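/*
 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include "crypto/rand.h"
#include "bn_local.h"
#include <openssl/rand.h>
#include <openssl/sha.h>
#include <openssl/evp.h>

/*
 * Selects which random source bnrand() fills the buffer from:
 *   NORMAL  - RAND_bytes_ex()
 *   TESTING - RAND_priv_bytes_ex(), after which the bytes are rewritten into
 *             patterns that are more likely to trigger BN library bugs
 *   PRIVATE - RAND_priv_bytes_ex()
 */
typedef enum bnrand_flag_e {
    NORMAL, TESTING, PRIVATE
} BNRAND_FLAG;

/*
 * Generate a random number of |bits| bits into |rnd|.
 *
 * |top| controls the most significant bits of the result:
 *   < 0  (BN_RAND_TOP_ANY) the top bits are left as drawn,
 *   == 0 (BN_RAND_TOP_ONE) the most significant bit is forced to 1,
 *   > 0  (BN_RAND_TOP_TWO) the two most significant bits are forced to 1.
 * A non-zero |bottom| (BN_RAND_BOTTOM_ODD) forces the least significant bit
 * to 1. |strength| is handed to the RNG as the requested security strength;
 * |ctx| is only used to locate the library context.
 *
 * |bits| == 0 is accepted only together with BN_RAND_TOP_ANY and
 * BN_RAND_BOTTOM_ANY and yields zero. |bits| == 1 cannot satisfy a two-bit
 * top request.
 *
 * Returns 1 on success and 0 on failure. Invalid sizes raise
 * BN_R_BITS_TOO_SMALL, allocation failure raises ERR_R_MALLOC_FAILURE.
 */
static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom,
                  unsigned int strength, BN_CTX *ctx)
{
    unsigned char *buf = NULL;
    int b, ret = 0, bit, bytes, mask;
    OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);

    if (bits == 0) {
        if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY)
            goto toosmall;
        BN_zero(rnd);
        return 1;
    }
    if (bits < 0 || (bits == 1 && top > 0))
        goto toosmall;

    /*
     * |bit| is the position of the most significant requested bit inside
     * buf[0]; |mask| covers the bits of buf[0] above it, which must end up
     * clear so that the result has at most |bits| bits.
     */
    bytes = (bits + 7) / 8;
    bit = (bits - 1) % 8;
    mask = 0xff << (bit + 1);

    buf = OPENSSL_malloc(bytes);
    if (buf == NULL) {
        ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* make a random number and set the top and bottom bits */
    b = flag == NORMAL ? RAND_bytes_ex(libctx, buf, bytes, strength)
                       : RAND_priv_bytes_ex(libctx, buf, bytes, strength);
    if (b <= 0)
        goto err;

    if (flag == TESTING) {
        /*
         * generate patterns that are more likely to trigger BN library bugs
         */
        int i;
        unsigned char c;

        for (i = 0; i < bytes; i++) {
            if (RAND_bytes_ex(libctx, &c, 1, strength) <= 0)
                goto err;
            if (c >= 128 && i > 0)
                buf[i] = buf[i - 1];
            else if (c < 42)
                buf[i] = 0;
            else if (c < 84)
                buf[i] = 255;
        }
    }

    if (top >= 0) {
        if (top) {
            if (bit == 0) {
                /*
                 * The top bit is the lowest bit of buf[0], so the second
                 * bit lives in buf[1]. bits == 1 was rejected above, hence
                 * bytes >= 2 here.
                 */
                buf[0] = 1;
                buf[1] |= 0x80;
            } else {
                buf[0] |= (3 << (bit - 1));
            }
        } else {
            buf[0] |= (1 << bit);
        }
    }
    /* drop any drawn bits above the requested width */
    buf[0] &= ~mask;
    if (bottom)                 /* set bottom bit if requested */
        buf[bytes - 1] |= 1;
    if (!BN_bin2bn(buf, bytes, rnd))
        goto err;
    ret = 1;
 err:
    /* the buffer may hold key material; wipe before freeing */
    OPENSSL_clear_free(buf, bytes);
    bn_check_top(rnd);
    return ret;

toosmall:
    ERR_raise(ERR_LIB_BN, BN_R_BITS_TOO_SMALL);
    return 0;
}

/* Public entry point: random number from RAND_bytes_ex() with |strength|. */
int BN_rand_ex(BIGNUM *rnd, int bits, int top, int bottom,
               unsigned int strength, BN_CTX *ctx)
{
    return bnrand(NORMAL, rnd, bits, top, bottom, strength, ctx);
}
#ifndef FIPS_MODULE
/* Legacy form of BN_rand_ex(): default library context, no strength. */
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
    return bnrand(NORMAL, rnd, bits, top, bottom, 0, NULL);
}

/* Test-only variant producing bug-provoking bit patterns (see TESTING). */
int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
    return bnrand(TESTING, rnd, bits, top, bottom, 0, NULL);
}
#endif

/* As BN_rand_ex() but drawn from RAND_priv_bytes_ex(). */
int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom,
                    unsigned int strength, BN_CTX *ctx)
{
    return bnrand(PRIVATE, rnd, bits, top, bottom, strength, ctx);
}

#ifndef FIPS_MODULE
/* Legacy form of BN_priv_rand_ex(): default library context, no strength. */
int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
    return bnrand(PRIVATE, rnd, bits, top, bottom, 0, NULL);
}
#endif

/*
 * random number r:  0 <= r < range
 *
 * |range| must be positive; |r| must be non-NULL. The candidate is drawn with
 * bnrand() using |flag| and |strength| and retried (rejection sampling) until
 * it is below |range|, for at most 100 attempts, after which
 * BN_R_TOO_MANY_ITERATIONS is raised.
 *
 * Returns 1 on success, 0 on failure with an error queued.
 */
static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range,
                        unsigned int strength, BN_CTX *ctx)
{
    int n;
    int count = 100;

    if (r == NULL) {
        ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }

    if (range->neg || BN_is_zero(range)) {
        ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE);
        return 0;
    }

    n = BN_num_bits(range);     /* n > 0 */

    /* BN_is_bit_set(range, n - 1) always holds */

    if (n == 1)
        BN_zero(r);             /* range == 1, so 0 is the only value */
    else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) {
        /*
         * range = 100..._2,
         * so  3*range (= 11..._2)  is exactly one bit longer than  range
         */
        do {
            if (!bnrand(flag, r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
                        strength, ctx))
                return 0;

            /*
             * If  r < 3*range,  use  r := r MOD range
             * (which is either  r, r - range,  or  r - 2*range).
             * Otherwise, iterate once more.
             * Since  3*range = 11..._2, each iteration succeeds with
             * probability >= .75.
             */
            if (BN_cmp(r, range) >= 0) {
                if (!BN_sub(r, r, range))
                    return 0;
                if (BN_cmp(r, range) >= 0)
                    if (!BN_sub(r, r, range))
                        return 0;
            }

            if (!--count) {
                ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS);
                return 0;
            }

        }
        while (BN_cmp(r, range) >= 0);
    } else {
        do {
            /*
             * range = 11..._2  or  range = 101..._2
             *
             * The caller's |strength| is forwarded here exactly as in the
             * branch above, so the requested RNG security strength applies
             * regardless of the shape of |range|.
             */
            if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
                        strength, ctx))
                return 0;

            if (!--count) {
                ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS);
                return 0;
            }
        }
        while (BN_cmp(r, range) >= 0);
    }

    bn_check_top(r);
    return 1;
}

/* Public entry point: 0 <= r < range, drawn from RAND_bytes_ex(). */
int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength,
                     BN_CTX *ctx)
{
    return bnrand_range(NORMAL, r, range, strength, ctx);
}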
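#ifndef FIPS_MODULE
/* Legacy form of BN_rand_range_ex(): default library context, no strength. */
int BN_rand_range(BIGNUM *r, const BIGNUM *range)
{
    return bnrand_range(NORMAL, r, range, 0, NULL);
}
#endif

/* As BN_rand_range_ex() but drawn from RAND_priv_bytes_ex(). */
int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength,
                          BN_CTX *ctx)
{
    return bnrand_range(PRIVATE, r, range, strength, ctx);
}

#ifndef FIPS_MODULE
/* Legacy form of BN_priv_rand_range_ex(): default library context, no strength. */
int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range)
{
    return bnrand_range(PRIVATE, r, range, 0, NULL);
}

# ifndef OPENSSL_NO_DEPRECATED_3_0
/* Deprecated alias: identical to BN_rand(). */
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
    return BN_rand(rnd, bits, top, bottom);
}

/* Deprecated alias: identical to BN_rand_range(). */
int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
{
    return BN_rand_range(r, range);
}
# endif
#endif

/*
 * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
 * BN_rand_range, it also includes the contents of |priv| and |message| in
 * the generation so that an RNG failure isn't fatal as long as |priv|
 * remains secret. This is intended for use in DSA and ECDSA where an RNG
 * weakness leads directly to private key exposure unless this function is
 * used.
 *
 * Each 64-byte chunk of output is SHA512(counter || priv || message ||
 * fresh random bytes); |range|+8 bytes are collected and reduced mod
 * |range|. |priv| must fit in 96 bytes, otherwise BN_R_PRIVATE_KEY_TOO_LARGE
 * is raised. |ctx| is used for BN_mod() and to locate the library context.
 *
 * Returns 1 on success, 0 on failure. All intermediate buffers are wiped
 * before returning.
 */
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
                          const BIGNUM *priv, const unsigned char *message,
                          size_t message_len, BN_CTX *ctx)
{
    EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
    /*
     * We use 512 bits of random data per iteration to ensure that we have at
     * least |range| bits of randomness.
     */
    unsigned char random_bytes[64];
    unsigned char digest[SHA512_DIGEST_LENGTH];
    unsigned done, todo;
    /*
     * We generate |range|+8 bytes of random output. The 8 extra bytes
     * presumably keep the bias of the final BN_mod() reduction negligible.
     */
    const unsigned num_k_bytes = BN_num_bytes(range) + 8;
    unsigned char private_bytes[96];
    unsigned char *k_bytes = NULL;
    int ret = 0;
    EVP_MD *md = NULL;
    OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);

    if (mdctx == NULL) {
        ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    k_bytes = OPENSSL_malloc(num_k_bytes);
    if (k_bytes == NULL) {
        /* report the failure on the error stack, as bnrand() does */
        ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* We copy |priv| into a local buffer to avoid exposing its length. */
    if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
        /*
         * No reasonable DSA or ECDSA key should have a private key this
         * large and we don't handle this case in order to avoid leaking the
         * length of the private key.
         */
        ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE);
        goto err;
    }

    md = EVP_MD_fetch(libctx, "SHA512", NULL);
    if (md == NULL) {
        ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST);
        goto err;
    }
    for (done = 0; done < num_k_bytes;) {
        if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0)
            goto err;

        /*
         * |done| is hashed in as a counter, so successive chunks differ even
         * if the RNG were to return the same bytes twice.
         */
        if (!EVP_DigestInit_ex(mdctx, md, NULL)
                || !EVP_DigestUpdate(mdctx, &done, sizeof(done))
                || !EVP_DigestUpdate(mdctx, private_bytes,
                                     sizeof(private_bytes))
                || !EVP_DigestUpdate(mdctx, message, message_len)
                || !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes))
                || !EVP_DigestFinal_ex(mdctx, digest, NULL))
            goto err;

        /* the last chunk may be shorter than a full digest */
        todo = num_k_bytes - done;
        if (todo > SHA512_DIGEST_LENGTH)
            todo = SHA512_DIGEST_LENGTH;
        memcpy(k_bytes + done, digest, todo);
        done += todo;
    }

    if (!BN_bin2bn(k_bytes, num_k_bytes, out))
        goto err;
    if (BN_mod(out, out, range, ctx) != 1)
        goto err;
    ret = 1;

 err:
    EVP_MD_CTX_free(mdctx);
    EVP_MD_free(md);
    /* everything below was derived from |priv|; wipe on every path */
    OPENSSL_clear_free(k_bytes, num_k_bytes);
    OPENSSL_cleanse(digest, sizeof(digest));
    OPENSSL_cleanse(random_bytes, sizeof(random_bytes));
    OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
    return ret;
}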