recalculate DSA signature if r or s is zero (FIPS 186-3 requirement)

[openssl.git] / crypto / dsa / dsa_ossl.c

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 1fb665ec57414d3da49a2c11ff8334a9c80d89ca..1b416901b43f8d6feff6c3748b86ad2e70658b1c 100644 (file)
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -136,6 +136,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        BN_CTX *ctx=NULL;
        int reason=ERR_R_BN_LIB;
        DSA_SIG *ret=NULL;
+       int noredo = 0;
 
        BN_init(&m);
        BN_init(&xr);
@@ -159,7 +160,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 
        ctx=BN_CTX_new();
        if (ctx == NULL) goto err;
-
+redo:
        if ((dsa->kinv == NULL) || (dsa->r == NULL))
                {
                if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
@@ -170,6 +171,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                dsa->kinv=NULL;
                r=dsa->r;
                dsa->r=NULL;
+               noredo = 1;
                }
 
        
@@ -190,6 +192,18 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 
        ret=DSA_SIG_new();
        if (ret == NULL) goto err;
+       /* Redo if r or s is zero as required by FIPS 186-3: this is
+        * very unlikely.
+        */
+       if (BN_is_zero(r) || BN_is_zero(s))
+               {
+               if (noredo)
+                       {
+                       reason = DSA_R_NEED_NEW_SETUP_VALUES;
+                       goto err;
+                       }
+               goto redo;
+               }
        ret->r = r;
        ret->s = s;