diff options
| author | Rich Salz <rsalz@openssl.org> | 2017-08-02 14:00:52 -0400 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2017-08-03 10:45:17 -0400 |
| commit | ddc6a5c8f5900959bdbdfee79e1625a3f7808acd (patch) | |
| tree | 3121037aca10793706bbc4b8800b40ba305a1c06 /crypto | |
| parent | ae3947de09522206d61c0206a733517b10a910f8 (diff) | |
Add RAND_priv_bytes() for private keys
Add a new global DRBG for private keys used by RAND_priv_bytes.
Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/bn/bn_err.c | 1 | ||||
| -rw-r--r-- | crypto/bn/bn_gf2m.c | 2 | ||||
| -rw-r--r-- | crypto/bn/bn_prime.c | 8 | ||||
| -rw-r--r-- | crypto/bn/bn_rand.c | 47 | ||||
| -rw-r--r-- | crypto/bn/bn_x931p.c | 8 | ||||
| -rw-r--r-- | crypto/dh/dh_key.c | 4 | ||||
| -rw-r--r-- | crypto/dsa/dsa_key.c | 2 | ||||
| -rw-r--r-- | crypto/dsa/dsa_ossl.c | 2 | ||||
| -rw-r--r-- | crypto/ec/ec_key.c | 2 | ||||
| -rw-r--r-- | crypto/ec/ecdsa_ossl.c | 2 | ||||
| -rw-r--r-- | crypto/err/openssl.txt | 1 | ||||
| -rw-r--r-- | crypto/rand/drbg_lib.c | 10 | ||||
| -rw-r--r-- | crypto/rand/rand_lcl.h | 1 | ||||
| -rw-r--r-- | crypto/rand/rand_lib.c | 71 |
14 files changed, 110 insertions, 51 deletions
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c index a086c49e94..e2817470d1 100644 --- a/crypto/bn/bn_err.c +++ b/crypto/bn/bn_err.c @@ -15,6 +15,7 @@ static const ERR_STRING_DATA BN_str_functs[] = { {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND, 0), "bnrand"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND_RANGE, 0), "bnrand_range"}, {ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CONVERT_EX, 0), "BN_BLINDING_convert_ex"}, {ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CREATE_PARAM, 0), diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c index 39b0e3849f..f164f467fb 100644 --- a/crypto/bn/bn_gf2m.c +++ b/crypto/bn/bn_gf2m.c @@ -1077,7 +1077,7 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[], if (tmp == NULL) goto err; do { - if (!BN_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + if (!BN_priv_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) goto err; if (!BN_GF2m_mod_arr(rho, rho, p)) goto err; diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index 4581a66bf6..026c119c13 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -216,7 +216,7 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, goto err; for (i = 0; i < checks; i++) { - if (!BN_rand_range(check, A1)) + if (!BN_priv_rand_range(check, A1)) goto err; if (!BN_add_word(check, 1)) goto err; @@ -279,7 +279,7 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) char is_single_word = bits <= BN_BITS2; again: - if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) + if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) return (0); /* we now have a random number 'rnd' to test. */ for (i = 1; i < NUMPRIMES; i++) { @@ -363,7 +363,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits, if ((t1 = BN_CTX_get(ctx)) == NULL) goto err; - if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) + if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) goto err; /* we need ((rnd-rem) % add) == 0 */ @@ -419,7 +419,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, if (!BN_rshift1(qadd, padd)) goto err; - if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) + if (!BN_priv_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) goto err; /* we need ((rnd-rem) % add) == 0 */ diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 0b9e43dbdd..d7b17d5d45 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -14,10 +14,14 @@ #include <openssl/rand.h> #include <openssl/sha.h> -static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom) +typedef enum bnrand_flag_e { + NORMAL, TESTING, PRIVATE +} BNRAND_FLAG; + +static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom) { unsigned char *buf = NULL; - int ret = 0, bit, bytes, mask; + int b, ret = 0, bit, bytes, mask; if (bits == 0) { if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) @@ -39,10 +43,11 @@ static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom) } /* make a random number and set the top and bottom bits */ - if (RAND_bytes(buf, bytes) <= 0) + b = flag == NORMAL ? RAND_bytes(buf, bytes) : RAND_priv_bytes(buf, bytes); + if (b <= 0) goto err; - if (testing) { + if (flag == TESTING) { /* * generate patterns that are more likely to trigger BN library bugs */ @@ -91,22 +96,27 @@ toosmall: int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) { - return bnrand(0, rnd, bits, top, bottom); + return bnrand(NORMAL, rnd, bits, top, bottom); } int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) { - return bnrand(1, rnd, bits, top, bottom); + return bnrand(TESTING, rnd, bits, top, bottom); +} + +int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom) +{ + return bnrand(PRIVATE, rnd, bits, top, bottom); } /* random number r: 0 <= r < range */ -int BN_rand_range(BIGNUM *r, const BIGNUM *range) +static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range) { - int n; + int b, n; int count = 100; if (range->neg || BN_is_zero(range)) { - BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + BNerr(BN_F_BNRAND_RANGE, BN_R_INVALID_RANGE); return 0; } @@ -122,7 +132,10 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) * than range */ do { - if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) + b = flag == NORMAL + ? BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY) + : BN_priv_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY); + if (!b) return 0; /* * If r < 3*range, use r := r MOD range (which is either r, r - @@ -139,7 +152,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) } if (!--count) { - BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS); + BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS); return 0; } @@ -152,7 +165,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) return 0; if (!--count) { - BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS); + BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS); return 0; } } @@ -163,6 +176,16 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) return 1; } +int BN_rand_range(BIGNUM *r, const BIGNUM *range) +{ + return bnrand_range(NORMAL, r, range); +} + +int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range) +{ + return bnrand_range(PRIVATE, r, range); +} + int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return BN_rand(rnd, bits, top, bottom); diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index 17bc8c73ca..2331b01943 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -173,7 +173,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) * - 1. By setting the top two bits we ensure that the lower bound is * exceeded. */ - if (!BN_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY)) + if (!BN_priv_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY)) goto err; BN_CTX_start(ctx); @@ -182,7 +182,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) goto err; for (i = 0; i < 1000; i++) { - if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY)) + if (!BN_priv_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY)) goto err; /* Check that |Xp - Xq| > 2^(nbits - 100) */ BN_sub(t, Xp, Xq); @@ -225,9 +225,9 @@ int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, if (Xp1 == NULL || Xp2 == NULL) goto error; - if (!BN_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + if (!BN_priv_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) goto error; - if (!BN_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + if (!BN_priv_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) goto error; if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb)) goto error; diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index fce9ff47f3..ce01948602 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -111,14 +111,14 @@ static int generate_key(DH *dh) if (generate_new_key) { if (dh->q) { do { - if (!BN_rand_range(priv_key, dh->q)) + if (!BN_priv_rand_range(priv_key, dh->q)) goto err; } while (BN_is_zero(priv_key) || BN_is_one(priv_key)); } else { /* secret exponent length */ l = dh->length ? dh->length : BN_num_bits(dh->p) - 1; - if (!BN_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) goto err; } } diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 31442b1cff..7ced03d083 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -38,7 +38,7 @@ static int dsa_builtin_keygen(DSA *dsa) priv_key = dsa->priv_key; do - if (!BN_rand_range(priv_key, dsa->q)) + if (!BN_priv_rand_range(priv_key, dsa->q)) goto err; while (BN_is_zero(priv_key)) ; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 479337763b..a3b2069c1f 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -175,7 +175,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst, dlen, ctx)) goto err; - } else if (!BN_rand_range(k, dsa->q)) + } else if (!BN_priv_rand_range(k, dsa->q)) goto err; } while (BN_is_zero(k)); diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 97a394fad6..3abf467ce0 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -218,7 +218,7 @@ int ec_key_simple_generate_key(EC_KEY *eckey) goto err; do - if (!BN_rand_range(priv_key, order)) + if (!BN_priv_rand_range(priv_key, order)) goto err; while (BN_is_zero(priv_key)) ; diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index c7ab0ee1a3..b12d859cc8 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -89,7 +89,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, goto err; } } else { - if (!BN_rand_range(k, order)) { + if (!BN_priv_rand_range(k, order)) { ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 58eb3219c6..6d7ac4ef8e 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -158,6 +158,7 @@ BIO_F_LINEBUFFER_CTRL:129:linebuffer_ctrl BIO_F_MEM_WRITE:117:mem_write BIO_F_SSL_NEW:118:SSL_new BN_F_BNRAND:127:bnrand +BN_F_BNRAND_RANGE:138:bnrand_range BN_F_BN_BLINDING_CONVERT_EX:100:BN_BLINDING_convert_ex BN_F_BN_BLINDING_CREATE_PARAM:128:BN_BLINDING_create_param BN_F_BN_BLINDING_INVERT_EX:101:BN_BLINDING_invert_ex diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index a24ec8e2e4..935d5c8fd7 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -365,13 +365,6 @@ err: return ret; } -static void drbg_cleanup(void) -{ - CRYPTO_THREAD_write_lock(rand_drbg.lock); - RAND_DRBG_uninstantiate(&rand_drbg); - CRYPTO_THREAD_unlock(rand_drbg.lock); -} - static int drbg_add(const void *buf, int num, double randomness) { unsigned char *in = (unsigned char *)buf; @@ -411,11 +404,12 @@ static int drbg_status(void) } RAND_DRBG rand_drbg; /* The default global DRBG. */ +RAND_DRBG priv_drbg; /* The global private-key DRBG. */ RAND_METHOD rand_meth = { drbg_seed, drbg_bytes, - drbg_cleanup, + NULL, drbg_add, drbg_bytes, drbg_status diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index e5944f975f..5c7087c977 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -125,6 +125,7 @@ struct rand_drbg_st { extern RAND_METHOD rand_meth; extern RAND_BYTES_BUFFER rand_bytes; extern RAND_DRBG rand_drbg; +extern RAND_DRBG priv_drbg; /* Hardware-based seeding functions. */ void rand_read_tsc(RAND_poll_fn cb, void *arg); diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 059bd55796..d6cb717489 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -169,7 +169,35 @@ size_t drbg_entropy_from_parent(RAND_DRBG *drbg, void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out) { drbg->filled = 0; - OPENSSL_cleanse(drbg->randomness, sizeof(drbg->randomness)); + OPENSSL_cleanse(drbg->randomness, drbg->size); +} + + +/* + * Set up a global DRBG. + */ +static int setup_drbg(RAND_DRBG *drbg) +{ + int ret = 1; + + drbg->lock = CRYPTO_THREAD_lock_new(); + ret &= drbg->lock != NULL; + drbg->size = RANDOMNESS_NEEDED; + drbg->randomness = OPENSSL_malloc(drbg->size); + ret &= drbg->randomness != NULL; + /* If you change these parameters, see RANDOMNESS_NEEDED */ + ret &= RAND_DRBG_set(drbg, + NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1; + ret &= RAND_DRBG_set_callbacks(drbg, drbg_entropy_from_system, + drbg_release_entropy, NULL, NULL) == 1; + return ret; +} + +static void free_drbg(RAND_DRBG *drbg) +{ + CRYPTO_THREAD_lock_free(drbg->lock); + OPENSSL_clear_free(drbg->randomness, drbg->size); + RAND_DRBG_uninstantiate(drbg); } DEFINE_RUN_ONCE_STATIC(do_rand_init) @@ -189,22 +217,14 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init) rand_bytes.size = MAX_RANDOMNESS_HELD; /* TODO: Should this be secure malloc? */ rand_bytes.buff = malloc(rand_bytes.size); - ret &= rand_bytes.buff != NULL; - rand_drbg.lock = CRYPTO_THREAD_lock_new(); - ret &= rand_drbg.lock != NULL; - rand_drbg.size = RANDOMNESS_NEEDED; - rand_drbg.randomness = OPENSSL_malloc(rand_drbg.size); - ret &= rand_drbg.randomness != NULL; - /* If you change these parameters, see RANDOMNESS_NEEDED */ - ret &= RAND_DRBG_set(&rand_drbg, - NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1; - ret &= RAND_DRBG_set_callbacks(&rand_drbg, drbg_entropy_from_system, - drbg_release_entropy, - NULL, NULL) == 1; + ret &= rand_bytes.buff != NULL; + ret &= setup_drbg(&rand_drbg); + ret &= setup_drbg(&priv_drbg); return ret; } + void rand_cleanup_int(void) { const RAND_METHOD *meth = default_RAND_meth; @@ -217,9 +237,9 @@ void rand_cleanup_int(void) #endif CRYPTO_THREAD_lock_free(rand_meth_lock); CRYPTO_THREAD_lock_free(rand_bytes.lock); - OPENSSL_clear_free(rand_drbg.randomness, rand_drbg.size); - CRYPTO_THREAD_lock_free(rand_drbg.lock); - RAND_DRBG_uninstantiate(&rand_drbg); + OPENSSL_clear_free(rand_bytes.buff, rand_bytes.size); + free_drbg(&rand_drbg); + free_drbg(&priv_drbg); } /* @@ -323,6 +343,25 @@ void RAND_add(const void *buf, int num, double randomness) meth->add(buf, num, randomness); } +/* + * This function is not part of RAND_METHOD, so if we're not using + * the default method, then just call RAND_bytes(). Otherwise make + * sure we're instantiated and use the private DRBG. + */ +int RAND_priv_bytes(unsigned char *buf, int num) +{ + const RAND_METHOD *meth = RAND_get_rand_method(); + + if (meth != RAND_OpenSSL()) + return RAND_bytes(buf, num); + + if (priv_drbg.state == DRBG_UNINITIALISED + && RAND_DRBG_instantiate(&priv_drbg, NULL, 0) == 0) + return 0; + return RAND_DRBG_generate(&priv_drbg, buf, num, 0, NULL, 0); + +} + int RAND_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); |