boringssl/crypto/fipsmodule/bn/random.c

342 lines
12 KiB
C
Raw Normal View History

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
#include <openssl/bn.h>
#include <limits.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/type_check.h>
#include "internal.h"
#include "../../internal.h"
#include "../rand/internal.h"
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
if (rnd == NULL) {
return 0;
}
if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
top != BN_RAND_TOP_TWO) {
OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (bits == 0) {
BN_zero(rnd);
return 1;
}
if (bits > INT_MAX - (BN_BITS2 - 1)) {
OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
return 0;
}
int words = (bits + BN_BITS2 - 1) / BN_BITS2;
int bit = (bits - 1) % BN_BITS2;
const BN_ULONG kOne = 1;
const BN_ULONG kThree = 3;
BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;
if (!bn_wexpand(rnd, words)) {
return 0;
}
RAND_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
rnd->d[words - 1] &= mask;
if (top != BN_RAND_TOP_ANY) {
if (top == BN_RAND_TOP_TWO && bits > 1) {
if (bit == 0) {
rnd->d[words - 1] |= 1;
rnd->d[words - 2] |= kOne << (BN_BITS2 - 1);
} else {
rnd->d[words - 1] |= kThree << (bit - 1);
}
} else {
rnd->d[words - 1] |= kOne << bit;
}
}
if (bottom == BN_RAND_BOTTOM_ODD) {
rnd->d[0] |= 1;
}
rnd->neg = 0;
rnd->width = words;
return 1;
}
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
return BN_rand(rnd, bits, top, bottom);
}
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
// bn_less_than_word_mask returns a mask of all ones if the number represented
// by |len| words at |a| is less than |b| and zero otherwise. It performs this
// computation in time independent of the value of |a|. |b| is assumed public.
static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,
BN_ULONG b) {
if (b == 0) {
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
return CONSTTIME_FALSE_W;
}
if (len == 0) {
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
return CONSTTIME_TRUE_W;
}
// |a| < |b| iff a[1..len-1] are all zero and a[0] < b.
OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
"crypto_word_t is too small");
crypto_word_t mask = 0;
for (size_t i = 1; i < len; i++) {
mask |= a[i];
}
// |mask| is now zero iff a[1..len-1] are all zero.
mask = constant_time_is_zero_w(mask);
mask &= constant_time_lt_w(a[0], b);
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
return mask;
}
int bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,
const BN_ULONG *max_exclusive, size_t len) {
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);
return mask & bn_less_than_words(a, max_exclusive, len);
}
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask,
size_t min_inclusive, const BN_ULONG *max_exclusive,
size_t len) {
// The magnitude of |max_exclusive| is assumed public.
size_t words = len;
while (words > 0 && max_exclusive[words - 1] == 0) {
words--;
}
if (words == 0 ||
(words == 1 && max_exclusive[0] <= min_inclusive)) {
OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
return 0;
}
BN_ULONG mask = max_exclusive[words - 1];
// This sets all bits in |mask| below the most significant bit.
mask |= mask >> 1;
mask |= mask >> 2;
mask |= mask >> 4;
mask |= mask >> 8;
mask |= mask >> 16;
#if defined(OPENSSL_64_BIT)
mask |= mask >> 32;
#endif
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
*out_words = words;
*out_mask = mask;
return 1;
}
int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
const BN_ULONG *max_exclusive, size_t len,
const uint8_t additional_data[32]) {
// This function implements the equivalent of steps 4 through 7 of FIPS 186-4
// appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
// is n and |min_inclusive| is one.
// Compute the bit length of |max_exclusive| (step 1), in terms of a number of
// |words| worth of entropy to fill and a mask of bits to clear in the top
// word.
size_t words;
BN_ULONG mask;
if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {
return 0;
}
// Fill any unused words with zero.
OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));
unsigned count = 100;
do {
if (!--count) {
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
return 0;
}
// Steps 4 and 5. Use |words| and |mask| together to obtain a string of N
// bits, where N is the bit length of |max_exclusive|.
RAND_bytes_with_additional_data((uint8_t *)out, words * sizeof(BN_ULONG),
additional_data);
out[words - 1] &= mask;
// If out >= max_exclusive or out < min_inclusive, retry. This implements
// the equivalent of steps 6 and 7 without leaking the value of |out|.
} while (!bn_in_range_words(out, min_inclusive, max_exclusive, words));
return 1;
}
Make ECDSA signing 10% faster and plug some timing leaks. None of the asymmetric crypto we inherented from OpenSSL is constant-time because of BIGNUM. BIGNUM chops leading zeros off the front of everything, so we end up leaking information about the first word, in theory. BIGNUM functions additionally tend to take the full range of inputs and then call into BN_nnmod at various points. All our secret values should be acted on in constant-time, but k in ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an attempt to mitigate the BIGNUM leaks, would add a couple copies of the order. This does not work at all. k is used to compute two values: k^-1 and kG. The first operation when computing k^-1 is to call BN_nnmod if k is out of range. The entry point to our tuned constant-time curve implementations is to call BN_nnmod if the scalar has too many bits, which this causes. The result is both corrections are immediately undone but cause us to do more variable-time work in the meantime. Replace all these computations around k with the word-based functions added in the various preceding CLs. In doing so, replace the BN_mod_mul calls (which internally call BN_nnmod) with Montgomery reduction. We can avoid taking k^-1 out of Montgomery form, which combines nicely with Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along the way, we avoid some unnecessary mallocs. BIGNUM still affects the private key itself, as well as the EC_POINTs. But this should hopefully be much better now. Also it's 10% faster: Before: Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec) Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec) Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec) Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec) After: Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec) Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec) Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec) Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec) Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1 Reviewed-on: https://boringssl-review.googlesource.com/23075 Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
const BIGNUM *max_exclusive) {
static const uint8_t kDefaultAdditionalData[32] = {0};
if (!bn_wexpand(r, max_exclusive->width) ||
!bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,
max_exclusive->width, kDefaultAdditionalData)) {
return 0;
}
r->neg = 0;
r->width = max_exclusive->width;
return 1;
}
Blind the range check for finding a Rabin-Miller witness. Rabin-Miller requires selecting a random number from 2 to |w|-1. This is done by picking an N-bit number and discarding out-of-range values. This leaks information about |w|, so apply blinding. Rather than discard bad values, adjust them to be in range. Though not uniformly selected, these adjusted values are still usable as Rabin-Miller checks. Rabin-Miller is already probabilistic, so we could reach the desired confidence levels by just suitably increasing the iteration count. However, to align with FIPS 186-4, we use a more pessimal analysis: we do not count the non-uniform values towards the iteration count. As a result, this function is more complex and has more timing risk than necessary. We count both total iterations and uniform ones and iterate until we've reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. If the latter is large enough, it will be the limiting factor with high probability and we won't leak information. Note this blinding does not impact most calls when picking primes because composites are rejected early. Only the two secret primes see extra work. So while this does make the BNTest.PrimeChecking test take about 2x longer to run on debug mode, RSA key generation time is fine. Another, perhaps simpler, option here would have to run bn_rand_range_words to the full 100 count, select an arbitrary successful try, and declare failure of the entire keygen process (as we do already) if all tries failed. I went with the option in this CL because I happened to come up with it first, and because the failure probability decreases much faster. Additionally, the option in this CL does not affect composite numbers, while the alternate would. This gives a smaller multiplier on our entropy draw. We also continue to use the "wasted" work for stronger assurance on primality. FIPS' numbers are remarkably low, considering the increase has negligible cost. Thanks to Nathan Benjamin for helping me explore the failure rate as the target count and blinding count change. Now we're down to the rest of RSA keygen, which will require all the operations we've traditionally just avoided in constant-time code! Median of 29 RSA keygens: 0m0.169s -> 0m0.298s (Accuracy beyond 0.1s is questionable. The runs at subsequent test- and rename-only CLs were 0m0.217s, 0m0.245s, 0m0.244s, 0m0.247s.) Bug: 238 Change-Id: Id6406c3020f2585b86946eb17df64ac42f30ebab Reviewed-on: https://boringssl-review.googlesource.com/25890 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-02-05 04:48:36 +00:00
int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
const BIGNUM *max_exclusive) {
size_t words;
BN_ULONG mask;
if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,
max_exclusive->width) ||
!bn_wexpand(r, words)) {
return 0;
}
assert(words > 0);
assert(mask != 0);
// The range must be large enough for bit tricks to fix invalid values.
if (words == 1 && min_inclusive > mask >> 1) {
OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
return 0;
}
// Select a uniform random number with num_bits(max_exclusive) bits.
RAND_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
r->d[words - 1] &= mask;
// Check, in constant-time, if the value is in range.
*out_is_uniform =
bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);
crypto_word_t in_range = *out_is_uniform;
in_range = 0 - in_range;
// If the value is not in range, force it to be in range.
r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);
r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
assert(bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
r->neg = 0;
r->width = words;
return 1;
}
int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
return BN_rand_range_ex(r, 0, range);
}
int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {
return BN_rand_range(r, range);
}