X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Frand%2Fmd_rand.c;h=67ac5ac92721293bbaeb41efa7b41cdfa969e33d;hp=6e10f6ef676184ffb7d18b2fb55641dbb7bbe0b6;hb=f74fa33bcee6bc84f41442bdd256d838c2cb3c14;hpb=f763e0b5ae74c67795d096c9029b5c61e891e68a

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 6e10f6ef67..67ac5ac927 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -109,6 +109,8 @@
  *
  */
 
+#define OPENSSL_FIPSAPI
+
 #ifdef MD_RAND_DEBUG
 # ifndef NDEBUG
 #   define NDEBUG
@@ -121,12 +123,23 @@
 
 #include "e_os.h"
 
+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYSNAME_DSPBIOS))
+# include <sys/time.h>
+#endif
+#if defined(OPENSSL_SYS_VXWORKS)
+# include <time.h>
+#endif
+
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#include <openssl/crypto.h>
 #include <openssl/err.h>
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #ifdef BN_DEBUG
 # define PREDICT
 #endif
@@ -145,25 +158,28 @@ static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
                                            * holds CRYPTO_LOCK_RAND
                                            * (to prevent double locking) */
 /* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
-static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
+static CRYPTO_THREADID locking_threadid; /* valid iff crypto_lock_rand is set */
 
 
 #ifdef PREDICT
 int rand_predictable=0;
 #endif
 
-const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT;
+const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
+
+static void rand_hw_seed(EVP_MD_CTX *ctx);
 
 static void ssleay_rand_cleanup(void);
-static void ssleay_rand_seed(const void *buf, int num);
-static void ssleay_rand_add(const void *buf, int num, double add_entropy);
-static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_seed(const void *buf, int num);
+static int ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_status(void);
 
-RAND_METHOD rand_ssleay_meth={
+static RAND_METHOD rand_ssleay_meth={
 	ssleay_rand_seed,
-	ssleay_rand_bytes,
+	ssleay_rand_nopseudo_bytes,
 	ssleay_rand_cleanup,
 	ssleay_rand_add,
 	ssleay_rand_pseudo_bytes,
@@ -187,13 +203,17 @@ static void ssleay_rand_cleanup(void)
 	initialized=0;
 	}
 
-static void ssleay_rand_add(const void *buf, int num, double add)
+static int ssleay_rand_add(const void *buf, int num, double add)
 	{
 	int i,j,k,st_idx;
 	long md_c[2];
 	unsigned char local_md[MD_DIGEST_LENGTH];
 	EVP_MD_CTX m;
 	int do_not_lock;
+	int rv = 0;
+
+	if (!num)
+		return;
 
 	/*
 	 * (Based on the rand(3) manpage)
@@ -210,11 +230,14 @@ static void ssleay_rand_add(const void *buf, int num, double add)
          * hash function.
 	 */
 
+	EVP_MD_CTX_init(&m);
 	/* check if we already have the lock */
 	if (crypto_lock_rand)
 		{
+		CRYPTO_THREADID cur;
+		CRYPTO_THREADID_current(&cur);
 		CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-		do_not_lock = (locking_thread == CRYPTO_thread_id());
+		do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
 		CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
 		}
 	else
@@ -254,26 +277,41 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 
 	if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-	EVP_MD_CTX_init(&m);
 	for (i=0; i<num; i+=MD_DIGEST_LENGTH)
 		{
 		j=(num-i);
 		j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
 
-		MD_Init(&m);
-		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+		if (!MD_Init(&m))
+			goto err;
+		if (!MD_Update(&m,local_md,MD_DIGEST_LENGTH))
+			goto err;
 		k=(st_idx+j)-STATE_SIZE;
 		if (k > 0)
 			{
-			MD_Update(&m,&(state[st_idx]),j-k);
-			MD_Update(&m,&(state[0]),k);
+			if (!MD_Update(&m,&(state[st_idx]),j-k))
+				goto err;
+			if (!MD_Update(&m,&(state[0]),k))
+				goto err;
 			}
 		else
-			MD_Update(&m,&(state[st_idx]),j);
-			
-		MD_Update(&m,buf,j);
-		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-		MD_Final(&m,local_md);
+			if (!MD_Update(&m,&(state[st_idx]),j))
+				goto err;
+
+		/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
+		if (!MD_Update(&m,buf,j))
+			goto err;
+		/* We know that line may cause programs such as
+		   purify and valgrind to complain about use of
+		   uninitialized data.  The problem is not, it's
+		   with the caller.  Removing that line will make
+		   sure you get really bad randomness and thereby
+		   other problems such as very insecure keys. */
+
+		if (!MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)))
+			goto err;
+		if (!MD_Final(&m,local_md))
+			goto err;
 		md_c[1]++;
 
 		buf=(const char *)buf + j;
@@ -293,7 +331,6 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 				st_idx=0;
 			}
 		}
-	EVP_MD_CTX_cleanup(&m);
 
 	if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	/* Don't just copy back local_md into md -- this could mean that
@@ -311,14 +348,18 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
 	assert(md_c[1] == md_count[1]);
 #endif
+	rv = 1;
+	err:
+	EVP_MD_CTX_cleanup(&m);
+	return rv;
 	}
 
-static void ssleay_rand_seed(const void *buf, int num)
+static int ssleay_rand_seed(const void *buf, int num)
 	{
-	ssleay_rand_add(buf, num, (double)num);
+	return ssleay_rand_add(buf, num, (double)num);
 	}
 
-static int ssleay_rand_bytes(unsigned char *buf, int num)
+static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	{
 	static volatile int stirred_pool = 0;
 	int i,j,k,st_num,st_idx;
@@ -330,7 +371,28 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #ifndef GETPID_IS_MEANINGLESS
 	pid_t curr_pid = getpid();
 #endif
+	time_t curr_time = time(NULL);
 	int do_stir_pool = 0;
+/* time value for various platforms */
+#ifdef OPENSSL_SYS_WIN32
+	FILETIME tv;
+# ifdef _WIN32_WCE
+	SYSTEMTIME t;
+	GetSystemTime(&t);
+	SystemTimeToFileTime(&t, &tv);
+# else
+	GetSystemTimeAsFileTime(&tv);
+# endif
+#elif defined(OPENSSL_SYS_VXWORKS)
+	struct timespec tv;
+	clock_gettime(CLOCK_REALTIME, &ts);
+#elif defined(OPENSSL_SYSNAME_DSPBIOS)
+	unsigned long long tv, OPENSSL_rdtsc();
+	tv = OPENSSL_rdtsc();
+#else
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+#endif
 
 #ifdef PREDICT
 	if (rand_predictable)
@@ -372,7 +434,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 
 	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-	locking_thread = CRYPTO_thread_id();
+	CRYPTO_THREADID_current(&locking_threadid);
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
 	crypto_lock_rand = 1;
 
@@ -454,28 +516,58 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 		/* num_ceil -= MD_DIGEST_LENGTH/2 */
 		j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
 		num-=j;
-		MD_Init(&m);
+		if (!MD_Init(&m))
+			goto err;
 #ifndef GETPID_IS_MEANINGLESS
 		if (curr_pid) /* just in the first iteration to save time */
 			{
-			MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
+			if (!MD_Update(&m,(unsigned char*)&curr_pid,
+				       sizeof curr_pid))
+				goto err;
 			curr_pid = 0;
 			}
 #endif
-		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-#ifndef PURIFY
-		MD_Update(&m,buf,j); /* purify complains */
+		if (curr_time) /* just in the first iteration to save time */
+			{
+			if (!MD_Update(&m,(unsigned char*)&curr_time,
+				       sizeof curr_time))
+				goto err;
+			if (!MD_Update(&m,(unsigned char*)&tv,
+				       sizeof tv))
+				goto err;
+			curr_time = 0;
+			rand_hw_seed(&m);
+			}
+		if (!MD_Update(&m,local_md,MD_DIGEST_LENGTH))
+			goto err;
+		if (!MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)))
+			goto err;
+
+#ifndef PURIFY /* purify complains */
+		/* The following line uses the supplied buffer as a small
+		 * source of entropy: since this buffer is often uninitialised
+		 * it may cause programs such as purify or valgrind to
+		 * complain. So for those builds it is not used: the removal
+		 * of such a small source of entropy has negligible impact on
+		 * security.
+		 */
+		if (!MD_Update(&m,buf,j))
+			goto err;
 #endif
+
 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
 		if (k > 0)
 			{
-			MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k);
-			MD_Update(&m,&(state[0]),k);
+			if (!MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k))
+				goto err;
+			if (!MD_Update(&m,&(state[0]),k))
+				goto err;
 			}
 		else
-			MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2);
-		MD_Final(&m,local_md);
+			if (!MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2))
+				goto err;
+		if (!MD_Final(&m,local_md))
+			goto err;
 
 		for (i=0; i<MD_DIGEST_LENGTH/2; i++)
 			{
@@ -487,55 +579,62 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 			}
 		}
 
-	MD_Init(&m);
-	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+	if (!MD_Init(&m)
+		|| !MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c))
+		|| !MD_Update(&m,local_md,MD_DIGEST_LENGTH))
+		goto err;
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-	MD_Update(&m,md,MD_DIGEST_LENGTH);
-	MD_Final(&m,md);
+	if (!MD_Update(&m,md,MD_DIGEST_LENGTH) || !MD_Final(&m,md))
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+		goto err;
+		}
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	EVP_MD_CTX_cleanup(&m);
 	if (ok)
 		return(1);
-	else
+	else if (pseudo)
+		return 0;
+	else 
 		{
 		RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
 		ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
 			"http://www.openssl.org/support/faq.html");
 		return(0);
 		}
+	err:
+	EVP_MD_CTX_cleanup(&m);
+	RANDerr(RAND_F_SSLEAY_RAND_BYTES,ERR_R_EVP_LIB);
+	return 0;
+
+	}
+
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
+	{
+	return ssleay_rand_bytes(buf, num, 0);
 	}
 
 /* pseudo-random bytes that are guaranteed to be unique but not
    unpredictable */
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
 	{
-	int ret;
-	unsigned long err;
-
-	ret = RAND_bytes(buf, num);
-	if (ret == 0)
-		{
-		err = ERR_peek_error();
-		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
-		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
-			ERR_clear_error();
-		}
-	return (ret);
+	return ssleay_rand_bytes(buf, num, 1);
 	}
 
 static int ssleay_rand_status(void)
 	{
+	CRYPTO_THREADID cur;
 	int ret;
 	int do_not_lock;
 
+	CRYPTO_THREADID_current(&cur);
 	/* check if we already have the lock
 	 * (could happen if a RAND_poll() implementation calls RAND_status()) */
 	if (crypto_lock_rand)
 		{
 		CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-		do_not_lock = (locking_thread == CRYPTO_thread_id());
+		do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
 		CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
 		}
 	else
@@ -547,7 +646,7 @@ static int ssleay_rand_status(void)
 		
 		/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 		CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-		locking_thread = CRYPTO_thread_id();
+		CRYPTO_THREADID_cpy(&locking_threadid, &cur);
 		CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
 		crypto_lock_rand = 1;
 		}
@@ -570,3 +669,79 @@ static int ssleay_rand_status(void)
 	
 	return ret;
 	}
+
+/* rand_hw_seed: get seed data from any available hardware RNG.
+ * only currently supports rdrand.
+ */
+
+/* Adapted from eng_rdrand.c */
+
+#if (defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
+     defined(__x86_64) || defined(__x86_64__) || \
+     defined(_M_AMD64) || defined (_M_X64)) && defined(OPENSSL_CPUID_OBJ)
+
+#define RDRAND_CALLS	4
+
+size_t OPENSSL_ia32_rdrand(void);
+extern unsigned int OPENSSL_ia32cap_P[];
+
+static void rand_hw_seed(EVP_MD_CTX *ctx)
+	{
+	int i;
+	if (!(OPENSSL_ia32cap_P[1] & (1<<(62-32))))
+		return;
+	for (i = 0; i < RDRAND_CALLS; i++)
+		{
+		size_t rnd;
+		rnd = OPENSSL_ia32_rdrand();
+		if (rnd == 0)
+			return;
+		MD_Update(ctx, (unsigned char *)&rnd, sizeof(size_t));
+		}
+	}
+
+/* XOR an existing buffer with random data */
+
+void rand_hw_xor(unsigned char *buf, size_t num)
+	{
+	size_t rnd;
+	if (!(OPENSSL_ia32cap_P[1] & (1<<(62-32))))
+		return;
+	while (num >= sizeof(size_t))
+		{
+		rnd = OPENSSL_ia32_rdrand();
+		if (rnd == 0)
+			return;
+		*((size_t *)buf) ^= rnd;
+		buf += sizeof(size_t);
+		num -= sizeof(size_t);
+		}
+	if (num)
+		{
+		rnd = OPENSSL_ia32_rdrand();
+		if (rnd == 0)
+			return;
+		while(num)
+			{
+			*buf ^= rnd & 0xff;
+			rnd >>= 8;
+			buf++;
+			num--;
+			}
+		}
+	}
+
+
+#else
+
+static void rand_hw_seed(EVP_MD_CTX *ctx)
+	{
+	return;
+	}
+
+void rand_hw_xor(unsigned char *buf, size_t num)
+	{
+	return;
+	}
+
+#endif