/src/openssl31/crypto/bn/bn_rand.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdio.h> |
11 | | #include <time.h> |
12 | | #include "internal/cryptlib.h" |
13 | | #include "crypto/rand.h" |
14 | | #include "bn_local.h" |
15 | | #include <openssl/rand.h> |
16 | | #include <openssl/sha.h> |
17 | | #include <openssl/evp.h> |
18 | | |
19 | | typedef enum bnrand_flag_e { |
20 | | NORMAL, TESTING, PRIVATE |
21 | | } BNRAND_FLAG; |
22 | | |
23 | | static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom, |
24 | | unsigned int strength, BN_CTX *ctx) |
25 | 485k | { |
26 | 485k | unsigned char *buf = NULL; |
27 | 485k | int b, ret = 0, bit, bytes, mask; |
28 | 485k | OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); |
29 | | |
30 | 485k | if (bits == 0) { |
31 | 0 | if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) |
32 | 0 | goto toosmall; |
33 | 0 | BN_zero(rnd); |
34 | 0 | return 1; |
35 | 0 | } |
36 | 485k | if (bits < 0 || (bits == 1 && top > 0)) |
37 | 0 | goto toosmall; |
38 | | |
39 | 485k | bytes = (bits + 7) / 8; |
40 | 485k | bit = (bits - 1) % 8; |
41 | 485k | mask = 0xff << (bit + 1); |
42 | | |
43 | 485k | buf = OPENSSL_malloc(bytes); |
44 | 485k | if (buf == NULL) { |
45 | 0 | ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); |
46 | 0 | goto err; |
47 | 0 | } |
48 | | |
49 | | /* make a random number and set the top and bottom bits */ |
50 | 485k | b = flag == NORMAL ? RAND_bytes_ex(libctx, buf, bytes, strength) |
51 | 485k | : RAND_priv_bytes_ex(libctx, buf, bytes, strength); |
52 | 485k | if (b <= 0) |
53 | 0 | goto err; |
54 | | |
55 | 485k | if (flag == TESTING) { |
56 | | /* |
57 | | * generate patterns that are more likely to trigger BN library bugs |
58 | | */ |
59 | 0 | int i; |
60 | 0 | unsigned char c; |
61 | |
|
62 | 0 | for (i = 0; i < bytes; i++) { |
63 | 0 | if (RAND_bytes_ex(libctx, &c, 1, strength) <= 0) |
64 | 0 | goto err; |
65 | 0 | if (c >= 128 && i > 0) |
66 | 0 | buf[i] = buf[i - 1]; |
67 | 0 | else if (c < 42) |
68 | 0 | buf[i] = 0; |
69 | 0 | else if (c < 84) |
70 | 0 | buf[i] = 255; |
71 | 0 | } |
72 | 0 | } |
73 | | |
74 | 485k | if (top >= 0) { |
75 | 275k | if (top) { |
76 | 0 | if (bit == 0) { |
77 | 0 | buf[0] = 1; |
78 | 0 | buf[1] |= 0x80; |
79 | 0 | } else { |
80 | 0 | buf[0] |= (3 << (bit - 1)); |
81 | 0 | } |
82 | 275k | } else { |
83 | 275k | buf[0] |= (1 << bit); |
84 | 275k | } |
85 | 275k | } |
86 | 485k | buf[0] &= ~mask; |
87 | 485k | if (bottom) /* set bottom bit if requested */ |
88 | 0 | buf[bytes - 1] |= 1; |
89 | 485k | if (!BN_bin2bn(buf, bytes, rnd)) |
90 | 0 | goto err; |
91 | 485k | ret = 1; |
92 | 485k | err: |
93 | 485k | OPENSSL_clear_free(buf, bytes); |
94 | 485k | bn_check_top(rnd); |
95 | 485k | return ret; |
96 | | |
97 | 0 | toosmall: |
98 | 0 | ERR_raise(ERR_LIB_BN, BN_R_BITS_TOO_SMALL); |
99 | 0 | return 0; |
100 | 485k | } |
101 | | |
102 | | int BN_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, |
103 | | unsigned int strength, BN_CTX *ctx) |
104 | 0 | { |
105 | 0 | return bnrand(NORMAL, rnd, bits, top, bottom, strength, ctx); |
106 | 0 | } |
107 | | #ifndef FIPS_MODULE |
108 | | int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) |
109 | 0 | { |
110 | 0 | return bnrand(NORMAL, rnd, bits, top, bottom, 0, NULL); |
111 | 0 | } |
112 | | |
113 | | int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) |
114 | 0 | { |
115 | 0 | return bnrand(TESTING, rnd, bits, top, bottom, 0, NULL); |
116 | 0 | } |
117 | | #endif |
118 | | |
119 | | int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, |
120 | | unsigned int strength, BN_CTX *ctx) |
121 | 399k | { |
122 | 399k | return bnrand(PRIVATE, rnd, bits, top, bottom, strength, ctx); |
123 | 399k | } |
124 | | |
125 | | #ifndef FIPS_MODULE |
126 | | int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom) |
127 | 0 | { |
128 | 0 | return bnrand(PRIVATE, rnd, bits, top, bottom, 0, NULL); |
129 | 0 | } |
130 | | #endif |
131 | | |
132 | | /* random number r: 0 <= r < range */ |
133 | | static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range, |
134 | | unsigned int strength, BN_CTX *ctx) |
135 | 86.4k | { |
136 | 86.4k | int n; |
137 | 86.4k | int count = 100; |
138 | | |
139 | 86.4k | if (r == NULL) { |
140 | 0 | ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); |
141 | 0 | return 0; |
142 | 0 | } |
143 | | |
144 | 86.4k | if (range->neg || BN_is_zero(range)) { |
145 | 0 | ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); |
146 | 0 | return 0; |
147 | 0 | } |
148 | | |
149 | 86.4k | n = BN_num_bits(range); /* n > 0 */ |
150 | | |
151 | | /* BN_is_bit_set(range, n - 1) always holds */ |
152 | | |
153 | 86.4k | if (n == 1) |
154 | 0 | BN_zero(r); |
155 | 86.4k | else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { |
156 | | /* |
157 | | * range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer |
158 | | * than range |
159 | | */ |
160 | 24.8k | do { |
161 | 24.8k | if (!bnrand(flag, r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, |
162 | 24.8k | strength, ctx)) |
163 | 0 | return 0; |
164 | | |
165 | | /* |
166 | | * If r < 3*range, use r := r MOD range (which is either r, r - |
167 | | * range, or r - 2*range). Otherwise, iterate once more. Since |
168 | | * 3*range = 11..._2, each iteration succeeds with probability >= |
169 | | * .75. |
170 | | */ |
171 | 24.8k | if (BN_cmp(r, range) >= 0) { |
172 | 11.1k | if (!BN_sub(r, r, range)) |
173 | 0 | return 0; |
174 | 11.1k | if (BN_cmp(r, range) >= 0) |
175 | 2.96k | if (!BN_sub(r, r, range)) |
176 | 0 | return 0; |
177 | 11.1k | } |
178 | | |
179 | 24.8k | if (!--count) { |
180 | 0 | ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); |
181 | 0 | return 0; |
182 | 0 | } |
183 | | |
184 | 24.8k | } |
185 | 24.8k | while (BN_cmp(r, range) >= 0); |
186 | 61.5k | } else { |
187 | 61.5k | do { |
188 | | /* range = 11..._2 or range = 101..._2 */ |
189 | 61.5k | if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, |
190 | 61.5k | strength, ctx)) |
191 | 0 | return 0; |
192 | | |
193 | 61.5k | if (!--count) { |
194 | 0 | ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); |
195 | 0 | return 0; |
196 | 0 | } |
197 | 61.5k | } |
198 | 61.5k | while (BN_cmp(r, range) >= 0); |
199 | 61.5k | } |
200 | | |
201 | 86.4k | bn_check_top(r); |
202 | 86.4k | return 1; |
203 | 86.4k | } |
204 | | |
205 | | int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength, |
206 | | BN_CTX *ctx) |
207 | 0 | { |
208 | 0 | return bnrand_range(NORMAL, r, range, strength, ctx); |
209 | 0 | } |
210 | | |
211 | | #ifndef FIPS_MODULE |
212 | | int BN_rand_range(BIGNUM *r, const BIGNUM *range) |
213 | 0 | { |
214 | 0 | return bnrand_range(NORMAL, r, range, 0, NULL); |
215 | 0 | } |
216 | | #endif |
217 | | |
218 | | int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength, |
219 | | BN_CTX *ctx) |
220 | 86.4k | { |
221 | 86.4k | return bnrand_range(PRIVATE, r, range, strength, ctx); |
222 | 86.4k | } |
223 | | |
224 | | #ifndef FIPS_MODULE |
225 | | int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) |
226 | 0 | { |
227 | 0 | return bnrand_range(PRIVATE, r, range, 0, NULL); |
228 | 0 | } |
229 | | |
230 | | # ifndef OPENSSL_NO_DEPRECATED_3_0 |
231 | | int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) |
232 | 0 | { |
233 | 0 | return BN_rand(rnd, bits, top, bottom); |
234 | 0 | } |
235 | | |
236 | | int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) |
237 | 0 | { |
238 | 0 | return BN_rand_range(r, range); |
239 | 0 | } |
240 | | # endif |
241 | | #endif |
242 | | |
243 | | int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range, |
244 | | unsigned int strength, BN_CTX *ctx) |
245 | 0 | { |
246 | 0 | int n; |
247 | 0 | int count = 100; |
248 | |
|
249 | 0 | if (r == NULL) { |
250 | 0 | ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); |
251 | 0 | return 0; |
252 | 0 | } |
253 | | |
254 | 0 | if (range->neg || BN_is_zero(range)) { |
255 | 0 | ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); |
256 | 0 | return 0; |
257 | 0 | } |
258 | | |
259 | 0 | n = BN_num_bits(range); /* n > 0 */ |
260 | | |
261 | | /* BN_is_bit_set(range, n - 1) always holds */ |
262 | |
|
263 | 0 | if (n == 1) { |
264 | 0 | BN_zero(r); |
265 | 0 | } else { |
266 | 0 | BN_set_flags(r, BN_FLG_CONSTTIME); |
267 | 0 | do { |
268 | 0 | if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, |
269 | 0 | strength, ctx)) |
270 | 0 | return 0; |
271 | | |
272 | 0 | if (!--count) { |
273 | 0 | ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); |
274 | 0 | return 0; |
275 | 0 | } |
276 | 0 | ossl_bn_mask_bits_fixed_top(r, n); |
277 | 0 | } |
278 | 0 | while (BN_ucmp(r, range) >= 0); |
279 | | #ifdef BN_DEBUG |
280 | | /* With BN_DEBUG on a fixed top number cannot be returned */ |
281 | | bn_correct_top(r); |
282 | | #endif |
283 | 0 | } |
284 | | |
285 | 0 | return 1; |
286 | 0 | } |
287 | | |
288 | | /* |
289 | | * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range. |
290 | | * Unlike BN_rand_range, it also includes the contents of |priv| and |message| |
291 | | * in the generation so that an RNG failure isn't fatal as long as |priv| |
292 | | * remains secret. This is intended for use in DSA and ECDSA where an RNG |
293 | | * weakness leads directly to private key exposure unless this function is |
294 | | * used. |
295 | | */ |
296 | | int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range, |
297 | | const BIGNUM *priv, |
298 | | const unsigned char *message, |
299 | | size_t message_len, BN_CTX *ctx) |
300 | 2.93k | { |
301 | 2.93k | EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); |
302 | | /* |
303 | | * We use 512 bits of random data per iteration to ensure that we have at |
304 | | * least |range| bits of randomness. |
305 | | */ |
306 | 2.93k | unsigned char random_bytes[64]; |
307 | 2.93k | unsigned char digest[SHA512_DIGEST_LENGTH]; |
308 | 2.93k | unsigned done, todo; |
309 | | /* We generate |range|+1 bytes of random output. */ |
310 | 2.93k | const unsigned num_k_bytes = BN_num_bytes(range) + 1; |
311 | 2.93k | unsigned char private_bytes[96]; |
312 | 2.93k | unsigned char *k_bytes = NULL; |
313 | 2.93k | const int max_n = 64; /* Pr(failure to generate) < 2^max_n */ |
314 | 2.93k | int n; |
315 | 2.93k | int ret = 0; |
316 | 2.93k | EVP_MD *md = NULL; |
317 | 2.93k | OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); |
318 | | |
319 | 2.93k | if (mdctx == NULL) |
320 | 0 | goto end; |
321 | | |
322 | 2.93k | k_bytes = OPENSSL_malloc(num_k_bytes); |
323 | 2.93k | if (k_bytes == NULL) |
324 | 0 | goto end; |
325 | | /* Ensure top byte is set to avoid non-constant time in bin2bn */ |
326 | 2.93k | k_bytes[0] = 0xff; |
327 | | |
328 | | /* We copy |priv| into a local buffer to avoid exposing its length. */ |
329 | 2.93k | if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { |
330 | | /* |
331 | | * No reasonable DSA or ECDSA key should have a private key this |
332 | | * large and we don't handle this case in order to avoid leaking the |
333 | | * length of the private key. |
334 | | */ |
335 | 0 | ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE); |
336 | 0 | goto end; |
337 | 0 | } |
338 | | |
339 | 2.93k | md = EVP_MD_fetch(libctx, "SHA512", NULL); |
340 | 2.93k | if (md == NULL) { |
341 | 0 | ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST); |
342 | 0 | goto end; |
343 | 0 | } |
344 | 2.93k | for (n = 0; n < max_n; n++) { |
345 | 2.93k | unsigned char i = 0; |
346 | | |
347 | 5.86k | for (done = 1; done < num_k_bytes;) { |
348 | 2.93k | if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), |
349 | 2.93k | 0) <= 0) |
350 | 0 | goto end; |
351 | | |
352 | 2.93k | if (!EVP_DigestInit_ex(mdctx, md, NULL) |
353 | 2.93k | || !EVP_DigestUpdate(mdctx, &i, sizeof(i)) |
354 | 2.93k | || !EVP_DigestUpdate(mdctx, private_bytes, |
355 | 2.93k | sizeof(private_bytes)) |
356 | 2.93k | || !EVP_DigestUpdate(mdctx, message, message_len) |
357 | 2.93k | || !EVP_DigestUpdate(mdctx, random_bytes, |
358 | 2.93k | sizeof(random_bytes)) |
359 | 2.93k | || !EVP_DigestFinal_ex(mdctx, digest, NULL)) |
360 | 0 | goto end; |
361 | | |
362 | 2.93k | todo = num_k_bytes - done; |
363 | 2.93k | if (todo > SHA512_DIGEST_LENGTH) |
364 | 0 | todo = SHA512_DIGEST_LENGTH; |
365 | 2.93k | memcpy(k_bytes + done, digest, todo); |
366 | 2.93k | done += todo; |
367 | 2.93k | ++i; |
368 | 2.93k | } |
369 | | |
370 | 2.93k | if (!BN_bin2bn(k_bytes, num_k_bytes, out)) |
371 | 0 | goto end; |
372 | | |
373 | | /* Clear out the top bits and rejection filter into range */ |
374 | 2.93k | BN_set_flags(out, BN_FLG_CONSTTIME); |
375 | 2.93k | ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range)); |
376 | | |
377 | 2.93k | if (BN_ucmp(out, range) < 0) { |
378 | 2.93k | ret = 1; |
379 | | #ifdef BN_DEBUG |
380 | | /* With BN_DEBUG on a fixed top number cannot be returned */ |
381 | | bn_correct_top(out); |
382 | | #endif |
383 | 2.93k | goto end; |
384 | 2.93k | } |
385 | 2.93k | } |
386 | | /* Failed to generate anything */ |
387 | 2.93k | ERR_raise(ERR_LIB_BN, ERR_R_INTERNAL_ERROR); |
388 | |
|
389 | 2.93k | end: |
390 | 2.93k | EVP_MD_CTX_free(mdctx); |
391 | 2.93k | EVP_MD_free(md); |
392 | 2.93k | OPENSSL_clear_free(k_bytes, num_k_bytes); |
393 | 2.93k | OPENSSL_cleanse(digest, sizeof(digest)); |
394 | 2.93k | OPENSSL_cleanse(random_bytes, sizeof(random_bytes)); |
395 | 2.93k | OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); |
396 | 2.93k | return ret; |
397 | 0 | } |
398 | | |
399 | | int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, |
400 | | const BIGNUM *priv, const unsigned char *message, |
401 | | size_t message_len, BN_CTX *ctx) |
402 | 0 | { |
403 | 0 | int ret; |
404 | |
|
405 | 0 | ret = ossl_bn_gen_dsa_nonce_fixed_top(out, range, priv, message, |
406 | 0 | message_len, ctx); |
407 | | /* |
408 | | * This call makes the BN_generate_dsa_nonce non-const-time, thus we |
409 | | * do not use it internally. But fixed_top BNs currently cannot be returned |
410 | | * from public API calls. |
411 | | */ |
412 | 0 | bn_correct_top(out); |
413 | 0 | return ret; |
414 | 0 | } |