Commit 190c615d authored by Adam Langley's avatar Adam Langley Committed by Dr. Stephen Henson

Make `safe' (EC)DSA nonces the default.

This change updates 8a99cb29 to make the generation of (EC)DSA nonces
using the message digest the default. It also reverts the changes to
(EC)DSA_METHOD structure.

In addition to making it the default, removing the flag from EC_KEY
means that FIPS modules will no longer have an ABI mismatch.
parent 5c57c69f
+2 −12
@@ -104,14 +104,6 @@
                                              * used for all
                                              * exponents.
                                              */
#define DSA_FLAG_NONCE_FROM_HASH	0x04 /* Causes the DSA nonce
					      * to be calculated from
					      * SHA512(private_key +
					      * H(message) +
					      * random). This
					      * strengthens DSA
					      * against a weak
					      * PRNG. */

/* If this flag is set the DSA method is FIPS compliant and can be used
 * in FIPS mode. This is set in the validated module method. If an
@@ -147,9 +139,8 @@ struct dsa_method
	{
	const char *name;
	DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in,
			      BIGNUM **kinvp, BIGNUM **rp,
			      const unsigned char *dgst, int dlen);
	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
								BIGNUM **rp);
	int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
			     DSA_SIG *sig, DSA *dsa);
	int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
@@ -353,7 +344,6 @@ void ERR_load_DSA_strings(void);
#define DSA_R_MISSING_PARAMETERS			 101
#define DSA_R_MODULUS_TOO_LARGE				 103
#define DSA_R_NEED_NEW_SETUP_VALUES			 110
#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED		 114
#define DSA_R_NO_PARAMETERS_SET				 107
#define DSA_R_PARAMETER_ENCODING_ERROR			 105
#define DSA_R_Q_NOT_PRIME				 113
+0 −1
@@ -112,7 +112,6 @@ static ERR_STRING_DATA DSA_str_reasons[]=
{ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
{ERR_REASON(DSA_R_NO_PARAMETERS_SET)     ,"no parameters set"},
{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
{ERR_REASON(DSA_R_Q_NOT_PRIME)           ,"q not prime"},
+16 −10
@@ -72,7 +72,8 @@
#endif

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
				      BIGNUM **kinvp, BIGNUM **rp,
				      const unsigned char *dgst, int dlen);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -178,7 +179,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
redo:
	if ((dsa->kinv == NULL) || (dsa->r == NULL))
		{
		if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
		if (!dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen))
			goto err;
		}
	else
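Review bot: The new `if (!dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen))` line replaces the indirect call through `dsa->meth->dsa_sign_setup`, so a DSA_METHOD that installs its own `dsa_sign_setup` but keeps the default `dsa_do_sign` presumably no longer has its setup routine consulted on this path. That is a behaviour change beyond reverting the method signature and deserves a comment at that line, e.g. `/* The method's dsa_sign_setup cannot receive the digest, so the default signer calls the digest-aware setup directly; an engine's dsa_sign_setup override is not used here. */`. If bypassing overrides is not intended, the call could dispatch through the method when `dsa->meth` is not the default method. The enclosing dsa_do_sign starts and ends outside the hunk.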
@@ -239,6 +240,11 @@ err:
	}

static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
			  BIGNUM **kinvp, BIGNUM **rp) {
	return dsa_sign_setup_with_digest(dsa, ctx_in, kinvp, rp, NULL, 0);
}

static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
				      BIGNUM **kinvp, BIGNUM **rp,
				      const unsigned char *dgst, int dlen)
	{
@@ -268,11 +274,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
	do
		{
#ifndef OPENSSL_NO_SHA512
		if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
		if (dgst != NULL)
			{
			/* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from
			 * SHA512(private_key + H(message) + random). This protects the
			 * private key from a weak PRNG. */
			/* We calculate k from SHA512(private_key + H(message)
			 * + random). This protects the private key from a weak
			 * PRNG. */
			if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
						   dlen, ctx))
				goto err;
+1 −8
@@ -72,12 +72,5 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)

int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
	{
	if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
		{
		/* One cannot precompute the DSA nonce if it is required to
		 * depend on the message. */
		DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
		return 0;
		}
	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
	}
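Review bot: With the refusal removed, `DSA_sign_setup` now precomputes `kinv`/`r` with a NULL digest, and the precomputed pair is then used by the signer in place of the hash-derived nonce, so callers of this API silently forgo the protection this commit makes the default. That trade-off is not documented anywhere in the hunk; a comment above the return would make it explicit, e.g. `/* No message digest is available here, so k is derived from the RNG alone; signatures using these precomputed values do not get the hash-derived nonce. */`. The public header documentation for DSA_sign_setup should carry the same caveat.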
+0 −11
@@ -823,17 +823,6 @@ void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
/* wrapper functions for the underlying EC_GROUP object */
void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);

/** Sets whether ECDSA operations with the given key will calculate their k
 * value from SHA512(private_key + message + random) in order to protect
 * against a weak PRNG.
 * \param  on  Whether to calculate k from a hash or not
 */
void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on);

/** Returns the value of nonce_from_hash
 */
int EC_KEY_get_nonce_from_hash(const EC_KEY *key);

/** Creates a table of pre-computed multiples of the generator to 
 *  accelerate further EC_KEY operations.
 *  \param  key  EC_KEY object