commit 25f3d84f4cf1f92c9fb44e4b93c3ade41bdf968c
author David Benjamin <davidben@google.com> Sun Feb 04 11:09:50 2018 -0500
committer Adam Langley <agl@google.com> Mon Apr 02 18:07:12 2018 +0000
tree 14597043f89b79276bca5190daf11e2dfdf477c3
parent 85c2cd8a458dc62fb7e9a540d94d21d1bb39c86a

Rewrite BN_rand without an extra malloc.

RSA keygen uses this to pick primes. May as well avoid bouncing on
malloc. (The BIGNUM internally allocates, of course, but that allocation
will be absorbed by BN_CTX in RSA keygen.)

Change-Id: Ie2243a6e48b9c55f777153cbf67ba5c06688c2f1
Reviewed-on: https://boringssl-review.googlesource.com/26887
Reviewed-by: Adam Langley <agl@google.com>

crypto/fipsmodule/bn/random.c

diff --git a/crypto/fipsmodule/bn/random.c b/crypto/fipsmodule/bn/random.c
index 5922df4..e41a0ef 100644
--- a/crypto/fipsmodule/bn/random.c
+++ b/crypto/fipsmodule/bn/random.c
@@ -108,10 +108,10 @@
 
 #include <openssl/bn.h>
 
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/err.h>
-#include <openssl/mem.h>
 #include <openssl/rand.h>
 #include <openssl/type_check.h>
 
@@ -121,9 +121,6 @@
 
 
 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
-  uint8_t *buf = NULL;
-  int ret = 0, bit, bytes, mask;
-
   if (rnd == NULL) {
     return 0;
   }
@@ -144,48 +141,41 @@
     return 1;
   }
 
-  bytes = (bits + 7) / 8;
-  bit = (bits - 1) % 8;
-  mask = 0xff << (bit + 1);
-
-  buf = OPENSSL_malloc(bytes);
-  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
+  if (bits > INT_MAX - (BN_BITS2 - 1)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
+    return 0;
   }
 
-  // Make a random number and set the top and bottom bits.
-  RAND_bytes(buf, bytes);
+  int words = (bits + BN_BITS2 - 1) / BN_BITS2;
+  int bit = (bits - 1) % BN_BITS2;
+  const BN_ULONG kOne = 1;
+  const BN_ULONG kThree = 3;
+  BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;
+  if (!bn_wexpand(rnd, words)) {
+    return 0;
+  }
 
+  RAND_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
+  rnd->d[words - 1] &= mask;
   if (top != BN_RAND_TOP_ANY) {
     if (top == BN_RAND_TOP_TWO && bits > 1) {
       if (bit == 0) {
-        buf[0] = 1;
-        buf[1] |= 0x80;
+        rnd->d[words - 1] |= 1;
+        rnd->d[words - 2] |= kOne << (BN_BITS2 - 1);
       } else {
-        buf[0] |= (3 << (bit - 1));
+        rnd->d[words - 1] |= kThree << (bit - 1);
       }
     } else {
-      buf[0] |= (1 << bit);
+      rnd->d[words - 1] |= kOne << bit;
     }
   }
-
-  buf[0] &= ~mask;
-
-  // Set the bottom bit if requested,
-  if (bottom == BN_RAND_BOTTOM_ODD)  {
-    buf[bytes - 1] |= 1;
+  if (bottom == BN_RAND_BOTTOM_ODD) {
+    rnd->d[0] |= 1;
   }
 
-  if (!BN_bin2bn(buf, bytes, rnd)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  OPENSSL_free(buf);
-  return ret;
+  rnd->neg = 0;
+  rnd->width = words;
+  return 1;
 }
 
 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {