mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-12 13:36:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

rand: fix seeding from a weak entropy source

Browse Source 
The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.

Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.

The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.

Fixes #22332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)
This commit is contained in:
Matthias St. Pierre 2023-10-16 01:35:48 +02:00 committed by Matt Caswell
parent 0a8faac3c7
commit 7998e7dc07
4 changed files with 110 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
crypto/evp/evp_rand.c
View File

@ -46,6 +46,8 @@ struct evp_rand_st {
OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
OSSL_FUNC_rand_get_seed_fn *get_seed;
OSSL_FUNC_rand_clear_seed_fn *clear_seed;
} /* EVP_RAND */ ;
static int evp_rand_up_ref(void *vrand)
@ -236,6 +238,16 @@ static void *evp_rand_from_algorithm(int name_id,
fnzeroizecnt++;
#endif
break;
case OSSL_FUNC_RAND_GET_SEED:
if (rand->get_seed != NULL)
break;
rand->get_seed = OSSL_FUNC_rand_get_seed(fns);
break;
case OSSL_FUNC_RAND_CLEAR_SEED:
if (rand->clear_seed != NULL)
break;
rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns);
break;
}
}
/*
@ -680,3 +692,59 @@ int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx)
evp_rand_unlock(ctx);
return res;
}
int evp_rand_can_seed(EVP_RAND_CTX *ctx)
{
return ctx->meth->get_seed != NULL;
}
static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx,
unsigned char **buffer,
int entropy,
size_t min_len, size_t max_len,
int prediction_resistance,
const unsigned char *adin,
size_t adin_len)
{
if (ctx->meth->get_seed != NULL)
return ctx->meth->get_seed(ctx->algctx, buffer,
entropy, min_len, max_len,
prediction_resistance,
adin, adin_len);
return 0;
}
size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
unsigned char **buffer,
int entropy, size_t min_len, size_t max_len,
int prediction_resistance,
const unsigned char *adin, size_t adin_len)
{
int res;
if (!evp_rand_lock(ctx))
return 0;
res = evp_rand_get_seed_locked(ctx,
buffer,
entropy, min_len, max_len,
prediction_resistance,
adin, adin_len);
evp_rand_unlock(ctx);
return res;
}
static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx,
unsigned char *buffer, size_t b_len)
{
if (ctx->meth->clear_seed != NULL)
ctx->meth->clear_seed(ctx->algctx, buffer, b_len);
}
void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
unsigned char *buffer, size_t b_len)
{
if (!evp_rand_lock(ctx))
return;
evp_rand_clear_seed_locked(ctx, buffer, b_len);
evp_rand_unlock(ctx);
}

34
crypto/rand/prov_seed.c
View File

@ -8,6 +8,7 @@
*/
#include "rand_local.h"
#include "crypto/evp.h"
#include "crypto/rand.h"
#include "crypto/rand_pool.h"
#include "internal/core.h"
@ -44,31 +45,13 @@ size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx,
unsigned char **pout, int entropy,
size_t min_len, size_t max_len)
{
unsigned char *buf;
EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
size_t ret;
if (rng == NULL)
if (rng != NULL && evp_rand_can_seed(rng))
return evp_rand_get_seed(rng, pout, entropy, min_len, max_len,
0, NULL, 0);
else
return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len);
/* Determine how many bytes to generate */
ret = entropy > 0 ? (size_t)(7 + entropy) / 8 : min_len;
if (ret < min_len)
ret = min_len;
else if (ret > max_len)
ret = max_len;
/* Allocate the return buffer */
if ((buf = OPENSSL_secure_malloc(ret)) == NULL)
return 0;
/* Fill the buffer */
if (!EVP_RAND_generate(rng, buf, ret, entropy, 0, NULL, 0)) {
OPENSSL_free(buf);
return 0;
}
*pout = buf;
return ret;
}
void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
@ -80,7 +63,12 @@ void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx,
unsigned char *buf, size_t len)
{
OPENSSL_secure_clear_free(buf, len);
EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
if (rng != NULL && evp_rand_can_seed(rng))
evp_rand_clear_seed(rng, buf, len);
else
OPENSSL_secure_clear_free(buf, len);
}
size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx,

8
include/crypto/evp.h
View File

@ -953,6 +953,14 @@ int evp_keymgmt_get_number(const EVP_KEYMGMT *keymgmt);
int evp_mac_get_number(const EVP_MAC *mac);
int evp_md_get_number(const EVP_MD *md);
int evp_rand_get_number(const EVP_RAND *rand);
int evp_rand_can_seed(EVP_RAND_CTX *ctx);
size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
unsigned char **buffer,
int entropy, size_t min_len, size_t max_len,
int prediction_resistance,
const unsigned char *adin, size_t adin_len);
void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
unsigned char *buffer, size_t b_len);
int evp_signature_get_number(const EVP_SIGNATURE *signature);
int evp_pkey_decrypt_alloc(EVP_PKEY_CTX *ctx, unsigned char **outp,

47
providers/implementations/rands/seed_src.c
View File

@ -177,33 +177,32 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
int prediction_resistance,
const unsigned char *adin, size_t adin_len)
{
size_t bytes_needed;
unsigned char *p;
size_t ret = 0;
size_t entropy_available = 0;
size_t i;
RAND_POOL *pool;
/*
* Figure out how many bytes we need.
* This assumes that the seed sources provide eight bits of entropy
* per byte. For lower quality sources, the formula will need to be
* different.
*/
bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len) {
pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
return 0;
}
/* Get entropy by polling system entropy sources. */
entropy_available = ossl_pool_acquire_entropy(pool);
if (entropy_available > 0) {
ret = ossl_rand_pool_length(pool);
*pout = ossl_rand_pool_detach(pool);
/* xor the additional data into the output */
for (i = 0 ; i < adin_len ; ++i)
(*pout)[i % ret] ^= adin[i];
} else {
ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
return 0;
}
p = OPENSSL_secure_malloc(bytes_needed);
if (p == NULL)
return 0;
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
adin, adin_len) != 0) {
*pout = p;
return bytes_needed;
}
OPENSSL_secure_clear_free(p, bytes_needed);
return 0;
ossl_rand_pool_free(pool);
return ret;
}
static void seed_clear_seed(ossl_unused void *vdrbg,