1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <time.h> 12 #include "internal/cryptlib.h" 13 #include "bn_local.h" 14 #include <openssl/rand.h> 15 #include <openssl/sha.h> 16 17 typedef enum bnrand_flag_e { 18 NORMAL, TESTING, PRIVATE 19 } BNRAND_FLAG; 20 21 static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom) 22 { 23 unsigned char *buf = NULL; 24 int b, ret = 0, bit, bytes, mask; 25 26 if (bits == 0) { 27 if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) 28 goto toosmall; 29 BN_zero(rnd); 30 return 1; 31 } 32 if (bits < 0 || (bits == 1 && top > 0)) 33 goto toosmall; 34 35 bytes = (bits + 7) / 8; 36 bit = (bits - 1) % 8; 37 mask = 0xff << (bit + 1); 38 39 buf = OPENSSL_malloc(bytes); 40 if (buf == NULL) { 41 BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE); 42 goto err; 43 } 44 45 /* make a random number and set the top and bottom bits */ 46 b = flag == NORMAL ? RAND_bytes(buf, bytes) : RAND_priv_bytes(buf, bytes); 47 if (b <= 0) 48 goto err; 49 50 if (flag == TESTING) { 51 /* 52 * generate patterns that are more likely to trigger BN library bugs 53 */ 54 int i; 55 unsigned char c; 56 57 for (i = 0; i < bytes; i++) { 58 if (RAND_bytes(&c, 1) <= 0) 59 goto err; 60 if (c >= 128 && i > 0) 61 buf[i] = buf[i - 1]; 62 else if (c < 42) 63 buf[i] = 0; 64 else if (c < 84) 65 buf[i] = 255; 66 } 67 } 68 69 if (top >= 0) { 70 if (top) { 71 if (bit == 0) { 72 buf[0] = 1; 73 buf[1] |= 0x80; 74 } else { 75 buf[0] |= (3 << (bit - 1)); 76 } 77 } else { 78 buf[0] |= (1 << bit); 79 } 80 } 81 buf[0] &= ~mask; 82 if (bottom) /* set bottom bit if requested */ 83 buf[bytes - 1] |= 1; 84 if (!BN_bin2bn(buf, bytes, rnd)) 85 goto err; 86 ret = 1; 87 err: 88 OPENSSL_clear_free(buf, bytes); 89 bn_check_top(rnd); 90 return ret; 91 92 toosmall: 93 BNerr(BN_F_BNRAND, BN_R_BITS_TOO_SMALL); 94 return 0; 95 } 96 97 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) 98 { 99 return bnrand(NORMAL, rnd, bits, top, bottom); 100 } 101 102 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) 103 { 104 return bnrand(TESTING, rnd, bits, top, bottom); 105 } 106 107 int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom) 108 { 109 return bnrand(PRIVATE, rnd, bits, top, bottom); 110 } 111 112 /* random number r: 0 <= r < range */ 113 static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range) 114 { 115 int n; 116 int count = 100; 117 118 if (range->neg || BN_is_zero(range)) { 119 BNerr(BN_F_BNRAND_RANGE, BN_R_INVALID_RANGE); 120 return 0; 121 } 122 123 n = BN_num_bits(range); /* n > 0 */ 124 125 /* BN_is_bit_set(range, n - 1) always holds */ 126 127 if (n == 1) 128 BN_zero(r); 129 else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { 130 /* 131 * range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer 132 * than range 133 */ 134 do { 135 if (!bnrand(flag, r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) 136 return 0; 137 138 /* 139 * If r < 3*range, use r := r MOD range (which is either r, r - 140 * range, or r - 2*range). Otherwise, iterate once more. Since 141 * 3*range = 11..._2, each iteration succeeds with probability >= 142 * .75. 143 */ 144 if (BN_cmp(r, range) >= 0) { 145 if (!BN_sub(r, r, range)) 146 return 0; 147 if (BN_cmp(r, range) >= 0) 148 if (!BN_sub(r, r, range)) 149 return 0; 150 } 151 152 if (!--count) { 153 BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS); 154 return 0; 155 } 156 157 } 158 while (BN_cmp(r, range) >= 0); 159 } else { 160 do { 161 /* range = 11..._2 or range = 101..._2 */ 162 if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) 163 return 0; 164 165 if (!--count) { 166 BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS); 167 return 0; 168 } 169 } 170 while (BN_cmp(r, range) >= 0); 171 } 172 173 bn_check_top(r); 174 return 1; 175 } 176 177 int BN_rand_range(BIGNUM *r, const BIGNUM *range) 178 { 179 return bnrand_range(NORMAL, r, range); 180 } 181 182 int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) 183 { 184 return bnrand_range(PRIVATE, r, range); 185 } 186 187 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) 188 { 189 return BN_rand(rnd, bits, top, bottom); 190 } 191 192 int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) 193 { 194 return BN_rand_range(r, range); 195 } 196 197 /* 198 * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike 199 * BN_rand_range, it also includes the contents of |priv| and |message| in 200 * the generation so that an RNG failure isn't fatal as long as |priv| 201 * remains secret. This is intended for use in DSA and ECDSA where an RNG 202 * weakness leads directly to private key exposure unless this function is 203 * used. 204 */ 205 int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, 206 const BIGNUM *priv, const unsigned char *message, 207 size_t message_len, BN_CTX *ctx) 208 { 209 SHA512_CTX sha; 210 /* 211 * We use 512 bits of random data per iteration to ensure that we have at 212 * least |range| bits of randomness. 213 */ 214 unsigned char random_bytes[64]; 215 unsigned char digest[SHA512_DIGEST_LENGTH]; 216 unsigned done, todo; 217 /* We generate |range|+8 bytes of random output. */ 218 const unsigned num_k_bytes = BN_num_bytes(range) + 8; 219 unsigned char private_bytes[96]; 220 unsigned char *k_bytes; 221 int ret = 0; 222 223 k_bytes = OPENSSL_malloc(num_k_bytes); 224 if (k_bytes == NULL) 225 goto err; 226 227 /* We copy |priv| into a local buffer to avoid exposing its length. */ 228 if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { 229 /* 230 * No reasonable DSA or ECDSA key should have a private key this 231 * large and we don't handle this case in order to avoid leaking the 232 * length of the private key. 233 */ 234 BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); 235 goto err; 236 } 237 238 for (done = 0; done < num_k_bytes;) { 239 if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1) 240 goto err; 241 SHA512_Init(&sha); 242 SHA512_Update(&sha, &done, sizeof(done)); 243 SHA512_Update(&sha, private_bytes, sizeof(private_bytes)); 244 SHA512_Update(&sha, message, message_len); 245 SHA512_Update(&sha, random_bytes, sizeof(random_bytes)); 246 SHA512_Final(digest, &sha); 247 248 todo = num_k_bytes - done; 249 if (todo > SHA512_DIGEST_LENGTH) 250 todo = SHA512_DIGEST_LENGTH; 251 memcpy(k_bytes + done, digest, todo); 252 done += todo; 253 } 254 255 if (!BN_bin2bn(k_bytes, num_k_bytes, out)) 256 goto err; 257 if (BN_mod(out, out, range, ctx) != 1) 258 goto err; 259 ret = 1; 260 261 err: 262 OPENSSL_free(k_bytes); 263 OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); 264 return ret; 265 } 266