From 7998e7dc07d8f1f516af32887f2490c03cd8c594 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Mon, 16 Oct 2023 01:35:48 +0200 Subject: rand: fix seeding from a weak entropy source The 'rand_generate' method is not well suited for being used with weak entropy sources in the 'get_entropy' callback, because the caller needs to provide a preallocated buffer without knowing how much bytes are actually needed to collect the required entropy. Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods which were exactly designed for this purpose: it's the callee who allocates and fills the buffer, and finally cleans it up again. The 'rand_get_seed' and 'rand_clear_seed' methods are currently optional for a provided random generator. We could fall back to using 'rand_generate' if those methods are not implemented. However, imo it would be better to simply make them an officially documented requirement for seed sources. Fixes #22332 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22394) --- crypto/evp/evp_rand.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) (limited to 'crypto/evp') diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index ecfc876cda..50334042a9 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -46,6 +46,8 @@ struct evp_rand_st { OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params; OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params; OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization; + OSSL_FUNC_rand_get_seed_fn *get_seed; + OSSL_FUNC_rand_clear_seed_fn *clear_seed; } /* EVP_RAND */ ; static int evp_rand_up_ref(void *vrand) @@ -236,6 +238,16 @@ static void *evp_rand_from_algorithm(int name_id, fnzeroizecnt++; #endif break; + case OSSL_FUNC_RAND_GET_SEED: + if (rand->get_seed != NULL) + break; + rand->get_seed = OSSL_FUNC_rand_get_seed(fns); + break; + case OSSL_FUNC_RAND_CLEAR_SEED: + if (rand->clear_seed != NULL) + break; + rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns); + break; } } /* @@ -680,3 +692,59 @@ int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx) evp_rand_unlock(ctx); return res; } + +int evp_rand_can_seed(EVP_RAND_CTX *ctx) +{ + return ctx->meth->get_seed != NULL; +} + +static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx, + unsigned char **buffer, + int entropy, + size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, + size_t adin_len) +{ + if (ctx->meth->get_seed != NULL) + return ctx->meth->get_seed(ctx->algctx, buffer, + entropy, min_len, max_len, + prediction_resistance, + adin, adin_len); + return 0; +} + +size_t evp_rand_get_seed(EVP_RAND_CTX *ctx, + unsigned char **buffer, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance, + const unsigned char *adin, size_t adin_len) +{ + int res; + + if (!evp_rand_lock(ctx)) + return 0; + res = evp_rand_get_seed_locked(ctx, + buffer, + entropy, min_len, max_len, + prediction_resistance, + adin, adin_len); + evp_rand_unlock(ctx); + return res; +} + +static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx, + unsigned char *buffer, size_t b_len) +{ + if (ctx->meth->clear_seed != NULL) + ctx->meth->clear_seed(ctx->algctx, buffer, b_len); +} + +void evp_rand_clear_seed(EVP_RAND_CTX *ctx, + unsigned char *buffer, size_t b_len) +{ + if (!evp_rand_lock(ctx)) + return; + evp_rand_clear_seed_locked(ctx, buffer, b_len); + evp_rand_unlock(ctx); +} -- cgit v1.2.3