From 380ae1b3ac7052f873099dcccd9c378f64e11fc1 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Mon, 16 Oct 2023 01:35:48 +0200 Subject: rand: fix seeding from a weak entropy source The 'rand_generate' method is not well suited for being used with weak entropy sources in the 'get_entropy' callback, because the caller needs to provide a preallocated buffer without knowing how much bytes are actually needed to collect the required entropy. Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods which were exactly designed for this purpose: it's the callee who allocates and fills the buffer, and finally cleans it up again. The 'rand_get_seed' and 'rand_clear_seed' methods are currently optional for a provided random generator. We could fall back to using 'rand_generate' if those methods are not implemented. However, imo it would be better to simply make them an officially documented requirement for seed sources. Fixes #22332 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22394) (cherry picked from commit 7998e7dc07d8f1f516af32887f2490c03cd8c594) --- crypto/evp/evp_rand.c | 68 ++++++++++++++++++++++++++++++ crypto/rand/prov_seed.c | 34 +++++---------- include/crypto/evp.h | 8 ++++ providers/implementations/rands/seed_src.c | 47 ++++++++++----------- 4 files changed, 109 insertions(+), 48 deletions(-) diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index 3031ecbcc0..f7fc6c3344 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -47,6 +47,8 @@ struct evp_rand_st { OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params; OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params; OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization; + OSSL_FUNC_rand_get_seed_fn *get_seed; + OSSL_FUNC_rand_clear_seed_fn *clear_seed; } /* EVP_RAND */ ; static int evp_rand_up_ref(void *vrand) @@ -236,6 +238,16 @@ static void *evp_rand_from_algorithm(int name_id, fnzeroizecnt++; #endif break; + case OSSL_FUNC_RAND_GET_SEED: + if (rand->get_seed != NULL) + break; + rand->get_seed = OSSL_FUNC_rand_get_seed(fns); + break; + case OSSL_FUNC_RAND_CLEAR_SEED: + if (rand->clear_seed != NULL) + break; + rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns); + break; } } /* @@ -680,3 +692,59 @@ int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx) evp_rand_unlock(ctx); return res; } + +int evp_rand_can_seed(EVP_RAND_CTX *ctx) +{ + return ctx->meth->get_seed != NULL; +} + +static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx, + unsigned char **buffer, + int entropy, + size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, + size_t adin_len) +{ + if (ctx->meth->get_seed != NULL) + return ctx->meth->get_seed(ctx->algctx, buffer, + entropy, min_len, max_len, + prediction_resistance, + adin, adin_len); + return 0; +} + +size_t evp_rand_get_seed(EVP_RAND_CTX *ctx, + unsigned char **buffer, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, size_t adin_len) +{ + int res; + + if (!evp_rand_lock(ctx)) + return 0; + res = evp_rand_get_seed_locked(ctx, + buffer, + entropy, min_len, max_len, + prediction_resistance, + adin, adin_len); + evp_rand_unlock(ctx); + return res; +} + +static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx, + unsigned char *buffer, size_t b_len) +{ + if (ctx->meth->clear_seed != NULL) + ctx->meth->clear_seed(ctx->algctx, buffer, b_len); +} + +void evp_rand_clear_seed(EVP_RAND_CTX *ctx, + unsigned char *buffer, size_t b_len) +{ + if (!evp_rand_lock(ctx)) + return; + evp_rand_clear_seed_locked(ctx, buffer, b_len); + evp_rand_unlock(ctx); +} diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c index 09457427f1..ccc472afb7 100644 --- a/crypto/rand/prov_seed.c +++ b/crypto/rand/prov_seed.c @@ -8,6 +8,7 @@ */ #include "rand_local.h" +#include "crypto/evp.h" #include "crypto/rand.h" #include "crypto/rand_pool.h" #include "internal/core.h" @@ -44,31 +45,13 @@ size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len) { - unsigned char *buf; EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx); - size_t ret; - if (rng == NULL) + if (rng != NULL && evp_rand_can_seed(rng)) + return evp_rand_get_seed(rng, pout, entropy, min_len, max_len, + 0, NULL, 0); + else return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len); - - /* Determine how many bytes to generate */ - ret = entropy > 0 ? (size_t)(7 + entropy) / 8 : min_len; - if (ret < min_len) - ret = min_len; - else if (ret > max_len) - ret = max_len; - - /* Allocate the return buffer */ - if ((buf = OPENSSL_secure_malloc(ret)) == NULL) - return 0; - - /* Fill the buffer */ - if (!EVP_RAND_generate(rng, buf, ret, entropy, 0, NULL, 0)) { - OPENSSL_free(buf); - return 0; - } - *pout = buf; - return ret; } void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx, @@ -80,7 +63,12 @@ void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx, void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t len) { - OPENSSL_secure_clear_free(buf, len); + EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx); + + if (rng != NULL && evp_rand_can_seed(rng)) + evp_rand_clear_seed(rng, buf, len); + else + OPENSSL_secure_clear_free(buf, len); } size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx, diff --git a/include/crypto/evp.h b/include/crypto/evp.h index dbbdcccbda..17828c0a89 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -949,6 +949,14 @@ int evp_keymgmt_get_number(const EVP_KEYMGMT *keymgmt); int evp_mac_get_number(const EVP_MAC *mac); int evp_md_get_number(const EVP_MD *md); int evp_rand_get_number(const EVP_RAND *rand); +int evp_rand_can_seed(EVP_RAND_CTX *ctx); +size_t evp_rand_get_seed(EVP_RAND_CTX *ctx, + unsigned char **buffer, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, size_t adin_len); +void evp_rand_clear_seed(EVP_RAND_CTX *ctx, + unsigned char *buffer, size_t b_len); int evp_signature_get_number(const EVP_SIGNATURE *signature); #endif /* OSSL_CRYPTO_EVP_H */ diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index 7a4b780bb4..30fd25244e 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c @@ -179,35 +179,32 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, int prediction_resistance, const unsigned char *adin, size_t adin_len) { - size_t bytes_needed; - unsigned char *p; - - /* - * Figure out how many bytes we need. - * This assumes that the seed sources provide eight bits of entropy - * per byte. For lower quality sources, the formula will need to be - * different. - */ - bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0; - if (bytes_needed < min_len) - bytes_needed = min_len; - if (bytes_needed > max_len) { - ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK); - return 0; - } + size_t ret = 0; + size_t entropy_available = 0; + size_t i; + RAND_POOL *pool; - p = OPENSSL_secure_malloc(bytes_needed); - if (p == NULL) { - ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); return 0; } - if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, - adin, adin_len) != 0) { - *pout = p; - return bytes_needed; + + /* Get entropy by polling system entropy sources. */ + entropy_available = ossl_pool_acquire_entropy(pool); + + if (entropy_available > 0) { + ret = ossl_rand_pool_length(pool); + *pout = ossl_rand_pool_detach(pool); + + /* xor the additional data into the output */ + for (i = 0 ; i < adin_len ; ++i) + (*pout)[i % ret] ^= adin[i]; + } else { + ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK); } - OPENSSL_secure_clear_free(p, bytes_needed); - return 0; + ossl_rand_pool_free(pool); + return ret; } static void seed_clear_seed(ossl_unused void *vdrbg, -- cgit v1.2.3