diff options
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/rand/md_rand.c')
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/rand/md_rand.c | 91 |
1 files changed, 54 insertions, 37 deletions
diff --git a/Cryptlib/OpenSSL/crypto/rand/md_rand.c b/Cryptlib/OpenSSL/crypto/rand/md_rand.c index 6445c1b2..5c13d577 100644 --- a/Cryptlib/OpenSSL/crypto/rand/md_rand.c +++ b/Cryptlib/OpenSSL/crypto/rand/md_rand.c @@ -109,6 +109,8 @@ * */ +#define OPENSSL_FIPSEVP + #ifdef MD_RAND_DEBUG # ifndef NDEBUG # define NDEBUG @@ -121,14 +123,11 @@ #include "e_os.h" +#include <openssl/crypto.h> #include <openssl/rand.h> #include "rand_lcl.h" -#include <openssl/crypto.h> #include <openssl/err.h> -#ifdef OPENSSL_FIPS -# include <openssl/fips.h> -#endif #ifdef BN_DEBUG # define PREDICT @@ -150,7 +149,7 @@ static unsigned int crypto_lock_rand = 0; /* may be set only when a thread * prevent double locking) */ /* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */ /* valid iff crypto_lock_rand is set */ -static unsigned long locking_thread = 0; +static CRYPTO_THREADID locking_threadid; #ifdef PREDICT int rand_predictable = 0; @@ -161,13 +160,13 @@ const char RAND_version[] = "RAND" OPENSSL_VERSION_PTEXT; static void ssleay_rand_cleanup(void); static void ssleay_rand_seed(const void *buf, int num); static void ssleay_rand_add(const void *buf, int num, double add_entropy); -static int ssleay_rand_bytes(unsigned char *buf, int num); +static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_status(void); RAND_METHOD rand_ssleay_meth = { ssleay_rand_seed, - ssleay_rand_bytes, + ssleay_rand_nopseudo_bytes, ssleay_rand_cleanup, ssleay_rand_add, ssleay_rand_pseudo_bytes, @@ -199,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add) EVP_MD_CTX m; int do_not_lock; + if (!num) + return; + /* * (Based on the rand(3) manpage) * @@ -216,8 +218,10 @@ static void ssleay_rand_add(const void *buf, int num, double add) /* check if we already have the lock */ if (crypto_lock_rand) { + CRYPTO_THREADID cur; + CRYPTO_THREADID_current(&cur); CRYPTO_r_lock(CRYPTO_LOCK_RAND2); - do_not_lock = (locking_thread == CRYPTO_thread_id()); + do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); } else do_not_lock = 0; @@ -271,7 +275,16 @@ static void ssleay_rand_add(const void *buf, int num, double add) } else MD_Update(&m, &(state[st_idx]), j); + /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ MD_Update(&m, buf, j); + /* + * We know that line may cause programs such as purify and valgrind + * to complain about use of uninitialized data. The problem is not, + * it's with the caller. Removing that line will make sure you get + * really bad randomness and thereby other problems such as very + * insecure keys. + */ + MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)); MD_Final(&m, local_md); md_c[1]++; @@ -320,7 +333,7 @@ static void ssleay_rand_seed(const void *buf, int num) ssleay_rand_add(buf, num, (double)num); } -static int ssleay_rand_bytes(unsigned char *buf, int num) +int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) { static volatile int stirred_pool = 0; int i, j, k, st_num, st_idx; @@ -334,13 +347,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) #endif int do_stir_pool = 0; -#ifdef OPENSSL_FIPS - if (FIPS_mode()) { - FIPSerr(FIPS_F_SSLEAY_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); - return 0; - } -#endif - #ifdef PREDICT if (rand_predictable) { static unsigned char val = 0; @@ -376,12 +382,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) * are fed into the hash function and the results are kept in the * global 'md'. */ - - CRYPTO_w_lock(CRYPTO_LOCK_RAND); + if (lock) + CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ CRYPTO_w_lock(CRYPTO_LOCK_RAND2); - locking_thread = CRYPTO_thread_id(); + CRYPTO_THREADID_current(&locking_threadid); CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -456,7 +462,8 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) /* before unlocking, we must clear 'crypto_lock_rand' */ crypto_lock_rand = 0; - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (lock) + CRYPTO_w_unlock(CRYPTO_LOCK_RAND); while (num > 0) { /* num_ceil -= MD_DIGEST_LENGTH/2 */ @@ -471,9 +478,18 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) #endif MD_Update(&m, local_md, MD_DIGEST_LENGTH); MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)); -#ifndef PURIFY - MD_Update(&m, buf, j); /* purify complains */ + +#ifndef PURIFY /* purify complains */ + /* + * The following line uses the supplied buffer as a small source of + * entropy: since this buffer is often uninitialised it may cause + * programs such as purify or valgrind to complain. So for those + * builds it is not used: the removal of such a small source of + * entropy has negligible impact on security. + */ + MD_Update(&m, buf, j); #endif + k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num; if (k > 0) { MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k); @@ -495,14 +511,18 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) MD_Init(&m); MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)); MD_Update(&m, local_md, MD_DIGEST_LENGTH); - CRYPTO_w_lock(CRYPTO_LOCK_RAND); + if (lock) + CRYPTO_w_lock(CRYPTO_LOCK_RAND); MD_Update(&m, md, MD_DIGEST_LENGTH); MD_Final(&m, md); - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (lock) + CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_cleanup(&m); if (ok) return (1); + else if (pseudo) + return 0; else { RANDerr(RAND_F_SSLEAY_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED); ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " @@ -511,36 +531,33 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) } } +static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num) +{ + return ssleay_rand_bytes(buf, num, 0, 1); +} + /* * pseudo-random bytes that are guaranteed to be unique but not unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { - int ret; - unsigned long err; - - ret = RAND_bytes(buf, num); - if (ret == 0) { - err = ERR_peek_error(); - if (ERR_GET_LIB(err) == ERR_LIB_RAND && - ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) - ERR_clear_error(); - } - return (ret); + return ssleay_rand_bytes(buf, num, 1, 1); } static int ssleay_rand_status(void) { + CRYPTO_THREADID cur; int ret; int do_not_lock; + CRYPTO_THREADID_current(&cur); /* * check if we already have the lock (could happen if a RAND_poll() * implementation calls RAND_status()) */ if (crypto_lock_rand) { CRYPTO_r_lock(CRYPTO_LOCK_RAND2); - do_not_lock = (locking_thread == CRYPTO_thread_id()); + do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); } else do_not_lock = 0; @@ -552,7 +569,7 @@ static int ssleay_rand_status(void) * prevent ssleay_rand_bytes() from trying to obtain the lock again */ CRYPTO_w_lock(CRYPTO_LOCK_RAND2); - locking_thread = CRYPTO_thread_id(); + CRYPTO_THREADID_cpy(&locking_threadid, &cur); CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; } |