kris
/
boringssl
1
0
Fork 0
Código Incidencias 0 Pull Requests 0 Lanzamientos 0 Wiki Actividad
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.
528 Commits
12 Ramas
38 MiB
 
 
 
 
 
 
Árbol: f4b4952719
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde 'f4b4952719'
${ noResults }
boringssl/crypto/bn/random.c

326 líneas
11 KiB
Original Blame Histórico 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. 

  109. #include <openssl/bn.h>

  110. 

  111. #include <openssl/err.h>

  112. #include <openssl/mem.h>

  113. #include <openssl/rand.h>

  114. #include <openssl/sha.h>

  115. 

  116. int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {

  117.   uint8_t *buf = NULL;

  118.   int ret = 0, bit, bytes, mask;

  119. 

  120.   if (rnd == NULL) {

  121.     return 0;

  122.   }

  123. 

  124.   if (bits == 0) {

  125.     BN_zero(rnd);

  126.     return 1;

  127.   }

  128. 

  129.   bytes = (bits + 7) / 8;

  130.   bit = (bits - 1) % 8;

  131.   mask = 0xff << (bit + 1);

  132. 

  133.   buf = OPENSSL_malloc(bytes);

  134.   if (buf == NULL) {

  135.     OPENSSL_PUT_ERROR(BN, BN_rand, ERR_R_MALLOC_FAILURE);

  136.     goto err;

  137.   }

  138. 

  139.   /* make a random number and set the top and bottom bits */

  140.   if (RAND_pseudo_bytes(buf, bytes) <= 0)

  141.     goto err;

  142. 

  143.   if (top != -1) {

  144.     if (top) {

  145.       if (bit == 0) {

  146.         buf[0] = 1;

  147.         buf[1] |= 0x80;

  148.       } else {

  149.         buf[0] |= (3 << (bit - 1));

  150.       }

  151.     } else {

  152.       buf[0] |= (1 << bit);

  153.     }

  154.   }

  155. 

  156.   buf[0] &= ~mask;

  157. 

  158.   /* set bottom bit if requested */

  159.   if (bottom)  {

  160.     buf[bytes - 1] |= 1;

  161.   }

  162. 

  163.   if (!BN_bin2bn(buf, bytes, rnd)) {

  164.     goto err;

  165.   }

  166. 

  167.   ret = 1;

  168. 

  169. err:

  170.   if (buf != NULL) {

  171.     OPENSSL_cleanse(buf, bytes);

  172.     OPENSSL_free(buf);

  173.   }

  174.   return (ret);

  175. }

  176. 

  177. int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {

  178.   return BN_rand(rnd, bits, top, bottom);

  179. }

  180. 

  181. int BN_rand_range(BIGNUM *r, const BIGNUM *range) {

  182.   unsigned n;

  183.   unsigned count = 100;

  184. 

  185.   if (range->neg || BN_is_zero(range)) {

  186.     OPENSSL_PUT_ERROR(BN, BN_rand_range, BN_R_INVALID_RANGE);

  187.     return 0;

  188.   }

  189. 

  190.   n = BN_num_bits(range); /* n > 0 */

  191. 

  192.   /* BN_is_bit_set(range, n - 1) always holds */

  193.   if (n == 1) {

  194.     BN_zero(r);

  195.   } else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) {

  196.     /* range = 100..._2,

  197.      * so  3*range (= 11..._2)  is exactly one bit longer than  range */

  198.     do {

  199.       if (!BN_rand(r, n + 1, -1 /* don't set most significant bits */,

  200.                    0 /* don't set least significant bits */)) {

  201.         return 0;

  202.       }

  203. 

  204.       /* If r < 3*range, use r := r MOD range (which is either r, r - range, or

  205.        * r - 2*range). Otherwise, iterate again. Since 3*range = 11..._2, each

  206.        * iteration succeeds with probability >= .75. */

  207.       if (BN_cmp(r, range) >= 0) {

  208.         if (!BN_sub(r, r, range)) {

  209.           return 0;

  210.         }

  211.         if (BN_cmp(r, range) >= 0) {

  212.           if (!BN_sub(r, r, range)) {

  213.             return 0;

  214.           }

  215.         }

  216.       }

  217. 

  218.       if (!--count) {

  219.         OPENSSL_PUT_ERROR(BN, BN_rand_range, BN_R_TOO_MANY_ITERATIONS);

  220.         return 0;

  221.       }

  222.     } while (BN_cmp(r, range) >= 0);

  223.   } else {

  224.     do {

  225.       /* range = 11..._2  or  range = 101..._2 */

  226.       if (!BN_rand(r, n, -1, 0)) {

  227.         return 0;

  228.       }

  229. 

  230.       if (!--count) {

  231.         OPENSSL_PUT_ERROR(BN, BN_rand_range, BN_R_TOO_MANY_ITERATIONS);

  232.         return 0;

  233.       }

  234.     } while (BN_cmp(r, range) >= 0);

  235.   }

  236. 

  237.   return 1;

  238. }

  239. 

  240. int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {

  241.   return BN_rand_range(r, range);

  242. }

  243. 

  244. int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,

  245.                           const uint8_t *message, size_t message_len,

  246.                           BN_CTX *ctx) {

  247.   SHA512_CTX sha;

  248.   /* We use 512 bits of random data per iteration to

  249.    * ensure that we have at least |range| bits of randomness. */

  250.   uint8_t random_bytes[64];

  251.   uint8_t digest[SHA512_DIGEST_LENGTH];

  252.   size_t done, todo, attempt;

  253.   const unsigned num_k_bytes = BN_num_bytes(range);

  254.   const unsigned bits_to_mask = (8 - (BN_num_bits(range) % 8)) % 8;

  255.   uint8_t private_bytes[96];

  256.   uint8_t *k_bytes = NULL;

  257.   int ret = 0;

  258. 

  259.   if (out == NULL) {

  260.     return 0;

  261.   }

  262. 

  263.   if (BN_is_zero(range)) {

  264.     OPENSSL_PUT_ERROR(BN, BN_generate_dsa_nonce, BN_R_DIV_BY_ZERO);

  265.     goto err;

  266.   }

  267. 

  268.   k_bytes = OPENSSL_malloc(num_k_bytes);

  269.   if (!k_bytes) {

  270.     OPENSSL_PUT_ERROR(BN, BN_generate_dsa_nonce, ERR_R_MALLOC_FAILURE);

  271.     goto err;

  272.   }

  273. 

  274.   /* We copy |priv| into a local buffer to avoid furthur exposing its

  275.    * length. */

  276.   todo = sizeof(priv->d[0]) * priv->top;

  277.   if (todo > sizeof(private_bytes)) {

  278.     /* No reasonable DSA or ECDSA key should have a private key

  279.      * this large and we don't handle this case in order to avoid

  280.      * leaking the length of the private key. */

  281.     OPENSSL_PUT_ERROR(BN, BN_generate_dsa_nonce, BN_R_PRIVATE_KEY_TOO_LARGE);

  282.     goto err;

  283.   }

  284.   memcpy(private_bytes, priv->d, todo);

  285.   memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);

  286. 

  287.   for (attempt = 0;; attempt++) {

  288.     for (done = 0; done < num_k_bytes;) {

  289.       if (RAND_pseudo_bytes(random_bytes, sizeof(random_bytes)) != 1) {

  290.         goto err;

  291.       }

  292.       SHA512_Init(&sha);

  293.       SHA512_Update(&sha, &attempt, sizeof(attempt));

  294.       SHA512_Update(&sha, &done, sizeof(done));

  295.       SHA512_Update(&sha, private_bytes, sizeof(private_bytes));

  296.       SHA512_Update(&sha, message, message_len);

  297.       SHA512_Update(&sha, random_bytes, sizeof(random_bytes));

  298.       SHA512_Final(digest, &sha);

  299. 

  300.       todo = num_k_bytes - done;

  301.       if (todo > SHA512_DIGEST_LENGTH) {

  302.         todo = SHA512_DIGEST_LENGTH;

  303.       }

  304.       memcpy(k_bytes + done, digest, todo);

  305.       done += todo;

  306.     }

  307. 

  308.     k_bytes[0] &= 0xff >> bits_to_mask;

  309. 

  310.     if (!BN_bin2bn(k_bytes, num_k_bytes, out)) {

  311.       goto err;

  312.     }

  313.     if (BN_cmp(out, range) < 0) {

  314.       break;

  315.     }

  316.   }

  317. 

  318.   ret = 1;

  319. 

  320. err:

  321.   if (k_bytes) {

  322.     OPENSSL_free(k_bytes);

  323.   }

  324.   return ret;

  325. }