1 /* 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <time.h> 12 #include "internal/cryptlib.h" 13 #include <openssl/opensslconf.h> 14 #include "crypto/rand.h" 15 #include <openssl/engine.h> 16 #include "internal/thread_once.h" 17 #include "rand_local.h" 18 #include "e_os.h" 19 20 #ifndef OPENSSL_NO_ENGINE 21 /* non-NULL if default_RAND_meth is ENGINE-provided */ 22 static ENGINE *funct_ref; 23 static CRYPTO_RWLOCK *rand_engine_lock; 24 #endif 25 static CRYPTO_RWLOCK *rand_meth_lock; 26 static const RAND_METHOD *default_RAND_meth; 27 static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; 28 29 static CRYPTO_RWLOCK *rand_nonce_lock; 30 static int rand_nonce_count; 31 32 static int rand_inited = 0; 33 34 #ifdef OPENSSL_RAND_SEED_RDTSC 35 /* 36 * IMPORTANT NOTE: It is not currently possible to use this code 37 * because we are not sure about the amount of randomness it provides. 38 * Some SP900 tests have been run, but there is internal skepticism. 39 * So for now this code is not used. 40 */ 41 # error "RDTSC enabled? Should not be possible!" 42 43 /* 44 * Acquire entropy from high-speed clock 45 * 46 * Since we get some randomness from the low-order bits of the 47 * high-speed clock, it can help. 48 * 49 * Returns the total entropy count, if it exceeds the requested 50 * entropy count. Otherwise, returns an entropy count of 0. 51 */ 52 size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool) 53 { 54 unsigned char c; 55 int i; 56 57 if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) { 58 for (i = 0; i < TSC_READ_COUNT; i++) { 59 c = (unsigned char)(OPENSSL_rdtsc() & 0xFF); 60 rand_pool_add(pool, &c, 1, 4); 61 } 62 } 63 return rand_pool_entropy_available(pool); 64 } 65 #endif 66 67 #ifdef OPENSSL_RAND_SEED_RDCPU 68 size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); 69 size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); 70 71 extern unsigned int OPENSSL_ia32cap_P[]; 72 73 /* 74 * Acquire entropy using Intel-specific cpu instructions 75 * 76 * Uses the RDSEED instruction if available, otherwise uses 77 * RDRAND if available. 78 * 79 * For the differences between RDSEED and RDRAND, and why RDSEED 80 * is the preferred choice, see https://goo.gl/oK3KcN 81 * 82 * Returns the total entropy count, if it exceeds the requested 83 * entropy count. Otherwise, returns an entropy count of 0. 84 */ 85 size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) 86 { 87 size_t bytes_needed; 88 unsigned char *buffer; 89 90 bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 91 if (bytes_needed > 0) { 92 buffer = rand_pool_add_begin(pool, bytes_needed); 93 94 if (buffer != NULL) { 95 /* Whichever comes first, use RDSEED, RDRAND or nothing */ 96 if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) { 97 if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed) 98 == bytes_needed) { 99 rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); 100 } 101 } else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { 102 if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed) 103 == bytes_needed) { 104 rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); 105 } 106 } else { 107 rand_pool_add_end(pool, 0, 0); 108 } 109 } 110 } 111 112 return rand_pool_entropy_available(pool); 113 } 114 #endif 115 116 117 /* 118 * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) 119 * 120 * If the DRBG has a parent, then the required amount of entropy input 121 * is fetched using the parent's RAND_DRBG_generate(). 122 * 123 * Otherwise, the entropy is polled from the system entropy sources 124 * using rand_pool_acquire_entropy(). 125 * 126 * If a random pool has been added to the DRBG using RAND_add(), then 127 * its entropy will be used up first. 128 */ 129 size_t rand_drbg_get_entropy(RAND_DRBG *drbg, 130 unsigned char **pout, 131 int entropy, size_t min_len, size_t max_len, 132 int prediction_resistance) 133 { 134 size_t ret = 0; 135 size_t entropy_available = 0; 136 RAND_POOL *pool; 137 138 if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) { 139 /* 140 * We currently don't support the algorithm from NIST SP 800-90C 141 * 10.1.2 to use a weaker DRBG as source 142 */ 143 RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK); 144 return 0; 145 } 146 147 if (drbg->seed_pool != NULL) { 148 pool = drbg->seed_pool; 149 pool->entropy_requested = entropy; 150 } else { 151 pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); 152 if (pool == NULL) 153 return 0; 154 } 155 156 if (drbg->parent != NULL) { 157 size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); 158 unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); 159 160 if (buffer != NULL) { 161 size_t bytes = 0; 162 163 /* 164 * Get random data from parent. Include our address as additional input, 165 * in order to provide some additional distinction between different 166 * DRBG child instances. 167 * Our lock is already held, but we need to lock our parent before 168 * generating bits from it. (Note: taking the lock will be a no-op 169 * if locking if drbg->parent->lock == NULL.) 170 */ 171 rand_drbg_lock(drbg->parent); 172 if (RAND_DRBG_generate(drbg->parent, 173 buffer, bytes_needed, 174 prediction_resistance, 175 (unsigned char *)&drbg, sizeof(drbg)) != 0) 176 bytes = bytes_needed; 177 drbg->reseed_next_counter 178 = tsan_load(&drbg->parent->reseed_prop_counter); 179 rand_drbg_unlock(drbg->parent); 180 181 rand_pool_add_end(pool, bytes, 8 * bytes); 182 entropy_available = rand_pool_entropy_available(pool); 183 } 184 185 } else { 186 if (prediction_resistance) { 187 /* 188 * We don't have any entropy sources that comply with the NIST 189 * standard to provide prediction resistance (see NIST SP 800-90C, 190 * Section 5.4). 191 */ 192 RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, 193 RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED); 194 goto err; 195 } 196 197 /* Get entropy by polling system entropy sources. */ 198 entropy_available = rand_pool_acquire_entropy(pool); 199 } 200 201 if (entropy_available > 0) { 202 ret = rand_pool_length(pool); 203 *pout = rand_pool_detach(pool); 204 } 205 206 err: 207 if (drbg->seed_pool == NULL) 208 rand_pool_free(pool); 209 return ret; 210 } 211 212 /* 213 * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) 214 * 215 */ 216 void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, 217 unsigned char *out, size_t outlen) 218 { 219 if (drbg->seed_pool == NULL) { 220 if (drbg->secure) 221 OPENSSL_secure_clear_free(out, outlen); 222 else 223 OPENSSL_clear_free(out, outlen); 224 } 225 } 226 227 228 /* 229 * Implements the get_nonce() callback (see RAND_DRBG_set_callbacks()) 230 * 231 */ 232 size_t rand_drbg_get_nonce(RAND_DRBG *drbg, 233 unsigned char **pout, 234 int entropy, size_t min_len, size_t max_len) 235 { 236 size_t ret = 0; 237 RAND_POOL *pool; 238 239 struct { 240 void * instance; 241 int count; 242 } data; 243 244 memset(&data, 0, sizeof(data)); 245 pool = rand_pool_new(0, 0, min_len, max_len); 246 if (pool == NULL) 247 return 0; 248 249 if (rand_pool_add_nonce_data(pool) == 0) 250 goto err; 251 252 data.instance = drbg; 253 CRYPTO_atomic_add(&rand_nonce_count, 1, &data.count, rand_nonce_lock); 254 255 if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0) 256 goto err; 257 258 ret = rand_pool_length(pool); 259 *pout = rand_pool_detach(pool); 260 261 err: 262 rand_pool_free(pool); 263 264 return ret; 265 } 266 267 /* 268 * Implements the cleanup_nonce() callback (see RAND_DRBG_set_callbacks()) 269 * 270 */ 271 void rand_drbg_cleanup_nonce(RAND_DRBG *drbg, 272 unsigned char *out, size_t outlen) 273 { 274 OPENSSL_clear_free(out, outlen); 275 } 276 277 /* 278 * Generate additional data that can be used for the drbg. The data does 279 * not need to contain entropy, but it's useful if it contains at least 280 * some bits that are unpredictable. 281 * 282 * Returns 0 on failure. 283 * 284 * On success it allocates a buffer at |*pout| and returns the length of 285 * the data. The buffer should get freed using OPENSSL_secure_clear_free(). 286 */ 287 size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout) 288 { 289 size_t ret = 0; 290 291 if (rand_pool_add_additional_data(pool) == 0) 292 goto err; 293 294 ret = rand_pool_length(pool); 295 *pout = rand_pool_detach(pool); 296 297 err: 298 return ret; 299 } 300 301 void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out) 302 { 303 rand_pool_reattach(pool, out); 304 } 305 306 DEFINE_RUN_ONCE_STATIC(do_rand_init) 307 { 308 #ifndef OPENSSL_NO_ENGINE 309 rand_engine_lock = CRYPTO_THREAD_lock_new(); 310 if (rand_engine_lock == NULL) 311 return 0; 312 #endif 313 314 rand_meth_lock = CRYPTO_THREAD_lock_new(); 315 if (rand_meth_lock == NULL) 316 goto err1; 317 318 rand_nonce_lock = CRYPTO_THREAD_lock_new(); 319 if (rand_nonce_lock == NULL) 320 goto err2; 321 322 if (!rand_pool_init()) 323 goto err3; 324 325 rand_inited = 1; 326 return 1; 327 328 err3: 329 CRYPTO_THREAD_lock_free(rand_nonce_lock); 330 rand_nonce_lock = NULL; 331 err2: 332 CRYPTO_THREAD_lock_free(rand_meth_lock); 333 rand_meth_lock = NULL; 334 err1: 335 #ifndef OPENSSL_NO_ENGINE 336 CRYPTO_THREAD_lock_free(rand_engine_lock); 337 rand_engine_lock = NULL; 338 #endif 339 return 0; 340 } 341 342 void rand_cleanup_int(void) 343 { 344 const RAND_METHOD *meth = default_RAND_meth; 345 346 if (!rand_inited) 347 return; 348 349 if (meth != NULL && meth->cleanup != NULL) 350 meth->cleanup(); 351 RAND_set_rand_method(NULL); 352 rand_pool_cleanup(); 353 #ifndef OPENSSL_NO_ENGINE 354 CRYPTO_THREAD_lock_free(rand_engine_lock); 355 rand_engine_lock = NULL; 356 #endif 357 CRYPTO_THREAD_lock_free(rand_meth_lock); 358 rand_meth_lock = NULL; 359 CRYPTO_THREAD_lock_free(rand_nonce_lock); 360 rand_nonce_lock = NULL; 361 rand_inited = 0; 362 } 363 364 /* 365 * RAND_close_seed_files() ensures that any seed file descriptors are 366 * closed after use. 367 */ 368 void RAND_keep_random_devices_open(int keep) 369 { 370 if (RUN_ONCE(&rand_init, do_rand_init)) 371 rand_pool_keep_random_devices_open(keep); 372 } 373 374 /* 375 * RAND_poll() reseeds the default RNG using random input 376 * 377 * The random input is obtained from polling various entropy 378 * sources which depend on the operating system and are 379 * configurable via the --with-rand-seed configure option. 380 */ 381 int RAND_poll(void) 382 { 383 int ret = 0; 384 385 RAND_POOL *pool = NULL; 386 387 const RAND_METHOD *meth = RAND_get_rand_method(); 388 389 if (meth == NULL) 390 return 0; 391 392 if (meth == RAND_OpenSSL()) { 393 /* fill random pool and seed the master DRBG */ 394 RAND_DRBG *drbg = RAND_DRBG_get0_master(); 395 396 if (drbg == NULL) 397 return 0; 398 399 rand_drbg_lock(drbg); 400 ret = rand_drbg_restart(drbg, NULL, 0, 0); 401 rand_drbg_unlock(drbg); 402 403 return ret; 404 405 } else { 406 /* fill random pool and seed the current legacy RNG */ 407 pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, 408 (RAND_DRBG_STRENGTH + 7) / 8, 409 RAND_POOL_MAX_LENGTH); 410 if (pool == NULL) 411 return 0; 412 413 if (rand_pool_acquire_entropy(pool) == 0) 414 goto err; 415 416 if (meth->add == NULL 417 || meth->add(rand_pool_buffer(pool), 418 rand_pool_length(pool), 419 (rand_pool_entropy(pool) / 8.0)) == 0) 420 goto err; 421 422 ret = 1; 423 } 424 425 err: 426 rand_pool_free(pool); 427 return ret; 428 } 429 430 /* 431 * Allocate memory and initialize a new random pool 432 */ 433 434 RAND_POOL *rand_pool_new(int entropy_requested, int secure, 435 size_t min_len, size_t max_len) 436 { 437 RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); 438 size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure); 439 440 if (pool == NULL) { 441 RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); 442 return NULL; 443 } 444 445 pool->min_len = min_len; 446 pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ? 447 RAND_POOL_MAX_LENGTH : max_len; 448 pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len; 449 if (pool->alloc_len > pool->max_len) 450 pool->alloc_len = pool->max_len; 451 452 if (secure) 453 pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len); 454 else 455 pool->buffer = OPENSSL_zalloc(pool->alloc_len); 456 457 if (pool->buffer == NULL) { 458 RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); 459 goto err; 460 } 461 462 pool->entropy_requested = entropy_requested; 463 pool->secure = secure; 464 465 return pool; 466 467 err: 468 OPENSSL_free(pool); 469 return NULL; 470 } 471 472 /* 473 * Attach new random pool to the given buffer 474 * 475 * This function is intended to be used only for feeding random data 476 * provided by RAND_add() and RAND_seed() into the <master> DRBG. 477 */ 478 RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len, 479 size_t entropy) 480 { 481 RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); 482 483 if (pool == NULL) { 484 RANDerr(RAND_F_RAND_POOL_ATTACH, ERR_R_MALLOC_FAILURE); 485 return NULL; 486 } 487 488 /* 489 * The const needs to be cast away, but attached buffers will not be 490 * modified (in contrary to allocated buffers which are zeroed and 491 * freed in the end). 492 */ 493 pool->buffer = (unsigned char *) buffer; 494 pool->len = len; 495 496 pool->attached = 1; 497 498 pool->min_len = pool->max_len = pool->alloc_len = pool->len; 499 pool->entropy = entropy; 500 501 return pool; 502 } 503 504 /* 505 * Free |pool|, securely erasing its buffer. 506 */ 507 void rand_pool_free(RAND_POOL *pool) 508 { 509 if (pool == NULL) 510 return; 511 512 /* 513 * Although it would be advisable from a cryptographical viewpoint, 514 * we are not allowed to clear attached buffers, since they are passed 515 * to rand_pool_attach() as `const unsigned char*`. 516 * (see corresponding comment in rand_pool_attach()). 517 */ 518 if (!pool->attached) { 519 if (pool->secure) 520 OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); 521 else 522 OPENSSL_clear_free(pool->buffer, pool->alloc_len); 523 } 524 525 OPENSSL_free(pool); 526 } 527 528 /* 529 * Return the |pool|'s buffer to the caller (readonly). 530 */ 531 const unsigned char *rand_pool_buffer(RAND_POOL *pool) 532 { 533 return pool->buffer; 534 } 535 536 /* 537 * Return the |pool|'s entropy to the caller. 538 */ 539 size_t rand_pool_entropy(RAND_POOL *pool) 540 { 541 return pool->entropy; 542 } 543 544 /* 545 * Return the |pool|'s buffer length to the caller. 546 */ 547 size_t rand_pool_length(RAND_POOL *pool) 548 { 549 return pool->len; 550 } 551 552 /* 553 * Detach the |pool| buffer and return it to the caller. 554 * It's the responsibility of the caller to free the buffer 555 * using OPENSSL_secure_clear_free() or to re-attach it 556 * again to the pool using rand_pool_reattach(). 557 */ 558 unsigned char *rand_pool_detach(RAND_POOL *pool) 559 { 560 unsigned char *ret = pool->buffer; 561 pool->buffer = NULL; 562 pool->entropy = 0; 563 return ret; 564 } 565 566 /* 567 * Re-attach the |pool| buffer. It is only allowed to pass 568 * the |buffer| which was previously detached from the same pool. 569 */ 570 void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer) 571 { 572 pool->buffer = buffer; 573 OPENSSL_cleanse(pool->buffer, pool->len); 574 pool->len = 0; 575 } 576 577 /* 578 * If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one 579 * need to obtain at least |bits| bits of entropy? 580 */ 581 #define ENTROPY_TO_BYTES(bits, entropy_factor) \ 582 (((bits) * (entropy_factor) + 7) / 8) 583 584 585 /* 586 * Checks whether the |pool|'s entropy is available to the caller. 587 * This is the case when entropy count and buffer length are high enough. 588 * Returns 589 * 590 * |entropy| if the entropy count and buffer size is large enough 591 * 0 otherwise 592 */ 593 size_t rand_pool_entropy_available(RAND_POOL *pool) 594 { 595 if (pool->entropy < pool->entropy_requested) 596 return 0; 597 598 if (pool->len < pool->min_len) 599 return 0; 600 601 return pool->entropy; 602 } 603 604 /* 605 * Returns the (remaining) amount of entropy needed to fill 606 * the random pool. 607 */ 608 609 size_t rand_pool_entropy_needed(RAND_POOL *pool) 610 { 611 if (pool->entropy < pool->entropy_requested) 612 return pool->entropy_requested - pool->entropy; 613 614 return 0; 615 } 616 617 /* Increase the allocation size -- not usable for an attached pool */ 618 static int rand_pool_grow(RAND_POOL *pool, size_t len) 619 { 620 if (len > pool->alloc_len - pool->len) { 621 unsigned char *p; 622 const size_t limit = pool->max_len / 2; 623 size_t newlen = pool->alloc_len; 624 625 if (pool->attached || len > pool->max_len - pool->len) { 626 RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_INTERNAL_ERROR); 627 return 0; 628 } 629 630 do 631 newlen = newlen < limit ? newlen * 2 : pool->max_len; 632 while (len > newlen - pool->len); 633 634 if (pool->secure) 635 p = OPENSSL_secure_zalloc(newlen); 636 else 637 p = OPENSSL_zalloc(newlen); 638 if (p == NULL) { 639 RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE); 640 return 0; 641 } 642 memcpy(p, pool->buffer, pool->len); 643 if (pool->secure) 644 OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); 645 else 646 OPENSSL_clear_free(pool->buffer, pool->alloc_len); 647 pool->buffer = p; 648 pool->alloc_len = newlen; 649 } 650 return 1; 651 } 652 653 /* 654 * Returns the number of bytes needed to fill the pool, assuming 655 * the input has 1 / |entropy_factor| entropy bits per data bit. 656 * In case of an error, 0 is returned. 657 */ 658 659 size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor) 660 { 661 size_t bytes_needed; 662 size_t entropy_needed = rand_pool_entropy_needed(pool); 663 664 if (entropy_factor < 1) { 665 RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_ARGUMENT_OUT_OF_RANGE); 666 return 0; 667 } 668 669 bytes_needed = ENTROPY_TO_BYTES(entropy_needed, entropy_factor); 670 671 if (bytes_needed > pool->max_len - pool->len) { 672 /* not enough space left */ 673 RANDerr(RAND_F_RAND_POOL_BYTES_NEEDED, RAND_R_RANDOM_POOL_OVERFLOW); 674 return 0; 675 } 676 677 if (pool->len < pool->min_len && 678 bytes_needed < pool->min_len - pool->len) 679 /* to meet the min_len requirement */ 680 bytes_needed = pool->min_len - pool->len; 681 682 /* 683 * Make sure the buffer is large enough for the requested amount 684 * of data. This guarantees that existing code patterns where 685 * rand_pool_add_begin, rand_pool_add_end or rand_pool_add 686 * are used to collect entropy data without any error handling 687 * whatsoever, continue to be valid. 688 * Furthermore if the allocation here fails once, make sure that 689 * we don't fall back to a less secure or even blocking random source, 690 * as that could happen by the existing code patterns. 691 * This is not a concern for additional data, therefore that 692 * is not needed if rand_pool_grow fails in other places. 693 */ 694 if (!rand_pool_grow(pool, bytes_needed)) { 695 /* persistent error for this pool */ 696 pool->max_len = pool->len = 0; 697 return 0; 698 } 699 700 return bytes_needed; 701 } 702 703 /* Returns the remaining number of bytes available */ 704 size_t rand_pool_bytes_remaining(RAND_POOL *pool) 705 { 706 return pool->max_len - pool->len; 707 } 708 709 /* 710 * Add random bytes to the random pool. 711 * 712 * It is expected that the |buffer| contains |len| bytes of 713 * random input which contains at least |entropy| bits of 714 * randomness. 715 * 716 * Returns 1 if the added amount is adequate, otherwise 0 717 */ 718 int rand_pool_add(RAND_POOL *pool, 719 const unsigned char *buffer, size_t len, size_t entropy) 720 { 721 if (len > pool->max_len - pool->len) { 722 RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG); 723 return 0; 724 } 725 726 if (pool->buffer == NULL) { 727 RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); 728 return 0; 729 } 730 731 if (len > 0) { 732 /* 733 * This is to protect us from accidentally passing the buffer 734 * returned from rand_pool_add_begin. 735 * The check for alloc_len makes sure we do not compare the 736 * address of the end of the allocated memory to something 737 * different, since that comparison would have an 738 * indeterminate result. 739 */ 740 if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) { 741 RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); 742 return 0; 743 } 744 /* 745 * We have that only for cases when a pool is used to collect 746 * additional data. 747 * For entropy data, as long as the allocation request stays within 748 * the limits given by rand_pool_bytes_needed this rand_pool_grow 749 * below is guaranteed to succeed, thus no allocation happens. 750 */ 751 if (!rand_pool_grow(pool, len)) 752 return 0; 753 memcpy(pool->buffer + pool->len, buffer, len); 754 pool->len += len; 755 pool->entropy += entropy; 756 } 757 758 return 1; 759 } 760 761 /* 762 * Start to add random bytes to the random pool in-place. 763 * 764 * Reserves the next |len| bytes for adding random bytes in-place 765 * and returns a pointer to the buffer. 766 * The caller is allowed to copy up to |len| bytes into the buffer. 767 * If |len| == 0 this is considered a no-op and a NULL pointer 768 * is returned without producing an error message. 769 * 770 * After updating the buffer, rand_pool_add_end() needs to be called 771 * to finish the update operation (see next comment). 772 */ 773 unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) 774 { 775 if (len == 0) 776 return NULL; 777 778 if (len > pool->max_len - pool->len) { 779 RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, RAND_R_RANDOM_POOL_OVERFLOW); 780 return NULL; 781 } 782 783 if (pool->buffer == NULL) { 784 RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); 785 return NULL; 786 } 787 788 /* 789 * As long as the allocation request stays within the limits given 790 * by rand_pool_bytes_needed this rand_pool_grow below is guaranteed 791 * to succeed, thus no allocation happens. 792 * We have that only for cases when a pool is used to collect 793 * additional data. Then the buffer might need to grow here, 794 * and of course the caller is responsible to check the return 795 * value of this function. 796 */ 797 if (!rand_pool_grow(pool, len)) 798 return NULL; 799 800 return pool->buffer + pool->len; 801 } 802 803 /* 804 * Finish to add random bytes to the random pool in-place. 805 * 806 * Finishes an in-place update of the random pool started by 807 * rand_pool_add_begin() (see previous comment). 808 * It is expected that |len| bytes of random input have been added 809 * to the buffer which contain at least |entropy| bits of randomness. 810 * It is allowed to add less bytes than originally reserved. 811 */ 812 int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) 813 { 814 if (len > pool->alloc_len - pool->len) { 815 RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW); 816 return 0; 817 } 818 819 if (len > 0) { 820 pool->len += len; 821 pool->entropy += entropy; 822 } 823 824 return 1; 825 } 826 827 int RAND_set_rand_method(const RAND_METHOD *meth) 828 { 829 if (!RUN_ONCE(&rand_init, do_rand_init)) 830 return 0; 831 832 CRYPTO_THREAD_write_lock(rand_meth_lock); 833 #ifndef OPENSSL_NO_ENGINE 834 ENGINE_finish(funct_ref); 835 funct_ref = NULL; 836 #endif 837 default_RAND_meth = meth; 838 CRYPTO_THREAD_unlock(rand_meth_lock); 839 return 1; 840 } 841 842 const RAND_METHOD *RAND_get_rand_method(void) 843 { 844 const RAND_METHOD *tmp_meth = NULL; 845 846 if (!RUN_ONCE(&rand_init, do_rand_init)) 847 return NULL; 848 849 CRYPTO_THREAD_write_lock(rand_meth_lock); 850 if (default_RAND_meth == NULL) { 851 #ifndef OPENSSL_NO_ENGINE 852 ENGINE *e; 853 854 /* If we have an engine that can do RAND, use it. */ 855 if ((e = ENGINE_get_default_RAND()) != NULL 856 && (tmp_meth = ENGINE_get_RAND(e)) != NULL) { 857 funct_ref = e; 858 default_RAND_meth = tmp_meth; 859 } else { 860 ENGINE_finish(e); 861 default_RAND_meth = &rand_meth; 862 } 863 #else 864 default_RAND_meth = &rand_meth; 865 #endif 866 } 867 tmp_meth = default_RAND_meth; 868 CRYPTO_THREAD_unlock(rand_meth_lock); 869 return tmp_meth; 870 } 871 872 #ifndef OPENSSL_NO_ENGINE 873 int RAND_set_rand_engine(ENGINE *engine) 874 { 875 const RAND_METHOD *tmp_meth = NULL; 876 877 if (!RUN_ONCE(&rand_init, do_rand_init)) 878 return 0; 879 880 if (engine != NULL) { 881 if (!ENGINE_init(engine)) 882 return 0; 883 tmp_meth = ENGINE_get_RAND(engine); 884 if (tmp_meth == NULL) { 885 ENGINE_finish(engine); 886 return 0; 887 } 888 } 889 CRYPTO_THREAD_write_lock(rand_engine_lock); 890 /* This function releases any prior ENGINE so call it first */ 891 RAND_set_rand_method(tmp_meth); 892 funct_ref = engine; 893 CRYPTO_THREAD_unlock(rand_engine_lock); 894 return 1; 895 } 896 #endif 897 898 void RAND_seed(const void *buf, int num) 899 { 900 const RAND_METHOD *meth = RAND_get_rand_method(); 901 902 if (meth != NULL && meth->seed != NULL) 903 meth->seed(buf, num); 904 } 905 906 void RAND_add(const void *buf, int num, double randomness) 907 { 908 const RAND_METHOD *meth = RAND_get_rand_method(); 909 910 if (meth != NULL && meth->add != NULL) 911 meth->add(buf, num, randomness); 912 } 913 914 /* 915 * This function is not part of RAND_METHOD, so if we're not using 916 * the default method, then just call RAND_bytes(). Otherwise make 917 * sure we're instantiated and use the private DRBG. 918 */ 919 int RAND_priv_bytes(unsigned char *buf, int num) 920 { 921 const RAND_METHOD *meth = RAND_get_rand_method(); 922 RAND_DRBG *drbg; 923 924 if (meth != NULL && meth != RAND_OpenSSL()) 925 return RAND_bytes(buf, num); 926 927 drbg = RAND_DRBG_get0_private(); 928 if (drbg != NULL) 929 return RAND_DRBG_bytes(drbg, buf, num); 930 931 return 0; 932 } 933 934 int RAND_bytes(unsigned char *buf, int num) 935 { 936 const RAND_METHOD *meth = RAND_get_rand_method(); 937 938 if (meth != NULL && meth->bytes != NULL) 939 return meth->bytes(buf, num); 940 RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); 941 return -1; 942 } 943 944 #if OPENSSL_API_COMPAT < 0x10100000L 945 int RAND_pseudo_bytes(unsigned char *buf, int num) 946 { 947 const RAND_METHOD *meth = RAND_get_rand_method(); 948 949 if (meth != NULL && meth->pseudorand != NULL) 950 return meth->pseudorand(buf, num); 951 RANDerr(RAND_F_RAND_PSEUDO_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); 952 return -1; 953 } 954 #endif 955 956 int RAND_status(void) 957 { 958 const RAND_METHOD *meth = RAND_get_rand_method(); 959 960 if (meth != NULL && meth->status != NULL) 961 return meth->status(); 962 return 0; 963 } 964