b1322259 | 1 | /* |
f61f62ea | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
dfeab068 | 3 | * |
b1322259 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
dfeab068 RE |
8 | */ |
9 | ||
10 | #include <stdio.h> | |
dfeab068 | 11 | #include <time.h> |
b39fc560 | 12 | #include "internal/cryptlib.h" |
98186eb4 | 13 | #include <openssl/opensslconf.h> |
63f483e1 | 14 | #include "internal/rand_int.h" |
3c27208f | 15 | #include <openssl/engine.h> |
87975cfa | 16 | #include "internal/thread_once.h" |
da8fc25a | 17 | #include "rand_lcl.h" |
20928ff6 KR |
18 | #ifdef OPENSSL_SYS_UNIX |
19 | # include <sys/types.h> | |
20 | # include <unistd.h> | |
21 | # include <sys/time.h> | |
22 | #endif | |
23 | #include "e_os.h" | |
dfeab068 | 24 | |
2b66fd57 P |
/*
 * Macro to convert two thirty two bit values into a sixty four bit one:
 * |a| becomes the high word, |b| the low word.  |b| is added, not masked,
 * so it is expected to fit in 32 bits (the callers in get_timer_bits()
 * pass a DWORD/unsigned int or a sub-second count).  The cast to uint64_t
 * happens before the shift, so a 32-bit |a| cannot overflow.
 */
#define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b))
27 | ||
#ifndef OPENSSL_NO_ENGINE
/* non-NULL if default_RAND_meth is ENGINE-provided */
static ENGINE *funct_ref;
/* Held by RAND_set_rand_engine() while it swaps the ENGINE in funct_ref */
static CRYPTO_RWLOCK *rand_engine_lock;
#endif
/* Guards default_RAND_meth in RAND_set_rand_method()/RAND_get_rand_method() */
static CRYPTO_RWLOCK *rand_meth_lock;
/*
 * The method in use.  NULL until RAND_get_rand_method() resolves a default
 * (or after RAND_set_rand_method(NULL), e.g. from rand_cleanup_int()).
 */
static const RAND_METHOD *default_RAND_meth;
/* Creates the locks above exactly once (see do_rand_init) */
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;

/*
 * Incremented by rand_fork().  Not static, so the code that compares it
 * against a saved copy lives outside this file -- presumably the DRBG's
 * fork detection; confirm at the consumer.
 */
int rand_fork_count;
87975cfa | 38 | |
8389ec4b RS |
#ifdef OPENSSL_RAND_SEED_RDTSC
/*
 * IMPORTANT NOTE: It is not currently possible to use this code
 * because we are not sure about the amount of randomness it provides.
 * Some SP900 tests (presumably the NIST SP 800-90 entropy tests; the
 * name as written is unclear) have been run, but there is internal
 * skepticism.  So for now this code is not used: the #error below makes
 * any build that defines OPENSSL_RAND_SEED_RDTSC fail.
 */
# error "RDTSC enabled? Should not be possible!"

/*
 * Acquire entropy from high-speed clock
 *
 * Since we get some randomness from the low-order bits of the
 * high-speed clock, it can help.
 *
 * Reads the low byte of OPENSSL_rdtsc() TSC_READ_COUNT times and adds
 * each byte to |pool| with a credit of 4 entropy bits -- that credit is
 * exactly the figure the skepticism above is about.  The loop is gated on
 * bit 4 of OPENSSL_ia32cap_P[0] (presumably the TSC feature flag; not
 * verifiable from this file).
 *
 * Returns the total entropy count, if it meets the requested
 * entropy count. Otherwise, returns an entropy count of 0.
 */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool)
{
    unsigned char c;
    int i;

    if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
        for (i = 0; i < TSC_READ_COUNT; i++) {
            c = (unsigned char)(OPENSSL_rdtsc() & 0xFF);
            /* one byte of counter, credited with 4 bits of entropy */
            RAND_POOL_add(pool, &c, 1, 4);
        }
    }
    return RAND_POOL_entropy_available(pool);
}
#endif
71 | ||
#ifdef OPENSSL_RAND_SEED_RDCPU
size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len);
size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len);

extern unsigned int OPENSSL_ia32cap_P[];

/*
 * Acquire entropy using Intel-specific cpu instructions
 *
 * Uses the RDSEED instruction if available, otherwise uses
 * RDRAND if available.
 *
 * For the differences between RDSEED and RDRAND, and why RDSEED
 * is the preferred choice, see https://goo.gl/oK3KcN
 *
 * The whole request is served by one instruction: a short read from
 * RDSEED falls through to RDRAND, and a short read from RDRAND commits
 * nothing at all (0 bytes, 0 entropy).  Every byte that is committed is
 * credited with the full 8 bits of entropy.
 *
 * NOTE(review): the 8-bits-per-byte credit is applied to RDRAND output
 * too.  RDRAND is presumably a DRBG output rather than a raw noise
 * source, so whether it deserves a full credit is a policy decision
 * worth confirming against the seeding requirements in force.
 *
 * Returns the total entropy count, if it meets the requested
 * entropy count. Otherwise, returns an entropy count of 0.
 */
size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool)
{
    size_t want = RAND_POOL_bytes_needed(pool, 8 /*entropy_per_byte*/);
    size_t got = 0;
    unsigned char *dst;

    /* 0 means "pool already satisfied" or that bytes_needed() raised an error. */
    if (want == 0)
        return RAND_POOL_entropy_available(pool);

    dst = RAND_POOL_add_begin(pool, want);
    if (dst == NULL)
        return RAND_POOL_entropy_available(pool);

    /* First choice: RDSEED (cap word 2, bit 18). */
    if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0)
        got = OPENSSL_ia32_rdseed_bytes(dst, want);

    /* Second choice: RDRAND (cap word 1, bit 62-32), only if RDSEED fell short. */
    if (got != want && (OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0)
        got = OPENSSL_ia32_rdrand_bytes(dst, want);

    /* Anything but a complete fill is discarded rather than partially credited. */
    if (got != want)
        got = 0;

    return RAND_POOL_add_end(pool, got, 8 * got);
}
#endif
da8fc25a | 126 | |
75e2c877 RS |
127 | |
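/*
 * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
 *
 * If the DRBG has a parent, then the required amount of entropy input
 * is fetched using the parent's RAND_DRBG_generate().
 *
 * Otherwise, the entropy is polled from the system entropy sources
 * using RAND_POOL_acquire_entropy().
 *
 * If a random pool has been added to the DRBG using RAND_add(), then
 * its entropy will be used up first.
 *
 * |entropy| is the requested entropy count in bits; |min_len| and
 * |max_len| bound the returned buffer.  On success the buffer is stored
 * in |*pout| and its length is returned; it is released through the
 * cleanup_entropy() callback (rand_drbg_cleanup_entropy()).  Returns 0
 * on failure, leaving |*pout| untouched.
 *
 * Fix: when the pool pre-filled via RAND_add() already satisfies the
 * request, RAND_POOL_bytes_needed() returns 0, RAND_POOL_add_begin(pool, 0)
 * returns NULL, and the parent branch previously reported 0 entropy and
 * failed the reseed although the pool was complete.  The branch now
 * always reports RAND_POOL_entropy_available(), which is still 0 in every
 * genuine error case (insufficient entropy, overflow, failed generate()).
 */
size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
                             unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len)
{
    size_t ret = 0;
    size_t entropy_available = 0;
    RAND_POOL *pool = RAND_POOL_new(entropy, min_len, max_len);

    if (pool == NULL)
        return 0;

    /* Consume the pool pre-filled by RAND_add(), if any, before anything else. */
    if (drbg->pool != NULL) {
        RAND_POOL_add(pool,
                      RAND_POOL_buffer(drbg->pool),
                      RAND_POOL_length(drbg->pool),
                      RAND_POOL_entropy(drbg->pool));
        RAND_POOL_free(drbg->pool);
        drbg->pool = NULL;
    }

    if (drbg->parent != NULL) {
        size_t bytes_needed = RAND_POOL_bytes_needed(pool, 8 /*entropy_per_byte*/);
        unsigned char *buffer = RAND_POOL_add_begin(pool, bytes_needed);

        if (buffer != NULL) {
            size_t bytes = 0;

            /*
             * Get random from parent, include our state as additional input.
             * Our lock is already held, but we need to lock our parent before
             * generating bits from it.
             *
             * NOTE(review): the additional input is the raw bytes of this
             * DRBG's struct (pointers, counters and whatever internal state
             * it holds).  The parent mixes additional input into its own
             * state rather than emitting it, but if the struct carries key
             * material, passing NULL/0 here would be the conservative choice
             * -- confirm what RAND_DRBG holds before changing it.
             */
            if (drbg->parent->lock != NULL)
                CRYPTO_THREAD_write_lock(drbg->parent->lock);
            if (RAND_DRBG_generate(drbg->parent,
                                   buffer, bytes_needed,
                                   0,
                                   (unsigned char *)drbg, sizeof(*drbg)) != 0)
                bytes = bytes_needed;
            if (drbg->parent->lock != NULL)
                CRYPTO_THREAD_unlock(drbg->parent->lock);

            /* A failed generate() commits 0 bytes and 0 entropy. */
            RAND_POOL_add_end(pool, bytes, 8 * bytes);
        }
        /*
         * buffer == NULL is not necessarily an error: bytes_needed == 0
         * means the pre-filled pool already met both the entropy and the
         * min_len requirement, so report what is there.
         */
        entropy_available = RAND_POOL_entropy_available(pool);
    } else {
        /* Get entropy by polling system entropy sources. */
        entropy_available = RAND_POOL_acquire_entropy(pool);
    }

    if (entropy_available > 0) {
        ret = RAND_POOL_length(pool);
        /* Ownership of the buffer moves to the caller (via *pout). */
        *pout = RAND_POOL_detach(pool);
    }

    RAND_POOL_free(pool);
    return ret;
}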
198 | ||
2b66fd57 P |
/*
 * Find a suitable system time. Start with the highest resolution source
 * and work down to the slower ones. This is added as additional data and
 * isn't counted as randomness, so any result is acceptable.
 *
 * The only caller, rand_drbg_get_additional_data(), feeds the result into
 * the pool with an entropy credit of 0, which is why a failing source can
 * simply fall through to the next one without any error reporting.
 */
static uint64_t get_timer_bits(void)
{
    uint64_t res = OPENSSL_rdtsc();

    /* A zero counter value is treated as "no cycle counter available". */
    if (res != 0)
        return res;
#if defined(_WIN32)
    {
        LARGE_INTEGER t;
        FILETIME ft;

        if (QueryPerformanceCounter(&t) != 0)
            return t.QuadPart;
        /* GetSystemTimeAsFileTime() has no failure return; take it as is. */
        GetSystemTimeAsFileTime(&ft);
        return TWO32TO64(ft.dwHighDateTime, ft.dwLowDateTime);
    }
#elif defined(__sun) || defined(__hpux)
    return gethrtime();
#elif defined(_AIX)
    {
        timebasestruct_t t;

        read_wall_time(&t, TIMEBASE_SZ);
        return TWO32TO64(t.tb_high, t.tb_low);
    }
#else

    /* clock_gettime(): POSIX timers, and on glibc only from 2.17 on. */
# if defined(_POSIX_C_SOURCE) \
     && defined(_POSIX_TIMERS) \
     && _POSIX_C_SOURCE >= 199309L \
     && (!defined(__GLIBC__) \
         || (defined(__GLIBC_PREREQ) && __GLIBC_PREREQ(2, 17)))
    {
        struct timespec ts;
        clockid_t cid;

        /* Clock preference: CLOCK_BOOTTIME, then the POSIX monotonic clock, else realtime. */
# ifdef CLOCK_BOOTTIME
        cid = CLOCK_BOOTTIME;
# elif defined(_POSIX_MONOTONIC_CLOCK)
        cid = CLOCK_MONOTONIC;
# else
        cid = CLOCK_REALTIME;
# endif

        if (clock_gettime(cid, &ts) == 0)
            return TWO32TO64(ts.tv_sec, ts.tv_nsec);
    }
# endif
# if defined(__unix__) \
     || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval tv;

        if (gettimeofday(&tv, NULL) == 0)
            return TWO32TO64(tv.tv_sec, tv.tv_usec);
    }
# endif
    /* Last resort: one-second resolution. */
    return time(NULL);
#endif
}
264 | ||
20928ff6 KR |
/*
 * Generate additional data that can be used for the drbg. The data does
 * not need to contain entropy, but it's useful if it contains at least
 * some bits that are unpredictable.
 *
 * Collected (each with an entropy credit of 0): the process id (UNIX or
 * WIN32), the current thread id when non-zero, and the timer bits from
 * get_timer_bits().  Return values of RAND_POOL_add() are deliberately
 * ignored -- a value that does not fit in |max_len| is simply dropped.
 *
 * Returns 0 on failure (or if nothing at all could be collected).
 *
 * On success it allocates a buffer at |*pout| and returns the length of
 * the data. The buffer should get freed using OPENSSL_secure_clear_free().
 */
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
{
    RAND_POOL *pool = RAND_POOL_new(0, 0, max_len);
    CRYPTO_THREAD_ID tid;
    uint64_t ticks;
    size_t collected;
#ifdef OPENSSL_SYS_UNIX
    pid_t pid;
#elif defined(OPENSSL_SYS_WIN32)
    DWORD pid;
#endif

    if (pool == NULL)
        return 0;

#ifdef OPENSSL_SYS_UNIX
    pid = getpid();
    RAND_POOL_add(pool, (unsigned char *)&pid, sizeof(pid), 0);
#elif defined(OPENSSL_SYS_WIN32)
    pid = GetCurrentProcessId();
    RAND_POOL_add(pool, (unsigned char *)&pid, sizeof(pid), 0);
#endif

    tid = CRYPTO_THREAD_get_current_id();
    if (tid != 0)
        RAND_POOL_add(pool, (unsigned char *)&tid, sizeof(tid), 0);

    ticks = get_timer_bits();
    RAND_POOL_add(pool, (unsigned char *)&ticks, sizeof(ticks), 0);

    /* TODO: Use RDSEED? */

    collected = RAND_POOL_length(pool);
    if (collected != 0)
        *pout = RAND_POOL_detach(pool);
    RAND_POOL_free(pool);

    return collected;
}
c16de9d8 DMSP |
315 | |
/*
 * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks())
 *
 * Wipes and frees the |outlen| bytes at |out| that rand_drbg_get_entropy()
 * handed out via RAND_POOL_detach().  |drbg| is not used.
 */
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
                               unsigned char *out, size_t outlen)
{
    /* The buffer lives on the secure heap (RAND_POOL_new), so clear+free there. */
    OPENSSL_secure_clear_free(out, outlen);
}
325 | ||
a35f607c RS |
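/*
 * Bump the fork counter.  The name suggests this runs in the child after
 * fork(); the registration of the handler is not in this file.
 *
 * The increment is a plain, non-atomic read-modify-write.  That is only
 * safe if the function really runs in a freshly forked, single-threaded
 * child -- TODO confirm at the call site.
 *
 * Declared with (void): an empty parameter list in C is an unprototyped
 * declaration, not "no arguments".
 */
void rand_fork(void)
{
    rand_fork_count++;
}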
330 | ||
/*
 * One-time initialisation run via RUN_ONCE(&rand_init, ...): creates the
 * lock(s) this file uses.  Returns 1 if every lock was created, 0 if any
 * allocation failed (in which case RUN_ONCE reports failure to all callers).
 */
DEFINE_RUN_ONCE_STATIC(do_rand_init)
{
    int engine_ok = 1;
    int meth_ok;

#ifndef OPENSSL_NO_ENGINE
    rand_engine_lock = CRYPTO_THREAD_lock_new();
    engine_ok = (rand_engine_lock != NULL);
#endif
    /* Always attempted, even if the engine lock failed, as before. */
    rand_meth_lock = CRYPTO_THREAD_lock_new();
    meth_ok = (rand_meth_lock != NULL);

    return engine_ok && meth_ok;
}
dfeab068 | 344 | |
da8fc25a RS |
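/*
 * Tear down the RAND state of this file (the caller -- presumably the
 * library-wide cleanup -- is outside this file).  Runs the current
 * method's cleanup() hook, resets the method (which also releases any
 * ENGINE reference held in funct_ref) and frees the locks created by
 * do_rand_init().
 *
 * Fix: the lock pointers are reset to NULL after freeing, so a stray
 * later use fails on a NULL pointer instead of touching freed memory.
 */
void rand_cleanup_int(void)
{
    const RAND_METHOD *meth = default_RAND_meth;

    if (meth != NULL && meth->cleanup != NULL)
        meth->cleanup();
    /* Drops the ENGINE reference, if any, and leaves default_RAND_meth NULL. */
    RAND_set_rand_method(NULL);
#ifndef OPENSSL_NO_ENGINE
    CRYPTO_THREAD_lock_free(rand_engine_lock);
    rand_engine_lock = NULL;
#endif
    CRYPTO_THREAD_lock_free(rand_meth_lock);
    rand_meth_lock = NULL;
}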
357 | ||
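/*
 * RAND_poll() reseeds the default RNG using random input
 *
 * The random input is obtained from polling various entropy
 * sources which depend on the operating system and are
 * configurable via the --with-rand-seed configure option.
 *
 * Returns 1 on success and 0 on failure.  Failure includes the case
 * where RAND_get_rand_method() returns NULL because the one-time lock
 * initialisation failed; previously that NULL was dereferenced.
 */
int RAND_poll(void)
{
    int ret = 0;
    RAND_POOL *pool = NULL;
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth == NULL)
        return 0;

    if (meth == RAND_OpenSSL()) {
        /* fill random pool and seed the master DRBG */
        RAND_DRBG *drbg = RAND_DRBG_get0_master();

        if (drbg == NULL)
            return 0;

        /* rand_drbg_restart() pulls fresh entropy through the DRBG's callbacks. */
        CRYPTO_THREAD_write_lock(drbg->lock);
        ret = rand_drbg_restart(drbg, NULL, 0, 0);
        CRYPTO_THREAD_unlock(drbg->lock);

        return ret;
    }

    /* fill random pool and seed the current legacy RNG */
    pool = RAND_POOL_new(RAND_DRBG_STRENGTH,
                         RAND_DRBG_STRENGTH / 8,
                         DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8));
    if (pool == NULL)
        return 0;

    if (RAND_POOL_acquire_entropy(pool) == 0)
        goto err;

    /* Legacy add() takes the entropy estimate in bytes, as a double. */
    if (meth->add == NULL
        || meth->add(RAND_POOL_buffer(pool),
                     RAND_POOL_length(pool),
                     (RAND_POOL_entropy(pool) / 8.0)) == 0)
        goto err;

    ret = 1;

 err:
    RAND_POOL_free(pool);
    return ret;
}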
410 | ||
411 | /* | |
412 | * The 'random pool' acts as a dumb container for collecting random | |
413 | * input from various entropy sources. The pool has no knowledge about | |
414 | * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() | |
415 | or into a new style RAND_DRBG. It is the caller's duty to 1) initialize the |
416 | * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and | |
417 | * 4) cleanup the random pool again. | |
418 | * | |
419 | * The random pool contains no locking mechanism because its scope and | |
420 | * lifetime is intended to be restricted to a single stack frame. | |
75e2c877 | 421 | */ |
c16de9d8 DMSP |
/*
 * Invariants kept by the RAND_POOL_* functions below: len <= max_len
 * (checked by RAND_POOL_add(), _add_begin() and _add_end()), and
 * entropy is the sum of the caller-supplied estimates passed to those
 * functions -- the pool does no entropy measurement of its own.
 */
struct rand_pool_st {
    unsigned char *buffer;    /* points to the beginning of the random pool */
    size_t len;               /* current number of random bytes contained in the pool */

    size_t min_len;           /* minimum number of random bytes requested */
    size_t max_len;           /* maximum number of random bytes (allocated buffer size) */
    size_t entropy;           /* current entropy count in bits */
    size_t requested_entropy; /* requested entropy count in bits */
};
431 | ||
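/*
 * Allocate memory and initialize a new random pool
 *
 * |entropy| is the entropy count (in bits) the pool is expected to
 * collect, |min_len| the minimum and |max_len| the maximum number of
 * bytes; |max_len| is also the size of the secure-heap buffer allocated.
 *
 * Returns NULL (with an error raised) on allocation failure, or when the
 * arguments cannot be satisfied: a negative |entropy| would previously be
 * converted to a huge size_t requested_entropy, and a |min_len| above
 * |max_len| can never be reached -- both are now rejected up front.
 */
RAND_POOL *RAND_POOL_new(int entropy, size_t min_len, size_t max_len)
{
    RAND_POOL *pool;

    if (entropy < 0 || min_len > max_len) {
        RANDerr(RAND_F_RAND_POOL_NEW, RAND_R_ARGUMENT_OUT_OF_RANGE);
        return NULL;
    }

    pool = OPENSSL_zalloc(sizeof(*pool));
    if (pool == NULL) {
        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    pool->min_len = min_len;
    pool->max_len = max_len;

    /* Secure heap: the buffer will carry seed material. */
    pool->buffer = OPENSSL_secure_zalloc(pool->max_len);
    if (pool->buffer == NULL) {
        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
        OPENSSL_free(pool);
        return NULL;
    }

    pool->requested_entropy = (size_t)entropy;

    return pool;
}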
462 | ||
c16de9d8 DMSP |
/*
 * Release |pool| and its buffer.  The buffer is wiped before going back
 * to the secure heap; a NULL |pool| is a no-op.  After RAND_POOL_detach()
 * the buffer pointer is NULL and only the struct itself is released.
 */
void RAND_POOL_free(RAND_POOL *pool)
{
    if (pool != NULL) {
        OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
        OPENSSL_free(pool);
    }
}
474 | ||
/*
 * Read-only view of the |pool|'s buffer; the pool keeps ownership.
 */
const unsigned char *RAND_POOL_buffer(RAND_POOL *pool)
{
    const unsigned char *data = pool->buffer;

    return data;
}
482 | ||
/*
 * Entropy count (in bits) accumulated in the |pool| so far.
 */
size_t RAND_POOL_entropy(RAND_POOL *pool)
{
    size_t bits = pool->entropy;

    return bits;
}
490 | ||
/*
 * Number of bytes currently held in the |pool|'s buffer.
 */
size_t RAND_POOL_length(RAND_POOL *pool)
{
    size_t used = pool->len;

    return used;
}
498 | ||
/*
 * Hand the |pool|'s buffer over to the caller.  Afterwards the pool no
 * longer references it (RAND_POOL_free() is then expected to tolerate the
 * NULL, as rand_drbg_get_entropy() relies on), and the caller must free
 * it with OPENSSL_secure_clear_free().
 */
unsigned char *RAND_POOL_detach(RAND_POOL *pool)
{
    unsigned char *detached;

    detached = pool->buffer;
    pool->buffer = NULL;
    return detached;
}
510 | ||
511 | ||
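/*
 * If every byte of the input contains |entropy_per_bytes| bits of entropy,
 * how many bytes does one need to obtain at least |bits| bits of entropy?
 *
 * Written as quotient-plus-remainder-flag rather than (bits + epb - 1)/epb,
 * so that a |bits| value close to SIZE_MAX cannot wrap the addition and
 * yield 0 (which would silently turn "need a lot" into "need nothing").
 * Both arguments are evaluated more than once; pass side-effect-free
 * expressions.  |entropy_per_bytes| must be non-zero.
 */
#define ENTROPY_TO_BYTES(bits, entropy_per_bytes) \
    (((bits) / (entropy_per_bytes)) + (((bits) % (entropy_per_bytes)) != 0))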
518 | ||
519 | ||
/*
 * Checks whether the |pool|'s entropy is available to the caller.
 * This is the case when entropy count and buffer length are high enough.
 * Returns
 *
 *  |entropy| if the entropy count and buffer size is large enough
 *  0 otherwise
 */
size_t RAND_POOL_entropy_available(RAND_POOL *pool)
{
    int enough_entropy = pool->entropy >= pool->requested_entropy;
    int enough_bytes = pool->len >= pool->min_len;

    return (enough_entropy && enough_bytes) ? pool->entropy : 0;
}
538 | ||
/*
 * Returns the (remaining) amount of entropy needed to fill
 * the random pool, in bits; 0 once the request is met.
 */
size_t RAND_POOL_entropy_needed(RAND_POOL *pool)
{
    size_t have = pool->entropy;
    size_t want = pool->requested_entropy;

    return have < want ? want - have : 0;
}
551 | ||
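/*
 * Returns the number of bytes needed to fill the pool, assuming
 * the input has |entropy_per_byte| entropy bits per byte (1..8).
 *
 * The result covers both the missing entropy and the |min_len|
 * requirement, and fits into the remaining space of the pool.
 * In case of an error -- |entropy_per_byte| out of range, or the
 * required bytes not fitting -- an error is raised and 0 is returned.
 * Note 0 is also the non-error answer once the pool is already full
 * enough; RAND_POOL_entropy_available() tells the two apart.
 *
 * Fix: the space check used to run before the min_len adjustment, so an
 * adjusted value larger than the remaining space escaped it and was only
 * caught later by RAND_POOL_add_begin().  It now checks the final value.
 */
size_t RAND_POOL_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte)
{
    size_t bytes_needed;
    size_t entropy_needed = RAND_POOL_entropy_needed(pool);

    if (entropy_per_byte < 1 || entropy_per_byte > 8) {
        RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE);
        return 0;
    }

    bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_per_byte);

    /* to meet the min_len requirement */
    if (pool->len < pool->min_len
        && bytes_needed < pool->min_len - pool->len)
        bytes_needed = pool->min_len - pool->len;

    if (bytes_needed > pool->max_len - pool->len) {
        /* not enough space left */
        RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW);
        return 0;
    }

    return bytes_needed;
}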
583 | ||
/* Returns the remaining number of bytes available (max_len minus len) */
size_t RAND_POOL_bytes_remaining(RAND_POOL *pool)
{
    size_t used = pool->len;

    return pool->max_len - used;
}
589 | ||
/*
 * Add random bytes to the random pool.
 *
 * It is expected that the |buffer| contains |len| bytes of
 * random input which contains at least |entropy| bits of
 * randomness.  The |entropy| figure is the caller's estimate and is
 * taken on trust; it is only credited together with data (len > 0).
 *
 * Raises an error and returns 0 if |len| does not fit into the pool.
 * Otherwise returns the available amount of entropy after this
 * operation (see RAND_POOL_entropy_available(pool)).
 */
size_t RAND_POOL_add(RAND_POOL *pool,
                     const unsigned char *buffer, size_t len, size_t entropy)
{
    size_t space = pool->max_len - pool->len;

    if (len > space) {
        RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG);
        return 0;
    }

    if (len != 0) {
        memcpy(pool->buffer + pool->len, buffer, len);
        pool->len += len;
        pool->entropy += entropy;
    }

    return RAND_POOL_entropy_available(pool);
}
616 | ||
/*
 * Start to add random bytes to the random pool in-place.
 *
 * Reserves the next |len| bytes for adding random bytes in-place
 * and returns a pointer to the buffer.
 * The caller is allowed to copy up to |len| bytes into the buffer.
 * If |len| == 0 this is considered a no-op and a NULL pointer
 * is returned without producing an error message; if |len| exceeds
 * the remaining space, NULL is returned with an error raised.
 *
 * After updating the buffer, RAND_POOL_add_end() needs to be called
 * to finish the update operation (see next comment).
 */
unsigned char *RAND_POOL_add_begin(RAND_POOL *pool, size_t len)
{
    size_t space;

    if (len == 0)
        return NULL;

    space = pool->max_len - pool->len;
    if (len > space) {
        RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW);
        return NULL;
    }

    return &pool->buffer[pool->len];
}
641 | ||
/*
 * Finish to add random bytes to the random pool in-place.
 *
 * Finishes an in-place update of the random pool started by
 * RAND_POOL_add_begin() (see previous comment).
 * It is expected that |len| bytes of random input have been added
 * to the buffer which contain at least |entropy| bits of randomness.
 * It is allowed to add fewer bytes than originally reserved; |len| == 0
 * commits nothing (and credits no entropy).
 *
 * Returns 0 with an error raised if |len| does not fit, otherwise the
 * available amount of entropy (see RAND_POOL_entropy_available(pool)).
 */
size_t RAND_POOL_add_end(RAND_POOL *pool, size_t len, size_t entropy)
{
    size_t space = pool->max_len - pool->len;

    if (len > space) {
        RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW);
        return 0;
    }

    if (len != 0) {
        pool->len += len;
        pool->entropy += entropy;
    }

    return RAND_POOL_entropy_available(pool);
}
665 | ||
/*
 * Install |meth| as the method used by RAND_bytes() and friends.  NULL
 * resets it, so the next RAND_get_rand_method() resolves the default
 * again.  Any ENGINE reference held for a previous method is released.
 * Returns 0 only if the one-time lock initialisation failed.
 */
int RAND_set_rand_method(const RAND_METHOD *meth)
{
    int initialised = RUN_ONCE(&rand_init, do_rand_init);

    if (!initialised)
        return 0;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
#ifndef OPENSSL_NO_ENGINE
    /* Drop the reference held for an ENGINE-provided method, if any. */
    ENGINE_finish(funct_ref);
    funct_ref = NULL;
#endif
    default_RAND_meth = meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);

    return 1;
}
dfeab068 | 680 | |
/*
 * Return the method in use, resolving it on first call: an ENGINE's
 * RAND_METHOD if one is the default ENGINE for RAND, else the built-in
 * rand_meth.  Returns NULL only if the one-time lock setup failed.
 *
 * A write lock is taken even on the common read path, because the first
 * call writes default_RAND_meth (and funct_ref).
 */
const RAND_METHOD *RAND_get_rand_method(void)
{
    const RAND_METHOD *result;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return NULL;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
    if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
        ENGINE *e = ENGINE_get_default_RAND();
        const RAND_METHOD *engine_meth = NULL;

        if (e != NULL)
            engine_meth = ENGINE_get_RAND(e);

        if (engine_meth != NULL) {
            /* Keep the ENGINE referenced for as long as its method is in use. */
            funct_ref = e;
            default_RAND_meth = engine_meth;
        } else {
            /* Reached with e == NULL too; relies on ENGINE_finish() tolerating that. */
            ENGINE_finish(e);
            default_RAND_meth = &rand_meth;
        }
#else
        default_RAND_meth = &rand_meth;
#endif
    }
    result = default_RAND_meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);

    return result;
}
cb78486d | 710 | |
#ifndef OPENSSL_NO_ENGINE
/*
 * Make |engine|'s RAND_METHOD the default, or with engine == NULL drop the
 * current ENGINE so the next RAND_get_rand_method() falls back to the
 * built-in method.  Returns 1 on success; 0 if the one-time init failed,
 * ENGINE_init() failed, or the ENGINE provides no RAND_METHOD.
 *
 * On success the ENGINE_init() reference to |engine| is kept in funct_ref
 * and released by the next RAND_set_rand_method() call.
 */
int RAND_set_rand_engine(ENGINE *engine)
{
    const RAND_METHOD *tmp_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return 0;

    if (engine != NULL) {
        if (!ENGINE_init(engine))
            return 0;
        tmp_meth = ENGINE_get_RAND(engine);
        if (tmp_meth == NULL) {
            /* Nothing usable: give the ENGINE_init() reference back. */
            ENGINE_finish(engine);
            return 0;
        }
    }
    CRYPTO_THREAD_write_lock(rand_engine_lock);
    /* This function releases any prior ENGINE so call it first */
    RAND_set_rand_method(tmp_meth);
    /*
     * NOTE(review): funct_ref is stored here under rand_engine_lock, while
     * RAND_get_rand_method() reads and writes it under rand_meth_lock, which
     * RAND_set_rand_method() has already released by this point.  With
     * engine == NULL, a concurrent RAND_get_rand_method() could install an
     * ENGINE reference between the two calls that this store then overwrites.
     * Worth confirming whether callers serialise these two paths.
     */
    funct_ref = engine;
    CRYPTO_THREAD_unlock(rand_engine_lock);
    return 1;
}
#endif
dfeab068 | 736 | |
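/*
 * Feed |num| bytes from |buf| to the method's seed() hook, if the method
 * has one.  Silently does nothing if RAND_get_rand_method() returns NULL
 * (one-time init failed) -- previously that NULL was dereferenced.
 */
void RAND_seed(const void *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->seed != NULL)
        meth->seed(buf, num);
}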
dfeab068 | 744 | |
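/*
 * Feed |num| bytes from |buf|, carrying an estimated |randomness| (in
 * bytes, as the legacy API counts it), to the method's add() hook if it
 * has one.  Silently does nothing if RAND_get_rand_method() returns NULL
 * (one-time init failed) -- previously that NULL was dereferenced.
 */
void RAND_add(const void *buf, int num, double randomness)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->add != NULL)
        meth->add(buf, num, randomness);
}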
eb952088 | 752 | |
ddc6a5c8 RS |
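/*
 * This function is not part of RAND_METHOD, so if we're not using
 * the default method, then just call RAND_bytes(). Otherwise make
 * sure we're instantiated and use the private DRBG.
 *
 * Returns the result of RAND_DRBG_bytes() (or RAND_bytes()), and 0 if
 * no method could be resolved or no private DRBG is available.  The
 * explicit NULL check on |meth| avoids dereferencing the NULL that
 * RAND_get_rand_method() returns when its one-time init failed.
 */
int RAND_priv_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();
    RAND_DRBG *drbg;
    int ret;

    if (meth == NULL)
        return 0;

    if (meth != RAND_OpenSSL())
        return RAND_bytes(buf, num);

    drbg = RAND_DRBG_get0_private();
    if (drbg == NULL)
        return 0;

    /* We have to lock the DRBG before generating bits from it. */
    CRYPTO_THREAD_write_lock(drbg->lock);
    ret = RAND_DRBG_bytes(drbg, buf, num);
    CRYPTO_THREAD_unlock(drbg->lock);
    return ret;
}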
777 | ||
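/*
 * Fill |buf| with |num| random bytes via the method's bytes() hook.
 * Returns that hook's result; -1 (with RAND_R_FUNC_NOT_IMPLEMENTED raised)
 * if the method has no bytes() hook; 0 if no method could be resolved
 * because the one-time init failed -- previously that NULL method was
 * dereferenced.
 */
int RAND_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth == NULL)
        return 0;
    if (meth->bytes != NULL)
        return meth->bytes(buf, num);
    RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED);
    return -1;
}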
dfeab068 | 787 | |
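#if OPENSSL_API_COMPAT < 0x10100000L
/*
 * Deprecated entry point kept for API compatibility.  Calls the method's
 * pseudorand() hook and returns its result; -1 if the method has no such
 * hook or if no method could be resolved (one-time init failed) --
 * previously the NULL method was dereferenced in that case.
 */
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->pseudorand != NULL)
        return meth->pseudorand(buf, num);
    return -1;
}
#endif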
5eb8ca4d BM |
798 | |
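/*
 * Report whether the RNG considers itself seeded, via the method's
 * status() hook.  Returns 0 ("not seeded") if the method has no status()
 * hook, and also if no method could be resolved because the one-time
 * init failed -- previously the NULL method was dereferenced.
 */
int RAND_status(void)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->status != NULL)
        return meth->status();
    return 0;
}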