2
0

rand_lib.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <time.h>
  11. #include "internal/cryptlib.h"
  12. #include <openssl/opensslconf.h>
  13. #include "crypto/rand.h"
  14. #include <openssl/engine.h>
  15. #include "internal/thread_once.h"
  16. #include "rand_local.h"
  17. #include "e_os.h"
  18. #ifndef FIPS_MODE
  19. # ifndef OPENSSL_NO_ENGINE
  20. /* non-NULL if default_RAND_meth is ENGINE-provided */
  21. static ENGINE *funct_ref;
  22. static CRYPTO_RWLOCK *rand_engine_lock;
  23. # endif
  24. static CRYPTO_RWLOCK *rand_meth_lock;
  25. static const RAND_METHOD *default_RAND_meth;
  26. static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
  27. static int rand_inited = 0;
  28. #endif /* FIPS_MODE */
  29. #ifdef OPENSSL_RAND_SEED_RDTSC
  30. /*
  31. * IMPORTANT NOTE: It is not currently possible to use this code
  32. * because we are not sure about the amount of randomness it provides.
  33. * Some SP900 tests have been run, but there is internal skepticism.
  34. * So for now this code is not used.
  35. */
  36. # error "RDTSC enabled? Should not be possible!"
  37. /*
  38. * Acquire entropy from high-speed clock
  39. *
  40. * Since we get some randomness from the low-order bits of the
  41. * high-speed clock, it can help.
  42. *
  43. * Returns the total entropy count, if it exceeds the requested
  44. * entropy count. Otherwise, returns an entropy count of 0.
  45. */
  46. size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool)
  47. {
  48. unsigned char c;
  49. int i;
  50. if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
  51. for (i = 0; i < TSC_READ_COUNT; i++) {
  52. c = (unsigned char)(OPENSSL_rdtsc() & 0xFF);
  53. rand_pool_add(pool, &c, 1, 4);
  54. }
  55. }
  56. return rand_pool_entropy_available(pool);
  57. }
  58. #endif
  59. #ifdef OPENSSL_RAND_SEED_RDCPU
  60. size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len);
  61. size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len);
  62. /*
  63. * Acquire entropy using Intel-specific cpu instructions
  64. *
  65. * Uses the RDSEED instruction if available, otherwise uses
  66. * RDRAND if available.
  67. *
  68. * For the differences between RDSEED and RDRAND, and why RDSEED
  69. * is the preferred choice, see https://goo.gl/oK3KcN
  70. *
  71. * Returns the total entropy count, if it exceeds the requested
  72. * entropy count. Otherwise, returns an entropy count of 0.
  73. */
  74. size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool)
  75. {
  76. size_t bytes_needed;
  77. unsigned char *buffer;
  78. bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
  79. if (bytes_needed > 0) {
  80. buffer = rand_pool_add_begin(pool, bytes_needed);
  81. if (buffer != NULL) {
  82. /* Whichever comes first, use RDSEED, RDRAND or nothing */
  83. if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) {
  84. if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed)
  85. == bytes_needed) {
  86. rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
  87. }
  88. } else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) {
  89. if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed)
  90. == bytes_needed) {
  91. rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
  92. }
  93. } else {
  94. rand_pool_add_end(pool, 0, 0);
  95. }
  96. }
  97. }
  98. return rand_pool_entropy_available(pool);
  99. }
  100. #endif
  101. /*
  102. * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
  103. *
  104. * If the DRBG has a parent, then the required amount of entropy input
  105. * is fetched using the parent's RAND_DRBG_generate().
  106. *
  107. * Otherwise, the entropy is polled from the system entropy sources
  108. * using rand_pool_acquire_entropy().
  109. *
  110. * If a random pool has been added to the DRBG using RAND_add(), then
  111. * its entropy will be used up first.
  112. */
  113. size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
  114. unsigned char **pout,
  115. int entropy, size_t min_len, size_t max_len,
  116. int prediction_resistance)
  117. {
  118. size_t ret = 0;
  119. size_t entropy_available = 0;
  120. RAND_POOL *pool;
  121. if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) {
  122. /*
  123. * We currently don't support the algorithm from NIST SP 800-90C
  124. * 10.1.2 to use a weaker DRBG as source
  125. */
  126. RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK);
  127. return 0;
  128. }
  129. if (drbg->seed_pool != NULL) {
  130. pool = drbg->seed_pool;
  131. pool->entropy_requested = entropy;
  132. } else {
  133. pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);
  134. if (pool == NULL)
  135. return 0;
  136. }
  137. if (drbg->parent != NULL) {
  138. size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
  139. unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);
  140. if (buffer != NULL) {
  141. size_t bytes = 0;
  142. /*
  143. * Get random data from parent. Include our address as additional input,
  144. * in order to provide some additional distinction between different
  145. * DRBG child instances.
  146. * Our lock is already held, but we need to lock our parent before
  147. * generating bits from it. (Note: taking the lock will be a no-op
  148. * if locking if drbg->parent->lock == NULL.)
  149. */
  150. rand_drbg_lock(drbg->parent);
  151. if (RAND_DRBG_generate(drbg->parent,
  152. buffer, bytes_needed,
  153. prediction_resistance,
  154. (unsigned char *)&drbg, sizeof(drbg)) != 0)
  155. bytes = bytes_needed;
  156. drbg->reseed_next_counter
  157. = tsan_load(&drbg->parent->reseed_prop_counter);
  158. rand_drbg_unlock(drbg->parent);
  159. rand_pool_add_end(pool, bytes, 8 * bytes);
  160. entropy_available = rand_pool_entropy_available(pool);
  161. }
  162. } else {
  163. /* Get entropy by polling system entropy sources. */
  164. entropy_available = rand_pool_acquire_entropy(pool);
  165. }
  166. if (entropy_available > 0) {
  167. ret = rand_pool_length(pool);
  168. *pout = rand_pool_detach(pool);
  169. }
  170. if (drbg->seed_pool == NULL)
  171. rand_pool_free(pool);
  172. return ret;
  173. }
  174. /*
  175. * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks())
  176. *
  177. */
  178. void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
  179. unsigned char *out, size_t outlen)
  180. {
  181. if (drbg->seed_pool == NULL) {
  182. if (drbg->secure)
  183. OPENSSL_secure_clear_free(out, outlen);
  184. else
  185. OPENSSL_clear_free(out, outlen);
  186. }
  187. }
  188. /*
  189. * Generate additional data that can be used for the drbg. The data does
  190. * not need to contain entropy, but it's useful if it contains at least
  191. * some bits that are unpredictable.
  192. *
  193. * Returns 0 on failure.
  194. *
  195. * On success it allocates a buffer at |*pout| and returns the length of
  196. * the data. The buffer should get freed using OPENSSL_secure_clear_free().
  197. */
  198. size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout)
  199. {
  200. size_t ret = 0;
  201. if (rand_pool_add_additional_data(pool) == 0)
  202. goto err;
  203. ret = rand_pool_length(pool);
  204. *pout = rand_pool_detach(pool);
  205. err:
  206. return ret;
  207. }
  208. void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out)
  209. {
  210. rand_pool_reattach(pool, out);
  211. }
  212. #ifndef FIPS_MODE
  213. DEFINE_RUN_ONCE_STATIC(do_rand_init)
  214. {
  215. # ifndef OPENSSL_NO_ENGINE
  216. rand_engine_lock = CRYPTO_THREAD_lock_new();
  217. if (rand_engine_lock == NULL)
  218. return 0;
  219. # endif
  220. rand_meth_lock = CRYPTO_THREAD_lock_new();
  221. if (rand_meth_lock == NULL)
  222. goto err;
  223. if (!rand_pool_init())
  224. goto err;
  225. rand_inited = 1;
  226. return 1;
  227. err:
  228. CRYPTO_THREAD_lock_free(rand_meth_lock);
  229. rand_meth_lock = NULL;
  230. # ifndef OPENSSL_NO_ENGINE
  231. CRYPTO_THREAD_lock_free(rand_engine_lock);
  232. rand_engine_lock = NULL;
  233. # endif
  234. return 0;
  235. }
  236. void rand_cleanup_int(void)
  237. {
  238. const RAND_METHOD *meth = default_RAND_meth;
  239. if (!rand_inited)
  240. return;
  241. if (meth != NULL && meth->cleanup != NULL)
  242. meth->cleanup();
  243. RAND_set_rand_method(NULL);
  244. rand_pool_cleanup();
  245. # ifndef OPENSSL_NO_ENGINE
  246. CRYPTO_THREAD_lock_free(rand_engine_lock);
  247. rand_engine_lock = NULL;
  248. # endif
  249. CRYPTO_THREAD_lock_free(rand_meth_lock);
  250. rand_meth_lock = NULL;
  251. rand_inited = 0;
  252. }
  253. /* TODO(3.0): Do we need to handle this somehow in the FIPS module? */
  254. /*
  255. * RAND_close_seed_files() ensures that any seed file descriptors are
  256. * closed after use.
  257. */
  258. void RAND_keep_random_devices_open(int keep)
  259. {
  260. if (RUN_ONCE(&rand_init, do_rand_init))
  261. rand_pool_keep_random_devices_open(keep);
  262. }
  263. /*
  264. * RAND_poll() reseeds the default RNG using random input
  265. *
  266. * The random input is obtained from polling various entropy
  267. * sources which depend on the operating system and are
  268. * configurable via the --with-rand-seed configure option.
  269. */
  270. int RAND_poll(void)
  271. {
  272. int ret = 0;
  273. const RAND_METHOD *meth = RAND_get_rand_method();
  274. if (meth == RAND_OpenSSL()) {
  275. /* fill random pool and seed the master DRBG */
  276. RAND_DRBG *drbg = RAND_DRBG_get0_master();
  277. if (drbg == NULL)
  278. return 0;
  279. rand_drbg_lock(drbg);
  280. ret = rand_drbg_restart(drbg, NULL, 0, 0);
  281. rand_drbg_unlock(drbg);
  282. return ret;
  283. } else {
  284. RAND_POOL *pool = NULL;
  285. /* fill random pool and seed the current legacy RNG */
  286. pool = rand_pool_new(RAND_DRBG_STRENGTH, 1,
  287. (RAND_DRBG_STRENGTH + 7) / 8,
  288. RAND_POOL_MAX_LENGTH);
  289. if (pool == NULL)
  290. return 0;
  291. if (rand_pool_acquire_entropy(pool) == 0)
  292. goto err;
  293. if (meth->add == NULL
  294. || meth->add(rand_pool_buffer(pool),
  295. rand_pool_length(pool),
  296. (rand_pool_entropy(pool) / 8.0)) == 0)
  297. goto err;
  298. ret = 1;
  299. err:
  300. rand_pool_free(pool);
  301. }
  302. return ret;
  303. }
  304. #endif /* FIPS_MODE */
  305. /*
  306. * Allocate memory and initialize a new random pool
  307. */
  308. RAND_POOL *rand_pool_new(int entropy_requested, int secure,
  309. size_t min_len, size_t max_len)
  310. {
  311. RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
  312. size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);
  313. if (pool == NULL) {
  314. RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
  315. return NULL;
  316. }
  317. pool->min_len = min_len;
  318. pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?
  319. RAND_POOL_MAX_LENGTH : max_len;
  320. pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len;
  321. if (pool->alloc_len > pool->max_len)
  322. pool->alloc_len = pool->max_len;
  323. if (secure)
  324. pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len);
  325. else
  326. pool->buffer = OPENSSL_zalloc(pool->alloc_len);
  327. if (pool->buffer == NULL) {
  328. RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
  329. goto err;
  330. }
  331. pool->entropy_requested = entropy_requested;
  332. pool->secure = secure;
  333. return pool;
  334. err:
  335. OPENSSL_free(pool);
  336. return NULL;
  337. }
  338. /*
  339. * Attach new random pool to the given buffer
  340. *
  341. * This function is intended to be used only for feeding random data
  342. * provided by RAND_add() and RAND_seed() into the <master> DRBG.
  343. */
  344. RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
  345. size_t entropy)
  346. {
  347. RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
  348. if (pool == NULL) {
  349. RANDerr(RAND_F_RAND_POOL_ATTACH, ERR_R_MALLOC_FAILURE);
  350. return NULL;
  351. }
  352. /*
  353. * The const needs to be cast away, but attached buffers will not be
  354. * modified (in contrary to allocated buffers which are zeroed and
  355. * freed in the end).
  356. */
  357. pool->buffer = (unsigned char *) buffer;
  358. pool->len = len;
  359. pool->attached = 1;
  360. pool->min_len = pool->max_len = pool->alloc_len = pool->len;
  361. pool->entropy = entropy;
  362. return pool;
  363. }
  364. /*
  365. * Free |pool|, securely erasing its buffer.
  366. */
  367. void rand_pool_free(RAND_POOL *pool)
  368. {
  369. if (pool == NULL)
  370. return;
  371. /*
  372. * Although it would be advisable from a cryptographical viewpoint,
  373. * we are not allowed to clear attached buffers, since they are passed
  374. * to rand_pool_attach() as `const unsigned char*`.
  375. * (see corresponding comment in rand_pool_attach()).
  376. */
  377. if (!pool->attached) {
  378. if (pool->secure)
  379. OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
  380. else
  381. OPENSSL_clear_free(pool->buffer, pool->alloc_len);
  382. }
  383. OPENSSL_free(pool);
  384. }
  385. /*
  386. * Return the |pool|'s buffer to the caller (readonly).
  387. */
  388. const unsigned char *rand_pool_buffer(RAND_POOL *pool)
  389. {
  390. return pool->buffer;
  391. }
  392. /*
  393. * Return the |pool|'s entropy to the caller.
  394. */
  395. size_t rand_pool_entropy(RAND_POOL *pool)
  396. {
  397. return pool->entropy;
  398. }
  399. /*
  400. * Return the |pool|'s buffer length to the caller.
  401. */
  402. size_t rand_pool_length(RAND_POOL *pool)
  403. {
  404. return pool->len;
  405. }
  406. /*
  407. * Detach the |pool| buffer and return it to the caller.
  408. * It's the responsibility of the caller to free the buffer
  409. * using OPENSSL_secure_clear_free() or to re-attach it
  410. * again to the pool using rand_pool_reattach().
  411. */
  412. unsigned char *rand_pool_detach(RAND_POOL *pool)
  413. {
  414. unsigned char *ret = pool->buffer;
  415. pool->buffer = NULL;
  416. pool->entropy = 0;
  417. return ret;
  418. }
  419. /*
  420. * Re-attach the |pool| buffer. It is only allowed to pass
  421. * the |buffer| which was previously detached from the same pool.
  422. */
  423. void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer)
  424. {
  425. pool->buffer = buffer;
  426. OPENSSL_cleanse(pool->buffer, pool->len);
  427. pool->len = 0;
  428. }
  429. /*
  430. * If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one
  431. * need to obtain at least |bits| bits of entropy?
  432. */
  433. #define ENTROPY_TO_BYTES(bits, entropy_factor) \
  434. (((bits) * (entropy_factor) + 7) / 8)
  435. /*
  436. * Checks whether the |pool|'s entropy is available to the caller.
  437. * This is the case when entropy count and buffer length are high enough.
  438. * Returns
  439. *
  440. * |entropy| if the entropy count and buffer size is large enough
  441. * 0 otherwise
  442. */
  443. size_t rand_pool_entropy_available(RAND_POOL *pool)
  444. {
  445. if (pool->entropy < pool->entropy_requested)
  446. return 0;
  447. if (pool->len < pool->min_len)
  448. return 0;
  449. return pool->entropy;
  450. }
  451. /*
  452. * Returns the (remaining) amount of entropy needed to fill
  453. * the random pool.
  454. */
  455. size_t rand_pool_entropy_needed(RAND_POOL *pool)
  456. {
  457. if (pool->entropy < pool->entropy_requested)
  458. return pool->entropy_requested - pool->entropy;
  459. return 0;
  460. }
  461. /* Increase the allocation size -- not usable for an attached pool */
  462. static int rand_pool_grow(RAND_POOL *pool, size_t len)
  463. {
  464. if (len > pool->alloc_len - pool->len) {
  465. unsigned char *p;
  466. const size_t limit = pool->max_len / 2;
  467. size_t newlen = pool->alloc_len;
  468. if (pool->attached || len > pool->max_len - pool->len) {
  469. RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_INTERNAL_ERROR);
  470. return 0;
  471. }
  472. do
  473. newlen = newlen < limit ? newlen * 2 : pool->max_len;
  474. while (len > newlen - pool->len);
  475. if (pool->secure)
  476. p = OPENSSL_secure_zalloc(newlen);
  477. else
  478. p = OPENSSL_zalloc(newlen);
  479. if (p == NULL) {
  480. RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE);
  481. return 0;
  482. }
  483. memcpy(p, pool->buffer, pool->len);
  484. if (pool->secure)
  485. OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
  486. else
  487. OPENSSL_clear_free(pool->buffer, pool->alloc_len);
  488. pool->buffer = p;
  489. pool->alloc_len = newlen;
  490. }
  491. return 1;
  492. }
  493. /*
  494. * Returns the number of bytes needed to fill the pool, assuming
  495. * the input has 1 / |entropy_factor| entropy bits per data bit.
  496. * In case of an error, 0 is returned.
  497. */
  498. size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor)
  499. {
  500. size_t bytes_needed;
  501. size_t entropy_needed = rand_pool_entropy_needed(pool);
  502. if (entropy_factor < 1) {
  503. RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE);
  504. return 0;
  505. }
  506. bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_factor);
  507. if (bytes_needed > pool->max_len - pool->len) {
  508. /* not enough space left */
  509. RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW);
  510. return 0;
  511. }
  512. if (pool->len < pool->min_len &&
  513. bytes_needed < pool->min_len - pool->len)
  514. /* to meet the min_len requirement */
  515. bytes_needed = pool->min_len - pool->len;
  516. /*
  517. * Make sure the buffer is large enough for the requested amount
  518. * of data. This guarantees that existing code patterns where
  519. * rand_pool_add_begin, rand_pool_add_end or rand_pool_add
  520. * are used to collect entropy data without any error handling
  521. * whatsoever, continue to be valid.
  522. * Furthermore if the allocation here fails once, make sure that
  523. * we don't fall back to a less secure or even blocking random source,
  524. * as that could happen by the existing code patterns.
  525. * This is not a concern for additional data, therefore that
  526. * is not needed if rand_pool_grow fails in other places.
  527. */
  528. if (!rand_pool_grow(pool, bytes_needed)) {
  529. /* persistent error for this pool */
  530. pool->max_len = pool->len = 0;
  531. return 0;
  532. }
  533. return bytes_needed;
  534. }
  535. /* Returns the remaining number of bytes available */
  536. size_t rand_pool_bytes_remaining(RAND_POOL *pool)
  537. {
  538. return pool->max_len - pool->len;
  539. }
  540. /*
  541. * Add random bytes to the random pool.
  542. *
  543. * It is expected that the |buffer| contains |len| bytes of
  544. * random input which contains at least |entropy| bits of
  545. * randomness.
  546. *
  547. * Returns 1 if the added amount is adequate, otherwise 0
  548. */
  549. int rand_pool_add(RAND_POOL *pool,
  550. const unsigned char *buffer, size_t len, size_t entropy)
  551. {
  552. if (len > pool->max_len - pool->len) {
  553. RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG);
  554. return 0;
  555. }
  556. if (pool->buffer == NULL) {
  557. RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR);
  558. return 0;
  559. }
  560. if (len > 0) {
  561. /*
  562. * This is to protect us from accidentally passing the buffer
  563. * returned from rand_pool_add_begin.
  564. * The check for alloc_len makes sure we do not compare the
  565. * address of the end of the allocated memory to something
  566. * different, since that comparison would have an
  567. * indeterminate result.
  568. */
  569. if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) {
  570. RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR);
  571. return 0;
  572. }
  573. /*
  574. * We have that only for cases when a pool is used to collect
  575. * additional data.
  576. * For entropy data, as long as the allocation request stays within
  577. * the limits given by rand_pool_bytes_needed this rand_pool_grow
  578. * below is guaranteed to succeed, thus no allocation happens.
  579. */
  580. if (!rand_pool_grow(pool, len))
  581. return 0;
  582. memcpy(pool->buffer + pool->len, buffer, len);
  583. pool->len += len;
  584. pool->entropy += entropy;
  585. }
  586. return 1;
  587. }
  588. /*
  589. * Start to add random bytes to the random pool in-place.
  590. *
  591. * Reserves the next |len| bytes for adding random bytes in-place
  592. * and returns a pointer to the buffer.
  593. * The caller is allowed to copy up to |len| bytes into the buffer.
  594. * If |len| == 0 this is considered a no-op and a NULL pointer
  595. * is returned without producing an error message.
  596. *
  597. * After updating the buffer, rand_pool_add_end() needs to be called
  598. * to finish the udpate operation (see next comment).
  599. */
  600. unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
  601. {
  602. if (len == 0)
  603. return NULL;
  604. if (len > pool->max_len - pool->len) {
  605. RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW);
  606. return NULL;
  607. }
  608. if (pool->buffer == NULL) {
  609. RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR);
  610. return NULL;
  611. }
  612. /*
  613. * As long as the allocation request stays within the limits given
  614. * by rand_pool_bytes_needed this rand_pool_grow below is guaranteed
  615. * to succeed, thus no allocation happens.
  616. * We have that only for cases when a pool is used to collect
  617. * additional data. Then the buffer might need to grow here,
  618. * and of course the caller is responsible to check the return
  619. * value of this function.
  620. */
  621. if (!rand_pool_grow(pool, len))
  622. return NULL;
  623. return pool->buffer + pool->len;
  624. }
  625. /*
  626. * Finish to add random bytes to the random pool in-place.
  627. *
  628. * Finishes an in-place update of the random pool started by
  629. * rand_pool_add_begin() (see previous comment).
  630. * It is expected that |len| bytes of random input have been added
  631. * to the buffer which contain at least |entropy| bits of randomness.
  632. * It is allowed to add less bytes than originally reserved.
  633. */
  634. int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
  635. {
  636. if (len > pool->alloc_len - pool->len) {
  637. RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW);
  638. return 0;
  639. }
  640. if (len > 0) {
  641. pool->len += len;
  642. pool->entropy += entropy;
  643. }
  644. return 1;
  645. }
  646. #ifndef FIPS_MODE
  647. int RAND_set_rand_method(const RAND_METHOD *meth)
  648. {
  649. if (!RUN_ONCE(&rand_init, do_rand_init))
  650. return 0;
  651. CRYPTO_THREAD_write_lock(rand_meth_lock);
  652. # ifndef OPENSSL_NO_ENGINE
  653. ENGINE_finish(funct_ref);
  654. funct_ref = NULL;
  655. # endif
  656. default_RAND_meth = meth;
  657. CRYPTO_THREAD_unlock(rand_meth_lock);
  658. return 1;
  659. }
  660. #endif
  661. const RAND_METHOD *RAND_get_rand_method(void)
  662. {
  663. #ifdef FIPS_MODE
  664. return NULL;
  665. #else
  666. const RAND_METHOD *tmp_meth = NULL;
  667. if (!RUN_ONCE(&rand_init, do_rand_init))
  668. return NULL;
  669. CRYPTO_THREAD_write_lock(rand_meth_lock);
  670. if (default_RAND_meth == NULL) {
  671. # ifndef OPENSSL_NO_ENGINE
  672. ENGINE *e;
  673. /* If we have an engine that can do RAND, use it. */
  674. if ((e = ENGINE_get_default_RAND()) != NULL
  675. && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
  676. funct_ref = e;
  677. default_RAND_meth = tmp_meth;
  678. } else {
  679. ENGINE_finish(e);
  680. default_RAND_meth = &rand_meth;
  681. }
  682. # else
  683. default_RAND_meth = &rand_meth;
  684. # endif
  685. }
  686. tmp_meth = default_RAND_meth;
  687. CRYPTO_THREAD_unlock(rand_meth_lock);
  688. return tmp_meth;
  689. #endif
  690. }
  691. #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
  692. int RAND_set_rand_engine(ENGINE *engine)
  693. {
  694. const RAND_METHOD *tmp_meth = NULL;
  695. if (!RUN_ONCE(&rand_init, do_rand_init))
  696. return 0;
  697. if (engine != NULL) {
  698. if (!ENGINE_init(engine))
  699. return 0;
  700. tmp_meth = ENGINE_get_RAND(engine);
  701. if (tmp_meth == NULL) {
  702. ENGINE_finish(engine);
  703. return 0;
  704. }
  705. }
  706. CRYPTO_THREAD_write_lock(rand_engine_lock);
  707. /* This function releases any prior ENGINE so call it first */
  708. RAND_set_rand_method(tmp_meth);
  709. funct_ref = engine;
  710. CRYPTO_THREAD_unlock(rand_engine_lock);
  711. return 1;
  712. }
  713. #endif
  714. void RAND_seed(const void *buf, int num)
  715. {
  716. const RAND_METHOD *meth = RAND_get_rand_method();
  717. if (meth->seed != NULL)
  718. meth->seed(buf, num);
  719. }
  720. void RAND_add(const void *buf, int num, double randomness)
  721. {
  722. const RAND_METHOD *meth = RAND_get_rand_method();
  723. if (meth->add != NULL)
  724. meth->add(buf, num, randomness);
  725. }
  726. /*
  727. * This function is not part of RAND_METHOD, so if we're not using
  728. * the default method, then just call RAND_bytes(). Otherwise make
  729. * sure we're instantiated and use the private DRBG.
  730. */
  731. int rand_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num)
  732. {
  733. RAND_DRBG *drbg;
  734. int ret;
  735. const RAND_METHOD *meth = RAND_get_rand_method();
  736. if (meth != RAND_OpenSSL())
  737. return meth->bytes(buf, num);
  738. drbg = OPENSSL_CTX_get0_private_drbg(ctx);
  739. if (drbg == NULL)
  740. return 0;
  741. ret = RAND_DRBG_bytes(drbg, buf, num);
  742. return ret;
  743. }
  744. int RAND_priv_bytes(unsigned char *buf, int num)
  745. {
  746. return rand_priv_bytes_ex(NULL, buf, num);
  747. }
  748. int rand_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num)
  749. {
  750. RAND_DRBG *drbg;
  751. int ret;
  752. const RAND_METHOD *meth = RAND_get_rand_method();
  753. if (meth != RAND_OpenSSL()) {
  754. if (meth->bytes != NULL)
  755. return meth->bytes(buf, num);
  756. RANDerr(RAND_F_RAND_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED);
  757. return -1;
  758. }
  759. drbg = OPENSSL_CTX_get0_public_drbg(ctx);
  760. if (drbg == NULL)
  761. return 0;
  762. ret = RAND_DRBG_bytes(drbg, buf, num);
  763. return ret;
  764. }
  765. int RAND_bytes(unsigned char *buf, int num)
  766. {
  767. return rand_bytes_ex(NULL, buf, num);
  768. }
  769. #if !OPENSSL_API_1_1_0 && !defined(FIPS_MODE)
  770. int RAND_pseudo_bytes(unsigned char *buf, int num)
  771. {
  772. const RAND_METHOD *meth = RAND_get_rand_method();
  773. if (meth->pseudorand != NULL)
  774. return meth->pseudorand(buf, num);
  775. return -1;
  776. }
  777. #endif
  778. int RAND_status(void)
  779. {
  780. const RAND_METHOD *meth = RAND_get_rand_method();
  781. if (meth->status != NULL)
  782. return meth->status();
  783. return 0;
  784. }