/src/boringssl/crypto/fipsmodule/bn/random.cc.inc

Source
// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/bn.h>

#include <assert.h>
#include <limits.h>
#include <string.h>

#include <openssl/err.h>

#include "../../internal.h"
#include "../bcm_interface.h"
#include "../service_indicator/internal.h"
#include "internal.h"


using namespace bssl;

int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
  if (rnd == nullptr) {
    return 0;
  }

  if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
      top != BN_RAND_TOP_TWO) {
    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

  if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

  if (bits == 0) {
    BN_zero(rnd);
    return 1;
  }

  if (bits > INT_MAX - (BN_BITS2 - 1)) {
    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
    return 0;
  }

  int words = (bits + BN_BITS2 - 1) / BN_BITS2;
  int bit = (bits - 1) % BN_BITS2;
  const BN_ULONG kOne = 1;
  const BN_ULONG kThree = 3;
  BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;
  if (!bn_wexpand(rnd, words)) {
    return 0;
  }

  FIPS_service_indicator_lock_state();
  BCM_rand_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
  FIPS_service_indicator_unlock_state();

  rnd->d[words - 1] &= mask;
  if (top != BN_RAND_TOP_ANY) {
    if (top == BN_RAND_TOP_TWO && bits > 1) {
      if (bit == 0) {
        rnd->d[words - 1] |= 1;
        rnd->d[words - 2] |= kOne << (BN_BITS2 - 1);
      } else {
        rnd->d[words - 1] |= kThree << (bit - 1);
      }
    } else {
      rnd->d[words - 1] |= kOne << bit;
    }
  }
  if (bottom == BN_RAND_BOTTOM_ODD) {
    rnd->d[0] |= 1;
  }

  rnd->neg = 0;
  rnd->width = words;
  return 1;
}

int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
  return BN_rand(rnd, bits, top, bottom);
}

// bn_less_than_word_mask returns a mask of all ones if the number represented
// by |len| words at |a| is less than |b| and zero otherwise. It performs this
// computation in time independent of the value of |a|. |b| is assumed public.
static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,
                                            BN_ULONG b) {
  if (b == 0) {
    return CONSTTIME_FALSE_W;
  }
  if (len == 0) {
    return CONSTTIME_TRUE_W;
  }

  // |a| < |b| iff a[1..len-1] are all zero and a[0] < b.
  static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
                "crypto_word_t is too small");
  crypto_word_t mask = 0;
  for (size_t i = 1; i < len; i++) {
    mask |= a[i];
  }
  // |mask| is now zero iff a[1..len-1] are all zero.
  mask = constant_time_is_zero_w(mask);
  mask &= constant_time_lt_w(a[0], b);
  return mask;
}

int bssl::bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,
                            const BN_ULONG *max_exclusive, size_t len) {
  crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);
  return mask & bn_less_than_words(a, max_exclusive, len);
}

static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask,
                            size_t min_inclusive, const BN_ULONG *max_exclusive,
                            size_t len) {
  // The magnitude of |max_exclusive| is assumed public.
  size_t words = len;
  while (words > 0 && max_exclusive[words - 1] == 0) {
    words--;
  }
  if (words == 0 || (words == 1 && max_exclusive[0] <= min_inclusive)) {
    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
    return 0;
  }
  BN_ULONG mask = max_exclusive[words - 1];
  // This sets all bits in |mask| below the most significant bit.
  mask |= mask >> 1;
  mask |= mask >> 2;
  mask |= mask >> 4;
  mask |= mask >> 8;
  mask |= mask >> 16;
#if defined(OPENSSL_64_BIT)
  mask |= mask >> 32;
#endif

  *out_words = words;
  *out_mask = mask;
  return 1;
}

int bssl::bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
                              const BN_ULONG *max_exclusive, size_t len,
                              const uint8_t additional_data[32]) {
  // This function implements the equivalent of steps 1 through 4 of FIPS 186-5
  // appendices A.2.2 and A.3.2, repeating the process on failure. When called
  // in those contexts, |max_exclusive| is n and |min_inclusive| is one.

  // Compute the bit length of |max_exclusive| (step 1), in terms of a number of
  // |words| worth of entropy to fill and a mask of bits to clear in the top
  // word.
  size_t words;
  BN_ULONG mask;
  if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {
    return 0;
  }

  // Fill any unused words with zero.
  OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));

  unsigned count = 100;
  do {
    if (!--count) {
      OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
      return 0;
    }

    // Use |words| and |mask| together to obtain a string of N bits, where N is
    // the bit length of |max_exclusive|.
    FIPS_service_indicator_lock_state();
    BCM_rand_bytes_with_additional_data(
        (uint8_t *)out, words * sizeof(BN_ULONG), additional_data);
    FIPS_service_indicator_unlock_state();
    out[words - 1] &= mask;

    // If out >= max_exclusive or out < min_inclusive, retry. The result of this
    // comparison may be treated as public. It only reveals how many attempts
    // were needed before we found a value in range. This is independent of the
    // final secret output, and has a distribution that depends only on
    // |min_inclusive| and |max_exclusive|, both of which are public.
  } while (!constant_time_declassify_int(
      bn_in_range_words(out, min_inclusive, max_exclusive, words)));
  return 1;
}

int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
                     const BIGNUM *max_exclusive) {
  static const uint8_t kDefaultAdditionalData[32] = {0};
  if (!bn_wexpand(r, max_exclusive->width) ||
      !bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,
                           max_exclusive->width, kDefaultAdditionalData)) {
    return 0;
  }

  r->neg = 0;
  r->width = max_exclusive->width;
  return 1;
}

int bssl::bn_rand_secret_range(BIGNUM *r, int *out_is_uniform,
                               BN_ULONG min_inclusive,
                               const BIGNUM *max_exclusive) {
  size_t words;
  BN_ULONG mask;
  if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,
                        max_exclusive->width) ||
      !bn_wexpand(r, words)) {
    return 0;
  }

  assert(words > 0);
  assert(mask != 0);
  // The range must be large enough for bit tricks to fix invalid values.
  if (words == 1 && min_inclusive > mask >> 1) {
    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
    return 0;
  }

  // Select a uniform random number with num_bits(max_exclusive) bits.
  FIPS_service_indicator_lock_state();
  BCM_rand_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
  FIPS_service_indicator_unlock_state();
  r->d[words - 1] &= mask;

  // Check, in constant-time, if the value is in range.
  *out_is_uniform =
      bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);
  crypto_word_t in_range = *out_is_uniform;
  in_range = 0 - in_range;

  // If the value is not in range, force it to be in range.
  r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);
  r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
  declassify_assert(
      bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));

  r->neg = 0;
  r->width = (int)words;
  return 1;
}

int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
  return BN_rand_range_ex(r, 0, range);
}

int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {
  return BN_rand_range(r, range);
}

Coverage Report

Created: 2026-02-16 07:12

Line	Count	Source
1		// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/bn.h>
16
17		#include <assert.h>
18		#include <limits.h>
19		#include <string.h>
20
21		#include <openssl/err.h>
22
23		#include "../../internal.h"
24		#include "../bcm_interface.h"
25		#include "../service_indicator/internal.h"
26		#include "internal.h"
27
28
29		using namespace bssl;
30
31	0	int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
32	0	if (rnd == nullptr) {
33	0	return 0;
34	0	}
35
36	0	if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
37	0	top != BN_RAND_TOP_TWO) {
38	0	OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
39	0	return 0;
40	0	}
41
42	0	if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
43	0	OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
44	0	return 0;
45	0	}
46
47	0	if (bits == 0) {
48	0	BN_zero(rnd);
49	0	return 1;
50	0	}
51
52	0	if (bits > INT_MAX - (BN_BITS2 - 1)) {
53	0	OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
54	0	return 0;
55	0	}
56
57	0	int words = (bits + BN_BITS2 - 1) / BN_BITS2;
58	0	int bit = (bits - 1) % BN_BITS2;
59	0	const BN_ULONG kOne = 1;
60	0	const BN_ULONG kThree = 3;
61	0	BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;
62	0	if (!bn_wexpand(rnd, words)) {
63	0	return 0;
64	0	}
65
66	0	FIPS_service_indicator_lock_state();
67	0	BCM_rand_bytes((uint8_t )rnd->d, words sizeof(BN_ULONG));
68	0	FIPS_service_indicator_unlock_state();
69
70	0	rnd->d[words - 1] &= mask;
71	0	if (top != BN_RAND_TOP_ANY) {
72	0	if (top == BN_RAND_TOP_TWO && bits > 1) {
73	0	if (bit == 0) {
74	0	rnd->d[words - 1] \|= 1;
75	0	rnd->d[words - 2] \|= kOne << (BN_BITS2 - 1);
76	0	} else {
77	0	rnd->d[words - 1] \|= kThree << (bit - 1);
78	0	}
79	0	} else {
80	0	rnd->d[words - 1] \|= kOne << bit;
81	0	}
82	0	}
83	0	if (bottom == BN_RAND_BOTTOM_ODD) {
84	0	rnd->d[0] \|= 1;
85	0	}
86
87	0	rnd->neg = 0;
88	0	rnd->width = words;
89	0	return 1;
90	0	}
91
92	0	int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
93	0	return BN_rand(rnd, bits, top, bottom);
94	0	}
95
96		// bn_less_than_word_mask returns a mask of all ones if the number represented
97		// by \|len\| words at \|a\| is less than \|b\| and zero otherwise. It performs this
98		// computation in time independent of the value of \|a\|. \|b\| is assumed public.
99		static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,
100	17.4k	BN_ULONG b) {
101	17.4k	if (b == 0) {
102	0	return CONSTTIME_FALSE_W;
103	0	}
104	17.4k	if (len == 0) {
105	0	return CONSTTIME_TRUE_W;
106	0	}
107
108		// \|a\| < \|b\| iff a[1..len-1] are all zero and a[0] < b.
109	17.4k	static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
110	17.4k	"crypto_word_t is too small");
111	17.4k	crypto_word_t mask = 0;
112	98.6k	for (size_t i = 1; i < len; i++) {
113	81.1k	mask \|= a[i];
114	81.1k	}
115		// \|mask\| is now zero iff a[1..len-1] are all zero.
116	17.4k	mask = constant_time_is_zero_w(mask);
117	17.4k	mask &= constant_time_lt_w(a[0], b);
118	17.4k	return mask;
119	17.4k	}
120
121		int bssl::bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,
122	17.4k	const BN_ULONG *max_exclusive, size_t len) {
123	17.4k	crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);
124	17.4k	return mask & bn_less_than_words(a, max_exclusive, len);
125	17.4k	}
126
127		static int bn_range_to_mask(size_t out_words, BN_ULONG out_mask,
128		size_t min_inclusive, const BN_ULONG *max_exclusive,
129	17.4k	size_t len) {
130		// The magnitude of \|max_exclusive\| is assumed public.
131	17.4k	size_t words = len;
132	17.4k	while (words > 0 && max_exclusive[words - 1] == 0) {
133	0	words--;
134	0	}
135	17.4k	if (words == 0 \|\| (words == 1 && max_exclusive[0] <= min_inclusive)) {
136	0	OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
137	0	return 0;
138	0	}
139	17.4k	BN_ULONG mask = max_exclusive[words - 1];
140		// This sets all bits in \|mask\| below the most significant bit.
141	17.4k	mask \|= mask >> 1;
142	17.4k	mask \|= mask >> 2;
143	17.4k	mask \|= mask >> 4;
144	17.4k	mask \|= mask >> 8;
145	17.4k	mask \|= mask >> 16;
146	17.4k	#if defined(OPENSSL_64_BIT)
147	17.4k	mask \|= mask >> 32;
148	17.4k	#endif
149
150	17.4k	*out_words = words;
151	17.4k	*out_mask = mask;
152	17.4k	return 1;
153	17.4k	}
154
155		int bssl::bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
156		const BN_ULONG *max_exclusive, size_t len,
157	17.4k	const uint8_t additional_data[32]) {
158		// This function implements the equivalent of steps 1 through 4 of FIPS 186-5
159		// appendices A.2.2 and A.3.2, repeating the process on failure. When called
160		// in those contexts, \|max_exclusive\| is n and \|min_inclusive\| is one.
161
162		// Compute the bit length of \|max_exclusive\| (step 1), in terms of a number of
163		// \|words\| worth of entropy to fill and a mask of bits to clear in the top
164		// word.
165	17.4k	size_t words;
166	17.4k	BN_ULONG mask;
167	17.4k	if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {
168	0	return 0;
169	0	}
170
171		// Fill any unused words with zero.
172	17.4k	OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));
173
174	17.4k	unsigned count = 100;
175	17.4k	do {
176	17.4k	if (!--count) {
177	0	OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
178	0	return 0;
179	0	}
180
181		// Use \|words\| and \|mask\| together to obtain a string of N bits, where N is
182		// the bit length of \|max_exclusive\|.
183	17.4k	FIPS_service_indicator_lock_state();
184	17.4k	BCM_rand_bytes_with_additional_data(
185	17.4k	(uint8_t )out, words sizeof(BN_ULONG), additional_data);
186	17.4k	FIPS_service_indicator_unlock_state();
187	17.4k	out[words - 1] &= mask;
188
189		// If out >= max_exclusive or out < min_inclusive, retry. The result of this
190		// comparison may be treated as public. It only reveals how many attempts
191		// were needed before we found a value in range. This is independent of the
192		// final secret output, and has a distribution that depends only on
193		// \|min_inclusive\| and \|max_exclusive\|, both of which are public.
194	17.4k	} while (!constant_time_declassify_int(
195	17.4k	bn_in_range_words(out, min_inclusive, max_exclusive, words)));
196	17.4k	return 1;
197	17.4k	}
198
199		int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
200	16.9k	const BIGNUM *max_exclusive) {
201	16.9k	static const uint8_t kDefaultAdditionalData[32] = {0};
202	16.9k	if (!bn_wexpand(r, max_exclusive->width) \|\|
203	16.9k	!bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,
204	16.9k	max_exclusive->width, kDefaultAdditionalData)) {
205	0	return 0;
206	0	}
207
208	16.9k	r->neg = 0;
209	16.9k	r->width = max_exclusive->width;
210	16.9k	return 1;
211	16.9k	}
212
213		int bssl::bn_rand_secret_range(BIGNUM r, int out_is_uniform,
214		BN_ULONG min_inclusive,
215	0	const BIGNUM *max_exclusive) {
216	0	size_t words;
217	0	BN_ULONG mask;
218	0	if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,
219	0	max_exclusive->width) \|\|
220	0	!bn_wexpand(r, words)) {
221	0	return 0;
222	0	}
223
224	0	assert(words > 0);
225	0	assert(mask != 0);
226		// The range must be large enough for bit tricks to fix invalid values.
227	0	if (words == 1 && min_inclusive > mask >> 1) {
228	0	OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
229	0	return 0;
230	0	}
231
232		// Select a uniform random number with num_bits(max_exclusive) bits.
233	0	FIPS_service_indicator_lock_state();
234	0	BCM_rand_bytes((uint8_t )r->d, words sizeof(BN_ULONG));
235	0	FIPS_service_indicator_unlock_state();
236	0	r->d[words - 1] &= mask;
237
238		// Check, in constant-time, if the value is in range.
239	0	*out_is_uniform =
240	0	bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);
241	0	crypto_word_t in_range = *out_is_uniform;
242	0	in_range = 0 - in_range;
243
244		// If the value is not in range, force it to be in range.
245	0	r->d[0] \|= constant_time_select_w(in_range, 0, min_inclusive);
246	0	r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
247	0	declassify_assert(
248	0	bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
249
250	0	r->neg = 0;
251	0	r->width = (int)words;
252	0	return 1;
253	0	}
254
255	0	int BN_rand_range(BIGNUM r, const BIGNUM range) {
256	0	return BN_rand_range_ex(r, 0, range);
257	0	}
258
259	0	int BN_pseudo_rand_range(BIGNUM r, const BIGNUM range) {
260	0	return BN_rand_range(r, range);
261	0	}