authorKazuki Yamaguchi <k@rhe.jp>2016-08-06 13:18:41 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-08-07 17:15:18 +0900
commit88e510ed590026df208f182ca78f558a26c08a85 (patch)
tree43ba9071a3c9c7dc885f31591a9061de7c0b0dae
parentaba0560a65f97bd64299035ed825d286a13fb6b0 (diff)
pkey: don't pass a seed to DSA_generate_parameters_ex()
We currently always pass 20 random bytes generated by RAND_bytes(). That is fine when generating parameters <= 1024 bits, because OpenSSL requires a seed with the same length as the prime q, which is 160 bits. FIPS 186-3 allowed the parameters to be >= 2048 bits. For them, OpenSSL generates a 256-bit q. We could pass 32 random bytes instead, but the function is able to generate the seed on its own. So just give NULL.
-rw-r--r--ext/openssl/ossl_pkey_dsa.c13
-rw-r--r--test/test_pkey_dsa.rb5
2 files changed, 8 insertions, 10 deletions
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
index 8787e02f..db103cb6 100644
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@@ -95,8 +95,6 @@ ossl_dsa_new(EVP_PKEY *pkey)
struct dsa_blocking_gen_arg {
DSA *dsa;
int size;
- unsigned char* seed;
- int seed_len;
int *counter;
unsigned long *h;
BN_GENCB *cb;
@@ -107,7 +105,8 @@ static void *
dsa_blocking_gen(void *arg)
{
struct dsa_blocking_gen_arg *gen = (struct dsa_blocking_gen_arg *)arg;
- gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, gen->seed, gen->seed_len, gen->counter, gen->h, gen->cb);
+ gen->result = DSA_generate_parameters_ex(gen->dsa, gen->size, NULL, 0,
+ gen->counter, gen->h, gen->cb);
return 0;
}
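Review bot: The `NULL, 0` seed arguments in dsa_blocking_gen have no explanation at the call site, so a later reader could take them for an omission and reintroduce a fixed-length seed. A one-line comment above the call would record the reason, for example `/* seed == NULL: let OpenSSL generate a seed whose length matches q (160 or 256 bits) */`. The commit description already gives this rationale, but it is not visible from the source file itself.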
@@ -118,13 +117,9 @@ dsa_generate(int size)
struct dsa_blocking_gen_arg gen_arg;
DSA *dsa = DSA_new();
BN_GENCB *cb = BN_GENCB_new();
- unsigned char seed[20];
- int seed_len = 20, counter;
+ int counter;
unsigned long h;
- if (RAND_bytes(seed, seed_len) <= 0)
- return NULL;
-
if (!dsa || !cb) {
DSA_free(dsa);
BN_GENCB_free(cb);
@@ -136,8 +131,6 @@ dsa_generate(int size)
BN_GENCB_set(cb, ossl_generate_cb_2, &cb_arg);
gen_arg.dsa = dsa;
gen_arg.size = size;
- gen_arg.seed = seed;
- gen_arg.seed_len = seed_len;
gen_arg.counter = &counter;
gen_arg.h = &h;
gen_arg.cb = cb;
diff --git a/test/test_pkey_dsa.rb b/test/test_pkey_dsa.rb
index 522cdeed..ed79e0de 100644
--- a/test/test_pkey_dsa.rb
+++ b/test/test_pkey_dsa.rb
@@ -20,6 +20,11 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
key = OpenSSL::PKey::DSA.new 256
pem = key.public_key.to_pem
OpenSSL::PKey::DSA.new pem
+ if $0 == __FILE__
+ assert_nothing_raised {
+ key = OpenSSL::PKey::DSA.new 2048
+ }
+ end
end
def test_new_break
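Review bot: The new 2048-bit case is wrapped in `if $0 == __FILE__`, so it runs only when test_pkey_dsa.rb is executed directly. In an ordinary suite run, where `$0` is presumably the test runner, the path this commit fixes is never exercised. If the guard is there to keep slow parameter generation out of routine runs, a comment saying so would help; otherwise the case could move into its own test method. The block also asserts only that nothing is raised. Since the description states that OpenSSL generates a 256-bit q for these sizes, `assert_equal 256, key.q.num_bits` would pin the behaviour the change relies on. The enclosing test method starts outside the hunk.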