1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <time.h> 12 #include "internal/cryptlib.h" 13 #include <openssl/opensslconf.h> 14 #include "internal/rand_int.h" 15 #include <openssl/engine.h> 16 #include "internal/thread_once.h" 17 #include "rand_lcl.h" 18 #include "e_os.h" 19 20 #ifndef OPENSSL_NO_ENGINE 21 /* non-NULL if default_RAND_meth is ENGINE-provided */ 22 static ENGINE *funct_ref; 23 static CRYPTO_RWLOCK *rand_engine_lock; 24 #endif 25 static CRYPTO_RWLOCK *rand_meth_lock; 26 static const RAND_METHOD *default_RAND_meth; 27 static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; 28 29 int rand_fork_count; 30 31 static CRYPTO_RWLOCK *rand_nonce_lock; 32 static int rand_nonce_count; 33 34 static int rand_inited = 0; 35 36 #ifdef OPENSSL_RAND_SEED_RDTSC 37 /* 38 * IMPORTANT NOTE: It is not currently possible to use this code 39 * because we are not sure about the amount of randomness it provides. 40 * Some SP900 tests have been run, but there is internal skepticism. 41 * So for now this code is not used. 42 */ 43 # error "RDTSC enabled? Should not be possible!" 44 45 /* 46 * Acquire entropy from high-speed clock 47 * 48 * Since we get some randomness from the low-order bits of the 49 * high-speed clock, it can help. 50 * 51 * Returns the total entropy count, if it exceeds the requested 52 * entropy count. Otherwise, returns an entropy count of 0. 53 */ 54 size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool) 55 { 56 unsigned char c; 57 int i; 58 59 if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) { 60 for (i = 0; i < TSC_READ_COUNT; i++) { 61 c = (unsigned char)(OPENSSL_rdtsc() & 0xFF); 62 rand_pool_add(pool, &c, 1, 4); 63 } 64 } 65 return rand_pool_entropy_available(pool); 66 } 67 #endif 68 69 #ifdef OPENSSL_RAND_SEED_RDCPU 70 size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); 71 size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); 72 73 extern unsigned int OPENSSL_ia32cap_P[]; 74 75 /* 76 * Acquire entropy using Intel-specific cpu instructions 77 * 78 * Uses the RDSEED instruction if available, otherwise uses 79 * RDRAND if available. 80 * 81 * For the differences between RDSEED and RDRAND, and why RDSEED 82 * is the preferred choice, see https://goo.gl/oK3KcN 83 * 84 * Returns the total entropy count, if it exceeds the requested 85 * entropy count. Otherwise, returns an entropy count of 0. 86 */ 87 size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) 88 { 89 size_t bytes_needed; 90 unsigned char *buffer; 91 92 bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 93 if (bytes_needed > 0) { 94 buffer = rand_pool_add_begin(pool, bytes_needed); 95 96 if (buffer != NULL) { 97 /* Whichever comes first, use RDSEED, RDRAND or nothing */ 98 if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) { 99 if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed) 100 == bytes_needed) { 101 rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); 102 } 103 } else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { 104 if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed) 105 == bytes_needed) { 106 rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); 107 } 108 } else { 109 rand_pool_add_end(pool, 0, 0); 110 } 111 } 112 } 113 114 return rand_pool_entropy_available(pool); 115 } 116 #endif 117 118 119 /* 120 * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) 121 * 122 * If the DRBG has a parent, then the required amount of entropy input 123 * is fetched using the parent's RAND_DRBG_generate(). 124 * 125 * Otherwise, the entropy is polled from the system entropy sources 126 * using rand_pool_acquire_entropy(). 127 * 128 * If a random pool has been added to the DRBG using RAND_add(), then 129 * its entropy will be used up first. 130 */ 131 size_t rand_drbg_get_entropy(RAND_DRBG *drbg, 132 unsigned char **pout, 133 int entropy, size_t min_len, size_t max_len, 134 int prediction_resistance) 135 { 136 size_t ret = 0; 137 size_t entropy_available = 0; 138 RAND_POOL *pool; 139 140 if (drbg->parent && drbg->strength > drbg->parent->strength) { 141 /* 142 * We currently don't support the algorithm from NIST SP 800-90C 143 * 10.1.2 to use a weaker DRBG as source 144 */ 145 RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK); 146 return 0; 147 } 148 149 if (drbg->seed_pool != NULL) { 150 pool = drbg->seed_pool; 151 pool->entropy_requested = entropy; 152 } else { 153 pool = rand_pool_new(entropy, min_len, max_len); 154 if (pool == NULL) 155 return 0; 156 } 157 158 if (drbg->parent) { 159 size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 160 unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); 161 162 if (buffer != NULL) { 163 size_t bytes = 0; 164 165 /* 166 * Get random from parent, include our state as additional input. 167 * Our lock is already held, but we need to lock our parent before 168 * generating bits from it. (Note: taking the lock will be a no-op 169 * if locking if drbg->parent->lock == NULL.) 170 */ 171 rand_drbg_lock(drbg->parent); 172 if (RAND_DRBG_generate(drbg->parent, 173 buffer, bytes_needed, 174 prediction_resistance, 175 NULL, 0) != 0) 176 bytes = bytes_needed; 177 drbg->reseed_next_counter 178 = tsan_load(&drbg->parent->reseed_prop_counter); 179 rand_drbg_unlock(drbg->parent); 180 181 rand_pool_add_end(pool, bytes, 8 * bytes); 182 entropy_available = rand_pool_entropy_available(pool); 183 } 184 185 } else { 186 if (prediction_resistance) { 187 /* 188 * We don't have any entropy sources that comply with the NIST 189 * standard to provide prediction resistance (see NIST SP 800-90C, 190 * Section 5.4). 191 */ 192 RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, 193 RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED); 194 goto err; 195 } 196 197 /* Get entropy by polling system entropy sources. */ 198 entropy_available = rand_pool_acquire_entropy(pool); 199 } 200 201 if (entropy_available > 0) { 202 ret = rand_pool_length(pool); 203 *pout = rand_pool_detach(pool); 204 } 205 206 err: 207 if (drbg->seed_pool == NULL) 208 rand_pool_free(pool); 209 return ret; 210 } 211 212 /* 213 * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) 214 * 215 */ 216 void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, 217 unsigned char *out, size_t outlen) 218 { 219 if (drbg->seed_pool == NULL) 220 OPENSSL_secure_clear_free(out, outlen); 221 } 222 223 224 /* 225 * Implements the get_nonce() callback (see RAND_DRBG_set_callbacks()) 226 * 227 */ 228 size_t rand_drbg_get_nonce(RAND_DRBG *drbg, 229 unsigned char **pout, 230 int entropy, size_t min_len, size_t max_len) 231 { 232 size_t ret = 0; 233 RAND_POOL *pool; 234 235 struct { 236 void * instance; 237 int count; 238 } data = { 0 }; 239 240 pool = rand_pool_new(0, min_len, max_len); 241 if (pool == NULL) 242 return 0; 243 244 if (rand_pool_add_nonce_data(pool) == 0) 245 goto err; 246 247 data.instance = drbg; 248 CRYPTO_atomic_add(&rand_nonce_count, 1, &data.count, rand_nonce_lock); 249 250 if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0) 251 goto err; 252 253 ret = rand_pool_length(pool); 254 *pout = rand_pool_detach(pool); 255 256 err: 257 rand_pool_free(pool); 258 259 return ret; 260 } 261 262 /* 263 * Implements the cleanup_nonce() callback (see RAND_DRBG_set_callbacks()) 264 * 265 */ 266 void rand_drbg_cleanup_nonce(RAND_DRBG *drbg, 267 unsigned char *out, size_t outlen) 268 { 269 OPENSSL_secure_clear_free(out, outlen); 270 } 271 272 /* 273 * Generate additional data that can be used for the drbg. The data does 274 * not need to contain entropy, but it's useful if it contains at least 275 * some bits that are unpredictable. 276 * 277 * Returns 0 on failure. 278 * 279 * On success it allocates a buffer at |*pout| and returns the length of 280 * the data. The buffer should get freed using OPENSSL_secure_clear_free(). 281 */ 282 size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout) 283 { 284 size_t ret = 0; 285 286 if (rand_pool_add_additional_data(pool) == 0) 287 goto err; 288 289 ret = rand_pool_length(pool); 290 *pout = rand_pool_detach(pool); 291 292 err: 293 return ret; 294 } 295 296 void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out) 297 { 298 rand_pool_reattach(pool, out); 299 } 300 301 void rand_fork(void) 302 { 303 rand_fork_count++; 304 } 305 306 DEFINE_RUN_ONCE_STATIC(do_rand_init) 307 { 308 #ifndef OPENSSL_NO_ENGINE 309 rand_engine_lock = CRYPTO_THREAD_lock_new(); 310 if (rand_engine_lock == NULL) 311 return 0; 312 #endif 313 314 rand_meth_lock = CRYPTO_THREAD_lock_new(); 315 if (rand_meth_lock == NULL) 316 goto err1; 317 318 rand_nonce_lock = CRYPTO_THREAD_lock_new(); 319 if (rand_nonce_lock == NULL) 320 goto err2; 321 322 if (!rand_pool_init()) 323 goto err3; 324 325 rand_inited = 1; 326 return 1; 327 328 err3: 329 CRYPTO_THREAD_lock_free(rand_nonce_lock); 330 rand_nonce_lock = NULL; 331 err2: 332 CRYPTO_THREAD_lock_free(rand_meth_lock); 333 rand_meth_lock = NULL; 334 err1: 335 #ifndef OPENSSL_NO_ENGINE 336 CRYPTO_THREAD_lock_free(rand_engine_lock); 337 rand_engine_lock = NULL; 338 #endif 339 return 0; 340 } 341 342 void rand_cleanup_int(void) 343 { 344 const RAND_METHOD *meth = default_RAND_meth; 345 346 if (!rand_inited) 347 return; 348 349 if (meth != NULL && meth->cleanup != NULL) 350 meth->cleanup(); 351 RAND_set_rand_method(NULL); 352 rand_pool_cleanup(); 353 #ifndef OPENSSL_NO_ENGINE 354 CRYPTO_THREAD_lock_free(rand_engine_lock); 355 rand_engine_lock = NULL; 356 #endif 357 CRYPTO_THREAD_lock_free(rand_meth_lock); 358 rand_meth_lock = NULL; 359 CRYPTO_THREAD_lock_free(rand_nonce_lock); 360 rand_nonce_lock = NULL; 361 rand_inited = 0; 362 } 363 364 /* 365 * RAND_close_seed_files() ensures that any seed file decriptors are 366 * closed after use. 367 */ 368 void RAND_keep_random_devices_open(int keep) 369 { 370 if (RUN_ONCE(&rand_init, do_rand_init)) 371 rand_pool_keep_random_devices_open(keep); 372 } 373 374 /* 375 * RAND_poll() reseeds the default RNG using random input 376 * 377 * The random input is obtained from polling various entropy 378 * sources which depend on the operating system and are 379 * configurable via the --with-rand-seed configure option. 380 */ 381 int RAND_poll(void) 382 { 383 int ret = 0; 384 385 RAND_POOL *pool = NULL; 386 387 const RAND_METHOD *meth = RAND_get_rand_method(); 388 389 if (meth == RAND_OpenSSL()) { 390 /* fill random pool and seed the master DRBG */ 391 RAND_DRBG *drbg = RAND_DRBG_get0_master(); 392 393 if (drbg == NULL) 394 return 0; 395 396 rand_drbg_lock(drbg); 397 ret = rand_drbg_restart(drbg, NULL, 0, 0); 398 rand_drbg_unlock(drbg); 399 400 return ret; 401 402 } else { 403 /* fill random pool and seed the current legacy RNG */ 404 pool = rand_pool_new(RAND_DRBG_STRENGTH, 405 RAND_DRBG_STRENGTH / 8, 406 RAND_POOL_MAX_LENGTH); 407 if (pool == NULL) 408 return 0; 409 410 if (rand_pool_acquire_entropy(pool) == 0) 411 goto err; 412 413 if (meth->add == NULL 414 || meth->add(rand_pool_buffer(pool), 415 rand_pool_length(pool), 416 (rand_pool_entropy(pool) / 8.0)) == 0) 417 goto err; 418 419 ret = 1; 420 } 421 422 err: 423 rand_pool_free(pool); 424 return ret; 425 } 426 427 /* 428 * Allocate memory and initialize a new random pool 429 */ 430 431 RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len) 432 { 433 RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); 434 435 if (pool == NULL) { 436 RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); 437 return NULL; 438 } 439 440 pool->min_len = min_len; 441 pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ? 442 RAND_POOL_MAX_LENGTH : max_len; 443 444 pool->buffer = OPENSSL_secure_zalloc(pool->max_len); 445 if (pool->buffer == NULL) { 446 RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); 447 goto err; 448 } 449 450 pool->entropy_requested = entropy_requested; 451 452 return pool; 453 454 err: 455 OPENSSL_free(pool); 456 return NULL; 457 } 458 459 /* 460 * Attach new random pool to the given buffer 461 * 462 * This function is intended to be used only for feeding random data 463 * provided by RAND_add() and RAND_seed() into the <master> DRBG. 464 */ 465 RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len, 466 size_t entropy) 467 { 468 RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); 469 470 if (pool == NULL) { 471 RANDerr(RAND_F_RAND_POOL_ATTACH, ERR_R_MALLOC_FAILURE); 472 return NULL; 473 } 474 475 /* 476 * The const needs to be cast away, but attached buffers will not be 477 * modified (in contrary to allocated buffers which are zeroed and 478 * freed in the end). 479 */ 480 pool->buffer = (unsigned char *) buffer; 481 pool->len = len; 482 483 pool->attached = 1; 484 485 pool->min_len = pool->max_len = pool->len; 486 pool->entropy = entropy; 487 488 return pool; 489 } 490 491 /* 492 * Free |pool|, securely erasing its buffer. 493 */ 494 void rand_pool_free(RAND_POOL *pool) 495 { 496 if (pool == NULL) 497 return; 498 499 /* 500 * Although it would be advisable from a cryptographical viewpoint, 501 * we are not allowed to clear attached buffers, since they are passed 502 * to rand_pool_attach() as `const unsigned char*`. 503 * (see corresponding comment in rand_pool_attach()). 504 */ 505 if (!pool->attached) 506 OPENSSL_secure_clear_free(pool->buffer, pool->max_len); 507 OPENSSL_free(pool); 508 } 509 510 /* 511 * Return the |pool|'s buffer to the caller (readonly). 512 */ 513 const unsigned char *rand_pool_buffer(RAND_POOL *pool) 514 { 515 return pool->buffer; 516 } 517 518 /* 519 * Return the |pool|'s entropy to the caller. 520 */ 521 size_t rand_pool_entropy(RAND_POOL *pool) 522 { 523 return pool->entropy; 524 } 525 526 /* 527 * Return the |pool|'s buffer length to the caller. 528 */ 529 size_t rand_pool_length(RAND_POOL *pool) 530 { 531 return pool->len; 532 } 533 534 /* 535 * Detach the |pool| buffer and return it to the caller. 536 * It's the responsibility of the caller to free the buffer 537 * using OPENSSL_secure_clear_free() or to re-attach it 538 * again to the pool using rand_pool_reattach(). 539 */ 540 unsigned char *rand_pool_detach(RAND_POOL *pool) 541 { 542 unsigned char *ret = pool->buffer; 543 pool->buffer = NULL; 544 pool->entropy = 0; 545 return ret; 546 } 547 548 /* 549 * Re-attach the |pool| buffer. It is only allowed to pass 550 * the |buffer| which was previously detached from the same pool. 551 */ 552 void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer) 553 { 554 pool->buffer = buffer; 555 OPENSSL_cleanse(pool->buffer, pool->len); 556 pool->len = 0; 557 } 558 559 /* 560 * If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one 561 * need to obtain at least |bits| bits of entropy? 562 */ 563 #define ENTROPY_TO_BYTES(bits, entropy_factor) \ 564 (((bits) * (entropy_factor) + 7) / 8) 565 566 567 /* 568 * Checks whether the |pool|'s entropy is available to the caller. 569 * This is the case when entropy count and buffer length are high enough. 570 * Returns 571 * 572 * |entropy| if the entropy count and buffer size is large enough 573 * 0 otherwise 574 */ 575 size_t rand_pool_entropy_available(RAND_POOL *pool) 576 { 577 if (pool->entropy < pool->entropy_requested) 578 return 0; 579 580 if (pool->len < pool->min_len) 581 return 0; 582 583 return pool->entropy; 584 } 585 586 /* 587 * Returns the (remaining) amount of entropy needed to fill 588 * the random pool. 589 */ 590 591 size_t rand_pool_entropy_needed(RAND_POOL *pool) 592 { 593 if (pool->entropy < pool->entropy_requested) 594 return pool->entropy_requested - pool->entropy; 595 596 return 0; 597 } 598 599 /* 600 * Returns the number of bytes needed to fill the pool, assuming 601 * the input has 1 / |entropy_factor| entropy bits per data bit. 602 * In case of an error, 0 is returned. 603 */ 604 605 size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor) 606 { 607 size_t bytes_needed; 608 size_t entropy_needed = rand_pool_entropy_needed(pool); 609 610 if (entropy_factor < 1) { 611 RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE); 612 return 0; 613 } 614 615 bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_factor); 616 617 if (bytes_needed > pool->max_len - pool->len) { 618 /* not enough space left */ 619 RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW); 620 return 0; 621 } 622 623 if (pool->len < pool->min_len && 624 bytes_needed < pool->min_len - pool->len) 625 /* to meet the min_len requirement */ 626 bytes_needed = pool->min_len - pool->len; 627 628 return bytes_needed; 629 } 630 631 /* Returns the remaining number of bytes available */ 632 size_t rand_pool_bytes_remaining(RAND_POOL *pool) 633 { 634 return pool->max_len - pool->len; 635 } 636 637 /* 638 * Add random bytes to the random pool. 639 * 640 * It is expected that the |buffer| contains |len| bytes of 641 * random input which contains at least |entropy| bits of 642 * randomness. 643 * 644 * Returns 1 if the added amount is adequate, otherwise 0 645 */ 646 int rand_pool_add(RAND_POOL *pool, 647 const unsigned char *buffer, size_t len, size_t entropy) 648 { 649 if (len > pool->max_len - pool->len) { 650 RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG); 651 return 0; 652 } 653 654 if (pool->buffer == NULL) { 655 RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); 656 return 0; 657 } 658 659 if (len > 0) { 660 memcpy(pool->buffer + pool->len, buffer, len); 661 pool->len += len; 662 pool->entropy += entropy; 663 } 664 665 return 1; 666 } 667 668 /* 669 * Start to add random bytes to the random pool in-place. 670 * 671 * Reserves the next |len| bytes for adding random bytes in-place 672 * and returns a pointer to the buffer. 673 * The caller is allowed to copy up to |len| bytes into the buffer. 674 * If |len| == 0 this is considered a no-op and a NULL pointer 675 * is returned without producing an error message. 676 * 677 * After updating the buffer, rand_pool_add_end() needs to be called 678 * to finish the udpate operation (see next comment). 679 */ 680 unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) 681 { 682 if (len == 0) 683 return NULL; 684 685 if (len > pool->max_len - pool->len) { 686 RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW); 687 return NULL; 688 } 689 690 if (pool->buffer == NULL) { 691 RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); 692 return 0; 693 } 694 695 return pool->buffer + pool->len; 696 } 697 698 /* 699 * Finish to add random bytes to the random pool in-place. 700 * 701 * Finishes an in-place update of the random pool started by 702 * rand_pool_add_begin() (see previous comment). 703 * It is expected that |len| bytes of random input have been added 704 * to the buffer which contain at least |entropy| bits of randomness. 705 * It is allowed to add less bytes than originally reserved. 706 */ 707 int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) 708 { 709 if (len > pool->max_len - pool->len) { 710 RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW); 711 return 0; 712 } 713 714 if (len > 0) { 715 pool->len += len; 716 pool->entropy += entropy; 717 } 718 719 return 1; 720 } 721 722 int RAND_set_rand_method(const RAND_METHOD *meth) 723 { 724 if (!RUN_ONCE(&rand_init, do_rand_init)) 725 return 0; 726 727 CRYPTO_THREAD_write_lock(rand_meth_lock); 728 #ifndef OPENSSL_NO_ENGINE 729 ENGINE_finish(funct_ref); 730 funct_ref = NULL; 731 #endif 732 default_RAND_meth = meth; 733 CRYPTO_THREAD_unlock(rand_meth_lock); 734 return 1; 735 } 736 737 const RAND_METHOD *RAND_get_rand_method(void) 738 { 739 const RAND_METHOD *tmp_meth = NULL; 740 741 if (!RUN_ONCE(&rand_init, do_rand_init)) 742 return NULL; 743 744 CRYPTO_THREAD_write_lock(rand_meth_lock); 745 if (default_RAND_meth == NULL) { 746 #ifndef OPENSSL_NO_ENGINE 747 ENGINE *e; 748 749 /* If we have an engine that can do RAND, use it. */ 750 if ((e = ENGINE_get_default_RAND()) != NULL 751 && (tmp_meth = ENGINE_get_RAND(e)) != NULL) { 752 funct_ref = e; 753 default_RAND_meth = tmp_meth; 754 } else { 755 ENGINE_finish(e); 756 default_RAND_meth = &rand_meth; 757 } 758 #else 759 default_RAND_meth = &rand_meth; 760 #endif 761 } 762 tmp_meth = default_RAND_meth; 763 CRYPTO_THREAD_unlock(rand_meth_lock); 764 return tmp_meth; 765 } 766 767 #ifndef OPENSSL_NO_ENGINE 768 int RAND_set_rand_engine(ENGINE *engine) 769 { 770 const RAND_METHOD *tmp_meth = NULL; 771 772 if (!RUN_ONCE(&rand_init, do_rand_init)) 773 return 0; 774 775 if (engine != NULL) { 776 if (!ENGINE_init(engine)) 777 return 0; 778 tmp_meth = ENGINE_get_RAND(engine); 779 if (tmp_meth == NULL) { 780 ENGINE_finish(engine); 781 return 0; 782 } 783 } 784 CRYPTO_THREAD_write_lock(rand_engine_lock); 785 /* This function releases any prior ENGINE so call it first */ 786 RAND_set_rand_method(tmp_meth); 787 funct_ref = engine; 788 CRYPTO_THREAD_unlock(rand_engine_lock); 789 return 1; 790 } 791 #endif 792 793 void RAND_seed(const void *buf, int num) 794 { 795 const RAND_METHOD *meth = RAND_get_rand_method(); 796 797 if (meth->seed != NULL) 798 meth->seed(buf, num); 799 } 800 801 void RAND_add(const void *buf, int num, double randomness) 802 { 803 const RAND_METHOD *meth = RAND_get_rand_method(); 804 805 if (meth->add != NULL) 806 meth->add(buf, num, randomness); 807 } 808 809 /* 810 * This function is not part of RAND_METHOD, so if we're not using 811 * the default method, then just call RAND_bytes(). Otherwise make 812 * sure we're instantiated and use the private DRBG. 813 */ 814 int RAND_priv_bytes(unsigned char *buf, int num) 815 { 816 const RAND_METHOD *meth = RAND_get_rand_method(); 817 RAND_DRBG *drbg; 818 int ret; 819 820 if (meth != RAND_OpenSSL()) 821 return RAND_bytes(buf, num); 822 823 drbg = RAND_DRBG_get0_private(); 824 if (drbg == NULL) 825 return 0; 826 827 ret = RAND_DRBG_bytes(drbg, buf, num); 828 return ret; 829 } 830 831 int RAND_bytes(unsigned char *buf, int num) 832 { 833 const RAND_METHOD *meth = RAND_get_rand_method(); 834 835 if (meth->bytes != NULL) 836 return meth->bytes(buf, num); 837 RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); 838 return -1; 839 } 840 841 #if OPENSSL_API_COMPAT < 0x10100000L 842 int RAND_pseudo_bytes(unsigned char *buf, int num) 843 { 844 const RAND_METHOD *meth = RAND_get_rand_method(); 845 846 if (meth->pseudorand != NULL) 847 return meth->pseudorand(buf, num); 848 return -1; 849 } 850 #endif 851 852 int RAND_status(void) 853 { 854 const RAND_METHOD *meth = RAND_get_rand_method(); 855 856 if (meth->status != NULL) 857 return meth->status(); 858 return 0; 859 } 860