The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.
Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.
The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.
Fixes #22332
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)
(cherry picked from commit
7998e7dc07d8f1f516af32887f2490c03cd8c594)
OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
+ OSSL_FUNC_rand_get_seed_fn *get_seed;
+ OSSL_FUNC_rand_clear_seed_fn *clear_seed;
} /* EVP_RAND */ ;
static int evp_rand_up_ref(void *vrand)
fnzeroizecnt++;
#endif
break;
+ case OSSL_FUNC_RAND_GET_SEED:
+ if (rand->get_seed != NULL)
+ break;
+ rand->get_seed = OSSL_FUNC_rand_get_seed(fns);
+ break;
+ case OSSL_FUNC_RAND_CLEAR_SEED:
+ if (rand->clear_seed != NULL)
+ break;
+ rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns);
+ break;
}
}
/*
evp_rand_unlock(ctx);
return res;
}
+
+int evp_rand_can_seed(EVP_RAND_CTX *ctx)
+{
+ return ctx->meth->get_seed != NULL;
+}
+
+static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx,
+ unsigned char **buffer,
+ int entropy,
+ size_t min_len, size_t max_len,
+ int prediction_resistance,
+ const unsigned char *adin,
+ size_t adin_len)
+{
+ if (ctx->meth->get_seed != NULL)
+ return ctx->meth->get_seed(ctx->algctx, buffer,
+ entropy, min_len, max_len,
+ prediction_resistance,
+ adin, adin_len);
+ return 0;
+}
+
+size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
+ unsigned char **buffer,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adin_len)
+{
+ int res;
+
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = evp_rand_get_seed_locked(ctx,
+ buffer,
+ entropy, min_len, max_len,
+ prediction_resistance,
+ adin, adin_len);
+ evp_rand_unlock(ctx);
+ return res;
+}
+
+static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx,
+ unsigned char *buffer, size_t b_len)
+{
+ if (ctx->meth->clear_seed != NULL)
+ ctx->meth->clear_seed(ctx->algctx, buffer, b_len);
+}
+
+void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
+ unsigned char *buffer, size_t b_len)
+{
+ if (!evp_rand_lock(ctx))
+ return;
+ evp_rand_clear_seed_locked(ctx, buffer, b_len);
+ evp_rand_unlock(ctx);
+}
*/
#include "rand_local.h"
+#include "crypto/evp.h"
#include "crypto/rand.h"
#include "crypto/rand_pool.h"
#include "internal/core.h"
unsigned char **pout, int entropy,
size_t min_len, size_t max_len)
{
- unsigned char *buf;
EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
- size_t ret;
- if (rng == NULL)
+ if (rng != NULL && evp_rand_can_seed(rng))
+ return evp_rand_get_seed(rng, pout, entropy, min_len, max_len,
+ 0, NULL, 0);
+ else
return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len);
-
- /* Determine how many bytes to generate */
- ret = entropy > 0 ? (size_t)(7 + entropy) / 8 : min_len;
- if (ret < min_len)
- ret = min_len;
- else if (ret > max_len)
- ret = max_len;
-
- /* Allocate the return buffer */
- if ((buf = OPENSSL_secure_malloc(ret)) == NULL)
- return 0;
-
- /* Fill the buffer */
- if (!EVP_RAND_generate(rng, buf, ret, entropy, 0, NULL, 0)) {
- OPENSSL_free(buf);
- return 0;
- }
- *pout = buf;
- return ret;
}
void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx,
unsigned char *buf, size_t len)
{
- OPENSSL_secure_clear_free(buf, len);
+ EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
+
+ if (rng != NULL && evp_rand_can_seed(rng))
+ evp_rand_clear_seed(rng, buf, len);
+ else
+ OPENSSL_secure_clear_free(buf, len);
}
size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx,
int evp_mac_get_number(const EVP_MAC *mac);
int evp_md_get_number(const EVP_MD *md);
int evp_rand_get_number(const EVP_RAND *rand);
+int evp_rand_can_seed(EVP_RAND_CTX *ctx);
+size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
+ unsigned char **buffer,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adin_len);
+void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
+ unsigned char *buffer, size_t b_len);
int evp_signature_get_number(const EVP_SIGNATURE *signature);
#endif /* OSSL_CRYPTO_EVP_H */
int prediction_resistance,
const unsigned char *adin, size_t adin_len)
{
- size_t bytes_needed;
- unsigned char *p;
-
- /*
- * Figure out how many bytes we need.
- * This assumes that the seed sources provide eight bits of entropy
- * per byte. For lower quality sources, the formula will need to be
- * different.
- */
- bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
- if (bytes_needed < min_len)
- bytes_needed = min_len;
- if (bytes_needed > max_len) {
- ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
- return 0;
- }
+ size_t ret = 0;
+ size_t entropy_available = 0;
+ size_t i;
+ RAND_POOL *pool;
- p = OPENSSL_secure_malloc(bytes_needed);
- if (p == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ if (pool == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
return 0;
}
- if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
- adin, adin_len) != 0) {
- *pout = p;
- return bytes_needed;
+
+ /* Get entropy by polling system entropy sources. */
+ entropy_available = ossl_pool_acquire_entropy(pool);
+
+ if (entropy_available > 0) {
+ ret = ossl_rand_pool_length(pool);
+ *pout = ossl_rand_pool_detach(pool);
+
+ /* xor the additional data into the output */
+ for (i = 0 ; i < adin_len ; ++i)
+ (*pout)[i % ret] ^= adin[i];
+ } else {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
}
- OPENSSL_secure_clear_free(p, bytes_needed);
- return 0;
+ ossl_rand_pool_free(pool);
+ return ret;
}
static void seed_clear_seed(ossl_unused void *vdrbg,
projects / openssl.git / commitdiff