openssl/crypto
Dr. Matthias St. Pierre 3064b55134 DRBG: fix reseeding via RAND_add()/RAND_seed() with large input
In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
was implemented by buffering the data in a random pool where it is
picked up later by the rand_drbg_get_entropy() callback. This buffer
was limited to the size of 4096 bytes.

When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
the reseeding failed, but the error returned by the DRBG was ignored
by the two calling functions, which both don't return an error code.
As a consequence, the data provided by the application was effectively
ignored.

This commit fixes the problem by a more efficient implementation which
does not copy the data in memory and by raising the buffer the size limit
to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
but it was chosen intentionally to avoid platform dependent problems
like integer sizes and/or signed/unsigned conversion.

Additionally, the DRBG is now less permissive on errors: In addition to
pushing a message to the openssl error stack, it enters the error state,
which forces a reinstantiation on next call.

Thanks go to Dr. Falko Strenzke for reporting this issue to the
openssl-security mailing list. After internal discussion the issue
has been categorized as not being security relevant, because the DRBG
reseeds automatically and is fully functional even without additional
randomness provided by the application.

Fixes #7381

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7382)
2018-10-16 22:15:43 +02:00
..
aes Update copyright year 2018-09-11 13:45:17 +01:00
aria Fix potential null problem. 2017-09-01 09:30:18 +10:00
asn1 ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes 2018-09-09 03:39:37 +02:00
async Update copyright year 2018-05-01 13:34:30 +01:00
bf Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
bio Fix the BIO callback return code handling 2018-10-04 14:16:16 +01:00
blake2 Remove parentheses of return. 2017-10-18 16:05:06 +01:00
bn crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG 2018-09-21 11:15:25 +02:00
buffer Update copyright year 2018-04-03 13:57:12 +01:00
camellia Update copyright year 2018-09-11 13:45:17 +01:00
cast Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
chacha chacha/asm/chacha-x86_64.pl: add dedicated path for 128-byte inputs. 2018-07-03 19:02:02 +02:00
cmac Update copyright year 2018-04-17 15:18:40 +02:00
cms Update copyright year 2018-09-11 13:45:17 +01:00
comp Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
conf Use secure_getenv(3) when available. 2018-09-24 11:21:18 +10:00
ct Use secure_getenv(3) when available. 2018-09-24 11:21:18 +10:00
des Update copyright year 2018-04-03 13:57:12 +01:00
dh Harmonize the error handling codepath 2018-09-05 15:22:35 +03:00
dsa Update copyright year 2018-09-11 13:45:17 +01:00
dso Extend dladdr() for AIX, consequence from changes for openssl#6368. 2018-08-22 21:50:33 +02:00
ec Update copyright year 2018-09-11 13:45:17 +01:00
engine /dev/crypto engine: give CIOCFSESSION the actual sess-id 2018-10-05 21:54:49 +02:00
err DRBG: fix reseeding via RAND_add()/RAND_seed() with large input 2018-10-16 22:15:43 +02:00
evp Fix some Coverity warnings 2018-10-02 10:52:57 +01:00
hmac Fix HMAC SHA3-224 and HMAC SHA3-256. 2018-09-04 08:09:12 +10:00
idea Remove parentheses of return. 2017-10-18 16:05:06 +01:00
include/internal DRBG: fix reseeding via RAND_add()/RAND_seed() with large input 2018-10-16 22:15:43 +02:00
kdf hkdf zeroization fix 2018-09-05 05:21:46 +10:00
lhash Update copyright year 2018-09-11 13:45:17 +01:00
md2 Remove parentheses of return. 2017-10-18 16:05:06 +01:00
md4 Remove parentheses of return. 2017-10-18 16:05:06 +01:00
md5 Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
mdc2 Remove parentheses of return. 2017-10-18 16:05:06 +01:00
modes Update copyright year 2018-09-11 13:45:17 +01:00
objects Make OBJ_NAME case insensitive. 2018-09-04 07:35:45 +10:00
ocsp Update copyright year 2018-09-11 13:45:17 +01:00
pem key zeroisation for pvkfmt now done on all branch paths 2018-09-05 05:14:02 +10:00
perlasm Update copyright year 2018-09-11 13:45:17 +01:00
pkcs7 Update copyright year 2018-09-11 13:45:17 +01:00
pkcs12 Use secure_getenv(3) when available. 2018-09-24 11:21:18 +10:00
poly1305 Fix a nit of copyright date range 2018-10-09 13:02:37 +08:00
rand DRBG: fix reseeding via RAND_add()/RAND_seed() with large input 2018-10-16 22:15:43 +02:00
rc2 Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
rc4 Update copyright year 2018-09-11 13:45:17 +01:00
rc5 Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
ripemd Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
rsa rsa/rsa_ossl.c: fix and extend commentary [skip ci]. 2018-10-12 22:26:02 +02:00
seed Update copyright year 2018-09-11 13:45:17 +01:00
sha sha/asm/keccak1600-s390x.pl: resolve -march=z900 portability issue. 2018-10-12 20:51:27 +02:00
siphash Update copyright year 2018-09-11 13:45:17 +01:00
sm2 crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined 2018-09-12 02:06:26 +02:00
sm3 SM3: restructure to EVP internal and update doc to right location 2017-11-06 07:21:15 +08:00
sm4 SM4: Add SM4 block cipher to EVP 2017-10-31 15:19:14 +10:00
srp Make ck_errf.pl ignore commented out error generation 2018-06-12 12:31:45 +02:00
stack Revert "stack/stack.c: omit redundant NULL checks." 2018-08-09 14:37:10 +01:00
store crypto/*: address standard-compilance nits. 2018-07-20 13:40:30 +02:00
ts Check conversion return in ASN1_INTEGER_print_bio. 2018-07-31 11:37:05 +10:00
txt_db Update copyright year 2018-04-03 13:57:12 +01:00
ui crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too 2018-09-20 06:39:07 +02:00
whrlpool Harmonize the make variables across all known platforms families 2018-02-14 17:13:53 +01:00
x509 Use secure_getenv(3) when available. 2018-09-24 11:21:18 +10:00
x509v3 Update copyright year 2018-09-11 13:45:17 +01:00
alphacpuid.pl
arm64cpuid.pl {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp. 2018-06-03 21:15:18 +02:00
arm_arch.h Fix building linux-armv4 with --strict-warnings 2018-04-20 15:49:33 +02:00
armcap.c crypto/armcap.c: mask SHA512 hardware detection on iOS. 2018-03-06 23:18:24 +01:00
armv4cpuid.pl Update copyright year 2018-05-01 13:34:30 +01:00
build.info Use secure_getenv(3) when available. 2018-09-24 11:21:18 +10:00
c64xpluscpuid.pl Many spelling fixes/typo's corrected. 2017-11-11 19:03:10 -05:00
cpt_err.c Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
cryptlib.c minor fixes for Windows 2018-09-12 09:16:07 +02:00
ctype.c Check for EOF in ASCII conversions. 2017-08-25 06:42:17 +10:00
cversion.c Fix SOURCE_DATE_EPOCH bug; use UTC 2017-11-27 14:34:14 -05:00
dllmain.c Update copyright year 2018-09-11 13:45:17 +01:00
ebcdic.c Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
ex_data.c Ensure the thread keys are always allocated in the same order 2018-04-20 15:45:06 +02:00
getenv.c Use secure_getenv(3) when available. 2018-09-24 11:21:18 +10:00
ia64cpuid.S Fix typo in files in crypto folder 2017-08-05 20:42:06 +02:00
init.c crypto/init.c: improve destructor_key's portability. 2018-08-22 21:46:01 +02:00
LPdir_nyi.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_unix.c typo-fixes: miscellaneous typo fixes 2018-09-21 23:55:22 +02:00
LPdir_vms.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_win32.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_win.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_wince.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
mem_clr.c
mem_dbg.c Update copyright year 2018-02-13 13:59:25 +00:00
mem_sec.c test/secmemtest: test secure memory only if it is implemented 2018-10-05 12:19:48 +02:00
mem.c crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG. 2018-08-07 09:08:50 +02:00
mips_arch.h
o_dir.c Move e_os.h to be the very first include. 2017-08-30 07:20:44 +10:00
o_fips.c Clean up references to FIPS 2017-02-28 15:26:25 +01:00
o_fopen.c Add missing include file. 2018-09-17 10:40:32 +10:00
o_init.c Use "" not <> on e_os.h include 2017-08-22 11:07:56 -04:00
o_str.c Revert "GH614: Use memcpy()/strdup() when possible" 2017-09-14 10:26:54 +10:00
o_time.c Update copyright year 2018-04-03 13:57:12 +01:00
pariscid.pl PA-RISC assembly pack: make it work with GNU assembler for HP-UX. 2018-06-25 16:45:48 +02:00
ppc_arch.h
ppccap.c crypto/ppccap.c: wire new ChaCha20_ctr32_vsx. 2018-06-06 22:14:15 +02:00
ppccpuid.pl
s390x_arch.h s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
s390xcap.c s390x assembly pack: extend s390x capability vector. 2017-10-30 14:31:32 +01:00
s390xcpuid.pl s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
sparc_arch.h
sparccpuid.S Clean up references to FIPS 2017-02-28 15:26:25 +01:00
sparcv9cap.c Create a prototype for OPENSSL_rdtsc 2017-11-25 14:30:11 +01:00
threads_none.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
threads_pthread.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
threads_win.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
uid.c Update copyright year 2018-09-11 13:45:17 +01:00
vms_rms.h
x86_64cpuid.pl {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp. 2018-06-03 21:15:18 +02:00
x86cpuid.pl Fix issues in ia32 RDRAND asm leading to reduced entropy 2018-03-08 10:27:49 -05:00