author | Matt Caswell <matt@openssl.org> | 2019-07-04 15:41:17 +0100 |
committer | Matt Caswell <matt@openssl.org> | 2019-07-15 11:03:44 +0100 |
commit | 2934be91349b365f1350fe9c30e4263be653c0f6 (patch) | |
tree | 926db8537c403e61baf0c228800fb88bcec37005 /crypto/bn | |
parent | 753149d97f8474ff8745a66175b8e4a19fe50743 (diff) | |
Make sure all BIGNUM operations work within the FIPS provider
The FIPS provider does not have a default OPENSSL_CTX so, where
necessary, we need to ensure we can always access an explicit
OPENSSL_CTX. We remove functions from the FIPS provider that use
the default OPENSSL_CTX, and fixup some places which were using
those removed functions.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9310)
Diffstat (limited to 'crypto/bn')
-rw-r--r-- | crypto/bn/bn_blind.c | 2 | ||||
-rw-r--r-- | crypto/bn/bn_ctx.c | 4 | ||||
-rw-r--r-- | crypto/bn/bn_err.c | 2 | ||||
-rw-r--r-- | crypto/bn/bn_gf2m.c | 7 | ||||
-rw-r--r-- | crypto/bn/bn_prime.c | 67 | ||||
-rw-r--r-- | crypto/bn/bn_rand.c | 8 | ||||
-rw-r--r-- | crypto/bn/bn_rsa_fips186_4.c | 9 | ||||
-rw-r--r-- | crypto/bn/bn_sqrt.c | 2 | ||||
-rw-r--r-- | crypto/bn/bn_x931p.c | 9 |
9 files changed, 75 insertions, 35 deletions
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index e003f9a08f..826f3f06aa 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -270,7 +270,7 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
 do {
 int rv;
- if (!BN_priv_rand_range(ret->A, ret->mod))
+ if (!BN_priv_rand_range_ex(ret->A, ret->mod, ctx))
 goto err;
 if (int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv))
 break;
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index cc3c3034a4..a60c7442a4 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -143,10 +143,12 @@ BN_CTX *BN_CTX_new_ex(OPENSSL_CTX *ctx)
 return ret;
 }
+#ifndef FIPS_MODE
 BN_CTX *BN_CTX_new(void)
 {
 return BN_CTX_new_ex(NULL);
 }
+#endif
 BN_CTX *BN_CTX_secure_new_ex(OPENSSL_CTX *ctx)
 {
@@ -157,10 +159,12 @@ BN_CTX *BN_CTX_secure_new_ex(OPENSSL_CTX *ctx)
 return ret;
 }
+#ifndef FIPS_MODE
 BN_CTX *BN_CTX_secure_new(void)
 {
 return BN_CTX_secure_new_ex(NULL);
 }
+#endif
 void BN_CTX_free(BN_CTX *ctx)
 {
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
index a28443c71a..9a59cfbb07 100644
--- a/crypto/bn/bn_err.c
+++ b/crypto/bn/bn_err.c
@@ -40,6 +40,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
 "BN_generate_dsa_nonce"},
 {ERR_PACK(ERR_LIB_BN, BN_F_BN_GENERATE_PRIME_EX, 0),
 "BN_generate_prime_ex"},
+ {ERR_PACK(ERR_LIB_BN, BN_F_BN_GENERATE_PRIME_EX2, 0),
+ "BN_generate_prime_ex2"},
 {ERR_PACK(ERR_LIB_BN, BN_F_BN_GF2M_MOD, 0), "BN_GF2m_mod"},
 {ERR_PACK(ERR_LIB_BN, BN_F_BN_GF2M_MOD_EXP, 0), "BN_GF2m_mod_exp"},
 {ERR_PACK(ERR_LIB_BN, BN_F_BN_GF2M_MOD_MUL, 0), "BN_GF2m_mod_mul"},
diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index 910f014422..e025dae6c1 100644
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
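Review bot: The `#ifndef FIPS_MODE` guards around `BN_CTX_new` and `BN_CTX_secure_new` carry no comment, so a reader of bn_ctx.c sees two public constructors vanish in the FIPS build without the reason that is only given in the commit message. A one-line comment on the first guard, e.g. `/* Not built into the FIPS provider: it has no default OPENSSL_CTX, callers must use the _ex variants */`, would keep the intent next to the code. The same applies to the guards added in bn_rand.c and to the `BN_generate_prime_ex` wrapper in bn_prime.c.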
@@ -732,8 +732,8 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 /* generate blinding value */
 do {
- if (!BN_priv_rand(b, BN_num_bits(p) - 1,
- BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(b, BN_num_bits(p) - 1,
+ BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx))
 goto err;
 } while (BN_is_zero(b));
@@ -1031,7 +1031,8 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
 if (tmp == NULL)
 goto err;
 do {
- if (!BN_priv_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY,
+ ctx))
 goto err;
 if (!BN_GF2m_mod_arr(rho, rho, p))
 goto err;
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 47e2f2357a..1cfd95307c 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -19,7 +19,7 @@
 */
 #include "bn_prime.h"
-static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods);
+static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods, BN_CTX *ctx);
 static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
 const BIGNUM *rem, BN_CTX *ctx);
@@ -84,19 +84,19 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b)
 return 0;
 }
-int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
- const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
+int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe,
+ const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb,
+ BN_CTX *ctx)
 {
 BIGNUM *t;
 int found = 0;
 int i, j, c1 = 0;
- BN_CTX *ctx = NULL;
 prime_t *mods = NULL;
 int checks = BN_prime_checks_for_size(bits);
 if (bits < 2) {
 /* There are no prime numbers this small. */
- BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
+ BNerr(BN_F_BN_GENERATE_PRIME_EX2, BN_R_BITS_TOO_SMALL);
 return 0;
 } else if (add == NULL && safe && bits < 6 && bits != 3) {
 /*
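Review bot: `BN_generate_prime_ex2` takes `ctx` from the caller but never checks it for NULL before the body uses it (`BN_CTX_start(ctx)` in the -112 hunk), whereas the FIPS branch of `BN_is_prime_fasttest_ex` in the -187 hunk rejects a NULL ctx with `return -1`. Outside FIPS builds the `BN_generate_prime_ex` wrapper always supplies one, but in the FIPS provider there is no wrapper and a NULL ctx would reach BN_CTX_start directly. Suggest `if (ctx == NULL) return 0;` next to the existing argument checks, or at least a comment on the signature: `/* ctx must not be NULL; FIPS callers must supply their own BN_CTX */`. Note also that the bits-too-small errors are now reported under `BN_F_BN_GENERATE_PRIME_EX2` even when reached through the `BN_generate_prime_ex` wrapper, which is visible to anyone inspecting the function code in the error queue. The function's body continues in the following hunks.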
@@ -104,7 +104,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
 * But the following two safe primes with less than 6 bits (11, 23)
 * are unreachable for BN_rand with BN_RAND_TOP_TWO.
 */
- BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
+ BNerr(BN_F_BN_GENERATE_PRIME_EX2, BN_R_BITS_TOO_SMALL);
 return 0;
 }
@@ -112,9 +112,6 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
 if (mods == NULL)
 goto err;
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
 BN_CTX_start(ctx);
 t = BN_CTX_get(ctx);
 if (t == NULL)
@@ -122,7 +119,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
 loop:
 /* make a random number and set the top and bottom bits */
 if (add == NULL) {
- if (!probable_prime(ret, bits, mods))
+ if (!probable_prime(ret, bits, mods, ctx))
 goto err;
 } else {
 if (safe) {
@@ -175,11 +172,27 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
 err:
 OPENSSL_free(mods);
 BN_CTX_end(ctx);
- BN_CTX_free(ctx);
 bn_check_top(ret);
 return found;
 }
+#ifndef FIPS_MODE
+int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
+ const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
+{
+ BN_CTX *ctx = BN_CTX_new();
+ int retval;
+
+ if (ctx == NULL)
+ return 0;
+
+ retval = BN_generate_prime_ex2(ret, bits, safe, add, rem, cb, ctx);
+
+ BN_CTX_free(ctx);
+ return retval;
+}
+#endif
+
 int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
 BN_GENCB *cb)
 {
@@ -187,11 +200,17 @@ int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
 }
 /* See FIPS 186-4 C.3.1 Miller Rabin Probabilistic Primality Test. */
-int BN_is_prime_fasttest_ex(const BIGNUM *w, int checks, BN_CTX *ctx_passed,
+int BN_is_prime_fasttest_ex(const BIGNUM *w, int checks, BN_CTX *ctx,
 int do_trial_division, BN_GENCB *cb)
 {
 int i, status, ret = -1;
- BN_CTX *ctx = NULL;
+#ifndef FIPS_MODE
+ BN_CTX *ctxlocal = NULL;
+#else
+
+ if (ctx == NULL)
+ return -1;
+#endif
 /* w must be bigger than 1 */
 if (BN_cmp(w, BN_value_one()) <= 0)
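Review bot: With the local `BN_CTX_new()` removed, the `goto err` on the `mods == NULL` context line just above `BN_CTX_start(ctx)` now jumps to an `err:` label (in the -175 hunk on this same line) that still runs `BN_CTX_end(ctx)` on the caller's context even though no matching `BN_CTX_start(ctx)` has happened on that path. Previously ctx was still NULL there, which BN_CTX_end tolerates; with the caller's context it presumably ends a frame this function never started and can unbalance the caller's own start/end pairing. Nothing has been acquired at that point, so `if (mods == NULL) return 0;` is the simplest fix, or move `BN_CTX_start(ctx)` above the allocation so every `goto err` is balanced. The rest of the function body lies between these hunks and is not shown.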
@@ -219,18 +238,19 @@ int BN_is_prime_fasttest_ex(const BIGNUM *w, int checks, BN_CTX *ctx_passed,
 if (!BN_GENCB_call(cb, 1, -1))
 return -1;
 }
- if (ctx_passed != NULL)
- ctx = ctx_passed;
- else if ((ctx = BN_CTX_new()) == NULL)
+#ifndef FIPS_MODE
+ if (ctx == NULL && (ctxlocal = ctx = BN_CTX_new()) == NULL)
 goto err;
+#endif
 ret = bn_miller_rabin_is_prime(w, checks, ctx, cb, 0, &status);
 if (!ret)
 goto err;
 ret = (status == BN_PRIMETEST_PROBABLY_PRIME);
 err:
- if (ctx_passed == NULL)
- BN_CTX_free(ctx);
+#ifndef FIPS_MODE
+ BN_CTX_free(ctxlocal);
+#endif
 return ret;
 }
@@ -301,7 +321,8 @@ int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
 /* (Step 4) */
 for (i = 0; i < iterations; ++i) {
 /* (Step 4.1) obtain a Random string of bits b where 1 < b < w-1 */
- if (!BN_priv_rand_range(b, w3) || !BN_add_word(b, 2)) /* 1 < b < w-1 */
+ if (!BN_priv_rand_range_ex(b, w3, ctx)
+ || !BN_add_word(b, 2)) /* 1 < b < w-1 */
 goto err;
 if (enhanced) {
@@ -379,7 +400,7 @@ err:
 return ret;
 }
-static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
+static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods, BN_CTX *ctx)
 {
 int i;
 BN_ULONG delta;
@@ -388,7 +409,7 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
 again:
 /* TODO: Not all primes are private */
- if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
+ if (!BN_priv_rand_ex(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD, ctx))
 return 0;
 /* we now have a random number 'rnd' to test. */
 for (i = 1; i < NUMPRIMES; i++) {
@@ -472,7 +493,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits,
 if ((t1 = BN_CTX_get(ctx)) == NULL)
 goto err;
- if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+ if (!BN_rand_ex(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD, ctx))
 goto err;
 /* we need ((rnd-rem) % add) == 0 */
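Review bot: The new FIPS-only precondition in the -187 hunk (`if (ctx == NULL) return -1;` under `#else`) and the rename of the parameter from `ctx_passed` to `ctx` are not reflected in any comment, and -1 is also the generic failure return, so a FIPS caller passing NULL cannot distinguish this from an arithmetic error. Suggest reporting the failure through the error queue before returning, or at minimum a comment above the function: `/* ctx may be NULL outside FIPS builds (a temporary BN_CTX is allocated); in FIPS builds it is mandatory and NULL yields -1 */`. In the -219 hunk the chained `(ctxlocal = ctx = BN_CTX_new())` inside the condition is terse; `ctxlocal = ctx = BN_CTX_new(); if (ctx == NULL) goto err;` under the `ctx == NULL` test reads more plainly. The function's body between these two hunks is not shown.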
@@ -528,7 +549,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
 if (!BN_rshift1(qadd, padd))
 goto err;
- if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+ if (!BN_rand_ex(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD, ctx))
 goto err;
 /* we need ((rnd-rem) % add) == 0 */
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index a71e7d49d1..d1743ddf7a 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -103,6 +103,7 @@ int BN_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, BN_CTX *ctx)
 {
 return bnrand(NORMAL, rnd, bits, top, bottom, ctx);
 }
+#ifndef FIPS_MODE
 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
 return bnrand(NORMAL, rnd, bits, top, bottom, NULL);
@@ -112,16 +113,19 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
 return bnrand(TESTING, rnd, bits, top, bottom, NULL);
 }
+#endif
 int BN_priv_rand_ex(BIGNUM *rnd, int bits, int top, int bottom, BN_CTX *ctx)
 {
 return bnrand(PRIVATE, rnd, bits, top, bottom, ctx);
 }
+#ifndef FIPS_MODE
 int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
 return bnrand(PRIVATE, rnd, bits, top, bottom, NULL);
 }
+#endif
 /* random number r: 0 <= r < range */
 static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range,
@@ -195,16 +199,19 @@ int BN_rand_range_ex(BIGNUM *r, const BIGNUM *range, BN_CTX *ctx)
 return bnrand_range(NORMAL, r, range, ctx);
 }
+#ifndef FIPS_MODE
 int BN_rand_range(BIGNUM *r, const BIGNUM *range)
 {
 return bnrand_range(NORMAL, r, range, NULL);
 }
+#endif
 int BN_priv_rand_range_ex(BIGNUM *r, const BIGNUM *range, BN_CTX *ctx)
 {
 return bnrand_range(PRIVATE, r, range, ctx);
 }
+#ifndef FIPS_MODE
 int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range)
 {
 return bnrand_range(PRIVATE, r, range, NULL);
@@ -219,6 +226,7 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
 {
 return BN_rand_range(r, range);
 }
+#endif
 /*
 * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
index 261669d0d0..9a3041e2e1 100644
--- a/crypto/bn/bn_rsa_fips186_4.c
+++ b/crypto/bn/bn_rsa_fips186_4.c
@@ -193,13 +193,15 @@ int bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
 /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */
 if (Xp1 == NULL) {
 /* Set the top and bottom bits to make it odd and the correct size */
- if (!BN_priv_rand(Xp1i, bitlen, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+ if (!BN_priv_rand_ex(Xp1i, bitlen, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD,
+ ctx))
 goto err;
 }
 /* (Steps 4.1/5.1): Randomly generate Xp2 if it is not passed in */
 if (Xp2 == NULL) {
 /* Set the top and bottom bits to make it odd and the correct size */
- if (!BN_priv_rand(Xp2i, bitlen, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+ if (!BN_priv_rand_ex(Xp2i, bitlen, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD,
+ ctx))
 goto err;
 }
@@ -305,7 +307,8 @@ int bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
 * so largest number will have B5... as the top byte
 * Setting the top 2 bits gives 0xC0.
 */
- if (!BN_priv_rand(X, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(X, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY,
+ ctx))
 goto end;
 }
 /* (Step 4) Y = X + ((R - X) mod 2r1r2) */
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
index 5981cd077a..2107487b72 100644
--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
@@ -180,7 +180,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 if (!BN_set_word(y, i))
 goto end;
 } else {
- if (!BN_priv_rand(y, BN_num_bits(p), 0, 0))
+ if (!BN_priv_rand_ex(y, BN_num_bits(p), 0, 0, ctx))
 goto end;
 if (BN_ucmp(y, p) >= 0) {
 if (!(p->neg ? BN_add : BN_sub) (y, y, p))
diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c
index 3599270564..c79e427854 100644
--- a/crypto/bn/bn_x931p.c
+++ b/crypto/bn/bn_x931p.c
@@ -173,7 +173,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
 * - 1. By setting the top two bits we ensure that the lower bound is
 * exceeded.
 */
- if (!BN_priv_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY, ctx))
 goto err;
 BN_CTX_start(ctx);
@@ -182,7 +182,8 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
 goto err;
 for (i = 0; i < 1000; i++) {
- if (!BN_priv_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY,
+ ctx))
 goto err;
 /* Check that |Xp - Xq| > 2^(nbits - 100) */
@@ -227,9 +228,9 @@ int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
 if (Xp1 == NULL || Xp2 == NULL)
 goto error;
- if (!BN_priv_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, ctx))
 goto error;
- if (!BN_priv_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ if (!BN_priv_rand_ex(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, ctx))
 goto error;
 if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
 goto error; |