Commit graph

665 commits

Author SHA1 Message Date
Bernd Edlinger
79f5e2f4b9 Fix a potential crash in rand_unix.c
Due to the dynamic allocation that was added to rand_pool_add_begin
this function could now return a null pointer where it was previously
guaranteed to succeed. But the return value of this function does
not need to be checked by design.

Move rand_pool_grow from rand_pool_add_begin to rand_pool_bytes_needed.
Make an allocation error persistent to avoid falling back to less secure
or blocking entropy sources.

Fixes: a6a66e4511 ("Make rand_pool buffers more dynamic in their sizing.")

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)

(cherry picked from commit fa3eb248e29ca8031e6a14e8a2c6f3cd58b5450e)
2019-09-10 10:03:04 +01:00
Bernd Edlinger
1d36536457 Fix a strict warnings error in rand_pool_acquire_entropy
There was a warning about unused variables in this config:
./config --strict-warnings --with-rand-seed=rdcpu

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)

(cherry picked from commit e301c147a763f67dcc5ba63eb7e2ae40d83a68aa)
2019-09-10 10:03:04 +01:00
Dr. Matthias St. Pierre
63180182ec drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)
Since commit 7c226dfc43 a chained DRBG does not add additional
data anymore when reseeding from its parent. The reason is that
the size of the additional data exceeded the allowed size when
no derivation function was used.

This commit provides an alternative fix: instead of adding the
entire DRBG's complete state, we just add the DRBG's address
in memory, thereby providing some distinction between the different
DRBG instances.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
2019-09-09 17:09:06 +01:00
Dr. Matthias St. Pierre
5520695c73 drbg: add fork id to additional data on UNIX systems
Provides a little extra fork-safety on UNIX systems, adding to the
fact that all DRBGs reseed automatically when the fork_id changes.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
2019-09-09 17:09:06 +01:00
Dr. Matthias St. Pierre
1b0fe00e27 drbg: ensure fork-safety without using a pthread_atfork handler
When the new OpenSSL CSPRNG was introduced in version 1.1.1,
it was announced in the release notes that it would be fork-safe,
which the old CSPRNG hadn't been.

The fork-safety was implemented using a fork count, which was
incremented by a pthread_atfork handler. Initially, this handler
was enabled by default. Unfortunately, the default behaviour
had to be changed for other reasons in commit b5319bdbd0, so
the new OpenSSL CSPRNG failed to keep its promise.

This commit restores the fork-safety using a different approach.
It replaces the fork count by a fork id, which coincides with
the process id on UNIX-like operating systems and is zero on other
operating systems. It is used to detect when an automatic reseed
after a fork is necessary.

To prevent a future regression, it also adds a test to verify that
the child reseeds after fork.

CVE-2019-1549

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
2019-09-09 17:09:06 +01:00
Bernd Edlinger
827eab4cd7 Fix build with VS2008
crypto/rand/rand_win.c(70) : error C2065: 'BCRYPT_USE_SYSTEM_PREFERRED_RNG' : undeclared identifier

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9827)

(cherry picked from commit d3a1128bc25ec8bf835c81821e1be68fba39ab4b)
2019-09-09 16:45:22 +02:00
Bernd Edlinger
ce1ab24163 Cleanup includes in rand_unix.c
Fixes #9757

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9761)

(cherry picked from commit 41ffd2ab09d24692c71850ccd7d5ff154196fe01)
2019-09-05 08:33:48 +02:00
Bernd Edlinger
aa24cc0195 Remove ifndef FIPS_MODE from rand_unix.c
This will never be the case for 1.1.1 so removed.

Fixes: comment 1 of #9757

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9762)
2019-09-05 08:25:18 +02:00
Pauli
f493bd6f94 Fix NITs in comments and CHANGES for DEVRANDOM seeded check.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9734)

(cherry picked from commit 46a9cc9451213039fd53f62733b2ccd04e853bb2)
2019-08-30 07:57:55 +10:00
Pauli
4bdab25717 Avoid overflowing FDSET when using select(2).
There is a problem in the rand_unix.c code when the random seed fd is greater
than or equal to FD_SETSIZE and the FDSET overruns its limit and walks the
stack.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9686)

(cherry picked from commit e1f8584d47)
2019-08-24 16:45:53 +10:00
Pauli
3ff98f5581 Start up DEVRANDOM entropy improvement for older Linux devices.
Improve handling of low entropy at start up from /dev/urandom by waiting for
a read(2) call on /dev/random to succeed.  Once one such call has succeeded,
a shared memory segment is created and persisted as an indicator to other
processes that /dev/urandom is properly seeded.

This does not fully prevent against attacks weakening the entropy source.
An attacker who has control of the machine early in its boot sequence
could create the shared memory segment preventing detection of low entropy
conditions.  However, this is no worse than the current situation.

An attacker would also be capable of removing the shared memory segment
and causing seeding to reoccur resulting in a denial of service attack.
This is partially mitigated by keeping the shared memory alive for the
duration of the process's existence.  Thus, an attacker would not only need
to have called call shmctl(2) with the IPC_RMID command but the system
must subsequently enter a state where no instances of libcrypto exist in
any process.  Even one long running process will prevent this attack.

The System V shared memory calls used here go back at least as far as
Linux kernel 2.0.  Linux kernels 4.8 and later, don't have a reliable way
to detect that /dev/urandom has been properly seeded, so a failure is raised
for this case (i.e. the getentropy(2) call has already failed).

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9595)

[manual merge]
2019-08-20 16:19:20 +10:00
Bernd Edlinger
84814f7734 Add a fallback definition for __NR_getrandom for x86 linux
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9639)

(cherry picked from commit 038b381ecf)
2019-08-19 16:06:39 +02:00
Bernd Edlinger
31dd6414a0 Add a fallback definition for __NR_getrandom for ARM linux
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9619)

(cherry picked from commit 24d932ec84)
2019-08-19 07:06:56 +02:00
opensslonzos-github
cd5e2b0a68 Add missing EBCDIC strings
Fix a few places where calling ossl_isdigit does the wrong thing on
EBCDIC based systems.
Replaced with ascii_isdigit.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9556)

(cherry picked from commit 48102247ff)
2019-08-14 10:52:31 +01:00
Antoine Cœur
a5c83db4ae Fix Typos
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9295)
2019-07-31 19:48:30 +02:00
Pauli
b4b42d441d Make rand_pool buffers more dynamic in their sizing.
The rand pool support allocates maximal sized buffers -- this is typically
12288 bytes in size.  These pools are allocated in secure memory which is a
scarse resource.  They are also allocated per DRBG of which there are up to two
per thread.

This change allocates 64 byte pools and grows them dynamically if required.
64 is chosen to be sufficiently large so that pools do not normally need to
grow.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9428)

(cherry picked from commit a6a66e4511)
2019-07-23 23:30:12 +10:00
Bernd Edlinger
e8d866dcb1 Allocate DRBG additional data pool from non-secure memory
The additional data allocates 12K per DRBG instance in the
secure memory, which is not necessary. Also nonces are not
considered secret.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9424)
2019-07-23 23:14:14 +10:00
Rebecca Cran
444ec8d5e7 Fix UEFI build on FreeBSD by not including system headers
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9149)
2019-06-19 14:39:45 +02:00
Dr. Matthias St. Pierre
ad416c8058 Revert the DEVRANDOM_WAIT feature
The DEVRANDOM_WAIT feature added a select() call to wait for the
`/dev/random` device to become readable before reading from the
`/dev/urandom` device. It was introduced in commit 38023b87f0
in order to mitigate the fact that the `/dev/urandom` device
does not block until the initial seeding of the kernel CSPRNG
has completed, contrary to the behaviour of the `getrandom()`
system call.

It turned out that this change had negative side effects on
performance which were not acceptable. After some discussion it
was decided to revert this feature and leave it up to the OS
resp. the platform maintainer to ensure a proper initialization
during early boot time.

Fixes #9078

This partially reverts commit 38023b87f0.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

(cherry picked from commit a08714e181)

(Merged from https://github.com/openssl/openssl/pull/9118)
2019-06-09 09:53:39 +02:00
Pauli
15d7e7997e Fix broken change from b3d113e.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8606)

(cherry picked from commit 711a161f03)
2019-05-30 11:47:59 +02:00
Richard Levitte
35fd99538a Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9034)
2019-05-28 14:49:38 +02:00
Richard Levitte
a88bafcdb7 Revert "crypto/rand/rand_win.c: include "e_os.h" to get the default _WIN32_WINNT"
I turns out that this made crypto/rand/rand_win.c to never build with
BCrypt support unless the user sets _WIN32_WINNT.  That wasn't the
intent.

This reverts commit cc8926ec8f.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8641)

(cherry picked from commit 705a27f7e0)
2019-04-02 14:50:33 +02:00
Dr. Matthias St. Pierre
5a87dd1d34 rand_win.c: loosen version requirements for BCryptGenRandom
BCryptGenRandom() is available for Windows Vista and newer versions, see
https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/nf-bcrypt-bcryptgenrandom

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8639)

(cherry picked from commit 2621e6405d)
2019-04-02 14:29:59 +02:00
Richard Levitte
7a3c4b374b crypto/rand/rand_win.c: include "e_os.h" to get the default _WIN32_WINNT
This helps decide if the BCrypt API should be used or not.

Fixes #8635

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8638)

(cherry picked from commit cc8926ec8f)
2019-04-02 11:30:43 +02:00
Soujyu Tanaka
fd1ab9af22 Circumvent a problem of lacking GetEnvironmentVariable() in WindowsCE.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)

(cherry picked from commit 3d098890b2)
2019-03-29 10:02:06 +00:00
Pauli
e3568508c3 Cosmetic rand/drbg changes.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8554)

(cherry picked from commit b3d113ed29)
2019-03-22 16:23:05 +10:00
Dr. Matthias St. Pierre
b8caae27f1 VMS: only use the high precision on VMS v8.4 and up
Fixes #8487
Amends #7230

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8488)

(cherry picked from commit 355417eb46)
2019-03-15 08:46:29 +01:00
Bernd Edlinger
c352bd07ed Fix seeding from random device w/o getrandom syscall
Use select to wait for /dev/random in readable state,
but do not actually read anything from /dev/random,
use /dev/urandom first.

Use linux define __NR_getrandom instead of the
glibc define SYS_getrandom, in case the kernel headers
are more current than the glibc headers.

Fixes #8215

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8251)

(cherry picked from commit 38023b87f0)
2019-03-01 18:29:56 +01:00
Matt Caswell
72a7a7021f Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
2019-02-26 14:05:09 +00:00
Klotz, Tobias
b6d41ff733 Cleanup vxworks support to be able to compile for VxWorks 7
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7569)

(cherry picked from commit 5c8b7b4caa)
2019-01-24 17:58:27 +01:00
Bernd Edlinger
bdb8897691 Fix issues with do_rand_init/rand_cleanup_int
Fixes #7022

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7588)

(cherry picked from commit e2d227bb4a)
2018-11-09 13:37:38 +01:00
Dr. Matthias St. Pierre
abf58ed319 rand_unix.c: open random devices on first use only
Commit c7504aeb64 (pr #6432) fixed a regression for applications in
chroot environments, which compensated the fact that the new OpenSSL CSPRNG
(based on the NIST DRBG) now reseeds periodically, which the previous
one didn't. Now the reseeding could fail in the chroot environment if the
DEVRANDOM devices were not present anymore and no other entropy source
(e.g. getrandom()) was available.

The solution was to keep the file handles for the DEVRANDOM devices open
by default. In fact, the fix did more than this, it opened the DEVRANDOM
devices early and unconditionally in rand_pool_init(), which had the
unwanted side effect that the devices were opened (and kept open) even
in cases when they were not used at all, for example when the getrandom()
system call was available. Due  to a bug (issue #7419) this even happened
when the feature was disabled by the application.

This commit removes the unconditional opening of all DEVRANDOM devices.
They will now only be opened (and kept open) on first use. In particular,
if getrandom() is available, the handles will not be opened unnecessarily.

This change does not introduce a regression for applications compiled for
libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the
above constellation the CSPRNG will only be properly seeded if it is happens
before the forking and chrooting.

Fixes #7419

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7437)

(cherry picked from commit 8cfc19716c)
2018-11-08 16:41:24 +01:00
Dr. Matthias St. Pierre
c39df745b0 Test: link drbgtest statically against libcrypto
and remove duplicate rand_drbg_seedlen() implementation again.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7462)

(cherry picked from commit 1c615e4ce9)
2018-11-08 16:32:30 +01:00
Pauli
f7258489d8 Add missing RAND initialisation call.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7587)

(cherry picked from commit ac765685d4)
2018-11-08 08:13:16 +10:00
Bernd Edlinger
294941aebb Rename the rand_drbg_st data member "pool" to "seed_pool"
... to make the intended use more clear and differentiate
it from the data member "adin_pool".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7575)

(cherry picked from commit 31f32abb8e)
2018-11-07 15:23:39 +01:00
Bernd Edlinger
9bc987f008 Initialize reseed_gen_counter to 1, like it is done in master
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7532)
2018-11-07 15:16:19 +01:00
Bernd Edlinger
939ef2ea11 Avoid two memory allocations in each RAND_DRBG_bytes
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7518)
2018-11-05 22:52:24 +01:00
Bernd Edlinger
c40c1ef4f3 Fix error handling in RAND_DRBG_uninstantiate
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7519)
2018-11-05 22:46:21 +01:00
Bernd Edlinger
ee5a79104c Fix error handling in rand_drbg_new
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7519)
2018-11-05 22:46:20 +01:00
Bernd Edlinger
f98a893ed4 Fix error handling in RAND_DRBG_set
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7519)
2018-11-05 22:46:20 +01:00
Bernd Edlinger
faca6bfac3 Fix a race condition in drbg_add
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7523)

(cherry picked from commit 4011bab1f8)
2018-10-30 23:28:12 +01:00
Bernd Edlinger
6101850baf Rework and simplify resource flow in drbg_add
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7504)

(cherry picked from commit f9e43929c4)
2018-10-29 12:31:21 +01:00
Dr. Matthias St. Pierre
c7a7ed3870 randfile.c: fix a Coverity warning
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7510)

(cherry picked from commit 040a03470c)
2018-10-28 23:39:13 +01:00
Dr. Matthias St. Pierre
d2953e5e7d drbg_lib: avoid NULL pointer dereference in drbg_add
Found by Coverity Scan

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7511)

(cherry picked from commit 59f90557dd)
2018-10-28 19:21:12 +01:00
Bernd Edlinger
1f98527659 Fix data race in RAND_DRBG_generate
Fixes #7394

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7399)

(cherry picked from commit a83dc59afa)
2018-10-27 13:04:55 +02:00
Dr. Matthias St. Pierre
d597a9a877 RAND_add()/RAND_seed(): fix failure on short input or low entropy
Commit 5b4cb385c1 (#7382) introduced a bug which had the effect
that RAND_add()/RAND_seed() failed for buffer sizes less than
32 bytes. The reason was that now the added random data was used
exlusively as entropy source for reseeding. When the random input
was too short or contained not enough entropy, the DRBG failed
without querying the available entropy sources.

This commit makes drbg_add() act smarter: it checks the entropy
requirements explicitely. If the random input fails this check,
it won't be added as entropy input, but only as additional data.
More precisely, the behaviour depends on whether an os entropy
source was configured (which is the default on most os):

- If an os entropy source is avaible then we declare the buffer
  content as additional data by setting randomness to zero and
  trigger a regular   reseeding.

- If no os entropy source is available, a reseeding will fail
  inevitably. So drbg_add() uses a trick to mix the buffer contents
  into the DRBG state without forcing a reseeding: it generates a
  dummy random byte, using the buffer content as additional data.

Related-to: #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)

(cherry picked from commit 8817215d5c)
2018-10-27 13:03:35 +02:00
Dr. Matthias St. Pierre
35a34508ef Backport some DRBG renamings and typo fixes
In commit 8bf3665196 some renamings andd typo fixes were made
while adding back the DRBG-HMAC and DRBG-HASH implementation.
Since the commit could not be backported, a lot of unnecessary
differences between master and 1.1.1 were introduced.

These differences result in tiresome merge conflicts when
cherry-picking. To minimize these merge-conflicts, this patch
ports all 'non-feature' changes of commit 8bf3665196
(e.g., renamings of private variables, fixes of typographical
errors, comment changes) manually back to 1.1.1.

The commits a83dc59afa (#7399) and 8817215d5c (#7456)
failed to cherry-pick previously to 1.1.1, with this patch
they both cherry-pick without conflicts.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7505)
2018-10-26 23:04:23 +02:00
Bernd Edlinger
f3f7f1a826 Fix a possible crash in rand_drbg_get_entropy
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7474)

(cherry picked from commit 21311777ad)
2018-10-26 15:26:21 +02:00
Dr. Matthias St. Pierre
1d0671b81f RAND_load_file(): avoid adding small chunks to RAND_add()
Increase the load buffer size such that it exceeds the chunk
size by a comfortable amount. This is done to avoid calling
RAND_add() with a small final chunk. Instead, such a small
final chunk will be added together with the previous chunk
(unless it's the only one).

Related-to: #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)
2018-10-26 08:50:26 +02:00
Dr. Matthias St. Pierre
13ce86259e RAND_load_file(): return error if reseeding failed
The failure of RAND_load_file was only noticed because of the
heap corruption which was reported in #7499 and fixed in commit
5b4cb385c1. To prevent this in the future, RAND_load_file()
now explicitly checks RAND_status() and reports an error if it
fails.

Related-to: #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)
2018-10-26 08:50:26 +02:00