1 | /* |
2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdio.h> |
11 | #include <time.h> |
12 | #include "internal/cryptlib.h" |
13 | #include <openssl/opensslconf.h> |
14 | #include "crypto/rand.h" |
15 | #include <openssl/engine.h> |
16 | #include "internal/thread_once.h" |
17 | #include "rand_local.h" |
18 | #include "e_os.h" |
19 | |
20 | #ifndef FIPS_MODE |
21 | # ifndef OPENSSL_NO_ENGINE |
22 | /* non-NULL if default_RAND_meth is ENGINE-provided */ |
23 | static ENGINE *funct_ref; |
24 | static CRYPTO_RWLOCK *rand_engine_lock; |
25 | # endif |
26 | static CRYPTO_RWLOCK *rand_meth_lock; |
27 | static const RAND_METHOD *default_RAND_meth; |
28 | static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; |
29 | |
30 | static int rand_inited = 0; |
31 | #endif /* FIPS_MODE */ |
32 | |
33 | #ifdef OPENSSL_RAND_SEED_RDTSC |
34 | /* |
35 | * IMPORTANT NOTE: It is not currently possible to use this code |
36 | * because we are not sure about the amount of randomness it provides. |
37 | * Some SP900 tests have been run, but there is internal skepticism. |
38 | * So for now this code is not used. |
39 | */ |
40 | # error "RDTSC enabled? Should not be possible!" |
41 | |
42 | /* |
43 | * Acquire entropy from high-speed clock |
44 | * |
45 | * Since we get some randomness from the low-order bits of the |
46 | * high-speed clock, it can help. |
47 | * |
48 | * Returns the total entropy count, if it exceeds the requested |
49 | * entropy count. Otherwise, returns an entropy count of 0. |
50 | */ |
51 | size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool) |
52 | { |
53 | unsigned char c; |
54 | int i; |
55 | |
56 | if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) { |
57 | for (i = 0; i < TSC_READ_COUNT; i++) { |
58 | c = (unsigned char)(OPENSSL_rdtsc() & 0xFF); |
59 | rand_pool_add(pool, &c, 1, 4); |
60 | } |
61 | } |
62 | return rand_pool_entropy_available(pool); |
63 | } |
64 | #endif |
65 | |
66 | #ifdef OPENSSL_RAND_SEED_RDCPU |
67 | size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); |
68 | size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); |
69 | |
70 | /* |
71 | * Acquire entropy using Intel-specific cpu instructions |
72 | * |
73 | * Uses the RDSEED instruction if available, otherwise uses |
74 | * RDRAND if available. |
75 | * |
76 | * For the differences between RDSEED and RDRAND, and why RDSEED |
77 | * is the preferred choice, see https://goo.gl/oK3KcN |
78 | * |
79 | * Returns the total entropy count, if it exceeds the requested |
80 | * entropy count. Otherwise, returns an entropy count of 0. |
81 | */ |
82 | size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) |
83 | { |
84 | size_t bytes_needed; |
85 | unsigned char *buffer; |
86 | |
87 | bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); |
88 | if (bytes_needed > 0) { |
89 | buffer = rand_pool_add_begin(pool, bytes_needed); |
90 | |
91 | if (buffer != NULL) { |
92 | /* Whichever comes first, use RDSEED, RDRAND or nothing */ |
93 | if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) { |
94 | if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed) |
95 | == bytes_needed) { |
96 | rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); |
97 | } |
98 | } else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { |
99 | if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed) |
100 | == bytes_needed) { |
101 | rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); |
102 | } |
103 | } else { |
104 | rand_pool_add_end(pool, 0, 0); |
105 | } |
106 | } |
107 | } |
108 | |
109 | return rand_pool_entropy_available(pool); |
110 | } |
111 | #endif |
112 | |
113 | |
114 | /* |
115 | * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) |
116 | * |
117 | * If the DRBG has a parent, then the required amount of entropy input |
118 | * is fetched using the parent's RAND_DRBG_generate(). |
119 | * |
120 | * Otherwise, the entropy is polled from the system entropy sources |
121 | * using rand_pool_acquire_entropy(). |
122 | * |
123 | * If a random pool has been added to the DRBG using RAND_add(), then |
124 | * its entropy will be used up first. |
125 | */ |
126 | size_t rand_drbg_get_entropy(RAND_DRBG *drbg, |
127 | unsigned char **pout, |
128 | int entropy, size_t min_len, size_t max_len, |
129 | int prediction_resistance) |
130 | { |
131 | size_t ret = 0; |
132 | size_t entropy_available = 0; |
133 | RAND_POOL *pool; |
134 | |
135 | if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) { |
136 | /* |
137 | * We currently don't support the algorithm from NIST SP 800-90C |
138 | * 10.1.2 to use a weaker DRBG as source |
139 | */ |
140 | RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK); |
141 | return 0; |
142 | } |
143 | |
144 | if (drbg->seed_pool != NULL) { |
145 | pool = drbg->seed_pool; |
146 | pool->entropy_requested = entropy; |
147 | } else { |
148 | pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); |
149 | if (pool == NULL) |
150 | return 0; |
151 | } |
152 | |
153 | if (drbg->parent != NULL) { |
154 | size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); |
155 | unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); |
156 | |
157 | if (buffer != NULL) { |
158 | size_t bytes = 0; |
159 | |
160 | /* |
161 | * Get random data from parent. Include our address as additional input, |
162 | * in order to provide some additional distinction between different |
163 | * DRBG child instances. |
164 | * Our lock is already held, but we need to lock our parent before |
165 | * generating bits from it. (Note: taking the lock will be a no-op |
166 | * if locking if drbg->parent->lock == NULL.) |
167 | */ |
168 | rand_drbg_lock(drbg->parent); |
169 | if (RAND_DRBG_generate(drbg->parent, |
170 | buffer, bytes_needed, |
171 | prediction_resistance, |
172 | (unsigned char *)&drbg, sizeof(drbg)) != 0) |
173 | bytes = bytes_needed; |
174 | drbg->reseed_next_counter |
175 | = tsan_load(&drbg->parent->reseed_prop_counter); |
176 | rand_drbg_unlock(drbg->parent); |
177 | |
178 | rand_pool_add_end(pool, bytes, 8 * bytes); |
179 | entropy_available = rand_pool_entropy_available(pool); |
180 | } |
181 | |
182 | } else { |
183 | /* Get entropy by polling system entropy sources. */ |
184 | entropy_available = rand_pool_acquire_entropy(pool); |
185 | } |
186 | |
187 | if (entropy_available > 0) { |
188 | ret = rand_pool_length(pool); |
189 | *pout = rand_pool_detach(pool); |
190 | } |
191 | |
192 | if (drbg->seed_pool == NULL) |
193 | rand_pool_free(pool); |
194 | return ret; |
195 | } |
196 | |
197 | /* |
198 | * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) |
199 | * |
200 | */ |
201 | void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, |
202 | unsigned char *out, size_t outlen) |
203 | { |
204 | if (drbg->seed_pool == NULL) { |
205 | if (drbg->secure) |
206 | OPENSSL_secure_clear_free(out, outlen); |
207 | else |
208 | OPENSSL_clear_free(out, outlen); |
209 | } |
210 | } |
211 | |
212 | /* |
213 | * Generate additional data that can be used for the drbg. The data does |
214 | * not need to contain entropy, but it's useful if it contains at least |
215 | * some bits that are unpredictable. |
216 | * |
217 | * Returns 0 on failure. |
218 | * |
219 | * On success it allocates a buffer at |*pout| and returns the length of |
220 | * the data. The buffer should get freed using OPENSSL_secure_clear_free(). |
221 | */ |
222 | size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout) |
223 | { |
224 | size_t ret = 0; |
225 | |
226 | if (rand_pool_add_additional_data(pool) == 0) |
227 | goto err; |
228 | |
229 | ret = rand_pool_length(pool); |
230 | *pout = rand_pool_detach(pool); |
231 | |
232 | err: |
233 | return ret; |
234 | } |
235 | |
236 | void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out) |
237 | { |
238 | rand_pool_reattach(pool, out); |
239 | } |
240 | |
241 | #ifndef FIPS_MODE |
242 | DEFINE_RUN_ONCE_STATIC(do_rand_init) |
243 | { |
244 | # ifndef OPENSSL_NO_ENGINE |
245 | rand_engine_lock = CRYPTO_THREAD_lock_new(); |
246 | if (rand_engine_lock == NULL) |
247 | return 0; |
248 | # endif |
249 | |
250 | rand_meth_lock = CRYPTO_THREAD_lock_new(); |
251 | if (rand_meth_lock == NULL) |
252 | goto err; |
253 | |
254 | if (!rand_pool_init()) |
255 | goto err; |
256 | |
257 | rand_inited = 1; |
258 | return 1; |
259 | |
260 | err: |
261 | CRYPTO_THREAD_lock_free(rand_meth_lock); |
262 | rand_meth_lock = NULL; |
263 | # ifndef OPENSSL_NO_ENGINE |
264 | CRYPTO_THREAD_lock_free(rand_engine_lock); |
265 | rand_engine_lock = NULL; |
266 | # endif |
267 | return 0; |
268 | } |
269 | |
270 | void rand_cleanup_int(void) |
271 | { |
272 | const RAND_METHOD *meth = default_RAND_meth; |
273 | |
274 | if (!rand_inited) |
275 | return; |
276 | |
277 | if (meth != NULL && meth->cleanup != NULL) |
278 | meth->cleanup(); |
279 | RAND_set_rand_method(NULL); |
280 | rand_pool_cleanup(); |
281 | # ifndef OPENSSL_NO_ENGINE |
282 | CRYPTO_THREAD_lock_free(rand_engine_lock); |
283 | rand_engine_lock = NULL; |
284 | # endif |
285 | CRYPTO_THREAD_lock_free(rand_meth_lock); |
286 | rand_meth_lock = NULL; |
287 | rand_inited = 0; |
288 | } |
289 | |
290 | /* TODO(3.0): Do we need to handle this somehow in the FIPS module? */ |
291 | /* |
292 | * RAND_close_seed_files() ensures that any seed file descriptors are |
293 | * closed after use. |
294 | */ |
295 | void RAND_keep_random_devices_open(int keep) |
296 | { |
297 | if (RUN_ONCE(&rand_init, do_rand_init)) |
298 | rand_pool_keep_random_devices_open(keep); |
299 | } |
300 | |
301 | /* |
302 | * RAND_poll() reseeds the default RNG using random input |
303 | * |
304 | * The random input is obtained from polling various entropy |
305 | * sources which depend on the operating system and are |
306 | * configurable via the --with-rand-seed configure option. |
307 | */ |
308 | int RAND_poll(void) |
309 | { |
310 | int ret = 0; |
311 | |
312 | const RAND_METHOD *meth = RAND_get_rand_method(); |
313 | |
314 | if (meth == NULL) |
315 | return 0; |
316 | |
317 | if (meth == RAND_OpenSSL()) { |
318 | /* fill random pool and seed the master DRBG */ |
319 | RAND_DRBG *drbg = RAND_DRBG_get0_master(); |
320 | |
321 | if (drbg == NULL) |
322 | return 0; |
323 | |
324 | rand_drbg_lock(drbg); |
325 | ret = rand_drbg_restart(drbg, NULL, 0, 0); |
326 | rand_drbg_unlock(drbg); |
327 | |
328 | return ret; |
329 | |
330 | } else { |
331 | RAND_POOL *pool = NULL; |
332 | |
333 | /* fill random pool and seed the current legacy RNG */ |
334 | pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, |
335 | (RAND_DRBG_STRENGTH + 7) / 8, |
336 | RAND_POOL_MAX_LENGTH); |
337 | if (pool == NULL) |
338 | return 0; |
339 | |
340 | if (rand_pool_acquire_entropy(pool) == 0) |
341 | goto err; |
342 | |
343 | if (meth->add == NULL |
344 | || meth->add(rand_pool_buffer(pool), |
345 | rand_pool_length(pool), |
346 | (rand_pool_entropy(pool) / 8.0)) == 0) |
347 | goto err; |
348 | |
349 | ret = 1; |
350 | |
351 | err: |
352 | rand_pool_free(pool); |
353 | } |
354 | |
355 | return ret; |
356 | } |
357 | #endif /* FIPS_MODE */ |
358 | |
359 | /* |
360 | * Allocate memory and initialize a new random pool |
361 | */ |
362 | |
363 | RAND_POOL *rand_pool_new(int entropy_requested, int secure, |
364 | size_t min_len, size_t max_len) |
365 | { |
366 | RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); |
367 | size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure); |
368 | |
369 | if (pool == NULL) { |
370 | RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); |
371 | return NULL; |
372 | } |
373 | |
374 | pool->min_len = min_len; |
375 | pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ? |
376 | RAND_POOL_MAX_LENGTH : max_len; |
377 | pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len; |
378 | if (pool->alloc_len > pool->max_len) |
379 | pool->alloc_len = pool->max_len; |
380 | |
381 | if (secure) |
382 | pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len); |
383 | else |
384 | pool->buffer = OPENSSL_zalloc(pool->alloc_len); |
385 | |
386 | if (pool->buffer == NULL) { |
387 | RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); |
388 | goto err; |
389 | } |
390 | |
391 | pool->entropy_requested = entropy_requested; |
392 | pool->secure = secure; |
393 | |
394 | return pool; |
395 | |
396 | err: |
397 | OPENSSL_free(pool); |
398 | return NULL; |
399 | } |
400 | |
401 | /* |
402 | * Attach new random pool to the given buffer |
403 | * |
404 | * This function is intended to be used only for feeding random data |
405 | * provided by RAND_add() and RAND_seed() into the <master> DRBG. |
406 | */ |
407 | RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len, |
408 | size_t entropy) |
409 | { |
410 | RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); |
411 | |
412 | if (pool == NULL) { |
413 | RANDerr(RAND_F_RAND_POOL_ATTACH, ERR_R_MALLOC_FAILURE); |
414 | return NULL; |
415 | } |
416 | |
417 | /* |
418 | * The const needs to be cast away, but attached buffers will not be |
419 | * modified (in contrary to allocated buffers which are zeroed and |
420 | * freed in the end). |
421 | */ |
422 | pool->buffer = (unsigned char *) buffer; |
423 | pool->len = len; |
424 | |
425 | pool->attached = 1; |
426 | |
427 | pool->min_len = pool->max_len = pool->alloc_len = pool->len; |
428 | pool->entropy = entropy; |
429 | |
430 | return pool; |
431 | } |
432 | |
433 | /* |
434 | * Free |pool|, securely erasing its buffer. |
435 | */ |
436 | void rand_pool_free(RAND_POOL *pool) |
437 | { |
438 | if (pool == NULL) |
439 | return; |
440 | |
441 | /* |
442 | * Although it would be advisable from a cryptographical viewpoint, |
443 | * we are not allowed to clear attached buffers, since they are passed |
444 | * to rand_pool_attach() as `const unsigned char*`. |
445 | * (see corresponding comment in rand_pool_attach()). |
446 | */ |
447 | if (!pool->attached) { |
448 | if (pool->secure) |
449 | OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); |
450 | else |
451 | OPENSSL_clear_free(pool->buffer, pool->alloc_len); |
452 | } |
453 | |
454 | OPENSSL_free(pool); |
455 | } |
456 | |
457 | /* |
458 | * Return the |pool|'s buffer to the caller (readonly). |
459 | */ |
460 | const unsigned char *rand_pool_buffer(RAND_POOL *pool) |
461 | { |
462 | return pool->buffer; |
463 | } |
464 | |
465 | /* |
466 | * Return the |pool|'s entropy to the caller. |
467 | */ |
468 | size_t rand_pool_entropy(RAND_POOL *pool) |
469 | { |
470 | return pool->entropy; |
471 | } |
472 | |
473 | /* |
474 | * Return the |pool|'s buffer length to the caller. |
475 | */ |
476 | size_t rand_pool_length(RAND_POOL *pool) |
477 | { |
478 | return pool->len; |
479 | } |
480 | |
481 | /* |
482 | * Detach the |pool| buffer and return it to the caller. |
483 | * It's the responsibility of the caller to free the buffer |
484 | * using OPENSSL_secure_clear_free() or to re-attach it |
485 | * again to the pool using rand_pool_reattach(). |
486 | */ |
487 | unsigned char *rand_pool_detach(RAND_POOL *pool) |
488 | { |
489 | unsigned char *ret = pool->buffer; |
490 | pool->buffer = NULL; |
491 | pool->entropy = 0; |
492 | return ret; |
493 | } |
494 | |
495 | /* |
496 | * Re-attach the |pool| buffer. It is only allowed to pass |
497 | * the |buffer| which was previously detached from the same pool. |
498 | */ |
499 | void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer) |
500 | { |
501 | pool->buffer = buffer; |
502 | OPENSSL_cleanse(pool->buffer, pool->len); |
503 | pool->len = 0; |
504 | } |
505 | |
506 | /* |
507 | * If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one |
508 | * need to obtain at least |bits| bits of entropy? |
509 | */ |
510 | #define ENTROPY_TO_BYTES(bits, entropy_factor) \ |
511 | (((bits) * (entropy_factor) + 7) / 8) |
512 | |
513 | |
514 | /* |
515 | * Checks whether the |pool|'s entropy is available to the caller. |
516 | * This is the case when entropy count and buffer length are high enough. |
517 | * Returns |
518 | * |
519 | * |entropy| if the entropy count and buffer size is large enough |
520 | * 0 otherwise |
521 | */ |
522 | size_t rand_pool_entropy_available(RAND_POOL *pool) |
523 | { |
524 | if (pool->entropy < pool->entropy_requested) |
525 | return 0; |
526 | |
527 | if (pool->len < pool->min_len) |
528 | return 0; |
529 | |
530 | return pool->entropy; |
531 | } |
532 | |
533 | /* |
534 | * Returns the (remaining) amount of entropy needed to fill |
535 | * the random pool. |
536 | */ |
537 | |
538 | size_t rand_pool_entropy_needed(RAND_POOL *pool) |
539 | { |
540 | if (pool->entropy < pool->entropy_requested) |
541 | return pool->entropy_requested - pool->entropy; |
542 | |
543 | return 0; |
544 | } |
545 | |
546 | /* Increase the allocation size -- not usable for an attached pool */ |
547 | static int rand_pool_grow(RAND_POOL *pool, size_t len) |
548 | { |
549 | if (len > pool->alloc_len - pool->len) { |
550 | unsigned char *p; |
551 | const size_t limit = pool->max_len / 2; |
552 | size_t newlen = pool->alloc_len; |
553 | |
554 | if (pool->attached || len > pool->max_len - pool->len) { |
555 | RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_INTERNAL_ERROR); |
556 | return 0; |
557 | } |
558 | |
559 | do |
560 | newlen = newlen < limit ? newlen * 2 : pool->max_len; |
561 | while (len > newlen - pool->len); |
562 | |
563 | if (pool->secure) |
564 | p = OPENSSL_secure_zalloc(newlen); |
565 | else |
566 | p = OPENSSL_zalloc(newlen); |
567 | if (p == NULL) { |
568 | RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE); |
569 | return 0; |
570 | } |
571 | memcpy(p, pool->buffer, pool->len); |
572 | if (pool->secure) |
573 | OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); |
574 | else |
575 | OPENSSL_clear_free(pool->buffer, pool->alloc_len); |
576 | pool->buffer = p; |
577 | pool->alloc_len = newlen; |
578 | } |
579 | return 1; |
580 | } |
581 | |
582 | /* |
583 | * Returns the number of bytes needed to fill the pool, assuming |
584 | * the input has 1 / |entropy_factor| entropy bits per data bit. |
585 | * In case of an error, 0 is returned. |
586 | */ |
587 | |
588 | size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor) |
589 | { |
590 | size_t bytes_needed; |
591 | size_t entropy_needed = rand_pool_entropy_needed(pool); |
592 | |
593 | if (entropy_factor < 1) { |
594 | RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE); |
595 | return 0; |
596 | } |
597 | |
598 | bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_factor); |
599 | |
600 | if (bytes_needed > pool->max_len - pool->len) { |
601 | /* not enough space left */ |
602 | RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW); |
603 | return 0; |
604 | } |
605 | |
606 | if (pool->len < pool->min_len && |
607 | bytes_needed < pool->min_len - pool->len) |
608 | /* to meet the min_len requirement */ |
609 | bytes_needed = pool->min_len - pool->len; |
610 | |
611 | /* |
612 | * Make sure the buffer is large enough for the requested amount |
613 | * of data. This guarantees that existing code patterns where |
614 | * rand_pool_add_begin, rand_pool_add_end or rand_pool_add |
615 | * are used to collect entropy data without any error handling |
616 | * whatsoever, continue to be valid. |
617 | * Furthermore if the allocation here fails once, make sure that |
618 | * we don't fall back to a less secure or even blocking random source, |
619 | * as that could happen by the existing code patterns. |
620 | * This is not a concern for additional data, therefore that |
621 | * is not needed if rand_pool_grow fails in other places. |
622 | */ |
623 | if (!rand_pool_grow(pool, bytes_needed)) { |
624 | /* persistent error for this pool */ |
625 | pool->max_len = pool->len = 0; |
626 | return 0; |
627 | } |
628 | |
629 | return bytes_needed; |
630 | } |
631 | |
632 | /* Returns the remaining number of bytes available */ |
633 | size_t rand_pool_bytes_remaining(RAND_POOL *pool) |
634 | { |
635 | return pool->max_len - pool->len; |
636 | } |
637 | |
638 | /* |
639 | * Add random bytes to the random pool. |
640 | * |
641 | * It is expected that the |buffer| contains |len| bytes of |
642 | * random input which contains at least |entropy| bits of |
643 | * randomness. |
644 | * |
645 | * Returns 1 if the added amount is adequate, otherwise 0 |
646 | */ |
647 | int rand_pool_add(RAND_POOL *pool, |
648 | const unsigned char *buffer, size_t len, size_t entropy) |
649 | { |
650 | if (len > pool->max_len - pool->len) { |
651 | RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG); |
652 | return 0; |
653 | } |
654 | |
655 | if (pool->buffer == NULL) { |
656 | RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); |
657 | return 0; |
658 | } |
659 | |
660 | if (len > 0) { |
661 | /* |
662 | * This is to protect us from accidentally passing the buffer |
663 | * returned from rand_pool_add_begin. |
664 | * The check for alloc_len makes sure we do not compare the |
665 | * address of the end of the allocated memory to something |
666 | * different, since that comparison would have an |
667 | * indeterminate result. |
668 | */ |
669 | if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) { |
670 | RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); |
671 | return 0; |
672 | } |
673 | /* |
674 | * We have that only for cases when a pool is used to collect |
675 | * additional data. |
676 | * For entropy data, as long as the allocation request stays within |
677 | * the limits given by rand_pool_bytes_needed this rand_pool_grow |
678 | * below is guaranteed to succeed, thus no allocation happens. |
679 | */ |
680 | if (!rand_pool_grow(pool, len)) |
681 | return 0; |
682 | memcpy(pool->buffer + pool->len, buffer, len); |
683 | pool->len += len; |
684 | pool->entropy += entropy; |
685 | } |
686 | |
687 | return 1; |
688 | } |
689 | |
690 | /* |
691 | * Start to add random bytes to the random pool in-place. |
692 | * |
693 | * Reserves the next |len| bytes for adding random bytes in-place |
694 | * and returns a pointer to the buffer. |
695 | * The caller is allowed to copy up to |len| bytes into the buffer. |
696 | * If |len| == 0 this is considered a no-op and a NULL pointer |
697 | * is returned without producing an error message. |
698 | * |
699 | * After updating the buffer, rand_pool_add_end() needs to be called |
700 | * to finish the udpate operation (see next comment). |
701 | */ |
702 | unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) |
703 | { |
704 | if (len == 0) |
705 | return NULL; |
706 | |
707 | if (len > pool->max_len - pool->len) { |
708 | RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW); |
709 | return NULL; |
710 | } |
711 | |
712 | if (pool->buffer == NULL) { |
713 | RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); |
714 | return NULL; |
715 | } |
716 | |
717 | /* |
718 | * As long as the allocation request stays within the limits given |
719 | * by rand_pool_bytes_needed this rand_pool_grow below is guaranteed |
720 | * to succeed, thus no allocation happens. |
721 | * We have that only for cases when a pool is used to collect |
722 | * additional data. Then the buffer might need to grow here, |
723 | * and of course the caller is responsible to check the return |
724 | * value of this function. |
725 | */ |
726 | if (!rand_pool_grow(pool, len)) |
727 | return NULL; |
728 | |
729 | return pool->buffer + pool->len; |
730 | } |
731 | |
732 | /* |
733 | * Finish to add random bytes to the random pool in-place. |
734 | * |
735 | * Finishes an in-place update of the random pool started by |
736 | * rand_pool_add_begin() (see previous comment). |
737 | * It is expected that |len| bytes of random input have been added |
738 | * to the buffer which contain at least |entropy| bits of randomness. |
739 | * It is allowed to add less bytes than originally reserved. |
740 | */ |
741 | int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) |
742 | { |
743 | if (len > pool->alloc_len - pool->len) { |
744 | RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW); |
745 | return 0; |
746 | } |
747 | |
748 | if (len > 0) { |
749 | pool->len += len; |
750 | pool->entropy += entropy; |
751 | } |
752 | |
753 | return 1; |
754 | } |
755 | |
756 | #ifndef FIPS_MODE |
757 | int RAND_set_rand_method(const RAND_METHOD *meth) |
758 | { |
759 | if (!RUN_ONCE(&rand_init, do_rand_init)) |
760 | return 0; |
761 | |
762 | CRYPTO_THREAD_write_lock(rand_meth_lock); |
763 | # ifndef OPENSSL_NO_ENGINE |
764 | ENGINE_finish(funct_ref); |
765 | funct_ref = NULL; |
766 | # endif |
767 | default_RAND_meth = meth; |
768 | CRYPTO_THREAD_unlock(rand_meth_lock); |
769 | return 1; |
770 | } |
771 | #endif |
772 | |
773 | const RAND_METHOD *RAND_get_rand_method(void) |
774 | { |
775 | #ifdef FIPS_MODE |
776 | return NULL; |
777 | #else |
778 | const RAND_METHOD *tmp_meth = NULL; |
779 | |
780 | if (!RUN_ONCE(&rand_init, do_rand_init)) |
781 | return NULL; |
782 | |
783 | CRYPTO_THREAD_write_lock(rand_meth_lock); |
784 | if (default_RAND_meth == NULL) { |
785 | # ifndef OPENSSL_NO_ENGINE |
786 | ENGINE *e; |
787 | |
788 | /* If we have an engine that can do RAND, use it. */ |
789 | if ((e = ENGINE_get_default_RAND()) != NULL |
790 | && (tmp_meth = ENGINE_get_RAND(e)) != NULL) { |
791 | funct_ref = e; |
792 | default_RAND_meth = tmp_meth; |
793 | } else { |
794 | ENGINE_finish(e); |
795 | default_RAND_meth = &rand_meth; |
796 | } |
797 | # else |
798 | default_RAND_meth = &rand_meth; |
799 | # endif |
800 | } |
801 | tmp_meth = default_RAND_meth; |
802 | CRYPTO_THREAD_unlock(rand_meth_lock); |
803 | return tmp_meth; |
804 | #endif |
805 | } |
806 | |
807 | #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) |
808 | int RAND_set_rand_engine(ENGINE *engine) |
809 | { |
810 | const RAND_METHOD *tmp_meth = NULL; |
811 | |
812 | if (!RUN_ONCE(&rand_init, do_rand_init)) |
813 | return 0; |
814 | |
815 | if (engine != NULL) { |
816 | if (!ENGINE_init(engine)) |
817 | return 0; |
818 | tmp_meth = ENGINE_get_RAND(engine); |
819 | if (tmp_meth == NULL) { |
820 | ENGINE_finish(engine); |
821 | return 0; |
822 | } |
823 | } |
824 | CRYPTO_THREAD_write_lock(rand_engine_lock); |
825 | /* This function releases any prior ENGINE so call it first */ |
826 | RAND_set_rand_method(tmp_meth); |
827 | funct_ref = engine; |
828 | CRYPTO_THREAD_unlock(rand_engine_lock); |
829 | return 1; |
830 | } |
831 | #endif |
832 | |
833 | void RAND_seed(const void *buf, int num) |
834 | { |
835 | const RAND_METHOD *meth = RAND_get_rand_method(); |
836 | |
837 | if (meth != NULL && meth->seed != NULL) |
838 | meth->seed(buf, num); |
839 | } |
840 | |
841 | void RAND_add(const void *buf, int num, double randomness) |
842 | { |
843 | const RAND_METHOD *meth = RAND_get_rand_method(); |
844 | |
845 | if (meth != NULL && meth->add != NULL) |
846 | meth->add(buf, num, randomness); |
847 | } |
848 | |
849 | /* |
850 | * This function is not part of RAND_METHOD, so if we're not using |
851 | * the default method, then just call RAND_bytes(). Otherwise make |
852 | * sure we're instantiated and use the private DRBG. |
853 | */ |
854 | int rand_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) |
855 | { |
856 | RAND_DRBG *drbg; |
857 | const RAND_METHOD *meth = RAND_get_rand_method(); |
858 | |
859 | if (meth != NULL && meth != RAND_OpenSSL()) { |
860 | if (meth->bytes != NULL) |
861 | return meth->bytes(buf, num); |
862 | RANDerr(RAND_F_RAND_PRIV_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); |
863 | return -1; |
864 | } |
865 | |
866 | drbg = OPENSSL_CTX_get0_private_drbg(ctx); |
867 | if (drbg != NULL) |
868 | return RAND_DRBG_bytes(drbg, buf, num); |
869 | |
870 | return 0; |
871 | } |
872 | |
873 | int RAND_priv_bytes(unsigned char *buf, int num) |
874 | { |
875 | return rand_priv_bytes_ex(NULL, buf, num); |
876 | } |
877 | |
878 | int rand_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) |
879 | { |
880 | RAND_DRBG *drbg; |
881 | const RAND_METHOD *meth = RAND_get_rand_method(); |
882 | |
883 | if (meth != NULL && meth != RAND_OpenSSL()) { |
884 | if (meth->bytes != NULL) |
885 | return meth->bytes(buf, num); |
886 | RANDerr(RAND_F_RAND_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); |
887 | return -1; |
888 | } |
889 | |
890 | drbg = OPENSSL_CTX_get0_public_drbg(ctx); |
891 | if (drbg != NULL) |
892 | return RAND_DRBG_bytes(drbg, buf, num); |
893 | |
894 | return 0; |
895 | } |
896 | |
897 | int RAND_bytes(unsigned char *buf, int num) |
898 | { |
899 | return rand_bytes_ex(NULL, buf, num); |
900 | } |
901 | |
902 | #if !defined(OPENSSL_NO_DEPRECATED_1_1_0) && !defined(FIPS_MODE) |
903 | int RAND_pseudo_bytes(unsigned char *buf, int num) |
904 | { |
905 | const RAND_METHOD *meth = RAND_get_rand_method(); |
906 | |
907 | if (meth != NULL && meth->pseudorand != NULL) |
908 | return meth->pseudorand(buf, num); |
909 | RANDerr(RAND_F_RAND_PSEUDO_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); |
910 | return -1; |
911 | } |
912 | #endif |
913 | |
914 | int RAND_status(void) |
915 | { |
916 | const RAND_METHOD *meth = RAND_get_rand_method(); |
917 | |
918 | if (meth != NULL && meth->status != NULL) |
919 | return meth->status(); |
920 | return 0; |
921 | } |
922 | |