From 311276ffe32ab0b161c364727cf8676591dbf47c Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 18 Feb 2018 20:55:28 +0100 Subject: [PATCH] Return error when trying to use prediction resistance There is a requirements of having access to a live entropy source which we can't do with the default callbacks. If you need prediction resistance you need to set up your own callbacks that follow the requirements of NIST SP 800-90C. Reviewed-by: Dr. Matthias St. Pierre GH: #5402 --- crypto/err/openssl.txt | 2 ++ crypto/rand/rand_err.c | 2 ++ crypto/rand/rand_lib.c | 13 ++++++++++++- include/openssl/randerr.h | 1 + 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 728013ba84..0052ddf2fe 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2310,6 +2310,8 @@ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED:128:no drbg implementation selected RAND_R_PARENT_LOCKING_NOT_ENABLED:130:parent locking not enabled RAND_R_PARENT_STRENGTH_TOO_WEAK:131:parent strength too weak RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long +RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED:133:\ + prediction resistance not supported RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded RAND_R_RANDOM_POOL_OVERFLOW:125:random pool overflow RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index 36d484c726..0cd34ac407 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c @@ -94,6 +94,8 @@ static const ERR_STRING_DATA RAND_str_reasons[] = { "parent strength too weak"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PERSONALISATION_STRING_TOO_LONG), "personalisation string too long"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED), + "prediction resistance not supported"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_RANDOM_POOL_OVERFLOW), "random pool overflow"}, diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 1e60ec4bb6..dfffb84b46 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -217,7 +217,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, rand_drbg_lock(drbg->parent); if (RAND_DRBG_generate(drbg->parent, buffer, bytes_needed, - 0, + prediction_resistance, (unsigned char *)drbg, sizeof(*drbg)) != 0) bytes = bytes_needed; rand_drbg_unlock(drbg->parent); @@ -226,6 +226,17 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, } } else { + if (prediction_resistance) { + /* + * We don't have any entropy sources that comply with the NIST + * standard to provide prediction resistance (see NIST SP 800-90C, + * Section 5.4). + */ + RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, + RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED); + return 0; + } + /* Get entropy by polling system entropy sources. */ entropy_available = rand_pool_acquire_entropy(pool); } diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index afc8213927..4746ad63d4 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -71,6 +71,7 @@ int ERR_load_RAND_strings(void); # define RAND_R_PARENT_LOCKING_NOT_ENABLED 130 # define RAND_R_PARENT_STRENGTH_TOO_WEAK 131 # define RAND_R_PERSONALISATION_STRING_TOO_LONG 116 +# define RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED 133 # define RAND_R_PRNG_NOT_SEEDED 100 # define RAND_R_RANDOM_POOL_OVERFLOW 125 # define RAND_R_REQUEST_TOO_LARGE_FOR_DRBG 117 -- 2.34.1