void _gcry_mpi_randomize (gcry_mpi_t w, unsigned int nbits, enum gcry_random_level level) { unsigned char *p; size_t nbytes = (nbits+7)/8; if (mpi_is_immutable (w)) { mpi_immutable_failed (); return; } if (level == GCRY_WEAK_RANDOM) { p = mpi_is_secure(w) ? xmalloc_secure (nbytes) : xmalloc (nbytes); _gcry_create_nonce (p, nbytes); } else { p = mpi_is_secure(w) ? _gcry_random_bytes_secure (nbytes, level) : _gcry_random_bytes (nbytes, level); } _gcry_mpi_set_buffer( w, p, nbytes, 0 ); xfree (p); }
void * gcry_random_bytes_secure (size_t nbytes, enum gcry_random_level level) { if (!fips_is_operational ()) { (void)fips_not_operational (); fips_signal_fatal_error ("called in non-operational state"); fips_noreturn (); } return _gcry_random_bytes_secure (nbytes, level); }
/* * Generate a random secret exponent K less than Q. * Note that ECDSA uses this code also to generate D. */ gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level) { gcry_mpi_t k = mpi_alloc_secure (mpi_get_nlimbs (q)); unsigned int nbits = mpi_get_nbits (q); unsigned int nbytes = (nbits+7)/8; char *rndbuf = NULL; /* To learn why we don't use mpi_mod to get the requested bit size, read the paper: "The Insecurity of the Digital Signature Algorithm with Partially Known Nonces" by Nguyen and Shparlinski. Journal of Cryptology, New York. Vol 15, nr 3 (2003) */ if (DBG_CIPHER) log_debug ("choosing a random k of %u bits at seclevel %d\n", nbits, security_level); for (;;) { if ( !rndbuf || nbits < 32 ) { xfree (rndbuf); rndbuf = _gcry_random_bytes_secure (nbytes, security_level); } else { /* Change only some of the higher bits. We could improve this by directly requesting more memory at the first call to get_random_bytes() and use these extra bytes here. However the required management code is more complex and thus we better use this simple method. */ char *pp = _gcry_random_bytes_secure (4, security_level); memcpy (rndbuf, pp, 4); xfree (pp); } _gcry_mpi_set_buffer (k, rndbuf, nbytes, 0); /* Make sure we have the requested number of bits. This code looks a bit funny but it is easy to understand if you consider that mpi_set_highbit clears all higher bits. We don't have a clear_highbit, thus we first set the high bit and then clear it again. */ if (mpi_test_bit (k, nbits-1)) mpi_set_highbit (k, nbits-1); else { mpi_set_highbit (k, nbits-1); mpi_clear_bit (k, nbits-1); } if (!(mpi_cmp (k, q) < 0)) /* check: k < q */ { if (DBG_CIPHER) log_debug ("\tk too large - again\n"); continue; /* no */ } if (!(mpi_cmp_ui (k, 0) > 0)) /* check: k > 0 */ { if (DBG_CIPHER) log_debug ("\tk is zero - again\n"); continue; /* no */ } break; /* okay */ } xfree (rndbuf); return k; }
/** * _gcry_ecc_eddsa_genkey - EdDSA version of the key generation. * * @sk: A struct to receive the secret key. * @E: Parameters of the curve. * @ctx: Elliptic curve computation context. * @flags: Flags controlling aspects of the creation. * * Return: An error code. * * The only @flags bit used by this function is %PUBKEY_FLAG_TRANSIENT * to use a faster RNG. */ gpg_err_code_t _gcry_ecc_eddsa_genkey (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx, int flags) { gpg_err_code_t rc; int b = 256/8; /* The only size we currently support. */ gcry_mpi_t a, x, y; mpi_point_struct Q; gcry_random_level_t random_level; char *dbuf; size_t dlen; gcry_buffer_t hvec[1]; unsigned char *hash_d = NULL; point_init (&Q); memset (hvec, 0, sizeof hvec); if ((flags & PUBKEY_FLAG_TRANSIENT_KEY)) random_level = GCRY_STRONG_RANDOM; else random_level = GCRY_VERY_STRONG_RANDOM; a = mpi_snew (0); x = mpi_new (0); y = mpi_new (0); /* Generate a secret. */ hash_d = xtrymalloc_secure (2*b); if (!hash_d) { rc = gpg_error_from_syserror (); goto leave; } dlen = b; dbuf = _gcry_random_bytes_secure (dlen, random_level); /* Compute the A value. */ hvec[0].data = dbuf; hvec[0].len = dlen; rc = _gcry_md_hash_buffers (GCRY_MD_SHA512, 0, hash_d, hvec, 1); if (rc) goto leave; sk->d = _gcry_mpi_set_opaque (NULL, dbuf, dlen*8); dbuf = NULL; reverse_buffer (hash_d, 32); /* Only the first half of the hash. */ hash_d[0] = (hash_d[0] & 0x7f) | 0x40; hash_d[31] &= 0xf8; _gcry_mpi_set_buffer (a, hash_d, 32, 0); xfree (hash_d); hash_d = NULL; /* log_printmpi ("ecgen a", a); */ /* Compute Q. */ _gcry_mpi_ec_mul_point (&Q, a, &E->G, ctx); if (DBG_CIPHER) log_printpnt ("ecgen pk", &Q, ctx); /* Copy the stuff to the key structures. */ sk->E.model = E->model; sk->E.dialect = E->dialect; sk->E.p = mpi_copy (E->p); sk->E.a = mpi_copy (E->a); sk->E.b = mpi_copy (E->b); point_init (&sk->E.G); point_set (&sk->E.G, &E->G); sk->E.n = mpi_copy (E->n); point_init (&sk->Q); point_set (&sk->Q, &Q); leave: point_free (&Q); _gcry_mpi_release (a); _gcry_mpi_release (x); _gcry_mpi_release (y); xfree (hash_d); return rc; }