authorBodo Möller <bodo@openssl.org>2001-02-08 12:14:51 +0000
committerBodo Möller <bodo@openssl.org>2001-02-08 12:14:51 +0000
commit35ed8cb8b6655606c2be31d44be942f6724ba405 (patch)
tree23cb17587c9eba1277d885d28d70e39e6a319af0 /crypto/dsa
parent7edc5ed90a55ecaf94ded491c99cfe930da9ba2a (diff)
Integrate my implementation of a countermeasure against
Bleichenbacher's DSA attack. With this implementation, the expected number of iterations never exceeds 2. New semantics for BN_rand_range(): BN_rand_range(r, min, range) now generates r such that min <= r < min+range. (Previously, BN_rand_range(r, min, max) generated r such that min <= r < max. It is more convenient to have the range; also the previous prototype was misleading because max was larger than the actual maximum.)
Diffstat (limited to 'crypto/dsa')
-rw-r--r--crypto/dsa/dsa_ossl.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 7304037947..1967290baf 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -180,7 +180,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
kinv=NULL;
/* Get random k */
- if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err;
+ do
+ if (!BN_rand_range(&k, NULL, dsa->q)) goto err;
+ while (BN_is_zero(&k));
if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
{
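Review bot: The added `do ... while` around `BN_rand_range` has an unbraced body that is itself an `if (...) goto err;`, which is easy to misread and easy to break when a second statement is added; I would brace it as `do { if (!BN_rand_range(&k, NULL, dsa->q)) goto err; } while (BN_is_zero(&k));`. The existing `/* Get random k */` comment no longer explains the code, and I would extend it to something like `/* Get random k, uniform in [1, q-1]: NULL min presumably means 0, so retry on k == 0 */`. The uniformity of the nonce is the point of the countermeasure described in the commit message, and a later "simplification" of this loop (for example reducing or offsetting k instead of rejecting zero) could reintroduce bias without anyone noticing. The NULL-min behaviour is inferred from the new `min <= r < min+range` semantics and should be confirmed against the BN_rand_range change, which is not shown here. dsa_sign_setup's body starts and ends outside the hunk.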