X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Frand%2Frand_lib.c;h=8b44b5502d2fce9e55e574b37fe982a5747259da;hp=d2f5be1a65d656ffe3db73ef07bea3c323b9cb03;hb=a6a66e4511eec0f4ecc2943117a42b3723eb2222;hpb=fcd2d5a6121ad3e5e65edc714ad99fc36f609f81 diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index d2f5be1a65..8b44b5502d 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -1,7 +1,7 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -17,21 +17,20 @@ #include "rand_lcl.h" #include "e_os.h" -#ifndef OPENSSL_NO_ENGINE +#ifndef FIPS_MODE +# ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ static ENGINE *funct_ref; static CRYPTO_RWLOCK *rand_engine_lock; -#endif +# endif static CRYPTO_RWLOCK *rand_meth_lock; static const RAND_METHOD *default_RAND_meth; static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; -int rand_fork_count; - -static CRYPTO_RWLOCK *rand_nonce_lock; -static int rand_nonce_count; - static int rand_inited = 0; +#endif /* FIPS_MODE */ + +int rand_fork_count; #ifdef OPENSSL_RAND_SEED_RDTSC /* @@ -137,7 +136,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, size_t entropy_available = 0; RAND_POOL *pool; - if (drbg->parent && drbg->strength > drbg->parent->strength) { + if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) { /* * We currently don't support the algorithm from NIST SP 800-90C * 10.1.2 to use a weaker DRBG as source @@ -150,12 +149,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, pool = drbg->seed_pool; pool->entropy_requested = entropy; } else { - pool = rand_pool_new(entropy, min_len, max_len); + pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); if (pool == NULL) return 0; } - if (drbg->parent) { + if (drbg->parent != NULL) { size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); @@ -183,17 +182,6 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, } } else { - if (prediction_resistance) { - /* - * We don't have any entropy sources that comply with the NIST - * standard to provide prediction resistance (see NIST SP 800-90C, - * Section 5.4). - */ - RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, - RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED); - goto err; - } - /* Get entropy by polling system entropy sources. */ entropy_available = rand_pool_acquire_entropy(pool); } @@ -203,7 +191,6 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, *pout = rand_pool_detach(pool); } - err: if (drbg->seed_pool == NULL) rand_pool_free(pool); return ret; @@ -216,57 +203,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen) { - if (drbg->seed_pool == NULL) - OPENSSL_secure_clear_free(out, outlen); -} - - -/* - * Implements the get_nonce() callback (see RAND_DRBG_set_callbacks()) - * - */ -size_t rand_drbg_get_nonce(RAND_DRBG *drbg, - unsigned char **pout, - int entropy, size_t min_len, size_t max_len) -{ - size_t ret = 0; - RAND_POOL *pool; - - struct { - void * instance; - int count; - } data = { 0 }; - - pool = rand_pool_new(0, min_len, max_len); - if (pool == NULL) - return 0; - - if (rand_pool_add_nonce_data(pool) == 0) - goto err; - - data.instance = drbg; - CRYPTO_atomic_add(&rand_nonce_count, 1, &data.count, rand_nonce_lock); - - if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0) - goto err; - - ret = rand_pool_length(pool); - *pout = rand_pool_detach(pool); - - err: - rand_pool_free(pool); - - return ret; -} - -/* - * Implements the cleanup_nonce() callback (see RAND_DRBG_set_callbacks()) - * - */ -void rand_drbg_cleanup_nonce(RAND_DRBG *drbg, - unsigned char *out, size_t outlen) -{ - OPENSSL_secure_clear_free(out, outlen); + if (drbg->seed_pool == NULL) { + if (drbg->secure) + OPENSSL_secure_clear_free(out, outlen); + else + OPENSSL_clear_free(out, outlen); + } } /* @@ -303,39 +245,32 @@ void rand_fork(void) rand_fork_count++; } +#ifndef FIPS_MODE DEFINE_RUN_ONCE_STATIC(do_rand_init) { -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE rand_engine_lock = CRYPTO_THREAD_lock_new(); if (rand_engine_lock == NULL) return 0; -#endif +# endif rand_meth_lock = CRYPTO_THREAD_lock_new(); if (rand_meth_lock == NULL) - goto err1; - - rand_nonce_lock = CRYPTO_THREAD_lock_new(); - if (rand_nonce_lock == NULL) - goto err2; + goto err; if (!rand_pool_init()) - goto err3; + goto err; rand_inited = 1; return 1; -err3: - CRYPTO_THREAD_lock_free(rand_nonce_lock); - rand_nonce_lock = NULL; -err2: + err: CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; -err1: -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE CRYPTO_THREAD_lock_free(rand_engine_lock); rand_engine_lock = NULL; -#endif +# endif return 0; } @@ -350,19 +285,18 @@ void rand_cleanup_int(void) meth->cleanup(); RAND_set_rand_method(NULL); rand_pool_cleanup(); -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE CRYPTO_THREAD_lock_free(rand_engine_lock); rand_engine_lock = NULL; -#endif +# endif CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; - CRYPTO_THREAD_lock_free(rand_nonce_lock); - rand_nonce_lock = NULL; rand_inited = 0; } +/* TODO(3.0): Do we need to handle this somehow in the FIPS module? */ /* - * RAND_close_seed_files() ensures that any seed file decriptors are + * RAND_close_seed_files() ensures that any seed file descriptors are * closed after use. */ void RAND_keep_random_devices_open(int keep) @@ -382,8 +316,6 @@ int RAND_poll(void) { int ret = 0; - RAND_POOL *pool = NULL; - const RAND_METHOD *meth = RAND_get_rand_method(); if (meth == RAND_OpenSSL()) { @@ -400,9 +332,11 @@ int RAND_poll(void) return ret; } else { + RAND_POOL *pool = NULL; + /* fill random pool and seed the current legacy RNG */ - pool = rand_pool_new(RAND_DRBG_STRENGTH, - RAND_DRBG_STRENGTH / 8, + pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, + (RAND_DRBG_STRENGTH + 7) / 8, RAND_POOL_MAX_LENGTH); if (pool == NULL) return 0; @@ -417,20 +351,24 @@ int RAND_poll(void) goto err; ret = 1; + + err: + rand_pool_free(pool); } -err: - rand_pool_free(pool); return ret; } +#endif /* FIPS_MODE */ /* * Allocate memory and initialize a new random pool */ -RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len) +RAND_POOL *rand_pool_new(int entropy_requested, int secure, + size_t min_len, size_t max_len) { RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); + size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure); if (pool == NULL) { RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); @@ -440,14 +378,22 @@ RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len) pool->min_len = min_len; pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ? RAND_POOL_MAX_LENGTH : max_len; + pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len; + if (pool->alloc_len > pool->max_len) + pool->alloc_len = pool->max_len; + + if (secure) + pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len); + else + pool->buffer = OPENSSL_zalloc(pool->alloc_len); - pool->buffer = OPENSSL_secure_zalloc(pool->max_len); if (pool->buffer == NULL) { RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); goto err; } pool->entropy_requested = entropy_requested; + pool->secure = secure; return pool; @@ -482,7 +428,7 @@ RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len, pool->attached = 1; - pool->min_len = pool->max_len = pool->len; + pool->min_len = pool->max_len = pool->alloc_len = pool->len; pool->entropy = entropy; return pool; @@ -502,8 +448,13 @@ void rand_pool_free(RAND_POOL *pool) * to rand_pool_attach() as `const unsigned char*`. * (see corresponding comment in rand_pool_attach()). */ - if (!pool->attached) - OPENSSL_secure_clear_free(pool->buffer, pool->max_len); + if (!pool->attached) { + if (pool->secure) + OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); + else + OPENSSL_clear_free(pool->buffer, pool->alloc_len); + } + OPENSSL_free(pool); } @@ -634,6 +585,36 @@ size_t rand_pool_bytes_remaining(RAND_POOL *pool) return pool->max_len - pool->len; } +static int rand_pool_grow(RAND_POOL *pool, size_t len) +{ + if (len > pool->alloc_len - pool->len) { + unsigned char *p; + const size_t limit = pool->max_len / 2; + size_t newlen = pool->alloc_len; + + do + newlen = newlen < limit ? newlen * 2 : pool->max_len; + while (len > newlen - pool->len); + + if (pool->secure) + p = OPENSSL_secure_zalloc(newlen); + else + p = OPENSSL_zalloc(newlen); + if (p == NULL) { + RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(p, pool->buffer, pool->len); + if (pool->secure) + OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); + else + OPENSSL_clear_free(pool->buffer, pool->alloc_len); + pool->buffer = p; + pool->alloc_len = newlen; + } + return 1; +} + /* * Add random bytes to the random pool. * @@ -657,6 +638,8 @@ int rand_pool_add(RAND_POOL *pool, } if (len > 0) { + if (!rand_pool_grow(pool, len)) + return 0; memcpy(pool->buffer + pool->len, buffer, len); pool->len += len; pool->entropy += entropy; @@ -689,9 +672,11 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) if (pool->buffer == NULL) { RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); - return 0; + return NULL; } + if (!rand_pool_grow(pool, len)) + return NULL; return pool->buffer + pool->len; } @@ -719,23 +704,28 @@ int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) return 1; } +#ifndef FIPS_MODE int RAND_set_rand_method(const RAND_METHOD *meth) { if (!RUN_ONCE(&rand_init, do_rand_init)) return 0; CRYPTO_THREAD_write_lock(rand_meth_lock); -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE ENGINE_finish(funct_ref); funct_ref = NULL; -#endif +# endif default_RAND_meth = meth; CRYPTO_THREAD_unlock(rand_meth_lock); return 1; } +#endif const RAND_METHOD *RAND_get_rand_method(void) { +#ifdef FIPS_MODE + return NULL; +#else const RAND_METHOD *tmp_meth = NULL; if (!RUN_ONCE(&rand_init, do_rand_init)) @@ -743,7 +733,7 @@ const RAND_METHOD *RAND_get_rand_method(void) CRYPTO_THREAD_write_lock(rand_meth_lock); if (default_RAND_meth == NULL) { -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE ENGINE *e; /* If we have an engine that can do RAND, use it. */ @@ -755,16 +745,17 @@ const RAND_METHOD *RAND_get_rand_method(void) ENGINE_finish(e); default_RAND_meth = &rand_meth; } -#else +# else default_RAND_meth = &rand_meth; -#endif +# endif } tmp_meth = default_RAND_meth; CRYPTO_THREAD_unlock(rand_meth_lock); return tmp_meth; +#endif } -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) int RAND_set_rand_engine(ENGINE *engine) { const RAND_METHOD *tmp_meth = NULL; @@ -811,16 +802,16 @@ void RAND_add(const void *buf, int num, double randomness) * the default method, then just call RAND_bytes(). Otherwise make * sure we're instantiated and use the private DRBG. */ -int RAND_priv_bytes(unsigned char *buf, int num) +int rand_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) { - const RAND_METHOD *meth = RAND_get_rand_method(); RAND_DRBG *drbg; int ret; + const RAND_METHOD *meth = RAND_get_rand_method(); if (meth != RAND_OpenSSL()) - return RAND_bytes(buf, num); + return meth->bytes(buf, num); - drbg = RAND_DRBG_get0_private(); + drbg = OPENSSL_CTX_get0_private_drbg(ctx); if (drbg == NULL) return 0; @@ -828,17 +819,38 @@ int RAND_priv_bytes(unsigned char *buf, int num) return ret; } -int RAND_bytes(unsigned char *buf, int num) +int RAND_priv_bytes(unsigned char *buf, int num) { + return rand_priv_bytes_ex(NULL, buf, num); +} + +int rand_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) +{ + RAND_DRBG *drbg; + int ret; const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->bytes != NULL) - return meth->bytes(buf, num); - RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); - return -1; + if (meth != RAND_OpenSSL()) { + if (meth->bytes != NULL) + return meth->bytes(buf, num); + RANDerr(RAND_F_RAND_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); + return -1; + } + + drbg = OPENSSL_CTX_get0_public_drbg(ctx); + if (drbg == NULL) + return 0; + + ret = RAND_DRBG_bytes(drbg, buf, num); + return ret; +} + +int RAND_bytes(unsigned char *buf, int num) +{ + return rand_bytes_ex(NULL, buf, num); } -#if !OPENSSL_API_1_1_0 +#if !OPENSSL_API_1_1_0 && !defined(FIPS_MODE) int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method();