Integrate my implementation of a countermeasure against

Bleichenbacher's DSA attack. With this implementation, the expected number of iterations never exceeds 2. New semantics for BN_rand_range(): BN_rand_range(r, min, range) now generates r such that min <= r < min+range. (Previously, BN_rand_range(r, min, max) generated r such that min <= r < max. It is more convenient to have the range; also the previous prototype was misleading because max was larger than the actual maximum.)
2001-02-08 12:20:25 +00:00 · 2001-02-08 12:20:25 +00:00 · 07fc72fea1
commit 07fc72fea1
parent 813c7c415b
5 changed files with 66 additions and 11 deletions
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@ -328,7 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx);
 void	BN_CTX_end(BN_CTX *ctx);
 int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
-int	BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max);
+int	BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *range);
 int	BN_num_bits(const BIGNUM *a);
 int	BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
@ -494,6 +494,7 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
 #define BN_F_BN_MPI2BN					 112
 #define BN_F_BN_NEW					 113
 #define BN_F_BN_RAND					 114
+#define BN_F_BN_RAND_RANGE				 122
 #define BN_F_BN_USUB					 115

 /* Reason codes. */
@ -505,6 +506,7 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
 #define BN_R_ENCODING_ERROR				 104
 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA		 105
 #define BN_R_INVALID_LENGTH				 106
+#define BN_R_INVALID_RANGE				 115
 #define BN_R_NOT_INITIALIZED				 107
 #define BN_R_NO_INVERSE					 108
 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES		 109
--- a/crypto/bn/bn_err.c
+++ b/crypto/bn/bn_err.c
@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[]=
 {ERR_PACK(0,BN_F_BN_MPI2BN,0),	"BN_mpi2bn"},
 {ERR_PACK(0,BN_F_BN_NEW,0),	"BN_new"},
 {ERR_PACK(0,BN_F_BN_RAND,0),	"BN_rand"},
+{ERR_PACK(0,BN_F_BN_RAND_RANGE,0),	"BN_rand_range"},
 {ERR_PACK(0,BN_F_BN_USUB,0),	"BN_usub"},
 {0,NULL}
 	};
@ -98,6 +99,7 @@ static ERR_STRING_DATA BN_str_reasons[]=
 {BN_R_ENCODING_ERROR                     ,"encoding error"},
 {BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
 {BN_R_INVALID_LENGTH                     ,"invalid length"},
+{BN_R_INVALID_RANGE                      ,"invalid range"},
 {BN_R_NOT_INITIALIZED                    ,"not initialized"},
 {BN_R_NO_INVERSE                         ,"no inverse"},
 {BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@ -141,14 +141,63 @@ int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
 	return bnrand(1, rnd, bits, top, bottom);
 	}

-/* random number r: min <= r < max */
-int	BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *max)
+/* random number r: min <= r < min+range */
+int	BN_rand_range(BIGNUM *r, BIGNUM *min, BIGNUM *range)
 	{
-	int n = BN_num_bits(max);
-	do
+	int n;
+
+	if (range->neg || BN_is_zero(range))
 		{
-		if (!BN_rand(r, n, 0, 0)) return 0;
-		} while ((min && BN_cmp(r, min) < 0) || BN_cmp(r, max) >= 0);
+		BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);
+		return 0;
+		}
+
+	n = BN_num_bits(range); /* n > 0 */
+	
+	if (n == 1)
+		{
+		if (!BN_zero(r)) return 0;
+		}
+	else if (BN_is_bit_set(range, n - 2))
+		{
+		do
+			{
+			/* range = 11..._2, so each iteration succeeds with probability > .5 */
+			if (!BN_rand(r, n, 0, 0)) return 0;
+			fprintf(stderr, "?");
+			}
+		while (BN_cmp(r, range) >= 0);
+		fprintf(stderr, "! (11...)\n");
+		}
+	else
+		{
+		/* range = 10..._2,
+		 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
+		do
+			{
+			if (!BN_rand(r, n + 1, 0, 0)) return 0;
+			/* If  r < 3*range,  use  r := r MOD range
+			 * (which is either  r, r - range,  or  r - 2*range).
+			 * Otherwise, iterate once more.
+			 * Since  3*range = 11..._2, each iteration succeeds with
+			 * probability > .5. */
+			if (BN_cmp(r ,range) >= 0)
+				{
+				if (!BN_sub(r, r, range)) return 0;
+				if (BN_cmp(r, range) >= 0)
+					if (!BN_sub(r, r, range)) return 0;
+				}
+			fprintf(stderr, "?");
+			}
+		while (BN_cmp(r, range) >= 0);
+		fprintf(stderr, "! (10...)\n");
+		}
+
+	if (min != NULL)
+		{
+		if (!BN_add(r, r, min)) return 0;
+		}
+	
 	return 1;
 	}

--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@ -179,7 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	kinv=NULL;

 	/* Get random k */
-	if (!BN_rand_range(&k, BN_value_one(), dsa->q)) goto err;
+	do
+		if (!BN_rand_range(&k, NULL, dsa->q)) goto err;
+	while (BN_is_zero(&k));

 	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
 		{
--- a/doc/crypto/BN_rand.pod
+++ b/doc/crypto/BN_rand.pod
@ -12,7 +12,7 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number

 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);

- int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *max);
+ int BN_rand_range(BIGNUM *rnd, BIGNUM *min, BIGNUM *range);

 =head1 DESCRIPTION

@ -28,8 +28,8 @@ non-cryptographic purposes and for certain purposes in cryptographic
 protocols, but usually not for key generation etc.

 BN_rand_range() generates a cryptographically strong pseudo-random
-number B<rnd> in the range B<min> E<lt>= B<rnd> E<lt> B<max>. B<min>
-may be NULL, in that case 0 E<lt>= B<rnd> E<lt> B<max>.
+number B<rnd> in the range B<min> E<lt>= B<rnd> E<lt> B<min> + B<range>.
+B<min> may be NULL, in that case 0 E<lt>= B<rnd> E<lt> B<range>.

 The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().