X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Frand%2Fmd_rand.c;h=a06fd209d9b8b264017059ef2cee31dff1b8417b;hp=841631d3cafcbf60553ea0e58255f9d987bffce8;hb=4ead4e5241bd08989f9d6305ff21f9da0614f955;hpb=dbad169019598981174ff46c7a9bf58373b0e53a diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 841631d3ca..a06fd209d9 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -109,6 +109,8 @@ * */ +#define OPENSSL_FIPSEVP + #ifdef MD_RAND_DEBUG # ifndef NDEBUG # define NDEBUG @@ -145,25 +147,26 @@ static unsigned int crypto_lock_rand = 0; /* may be set only when a thread * holds CRYPTO_LOCK_RAND * (to prevent double locking) */ /* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */ -static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */ +static CRYPTO_THREADID locking_threadid; /* valid iff crypto_lock_rand is set */ #ifdef PREDICT int rand_predictable=0; #endif -const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT; +const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT; static void ssleay_rand_cleanup(void); -static void ssleay_rand_seed(const void *buf, int num); -static void ssleay_rand_add(const void *buf, int num, double add_entropy); -static int ssleay_rand_bytes(unsigned char *buf, int num); +static int ssleay_rand_seed(const void *buf, int num); +static int ssleay_rand_add(const void *buf, int num, double add_entropy); +static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo); +static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_status(void); RAND_METHOD rand_ssleay_meth={ ssleay_rand_seed, - ssleay_rand_bytes, + ssleay_rand_nopseudo_bytes, ssleay_rand_cleanup, ssleay_rand_add, ssleay_rand_pseudo_bytes, @@ -177,23 +180,24 @@ RAND_METHOD *RAND_SSLeay(void) static void ssleay_rand_cleanup(void) { - memset(state,0,sizeof(state)); + OPENSSL_cleanse(state,sizeof(state)); state_num=0; state_index=0; - memset(md,0,MD_DIGEST_LENGTH); + OPENSSL_cleanse(md,MD_DIGEST_LENGTH); md_count[0]=0; md_count[1]=0; entropy=0; initialized=0; } -static void ssleay_rand_add(const void *buf, int num, double add) +static int ssleay_rand_add(const void *buf, int num, double add) { int i,j,k,st_idx; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; EVP_MD_CTX m; int do_not_lock; + int rv = 0; /* * (Based on the rand(3) manpage) @@ -210,11 +214,14 @@ static void ssleay_rand_add(const void *buf, int num, double add) * hash function. */ + EVP_MD_CTX_init(&m); /* check if we already have the lock */ if (crypto_lock_rand) { + CRYPTO_THREADID cur; + CRYPTO_THREADID_current(&cur); CRYPTO_r_lock(CRYPTO_LOCK_RAND2); - do_not_lock = (locking_thread == CRYPTO_thread_id()); + do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); } else @@ -254,26 +261,41 @@ static void ssleay_rand_add(const void *buf, int num, double add) if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - EVP_MD_CTX_init(&m); for (i=0; i MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j; - MD_Init(&m); - MD_Update(&m,local_md,MD_DIGEST_LENGTH); + if (!MD_Init(&m)) + goto err; + if (!MD_Update(&m,local_md,MD_DIGEST_LENGTH)) + goto err; k=(st_idx+j)-STATE_SIZE; if (k > 0) { - MD_Update(&m,&(state[st_idx]),j-k); - MD_Update(&m,&(state[0]),k); + if (!MD_Update(&m,&(state[st_idx]),j-k)) + goto err; + if (!MD_Update(&m,&(state[0]),k)) + goto err; } else - MD_Update(&m,&(state[st_idx]),j); - - MD_Update(&m,buf,j); - MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); - MD_Final(&m,local_md); + if (!MD_Update(&m,&(state[st_idx]),j)) + goto err; + + /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ + if (!MD_Update(&m,buf,j)) + goto err; + /* We know that line may cause programs such as + purify and valgrind to complain about use of + uninitialized data. The problem is not, it's + with the caller. Removing that line will make + sure you get really bad randomness and thereby + other problems such as very insecure keys. */ + + if (!MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c))) + goto err; + if (!MD_Final(&m,local_md)) + goto err; md_c[1]++; buf=(const char *)buf + j; @@ -293,14 +315,13 @@ static void ssleay_rand_add(const void *buf, int num, double add) st_idx=0; } } - EVP_MD_CTX_cleanup(&m); if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* Don't just copy back local_md into md -- this could mean that * other thread's seeding remains without effect (except for * the incremented counter). By XORing it we keep at least as * much entropy as fits into md. */ - for (k = 0; k < sizeof md; k++) + for (k = 0; k < (int)sizeof(md); k++) { md[k] ^= local_md[k]; } @@ -311,14 +332,18 @@ static void ssleay_rand_add(const void *buf, int num, double add) #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) assert(md_c[1] == md_count[1]); #endif + rv = 1; + err: + EVP_MD_CTX_cleanup(&m); + return rv; } -static void ssleay_rand_seed(const void *buf, int num) +static int ssleay_rand_seed(const void *buf, int num) { - ssleay_rand_add(buf, num, num); + return ssleay_rand_add(buf, num, (double)num); } -static int ssleay_rand_bytes(unsigned char *buf, int num) +static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo) { static volatile int stirred_pool = 0; int i,j,k,st_num,st_idx; @@ -372,7 +397,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ CRYPTO_w_lock(CRYPTO_LOCK_RAND2); - locking_thread = CRYPTO_thread_id(); + CRYPTO_THREADID_current(&locking_threadid); CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -454,28 +479,46 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) /* num_ceil -= MD_DIGEST_LENGTH/2 */ j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num; num-=j; - MD_Init(&m); + if (!MD_Init(&m)) + goto err; #ifndef GETPID_IS_MEANINGLESS if (curr_pid) /* just in the first iteration to save time */ { - MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid); + if (!MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid)) + goto err; curr_pid = 0; } #endif - MD_Update(&m,local_md,MD_DIGEST_LENGTH); - MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); -#ifndef PURIFY - MD_Update(&m,buf,j); /* purify complains */ + if (!MD_Update(&m,local_md,MD_DIGEST_LENGTH)) + goto err; + if (!MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c))) + goto err; + +#ifndef PURIFY /* purify complains */ + /* The following line uses the supplied buffer as a small + * source of entropy: since this buffer is often uninitialised + * it may cause programs such as purify or valgrind to + * complain. So for those builds it is not used: the removal + * of such a small source of entropy has negligible impact on + * security. + */ + if (!MD_Update(&m,buf,j)) + goto err; #endif + k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; if (k > 0) { - MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k); - MD_Update(&m,&(state[0]),k); + if (!MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k)) + goto err; + if (!MD_Update(&m,&(state[0]),k)) + goto err; } else - MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2); - MD_Final(&m,local_md); + if (!MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2)) + goto err; + if (!MD_Final(&m,local_md)) + goto err; for (i=0; i