* used for all
* exponents.
*/
-#define DSA_FLAG_NONCE_FROM_HASH 0x04 /* Causes the DSA nonce
- * to be calculated from
- * SHA512(private_key +
- * H(message) +
- * random). This
- * strengthens DSA
- * against a weak
- * PRNG. */
/* If this flag is set the DSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
{
const char *name;
DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
- int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen);
+ int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp);
int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
#define DSA_R_MISSING_PARAMETERS 101
#define DSA_R_MODULUS_TOO_LARGE 103
#define DSA_R_NEED_NEW_SETUP_VALUES 110
-#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED 114
#define DSA_R_NO_PARAMETERS_SET 107
#define DSA_R_PARAMETER_ENCODING_ERROR 105
#define DSA_R_Q_NOT_PRIME 113
{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
-{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
{ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"},
{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
{ERR_REASON(DSA_R_Q_NOT_PRIME) ,"q not prime"},
#endif
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSA *dsa);
static int dsa_init(DSA *dsa);
redo:
if ((dsa->kinv == NULL) || (dsa->r == NULL))
{
- if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
+ if (!dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen))
goto err;
}
else
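Review bot: The new call `dsa_sign_setup_with_digest(dsa,ctx,&kinv,&r,dgst,dlen)` no longer goes through `dsa->meth->dsa_sign_setup`, so a DSA_METHOD that replaces only the setup hook while keeping this built-in signer will have its hook skipped on the signing path. After this change the hook appears to be reached only through DSA_sign_setup. If that is intended, record it at the call, e.g. `/* Not dsa->meth->dsa_sign_setup: the method hook takes no digest, so it cannot produce the hashed nonce. */`. The ECDSA signer has the same pattern where `ecdsa_sign_setup_with_digest` replaces `ecdsa->meth->ecdsa_sign_setup`. The enclosing function starts and ends outside this hunk.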
}
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen)
+ BIGNUM **kinvp, BIGNUM **rp) {
+ return dsa_sign_setup_with_digest(dsa, ctx_in, kinvp, rp, NULL, 0);
+}
+
+static int dsa_sign_setup_with_digest(DSA *dsa, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen)
{
BN_CTX *ctx;
BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
do
{
#ifndef OPENSSL_NO_SHA512
- if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
+ if (dgst != NULL)
{
- /* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from
- * SHA512(private_key + H(message) + random). This protects the
- * private key from a weak PRNG. */
+ /* We calculate k from SHA512(private_key + H(message)
+ * + random). This protects the private key from a weak
+ * PRNG. */
if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
dlen, ctx))
goto err;
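Review bot: The contract of `dsa_sign_setup_with_digest` is undocumented: the nonce source is chosen only by `dgst != NULL`, and the one comment sits inside that branch. A comment above the definition would help, e.g. `/* dgst == NULL: k is drawn from the RNG alone. Otherwise k is derived from the private key, dgst and random bytes. */`. Because the branch is inside `#ifndef OPENSSL_NO_SHA512`, a build without SHA512 presumably takes the RNG-only path even when a digest is passed, and with the flag removed nothing reports that, so the comment should say so. `ecdsa_sign_setup_with_digest` further down needs the same comment. The function body continues past the end of the hunk.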
int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
- if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
- {
- /* One cannot precompute the DSA nonce if it is required to
- * depend on the message. */
- DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
- return 0;
- }
- return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
+ return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
}
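Review bot: `DSA_sign_setup` no longer refuses to precompute, and with the built-in method it reaches `dsa_sign_setup`, which passes a NULL digest, so the k behind a precomputed kinv/r depends on the PRNG alone. Previously a key with the flag set got an error here; now nothing tells the caller that the precomputed path lacks the weak-PRNG hardening applied when the signer generates k itself. A comment above the function would make that visible, e.g. `/* Values precomputed here use a nonce from the RNG only; the hashed nonce is used only when DSA_do_sign generates k. */`. `ECDSA_sign_setup` at the end of the page has the same property and should carry the same remark.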
/* wrapper functions for the underlying EC_GROUP object */
void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
-/** Sets whether ECDSA operations with the given key will calculate their k
- * value from SHA512(private_key + message + random) in order to protect
- * against a weak PRNG.
- * \param on Whether to calculate k from a hash or not
- */
-void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on);
-
-/** Returns the value of nonce_from_hash
- */
-int EC_KEY_get_nonce_from_hash(const EC_KEY *key);
-
/** Creates a table of pre-computed multiples of the generator to
* accelerate further EC_KEY operations.
* \param key EC_KEY object
ret->pub_key = NULL;
ret->priv_key= NULL;
ret->enc_flag= 0;
- ret->nonce_from_hash_flag = 0;
ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
ret->references= 1;
ret->method_data = NULL;
/* copy the rest */
dest->enc_flag = src->enc_flag;
- dest->nonce_from_hash_flag = src->nonce_from_hash_flag;
dest->conv_form = src->conv_form;
dest->version = src->version;
dest->flags = src->flags;
key->enc_flag = flags;
}
-int EC_KEY_get_nonce_from_hash(const EC_KEY *key)
- {
- return key->nonce_from_hash_flag;
- }
-
-void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on)
- {
- key->nonce_from_hash_flag = on != 0;
- }
-
point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
{
return key->conv_form;
BIGNUM *priv_key;
unsigned int enc_flag;
- char nonce_from_hash_flag;
point_conversion_form_t conv_form;
int references;
#define ECDSA_R_ERR_EC_LIB 102
#define ECDSA_R_MISSING_PARAMETERS 103
#define ECDSA_R_NEED_NEW_SETUP_VALUES 106
-#define ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED 107
#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104
#define ECDSA_R_SIGNATURE_MALLOC_FAILED 105
{ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"},
{ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"},
{ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"},
-{ERR_REASON(ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
{ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"},
{ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"},
{0,NULL}
const char *name;
ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len,
const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey);
- int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx,
- BIGNUM **kinv, BIGNUM **r,
- const unsigned char *dgst, int dlen);
+ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
+ BIGNUM **r);
int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey);
#if 0
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen);
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp);
+static int ecdsa_sign_setup_with_digest(EC_KEY *eckey, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen);
static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey);
return &openssl_ecdsa_meth;
}
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
- BIGNUM **kinvp, BIGNUM **rp,
- const unsigned char *dgst, int dlen)
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp) {
+ return ecdsa_sign_setup_with_digest(eckey, ctx_in, kinvp, rp, NULL, 0);
+}
+
+static int ecdsa_sign_setup_with_digest(EC_KEY *eckey, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp,
+ const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;
/* get random k */
do
#ifndef OPENSSL_NO_SHA512
- if (EC_KEY_get_nonce_from_hash(eckey))
+ if (dgst != NULL)
{
if (!BN_generate_dsa_nonce(k, order, EC_KEY_get0_private_key(eckey),
dgst, dlen, ctx))
{
if (in_kinv == NULL || in_r == NULL)
{
- if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len))
+ if (!ecdsa_sign_setup_with_digest(
+ eckey, ctx, &kinv, &ret->r, dgst, dgst_len))
{
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
goto err;
#include <openssl/engine.h>
#endif
#include <openssl/rand.h>
-#include <openssl/err.h>
ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
{
ECDSA_DATA *ecdsa = ecdsa_check(eckey);
if (ecdsa == NULL)
return 0;
- if (EC_KEY_get_nonce_from_hash(eckey))
- {
- /* You cannot precompute the ECDSA nonce if it is required to
- * depend on the message. */
- ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
- return 0;
- }
- return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
+ return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
}