Switch BN_generate_dsa_nonce's hash back to SHA-512/256.

SHA-512 is faster to calculate on 64-bit systems and that's what we were
using before. (Though, realistically, this doesn't show up at all.)

Change-Id: Id4f386ca0b5645a863b36405eef03bc62d0f29b3
Reviewed-on: https://boringssl-review.googlesource.com/16006
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/fipsmodule/bn/random.c b/crypto/fipsmodule/bn/random.c
index 97f9bc2..8aa40cf 100644
--- a/crypto/fipsmodule/bn/random.c
+++ b/crypto/fipsmodule/bn/random.c
@@ -270,16 +270,16 @@
   OPENSSL_memcpy(private_bytes, priv->d, todo);
   OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
 
-  /* Pass a SHA256 hash of the private key and message as additional data into
+  /* Pass a SHA512 hash of the private key and message as additional data into
    * the RBG. This is a hardening measure against entropy failure. */
-  OPENSSL_COMPILE_ASSERT(SHA256_DIGEST_LENGTH == 32,
-                         additional_data_is_different_size_from_sha256);
-  SHA256_CTX sha;
-  uint8_t digest[SHA256_DIGEST_LENGTH];
-  SHA256_Init(&sha);
-  SHA256_Update(&sha, private_bytes, sizeof(private_bytes));
-  SHA256_Update(&sha, message, message_len);
-  SHA256_Final(digest, &sha);
+  OPENSSL_COMPILE_ASSERT(SHA512_DIGEST_LENGTH >= 32,
+                         additional_data_is_too_large_for_sha512);
+  SHA512_CTX sha;
+  uint8_t digest[SHA512_DIGEST_LENGTH];
+  SHA512_Init(&sha);
+  SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
+  SHA512_Update(&sha, message, message_len);
+  SHA512_Final(digest, &sha);
 
   /* Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2. */
   return bn_rand_range_with_additional_data(out, 1, range, digest);
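Review bot: the updated comment at the top of the hunk still says only that a "SHA512 hash" is passed in, but `digest` is `SHA512_DIGEST_LENGTH` (64) bytes and `bn_rand_range_with_additional_data` is handed that buffer for a 32-byte additional-data input, so only the first 32 bytes of the SHA-512 output are actually used; the compile-time assert `SHA512_DIGEST_LENGTH >= 32` is what makes that truncation safe, yet nothing in the code says so. Consider extending the comment to state the truncation explicitly, e.g. "Only the first 32 bytes of the SHA-512 digest are used as additional data", and note that this is plain SHA-512 truncated to 256 bits rather than the SHA-512/256 variant with its own initial values (the commit title reads "SHA-512/256"), so a future reader does not try to "fix" it by switching to `SHA512_256_*`. Separately, the hunk's last visible line returns directly from the function while `private_bytes` and `digest`, both derived from the private key, are still live on the stack; if the surrounding function does not already clear them, an `OPENSSL_cleanse` of both before the return would be consistent with the hardening intent stated in the comment.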