Skip to content

Commit

Permalink
rand: fix seeding from a weak entropy source
Browse files Browse the repository at this point in the history 
The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.

Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.

The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.

Fixes #22332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #22394)

(cherry picked from commit 7998e7d)
  • Loading branch information
@mspncp @mattcaswell
mspncp authored and mattcaswell committed Oct 24, 2023
1 parent bb96159 commit 380ae1b
Show file tree
Hide file tree
Showing 4 changed files with 109 additions and 48 deletions.
68 changes: 68 additions & 0 deletions crypto/evp/evp_rand.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ struct evp_rand_st {
OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
OSSL_FUNC_rand_get_seed_fn *get_seed;
OSSL_FUNC_rand_clear_seed_fn *clear_seed;
} /* EVP_RAND */ ;

static int evp_rand_up_ref(void *vrand)
Expand Down Expand Up @@ -236,6 +238,16 @@ static void *evp_rand_from_algorithm(int name_id,
fnzeroizecnt++;
#endif
break;
case OSSL_FUNC_RAND_GET_SEED:
if (rand->get_seed != NULL)
break;
rand->get_seed = OSSL_FUNC_rand_get_seed(fns);
break;
case OSSL_FUNC_RAND_CLEAR_SEED:
if (rand->clear_seed != NULL)
break;
rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns);
break;
}
}
/*
Expand Down Expand Up @@ -680,3 +692,59 @@ int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx)
evp_rand_unlock(ctx);
return res;
}

int evp_rand_can_seed(EVP_RAND_CTX *ctx)
{
return ctx->meth->get_seed != NULL;
}

static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx,
unsigned char **buffer,
int entropy,
size_t min_len, size_t max_len,
int prediction_resistance,
const unsigned char *adin,
size_t adin_len)
{
if (ctx->meth->get_seed != NULL)
return ctx->meth->get_seed(ctx->algctx, buffer,
entropy, min_len, max_len,
prediction_resistance,
adin, adin_len);
return 0;
}

size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
unsigned char **buffer,
int entropy, size_t min_len, size_t max_len,
int prediction_resistance,
const unsigned char *adin, size_t adin_len)
{
int res;

if (!evp_rand_lock(ctx))
return 0;
res = evp_rand_get_seed_locked(ctx,
buffer,
entropy, min_len, max_len,
prediction_resistance,
adin, adin_len);
evp_rand_unlock(ctx);
return res;
}

static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx,
unsigned char *buffer, size_t b_len)
{
if (ctx->meth->clear_seed != NULL)
ctx->meth->clear_seed(ctx->algctx, buffer, b_len);
}

void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
unsigned char *buffer, size_t b_len)
{
if (!evp_rand_lock(ctx))
return;
evp_rand_clear_seed_locked(ctx, buffer, b_len);
evp_rand_unlock(ctx);
}
34 changes: 11 additions & 23 deletions crypto/rand/prov_seed.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
*/

#include "rand_local.h"
#include "crypto/evp.h"
#include "crypto/rand.h"
#include "crypto/rand_pool.h"
#include "internal/core.h"
Expand Down Expand Up @@ -44,31 +45,13 @@ size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx,
unsigned char **pout, int entropy,
size_t min_len, size_t max_len)
{
unsigned char *buf;
EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
size_t ret;

if (rng == NULL)
if (rng != NULL && evp_rand_can_seed(rng))
return evp_rand_get_seed(rng, pout, entropy, min_len, max_len,
0, NULL, 0);
else
return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len);

/* Determine how many bytes to generate */
ret = entropy > 0 ? (size_t)(7 + entropy) / 8 : min_len;
if (ret < min_len)
ret = min_len;
else if (ret > max_len)
ret = max_len;

/* Allocate the return buffer */
if ((buf = OPENSSL_secure_malloc(ret)) == NULL)
return 0;

/* Fill the buffer */
if (!EVP_RAND_generate(rng, buf, ret, entropy, 0, NULL, 0)) {
OPENSSL_free(buf);
return 0;
}
*pout = buf;
return ret;
}

void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
Expand All @@ -80,7 +63,12 @@ void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx,
unsigned char *buf, size_t len)
{
OPENSSL_secure_clear_free(buf, len);
EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);

if (rng != NULL && evp_rand_can_seed(rng))
evp_rand_clear_seed(rng, buf, len);
else
OPENSSL_secure_clear_free(buf, len);
}

size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx,
Expand Down
8 changes: 8 additions & 0 deletions include/crypto/evp.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -949,6 +949,14 @@ int evp_keymgmt_get_number(const EVP_KEYMGMT *keymgmt);
int evp_mac_get_number(const EVP_MAC *mac);
int evp_md_get_number(const EVP_MD *md);
int evp_rand_get_number(const EVP_RAND *rand);
int evp_rand_can_seed(EVP_RAND_CTX *ctx);
size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
unsigned char **buffer,
int entropy, size_t min_len, size_t max_len,
int prediction_resistance,
const unsigned char *adin, size_t adin_len);
void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
unsigned char *buffer, size_t b_len);
int evp_signature_get_number(const EVP_SIGNATURE *signature);

#endif /* OSSL_CRYPTO_EVP_H */
47 changes: 22 additions & 25 deletions providers/implementations/rands/seed_src.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -179,35 +179,32 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
int prediction_resistance,
const unsigned char *adin, size_t adin_len)
{
size_t bytes_needed;
unsigned char *p;

/*
* Figure out how many bytes we need.
* This assumes that the seed sources provide eight bits of entropy
* per byte. For lower quality sources, the formula will need to be
* different.
*/
bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len) {
ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
return 0;
}
size_t ret = 0;
size_t entropy_available = 0;
size_t i;
RAND_POOL *pool;

p = OPENSSL_secure_malloc(bytes_needed);
if (p == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
return 0;
}
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
adin, adin_len) != 0) {
*pout = p;
return bytes_needed;

/* Get entropy by polling system entropy sources. */
entropy_available = ossl_pool_acquire_entropy(pool);

if (entropy_available > 0) {
ret = ossl_rand_pool_length(pool);
*pout = ossl_rand_pool_detach(pool);

/* xor the additional data into the output */
for (i = 0 ; i < adin_len ; ++i)
(*pout)[i % ret] ^= adin[i];
} else {
ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
}
OPENSSL_secure_clear_free(p, bytes_needed);
return 0;
ossl_rand_pool_free(pool);
return ret;
}

static void seed_clear_seed(ossl_unused void *vdrbg,
Expand Down

0 comments on commit 380ae1b

Please sign in to comment.