X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Frand%2Frand_lib.c;h=a4c9e694726e749f7ce981364f192f0086d85b17;hp=76d5767ccd769ad80f3244740c34f9a43e6bf592;hb=4bffc025fd1b75b690f50552f443cbd3b1f1cbaf;hpb=6decf9436f77ff65ed8ed773268663a9273cfbc8 diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 76d5767ccd..a4c9e69472 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -1,7 +1,7 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -11,63 +11,24 @@ #include #include "internal/cryptlib.h" #include -#include "internal/rand_int.h" +#include "crypto/rand.h" #include #include "internal/thread_once.h" -#include "rand_lcl.h" -#ifdef OPENSSL_SYS_UNIX -# include -# include -# include -#endif +#include "rand_local.h" #include "e_os.h" -/* Macro to convert two thirty two bit values into a sixty four bit one */ -#define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) - -/* - * Check for the existence and support of POSIX timers. The standard - * says that the _POSIX_TIMERS macro will have a positive value if they - * are available. - * - * However, we want an additional constraint: that the timer support does - * not require an extra library dependency. Early versions of glibc - * require -lrt to be specified on the link line to access the timers, - * so this needs to be checked for. - * - * It is worse because some libraries define __GLIBC__ but don't - * support the version testing macro (e.g. uClibc). This means - * an extra check is needed. - * - * The final condition is: - * "have posix timers and either not glibc or glibc without -lrt" - * - * The nested #if sequences are required to avoid using a parameterised - * macro that might be undefined. - */ -#undef OSSL_POSIX_TIMER_OKAY -#if defined(_POSIX_TIMERS) && _POSIX_TIMERS > 0 -# if defined(__GLIBC__) -# if defined(__GLIBC_PREREQ) -# if __GLIBC_PREREQ(2, 17) -# define OSSL_POSIX_TIMER_OKAY -# endif -# endif -# else -# define OSSL_POSIX_TIMER_OKAY -# endif -#endif - -#ifndef OPENSSL_NO_ENGINE +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ static ENGINE *funct_ref; static CRYPTO_RWLOCK *rand_engine_lock; -#endif +# endif static CRYPTO_RWLOCK *rand_meth_lock; static const RAND_METHOD *default_RAND_meth; static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; -int rand_fork_count; +static int rand_inited = 0; +#endif /* FIPS_MODULE */ #ifdef OPENSSL_RAND_SEED_RDTSC /* @@ -106,8 +67,6 @@ size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool) size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); -extern unsigned int OPENSSL_ia32cap_P[]; - /* * Acquire entropy using Intel-specific cpu instructions * @@ -125,31 +84,25 @@ size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) size_t bytes_needed; unsigned char *buffer; - bytes_needed = rand_pool_bytes_needed(pool, 8 /*entropy_per_byte*/); + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); if (bytes_needed > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); if (buffer != NULL) { - - /* If RDSEED is available, use that. */ + /* Whichever comes first, use RDSEED, RDRAND or nothing */ if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) { if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed) - == bytes_needed) - return rand_pool_add_end(pool, - bytes_needed, - 8 * bytes_needed); - } - - /* Second choice is RDRAND. */ - if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { + == bytes_needed) { + rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); + } + } else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed) - == bytes_needed) - return rand_pool_add_end(pool, - bytes_needed, - 8 * bytes_needed); + == bytes_needed) { + rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); + } + } else { + rand_pool_add_end(pool, 0, 0); } - - return rand_pool_add_end(pool, 0, 0); } } @@ -157,7 +110,7 @@ size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) } #endif - +#if 0 /* * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) * @@ -171,14 +124,15 @@ size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) * its entropy will be used up first. */ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, - unsigned char **pout, - int entropy, size_t min_len, size_t max_len) + unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) { size_t ret = 0; size_t entropy_available = 0; RAND_POOL *pool; - if (drbg->parent && drbg->strength > drbg->parent->strength) { + if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) { /* * We currently don't support the algorithm from NIST SP 800-90C * 10.1.2 to use a weaker DRBG as source @@ -187,28 +141,26 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, return 0; } - pool = rand_pool_new(entropy, min_len, max_len); - if (pool == NULL) - return 0; - - if (drbg->pool) { - rand_pool_add(pool, - rand_pool_buffer(drbg->pool), - rand_pool_length(drbg->pool), - rand_pool_entropy(drbg->pool)); - rand_pool_free(drbg->pool); - drbg->pool = NULL; + if (drbg->seed_pool != NULL) { + pool = drbg->seed_pool; + pool->entropy_requested = entropy; + } else { + pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); + if (pool == NULL) + return 0; } - if (drbg->parent) { - size_t bytes_needed = rand_pool_bytes_needed(pool, 8); + if (drbg->parent != NULL) { + size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); if (buffer != NULL) { size_t bytes = 0; /* - * Get random from parent, include our state as additional input. + * Get random data from parent. Include our address as additional input, + * in order to provide some additional distinction between different + * DRBG child instances. * Our lock is already held, but we need to lock our parent before * generating bits from it. (Note: taking the lock will be a no-op * if locking if drbg->parent->lock == NULL.) @@ -216,12 +168,15 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, rand_drbg_lock(drbg->parent); if (RAND_DRBG_generate(drbg->parent, buffer, bytes_needed, - 0, - (unsigned char *)drbg, sizeof(*drbg)) != 0) + prediction_resistance, + (unsigned char *)&drbg, sizeof(drbg)) != 0) bytes = bytes_needed; + drbg->reseed_next_counter + = tsan_load(&drbg->parent->reseed_prop_counter); rand_drbg_unlock(drbg->parent); - entropy_available = rand_pool_add_end(pool, bytes, 8 * bytes); + rand_pool_add_end(pool, bytes, 8 * bytes); + entropy_available = rand_pool_entropy_available(pool); } } else { @@ -234,77 +189,24 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, *pout = rand_pool_detach(pool); } - rand_pool_free(pool); + if (drbg->seed_pool == NULL) + rand_pool_free(pool); return ret; } /* - * Find a suitable source of time. Start with the highest resolution source - * and work down to the slower ones. This is added as additional data and - * isn't counted as randomness, so any result is acceptable. + * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) * - * Returns 0 when we weren't able to find any time source */ -static uint64_t get_timer_bits(void) +void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, + unsigned char *out, size_t outlen) { - uint64_t res = OPENSSL_rdtsc(); - - if (res != 0) - return res; -#if defined(_WIN32) - { - LARGE_INTEGER t; - FILETIME ft; - - if (QueryPerformanceCounter(&t) != 0) - return t.QuadPart; - GetSystemTimeAsFileTime(&ft); - return TWO32TO64(ft.dwHighDateTime, ft.dwLowDateTime); - } -#elif defined(__sun) || defined(__hpux) - return gethrtime(); -#elif defined(_AIX) - { - timebasestruct_t t; - - read_wall_time(&t, TIMEBASE_SZ); - return TWO32TO64(t.tb_high, t.tb_low); - } -#else - -# if defined(OSSL_POSIX_TIMER_OKAY) - { - struct timespec ts; - clockid_t cid; - -# ifdef CLOCK_BOOTTIME - cid = CLOCK_BOOTTIME; -# elif defined(_POSIX_MONOTONIC_CLOCK) - cid = CLOCK_MONOTONIC; -# else - cid = CLOCK_REALTIME; -# endif - - if (clock_gettime(cid, &ts) == 0) - return TWO32TO64(ts.tv_sec, ts.tv_nsec); + if (drbg->seed_pool == NULL) { + if (drbg->secure) + OPENSSL_secure_clear_free(out, outlen); + else + OPENSSL_clear_free(out, outlen); } -# endif -# if defined(__unix__) \ - || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) - { - struct timeval tv; - - if (gettimeofday(&tv, NULL) == 0) - return TWO32TO64(tv.tv_sec, tv.tv_usec); - } -# endif - { - time_t t = time(NULL); - if (t == (time_t)-1) - return 0; - return t; - } -#endif } /* @@ -317,88 +219,84 @@ static uint64_t get_timer_bits(void) * On success it allocates a buffer at |*pout| and returns the length of * the data. The buffer should get freed using OPENSSL_secure_clear_free(). */ -size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len) +size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout) { - RAND_POOL *pool; - CRYPTO_THREAD_ID thread_id; - size_t len; -#ifdef OPENSSL_SYS_UNIX - pid_t pid; -#elif defined(OPENSSL_SYS_WIN32) - DWORD pid; -#endif - uint64_t tbits; - - pool = rand_pool_new(0, 0, max_len); - if (pool == NULL) - return 0; - -#ifdef OPENSSL_SYS_UNIX - pid = getpid(); - rand_pool_add(pool, (unsigned char *)&pid, sizeof(pid), 0); -#elif defined(OPENSSL_SYS_WIN32) - pid = GetCurrentProcessId(); - rand_pool_add(pool, (unsigned char *)&pid, sizeof(pid), 0); -#endif - - thread_id = CRYPTO_THREAD_get_current_id(); - if (thread_id != 0) - rand_pool_add(pool, (unsigned char *)&thread_id, sizeof(thread_id), 0); - - tbits = get_timer_bits(); - if (tbits != 0) - rand_pool_add(pool, (unsigned char *)&tbits, sizeof(tbits), 0); - - /* TODO: Use RDSEED? */ + size_t ret = 0; - len = rand_pool_length(pool); - if (len != 0) - *pout = rand_pool_detach(pool); - rand_pool_free(pool); + if (rand_pool_add_additional_data(pool) == 0) + goto err; - return len; -} + ret = rand_pool_length(pool); + *pout = rand_pool_detach(pool); -/* - * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) - * - */ -void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, - unsigned char *out, size_t outlen) -{ - OPENSSL_secure_clear_free(out, outlen); + err: + return ret; } -void rand_fork() +void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out) { - rand_fork_count++; + rand_pool_reattach(pool, out); } +#endif +#ifndef FIPS_MODULE DEFINE_RUN_ONCE_STATIC(do_rand_init) { - int ret = 1; - -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE rand_engine_lock = CRYPTO_THREAD_lock_new(); - ret &= rand_engine_lock != NULL; -#endif + if (rand_engine_lock == NULL) + return 0; +# endif + rand_meth_lock = CRYPTO_THREAD_lock_new(); - ret &= rand_meth_lock != NULL; + if (rand_meth_lock == NULL) + goto err; - return ret; + if (!rand_pool_init()) + goto err; + + rand_inited = 1; + return 1; + + err: + CRYPTO_THREAD_lock_free(rand_meth_lock); + rand_meth_lock = NULL; +# ifndef OPENSSL_NO_ENGINE + CRYPTO_THREAD_lock_free(rand_engine_lock); + rand_engine_lock = NULL; +# endif + return 0; } void rand_cleanup_int(void) { const RAND_METHOD *meth = default_RAND_meth; + if (!rand_inited) + return; + if (meth != NULL && meth->cleanup != NULL) meth->cleanup(); RAND_set_rand_method(NULL); -#ifndef OPENSSL_NO_ENGINE + rand_pool_cleanup(); +# ifndef OPENSSL_NO_ENGINE CRYPTO_THREAD_lock_free(rand_engine_lock); -#endif + rand_engine_lock = NULL; +# endif CRYPTO_THREAD_lock_free(rand_meth_lock); + rand_meth_lock = NULL; + rand_inited = 0; +} + +/* TODO(3.0): Do we need to handle this somehow in the FIPS module? */ +/* + * RAND_close_seed_files() ensures that any seed file descriptors are + * closed after use. + */ +void RAND_keep_random_devices_open(int keep) +{ + if (RUN_ONCE(&rand_init, do_rand_init)) + rand_pool_keep_random_devices_open(keep); } /* @@ -412,10 +310,11 @@ int RAND_poll(void) { int ret = 0; - RAND_POOL *pool = NULL; - const RAND_METHOD *meth = RAND_get_rand_method(); + if (meth == NULL) + return 0; + if (meth == RAND_OpenSSL()) { /* fill random pool and seed the master DRBG */ RAND_DRBG *drbg = RAND_DRBG_get0_master(); @@ -423,23 +322,25 @@ int RAND_poll(void) if (drbg == NULL) return 0; - rand_drbg_lock(drbg); +#if 0 ret = rand_drbg_restart(drbg, NULL, 0, 0); - rand_drbg_unlock(drbg); +#endif return ret; } else { + RAND_POOL *pool = NULL; + /* fill random pool and seed the current legacy RNG */ - pool = rand_pool_new(RAND_DRBG_STRENGTH, - RAND_DRBG_STRENGTH / 8, - DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8)); + pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, + (RAND_DRBG_STRENGTH + 7) / 8, + RAND_POOL_MAX_LENGTH); if (pool == NULL) return 0; - +#if 0 if (rand_pool_acquire_entropy(pool) == 0) goto err; - +#endif if (meth->add == NULL || meth->add(rand_pool_buffer(pool), rand_pool_length(pool), @@ -447,285 +348,35 @@ int RAND_poll(void) goto err; ret = 1; - } -err: - rand_pool_free(pool); - return ret; -} - -/* - * The 'random pool' acts as a dumb container for collecting random - * input from various entropy sources. The pool has no knowledge about - * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() - * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the - * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and - * 4) cleanup the random pool again. - * - * The random pool contains no locking mechanism because its scope and - * lifetime is intended to be restricted to a single stack frame. - */ -struct rand_pool_st { - unsigned char *buffer; /* points to the beginning of the random pool */ - size_t len; /* current number of random bytes contained in the pool */ - - size_t min_len; /* minimum number of random bytes requested */ - size_t max_len; /* maximum number of random bytes (allocated buffer size) */ - size_t entropy; /* current entropy count in bits */ - size_t requested_entropy; /* requested entropy count in bits */ -}; - -/* - * Allocate memory and initialize a new random pool - */ - -RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len) -{ - RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); - - if (pool == NULL) { - RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); - goto err; + err: + rand_pool_free(pool); } - pool->min_len = min_len; - pool->max_len = max_len; - - pool->buffer = OPENSSL_secure_zalloc(pool->max_len); - if (pool->buffer == NULL) { - RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); - goto err; - } - - pool->requested_entropy = entropy; - - return pool; - -err: - OPENSSL_free(pool); - return NULL; -} - -/* - * Free |pool|, securely erasing its buffer. - */ -void rand_pool_free(RAND_POOL *pool) -{ - if (pool == NULL) - return; - - OPENSSL_secure_clear_free(pool->buffer, pool->max_len); - OPENSSL_free(pool); -} - -/* - * Return the |pool|'s buffer to the caller (readonly). - */ -const unsigned char *rand_pool_buffer(RAND_POOL *pool) -{ - return pool->buffer; -} - -/* - * Return the |pool|'s entropy to the caller. - */ -size_t rand_pool_entropy(RAND_POOL *pool) -{ - return pool->entropy; -} - -/* - * Return the |pool|'s buffer length to the caller. - */ -size_t rand_pool_length(RAND_POOL *pool) -{ - return pool->len; -} - -/* - * Detach the |pool| buffer and return it to the caller. - * It's the responsibility of the caller to free the buffer - * using OPENSSL_secure_clear_free(). - */ -unsigned char *rand_pool_detach(RAND_POOL *pool) -{ - unsigned char *ret = pool->buffer; - pool->buffer = NULL; return ret; } - -/* - * If every byte of the input contains |entropy_per_bytes| bits of entropy, - * how many bytes does one need to obtain at least |bits| bits of entropy? - */ -#define ENTROPY_TO_BYTES(bits, entropy_per_bytes) \ - (((bits) + ((entropy_per_bytes) - 1))/(entropy_per_bytes)) - - -/* - * Checks whether the |pool|'s entropy is available to the caller. - * This is the case when entropy count and buffer length are high enough. - * Returns - * - * |entropy| if the entropy count and buffer size is large enough - * 0 otherwise - */ -size_t rand_pool_entropy_available(RAND_POOL *pool) -{ - if (pool->entropy < pool->requested_entropy) - return 0; - - if (pool->len < pool->min_len) - return 0; - - return pool->entropy; -} - -/* - * Returns the (remaining) amount of entropy needed to fill - * the random pool. - */ - -size_t rand_pool_entropy_needed(RAND_POOL *pool) -{ - if (pool->entropy < pool->requested_entropy) - return pool->requested_entropy - pool->entropy; - - return 0; -} - -/* - * Returns the number of bytes needed to fill the pool, assuming - * the input has 'entropy_per_byte' entropy bits per byte. - * In case of an error, 0 is returned. - */ - -size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte) -{ - size_t bytes_needed; - size_t entropy_needed = rand_pool_entropy_needed(pool); - - if (entropy_per_byte < 1 || entropy_per_byte > 8) { - RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE); - return 0; - } - - bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_per_byte); - - if (bytes_needed > pool->max_len - pool->len) { - /* not enough space left */ - RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW); - return 0; - } - - if (pool->len < pool->min_len && - bytes_needed < pool->min_len - pool->len) - /* to meet the min_len requirement */ - bytes_needed = pool->min_len - pool->len; - - return bytes_needed; -} - -/* Returns the remaining number of bytes available */ -size_t rand_pool_bytes_remaining(RAND_POOL *pool) -{ - return pool->max_len - pool->len; -} - -/* - * Add random bytes to the random pool. - * - * It is expected that the |buffer| contains |len| bytes of - * random input which contains at least |entropy| bits of - * randomness. - * - * Return available amount of entropy after this operation. - * (see rand_pool_entropy_available(pool)) - */ -size_t rand_pool_add(RAND_POOL *pool, - const unsigned char *buffer, size_t len, size_t entropy) -{ - if (len > pool->max_len - pool->len) { - RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG); - return 0; - } - - if (len > 0) { - memcpy(pool->buffer + pool->len, buffer, len); - pool->len += len; - pool->entropy += entropy; - } - - return rand_pool_entropy_available(pool); -} - -/* - * Start to add random bytes to the random pool in-place. - * - * Reserves the next |len| bytes for adding random bytes in-place - * and returns a pointer to the buffer. - * The caller is allowed to copy up to |len| bytes into the buffer. - * If |len| == 0 this is considered a no-op and a NULL pointer - * is returned without producing an error message. - * - * After updating the buffer, rand_pool_add_end() needs to be called - * to finish the udpate operation (see next comment). - */ -unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) -{ - if (len == 0) - return NULL; - - if (len > pool->max_len - pool->len) { - RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW); - return NULL; - } - - return pool->buffer + pool->len; -} - -/* - * Finish to add random bytes to the random pool in-place. - * - * Finishes an in-place update of the random pool started by - * rand_pool_add_begin() (see previous comment). - * It is expected that |len| bytes of random input have been added - * to the buffer which contain at least |entropy| bits of randomness. - * It is allowed to add less bytes than originally reserved. - */ -size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) -{ - if (len > pool->max_len - pool->len) { - RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW); - return 0; - } - - if (len > 0) { - pool->len += len; - pool->entropy += entropy; - } - - return rand_pool_entropy_available(pool); -} - int RAND_set_rand_method(const RAND_METHOD *meth) { if (!RUN_ONCE(&rand_init, do_rand_init)) return 0; CRYPTO_THREAD_write_lock(rand_meth_lock); -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE ENGINE_finish(funct_ref); funct_ref = NULL; -#endif +# endif default_RAND_meth = meth; CRYPTO_THREAD_unlock(rand_meth_lock); return 1; } +#endif /* FIPS_MODULE */ const RAND_METHOD *RAND_get_rand_method(void) { +#ifdef FIPS_MODULE + return NULL; +#else const RAND_METHOD *tmp_meth = NULL; if (!RUN_ONCE(&rand_init, do_rand_init)) @@ -733,7 +384,7 @@ const RAND_METHOD *RAND_get_rand_method(void) CRYPTO_THREAD_write_lock(rand_meth_lock); if (default_RAND_meth == NULL) { -#ifndef OPENSSL_NO_ENGINE +# ifndef OPENSSL_NO_ENGINE ENGINE *e; /* If we have an engine that can do RAND, use it. */ @@ -745,16 +396,17 @@ const RAND_METHOD *RAND_get_rand_method(void) ENGINE_finish(e); default_RAND_meth = &rand_meth; } -#else +# else default_RAND_meth = &rand_meth; -#endif +# endif } tmp_meth = default_RAND_meth; CRYPTO_THREAD_unlock(rand_meth_lock); return tmp_meth; +#endif } -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) int RAND_set_rand_engine(ENGINE *engine) { const RAND_METHOD *tmp_meth = NULL; @@ -784,7 +436,7 @@ void RAND_seed(const void *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->seed != NULL) + if (meth != NULL && meth->seed != NULL) meth->seed(buf, num); } @@ -792,7 +444,7 @@ void RAND_add(const void *buf, int num, double randomness) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->add != NULL) + if (meth != NULL && meth->add != NULL) meth->add(buf, num, randomness); } @@ -801,43 +453,62 @@ void RAND_add(const void *buf, int num, double randomness) * the default method, then just call RAND_bytes(). Otherwise make * sure we're instantiated and use the private DRBG. */ -int RAND_priv_bytes(unsigned char *buf, int num) +int RAND_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) { - const RAND_METHOD *meth = RAND_get_rand_method(); RAND_DRBG *drbg; - int ret; + const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != RAND_OpenSSL()) - return RAND_bytes(buf, num); + if (meth != NULL && meth != RAND_OpenSSL()) { + if (meth->bytes != NULL) + return meth->bytes(buf, num); + RANDerr(RAND_F_RAND_PRIV_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); + return -1; + } - drbg = RAND_DRBG_get0_private(); - if (drbg == NULL) - return 0; + drbg = OPENSSL_CTX_get0_private_drbg(ctx); + if (drbg != NULL) + return RAND_DRBG_bytes(drbg, buf, num); - /* We have to lock the DRBG before generating bits from it. */ - rand_drbg_lock(drbg); - ret = RAND_DRBG_bytes(drbg, buf, num); - rand_drbg_unlock(drbg); - return ret; + return 0; } -int RAND_bytes(unsigned char *buf, int num) +int RAND_priv_bytes(unsigned char *buf, int num) +{ + return RAND_priv_bytes_ex(NULL, buf, num); +} + +int RAND_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) { + RAND_DRBG *drbg; const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->bytes != NULL) - return meth->bytes(buf, num); - RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); - return -1; + if (meth != NULL && meth != RAND_OpenSSL()) { + if (meth->bytes != NULL) + return meth->bytes(buf, num); + RANDerr(RAND_F_RAND_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); + return -1; + } + + drbg = OPENSSL_CTX_get0_public_drbg(ctx); + if (drbg != NULL) + return RAND_DRBG_bytes(drbg, buf, num); + + return 0; +} + +int RAND_bytes(unsigned char *buf, int num) +{ + return RAND_bytes_ex(NULL, buf, num); } -#if OPENSSL_API_COMPAT < 0x10100000L +#if !defined(OPENSSL_NO_DEPRECATED_1_1_0) && !defined(FIPS_MODULE) int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->pseudorand != NULL) + if (meth != NULL && meth->pseudorand != NULL) return meth->pseudorand(buf, num); + RANDerr(RAND_F_RAND_PSEUDO_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); return -1; } #endif @@ -846,7 +517,7 @@ int RAND_status(void) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->status != NULL) + if (meth != NULL && meth->status != NULL) return meth->status(); return 0; }