Externalize the state of a RFC 6979 nonce computation.

This lets you amortize quite a few memory allocations (RNG, various
BigInts, etc) over many nonce generations.

Change generate_rfc6979_nonce to just instantiate one of these states,
call the function once, and return. This doesn't have any additional
overhead versus the previous implementation of this function.

Fix HMAC_DRBG to correctly reset its state to its starting position
when you call clear() on it.

1 files changed, 23 insertions, 1 deletions

diff --git a/src/lib/pubkey/rfc6979/rfc6979.h b/src/lib/pubkey/rfc6979/rfc6979.h
index 8e2940578..5b3dee8ef 100644
--- a/src/lib/pubkey/rfc6979/rfc6979.h
+++ b/src/lib/pubkey/rfc6979/rfc6979.h
@@ -1,6 +1,6 @@
 /*
 * RFC 6979 Deterministic Nonce Generator
-* (C) 2014 Jack Lloyd
+* (C) 2014,2015 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
@@ -10,9 +10,31 @@
 
 #include <botan/bigint.h>
 #include <string>
+#include <memory>
 
 namespace Botan {
 
+class RandomNumberGenerator;
+
+class BOTAN_DLL RFC6979_Nonce_Generator
+   {
+   public:
+      /**
+      * Note: keeps persistent reference to order
+      */
+      RFC6979_Nonce_Generator(const std::string& hash,
+                              const BigInt& order,
+                              const BigInt& x);
+
+      const BigInt& nonce_for(const BigInt& m);
+   private:
+      const BigInt& m_order;
+      BigInt m_k;
+      size_t m_qlen, m_rlen;
+      std::unique_ptr<RandomNumberGenerator> m_hmac_drbg;
+      secure_vector<byte> m_rng_in, m_rng_out;
+   };
+
 /**
 * @param x the secret (EC)DSA key
 * @param q the group order