r0,ctx)) goto err; + + /* step 11.5 p = X - (c - 1) */ if (!BN_sub(r0,c,BN_value_one())) goto err; if (!BN_sub(p,X,r0)) goto err; - /* step 10 */ + /* step 11.6 */ if (BN_cmp(p,test) >= 0) { - /* step 11 */ + /* step 11.7 */ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb); if (r > 0) @@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ goto err; } - /* step 13 */ + /* step 11.9 */ counter++; /* "offset = offset + n + 1" */ - /* step 14 */ - if (counter >= 4096) break; + /* step 12 */ + if (counter >= 4*bits) break; } } end: diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h --- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 2011-02-03 21:04:14.000000000 +0100 +++ openssl-1.0.0c/crypto/dsa/dsa.h 2011-02-03 21:04:14.000000000 +0100 @@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void); #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 #define DSA_R_DECODE_ERROR 104 #define DSA_R_INVALID_DIGEST_TYPE 106 +#define DSA_R_KEY_SIZE_INVALID 113 #define DSA_R_KEY_SIZE_TOO_SMALL 110 #define DSA_R_MISSING_PARAMETERS 101 #define DSA_R_MODULUS_TOO_LARGE 103 diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c --- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 2011-02-03 21:14:07.000000000 +0100 +++ openssl-1.0.0c/crypto/dsa/dsatest.c 2011-02-04 08:40:24.000000000 +0100 @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ static unsigned char seed[20]={ - 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40, - 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3, + 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62, + 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3, }; static unsigned char out_p[]={ - 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa, - 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb, - 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7, - 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5, - 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf, - 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac, - 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2, - 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91, + 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E, + 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99, + 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD, + 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB, + 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18, + 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B, + 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E, + 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD, + 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93, + 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D, + 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F, }; static unsigned char out_q[]={ - 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee, - 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e, - 0xda,0xce,0x91,0x5f, + 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B, + 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87, }; static unsigned char out_g[]={ - 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13, - 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00, - 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb, - 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e, - 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf, - 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c, - 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c, - 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02, + 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C, + 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE, + 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36, + 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13, + 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C, + 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D, + 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9, + 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F, + 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E, + 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41, + 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29, }; static const unsigned char str1[]="12345678901234567890"; @@ -157,7 +162,7 @@ int main(int argc, char **argv) BIO_printf(bio_err,"test generation of DSA parameters\n"); BN_GENCB_set(&cb, dsa_cb, bio_err); - if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512, + if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024, seed, 20, &counter, &h, &cb)) goto end; @@ -170,9 +175,9 @@ int main(int argc, char **argv) BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h); DSA_print(bio_err,dsa,0); - if (counter != 105) + if (counter != 239) { - BIO_printf(bio_err,"counter should be 105\n"); + BIO_printf(bio_err,"counter should be 239\n"); goto end; } if (h != 2) diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c --- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 2011-02-03 21:04:14.000000000 +0100 +++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c 2011-02-04 09:03:03.000000000 +0100 @@ -68,44 +68,42 @@ #ifdef OPENSSL_FIPS -/* seed, out_p, out_q, out_g are taken the NIST test vectors */ - static unsigned char seed[20] = { - 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34, - 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a - }; + 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62, + 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3, + }; static unsigned char out_p[] = { - 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57, - 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b, - 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43, - 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69, - 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12, - 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47, - 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4, - 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8, - 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef, - 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8, - 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef + 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E, + 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99, + 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD, + 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB, + 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18, + 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B, + 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E, + 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD, + 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93, + 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D, + 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F, }; static unsigned char out_q[] = { - 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c, - 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3 + 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B, + 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87, }; static unsigned char out_g[] = { - 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb, - 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e, - 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63, - 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35, - 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf, - 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a, - 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed, - 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf, - 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2, - 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36, - 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec + 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C, + 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE, + 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36, + 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13, + 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C, + 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D, + 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9, + 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F, + 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E, + 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41, + 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29, }; static const unsigned char str1[]="12345678901234567890"; @@ -133,7 +131,7 @@ int FIPS_selftest_dsa() goto err; if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL)) goto err; - if (counter != 378) + if (counter != 239) goto err; if (h != 2) goto err;