rand_pool.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408
  1. /*
  2. * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include <time.h>
  11. #include "internal/cryptlib.h"
  12. #include <openssl/opensslconf.h>
  13. #include "crypto/rand.h"
  14. #include <openssl/engine.h>
  15. #include "internal/thread_once.h"
  16. #include "crypto/rand_pool.h"
  17. /*
  18. * Allocate memory and initialize a new random pool
  19. */
  20. RAND_POOL *ossl_rand_pool_new(int entropy_requested, int secure,
  21. size_t min_len, size_t max_len)
  22. {
  23. RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
  24. size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);
  25. if (pool == NULL)
  26. return NULL;
  27. pool->min_len = min_len;
  28. pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?
  29. RAND_POOL_MAX_LENGTH : max_len;
  30. pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len;
  31. if (pool->alloc_len > pool->max_len)
  32. pool->alloc_len = pool->max_len;
  33. if (secure)
  34. pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len);
  35. else
  36. pool->buffer = OPENSSL_zalloc(pool->alloc_len);
  37. if (pool->buffer == NULL)
  38. goto err;
  39. pool->entropy_requested = entropy_requested;
  40. pool->secure = secure;
  41. return pool;
  42. err:
  43. OPENSSL_free(pool);
  44. return NULL;
  45. }
  46. /*
  47. * Attach new random pool to the given buffer
  48. *
  49. * This function is intended to be used only for feeding random data
  50. * provided by RAND_add() and RAND_seed() into the <master> DRBG.
  51. */
  52. RAND_POOL *ossl_rand_pool_attach(const unsigned char *buffer, size_t len,
  53. size_t entropy)
  54. {
  55. RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
  56. if (pool == NULL)
  57. return NULL;
  58. /*
  59. * The const needs to be cast away, but attached buffers will not be
  60. * modified (in contrary to allocated buffers which are zeroed and
  61. * freed in the end).
  62. */
  63. pool->buffer = (unsigned char *) buffer;
  64. pool->len = len;
  65. pool->attached = 1;
  66. pool->min_len = pool->max_len = pool->alloc_len = pool->len;
  67. pool->entropy = entropy;
  68. return pool;
  69. }
  70. /*
  71. * Free |pool|, securely erasing its buffer.
  72. */
  73. void ossl_rand_pool_free(RAND_POOL *pool)
  74. {
  75. if (pool == NULL)
  76. return;
  77. /*
  78. * Although it would be advisable from a cryptographical viewpoint,
  79. * we are not allowed to clear attached buffers, since they are passed
  80. * to ossl_rand_pool_attach() as `const unsigned char*`.
  81. * (see corresponding comment in ossl_rand_pool_attach()).
  82. */
  83. if (!pool->attached) {
  84. if (pool->secure)
  85. OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
  86. else
  87. OPENSSL_clear_free(pool->buffer, pool->alloc_len);
  88. }
  89. OPENSSL_free(pool);
  90. }
  91. /*
  92. * Return the |pool|'s buffer to the caller (readonly).
  93. */
  94. const unsigned char *ossl_rand_pool_buffer(RAND_POOL *pool)
  95. {
  96. return pool->buffer;
  97. }
  98. /*
  99. * Return the |pool|'s entropy to the caller.
  100. */
  101. size_t ossl_rand_pool_entropy(RAND_POOL *pool)
  102. {
  103. return pool->entropy;
  104. }
  105. /*
  106. * Return the |pool|'s buffer length to the caller.
  107. */
  108. size_t ossl_rand_pool_length(RAND_POOL *pool)
  109. {
  110. return pool->len;
  111. }
  112. /*
  113. * Detach the |pool| buffer and return it to the caller.
  114. * It's the responsibility of the caller to free the buffer
  115. * using OPENSSL_secure_clear_free() or to re-attach it
  116. * again to the pool using ossl_rand_pool_reattach().
  117. */
  118. unsigned char *ossl_rand_pool_detach(RAND_POOL *pool)
  119. {
  120. unsigned char *ret = pool->buffer;
  121. pool->buffer = NULL;
  122. pool->entropy = 0;
  123. return ret;
  124. }
  125. /*
  126. * Re-attach the |pool| buffer. It is only allowed to pass
  127. * the |buffer| which was previously detached from the same pool.
  128. */
  129. void ossl_rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer)
  130. {
  131. pool->buffer = buffer;
  132. OPENSSL_cleanse(pool->buffer, pool->len);
  133. pool->len = 0;
  134. }
  135. /*
  136. * If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one
  137. * need to obtain at least |bits| bits of entropy?
  138. */
  139. #define ENTROPY_TO_BYTES(bits, entropy_factor) \
  140. (((bits) * (entropy_factor) + 7) / 8)
  141. /*
  142. * Checks whether the |pool|'s entropy is available to the caller.
  143. * This is the case when entropy count and buffer length are high enough.
  144. * Returns
  145. *
  146. * |entropy| if the entropy count and buffer size is large enough
  147. * 0 otherwise
  148. */
  149. size_t ossl_rand_pool_entropy_available(RAND_POOL *pool)
  150. {
  151. if (pool->entropy < pool->entropy_requested)
  152. return 0;
  153. if (pool->len < pool->min_len)
  154. return 0;
  155. return pool->entropy;
  156. }
  157. /*
  158. * Returns the (remaining) amount of entropy needed to fill
  159. * the random pool.
  160. */
  161. size_t ossl_rand_pool_entropy_needed(RAND_POOL *pool)
  162. {
  163. if (pool->entropy < pool->entropy_requested)
  164. return pool->entropy_requested - pool->entropy;
  165. return 0;
  166. }
  167. /* Increase the allocation size -- not usable for an attached pool */
  168. static int rand_pool_grow(RAND_POOL *pool, size_t len)
  169. {
  170. if (len > pool->alloc_len - pool->len) {
  171. unsigned char *p;
  172. const size_t limit = pool->max_len / 2;
  173. size_t newlen = pool->alloc_len;
  174. if (pool->attached || len > pool->max_len - pool->len) {
  175. ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
  176. return 0;
  177. }
  178. do
  179. newlen = newlen < limit ? newlen * 2 : pool->max_len;
  180. while (len > newlen - pool->len);
  181. if (pool->secure)
  182. p = OPENSSL_secure_zalloc(newlen);
  183. else
  184. p = OPENSSL_zalloc(newlen);
  185. if (p == NULL)
  186. return 0;
  187. memcpy(p, pool->buffer, pool->len);
  188. if (pool->secure)
  189. OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
  190. else
  191. OPENSSL_clear_free(pool->buffer, pool->alloc_len);
  192. pool->buffer = p;
  193. pool->alloc_len = newlen;
  194. }
  195. return 1;
  196. }
  197. /*
  198. * Returns the number of bytes needed to fill the pool, assuming
  199. * the input has 1 / |entropy_factor| entropy bits per data bit.
  200. * In case of an error, 0 is returned.
  201. */
  202. size_t ossl_rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor)
  203. {
  204. size_t bytes_needed;
  205. size_t entropy_needed = ossl_rand_pool_entropy_needed(pool);
  206. if (entropy_factor < 1) {
  207. ERR_raise(ERR_LIB_RAND, RAND_R_ARGUMENT_OUT_OF_RANGE);
  208. return 0;
  209. }
  210. bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_factor);
  211. if (bytes_needed > pool->max_len - pool->len) {
  212. /* not enough space left */
  213. ERR_raise_data(ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW,
  214. "entropy_factor=%u, entropy_needed=%zu, bytes_needed=%zu,"
  215. "pool->max_len=%zu, pool->len=%zu",
  216. entropy_factor, entropy_needed, bytes_needed,
  217. pool->max_len, pool->len);
  218. return 0;
  219. }
  220. if (pool->len < pool->min_len &&
  221. bytes_needed < pool->min_len - pool->len)
  222. /* to meet the min_len requirement */
  223. bytes_needed = pool->min_len - pool->len;
  224. /*
  225. * Make sure the buffer is large enough for the requested amount
  226. * of data. This guarantees that existing code patterns where
  227. * ossl_rand_pool_add_begin, ossl_rand_pool_add_end or ossl_rand_pool_add
  228. * are used to collect entropy data without any error handling
  229. * whatsoever, continue to be valid.
  230. * Furthermore if the allocation here fails once, make sure that
  231. * we don't fall back to a less secure or even blocking random source,
  232. * as that could happen by the existing code patterns.
  233. * This is not a concern for additional data, therefore that
  234. * is not needed if rand_pool_grow fails in other places.
  235. */
  236. if (!rand_pool_grow(pool, bytes_needed)) {
  237. /* persistent error for this pool */
  238. pool->max_len = pool->len = 0;
  239. return 0;
  240. }
  241. return bytes_needed;
  242. }
  243. /* Returns the remaining number of bytes available */
  244. size_t ossl_rand_pool_bytes_remaining(RAND_POOL *pool)
  245. {
  246. return pool->max_len - pool->len;
  247. }
  248. /*
  249. * Add random bytes to the random pool.
  250. *
  251. * It is expected that the |buffer| contains |len| bytes of
  252. * random input which contains at least |entropy| bits of
  253. * randomness.
  254. *
  255. * Returns 1 if the added amount is adequate, otherwise 0
  256. */
  257. int ossl_rand_pool_add(RAND_POOL *pool,
  258. const unsigned char *buffer, size_t len, size_t entropy)
  259. {
  260. if (len > pool->max_len - pool->len) {
  261. ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);
  262. return 0;
  263. }
  264. if (pool->buffer == NULL) {
  265. ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
  266. return 0;
  267. }
  268. if (len > 0) {
  269. /*
  270. * This is to protect us from accidentally passing the buffer
  271. * returned from ossl_rand_pool_add_begin.
  272. * The check for alloc_len makes sure we do not compare the
  273. * address of the end of the allocated memory to something
  274. * different, since that comparison would have an
  275. * indeterminate result.
  276. */
  277. if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) {
  278. ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
  279. return 0;
  280. }
  281. /*
  282. * We have that only for cases when a pool is used to collect
  283. * additional data.
  284. * For entropy data, as long as the allocation request stays within
  285. * the limits given by ossl_rand_pool_bytes_needed this rand_pool_grow
  286. * below is guaranteed to succeed, thus no allocation happens.
  287. */
  288. if (!rand_pool_grow(pool, len))
  289. return 0;
  290. memcpy(pool->buffer + pool->len, buffer, len);
  291. pool->len += len;
  292. pool->entropy += entropy;
  293. }
  294. return 1;
  295. }
  296. /*
  297. * Start to add random bytes to the random pool in-place.
  298. *
  299. * Reserves the next |len| bytes for adding random bytes in-place
  300. * and returns a pointer to the buffer.
  301. * The caller is allowed to copy up to |len| bytes into the buffer.
  302. * If |len| == 0 this is considered a no-op and a NULL pointer
  303. * is returned without producing an error message.
  304. *
  305. * After updating the buffer, ossl_rand_pool_add_end() needs to be called
  306. * to finish the update operation (see next comment).
  307. */
  308. unsigned char *ossl_rand_pool_add_begin(RAND_POOL *pool, size_t len)
  309. {
  310. if (len == 0)
  311. return NULL;
  312. if (len > pool->max_len - pool->len) {
  313. ERR_raise(ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW);
  314. return NULL;
  315. }
  316. if (pool->buffer == NULL) {
  317. ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
  318. return NULL;
  319. }
  320. /*
  321. * As long as the allocation request stays within the limits given
  322. * by ossl_rand_pool_bytes_needed this rand_pool_grow below is guaranteed
  323. * to succeed, thus no allocation happens.
  324. * We have that only for cases when a pool is used to collect
  325. * additional data. Then the buffer might need to grow here,
  326. * and of course the caller is responsible to check the return
  327. * value of this function.
  328. */
  329. if (!rand_pool_grow(pool, len))
  330. return NULL;
  331. return pool->buffer + pool->len;
  332. }
  333. /*
  334. * Finish to add random bytes to the random pool in-place.
  335. *
  336. * Finishes an in-place update of the random pool started by
  337. * ossl_rand_pool_add_begin() (see previous comment).
  338. * It is expected that |len| bytes of random input have been added
  339. * to the buffer which contain at least |entropy| bits of randomness.
  340. * It is allowed to add less bytes than originally reserved.
  341. */
  342. int ossl_rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
  343. {
  344. if (len > pool->alloc_len - pool->len) {
  345. ERR_raise(ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW);
  346. return 0;
  347. }
  348. if (len > 0) {
  349. pool->len += len;
  350. pool->entropy += entropy;
  351. }
  352. return 1;
  353. }