diff options
| author | Adam Langley <agl@chromium.org> | 2013-01-24 16:27:28 -0500 |
|---|---|---|
| committer | Ben Laurie <ben@links.org> | 2013-06-13 17:26:07 +0100 |
| commit | 8a99cb29d1f0013243a532bccc1dc70ed678eebe (patch) | |
| tree | e29022ee28dbc0e6507597b2baf094760924f421 /crypto/dsa/dsa_sign.c | |
| parent | 64a786a292e301bfbcb269cd2bff0533503d5b8b (diff) | |
Add secure DSA nonce flag.
This change adds the option to calculate (EC)DSA nonces by hashing the
message and private key along with entropy to avoid leaking the private
key if the PRNG fails.
Diffstat (limited to 'crypto/dsa/dsa_sign.c')
| -rw-r--r-- | crypto/dsa/dsa_sign.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index 599093a4a8..b7e4caab2a 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -72,5 +72,12 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { - return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); + if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) + { + /* One cannot precompute the DSA nonce if it is required to + * depend on the message. */ + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED); + return 0; + } + return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0); } |