• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1From 9be2984bfbff9a83e7b38f47ac87c677e9a9a0b8 Mon Sep 17 00:00:00 2001
2From: Adam Langley <agl@chromium.org>
3Date: Thu, 24 Jan 2013 16:27:28 -0500
4Subject: dsa_nonce
5
6Adds the option to calculate (EC)DSA nonces by hashing the message and
7private key along with entropy.
8---
9 crypto/bn/bn.h          |  6 +++++
10 crypto/bn/bn_err.c      |  2 ++
11 crypto/bn/bn_rand.c     | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
12 crypto/dsa/dsa.h        | 10 +++++--
13 crypto/dsa/dsa_err.c    |  1 +
14 crypto/dsa/dsa_ossl.c   | 28 ++++++++++++++++----
15 crypto/dsa/dsa_sign.c   |  9 ++++++-
16 crypto/ec/ec.h          | 11 ++++++++
17 crypto/ec/ec_key.c      | 12 +++++++++
18 crypto/ec/ec_lcl.h      |  1 +
19 crypto/ecdsa/ecdsa.h    |  1 +
20 crypto/ecdsa/ecs_err.c  |  1 +
21 crypto/ecdsa/ecs_locl.h |  5 ++--
22 crypto/ecdsa/ecs_ossl.c | 38 ++++++++++++++++++++-------
23 crypto/ecdsa/ecs_sign.c | 10 ++++++-
24 15 files changed, 185 insertions(+), 20 deletions(-)
25
26diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
27index f34248e..9281ce5 100644
28--- a/crypto/bn/bn.h
29+++ b/crypto/bn/bn.h
30@@ -692,6 +692,10 @@ const BIGNUM *BN_get0_nist_prime_256(void);
31 const BIGNUM *BN_get0_nist_prime_384(void);
32 const BIGNUM *BN_get0_nist_prime_521(void);
33
34+int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
35+			  const unsigned char *message, size_t message_len,
36+			  BN_CTX *ctx);
37+
38 /* library internal functions */
39
40 #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
41@@ -842,6 +846,7 @@ void ERR_load_BN_strings(void);
42 #define BN_F_BN_EXP					 123
43 #define BN_F_BN_EXPAND2					 108
44 #define BN_F_BN_EXPAND_INTERNAL				 120
45+#define BN_F_BN_GENERATE_DSA_NONCE			 140
46 #define BN_F_BN_GF2M_MOD				 131
47 #define BN_F_BN_GF2M_MOD_EXP				 132
48 #define BN_F_BN_GF2M_MOD_MUL				 133
49@@ -881,6 +886,7 @@ void ERR_load_BN_strings(void);
50 #define BN_R_NOT_INITIALIZED				 107
51 #define BN_R_NO_INVERSE					 108
52 #define BN_R_NO_SOLUTION				 116
53+#define BN_R_PRIVATE_KEY_TOO_LARGE			 117
54 #define BN_R_P_IS_NOT_PRIME				 112
55 #define BN_R_TOO_MANY_ITERATIONS			 113
56 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES		 109
57diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
58index cfe2eb9..f722b52 100644
59--- a/crypto/bn/bn_err.c
60+++ b/crypto/bn/bn_err.c
61@@ -87,6 +87,7 @@ static ERR_STRING_DATA BN_str_functs[]=
62 {ERR_FUNC(BN_F_BN_EXP),	"BN_exp"},
63 {ERR_FUNC(BN_F_BN_EXPAND2),	"bn_expand2"},
64 {ERR_FUNC(BN_F_BN_EXPAND_INTERNAL),	"BN_EXPAND_INTERNAL"},
65+{ERR_FUNC(BN_F_BN_GENERATE_DSA_NONCE),	"BN_generate_dsa_nonce"},
66 {ERR_FUNC(BN_F_BN_GF2M_MOD),	"BN_GF2m_mod"},
67 {ERR_FUNC(BN_F_BN_GF2M_MOD_EXP),	"BN_GF2m_mod_exp"},
68 {ERR_FUNC(BN_F_BN_GF2M_MOD_MUL),	"BN_GF2m_mod_mul"},
69@@ -129,6 +130,7 @@ static ERR_STRING_DATA BN_str_reasons[]=
70 {ERR_REASON(BN_R_NOT_INITIALIZED)        ,"not initialized"},
71 {ERR_REASON(BN_R_NO_INVERSE)             ,"no inverse"},
72 {ERR_REASON(BN_R_NO_SOLUTION)            ,"no solution"},
73+{ERR_REASON(BN_R_PRIVATE_KEY_TOO_LARGE)  ,"private key too large"},
74 {ERR_REASON(BN_R_P_IS_NOT_PRIME)         ,"p is not prime"},
75 {ERR_REASON(BN_R_TOO_MANY_ITERATIONS)    ,"too many iterations"},
76 {ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"},
77diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
78index b376c28..55676f0 100644
79--- a/crypto/bn/bn_rand.c
80+++ b/crypto/bn/bn_rand.c
81@@ -114,6 +114,7 @@
82 #include "cryptlib.h"
83 #include "bn_lcl.h"
84 #include <openssl/rand.h>
85+#include <openssl/sha.h>
86
87 static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
88 	{
89@@ -303,3 +304,72 @@ int	BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
90 	{
91 	return bn_rand_range(1, r, range);
92 	}
93+
94+#ifndef OPENSSL_NO_SHA512
95+/* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
96+ * BN_rand_range, it also includes the contents of |priv| and |message| in the
97+ * generation so that an RNG failure isn't fatal as long as |priv| remains
98+ * secret. This is intended for use in DSA and ECDSA where an RNG weakness
99+ * leads directly to private key exposure unless this function is used. */
100+int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM* priv,
101+			  const unsigned char *message, size_t message_len,
102+			  BN_CTX *ctx)
103+	{
104+	SHA512_CTX sha;
105+	/* We use 512 bits of random data per iteration to
106+	 * ensure that we have at least |range| bits of randomness. */
107+	unsigned char random_bytes[64];
108+	unsigned char digest[SHA512_DIGEST_LENGTH];
109+	unsigned done, todo;
110+	/* We generate |range|+8 bytes of random output. */
111+	const unsigned num_k_bytes = BN_num_bytes(range) + 8;
112+	unsigned char private_bytes[96];
113+	unsigned char *k_bytes;
114+	int ret = 0;
115+
116+	k_bytes = OPENSSL_malloc(num_k_bytes);
117+	if (!k_bytes)
118+		goto err;
119+
120+	/* We copy |priv| into a local buffer to avoid exposing its length. */
121+	todo = sizeof(priv->d[0])*priv->top;
122+	if (todo > sizeof(private_bytes))
123+		{
124+		/* No reasonable DSA or ECDSA key should have a private key
125+		 * this large and we don't handle this case in order to avoid
126+		 * leaking the length of the private key. */
127+		BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
128+		goto err;
129+		}
130+	memcpy(private_bytes, priv->d, todo);
131+	memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
132+
133+	for (done = 0; done < num_k_bytes;) {
134+		if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)
135+			goto err;
136+		SHA512_Init(&sha);
137+		SHA512_Update(&sha, &done, sizeof(done));
138+		SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
139+		SHA512_Update(&sha, message, message_len);
140+		SHA512_Update(&sha, random_bytes, sizeof(random_bytes));
141+		SHA512_Final(digest, &sha);
142+
143+		todo = num_k_bytes - done;
144+		if (todo > SHA512_DIGEST_LENGTH)
145+			todo = SHA512_DIGEST_LENGTH;
146+		memcpy(k_bytes + done, digest, todo);
147+		done += todo;
148+	}
149+
150+	if (!BN_bin2bn(k_bytes, num_k_bytes, out))
151+		goto err;
152+	if (BN_mod(out, out, range, ctx) != 1)
153+		goto err;
154+	ret = 1;
155+
156+err:
157+	if (k_bytes)
158+		OPENSSL_free(k_bytes);
159+	return ret;
160+	}
161+#endif  /* OPENSSL_NO_SHA512 */
162diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
163index b448d2a..71ef572 100644
164--- a/crypto/dsa/dsa.h
165+++ b/crypto/dsa/dsa.h
166@@ -96,6 +96,10 @@
167                                               * faster variable sliding window method to
168                                               * be used for all exponents.
169                                               */
170+#define DSA_FLAG_NONCE_FROM_HASH	0x04 /* Causes the DSA nonce to be calculated
171+						from SHA512(private_key + H(message) +
172+						random). This strengthens DSA against a
173+						weak PRNG. */
174
175
176 /* If this flag is set the DSA method is FIPS compliant and can be used
177@@ -131,8 +135,9 @@ struct dsa_method
178 	{
179 	const char *name;
180 	DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
181-	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
182-								BIGNUM **rp);
183+	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in,
184+			      BIGNUM **kinvp, BIGNUM **rp,
185+			      const unsigned char *dgst, int dlen);
186 	int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
187 			     DSA_SIG *sig, DSA *dsa);
188 	int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
189@@ -325,6 +330,7 @@ void ERR_load_DSA_strings(void);
190 #define DSA_R_MISSING_PARAMETERS			 101
191 #define DSA_R_MODULUS_TOO_LARGE				 103
192 #define DSA_R_NEED_NEW_SETUP_VALUES			 110
193+#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED		 112
194 #define DSA_R_NON_FIPS_DSA_METHOD			 111
195 #define DSA_R_NO_PARAMETERS_SET				 107
196 #define DSA_R_PARAMETER_ENCODING_ERROR			 105
197diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c
198index 00545b7..e6171cc 100644
199--- a/crypto/dsa/dsa_err.c
200+++ b/crypto/dsa/dsa_err.c
201@@ -109,6 +109,7 @@ static ERR_STRING_DATA DSA_str_reasons[]=
202 {ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
203 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
204 {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
205+{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
206 {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD)   ,"non fips dsa method"},
207 {ERR_REASON(DSA_R_NO_PARAMETERS_SET)     ,"no parameters set"},
208 {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
209diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
210index a865a8c..15f8da2 100644
211--- a/crypto/dsa/dsa_ossl.c
212+++ b/crypto/dsa/dsa_ossl.c
213@@ -67,7 +67,9 @@
214 #include <openssl/asn1.h>
215
216 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
217-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
218+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
219+			  BIGNUM **kinvp, BIGNUM **rp,
220+			  const unsigned char *dgst, int dlen);
221 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
222 			 DSA *dsa);
223 static int dsa_init(DSA *dsa);
224@@ -167,7 +169,8 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
225 redo:
226 	if ((dsa->kinv == NULL) || (dsa->r == NULL))
227 		{
228-		if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
229+		if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen))
230+			goto err;
231 		}
232 	else
233 		{
234@@ -226,7 +229,9 @@ err:
235 	return(ret);
236 	}
237
238-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
239+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
240+			  BIGNUM **kinvp, BIGNUM **rp,
241+			  const unsigned char *dgst, int dlen)
242 	{
243 	BN_CTX *ctx;
244 	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
245@@ -252,8 +257,21 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
246
247 	/* Get random k */
248 	do
249-		if (!BN_rand_range(&k, dsa->q)) goto err;
250-	while (BN_is_zero(&k));
251+		{
252+#ifndef OPENSSL_NO_SHA512
253+		if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
254+			{
255+			/* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from
256+			 * SHA512(private_key + H(message) + random). This protects the
257+			 * private key from a weak PRNG. */
258+			if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst,
259+						   dlen, ctx))
260+				goto err;
261+			}
262+		else
263+#endif
264+			if (!BN_rand_range(&k, dsa->q)) goto err;
265+		} while (BN_is_zero(&k));
266 	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
267 		{
268 		BN_set_flags(&k, BN_FLG_CONSTTIME);
269diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
270index c3cc364..8ace300 100644
271--- a/crypto/dsa/dsa_sign.c
272+++ b/crypto/dsa/dsa_sign.c
273@@ -86,7 +86,14 @@ int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
274 		return 0;
275 		}
276 #endif
277-	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
278+	if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH)
279+		{
280+		/* You cannot precompute the DSA nonce if it is required to
281+		 * depend on the message. */
282+		DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
283+		return 0;
284+		}
285+	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0);
286 	}
287
288 DSA_SIG *DSA_SIG_new(void)
289diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
290index dfe8710..d008a0d 100644
291--- a/crypto/ec/ec.h
292+++ b/crypto/ec/ec.h
293@@ -819,6 +819,17 @@ void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
294 /* wrapper functions for the underlying EC_GROUP object */
295 void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
296
297+/** Sets whether ECDSA operations with the given key will calculate their k
298+ * value from SHA512(private_key + message + random) in order to protect
299+ * against a weak PRNG.
300+ * \param  on  Whether to calculate k from a hash or not
301+ */
302+void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on);
303+
304+/** Returns the value of nonce_from_hash
305+ */
306+int EC_KEY_get_nonce_from_hash(const EC_KEY *key);
307+
308 /** Creates a table of pre-computed multiples of the generator to
309  *  accelerate further EC_KEY operations.
310  *  \param  key  EC_KEY object
311diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
312index 7fa2475..73dd7b9 100644
313--- a/crypto/ec/ec_key.c
314+++ b/crypto/ec/ec_key.c
315@@ -85,6 +85,7 @@ EC_KEY *EC_KEY_new(void)
316 	ret->pub_key = NULL;
317 	ret->priv_key= NULL;
318 	ret->enc_flag= 0;
319+	ret->nonce_from_hash_flag = 0;
320 	ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
321 	ret->references= 1;
322 	ret->method_data = NULL;
323@@ -198,6 +199,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
324
325 	/* copy the rest */
326 	dest->enc_flag  = src->enc_flag;
327+	dest->nonce_from_hash_flag = src->nonce_from_hash_flag;
328 	dest->conv_form = src->conv_form;
329 	dest->version   = src->version;
330 	dest->flags = src->flags;
331@@ -505,6 +507,16 @@ void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
332 	key->enc_flag = flags;
333 	}
334
335+int EC_KEY_get_nonce_from_hash(const EC_KEY *key)
336+	{
337+	return key->nonce_from_hash_flag;
338+	}
339+
340+void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on)
341+	{
342+	key->nonce_from_hash_flag = on != 0;
343+	}
344+
345 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
346 	{
347 	return key->conv_form;
348diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
349index da7967d..6f714c7 100644
350--- a/crypto/ec/ec_lcl.h
351+++ b/crypto/ec/ec_lcl.h
352@@ -246,6 +246,7 @@ struct ec_key_st {
353 	BIGNUM	 *priv_key;
354
355 	unsigned int enc_flag;
356+	char nonce_from_hash_flag;
357 	point_conversion_form_t conv_form;
358
359 	int 	references;
360diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
361index 7fb5254..dc6a36b 100644
362--- a/crypto/ecdsa/ecdsa.h
363+++ b/crypto/ecdsa/ecdsa.h
364@@ -250,6 +250,7 @@ void ERR_load_ECDSA_strings(void);
365 #define ECDSA_R_ERR_EC_LIB				 102
366 #define ECDSA_R_MISSING_PARAMETERS			 103
367 #define ECDSA_R_NEED_NEW_SETUP_VALUES			 106
368+#define ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED		 108
369 #define ECDSA_R_NON_FIPS_METHOD				 107
370 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED		 104
371 #define ECDSA_R_SIGNATURE_MALLOC_FAILED			 105
372diff --git a/crypto/ecdsa/ecs_err.c b/crypto/ecdsa/ecs_err.c
373index 81542e6..7406c6d 100644
374--- a/crypto/ecdsa/ecs_err.c
375+++ b/crypto/ecdsa/ecs_err.c
376@@ -85,6 +85,7 @@ static ERR_STRING_DATA ECDSA_str_reasons[]=
377 {ERR_REASON(ECDSA_R_ERR_EC_LIB)          ,"err ec lib"},
378 {ERR_REASON(ECDSA_R_MISSING_PARAMETERS)  ,"missing parameters"},
379 {ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"},
380+{ERR_REASON(ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"},
381 {ERR_REASON(ECDSA_R_NON_FIPS_METHOD)     ,"non fips method"},
382 {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"},
383 {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"},
384diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h
385index cb3be13..46f7ad9 100644
386--- a/crypto/ecdsa/ecs_locl.h
387+++ b/crypto/ecdsa/ecs_locl.h
388@@ -70,8 +70,9 @@ struct ecdsa_method
389 	const char *name;
390 	ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len,
391 			const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey);
392-	int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv,
393-			BIGNUM **r);
394+	int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx,
395+				BIGNUM **kinv, BIGNUM **r,
396+				const unsigned char *dgst, int dlen);
397 	int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len,
398 			const ECDSA_SIG *sig, EC_KEY *eckey);
399 #if 0
400diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
401index 7725935..325aca8 100644
402--- a/crypto/ecdsa/ecs_ossl.c
403+++ b/crypto/ecdsa/ecs_ossl.c
404@@ -60,11 +60,13 @@
405 #include <openssl/err.h>
406 #include <openssl/obj_mac.h>
407 #include <openssl/bn.h>
408+#include <openssl/rand.h>
409
410 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
411 		const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
412-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
413-		BIGNUM **rp);
414+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
415+			    BIGNUM **kinvp, BIGNUM **rp,
416+			    const unsigned char *dgst, int dlen);
417 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
418 		const ECDSA_SIG *sig, EC_KEY *eckey);
419
420@@ -86,8 +88,9 @@ const ECDSA_METHOD *ECDSA_OpenSSL(void)
421 	return &openssl_ecdsa_meth;
422 }
423
424-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
425-		BIGNUM **rp)
426+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
427+			    BIGNUM **kinvp, BIGNUM **rp,
428+			    const unsigned char *dgst, int dlen)
429 {
430 	BN_CTX   *ctx = NULL;
431 	BIGNUM	 *k = NULL, *r = NULL, *order = NULL, *X = NULL;
432@@ -136,11 +139,28 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
433 	{
434 		/* get random k */
435 		do
436-			if (!BN_rand_range(k, order))
437+#ifndef OPENSSL_NO_SHA512
438+			if (EC_KEY_get_nonce_from_hash(eckey))
439 			{
440-				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
441-				 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
442-				goto err;
443+				if (!BN_generate_dsa_nonce(
444+					k, order,
445+					EC_KEY_get0_private_key(eckey),
446+					dgst, dlen, ctx))
447+					{
448+					ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
449+						 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
450+					goto err;
451+					}
452+			}
453+			else
454+#endif
455+			{
456+				if (!BN_rand_range(k, order))
457+				{
458+					ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
459+					 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
460+					goto err;
461+				}
462 			}
463 		while (BN_is_zero(k));
464
465@@ -282,7 +302,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
466 	{
467 		if (in_kinv == NULL || in_r == NULL)
468 		{
469-			if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))
470+			if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len))
471 			{
472 				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
473 				goto err;
474diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c
475index 353d5af..ea79a24 100644
476--- a/crypto/ecdsa/ecs_sign.c
477+++ b/crypto/ecdsa/ecs_sign.c
478@@ -58,6 +58,7 @@
479 #include <openssl/engine.h>
480 #endif
481 #include <openssl/rand.h>
482+#include <openssl/err.h>
483
484 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
485 {
486@@ -102,5 +103,12 @@ int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
487 	ECDSA_DATA *ecdsa = ecdsa_check(eckey);
488 	if (ecdsa == NULL)
489 		return 0;
490-	return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
491+	if (EC_KEY_get_nonce_from_hash(eckey))
492+		{
493+		/* You cannot precompute the ECDSA nonce if it is required to
494+		 * depend on the message. */
495+		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED);
496+		return 0;
497+		}
498+	return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
499 }
500--
5011.8.5.1
502
503