diff options
author | Adam Langley <agl@chromium.org> | 2013-07-15 12:42:15 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-07-15 12:57:48 +0100 |
commit | 190c615d4398cc6c8b61eb7881d7409314529a75 (patch) | |
tree | 364615b71860e8587e36c1031de887ae32cb2811 /crypto/dsa | |
parent | 5c57c69f9ebcc933161a24d77f87f17011c9977b (diff) | |
download | openssl-190c615d4398cc6c8b61eb7881d7409314529a75.tar.gz |
Make `safe' (EC)DSA nonces the default.
This change updates 8a99cb29 to make the generation of (EC)DSA nonces
using the message digest the default. It also reverts the changes to
(EC)DSA_METHOD structure.
In addition to making it the default, removing the flag from EC_KEY
means that FIPS modules will no longer have an ABI mismatch.
Diffstat (limited to 'crypto/dsa')
-rw-r--r-- | crypto/dsa/dsa.h | 14 | ||||
-rw-r--r-- | crypto/dsa/dsa_err.c | 1 | ||||
-rw-r--r-- | crypto/dsa/dsa_ossl.c | 26 | ||||
-rw-r--r-- | crypto/dsa/dsa_sign.c | 9 |
4 files changed, 19 insertions, 31 deletions
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h index 28aa8a3073..6010a954f0 100644 --- a/crypto/dsa/dsa.h +++ b/crypto/dsa/dsa.h @@ -104,14 +104,6 @@ * used for all * exponents. */ -#define DSA_FLAG_NONCE_FROM_HASH 0x04 /* Causes the DSA nonce - * to be calculated from - * SHA512(private_key + - * H(message) + - * random). This - * strengthens DSA - * against a weak - * PRNG. */ /* If this flag is set the DSA method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an @@ -147,9 +139,8 @@ struct dsa_method { const char *name; DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa); - int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, - BIGNUM **kinvp, BIGNUM **rp, - const unsigned char *dgst, int dlen); + int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp); int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, @@ -353,7 +344,6 @@ void ERR_load_DSA_strings(void); #define DSA_R_MISSING_PARAMETERS 101 #define DSA_R_MODULUS_TOO_LARGE 103 #define DSA_R_NEED_NEW_SETUP_VALUES 110 -#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED 114 #define DSA_R_NO_PARAMETERS_SET 107 #define DSA_R_PARAMETER_ENCODING_ERROR 105 #define DSA_R_Q_NOT_PRIME 113 diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 353d81aa7c..084392e7cf 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -112,7 +112,6 @@ static ERR_STRING_DATA DSA_str_reasons[]= {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, -{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"}, {ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"}, {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"}, {ERR_REASON(DSA_R_Q_NOT_PRIME) ,"q not prime"}, diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index d1f80609b1..fb82c16d01 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -72,9 +72,10 @@ #endif static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); -static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, - BIGNUM **kinvp, BIGNUM **rp, - const unsigned char *dgst, int dlen); +static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); +static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in, + BIGNUM **kinvp, BIGNUM **rp, + const unsigned char *dgst, int dlen); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); @@ -178,7 +179,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) redo: if ((dsa->kinv == NULL) || (dsa->r == NULL)) { - if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen)) + if (!dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen)) goto err; } else @@ -239,8 +240,13 @@ err: } static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, - BIGNUM **kinvp, BIGNUM **rp, - const unsigned char *dgst, int dlen) + BIGNUM **kinvp, BIGNUM **rp) { + return dsa_sign_setup_with_digest(dsa, ctx_in, kinvp, rp, NULL, 0); +} + +static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in, + BIGNUM **kinvp, BIGNUM **rp, + const unsigned char *dgst, int dlen) { BN_CTX *ctx; BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; @@ -268,11 +274,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, do { #ifndef OPENSSL_NO_SHA512 - if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) + if (dgst != NULL) { - /* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from - * SHA512(private_key + H(message) + random). This protects the - * private key from a weak PRNG. */ + /* We calculate k from SHA512(private_key + H(message) + * + random). This protects the private key from a weak + * PRNG. */ if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst, dlen, ctx)) goto err; diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index b7e4caab2a..599093a4a8 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -72,12 +72,5 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { - if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) - { - /* One cannot precompute the DSA nonce if it is required to - * depend on the message. */ - DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED); - return 0; - } - return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0); + return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); } |