Make `safe' (EC)DSA nonces the default.

This change updates 8a99cb29 to make the generation of (EC)DSA nonces using the message digest the default. It also reverts the changes to (EC)DSA_METHOD structure. In addition to making it the default, removing the flag from EC_KEY means that FIPS modules will no longer have an ABI mismatch.
author: Adam Langley <agl@chromium.org> 2013-07-15 12:42:15 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2013-07-15 12:57:48 +0100
commit: 190c615d4398cc6c8b61eb7881d7409314529a75 (patch)
tree: 364615b71860e8587e36c1031de887ae32cb2811 /crypto/ecdsa
parent: 5c57c69f9ebcc933161a24d77f87f17011c9977b (diff)
5 files changed, 19 insertions, 22 deletions
diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index 865c3302ee..cd6d19ccde 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -264,7 +264,6 @@ void ERR_load_ECDSA_strings(void);
 #define ECDSA_R_ERR_EC_LIB				 102
 #define ECDSA_R_MISSING_PARAMETERS			 103
 #define ECDSA_R_NEED_NEW_SETUP_VALUES			 106
-#define ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED		 107
 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED		 104
 #define ECDSA_R_SIGNATURE_MALLOC_FAILED			 105
 
diff --git a/crypto/ecdsa/ecs_err.c b/crypto/ecdsa/ecs_err.c
index 17ccb4085c..d549ee5323 100644
--- a/crypto/ecdsa/ecs_err.c
+++ b/crypto/ecdsa/ecs_err.c
@@ -84,7 +84,6 @@ static ERR_STRING_DATA ECDSA_str_reasons[]=
 {ERR_REASON(ECDSA_R_ERR_EC_LIB)          ,"err ec lib"},
 {ERR_REASON(ECDSA_R_MISSING_PARAMETERS)  ,"missing parameters"},
 {ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"},
-{ERR_REASON(ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
 {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"},
 {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"},
 {0,NULL}
diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h
index 46f7ad9102..ad466e2b61 100644
--- a/crypto/ecdsa/ecs_locl.h
+++ b/crypto/ecdsa/ecs_locl.h
@@ -70,9 +70,8 @@ struct ecdsa_method
 	const char *name;
 	ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len, 
 			const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey);
-	int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx,
-				BIGNUM **kinv, BIGNUM **r,
-				const unsigned char *dgst, int dlen);
+	int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
+			BIGNUM **r);
 	int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len, 
 			const ECDSA_SIG *sig, EC_KEY *eckey);
 #if 0
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 113e60c4b9..9f7aecf5ee 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -66,9 +66,11 @@
 
 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, 
 		const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
-			    BIGNUM **kinvp, BIGNUM **rp,
-			    const unsigned char *dgst, int dlen);
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+		BIGNUM **rp);
+static int ecdsa_sign_setup_with_digest(EC_KEY *eckey, BN_CTX *ctx_in,
+					BIGNUM **kinvp, BIGNUM **rp,
+					const unsigned char *dgst, int dlen);
 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, 
 		const ECDSA_SIG *sig, EC_KEY *eckey);
 
@@ -90,9 +92,14 @@ const ECDSA_METHOD *ECDSA_OpenSSL(void)
 	return &openssl_ecdsa_meth;
 }
 
-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
-			    BIGNUM **kinvp, BIGNUM **rp,
-			    const unsigned char *dgst, int dlen)
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+		BIGNUM **rp) {
+	return ecdsa_sign_setup_with_digest(eckey, ctx_in, kinvp, rp, NULL, 0);
+}
+
+static int ecdsa_sign_setup_with_digest(EC_KEY *eckey, BN_CTX *ctx_in,
+					BIGNUM **kinvp, BIGNUM **rp,
+					const unsigned char *dgst, int dlen)
 {
 	BN_CTX   *ctx = NULL;
 	BIGNUM	 *k = NULL, *r = NULL, *order = NULL, *X = NULL;
@@ -147,7 +154,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
 		/* get random k */	
 		do
 #ifndef OPENSSL_NO_SHA512
-			if (EC_KEY_get_nonce_from_hash(eckey))
+			if (dgst != NULL)
 			{
 				if (!BN_generate_dsa_nonce(k, order, EC_KEY_get0_private_key(eckey),
 							   dgst, dlen, ctx))
@@ -320,7 +327,8 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 	{
 		if (in_kinv == NULL || in_r == NULL)
 		{
-			if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len))
+			if (!ecdsa_sign_setup_with_digest(
+				eckey, ctx, &kinv, &ret->r, dgst, dgst_len))
 			{
 				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
 				goto err;
diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c
index ea79a24b85..042b1565ec 100644
--- a/crypto/ecdsa/ecs_sign.c
+++ b/crypto/ecdsa/ecs_sign.c
@@ -58,7 +58,6 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/rand.h>
-#include <openssl/err.h>
 
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
 {
@@ -103,12 +102,5 @@ int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
 	ECDSA_DATA *ecdsa = ecdsa_check(eckey);
 	if (ecdsa == NULL)
 		return 0;
-	if (EC_KEY_get_nonce_from_hash(eckey))
-		{
-		/* You cannot precompute the ECDSA nonce if it is required to
-		 * depend on the message. */
-		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
-		return 0;
-		}
-	return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
+	return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
 }
author	Adam Langley <agl@chromium.org>	2013-07-15 12:42:15 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2013-07-15 12:57:48 +0100
commit	190c615d4398cc6c8b61eb7881d7409314529a75 (patch)
tree	364615b71860e8587e36c1031de887ae32cb2811 /crypto/ecdsa
parent	5c57c69f9ebcc933161a24d77f87f17011c9977b (diff)