From faca6bfac3b0c5a657cd01dcf6cb306d61cebd0f Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 29 Oct 2018 13:48:53 +0100 Subject: [PATCH] Fix a race condition in drbg_add Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7523) (cherry picked from commit 4011bab1f85d4429bad1e9388bed90a8d0da5639) --- crypto/rand/drbg_lib.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 4795213d38..43e7509e6a 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -1003,6 +1003,7 @@ static int drbg_add(const void *buf, int num, double randomness) if (num < 0 || randomness < 0.0) return 0; + rand_drbg_lock(drbg); seedlen = rand_drbg_seedlen(drbg); buflen = (size_t)num; @@ -1014,10 +1015,13 @@ static int drbg_add(const void *buf, int num, double randomness) * inevitably. So we use a trick to mix the buffer contents into * the DRBG state without forcing a reseeding: we generate a * dummy random byte, using the buffer content as additional data. + * Note: This won't work with RAND_DRBG_FLAG_CTR_NO_DF. */ unsigned char dummy[1]; - return RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen); + ret = RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen); + rand_drbg_unlock(drbg); + return ret; #else /* * If an os entropy source is avaible then we declare the buffer content @@ -1041,7 +1045,6 @@ static int drbg_add(const void *buf, int num, double randomness) randomness = (double)seedlen; } - rand_drbg_lock(drbg); ret = rand_drbg_restart(drbg, buf, buflen, (size_t)(8 * randomness)); rand_drbg_unlock(drbg);