1 From 9be2984bfbff9a83e7b38f47ac87c677e9a9a0b8 Mon Sep 17 00:00:00 2001 2 From: Adam Langley <agl (a] chromium.org> 3 Date: Thu, 24 Jan 2013 16:27:28 -0500 4 Subject: dsa_nonce 5 6 Adds the option to calculate (EC)DSA nonces by hashing the message and 7 private key along with entropy. 8 --- 9 crypto/bn/bn.h | 6 +++++ 10 crypto/bn/bn_err.c | 2 ++ 11 crypto/bn/bn_rand.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ 12 crypto/dsa/dsa.h | 10 +++++-- 13 crypto/dsa/dsa_err.c | 1 + 14 crypto/dsa/dsa_ossl.c | 28 ++++++++++++++++---- 15 crypto/dsa/dsa_sign.c | 9 ++++++- 16 crypto/ec/ec.h | 11 ++++++++ 17 crypto/ec/ec_key.c | 12 +++++++++ 18 crypto/ec/ec_lcl.h | 1 + 19 crypto/ecdsa/ecdsa.h | 1 + 20 crypto/ecdsa/ecs_err.c | 1 + 21 crypto/ecdsa/ecs_locl.h | 5 ++-- 22 crypto/ecdsa/ecs_ossl.c | 38 ++++++++++++++++++++------- 23 crypto/ecdsa/ecs_sign.c | 10 ++++++- 24 15 files changed, 185 insertions(+), 20 deletions(-) 25 26 diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h 27 index f34248e..9281ce5 100644 28 --- a/crypto/bn/bn.h 29 +++ b/crypto/bn/bn.h 30 @@ -692,6 +692,10 @@ const BIGNUM *BN_get0_nist_prime_256(void); 31 const BIGNUM *BN_get0_nist_prime_384(void); 32 const BIGNUM *BN_get0_nist_prime_521(void); 33 34 +int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv, 35 + const unsigned char *message, size_t message_len, 36 + BN_CTX *ctx); 37 + 38 /* library internal functions */ 39 40 #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ 41 @@ -842,6 +846,7 @@ void ERR_load_BN_strings(void); 42 #define BN_F_BN_EXP 123 43 #define BN_F_BN_EXPAND2 108 44 #define BN_F_BN_EXPAND_INTERNAL 120 45 +#define BN_F_BN_GENERATE_DSA_NONCE 140 46 #define BN_F_BN_GF2M_MOD 131 47 #define BN_F_BN_GF2M_MOD_EXP 132 48 #define BN_F_BN_GF2M_MOD_MUL 133 49 @@ -881,6 +886,7 @@ void ERR_load_BN_strings(void); 50 #define BN_R_NOT_INITIALIZED 107 51 #define BN_R_NO_INVERSE 108 52 #define BN_R_NO_SOLUTION 116 53 +#define BN_R_PRIVATE_KEY_TOO_LARGE 117 54 #define BN_R_P_IS_NOT_PRIME 112 55 #define BN_R_TOO_MANY_ITERATIONS 113 56 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 57 diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c 58 index cfe2eb9..f722b52 100644 59 --- a/crypto/bn/bn_err.c 60 +++ b/crypto/bn/bn_err.c 61 @@ -87,6 +87,7 @@ static ERR_STRING_DATA BN_str_functs[]= 62 {ERR_FUNC(BN_F_BN_EXP), "BN_exp"}, 63 {ERR_FUNC(BN_F_BN_EXPAND2), "bn_expand2"}, 64 {ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "BN_EXPAND_INTERNAL"}, 65 +{ERR_FUNC(BN_F_BN_GENERATE_DSA_NONCE), "BN_generate_dsa_nonce"}, 66 {ERR_FUNC(BN_F_BN_GF2M_MOD), "BN_GF2m_mod"}, 67 {ERR_FUNC(BN_F_BN_GF2M_MOD_EXP), "BN_GF2m_mod_exp"}, 68 {ERR_FUNC(BN_F_BN_GF2M_MOD_MUL), "BN_GF2m_mod_mul"}, 69 @@ -129,6 +130,7 @@ static ERR_STRING_DATA BN_str_reasons[]= 70 {ERR_REASON(BN_R_NOT_INITIALIZED) ,"not initialized"}, 71 {ERR_REASON(BN_R_NO_INVERSE) ,"no inverse"}, 72 {ERR_REASON(BN_R_NO_SOLUTION) ,"no solution"}, 73 +{ERR_REASON(BN_R_PRIVATE_KEY_TOO_LARGE) ,"private key too large"}, 74 {ERR_REASON(BN_R_P_IS_NOT_PRIME) ,"p is not prime"}, 75 {ERR_REASON(BN_R_TOO_MANY_ITERATIONS) ,"too many iterations"}, 76 {ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"}, 77 diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c 78 index b376c28..55676f0 100644 79 --- a/crypto/bn/bn_rand.c 80 +++ b/crypto/bn/bn_rand.c 81 @@ -114,6 +114,7 @@ 82 #include "cryptlib.h" 83 #include "bn_lcl.h" 84 #include <openssl/rand.h> 85 +#include <openssl/sha.h> 86 87 static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) 88 { 89 @@ -303,3 +304,72 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) 90 { 91 return bn_rand_range(1, r, range); 92 } 93 + 94 +#ifndef OPENSSL_NO_SHA512 95 +/* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike 96 + * BN_rand_range, it also includes the contents of |priv| and |message| in the 97 + * generation so that an RNG failure isn't fatal as long as |priv| remains 98 + * secret. This is intended for use in DSA and ECDSA where an RNG weakness 99 + * leads directly to private key exposure unless this function is used. */ 100 +int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM* priv, 101 + const unsigned char *message, size_t message_len, 102 + BN_CTX *ctx) 103 + { 104 + SHA512_CTX sha; 105 + /* We use 512 bits of random data per iteration to 106 + * ensure that we have at least |range| bits of randomness. */ 107 + unsigned char random_bytes[64]; 108 + unsigned char digest[SHA512_DIGEST_LENGTH]; 109 + unsigned done, todo; 110 + /* We generate |range|+8 bytes of random output. */ 111 + const unsigned num_k_bytes = BN_num_bytes(range) + 8; 112 + unsigned char private_bytes[96]; 113 + unsigned char *k_bytes; 114 + int ret = 0; 115 + 116 + k_bytes = OPENSSL_malloc(num_k_bytes); 117 + if (!k_bytes) 118 + goto err; 119 + 120 + /* We copy |priv| into a local buffer to avoid exposing its length. */ 121 + todo = sizeof(priv->d[0])*priv->top; 122 + if (todo > sizeof(private_bytes)) 123 + { 124 + /* No reasonable DSA or ECDSA key should have a private key 125 + * this large and we don't handle this case in order to avoid 126 + * leaking the length of the private key. */ 127 + BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); 128 + goto err; 129 + } 130 + memcpy(private_bytes, priv->d, todo); 131 + memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); 132 + 133 + for (done = 0; done < num_k_bytes;) { 134 + if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1) 135 + goto err; 136 + SHA512_Init(&sha); 137 + SHA512_Update(&sha, &done, sizeof(done)); 138 + SHA512_Update(&sha, private_bytes, sizeof(private_bytes)); 139 + SHA512_Update(&sha, message, message_len); 140 + SHA512_Update(&sha, random_bytes, sizeof(random_bytes)); 141 + SHA512_Final(digest, &sha); 142 + 143 + todo = num_k_bytes - done; 144 + if (todo > SHA512_DIGEST_LENGTH) 145 + todo = SHA512_DIGEST_LENGTH; 146 + memcpy(k_bytes + done, digest, todo); 147 + done += todo; 148 + } 149 + 150 + if (!BN_bin2bn(k_bytes, num_k_bytes, out)) 151 + goto err; 152 + if (BN_mod(out, out, range, ctx) != 1) 153 + goto err; 154 + ret = 1; 155 + 156 +err: 157 + if (k_bytes) 158 + OPENSSL_free(k_bytes); 159 + return ret; 160 + } 161 +#endif /* OPENSSL_NO_SHA512 */ 162 diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h 163 index b448d2a..71ef572 100644 164 --- a/crypto/dsa/dsa.h 165 +++ b/crypto/dsa/dsa.h 166 @@ -96,6 +96,10 @@ 167 * faster variable sliding window method to 168 * be used for all exponents. 169 */ 170 +#define DSA_FLAG_NONCE_FROM_HASH 0x04 /* Causes the DSA nonce to be calculated 171 + from SHA512(private_key + H(message) + 172 + random). This strengthens DSA against a 173 + weak PRNG. */ 174 175 176 /* If this flag is set the DSA method is FIPS compliant and can be used 177 @@ -131,8 +135,9 @@ struct dsa_method 178 { 179 const char *name; 180 DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa); 181 - int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, 182 - BIGNUM **rp); 183 + int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, 184 + BIGNUM **kinvp, BIGNUM **rp, 185 + const unsigned char *dgst, int dlen); 186 int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len, 187 DSA_SIG *sig, DSA *dsa); 188 int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, 189 @@ -325,6 +330,7 @@ void ERR_load_DSA_strings(void); 190 #define DSA_R_MISSING_PARAMETERS 101 191 #define DSA_R_MODULUS_TOO_LARGE 103 192 #define DSA_R_NEED_NEW_SETUP_VALUES 110 193 +#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED 112 194 #define DSA_R_NON_FIPS_DSA_METHOD 111 195 #define DSA_R_NO_PARAMETERS_SET 107 196 #define DSA_R_PARAMETER_ENCODING_ERROR 105 197 diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c 198 index 00545b7..e6171cc 100644 199 --- a/crypto/dsa/dsa_err.c 200 +++ b/crypto/dsa/dsa_err.c 201 @@ -109,6 +109,7 @@ static ERR_STRING_DATA DSA_str_reasons[]= 202 {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, 203 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, 204 {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, 205 +{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"}, 206 {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD) ,"non fips dsa method"}, 207 {ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"}, 208 {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"}, 209 diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c 210 index a865a8c..15f8da2 100644 211 --- a/crypto/dsa/dsa_ossl.c 212 +++ b/crypto/dsa/dsa_ossl.c 213 @@ -67,7 +67,9 @@ 214 #include <openssl/asn1.h> 215 216 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); 217 -static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); 218 +static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, 219 + BIGNUM **kinvp, BIGNUM **rp, 220 + const unsigned char *dgst, int dlen); 221 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 222 DSA *dsa); 223 static int dsa_init(DSA *dsa); 224 @@ -167,7 +169,8 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 225 redo: 226 if ((dsa->kinv == NULL) || (dsa->r == NULL)) 227 { 228 - if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err; 229 + if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen)) 230 + goto err; 231 } 232 else 233 { 234 @@ -226,7 +229,9 @@ err: 235 return(ret); 236 } 237 238 -static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 239 +static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, 240 + BIGNUM **kinvp, BIGNUM **rp, 241 + const unsigned char *dgst, int dlen) 242 { 243 BN_CTX *ctx; 244 BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; 245 @@ -252,8 +257,21 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 246 247 /* Get random k */ 248 do 249 - if (!BN_rand_range(&k, dsa->q)) goto err; 250 - while (BN_is_zero(&k)); 251 + { 252 +#ifndef OPENSSL_NO_SHA512 253 + if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) 254 + { 255 + /* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from 256 + * SHA512(private_key + H(message) + random). This protects the 257 + * private key from a weak PRNG. */ 258 + if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst, 259 + dlen, ctx)) 260 + goto err; 261 + } 262 + else 263 +#endif 264 + if (!BN_rand_range(&k, dsa->q)) goto err; 265 + } while (BN_is_zero(&k)); 266 if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) 267 { 268 BN_set_flags(&k, BN_FLG_CONSTTIME); 269 diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c 270 index c3cc364..8ace300 100644 271 --- a/crypto/dsa/dsa_sign.c 272 +++ b/crypto/dsa/dsa_sign.c 273 @@ -86,7 +86,14 @@ int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 274 return 0; 275 } 276 #endif 277 - return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); 278 + if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) 279 + { 280 + /* You cannot precompute the DSA nonce if it is required to 281 + * depend on the message. */ 282 + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED); 283 + return 0; 284 + } 285 + return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0); 286 } 287 288 DSA_SIG *DSA_SIG_new(void) 289 diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h 290 index dfe8710..d008a0d 100644 291 --- a/crypto/ec/ec.h 292 +++ b/crypto/ec/ec.h 293 @@ -819,6 +819,17 @@ void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, 294 /* wrapper functions for the underlying EC_GROUP object */ 295 void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); 296 297 +/** Sets whether ECDSA operations with the given key will calculate their k 298 + * value from SHA512(private_key + message + random) in order to protect 299 + * against a weak PRNG. 300 + * \param on Whether to calculate k from a hash or not 301 + */ 302 +void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on); 303 + 304 +/** Returns the value of nonce_from_hash 305 + */ 306 +int EC_KEY_get_nonce_from_hash(const EC_KEY *key); 307 + 308 /** Creates a table of pre-computed multiples of the generator to 309 * accelerate further EC_KEY operations. 310 * \param key EC_KEY object 311 diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c 312 index 7fa2475..73dd7b9 100644 313 --- a/crypto/ec/ec_key.c 314 +++ b/crypto/ec/ec_key.c 315 @@ -85,6 +85,7 @@ EC_KEY *EC_KEY_new(void) 316 ret->pub_key = NULL; 317 ret->priv_key= NULL; 318 ret->enc_flag= 0; 319 + ret->nonce_from_hash_flag = 0; 320 ret->conv_form = POINT_CONVERSION_UNCOMPRESSED; 321 ret->references= 1; 322 ret->method_data = NULL; 323 @@ -198,6 +199,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) 324 325 /* copy the rest */ 326 dest->enc_flag = src->enc_flag; 327 + dest->nonce_from_hash_flag = src->nonce_from_hash_flag; 328 dest->conv_form = src->conv_form; 329 dest->version = src->version; 330 dest->flags = src->flags; 331 @@ -505,6 +507,16 @@ void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags) 332 key->enc_flag = flags; 333 } 334 335 +int EC_KEY_get_nonce_from_hash(const EC_KEY *key) 336 + { 337 + return key->nonce_from_hash_flag; 338 + } 339 + 340 +void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on) 341 + { 342 + key->nonce_from_hash_flag = on != 0; 343 + } 344 + 345 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key) 346 { 347 return key->conv_form; 348 diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h 349 index da7967d..6f714c7 100644 350 --- a/crypto/ec/ec_lcl.h 351 +++ b/crypto/ec/ec_lcl.h 352 @@ -246,6 +246,7 @@ struct ec_key_st { 353 BIGNUM *priv_key; 354 355 unsigned int enc_flag; 356 + char nonce_from_hash_flag; 357 point_conversion_form_t conv_form; 358 359 int references; 360 diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h 361 index 7fb5254..dc6a36b 100644 362 --- a/crypto/ecdsa/ecdsa.h 363 +++ b/crypto/ecdsa/ecdsa.h 364 @@ -250,6 +250,7 @@ void ERR_load_ECDSA_strings(void); 365 #define ECDSA_R_ERR_EC_LIB 102 366 #define ECDSA_R_MISSING_PARAMETERS 103 367 #define ECDSA_R_NEED_NEW_SETUP_VALUES 106 368 +#define ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED 108 369 #define ECDSA_R_NON_FIPS_METHOD 107 370 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104 371 #define ECDSA_R_SIGNATURE_MALLOC_FAILED 105 372 diff --git a/crypto/ecdsa/ecs_err.c b/crypto/ecdsa/ecs_err.c 373 index 81542e6..7406c6d 100644 374 --- a/crypto/ecdsa/ecs_err.c 375 +++ b/crypto/ecdsa/ecs_err.c 376 @@ -85,6 +85,7 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= 377 {ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"}, 378 {ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"}, 379 {ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"}, 380 +{ERR_REASON(ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"}, 381 {ERR_REASON(ECDSA_R_NON_FIPS_METHOD) ,"non fips method"}, 382 {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"}, 383 {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"}, 384 diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h 385 index cb3be13..46f7ad9 100644 386 --- a/crypto/ecdsa/ecs_locl.h 387 +++ b/crypto/ecdsa/ecs_locl.h 388 @@ -70,8 +70,9 @@ struct ecdsa_method 389 const char *name; 390 ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len, 391 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey); 392 - int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, 393 - BIGNUM **r); 394 + int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, 395 + BIGNUM **kinv, BIGNUM **r, 396 + const unsigned char *dgst, int dlen); 397 int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len, 398 const ECDSA_SIG *sig, EC_KEY *eckey); 399 #if 0 400 diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c 401 index 7725935..325aca8 100644 402 --- a/crypto/ecdsa/ecs_ossl.c 403 +++ b/crypto/ecdsa/ecs_ossl.c 404 @@ -60,11 +60,13 @@ 405 #include <openssl/err.h> 406 #include <openssl/obj_mac.h> 407 #include <openssl/bn.h> 408 +#include <openssl/rand.h> 409 410 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, 411 const BIGNUM *, const BIGNUM *, EC_KEY *eckey); 412 -static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 413 - BIGNUM **rp); 414 +static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, 415 + BIGNUM **kinvp, BIGNUM **rp, 416 + const unsigned char *dgst, int dlen); 417 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, 418 const ECDSA_SIG *sig, EC_KEY *eckey); 419 420 @@ -86,8 +88,9 @@ const ECDSA_METHOD *ECDSA_OpenSSL(void) 421 return &openssl_ecdsa_meth; 422 } 423 424 -static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 425 - BIGNUM **rp) 426 +static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, 427 + BIGNUM **kinvp, BIGNUM **rp, 428 + const unsigned char *dgst, int dlen) 429 { 430 BN_CTX *ctx = NULL; 431 BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; 432 @@ -136,11 +139,28 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 433 { 434 /* get random k */ 435 do 436 - if (!BN_rand_range(k, order)) 437 +#ifndef OPENSSL_NO_SHA512 438 + if (EC_KEY_get_nonce_from_hash(eckey)) 439 { 440 - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 441 - ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 442 - goto err; 443 + if (!BN_generate_dsa_nonce( 444 + k, order, 445 + EC_KEY_get0_private_key(eckey), 446 + dgst, dlen, ctx)) 447 + { 448 + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 449 + ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 450 + goto err; 451 + } 452 + } 453 + else 454 +#endif 455 + { 456 + if (!BN_rand_range(k, order)) 457 + { 458 + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 459 + ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 460 + goto err; 461 + } 462 } 463 while (BN_is_zero(k)); 464 465 @@ -282,7 +302,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 466 { 467 if (in_kinv == NULL || in_r == NULL) 468 { 469 - if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) 470 + if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) 471 { 472 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB); 473 goto err; 474 diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c 475 index 353d5af..ea79a24 100644 476 --- a/crypto/ecdsa/ecs_sign.c 477 +++ b/crypto/ecdsa/ecs_sign.c 478 @@ -58,6 +58,7 @@ 479 #include <openssl/engine.h> 480 #endif 481 #include <openssl/rand.h> 482 +#include <openssl/err.h> 483 484 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) 485 { 486 @@ -102,5 +103,12 @@ int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 487 ECDSA_DATA *ecdsa = ecdsa_check(eckey); 488 if (ecdsa == NULL) 489 return 0; 490 - return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); 491 + if (EC_KEY_get_nonce_from_hash(eckey)) 492 + { 493 + /* You cannot precompute the ECDSA nonce if it is required to 494 + * depend on the message. */ 495 + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED); 496 + return 0; 497 + } 498 + return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); 499 } 500 -- 501 1.8.5.1 502 503