b1322259 | 1 | /* |
f61f62ea | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
dfeab068 | 3 | * |
b1322259 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
dfeab068 RE |
8 | */ |
9 | ||
10 | #include <stdio.h> | |
dfeab068 | 11 | #include <time.h> |
b39fc560 | 12 | #include "internal/cryptlib.h" |
98186eb4 | 13 | #include <openssl/opensslconf.h> |
63f483e1 | 14 | #include "internal/rand_int.h" |
3c27208f | 15 | #include <openssl/engine.h> |
87975cfa | 16 | #include "internal/thread_once.h" |
da8fc25a | 17 | #include "rand_lcl.h" |
20928ff6 KR |
18 | #ifdef OPENSSL_SYS_UNIX |
19 | # include <sys/types.h> | |
20 | # include <unistd.h> | |
21 | # include <sys/time.h> | |
22 | #endif | |
23 | #include "e_os.h" | |
dfeab068 | 24 | |
2b66fd57 P |
25 | /* Macro to convert two thirty two bit values into a sixty four bit one */ |
26 | #define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) | |
27 | ||
4cd58771 P |
28 | /* |
29 | * Check for the existence and support of POSIX timers. The standard | |
30 | * says that the _POSIX_TIMERS macro will have a positive value if they | |
31 | * are available. | |
32 | * | |
33 | * However, we want an additional constraint: that the timer support does | |
34 | * not require an extra library dependency. Early versions of glibc | |
35 | * require -lrt to be specified on the link line to access the timers, | |
36 | * so this needs to be checked for. | |
37 | * | |
38 | * It is worse because some libraries define __GLIBC__ but don't | |
39 | * support the version testing macro (e.g. uClibc). This means | |
40 | * an extra check is needed. | |
41 | * | |
42 | * The final condition is: | |
43 | * "have posix timers and either not glibc or glibc without -lrt" | |
44 | * | |
45 | * The nested #if sequences are required to avoid using a parameterised | |
46 | * macro that might be undefined. | |
47 | */ | |
48 | #undef OSSL_POSIX_TIMER_OKAY | |
49 | #if defined(_POSIX_TIMERS) && _POSIX_TIMERS > 0 | |
50 | # if defined(__GLIBC__) | |
51 | # if defined(__GLIBC_PREREQ) | |
52 | # if __GLIBC_PREREQ(2, 17) | |
53 | # define OSSL_POSIX_TIMER_OKAY | |
54 | # endif | |
55 | # endif | |
56 | # else | |
57 | # define OSSL_POSIX_TIMER_OKAY | |
58 | # endif | |
59 | #endif | |
60 | ||
#ifndef OPENSSL_NO_ENGINE
/*
 * non-NULL if default_RAND_meth is ENGINE-provided
 *
 * NOTE(review): this pointer is written under rand_meth_lock in
 * RAND_set_rand_method() and RAND_get_rand_method(), but under
 * rand_engine_lock in RAND_set_rand_engine(). The two locks do not
 * exclude each other, so the protection of funct_ref is not uniform.
 */
static ENGINE *funct_ref;
/* Taken by RAND_set_rand_engine() only (see the note above). */
static CRYPTO_RWLOCK *rand_engine_lock;
#endif
/* Guards default_RAND_meth, including its lazy selection. */
static CRYPTO_RWLOCK *rand_meth_lock;
/*
 * The active method. Stays NULL until RAND_set_rand_method() stores one
 * or RAND_get_rand_method() picks the default on first use.
 */
static const RAND_METHOD *default_RAND_meth;
/* One-time creation of the locks above, see do_rand_init(). */
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;

/*
 * Incremented by rand_fork(). Its readers live outside this file
 * (presumably the DRBG reseed logic) -- not visible here.
 */
int rand_fork_count;
87975cfa | 71 | |
8389ec4b RS |
72 | #ifdef OPENSSL_RAND_SEED_RDTSC |
73 | /* | |
74 | * IMPORTANT NOTE: It is not currently possible to use this code | |
9ed79d8e RS |
75 | * because we are not sure about the amount of randomness it provides. |
76 | * Some SP900 tests have been run, but there is internal skepticism. | |
8389ec4b RS |
77 | * So for now this code is not used. |
78 | */ | |
79 | # error "RDTSC enabled? Should not be possible!" | |
80 | ||
81 | /* | |
c16de9d8 DMSP |
82 | * Acquire entropy from high-speed clock |
83 | * | |
8389ec4b | 84 | * Since we get some randomness from the low-order bits of the |
c16de9d8 DMSP |
85 | * high-speed clock, it can help. |
86 | * | |
87 | * Returns the total entropy count, if it exceeds the requested | |
88 | * entropy count. Otherwise, returns an entropy count of 0. | |
8389ec4b | 89 | */ |
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool)
{
    unsigned char c;
    int i;

    /*
     * NOTE(review): this whole #ifdef section is compiled out by the
     * "#error" above, so nothing below is reachable in a real build.
     * Bit 4 of OPENSSL_ia32cap_P[0] is presumably the CPUID TSC feature
     * flag -- confirm against the cap-vector layout before re-enabling.
     */
    if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
        for (i = 0; i < TSC_READ_COUNT; i++) {
            /* Keep only the low byte of each counter read ... */
            c = (unsigned char)(OPENSSL_rdtsc() & 0xFF);
            /* ... and credit it with 4 bits of entropy, half its width. */
            rand_pool_add(pool, &c, 1, 4);
        }
    }
    /* 0 unless the pool now meets both its entropy and min_len targets. */
    return rand_pool_entropy_available(pool);
}
103 | #endif | |
104 | ||
105 | #ifdef OPENSSL_RAND_SEED_RDCPU | |
c16de9d8 DMSP |
106 | size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); |
107 | size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); | |
8389ec4b RS |
108 | |
109 | extern unsigned int OPENSSL_ia32cap_P[]; | |
110 | ||
c16de9d8 DMSP |
111 | /* |
112 | * Acquire entropy using Intel-specific cpu instructions | |
113 | * | |
114 | * Uses the RDSEED instruction if available, otherwise uses | |
115 | * RDRAND if available. | |
116 | * | |
 * For the differences between RDSEED and RDRAND, and why RDSEED
 * is the preferred choice, see https://goo.gl/oK3KcN (a shortened link;
 * the canonical reference should be cited here so it outlives the shortener)
119 | * | |
120 | * Returns the total entropy count, if it exceeds the requested | |
121 | * entropy count. Otherwise, returns an entropy count of 0. | |
122 | */ | |
size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool)
{
    /* Each byte delivered by the CPU is credited with full (8-bit) entropy. */
    size_t needed = rand_pool_bytes_needed(pool, 8 /*entropy_per_byte*/);
    unsigned char *slot;

    if (needed == 0)
        return rand_pool_entropy_available(pool);

    /* Reserve the bytes in place; NULL means the pool has no room. */
    slot = rand_pool_add_begin(pool, needed);
    if (slot == NULL)
        return rand_pool_entropy_available(pool);

    /*
     * First choice: RDSEED (cap word 2, bit 18). Only a completely
     * filled buffer is accepted; a short read falls through.
     */
    if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0
        && OPENSSL_ia32_rdseed_bytes(slot, needed) == needed)
        return rand_pool_add_end(pool, needed, 8 * needed);

    /*
     * Second choice: RDRAND (cap word 1, bit 62-32). NOTE(review): this
     * path is credited exactly like RDSEED, 8 bits per byte; whether
     * RDRAND output deserves full entropy credit is a policy decision
     * that is not argued here.
     */
    if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0
        && OPENSSL_ia32_rdrand_bytes(slot, needed) == needed)
        return rand_pool_add_end(pool, needed, 8 * needed);

    /* Neither instruction filled the buffer: commit nothing. */
    return rand_pool_add_end(pool, 0, 0);
}
158 | #endif | |
da8fc25a | 159 | |
75e2c877 RS |
160 | |
161 | /* | |
c16de9d8 DMSP |
162 | * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) |
163 | * | |
164 | * If the DRBG has a parent, then the required amount of entropy input | |
165 | * is fetched using the parent's RAND_DRBG_generate(). | |
75e2c877 | 166 | * |
c16de9d8 | 167 | * Otherwise, the entropy is polled from the system entropy sources |
6decf943 | 168 | * using rand_pool_acquire_entropy(). |
c16de9d8 DMSP |
169 | * |
170 | * If a random pool has been added to the DRBG using RAND_add(), then | |
171 | * its entropy will be used up first. | |
75e2c877 | 172 | */ |
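size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
                             unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len,
                             int prediction_resistance)
{
    size_t ret = 0;
    size_t entropy_available = 0;
    RAND_POOL *pool;

    /*
     * A chained DRBG may only draw from a parent at least as strong as
     * itself; using a weaker source would need the SP 800-90C 10.1.2
     * construction, which is not implemented.
     */
    if (drbg->parent && drbg->strength > drbg->parent->strength) {
        RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK);
        return 0;
    }

    /* Secure-heap pool sized by the caller's entropy/length requirements. */
    pool = rand_pool_new(entropy, min_len, max_len);
    if (pool == NULL)
        return 0;

    /*
     * Material queued via RAND_add() is consumed first and its credited
     * entropy carried over; the staging pool is released afterwards.
     */
    if (drbg->pool) {
        rand_pool_add(pool,
                      rand_pool_buffer(drbg->pool),
                      rand_pool_length(drbg->pool),
                      rand_pool_entropy(drbg->pool));
        rand_pool_free(drbg->pool);
        drbg->pool = NULL;
    }

    if (drbg->parent) {
        size_t bytes_needed = rand_pool_bytes_needed(pool, 8);
        unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);

        if (buffer != NULL) {
            size_t bytes = 0;

            /*
             * Get random from parent, include our state as additional input.
             * Our lock is already held, but we need to lock our parent before
             * generating bits from it. (Note: taking the lock will be a no-op
             * if drbg->parent->lock == NULL.)
             *
             * NOTE(review): the raw bytes of *drbg are passed as additional
             * input; they are mixed into the parent, not exposed, but this
             * is an unusual use of a struct image -- confirm it is intended.
             */
            rand_drbg_lock(drbg->parent);
            if (RAND_DRBG_generate(drbg->parent,
                                   buffer, bytes_needed,
                                   prediction_resistance,
                                   (unsigned char *)drbg, sizeof(*drbg)) != 0)
                bytes = bytes_needed;
            rand_drbg_unlock(drbg->parent);

            /* Parent output is credited with full entropy, 8 bits per byte. */
            entropy_available = rand_pool_add_end(pool, bytes, 8 * bytes);
        }

    } else {
        if (prediction_resistance) {
            /*
             * We don't have any entropy sources that comply with the NIST
             * standard to provide prediction resistance (see NIST SP 800-90C,
             * Section 5.4).
             *
             * Fix: previously this path returned directly and leaked the
             * secure-heap pool allocated above; route through err instead.
             */
            RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY,
                    RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED);
            goto err;
        }

        /* Get entropy by polling system entropy sources. */
        entropy_available = rand_pool_acquire_entropy(pool);
    }

    /*
     * Only hand the buffer out when the pool met its targets; ownership
     * moves to the caller, who frees it via the cleanup_entropy callback.
     */
    if (entropy_available > 0) {
        ret = rand_pool_length(pool);
        *pout = rand_pool_detach(pool);
    }

 err:
    rand_pool_free(pool);
    return ret;
}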
252 | ||
2b66fd57 | 253 | /* |
60595292 | 254 | * Find a suitable source of time. Start with the highest resolution source |
2b66fd57 P |
255 | * and work down to the slower ones. This is added as additional data and |
256 | * isn't counted as randomness, so any result is acceptable. | |
60595292 KR |
257 | * |
258 | * Returns 0 when we weren't able to find any time source | |
2b66fd57 P |
259 | */ |
static uint64_t get_timer_bits(void)
{
    /* Cycle counter first; a zero result means the platform has none. */
    uint64_t res = OPENSSL_rdtsc();

    if (res != 0)
        return res;
#if defined(_WIN32)
    {
        LARGE_INTEGER t;
        FILETIME ft;

        if (QueryPerformanceCounter(&t) != 0)
            return t.QuadPart;
        /* Last resort on Windows: 100ns wall-clock ticks, never fails. */
        GetSystemTimeAsFileTime(&ft);
        return TWO32TO64(ft.dwHighDateTime, ft.dwLowDateTime);
    }
#elif defined(__sun) || defined(__hpux)
    /* High-resolution timer; presumably never reports failure. */
    return gethrtime();
#elif defined(_AIX)
    {
        timebasestruct_t t;

        read_wall_time(&t, TIMEBASE_SZ);
        return TWO32TO64(t.tb_high, t.tb_low);
    }
#else

# if defined(OSSL_POSIX_TIMER_OKAY)
    {
        struct timespec ts;
        clockid_t cid;

        /* Prefer a clock that keeps running and cannot be stepped back. */
#  ifdef CLOCK_BOOTTIME
        cid = CLOCK_BOOTTIME;
#  elif defined(_POSIX_MONOTONIC_CLOCK)
        cid = CLOCK_MONOTONIC;
#  else
        cid = CLOCK_REALTIME;
#  endif

        /*
         * tv_sec is truncated to 32 bits by TWO32TO64; harmless, since
         * this value is additional data and carries no entropy credit.
         */
        if (clock_gettime(cid, &ts) == 0)
            return TWO32TO64(ts.tv_sec, ts.tv_nsec);
    }
# endif
# if defined(__unix__) \
     || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval tv;

        if (gettimeofday(&tv, NULL) == 0)
            return TWO32TO64(tv.tv_sec, tv.tv_usec);
    }
# endif
    {
        /* Second-resolution fallback; (time_t)-1 is the documented failure. */
        time_t t = time(NULL);
        if (t == (time_t)-1)
            return 0;
        return t;
    }
#endif
}
321 | ||
20928ff6 KR |
322 | /* |
323 | * Generate additional data that can be used for the drbg. The data does | |
324 | * not need to contain entropy, but it's useful if it contains at least | |
325 | * some bits that are unpredictable. | |
326 | * | |
327 | * Returns 0 on failure. | |
328 | * | |
329 | * On success it allocates a buffer at |*pout| and returns the length of | |
330 | * the data. The buffer should get freed using OPENSSL_secure_clear_free(). | |
331 | */ | |
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
{
    /* No entropy is requested: every input below is credited with 0 bits. */
    RAND_POOL *pool = rand_pool_new(0, 0, max_len);
    CRYPTO_THREAD_ID tid;
    uint64_t ticks;
    size_t produced;

    if (pool == NULL)
        return 0;

    /* Process identity, so forked children diverge from the parent. */
#ifdef OPENSSL_SYS_UNIX
    {
        pid_t pid = getpid();

        rand_pool_add(pool, (unsigned char *)&pid, sizeof(pid), 0);
    }
#elif defined(OPENSSL_SYS_WIN32)
    {
        DWORD pid = GetCurrentProcessId();

        rand_pool_add(pool, (unsigned char *)&pid, sizeof(pid), 0);
    }
#endif

    /* Thread identity, skipped when the platform reports none. */
    tid = CRYPTO_THREAD_get_current_id();
    if (tid != 0)
        rand_pool_add(pool, (unsigned char *)&tid, sizeof(tid), 0);

    /* Best available clock reading; 0 means no time source was found. */
    ticks = get_timer_bits();
    if (ticks != 0)
        rand_pool_add(pool, (unsigned char *)&ticks, sizeof(ticks), 0);

    /* TODO: Use RDSEED? */

    /*
     * Hand the buffer to the caller only if something was collected;
     * the caller releases it with OPENSSL_secure_clear_free().
     */
    produced = rand_pool_length(pool);
    if (produced != 0)
        *pout = rand_pool_detach(pool);
    rand_pool_free(pool);

    return produced;
}
c16de9d8 DMSP |
373 | |
374 | /* | |
375 | * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) | |
376 | * | |
377 | */ | |
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
                               unsigned char *out, size_t outlen)
{
    /*
     * The buffer was detached from a secure-heap pool by
     * rand_drbg_get_entropy(); wipe and release it the same way.
     * The DRBG handle itself is not needed for that.
     */
    (void)drbg;
    OPENSSL_secure_clear_free(out, outlen);
}
383 | ||
a35f607c RS |
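/*
 * Record that the process has forked. Called from the fork handler;
 * the counter is consumed elsewhere (presumably by the DRBG reseed
 * check). Declared with an explicit (void) prototype so callers passing
 * arguments are rejected at compile time.
 */
void rand_fork(void)
{
    rand_fork_count++;
}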
388 | ||
DEFINE_RUN_ONCE_STATIC(do_rand_init)
{
    /*
     * Create the locks used by the method/engine accessors. Both
     * allocations are attempted even if the first fails; the result
     * is 0 if any of them came back NULL.
     */
    int ok = 1;

#ifndef OPENSSL_NO_ENGINE
    rand_engine_lock = CRYPTO_THREAD_lock_new();
    if (rand_engine_lock == NULL)
        ok = 0;
#endif
    rand_meth_lock = CRYPTO_THREAD_lock_new();
    if (rand_meth_lock == NULL)
        ok = 0;

    return ok;
}
dfeab068 | 402 | |
da8fc25a RS |
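/*
 * Library-shutdown hook: run the active method's cleanup, drop the
 * ENGINE reference (via RAND_set_rand_method(NULL)) and destroy the
 * locks. The freed lock pointers are reset to NULL so that any late
 * caller fails on a NULL lock instead of touching freed memory.
 */
void rand_cleanup_int(void)
{
    const RAND_METHOD *meth = default_RAND_meth;

    if (meth != NULL && meth->cleanup != NULL)
        meth->cleanup();
    RAND_set_rand_method(NULL);
#ifndef OPENSSL_NO_ENGINE
    CRYPTO_THREAD_lock_free(rand_engine_lock);
    rand_engine_lock = NULL;
#endif
    CRYPTO_THREAD_lock_free(rand_meth_lock);
    rand_meth_lock = NULL;
}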
415 | ||
416 | /* | |
c16de9d8 DMSP |
417 | * RAND_poll() reseeds the default RNG using random input |
418 | * | |
419 | * The random input is obtained from polling various entropy | |
420 | * sources which depend on the operating system and are | |
421 | * configurable via the --with-rand-seed configure option. | |
422 | */ | |
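int RAND_poll(void)
{
    int ret = 0;
    RAND_POOL *pool = NULL;
    const RAND_METHOD *meth = RAND_get_rand_method();

    /*
     * RAND_get_rand_method() returns NULL when one-time initialisation
     * failed; previously that NULL reached meth->add below.
     */
    if (meth == NULL)
        return 0;

    if (meth == RAND_OpenSSL()) {
        /* Default method: reseed the master DRBG from the system sources. */
        RAND_DRBG *drbg = RAND_DRBG_get0_master();

        if (drbg == NULL)
            return 0;

        rand_drbg_lock(drbg);
        ret = rand_drbg_restart(drbg, NULL, 0, 0);
        rand_drbg_unlock(drbg);

        return ret;
    }

    /*
     * Legacy or ENGINE-provided method: collect a pool's worth of
     * entropy and push it through the method's add() callback.
     */
    pool = rand_pool_new(RAND_DRBG_STRENGTH,
                         RAND_DRBG_STRENGTH / 8,
                         DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8));
    if (pool == NULL)
        return 0;

    if (rand_pool_acquire_entropy(pool) == 0)
        goto err;

    /* add() takes the entropy estimate in bytes, hence the /8.0. */
    if (meth->add == NULL
        || meth->add(rand_pool_buffer(pool),
                     rand_pool_length(pool),
                     (rand_pool_entropy(pool) / 8.0)) == 0)
        goto err;

    ret = 1;

 err:
    rand_pool_free(pool);
    return ret;
}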
468 | ||
c16de9d8 DMSP |
469 | /* |
470 | * Allocate memory and initialize a new random pool | |
471 | */ | |
472 | ||
RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
{
    /*
     * Allocate the descriptor from the ordinary heap and the data buffer
     * from the secure heap; |max_len| fixes the buffer size for the
     * pool's lifetime.
     */
    RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));

    if (pool == NULL) {
        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    pool->min_len = min_len;
    pool->max_len = max_len;
    pool->requested_entropy = entropy;

    pool->buffer = OPENSSL_secure_zalloc(max_len);
    if (pool->buffer == NULL) {
        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
        OPENSSL_free(pool);
        return NULL;
    }

    return pool;
}
499 | ||
c16de9d8 DMSP |
500 | /* |
501 | * Free |pool|, securely erasing its buffer. | |
502 | */ | |
void rand_pool_free(RAND_POOL *pool)
{
    /* NULL-tolerant; the buffer is wiped over its full max_len capacity. */
    if (pool != NULL) {
        OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
        OPENSSL_free(pool);
    }
}
511 | ||
512 | /* | |
513 | * Return the |pool|'s buffer to the caller (readonly). | |
514 | */ | |
const unsigned char *rand_pool_buffer(RAND_POOL *pool)
{
    /* Read-only view of the collected bytes; ownership stays with the pool. */
    const unsigned char *view = pool->buffer;

    return view;
}
519 | ||
520 | /* | |
521 | * Return the |pool|'s entropy to the caller. | |
522 | */ | |
size_t rand_pool_entropy(RAND_POOL *pool)
{
    /* Entropy credited so far, in bits (sum of the add() estimates). */
    size_t bits = pool->entropy;

    return bits;
}
527 | ||
528 | /* | |
529 | * Return the |pool|'s buffer length to the caller. | |
530 | */ | |
size_t rand_pool_length(RAND_POOL *pool)
{
    /* Number of bytes currently stored, not the buffer's capacity. */
    size_t used = pool->len;

    return used;
}
535 | ||
536 | /* | |
537 | * Detach the |pool| buffer and return it to the caller. | |
538 | * It's the responsibility of the caller to free the buffer | |
539 | * using OPENSSL_secure_clear_free(). | |
540 | */ | |
unsigned char *rand_pool_detach(RAND_POOL *pool)
{
    unsigned char *detached = pool->buffer;

    /*
     * Ownership moves to the caller; clearing the pointer makes a later
     * rand_pool_free() wipe nothing. The caller must release it with
     * OPENSSL_secure_clear_free().
     */
    pool->buffer = NULL;
    return detached;
}
547 | ||
548 | ||
549 | /* | |
550 | * If every byte of the input contains |entropy_per_bytes| bits of entropy, | |
551 | * how many bytes does one need to obtain at least |bits| bits of entropy? | |
552 | */ | |
553 | #define ENTROPY_TO_BYTES(bits, entropy_per_bytes) \ | |
554 | (((bits) + ((entropy_per_bytes) - 1))/(entropy_per_bytes)) | |
555 | ||
556 | ||
557 | /* | |
558 | * Checks whether the |pool|'s entropy is available to the caller. | |
559 | * This is the case when entropy count and buffer length are high enough. | |
560 | * Returns | |
561 | * | |
562 | * |entropy| if the entropy count and buffer size is large enough | |
563 | * 0 otherwise | |
564 | */ | |
size_t rand_pool_entropy_available(RAND_POOL *pool)
{
    /* Both the entropy target and the minimum length must be satisfied. */
    int satisfied = pool->entropy >= pool->requested_entropy
                    && pool->len >= pool->min_len;

    return satisfied ? pool->entropy : 0;
}
575 | ||
576 | /* | |
577 | * Returns the (remaining) amount of entropy needed to fill | |
578 | * the random pool. | |
579 | */ | |
580 | ||
size_t rand_pool_entropy_needed(RAND_POOL *pool)
{
    /* Shortfall in bits; 0 once the request has been met. */
    return pool->entropy < pool->requested_entropy
           ? pool->requested_entropy - pool->entropy
           : 0;
}
588 | ||
589 | /* | |
590 | * Returns the number of bytes needed to fill the pool, assuming | |
591 | * the input has 'entropy_per_byte' entropy bits per byte. | |
592 | * In case of an error, 0 is returned. | |
593 | */ | |
594 | ||
size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte)
{
    size_t needed;
    size_t missing_bits = rand_pool_entropy_needed(pool);
    size_t room = pool->max_len - pool->len;

    /* Only 1..8 bits of entropy per byte make sense. */
    if (entropy_per_byte < 1 || entropy_per_byte > 8) {
        RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE);
        return 0;
    }

    /* Round up so that the credited bits reach the shortfall. */
    needed = ENTROPY_TO_BYTES(missing_bits, entropy_per_byte);

    if (needed > room) {
        /* not enough space left */
        RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW);
        return 0;
    }

    /* Never ask for less than what it takes to reach min_len. */
    if (pool->len < pool->min_len) {
        size_t to_min = pool->min_len - pool->len;

        if (needed < to_min)
            needed = to_min;
    }

    /* Note: 0 is also returned when nothing is needed, not only on error. */
    return needed;
}
620 | ||
621 | /* Returns the remaining number of bytes available */ | |
size_t rand_pool_bytes_remaining(RAND_POOL *pool)
{
    /* Free capacity; len never exceeds max_len, so this cannot wrap. */
    size_t room = pool->max_len - pool->len;

    return room;
}
626 | ||
627 | /* | |
628 | * Add random bytes to the random pool. | |
629 | * | |
630 | * It is expected that the |buffer| contains |len| bytes of | |
631 | * random input which contains at least |entropy| bits of | |
632 | * randomness. | |
633 | * | |
634 | * Return available amount of entropy after this operation. | |
6decf943 | 635 | * (see rand_pool_entropy_available(pool)) |
c16de9d8 | 636 | */ |
size_t rand_pool_add(RAND_POOL *pool,
                     const unsigned char *buffer, size_t len, size_t entropy)
{
    size_t room = pool->max_len - pool->len;

    if (len > room) {
        RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG);
        return 0;
    }

    /* An empty input cannot carry entropy credit: |entropy| is ignored. */
    if (len == 0)
        return rand_pool_entropy_available(pool);

    memcpy(pool->buffer + pool->len, buffer, len);
    pool->len += len;
    pool->entropy += entropy;

    return rand_pool_entropy_available(pool);
}
653 | ||
654 | /* | |
655 | * Start to add random bytes to the random pool in-place. | |
656 | * | |
657 | * Reserves the next |len| bytes for adding random bytes in-place | |
658 | * and returns a pointer to the buffer. | |
659 | * The caller is allowed to copy up to |len| bytes into the buffer. | |
660 | * If |len| == 0 this is considered a no-op and a NULL pointer | |
661 | * is returned without producing an error message. | |
662 | * | |
6decf943 | 663 | * After updating the buffer, rand_pool_add_end() needs to be called |
c16de9d8 DMSP |
 * to finish the update operation (see next comment).
665 | */ | |
unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
{
    size_t room = pool->max_len - pool->len;

    /* Zero-length reservation: nothing to hand out, and not an error. */
    if (len == 0)
        return NULL;

    if (len > room) {
        RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW);
        return NULL;
    }

    /* The caller writes directly past the current end of the data. */
    return pool->buffer + pool->len;
}
678 | ||
679 | /* | |
680 | * Finish to add random bytes to the random pool in-place. | |
681 | * | |
682 | * Finishes an in-place update of the random pool started by | |
6decf943 | 683 | * rand_pool_add_begin() (see previous comment). |
c16de9d8 DMSP |
684 | * It is expected that |len| bytes of random input have been added |
685 | * to the buffer which contain at least |entropy| bits of randomness. | |
686 | * It is allowed to add less bytes than originally reserved. | |
687 | */ | |
size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
{
    size_t room = pool->max_len - pool->len;

    if (len > room) {
        RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW);
        return 0;
    }

    /* Committing zero bytes credits nothing, whatever |entropy| says. */
    if (len != 0) {
        pool->len += len;
        pool->entropy += entropy;
    }

    return rand_pool_entropy_available(pool);
}
702 | ||
/*
 * Install |meth| as the process-wide RAND_METHOD (NULL clears it, after
 * which RAND_get_rand_method() picks the default again).
 * Returns 0 only if one-time initialisation failed, 1 otherwise.
 */
int RAND_set_rand_method(const RAND_METHOD *meth)
{
    if (!RUN_ONCE(&rand_init, do_rand_init))
        return 0;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
#ifndef OPENSSL_NO_ENGINE
    /*
     * Release the functional reference held on the previous
     * ENGINE-provided method, if any, before replacing it.
     */
    ENGINE_finish(funct_ref);
    funct_ref = NULL;
#endif
    default_RAND_meth = meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);
    return 1;
}
dfeab068 | 717 | |
/*
 * Return the active RAND_METHOD, selecting the default on first use.
 * Returns NULL only when one-time initialisation failed; callers must
 * handle that.
 */
const RAND_METHOD *RAND_get_rand_method(void)
{
    const RAND_METHOD *tmp_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return NULL;

    /* A write lock, because the lazy selection below may store a method. */
    CRYPTO_THREAD_write_lock(rand_meth_lock);
    if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
        ENGINE *e;

        /* If we have an engine that can do RAND, use it. */
        if ((e = ENGINE_get_default_RAND()) != NULL
                && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
            /* Keep the ENGINE reference for as long as its method is active. */
            funct_ref = e;
            default_RAND_meth = tmp_meth;
        } else {
            /*
             * Reached with e == NULL as well; relies on ENGINE_finish()
             * accepting NULL (not visible here).
             */
            ENGINE_finish(e);
            default_RAND_meth = &rand_meth;
        }
#else
        default_RAND_meth = &rand_meth;
#endif
    }
    tmp_meth = default_RAND_meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);
    return tmp_meth;
}
cb78486d | 747 | |
0b13e9f0 | 748 | #ifndef OPENSSL_NO_ENGINE |
int RAND_set_rand_engine(ENGINE *engine)
{
    const RAND_METHOD *engine_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return 0;

    /*
     * A NULL engine simply clears the current method. Otherwise take a
     * functional reference and require the engine to supply a RAND.
     */
    if (engine != NULL) {
        if (!ENGINE_init(engine))
            return 0;
        engine_meth = ENGINE_get_RAND(engine);
        if (engine_meth == NULL) {
            ENGINE_finish(engine);
            return 0;
        }
    }

    CRYPTO_THREAD_write_lock(rand_engine_lock);
    /* RAND_set_rand_method() drops any previously held ENGINE first. */
    RAND_set_rand_method(engine_meth);
    funct_ref = engine;
    CRYPTO_THREAD_unlock(rand_engine_lock);
    return 1;
}
0b13e9f0 | 772 | #endif |
dfeab068 | 773 | |
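/*
 * Mix |num| bytes from |buf| into the active method, if it implements
 * seed(). RAND_get_rand_method() returns NULL when one-time init failed;
 * that case is now a no-op instead of a NULL dereference.
 */
void RAND_seed(const void *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->seed != NULL)
        meth->seed(buf, num);
}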
dfeab068 | 781 | |
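/*
 * Mix |num| bytes from |buf| into the active method, crediting
 * |randomness| (an entropy estimate, in bytes) if it implements add().
 * A NULL method (one-time init failed) is a no-op rather than a crash.
 */
void RAND_add(const void *buf, int num, double randomness)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->add != NULL)
        meth->add(buf, num, randomness);
}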
eb952088 | 789 | |
ddc6a5c8 RS |
790 | /* |
791 | * This function is not part of RAND_METHOD, so if we're not using | |
792 | * the default method, then just call RAND_bytes(). Otherwise make | |
793 | * sure we're instantiated and use the private DRBG. | |
794 | */ | |
int RAND_priv_bytes(unsigned char *buf, int num)
{
    RAND_DRBG *priv;

    /* Non-default methods have no private DRBG: delegate to RAND_bytes(). */
    if (RAND_get_rand_method() != RAND_OpenSSL())
        return RAND_bytes(buf, num);

    priv = RAND_DRBG_get0_private();
    return priv == NULL ? 0 : RAND_DRBG_bytes(priv, buf, num);
}
811 | ||
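/*
 * Fill |buf| with |num| bytes from the active method's bytes() callback.
 * Returns the callback's result, or -1 with RAND_R_FUNC_NOT_IMPLEMENTED
 * when there is no usable method -- including the case where
 * RAND_get_rand_method() returned NULL, which previously dereferenced NULL.
 */
int RAND_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->bytes != NULL)
        return meth->bytes(buf, num);
    RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED);
    return -1;
}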
dfeab068 | 821 | |
98186eb4 | 822 | #if OPENSSL_API_COMPAT < 0x10100000L |
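/*
 * Deprecated API: forward to the method's pseudorand() callback.
 * Returns -1 when the method is NULL (init failed) or lacks pseudorand();
 * the NULL case previously crashed.
 */
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->pseudorand != NULL)
        return meth->pseudorand(buf, num);
    return -1;
}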
302d38e3 | 831 | #endif |
5eb8ca4d BM |
832 | |
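/*
 * Report whether the active method considers itself seeded. Returns 0
 * when the method is NULL (one-time init failed) or has no status();
 * the NULL case previously dereferenced NULL.
 */
int RAND_status(void)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->status != NULL)
        return meth->status();
    return 0;
}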