1/* 2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <time.h> 12#include "internal/cryptlib.h" 13#include "crypto/rand.h" 14#include "bn_local.h" 15#include <openssl/rand.h> 16#include <openssl/sha.h> 17#include <openssl/evp.h> 18 19typedef enum bnrand_flag_e { 20 NORMAL, TESTING, PRIVATE 21} BNRAND_FLAG; 22 23static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom, 24 unsigned int strength, BN_CTX *ctx) 25{ 26 unsigned char *buf = NULL; 27 int b, ret = 0, bit, bytes, mask; 28 OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); 29 30 if (bits == 0) { 31 if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) 32 goto toosmall; 33 BN_zero(rnd); 34 return 1; 35 } 36 if (bits < 0 || (bits == 1 && top > 0)) 37 goto toosmall; 38 39 bytes = (bits + 7) / 8; 40 bit = (bits - 1) % 8; 41 mask = 0xff << (bit + 1); 42 43 buf = OPENSSL_malloc(bytes); 44 if (buf == NULL) { 45 ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); 46 goto err; 47 } 48 49 /* make a random number and set the top and bottom bits */ 50 b = flag == NORMAL ? RAND_bytes_ex(libctx, buf, bytes, strength) 51 : RAND_priv_bytes_ex(libctx, buf, bytes, strength); 52 if (b <= 0) 53 goto err; 54 55 if (flag == TESTING) { 56 /* 57 * generate patterns that are more likely to trigger BN library bugs 58 */ 59 int i; 60 unsigned char c; 61 62 for (i = 0; i < bytes; i++) { 63 if (RAND_bytes_ex(libctx, &c, 1, strength) <= 0) 64 goto err; 65 if (c >= 128 && i > 0) 66 buf[i] = buf[i - 1]; 67 else if (c < 42) 68 buf[i] = 0; 69 else if (c < 84) 70 buf[i] = 255; 71 } 72 } 73 74 if (top >= 0) { 75 if (top) { 76 if (bit == 0) { 77 buf[0] = 1; 78 buf[1] |= 0x80; 79 } else { 80 buf[0] |= (3 << (bit - 1)); 81 } 82 } else { 83 buf[0] |= (1 << bit); 84 } 85 } 86 buf[0] &= ~mask; 87 if (bottom) /* set bottom bit if requested */ 88 buf[bytes - 1] |= 1; 89 if (!BN_bin2bn(buf, bytes, rnd)) 90 goto err; 91 ret = 1; 92 err: 93 OPENSSL_clear_free(buf, bytes); 94 bn_check_top(rnd); 95 return ret; 96 97toosmall: 98 ERR_raise(ERR_LIB_BN, BN_R_BITS_TOO_SMALL); 99 return 0; 100} 101 102int BN_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, 103 unsigned int strength, BN_CTX *ctx) 104{ 105 return bnrand(NORMAL, rnd, bits, top, bottom, strength, ctx); 106} 107#ifndef FIPS_MODULE 108int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) 109{ 110 return bnrand(NORMAL, rnd, bits, top, bottom, 0, NULL); 111} 112 113int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) 114{ 115 return bnrand(TESTING, rnd, bits, top, bottom, 0, NULL); 116} 117#endif 118 119int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, 120 unsigned int strength, BN_CTX *ctx) 121{ 122 return bnrand(PRIVATE, rnd, bits, top, bottom, strength, ctx); 123} 124 125#ifndef FIPS_MODULE 126int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom) 127{ 128 return bnrand(PRIVATE, rnd, bits, top, bottom, 0, NULL); 129} 130#endif 131 132/* random number r: 0 <= r < range */ 133static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range, 134 unsigned int strength, BN_CTX *ctx) 135{ 136 int n; 137 int count = 100; 138 139 if (r == NULL) { 140 ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); 141 return 0; 142 } 143 144 if (range->neg || BN_is_zero(range)) { 145 ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); 146 return 0; 147 } 148 149 n = BN_num_bits(range); /* n > 0 */ 150 151 /* BN_is_bit_set(range, n - 1) always holds */ 152 153 if (n == 1) 154 BN_zero(r); 155 else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { 156 /* 157 * range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer 158 * than range 159 */ 160 do { 161 if (!bnrand(flag, r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 162 strength, ctx)) 163 return 0; 164 165 /* 166 * If r < 3*range, use r := r MOD range (which is either r, r - 167 * range, or r - 2*range). Otherwise, iterate once more. Since 168 * 3*range = 11..._2, each iteration succeeds with probability >= 169 * .75. 170 */ 171 if (BN_cmp(r, range) >= 0) { 172 if (!BN_sub(r, r, range)) 173 return 0; 174 if (BN_cmp(r, range) >= 0) 175 if (!BN_sub(r, r, range)) 176 return 0; 177 } 178 179 if (!--count) { 180 ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); 181 return 0; 182 } 183 184 } 185 while (BN_cmp(r, range) >= 0); 186 } else { 187 do { 188 /* range = 11..._2 or range = 101..._2 */ 189 if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, 190 ctx)) 191 return 0; 192 193 if (!--count) { 194 ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); 195 return 0; 196 } 197 } 198 while (BN_cmp(r, range) >= 0); 199 } 200 201 bn_check_top(r); 202 return 1; 203} 204 205int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength, 206 BN_CTX *ctx) 207{ 208 return bnrand_range(NORMAL, r, range, strength, ctx); 209} 210 211#ifndef FIPS_MODULE 212int BN_rand_range(BIGNUM *r, const BIGNUM *range) 213{ 214 return bnrand_range(NORMAL, r, range, 0, NULL); 215} 216#endif 217 218int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength, 219 BN_CTX *ctx) 220{ 221 return bnrand_range(PRIVATE, r, range, strength, ctx); 222} 223 224#ifndef FIPS_MODULE 225int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) 226{ 227 return bnrand_range(PRIVATE, r, range, 0, NULL); 228} 229 230# ifndef OPENSSL_NO_DEPRECATED_3_0 231int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) 232{ 233 return BN_rand(rnd, bits, top, bottom); 234} 235 236int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) 237{ 238 return BN_rand_range(r, range); 239} 240# endif 241#endif 242 243/* 244 * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike 245 * BN_rand_range, it also includes the contents of |priv| and |message| in 246 * the generation so that an RNG failure isn't fatal as long as |priv| 247 * remains secret. This is intended for use in DSA and ECDSA where an RNG 248 * weakness leads directly to private key exposure unless this function is 249 * used. 250 */ 251int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, 252 const BIGNUM *priv, const unsigned char *message, 253 size_t message_len, BN_CTX *ctx) 254{ 255 EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); 256 /* 257 * We use 512 bits of random data per iteration to ensure that we have at 258 * least |range| bits of randomness. 259 */ 260 unsigned char random_bytes[64]; 261 unsigned char digest[SHA512_DIGEST_LENGTH]; 262 unsigned done, todo; 263 /* We generate |range|+8 bytes of random output. */ 264 const unsigned num_k_bytes = BN_num_bytes(range) + 8; 265 unsigned char private_bytes[96]; 266 unsigned char *k_bytes = NULL; 267 int ret = 0; 268 EVP_MD *md = NULL; 269 OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); 270 271 if (mdctx == NULL) 272 goto err; 273 274 k_bytes = OPENSSL_malloc(num_k_bytes); 275 if (k_bytes == NULL) 276 goto err; 277 278 /* We copy |priv| into a local buffer to avoid exposing its length. */ 279 if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { 280 /* 281 * No reasonable DSA or ECDSA key should have a private key this 282 * large and we don't handle this case in order to avoid leaking the 283 * length of the private key. 284 */ 285 ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE); 286 goto err; 287 } 288 289 md = EVP_MD_fetch(libctx, "SHA512", NULL); 290 if (md == NULL) { 291 ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST); 292 goto err; 293 } 294 for (done = 0; done < num_k_bytes;) { 295 if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0) 296 goto err; 297 298 if (!EVP_DigestInit_ex(mdctx, md, NULL) 299 || !EVP_DigestUpdate(mdctx, &done, sizeof(done)) 300 || !EVP_DigestUpdate(mdctx, private_bytes, 301 sizeof(private_bytes)) 302 || !EVP_DigestUpdate(mdctx, message, message_len) 303 || !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes)) 304 || !EVP_DigestFinal_ex(mdctx, digest, NULL)) 305 goto err; 306 307 todo = num_k_bytes - done; 308 if (todo > SHA512_DIGEST_LENGTH) 309 todo = SHA512_DIGEST_LENGTH; 310 memcpy(k_bytes + done, digest, todo); 311 done += todo; 312 } 313 314 if (!BN_bin2bn(k_bytes, num_k_bytes, out)) 315 goto err; 316 if (BN_mod(out, out, range, ctx) != 1) 317 goto err; 318 ret = 1; 319 320 err: 321 EVP_MD_CTX_free(mdctx); 322 EVP_MD_free(md); 323 OPENSSL_clear_free(k_bytes, num_k_bytes); 324 OPENSSL_cleanse(digest, sizeof(digest)); 325 OPENSSL_cleanse(random_bytes, sizeof(random_bytes)); 326 OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); 327 return ret; 328} 329