1From 9be2984bfbff9a83e7b38f47ac87c677e9a9a0b8 Mon Sep 17 00:00:00 2001 2From: Adam Langley <agl@chromium.org> 3Date: Thu, 24 Jan 2013 16:27:28 -0500 4Subject: dsa_nonce 5 6Adds the option to calculate (EC)DSA nonces by hashing the message and 7private key along with entropy. 8--- 9 crypto/bn/bn.h | 6 +++++ 10 crypto/bn/bn_err.c | 2 ++ 11 crypto/bn/bn_rand.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ 12 crypto/dsa/dsa.h | 10 +++++-- 13 crypto/dsa/dsa_err.c | 1 + 14 crypto/dsa/dsa_ossl.c | 28 ++++++++++++++++---- 15 crypto/dsa/dsa_sign.c | 9 ++++++- 16 crypto/ec/ec.h | 11 ++++++++ 17 crypto/ec/ec_key.c | 12 +++++++++ 18 crypto/ec/ec_lcl.h | 1 + 19 crypto/ecdsa/ecdsa.h | 1 + 20 crypto/ecdsa/ecs_err.c | 1 + 21 crypto/ecdsa/ecs_locl.h | 5 ++-- 22 crypto/ecdsa/ecs_ossl.c | 38 ++++++++++++++++++++------- 23 crypto/ecdsa/ecs_sign.c | 10 ++++++- 24 15 files changed, 185 insertions(+), 20 deletions(-) 25 26diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h 27index f34248e..9281ce5 100644 28--- a/crypto/bn/bn.h 29+++ b/crypto/bn/bn.h 30@@ -692,6 +692,10 @@ const BIGNUM *BN_get0_nist_prime_256(void); 31 const BIGNUM *BN_get0_nist_prime_384(void); 32 const BIGNUM *BN_get0_nist_prime_521(void); 33 34+int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv, 35+ const unsigned char *message, size_t message_len, 36+ BN_CTX *ctx); 37+ 38 /* library internal functions */ 39 40 #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ 41@@ -842,6 +846,7 @@ void ERR_load_BN_strings(void); 42 #define BN_F_BN_EXP 123 43 #define BN_F_BN_EXPAND2 108 44 #define BN_F_BN_EXPAND_INTERNAL 120 45+#define BN_F_BN_GENERATE_DSA_NONCE 140 46 #define BN_F_BN_GF2M_MOD 131 47 #define BN_F_BN_GF2M_MOD_EXP 132 48 #define BN_F_BN_GF2M_MOD_MUL 133 49@@ -881,6 +886,7 @@ void ERR_load_BN_strings(void); 50 #define BN_R_NOT_INITIALIZED 107 51 #define BN_R_NO_INVERSE 108 52 #define BN_R_NO_SOLUTION 116 53+#define BN_R_PRIVATE_KEY_TOO_LARGE 117 54 #define BN_R_P_IS_NOT_PRIME 112 55 #define BN_R_TOO_MANY_ITERATIONS 113 56 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 57diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c 58index cfe2eb9..f722b52 100644 59--- a/crypto/bn/bn_err.c 60+++ b/crypto/bn/bn_err.c 61@@ -87,6 +87,7 @@ static ERR_STRING_DATA BN_str_functs[]= 62 {ERR_FUNC(BN_F_BN_EXP), "BN_exp"}, 63 {ERR_FUNC(BN_F_BN_EXPAND2), "bn_expand2"}, 64 {ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "BN_EXPAND_INTERNAL"}, 65+{ERR_FUNC(BN_F_BN_GENERATE_DSA_NONCE), "BN_generate_dsa_nonce"}, 66 {ERR_FUNC(BN_F_BN_GF2M_MOD), "BN_GF2m_mod"}, 67 {ERR_FUNC(BN_F_BN_GF2M_MOD_EXP), "BN_GF2m_mod_exp"}, 68 {ERR_FUNC(BN_F_BN_GF2M_MOD_MUL), "BN_GF2m_mod_mul"}, 69@@ -129,6 +130,7 @@ static ERR_STRING_DATA BN_str_reasons[]= 70 {ERR_REASON(BN_R_NOT_INITIALIZED) ,"not initialized"}, 71 {ERR_REASON(BN_R_NO_INVERSE) ,"no inverse"}, 72 {ERR_REASON(BN_R_NO_SOLUTION) ,"no solution"}, 73+{ERR_REASON(BN_R_PRIVATE_KEY_TOO_LARGE) ,"private key too large"}, 74 {ERR_REASON(BN_R_P_IS_NOT_PRIME) ,"p is not prime"}, 75 {ERR_REASON(BN_R_TOO_MANY_ITERATIONS) ,"too many iterations"}, 76 {ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"}, 77diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c 78index b376c28..55676f0 100644 79--- a/crypto/bn/bn_rand.c 80+++ b/crypto/bn/bn_rand.c 81@@ -114,6 +114,7 @@ 82 #include "cryptlib.h" 83 #include "bn_lcl.h" 84 #include <openssl/rand.h> 85+#include <openssl/sha.h> 86 87 static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) 88 { 89@@ -303,3 +304,72 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) 90 { 91 return bn_rand_range(1, r, range); 92 } 93+ 94+#ifndef OPENSSL_NO_SHA512 95+/* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike 96+ * BN_rand_range, it also includes the contents of |priv| and |message| in the 97+ * generation so that an RNG failure isn't fatal as long as |priv| remains 98+ * secret. This is intended for use in DSA and ECDSA where an RNG weakness 99+ * leads directly to private key exposure unless this function is used. */ 100+int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM* priv, 101+ const unsigned char *message, size_t message_len, 102+ BN_CTX *ctx) 103+ { 104+ SHA512_CTX sha; 105+ /* We use 512 bits of random data per iteration to 106+ * ensure that we have at least |range| bits of randomness. */ 107+ unsigned char random_bytes[64]; 108+ unsigned char digest[SHA512_DIGEST_LENGTH]; 109+ unsigned done, todo; 110+ /* We generate |range|+8 bytes of random output. */ 111+ const unsigned num_k_bytes = BN_num_bytes(range) + 8; 112+ unsigned char private_bytes[96]; 113+ unsigned char *k_bytes; 114+ int ret = 0; 115+ 116+ k_bytes = OPENSSL_malloc(num_k_bytes); 117+ if (!k_bytes) 118+ goto err; 119+ 120+ /* We copy |priv| into a local buffer to avoid exposing its length. */ 121+ todo = sizeof(priv->d[0])*priv->top; 122+ if (todo > sizeof(private_bytes)) 123+ { 124+ /* No reasonable DSA or ECDSA key should have a private key 125+ * this large and we don't handle this case in order to avoid 126+ * leaking the length of the private key. */ 127+ BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); 128+ goto err; 129+ } 130+ memcpy(private_bytes, priv->d, todo); 131+ memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); 132+ 133+ for (done = 0; done < num_k_bytes;) { 134+ if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1) 135+ goto err; 136+ SHA512_Init(&sha); 137+ SHA512_Update(&sha, &done, sizeof(done)); 138+ SHA512_Update(&sha, private_bytes, sizeof(private_bytes)); 139+ SHA512_Update(&sha, message, message_len); 140+ SHA512_Update(&sha, random_bytes, sizeof(random_bytes)); 141+ SHA512_Final(digest, &sha); 142+ 143+ todo = num_k_bytes - done; 144+ if (todo > SHA512_DIGEST_LENGTH) 145+ todo = SHA512_DIGEST_LENGTH; 146+ memcpy(k_bytes + done, digest, todo); 147+ done += todo; 148+ } 149+ 150+ if (!BN_bin2bn(k_bytes, num_k_bytes, out)) 151+ goto err; 152+ if (BN_mod(out, out, range, ctx) != 1) 153+ goto err; 154+ ret = 1; 155+ 156+err: 157+ if (k_bytes) 158+ OPENSSL_free(k_bytes); 159+ return ret; 160+ } 161+#endif /* OPENSSL_NO_SHA512 */ 162diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h 163index b448d2a..71ef572 100644 164--- a/crypto/dsa/dsa.h 165+++ b/crypto/dsa/dsa.h 166@@ -96,6 +96,10 @@ 167 * faster variable sliding window method to 168 * be used for all exponents. 169 */ 170+#define DSA_FLAG_NONCE_FROM_HASH 0x04 /* Causes the DSA nonce to be calculated 171+ from SHA512(private_key + H(message) + 172+ random). This strengthens DSA against a 173+ weak PRNG. */ 174 175 176 /* If this flag is set the DSA method is FIPS compliant and can be used 177@@ -131,8 +135,9 @@ struct dsa_method 178 { 179 const char *name; 180 DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa); 181- int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, 182- BIGNUM **rp); 183+ int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, 184+ BIGNUM **kinvp, BIGNUM **rp, 185+ const unsigned char *dgst, int dlen); 186 int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len, 187 DSA_SIG *sig, DSA *dsa); 188 int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, 189@@ -325,6 +330,7 @@ void ERR_load_DSA_strings(void); 190 #define DSA_R_MISSING_PARAMETERS 101 191 #define DSA_R_MODULUS_TOO_LARGE 103 192 #define DSA_R_NEED_NEW_SETUP_VALUES 110 193+#define DSA_R_NONCE_CANNOT_BE_PRECOMPUTED 112 194 #define DSA_R_NON_FIPS_DSA_METHOD 111 195 #define DSA_R_NO_PARAMETERS_SET 107 196 #define DSA_R_PARAMETER_ENCODING_ERROR 105 197diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c 198index 00545b7..e6171cc 100644 199--- a/crypto/dsa/dsa_err.c 200+++ b/crypto/dsa/dsa_err.c 201@@ -109,6 +109,7 @@ static ERR_STRING_DATA DSA_str_reasons[]= 202 {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, 203 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, 204 {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, 205+{ERR_REASON(DSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"}, 206 {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD) ,"non fips dsa method"}, 207 {ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"}, 208 {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"}, 209diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c 210index a865a8c..15f8da2 100644 211--- a/crypto/dsa/dsa_ossl.c 212+++ b/crypto/dsa/dsa_ossl.c 213@@ -67,7 +67,9 @@ 214 #include <openssl/asn1.h> 215 216 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); 217-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); 218+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, 219+ BIGNUM **kinvp, BIGNUM **rp, 220+ const unsigned char *dgst, int dlen); 221 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 222 DSA *dsa); 223 static int dsa_init(DSA *dsa); 224@@ -167,7 +169,8 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 225 redo: 226 if ((dsa->kinv == NULL) || (dsa->r == NULL)) 227 { 228- if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err; 229+ if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r,dgst,dlen)) 230+ goto err; 231 } 232 else 233 { 234@@ -226,7 +229,9 @@ err: 235 return(ret); 236 } 237 238-static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 239+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, 240+ BIGNUM **kinvp, BIGNUM **rp, 241+ const unsigned char *dgst, int dlen) 242 { 243 BN_CTX *ctx; 244 BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; 245@@ -252,8 +257,21 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 246 247 /* Get random k */ 248 do 249- if (!BN_rand_range(&k, dsa->q)) goto err; 250- while (BN_is_zero(&k)); 251+ { 252+#ifndef OPENSSL_NO_SHA512 253+ if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) 254+ { 255+ /* If DSA_FLAG_NONCE_FROM_HASH is set then we calculate k from 256+ * SHA512(private_key + H(message) + random). This protects the 257+ * private key from a weak PRNG. */ 258+ if (!BN_generate_dsa_nonce(&k, dsa->q, dsa->priv_key, dgst, 259+ dlen, ctx)) 260+ goto err; 261+ } 262+ else 263+#endif 264+ if (!BN_rand_range(&k, dsa->q)) goto err; 265+ } while (BN_is_zero(&k)); 266 if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) 267 { 268 BN_set_flags(&k, BN_FLG_CONSTTIME); 269diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c 270index c3cc364..8ace300 100644 271--- a/crypto/dsa/dsa_sign.c 272+++ b/crypto/dsa/dsa_sign.c 273@@ -86,7 +86,14 @@ int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 274 return 0; 275 } 276 #endif 277- return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); 278+ if (dsa->flags & DSA_FLAG_NONCE_FROM_HASH) 279+ { 280+ /* You cannot precompute the DSA nonce if it is required to 281+ * depend on the message. */ 282+ DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NONCE_CANNOT_BE_PRECOMPUTED); 283+ return 0; 284+ } 285+ return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0); 286 } 287 288 DSA_SIG *DSA_SIG_new(void) 289diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h 290index dfe8710..d008a0d 100644 291--- a/crypto/ec/ec.h 292+++ b/crypto/ec/ec.h 293@@ -819,6 +819,17 @@ void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, 294 /* wrapper functions for the underlying EC_GROUP object */ 295 void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); 296 297+/** Sets whether ECDSA operations with the given key will calculate their k 298+ * value from SHA512(private_key + message + random) in order to protect 299+ * against a weak PRNG. 300+ * \param on Whether to calculate k from a hash or not 301+ */ 302+void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on); 303+ 304+/** Returns the value of nonce_from_hash 305+ */ 306+int EC_KEY_get_nonce_from_hash(const EC_KEY *key); 307+ 308 /** Creates a table of pre-computed multiples of the generator to 309 * accelerate further EC_KEY operations. 310 * \param key EC_KEY object 311diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c 312index 7fa2475..73dd7b9 100644 313--- a/crypto/ec/ec_key.c 314+++ b/crypto/ec/ec_key.c 315@@ -85,6 +85,7 @@ EC_KEY *EC_KEY_new(void) 316 ret->pub_key = NULL; 317 ret->priv_key= NULL; 318 ret->enc_flag= 0; 319+ ret->nonce_from_hash_flag = 0; 320 ret->conv_form = POINT_CONVERSION_UNCOMPRESSED; 321 ret->references= 1; 322 ret->method_data = NULL; 323@@ -198,6 +199,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) 324 325 /* copy the rest */ 326 dest->enc_flag = src->enc_flag; 327+ dest->nonce_from_hash_flag = src->nonce_from_hash_flag; 328 dest->conv_form = src->conv_form; 329 dest->version = src->version; 330 dest->flags = src->flags; 331@@ -505,6 +507,16 @@ void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags) 332 key->enc_flag = flags; 333 } 334 335+int EC_KEY_get_nonce_from_hash(const EC_KEY *key) 336+ { 337+ return key->nonce_from_hash_flag; 338+ } 339+ 340+void EC_KEY_set_nonce_from_hash(EC_KEY *key, int on) 341+ { 342+ key->nonce_from_hash_flag = on != 0; 343+ } 344+ 345 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key) 346 { 347 return key->conv_form; 348diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h 349index da7967d..6f714c7 100644 350--- a/crypto/ec/ec_lcl.h 351+++ b/crypto/ec/ec_lcl.h 352@@ -246,6 +246,7 @@ struct ec_key_st { 353 BIGNUM *priv_key; 354 355 unsigned int enc_flag; 356+ char nonce_from_hash_flag; 357 point_conversion_form_t conv_form; 358 359 int references; 360diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h 361index 7fb5254..dc6a36b 100644 362--- a/crypto/ecdsa/ecdsa.h 363+++ b/crypto/ecdsa/ecdsa.h 364@@ -250,6 +250,7 @@ void ERR_load_ECDSA_strings(void); 365 #define ECDSA_R_ERR_EC_LIB 102 366 #define ECDSA_R_MISSING_PARAMETERS 103 367 #define ECDSA_R_NEED_NEW_SETUP_VALUES 106 368+#define ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED 108 369 #define ECDSA_R_NON_FIPS_METHOD 107 370 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104 371 #define ECDSA_R_SIGNATURE_MALLOC_FAILED 105 372diff --git a/crypto/ecdsa/ecs_err.c b/crypto/ecdsa/ecs_err.c 373index 81542e6..7406c6d 100644 374--- a/crypto/ecdsa/ecs_err.c 375+++ b/crypto/ecdsa/ecs_err.c 376@@ -85,6 +85,7 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= 377 {ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"}, 378 {ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"}, 379 {ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"}, 380+{ERR_REASON(ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED),"nonce cannot be precomputed"}, 381 {ERR_REASON(ECDSA_R_NON_FIPS_METHOD) ,"non fips method"}, 382 {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"}, 383 {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"}, 384diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h 385index cb3be13..46f7ad9 100644 386--- a/crypto/ecdsa/ecs_locl.h 387+++ b/crypto/ecdsa/ecs_locl.h 388@@ -70,8 +70,9 @@ struct ecdsa_method 389 const char *name; 390 ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len, 391 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey); 392- int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, 393- BIGNUM **r); 394+ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, 395+ BIGNUM **kinv, BIGNUM **r, 396+ const unsigned char *dgst, int dlen); 397 int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len, 398 const ECDSA_SIG *sig, EC_KEY *eckey); 399 #if 0 400diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c 401index 7725935..325aca8 100644 402--- a/crypto/ecdsa/ecs_ossl.c 403+++ b/crypto/ecdsa/ecs_ossl.c 404@@ -60,11 +60,13 @@ 405 #include <openssl/err.h> 406 #include <openssl/obj_mac.h> 407 #include <openssl/bn.h> 408+#include <openssl/rand.h> 409 410 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, 411 const BIGNUM *, const BIGNUM *, EC_KEY *eckey); 412-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 413- BIGNUM **rp); 414+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, 415+ BIGNUM **kinvp, BIGNUM **rp, 416+ const unsigned char *dgst, int dlen); 417 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, 418 const ECDSA_SIG *sig, EC_KEY *eckey); 419 420@@ -86,8 +88,9 @@ const ECDSA_METHOD *ECDSA_OpenSSL(void) 421 return &openssl_ecdsa_meth; 422 } 423 424-static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 425- BIGNUM **rp) 426+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, 427+ BIGNUM **kinvp, BIGNUM **rp, 428+ const unsigned char *dgst, int dlen) 429 { 430 BN_CTX *ctx = NULL; 431 BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; 432@@ -136,11 +139,28 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 433 { 434 /* get random k */ 435 do 436- if (!BN_rand_range(k, order)) 437+#ifndef OPENSSL_NO_SHA512 438+ if (EC_KEY_get_nonce_from_hash(eckey)) 439 { 440- ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 441- ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 442- goto err; 443+ if (!BN_generate_dsa_nonce( 444+ k, order, 445+ EC_KEY_get0_private_key(eckey), 446+ dgst, dlen, ctx)) 447+ { 448+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 449+ ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 450+ goto err; 451+ } 452+ } 453+ else 454+#endif 455+ { 456+ if (!BN_rand_range(k, order)) 457+ { 458+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 459+ ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 460+ goto err; 461+ } 462 } 463 while (BN_is_zero(k)); 464 465@@ -282,7 +302,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 466 { 467 if (in_kinv == NULL || in_r == NULL) 468 { 469- if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) 470+ if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) 471 { 472 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB); 473 goto err; 474diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c 475index 353d5af..ea79a24 100644 476--- a/crypto/ecdsa/ecs_sign.c 477+++ b/crypto/ecdsa/ecs_sign.c 478@@ -58,6 +58,7 @@ 479 #include <openssl/engine.h> 480 #endif 481 #include <openssl/rand.h> 482+#include <openssl/err.h> 483 484 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) 485 { 486@@ -102,5 +103,12 @@ int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 487 ECDSA_DATA *ecdsa = ecdsa_check(eckey); 488 if (ecdsa == NULL) 489 return 0; 490- return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); 491+ if (EC_KEY_get_nonce_from_hash(eckey)) 492+ { 493+ /* You cannot precompute the ECDSA nonce if it is required to 494+ * depend on the message. */ 495+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_NONCE_CANNOT_BE_PRECOMPUTED); 496+ return 0; 497+ } 498+ return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); 499 } 500-- 5011.8.5.1 502 503