From 35ed8cb8b6655606c2be31d44be942f6724ba405 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Thu, 8 Feb 2001 12:14:51 +0000 Subject: Integrate my implementation of a countermeasure against Bleichenbacher's DSA attack. With this implementation, the expected number of iterations never exceeds 2. New semantics for BN_rand_range(): BN_rand_range(r, min, range) now generates r such that min <= r < min+range. (Previously, BN_rand_range(r, min, max) generated r such that min <= r < max. It is more convenient to have the range; also the previous prototype was misleading because max was larger than the actual maximum.) --- crypto/dsa/dsa_ossl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'crypto/dsa') diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 7304037947..1967290baf 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -180,7 +180,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err; + do + if (!BN_rand_range(&k, NULL, dsa->q)) goto err; + while (BN_is_zero(&k)); if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { -- cgit v1.2.3