diff options
| author | Matthias St. Pierre <matthias.st.pierre@ncp-e.com> | 2023-10-16 01:35:48 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2023-10-24 11:14:11 +0100 |
| commit | 7998e7dc07d8f1f516af32887f2490c03cd8c594 (patch) | |
| tree | 47fb9ebc7a356181874d8423dda1c4643d6c78ce /providers/implementations | |
| parent | 0a8faac3c7cc2e88f46a8bdce5bd039dc22abdec (diff) | |
rand: fix seeding from a weak entropy source
The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.
Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.
The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.
Fixes #22332
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)
Diffstat (limited to 'providers/implementations')
| -rw-r--r-- | providers/implementations/rands/seed_src.c | 45 |
1 files changed, 22 insertions, 23 deletions
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index e57c9c4d41..e8f7ec9efc 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -177,33 +177,32 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, int prediction_resistance, const unsigned char *adin, size_t adin_len) { - size_t bytes_needed; - unsigned char *p; - - /* - * Figure out how many bytes we need. - * This assumes that the seed sources provide eight bits of entropy - * per byte. For lower quality sources, the formula will need to be - * different. - */ - bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0; - if (bytes_needed < min_len) - bytes_needed = min_len; - if (bytes_needed > max_len) { - ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK); + size_t ret = 0; + size_t entropy_available = 0; + size_t i; + RAND_POOL *pool; + + pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); return 0; } - p = OPENSSL_secure_malloc(bytes_needed); - if (p == NULL) - return 0; - if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, - adin, adin_len) != 0) { - *pout = p; - return bytes_needed; + /* Get entropy by polling system entropy sources. */ + entropy_available = ossl_pool_acquire_entropy(pool); + + if (entropy_available > 0) { + ret = ossl_rand_pool_length(pool); + *pout = ossl_rand_pool_detach(pool); + + /* xor the additional data into the output */ + for (i = 0 ; i < adin_len ; ++i) + (*pout)[i % ret] ^= adin[i]; + } else { + ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK); } - OPENSSL_secure_clear_free(p, bytes_needed); - return 0; + ossl_rand_pool_free(pool); + return ret; } static void seed_clear_seed(ossl_unused void *vdrbg, |