/src/boringssl/crypto/fipsmodule/bn/random.cc.inc

Source (jump to first uncovered line)
// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/bn.h>

#include <assert.h>
#include <limits.h>
#include <string.h>

#include <openssl/err.h>

#include "../../internal.h"
#include "../bcm_interface.h"
#include "../service_indicator/internal.h"
#include "internal.h"


int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
  if (rnd == NULL) {
    return 0;
  }

  if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
      top != BN_RAND_TOP_TWO) {
    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

  if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

  if (bits == 0) {
    BN_zero(rnd);
    return 1;
  }

  if (bits > INT_MAX - (BN_BITS2 - 1)) {
    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
    return 0;
  }

  int words = (bits + BN_BITS2 - 1) / BN_BITS2;
  int bit = (bits - 1) % BN_BITS2;
  const BN_ULONG kOne = 1;
  const BN_ULONG kThree = 3;
  BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;
  if (!bn_wexpand(rnd, words)) {
    return 0;
  }

  FIPS_service_indicator_lock_state();
  BCM_rand_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
  FIPS_service_indicator_unlock_state();

  rnd->d[words - 1] &= mask;
  if (top != BN_RAND_TOP_ANY) {
    if (top == BN_RAND_TOP_TWO && bits > 1) {
      if (bit == 0) {
        rnd->d[words - 1] |= 1;
        rnd->d[words - 2] |= kOne << (BN_BITS2 - 1);
      } else {
        rnd->d[words - 1] |= kThree << (bit - 1);
      }
    } else {
      rnd->d[words - 1] |= kOne << bit;
    }
  }
  if (bottom == BN_RAND_BOTTOM_ODD) {
    rnd->d[0] |= 1;
  }

  rnd->neg = 0;
  rnd->width = words;
  return 1;
}

int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
  return BN_rand(rnd, bits, top, bottom);
}

// bn_less_than_word_mask returns a mask of all ones if the number represented
// by |len| words at |a| is less than |b| and zero otherwise. It performs this
// computation in time independent of the value of |a|. |b| is assumed public.
static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,
                                            BN_ULONG b) {
  if (b == 0) {
    return CONSTTIME_FALSE_W;
  }
  if (len == 0) {
    return CONSTTIME_TRUE_W;
  }

  // |a| < |b| iff a[1..len-1] are all zero and a[0] < b.
  static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
                "crypto_word_t is too small");
  crypto_word_t mask = 0;
  for (size_t i = 1; i < len; i++) {
    mask |= a[i];
  }
  // |mask| is now zero iff a[1..len-1] are all zero.
  mask = constant_time_is_zero_w(mask);
  mask &= constant_time_lt_w(a[0], b);
  return mask;
}

int bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,
                      const BN_ULONG *max_exclusive, size_t len) {
  crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);
  return mask & bn_less_than_words(a, max_exclusive, len);
}

static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask,
                            size_t min_inclusive, const BN_ULONG *max_exclusive,
                            size_t len) {
  // The magnitude of |max_exclusive| is assumed public.
  size_t words = len;
  while (words > 0 && max_exclusive[words - 1] == 0) {
    words--;
  }
  if (words == 0 || (words == 1 && max_exclusive[0] <= min_inclusive)) {
    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
    return 0;
  }
  BN_ULONG mask = max_exclusive[words - 1];
  // This sets all bits in |mask| below the most significant bit.
  mask |= mask >> 1;
  mask |= mask >> 2;
  mask |= mask >> 4;
  mask |= mask >> 8;
  mask |= mask >> 16;
#if defined(OPENSSL_64_BIT)
  mask |= mask >> 32;
#endif

  *out_words = words;
  *out_mask = mask;
  return 1;
}

int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
                        const BN_ULONG *max_exclusive, size_t len,
                        const uint8_t additional_data[32]) {
  // This function implements the equivalent of steps 4 through 7 of FIPS 186-4
  // appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
  // is n and |min_inclusive| is one.

  // Compute the bit length of |max_exclusive| (step 1), in terms of a number of
  // |words| worth of entropy to fill and a mask of bits to clear in the top
  // word.
  size_t words;
  BN_ULONG mask;
  if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {
    return 0;
  }

  // Fill any unused words with zero.
  OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));

  unsigned count = 100;
  do {
    if (!--count) {
      OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
      return 0;
    }

    // Steps 4 and 5. Use |words| and |mask| together to obtain a string of N
    // bits, where N is the bit length of |max_exclusive|.
    FIPS_service_indicator_lock_state();
    BCM_rand_bytes_with_additional_data(
        (uint8_t *)out, words * sizeof(BN_ULONG), additional_data);
    FIPS_service_indicator_unlock_state();
    out[words - 1] &= mask;

    // If out >= max_exclusive or out < min_inclusive, retry. This implements
    // the equivalent of steps 6 and 7 without leaking the value of |out|. The
    // result of this comparison may be treated as public. It only reveals how
    // many attempts were needed before we found a value in range. This is
    // independent of the final secret output, and has a distribution that
    // depends only on |min_inclusive| and |max_exclusive|, both of which are
    // public.
  } while (!constant_time_declassify_int(
      bn_in_range_words(out, min_inclusive, max_exclusive, words)));
  return 1;
}

int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
                     const BIGNUM *max_exclusive) {
  static const uint8_t kDefaultAdditionalData[32] = {0};
  if (!bn_wexpand(r, max_exclusive->width) ||
      !bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,
                           max_exclusive->width, kDefaultAdditionalData)) {
    return 0;
  }

  r->neg = 0;
  r->width = max_exclusive->width;
  return 1;
}

int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
                         const BIGNUM *max_exclusive) {
  size_t words;
  BN_ULONG mask;
  if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,
                        max_exclusive->width) ||
      !bn_wexpand(r, words)) {
    return 0;
  }

  assert(words > 0);
  assert(mask != 0);
  // The range must be large enough for bit tricks to fix invalid values.
  if (words == 1 && min_inclusive > mask >> 1) {
    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
    return 0;
  }

  // Select a uniform random number with num_bits(max_exclusive) bits.
  FIPS_service_indicator_lock_state();
  BCM_rand_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
  FIPS_service_indicator_unlock_state();
  r->d[words - 1] &= mask;

  // Check, in constant-time, if the value is in range.
  *out_is_uniform =
      bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);
  crypto_word_t in_range = *out_is_uniform;
  in_range = 0 - in_range;

  // If the value is not in range, force it to be in range.
  r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);
  r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
  declassify_assert(
      bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));

  r->neg = 0;
  r->width = (int)words;
  return 1;
}

int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
  return BN_rand_range_ex(r, 0, range);
}

int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {
  return BN_rand_range(r, range);
}

Coverage Report

Created: 2025-06-11 06:41

Line	Count	Source (jump to first uncovered line)
1		// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/bn.h>
16
17		#include <assert.h>
18		#include <limits.h>
19		#include <string.h>
20
21		#include <openssl/err.h>
22
23		#include "../../internal.h"
24		#include "../bcm_interface.h"
25		#include "../service_indicator/internal.h"
26		#include "internal.h"
27
28
29	0	int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
30	0	if (rnd == NULL) {
31	0	return 0;
32	0	}
33
34	0	if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
35	0	top != BN_RAND_TOP_TWO) {
36	0	OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
37	0	return 0;
38	0	}
39
40	0	if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
41	0	OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
42	0	return 0;
43	0	}
44
45	0	if (bits == 0) {
46	0	BN_zero(rnd);
47	0	return 1;
48	0	}
49
50	0	if (bits > INT_MAX - (BN_BITS2 - 1)) {
51	0	OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
52	0	return 0;
53	0	}
54
55	0	int words = (bits + BN_BITS2 - 1) / BN_BITS2;
56	0	int bit = (bits - 1) % BN_BITS2;
57	0	const BN_ULONG kOne = 1;
58	0	const BN_ULONG kThree = 3;
59	0	BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;
60	0	if (!bn_wexpand(rnd, words)) {
61	0	return 0;
62	0	}
63
64	0	FIPS_service_indicator_lock_state();
65	0	BCM_rand_bytes((uint8_t )rnd->d, words sizeof(BN_ULONG));
66	0	FIPS_service_indicator_unlock_state();
67
68	0	rnd->d[words - 1] &= mask;
69	0	if (top != BN_RAND_TOP_ANY) {
70	0	if (top == BN_RAND_TOP_TWO && bits > 1) {
71	0	if (bit == 0) {
72	0	rnd->d[words - 1] \|= 1;
73	0	rnd->d[words - 2] \|= kOne << (BN_BITS2 - 1);
74	0	} else {
75	0	rnd->d[words - 1] \|= kThree << (bit - 1);
76	0	}
77	0	} else {
78	0	rnd->d[words - 1] \|= kOne << bit;
79	0	}
80	0	}
81	0	if (bottom == BN_RAND_BOTTOM_ODD) {
82	0	rnd->d[0] \|= 1;
83	0	}
84
85	0	rnd->neg = 0;
86	0	rnd->width = words;
87	0	return 1;
88	0	}
89
90	0	int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
91	0	return BN_rand(rnd, bits, top, bottom);
92	0	}
93
94		// bn_less_than_word_mask returns a mask of all ones if the number represented
95		// by \|len\| words at \|a\| is less than \|b\| and zero otherwise. It performs this
96		// computation in time independent of the value of \|a\|. \|b\| is assumed public.
97		static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,
98	36.7k	BN_ULONG b) {
99	36.7k	if (b == 0) {
100	0	return CONSTTIME_FALSE_W;
101	0	}
102	36.7k	if (len == 0) {
103	0	return CONSTTIME_TRUE_W;
104	0	}
105
106		// \|a\| < \|b\| iff a[1..len-1] are all zero and a[0] < b.
107	36.7k	static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
108	36.7k	"crypto_word_t is too small");
109	36.7k	crypto_word_t mask = 0;
110	289k	for (size_t i = 1; i < len; i++) {
111	252k	mask \|= a[i];
112	252k	}
113		// \|mask\| is now zero iff a[1..len-1] are all zero.
114	36.7k	mask = constant_time_is_zero_w(mask);
115	36.7k	mask &= constant_time_lt_w(a[0], b);
116	36.7k	return mask;
117	36.7k	}
118
119		int bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,
120	36.7k	const BN_ULONG *max_exclusive, size_t len) {
121	36.7k	crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);
122	36.7k	return mask & bn_less_than_words(a, max_exclusive, len);
123	36.7k	}
124
125		static int bn_range_to_mask(size_t out_words, BN_ULONG out_mask,
126		size_t min_inclusive, const BN_ULONG *max_exclusive,
127	36.1k	size_t len) {
128		// The magnitude of \|max_exclusive\| is assumed public.
129	36.1k	size_t words = len;
130	36.1k	while (words > 0 && max_exclusive[words - 1] == 0) {
131	0	words--;
132	0	}
133	36.1k	if (words == 0 \|\| (words == 1 && max_exclusive[0] <= min_inclusive)) {
134	0	OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
135	0	return 0;
136	0	}
137	36.1k	BN_ULONG mask = max_exclusive[words - 1];
138		// This sets all bits in \|mask\| below the most significant bit.
139	36.1k	mask \|= mask >> 1;
140	36.1k	mask \|= mask >> 2;
141	36.1k	mask \|= mask >> 4;
142	36.1k	mask \|= mask >> 8;
143	36.1k	mask \|= mask >> 16;
144	36.1k	#if defined(OPENSSL_64_BIT)
145	36.1k	mask \|= mask >> 32;
146	36.1k	#endif
147
148	36.1k	*out_words = words;
149	36.1k	*out_mask = mask;
150	36.1k	return 1;
151	36.1k	}
152
153		int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
154		const BN_ULONG *max_exclusive, size_t len,
155	36.1k	const uint8_t additional_data[32]) {
156		// This function implements the equivalent of steps 4 through 7 of FIPS 186-4
157		// appendices B.4.2 and B.5.2. When called in those contexts, \|max_exclusive\|
158		// is n and \|min_inclusive\| is one.
159
160		// Compute the bit length of \|max_exclusive\| (step 1), in terms of a number of
161		// \|words\| worth of entropy to fill and a mask of bits to clear in the top
162		// word.
163	36.1k	size_t words;
164	36.1k	BN_ULONG mask;
165	36.1k	if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {
166	0	return 0;
167	0	}
168
169		// Fill any unused words with zero.
170	36.1k	OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));
171
172	36.1k	unsigned count = 100;
173	36.7k	do {
174	36.7k	if (!--count) {
175	0	OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
176	0	return 0;
177	0	}
178
179		// Steps 4 and 5. Use \|words\| and \|mask\| together to obtain a string of N
180		// bits, where N is the bit length of \|max_exclusive\|.
181	36.7k	FIPS_service_indicator_lock_state();
182	36.7k	BCM_rand_bytes_with_additional_data(
183	36.7k	(uint8_t )out, words sizeof(BN_ULONG), additional_data);
184	36.7k	FIPS_service_indicator_unlock_state();
185	36.7k	out[words - 1] &= mask;
186
187		// If out >= max_exclusive or out < min_inclusive, retry. This implements
188		// the equivalent of steps 6 and 7 without leaking the value of \|out\|. The
189		// result of this comparison may be treated as public. It only reveals how
190		// many attempts were needed before we found a value in range. This is
191		// independent of the final secret output, and has a distribution that
192		// depends only on \|min_inclusive\| and \|max_exclusive\|, both of which are
193		// public.
194	36.7k	} while (!constant_time_declassify_int(
195	36.7k	bn_in_range_words(out, min_inclusive, max_exclusive, words)));
196	36.1k	return 1;
197	36.1k	}
198
199		int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
200	36.0k	const BIGNUM *max_exclusive) {
201	36.0k	static const uint8_t kDefaultAdditionalData[32] = {0};
202	36.0k	if (!bn_wexpand(r, max_exclusive->width) \|\|
203	36.0k	!bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,
204	36.0k	max_exclusive->width, kDefaultAdditionalData)) {
205	0	return 0;
206	0	}
207
208	36.0k	r->neg = 0;
209	36.0k	r->width = max_exclusive->width;
210	36.0k	return 1;
211	36.0k	}
212
213		int bn_rand_secret_range(BIGNUM r, int out_is_uniform, BN_ULONG min_inclusive,
214	0	const BIGNUM *max_exclusive) {
215	0	size_t words;
216	0	BN_ULONG mask;
217	0	if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,
218	0	max_exclusive->width) \|\|
219	0	!bn_wexpand(r, words)) {
220	0	return 0;
221	0	}
222
223	0	assert(words > 0);
224	0	assert(mask != 0);
225		// The range must be large enough for bit tricks to fix invalid values.
226	0	if (words == 1 && min_inclusive > mask >> 1) {
227	0	OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
228	0	return 0;
229	0	}
230
231		// Select a uniform random number with num_bits(max_exclusive) bits.
232	0	FIPS_service_indicator_lock_state();
233	0	BCM_rand_bytes((uint8_t )r->d, words sizeof(BN_ULONG));
234	0	FIPS_service_indicator_unlock_state();
235	0	r->d[words - 1] &= mask;
236
237		// Check, in constant-time, if the value is in range.
238	0	*out_is_uniform =
239	0	bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);
240	0	crypto_word_t in_range = *out_is_uniform;
241	0	in_range = 0 - in_range;
242
243		// If the value is not in range, force it to be in range.
244	0	r->d[0] \|= constant_time_select_w(in_range, 0, min_inclusive);
245	0	r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
246	0	declassify_assert(
247	0	bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
248
249	0	r->neg = 0;
250	0	r->width = (int)words;
251	0	return 1;
252	0	}
253
254	0	int BN_rand_range(BIGNUM r, const BIGNUM range) {
255	0	return BN_rand_range_ex(r, 0, range);
256	0	}
257
258	0	int BN_pseudo_rand_range(BIGNUM r, const BIGNUM range) {
259	0	return BN_rand_range(r, range);
260	0	}