authorAdam Langley <agl@chromium.org>2013-07-15 12:42:15 +0100
committerDr. Stephen Henson <steve@openssl.org>2013-07-15 12:57:48 +0100
commit190c615d4398cc6c8b61eb7881d7409314529a75 (patch)
tree364615b71860e8587e36c1031de887ae32cb2811 /crypto/dsa
parent5c57c69f9ebcc933161a24d77f87f17011c9977b (diff)
downloadopenssl-190c615d4398cc6c8b61eb7881d7409314529a75.tar.gz
Make `safe' (EC)DSA nonces the default.
This change updates 8a99cb29 to make the generation of (EC)DSA nonces using the message digest the default. It also reverts the changes to (EC)DSA_METHOD structure. In addition to making it the default, removing the flag from EC_KEY means that FIPS modules will no longer have an ABI mismatch.
Diffstat (limited to 'crypto/dsa')
-rw-r--r--crypto/dsa/dsa.h14
-rw-r--r--crypto/dsa/dsa_err.c1
-rw-r--r--crypto/dsa/dsa_ossl.c26
-rw-r--r--crypto/dsa/dsa_sign.c9
4 files changed, 19 insertions, 31 deletions
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index 28aa8a3073..6010a954f0 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -104,14 +104,6 @@
* used for all
* exponents.
*/
-#define DSA_FLAG_NONCE_FROM_HASH 0x04 /* Causes the DSA nonce
- * to be calculated from
- * SHA512(private_key +
- * H(message) +
- * random). This
- * strengthens DSA
- * against a weak
- * PRNG. */
/* If this flag is set the DSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
@@ -147,9 +139,8 @@ struct dsa_method
{
const char *name;
DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
- int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen);
+ int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp);
int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
@@ -353,7 +344,6 @@ void ERR_load_DSA_strings(void);
#define DSA_R_MISSING_PARAMETERS 101
#define DSA_R_MODULUS_TOO_LARGE 103
#define DSA_R_NEED_NEW_SETUP_VALUES 110
-#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED 114
#define DSA_R_NO_PARAMETERS_SET 107
#define DSA_R_PARAMETER_ENCODING_ERROR 105
#define DSA_R_Q_NOT_PRIME 113
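Review bot: With DSA_FLAG_NONCE_FROM_HASH and its comment removed, the header no longer states anywhere that the default signer derives k from the message digest, nor that (kinv, r) precomputed through the new digest-less dsa_sign_setup member are consumed as-is by dsa_do_sign and therefore lose that message binding. The same omission applies to DSA_sign_setup in dsa_sign.c, which now accepts a precompute silently where it used to fail with DSA_R_NONCE_CANNOT_BE_PRECOMPUTED. Suggest a comment on the dsa_sign_setup member: `/* Precomputes (kinv, r) with no message digest; dsa_do_sign uses them as-is, so the digest-derived nonce of the default signer does not apply to precomputed values. */`.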
diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c
index 353d81aa7c..084392e7cf 100644
--- a/crypto/dsa/dsa_err.c
+++ b/crypto/dsa/dsa_err.c
@@ -112,7 +112,6 @@ static ERR_STRING_DATA DSA_str_reasons[]=
{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
-{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
{ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"},
{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
{ERR_REASON(DSA_R_Q_NOT_PRIME) ,"q not prime"},
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index d1f80609b1..fb82c16d01 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -72,9 +72,10 @@
#endif
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSA *dsa);
static int dsa_init(DSA *dsa);
@@ -178,7 +179,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
redo:
if ((dsa->kinv == NULL) || (dsa->r == NULL))
{
- if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
+ if (!dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen))
goto err;
}
else
@@ -239,8 +240,13 @@ err:
}
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen)
+ BIGNUM **kinvp, BIGNUM **rp) {
+ return dsa_sign_setup_with_digest(dsa, ctx_in, kinvp, rp, NULL, 0);
+}
+
+static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen)
{
BN_CTX *ctx;
BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
@@ -268,11 +274,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
do
{
#ifndef OPENSSL_NO_SHA512
- if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
+ if (dgst != NULL)
{
- /* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from
- * SHA512(private_key + H(message) + random). This protects the
- * private key from a weak PRNG. */
+ /* We calculate k from SHA512(private_key + H(message)
+ * + random). This protects the private key from a weak
+ * PRNG. */
if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
dlen, ctx))
goto err;
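Review bot: dsa_do_sign now calls the file-static dsa_sign_setup_with_digest directly instead of dsa->meth->dsa_sign_setup, so a DSA_METHOD that keeps the default dsa_do_sign but installs its own dsa_sign_setup will find it skipped whenever kinv/r have not been precomputed; if that is intended, the call site deserves a comment such as `/* Deliberately bypasses meth->dsa_sign_setup: that hook carries no digest, and a message-bound k needs one. */`. The `#ifndef OPENSSL_NO_SHA512` guard also means a build without SHA-512 ignores the supplied dgst and falls through to the else branch (outside this hunk), presumably a plain random nonce; a comment noting that the message binding is unavailable in that configuration would help a reader. Minor style: the new dsa_sign_setup wrapper puts its opening brace on the signature line, unlike the rest of this file.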
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
index b7e4caab2a..599093a4a8 100644
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -72,12 +72,5 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
- if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
- {
- /* One cannot precompute the DSA nonce if it is required to
- * depend on the message. */
- DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
- return 0;
- }
- return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
+ return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
}