Add RAND_priv_bytes() for private keys

Add a new global DRBG for private keys used by RAND_priv_bytes.

Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)

crypto/bn/bn_err.c

@@ -15,6 +15,7 @@
 
 static const ERR_STRING_DATA BN_str_functs[] = {
     {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND, 0), "bnrand"},
+    {ERR_PACK(ERR_LIB_BN, BN_F_BNRAND_RANGE, 0), "bnrand_range"},
     {ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CONVERT_EX, 0),
      "BN_BLINDING_convert_ex"},
     {ERR_PACK(ERR_LIB_BN, BN_F_BN_BLINDING_CREATE_PARAM, 0),

crypto/bn/bn_gf2m.c

@@ -1077,7 +1077,7 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
         if (tmp == NULL)
             goto err;
         do {
-            if (!BN_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+            if (!BN_priv_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
                 goto err;
             if (!BN_GF2m_mod_arr(rho, rho, p))
                 goto err;

crypto/bn/bn_prime.c

@@ -216,7 +216,7 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         goto err;
 
     for (i = 0; i < checks; i++) {
-        if (!BN_rand_range(check, A1))
+        if (!BN_priv_rand_range(check, A1))
             goto err;
         if (!BN_add_word(check, 1))
             goto err;
@@ -279,7 +279,7 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
     char is_single_word = bits <= BN_BITS2;
 
  again:
-    if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
+    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
         return (0);
     /* we now have a random number 'rnd' to test. */
     for (i = 1; i < NUMPRIMES; i++) {
@@ -363,7 +363,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits,
     if ((t1 = BN_CTX_get(ctx)) == NULL)
         goto err;
 
-    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
@@ -419,7 +419,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     if (!BN_rshift1(qadd, padd))
         goto err;
 
-    if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+    if (!BN_priv_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */

crypto/bn/bn_rand.c

@@ -14,10 +14,14 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
-static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom)
+typedef enum bnrand_flag_e {
+    NORMAL, TESTING, PRIVATE
+} BNRAND_FLAG;
+
+static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom)
 {
     unsigned char *buf = NULL;
-    int ret = 0, bit, bytes, mask;
+    int b, ret = 0, bit, bytes, mask;
 
     if (bits == 0) {
         if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY)
@@ -39,10 +43,11 @@ static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom)
     }
 
     /* make a random number and set the top and bottom bits */
-    if (RAND_bytes(buf, bytes) <= 0)
+    b = flag == NORMAL ? RAND_bytes(buf, bytes) : RAND_priv_bytes(buf, bytes);
+    if (b <= 0)
         goto err;
 
-    if (testing) {
+    if (flag == TESTING) {
         /*
          * generate patterns that are more likely to trigger BN library bugs
          */
@@ -91,22 +96,27 @@ toosmall:
 
 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
-    return bnrand(0, rnd, bits, top, bottom);
+    return bnrand(NORMAL, rnd, bits, top, bottom);
 }
 
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
-    return bnrand(1, rnd, bits, top, bottom);
+    return bnrand(TESTING, rnd, bits, top, bottom);
+}
+
+int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom)
+{
+    return bnrand(PRIVATE, rnd, bits, top, bottom);
 }
 
 /* random number r:  0 <= r < range */
-int BN_rand_range(BIGNUM *r, const BIGNUM *range)
+static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range)
 {
-    int n;
+    int b, n;
     int count = 100;
 
     if (range->neg || BN_is_zero(range)) {
-        BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);
+        BNerr(BN_F_BNRAND_RANGE, BN_R_INVALID_RANGE);
         return 0;
     }
 
@@ -122,7 +132,10 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range)
          * than range
          */
         do {
-            if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
+            b = flag == NORMAL
+                ? BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)
+                : BN_priv_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY);
+            if (!b)
                 return 0;
             /*
              * If r < 3*range, use r := r MOD range (which is either r, r -
@@ -139,7 +152,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range)
             }
 
             if (!--count) {
-                BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+                BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
                 return 0;
             }
 
@@ -152,7 +165,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range)
                 return 0;
 
             if (!--count) {
-                BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+                BNerr(BN_F_BNRAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
                 return 0;
             }
         }
@@ -163,6 +176,16 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range)
     return 1;
 }
 
+int BN_rand_range(BIGNUM *r, const BIGNUM *range)
+{
+    return bnrand_range(NORMAL, r, range);
+}
+
+int BN_priv_rand_range(BIGNUM *r, const BIGNUM *range)
+{
+    return bnrand_range(PRIVATE, r, range);
+}
+
 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
     return BN_rand(rnd, bits, top, bottom);

crypto/bn/bn_x931p.c

@@ -173,7 +173,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
      * - 1. By setting the top two bits we ensure that the lower bound is
      * exceeded.
      */
-    if (!BN_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+    if (!BN_priv_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
         goto err;
 
     BN_CTX_start(ctx);
@@ -182,7 +182,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
         goto err;
 
     for (i = 0; i < 1000; i++) {
-        if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+        if (!BN_priv_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
             goto err;
         /* Check that |Xp - Xq| > 2^(nbits - 100) */
         BN_sub(t, Xp, Xq);
@@ -225,9 +225,9 @@ int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
     if (Xp1 == NULL || Xp2 == NULL)
         goto error;
 
-    if (!BN_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+    if (!BN_priv_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
         goto error;
-    if (!BN_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+    if (!BN_priv_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
         goto error;
     if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
         goto error;

crypto/dh/dh_key.c

@@ -111,14 +111,14 @@ static int generate_key(DH *dh)
     if (generate_new_key) {
         if (dh->q) {
             do {
-                if (!BN_rand_range(priv_key, dh->q))
+                if (!BN_priv_rand_range(priv_key, dh->q))
                     goto err;
             }
             while (BN_is_zero(priv_key) || BN_is_one(priv_key));
         } else {
             /* secret exponent length */
             l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
-            if (!BN_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+            if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
                 goto err;
         }
     }

crypto/dsa/dsa_key.c

@@ -38,7 +38,7 @@ static int dsa_builtin_keygen(DSA *dsa)
         priv_key = dsa->priv_key;
 
     do
-        if (!BN_rand_range(priv_key, dsa->q))
+        if (!BN_priv_rand_range(priv_key, dsa->q))
             goto err;
     while (BN_is_zero(priv_key)) ;
 

crypto/dsa/dsa_ossl.c

@@ -175,7 +175,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
             if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst,
                                        dlen, ctx))
                 goto err;
-        } else if (!BN_rand_range(k, dsa->q))
+        } else if (!BN_priv_rand_range(k, dsa->q))
             goto err;
     } while (BN_is_zero(k));
 

crypto/ec/ec_key.c

@@ -218,7 +218,7 @@ int ec_key_simple_generate_key(EC_KEY *eckey)
         goto err;
 
     do
-        if (!BN_rand_range(priv_key, order))
+        if (!BN_priv_rand_range(priv_key, order))
             goto err;
     while (BN_is_zero(priv_key)) ;
 

crypto/ec/ecdsa_ossl.c

@@ -89,7 +89,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
                     goto err;
                 }
             } else {
-                if (!BN_rand_range(k, order)) {
+                if (!BN_priv_rand_range(k, order)) {
                     ECerr(EC_F_ECDSA_SIGN_SETUP,
                              EC_R_RANDOM_NUMBER_GENERATION_FAILED);
                     goto err;

crypto/err/openssl.txt

@@ -158,6 +158,7 @@ BIO_F_LINEBUFFER_CTRL:129:linebuffer_ctrl
 BIO_F_MEM_WRITE:117:mem_write
 BIO_F_SSL_NEW:118:SSL_new
 BN_F_BNRAND:127:bnrand
+BN_F_BNRAND_RANGE:138:bnrand_range
 BN_F_BN_BLINDING_CONVERT_EX:100:BN_BLINDING_convert_ex
 BN_F_BN_BLINDING_CREATE_PARAM:128:BN_BLINDING_create_param
 BN_F_BN_BLINDING_INVERT_EX:101:BN_BLINDING_invert_ex

crypto/rand/drbg_lib.c

@@ -365,13 +365,6 @@ err:
     return ret;
 }
 
-static void drbg_cleanup(void)
-{
-    CRYPTO_THREAD_write_lock(rand_drbg.lock);
-    RAND_DRBG_uninstantiate(&rand_drbg);
-    CRYPTO_THREAD_unlock(rand_drbg.lock);
-}
-
 static int drbg_add(const void *buf, int num, double randomness)
 {
     unsigned char *in = (unsigned char *)buf;
@@ -411,11 +404,12 @@ static int drbg_status(void)
 }
 
 RAND_DRBG rand_drbg; /* The default global DRBG. */
+RAND_DRBG priv_drbg; /* The global private-key DRBG. */
 
 RAND_METHOD rand_meth = {
     drbg_seed,
     drbg_bytes,
-    drbg_cleanup,
+    NULL,
     drbg_add,
     drbg_bytes,
     drbg_status

crypto/rand/rand_lcl.h

@@ -125,6 +125,7 @@ struct rand_drbg_st {
 extern RAND_METHOD rand_meth;
 extern RAND_BYTES_BUFFER rand_bytes;
 extern RAND_DRBG rand_drbg;
+extern RAND_DRBG priv_drbg;
 
 /* Hardware-based seeding functions. */
 void rand_read_tsc(RAND_poll_fn cb, void *arg);

crypto/rand/rand_lib.c

@@ -169,7 +169,35 @@ size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
 void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out)
 {
     drbg->filled = 0;
-    OPENSSL_cleanse(drbg->randomness, sizeof(drbg->randomness));
+    OPENSSL_cleanse(drbg->randomness, drbg->size);
+}
+
+
+/*
+ * Set up a global DRBG.
+ */
+static int setup_drbg(RAND_DRBG *drbg)
+{
+    int ret = 1;
+
+    drbg->lock = CRYPTO_THREAD_lock_new();
+    ret &= drbg->lock != NULL;
+    drbg->size = RANDOMNESS_NEEDED;
+    drbg->randomness = OPENSSL_malloc(drbg->size);
+    ret &= drbg->randomness != NULL;
+    /* If you change these parameters, see RANDOMNESS_NEEDED */
+    ret &= RAND_DRBG_set(drbg,
+                         NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1;
+    ret &= RAND_DRBG_set_callbacks(drbg, drbg_entropy_from_system,
+                                   drbg_release_entropy, NULL, NULL) == 1;
+    return ret;
+}
+
+static void free_drbg(RAND_DRBG *drbg)
+{
+    CRYPTO_THREAD_lock_free(drbg->lock);
+    OPENSSL_clear_free(drbg->randomness, drbg->size);
+    RAND_DRBG_uninstantiate(drbg);
 }
 
 DEFINE_RUN_ONCE_STATIC(do_rand_init)
@@ -189,22 +217,14 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init)
     rand_bytes.size = MAX_RANDOMNESS_HELD;
     /* TODO: Should this be secure malloc? */
     rand_bytes.buff = malloc(rand_bytes.size);
-    ret &= rand_bytes.buff != NULL;
 
-    rand_drbg.lock = CRYPTO_THREAD_lock_new();
-    ret &= rand_drbg.lock != NULL;
-    rand_drbg.size = RANDOMNESS_NEEDED;
-    rand_drbg.randomness = OPENSSL_malloc(rand_drbg.size);
-    ret &= rand_drbg.randomness != NULL;
-    /* If you change these parameters, see RANDOMNESS_NEEDED */
-    ret &= RAND_DRBG_set(&rand_drbg,
-                         NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1;
-    ret &= RAND_DRBG_set_callbacks(&rand_drbg, drbg_entropy_from_system,
-                                   drbg_release_entropy,
-                                   NULL, NULL) == 1;
+    ret &= rand_bytes.buff != NULL;
+    ret &= setup_drbg(&rand_drbg);
+    ret &= setup_drbg(&priv_drbg);
     return ret;
 }
 
+
 void rand_cleanup_int(void)
 {
     const RAND_METHOD *meth = default_RAND_meth;
@@ -217,9 +237,9 @@ void rand_cleanup_int(void)
 #endif
     CRYPTO_THREAD_lock_free(rand_meth_lock);
     CRYPTO_THREAD_lock_free(rand_bytes.lock);
-    OPENSSL_clear_free(rand_drbg.randomness, rand_drbg.size);
-    CRYPTO_THREAD_lock_free(rand_drbg.lock);
-    RAND_DRBG_uninstantiate(&rand_drbg);
+    OPENSSL_clear_free(rand_bytes.buff, rand_bytes.size);
+    free_drbg(&rand_drbg);
+    free_drbg(&priv_drbg);
 }
 
 /*
@@ -323,6 +343,25 @@ void RAND_add(const void *buf, int num, double randomness)
         meth->add(buf, num, randomness);
 }
 
+/*
+ * This function is not part of RAND_METHOD, so if we're not using
+ * the default method, then just call RAND_bytes().  Otherwise make
+ * sure we're instantiated and use the private DRBG.
+ */
+int RAND_priv_bytes(unsigned char *buf, int num)
+{
+    const RAND_METHOD *meth = RAND_get_rand_method();
+
+    if (meth != RAND_OpenSSL())
+        return RAND_bytes(buf, num);
+
+    if (priv_drbg.state == DRBG_UNINITIALISED
+            && RAND_DRBG_instantiate(&priv_drbg, NULL, 0) == 0)
+        return 0;
+    return RAND_DRBG_generate(&priv_drbg, buf, num, 0, NULL, 0);
+
+}
+
 int RAND_bytes(unsigned char *buf, int num)
 {
     const RAND_METHOD *meth = RAND_get_rand_method();

doc/man3/RAND_bytes.pod

@@ -2,13 +2,14 @@
 
 =head1 NAME
 
-RAND_bytes, RAND_pseudo_bytes - generate random data
+RAND_bytes, RAND_priv_bytes, RAND_pseudo_bytes - generate random data
 
 =head1 SYNOPSIS
 
  #include <openssl/rand.h>
 
  int RAND_bytes(unsigned char *buf, int num);
+ int RAND_priv_bytes(unsigned char *buf, int num);
 
 Deprecated:
 
@@ -22,9 +23,15 @@ RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
 into B<buf>. An error occurs if the PRNG has not been seeded with
 enough randomness to ensure an unpredictable byte sequence.
 
+RAND_priv_bytes() has the same semantics as RAND_bytes().  It is intended to
+be used for generating long-term private keys. If using the default
+RAND_METHOD, this function uses a separate instance of the PRNG so that
+a compromise of the global generator will not affect such key generation.
+
 =head1 RETURN VALUES
 
-RAND_bytes() returns 1 on success, -1 if not supported by the current
+RAND_bytes() nad RAND_priv_bytes()
+return 1 on success, -1 if not supported by the current
 RAND method, or 0 on other failure. The error code can be
 obtained by L<ERR_get_error(3)>.
 

include/openssl/bn.h

@@ -154,7 +154,9 @@ void BN_CTX_start(BN_CTX *ctx);
 BIGNUM *BN_CTX_get(BN_CTX *ctx);
 void BN_CTX_end(BN_CTX *ctx);
 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom);
 int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int BN_priv_rand_range(BIGNUM *rnd, const BIGNUM *range);
 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
 int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
 int BN_num_bits(const BIGNUM *a);

include/openssl/bnerr.h

@@ -23,6 +23,7 @@ int ERR_load_BN_strings(void);
  * BN function codes.
  */
 # define BN_F_BNRAND                                      127
+# define BN_F_BNRAND_RANGE                                138
 # define BN_F_BN_BLINDING_CONVERT_EX                      100
 # define BN_F_BN_BLINDING_CREATE_PARAM                    128
 # define BN_F_BN_BLINDING_INVERT_EX                       101

include/openssl/rand.h

@@ -40,6 +40,7 @@ RAND_METHOD *RAND_OpenSSL(void);
 #   define RAND_cleanup() while(0) continue
 # endif
 int RAND_bytes(unsigned char *buf, int num);
+int RAND_priv_bytes(unsigned char *buf, int num);
 DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
 
 void RAND_seed(const void *buf, int num);

util/libcrypto.num

@@ -4373,3 +4373,6 @@ EVP_PKEY_meth_get0                      4316	1_1_1	EXIST::FUNCTION:
 EVP_PKEY_meth_get_count                 4317	1_1_1	EXIST::FUNCTION:
 RAND_poll_ex                            4318	1_1_1	EXIST::FUNCTION:
 RAND_DRBG_get0_global                   4319	1_1_1	EXIST::FUNCTION:
+RAND_priv_bytes                         4320	1_1_1	EXIST::FUNCTION:
+BN_priv_rand                            4321	1_1_1	EXIST::FUNCTION:
+BN_priv_rand_range                      4322	1_1_1	EXIST::FUNCTION: