1 | /* | |
2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdio.h> | |
11 | #include <time.h> | |
12 | #include "internal/cryptlib.h" | |
13 | #include <openssl/opensslconf.h> | |
14 | #include "internal/rand_int.h" | |
15 | #include <openssl/engine.h> | |
16 | #include "internal/thread_once.h" | |
17 | #include "rand_lcl.h" | |
18 | #ifdef OPENSSL_SYS_UNIX | |
19 | # include <sys/types.h> | |
20 | # include <unistd.h> | |
21 | # include <sys/time.h> | |
22 | #endif | |
23 | #include "e_os.h" | |
24 | ||
25 | /* Macro to convert two thirty two bit values into a sixty four bit one */ | |
26 | #define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) | |
27 | ||
28 | /* | |
29 | * Check for the existence and support of POSIX timers. The standard | |
30 | * says that the _POSIX_TIMERS macro will have a positive value if they | |
31 | * are available. | |
32 | * | |
33 | * However, we want an additional constraint: that the timer support does | |
34 | * not require an extra library dependency. Early versions of glibc | |
35 | * require -lrt to be specified on the link line to access the timers, | |
36 | * so this needs to be checked for. | |
37 | * | |
38 | * It is worse because some libraries define __GLIBC__ but don't | |
39 | * support the version testing macro (e.g. uClibc). This means | |
40 | * an extra check is needed. | |
41 | * | |
42 | * The final condition is: | |
43 | * "have posix timers and either not glibc or glibc without -lrt" | |
44 | * | |
45 | * The nested #if sequences are required to avoid using a parameterised | |
46 | * macro that might be undefined. | |
47 | */ | |
48 | #undef OSSL_POSIX_TIMER_OKAY | |
49 | #if defined(_POSIX_TIMERS) && _POSIX_TIMERS > 0 | |
50 | # if defined(__GLIBC__) | |
51 | # if defined(__GLIBC_PREREQ) | |
52 | # if __GLIBC_PREREQ(2, 17) | |
53 | # define OSSL_POSIX_TIMER_OKAY | |
54 | # endif | |
55 | # endif | |
56 | # else | |
57 | # define OSSL_POSIX_TIMER_OKAY | |
58 | # endif | |
59 | #endif | |
60 | ||
#ifndef OPENSSL_NO_ENGINE
/* non-NULL if default_RAND_meth is ENGINE-provided */
static ENGINE *funct_ref;
/* Held by RAND_set_rand_engine() while it swaps the method and funct_ref */
static CRYPTO_RWLOCK *rand_engine_lock;
#endif
/* Guards default_RAND_meth (RAND_set_rand_method() / RAND_get_rand_method()) */
static CRYPTO_RWLOCK *rand_meth_lock;
/* Method in use; NULL until RAND_get_rand_method() resolves the default */
static const RAND_METHOD *default_RAND_meth;
/* One-time creation of the locks above, see do_rand_init() */
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;

/* Bumped by rand_fork(); a plain int, no atomic access is used here */
int rand_fork_count;
71 | ||
72 | #ifdef OPENSSL_RAND_SEED_RDTSC | |
73 | /* | |
74 | * IMPORTANT NOTE: It is not currently possible to use this code | |
75 | * because we are not sure about the amount of randomness it provides. | |
76 | * Some SP900 tests have been run, but there is internal skepticism. | |
77 | * So for now this code is not used. | |
78 | */ | |
79 | # error "RDTSC enabled? Should not be possible!" | |
80 | ||
81 | /* | |
82 | * Acquire entropy from high-speed clock | |
83 | * | |
84 | * Since we get some randomness from the low-order bits of the | |
85 | * high-speed clock, it can help. | |
86 | * | |
87 | * Returns the total entropy count, if it exceeds the requested | |
88 | * entropy count. Otherwise, returns an entropy count of 0. | |
89 | */ | |
/*
 * Feed |pool| with TSC_READ_COUNT low-order bytes of the time stamp counter,
 * each credited with 4 bits of entropy, provided the CPU reports the feature
 * (bit 4 of OPENSSL_ia32cap_P[0] -- presumably the TSC flag; confirm against
 * the cpuid tables).  Returns rand_pool_entropy_available(pool).
 */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool)
{
    if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
        int round;

        for (round = 0; round < TSC_READ_COUNT; round++) {
            /* only the lowest byte of the counter is kept */
            unsigned char sample = (unsigned char)(OPENSSL_rdtsc() & 0xFF);

            rand_pool_add(pool, &sample, 1, 4);
        }
    }

    return rand_pool_entropy_available(pool);
}
103 | #endif | |
104 | ||
105 | #ifdef OPENSSL_RAND_SEED_RDCPU | |
106 | size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); | |
107 | size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); | |
108 | ||
109 | extern unsigned int OPENSSL_ia32cap_P[]; | |
110 | ||
111 | /* | |
112 | * Acquire entropy using Intel-specific cpu instructions | |
113 | * | |
114 | * Uses the RDSEED instruction if available, otherwise uses | |
115 | * RDRAND if available. | |
116 | * | |
117 | * For the differences between RDSEED and RDRAND, and why RDSEED | |
118 | * is the preferred choice, see https://goo.gl/oK3KcN | |
119 | * | |
120 | * Returns the total entropy count, if it exceeds the requested | |
121 | * entropy count. Otherwise, returns an entropy count of 0. | |
122 | */ | |
/*
 * Fill the pool's remaining entropy requirement from the CPU DRNG.
 *
 * RDSEED is tried first (bit 18 of OPENSSL_ia32cap_P[2]), then RDRAND
 * (bit 62, i.e. bit 30 of OPENSSL_ia32cap_P[1]).  Whichever succeeds is
 * credited with 8 bits of entropy per byte, so the CPU output is trusted
 * as full entropy here.  If neither instruction delivers the full amount
 * the reservation is closed with zero bytes and nothing is credited.
 *
 * Returns rand_pool_entropy_available(pool) after the update.
 */
size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool)
{
    size_t want = rand_pool_bytes_needed(pool, 8 /*entropy_per_byte*/);
    unsigned char *dst;

    if (want == 0)
        return rand_pool_entropy_available(pool);

    dst = rand_pool_add_begin(pool, want);
    if (dst == NULL)
        return rand_pool_entropy_available(pool);

    /* First choice: RDSEED. */
    if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0
        && OPENSSL_ia32_rdseed_bytes(dst, want) == want)
        return rand_pool_add_end(pool, want, 8 * want);

    /* Second choice: RDRAND. */
    if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0
        && OPENSSL_ia32_rdrand_bytes(dst, want) == want)
        return rand_pool_add_end(pool, want, 8 * want);

    /* Neither source delivered; release the reservation without credit. */
    return rand_pool_add_end(pool, 0, 0);
}
158 | #endif | |
159 | ||
160 | ||
161 | /* | |
162 | * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) | |
163 | * | |
164 | * If the DRBG has a parent, then the required amount of entropy input | |
165 | * is fetched using the parent's RAND_DRBG_generate(). | |
166 | * | |
167 | * Otherwise, the entropy is polled from the system entropy sources | |
168 | * using rand_pool_acquire_entropy(). | |
169 | * | |
170 | * If a random pool has been added to the DRBG using RAND_add(), then | |
171 | * its entropy will be used up first. | |
172 | */ | |
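/*
 * get_entropy() callback for a RAND_DRBG.
 *
 * @drbg     the DRBG asking for seed material
 * @pout     receives a detached pool buffer on success; the caller releases
 *           it through rand_drbg_cleanup_entropy()
 * @entropy  entropy (bits) that the buffer must contain
 * @min_len  minimum number of bytes to return
 * @max_len  maximum number of bytes to return (pool buffer size)
 *
 * Returns the number of bytes placed at |*pout|, or 0 on failure (error
 * queued where one of the helpers reports it).
 *
 * Any pool attached to the DRBG via RAND_add() is consumed first.  When the
 * request is already satisfied by that material, rand_pool_bytes_needed()
 * yields 0 and rand_pool_add_begin() returns NULL without an error; the
 * pool's own accounting is then consulted rather than treating the missing
 * reservation as a failure, which would silently discard the supplied
 * entropy.
 */
size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
                             unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len)
{
    size_t ret = 0;
    size_t entropy_available = 0;
    RAND_POOL *pool;

    if (drbg->parent && drbg->strength > drbg->parent->strength) {
        /*
         * We currently don't support the algorithm from NIST SP 800-90C
         * 10.1.2 to use a weaker DRBG as source
         */
        RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK);
        return 0;
    }

    pool = rand_pool_new(entropy, min_len, max_len);
    if (pool == NULL)
        return 0;

    /* Material supplied earlier through RAND_add() is used up first. */
    if (drbg->pool) {
        rand_pool_add(pool,
                      rand_pool_buffer(drbg->pool),
                      rand_pool_length(drbg->pool),
                      rand_pool_entropy(drbg->pool));
        rand_pool_free(drbg->pool);
        drbg->pool = NULL;
    }

    if (drbg->parent) {
        size_t bytes_needed = rand_pool_bytes_needed(pool, 8);
        unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);

        if (buffer != NULL) {
            size_t bytes = 0;

            /*
             * Get random from parent, include our state as additional input.
             * Our lock is already held, but we need to lock our parent before
             * generating bits from it. (Note: taking the lock is a no-op
             * if drbg->parent->lock == NULL.)
             */
            rand_drbg_lock(drbg->parent);
            if (RAND_DRBG_generate(drbg->parent,
                                   buffer, bytes_needed,
                                   0,
                                   (unsigned char *)drbg, sizeof(*drbg)) != 0)
                bytes = bytes_needed;
            rand_drbg_unlock(drbg->parent);

            /* Parent output is credited at 8 bits per byte. */
            entropy_available = rand_pool_add_end(pool, bytes, 8 * bytes);
        } else {
            /*
             * No reservation: bytes_needed was 0 (request already met from
             * drbg->pool) or reserving failed.  Let the pool decide; it
             * returns 0 unless both entropy and length requirements hold.
             */
            entropy_available = rand_pool_entropy_available(pool);
        }

    } else {
        /* Get entropy by polling system entropy sources. */
        entropy_available = rand_pool_acquire_entropy(pool);
    }

    if (entropy_available > 0) {
        ret = rand_pool_length(pool);
        *pout = rand_pool_detach(pool);
    }

    rand_pool_free(pool);
    return ret;
}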
240 | ||
241 | /* | |
242 | * Find a suitable source of time. Start with the highest resolution source | |
243 | * and work down to the slower ones. This is added as additional data and | |
244 | * isn't counted as randomness, so any result is acceptable. | |
245 | * | |
246 | * Returns 0 when we weren't able to find any time source | |
247 | */ | |
static uint64_t get_timer_bits(void)
{
    /* Fastest source: the CPU time stamp counter, if the platform has one. */
    uint64_t res = OPENSSL_rdtsc();

    if (res != 0)
        return res;
#if defined(_WIN32)
    {
        LARGE_INTEGER t;
        FILETIME ft;

        if (QueryPerformanceCounter(&t) != 0)
            return t.QuadPart;
        /* FILETIME fallback cannot fail; pack its two halves into 64 bits. */
        GetSystemTimeAsFileTime(&ft);
        return TWO32TO64(ft.dwHighDateTime, ft.dwLowDateTime);
    }
#elif defined(__sun) || defined(__hpux)
    return gethrtime();
#elif defined(_AIX)
    {
        timebasestruct_t t;

        read_wall_time(&t, TIMEBASE_SZ);
        return TWO32TO64(t.tb_high, t.tb_low);
    }
#else

# if defined(OSSL_POSIX_TIMER_OKAY)
    {
        struct timespec ts;
        clockid_t cid;

        /* Prefer a clock that keeps counting across suspend, then monotonic. */
#  ifdef CLOCK_BOOTTIME
        cid = CLOCK_BOOTTIME;
#  elif defined(_POSIX_MONOTONIC_CLOCK)
        cid = CLOCK_MONOTONIC;
#  else
        cid = CLOCK_REALTIME;
#  endif

        /*
         * TWO32TO64 keeps only the low 32 bits of tv_sec in the high half and
         * adds tv_nsec; the result is used as additional data only, so the
         * truncation is acceptable.
         */
        if (clock_gettime(cid, &ts) == 0)
            return TWO32TO64(ts.tv_sec, ts.tv_nsec);
    }
# endif
# if defined(__unix__) \
    || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
    {
        struct timeval tv;

        if (gettimeofday(&tv, NULL) == 0)
            return TWO32TO64(tv.tv_sec, tv.tv_usec);
    }
# endif
    {
        /* Last resort: one-second resolution; 0 signals "no source". */
        time_t t = time(NULL);
        if (t == (time_t)-1)
            return 0;
        return t;
    }
#endif
}
309 | ||
310 | /* | |
311 | * Generate additional data that can be used for the drbg. The data does | |
312 | * not need to contain entropy, but it's useful if it contains at least | |
313 | * some bits that are unpredictable. | |
314 | * | |
315 | * Returns 0 on failure. | |
316 | * | |
317 | * On success it allocates a buffer at |*pout| and returns the length of | |
318 | * the data. The buffer should get freed using OPENSSL_secure_clear_free(). | |
319 | */ | |
/*
 * Collect process id, thread id and timer bits into a freshly allocated
 * buffer for use as DRBG additional input.  Nothing here is credited with
 * entropy (every rand_pool_add() passes 0).
 *
 * On success |*pout| receives the detached buffer (free it with
 * OPENSSL_secure_clear_free()) and the byte count is returned; 0 means
 * nothing was collected or the pool could not be allocated.
 *
 * The return value of rand_pool_add() is not consulted: for a pool created
 * with requested entropy 0 it is 0 both on success (entropy stays 0) and on
 * an overflow error, so a failed add is visible only on the error queue.
 */
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
{
    RAND_POOL *pool = rand_pool_new(0, 0, max_len);
    CRYPTO_THREAD_ID tid;
    uint64_t ticks;
    size_t collected;
#ifdef OPENSSL_SYS_UNIX
    pid_t process;
#elif defined(OPENSSL_SYS_WIN32)
    DWORD process;
#endif

    if (pool == NULL)
        return 0;

    /* Order matters for the resulting byte layout: pid, thread id, timer. */
#ifdef OPENSSL_SYS_UNIX
    process = getpid();
    rand_pool_add(pool, (unsigned char *)&process, sizeof(process), 0);
#elif defined(OPENSSL_SYS_WIN32)
    process = GetCurrentProcessId();
    rand_pool_add(pool, (unsigned char *)&process, sizeof(process), 0);
#endif

    tid = CRYPTO_THREAD_get_current_id();
    if (tid != 0)
        rand_pool_add(pool, (unsigned char *)&tid, sizeof(tid), 0);

    ticks = get_timer_bits();
    if (ticks != 0)
        rand_pool_add(pool, (unsigned char *)&ticks, sizeof(ticks), 0);

    /* TODO: Use RDSEED? */

    collected = rand_pool_length(pool);
    if (collected != 0)
        *pout = rand_pool_detach(pool);
    rand_pool_free(pool);

    return collected;
}
361 | ||
362 | /* | |
363 | * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) | |
364 | * | |
365 | */ | |
/*
 * cleanup_entropy() callback: wipe and release the |outlen| bytes at |out|
 * that rand_drbg_get_entropy() handed out.  |drbg| is not consulted.
 */
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
                               unsigned char *out, size_t outlen)
{
    (void)drbg;
    OPENSSL_secure_clear_free(out, outlen);
}
371 | ||
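/*
 * Record that the process has forked by bumping rand_fork_count.
 *
 * Declared with an explicit (void) parameter list; the old empty-parens
 * form is a non-prototype declaration and disables argument checking.
 * The counter is a plain int; callers presumably invoke this from the
 * fork handler only, so no atomic access is used.
 */
void rand_fork(void)
{
    rand_fork_count++;
}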
376 | ||
/*
 * One-time initialisation run through RUN_ONCE(&rand_init, ...).
 * Creates the engine lock (unless ENGINE support is compiled out) and the
 * method lock.  Both allocations are attempted even if the first fails;
 * the result is 1 only when every lock was created.
 */
DEFINE_RUN_ONCE_STATIC(do_rand_init)
{
    int ok = 1;

#ifndef OPENSSL_NO_ENGINE
    rand_engine_lock = CRYPTO_THREAD_lock_new();
    if (rand_engine_lock == NULL)
        ok = 0;
#endif
    rand_meth_lock = CRYPTO_THREAD_lock_new();
    if (rand_meth_lock == NULL)
        ok = 0;

    return ok;
}
390 | ||
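/*
 * Library-shutdown cleanup for this module.
 *
 * Runs the active method's cleanup() hook, resets the method to NULL (which
 * also drops any ENGINE reference via RAND_set_rand_method()), then frees
 * the locks.  The lock pointers are cleared after freeing so that a later
 * accidental use fails on a NULL pointer instead of touching freed memory;
 * rand_init has already fired, so do_rand_init() will not recreate them.
 */
void rand_cleanup_int(void)
{
    const RAND_METHOD *meth = default_RAND_meth;

    if (meth != NULL && meth->cleanup != NULL)
        meth->cleanup();
    RAND_set_rand_method(NULL);
#ifndef OPENSSL_NO_ENGINE
    CRYPTO_THREAD_lock_free(rand_engine_lock);
    rand_engine_lock = NULL;
#endif
    CRYPTO_THREAD_lock_free(rand_meth_lock);
    rand_meth_lock = NULL;
}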
403 | ||
404 | /* | |
405 | * RAND_poll() reseeds the default RNG using random input | |
406 | * | |
407 | * The random input is obtained from polling various entropy | |
408 | * sources which depend on the operating system and are | |
409 | * configurable via the --with-rand-seed configure option. | |
410 | */ | |
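/*
 * Reseed the default RNG from the platform entropy sources.
 *
 * With the built-in method the master DRBG is restarted under its lock.
 * With a legacy RAND_METHOD a pool sized for RAND_DRBG_STRENGTH is filled
 * by rand_pool_acquire_entropy() and handed to meth->add() with the
 * entropy expressed in bytes (bits / 8.0).
 *
 * Returns 1 on success, 0 on failure.  A NULL method (RAND_get_rand_method()
 * returns NULL when one-time init failed) is now treated as failure instead
 * of being dereferenced in the legacy branch.
 */
int RAND_poll(void)
{
    const RAND_METHOD *meth = RAND_get_rand_method();
    RAND_POOL *pool = NULL;
    int ok = 0;

    if (meth == NULL)
        return 0;

    if (meth == RAND_OpenSSL()) {
        /* fill random pool and seed the master DRBG */
        RAND_DRBG *master = RAND_DRBG_get0_master();

        if (master == NULL)
            return 0;

        rand_drbg_lock(master);
        ok = rand_drbg_restart(master, NULL, 0, 0);
        rand_drbg_unlock(master);
        return ok;
    }

    /* fill random pool and seed the current legacy RNG */
    pool = rand_pool_new(RAND_DRBG_STRENGTH,
                         RAND_DRBG_STRENGTH / 8,
                         DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8));
    if (pool == NULL)
        return 0;

    if (rand_pool_acquire_entropy(pool) != 0
        && meth->add != NULL
        && meth->add(rand_pool_buffer(pool),
                     rand_pool_length(pool),
                     (rand_pool_entropy(pool) / 8.0)) != 0)
        ok = 1;

    rand_pool_free(pool);
    return ok;
}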
456 | ||
457 | /* | |
458 | * The 'random pool' acts as a dumb container for collecting random | |
459 | * input from various entropy sources. The pool has no knowledge about | |
460 | * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() | |
461 | * or into a new style RAND_DRBG. It is the caller's duty to 1) initialize the | |
462 | * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and | |
463 | * 4) cleanup the random pool again. | |
464 | * | |
465 | * The random pool contains no locking mechanism because its scope and | |
466 | * lifetime is intended to be restricted to a single stack frame. | |
467 | */ | |
/*
 * Invariants maintained by rand_pool_add(), rand_pool_add_begin() and
 * rand_pool_add_end(): len <= max_len.  |buffer| is secure-heap memory from
 * OPENSSL_secure_zalloc() and becomes NULL once rand_pool_detach() hands it
 * to the caller.
 */
struct rand_pool_st {
    unsigned char *buffer;  /* points to the beginning of the random pool */
    size_t len; /* current number of random bytes contained in the pool */

    size_t min_len; /* minimum number of random bytes requested */
    size_t max_len; /* maximum number of random bytes (allocated buffer size) */
    size_t entropy; /* current entropy count in bits */
    size_t requested_entropy; /* requested entropy count in bits */
};
477 | ||
478 | /* | |
479 | * Allocate memory and initialize a new random pool | |
480 | */ | |
481 | ||
/*
 * Create a pool that wants |entropy| bits and between |min_len| and
 * |max_len| bytes; the buffer of |max_len| bytes is taken from the secure
 * heap.  Returns NULL (with ERR_R_MALLOC_FAILURE queued) if either
 * allocation fails.  |entropy| is stored into a size_t, so a negative value
 * would wrap; callers are expected to pass a non-negative count.
 */
RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
{
    RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));

    if (pool == NULL) {
        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    pool->min_len = min_len;
    pool->max_len = max_len;
    pool->requested_entropy = entropy;

    pool->buffer = OPENSSL_secure_zalloc(pool->max_len);
    if (pool->buffer == NULL) {
        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
        OPENSSL_free(pool);
        return NULL;
    }

    return pool;
}
508 | ||
509 | /* | |
510 | * Free |pool|, securely erasing its buffer. | |
511 | */ | |
/*
 * Release |pool|: the buffer is wiped and returned to the secure heap, then
 * the struct itself is freed.  NULL is accepted.  The buffer may already be
 * NULL if rand_pool_detach() handed it to the caller.
 */
void rand_pool_free(RAND_POOL *pool)
{
    if (pool != NULL) {
        OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
        OPENSSL_free(pool);
    }
}
520 | ||
521 | /* | |
522 | * Return the |pool|'s buffer to the caller (readonly). | |
523 | */ | |
/* Read-only view of the pool's buffer; ownership stays with |pool|. */
const unsigned char *rand_pool_buffer(RAND_POOL *pool)
{
    const unsigned char *data = pool->buffer;

    return data;
}
528 | ||
529 | /* | |
530 | * Return the |pool|'s entropy to the caller. | |
531 | */ | |
/* Entropy (in bits) credited to the pool so far. */
size_t rand_pool_entropy(RAND_POOL *pool)
{
    size_t bits = pool->entropy;

    return bits;
}
536 | ||
537 | /* | |
538 | * Return the |pool|'s buffer length to the caller. | |
539 | */ | |
/* Number of bytes currently stored in the pool. */
size_t rand_pool_length(RAND_POOL *pool)
{
    size_t count = pool->len;

    return count;
}
544 | ||
545 | /* | |
546 | * Detach the |pool| buffer and return it to the caller. | |
547 | * It's the responsibility of the caller to free the buffer | |
548 | * using OPENSSL_secure_clear_free(). | |
549 | */ | |
/*
 * Hand the buffer to the caller and drop it from |pool| so that
 * rand_pool_free() will not wipe it.  The caller must release it with
 * OPENSSL_secure_clear_free().
 */
unsigned char *rand_pool_detach(RAND_POOL *pool)
{
    unsigned char *handed_out;

    handed_out = pool->buffer;
    pool->buffer = NULL;

    return handed_out;
}
556 | ||
557 | ||
558 | /* | |
559 | * If every byte of the input contains |entropy_per_bytes| bits of entropy, | |
560 | * how many bytes does one need to obtain at least |bits| bits of entropy? | |
561 | */ | |
562 | #define ENTROPY_TO_BYTES(bits, entropy_per_bytes) \ | |
563 | (((bits) + ((entropy_per_bytes) - 1))/(entropy_per_bytes)) | |
564 | ||
565 | ||
566 | /* | |
567 | * Checks whether the |pool|'s entropy is available to the caller. | |
568 | * This is the case when entropy count and buffer length are high enough. | |
569 | * Returns | |
570 | * | |
571 | * |entropy| if the entropy count and buffer size is large enough | |
572 | * 0 otherwise | |
573 | */ | |
/*
 * Report the pool's entropy count only once both the requested entropy and
 * the minimum length have been reached; otherwise report 0.
 */
size_t rand_pool_entropy_available(RAND_POOL *pool)
{
    int enough_entropy = pool->entropy >= pool->requested_entropy;
    int enough_bytes = pool->len >= pool->min_len;

    return (enough_entropy && enough_bytes) ? pool->entropy : 0;
}
584 | ||
585 | /* | |
586 | * Returns the (remaining) amount of entropy needed to fill | |
587 | * the random pool. | |
588 | */ | |
589 | ||
/* Bits still missing to reach the requested entropy, 0 if already met. */
size_t rand_pool_entropy_needed(RAND_POOL *pool)
{
    size_t have = pool->entropy;
    size_t want = pool->requested_entropy;

    return have < want ? want - have : 0;
}
597 | ||
598 | /* | |
599 | * Returns the number of bytes needed to fill the pool, assuming | |
600 | * the input has 'entropy_per_byte' entropy bits per byte. | |
601 | * In case of an error, 0 is returned. | |
602 | */ | |
603 | ||
/*
 * Bytes that must still be added, assuming |entropy_per_byte| bits per byte
 * (must be 1..8).  The count is rounded up, checked against the free space,
 * and then raised to whatever is missing to reach min_len.  Returns 0 with
 * an error queued if the rate is out of range or the entropy-derived count
 * does not fit; the min_len top-up is not re-checked against the free space,
 * which presumes min_len <= max_len.
 */
size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte)
{
    size_t entropy_needed = rand_pool_entropy_needed(pool);
    size_t space_left = pool->max_len - pool->len;
    size_t bytes;

    if (entropy_per_byte < 1 || entropy_per_byte > 8) {
        RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE);
        return 0;
    }

    bytes = ENTROPY_TO_BYTES(entropy_needed, entropy_per_byte);
    if (bytes > space_left) {
        /* not enough space left */
        RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW);
        return 0;
    }

    if (pool->len < pool->min_len) {
        size_t to_min = pool->min_len - pool->len;

        /* to meet the min_len requirement */
        if (bytes < to_min)
            bytes = to_min;
    }

    return bytes;
}
629 | ||
630 | /* Returns the remaining number of bytes available */ | |
/* Free space in the buffer, in bytes. */
size_t rand_pool_bytes_remaining(RAND_POOL *pool)
{
    size_t space_left = pool->max_len - pool->len;

    return space_left;
}
635 | ||
636 | /* | |
637 | * Add random bytes to the random pool. | |
638 | * | |
639 | * It is expected that the |buffer| contains |len| bytes of | |
640 | * random input which contains at least |entropy| bits of | |
641 | * randomness. | |
642 | * | |
643 | * Return available amount of entropy after this operation. | |
644 | * (see rand_pool_entropy_available(pool)) | |
645 | */ | |
/*
 * Append |len| bytes from |buffer| and credit |entropy| bits.
 *
 * Fails with RAND_R_ENTROPY_INPUT_TOO_LONG (returning 0) when the bytes do
 * not fit.  A zero-length add changes nothing.  The entropy claim is taken
 * on trust: nothing here relates |entropy| to |len|.
 *
 * Returns rand_pool_entropy_available(pool) after the update.
 */
size_t rand_pool_add(RAND_POOL *pool,
                     const unsigned char *buffer, size_t len, size_t entropy)
{
    size_t space_left = pool->max_len - pool->len;

    if (len > space_left) {
        RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG);
        return 0;
    }

    if (len != 0) {
        memcpy(pool->buffer + pool->len, buffer, len);
        pool->len += len;
        pool->entropy += entropy;
    }

    return rand_pool_entropy_available(pool);
}
662 | ||
663 | /* | |
664 | * Start to add random bytes to the random pool in-place. | |
665 | * | |
666 | * Reserves the next |len| bytes for adding random bytes in-place | |
667 | * and returns a pointer to the buffer. | |
668 | * The caller is allowed to copy up to |len| bytes into the buffer. | |
669 | * If |len| == 0 this is considered a no-op and a NULL pointer | |
670 | * is returned without producing an error message. | |
671 | * | |
672 | * After updating the buffer, rand_pool_add_end() needs to be called | |
673 | * to finish the update operation (see next comment). | |
674 | */ | |
/*
 * Reserve |len| bytes at the end of the pool for in-place writing and
 * return their address.  |len| == 0 yields NULL silently; a |len| that does
 * not fit yields NULL with RAND_R_RANDOM_POOL_OVERFLOW queued.  The pool's
 * length is not changed until rand_pool_add_end() is called.
 */
unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
{
    size_t space_left;

    if (len == 0)
        return NULL;

    space_left = pool->max_len - pool->len;
    if (len > space_left) {
        RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW);
        return NULL;
    }

    return pool->buffer + pool->len;
}
687 | ||
688 | /* | |
689 | * Finish to add random bytes to the random pool in-place. | |
690 | * | |
691 | * Finishes an in-place update of the random pool started by | |
692 | * rand_pool_add_begin() (see previous comment). | |
693 | * It is expected that |len| bytes of random input have been added | |
694 | * to the buffer which contain at least |entropy| bits of randomness. | |
695 | * It is allowed to add less bytes than originally reserved. | |
696 | */ | |
/*
 * Commit an in-place update started with rand_pool_add_begin(): advance the
 * length by |len| (which may be less than what was reserved, including 0)
 * and credit |entropy| bits.  Returns 0 with RAND_R_RANDOM_POOL_OVERFLOW
 * queued if |len| exceeds the free space, otherwise
 * rand_pool_entropy_available(pool).
 */
size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
{
    size_t space_left = pool->max_len - pool->len;

    if (len > space_left) {
        RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW);
        return 0;
    }

    if (len != 0) {
        pool->len += len;
        pool->entropy += entropy;
    }

    return rand_pool_entropy_available(pool);
}
711 | ||
/*
 * Install |meth| as the default RAND_METHOD (NULL resets it so that
 * RAND_get_rand_method() resolves a default again).  Any ENGINE that
 * supplied the previous method is released.  Returns 0 only if the
 * one-time lock initialisation failed, 1 otherwise.
 */
int RAND_set_rand_method(const RAND_METHOD *meth)
{
    int initialised = RUN_ONCE(&rand_init, do_rand_init);

    if (initialised) {
        CRYPTO_THREAD_write_lock(rand_meth_lock);
#ifndef OPENSSL_NO_ENGINE
        ENGINE_finish(funct_ref);
        funct_ref = NULL;
#endif
        default_RAND_meth = meth;
        CRYPTO_THREAD_unlock(rand_meth_lock);
    }

    return initialised ? 1 : 0;
}
726 | ||
/*
 * Return the RAND_METHOD in use, resolving it on first call: the default
 * RAND ENGINE if one offers a method, else the built-in rand_meth.
 * Returns NULL only if the one-time lock initialisation failed.
 *
 * A write lock is taken even on the read path because the first caller
 * may have to set default_RAND_meth (and funct_ref).
 */
const RAND_METHOD *RAND_get_rand_method(void)
{
    const RAND_METHOD *result;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return NULL;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
    if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
        ENGINE *e = ENGINE_get_default_RAND();
        const RAND_METHOD *from_engine = NULL;

        /* If we have an engine that can do RAND, use it. */
        if (e != NULL)
            from_engine = ENGINE_get_RAND(e);

        if (from_engine != NULL) {
            /* the ENGINE reference is kept for as long as its method is used */
            funct_ref = e;
            default_RAND_meth = from_engine;
        } else {
            /* e may be NULL here; ENGINE_finish() presumably tolerates that */
            ENGINE_finish(e);
            default_RAND_meth = &rand_meth;
        }
#else
        default_RAND_meth = &rand_meth;
#endif
    }
    result = default_RAND_meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);

    return result;
}
756 | ||
757 | #ifndef OPENSSL_NO_ENGINE | |
/*
 * Make |engine|'s RAND implementation the default method (NULL clears it).
 * The ENGINE is initialised here and its reference is held in funct_ref;
 * RAND_set_rand_method() releases the previous one first.  Returns 1 on
 * success, 0 if init fails, the ENGINE has no RAND method, or one-time
 * lock initialisation failed.  RAND_set_rand_method()'s result is not
 * checked since RUN_ONCE already succeeded at this point.
 */
int RAND_set_rand_engine(ENGINE *engine)
{
    const RAND_METHOD *engine_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return 0;

    if (engine != NULL) {
        if (!ENGINE_init(engine))
            return 0;
        if ((engine_meth = ENGINE_get_RAND(engine)) == NULL) {
            /* undo ENGINE_init() before failing */
            ENGINE_finish(engine);
            return 0;
        }
    }

    CRYPTO_THREAD_write_lock(rand_engine_lock);
    /* This function releases any prior ENGINE so call it first */
    RAND_set_rand_method(engine_meth);
    funct_ref = engine;
    CRYPTO_THREAD_unlock(rand_engine_lock);

    return 1;
}
781 | #endif | |
782 | ||
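/*
 * Pass |num| bytes of seed material to the active method's seed() hook.
 * A NULL method (one-time init failed) or a method without seed() is a
 * silent no-op; previously a NULL method was dereferenced.
 */
void RAND_seed(const void *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->seed != NULL)
        meth->seed(buf, num);
}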
790 | ||
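/*
 * Pass |num| bytes claimed to carry |randomness| bytes of entropy to the
 * active method's add() hook.  A NULL method (one-time init failed) or a
 * method without add() is a silent no-op; previously a NULL method was
 * dereferenced.
 */
void RAND_add(const void *buf, int num, double randomness)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->add != NULL)
        meth->add(buf, num, randomness);
}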
798 | ||
799 | /* | |
800 | * This function is not part of RAND_METHOD, so if we're not using | |
801 | * the default method, then just call RAND_bytes(). Otherwise make | |
802 | * sure we're instantiated and use the private DRBG. | |
803 | */ | |
/*
 * Generate |num| private bytes.  Only the built-in method has a separate
 * private DRBG; any other method is served by RAND_bytes().  Returns 0 if
 * the private DRBG is unavailable, otherwise RAND_DRBG_bytes()'s result.
 */
int RAND_priv_bytes(unsigned char *buf, int num)
{
    RAND_DRBG *private_drbg;
    int ret;

    if (RAND_get_rand_method() != RAND_OpenSSL())
        return RAND_bytes(buf, num);

    private_drbg = RAND_DRBG_get0_private();
    if (private_drbg == NULL)
        return 0;

    /* the DRBG must be locked while bits are generated from it */
    rand_drbg_lock(private_drbg);
    ret = RAND_DRBG_bytes(private_drbg, buf, num);
    rand_drbg_unlock(private_drbg);

    return ret;
}
823 | ||
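/*
 * Generate |num| random bytes into |buf| through the active method.
 * Returns whatever meth->bytes() returns; -1 with RAND_R_FUNC_NOT_IMPLEMENTED
 * queued when there is no bytes() hook or no method at all (one-time init
 * failed).  Previously a NULL method was dereferenced.
 */
int RAND_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->bytes != NULL)
        return meth->bytes(buf, num);
    RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED);
    return -1;
}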
833 | ||
834 | #if OPENSSL_API_COMPAT < 0x10100000L | |
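/*
 * Deprecated entry point kept for API compatibility.  Returns whatever
 * meth->pseudorand() returns, or -1 when the hook is absent or the method
 * is NULL (one-time init failed); previously a NULL method was dereferenced.
 */
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->pseudorand != NULL)
        return meth->pseudorand(buf, num);
    return -1;
}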
843 | #endif | |
844 | ||
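/*
 * Report the active method's status() result.  Returns 0 when the hook is
 * absent or the method is NULL (one-time init failed); previously a NULL
 * method was dereferenced.
 */
int RAND_status(void)
{
    const RAND_METHOD *meth = RAND_get_rand_method();

    if (meth != NULL && meth->status != NULL)
        return meth->status();
    return 0;
}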