drbg: provide requested amount of entropy, rather than self-strength
author: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Fri, 1 Nov 2024 14:16:18 +0000 (14:16 +0000)
committer: Tomas Mraz <tomas@openssl.org>
Tue, 14 Jan 2025 11:12:02 +0000 (12:12 +0100)
Parent DRBG can be seed source (os or jitter) and thus able to provide
unlimited entropy.

get_entropy is documented to provide at least the requested amount of
entropy. If the requested amount of entropy is the same as, or less than,
drbg->strength, everything is compliant. However, if the requested entropy
is more than drbg->strength (unlikely, but possible), the returned
amount of entropy will be insufficient and additional repeated calls
to get_entropy will be required.

Reading the history of refactors, it seems to me that this function call
previously had assumptions and use cases that couldn't ever request or
require more than the strength amount of entropy.

If entropy is set, request that amount; otherwise request the
drbg->strength amount.

Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25850)

providers/implementations/rands/drbg.c

index 81f52cc267b3962aa70539e36a561bbeb2bd06e0..b359f6ecf5d78b8e2a59575c33f3f788265156c2 100644 (file)
@@ -235,7 +235,8 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
      *       a warning in some static code analyzers, but it's
      *       intentional and correct here.
      */
-    bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength,
+    bytes = drbg->parent_get_seed(drbg->parent, pout,
+                                  entropy > 0 ? entropy : (int) drbg->strength,
                                   min_len, max_len, prediction_resistance,
                                   (unsigned char *)&drbg, sizeof(drbg));
     ossl_drbg_unlock_parent(drbg);
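Review bot: the fallback `entropy > 0 ? entropy : (int) drbg->strength` treats a negative `entropy` exactly like 0 (unset) and silently requests `drbg->strength` instead; the commit message only describes entropy being "set" or not, so either state in a comment above the call that non-positive values mean "use the DRBG's own strength" or reject negative values explicitly. Since `min_len` and `max_len` are passed through unchanged while the requested entropy can now exceed `drbg->strength`, it is also worth confirming at the call site that those bounds were derived so that a larger-than-strength request can still be satisfied, and the preceding comment block (which explains the `&drbg` argument) would be a natural place to note why the request size no longer equals `drbg->strength`.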