1 /* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <time.h> 12 #include "internal/cryptlib.h" 13 #include "crypto/rand.h" 14 #include "bn_local.h" 15 #include <openssl/rand.h> 16 #include <openssl/sha.h> 17 #include <openssl/evp.h> 18 19 typedef enum bnrand_flag_e { 20 NORMAL, TESTING, PRIVATE 21 } BNRAND_FLAG; 22 23 static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom, 24 unsigned int strength, BN_CTX *ctx) 25 { 26 unsigned char *buf = NULL; 27 int b, ret = 0, bit, bytes, mask; 28 OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); 29 30 if (bits == 0) { 31 if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) 32 goto toosmall; 33 BN_zero(rnd); 34 return 1; 35 } 36 if (bits < 0 || (bits == 1 && top > 0)) 37 goto toosmall; 38 39 bytes = (bits + 7) / 8; 40 bit = (bits - 1) % 8; 41 mask = 0xff << (bit + 1); 42 43 buf = OPENSSL_malloc(bytes); 44 if (buf == NULL) { 45 ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); 46 goto err; 47 } 48 49 /* make a random number and set the top and bottom bits */ 50 b = flag == NORMAL ? RAND_bytes_ex(libctx, buf, bytes, strength) 51 : RAND_priv_bytes_ex(libctx, buf, bytes, strength); 52 if (b <= 0) 53 goto err; 54 55 if (flag == TESTING) { 56 /* 57 * generate patterns that are more likely to trigger BN library bugs 58 */ 59 int i; 60 unsigned char c; 61 62 for (i = 0; i < bytes; i++) { 63 if (RAND_bytes_ex(libctx, &c, 1, strength) <= 0) 64 goto err; 65 if (c >= 128 && i > 0) 66 buf[i] = buf[i - 1]; 67 else if (c < 42) 68 buf[i] = 0; 69 else if (c < 84) 70 buf[i] = 255; 71 } 72 } 73 74 if (top >= 0) { 75 if (top) { 76 if (bit == 0) { 77 buf[0] = 1; 78 buf[1] |= 0x80; 79 } else { 80 buf[0] |= (3 << (bit - 1)); 81 } 82 } else { 83 buf[0] |= (1 << bit); 84 } 85 } 86 buf[0] &= ~mask; 87 if (bottom) /* set bottom bit if requested */ 88 buf[bytes - 1] |= 1; 89 if (!BN_bin2bn(buf, bytes, rnd)) 90 goto err; 91 ret = 1; 92 err: 93 OPENSSL_clear_free(buf, bytes); 94 bn_check_top(rnd); 95 return ret; 96 97 toosmall: 98 ERR_raise(ERR_LIB_BN, BN_R_BITS_TOO_SMALL); 99 return 0; 100 } 101 102 int BN_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, 103 unsigned int strength, BN_CTX *ctx) 104 { 105 return bnrand(NORMAL, rnd, bits, top, bottom, strength, ctx); 106 } 107 #ifndef FIPS_MODULE 108 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) 109 { 110 return bnrand(NORMAL, rnd, bits, top, bottom, 0, NULL); 111 } 112 113 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) 114 { 115 return bnrand(TESTING, rnd, bits, top, bottom, 0, NULL); 116 } 117 #endif 118 119 int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, 120 unsigned int strength, BN_CTX *ctx) 121 { 122 return bnrand(PRIVATE, rnd, bits, top, bottom, strength, ctx); 123 } 124 125 #ifndef FIPS_MODULE 126 int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom) 127 { 128 return bnrand(PRIVATE, rnd, bits, top, bottom, 0, NULL); 129 } 130 #endif 131 132 /* random number r: 0 <= r < range */ 133 static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range, 134 unsigned int strength, BN_CTX *ctx) 135 { 136 int n; 137 int count = 100; 138 139 if (r == NULL) { 140 ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); 141 return 0; 142 } 143 144 if (range->neg || BN_is_zero(range)) { 145 ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); 146 return 0; 147 } 148 149 n = BN_num_bits(range); /* n > 0 */ 150 151 /* BN_is_bit_set(range, n - 1) always holds */ 152 153 if (n == 1) 154 BN_zero(r); 155 else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { 156 /* 157 * range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer 158 * than range 159 */ 160 do { 161 if (!bnrand(flag, r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 162 strength, ctx)) 163 return 0; 164 165 /* 166 * If r < 3*range, use r := r MOD range (which is either r, r - 167 * range, or r - 2*range). Otherwise, iterate once more. Since 168 * 3*range = 11..._2, each iteration succeeds with probability >= 169 * .75. 170 */ 171 if (BN_cmp(r, range) >= 0) { 172 if (!BN_sub(r, r, range)) 173 return 0; 174 if (BN_cmp(r, range) >= 0) 175 if (!BN_sub(r, r, range)) 176 return 0; 177 } 178 179 if (!--count) { 180 ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); 181 return 0; 182 } 183 184 } 185 while (BN_cmp(r, range) >= 0); 186 } else { 187 do { 188 /* range = 11..._2 or range = 101..._2 */ 189 if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 190 strength, ctx)) 191 return 0; 192 193 if (!--count) { 194 ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); 195 return 0; 196 } 197 } 198 while (BN_cmp(r, range) >= 0); 199 } 200 201 bn_check_top(r); 202 return 1; 203 } 204 205 int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength, 206 BN_CTX *ctx) 207 { 208 return bnrand_range(NORMAL, r, range, strength, ctx); 209 } 210 211 #ifndef FIPS_MODULE 212 int BN_rand_range(BIGNUM *r, const BIGNUM *range) 213 { 214 return bnrand_range(NORMAL, r, range, 0, NULL); 215 } 216 #endif 217 218 int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, unsigned int strength, 219 BN_CTX *ctx) 220 { 221 return bnrand_range(PRIVATE, r, range, strength, ctx); 222 } 223 224 #ifndef FIPS_MODULE 225 int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) 226 { 227 return bnrand_range(PRIVATE, r, range, 0, NULL); 228 } 229 230 # ifndef OPENSSL_NO_DEPRECATED_3_0 231 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) 232 { 233 return BN_rand(rnd, bits, top, bottom); 234 } 235 236 int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) 237 { 238 return BN_rand_range(r, range); 239 } 240 # endif 241 #endif 242 243 int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range, 244 unsigned int strength, BN_CTX *ctx) 245 { 246 int n; 247 int count = 100; 248 249 if (r == NULL) { 250 ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); 251 return 0; 252 } 253 254 if (range->neg || BN_is_zero(range)) { 255 ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); 256 return 0; 257 } 258 259 n = BN_num_bits(range); /* n > 0 */ 260 261 /* BN_is_bit_set(range, n - 1) always holds */ 262 263 if (n == 1) { 264 BN_zero(r); 265 } else { 266 BN_set_flags(r, BN_FLG_CONSTTIME); 267 do { 268 if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, 269 strength, ctx)) 270 return 0; 271 272 if (!--count) { 273 ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); 274 return 0; 275 } 276 ossl_bn_mask_bits_fixed_top(r, n); 277 } 278 while (BN_ucmp(r, range) >= 0); 279 #ifdef BN_DEBUG 280 /* With BN_DEBUG on a fixed top number cannot be returned */ 281 bn_correct_top(r); 282 #endif 283 } 284 285 return 1; 286 } 287 288 /* 289 * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range. 290 * Unlike BN_rand_range, it also includes the contents of |priv| and |message| 291 * in the generation so that an RNG failure isn't fatal as long as |priv| 292 * remains secret. This is intended for use in DSA and ECDSA where an RNG 293 * weakness leads directly to private key exposure unless this function is 294 * used. 295 */ 296 int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range, 297 const BIGNUM *priv, 298 const unsigned char *message, 299 size_t message_len, BN_CTX *ctx) 300 { 301 EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); 302 /* 303 * We use 512 bits of random data per iteration to ensure that we have at 304 * least |range| bits of randomness. 305 */ 306 unsigned char random_bytes[64]; 307 unsigned char digest[SHA512_DIGEST_LENGTH]; 308 unsigned done, todo; 309 /* We generate |range|+1 bytes of random output. */ 310 const unsigned num_k_bytes = BN_num_bytes(range) + 1; 311 unsigned char private_bytes[96]; 312 unsigned char *k_bytes = NULL; 313 const int max_n = 64; /* Pr(failure to generate) < 2^max_n */ 314 int n; 315 int ret = 0; 316 EVP_MD *md = NULL; 317 OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); 318 319 if (mdctx == NULL) 320 goto end; 321 322 k_bytes = OPENSSL_malloc(num_k_bytes); 323 if (k_bytes == NULL) 324 goto end; 325 /* Ensure top byte is set to avoid non-constant time in bin2bn */ 326 k_bytes[0] = 0xff; 327 328 /* We copy |priv| into a local buffer to avoid exposing its length. */ 329 if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { 330 /* 331 * No reasonable DSA or ECDSA key should have a private key this 332 * large and we don't handle this case in order to avoid leaking the 333 * length of the private key. 334 */ 335 ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE); 336 goto end; 337 } 338 339 md = EVP_MD_fetch(libctx, "SHA512", NULL); 340 if (md == NULL) { 341 ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST); 342 goto end; 343 } 344 for (n = 0; n < max_n; n++) { 345 unsigned char i = 0; 346 347 for (done = 1; done < num_k_bytes;) { 348 if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 349 0) <= 0) 350 goto end; 351 352 if (!EVP_DigestInit_ex(mdctx, md, NULL) 353 || !EVP_DigestUpdate(mdctx, &i, sizeof(i)) 354 || !EVP_DigestUpdate(mdctx, private_bytes, 355 sizeof(private_bytes)) 356 || !EVP_DigestUpdate(mdctx, message, message_len) 357 || !EVP_DigestUpdate(mdctx, random_bytes, 358 sizeof(random_bytes)) 359 || !EVP_DigestFinal_ex(mdctx, digest, NULL)) 360 goto end; 361 362 todo = num_k_bytes - done; 363 if (todo > SHA512_DIGEST_LENGTH) 364 todo = SHA512_DIGEST_LENGTH; 365 memcpy(k_bytes + done, digest, todo); 366 done += todo; 367 ++i; 368 } 369 370 if (!BN_bin2bn(k_bytes, num_k_bytes, out)) 371 goto end; 372 373 /* Clear out the top bits and rejection filter into range */ 374 BN_set_flags(out, BN_FLG_CONSTTIME); 375 ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range)); 376 377 if (BN_ucmp(out, range) < 0) { 378 ret = 1; 379 #ifdef BN_DEBUG 380 /* With BN_DEBUG on a fixed top number cannot be returned */ 381 bn_correct_top(out); 382 #endif 383 goto end; 384 } 385 } 386 /* Failed to generate anything */ 387 ERR_raise(ERR_LIB_BN, ERR_R_INTERNAL_ERROR); 388 389 end: 390 EVP_MD_CTX_free(mdctx); 391 EVP_MD_free(md); 392 OPENSSL_clear_free(k_bytes, num_k_bytes); 393 OPENSSL_cleanse(digest, sizeof(digest)); 394 OPENSSL_cleanse(random_bytes, sizeof(random_bytes)); 395 OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); 396 return ret; 397 } 398 399 int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, 400 const BIGNUM *priv, const unsigned char *message, 401 size_t message_len, BN_CTX *ctx) 402 { 403 int ret; 404 405 ret = ossl_bn_gen_dsa_nonce_fixed_top(out, range, priv, message, 406 message_len, ctx); 407 /* 408 * This call makes the BN_generate_dsa_nonce non-const-time, thus we 409 * do not use it internally. But fixed_top BNs currently cannot be returned 410 * from public API calls. 411 */ 412 bn_correct_top(out); 413 return ret; 414 } 415