diff options
author | Rich Salz <rsalz@openssl.org> | 2017-08-03 09:23:28 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2017-08-03 09:23:28 -0400 |
commit | 75e2c877650444fb829547bdb58d46eb1297bc1a (patch) | |
tree | 67ad6280bccdca4ae95cc269b1994ea4c1557aa7 | |
parent | 67dc995eaf538ea309c6292a1a5073465201f55b (diff) |
Switch from ossl_rand to DRBG rand
If RAND_add wraps around, XOR with existing. Add test to drbgtest that
does the wrap-around.
Re-order seeding and stop after first success.
Add RAND_poll_ex()
Use the DF and therefore lower RANDOMNESS_NEEDED. Also, for child DRBG's,
mix in the address as the personalization bits.
Centralize the entropy callbacks, from drbg_lib to rand_lib.
(Conceptually, entropy is part of the enclosing application.)
Thanks to Dr. Matthias St Pierre for the suggestion.
Various code cleanups:
-Make state an enum; inline RANDerr calls.
-Add RAND_POLL_RETRIES (thanks Pauli for the idea)
-Remove most RAND_seed calls from rest of library
-Rename DRBG_CTX to RAND_DRBG, etc.
-Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
implementation of NIST DRBG.
-Remove blocklength
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4019)
34 files changed, 816 insertions, 1397 deletions
diff --git a/apps/speed.c b/apps/speed.c index 2d943b12e2..4a2a4a9069 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -247,11 +247,6 @@ static double ecdsa_results[EC_NUM][2]; static double ecdh_results[EC_NUM][1]; #endif -#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) -static const char rnd_seed[] = - "string to make the random number generator think it has randomness"; -#endif - #ifdef SIGALRM # if defined(__STDC__) || defined(sgi) || defined(_AIX) # define SIGRETTYPE void @@ -2397,9 +2392,6 @@ int speed_main(int argc, char **argv) RAND_bytes(loopargs[i].buf, 36); #ifndef OPENSSL_NO_DSA - if (RAND_status() != 1) { - RAND_seed(rnd_seed, sizeof rnd_seed); - } for (testnum = 0; testnum < DSA_NUM; testnum++) { int st = 0; if (!dsa_doit[testnum]) @@ -2467,9 +2459,6 @@ int speed_main(int argc, char **argv) #endif /* OPENSSL_NO_DSA */ #ifndef OPENSSL_NO_EC - if (RAND_status() != 1) { - RAND_seed(rnd_seed, sizeof rnd_seed); - } for (testnum = 0; testnum < EC_NUM; testnum++) { int st = 1; @@ -2554,9 +2543,6 @@ int speed_main(int argc, char **argv) } } - if (RAND_status() != 1) { - RAND_seed(rnd_seed, sizeof rnd_seed); - } for (testnum = 0; testnum < EC_NUM; testnum++) { int ecdh_checks = 1; diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index a7c7309888..0b9e43dbdd 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -18,7 +18,6 @@ static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom) { unsigned char *buf = NULL; int ret = 0, bit, bytes, mask; - time_t tim; if (bits == 0) { if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY) @@ -40,9 +39,6 @@ static int bnrand(int testing, BIGNUM *rnd, int bits, int top, int bottom) } /* make a random number and set the top and bottom bits */ - time(&tim); - RAND_add(&tim, sizeof(tim), 0.0); - if (RAND_bytes(buf, bytes) <= 0) goto err; diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index 7de00c7440..92d6ae0ef1 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c @@ -111,7 +111,7 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, DSA *dsa) { DSA_SIG *s; - RAND_seed(dgst, dlen); + s = DSA_do_sign(dgst, dlen, dsa); if (s == NULL) { *siglen = 0; diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index d67c48524a..c7ab0ee1a3 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -20,7 +20,7 @@ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) { ECDSA_SIG *s; - RAND_seed(dgst, dlen); + s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey); if (s == NULL) { *siglen = 0; diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 81bffa6d91..e61a8761a9 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -80,7 +80,6 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); goto error; } - RAND_add(p8->pkey->data, p8->pkey->length, 0.0); return p8; error: PKCS8_PRIV_KEY_INFO_free(p8); diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index cfe2fa6fac..76e0698558 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -361,7 +361,6 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, #endif kstr = (unsigned char *)buf; } - RAND_add(data, i, 0); /* put in the RSA key. */ OPENSSL_assert(EVP_CIPHER_iv_length(enc) <= (int)sizeof(iv)); if (RAND_bytes(iv, EVP_CIPHER_iv_length(enc)) <= 0) /* Generate a salt */ goto err; diff --git a/crypto/rand/build.info b/crypto/rand/build.info index f011d78d88..2591c01f3b 100644 --- a/crypto/rand/build.info +++ b/crypto/rand/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - ossl_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \ + randfile.c rand_lib.c rand_err.c rand_egd.c \ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_rand.c diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 1588515441..e3d97d38d9 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -15,53 +15,28 @@ /* * Support framework for NIST SP 800-90A DRBG, AES-CTR mode. - */ - -/* - * Get entropy from the existing callback. This is mainly used for KATs. - */ -static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout, - int entropy, size_t min_len, size_t max_len) -{ - if (dctx->get_entropy != NULL) - return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); - /* TODO: Get from parent if it exists. */ - return 0; -} - -/* - * Cleanup entropy. - */ -static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen) -{ - if (dctx->cleanup_entropy != NULL) - dctx->cleanup_entropy(dctx, out, olen); -} - -/* + * The RAND_DRBG is OpenSSL's pointer to an instance of the DRBG. + * * The OpenSSL model is to have new and free functions, and that new * does all initialization. That is not the NIST model, which has * instantiation and un-instantiate, and re-use within a new/free * lifecycle. (No doubt this comes from the desire to support hardware * DRBG, where allocation of resources on something like an HSM is * a much bigger deal than just re-setting an allocated resource.) - * - * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the - * DRBG. */ /* - * Set/initialize |dctx| to be of type |nid|, with optional |flags|. + * Set/initialize |drbg| to be of type |nid|, with optional |flags|. * Return -2 if the type is not supported, 1 on success and -1 on * failure. */ -int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags) +int RAND_DRBG_set(RAND_DRBG *drbg, int nid, unsigned int flags) { int ret = 1; - dctx->status = DRBG_STATUS_UNINITIALISED; - dctx->flags = flags; - dctx->nid = nid; + drbg->state = DRBG_UNINITIALISED; + drbg->flags = flags; + drbg->nid = nid; switch (nid) { default: @@ -73,7 +48,7 @@ int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags) case NID_aes_128_ctr: case NID_aes_192_ctr: case NID_aes_256_ctr: - ret = ctr_init(dctx); + ret = ctr_init(drbg); break; } @@ -84,169 +59,176 @@ int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags) /* * Allocate memory and initialize a new DRBG. The |parent|, if not - * NULL, will be used to auto-seed this DRBG_CTX as needed. + * NULL, will be used to auto-seed this RAND_DRBG as needed. */ -DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent) +RAND_DRBG *RAND_DRBG_new(int type, unsigned int flags, RAND_DRBG *parent) { - DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx)); + RAND_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg)); + unsigned char *ucp = OPENSSL_zalloc(RANDOMNESS_NEEDED); - if (dctx == NULL) { + if (drbg == NULL || ucp == NULL) { RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } - - dctx->parent = parent; - if (RAND_DRBG_set(dctx, type, flags) < 0) { - OPENSSL_free(dctx); - return NULL; + drbg->size = RANDOMNESS_NEEDED; + drbg->randomness = ucp; + + drbg->parent = parent; + if (RAND_DRBG_set(drbg, type, flags) < 0) + goto err; + + if (parent != NULL) { + if (!RAND_DRBG_set_callbacks(drbg, drbg_entropy_from_parent, + drbg_release_entropy, + NULL, NULL) + /* + * Add in our address. Note we are adding the pointer + * itself, not its contents! + */ + || !RAND_DRBG_instantiate(drbg, + (unsigned char*)&drbg, sizeof(drbg))) + goto err; } - return dctx; + + return drbg; + +err: + OPENSSL_free(ucp); + OPENSSL_free(drbg); + return NULL; } /* - * Uninstantiate |dctx| and free all memory. + * Uninstantiate |drbg| and free all memory. */ -void RAND_DRBG_free(DRBG_CTX *dctx) +void RAND_DRBG_free(RAND_DRBG *drbg) { - if (dctx == NULL) + /* The global DRBG is free'd by rand_cleanup_int() */ + if (drbg == NULL || drbg == &rand_drbg) return; - ctr_uninstantiate(dctx); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data); - - /* Don't free up default DRBG */ - if (dctx == RAND_DRBG_get_default()) { - memset(dctx, 0, sizeof(DRBG_CTX)); - dctx->nid = 0; - dctx->status = DRBG_STATUS_UNINITIALISED; - } else { - OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); - OPENSSL_free(dctx); - } + ctr_uninstantiate(drbg); + OPENSSL_cleanse(drbg->randomness, drbg->size); + OPENSSL_free(drbg->randomness); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data); + OPENSSL_clear_free(drbg, sizeof(*drbg)); } /* - * Instantiate |dctx|, after it has been initialized. Use |pers| and + * Instantiate |drbg|, after it has been initialized. Use |pers| and * |perslen| as prediction-resistance input. */ -int RAND_DRBG_instantiate(DRBG_CTX *dctx, +int RAND_DRBG_instantiate(RAND_DRBG *drbg, const unsigned char *pers, size_t perslen) { - size_t entlen = 0, noncelen = 0; unsigned char *nonce = NULL, *entropy = NULL; - int r = 0; + size_t noncelen = 0, entlen = 0; - if (perslen > dctx->max_pers) { - r = RAND_R_PERSONALISATION_STRING_TOO_LONG; + if (perslen > drbg->max_pers) { + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, + RAND_R_PERSONALISATION_STRING_TOO_LONG); goto end; } - if (dctx->status != DRBG_STATUS_UNINITIALISED) { - r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE - : RAND_R_ALREADY_INSTANTIATED; + if (drbg->state != DRBG_UNINITIALISED) { + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, + drbg->state == DRBG_ERROR ? RAND_R_IN_ERROR_STATE + : RAND_R_ALREADY_INSTANTIATED); goto end; } - dctx->status = DRBG_STATUS_ERROR; - entlen = get_entropy(dctx, &entropy, dctx->strength, - dctx->min_entropy, dctx->max_entropy); - if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { - r = RAND_R_ERROR_RETRIEVING_ENTROPY; + drbg->state = DRBG_ERROR; + if (drbg->get_entropy != NULL) + entlen = drbg->get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropy, drbg->max_entropy); + if (entlen < drbg->min_entropy || entlen > drbg->max_entropy) { + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_ENTROPY); goto end; } - if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) { - noncelen = dctx->get_nonce(dctx, &nonce, - dctx->strength / 2, - dctx->min_nonce, dctx->max_nonce); - - if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { - r = RAND_R_ERROR_RETRIEVING_NONCE; + if (drbg->max_nonce > 0 && drbg->get_nonce != NULL) { + noncelen = drbg->get_nonce(drbg, &nonce, drbg->strength / 2, + drbg->min_nonce, drbg->max_nonce); + if (noncelen < drbg->min_nonce || noncelen > drbg->max_nonce) { + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_NONCE); goto end; } } - if (!ctr_instantiate(dctx, entropy, entlen, + if (!ctr_instantiate(drbg, entropy, entlen, nonce, noncelen, pers, perslen)) { - r = RAND_R_ERROR_INSTANTIATING_DRBG; + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_INSTANTIATING_DRBG); goto end; } - dctx->status = DRBG_STATUS_READY; - dctx->reseed_counter = 1; + drbg->state = DRBG_READY; + drbg->reseed_counter = 1; end: - if (entropy != NULL && dctx->cleanup_entropy != NULL) - dctx->cleanup_entropy(dctx, entropy, entlen); - if (nonce != NULL && dctx->cleanup_nonce!= NULL ) - dctx->cleanup_nonce(dctx, nonce, noncelen); - if (dctx->status == DRBG_STATUS_READY) + if (entropy != NULL && drbg->cleanup_entropy != NULL) + drbg->cleanup_entropy(drbg, entropy); + if (nonce != NULL && drbg->cleanup_nonce!= NULL ) + drbg->cleanup_nonce(drbg, nonce); + if (drbg->state == DRBG_READY) return 1; - - if (r) - RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r); return 0; } /* - * Uninstantiate |dctx|. Must be instantiated before it can be used. + * Uninstantiate |drbg|. Must be instantiated before it can be used. */ -int RAND_DRBG_uninstantiate(DRBG_CTX *dctx) +int RAND_DRBG_uninstantiate(RAND_DRBG *drbg) { - int ret = ctr_uninstantiate(dctx); + int ret = ctr_uninstantiate(drbg); - OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); - dctx->status = DRBG_STATUS_UNINITIALISED; + OPENSSL_cleanse(&drbg->ctr, sizeof(drbg->ctr)); + drbg->state = DRBG_UNINITIALISED; return ret; } /* - * Mix in the specified data to reseed |dctx|. + * Mix in the specified data to reseed |drbg|. */ -int RAND_DRBG_reseed(DRBG_CTX *dctx, +int RAND_DRBG_reseed(RAND_DRBG *drbg, const unsigned char *adin, size_t adinlen) { unsigned char *entropy = NULL; size_t entlen = 0; - int r = 0; - - if (dctx->status != DRBG_STATUS_READY - && dctx->status != DRBG_STATUS_RESEED) { - if (dctx->status == DRBG_STATUS_ERROR) - r = RAND_R_IN_ERROR_STATE; - else if (dctx->status == DRBG_STATUS_UNINITIALISED) - r = RAND_R_NOT_INSTANTIATED; - goto end; + + if (drbg->state == DRBG_ERROR) { + RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_IN_ERROR_STATE); + return 0; + } + if (drbg->state == DRBG_UNINITIALISED) { + RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_NOT_INSTANTIATED); + return 0; } if (adin == NULL) adinlen = 0; - else if (adinlen > dctx->max_adin) { - r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; - goto end; + else if (adinlen > drbg->max_adin) { + RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ADDITIONAL_INPUT_TOO_LONG); + return 0; } - dctx->status = DRBG_STATUS_ERROR; - entlen = get_entropy(dctx, &entropy, dctx->strength, - dctx->min_entropy, dctx->max_entropy); - - if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { - r = RAND_R_ERROR_RETRIEVING_ENTROPY; + drbg->state = DRBG_ERROR; + if (drbg->get_entropy != NULL) + entlen = drbg->get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropy, drbg->max_entropy); + if (entlen < drbg->min_entropy || entlen > drbg->max_entropy) { + RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ERROR_RETRIEVING_ENTROPY); goto end; } - if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen)) + if (!ctr_reseed(drbg, entropy, entlen, adin, adinlen)) goto end; - dctx->status = DRBG_STATUS_READY; - dctx->reseed_counter = 1; + drbg->state = DRBG_READY; + drbg->reseed_counter = 1; end: - if (entropy != NULL && dctx->cleanup_entropy != NULL) - cleanup_entropy(dctx, entropy, entlen); - if (dctx->status == DRBG_STATUS_READY) + if (entropy != NULL && drbg->cleanup_entropy != NULL) + drbg->cleanup_entropy(drbg, entropy); + if (drbg->state == DRBG_READY) return 1; - if (r) - RANDerr(RAND_F_RAND_DRBG_RESEED, r); - return 0; } @@ -255,98 +237,183 @@ end: * to or if |prediction_resistance| is set. Additional input can be * sent in |adin| and |adinlen|. */ -int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, +int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen, int prediction_resistance, const unsigned char *adin, size_t adinlen) { - int r = 0; - - if (dctx->status != DRBG_STATUS_READY - && dctx->status != DRBG_STATUS_RESEED) { - if (dctx->status == DRBG_STATUS_ERROR) - r = RAND_R_IN_ERROR_STATE; - else if(dctx->status == DRBG_STATUS_UNINITIALISED) - r = RAND_R_NOT_INSTANTIATED; - goto end; + if (drbg->state == DRBG_ERROR) { + RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_IN_ERROR_STATE); + return 0; } - - if (outlen > dctx->max_request) { - r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG; + if (drbg->state == DRBG_UNINITIALISED) { + RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_NOT_INSTANTIATED); return 0; } - if (adinlen > dctx->max_adin) { - r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; - goto end; + if (outlen > drbg->max_request) { + RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG); + return 0; + } + if (adinlen > drbg->max_adin) { + RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_ADDITIONAL_INPUT_TOO_LONG); + return 0; } - if (dctx->reseed_counter >= dctx->reseed_interval) - dctx->status = DRBG_STATUS_RESEED; + if (drbg->reseed_counter >= drbg->reseed_interval) + drbg->state = DRBG_RESEED; - if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { - if (!RAND_DRBG_reseed(dctx, adin, adinlen)) { - r = RAND_R_RESEED_ERROR; - goto end; + if (drbg->state == DRBG_RESEED || prediction_resistance) { + if (!RAND_DRBG_reseed(drbg, adin, adinlen)) { + RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_RESEED_ERROR); + return 0; } adin = NULL; adinlen = 0; } - if (!ctr_generate(dctx, out, outlen, adin, adinlen)) { - r = RAND_R_GENERATE_ERROR; - dctx->status = DRBG_STATUS_ERROR; - goto end; + if (!ctr_generate(drbg, out, outlen, adin, adinlen)) { + drbg->state = DRBG_ERROR; + RANDerr(RAND_F_RAND_DRBG_GENERATE, RAND_R_GENERATE_ERROR); + return 0; } - if (dctx->reseed_counter >= dctx->reseed_interval) - dctx->status = DRBG_STATUS_RESEED; + + if (drbg->reseed_counter >= drbg->reseed_interval) + drbg->state = DRBG_RESEED; else - dctx->reseed_counter++; + drbg->reseed_counter++; return 1; - -end: - RANDerr(RAND_F_RAND_DRBG_GENERATE, r); - return 0; } /* - * Set the callbacks for entropy and nonce. Used mainly for the KATs + * Set the callbacks for entropy and nonce. We currently don't use + * the nonce; that's mainly for the KATs */ -int RAND_DRBG_set_callbacks(DRBG_CTX *dctx, - size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout, - int entropy, size_t min_len, size_t max_len), - void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen), - size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout, - int entropy, size_t min_len, size_t max_len), - void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)) +int RAND_DRBG_set_callbacks(RAND_DRBG *drbg, + RAND_DRBG_get_entropy_fn cb_get_entropy, + RAND_DRBG_cleanup_entropy_fn cb_cleanup_entropy, + RAND_DRBG_get_nonce_fn cb_get_nonce, + RAND_DRBG_cleanup_nonce_fn cb_cleanup_nonce) { - if (dctx->status != DRBG_STATUS_UNINITIALISED) + if (drbg->state != DRBG_UNINITIALISED) return 0; - dctx->get_entropy = cb_get_entropy; - dctx->cleanup_entropy = cb_cleanup_entropy; - dctx->get_nonce = cb_get_nonce; - dctx->cleanup_nonce = cb_cleanup_nonce; + drbg->get_entropy = cb_get_entropy; + drbg->cleanup_entropy = cb_cleanup_entropy; + drbg->get_nonce = cb_get_nonce; + drbg->cleanup_nonce = cb_cleanup_nonce; return 1; } /* - * Set the reseed interval. Used mainly for the KATs. + * Set the reseed interval. */ -int RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval) +int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, int interval) { if (interval < 0 || interval > MAX_RESEED) return 0; - dctx->reseed_interval = interval; + drbg->reseed_interval = interval; return 1; } /* * Get and set the EXDATA */ -int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg) +int RAND_DRBG_set_ex_data(RAND_DRBG *drbg, int idx, void *arg) +{ + return CRYPTO_set_ex_data(&drbg->ex_data, idx, arg); +} + +void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx) +{ + return CRYPTO_get_ex_data(&drbg->ex_data, idx); +} + + +/* + * The following functions provide a RAND_METHOD that works on the + * global DRBG. They lock. + */ + +static int drbg_bytes(unsigned char *out, int count) +{ + int ret = 0; + size_t chunk; + + CRYPTO_THREAD_write_lock(rand_drbg.lock); + if (rand_drbg.state == DRBG_UNINITIALISED + && RAND_DRBG_instantiate(&rand_drbg, NULL, 0) == 0) + goto err; + + for ( ; count > 0; count -= chunk, out += chunk) { + chunk = count; + if (chunk > rand_drbg.max_request) + chunk = rand_drbg.max_request; + ret = RAND_DRBG_generate(&rand_drbg, out, chunk, 0, NULL, 0); + if (!ret) + goto err; + } + ret = 1; + +err: + CRYPTO_THREAD_unlock(rand_drbg.lock); + return ret; +} + +static void drbg_cleanup(void) +{ + CRYPTO_THREAD_write_lock(rand_drbg.lock); + RAND_DRBG_uninstantiate(&rand_drbg); + CRYPTO_THREAD_unlock(rand_drbg.lock); +} + +static int drbg_add(const void *buf, int num, double randomness) +{ + unsigned char *in = (unsigned char *)buf; + unsigned char *out, *end; + + CRYPTO_THREAD_write_lock(rand_bytes.lock); + out = &rand_bytes.buff[rand_bytes.curr]; + end = &rand_bytes.buff[rand_bytes.size]; + + /* Copy whatever fits into the end of the buffer. */ + for ( ; --num >= 0 && out < end; rand_bytes.curr++) + *out++ = *in++; + + /* XOR any the leftover. */ + while (num > 0) { + for (out = rand_bytes.buff; --num >= 0 && out < end; ) + *out++ ^= *in++; + } + + CRYPTO_THREAD_unlock(rand_bytes.lock); + return 1; +} + +static int drbg_seed(const void *buf, int num) +{ + return drbg_add(buf, num, num); +} + +static int drbg_status(void) { - return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg); + int ret; + + CRYPTO_THREAD_write_lock(rand_drbg.lock); + ret = rand_drbg.state == DRBG_READY ? 1 : 0; + CRYPTO_THREAD_unlock(rand_drbg.lock); + return ret; } -void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx) +RAND_DRBG rand_drbg; /* The default global DRBG. */ + +RAND_METHOD rand_meth = { + drbg_seed, + drbg_bytes, + drbg_cleanup, + drbg_add, + drbg_bytes, + drbg_status +}; + +RAND_METHOD *RAND_OpenSSL(void) { - return CRYPTO_get_ex_data(&dctx->ex_data, idx); + return &rand_meth; } diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c index 8b30cd8a0d..06f8affeb8 100644 --- a/crypto/rand/drbg_rand.c +++ b/crypto/rand/drbg_rand.c @@ -16,37 +16,14 @@ #include "internal/thread_once.h" /* - * Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD. + * Implementation of NIST SP 800-90A CTR DRBG. */ - -/* - * The default global DRBG and its auto-init/auto-cleanup. - */ -static DRBG_CTX ossl_drbg; - -static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT; - -DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init) -{ - int st = 1; - - ossl_drbg.lock = CRYPTO_THREAD_lock_new(); - st &= ossl_drbg.lock != NULL; - st &= RAND_DRBG_set(&ossl_drbg, NID_aes_128_ctr, 0) == 1; - return st; -} - -void rand_drbg_cleanup(void) -{ - CRYPTO_THREAD_lock_free(ossl_drbg.lock); -} - |