DSA and NR require certain parameters (which depend on the randomly

choosen nonce) not be 0. Previously it would just check and throw an
exception if this was the case. Change to generate a new nonce and
retry if this happens.

1 files changed, 12 insertions, 9 deletions

diff --git a/src/pubkey/dsa/dsa.cpp b/src/pubkey/dsa/dsa.cpp
index feac712b8..d1f721084 100644
--- a/src/pubkey/dsa/dsa.cpp
+++ b/src/pubkey/dsa/dsa.cpp
@@ -9,6 +9,8 @@
 #include <botan/numthry.h>
 #include <botan/keypair.h>
 
+#include <stdio.h>
+
 namespace Botan {
 
 /*
@@ -90,18 +92,19 @@ DSA_Signature_Operation::sign(const byte msg[], u32bit msg_len,
    {
    rng.add_entropy(msg, msg_len);
 
-   BigInt k;
-   do
-      k.randomize(rng, q.bits());
-   while(k >= q);
-
    BigInt i(msg, msg_len);
+   BigInt r = 0, s = 0;
 
-   BigInt r = mod_q.reduce(powermod_g_p(k));
-   BigInt s = mod_q.multiply(inverse_mod(k, q), mul_add(x, r, i));
+   while(r == 0 || s == 0)
+      {
+      BigInt k;
+      do
+         k.randomize(rng, q.bits());
+      while(k >= q);
 
-   if(r.is_zero() || s.is_zero())
-      throw Internal_Error("DSA signature gen failure: r or s was zero");
+      r = mod_q.reduce(powermod_g_p(k));
+      s = mod_q.multiply(inverse_mod(k, q), mul_add(x, r, i));
+      }
 
    SecureVector<byte> output(2*q.bytes());
    r.binary_encode(output + (output.size() / 2 - r.bytes()));