openssl/crypto
Dr. Matthias St. Pierre 0768b38b80 drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)
Since commit 7c226dfc43 a chained DRBG does not add additional
data anymore when reseeding from its parent. The reason is that
the size of the additional data exceeded the allowed size when
no derivation function was used.

This commit provides an alternative fix: instead of adding the
entire DRBG's complete state, we just add the DRBG's address
in memory, thereby providing some distinction between the different
DRBG instances.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9832)
2019-09-11 11:22:18 +02:00
..
aes Fix Typos 2019-07-02 14:22:29 +02:00
aria Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
asn1 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation. 2019-09-06 16:11:27 +01:00
async Regenerate mkerr files 2019-07-16 05:26:28 +02:00
bf Move bf_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
bio BIO_lookup_ex: Do not retry on EAI_MEMORY 2019-08-13 11:40:55 +02:00
blake2 Move BLAKE2 MACs to the providers 2019-08-15 22:12:25 +02:00
bn Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations 2019-09-07 02:06:29 +03:00
buffer Make the EC code available from inside the FIPS provider 2019-08-06 11:19:07 +01:00
camellia Move cmll_asm_src file information to build.info files 2019-06-17 16:08:53 +02:00
cast Move cast_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
chacha Move chacha_asm_src file information to build.info files 2019-06-17 16:08:53 +02:00
cmac Coverty fixes for MACs 2019-08-27 18:55:01 +02:00
cmp Regenerate mkerr files 2019-07-16 05:26:28 +02:00
cms Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 2019-09-10 11:31:25 +01:00
comp Regenerate mkerr files 2019-07-16 05:26:28 +02:00
conf Replace FUNCerr with ERR_raise_data 2019-08-02 11:41:54 +02:00
crmf OSSL_PARAM_construct_utf8_string computes the string length. 2019-09-04 19:41:22 +10:00
ct Regenerate mkerr files 2019-07-16 05:26:28 +02:00
des Cleanup ciphers and Add 3des ciphers. 2019-08-26 17:05:08 +10:00
dh Usages of KDFs converted to use the name macros 2019-09-11 10:22:49 +10:00
dsa Implement DSA in the default provider 2019-09-09 14:00:00 +01:00
dso Cygwin: enable the use of Dl_info and dladdr() 2019-07-21 11:06:22 +02:00
ec Usages of KDFs converted to use the name macros 2019-09-11 10:22:49 +10:00
engine Remove extern declarations of OPENSSL_ia32cap_P 2019-09-01 15:41:58 +02:00
err KDF error codes reworked 2019-09-06 19:27:57 +10:00
ess Regenerate mkerr files 2019-07-16 05:26:28 +02:00
evp Add EVP_CIPHER_CTX_tag_length() 2019-09-11 17:52:30 +10:00
hmac Move HMAC to providers 2019-08-15 22:12:25 +02:00
idea Following the license change, modify the boilerplates in crypto/idea/ 2018-12-06 14:56:39 +01:00
include/internal drbg: ensure fork-safety without using a pthread_atfork handler 2019-09-11 11:22:18 +02:00
lhash Fix Typos 2019-07-02 14:22:29 +02:00
md2 Following the license change, modify the boilerplates in crypto/mdN/ 2018-12-06 15:04:11 +01:00
md4 Following the license change, modify the boilerplates in crypto/mdN/ 2018-12-06 15:04:11 +01:00
md5 Move md5_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
mdc2 Following the license change, modify the boilerplates in crypto/mdc2/ 2018-12-06 15:04:57 +01:00
modes OSSL_PARAM_construct_utf8_string computes the string length. 2019-09-04 19:41:22 +10:00
objects Load the config file by default 2019-08-01 09:59:20 +01:00
ocsp Regenerate mkerr files 2019-07-16 05:26:28 +02:00
pem Fix SCA vulnerability when using PVK and MSBLOB key formats 2019-08-27 09:07:30 +01:00
perlasm s390x assembly pack: update perlasm module 2019-04-25 23:07:36 +02:00
pkcs7 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 2019-09-10 11:31:25 +01:00
pkcs12 Regenerate mkerr files 2019-07-16 05:26:28 +02:00
poly1305 Move Poly1305 to providers 2019-08-15 22:12:25 +02:00
property Make sure we pre-initialise properties 2019-08-29 10:50:47 +01:00
rand drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt) 2019-09-11 11:22:18 +02:00
rc2 Following the license change, modify the boilerplates in crypto/rcN/ 2018-12-06 15:14:57 +01:00
rc4 Move rc4_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
rc5 Change RC5_32_set_key to return an int type 2019-07-01 10:18:37 +01:00
ripemd Move rmd160_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
rsa Coverity 1453629 and 1453638: Error handling issues (NEGATIVE_RETURNS) 2019-09-11 08:27:27 +10:00
seed Following the license change, modify the boilerplates in crypto/seed/ 2018-12-06 15:22:15 +01:00
sha Directly return from final sha3/keccak_final if no bytes are requested 2019-08-18 21:06:03 +02:00
siphash Move SipHash to providers 2019-08-15 22:12:25 +02:00
sm2 Support parsing of SM2 ID in hexdecimal 2019-08-22 10:29:28 +08:00
sm3 Move digests to providers 2019-06-04 12:09:50 +10:00
sm4 Following the license change, modify the boilerplates in crypto/smN/ 2018-12-06 15:24:52 +01:00
srp Remove unnecessary trailing whitespace 2019-02-05 16:25:11 +01:00
stack Make core code available within the FIPS module 2019-05-23 11:02:04 +01:00
store Replace FUNCerr with ERR_raise_data 2019-08-02 11:41:54 +02:00
ts Regenerate mkerr files 2019-07-16 05:26:28 +02:00
txt_db Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
ui Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
whrlpool Remove extern declarations of OPENSSL_ia32cap_P 2019-09-01 15:41:58 +02:00
x509 Fix error handling in x509_lu.c 2019-09-05 08:37:55 +02:00
alphacpuid.pl Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
arm64cpuid.pl Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
arm_arch.h Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
armcap.c crypto/armcap.c, crypto/ppccap.c: stricter use of getauxval() 2019-01-16 18:00:48 +01:00
armv4cpuid.pl ARM assembly pack: make it Windows-friendly. 2019-02-16 16:59:23 +01:00
asn1_dsa.c remove end of line whitespace 2019-07-12 06:27:19 +10:00
bsearch.c ossl_bsearch(): New generic internal binary search utility function 2019-05-08 16:17:16 +02:00
build.info Cleanse crypto/kdf directory 2019-09-06 19:27:57 +10:00
c64xpluscpuid.pl Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
context.c Make sure we pre-initialise properties 2019-08-29 10:50:47 +01:00
core_algorithm.c Add internal function ossl_algorithm_do_all() 2019-07-23 06:34:09 +02:00
core_fetch.c Modify ossl_method_store_add() to accept an OSSL_PROVIDER and check for it 2019-08-22 01:50:30 +02:00
core_namemap.c OSSL_NAMEMAP: make names case insensitive 2019-06-24 10:58:13 +02:00
cpt_err.c Add OPENSSL_hexstr2buf_ex() and OPENSSL_buf2hexstr_ex() 2019-08-12 12:50:41 +02:00
cryptlib.c Remove extern declarations of OPENSSL_ia32cap_P 2019-09-01 15:41:58 +02:00
ctype.c Add missing EBCDIC strings 2019-08-14 10:41:41 +01:00
cversion.c Undeprecate OpenSSL_version_num and OPENSSL_VERSION_NUMBER 2019-09-05 21:48:41 +02:00
dllmain.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
ebcdic.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
ex_data.c Access data after obtaining the lock not before. 2019-08-12 21:37:55 +10:00
getenv.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
ia64cpuid.S Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
info.c Add CPU info to the speed command summary 2019-09-02 20:46:34 +02:00
init.c drbg: ensure fork-safety without using a pthread_atfork handler 2019-09-11 11:22:18 +02:00
initthread.c Fix init_get_thread_local() 2019-07-18 06:20:55 +02:00
LPdir_nyi.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
LPdir_unix.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
LPdir_vms.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
LPdir_win32.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
LPdir_win.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
LPdir_wince.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
mem_clr.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
mem_dbg.c Fix deprecation inconsisteny w.r.t. CRYPTO_mem_debug_{push,pop}() 2019-08-04 13:15:30 +02:00
mem_sec.c Use vxRandLib for VxWorks7 2019-05-02 23:32:44 +02:00
mem.c Create a FIPS provider and put SHA256 in it 2019-04-04 23:09:47 +01:00
mips_arch.h Fix compiling error for mips32r6 and mips64r6 2019-03-19 07:36:21 +01:00
o_dir.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
o_fips.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
o_fopen.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
o_init.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
o_str.c Add OPENSSL_hexstr2buf_ex() and OPENSSL_buf2hexstr_ex() 2019-08-12 12:50:41 +02:00
o_time.c Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
packet.c Give WPACKET the ability to have a NULL buffer underneath it 2019-07-12 06:26:46 +10:00
param_build.c Fix ossl_param_bld_push_{utf8,octet}_string() / param_bld_convert() 2019-08-21 11:18:58 +02:00
params_from_text.c Params from text to allow zero length value fields 2019-09-06 19:27:57 +10:00
params.c OSSL_PARAM_construct_utf8_string computes the string length. 2019-09-04 19:41:22 +10:00
pariscid.pl Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
ppc_arch.h PPC: Try out if mftb works before using it 2019-01-21 15:42:04 +01:00
ppccap.c Make the EC code available from inside the FIPS provider 2019-08-06 11:19:07 +01:00
ppccpuid.pl PPC: Try out if mftb works before using it 2019-01-21 15:42:04 +01:00
provider_conf.c Load the config file by default 2019-08-01 09:59:20 +01:00
provider_core.c ossl_provider_library_context(NULL) returns NULL. 2019-09-06 19:27:57 +10:00
provider_local.h Replumbing: Add a mechanism to pre-populate the provider store 2019-03-19 14:06:58 +01:00
provider_predefined.c Make core code available within the FIPS module 2019-05-23 11:02:04 +01:00
provider.c Rename provider and core get_param_types functions 2019-08-15 11:58:25 +02:00
README.sparse_array Fix Typos 2019-07-02 14:22:29 +02:00
s390x_arch.h Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
s390xcap.c s390x assembly pack: use getauxval to detect hw capabilities 2019-07-26 22:31:48 +02:00
s390xcpuid.pl s390xcpuid.pl: fix comment 2019-08-15 16:27:38 +02:00
sparc_arch.h Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
sparccpuid.S Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
sparcv9cap.c Ensure we get all the right defines for AES assembler in FIPS module 2019-06-03 12:56:53 +01:00
sparse_array.c Fix Typos 2019-07-02 14:22:29 +02:00
threads_none.c drbg: ensure fork-safety without using a pthread_atfork handler 2019-09-11 11:22:18 +02:00
threads_pthread.c drbg: ensure fork-safety without using a pthread_atfork handler 2019-09-11 11:22:18 +02:00
threads_win.c drbg: ensure fork-safety without using a pthread_atfork handler 2019-09-11 11:22:18 +02:00
trace.c prevent endless recursion when trace API is used within OPENSSL_init_crypto() 2019-08-20 11:16:41 +08:00
uid.c Remove NextStep support 2019-07-01 13:32:46 -04:00
vms_rms.h Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
x86_64cpuid.pl Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00
x86cpuid.pl Following the license change, modify the boilerplates in crypto/ 2018-12-06 15:32:17 +01:00

The sparse_array.c file contains an implementation of a sparse array that
attempts to be both space and time efficient.

The sparse array is represented using a tree structure.  Each node in the
tree contains a block of pointers to either the user supplied leaf values or
to another node.

There are a number of parameters used to define the block size:

    OPENSSL_SA_BLOCK_BITS   Specifies the number of bits covered by each block
    SA_BLOCK_MAX            Specifies the number of pointers in each block
    SA_BLOCK_MASK           Specifies a bit mask to perform modulo block size
    SA_BLOCK_MAX_LEVELS     Indicates the maximum possible height of the tree

These constants are inter-related:
    SA_BLOCK_MAX        = 2 ^ OPENSSL_SA_BLOCK_BITS
    SA_BLOCK_MASK       = SA_BLOCK_MAX - 1
    SA_BLOCK_MAX_LEVELS = number of bits in size_t divided by
                          OPENSSL_SA_BLOCK_BITS rounded up to the next multiple
                          of OPENSSL_SA_BLOCK_BITS

OPENSSL_SA_BLOCK_BITS can be defined at compile time and this overrides the
built in setting.

As a space and performance optimisation, the height of the tree is usually
less than the maximum possible height.  Only sufficient height is allocated to
accommodate the largest index added to the data structure.

The largest index used to add a value to the array determines the tree height:

        +----------------------+---------------------+
        | Largest Added Index  |   Height of Tree    |
        +----------------------+---------------------+
        | SA_BLOCK_MAX     - 1 |          1          |
        | SA_BLOCK_MAX ^ 2 - 1 |          2          |
        | SA_BLOCK_MAX ^ 3 - 1 |          3          |
        | ...                  |          ...        |
        | size_t max           | SA_BLOCK_MAX_LEVELS |
        +----------------------+---------------------+

The tree height is dynamically increased as needed based on additions.

An empty tree is represented by a NULL root pointer.  Inserting a value at
index 0 results in the allocation of a top level node full of null pointers
except for the single pointer to the user's data (N = SA_BLOCK_MAX for
brevity):

        +----+
        |Root|
        |Node|
        +-+--+
          |
          |
          |
          v
        +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|
        |   |nil|nil|...|nil|
        +-+-+---+---+---+---+
          |
          |
          |
          v
        +-+--+
        |User|
        |Data|
        +----+
    Index 0


Inserting at element 2N+1 creates a new root node and pushes down the old root
node.  It then creates a second second level node to hold the pointer to the
user's new data:

        +----+
        |Root|
        |Node|
        +-+--+
          |
          |
          |
          v
        +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|
        |   |nil|   |...|nil|
        +-+-+---+-+-+---+---+
          |       |
          |       +------------------+
          |                          |
          v                          v
        +-+-+---+---+---+---+      +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|      | 0 | 1 | 2 |...|N-1|
        |nil|   |nil|...|nil|      |nil|   |nil|...|nil|
        +-+-+---+---+---+---+      +---+-+-+---+---+---+
          |                              |
          |                              |
          |                              |
          v                              v
        +-+--+                         +-+--+
        |User|                         |User|
        |Data|                         |Data|
        +----+                         +----+
    Index 0                       Index 2N+1


The nodes themselves are allocated in a sparse manner.  Only nodes which exist
along a path from the root of the tree to an added leaf will be allocated.
The complexity is hidden and nodes are allocated on an as needed basis.
Because the data is expected to be sparse this doesn't result in a large waste
of space.

Values can be removed from the sparse array by setting their index position to
NULL.  The data structure does not attempt to reclaim nodes or reduce the
height of the tree on removal.  For example, now setting index 0 to NULL would
result in:

        +----+
        |Root|
        |Node|
        +-+--+
          |
          |
          |
          v
        +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|
        |   |nil|   |...|nil|
        +-+-+---+-+-+---+---+
          |       |
          |       +------------------+
          |                          |
          v                          v
        +-+-+---+---+---+---+      +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|      | 0 | 1 | 2 |...|N-1|
        |nil|nil|nil|...|nil|      |nil|   |nil|...|nil|
        +---+---+---+---+---+      +---+-+-+---+---+---+
                                         |
                                         |
                                         |
                                         v
                                       +-+--+
                                       |User|
                                       |Data|
                                       +----+
                                  Index 2N+1


Accesses to elements in the sparse array take O(log n) time where n is the
largest element.  The base of the logarithm is SA_BLOCK_MAX, so for moderately
small indices (e.g. NIDs), single level (constant time) access is achievable.
Space usage is O(minimum(m, n log(n)) where m is the number of elements in the
array.

Note: sparse arrays only include pointers to types.  Thus, SPARSE_ARRAY_OF(char)
can be used to store a string.