Commit ddc6a5c8 authored by Rich Salz's avatar Rich Salz
Browse files

Add RAND_priv_bytes() for private keys 



Add a new global DRBG for private keys used by RAND_priv_bytes.

Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)
parent ae3947de

crypto/bn/bn_err.c

+1 −0
Original line number Diff line number Diff line
@@ -15,6 +15,7 @@ 


static const ERR_STRING_DATA BN_str_functs[] = {

    {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND, 0), "bnrand"},

    {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND_RANGE, 0), "bnrand_range"},

    {ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CONVERT_EX, 0),

     "BN_BLINDING_convert_ex"},

    {ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CREATE_PARAM, 0),

crypto/bn/bn_gf2m.c

+1 −1
Original line number Diff line number Diff line
@@ -1077,7 +1077,7 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[], 
        if (tmp == NULL)

            goto err;

        do {

            if (!BN_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

            if (!BN_priv_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

                goto err;

            if (!BN_GF2m_mod_arr(rho, rho, p))

                goto err;

crypto/bn/bn_prime.c

+4 −4
Original line number Diff line number Diff line
@@ -216,7 +216,7 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, 
        goto err;



    for (i = 0; i < checks; i++) {

        if (!BN_rand_range(check, A1))

        if (!BN_priv_rand_range(check, A1))

            goto err;

        if (!BN_add_word(check, 1))

            goto err;
@@ -279,7 +279,7 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) 
    char is_single_word = bits <= BN_BITS2;



 again:

    if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))

    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))

        return (0);

    /* we now have a random number 'rnd' to test. */

    for (i = 1; i < NUMPRIMES; i++) {
@@ -363,7 +363,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits, 
    if ((t1 = BN_CTX_get(ctx)) == NULL)

        goto err;



    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))

    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))

        goto err;



    /* we need ((rnd-rem) % add) == 0 */
@@ -419,7 +419,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, 
    if (!BN_rshift1(qadd, padd))

        goto err;



    if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))

    if (!BN_priv_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))

        goto err;



    /* we need ((rnd-rem) % add) == 0 */

crypto/bn/bn_rand.c

+35 −12
Original line number Diff line number Diff line
@@ -14,10 +14,14 @@ 
#include <openssl/rand.h>

#include <openssl/sha.h>



static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom)

typedef enum bnrand_flag_e {

    NORMAL, TESTING, PRIVATE

} BNRAND_FLAG;



static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom)

{

    unsigned char *buf = NULL;

    int ret = 0, bit, bytes, mask;

    int b, ret = 0, bit, bytes, mask;



    if (bits == 0) {

        if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY)
@@ -39,10 +43,11 @@ static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom) 
    }



    /* make a random number and set the top and bottom bits */

    if (RAND_bytes(buf, bytes) <= 0)

    b = flag == NORMAL ? RAND_bytes(buf, bytes) : RAND_priv_bytes(buf, bytes);

    if (b <= 0)

        goto err;



    if (testing) {

    if (flag == TESTING) {

        /*

         * generate patterns that are more likely to trigger BN library bugs

         */
@@ -91,22 +96,27 @@ toosmall: 


int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)

{

    return bnrand(0, rnd, bits, top, bottom);

    return bnrand(NORMAL, rnd, bits, top, bottom);

}



int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)

{

    return bnrand(1, rnd, bits, top, bottom);

    return bnrand(TESTING, rnd, bits, top, bottom);

}



int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom)

{

    return bnrand(PRIVATE, rnd, bits, top, bottom);

}



/* random number r:  0 <= r < range */

int BN_rand_range(BIGNUM *r, const BIGNUM *range)

static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range)

{

    int n;

    int b, n;

    int count = 100;



    if (range->neg || BN_is_zero(range)) {

        BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);

        BNerr(BN_F_BNRAND_RANGE, BN_R_INVALID_RANGE);

        return 0;

    }
@@ -122,7 +132,10 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) 
         * than range

         */

        do {

            if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))

            b = flag == NORMAL

                ? BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)

                : BN_priv_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY);

            if (!b)

                return 0;

            /*

             * If r < 3*range, use r := r MOD range (which is either r, r -
@@ -139,7 +152,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) 
            }



            if (!--count) {

                BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);

                BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS);

                return 0;

            }
@@ -152,7 +165,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) 
                return 0;



            if (!--count) {

                BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);

                BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS);

                return 0;

            }

        }
@@ -163,6 +176,16 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) 
    return 1;

}



int BN_rand_range(BIGNUM *r, const BIGNUM *range)

{

    return bnrand_range(NORMAL, r, range);

}



int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range)

{

    return bnrand_range(PRIVATE, r, range);

}



int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)

{

    return BN_rand(rnd, bits, top, bottom);

crypto/bn/bn_x931p.c

+4 −4
Original line number Diff line number Diff line
@@ -173,7 +173,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) 
     * - 1. By setting the top two bits we ensure that the lower bound is

     * exceeded.

     */

    if (!BN_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))

    if (!BN_priv_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))

        goto err;



    BN_CTX_start(ctx);
@@ -182,7 +182,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) 
        goto err;



    for (i = 0; i < 1000; i++) {

        if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))

        if (!BN_priv_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))

            goto err;

        /* Check that |Xp - Xq| > 2^(nbits - 100) */

        BN_sub(t, Xp, Xq);
@@ -225,9 +225,9 @@ int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, 
    if (Xp1 == NULL || Xp2 == NULL)

        goto error;



    if (!BN_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

    if (!BN_priv_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

        goto error;

    if (!BN_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

    if (!BN_priv_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

        goto error;

    if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))

        goto error;