DRBG: Remove 'randomness' buffer from 'RAND_DRBG'

The DRBG callbacks 'get_entropy()' and 'cleanup_entropy()' are designed
in such a way that the randomness buffer does not have to be allocated
by the calling function. It receives the address of a dynamically
allocated buffer from get_entropy() and returns this address to
cleanup_entropy(), where it is freed. If these two calls are properly
paired, the address can be stored in a stack local variable of the
calling function, so there is no need for having a 'randomness' member
(and a 'filled' member) in 'RAND_DRBG'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
This commit is contained in:
Dr. Matthias St. Pierre 2017-08-25 23:26:53 +02:00 committed by Rich Salz
parent 4871fa49cd
commit 6969a3f49a
5 changed files with 24 additions and 33 deletions

View file

@ -168,9 +168,9 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->cleanup_entropy(drbg, entropy);
drbg->cleanup_entropy(drbg, entropy, entropylen);
if (nonce != NULL && drbg->cleanup_nonce!= NULL )
drbg->cleanup_nonce(drbg, nonce);
drbg->cleanup_nonce(drbg, nonce, noncelen);
if (drbg->state == DRBG_READY)
return 1;
return 0;
@ -229,7 +229,7 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->cleanup_entropy(drbg, entropy);
drbg->cleanup_entropy(drbg, entropy, entropylen);
if (drbg->state == DRBG_READY)
return 1;
return 0;

View file

@ -94,14 +94,12 @@ struct rand_drbg_st {
int nid; /* the underlying algorithm */
int fork_count;
unsigned short flags; /* various external flags */
char filled;
char secure;
/*
* This is a fixed-size buffer, but we malloc to make it a little
* harder to find; a classic security/performance trade-off.
*/
int size;
unsigned char *randomness;
/*
* The following parameters are setup by the per-type "init" function.
@ -157,7 +155,7 @@ void rand_read_tsc(RAND_poll_cb rand_add, void *arg);
int rand_read_cpu(RAND_poll_cb rand_add, void *arg);
/* DRBG entropy callbacks. */
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out);
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen);
size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
unsigned char **pout,
int entropy, size_t min_len, size_t max_len);

View file

@ -105,20 +105,14 @@ size_t drbg_entropy_from_system(RAND_DRBG *drbg,
int entropy, size_t min_len, size_t max_len)
{
int i;
unsigned char *randomness;
if (min_len > (size_t)drbg->size) {
/* Should not happen. See comment near RANDOMNESS_NEEDED. */
min_len = drbg->size;
}
if (drbg->filled) {
/* Re-use what we have. */
*pout = drbg->randomness;
return drbg->size;
}
drbg->randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
: OPENSSL_malloc(drbg->size);
/* If we don't have enough, try to get more. */
@ -133,15 +127,14 @@ size_t drbg_entropy_from_system(RAND_DRBG *drbg,
if (min_len > rand_bytes.curr)
min_len = rand_bytes.curr;
if (min_len != 0) {
memcpy(drbg->randomness, rand_bytes.buff, min_len);
drbg->filled = 1;
memcpy(randomness, rand_bytes.buff, min_len);
/* Update amount left and shift it down. */
rand_bytes.curr -= min_len;
if (rand_bytes.curr != 0)
memmove(rand_bytes.buff, &rand_bytes.buff[min_len], rand_bytes.curr);
}
CRYPTO_THREAD_unlock(rand_bytes.lock);
*pout = drbg->randomness;
*pout = randomness;
return min_len;
}
@ -150,33 +143,33 @@ size_t drbg_entropy_from_parent(RAND_DRBG *drbg,
int entropy, size_t min_len, size_t max_len)
{
int st;
unsigned char *randomness;
if (min_len > (size_t)drbg->size) {
/* Should not happen. See comment near RANDOMNESS_NEEDED. */
min_len = drbg->size;
}
drbg->randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
randomness = drbg->secure ? OPENSSL_secure_malloc(drbg->size)
: OPENSSL_malloc(drbg->size);
/* Get random from parent, include our state as additional input. */
st = RAND_DRBG_generate(drbg->parent, drbg->randomness, min_len, 0,
st = RAND_DRBG_generate(drbg->parent, randomness, min_len, 0,
(unsigned char *)drbg, sizeof(*drbg));
if (st == 0)
if (st == 0) {
drbg_release_entropy(drbg, randomness, min_len);
return 0;
drbg->filled = 1;
*pout = drbg->randomness;
}
*pout = randomness;
return min_len;
}
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out)
void drbg_release_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
{
drbg->filled = 0;
if (drbg->secure)
OPENSSL_secure_clear_free(drbg->randomness, drbg->size);
OPENSSL_secure_clear_free(out, outlen);
else
OPENSSL_clear_free(drbg->randomness, drbg->size);
drbg->randomness = NULL;
OPENSSL_clear_free(out, outlen);
}
@ -191,7 +184,6 @@ static int setup_drbg(RAND_DRBG *drbg)
ret &= drbg->lock != NULL;
drbg->size = RANDOMNESS_NEEDED;
drbg->secure = CRYPTO_secure_malloc_initialized();
drbg->randomness = NULL;
/* If you change these parameters, see RANDOMNESS_NEEDED */
ret &= RAND_DRBG_set(drbg,
NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF) == 1;

View file

@ -178,11 +178,11 @@ int RAND_poll_ex(RAND_poll_cb rand_add, void *arg)
# endif
# ifdef OPENSSL_RAND_SEED_RDTSC
rand_read_tsc(cb, arg);
rand_read_tsc(rand_add, arg);
# endif
# ifdef OPENSSL_RAND_SEED_RDCPU
if (rand_read_cpu(cb, arg))
if (rand_read_cpu(rand_add, arg))
goto done;
# endif

View file

@ -50,11 +50,12 @@ typedef size_t (*RAND_DRBG_get_entropy_fn)(RAND_DRBG *ctx,
int entropy, size_t min_len,
size_t max_len);
typedef void (*RAND_DRBG_cleanup_entropy_fn)(RAND_DRBG *ctx,
unsigned char *out);
unsigned char *out, size_t outlen);
typedef size_t (*RAND_DRBG_get_nonce_fn)(RAND_DRBG *ctx, unsigned char **pout,
int entropy, size_t min_len,
size_t max_len);
typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *ctx, unsigned char *out);
typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *ctx,
unsigned char *out, size_t outlen);
int RAND_DRBG_set_callbacks(RAND_DRBG *dctx,
RAND_DRBG_get_entropy_fn get_entropy,