DRBG: Remove 'randomness' buffer from 'RAND_DRBG'

The DRBG callbacks 'get_entropy()' and 'cleanup_entropy()' are designed
in such a way that the randomness buffer does not have to be allocated
by the calling function. It receives the address of a dynamically
allocated buffer from get_entropy() and returns this address to
cleanup_entropy(), where it is freed. If these two calls are properly
paired, the address can be stored in a stack local variable of the
calling function, so there is no need for having a 'randomness' member
(and a 'filled' member) in 'RAND_DRBG'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
This commit is contained in:
Dr. Matthias St. Pierre 2017-08-25 23:26:53 +02:00 committed by Rich Salz
parent 4871fa49cd
commit 6969a3f49a
5 changed files with 24 additions and 33 deletions

View file

@ -168,9 +168,9 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
end: end:
if (entropy != NULL && drbg->cleanup_entropy != NULL) if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->cleanup_entropy(drbg, entropy); drbg->cleanup_entropy(drbg, entropy, entropylen);
if (nonce != NULL && drbg->cleanup_nonce!= NULL ) if (nonce != NULL && drbg->cleanup_nonce!= NULL )
drbg->cleanup_nonce(drbg, nonce); drbg->cleanup_nonce(drbg, nonce, noncelen);
if (drbg->state == DRBG_READY) if (drbg->state == DRBG_READY)
return 1; return 1;
return 0; return 0;
@ -229,7 +229,7 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
end: end:
if (entropy != NULL && drbg->cleanup_entropy != NULL) if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->cleanup_entropy(drbg, entropy); drbg->cleanup_entropy(drbg, entropy, entropylen);
if (drbg->state == DRBG_READY) if (drbg->state == DRBG_READY)
return 1; return 1;
return 0; return 0;

View file

@ -94,14 +94,12 @@ struct rand_drbg_st {
int nid; /* the underlying algorithm */ int nid; /* the underlying algorithm */
int fork_count; int fork_count;
unsigned short flags; /* various external flags */ unsigned short flags; /* various external flags */
char filled;
char secure; char secure;
/* /*
* This is a fixed-size buffer, but we malloc to make it a little * This is a fixed-size buffer, but we malloc to make it a little
* harder to find; a classic security/performance trade-off. * harder to find; a classic security/performance trade-off.
*/ */
int size; int size;
unsigned char *randomness;
/* /*
* The following parameters are setup by the per-type "init" function. * The following parameters are setup by the per-type "init" function.
@ -157,7 +155,7 @@ void rand_read_tsc(RAND_poll_cb rand_add, void *arg);
int rand_read_cpu(RAND_poll_cb rand_add, void *arg); int rand_read_cpu(RAND_poll_cb rand_add, void *arg);
/* DRBG entropy callbacks. */ /* DRBG entropy callbacks. */
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out); void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen);
size_t drbg_entropy_from_parent(RAND_DRBG *drbg, size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
unsigned char **pout, unsigned char **pout,
int entropy, size_t min_len, size_t max_len); int entropy, size_t min_len, size_t max_len);

View file

@ -105,20 +105,14 @@ size_t drbg_entropy_from_system(RAND_DRBG *drbg,
int entropy, size_t min_len, size_t max_len) int entropy, size_t min_len, size_t max_len)
{ {
int i; int i;
unsigned char *randomness;
if (min_len > (size_t)drbg->size) { if (min_len > (size_t)drbg->size) {
/* Should not happen. See comment near RANDOMNESS_NEEDED. */ /* Should not happen. See comment near RANDOMNESS_NEEDED. */
min_len = drbg->size; min_len = drbg->size;
} }
if (drbg->filled) { randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
/* Re-use what we have. */
*pout = drbg->randomness;
return drbg->size;
}
drbg->randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
: OPENSSL_malloc(drbg->size); : OPENSSL_malloc(drbg->size);
/* If we don't have enough, try to get more. */ /* If we don't have enough, try to get more. */
@ -133,15 +127,14 @@ size_t drbg_entropy_from_system(RAND_DRBG *drbg,
if (min_len > rand_bytes.curr) if (min_len > rand_bytes.curr)
min_len = rand_bytes.curr; min_len = rand_bytes.curr;
if (min_len != 0) { if (min_len != 0) {
memcpy(drbg->randomness, rand_bytes.buff, min_len); memcpy(randomness, rand_bytes.buff, min_len);
drbg->filled = 1;
/* Update amount left and shift it down. */ /* Update amount left and shift it down. */
rand_bytes.curr -= min_len; rand_bytes.curr -= min_len;
if (rand_bytes.curr != 0) if (rand_bytes.curr != 0)
memmove(rand_bytes.buff, &rand_bytes.buff[min_len], rand_bytes.curr); memmove(rand_bytes.buff, &rand_bytes.buff[min_len], rand_bytes.curr);
} }
CRYPTO_THREAD_unlock(rand_bytes.lock); CRYPTO_THREAD_unlock(rand_bytes.lock);
*pout = drbg->randomness; *pout = randomness;
return min_len; return min_len;
} }
@ -150,33 +143,33 @@ size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
int entropy, size_t min_len, size_t max_len) int entropy, size_t min_len, size_t max_len)
{ {
int st; int st;
unsigned char *randomness;
if (min_len > (size_t)drbg->size) { if (min_len > (size_t)drbg->size) {
/* Should not happen. See comment near RANDOMNESS_NEEDED. */ /* Should not happen. See comment near RANDOMNESS_NEEDED. */
min_len = drbg->size; min_len = drbg->size;
} }
drbg->randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size) randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
: OPENSSL_malloc(drbg->size); : OPENSSL_malloc(drbg->size);
/* Get random from parent, include our state as additional input. */ /* Get random from parent, include our state as additional input. */
st = RAND_DRBG_generate(drbg->parent, drbg->randomness, min_len, 0, st = RAND_DRBG_generate(drbg->parent, randomness, min_len, 0,
(unsigned char *)drbg, sizeof(*drbg)); (unsigned char *)drbg, sizeof(*drbg));
if (st == 0) if (st == 0) {
drbg_release_entropy(drbg, randomness, min_len);
return 0; return 0;
drbg->filled = 1; }
*pout = drbg->randomness; *pout = randomness;
return min_len; return min_len;
} }
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out) void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
{ {
drbg->filled = 0;
if (drbg->secure) if (drbg->secure)
OPENSSL_secure_clear_free(drbg->randomness, drbg->size); OPENSSL_secure_clear_free(out, outlen);
else else
OPENSSL_clear_free(drbg->randomness, drbg->size); OPENSSL_clear_free(out, outlen);
drbg->randomness = NULL;
} }
@ -191,7 +184,6 @@ static int setup_drbg(RAND_DRBG *drbg)
ret &= drbg->lock != NULL; ret &= drbg->lock != NULL;
drbg->size = RANDOMNESS_NEEDED; drbg->size = RANDOMNESS_NEEDED;
drbg->secure = CRYPTO_secure_malloc_initialized(); drbg->secure = CRYPTO_secure_malloc_initialized();
drbg->randomness = NULL;
/* If you change these parameters, see RANDOMNESS_NEEDED */ /* If you change these parameters, see RANDOMNESS_NEEDED */
ret &= RAND_DRBG_set(drbg, ret &= RAND_DRBG_set(drbg,
NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1; NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1;

View file

@ -178,11 +178,11 @@ int RAND_poll_ex(RAND_poll_cb rand_add, void *arg)
# endif # endif
# ifdef OPENSSL_RAND_SEED_RDTSC # ifdef OPENSSL_RAND_SEED_RDTSC
rand_read_tsc(cb, arg); rand_read_tsc(rand_add, arg);
# endif # endif
# ifdef OPENSSL_RAND_SEED_RDCPU # ifdef OPENSSL_RAND_SEED_RDCPU
if (rand_read_cpu(cb, arg)) if (rand_read_cpu(rand_add, arg))
goto done; goto done;
# endif # endif

View file

@ -50,11 +50,12 @@ typedef size_t (*RAND_DRBG_get_entropy_fn)(RAND_DRBG *ctx,
int entropy, size_t min_len, int entropy, size_t min_len,
size_t max_len); size_t max_len);
typedef void (*RAND_DRBG_cleanup_entropy_fn)(RAND_DRBG *ctx, typedef void (*RAND_DRBG_cleanup_entropy_fn)(RAND_DRBG *ctx,
unsigned char *out); unsigned char *out, size_t outlen);
typedef size_t (*RAND_DRBG_get_nonce_fn)(RAND_DRBG *ctx, unsigned char **pout, typedef size_t (*RAND_DRBG_get_nonce_fn)(RAND_DRBG *ctx, unsigned char **pout,
int entropy, size_t min_len, int entropy, size_t min_len,
size_t max_len); size_t max_len);
typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *ctx, unsigned char *out); typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *ctx,
unsigned char *out, size_t outlen);
int RAND_DRBG_set_callbacks(RAND_DRBG *dctx, int RAND_DRBG_set_callbacks(RAND_DRBG *dctx,
RAND_DRBG_get_entropy_fn get_entropy, RAND_DRBG_get_entropy_fn get_entropy,