Make the bn_rand_interval() API a bit more ergonomic

Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing
author: tb <> 2023-08-03 18:53:56 +0000
committer: tb <> 2023-08-03 18:53:56 +0000
commit: e680fe5b2098d1406fab3bb3994254f026651090 (patch)
tree: 3779d2c9bdc12cd8a0d0eb7981bf515d6e27b344
parent: 9110c93cd11bc18d800c645352c10a57e2ceea4b (diff)
download: openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.gz
openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.bz2
openbsd-e680fe5b2098d1406fab3bb3994254f026651090.zip
11 files changed, 57 insertions, 52 deletions
diff --git a/src/lib/libcrypto/bn/bn_bpsw.c b/src/lib/libcrypto/bn/bn_bpsw.c
index 82a4e87146..14f2800ad3 100644
--- a/src/lib/libcrypto/bn/bn_bpsw.c
+++ b/src/lib/libcrypto/bn/bn_bpsw.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_bpsw.c,v 1.10 2023/05/10 21:05:24 tb Exp $ */
+/*      $OpenBSD: bn_bpsw.c,v 1.11 2023/08/03 18:53:55 tb Exp $ */
 /*
 * Copyright (c) 2022 Martin Grenouilloux <martin.grenouilloux@lse.epita.fr>
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -385,7 +385,7 @@ bn_miller_rabin(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx,
    size_t rounds)
 {
        BN_MONT_CTX *mctx = NULL;
-        BIGNUM *base, *k, *n_minus_one, *three;
+        BIGNUM *base, *k, *n_minus_one;
        size_t i;
        int s;
        int ret = 0;
@@ -398,8 +398,6 @@ bn_miller_rabin(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx,
                goto err;
        if ((n_minus_one = BN_CTX_get(ctx)) == NULL)
                goto err;
-        if ((three = BN_CTX_get(ctx)) == NULL)
-                goto err;
        if (BN_is_word(n, 2) || BN_is_word(n, 3)) {
                *is_pseudoprime = 1;
@@ -451,11 +449,8 @@ bn_miller_rabin(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx,
         * risk of false positives in BPSW.
         */
-        if (!BN_set_word(three, 3))
-                goto err;
        for (i = 0; i < rounds; i++) {
-                if (!bn_rand_interval(base, three, n_minus_one))
+                if (!bn_rand_interval(base, 3, n_minus_one))
                        goto err;
                if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx,
diff --git a/src/lib/libcrypto/bn/bn_local.h b/src/lib/libcrypto/bn/bn_local.h
index 9447ed4f4c..5b7e852d70 100644
--- a/src/lib/libcrypto/bn/bn_local.h
+++ b/src/lib/libcrypto/bn/bn_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_local.h,v 1.32 2023/08/02 08:44:38 tb Exp $ */
+/* $OpenBSD: bn_local.h,v 1.33 2023/08/03 18:53:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -274,7 +274,8 @@ void bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q,
    BN_ULONG *out_r);
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
-int bn_rand_interval(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc);
+int bn_rand_in_range(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc);
+int bn_rand_interval(BIGNUM *rnd, BN_ULONG lower_word, const BIGNUM *upper_exc);
 void    BN_init(BIGNUM *);
diff --git a/src/lib/libcrypto/bn/bn_mod_sqrt.c b/src/lib/libcrypto/bn/bn_mod_sqrt.c
index bdd5b2cdba..280002cc48 100644
--- a/src/lib/libcrypto/bn/bn_mod_sqrt.c
+++ b/src/lib/libcrypto/bn/bn_mod_sqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_mod_sqrt.c,v 1.2 2023/07/08 12:21:58 beck Exp $ */
+/*      $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -237,7 +237,7 @@ static int
 bn_mod_sqrt_find_sylow_generator(BIGNUM *out_generator, const BIGNUM *p,
    const BIGNUM *q, BN_CTX *ctx)
 {
-        BIGNUM *n, *p_abs, *thirty_two;
+        BIGNUM *n, *p_abs;
        int i, is_non_residue;
        int ret = 0;
@@ -245,8 +245,6 @@ bn_mod_sqrt_find_sylow_generator(BIGNUM *out_generator, const BIGNUM *p,
        if ((n = BN_CTX_get(ctx)) == NULL)
                goto err;
-        if ((thirty_two = BN_CTX_get(ctx)) == NULL)
-                goto err;
        if ((p_abs = BN_CTX_get(ctx)) == NULL)
                goto err;
@@ -259,14 +257,12 @@ bn_mod_sqrt_find_sylow_generator(BIGNUM *out_generator, const BIGNUM *p,
                        goto found;
        }
-        if (!BN_set_word(thirty_two, 32))
-                goto err;
        if (!bn_copy(p_abs, p))
                goto err;
        BN_set_negative(p_abs, 0);
        for (i = 0; i < 128; i++) {
-                if (!bn_rand_interval(n, thirty_two, p_abs))
+                if (!bn_rand_interval(n, 32, p_abs))
                        goto err;
                if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx))
                        goto err;
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index f68913473f..a5b163c820 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.28 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.29 2023/08/03 18:53:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -284,29 +284,46 @@ BN_rand_range(BIGNUM *r, const BIGNUM *range)
 LCRYPTO_ALIAS(BN_rand_range);
 int
-bn_rand_interval(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc)
+bn_rand_in_range(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc)
 {
-        BIGNUM *len = NULL;
+        BIGNUM *len;
        int ret = 0;
-        if (BN_cmp(lower_inc, upper_exc) >= 0)
-                goto err;
        if ((len = BN_new()) == NULL)
                goto err;
        if (!BN_sub(len, upper_exc, lower_inc))
                goto err;
+        if (!BN_rand_range(rnd, len))
-        if (!bn_rand_range(0, rnd, len))
                goto err;
        if (!BN_add(rnd, rnd, lower_inc))
                goto err;
        ret = 1;
 err:
        BN_free(len);
+        return ret;
+}
+int
+bn_rand_interval(BIGNUM *rnd, BN_ULONG lower_word, const BIGNUM *upper_exc)
+{
+        BIGNUM *lower_inc = NULL;
+        int ret = 0;
+        if ((lower_inc = BN_new()) == NULL)
+                goto err;
+        if (!BN_set_word(lower_inc, lower_word))
+                goto err;
+        if (!bn_rand_in_range(rnd, lower_inc, upper_exc))
+                goto err;
+        ret = 1;
+ err:
+        BN_free(lower_inc);
        return ret;
 }
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index a4bd689483..050d1143f8 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */
+/* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -109,7 +109,7 @@ generate_key(DH *dh)
        unsigned l;
        BN_CTX *ctx;
        BN_MONT_CTX *mont = NULL;
-        BIGNUM *pub_key = NULL, *priv_key = NULL, *two = NULL;
+        BIGNUM *pub_key = NULL, *priv_key = NULL;
        if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
                DHerror(DH_R_MODULUS_TOO_LARGE);
@@ -139,11 +139,7 @@ generate_key(DH *dh)
        if (dh->priv_key == NULL) {
                if (dh->q) {
-                        if ((two = BN_new()) == NULL)
+                        if (!bn_rand_interval(priv_key, 2, dh->q))
-                                goto err;
-                        if (!BN_add(two, BN_value_one(), BN_value_one()))
-                                goto err;
-                        if (!bn_rand_interval(priv_key, two, dh->q))
                                goto err;
                } else {
                        /* secret exponent length */
@@ -169,7 +165,7 @@ generate_key(DH *dh)
        if (dh->priv_key == NULL)
                BN_free(priv_key);
        BN_CTX_free(ctx);
-        BN_free(two);
        return ok;
 }
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index c378707e36..431748ab75 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_key.c,v 1.34 2023/07/08 14:28:15 beck Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.35 2023/08/03 18:53:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -95,7 +95,7 @@ dsa_builtin_keygen(DSA *dsa)
        if ((ctx = BN_CTX_new()) == NULL)
                goto err;
-        if (!bn_rand_interval(priv_key, BN_value_one(), dsa->q))
+        if (!bn_rand_interval(priv_key, 1, dsa->q))
                goto err;
        if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx))
                goto err;
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 36b2a63462..b92d0b8cee 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.52 2023/07/08 14:28:15 beck Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.53 2023/08/03 18:53:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -172,7 +172,7 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         *
         * Where b is a random value in the range [1, q).
         */
-        if (!bn_rand_interval(b, BN_value_one(), dsa->q))
+        if (!bn_rand_interval(b, 1, dsa->q))
                goto err;
        if (BN_mod_inverse_ct(binv, b, dsa->q, ctx) == NULL)
                goto err;
@@ -261,7 +261,7 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
            !BN_set_bit(m, q_bits))
                goto err;
-        if (!bn_rand_interval(k, BN_value_one(), dsa->q))
+        if (!bn_rand_interval(k, 1, dsa->q))
                goto err;
        BN_set_flags(k, BN_FLG_CONSTTIME);
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index e5ff189803..d9ddd5d797 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.36 2023/07/07 13:54:45 beck Exp $ */
+/* $OpenBSD: ec_key.c,v 1.37 2023/08/03 18:53:56 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -269,7 +269,7 @@ ec_key_gen(EC_KEY *eckey)
        if ((order = EC_GROUP_get0_order(eckey->group)) == NULL)
                goto err;
-        if (!bn_rand_interval(priv_key, BN_value_one(), order))
+        if (!bn_rand_interval(priv_key, 1, order))
                goto err;
        if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, NULL))
                goto err;
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index de1f9a3472..018aedfd4e 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.55 2023/07/26 17:15:25 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.56 2023/08/03 18:53:56 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1227,7 +1227,7 @@ ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
                goto err;
        /* Generate lambda in [1, group->field). */
-        if (!bn_rand_interval(lambda, BN_value_one(), &group->field))
+        if (!bn_rand_interval(lambda, 1, &group->field))
                goto err;
        if (group->meth->field_encode != NULL &&
diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c
index 1252ab2a43..8160014b3b 100644
--- a/src/lib/libcrypto/ecdsa/ecdsa.c
+++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.16 2023/07/28 09:18:10 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -338,7 +338,7 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
        /* Step 11: repeat until r != 0. */
        do {
                /* Step 3: generate random k. */
-                if (!bn_rand_interval(k, BN_value_one(), order))
+                if (!bn_rand_interval(k, 1, order))
                        goto err;
                /*
@@ -472,7 +472,7 @@ ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *e, const BIGNUM *kinv,
                goto err;
        }
-        if (!bn_rand_interval(b, BN_value_one(), order)) {
+        if (!bn_rand_interval(b, 1, order)) {
                ECerror(ERR_R_BN_LIB);
                goto err;
        }
diff --git a/src/regress/lib/libcrypto/bn/bn_isqrt.c b/src/regress/lib/libcrypto/bn/bn_isqrt.c
index 2663bb74e9..d8a2d2755f 100644
--- a/src/regress/lib/libcrypto/bn/bn_isqrt.c
+++ b/src/regress/lib/libcrypto/bn/bn_isqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_isqrt.c,v 1.3 2023/03/08 06:28:08 tb Exp $ */
+/*      $OpenBSD: bn_isqrt.c,v 1.4 2023/08/03 18:53:56 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 *
@@ -194,8 +194,8 @@ isqrt_test(void)
        if (!BN_set_bit(upper, UPPER_BITS))
                errx(1, "BN_set_bit(upper, %d)", UPPER_BITS);
-        if (!bn_rand_interval(n, lower, upper))
+        if (!bn_rand_in_range(n, lower, upper))
-                errx(1, "bn_rand_interval n");
+                errx(1, "bn_rand_in_range n");
        /* n_sqr = n^2 */
        if (!BN_sqr(n_sqr, n, ctx))
@@ -246,8 +246,8 @@ isqrt_test(void)
         */
        for (i = 0; i < N_TESTS; i++) {
-                if (!bn_rand_interval(testcase, n_sqr, upper))
+                if (!bn_rand_in_range(testcase, n_sqr, upper))
-                        errx(1, "bn_rand_interval testcase");
+                        errx(1, "bn_rand_in_range testcase");
                if (!bn_isqrt(isqrt, &is_perfect_square, testcase, ctx))
                        errx(1, "bn_isqrt testcase");
author	tb <>	2023-08-03 18:53:56 +0000
committer	tb <>	2023-08-03 18:53:56 +0000
commit	e680fe5b2098d1406fab3bb3994254f026651090 (patch)
tree	3779d2c9bdc12cd8a0d0eb7981bf515d6e27b344
parent	9110c93cd11bc18d800c645352c10a57e2ceea4b (diff)
download	openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.gz openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.bz2 openbsd-e680fe5b2098d1406fab3bb3994254f026651090.zip

diff --git a/src/lib/libcrypto/bn/bn_bpsw.c b/src/lib/libcrypto/bn/bn_bpsw.c index 82a4e87146..14f2800ad3 100644 --- a/src/lib/libcrypto/bn/bn_bpsw.c +++ b/src/lib/libcrypto/bn/bn_bpsw.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_bpsw.c,v 1.10 2023/05/10 21:05:24 tb Exp $ */	1	/* $OpenBSD: bn_bpsw.c,v 1.11 2023/08/03 18:53:55 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2022 Martin Grenouilloux <martin.grenouilloux@lse.epita.fr>	3	* Copyright (c) 2022 Martin Grenouilloux <martin.grenouilloux@lse.epita.fr>
4	* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -385,7 +385,7 @@ bn_miller_rabin(int is_pseudoprime, const BIGNUM n, BN_CTX *ctx,
385	size_t rounds)	385	size_t rounds)
386	{	386	{
387	BN_MONT_CTX *mctx = NULL;	387	BN_MONT_CTX *mctx = NULL;
388	BIGNUM base, k, n_minus_one, three;	388	BIGNUM base, k, *n_minus_one;
389	size_t i;	389	size_t i;
390	int s;	390	int s;
391	int ret = 0;	391	int ret = 0;
@@ -398,8 +398,6 @@ bn_miller_rabin(int is_pseudoprime, const BIGNUM n, BN_CTX *ctx,
398	goto err;	398	goto err;
399	if ((n_minus_one = BN_CTX_get(ctx)) == NULL)	399	if ((n_minus_one = BN_CTX_get(ctx)) == NULL)
400	goto err;	400	goto err;
401	if ((three = BN_CTX_get(ctx)) == NULL)
402	goto err;
403		401
404	if (BN_is_word(n, 2) \|\| BN_is_word(n, 3)) {	402	if (BN_is_word(n, 2) \|\| BN_is_word(n, 3)) {
405	*is_pseudoprime = 1;	403	*is_pseudoprime = 1;
@@ -451,11 +449,8 @@ bn_miller_rabin(int is_pseudoprime, const BIGNUM n, BN_CTX *ctx,
451	* risk of false positives in BPSW.	449	* risk of false positives in BPSW.
452	*/	450	*/
453		451
454	if (!BN_set_word(three, 3))
455	goto err;
456
457	for (i = 0; i < rounds; i++) {	452	for (i = 0; i < rounds; i++) {
458	if (!bn_rand_interval(base, three, n_minus_one))	453	if (!bn_rand_interval(base, 3, n_minus_one))
459	goto err;	454	goto err;
460		455
461	if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx,	456	if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx,


diff --git a/src/lib/libcrypto/bn/bn_local.h b/src/lib/libcrypto/bn/bn_local.h index 9447ed4f4c..5b7e852d70 100644 --- a/src/lib/libcrypto/bn/bn_local.h +++ b/src/lib/libcrypto/bn/bn_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_local.h,v 1.32 2023/08/02 08:44:38 tb Exp $ */	1	/* $OpenBSD: bn_local.h,v 1.33 2023/08/03 18:53:55 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -274,7 +274,8 @@ void bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q,
274	BN_ULONG *out_r);	274	BN_ULONG *out_r);
275		275
276	int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);	276	int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
277	int bn_rand_interval(BIGNUM rnd, const BIGNUM lower_inc, const BIGNUM *upper_exc);	277	int bn_rand_in_range(BIGNUM rnd, const BIGNUM lower_inc, const BIGNUM *upper_exc);
		278	int bn_rand_interval(BIGNUM rnd, BN_ULONG lower_word, const BIGNUM upper_exc);
278		279
279	void BN_init(BIGNUM *);	280	void BN_init(BIGNUM *);
280		281


diff --git a/src/lib/libcrypto/bn/bn_mod_sqrt.c b/src/lib/libcrypto/bn/bn_mod_sqrt.c index bdd5b2cdba..280002cc48 100644 --- a/src/lib/libcrypto/bn/bn_mod_sqrt.c +++ b/src/lib/libcrypto/bn/bn_mod_sqrt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_mod_sqrt.c,v 1.2 2023/07/08 12:21:58 beck Exp $ */	1	/* $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -237,7 +237,7 @@ static int
237	bn_mod_sqrt_find_sylow_generator(BIGNUM out_generator, const BIGNUM p,	237	bn_mod_sqrt_find_sylow_generator(BIGNUM out_generator, const BIGNUM p,
238	const BIGNUM q, BN_CTX ctx)	238	const BIGNUM q, BN_CTX ctx)
239	{	239	{
240	BIGNUM n, p_abs, *thirty_two;	240	BIGNUM n, p_abs;
241	int i, is_non_residue;	241	int i, is_non_residue;
242	int ret = 0;	242	int ret = 0;
243		243
@@ -245,8 +245,6 @@ bn_mod_sqrt_find_sylow_generator(BIGNUM out_generator, const BIGNUM p,
245		245
246	if ((n = BN_CTX_get(ctx)) == NULL)	246	if ((n = BN_CTX_get(ctx)) == NULL)
247	goto err;	247	goto err;
248	if ((thirty_two = BN_CTX_get(ctx)) == NULL)
249	goto err;
250	if ((p_abs = BN_CTX_get(ctx)) == NULL)	248	if ((p_abs = BN_CTX_get(ctx)) == NULL)
251	goto err;	249	goto err;
252		250
@@ -259,14 +257,12 @@ bn_mod_sqrt_find_sylow_generator(BIGNUM out_generator, const BIGNUM p,
259	goto found;	257	goto found;
260	}	258	}
261		259
262	if (!BN_set_word(thirty_two, 32))
263	goto err;
264	if (!bn_copy(p_abs, p))	260	if (!bn_copy(p_abs, p))
265	goto err;	261	goto err;
266	BN_set_negative(p_abs, 0);	262	BN_set_negative(p_abs, 0);
267		263
268	for (i = 0; i < 128; i++) {	264	for (i = 0; i < 128; i++) {
269	if (!bn_rand_interval(n, thirty_two, p_abs))	265	if (!bn_rand_interval(n, 32, p_abs))
270	goto err;	266	goto err;
271	if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx))	267	if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx))
272	goto err;	268	goto err;


diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c index f68913473f..a5b163c820 100644 --- a/src/lib/libcrypto/bn/bn_rand.c +++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_rand.c,v 1.28 2023/07/08 12:21:58 beck Exp $ */	1	/* $OpenBSD: bn_rand.c,v 1.29 2023/08/03 18:53:55 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -284,29 +284,46 @@ BN_rand_range(BIGNUM r, const BIGNUM range)
284	LCRYPTO_ALIAS(BN_rand_range);	284	LCRYPTO_ALIAS(BN_rand_range);
285		285
286	int	286	int
287	bn_rand_interval(BIGNUM rnd, const BIGNUM lower_inc, const BIGNUM *upper_exc)	287	bn_rand_in_range(BIGNUM rnd, const BIGNUM lower_inc, const BIGNUM *upper_exc)
288	{	288	{
289	BIGNUM *len = NULL;	289	BIGNUM *len;
290	int ret = 0;	290	int ret = 0;
291		291
292	if (BN_cmp(lower_inc, upper_exc) >= 0)
293	goto err;
294
295	if ((len = BN_new()) == NULL)	292	if ((len = BN_new()) == NULL)
296	goto err;	293	goto err;
297
298	if (!BN_sub(len, upper_exc, lower_inc))	294	if (!BN_sub(len, upper_exc, lower_inc))
299	goto err;	295	goto err;
300		296	if (!BN_rand_range(rnd, len))
301	if (!bn_rand_range(0, rnd, len))
302	goto err;	297	goto err;
303
304	if (!BN_add(rnd, rnd, lower_inc))	298	if (!BN_add(rnd, rnd, lower_inc))
305	goto err;	299	goto err;
306		300
307	ret = 1;	301	ret = 1;
		302
308	err:	303	err:
309	BN_free(len);	304	BN_free(len);
		305
		306	return ret;
		307	}
		308
		309	int
		310	bn_rand_interval(BIGNUM rnd, BN_ULONG lower_word, const BIGNUM upper_exc)
		311	{
		312	BIGNUM *lower_inc = NULL;
		313	int ret = 0;
		314
		315	if ((lower_inc = BN_new()) == NULL)
		316	goto err;
		317	if (!BN_set_word(lower_inc, lower_word))
		318	goto err;
		319	if (!bn_rand_in_range(rnd, lower_inc, upper_exc))
		320	goto err;
		321
		322	ret = 1;
		323
		324	err:
		325	BN_free(lower_inc);
		326
310	return ret;	327	return ret;
311	}	328	}
312		329


diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index a4bd689483..050d1143f8 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dh_key.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */	1	/* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -109,7 +109,7 @@ generate_key(DH *dh)
109	unsigned l;	109	unsigned l;
110	BN_CTX *ctx;	110	BN_CTX *ctx;
111	BN_MONT_CTX *mont = NULL;	111	BN_MONT_CTX *mont = NULL;
112	BIGNUM pub_key = NULL, priv_key = NULL, *two = NULL;	112	BIGNUM pub_key = NULL, priv_key = NULL;
113		113
114	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {	114	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
115	DHerror(DH_R_MODULUS_TOO_LARGE);	115	DHerror(DH_R_MODULUS_TOO_LARGE);
@@ -139,11 +139,7 @@ generate_key(DH *dh)
139		139
140	if (dh->priv_key == NULL) {	140	if (dh->priv_key == NULL) {
141	if (dh->q) {	141	if (dh->q) {
142	if ((two = BN_new()) == NULL)	142	if (!bn_rand_interval(priv_key, 2, dh->q))
143	goto err;
144	if (!BN_add(two, BN_value_one(), BN_value_one()))
145	goto err;
146	if (!bn_rand_interval(priv_key, two, dh->q))
147	goto err;	143	goto err;
148	} else {	144	} else {
149	/* secret exponent length */	145	/* secret exponent length */
@@ -169,7 +165,7 @@ generate_key(DH *dh)
169	if (dh->priv_key == NULL)	165	if (dh->priv_key == NULL)
170	BN_free(priv_key);	166	BN_free(priv_key);
171	BN_CTX_free(ctx);	167	BN_CTX_free(ctx);
172	BN_free(two);	168
173	return ok;	169	return ok;
174	}	170	}
175		171


diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c index c378707e36..431748ab75 100644 --- a/src/lib/libcrypto/dsa/dsa_key.c +++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dsa_key.c,v 1.34 2023/07/08 14:28:15 beck Exp $ */	1	/* $OpenBSD: dsa_key.c,v 1.35 2023/08/03 18:53:55 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -95,7 +95,7 @@ dsa_builtin_keygen(DSA *dsa)
95	if ((ctx = BN_CTX_new()) == NULL)	95	if ((ctx = BN_CTX_new()) == NULL)
96	goto err;	96	goto err;
97		97
98	if (!bn_rand_interval(priv_key, BN_value_one(), dsa->q))	98	if (!bn_rand_interval(priv_key, 1, dsa->q))
99	goto err;	99	goto err;
100	if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx))	100	if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx))
101	goto err;	101	goto err;


diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 36b2a63462..b92d0b8cee 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dsa_ossl.c,v 1.52 2023/07/08 14:28:15 beck Exp $ */	1	/* $OpenBSD: dsa_ossl.c,v 1.53 2023/08/03 18:53:55 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -172,7 +172,7 @@ dsa_do_sign(const unsigned char dgst, int dlen, DSA dsa)
172	*	172	*
173	* Where b is a random value in the range [1, q).	173	* Where b is a random value in the range [1, q).
174	*/	174	*/
175	if (!bn_rand_interval(b, BN_value_one(), dsa->q))	175	if (!bn_rand_interval(b, 1, dsa->q))
176	goto err;	176	goto err;
177	if (BN_mod_inverse_ct(binv, b, dsa->q, ctx) == NULL)	177	if (BN_mod_inverse_ct(binv, b, dsa->q, ctx) == NULL)
178	goto err;	178	goto err;
@@ -261,7 +261,7 @@ dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
261	!BN_set_bit(m, q_bits))	261	!BN_set_bit(m, q_bits))
262	goto err;	262	goto err;
263		263
264	if (!bn_rand_interval(k, BN_value_one(), dsa->q))	264	if (!bn_rand_interval(k, 1, dsa->q))
265	goto err;	265	goto err;
266		266
267	BN_set_flags(k, BN_FLG_CONSTTIME);	267	BN_set_flags(k, BN_FLG_CONSTTIME);


diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c index e5ff189803..d9ddd5d797 100644 --- a/src/lib/libcrypto/ec/ec_key.c +++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_key.c,v 1.36 2023/07/07 13:54:45 beck Exp $ */	1	/* $OpenBSD: ec_key.c,v 1.37 2023/08/03 18:53:56 tb Exp $ */
2	/*	2	/*
3	* Written by Nils Larsch for the OpenSSL project.	3	* Written by Nils Larsch for the OpenSSL project.
4	*/	4	*/
@@ -269,7 +269,7 @@ ec_key_gen(EC_KEY *eckey)
269		269
270	if ((order = EC_GROUP_get0_order(eckey->group)) == NULL)	270	if ((order = EC_GROUP_get0_order(eckey->group)) == NULL)
271	goto err;	271	goto err;
272	if (!bn_rand_interval(priv_key, BN_value_one(), order))	272	if (!bn_rand_interval(priv_key, 1, order))
273	goto err;	273	goto err;
274	if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, NULL))	274	if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, NULL))
275	goto err;	275	goto err;


diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c index de1f9a3472..018aedfd4e 100644 --- a/src/lib/libcrypto/ec/ecp_smpl.c +++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecp_smpl.c,v 1.55 2023/07/26 17:15:25 tb Exp $ */	1	/* $OpenBSD: ecp_smpl.c,v 1.56 2023/08/03 18:53:56 tb Exp $ */
2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>	2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3	* for the OpenSSL project.	3	* for the OpenSSL project.
4	* Includes code written by Bodo Moeller for the OpenSSL project.	4	* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1227,7 +1227,7 @@ ec_GFp_simple_blind_coordinates(const EC_GROUP group, EC_POINT p, BN_CTX *ctx)
1227	goto err;	1227	goto err;
1228		1228
1229	/* Generate lambda in [1, group->field). */	1229	/* Generate lambda in [1, group->field). */
1230	if (!bn_rand_interval(lambda, BN_value_one(), &group->field))	1230	if (!bn_rand_interval(lambda, 1, &group->field))
1231	goto err;	1231	goto err;
1232		1232
1233	if (group->meth->field_encode != NULL &&	1233	if (group->meth->field_encode != NULL &&


diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c index 1252ab2a43..8160014b3b 100644 --- a/src/lib/libcrypto/ecdsa/ecdsa.c +++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecdsa.c,v 1.16 2023/07/28 09:18:10 tb Exp $ */	1	/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -338,7 +338,7 @@ ecdsa_sign_setup(EC_KEY key, BN_CTX in_ctx, BIGNUM out_kinv, BIGNUM out_r)
338	/* Step 11: repeat until r != 0. */	338	/* Step 11: repeat until r != 0. */
339	do {	339	do {
340	/* Step 3: generate random k. */	340	/* Step 3: generate random k. */
341	if (!bn_rand_interval(k, BN_value_one(), order))	341	if (!bn_rand_interval(k, 1, order))
342	goto err;	342	goto err;
343		343
344	/*	344	/*
@@ -472,7 +472,7 @@ ecdsa_compute_s(BIGNUM *out_s, const BIGNUM e, const BIGNUM *kinv,
472	goto err;	472	goto err;
473	}	473	}
474		474
475	if (!bn_rand_interval(b, BN_value_one(), order)) {	475	if (!bn_rand_interval(b, 1, order)) {
476	ECerror(ERR_R_BN_LIB);	476	ECerror(ERR_R_BN_LIB);
477	goto err;	477	goto err;
478	}	478	}


diff --git a/src/regress/lib/libcrypto/bn/bn_isqrt.c b/src/regress/lib/libcrypto/bn/bn_isqrt.c index 2663bb74e9..d8a2d2755f 100644 --- a/src/regress/lib/libcrypto/bn/bn_isqrt.c +++ b/src/regress/lib/libcrypto/bn/bn_isqrt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_isqrt.c,v 1.3 2023/03/08 06:28:08 tb Exp $ */	1	/* $OpenBSD: bn_isqrt.c,v 1.4 2023/08/03 18:53:56 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
4	*	4	*
@@ -194,8 +194,8 @@ isqrt_test(void)
194	if (!BN_set_bit(upper, UPPER_BITS))	194	if (!BN_set_bit(upper, UPPER_BITS))
195	errx(1, "BN_set_bit(upper, %d)", UPPER_BITS);	195	errx(1, "BN_set_bit(upper, %d)", UPPER_BITS);
196		196
197	if (!bn_rand_interval(n, lower, upper))	197	if (!bn_rand_in_range(n, lower, upper))
198	errx(1, "bn_rand_interval n");	198	errx(1, "bn_rand_in_range n");
199		199
200	/* n_sqr = n^2 */	200	/* n_sqr = n^2 */
201	if (!BN_sqr(n_sqr, n, ctx))	201	if (!BN_sqr(n_sqr, n, ctx))
@@ -246,8 +246,8 @@ isqrt_test(void)
246	*/	246	*/
247		247
248	for (i = 0; i < N_TESTS; i++) {	248	for (i = 0; i < N_TESTS; i++) {
249	if (!bn_rand_interval(testcase, n_sqr, upper))	249	if (!bn_rand_in_range(testcase, n_sqr, upper))
250	errx(1, "bn_rand_interval testcase");	250	errx(1, "bn_rand_in_range testcase");
251		251
252	if (!bn_isqrt(isqrt, &is_perfect_square, testcase, ctx))	252	if (!bn_isqrt(isqrt, &is_perfect_square, testcase, ctx))
253	errx(1, "bn_isqrt testcase");	253	errx(1, "bn_isqrt testcase");