From 011adf78027bced403e1190e496f00d941510468 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 6 Nov 2018 02:14:39 +0000
Subject: revert use of bn_rand_interval due to failures with ECDHE and TLS

---
 src/lib/libcrypto/dh/dh_key.c    | 15 ++++++---------
 src/lib/libcrypto/dsa/dsa_key.c  |  8 +++++---
 src/lib/libcrypto/dsa/dsa_ossl.c | 17 ++++++++++++-----
 src/lib/libcrypto/ec/ec_key.c    |  9 +++++----
 src/lib/libcrypto/ec/ecp_smpl.c  |  8 +++++---
 5 files changed, 33 insertions(+), 24 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 17df620ec5..3da2413666 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.32 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: dh_key.c,v 1.33 2018/11/06 02:14:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -106,7 +106,7 @@ generate_key(DH *dh)
 	unsigned l;
 	BN_CTX *ctx;
 	BN_MONT_CTX *mont = NULL;
-	BIGNUM *pub_key = dh->pub_key, *priv_key = dh->priv_key, *two = NULL;
+	BIGNUM *pub_key = dh->pub_key, *priv_key = dh->priv_key;
 
 	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
 		DHerror(DH_R_MODULUS_TOO_LARGE);
@@ -137,12 +137,10 @@ generate_key(DH *dh)
 
 	if (generate_new_key) {
 		if (dh->q) {
-			if ((two = BN_new()) == NULL)
-				goto err;
-			if (!BN_add(two, BN_value_one(), BN_value_one()))
-				goto err;
-			if (!bn_rand_interval(priv_key, two, dh->q))
-				goto err;
+			do {
+				if (!BN_rand_range(priv_key, dh->q))
+					goto err;
+			} while (BN_is_zero(priv_key) || BN_is_one(priv_key));
 		} else {
 			/* secret exponent length */
 			l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
@@ -167,7 +165,6 @@ generate_key(DH *dh)
 	if (dh->priv_key == NULL)
 		BN_free(priv_key);
 	BN_CTX_free(ctx);
-	BN_free(two);
 	return ok;
 }
 
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 7ead1f30cc..4039fbf407 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_key.c,v 1.26 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.27 2018/11/06 02:14:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -92,8 +92,10 @@ dsa_builtin_keygen(DSA *dsa)
 			goto err;
 	}
 
-	if (!bn_rand_interval(priv_key, BN_value_one(), dsa->q))
-		goto err;
+	do {
+		if (!BN_rand_range(priv_key, dsa->q))
+			goto err;
+	} while (BN_is_zero(priv_key));
 
 	if (pub_key == NULL) {
 		if ((pub_key = BN_new()) == NULL)
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index cda750a0ed..6eb391ddeb 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.38 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.39 2018/11/06 02:14:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -150,9 +150,13 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	 *
 	 *  s = inv(k)inv(b)(bm + bxr) mod q
 	 *
-	 * Where b is a random value in the range [1, q).
+	 * Where b is a random value in the range [1, q-1].
 	 */
-	if (!bn_rand_interval(&b, BN_value_one(), dsa->q))
+	if (!BN_sub(&bm, dsa->q, BN_value_one()))
+		goto err;
+	if (!BN_rand_range(&b, &bm))
+		goto err;
+	if (!BN_add(&b, &b, BN_value_one()))
 		goto err;
 	if (BN_mod_inverse_ct(&binv, &b, dsa->q, ctx) == NULL)
 		goto err;
@@ -238,8 +242,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	    !BN_set_bit(&m, q_bits))
 		goto err;
 
-	if (!bn_rand_interval(&k, BN_value_one(), dsa->q))
-		goto err;
+	/* Get random k */
+	do {
+		if (!BN_rand_range(&k, dsa->q))
+			goto err;
+	} while (BN_is_zero(&k));
 
 	BN_set_flags(&k, BN_FLG_CONSTTIME);
 
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 8c6f3186ca..ca49c7676e 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.19 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.20 2018/11/06 02:14:39 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -65,7 +65,6 @@
 
 #include <openssl/opensslconf.h>
 
-#include "bn_lcl.h"
 #include "ec_lcl.h"
 #include <openssl/err.h>
 
@@ -232,8 +231,10 @@ EC_KEY_generate_key(EC_KEY *eckey)
 	if (!EC_GROUP_get_order(eckey->group, order, ctx))
 		goto err;
 
-	if (!bn_rand_interval(priv_key, BN_value_one(), order))
-		goto err;
+	do
+		if (!BN_rand_range(priv_key, order))
+			goto err;
+	while (BN_is_zero(priv_key));
 
 	if (pub_key == NULL) {
 		if ((pub_key = EC_POINT_new(eckey->group)) == NULL)
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index 96c1e8a278..24054a51c5 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.24 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.25 2018/11/06 02:14:39 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1434,8 +1434,10 @@ ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
 		goto err;
 
 	/* Generate lambda in [1, group->field - 1] */
-	if (!bn_rand_interval(lambda, BN_value_one(), &group->field))
-		goto err;
+	do {
+		if (!BN_rand_range(lambda, &group->field))
+			goto err;
+	} while (BN_is_zero(lambda));
 
 	if (group->meth->field_encode != NULL &&
 	    !group->meth->field_encode(group, lambda, lambda, ctx))
-- 
cgit v1.2.3-55-g6feb