mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 06:01:37 +08:00
849529257c
When the new OpenSSL CSPRNG was introduced in version 1.1.1,
it was announced in the release notes that it would be fork-safe,
which the old CSPRNG hadn't been.
The fork-safety was implemented using a fork count, which was
incremented by a pthread_atfork handler. Initially, this handler
was enabled by default. Unfortunately, the default behaviour
had to be changed for other reasons in commit b5319bdbd0, so
the new OpenSSL CSPRNG failed to keep its promise.
This commit restores the fork-safety using a different approach.
It replaces the fork count by a fork id, which coincides with
the process id on UNIX-like operating systems and is zero on other
operating systems. It is used to detect when an automatic reseed
after a fork is necessary.
To prevent a future regression, it also adds a test to verify that
the child reseeds after fork.
CVE-2019-1549
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9832)
172 lines
3.8 KiB
C
172 lines
3.8 KiB
C
/*
|
|
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#if defined(_WIN32)
|
|
# include <windows.h>
|
|
#endif
|
|
|
|
#include <openssl/crypto.h>
|
|
|
|
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && defined(OPENSSL_SYS_WINDOWS)
|
|
|
|
CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
|
|
{
|
|
CRYPTO_RWLOCK *lock;
|
|
|
|
if ((lock = OPENSSL_zalloc(sizeof(CRITICAL_SECTION))) == NULL) {
|
|
/* Don't set error, to avoid recursion blowup. */
|
|
return NULL;
|
|
}
|
|
|
|
#if !defined(_WIN32_WCE)
|
|
/* 0x400 is the spin count value suggested in the documentation */
|
|
if (!InitializeCriticalSectionAndSpinCount(lock, 0x400)) {
|
|
OPENSSL_free(lock);
|
|
return NULL;
|
|
}
|
|
#else
|
|
InitializeCriticalSection(lock);
|
|
#endif
|
|
|
|
return lock;
|
|
}
|
|
|
|
int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock)
|
|
{
|
|
EnterCriticalSection(lock);
|
|
return 1;
|
|
}
|
|
|
|
int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock)
|
|
{
|
|
EnterCriticalSection(lock);
|
|
return 1;
|
|
}
|
|
|
|
int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock)
|
|
{
|
|
LeaveCriticalSection(lock);
|
|
return 1;
|
|
}
|
|
|
|
void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock)
|
|
{
|
|
if (lock == NULL)
|
|
return;
|
|
|
|
DeleteCriticalSection(lock);
|
|
OPENSSL_free(lock);
|
|
|
|
return;
|
|
}
|
|
|
|
# define ONCE_UNINITED 0
|
|
# define ONCE_ININIT 1
|
|
# define ONCE_DONE 2
|
|
|
|
/*
|
|
* We don't use InitOnceExecuteOnce because that isn't available in WinXP which
|
|
* we still have to support.
|
|
*/
|
|
int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void))
|
|
{
|
|
LONG volatile *lock = (LONG *)once;
|
|
LONG result;
|
|
|
|
if (*lock == ONCE_DONE)
|
|
return 1;
|
|
|
|
do {
|
|
result = InterlockedCompareExchange(lock, ONCE_ININIT, ONCE_UNINITED);
|
|
if (result == ONCE_UNINITED) {
|
|
init();
|
|
*lock = ONCE_DONE;
|
|
return 1;
|
|
}
|
|
} while (result == ONCE_ININIT);
|
|
|
|
return (*lock == ONCE_DONE);
|
|
}
|
|
|
|
int CRYPTO_THREAD_init_local(CRYPTO_THREAD_LOCAL *key, void (*cleanup)(void *))
|
|
{
|
|
*key = TlsAlloc();
|
|
if (*key == TLS_OUT_OF_INDEXES)
|
|
return 0;
|
|
|
|
return 1;
|
|
}
|
|
|
|
void *CRYPTO_THREAD_get_local(CRYPTO_THREAD_LOCAL *key)
|
|
{
|
|
DWORD last_error;
|
|
void *ret;
|
|
|
|
/*
|
|
* TlsGetValue clears the last error even on success, so that callers may
|
|
* distinguish it successfully returning NULL or failing. It is documented
|
|
* to never fail if the argument is a valid index from TlsAlloc, so we do
|
|
* not need to handle this.
|
|
*
|
|
* However, this error-mangling behavior interferes with the caller's use of
|
|
* GetLastError. In particular SSL_get_error queries the error queue to
|
|
* determine whether the caller should look at the OS's errors. To avoid
|
|
* destroying state, save and restore the Windows error.
|
|
*
|
|
* https://msdn.microsoft.com/en-us/library/windows/desktop/ms686812(v=vs.85).aspx
|
|
*/
|
|
last_error = GetLastError();
|
|
ret = TlsGetValue(*key);
|
|
SetLastError(last_error);
|
|
return ret;
|
|
}
|
|
|
|
int CRYPTO_THREAD_set_local(CRYPTO_THREAD_LOCAL *key, void *val)
|
|
{
|
|
if (TlsSetValue(*key, val) == 0)
|
|
return 0;
|
|
|
|
return 1;
|
|
}
|
|
|
|
int CRYPTO_THREAD_cleanup_local(CRYPTO_THREAD_LOCAL *key)
|
|
{
|
|
if (TlsFree(*key) == 0)
|
|
return 0;
|
|
|
|
return 1;
|
|
}
|
|
|
|
CRYPTO_THREAD_ID CRYPTO_THREAD_get_current_id(void)
|
|
{
|
|
return GetCurrentThreadId();
|
|
}
|
|
|
|
int CRYPTO_THREAD_compare_id(CRYPTO_THREAD_ID a, CRYPTO_THREAD_ID b)
|
|
{
|
|
return (a == b);
|
|
}
|
|
|
|
int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
|
|
{
|
|
*ret = InterlockedExchangeAdd(val, amount) + amount;
|
|
return 1;
|
|
}
|
|
|
|
int openssl_init_fork_handlers(void)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
int openssl_get_fork_id(void)
|
|
{
|
|
return 0;
|
|
}
|
|
#endif
|