Add a new global DRBG for private keys used by RAND_priv_bytes.
Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)
static const ERR_STRING_DATA BN_str_functs[] = {
{ERR_PACK(ERR_LIB_BN, BN_F_BNRAND, 0), "bnrand"},
+ {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND_RANGE, 0), "bnrand_range"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CONVERT_EX, 0),
"BN_BLINDING_convert_ex"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CREATE_PARAM, 0),
if (tmp == NULL)
goto err;
do {
- if (!BN_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
goto err;
if (!BN_GF2m_mod_arr(rho, rho, p))
goto err;
goto err;
for (i = 0; i < checks; i++) {
- if (!BN_rand_range(check, A1))
+ if (!BN_priv_rand_range(check, A1))
goto err;
if (!BN_add_word(check, 1))
goto err;
char is_single_word = bits <= BN_BITS2;
again:
- if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
+ if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
return (0);
/* we now have a random number 'rnd' to test. */
for (i = 1; i < NUMPRIMES; i++) {
if ((t1 = BN_CTX_get(ctx)) == NULL)
goto err;
- if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+ if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
goto err;
/* we need ((rnd-rem) % add) == 0 */
if (!BN_rshift1(qadd, padd))
goto err;
- if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+ if (!BN_priv_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
goto err;
/* we need ((rnd-rem) % add) == 0 */
#include <openssl/rand.h>
#include <openssl/sha.h>
-static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom)
+typedef enum bnrand_flag_e {
+ NORMAL, TESTING, PRIVATE
+} BNRAND_FLAG;
+
+static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom)
{
unsigned char *buf = NULL;
- int ret = 0, bit, bytes, mask;
+ int b, ret = 0, bit, bytes, mask;
if (bits == 0) {
if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY)
}
/* make a random number and set the top and bottom bits */
- if (RAND_bytes(buf, bytes) <= 0)
+ b = flag == NORMAL ? RAND_bytes(buf, bytes) : RAND_priv_bytes(buf, bytes);
+ if (b <= 0)
goto err;
- if (testing) {
+ if (flag == TESTING) {
/*
* generate patterns that are more likely to trigger BN library bugs
*/
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
- return bnrand(0, rnd, bits, top, bottom);
+ return bnrand(NORMAL, rnd, bits, top, bottom);
}
int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
- return bnrand(1, rnd, bits, top, bottom);
+ return bnrand(TESTING, rnd, bits, top, bottom);
+}
+
+int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom)
+{
+ return bnrand(PRIVATE, rnd, bits, top, bottom);
}
/* random number r: 0 <= r < range */
-int BN_rand_range(BIGNUM *r, const BIGNUM *range)
+static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range)
{
- int n;
+ int b, n;
int count = 100;
if (range->neg || BN_is_zero(range)) {
- BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);
+ BNerr(BN_F_BNRAND_RANGE, BN_R_INVALID_RANGE);
return 0;
}
* than range
*/
do {
- if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
+ b = flag == NORMAL
+ ? BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)
+ : BN_priv_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY);
+ if (!b)
return 0;
/*
* If r < 3*range, use r := r MOD range (which is either r, r -
}
if (!--count) {
- BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+ BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
return 0;
}
return 0;
if (!--count) {
- BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+ BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
return 0;
}
}
return 1;
}
+int BN_rand_range(BIGNUM *r, const BIGNUM *range)
+{
+ return bnrand_range(NORMAL, r, range);
+}
+
+int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range)
+{
+ return bnrand_range(PRIVATE, r, range);
+}
+
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
return BN_rand(rnd, bits, top, bottom);
* - 1. By setting the top two bits we ensure that the lower bound is
* exceeded.
*/
- if (!BN_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
goto err;
BN_CTX_start(ctx);
goto err;
for (i = 0; i < 1000; i++) {
- if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
goto err;
/* Check that |Xp - Xq| > 2^(nbits - 100) */
BN_sub(t, Xp, Xq);
if (Xp1 == NULL || Xp2 == NULL)
goto error;
- if (!BN_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
goto error;
- if (!BN_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
goto error;
if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
goto error;
if (generate_new_key) {
if (dh->q) {
do {
- if (!BN_rand_range(priv_key, dh->q))
+ if (!BN_priv_rand_range(priv_key, dh->q))
goto err;
}
while (BN_is_zero(priv_key) || BN_is_one(priv_key));
} else {
/* secret exponent length */
l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
- if (!BN_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
goto err;
}
}
priv_key = dsa->priv_key;
do
- if (!BN_rand_range(priv_key, dsa->q))
+ if (!BN_priv_rand_range(priv_key, dsa->q))
goto err;
while (BN_is_zero(priv_key)) ;
if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
dlen, ctx))
goto err;
- } else if (!BN_rand_range(k, dsa->q))
+ } else if (!BN_priv_rand_range(k, dsa->q))
goto err;
} while (BN_is_zero(k));
goto err;
do
- if (!BN_rand_range(priv_key, order))
+ if (!BN_priv_rand_range(priv_key, order))
goto err;
while (BN_is_zero(priv_key)) ;
goto err;
}
} else {
- if (!BN_rand_range(k, order)) {
+ if (!BN_priv_rand_range(k, order)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
BIO_F_MEM_WRITE:117:mem_write
BIO_F_SSL_NEW:118:SSL_new
BN_F_BNRAND:127:bnrand
+BN_F_BNRAND_RANGE:138:bnrand_range
BN_F_BN_BLINDING_CONVERT_EX:100:BN_BLINDING_convert_ex
BN_F_BN_BLINDING_CREATE_PARAM:128:BN_BLINDING_create_param
BN_F_BN_BLINDING_INVERT_EX:101:BN_BLINDING_invert_ex
return ret;
}
-static void drbg_cleanup(void)
-{
- CRYPTO_THREAD_write_lock(rand_drbg.lock);
- RAND_DRBG_uninstantiate(&rand_drbg);
- CRYPTO_THREAD_unlock(rand_drbg.lock);
-}
-
static int drbg_add(const void *buf, int num, double randomness)
{
unsigned char *in = (unsigned char *)buf;
}
RAND_DRBG rand_drbg; /* The default global DRBG. */
+RAND_DRBG priv_drbg; /* The global private-key DRBG. */
RAND_METHOD rand_meth = {
drbg_seed,
drbg_bytes,
- drbg_cleanup,
+ NULL,
drbg_add,
drbg_bytes,
drbg_status
extern RAND_METHOD rand_meth;
extern RAND_BYTES_BUFFER rand_bytes;
extern RAND_DRBG rand_drbg;
+extern RAND_DRBG priv_drbg;
/* Hardware-based seeding functions. */
void rand_read_tsc(RAND_poll_fn cb, void *arg);
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out)
{
drbg->filled = 0;
- OPENSSL_cleanse(drbg->randomness, sizeof(drbg->randomness));
+ OPENSSL_cleanse(drbg->randomness, drbg->size);
+}
+
+
+/*
+ * Set up a global DRBG.
+ */
+static int setup_drbg(RAND_DRBG *drbg)
+{
+ int ret = 1;
+
+ drbg->lock = CRYPTO_THREAD_lock_new();
+ ret &= drbg->lock != NULL;
+ drbg->size = RANDOMNESS_NEEDED;
+ drbg->randomness = OPENSSL_malloc(drbg->size);
+ ret &= drbg->randomness != NULL;
+ /* If you change these parameters, see RANDOMNESS_NEEDED */
+ ret &= RAND_DRBG_set(drbg,
+ NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1;
+ ret &= RAND_DRBG_set_callbacks(drbg, drbg_entropy_from_system,
+ drbg_release_entropy, NULL, NULL) == 1;
+ return ret;
+}
+
+static void free_drbg(RAND_DRBG *drbg)
+{
+ CRYPTO_THREAD_lock_free(drbg->lock);
+ OPENSSL_clear_free(drbg->randomness, drbg->size);
+ RAND_DRBG_uninstantiate(drbg);
}
DEFINE_RUN_ONCE_STATIC(do_rand_init)
rand_bytes.size = MAX_RANDOMNESS_HELD;
/* TODO: Should this be secure malloc? */
rand_bytes.buff = malloc(rand_bytes.size);
- ret &= rand_bytes.buff != NULL;
- rand_drbg.lock = CRYPTO_THREAD_lock_new();
- ret &= rand_drbg.lock != NULL;
- rand_drbg.size = RANDOMNESS_NEEDED;
- rand_drbg.randomness = OPENSSL_malloc(rand_drbg.size);
- ret &= rand_drbg.randomness != NULL;
- /* If you change these parameters, see RANDOMNESS_NEEDED */
- ret &= RAND_DRBG_set(&rand_drbg,
- NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1;
- ret &= RAND_DRBG_set_callbacks(&rand_drbg, drbg_entropy_from_system,
- drbg_release_entropy,
- NULL, NULL) == 1;
+ ret &= rand_bytes.buff != NULL;
+ ret &= setup_drbg(&rand_drbg);
+ ret &= setup_drbg(&priv_drbg);
return ret;
}
+
void rand_cleanup_int(void)
{
const RAND_METHOD *meth = default_RAND_meth;
#endif
CRYPTO_THREAD_lock_free(rand_meth_lock);
CRYPTO_THREAD_lock_free(rand_bytes.lock);
- OPENSSL_clear_free(rand_drbg.randomness, rand_drbg.size);
- CRYPTO_THREAD_lock_free(rand_drbg.lock);
- RAND_DRBG_uninstantiate(&rand_drbg);
+ OPENSSL_clear_free(rand_bytes.buff, rand_bytes.size);
+ free_drbg(&rand_drbg);
+ free_drbg(&priv_drbg);
}
/*
meth->add(buf, num, randomness);
}
+/*
+ * This function is not part of RAND_METHOD, so if we're not using
+ * the default method, then just call RAND_bytes(). Otherwise make
+ * sure we're instantiated and use the private DRBG.
+ */
+int RAND_priv_bytes(unsigned char *buf, int num)
+{
+ const RAND_METHOD *meth = RAND_get_rand_method();
+
+ if (meth != RAND_OpenSSL())
+ return RAND_bytes(buf, num);
+
+ if (priv_drbg.state == DRBG_UNINITIALISED
+ && RAND_DRBG_instantiate(&priv_drbg, NULL, 0) == 0)
+ return 0;
+ return RAND_DRBG_generate(&priv_drbg, buf, num, 0, NULL, 0);
+
+}
+
int RAND_bytes(unsigned char *buf, int num)
{
const RAND_METHOD *meth = RAND_get_rand_method();
=head1 NAME
-RAND_bytes, RAND_pseudo_bytes - generate random data
+RAND_bytes, RAND_priv_bytes, RAND_pseudo_bytes - generate random data
=head1 SYNOPSIS
#include <openssl/rand.h>
int RAND_bytes(unsigned char *buf, int num);
+ int RAND_priv_bytes(unsigned char *buf, int num);
Deprecated:
into B<buf>. An error occurs if the PRNG has not been seeded with
enough randomness to ensure an unpredictable byte sequence.
+RAND_priv_bytes() has the same semantics as RAND_bytes(). It is intended to
+be used for generating long-term private keys. If using the default
+RAND_METHOD, this function uses a separate instance of the PRNG so that
+a compromise of the global generator will not affect such key generation.
+
=head1 RETURN VALUES
-RAND_bytes() returns 1 on success, -1 if not supported by the current
+RAND_bytes() nad RAND_priv_bytes()
+return 1 on success, -1 if not supported by the current
RAND method, or 0 on other failure. The error code can be
obtained by L<ERR_get_error(3)>.
BIGNUM *BN_CTX_get(BN_CTX *ctx);
void BN_CTX_end(BN_CTX *ctx);
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int BN_priv_rand_range(BIGNUM *rnd, const BIGNUM *range);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
int BN_num_bits(const BIGNUM *a);
* BN function codes.
*/
# define BN_F_BNRAND 127
+# define BN_F_BNRAND_RANGE 138
# define BN_F_BN_BLINDING_CONVERT_EX 100
# define BN_F_BN_BLINDING_CREATE_PARAM 128
# define BN_F_BN_BLINDING_INVERT_EX 101
# define RAND_cleanup() while(0) continue
# endif
int RAND_bytes(unsigned char *buf, int num);
+int RAND_priv_bytes(unsigned char *buf, int num);
DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
void RAND_seed(const void *buf, int num);
EVP_PKEY_meth_get_count 4317 1_1_1 EXIST::FUNCTION:
RAND_poll_ex 4318 1_1_1 EXIST::FUNCTION:
RAND_DRBG_get0_global 4319 1_1_1 EXIST::FUNCTION:
+RAND_priv_bytes 4320 1_1_1 EXIST::FUNCTION:
+BN_priv_rand 4321 1_1_1 EXIST::FUNCTION:
+BN_priv_rand_range 4322 1_1_1 EXIST::FUNCTION: