From 35ed8cb8b6655606c2be31d44be942f6724ba405 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Thu, 8 Feb 2001 12:14:51 +0000 Subject: [PATCH] Integrate my implementation of a countermeasure against Bleichenbacher's DSA attack. With this implementation, the expected number of iterations never exceeds 2. New semantics for BN_rand_range(): BN_rand_range(r, min, range) now generates r such that min <= r < min+range. (Previously, BN_rand_range(r, min, max) generated r such that min <= r < max. It is more convenient to have the range; also the previous prototype was misleading because max was larger than the actual maximum.) --- CHANGES | 2 +- crypto/bn/bn.h | 4 ++- crypto/bn/bn_err.c | 2 ++ crypto/bn/bn_rand.c | 61 +++++++++++++++++++++++++++++++++++++----- crypto/dsa/dsa_ossl.c | 4 ++- doc/crypto/BN_rand.pod | 6 ++--- 6 files changed, 67 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 3e2d97daaa..136dde4884 100644 --- a/CHANGES +++ b/CHANGES @@ -5,7 +5,7 @@ *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent Bleichenbacher's DSA attack. - [Ulf Moeller] + [Ulf Moeller, Bodo Moeller] *) Update Rijndael code to version 3.0 and change EVP AES ciphers to handle the new API. Currently only ECB, CBC modes supported. Add new diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index be4e7ae2ba..8b2b970995 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -329,7 +329,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); -int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); +int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); @@ -527,6 +527,7 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom); #define BN_F_BN_MPI2BN 112 #define BN_F_BN_NEW 113 #define BN_F_BN_RAND 114 +#define BN_F_BN_RAND_RANGE 122 #define BN_F_BN_USUB 115 /* Reason codes. */ @@ -539,6 +540,7 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom); #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 #define BN_R_INPUT_NOT_REDUCED 110 #define BN_R_INVALID_LENGTH 106 +#define BN_R_INVALID_RANGE 115 #define BN_R_NOT_A_SQUARE 111 #define BN_R_NOT_INITIALIZED 107 #define BN_R_NO_INVERSE 108 diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c index d7f0493f47..c713e1f154 100644 --- a/crypto/bn/bn_err.c +++ b/crypto/bn/bn_err.c @@ -87,6 +87,7 @@ static ERR_STRING_DATA BN_str_functs[]= {ERR_PACK(0,BN_F_BN_MPI2BN,0), "BN_mpi2bn"}, {ERR_PACK(0,BN_F_BN_NEW,0), "BN_new"}, {ERR_PACK(0,BN_F_BN_RAND,0), "BN_rand"}, +{ERR_PACK(0,BN_F_BN_RAND_RANGE,0), "BN_rand_range"}, {ERR_PACK(0,BN_F_BN_USUB,0), "BN_usub"}, {0,NULL} }; @@ -102,6 +103,7 @@ static ERR_STRING_DATA BN_str_reasons[]= {BN_R_EXPAND_ON_STATIC_BIGNUM_DATA ,"expand on static bignum data"}, {BN_R_INPUT_NOT_REDUCED ,"input not reduced"}, {BN_R_INVALID_LENGTH ,"invalid length"}, +{BN_R_INVALID_RANGE ,"invalid range"}, {BN_R_NOT_A_SQUARE ,"not a square"}, {BN_R_NOT_INITIALIZED ,"not initialized"}, {BN_R_NO_INVERSE ,"no inverse"}, diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index f2c79b5e31..a7e35357d6 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -169,13 +169,62 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) } #endif -/* random number r: min <= r < max */ -int BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *max) +/* random number r: min <= r < min+range */ +int BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *range) { - int n = BN_num_bits(max); - do + int n; + + if (range->neg || BN_is_zero(range)) + { + BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability > .5 */ + if (!BN_rand(r, n, 0, 0)) return 0; + fprintf(stderr, "?"); + } + while (BN_cmp(r, range) >= 0); + fprintf(stderr, "! (11...)\n"); + } + else { - if (!BN_rand(r, n, 0, 0)) return 0; - } while ((min && BN_cmp(r, min) < 0) || BN_cmp(r, max) >= 0); + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, 0, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability > .5. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + fprintf(stderr, "?"); + } + while (BN_cmp(r, range) >= 0); + fprintf(stderr, "! (10...)\n"); + } + + if (min != NULL) + { + if (!BN_add(r, r, min)) return 0; + } + return 1; } diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 7304037947..1967290baf 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -180,7 +180,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err; + do + if (!BN_rand_range(&k, NULL, dsa->q)) goto err; + while (BN_is_zero(&k)); if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index dc93949246..e4c94e3d12 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod @@ -12,7 +12,7 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); - int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max); + int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *range); =head1 DESCRIPTION @@ -28,8 +28,8 @@ non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. BN_rand_range() generates a cryptographically strong pseudo-random -number B in the range B E= B E B. B -may be NULL, in that case 0 E= B E B. +number B in the range B E= B E B + B. +B may be NULL, in that case 0 E= B E B. The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). -- 2.25.1