author | Adam Langley <agl@chromium.org> | 2013-01-24 22:27:28 +0100 |
---|---|---|
committer | Ben Laurie <ben@links.org> | 2013-06-13 18:26:07 +0200 |
commit | 8a99cb29d1f0013243a532bccc1dc70ed678eebe (patch) | |
tree | e29022ee28dbc0e6507597b2baf094760924f421 /crypto/ecdsa/ecs_sign.c | |
parent | Limit the number of empty records that will be processed consecutively (diff) | |
Add secure DSA nonce flag.
This change adds the option to calculate (EC)DSA nonces by hashing the
message and private key along with entropy to avoid leaking the private
key if the PRNG fails.
Diffstat (limited to '')
-rw-r--r-- | crypto/ecdsa/ecs_sign.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c
index 353d5af514..ea79a24b85 100644
--- a/crypto/ecdsa/ecs_sign.c
+++ b/crypto/ecdsa/ecs_sign.c
@@ -58,6 +58,7 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/rand.h>
+#include <openssl/err.h>
 
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
 {
@@ -102,5 +103,12 @@ int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
 ECDSA_DATA *ecdsa = ecdsa_check(eckey);
 if (ecdsa == NULL)
 return 0;
-return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
+if (EC_KEY_get_nonce_from_hash(eckey))
+{
+/* You cannot precompute the ECDSA nonce if it is required to
+ * depend on the message. */
+ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
+return 0;
+}
+return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
 }
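Review bot: The widened call at the end of the second hunk passes `NULL, 0` for the digest, so every `ecdsa_sign_setup` method implementation must treat a NULL digest as "no message available" and take the random-nonce path; a method that keys its nonce derivation on the digest pointer rather than on EC_KEY_get_nonce_from_hash() would dereference NULL here, and that contract is not stated in this file. A comment on the call would pin it down, e.g. `/* dgst/dlen are NULL/0: the nonce-from-hash case was rejected above, so the method must use a random nonce */`. Callers of ECDSA_sign_setup() that previously only failed on allocation or an invalid key now also get 0 with ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED for a perfectly valid key, which is the right fail-closed behaviour but should be spelled out in the function's public documentation so precompute-then-sign callers check the return. The signature of ECDSA_sign_setup begins outside the hunk.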