grpc 1.13.0 → 1.14.0

data/third_party/boringssl/crypto/fipsmodule/bn/random.c

@@ -120,8 +120,6 @@
 #include "../rand/internal.h"
 
 
-static const uint8_t kDefaultAdditionalData[32] = {0};
-
 int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
   uint8_t *buf = NULL;
   int ret = 0, bit, bytes, mask;
@@ -194,15 +192,16 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
   return BN_rand(rnd, bits, top, bottom);
 }
 
-// bn_less_than_word returns one if the number represented by |len| words at |a|
-// is less than |b| and zero otherwise. It performs this computation in time
-// independent of the value of |a|. |b| is assumed public.
-static int bn_less_than_word(const BN_ULONG *a, size_t len, BN_ULONG b) {
+// bn_less_than_word_mask returns a mask of all ones if the number represented
+// by |len| words at |a| is less than |b| and zero otherwise. It performs this
+// computation in time independent of the value of |a|. |b| is assumed public.
+static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,
+                                            BN_ULONG b) {
   if (b == 0) {
-    return 0;
+    return CONSTTIME_FALSE_W;
   }
   if (len == 0) {
-    return 1;
+    return CONSTTIME_TRUE_W;
   }
 
   // |a| < |b| iff a[1..len-1] are all zero and a[0] < b.
@@ -215,25 +214,19 @@ static int bn_less_than_word(const BN_ULONG *a, size_t len, BN_ULONG b) {
   // |mask| is now zero iff a[1..len-1] are all zero.
   mask = constant_time_is_zero_w(mask);
   mask &= constant_time_lt_w(a[0], b);
-  return constant_time_select_int(mask, 1, 0);
+  return mask;
 }
 
 int bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,
                       const BN_ULONG *max_exclusive, size_t len) {
-  return bn_less_than_words(a, max_exclusive, len) &&
-         !bn_less_than_word(a, len, min_inclusive);
+  crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);
+  return mask & bn_less_than_words(a, max_exclusive, len);
 }
 
-int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
-                        const BN_ULONG *max_exclusive, size_t len,
-                        const uint8_t additional_data[32]) {
-  // This function implements the equivalent of steps 4 through 7 of FIPS 186-4
-  // appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
-  // is n and |min_inclusive| is one.
-
-  // Compute the bit length of |max_exclusive| (step 1), in terms of a number of
-  // |words| worth of entropy to fill and a mask of bits to clear in the top
-  // word.
+static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask,
+                            size_t min_inclusive, const BN_ULONG *max_exclusive,
+                            size_t len) {
+  // The magnitude of |max_exclusive| is assumed public.
   size_t words = len;
   while (words > 0 && max_exclusive[words - 1] == 0) {
     words--;
@@ -254,6 +247,27 @@ int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
   mask |= mask >> 32;
 #endif
 
+  *out_words = words;
+  *out_mask = mask;
+  return 1;
+}
+
+int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
+                        const BN_ULONG *max_exclusive, size_t len,
+                        const uint8_t additional_data[32]) {
+  // This function implements the equivalent of steps 4 through 7 of FIPS 186-4
+  // appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
+  // is n and |min_inclusive| is one.
+
+  // Compute the bit length of |max_exclusive| (step 1), in terms of a number of
+  // |words| worth of entropy to fill and a mask of bits to clear in the top
+  // word.
+  size_t words;
+  BN_ULONG mask;
+  if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {
+    return 0;
+  }
+
   // Fill any unused words with zero.
   OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));
 
@@ -278,6 +292,7 @@ int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
 
 int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
                      const BIGNUM *max_exclusive) {
+  static const uint8_t kDefaultAdditionalData[32] = {0};
   if (!bn_wexpand(r, max_exclusive->width) ||
       !bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,
                            max_exclusive->width, kDefaultAdditionalData)) {
@@ -289,6 +304,44 @@ int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
   return 1;
 }
 
+int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
+                         const BIGNUM *max_exclusive) {
+  size_t words;
+  BN_ULONG mask;
+  if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,
+                        max_exclusive->width) ||
+      !bn_wexpand(r, words)) {
+    return 0;
+  }
+
+  assert(words > 0);
+  assert(mask != 0);
+  // The range must be large enough for bit tricks to fix invalid values.
+  if (words == 1 && min_inclusive > mask >> 1) {
+    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
+    return 0;
+  }
+
+  // Select a uniform random number with num_bits(max_exclusive) bits.
+  RAND_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
+  r->d[words - 1] &= mask;
+
+  // Check, in constant-time, if the value is in range.
+  *out_is_uniform =
+      bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);
+  crypto_word_t in_range = *out_is_uniform;
+  in_range = 0 - in_range;
+
+  // If the value is not in range, force it to be in range.
+  r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);
+  r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
+  assert(bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
+
+  r->neg = 0;
+  r->width = words;
+  return 1;
+}
+
 int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
   return BN_rand_range_ex(r, 0, range);
 }

data/third_party/boringssl/crypto/fipsmodule/bn/shift.c

@@ -59,6 +59,7 @@
 #include <string.h>
 
 #include <openssl/err.h>
+#include <openssl/type_check.h>
 
 #include "internal.h"
 
@@ -132,99 +133,88 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a) {
   return 1;
 }
 
-int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) {
-  int i, j, nw, lb, rb;
-  BN_ULONG *t, *f;
-  BN_ULONG l, tmp;
+static void bn_rshift_words(BN_ULONG *r, const BN_ULONG *a, unsigned shift,
+                            size_t num) {
+  unsigned shift_bits = shift % BN_BITS2;
+  size_t shift_words = shift / BN_BITS2;
+  if (shift_words >= num) {
+    OPENSSL_memset(r, 0, num * sizeof(BN_ULONG));
+    return;
+  }
+  if (shift_bits == 0) {
+    OPENSSL_memmove(r, a + shift_words, (num - shift_words) * sizeof(BN_ULONG));
+  } else {
+    for (size_t i = shift_words; i < num - 1; i++) {
+      r[i - shift_words] =
+          (a[i] >> shift_bits) | (a[i + 1] << (BN_BITS2 - shift_bits));
+    }
+    r[num - 1 - shift_words] = a[num - 1] >> shift_bits;
+  }
+  OPENSSL_memset(r + num - shift_words, 0, shift_words * sizeof(BN_ULONG));
+}
 
+int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) {
   if (n < 0) {
     OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
     return 0;
   }
 
-  int a_width = bn_minimal_width(a);
-  nw = n / BN_BITS2;
-  rb = n % BN_BITS2;
-  lb = BN_BITS2 - rb;
-  if (nw >= a_width || a_width == 0) {
-    BN_zero(r);
-    return 1;
-  }
-  i = (BN_num_bits(a) - n + (BN_BITS2 - 1)) / BN_BITS2;
-  if (r != a) {
-    r->neg = a->neg;
-    if (!bn_wexpand(r, i)) {
-      return 0;
-    }
-  } else {
-    if (n == 0) {
-      return 1;  // or the copying loop will go berserk
-    }
+  if (!bn_wexpand(r, a->width)) {
+    return 0;
   }
+  bn_rshift_words(r->d, a->d, n, a->width);
+  r->neg = a->neg;
+  r->width = a->width;
+  bn_set_minimal_width(r);
+  return 1;
+}
 
-  f = &(a->d[nw]);
-  t = r->d;
-  j = a_width - nw;
-  r->width = i;
-
-  if (rb == 0) {
-    for (i = j; i != 0; i--) {
-      *(t++) = *(f++);
-    }
-  } else {
-    l = *(f++);
-    for (i = j - 1; i != 0; i--) {
-      tmp = l >> rb;
-      l = *(f++);
-      *(t++) = tmp | (l << lb);
-    }
-    l >>= rb;
-    if (l) {
-      *(t) = l;
-    }
+int bn_rshift_secret_shift(BIGNUM *r, const BIGNUM *a, unsigned n,
+                           BN_CTX *ctx) {
+  int ret = 0;
+  BN_CTX_start(ctx);
+  BIGNUM *tmp = BN_CTX_get(ctx);
+  if (tmp == NULL ||
+      !BN_copy(r, a) ||
+      !bn_wexpand(tmp, r->width)) {
+    goto err;
   }
 
-  if (r->width == 0) {
-    r->neg = 0;
+  // Shift conditionally by powers of two.
+  unsigned max_bits = BN_BITS2 * r->width;
+  for (unsigned i = 0; (max_bits >> i) != 0; i++) {
+    BN_ULONG mask = (n >> i) & 1;
+    mask = 0 - mask;
+    bn_rshift_words(tmp->d, r->d, 1u << i, r->width);
+    bn_select_words(r->d, mask, tmp->d /* apply shift */,
+                    r->d /* ignore shift */, r->width);
   }
 
-  return 1;
-}
+  ret = 1;
 
-int BN_rshift1(BIGNUM *r, const BIGNUM *a) {
-  BN_ULONG *ap, *rp, t, c;
-  int i, j;
+err:
+  BN_CTX_end(ctx);
+  return ret;
+}
 
-  if (BN_is_zero(a)) {
-    BN_zero(r);
-    return 1;
-  }
-  i = bn_minimal_width(a);
-  ap = a->d;
-  j = i - (ap[i - 1] == 1);
-  if (a != r) {
-    if (!bn_wexpand(r, j)) {
-      return 0;
-    }
-    r->neg = a->neg;
-  }
-  rp = r->d;
-  t = ap[--i];
-  c = t << (BN_BITS2 - 1);
-  if (t >>= 1) {
-    rp[i] = t;
+void bn_rshift1_words(BN_ULONG *r, const BN_ULONG *a, size_t num) {
+  if (num == 0) {
+    return;
   }
-  while (i > 0) {
-    t = ap[--i];
-    rp[i] = (t >> 1) | c;
-    c = t << (BN_BITS2 - 1);
+  for (size_t i = 0; i < num - 1; i++) {
+    r[i] = (a[i] >> 1) | (a[i + 1] << (BN_BITS2 - 1));
   }
-  r->width = j;
+  r[num - 1] = a[num - 1] >> 1;
+}
 
-  if (r->width == 0) {
-    r->neg = 0;
+int BN_rshift1(BIGNUM *r, const BIGNUM *a) {
+  if (!bn_wexpand(r, a->width)) {
+    return 0;
   }
-
+  bn_rshift1_words(r->d, a->d, a->width);
+  r->width = a->width;
+  r->neg = a->neg;
+  bn_set_minimal_width(r);
   return 1;
 }
 
@@ -292,7 +282,7 @@ int BN_mask_bits(BIGNUM *a, int n) {
   int w = n / BN_BITS2;
   int b = n % BN_BITS2;
   if (w >= a->width) {
-    return 0;
+    return 1;
   }
   if (b == 0) {
     a->width = w;
@@ -305,18 +295,70 @@ int BN_mask_bits(BIGNUM *a, int n) {
   return 1;
 }
 
+static int bn_count_low_zero_bits_word(BN_ULONG l) {
+  OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                         crypto_word_t_too_small);
+  OPENSSL_COMPILE_ASSERT(sizeof(int) <= sizeof(crypto_word_t),
+                         crypto_word_t_too_small_2);
+  OPENSSL_COMPILE_ASSERT(BN_BITS2 == sizeof(BN_ULONG) * 8,
+                         bn_ulong_has_padding_bits);
+  // C has very bizarre rules for types smaller than an int.
+  OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) >= sizeof(int),
+                         bn_ulong_is_promoted_to_int);
+
+  crypto_word_t mask;
+  int bits = 0;
+
+#if BN_BITS2 > 32
+  // Check if the lower half of |x| are all zero.
+  mask = constant_time_is_zero_w(l << (BN_BITS2 - 32));
+  // If the lower half is all zeros, it is included in the bit count and we
+  // count the upper half. Otherwise, we count the lower half.
+  bits += 32 & mask;
+  l = constant_time_select_w(mask, l >> 32, l);
+#endif
+
+  // The remaining blocks are analogous iterations at lower powers of two.
+  mask = constant_time_is_zero_w(l << (BN_BITS2 - 16));
+  bits += 16 & mask;
+  l = constant_time_select_w(mask, l >> 16, l);
+
+  mask = constant_time_is_zero_w(l << (BN_BITS2 - 8));
+  bits += 8 & mask;
+  l = constant_time_select_w(mask, l >> 8, l);
+
+  mask = constant_time_is_zero_w(l << (BN_BITS2 - 4));
+  bits += 4 & mask;
+  l = constant_time_select_w(mask, l >> 4, l);
+
+  mask = constant_time_is_zero_w(l << (BN_BITS2 - 2));
+  bits += 2 & mask;
+  l = constant_time_select_w(mask, l >> 2, l);
+
+  mask = constant_time_is_zero_w(l << (BN_BITS2 - 1));
+  bits += 1 & mask;
+
+  return bits;
+}
+
 int BN_count_low_zero_bits(const BIGNUM *bn) {
+  OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
+                         crypto_word_t_too_small);
+  OPENSSL_COMPILE_ASSERT(sizeof(int) <= sizeof(crypto_word_t),
+                         crypto_word_t_too_small_2);
+
+  int ret = 0;
+  crypto_word_t saw_nonzero = 0;
   for (int i = 0; i < bn->width; i++) {
-    if (bn->d[i] != 0) {
-      int bits = 0;
-      for (BN_ULONG w = bn->d[i]; (w & 1) == 0; w >>= 1) {
-        bits++;
-      }
-      return i * BN_BITS2 + bits;
-    }
+    crypto_word_t nonzero = ~constant_time_is_zero_w(bn->d[i]);
+    crypto_word_t first_nonzero = ~saw_nonzero & nonzero;
+    saw_nonzero |= nonzero;
+
+    int bits = bn_count_low_zero_bits_word(bn->d[i]);
+    ret |= first_nonzero & (i * BN_BITS2 + bits);
   }
 
-  // We got to the end of |bn| and saw no non-zero words. |bn| is zero, so
-  // return zero.
-  return 0;
+  // If got to the end of |bn| and saw no non-zero words, |bn| is zero. |ret|
+  // will then remain zero.
+  return ret;
 }

data/third_party/boringssl/crypto/fipsmodule/bn/sqrt.c

@@ -184,7 +184,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
     // November 1992.)
 
     // t := 2*a
-    if (!bn_mod_lshift1_quick_ctx(t, A, p, ctx)) {
+    if (!bn_mod_lshift1_consttime(t, A, p, ctx)) {
       goto end;
     }
 

data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c

@@ -84,6 +84,25 @@
 
 DEFINE_STATIC_EX_DATA_CLASS(g_ec_ex_data_class);
 
+static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {
+  EC_WRAPPED_SCALAR *wrapped = OPENSSL_malloc(sizeof(EC_WRAPPED_SCALAR));
+  if (wrapped == NULL) {
+    OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR));
+  wrapped->bignum.d = wrapped->scalar.words;
+  wrapped->bignum.width = group->order.width;
+  wrapped->bignum.dmax = group->order.width;
+  wrapped->bignum.flags = BN_FLG_STATIC_DATA;
+  return wrapped;
+}
+
+static void ec_wrapped_scalar_free(EC_WRAPPED_SCALAR *scalar) {
+  OPENSSL_free(scalar);
+}
+
 EC_KEY *EC_KEY_new(void) { return EC_KEY_new_method(NULL); }
 
 EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
@@ -151,7 +170,7 @@ void EC_KEY_free(EC_KEY *r) {
 
   EC_GROUP_free(r->group);
   EC_POINT_free(r->pub_key);
-  BN_clear_free(r->priv_key);
+  ec_wrapped_scalar_free(r->priv_key);
   BN_free(r->fixed_k);
 
   CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
@@ -159,65 +178,29 @@ void EC_KEY_free(EC_KEY *r) {
   OPENSSL_free(r);
 }
 
-EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) {
-  if (dest == NULL || src == NULL) {
+EC_KEY *EC_KEY_dup(const EC_KEY *src) {
+  if (src == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
     return NULL;
   }
-  // Copy the parameters.
-  if (src->group) {
-    // TODO(fork): duplicating the group seems wasteful.
-    EC_GROUP_free(dest->group);
-    dest->group = EC_GROUP_dup(src->group);
-    if (dest->group == NULL) {
-      return NULL;
-    }
-  }
 
-  // Copy the public key.
-  if (src->pub_key && src->group) {
-    EC_POINT_free(dest->pub_key);
-    dest->pub_key = EC_POINT_dup(src->pub_key, src->group);
-    if (dest->pub_key == NULL) {
-      return NULL;
-    }
-  }
-
-  // copy the private key
-  if (src->priv_key) {
-    if (dest->priv_key == NULL) {
-      dest->priv_key = BN_new();
-      if (dest->priv_key == NULL) {
-        return NULL;
-      }
-    }
-    if (!BN_copy(dest->priv_key, src->priv_key)) {
-      return NULL;
-    }
-  }
-  // copy method/extra data
-  if (src->ecdsa_meth) {
-      METHOD_unref(dest->ecdsa_meth);
-      dest->ecdsa_meth = src->ecdsa_meth;
-      METHOD_ref(dest->ecdsa_meth);
-  }
-
-  // copy the rest
-  dest->enc_flag = src->enc_flag;
-  dest->conv_form = src->conv_form;
-
-  return dest;
-}
-
-EC_KEY *EC_KEY_dup(const EC_KEY *ec_key) {
   EC_KEY *ret = EC_KEY_new();
   if (ret == NULL) {
     return NULL;
   }
-  if (EC_KEY_copy(ret, ec_key) == NULL) {
+
+  if ((src->group != NULL &&
+       !EC_KEY_set_group(ret, src->group)) ||
+      (src->pub_key != NULL &&
+       !EC_KEY_set_public_key(ret, src->pub_key)) ||
+      (src->priv_key != NULL &&
+       !EC_KEY_set_private_key(ret, EC_KEY_get0_private_key(src)))) {
     EC_KEY_free(ret);
     return NULL;
   }
+
+  ret->enc_flag = src->enc_flag;
+  ret->conv_form = src->conv_form;
   return ret;
 }
 
@@ -251,7 +234,7 @@ int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {
 }
 
 const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) {
-  return key->priv_key;
+  return key->priv_key != NULL ? &key->priv_key->bignum : NULL;
 }
 
 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
@@ -260,14 +243,18 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
     return 0;
   }
 
-  if (BN_is_negative(priv_key) ||
-      BN_cmp(priv_key, EC_GROUP_get0_order(key->group)) >= 0) {
+  EC_WRAPPED_SCALAR *scalar = ec_wrapped_scalar_new(key->group);
+  if (scalar == NULL) {
+    return 0;
+  }
+  if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key)) {
     OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
+    ec_wrapped_scalar_free(scalar);
     return 0;
   }
-  BN_clear_free(key->priv_key);
-  key->priv_key = BN_dup(priv_key);
-  return (key->priv_key == NULL) ? 0 : 1;
+  ec_wrapped_scalar_free(key->priv_key);
+  key->priv_key = scalar;
+  return 1;
 }
 
 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key) {
@@ -332,15 +319,11 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
   }
   // in case the priv_key is present :
   // check if generator * priv_key == pub_key
-  if (eckey->priv_key) {
-    if (BN_is_negative(eckey->priv_key) ||
-        BN_cmp(eckey->priv_key, EC_GROUP_get0_order(eckey->group)) >= 0) {
-      OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
-      goto err;
-    }
+  if (eckey->priv_key != NULL) {
     point = EC_POINT_new(eckey->group);
     if (point == NULL ||
-        !EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, NULL, ctx)) {
+        !ec_point_mul_scalar(eckey->group, point, &eckey->priv_key->scalar,
+                             NULL, NULL, ctx)) {
       OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
       goto err;
     }
@@ -411,65 +394,37 @@ err:
   return ok;
 }
 
-int EC_KEY_generate_key(EC_KEY *eckey) {
-  int ok = 0;
-  BIGNUM *priv_key = NULL;
-  EC_POINT *pub_key = NULL;
-
-  if (!eckey || !eckey->group) {
+int EC_KEY_generate_key(EC_KEY *key) {
+  if (key == NULL || key->group == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
     return 0;
   }
 
-  if (eckey->priv_key == NULL) {
-    priv_key = BN_new();
-    if (priv_key == NULL) {
-      goto err;
-    }
-  } else {
-    priv_key = eckey->priv_key;
-  }
-
-  const BIGNUM *order = EC_GROUP_get0_order(eckey->group);
-
-  // Check that the size of the group order is FIPS compliant (FIPS 186-4
-  // B.4.2).
-  if (BN_num_bits(order) < 160) {
+  // Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).
+  if (BN_num_bits(EC_GROUP_get0_order(key->group)) < 160) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
-    goto err;
-  }
-
-  // Generate the private key by testing candidates (FIPS 186-4 B.4.2).
-  if (!BN_rand_range_ex(priv_key, 1, order)) {
-    goto err;
-  }
-
-  if (eckey->pub_key == NULL) {
-    pub_key = EC_POINT_new(eckey->group);
-    if (pub_key == NULL) {
-      goto err;
-    }
-  } else {
-    pub_key = eckey->pub_key;
-  }
-
-  if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, NULL)) {
-    goto err;
+    return 0;
   }
 
-  eckey->priv_key = priv_key;
-  eckey->pub_key = pub_key;
-
-  ok = 1;
-
-err:
-  if (eckey->pub_key == NULL) {
+  static const uint8_t kDefaultAdditionalData[32] = {0};
+  EC_WRAPPED_SCALAR *priv_key = ec_wrapped_scalar_new(key->group);
+  EC_POINT *pub_key = EC_POINT_new(key->group);
+  if (priv_key == NULL || pub_key == NULL ||
+      // Generate the private key by testing candidates (FIPS 186-4 B.4.2).
+      !ec_random_nonzero_scalar(key->group, &priv_key->scalar,
+                                kDefaultAdditionalData) ||
+      !ec_point_mul_scalar(key->group, pub_key, &priv_key->scalar, NULL, NULL,
+                           NULL)) {
     EC_POINT_free(pub_key);
+    ec_wrapped_scalar_free(priv_key);
+    return 0;
   }
-  if (eckey->priv_key == NULL) {
-    BN_free(priv_key);
-  }
-  return ok;
+
+  ec_wrapped_scalar_free(key->priv_key);
+  key->priv_key = priv_key;
+  EC_POINT_free(key->pub_key);
+  key->pub_key = pub_key;
+  return 1;
 }
 
 int EC_KEY_generate_key_fips(EC_KEY *eckey) {