X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Frand%2Fmd_rand.c;h=2d6a55f6edfa7739d332933a52f131b7cf6261d1;hp=4aa13f715646eb35ff7249b25ab390ba4eb9ce60;hb=c051e521a7a390a9d61cdb3ae89b3fd69a96e724;hpb=48fc582f66a58e3da6f095ba1b4498c17581e05a

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 4aa13f7156..2d6a55f6ed 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -109,6 +109,8 @@
  *
  */
 
+#define OPENSSL_FIPSAPI
+
 #ifdef MD_RAND_DEBUG
 # ifndef NDEBUG
 #   define NDEBUG
@@ -121,12 +123,23 @@
 
 #include "e_os.h"
 
+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYSNAME_DSPBIOS))
+# include <sys/time.h>
+#endif
+#if defined(OPENSSL_SYS_VXWORKS)
+# include <time.h>
+#endif
+
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#include <openssl/crypto.h>
 #include <openssl/err.h>
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #ifdef BN_DEBUG
 # define PREDICT
 #endif
@@ -145,26 +158,26 @@ static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
                                            * holds CRYPTO_LOCK_RAND
                                            * (to prevent double locking) */
 /* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
-static unsigned long locking_thread_id = 0; /* valid iff crypto_lock_rand is set */
-static void *locking_thread_idptr = NULL; /* valid iff crypto_lock_rand is set */
+static CRYPTO_THREADID locking_threadid; /* valid iff crypto_lock_rand is set */
 
 
 #ifdef PREDICT
 int rand_predictable=0;
 #endif
 
-const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT;
+const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
 
 static void ssleay_rand_cleanup(void);
-static void ssleay_rand_seed(const void *buf, int num);
-static void ssleay_rand_add(const void *buf, int num, double add_entropy);
-static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_seed(const void *buf, int num);
+static int ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_status(void);
 
-RAND_METHOD rand_ssleay_meth={
+static RAND_METHOD rand_ssleay_meth={
 	ssleay_rand_seed,
-	ssleay_rand_bytes,
+	ssleay_rand_nopseudo_bytes,
 	ssleay_rand_cleanup,
 	ssleay_rand_add,
 	ssleay_rand_pseudo_bytes,
@@ -188,13 +201,14 @@ static void ssleay_rand_cleanup(void)
 	initialized=0;
 	}
 
-static void ssleay_rand_add(const void *buf, int num, double add)
+static int ssleay_rand_add(const void *buf, int num, double add)
 	{
 	int i,j,k,st_idx;
 	long md_c[2];
 	unsigned char local_md[MD_DIGEST_LENGTH];
 	EVP_MD_CTX m;
 	int do_not_lock;
+	int rv = 0;
 
 	/*
 	 * (Based on the rand(3) manpage)
@@ -211,11 +225,14 @@ static void ssleay_rand_add(const void *buf, int num, double add)
          * hash function.
 	 */
 
+	EVP_MD_CTX_init(&m);
 	/* check if we already have the lock */
 	if (crypto_lock_rand)
 		{
+		CRYPTO_THREADID cur;
+		CRYPTO_THREADID_current(&cur);
 		CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-		do_not_lock = (locking_thread_id == CRYPTO_thread_id()) && (locking_thread_idptr == CRYPTO_thread_idptr());
+		do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
 		CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
 		}
 	else
@@ -255,26 +272,41 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 
 	if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-	EVP_MD_CTX_init(&m);
 	for (i=0; i<num; i+=MD_DIGEST_LENGTH)
 		{
 		j=(num-i);
 		j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
 
-		MD_Init(&m);
-		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+		if (!MD_Init(&m))
+			goto err;
+		if (!MD_Update(&m,local_md,MD_DIGEST_LENGTH))
+			goto err;
 		k=(st_idx+j)-STATE_SIZE;
 		if (k > 0)
 			{
-			MD_Update(&m,&(state[st_idx]),j-k);
-			MD_Update(&m,&(state[0]),k);
+			if (!MD_Update(&m,&(state[st_idx]),j-k))
+				goto err;
+			if (!MD_Update(&m,&(state[0]),k))
+				goto err;
 			}
 		else
-			MD_Update(&m,&(state[st_idx]),j);
-			
-		MD_Update(&m,buf,j);
-		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-		MD_Final(&m,local_md);
+			if (!MD_Update(&m,&(state[st_idx]),j))
+				goto err;
+
+		/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
+		if (!MD_Update(&m,buf,j))
+			goto err;
+		/* We know that line may cause programs such as
+		   purify and valgrind to complain about use of
+		   uninitialized data.  The problem is not, it's
+		   with the caller.  Removing that line will make
+		   sure you get really bad randomness and thereby
+		   other problems such as very insecure keys. */
+
+		if (!MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)))
+			goto err;
+		if (!MD_Final(&m,local_md))
+			goto err;
 		md_c[1]++;
 
 		buf=(const char *)buf + j;
@@ -294,7 +326,6 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 				st_idx=0;
 			}
 		}
-	EVP_MD_CTX_cleanup(&m);
 
 	if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	/* Don't just copy back local_md into md -- this could mean that
@@ -312,14 +343,18 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
 	assert(md_c[1] == md_count[1]);
 #endif
+	rv = 1;
+	err:
+	EVP_MD_CTX_cleanup(&m);
+	return rv;
 	}
 
-static void ssleay_rand_seed(const void *buf, int num)
+static int ssleay_rand_seed(const void *buf, int num)
 	{
-	ssleay_rand_add(buf, num, (double)num);
+	return ssleay_rand_add(buf, num, (double)num);
 	}
 
-static int ssleay_rand_bytes(unsigned char *buf, int num)
+static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	{
 	static volatile int stirred_pool = 0;
 	int i,j,k,st_num,st_idx;
@@ -331,7 +366,28 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #ifndef GETPID_IS_MEANINGLESS
 	pid_t curr_pid = getpid();
 #endif
+	time_t curr_time = time(NULL);
 	int do_stir_pool = 0;
+/* time value for various platforms */
+#ifdef OPENSSL_SYS_WIN32
+	FILETIME tv;
+# ifdef _WIN32_WCE
+	SYSTEMTIME t;
+	GetSystemTime(&t);
+	SystemTimeToFileTime(&t, &tv);
+# else
+	GetSystemTimeAsFileTime(&tv);
+# endif
+#elif defined(OPENSSL_SYS_VXWORKS)
+	struct timespec tv;
+	clock_gettime(CLOCK_REALTIME, &ts);
+#elif defined(OPENSSL_SYSNAME_DSPBIOS)
+	unsigned long long tv, OPENSSL_rdtsc();
+	tv = OPENSSL_rdtsc();
+#else
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+#endif
 
 #ifdef PREDICT
 	if (rand_predictable)
@@ -373,8 +429,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 
 	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-	locking_thread_id = CRYPTO_thread_id();
-	locking_thread_idptr = CRYPTO_thread_idptr();
+	CRYPTO_THREADID_current(&locking_threadid);
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
 	crypto_lock_rand = 1;
 
@@ -456,28 +511,57 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 		/* num_ceil -= MD_DIGEST_LENGTH/2 */
 		j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
 		num-=j;
-		MD_Init(&m);
+		if (!MD_Init(&m))
+			goto err;
 #ifndef GETPID_IS_MEANINGLESS
 		if (curr_pid) /* just in the first iteration to save time */
 			{
-			MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
+			if (!MD_Update(&m,(unsigned char*)&curr_pid,
+				       sizeof curr_pid))
+				goto err;
 			curr_pid = 0;
 			}
 #endif
-		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-#ifndef PURIFY
-		MD_Update(&m,buf,j); /* purify complains */
+		if (curr_time) /* just in the first iteration to save time */
+			{
+			if (!MD_Update(&m,(unsigned char*)&curr_time,
+				       sizeof curr_time))
+				goto err;
+			if (!MD_Update(&m,(unsigned char*)&tv,
+				       sizeof tv))
+				goto err;
+			curr_time = 0;
+			}
+		if (!MD_Update(&m,local_md,MD_DIGEST_LENGTH))
+			goto err;
+		if (!MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)))
+			goto err;
+
+#ifndef PURIFY /* purify complains */
+		/* The following line uses the supplied buffer as a small
+		 * source of entropy: since this buffer is often uninitialised
+		 * it may cause programs such as purify or valgrind to
+		 * complain. So for those builds it is not used: the removal
+		 * of such a small source of entropy has negligible impact on
+		 * security.
+		 */
+		if (!MD_Update(&m,buf,j))
+			goto err;
 #endif
+
 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
 		if (k > 0)
 			{
-			MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k);
-			MD_Update(&m,&(state[0]),k);
+			if (!MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k))
+				goto err;
+			if (!MD_Update(&m,&(state[0]),k))
+				goto err;
 			}
 		else
-			MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2);
-		MD_Final(&m,local_md);
+			if (!MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2))
+				goto err;
+		if (!MD_Final(&m,local_md))
+			goto err;
 
 		for (i=0; i<MD_DIGEST_LENGTH/2; i++)
 			{
@@ -489,55 +573,62 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 			}
 		}
 
-	MD_Init(&m);
-	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+	if (!MD_Init(&m)
+		|| !MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c))
+		|| !MD_Update(&m,local_md,MD_DIGEST_LENGTH))
+		goto err;
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-	MD_Update(&m,md,MD_DIGEST_LENGTH);
-	MD_Final(&m,md);
+	if (!MD_Update(&m,md,MD_DIGEST_LENGTH) || !MD_Final(&m,md))
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+		goto err;
+		}
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	EVP_MD_CTX_cleanup(&m);
 	if (ok)
 		return(1);
-	else
+	else if (pseudo)
+		return 0;
+	else 
 		{
 		RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
 		ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
 			"http://www.openssl.org/support/faq.html");
 		return(0);
 		}
+	err:
+	EVP_MD_CTX_cleanup(&m);
+	RANDerr(RAND_F_SSLEAY_RAND_BYTES,ERR_R_EVP_LIB);
+	return 0;
+
+	}
+
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
+	{
+	return ssleay_rand_bytes(buf, num, 0);
 	}
 
 /* pseudo-random bytes that are guaranteed to be unique but not
    unpredictable */
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
 	{
-	int ret;
-	unsigned long err;
-
-	ret = RAND_bytes(buf, num);
-	if (ret == 0)
-		{
-		err = ERR_peek_error();
-		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
-		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
-			ERR_clear_error();
-		}
-	return (ret);
+	return ssleay_rand_bytes(buf, num, 1);
 	}
 
 static int ssleay_rand_status(void)
 	{
+	CRYPTO_THREADID cur;
 	int ret;
 	int do_not_lock;
 
+	CRYPTO_THREADID_current(&cur);
 	/* check if we already have the lock
 	 * (could happen if a RAND_poll() implementation calls RAND_status()) */
 	if (crypto_lock_rand)
 		{
 		CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-		do_not_lock = (locking_thread_id == CRYPTO_thread_id()) && (locking_thread_idptr == CRYPTO_thread_idptr());
+		do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
 		CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
 		}
 	else
@@ -549,8 +640,7 @@ static int ssleay_rand_status(void)
 		
 		/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 		CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-		locking_thread_id = CRYPTO_thread_id();
-		locking_thread_idptr = CRYPTO_thread_idptr();
+		CRYPTO_THREADID_cpy(&locking_threadid, &cur);
 		CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
 		crypto_lock_rand = 1;
 		}