/*
- * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* DRBGs. It reseeds itself by pulling either randomness from os entropy
* sources or by consuming randomnes which was added by RAND_add()
*/
-static RAND_DRBG drbg_master;
+static RAND_DRBG *drbg_master;
/*
* THE PUBLIC DRBG
*
* Used by default for generating random bytes using RAND_bytes().
*/
-static RAND_DRBG drbg_public;
+static RAND_DRBG *drbg_public;
/*
* THE PRIVATE DRBG
*
* Used by default for generating private keys using RAND_priv_bytes()
*/
-static RAND_DRBG drbg_private;
+static RAND_DRBG *drbg_private;
/*+
* DRBG HIERARCHY
*
*
* AUTOMATIC RESEEDING
*
- * Before satisfying a generate request, a DRBG reseeds itself automatically
- * if the number of generate requests since the last reseeding exceeds a
- * certain threshold, the so called |reseed_interval|. This automatic
- * reseeding can be disabled by setting the |reseed_interval| to 0.
+ * Before satisfying a generate request, a DRBG reseeds itself automatically,
+ * if one of the following two conditions holds:
+ *
+ * - the number of generate requests since the last reseeding exceeds a
+ * certain threshold, the so called |reseed_interval|. This behaviour
+ * can be disabled by setting the |reseed_interval| to 0.
+ *
+ * - the time elapsed since the last reseeding exceeds a certain time
+ * interval, the so called |reseed_time_interval|. This behaviour
+ * can be disabled by setting the |reseed_time_interval| to 0.
*
* MANUAL RESEEDING
*
- * For the three shared DRBGs (and only for these) there is a way to reseed
- * them manually by calling RAND_seed() (or RAND_add() with a positive
+ * For the three shared DRBGs (and only for these) there is another way to
+ * reseed them manually by calling RAND_seed() (or RAND_add() with a positive
* |randomness| argument). This will immediately reseed the <master> DRBG.
- * Its immediate children (<public> and <private> DRBG) will detect this
- * on their next generate call and reseed, pulling randomness from <master>.
+ * The <public> and <private> DRBG will detect this on their next generate
+ * call and reseed, pulling randomness from <master>.
*/
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
-static int drbg_setup(RAND_DRBG *drbg, const char *name, RAND_DRBG *parent);
+static RAND_DRBG *drbg_setup(const char *name, RAND_DRBG *parent);
+static void drbg_cleanup(RAND_DRBG *drbg);
/*
* Set/initialize |drbg| to be of type |nid|, with optional |flags|.
- * Return -2 if the type is not supported, 1 on success and -1 on
- * failure.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_set(RAND_DRBG *drbg, int nid, unsigned int flags)
{
switch (nid) {
default:
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
- return -2;
+ return 0;
case 0:
/* Uninitialized; that's okay. */
return 1;
case NID_aes_128_ctr:
case NID_aes_192_ctr:
case NID_aes_256_ctr:
- ret = ctr_init(drbg);
+ ret = drbg_ctr_init(drbg);
break;
}
- if (ret < 0)
+ if (ret == 0)
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
return ret;
}
}
drbg->fork_count = rand_fork_count;
drbg->parent = parent;
- if (RAND_DRBG_set(drbg, type, flags) < 0)
+ if (RAND_DRBG_set(drbg, type, flags) == 0)
goto err;
if (!RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
if (drbg == NULL)
return;
- ctr_uninstantiate(drbg);
+ if (drbg->meth != NULL)
+ drbg->meth->uninstantiate(drbg);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
OPENSSL_clear_free(drbg, sizeof(*drbg));
}
* |perslen| as prediction-resistance input.
*
* Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_instantiate(RAND_DRBG *drbg,
const unsigned char *pers, size_t perslen)
RAND_R_PERSONALISATION_STRING_TOO_LONG);
goto end;
}
+
+ if (drbg->meth == NULL)
+ {
+ RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
+ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
+ goto end;
+ }
+
if (drbg->state != DRBG_UNINITIALISED) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
drbg->state == DRBG_ERROR ? RAND_R_IN_ERROR_STATE
}
}
- if (!ctr_instantiate(drbg, entropy, entropylen,
+ if (!drbg->meth->instantiate(drbg, entropy, entropylen,
nonce, noncelen, pers, perslen)) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_INSTANTIATING_DRBG);
goto end;
drbg->state = DRBG_READY;
drbg->generate_counter = 0;
-
+ drbg->reseed_time = time(NULL);
if (drbg->reseed_counter > 0) {
if (drbg->parent == NULL)
drbg->reseed_counter++;
* Uninstantiate |drbg|. Must be instantiated before it can be used.
*
* Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
{
- int ret = ctr_uninstantiate(drbg);
+ if (drbg->meth == NULL)
+ {
+ RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
+ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
+ return 0;
+ }
- drbg->state = DRBG_UNINITIALISED;
- return ret;
+ /* Clear the entire drbg->ctr struct, then reset some important
+ * members of the drbg->ctr struct (e.g. keysize, df_ks) to their
+ * initial values.
+ */
+ drbg->meth->uninstantiate(drbg);
+ return RAND_DRBG_set(drbg, drbg->nid, drbg->flags);
}
/*
* Reseed |drbg|, mixing in the specified data
*
* Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_reseed(RAND_DRBG *drbg,
const unsigned char *adin, size_t adinlen)
goto end;
}
- if (!ctr_reseed(drbg, entropy, entropylen, adin, adinlen))
+ if (!drbg->meth->reseed(drbg, entropy, entropylen, adin, adinlen))
goto end;
drbg->state = DRBG_READY;
drbg->generate_counter = 0;
-
+ drbg->reseed_time = time(NULL);
if (drbg->reseed_counter > 0) {
if (drbg->parent == NULL)
drbg->reseed_counter++;
}
/* repair error state */
- if (drbg->state == DRBG_ERROR) {
+ if (drbg->state == DRBG_ERROR)
RAND_DRBG_uninstantiate(drbg);
- /* The drbg->ctr member needs to be reinitialized before reinstantiation */
- RAND_DRBG_set(drbg, drbg->nid, drbg->flags);
- }
/* repair uninitialized state */
if (drbg->state == DRBG_UNINITIALISED) {
* entropy from the trusted entropy source using get_entropy().
* This is not a reseeding in the strict sense of NIST SP 800-90A.
*/
- ctr_reseed(drbg, adin, adinlen, NULL, 0);
+ drbg->meth->reseed(drbg, adin, adinlen, NULL, 0);
} else if (reseeded == 0) {
/* do a full reseeding if it has not been done yet above */
RAND_DRBG_reseed(drbg, NULL, 0);
if (drbg->generate_counter >= drbg->reseed_interval)
reseed_required = 1;
}
-
+ if (drbg->reseed_time_interval > 0) {
+ time_t now = time(NULL);
+ if (now < drbg->reseed_time
+ || now - drbg->reseed_time >= drbg->reseed_time_interval)
+ reseed_required = 1;
+ }
if (drbg->reseed_counter > 0 && drbg->parent != NULL) {
if (drbg->reseed_counter != drbg->parent->reseed_counter)
reseed_required = 1;
adinlen = 0;
}
- if (!ctr_generate(drbg, out, outlen, adin, adinlen)) {
+ if (!drbg->meth->generate(drbg, out, outlen, adin, adinlen)) {
drbg->state = DRBG_ERROR;
RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_GENERATE_ERROR);
return 0;
return 1;
}
+/*
+ * Generates |outlen| random bytes and stores them in |out|. It will
+ * using the given |drbg| to generate the bytes.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success 0 on failure.
+ */
+int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
+{
+ unsigned char *additional = NULL;
+ size_t additional_len;
+ size_t ret;
+
+ additional_len = rand_drbg_get_additional_data(&additional, drbg->max_adinlen);
+ ret = RAND_DRBG_generate(drbg, out, outlen, 0, additional, additional_len);
+ if (additional_len != 0)
+ OPENSSL_secure_clear_free(additional, additional_len);
+
+ return ret;
+}
+
/*
* Set the RAND_DRBG callbacks for obtaining entropy and nonce.
*
*
* The drbg will reseed automatically whenever the number of generate
* requests exceeds the given reseed interval. If the reseed interval
- * is 0, then this automatic reseeding is disabled.
+ * is 0, then this feature is disabled.
*
* Returns 1 on success, 0 on failure.
*/
return 1;
}
+/*
+ * Set the reseed time interval.
+ *
+ * The drbg will reseed automatically whenever the time elapsed since
+ * the last reseeding exceeds the given reseed time interval. For safety,
+ * a reseeding will also occur if the clock has been reset to a smaller
+ * value.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, time_t interval)
+{
+ if (interval > MAX_RESEED_TIME_INTERVAL)
+ return 0;
+ drbg->reseed_time_interval = interval;
+ return 1;
+}
+
/*
* Get and set the EXDATA
*/
*/
/*
- * Initializes the given global DRBG with default settings.
+ * Allocates a new global DRBG on the secure heap (if enabled) and
+ * initializes it with default settings.
* A global lock for the DRBG is created with the given name.
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
-static int drbg_setup(RAND_DRBG *drbg, const char *name, RAND_DRBG *parent)
+static RAND_DRBG *drbg_setup(const char *name, RAND_DRBG *parent)
{
- int ret = 1;
+ RAND_DRBG *drbg;
- if (name == NULL || drbg->lock != NULL) {
+ if (name == NULL) {
RANDerr(RAND_F_DRBG_SETUP, ERR_R_INTERNAL_ERROR);
- return 0;
+ return NULL;
}
+ drbg = OPENSSL_secure_zalloc(sizeof(RAND_DRBG));
+ if (drbg == NULL)
+ return NULL;
+
drbg->lock = CRYPTO_THREAD_glock_new(name);
if (drbg->lock == NULL) {
RANDerr(RAND_F_DRBG_SETUP, RAND_R_FAILED_TO_CREATE_LOCK);
- return 0;
+ goto err;
}
- ret &= RAND_DRBG_set(drbg,
- RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF) == 1;
- ret &= RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
- rand_drbg_cleanup_entropy, NULL, NULL) == 1;
+ if (RAND_DRBG_set(drbg,
+ RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF) != 1)
+ goto err;
+ if (RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
+ rand_drbg_cleanup_entropy, NULL, NULL) != 1)
+ goto err;
- if (parent == NULL)
+ if (parent == NULL) {
drbg->reseed_interval = MASTER_RESEED_INTERVAL;
- else {
+ drbg->reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
+ } else {
drbg->parent = parent;
drbg->reseed_interval = SLAVE_RESEED_INTERVAL;
+ drbg->reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
}
/* enable seed propagation */
RAND_DRBG_instantiate(drbg,
(const unsigned char *) ossl_pers_string,
sizeof(ossl_pers_string) - 1);
- return ret;
+ return drbg;
+
+err:
+ drbg_cleanup(drbg);
+ return NULL;
}
/*
*/
DEFINE_RUN_ONCE_STATIC(do_rand_drbg_init)
{
- int ret = 1;
+ /*
+ * ensure that libcrypto is initialized, otherwise the
+ * DRBG locks are not cleaned up properly
+ */
+ if (!OPENSSL_init_crypto(0, NULL))
+ return 0;
- ret &= drbg_setup(&drbg_master, "drbg_master", NULL);
- ret &= drbg_setup(&drbg_public, "drbg_public", &drbg_master);
- ret &= drbg_setup(&drbg_private, "drbg_private", &drbg_master);
+ drbg_master = drbg_setup("drbg_master", NULL);
+ drbg_public = drbg_setup("drbg_public", drbg_master);
+ drbg_private = drbg_setup("drbg_private", drbg_master);
- return ret;
+ if (drbg_master == NULL || drbg_public == NULL || drbg_private == NULL)
+ return 0;
+
+ return 1;
}
/* Cleans up the given global DRBG */
static void drbg_cleanup(RAND_DRBG *drbg)
{
- CRYPTO_THREAD_lock_free(drbg->lock);
- RAND_DRBG_uninstantiate(drbg);
+ if (drbg != NULL) {
+ RAND_DRBG_uninstantiate(drbg);
+ CRYPTO_THREAD_lock_free(drbg->lock);
+ OPENSSL_secure_clear_free(drbg, sizeof(RAND_DRBG));
+ }
}
/* Clean up the global DRBGs before exit */
void rand_drbg_cleanup_int(void)
{
- drbg_cleanup(&drbg_private);
- drbg_cleanup(&drbg_public);
- drbg_cleanup(&drbg_master);
+ drbg_cleanup(drbg_private);
+ drbg_cleanup(drbg_public);
+ drbg_cleanup(drbg_master);
+
+ drbg_private = drbg_public = drbg_master = NULL;
}
/* Implements the default OpenSSL RAND_bytes() method */
if (!RUN_ONCE(&rand_drbg_init, do_rand_drbg_init))
return NULL;
- return &drbg_master;
+ return drbg_master;
}
/*
if (!RUN_ONCE(&rand_drbg_init, do_rand_drbg_init))
return NULL;
- return &drbg_public;
+ return drbg_public;
}
/*
if (!RUN_ONCE(&rand_drbg_init, do_rand_drbg_init))
return NULL;
- return &drbg_private;
+ return drbg_private;
}
RAND_METHOD rand_meth = {