Hi,
(I am not fully sure I understand it right.)
Coverity thinks dsa_builtin_paramgen() can use portions of "seed" uninitialized
and I can agree.
If seed_len is > 0 but < qsize, the memcpy(seed,seed_in,seed_len) does
not trigger, but "seed" is used, being an uninitialized stack variable.
This would probably mean that the seeding is done with whatever is on the stack
if a seed_len > 0 but < qsize is passed in, and would be predictable.
Usually the for () loop will detect this as a bad state and redo it.
But I am not sure if you can, in some call sequence, set up the stack so it
gets a predictable content which would be a valid number (and so always
get the same initial state).
Also the comment above the check seems to be wrong: nothing is ever copied
to seed_in in the function.
I do think an invalid seed_len with the condition might not be happening in
real life.
I would _suggest_ this fix, but it needs to be reviewed.
Ciao, Marcus
--- crypto/dsa/dsa_gen.c.xx 2011-05-18 16:55:14.000000000 +0200
+++ crypto/dsa/dsa_gen.c 2011-05-18 16:55:17.000000000 +0200
@@ -140,11 +140,12 @@
bits = (bits+63)/64*64;
- /* NB: seed_len == 0 is special case: copy generated seed to
- * seed_in if it is not NULL.
+ /* NB: seed_len == 0 is special case: use a random initial seed.
*/
- if (seed_len && (seed_len < (size_t)qsize))
+ if (seed_len && (seed_len < (size_t)qsize)) {
seed_in = NULL; /* seed buffer too small -- ignore */
+ seed_len = 0; /* ... and use randomness by default */
+ }
if (seed_len > (size_t)qsize)
seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows
larger SEED,
* but our internal buffers are
restricted to 160 bits*/
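Review bot: the new `seed_len = 0;` in the too-small branch silently replaces a caller-supplied seed with a random one, so a caller that passed a seed shorter than qsize gets parameters derived from a seed it never saw, with no error returned; consider rejecting a non-zero seed_len below qsize outright rather than extending the `seed_in = NULL; /* seed buffer too small -- ignore */` path, or at least documenting the fallback in the function's API comment. The reset itself is the right place to stop the later code from treating stack garbage as a seed, but the rewritten header comment ("use a random initial seed") now describes behaviour that lives outside this hunk, so it should be checked against the code that actually consumes seed_len == 0 before the old wording about copying the generated seed back to seed_in is dropped.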
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]