1656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* crypto/bn/bn_rand.c */
2656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * All rights reserved.
4656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
5656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This package is an SSL implementation written
6656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * by Eric Young (eay@cryptsoft.com).
7656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The implementation was written so as to conform with Netscapes SSL.
8656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
9656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This library is free for commercial and non-commercial use as long as
10656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the following conditions are aheared to.  The following conditions
11656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * apply to all code found in this distribution, be it the RC4, RSA,
12656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * included with this distribution is covered by the same copyright terms
14656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
16656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright remains Eric Young's, and as such any Copyright notices in
17656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the code are not to be removed.
18656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If this package is used in a product, Eric Young should be given attribution
19656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * as the author of the parts of the library used.
20656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This can be in the form of a textual message at program startup or
21656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * in documentation (online or textual) provided with the package.
22656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
23656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without
24656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions
25656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met:
26656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the copyright
27656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    notice, this list of conditions and the following disclaimer.
28656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. Redistributions in binary form must reproduce the above copyright
29656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    notice, this list of conditions and the following disclaimer in the
30656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    documentation and/or other materials provided with the distribution.
31656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this software
32656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    must display the following acknowledgement:
33656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    "This product includes cryptographic software written by
34656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *     Eric Young (eay@cryptsoft.com)"
35656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    The word 'cryptographic' can be left out if the rouines from the library
36656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    being used are not cryptographic related :-).
37656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. If you include any Windows specific code (or a derivative thereof) from
38656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    the apps directory (application code) you must include an acknowledgement:
39656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
41656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SUCH DAMAGE.
52656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
53656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The licence and distribution terms for any publically available version or
54656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * derivative of this code cannot be changed.  i.e. this code cannot simply be
55656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * copied and put under another distribution licence
56656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * [including the GNU Public Licence.]
57656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */
58656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* ====================================================================
59656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
60656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
61656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without
62656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions
63656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met:
64656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
65656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the above copyright
66656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    notice, this list of conditions and the following disclaimer.
67656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
68656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. Redistributions in binary form must reproduce the above copyright
69656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    notice, this list of conditions and the following disclaimer in
70656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    the documentation and/or other materials provided with the
71656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    distribution.
72656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
73656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this
74656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    software must display the following acknowledgment:
75656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    "This product includes software developed by the OpenSSL Project
76656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
78656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    endorse or promote products derived from this software without
80656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    prior written permission. For written permission, please contact
81656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    openssl-core@openssl.org.
82656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
83656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 5. Products derived from this software may not be called "OpenSSL"
84656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    nor may "OpenSSL" appear in their names without prior written
85656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    permission of the OpenSSL Project.
86656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
87656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 6. Redistributions of any form whatsoever must retain the following
88656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    acknowledgment:
89656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    "This product includes software developed by the OpenSSL Project
90656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
92656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OF THE POSSIBILITY OF SUCH DAMAGE.
104656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ====================================================================
105656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
106656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This product includes cryptographic software written by Eric Young
107656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (eay@cryptsoft.com).  This product includes software written by Tim
108656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Hudson (tjh@cryptsoft.com).
109656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *
110656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */
112656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <stdio.h>
113656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <time.h>
114656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include "cryptlib.h"
115656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include "bn_lcl.h"
116656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/rand.h>
11723b9568fd705172c870175f42556ae21861da399Adam Langley#include <openssl/sha.h>
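/* bnrand sets |rnd| to a random number of at most |bits| bits.
 *
 * |pseudorand| selects the byte source: 0 uses RAND_bytes(), any other value
 * uses RAND_pseudo_bytes(). The value 2 additionally overwrites some bytes
 * with 0x00, 0xff or a copy of the previous byte; it is meant for exercising
 * the BN library, not for producing secrets.
 *
 * |top| is -1 to leave the most significant bit unconstrained, 0 to force the
 * most significant bit to one, and any other value to force the two most
 * significant bits to one. A non-zero |bottom| forces the result to be odd.
 *
 * Returns 1 on success and 0 on failure. The scratch buffer is cleansed
 * before it is freed on every path that allocated it. */
static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
	{
	unsigned char *buf=NULL;
	int ret=0,bit,bytes,mask;
	time_t tim;

	if (bits == 0)
		{
		BN_zero(rnd);
		return 1;
		}

	/* A negative bit count makes (bit+1) negative below, and shifting by
	 * a negative amount is undefined behaviour; fail before any
	 * arithmetic is done on it.
	 * NOTE(review): no error is queued here; consider a dedicated BN
	 * reason code if the tree defines one. */
	if (bits < 0)
		return 0;

	bytes=(bits+7)/8;
	bit=(bits-1)%8;
	mask=0xff<<(bit+1);

	buf=(unsigned char *)OPENSSL_malloc(bytes);
	if (buf == NULL)
		{
		BNerr(BN_F_BNRAND,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* stir the current time into the pool; it is credited with zero
	 * entropy (third argument 0.0) */
	time(&tim);
	RAND_add(&tim,sizeof(tim),0.0);

	if (pseudorand)
		{
		if (RAND_pseudo_bytes(buf, bytes) == -1)
			goto err;
		}
	else
		{
		if (RAND_bytes(buf, bytes) <= 0)
			goto err;
		}

#if 1
	if (pseudorand == 2)
		{
		/* generate patterns that are more likely to trigger BN
		   library bugs */
		int i;
		unsigned char c;

		for (i = 0; i < bytes; i++)
			{
			/* check the result as the bulk call above does, so
			 * that |c| is never read uninitialised */
			if (RAND_pseudo_bytes(&c, 1) == -1)
				goto err;
			if (c >= 128 && i > 0)
				buf[i] = buf[i-1];
			else if (c < 42)
				buf[i] = 0;
			else if (c < 84)
				buf[i] = 255;
			}
		}
#endif

	if (top != -1)
		{
		if (top)
			{
			if (bit == 0)
				{
				/* the top bit is the lowest bit of buf[0], so
				 * the second-highest bit lives in buf[1] */
				buf[0]=1;
				/* bits == 1 allocates a single byte: there is
				 * no buf[1], and writing it would be a
				 * one-byte heap overflow. A one-bit number
				 * cannot have two top bits, so only the top
				 * bit is set in that case. */
				if (bytes > 1)
					buf[1]|=0x80;
				}
			else
				{
				buf[0]|=(3<<(bit-1));
				}
			}
		else
			{
			buf[0]|=(1<<bit);
			}
		}
	/* clear the bits of buf[0] above the requested length */
	buf[0] &= ~mask;
	if (bottom) /* set bottom bit if requested */
		buf[bytes-1]|=1;
	if (!BN_bin2bn(buf,bytes,rnd)) goto err;
	ret=1;
err:
	if (buf != NULL)
		{
		/* the buffer holds the raw random value; wipe it before
		 * returning the memory to the allocator */
		OPENSSL_cleanse(buf,bytes);
		OPENSSL_free(buf);
		}
	bn_check_top(rnd);
	return(ret);
	}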
/* BN_rand sets |rnd| to a random number of at most |bits| bits drawn through
 * bnrand() with pseudorand == 0, i.e. from RAND_bytes(). |top| and |bottom|
 * are passed through unchanged. Returns bnrand()'s result: 1 on success,
 * 0 on failure. */
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
	{
	const int source = 0; /* 0 selects RAND_bytes() in bnrand() */

	return bnrand(source, rnd, bits, top, bottom);
	}
/* BN_pseudo_rand is BN_rand with pseudorand == 1, which makes bnrand() draw
 * from RAND_pseudo_bytes() instead of RAND_bytes(). That source does not
 * promise unpredictable output, so the result should not be used for keys,
 * nonces or other secrets. Returns 1 on success, 0 on failure. */
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
	{
	const int source = 1; /* 1 selects RAND_pseudo_bytes() in bnrand() */

	return bnrand(source, rnd, bits, top, bottom);
	}
#if 1
/* BN_bntest_rand calls bnrand() with pseudorand == 2. In that mode bnrand()
 * starts from RAND_pseudo_bytes() output and then overwrites bytes with runs
 * of 0x00, 0xff and repeated values to provoke BN library bugs. The output
 * is deliberately structured and is for testing only. Returns 1 on success,
 * 0 on failure. */
int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
	{
	const int source = 2; /* 2 selects the bug-hunting patterns */

	return bnrand(source, rnd, bits, top, bottom);
	}
#endif
/* bn_rand_range sets |r| to a random number with 0 <= r < range.
 *
 * A non-zero |pseudo| draws candidates with BN_pseudo_rand, otherwise with
 * BN_rand. Candidates that fall outside the range are discarded and redrawn
 * rather than reduced blindly, and at most 100 draws are made.
 *
 * Returns 1 on success. Returns 0 if |range| is negative or zero
 * (BN_R_INVALID_RANGE), if a draw or subtraction fails, or if the draw budget
 * runs out (BN_R_TOO_MANY_ITERATIONS).
 *
 * NOTE(review): the budget is decremented before the acceptance test, so a
 * candidate that would be accepted on the 100th draw is still reported as
 * too many iterations. That fails closed; confirm it is intended. */
static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
	{
	int (*generate)(BIGNUM *, int, int, int);
	int range_bits;
	int attempts_left = 100;
	int pass;

	if (pseudo)
		generate = BN_pseudo_rand;
	else
		generate = BN_rand;

	if (range->neg || BN_is_zero(range))
		{
		BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);
		return 0;
		}

	/* range > 0 here, so range_bits > 0 and bit (range_bits - 1) of
	 * |range| is set */
	range_bits = BN_num_bits(range);

	if (range_bits == 1)
		{
		BN_zero(r);
		}
	else if (!(BN_is_bit_set(range, range_bits - 2) ||
		   BN_is_bit_set(range, range_bits - 3)))
		{
		/* range = 100..._2,
		 * so  3*range (= 11..._2)  is exactly one bit longer than
		 * range.  Draw one extra bit and fold the candidate back with
		 * up to two subtractions. */
		for (;;)
			{
			if (!generate(r, range_bits + 1, -1, 0))
				return 0;

			/* If  r < 3*range,  this leaves  r MOD range
			 * (r,  r - range  or  r - 2*range);  otherwise r is
			 * still >= range and the candidate is redrawn.
			 * Since  3*range = 11..._2,  each draw succeeds with
			 * probability >= .75. */
			for (pass = 0; pass < 2 && BN_cmp(r, range) >= 0; pass++)
				{
				if (!BN_sub(r, r, range))
					return 0;
				}

			attempts_left--;
			if (attempts_left == 0)
				{
				BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
				return 0;
				}

			if (BN_cmp(r, range) < 0)
				break;
			}
		}
	else
		{
		/* range = 11..._2  or  range = 101..._2:  draw exactly
		 * range_bits bits and redraw while the candidate is not
		 * below |range| */
		for (;;)
			{
			if (!generate(r, range_bits, -1, 0))
				return 0;

			attempts_left--;
			if (attempts_left == 0)
				{
				BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
				return 0;
				}

			if (BN_cmp(r, range) < 0)
				break;
			}
		}

	bn_check_top(r);
	return 1;
	}
/* BN_rand_range sets |r| to a random number with 0 <= r < range, using
 * bn_rand_range() with pseudo == 0 so that candidates come from BN_rand.
 * Returns 1 on success, 0 on failure. */
int BN_rand_range(BIGNUM *r, const BIGNUM *range)
	{
	const int pseudo = 0; /* 0 selects BN_rand in bn_rand_range() */

	return bn_rand_range(pseudo, r, range);
	}
/* BN_pseudo_rand_range sets |r| to a number with 0 <= r < range, using
 * bn_rand_range() with pseudo == 1 so that candidates come from
 * BN_pseudo_rand. The result should not be used where unpredictability is
 * required. Returns 1 on success, 0 on failure. */
int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
	{
	const int pseudo = 1; /* 1 selects BN_pseudo_rand in bn_rand_range() */

	return bn_rand_range(pseudo, r, range);
	}
30823b9568fd705172c870175f42556ae21861da399Adam Langley#ifndef OPENSSL_NO_SHA512
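/* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
 * BN_rand_range, it also includes the contents of |priv| and |message| in the
 * generation so that an RNG failure isn't fatal as long as |priv| remains
 * secret. This is intended for use in DSA and ECDSA where an RNG weakness
 * leads directly to private key exposure unless this function is used.
 *
 * Returns 1 on success and 0 on failure: allocation failure, |priv| larger
 * than the 96-byte local buffer, RAND_bytes failure, or an error from
 * BN_bin2bn or BN_mod. When 0 is returned the contents of |out| must not be
 * used as a nonce.
 *
 * All temporaries that held the private key copy, RNG output, hash state or
 * candidate nonce bytes are wiped with OPENSSL_cleanse on every exit path,
 * because disclosure of the nonce or the key copy from stale stack or heap
 * memory would defeat the purpose of this function. */
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM* priv,
			  const unsigned char *message, size_t message_len,
			  BN_CTX *ctx)
	{
	SHA512_CTX sha;
	/* We use 512 bits of random data per iteration to
	 * ensure that we have at least |range| bits of randomness. */
	unsigned char random_bytes[64];
	unsigned char digest[SHA512_DIGEST_LENGTH];
	unsigned done, todo;
	/* We generate |range|+8 bytes of random output. The 64 extra bits keep
	 * the bias introduced by the BN_mod reduction below negligible. */
	const unsigned num_k_bytes = BN_num_bytes(range) + 8;
	unsigned char private_bytes[96];
	unsigned char *k_bytes;
	int ret = 0;

	k_bytes = OPENSSL_malloc(num_k_bytes);
	if (!k_bytes)
		goto err;

	/* We copy |priv| into a local buffer to avoid exposing its length. */
	todo = sizeof(priv->d[0])*priv->top;
	if (todo > sizeof(private_bytes))
		{
		/* No reasonable DSA or ECDSA key should have a private key
		 * this large and we don't handle this case in order to avoid
		 * leaking the length of the private key. */
		BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
		goto err;
		}
	memcpy(private_bytes, priv->d, todo);
	/* Zero-pad so that the hash always absorbs the full fixed-size buffer. */
	memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);

	for (done = 0; done < num_k_bytes;) {
		/* Fresh RNG output for every digest block; abort rather than
		 * continue with stale bytes if the RNG reports failure. */
		if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)
			goto err;
		SHA512_Init(&sha);
		/* The running offset |done| is hashed first so that each
		 * block's input differs even if the RNG output repeats. */
		SHA512_Update(&sha, &done, sizeof(done));
		SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
		SHA512_Update(&sha, message, message_len);
		SHA512_Update(&sha, random_bytes, sizeof(random_bytes));
		SHA512_Final(digest, &sha);

		/* Copy at most one digest, truncating the final block. */
		todo = num_k_bytes - done;
		if (todo > SHA512_DIGEST_LENGTH)
			todo = SHA512_DIGEST_LENGTH;
		memcpy(k_bytes + done, digest, todo);
		done += todo;
	}

	if (!BN_bin2bn(k_bytes, num_k_bytes, out))
		goto err;
	if (BN_mod(out, out, range, ctx) != 1)
		goto err;
	ret = 1;

err:
	if (k_bytes)
		{
		/* Wipe the candidate nonce bytes before the heap block is
		 * returned to the allocator. */
		OPENSSL_cleanse(k_bytes, num_k_bytes);
		OPENSSL_free(k_bytes);
		}
	/* Wipe the stack copies of the private key, RNG output, digest and
	 * hash state. OPENSSL_cleanse is used instead of memset so that the
	 * compiler cannot drop these stores as dead writes. */
	OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
	OPENSSL_cleanse(random_bytes, sizeof(random_bytes));
	OPENSSL_cleanse(digest, sizeof(digest));
	OPENSSL_cleanse(&sha, sizeof(sha));
	return ret;
	}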
37523b9568fd705172c870175f42556ae21861da399Adam Langley#endif  /* OPENSSL_NO_SHA512 */