From 011adf78027bced403e1190e496f00d941510468 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 6 Nov 2018 02:14:39 +0000
Subject: revert use of bn_rand_interval due to failures with ECDHE and TLS
---
src/lib/libcrypto/dh/dh_key.c | 15 ++++++---------
src/lib/libcrypto/dsa/dsa_key.c | 8 +++++---
src/lib/libcrypto/dsa/dsa_ossl.c | 17 ++++++++++++-----
src/lib/libcrypto/ec/ec_key.c | 9 +++++----
src/lib/libcrypto/ec/ecp_smpl.c | 8 +++++---
5 files changed, 33 insertions(+), 24 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 17df620ec5..3da2413666 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.32 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: dh_key.c,v 1.33 2018/11/06 02:14:39 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -106,7 +106,7 @@ generate_key(DH *dh)
unsigned l;
BN_CTX *ctx;
BN_MONT_CTX *mont = NULL;
- BIGNUM *pub_key = dh->pub_key, *priv_key = dh->priv_key, *two = NULL;
+ BIGNUM *pub_key = dh->pub_key, *priv_key = dh->priv_key;
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerror(DH_R_MODULUS_TOO_LARGE);
@@ -137,12 +137,10 @@ generate_key(DH *dh)
if (generate_new_key) {
if (dh->q) {
- if ((two = BN_new()) == NULL)
- goto err;
- if (!BN_add(two, BN_value_one(), BN_value_one()))
- goto err;
- if (!bn_rand_interval(priv_key, two, dh->q))
- goto err;
+ do {
+ if (!BN_rand_range(priv_key, dh->q))
+ goto err;
+ } while (BN_is_zero(priv_key) || BN_is_one(priv_key));
} else {
/* secret exponent length */
l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
@@ -167,7 +165,6 @@ generate_key(DH *dh)
if (dh->priv_key == NULL)
BN_free(priv_key);
BN_CTX_free(ctx);
- BN_free(two);
return ok;
}
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 7ead1f30cc..4039fbf407 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_key.c,v 1.26 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.27 2018/11/06 02:14:39 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -92,8 +92,10 @@ dsa_builtin_keygen(DSA *dsa)
goto err;
}
- if (!bn_rand_interval(priv_key, BN_value_one(), dsa->q))
- goto err;
+ do {
+ if (!BN_rand_range(priv_key, dsa->q))
+ goto err;
+ } while (BN_is_zero(priv_key));
if (pub_key == NULL) {
if ((pub_key = BN_new()) == NULL)
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index cda750a0ed..6eb391ddeb 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.38 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.39 2018/11/06 02:14:39 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -150,9 +150,13 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
*
* s = inv(k)inv(b)(bm + bxr) mod q
*
- * Where b is a random value in the range [1, q).
+ * Where b is a random value in the range [1, q-1].
*/
- if (!bn_rand_interval(&b, BN_value_one(), dsa->q))
+ if (!BN_sub(&bm, dsa->q, BN_value_one()))
+ goto err;
+ if (!BN_rand_range(&b, &bm))
+ goto err;
+ if (!BN_add(&b, &b, BN_value_one()))
goto err;
if (BN_mod_inverse_ct(&binv, &b, dsa->q, ctx) == NULL)
goto err;
@@ -238,8 +242,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
!BN_set_bit(&m, q_bits))
goto err;
- if (!bn_rand_interval(&k, BN_value_one(), dsa->q))
- goto err;
+ /* Get random k */
+ do {
+ if (!BN_rand_range(&k, dsa->q))
+ goto err;
+ } while (BN_is_zero(&k));
BN_set_flags(&k, BN_FLG_CONSTTIME);
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 8c6f3186ca..ca49c7676e 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.19 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.20 2018/11/06 02:14:39 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@@ -65,7 +65,6 @@
#include <openssl/opensslconf.h>
-#include "bn_lcl.h"
#include "ec_lcl.h"
#include <openssl/err.h>
@@ -232,8 +231,10 @@ EC_KEY_generate_key(EC_KEY *eckey)
if (!EC_GROUP_get_order(eckey->group, order, ctx))
goto err;
- if (!bn_rand_interval(priv_key, BN_value_one(), order))
- goto err;
+ do
+ if (!BN_rand_range(priv_key, order))
+ goto err;
+ while (BN_is_zero(priv_key));
if (pub_key == NULL) {
if ((pub_key = EC_POINT_new(eckey->group)) == NULL)
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index 96c1e8a278..24054a51c5 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.24 2018/11/05 23:54:27 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.25 2018/11/06 02:14:39 tb Exp $ */
/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
* for the OpenSSL project.
* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -1434,8 +1434,10 @@ ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
goto err;
/* Generate lambda in [1, group->field - 1] */
- if (!bn_rand_interval(lambda, BN_value_one(), &group->field))
- goto err;
+ do {
+ if (!BN_rand_range(lambda, &group->field))
+ goto err;
+ } while (BN_is_zero(lambda));
if (group->meth->field_encode != NULL &&
!group->meth->field_encode(group, lambda, lambda, ctx))
--
cgit v1.2.3-55-g6feb