diff --git a/CHANGES b/CHANGES index 8ec710732e..5cd0db8300 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Precautions against using the PRNG uninitialized: RAND_bytes() now + has a return value which indicated the quality of the random data + (1 = ok, 0 = not seeded). + [Ulf Möller] + *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes instead of only 2 for all lengths; see BN_prime_checks definition diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index 57305c7273..f4f596a481 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -75,6 +75,7 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem, BN_CTX *ctx); static int probable_prime_dh_safe(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem, BN_CTX *ctx); + BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg) { diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 91b8e34ae6..b567b43a6f 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -81,9 +81,10 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) /* make a random number and set the top and bottom bits */ time(&tim); - RAND_seed(&tim,sizeof(tim)); + RAND_add(&tim,sizeof(tim),0); - RAND_bytes(buf,(int)bytes); + if (RAND_bytes(buf,(int)bytes) <= 0) + goto err; if (top) { if (bit == 0) diff --git a/crypto/err/err.c b/crypto/err/err.c index 8810d838c6..8baa53c40d 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -100,6 +100,7 @@ static ERR_STRING_DATA ERR_str_libraries[]= {ERR_PACK(ERR_LIB_PKCS7,0,0) ,"PKCS7 routines"}, {ERR_PACK(ERR_LIB_X509V3,0,0) ,"X509 V3 routines"}, {ERR_PACK(ERR_LIB_PKCS12,0,0) ,"PKCS12 routines"}, +{ERR_PACK(ERR_LIB_RAND,0,0) ,"random number generator"}, {0,NULL}, }; diff --git a/crypto/err/err.h b/crypto/err/err.h index 9411fb3568..44ddc78ec3 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -122,6 +122,7 @@ typedef struct err_state_st #define ERR_LIB_PKCS7 33 #define ERR_LIB_X509V3 34 #define ERR_LIB_PKCS12 35 +#define ERR_LIB_RAND 36 #define ERR_LIB_USER 128 @@ -149,6 +150,7 @@ typedef struct err_state_st #define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),ERR_file_name,__LINE__) #define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),ERR_file_name,__LINE__) #define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),ERR_file_name,__LINE__) +#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),ERR_file_name,__LINE__) /* Borland C seems too stupid to be able to shift and do longs in * the pre-processor :-( */ diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index ad820227d2..a6f6447a73 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -116,5 +116,6 @@ void ERR_load_crypto_strings(void) ERR_load_CRYPTO_strings(); ERR_load_PKCS7_strings(); ERR_load_PKCS12_strings(); + ERR_load_RAND_strings(); #endif } diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index c2a8acff0c..a3f3989c12 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -21,6 +21,7 @@ L PKCS12 crypto/pkcs12/pkcs12.h crypto/pkcs12/pk12err.c L RSAREF rsaref/rsaref.h rsaref/rsar_err.c L SSL ssl/ssl.h ssl/ssl_err.c L COMP crypto/comp/comp.h crypto/comp/comp_err.c +L RAND crypto/rand/rand.h crypto/rand/rand_err.c F RSAREF_F_RSA_BN2BIN diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 396862767f..5957162843 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -267,8 +267,8 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) return NULL; } p8->pkey->type = V_ASN1_OCTET_STRING; - RAND_seed (p8->pkey->value.octet_string->data, - p8->pkey->value.octet_string->length); + RAND_add(p8->pkey->value.octet_string->data, + p8->pkey->value.octet_string->length, 0); return p8; } diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index 09b46f4b0e..7966545e21 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -73,7 +73,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek, int i; if (npubk <= 0) return(0); - RAND_bytes(key,EVP_MAX_KEY_LENGTH); + if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) == -1) return(0); if (type->iv_len > 0) RAND_bytes(iv,type->iv_len); diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index bb2597b921..449a1fe984 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -378,7 +378,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, #endif kstr=(unsigned char *)buf; } - RAND_seed(data,i);/* put in the RSA key. */ + RAND_add(data,i,0);/* put in the RSA key. */ RAND_bytes(iv,8); /* Generate a salt */ /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index fa0159ee1d..78355c9387 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -161,7 +161,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) BIO_get_cipher_ctx(btmp, &ctx); keylen=EVP_CIPHER_key_length(evp_cipher); ivlen=EVP_CIPHER_iv_length(evp_cipher); - RAND_bytes(key,keylen); + if (RAND_bytes(key,keylen) <= 0) + goto err; xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); if (ivlen > 0) RAND_bytes(iv,ivlen); EVP_CipherInit(ctx, evp_cipher, key, iv, 1); diff --git a/crypto/rand/Makefile.ssl b/crypto/rand/Makefile.ssl index 76bfdfeae5..41190f5f46 100644 --- a/crypto/rand/Makefile.ssl +++ b/crypto/rand/Makefile.ssl @@ -22,8 +22,8 @@ TEST= randtest.c APPS= LIB=$(TOP)/libcrypto.a -LIBSRC=md_rand.c randfile.c rand_lib.c -LIBOBJ=md_rand.o randfile.o rand_lib.o +LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c +LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o SRC= $(LIBSRC) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 98ad429c68..d727fff924 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ +#define ENTROPY_NEEDED 32 /* require 128 bits of randomness */ + #ifndef MD_RAND_DEBUG # ifndef NDEBUG # define NDEBUG @@ -70,6 +72,7 @@ #include "openssl/e_os.h" #include +#include #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) #if !defined(NO_SHA) && !defined(NO_SHA1) @@ -135,17 +138,20 @@ static int state_num=0,state_index=0; static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH]; static unsigned char md[MD_DIGEST_LENGTH]; static long md_count[2]={0,0}; +static int entropy=0; const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT; static void ssleay_rand_cleanup(void); static void ssleay_rand_seed(const void *buf, int num); -static void ssleay_rand_bytes(unsigned char *buf, int num); +static void ssleay_rand_add(const void *buf, int num, int entropy); +static int ssleay_rand_bytes(unsigned char *buf, int num); RAND_METHOD rand_ssleay_meth={ ssleay_rand_seed, ssleay_rand_bytes, ssleay_rand_cleanup, + ssleay_rand_add, }; RAND_METHOD *RAND_SSLeay(void) @@ -161,9 +167,10 @@ static void ssleay_rand_cleanup(void) memset(md,0,MD_DIGEST_LENGTH); md_count[0]=0; md_count[1]=0; + entropy=0; } -static void ssleay_rand_seed(const void *buf, int num) +static void ssleay_rand_add(const void *buf, int num, int add) { int i,j,k,st_idx; long md_c[2]; @@ -276,11 +283,18 @@ static void ssleay_rand_seed(const void *buf, int num) #ifndef THREADS assert(md_c[1] == md_count[1]); #endif + entropy += add; } -static void ssleay_rand_bytes(unsigned char *buf, int num) +static void ssleay_rand_seed(const void *buf, int num) + { + ssleay_rand_add(buf, num, num); + } + +static int ssleay_rand_bytes(unsigned char *buf, int num) { int i,j,k,st_num,st_idx; + int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; MD_CTX m; @@ -299,7 +313,7 @@ static void ssleay_rand_bytes(unsigned char *buf, int num) for (i=0; i= ENTROPY_NEEDED); + st_idx=state_index; st_num=state_num; md_c[0] = md_count[0]; @@ -426,6 +442,13 @@ static void ssleay_rand_bytes(unsigned char *buf, int num) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); memset(&m,0,sizeof(m)); + if (ok) + return(1); + else + { + RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED); + return(0); + } } #ifdef WINDOWS diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h index fd8ee38366..35a3bb6e10 100644 --- a/crypto/rand/rand.h +++ b/crypto/rand/rand.h @@ -66,24 +66,41 @@ extern "C" { typedef struct rand_meth_st { void (*seed)(const void *buf, int num); - void (*bytes)(unsigned char *buf, int num); + int (*bytes)(unsigned char *buf, int num); void (*cleanup)(void); + void (*add)(const void *buf, int num, int entropy); } RAND_METHOD; void RAND_set_rand_method(RAND_METHOD *meth); RAND_METHOD *RAND_get_rand_method(void ); RAND_METHOD *RAND_SSLeay(void); void RAND_cleanup(void ); -void RAND_bytes(unsigned char *buf,int num); +int RAND_bytes(unsigned char *buf,int num); void RAND_seed(const void *buf,int num); +void RAND_add(const void *buf,int num,int entropy); int RAND_load_file(const char *file,long max_bytes); int RAND_write_file(const char *file); char *RAND_file_name(char *file,int num); #ifdef WINDOWS void RAND_screen(void); #endif +void ERR_load_RAND_strings(void); + +/* BEGIN ERROR CODES */ +/* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ + +/* Error codes for the RAND functions. */ + +/* Function codes. */ +#define RAND_F_SSLEAY_RAND_BYTES 100 + +/* Reason codes. */ +#define RAND_R_PRNG_NOT_SEEDED 100 + #ifdef __cplusplus } #endif - #endif + diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c new file mode 100644 index 0000000000..a5b2814d34 --- /dev/null +++ b/crypto/rand/rand_err.c @@ -0,0 +1,93 @@ +/* crypto/rand/rand_err.c */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* NOTE: this file was auto generated by the mkerr.pl script: any changes + * made to it will be overwritten when the script next updates this file. + */ + +#include +#include +#include + +/* BEGIN ERROR CODES */ +#ifndef NO_ERR +static ERR_STRING_DATA RAND_str_functs[]= + { +{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "ssleay_rand_bytes"}, +{0,NULL} + }; + +static ERR_STRING_DATA RAND_str_reasons[]= + { +{RAND_R_PRNG_NOT_SEEDED ,"prng not seeded"}, +{0,NULL} + }; + +#endif + +void ERR_load_RAND_strings(void) + { + static int init=1; + + if (init) + { + init=0; +#ifndef NO_ERR + ERR_load_strings(ERR_LIB_RAND,RAND_str_functs); + ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons); +#endif + + } + } diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 0f96e166e5..3cdba48ba8 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -89,9 +89,16 @@ void RAND_seed(const void *buf, int num) rand_meth->seed(buf,num); } -void RAND_bytes(unsigned char *buf, int num) +void RAND_add(const void *buf, int num, int entropy) { if (rand_meth != NULL) - rand_meth->bytes(buf,num); + rand_meth->add(buf,num,entropy); + } + +int RAND_bytes(unsigned char *buf, int num) + { + if (rand_meth != NULL) + return rand_meth->bytes(buf,num); + return(-1); } diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 942a963e83..97c3ece535 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -91,7 +91,7 @@ int RAND_load_file(const char *file, long bytes) i=stat(file,&sb); /* If the state fails, put some crap in anyway */ - RAND_seed(&sb,sizeof(sb)); + RAND_add(&sb,sizeof(sb),0); ret+=sizeof(sb); if (i < 0) return(0); if (bytes <= 0) return(ret); @@ -104,7 +104,7 @@ int RAND_load_file(const char *file, long bytes) i=fread(buf,1,n,in); if (i <= 0) break; /* even if n != i, use the full array */ - RAND_seed(buf,n); + RAND_add(buf,n,i); ret+=i; bytes-=n; if (bytes <= 0) break; diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 843c40c864..1465c01f4f 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -50,7 +50,8 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); - RAND_bytes(seed, SHA_DIGEST_LENGTH); + if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0) + return (0); #ifdef PKCS_TESTVECT memcpy(seed, "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index f0ae51f234..b35eb62682 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -155,12 +155,14 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, /* pad out with non-zero random data */ j=tlen-3-flen; - RAND_bytes(p,j); + if (RAND_bytes(p,j) <= 0) + return(0); for (i=0; i