rand: fix seeding from a weak entropy source

The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.

Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.

The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.

Fixes #22332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)

4 files changed, 109 insertions, 46 deletions

diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c
index ecfc876cda..50334042a9 100644
--- a/crypto/evp/evp_rand.c
+++ b/crypto/evp/evp_rand.c
@@ -46,6 +46,8 @@ struct evp_rand_st {
     OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
     OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
     OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
+    OSSL_FUNC_rand_get_seed_fn *get_seed;
+    OSSL_FUNC_rand_clear_seed_fn *clear_seed;
 } /* EVP_RAND */ ;
 
 static int evp_rand_up_ref(void *vrand)
@@ -236,6 +238,16 @@ static void *evp_rand_from_algorithm(int name_id,
             fnzeroizecnt++;
 #endif
             break;
+        case OSSL_FUNC_RAND_GET_SEED:
+            if (rand->get_seed != NULL)
+                break;
+            rand->get_seed = OSSL_FUNC_rand_get_seed(fns);
+            break;
+        case OSSL_FUNC_RAND_CLEAR_SEED:
+            if (rand->clear_seed != NULL)
+                break;
+            rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns);
+            break;
         }
     }
     /*
@@ -680,3 +692,59 @@ int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx)
     evp_rand_unlock(ctx);
     return res;
 }
+
+int evp_rand_can_seed(EVP_RAND_CTX *ctx)
+{
+    return ctx->meth->get_seed != NULL;
+}
+
+static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx,
+                                       unsigned char **buffer,
+                                       int entropy,
+                                       size_t min_len, size_t max_len,
+                                       int prediction_resistance,
+                                       const unsigned char *adin,
+                                       size_t adin_len)
+{
+    if (ctx->meth->get_seed != NULL)
+        return ctx->meth->get_seed(ctx->algctx, buffer,
+                                   entropy, min_len, max_len,
+                                   prediction_resistance,
+                                   adin, adin_len);
+    return 0;
+}
+
+size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
+                         unsigned char **buffer,
+                         int entropy, size_t min_len, size_t max_len,
+                         int prediction_resistance,
+                         const unsigned char *adin, size_t adin_len)
+{
+    int res;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    res = evp_rand_get_seed_locked(ctx,
+                                   buffer,
+                                   entropy, min_len, max_len,
+                                   prediction_resistance,
+                                   adin, adin_len);
+    evp_rand_unlock(ctx);
+    return res;
+}
+
+static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx,
+                                       unsigned char *buffer, size_t b_len)
+{
+    if (ctx->meth->clear_seed != NULL)
+        ctx->meth->clear_seed(ctx->algctx, buffer, b_len);
+}
+
+void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
+                         unsigned char *buffer, size_t b_len)
+{
+    if (!evp_rand_lock(ctx))
+        return;
+    evp_rand_clear_seed_locked(ctx, buffer, b_len);
+    evp_rand_unlock(ctx);
+}
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
index a8128119b5..2985c7f2d8 100644
--- a/crypto/rand/prov_seed.c
+++ b/crypto/rand/prov_seed.c
@@ -8,6 +8,7 @@
  */
 
 #include "rand_local.h"
+#include "crypto/evp.h"
 #include "crypto/rand.h"
 #include "crypto/rand_pool.h"
 #include "internal/core.h"
@@ -44,31 +45,13 @@ size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx,
                                   unsigned char **pout, int entropy,
                                   size_t min_len, size_t max_len)
 {
-    unsigned char *buf;
     EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
-    size_t ret;
 
-    if (rng == NULL)
+    if (rng != NULL && evp_rand_can_seed(rng))
+        return evp_rand_get_seed(rng, pout, entropy, min_len, max_len,
+                                 0, NULL, 0);
+    else
         return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len);
-
-    /* Determine how many bytes to generate */
-    ret = entropy > 0 ? (size_t)(7 + entropy) / 8 : min_len;
-    if (ret < min_len)
-        ret = min_len;
-    else if (ret > max_len)
-        ret = max_len;
-
-    /* Allocate the return buffer */
-    if ((buf = OPENSSL_secure_malloc(ret)) == NULL)
-        return 0;
-
-    /* Fill the buffer */
-    if (!EVP_RAND_generate(rng, buf, ret, entropy, 0, NULL, 0)) {
-        OPENSSL_free(buf);
-        return 0;
-    }
-    *pout = buf;
-    return ret;
 }
 
 void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
@@ -80,7 +63,12 @@ void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
 void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx,
                                     unsigned char *buf, size_t len)
 {
-    OPENSSL_secure_clear_free(buf, len);
+    EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
+
+    if (rng != NULL && evp_rand_can_seed(rng))
+        evp_rand_clear_seed(rng, buf, len);
+    else
+        OPENSSL_secure_clear_free(buf, len);
 }
 
 size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx,
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 473b95514a..34cea2f9f4 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -953,6 +953,14 @@ int evp_keymgmt_get_number(const EVP_KEYMGMT *keymgmt);
 int evp_mac_get_number(const EVP_MAC *mac);
 int evp_md_get_number(const EVP_MD *md);
 int evp_rand_get_number(const EVP_RAND *rand);
+int evp_rand_can_seed(EVP_RAND_CTX *ctx);
+size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
+                         unsigned char **buffer,
+                         int entropy, size_t min_len, size_t max_len,
+                         int prediction_resistance,
+                         const unsigned char *adin, size_t adin_len);
+void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
+                         unsigned char *buffer, size_t b_len);
 int evp_signature_get_number(const EVP_SIGNATURE *signature);
 
 int evp_pkey_decrypt_alloc(EVP_PKEY_CTX *ctx, unsigned char **outp,
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
index e57c9c4d41..e8f7ec9efc 100644
--- a/providers/implementations/rands/seed_src.c
+++ b/providers/implementations/rands/seed_src.c
@@ -177,33 +177,32 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
                             int prediction_resistance,
                             const unsigned char *adin, size_t adin_len)
 {
-    size_t bytes_needed;
-    unsigned char *p;
-
-    /*
-     * Figure out how many bytes we need.
-     * This assumes that the seed sources provide eight bits of entropy
-     * per byte.  For lower quality sources, the formula will need to be
-     * different.
-     */
-    bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
-    if (bytes_needed < min_len)
-        bytes_needed = min_len;
-    if (bytes_needed > max_len) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
+    size_t ret = 0;
+    size_t entropy_available = 0;
+    size_t i;
+    RAND_POOL *pool;
+
+    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+    if (pool == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
         return 0;
     }
 
-    p = OPENSSL_secure_malloc(bytes_needed);
-    if (p == NULL)
-        return 0;
-    if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
-                          adin, adin_len) != 0) {
-        *pout = p;
-        return bytes_needed;
+    /* Get entropy by polling system entropy sources. */
+    entropy_available = ossl_pool_acquire_entropy(pool);
+
+    if (entropy_available > 0) {
+        ret = ossl_rand_pool_length(pool);
+        *pout = ossl_rand_pool_detach(pool);
+
+        /* xor the additional data into the output */
+        for (i = 0 ; i < adin_len ; ++i)
+            (*pout)[i % ret] ^= adin[i];
+    } else {
+        ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
     }
-    OPENSSL_secure_clear_free(p, bytes_needed);
-    return 0;
+    ossl_rand_pool_free(pool);
+    return ret;
 }
 
 static void seed_clear_seed(ossl_unused void *vdrbg,