/*
- * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* DRBGs. It reseeds itself by pulling either randomness from os entropy
* sources or by consuming randomnes which was added by RAND_add()
*/
-static RAND_DRBG drbg_master;
+static RAND_DRBG *drbg_master;
/*
* THE PUBLIC DRBG
*
* Used by default for generating random bytes using RAND_bytes().
*/
-static RAND_DRBG drbg_public;
+static RAND_DRBG *drbg_public;
/*
* THE PRIVATE DRBG
*
* Used by default for generating private keys using RAND_priv_bytes()
*/
-static RAND_DRBG drbg_private;
+static RAND_DRBG *drbg_private;
/*+
* DRBG HIERARCHY
*
* |randomness| argument). This will immediately reseed the <master> DRBG.
* The <public> and <private> DRBG will detect this on their next generate
* call and reseed, pulling randomness from <master>.
+ *
+ * LOCKING
+ *
+ * The three shared DRBGs are intended to be used concurrently, so they
+ * support locking by default. It is the callers responsibility to wrap
+ * calls to functions like RAND_DRBG_generate() which modify the DRBGs
+ * internal state with calls to RAND_DRBG_lock() and RAND_DRBG_unlock().
+ * The functions RAND_bytes() and RAND_priv_bytes() take the locks
+ * automatically, so using the RAND api is thread safe as before.
+ *
+ * All other DRBG instances don't have locking enabled by default, because
+ * they are intendended to be used by a single thread. If it is desired,
+ * locking can be enabled using RAND_DRBG_enable_locking(). However, instead
+ * of accessing a single DRBG instance concurrently from different threads,
+ * it is recommended to instantiate a separate DRBG instance per thread.
*/
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
-static int drbg_setup(RAND_DRBG *drbg, const char *name, RAND_DRBG *parent);
+static RAND_DRBG *drbg_setup(RAND_DRBG *parent);
+static void drbg_cleanup(RAND_DRBG *drbg);
/*
* Set/initialize |drbg| to be of type |nid|, with optional |flags|.
- * Return -2 if the type is not supported, 1 on success and -1 on
- * failure.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_set(RAND_DRBG *drbg, int nid, unsigned int flags)
{
switch (nid) {
default:
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
- return -2;
+ return 0;
case 0:
/* Uninitialized; that's okay. */
return 1;
case NID_aes_128_ctr:
case NID_aes_192_ctr:
case NID_aes_256_ctr:
- ret = ctr_init(drbg);
+ ret = drbg_ctr_init(drbg);
break;
}
- if (ret < 0)
+ if (ret == 0)
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
return ret;
}
}
drbg->fork_count = rand_fork_count;
drbg->parent = parent;
- if (RAND_DRBG_set(drbg, type, flags) < 0)
+ if (RAND_DRBG_set(drbg, type, flags) == 0)
goto err;
if (!RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
if (drbg == NULL)
return;
- ctr_uninstantiate(drbg);
+ if (drbg->meth != NULL)
+ drbg->meth->uninstantiate(drbg);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
OPENSSL_clear_free(drbg, sizeof(*drbg));
}
* |perslen| as prediction-resistance input.
*
* Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_instantiate(RAND_DRBG *drbg,
const unsigned char *pers, size_t perslen)
RAND_R_PERSONALISATION_STRING_TOO_LONG);
goto end;
}
+
+ if (drbg->meth == NULL)
+ {
+ RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
+ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
+ goto end;
+ }
+
if (drbg->state != DRBG_UNINITIALISED) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
drbg->state == DRBG_ERROR ? RAND_R_IN_ERROR_STATE
}
}
- if (!ctr_instantiate(drbg, entropy, entropylen,
+ if (!drbg->meth->instantiate(drbg, entropy, entropylen,
nonce, noncelen, pers, perslen)) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_INSTANTIATING_DRBG);
goto end;
* Uninstantiate |drbg|. Must be instantiated before it can be used.
*
* Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
{
- int ret = ctr_uninstantiate(drbg);
+ if (drbg->meth == NULL)
+ {
+ RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
+ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
+ return 0;
+ }
- drbg->state = DRBG_UNINITIALISED;
- return ret;
+ /* Clear the entire drbg->ctr struct, then reset some important
+ * members of the drbg->ctr struct (e.g. keysize, df_ks) to their
+ * initial values.
+ */
+ drbg->meth->uninstantiate(drbg);
+ return RAND_DRBG_set(drbg, drbg->nid, drbg->flags);
}
/*
* Reseed |drbg|, mixing in the specified data
*
* Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
*/
int RAND_DRBG_reseed(RAND_DRBG *drbg,
const unsigned char *adin, size_t adinlen)
goto end;
}
- if (!ctr_reseed(drbg, entropy, entropylen, adin, adinlen))
+ if (!drbg->meth->reseed(drbg, entropy, entropylen, adin, adinlen))
goto end;
drbg->state = DRBG_READY;
}
/* repair error state */
- if (drbg->state == DRBG_ERROR) {
+ if (drbg->state == DRBG_ERROR)
RAND_DRBG_uninstantiate(drbg);
- /* The drbg->ctr member needs to be reinitialized before reinstantiation */
- RAND_DRBG_set(drbg, drbg->nid, drbg->flags);
- }
/* repair uninitialized state */
if (drbg->state == DRBG_UNINITIALISED) {
* entropy from the trusted entropy source using get_entropy().
* This is not a reseeding in the strict sense of NIST SP 800-90A.
*/
- ctr_reseed(drbg, adin, adinlen, NULL, 0);
+ drbg->meth->reseed(drbg, adin, adinlen, NULL, 0);
} else if (reseeded == 0) {
/* do a full reseeding if it has not been done yet above */
RAND_DRBG_reseed(drbg, NULL, 0);
adinlen = 0;
}
- if (!ctr_generate(drbg, out, outlen, adin, adinlen)) {
+ if (!drbg->meth->generate(drbg, out, outlen, adin, adinlen)) {
drbg->state = DRBG_ERROR;
RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_GENERATE_ERROR);
return 0;
return 1;
}
+/*
+ * Generates |outlen| random bytes and stores them in |out|. It will
+ * using the given |drbg| to generate the bytes.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success 0 on failure.
+ */
+int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
+{
+ unsigned char *additional = NULL;
+ size_t additional_len;
+ size_t chunk;
+ size_t ret;
+
+ additional_len = rand_drbg_get_additional_data(&additional, drbg->max_adinlen);
+
+ for ( ; outlen > 0; outlen -= chunk, out += chunk) {
+ chunk = outlen;
+ if (chunk > drbg->max_request)
+ chunk = drbg->max_request;
+ ret = RAND_DRBG_generate(drbg, out, chunk, 0, additional, additional_len);
+ if (!ret)
+ goto err;
+ }
+ ret = 1;
+
+err:
+ if (additional_len != 0)
+ OPENSSL_secure_clear_free(additional, additional_len);
+
+ return ret;
+}
+
/*
* Set the RAND_DRBG callbacks for obtaining entropy and nonce.
*
return 1;
}
+
+/*
+ * Locks the given drbg. Locking a drbg which does not have locking
+ * enabled is considered a successful no-op.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int RAND_DRBG_lock(RAND_DRBG *drbg)
+{
+ if (drbg->lock != NULL)
+ return CRYPTO_THREAD_write_lock(drbg->lock);
+
+ return 1;
+}
+
+/*
+ * Unlocks the given drbg. Unlocking a drbg which does not have locking
+ * enabled is considered a successful no-op.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int RAND_DRBG_unlock(RAND_DRBG *drbg)
+{
+ if (drbg->lock != NULL)
+ return CRYPTO_THREAD_unlock(drbg->lock);
+
+ return 1;
+}
+
+/*
+ * Enables locking for the given drbg
+ *
+ * Locking can only be enabled if the random generator
+ * is in the uninitialized state.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int RAND_DRBG_enable_locking(RAND_DRBG *drbg)
+{
+ if (drbg->state != DRBG_UNINITIALISED) {
+ RANDerr(RAND_F_RAND_DRBG_ENABLE_LOCKING,
+ RAND_R_DRBG_ALREADY_INITIALIZED);
+ return 0;
+ }
+
+ if (drbg->lock == NULL) {
+ if (drbg->parent != NULL && drbg->lock == NULL) {
+ RANDerr(RAND_F_RAND_DRBG_ENABLE_LOCKING,
+ RAND_R_PARENT_LOCKING_NOT_ENABLED);
+ return 0;
+ }
+
+ drbg->lock = CRYPTO_THREAD_lock_new();
+ if (drbg->lock == NULL) {
+ RANDerr(RAND_F_RAND_DRBG_ENABLE_LOCKING,
+ RAND_R_FAILED_TO_CREATE_LOCK);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
/*
* Get and set the EXDATA
*/
*/
/*
- * Initializes the given global DRBG with default settings.
- * A global lock for the DRBG is created with the given name.
+ * Allocates a new global DRBG on the secure heap (if enabled) and
+ * initializes it with default settings.
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
-static int drbg_setup(RAND_DRBG *drbg, const char *name, RAND_DRBG *parent)
+static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
{
- int ret = 1;
+ RAND_DRBG *drbg;
- if (name == NULL || drbg->lock != NULL) {
- RANDerr(RAND_F_DRBG_SETUP, ERR_R_INTERNAL_ERROR);
- return 0;
- }
+ drbg = OPENSSL_secure_zalloc(sizeof(RAND_DRBG));
+ if (drbg == NULL)
+ return NULL;
- drbg->lock = CRYPTO_THREAD_glock_new(name);
+ drbg->lock = CRYPTO_THREAD_lock_new();
if (drbg->lock == NULL) {
RANDerr(RAND_F_DRBG_SETUP, RAND_R_FAILED_TO_CREATE_LOCK);
- return 0;
+ goto err;
}
- ret &= RAND_DRBG_set(drbg,
- RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF) == 1;
- ret &= RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
- rand_drbg_cleanup_entropy, NULL, NULL) == 1;
+ if (RAND_DRBG_set(drbg,
+ RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF) != 1)
+ goto err;
+ if (RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
+ rand_drbg_cleanup_entropy, NULL, NULL) != 1)
+ goto err;
if (parent == NULL) {
drbg->reseed_interval = MASTER_RESEED_INTERVAL;
RAND_DRBG_instantiate(drbg,
(const unsigned char *) ossl_pers_string,
sizeof(ossl_pers_string) - 1);
- return ret;
+ return drbg;
+
+err:
+ drbg_cleanup(drbg);
+ return NULL;
}
/*
*/
DEFINE_RUN_ONCE_STATIC(do_rand_drbg_init)
{
- int ret = 1;
+ /*
+ * ensure that libcrypto is initialized, otherwise the
+ * DRBG locks are not cleaned up properly
+ */
+ if (!OPENSSL_init_crypto(0, NULL))
+ return 0;
- ret &= drbg_setup(&drbg_master, "drbg_master", NULL);
- ret &= drbg_setup(&drbg_public, "drbg_public", &drbg_master);
- ret &= drbg_setup(&drbg_private, "drbg_private", &drbg_master);
+ drbg_master = drbg_setup(NULL);
+ drbg_public = drbg_setup(drbg_master);
+ drbg_private = drbg_setup(drbg_master);
- return ret;
+ if (drbg_master == NULL || drbg_public == NULL || drbg_private == NULL)
+ return 0;
+
+ return 1;
}
/* Cleans up the given global DRBG */
static void drbg_cleanup(RAND_DRBG *drbg)
{
- CRYPTO_THREAD_lock_free(drbg->lock);
- RAND_DRBG_uninstantiate(drbg);
+ if (drbg != NULL) {
+ RAND_DRBG_uninstantiate(drbg);
+ CRYPTO_THREAD_lock_free(drbg->lock);
+ OPENSSL_secure_clear_free(drbg, sizeof(RAND_DRBG));
+ }
}
/* Clean up the global DRBGs before exit */
void rand_drbg_cleanup_int(void)
{
- drbg_cleanup(&drbg_private);
- drbg_cleanup(&drbg_public);
- drbg_cleanup(&drbg_master);
+ drbg_cleanup(drbg_private);
+ drbg_cleanup(drbg_public);
+ drbg_cleanup(drbg_master);
+
+ drbg_private = drbg_public = drbg_master = NULL;
}
/* Implements the default OpenSSL RAND_bytes() method */
static int drbg_bytes(unsigned char *out, int count)
{
- int ret = 0;
- size_t chunk;
+ int ret;
RAND_DRBG *drbg = RAND_DRBG_get0_public();
if (drbg == NULL)
return 0;
- CRYPTO_THREAD_write_lock(drbg->lock);
- if (drbg->state == DRBG_UNINITIALISED)
- goto err;
+ RAND_DRBG_lock(drbg);
+ ret = RAND_DRBG_bytes(drbg, out, count);
+ RAND_DRBG_unlock(drbg);
- for ( ; count > 0; count -= chunk, out += chunk) {
- chunk = count;
- if (chunk > drbg->max_request)
- chunk = drbg->max_request;
- ret = RAND_DRBG_generate(drbg, out, chunk, 0, NULL, 0);
- if (!ret)
- goto err;
- }
- ret = 1;
-
-err:
- CRYPTO_THREAD_unlock(drbg->lock);
return ret;
}
return 0;
}
- CRYPTO_THREAD_write_lock(drbg->lock);
+ RAND_DRBG_lock(drbg);
ret = rand_drbg_restart(drbg, buf,
(size_t)(unsigned int)num,
(size_t)(8*randomness));
- CRYPTO_THREAD_unlock(drbg->lock);
+ RAND_DRBG_unlock(drbg);
return ret;
}
if (drbg == NULL)
return 0;
- CRYPTO_THREAD_write_lock(drbg->lock);
+ RAND_DRBG_lock(drbg);
ret = drbg->state == DRBG_READY ? 1 : 0;
- CRYPTO_THREAD_unlock(drbg->lock);
+ RAND_DRBG_unlock(drbg);
return ret;
}
if (!RUN_ONCE(&rand_drbg_init, do_rand_drbg_init))
return NULL;
- return &drbg_master;
+ return drbg_master;
}
/*
if (!RUN_ONCE(&rand_drbg_init, do_rand_drbg_init))
return NULL;
- return &drbg_public;
+ return drbg_public;
}
/*
if (!RUN_ONCE(&rand_drbg_init, do_rand_drbg_init))
return NULL;
- return &drbg_private;
+ return drbg_private;
}
RAND_METHOD rand_meth = {