Avoid two memory allocations in each RAND_DRBG_bytes

[openssl.git] / crypto / rand / drbg_lib.c

diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
index 4a666040c8ccdfba4ea0881a6f044a3476dd6013..8e372e593eed6b008c7d8f881809a483038edfea 100644 (file)
--- a/crypto/rand/drbg_lib.c
+++ b/crypto/rand/drbg_lib.c
@@ -158,8 +158,10 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
     }
 
     /* If set is called multiple times - clear the old one */
-    if (type != drbg->type && drbg->type != 0 && drbg->meth != NULL) {
+    if (drbg->type != 0 && (type != drbg->type || flags != drbg->flags)) {
         drbg->meth->uninstantiate(drbg);
+        rand_pool_free(drbg->adin_pool);
+        drbg->adin_pool = NULL;
     }
 
     drbg->state = DRBG_UNINITIALISED;
@@ -168,6 +170,7 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
 
     if (type == 0) {
         /* Uninitialized; that's okay. */
+        drbg->meth = NULL;
         return 1;
     } else if (is_ctr(type)) {
         ret = drbg_ctr_init(drbg);
@@ -315,6 +318,7 @@ void RAND_DRBG_free(RAND_DRBG *drbg)
 
     if (drbg->meth != NULL)
         drbg->meth->uninstantiate(drbg);
+    rand_pool_free(drbg->adin_pool);
     CRYPTO_THREAD_lock_free(drbg->lock);
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
 
@@ -722,9 +726,18 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
     unsigned char *additional = NULL;
     size_t additional_len;
     size_t chunk;
-    size_t ret;
+    size_t ret = 0;
 
-    additional_len = rand_drbg_get_additional_data(&additional, drbg->max_adinlen);
+    if (drbg->adin_pool == NULL) {
+        if (drbg->type == 0)
+            goto err;
+        drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen);
+        if (drbg->adin_pool == NULL)
+            goto err;
+    }
+
+    additional_len = rand_drbg_get_additional_data(drbg->adin_pool,
+                                                   &additional);
 
     for ( ; outlen > 0; outlen -= chunk, out += chunk) {
         chunk = outlen;
@@ -736,9 +749,9 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
     }
     ret = 1;
 
-err:
-    if (additional_len != 0)
-        OPENSSL_secure_clear_free(additional, additional_len);
+ err:
+    if (additional != NULL)
+        rand_drbg_cleanup_additional_data(drbg->adin_pool, additional);
 
     return ret;
 }
@@ -1079,6 +1092,7 @@ static int drbg_add(const void *buf, int num, double randomness)
     if (num < 0 || randomness < 0.0)
         return 0;
 
+    rand_drbg_lock(drbg);
     seedlen = rand_drbg_seedlen(drbg);
 
     buflen = (size_t)num;
@@ -1090,10 +1104,13 @@ static int drbg_add(const void *buf, int num, double randomness)
          * inevitably. So we use a trick to mix the buffer contents into
          * the DRBG state without forcing a reseeding: we generate a
          * dummy random byte, using the buffer content as additional data.
+         * Note: This won't work with RAND_DRBG_FLAG_CTR_NO_DF.
          */
         unsigned char dummy[1];
 
-        return RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen);
+        ret = RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen);
+        rand_drbg_unlock(drbg);
+        return ret;
 #else
         /*
          * If an os entropy source is avaible then we declare the buffer content
@@ -1117,7 +1134,6 @@ static int drbg_add(const void *buf, int num, double randomness)
         randomness = (double)seedlen;
     }
 
-    rand_drbg_lock(drbg);
     ret = rand_drbg_restart(drbg, buf, buflen, (size_t)(8 * randomness));
     rand_drbg_unlock(drbg);