drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)

Since commit 7c226dfc43 a chained DRBG does not add additional data anymore when reseeding from its parent. The reason is that the size of the additional data exceeded the allowed size when no derivation function was used. This commit provides an alternative fix: instead of adding the entire DRBG's complete state, we just add the DRBG's address in memory, thereby providing some distinction between the different DRBG instances. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9802)
2019-05-30 18:37:29 +02:00 · 2019-05-30 18:37:29 +02:00 · 63180182ec
commit 63180182ec
parent 5520695c73
1 changed files with 4 additions and 2 deletions
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@ -161,7 +161,9 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
            size_t bytes = 0;

            /*
-             * Get random from parent, include our state as additional input.
+             * Get random data from parent. Include our address as additional input,
+             * in order to provide some additional distinction between different
+             * DRBG child instances.
             * Our lock is already held, but we need to lock our parent before
             * generating bits from it. (Note: taking the lock will be a no-op
             * if locking if drbg->parent->lock == NULL.)
@ -170,7 +172,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
            if (RAND_DRBG_generate(drbg->parent,
                                   buffer, bytes_needed,
                                   prediction_resistance,
-                                   NULL, 0) != 0)
+                                   (unsigned char *)&drbg, sizeof(drbg)) != 0)
                bytes = bytes_needed;
            drbg->reseed_next_counter
                = tsan_load(&drbg->parent->reseed_prop_counter);