Merge pull request #2376 from SparkiDev/dsa_sign

Generate k for DSA signature as per FIPS 186-4 B.2.2

wolfcrypt/src/dsa.c

@@ -663,7 +663,8 @@ int wc_DsaExportKeyRaw(DsaKey* dsa, byte* x, word32* xSz, byte* y, word32* ySz)
 int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
 {
     mp_int  k, kInv, r, s, H;
-    int    ret, sz;
+    mp_int* qMinus1;
+    int     ret = 0, sz;
     byte    buffer[DSA_HALF_SIZE];
     byte*   tmp;  /* initial output pointer */
 
@@ -677,25 +678,35 @@ int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
 
     if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
         return MP_INIT_E;
+    qMinus1 = &kInv;
 
+    /* NIST FIPS 186-4: B.2.2
+     * Per-Message Secret Number Generation by Testing Candidates
+     * Generate k in range [1, q-1].
+     *   Check that k is less than q-1: range [0, q-2].
+     *   Add 1 to k: range [1, q-1].
+     */
+    if (mp_sub_d(&key->q, 1, qMinus1))
+        ret = MP_SUB_E;
+
+    if (ret == 0) {
         do {
-        /* generate k */
+            /* Step 4: generate k */
             ret = wc_RNG_GenerateBlock(rng, buffer, sz);
-        if (ret != 0)
-            return ret;
 
-        buffer[0] |= 0x0C;
+            /* Step 5 */
-
+            if (ret == 0 && mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
-        if (mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
                 ret = MP_READ_E;
 
-        /* k is a random numnber and it should be less than q
+            /* k is a random numnber and it should be less than q-1
              * if k greater than repeat
              */
-    } while (mp_cmp(&k, &key->q) != MP_LT);
+        /* Step 6 */
-
+        } while (ret == 0 && mp_cmp(&k, qMinus1) != MP_LT);
-    if (ret == 0 && mp_cmp_d(&k, 1) != MP_GT)
+    }
-        ret = MP_CMP_E;
+    /* Step 7 */
+    if (ret == 0 && mp_add_d(&k, 1, &k) != MP_OKAY)
+        ret = MP_MOD_E;
 
     /* inverse k mod q */
     if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)