Switch BN_generate_dsa_nonce's hash back to SHA-512/256.
SHA-512 is faster to calculate on 64-bit systems and that's what we were using before. (Though, realistically, this doesn't show up at all.) Change-Id: Id4f386ca0b5645a863b36405eef03bc62d0f29b3 Reviewed-on: https://boringssl-review.googlesource.com/16006 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
4d1f4ba08d
commit
0d5b886ef8
@ -270,16 +270,16 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
|
|||||||
OPENSSL_memcpy(private_bytes, priv->d, todo);
|
OPENSSL_memcpy(private_bytes, priv->d, todo);
|
||||||
OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
|
OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
|
||||||
|
|
||||||
/* Pass a SHA256 hash of the private key and message as additional data into
|
/* Pass a SHA512 hash of the private key and message as additional data into
|
||||||
* the RBG. This is a hardening measure against entropy failure. */
|
* the RBG. This is a hardening measure against entropy failure. */
|
||||||
OPENSSL_COMPILE_ASSERT(SHA256_DIGEST_LENGTH == 32,
|
OPENSSL_COMPILE_ASSERT(SHA512_DIGEST_LENGTH >= 32,
|
||||||
additional_data_is_different_size_from_sha256);
|
additional_data_is_too_large_for_sha512);
|
||||||
SHA256_CTX sha;
|
SHA512_CTX sha;
|
||||||
uint8_t digest[SHA256_DIGEST_LENGTH];
|
uint8_t digest[SHA512_DIGEST_LENGTH];
|
||||||
SHA256_Init(&sha);
|
SHA512_Init(&sha);
|
||||||
SHA256_Update(&sha, private_bytes, sizeof(private_bytes));
|
SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
|
||||||
SHA256_Update(&sha, message, message_len);
|
SHA512_Update(&sha, message, message_len);
|
||||||
SHA256_Final(digest, &sha);
|
SHA512_Final(digest, &sha);
|
||||||
|
|
||||||
/* Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2. */
|
/* Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2. */
|
||||||
return bn_rand_range_with_additional_data(out, 1, range, digest);
|
return bn_rand_range_with_additional_data(out, 1, range, digest);
|
||||||
|
Loading…
Reference in New Issue
Block a user