suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OP-01-020 Missing check in DSA signature generation (Medium). Add check and repeat until r and s not equal to 0.

Browse Source
This commit is contained in:
Thomas Oberndörfer 2014-03-21 16:45:19 +01:00
parent 93ca8b62fe
commit 04680a67cd
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/crypto/public_key/dsa.js
View File

@ -42,9 +42,20 @@ function DSA() {
// directly in the DSA signature algorithm.
var hashed_data = util.getLeftNBits(hashModule.digest(hashalgo, m), q.bitLength());
var hash = new BigInteger(util.hexstrdump(hashed_data), 16);
var k = random.getRandomBigIntegerInRange(BigInteger.ONE.add(BigInteger.ONE), q.subtract(BigInteger.ONE));
var s1 = (g.modPow(k, p)).mod(q);
var s2 = (k.modInverse(q).multiply(hash.add(x.multiply(s1)))).mod(q);
// FIPS-186-4, section 4.6:
// The values of r and s shall be checked to determine if r = 0 or s = 0.
// If either r = 0 or s = 0, a new value of k shall be generated, and the
// signature shall be recalculated. It is extremely unlikely that r = 0
// or s = 0 if signatures are generated properly.
var k, s1, s2;
while (true) {
k = random.getRandomBigIntegerInRange(BigInteger.ONE.add(BigInteger.ONE), q.subtract(BigInteger.ONE));
s1 = (g.modPow(k, p)).mod(q);
s2 = (k.modInverse(q).multiply(hash.add(x.multiply(s1)))).mod(q);
if (s1 != 0 && s2 != 0) {
break;
}
}
var result = [];
result[0] = s1.toMPI();
result[1] = s2.toMPI();