mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-09 05:51:54 +08:00
Code Issues Packages Projects Releases Wiki Activity
55ecb812b1
openssl/crypto/rand/rand_vms.c

618 lines
18 KiB
C
Raw Normal View History

Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
/*
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5689)
2018-03-20 21:00:17 +08:00
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
Change RAND_poll for Unix to try a number of devices and only read them for a short period of time (actually, poll them with select(), then read() whatever is there), which is about 10ms (hard-coded value) each. Separate Windows and Unixly code, and start on a VMS variant that currently just returns 0.
2001-01-08 18:59:26 +08:00
*
Following the license change, modify the boilerplates in crypto/rand/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7811)
2018-12-06 20:52:15 +08:00
* Licensed under the Apache License 2.0 (the "License"). You may not use
Copyright consolidation 09/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-18 02:52:22 +08:00
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
Change RAND_poll for Unix to try a number of devices and only read them for a short period of time (actually, poll them with select(), then read() whatever is there), which is about 10ms (hard-coded value) each. Separate Windows and Unixly code, and start on a VMS variant that currently just returns 0.
2001-01-08 18:59:26 +08:00
*/
Start to overhaul RAND API Remove unused rand_hw_xor, MD/EVP indirection Make rand_pseudo same as rand. Cleanup formatting and ifdef control Rename some things: - rand_meth to openssl_rand_meth; make it global - source file - lock/init functions, start per-thread state - ossl_meth_init to ossl_rand_init Put state into RAND_STATE structure And put OSSL_RAND_STATE into ossl_typ.h Use "randomness" instead of "entropy" Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3758)
2017-06-22 21:21:43 +08:00
#include "e_os.h"
Change RAND_poll for Unix to try a number of devices and only read them for a short period of time (actually, poll them with select(), then read() whatever is there), which is about 10ms (hard-coded value) each. Separate Windows and Unixly code, and start on a VMS variant that currently just returns 0.
2001-01-08 18:59:26 +08:00
Use new-style system-id macros everywhere possible. I hope I haven't missed any. This compiles and runs on Linux, and external applications have no problems with it. The definite test will be to build this on VMS.
2001-02-20 16:13:47 +08:00
#if defined(OPENSSL_SYS_VMS)
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
# define __NEW_STARLET 1 /* New starlet definitions since VMS 7.0 */
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
# include <unistd.h>
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
# include "internal/cryptlib.h"
Start to overhaul RAND API Remove unused rand_hw_xor, MD/EVP indirection Make rand_pseudo same as rand. Cleanup formatting and ifdef control Rename some things: - rand_meth to openssl_rand_meth; make it global - source file - lock/init functions, start per-thread state - ossl_meth_init to ossl_rand_init Put state into RAND_STATE structure And put OSSL_RAND_STATE into ossl_typ.h Use "randomness" instead of "entropy" Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3758)
2017-06-22 21:21:43 +08:00
# include <openssl/rand.h>
Reorganize private crypto header files Currently, there are two different directories which contain internal header files of libcrypto which are meant to be shared internally: While header files in 'include/internal' are intended to be shared between libcrypto and libssl, the files in 'crypto/include/internal' are intended to be shared inside libcrypto only. To make things complicated, the include search path is set up in such a way that the directive #include "internal/file.h" could refer to a file in either of these two directoroes. This makes it necessary in some cases to add a '_int.h' suffix to some files to resolve this ambiguity: #include "internal/file.h" # located in 'include/internal' #include "internal/file_int.h" # located in 'crypto/include/internal' This commit moves the private crypto headers from 'crypto/include/internal' to 'include/crypto' As a result, the include directives become unambiguous #include "internal/file.h" # located in 'include/internal' #include "crypto/file.h" # located in 'include/crypto' hence the superfluous '_int.h' suffixes can be stripped. The files 'store_int.h' and 'store.h' need to be treated specially; they are joined into a single file. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 06:45:33 +08:00
# include "crypto/rand.h"
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 06:45:40 +08:00
# include "rand_local.h"
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
# include <descrip.h>
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
# include <dvidef.h>
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
# include <jpidef.h>
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
# include <rmidef.h>
# include <syidef.h>
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
# include <ssdef.h>
# include <starlet.h>
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
# include <efndef.h>
# include <gen64def.h>
# include <iosbdef.h>
# include <iledef.h>
# include <lib$routines.h>
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
# ifdef __DECC
# pragma message disable DOLLARID
# endif
Change RAND_poll for Unix to try a number of devices and only read them for a short period of time (actually, poll them with select(), then read() whatever is there), which is about 10ms (hard-coded value) each. Separate Windows and Unixly code, and start on a VMS variant that currently just returns 0.
2001-01-08 18:59:26 +08:00
VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY. This system services is based on FreeBSD 12's getentropy(), and is therefore treated the same way as getentropy() with regards to amount of entropy bits per data bit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8926)
2019-05-14 08:15:14 +08:00
# include <dlfcn.h> /* SYS$GET_ENTROPY presence */
Add --with-rand-seed Add a new config param to specify how the CSPRNG should be seeded. Illegal values or nonsensical combinations (e.g., anything other than "os" on VMS or HP VOS etc) result in build failures. Add RDSEED support. Add RDTSC but leave it disabled for now pending more investigation. Refactor and reorganization all seeding files (rand_unix/win/vms) so that they are simpler. Only require 128 bits of seeding material. Many document improvements, including why to not use RAND_add() and the limitations around using load_file/write_file. Document RAND_poll(). Cleanup Windows RAND_poll and return correct status More completely initialize the default DRBG. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3965)
2017-07-18 21:39:21 +08:00
# ifndef OPENSSL_RAND_SEED_OS
# error "Unsupported seeding method configured; must be os"
# endif
VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY. This system services is based on FreeBSD 12's getentropy(), and is therefore treated the same way as getentropy() with regards to amount of entropy bits per data bit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8926)
2019-05-14 08:15:14 +08:00
/*
* DATA COLLECTION METHOD
* ======================
*
* This is a method to get low quality entropy.
* It works by collecting all kinds of statistical data that
* VMS offers and using them as random seed.
*/
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
/* We need to make sure we have the right size pointer in some cases */
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
# if __INITIAL_POINTER_SIZE == 64
# pragma pointer_size save
# pragma pointer_size 32
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
# endif
typedef uint32_t *uint32_t__ptr32;
# if __INITIAL_POINTER_SIZE == 64
# pragma pointer_size restore
Start to overhaul RAND API Remove unused rand_hw_xor, MD/EVP indirection Make rand_pseudo same as rand. Cleanup formatting and ifdef control Rename some things: - rand_meth to openssl_rand_meth; make it global - source file - lock/init functions, start per-thread state - ossl_meth_init to ossl_rand_init Put state into RAND_STATE structure And put OSSL_RAND_STATE into ossl_typ.h Use "randomness" instead of "entropy" Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3758)
2017-06-22 21:21:43 +08:00
# endif
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
struct item_st {
VSI submission: make the VMS version of RAND_poll() faster and more secure Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-04 03:45:06 +08:00
short length, code; /* length is number of bytes */
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
};
static const struct item_st DVI_item_data[] = {
{4, DVI$_ERRCNT},
{4, DVI$_REFCNT},
};
static const struct item_st JPI_item_data[] = {
{4, JPI$_BUFIO},
{4, JPI$_CPUTIM},
{4, JPI$_DIRIO},
{4, JPI$_IMAGECOUNT},
{4, JPI$_PAGEFLTS},
{4, JPI$_PID},
{4, JPI$_PPGCNT},
{4, JPI$_WSPEAK},
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
/*
* Note: the direct result is just a 32-bit address. However, it points
* to a list of 4 32-bit words, so we make extra space for them so we can
* do in-place replacement of values
*/
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
{16, JPI$_FINALEXC},
};
static const struct item_st JPI_item_data_64bit[] = {
{8, JPI$_LAST_LOGIN_I},
{8, JPI$_LOGINTIM},
};
static const struct item_st RMI_item_data[] = {
{4, RMI$_COLPG},
{4, RMI$_MWAIT},
{4, RMI$_CEF},
{4, RMI$_PFW},
{4, RMI$_LEF},
{4, RMI$_LEFO},
{4, RMI$_HIB},
{4, RMI$_HIBO},
{4, RMI$_SUSP},
{4, RMI$_SUSPO},
{4, RMI$_FPG},
{4, RMI$_COM},
{4, RMI$_COMO},
{4, RMI$_CUR},
#if defined __alpha
{4, RMI$_FRLIST},
{4, RMI$_MODLIST},
#endif
{4, RMI$_FAULTS},
{4, RMI$_PREADS},
{4, RMI$_PWRITES},
{4, RMI$_PWRITIO},
{4, RMI$_PREADIO},
{4, RMI$_GVALFLTS},
{4, RMI$_WRTINPROG},
{4, RMI$_FREFLTS},
{4, RMI$_DZROFLTS},
{4, RMI$_SYSFAULTS},
{4, RMI$_ISWPCNT},
{4, RMI$_DIRIO},
{4, RMI$_BUFIO},
{4, RMI$_MBREADS},
{4, RMI$_MBWRITES},
{4, RMI$_LOGNAM},
{4, RMI$_FCPCALLS},
{4, RMI$_FCPREAD},
{4, RMI$_FCPWRITE},
{4, RMI$_FCPCACHE},
{4, RMI$_FCPCPU},
{4, RMI$_FCPHIT},
{4, RMI$_FCPSPLIT},
{4, RMI$_FCPFAULT},
{4, RMI$_ENQNEW},
{4, RMI$_ENQCVT},
{4, RMI$_DEQ},
{4, RMI$_BLKAST},
{4, RMI$_ENQWAIT},
{4, RMI$_ENQNOTQD},
{4, RMI$_DLCKSRCH},
{4, RMI$_DLCKFND},
{4, RMI$_NUMLOCKS},
{4, RMI$_NUMRES},
{4, RMI$_ARRLOCPK},
{4, RMI$_DEPLOCPK},
{4, RMI$_ARRTRAPK},
{4, RMI$_TRCNGLOS},
{4, RMI$_RCVBUFFL},
{4, RMI$_ENQNEWLOC},
{4, RMI$_ENQNEWIN},
{4, RMI$_ENQNEWOUT},
{4, RMI$_ENQCVTLOC},
{4, RMI$_ENQCVTIN},
{4, RMI$_ENQCVTOUT},
{4, RMI$_DEQLOC},
{4, RMI$_DEQIN},
{4, RMI$_DEQOUT},
{4, RMI$_BLKLOC},
{4, RMI$_BLKIN},
{4, RMI$_BLKOUT},
{4, RMI$_DIRIN},
{4, RMI$_DIROUT},
/* We currently get a fault when trying these. TODO: To be figured out. */
#if 0
{140, RMI$_MSCP_EVERYTHING}, /* 35 32-bit words */
{152, RMI$_DDTM_ALL}, /* 38 32-bit words */
{80, RMI$_TMSCP_EVERYTHING} /* 20 32-bit words */
#endif
{4, RMI$_LPZ_PAGCNT},
{4, RMI$_LPZ_HITS},
{4, RMI$_LPZ_MISSES},
{4, RMI$_LPZ_EXPCNT},
{4, RMI$_LPZ_ALLOCF},
{4, RMI$_LPZ_ALLOC2},
{4, RMI$_ACCESS},
{4, RMI$_ALLOC},
{4, RMI$_FCPCREATE},
{4, RMI$_VOLWAIT},
{4, RMI$_FCPTURN},
{4, RMI$_FCPERASE},
{4, RMI$_OPENS},
{4, RMI$_FIDHIT},
{4, RMI$_FIDMISS},
{4, RMI$_FILHDR_HIT},
{4, RMI$_DIRFCB_HIT},
{4, RMI$_DIRFCB_MISS},
{4, RMI$_DIRDATA_HIT},
{4, RMI$_EXTHIT},
{4, RMI$_EXTMISS},
{4, RMI$_QUOHIT},
{4, RMI$_QUOMISS},
{4, RMI$_STORAGMAP_HIT},
{4, RMI$_VOLLCK},
{4, RMI$_SYNCHLCK},
{4, RMI$_SYNCHWAIT},
{4, RMI$_ACCLCK},
{4, RMI$_XQPCACHEWAIT},
{4, RMI$_DIRDATA_MISS},
{4, RMI$_FILHDR_MISS},
{4, RMI$_STORAGMAP_MISS},
{4, RMI$_PROCCNTMAX},
{4, RMI$_PROCBATCNT},
{4, RMI$_PROCINTCNT},
{4, RMI$_PROCNETCNT},
{4, RMI$_PROCSWITCHCNT},
{4, RMI$_PROCBALSETCNT},
{4, RMI$_PROCLOADCNT},
{4, RMI$_BADFLTS},
{4, RMI$_EXEFAULTS},
{4, RMI$_HDRINSWAPS},
{4, RMI$_HDROUTSWAPS},
{4, RMI$_IOPAGCNT},
{4, RMI$_ISWPCNTPG},
{4, RMI$_OSWPCNT},
{4, RMI$_OSWPCNTPG},
{4, RMI$_RDFAULTS},
{4, RMI$_TRANSFLTS},
{4, RMI$_WRTFAULTS},
#if defined __alpha
{4, RMI$_USERPAGES},
#endif
{4, RMI$_VMSPAGES},
{4, RMI$_TTWRITES},
{4, RMI$_BUFOBJPAG},
{4, RMI$_BUFOBJPAGPEAK},
{4, RMI$_BUFOBJPAGS01},
{4, RMI$_BUFOBJPAGS2},
{4, RMI$_BUFOBJPAGMAXS01},
{4, RMI$_BUFOBJPAGMAXS2},
{4, RMI$_BUFOBJPAGPEAKS01},
{4, RMI$_BUFOBJPAGPEAKS2},
{4, RMI$_BUFOBJPGLTMAXS01},
{4, RMI$_BUFOBJPGLTMAXS2},
{4, RMI$_DLCK_INCMPLT},
{4, RMI$_DLCKMSGS_IN},
{4, RMI$_DLCKMSGS_OUT},
{4, RMI$_MCHKERRS},
{4, RMI$_MEMERRS},
};
static const struct item_st RMI_item_data_64bit[] = {
#if defined __ia64
{8, RMI$_FRLIST},
{8, RMI$_MODLIST},
#endif
{8, RMI$_LCKMGR_REQCNT},
{8, RMI$_LCKMGR_REQTIME},
{8, RMI$_LCKMGR_SPINCNT},
{8, RMI$_LCKMGR_SPINTIME},
{8, RMI$_CPUINTSTK},
{8, RMI$_CPUMPSYNCH},
{8, RMI$_CPUKERNEL},
{8, RMI$_CPUEXEC},
{8, RMI$_CPUSUPER},
{8, RMI$_CPUUSER},
#if defined __ia64
{8, RMI$_USERPAGES},
#endif
{8, RMI$_TQETOTAL},
{8, RMI$_TQESYSUB},
{8, RMI$_TQEUSRTIMR},
{8, RMI$_TQEUSRWAKE},
};
static const struct item_st SYI_item_data[] = {
{4, SYI$_PAGEFILE_FREE},
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
};
After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS submitted by Steven M. Schweda <sms@antinode.info>
2011-03-19 18:58:14 +08:00
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
/*
* Input:
* items_data - an array of lengths and codes
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
* items_data_num - number of elements in that array
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
*
* Output:
* items - pre-allocated ILE3 array to be filled.
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
* It's assumed to have items_data_num elements plus
* one extra for the terminating NULL element
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
* databuffer - pre-allocated 32-bit word array.
*
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
* Returns the number of elements used in databuffer
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
*/
static size_t prepare_item_list(const struct item_st *items_input,
size_t items_input_num,
ILE3 *items,
uint32_t__ptr32 databuffer)
{
size_t data_sz = 0;
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
for (; items_input_num-- > 0; items_input++, items++) {
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
VMS rand: assign before check, not the other way around items->ile3$w_code was checked before it was assigned its value... Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6200)
2018-05-09 02:15:27 +08:00
items->ile3$w_code = items_input->code;
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
/* Special treatment of JPI$_FINALEXC */
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
if (items->ile3$w_code == JPI$_FINALEXC)
items->ile3$w_length = 4;
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
else
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
items->ile3$w_length = items_input->length;
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
items->ile3$ps_bufaddr = databuffer;
items->ile3$ps_retlen_addr = 0;
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
databuffer += items_input->length / sizeof(databuffer[0]);
data_sz += items_input->length;
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
}
/* Terminating NULL entry */
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
items->ile3$w_length = items->ile3$w_code = 0;
items->ile3$ps_bufaddr = items->ile3$ps_retlen_addr = NULL;
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
return data_sz / sizeof(databuffer[0]);
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
}
static void massage_JPI(ILE3 *items)
{
/*
* Special treatment of JPI$_FINALEXC
* The result of that item's data buffer is a 32-bit address to a list of
* 4 32-bit words.
*/
for (; items->ile3$w_length != 0; items++) {
if (items->ile3$w_code == JPI$_FINALEXC) {
uint32_t *data = items->ile3$ps_bufaddr;
uint32_t *ptr = (uint32_t *)*data;
size_t j;
/*
* We know we made space for 4 32-bit words, so we can do in-place
* replacement.
*/
for (j = 0; j < 4; j++)
data[j] = ptr[j];
break;
}
}
}
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
/*
Change rand_pool_bytes_needed to handle less entropy than 1 per 8 bits rand_pool_bytes_needed() was constructed in such a way that the smallest acceptable entropy factor was 1 entropy bits per 8 bits of data. At the same time, we have a DRBG_MINMAX_FACTOR that allows weaker source, as small as 1 bit of entropy per 128 bits of data. The conclusion is that rand_pool_bytes_needed() needs to change to support weaker entropy sources. We therefore change the input of entropy per byte to be an entropy factor instead. This entropy factor expresses how many bits of data it takes (on average) to get 1 bit of entropy. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6150)
2018-05-02 12:24:20 +08:00
* This number expresses how many bits of data contain 1 bit of entropy.
*
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
* For the moment, we assume about 0.05 entropy bits per data bit, or 1
* bit of entropy per 20 data bits.
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
*/
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
#define ENTROPY_FACTOR 20
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY. This system services is based on FreeBSD 12's getentropy(), and is therefore treated the same way as getentropy() with regards to amount of entropy bits per data bit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8926)
2019-05-14 08:15:14 +08:00
size_t data_collect_method(RAND_POOL *pool)
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
{
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
ILE3 JPI_items_64bit[OSSL_NELEM(JPI_item_data_64bit) + 1];
ILE3 RMI_items_64bit[OSSL_NELEM(RMI_item_data_64bit) + 1];
ILE3 DVI_items[OSSL_NELEM(DVI_item_data) + 1];
ILE3 JPI_items[OSSL_NELEM(JPI_item_data) + 1];
ILE3 RMI_items[OSSL_NELEM(RMI_item_data) + 1];
ILE3 SYI_items[OSSL_NELEM(SYI_item_data) + 1];
union {
/* This ensures buffer starts at 64 bit boundary */
uint64_t dummy;
uint32_t buffer[OSSL_NELEM(JPI_item_data_64bit) * 2
+ OSSL_NELEM(RMI_item_data_64bit) * 2
+ OSSL_NELEM(DVI_item_data)
+ OSSL_NELEM(JPI_item_data)
+ OSSL_NELEM(RMI_item_data)
+ OSSL_NELEM(SYI_item_data)
+ 4 /* For JPI$_FINALEXC */];
} data;
size_t total_elems = 0;
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
size_t total_length = 0;
Change rand_pool_bytes_needed to handle less entropy than 1 per 8 bits rand_pool_bytes_needed() was constructed in such a way that the smallest acceptable entropy factor was 1 entropy bits per 8 bits of data. At the same time, we have a DRBG_MINMAX_FACTOR that allows weaker source, as small as 1 bit of entropy per 128 bits of data. The conclusion is that rand_pool_bytes_needed() needs to change to support weaker entropy sources. We therefore change the input of entropy per byte to be an entropy factor instead. This entropy factor expresses how many bits of data it takes (on average) to get 1 bit of entropy. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6150)
2018-05-02 12:24:20 +08:00
size_t bytes_needed = rand_pool_bytes_needed(pool, ENTROPY_FACTOR);
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
size_t bytes_remaining = rand_pool_bytes_remaining(pool);
A randomizer for OpenVMS, using the statistics that are easily reachable. It's completely untested for now. To be done in the next few days.
2001-05-13 18:34:18 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
/* Take all the 64-bit items first, to ensure proper alignment of data */
total_elems +=
prepare_item_list(JPI_item_data_64bit, OSSL_NELEM(JPI_item_data_64bit),
JPI_items_64bit, &data.buffer[total_elems]);
total_elems +=
prepare_item_list(RMI_item_data_64bit, OSSL_NELEM(RMI_item_data_64bit),
RMI_items_64bit, &data.buffer[total_elems]);
/* Now the 32-bit items */
total_elems += prepare_item_list(DVI_item_data, OSSL_NELEM(DVI_item_data),
DVI_items, &data.buffer[total_elems]);
total_elems += prepare_item_list(JPI_item_data, OSSL_NELEM(JPI_item_data),
JPI_items, &data.buffer[total_elems]);
total_elems += prepare_item_list(RMI_item_data, OSSL_NELEM(RMI_item_data),
RMI_items, &data.buffer[total_elems]);
total_elems += prepare_item_list(SYI_item_data, OSSL_NELEM(SYI_item_data),
SYI_items, &data.buffer[total_elems]);
total_length = total_elems * sizeof(data.buffer[0]);
A randomizer for OpenVMS, using the statistics that are easily reachable. It's completely untested for now. To be done in the next few days.
2001-05-13 18:34:18 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
/* Fill data.buffer with various info bits from this process */
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
{
uint32_t status;
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
uint32_t efn;
IOSB iosb;
$DESCRIPTOR(SYSDEVICE,"SYS$SYSDEVICE:");
VSI submission: make the VMS version of RAND_poll() faster and more secure Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-04 03:45:06 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
if ((status = sys$getdviw(EFN$C_ENF, 0, &SYSDEVICE, DVI_items,
0, 0, 0, 0, 0)) != SS$_NORMAL) {
lib$signal(status);
return 0;
}
if ((status = sys$getjpiw(EFN$C_ENF, 0, 0, JPI_items_64bit, 0, 0, 0))
!= SS$_NORMAL) {
lib$signal(status);
return 0;
}
if ((status = sys$getjpiw(EFN$C_ENF, 0, 0, JPI_items, 0, 0, 0))
!= SS$_NORMAL) {
lib$signal(status);
return 0;
}
if ((status = sys$getsyiw(EFN$C_ENF, 0, 0, SYI_items, 0, 0, 0))
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
!= SS$_NORMAL) {
lib$signal(status);
return 0;
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
}
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
/*
* The RMI service is a bit special, as there is no synchronous
* variant, so we MUST create an event flag to synchronise on.
*/
if ((status = lib$get_ef(&efn)) != SS$_NORMAL) {
lib$signal(status);
return 0;
}
if ((status = sys$getrmi(efn, 0, 0, RMI_items_64bit, &iosb, 0, 0))
!= SS$_NORMAL) {
lib$signal(status);
return 0;
}
if ((status = sys$synch(efn, &iosb)) != SS$_NORMAL) {
lib$signal(status);
return 0;
}
if (iosb.iosb$l_getxxi_status != SS$_NORMAL) {
lib$signal(iosb.iosb$l_getxxi_status);
return 0;
}
if ((status = sys$getrmi(efn, 0, 0, RMI_items, &iosb, 0, 0))
!= SS$_NORMAL) {
lib$signal(status);
return 0;
}
if ((status = sys$synch(efn, &iosb)) != SS$_NORMAL) {
lib$signal(status);
return 0;
}
if (iosb.iosb$l_getxxi_status != SS$_NORMAL) {
lib$signal(iosb.iosb$l_getxxi_status);
return 0;
}
if ((status = lib$free_ef(&efn)) != SS$_NORMAL) {
lib$signal(status);
return 0;
}
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 11:40:55 +08:00
}
VSI submission: make the VMS version of RAND_poll() faster and more secure Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-04 03:45:06 +08:00
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
massage_JPI(JPI_items);
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
Fix reseeding issues of the public RAND_DRBG Reseeding is handled very differently by the classic RAND_METHOD API and the new RAND_DRBG api. These differences led to some problems when the new RAND_DRBG was made the default OpenSSL RNG. In particular, RAND_add() did not work as expected anymore. These issues are discussed on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API' and in Pull Request #4328. This commit fixes the mentioned issues, introducing the following changes: - Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which facilitates collecting entropy by the get_entropy() callback. - Don't use RAND_poll()/RAND_add() for collecting entropy from the get_entropy() callback anymore. Instead, replace RAND_poll() by RAND_POOL_acquire_entropy(). - Add a new function rand_drbg_restart() which tries to get the DRBG in an instantiated state by all means, regardless of the current state (uninstantiated, error, ...) the DRBG is in. If the caller provides entropy or additional input, it will be used for reseeding. - Restore the original documented behaviour of RAND_add() and RAND_poll() (namely to reseed the DRBG immediately) by a new implementation based on rand_drbg_restart(). - Add automatic error recovery from temporary failures of the entropy source to RAND_DRBG_generate() using the rand_drbg_restart() function. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
2017-09-01 05:16:22 +08:00
/*
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
* If we can't feed the requirements from the caller, we're in deep trouble.
Fix reseeding issues of the public RAND_DRBG Reseeding is handled very differently by the classic RAND_METHOD API and the new RAND_DRBG api. These differences led to some problems when the new RAND_DRBG was made the default OpenSSL RNG. In particular, RAND_add() did not work as expected anymore. These issues are discussed on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API' and in Pull Request #4328. This commit fixes the mentioned issues, introducing the following changes: - Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which facilitates collecting entropy by the get_entropy() callback. - Don't use RAND_poll()/RAND_add() for collecting entropy from the get_entropy() callback anymore. Instead, replace RAND_poll() by RAND_POOL_acquire_entropy(). - Add a new function rand_drbg_restart() which tries to get the DRBG in an instantiated state by all means, regardless of the current state (uninstantiated, error, ...) the DRBG is in. If the caller provides entropy or additional input, it will be used for reseeding. - Restore the original documented behaviour of RAND_add() and RAND_poll() (namely to reseed the DRBG immediately) by a new implementation based on rand_drbg_restart(). - Add automatic error recovery from temporary failures of the entropy source to RAND_DRBG_generate() using the rand_drbg_restart() function. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
2017-09-01 05:16:22 +08:00
*/
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
if (!ossl_assert(total_length >= bytes_needed)) {
VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY. This system services is based on FreeBSD 12's getentropy(), and is therefore treated the same way as getentropy() with regards to amount of entropy bits per data bit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8926)
2019-05-14 08:15:14 +08:00
ERR_raise_data(ERR_LIB_RAND, RAND_R_RANDOM_POOL_UNDERFLOW,
"Needed: %zu, Available: %zu",
bytes_needed, total_length);
VMS: stricter acquisition of entropy for the pool Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 22:33:55 +08:00
return 0;
}
/*
* Try not to overfeed the pool
*/
if (total_length > bytes_remaining)
total_length = bytes_remaining;
Change rand_pool_bytes_needed to handle less entropy than 1 per 8 bits rand_pool_bytes_needed() was constructed in such a way that the smallest acceptable entropy factor was 1 entropy bits per 8 bits of data. At the same time, we have a DRBG_MINMAX_FACTOR that allows weaker source, as small as 1 bit of entropy per 128 bits of data. The conclusion is that rand_pool_bytes_needed() needs to change to support weaker entropy sources. We therefore change the input of entropy per byte to be an entropy factor instead. This entropy factor expresses how many bits of data it takes (on average) to get 1 bit of entropy. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6150)
2018-05-02 12:24:20 +08:00
/* We give the pessimistic value for the amount of entropy */
VMS: modernise rand_pool_acquire_entropy, step 2 Add more items that could serve as entropy source. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-02 12:16:04 +08:00
rand_pool_add(pool, (unsigned char *)data.buffer, total_length,
8 * total_length / ENTROPY_FACTOR);
Remove ambiguity in rand_pool_add[_end] return value When these two functions returned zero, it could mean: 1. that an error occured. In their case, the error is an overflow of the pool, i.e. the correct response from the caller would be to stop trying to fill the pool. 2. that there isn't enought entropy acquired yet, i.e. the correct response from the caller would be to try and add more entropy to the pool. Because of this ambiguity, the returned zero turns out to be useless. This change makes the returned value more consistent. 1 means the addition of new entropy was successful, 0 means it wasn't. To know if the pool has been filled enough, the caller will have to call some other function, such as rand_pool_entropy_available(). Fixes #5846 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5876)
2018-04-05 00:31:50 +08:00
return rand_pool_entropy_available(pool);
Change RAND_poll for Unix to try a number of devices and only read them for a short period of time (actually, poll them with select(), then read() whatever is there), which is about 10ms (hard-coded value) each. Separate Windows and Unixly code, and start on a VMS variant that currently just returns 0.
2001-01-08 18:59:26 +08:00
}
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
int rand_pool_add_nonce_data(RAND_POOL *pool)
{
struct {
pid_t pid;
CRYPTO_THREAD_ID tid;
uint64_t time;
Clear seed source structures. If the structures have empty padding bytes, ensure they are zeroed. These structures are added to seed pools as complete blocks including any padding and alignment bytes. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8610)
2019-03-29 15:46:11 +08:00
} data;
/* Erase the entire structure including any padding */
memset(&data, 0, sizeof(data));
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
/*
VMS: only use the high precision on VMS v8.4 and up It simply isn't available on older versions. Issue submitted by Mark Daniels Fixes #7229 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7230) (cherry picked from commit d6d6aa3521e207c2727bbd1e5c97772502d15739)
2018-09-15 20:59:06 +08:00
* Add process id, thread id, and a high resolution timestamp
* (where available, which is OpenVMS v8.4 and up) to ensure that
Fix some typos Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer> CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10544)
2019-12-01 07:18:47 +08:00
* the nonce is unique with high probability for different process
VMS: only use the high precision on VMS v8.4 and up It simply isn't available on older versions. Issue submitted by Mark Daniels Fixes #7229 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7230) (cherry picked from commit d6d6aa3521e207c2727bbd1e5c97772502d15739)
2018-09-15 20:59:06 +08:00
* instances.
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
*/
data.pid = getpid();
data.tid = CRYPTO_THREAD_get_current_id();
VMS: only use the high precision on VMS v8.4 and up It simply isn't available on older versions. Issue submitted by Mark Daniels Fixes #7229 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7230) (cherry picked from commit d6d6aa3521e207c2727bbd1e5c97772502d15739)
2018-09-15 20:59:06 +08:00
#if __CRTL_VER >= 80400000
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
sys$gettim_prec(&data.time);
VMS: only use the high precision on VMS v8.4 and up It simply isn't available on older versions. Issue submitted by Mark Daniels Fixes #7229 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7230) (cherry picked from commit d6d6aa3521e207c2727bbd1e5c97772502d15739)
2018-09-15 20:59:06 +08:00
#else
sys$gettim((void*)&data.time);
#endif
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
}
VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY. This system services is based on FreeBSD 12's getentropy(), and is therefore treated the same way as getentropy() with regards to amount of entropy bits per data bit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8926)
2019-05-14 08:15:14 +08:00
/*
* SYS$GET_ENTROPY METHOD
* ======================
*
* This is a high entropy method based on a new system service that is
* based on getentropy() from FreeBSD 12. It's only used if available,
* and its availability is detected at run-time.
*
* We assume that this function provides full entropy random output.
*/
#define PUBLIC_VECTORS "SYS$LIBRARY:SYS$PUBLIC_VECTORS.EXE"
#define GET_ENTROPY "SYS$GET_ENTROPY"
static int get_entropy_address_flag = 0;
static int (*get_entropy_address)(void *buffer, size_t buffer_size) = NULL;
static int init_get_entropy_address(void)
{
if (get_entropy_address_flag == 0)
get_entropy_address = dlsym(dlopen(PUBLIC_VECTORS, 0), GET_ENTROPY);
get_entropy_address_flag = 1;
return get_entropy_address != NULL;
}
size_t get_entropy_method(RAND_POOL *pool)
{
/*
* The documentation says that SYS$GET_ENTROPY will give a maximum of
* 256 bytes of data.
*/
unsigned char buffer[256];
size_t bytes_needed;
size_t bytes_to_get = 0;
uint32_t status;
for (bytes_needed = rand_pool_bytes_needed(pool, 1);
bytes_needed > 0;
bytes_needed -= bytes_to_get) {
bytes_to_get =
bytes_needed > sizeof(buffer) ? sizeof(buffer) : bytes_needed;
status = get_entropy_address(buffer, bytes_to_get);
if (status == SS$_RETRY) {
/* Set to zero so the loop doesn't diminish |bytes_needed| */
bytes_to_get = 0;
/* Should sleep some amount of time */
continue;
}
if (status != SS$_NORMAL) {
lib$signal(status);
return 0;
}
rand_pool_add(pool, buffer, bytes_to_get, 8 * bytes_to_get);
}
return rand_pool_entropy_available(pool);
}
/*
* MAIN ENTROPY ACQUISITION FUNCTIONS
* ==================================
*
* These functions are called by the RAND / DRBG functions
*/
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
{
if (init_get_entropy_address())
return get_entropy_method(pool);
return data_collect_method(pool);
}
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
int rand_pool_add_additional_data(RAND_POOL *pool)
{
struct {
CRYPTO_THREAD_ID tid;
uint64_t time;
Clear seed source structures. If the structures have empty padding bytes, ensure they are zeroed. These structures are added to seed pools as complete blocks including any padding and alignment bytes. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8610)
2019-03-29 15:46:11 +08:00
} data;
/* Erase the entire structure including any padding */
memset(&data, 0, sizeof(data));
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
/*
* Add some noise from the thread id and a high resolution timer.
* The thread id adds a little randomness if the drbg is accessed
* concurrently (which is the case for the <master> drbg).
*/
data.tid = CRYPTO_THREAD_get_current_id();
VMS: only use the high precision on VMS v8.4 and up Fixes #8487 Amends #7230 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8488)
2019-03-15 08:48:51 +08:00
#if __CRTL_VER >= 80400000
VMS: modernise rand_pool_acquire_entropy, step 1 Stop redefining structures that are already defined in system headers. This also means we can stop setting the pointer size globally, because the system structures will have the correct pointer sizes either way. The only exception is passing the right pointer size to a function. Stop trying to twist things around with rand(), that's the job of the DRBG that we feed. Stop assuming the location of the JPI$_FINALEXC item, look it up instead. Signal an exception if the sys$getjpiw call fails (it means the item list isn't set up right, so works as an assertion, but using VMS methodology). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6151)
2018-05-01 00:04:10 +08:00
sys$gettim_prec(&data.time);
VMS: only use the high precision on VMS v8.4 and up Fixes #8487 Amends #7230 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8488)
2019-03-15 08:48:51 +08:00
#else
sys$gettim((void*)&data.time);
#endif
DRBG: implement a get_nonce() callback Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-10 16:22:52 +08:00
return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
}
Modify the DEVRANDOM source so that the files are kept open persistently. This allows operation inside a chroot environment without having the random device present. A new call, RAND_keep_random_devices_open(), has been introduced that can be used to control file descriptor use by the random seed sources. Some seed sources maintain open file descriptors by default, which allows such sources to operate in a chroot(2) jail without the associated device nodes being available. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6432)
2018-06-07 07:31:44 +08:00
int rand_pool_init(void)
{
return 1;
}
void rand_pool_cleanup(void)
{
}
void rand_pool_keep_random_devices_open(int keep)
{
}
Change RAND_poll for Unix to try a number of devices and only read them for a short period of time (actually, poll them with select(), then read() whatever is there), which is about 10ms (hard-coded value) each. Separate Windows and Unixly code, and start on a VMS variant that currently just returns 0.
2001-01-08 18:59:26 +08:00
#endif
Reference in New Issue Copy Permalink