openssl/crypto
Benjamin Kaduk 2139145b72 Add missing RAND_DRBG locking
The drbg's lock must be held across calls to RAND_DRBG_generate()
to prevent simultaneous modification of internal state.

This was observed in practice with simultaneous SSL_new() calls attempting
to seed the (separate) per-SSL RAND_DRBG instances from the global
rand_drbg instance; this eventually led to simultaneous calls to
ctr_BCC_update() attempting to increment drbg->bltmp_pos for their
respective partial final block, violating the invariant that bltmp_pos < 16.
The AES operations performed in ctr_BCC_blocks() make the race window
quite easy to trigger.  A value of bltmp_pos greater than 16 induces
catastrophic failure in ctr_BCC_final(), with subtraction overflowing
and leading to an attempt to memset() to zero a very large range,
which eventually reaches an unmapped page and segfaults.

Provide the needed locking in get_entropy_from_parent(), as well as
fixing a similar issue in RAND_priv_bytes().  There is also an
unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the
requisite serialization is already guaranteed by the requirements on
the application's usage of SSL objects, and no further locking is
needed for correct behavior.  In that case, leave a comment noting
the apparent discrepancy and the reason for its safety (at present).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4328)
2017-10-18 08:39:20 -05:00
aes s390x assembly pack: remove capability double-checking. 2017-10-17 21:55:33 +02:00
aria Fix potential null problem. 2017-09-01 09:30:18 +10:00
asn1 Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
async Add stack space reservations. 2017-09-28 06:53:40 +10:00
bf Remove filename argument to x86 asm_init. 2017-05-11 17:00:23 -04:00
bio Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
blake2 Move e_os.h to be the very first include. 2017-08-30 07:20:44 +10:00
bn Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
buffer Use OPENSSL_secure_clear_free for secure mem BIOs and X25519 private keys 2017-07-29 19:26:06 +02:00
camellia Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
cast e_os.h removal from other headers and source files. 2017-08-30 07:20:43 +10:00
chacha x86_64 assembly pack: "optimize" for Knights Landing, add AVX-512 results. 2017-07-21 14:07:32 +02:00
cmac Don't use deprecated EVP_CIPHER_CTX_cleanup() internally 2017-03-01 11:42:50 +01:00
cms Code hygiene; initialize some pointers. 2017-10-16 14:46:53 -04:00
comp make error tables const and separate header file 2017-06-07 15:12:03 -04:00
conf Use safestack.h exclusively internally. 2017-09-28 13:14:33 +10:00
ct Null pointer used. 2017-09-18 06:52:13 +10:00
des Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
dh Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
dsa Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
dso Since return is inconsistent, I removed unnecessary parentheses and 2017-10-09 13:17:09 +01:00
ec Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
engine Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
err Fix reseeding issues of the public RAND_DRBG 2017-10-18 08:39:20 -05:00
evp Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
hmac Remove OPENSSL_assert() from crypto/hmac 2017-08-21 08:44:44 +01:00
idea Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
include/internal Fix reseeding issues of the public RAND_DRBG 2017-10-18 08:39:20 -05:00
kdf More updates following review feedback 2017-08-21 08:44:44 +01:00
lhash Document that lhash isn't thread safe under any circumstances and 2017-10-09 07:50:18 +10:00
md2 Convert memset calls to OPENSSL_cleanse 2016-06-30 15:51:57 +01:00
md4 Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
md5 Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
mdc2 Convert mdc2 test print to internal test 2016-11-03 13:13:31 +01:00
modes s390x assembly pack: remove capability double-checking. 2017-10-17 21:55:33 +02:00
objects added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author 2017-10-16 14:56:14 -04:00
ocsp Move e_os.h to be the very first include. 2017-08-30 07:20:44 +10:00
pem This has been added to avoid the situation where some host ctype.h functions 2017-08-22 09:45:25 +10:00
perlasm perlasm/ppc-xlate.pl: add PowerISA 3.0B instructions. 2017-06-13 18:37:08 +02:00
pkcs7 Code hygiene; initialize some pointers. 2017-10-16 14:46:53 -04:00
pkcs12 Add checks for alloc failing. 2017-09-06 09:52:16 -04:00
poly1305 x86_64 assembly pack: "optimize" for Knights Landing, add AVX-512 results. 2017-07-21 14:07:32 +02:00
rand Add missing RAND_DRBG locking 2017-10-18 08:39:20 -05:00
rc2 Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
rc4 Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
rc5 Remove filename argument to x86 asm_init. 2017-05-11 17:00:23 -04:00
ripemd Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
rsa Remove unnecessary #include <openssl/lhash.h> directives. 2017-09-29 07:38:56 +10:00
seed Use _WIN32 over WIN32 for preprocessor conditional 2017-02-16 08:59:47 -05:00
sha s390x assembly pack: remove capability double-checking. 2017-10-17 21:55:33 +02:00
siphash Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
srp Remove custom base64 code. 2017-08-22 11:03:32 -04:00
stack stack/stack.c: various cleanups. 2017-10-05 21:23:23 +02:00
store Fix OSSL_STORE's 'file' loader: make sure peekbuf is initialised 2017-09-05 17:07:20 +02:00
ts struct timeval include guards 2017-09-01 09:55:43 +10:00
txt_db Since return is inconsistent, I removed unnecessary parentheses and 2017-10-09 13:17:09 +01:00
ui Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
whrlpool Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
x509 Since return is inconsistent, I removed unnecessary parentheses and 2017-10-09 13:17:09 +01:00
x509v3 x509v3/v3_utl.c: avoid double-free. 2017-10-17 21:36:31 +02:00
alphacpuid.pl Add assembly CRYPTO_memcmp. 2016-05-19 22:33:00 +02:00
arm64cpuid.pl Add assembly CRYPTO_memcmp. 2016-05-19 22:33:00 +02:00
arm_arch.h Copyright consolidation 07/10 2016-05-17 14:51:26 -04:00
armcap.c Fix typo in files in crypto folder 2017-08-05 20:42:06 +02:00
armv4cpuid.pl ARMv4 assembly pack: harmonize Thumb-ification of iOS build. 2017-02-15 23:16:01 +01:00
build.info This has been added to avoid the situation where some host ctype.h functions 2017-08-22 09:45:25 +10:00
c64xpluscpuid.pl Add assembly CRYPTO_memcmp. 2016-05-19 22:33:00 +02:00
cpt_err.c make error tables const and separate header file 2017-06-07 15:12:03 -04:00
cryptlib.c crypto/cryptlib.c: mask more capability bits upon FXSR bit flip. 2017-09-01 08:48:32 +02:00
ctype.c Check for EOF in ASCII conversions. 2017-08-25 06:42:17 +10:00
cversion.c Undo commit d420ac2 2017-07-05 11:32:35 +10:00
dllmain.c Move e_os.h to be the very first include. 2017-08-30 07:20:44 +10:00
ebcdic.c Remove email addresses from source code. 2017-10-13 10:06:59 -04:00
ex_data.c Remove unnecessary #include <openssl/lhash.h> directives. 2017-09-29 07:38:56 +10:00
ia64cpuid.S Fix typo in files in crypto folder 2017-08-05 20:42:06 +02:00
init.c Fix reseeding issues of the public RAND_DRBG 2017-10-18 08:39:20 -05:00
LPdir_nyi.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_unix.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_vms.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_win.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_win32.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
LPdir_wince.c Fix typo (note by oneton@users.github) 2017-06-20 08:15:00 -04:00
mem.c Add CRYPTO_get_alloc_counts. 2017-10-12 22:04:12 -04:00
mem_clr.c Fix some style issues... 2016-08-02 09:59:23 +02:00
mem_dbg.c Add CRYPTO_get_alloc_counts. 2017-10-12 22:04:12 -04:00
mem_sec.c Add CRYPTO_thread_glock_new 2017-08-31 19:42:03 -04:00
mips_arch.h Remove trailing whitespace from some files. 2016-10-10 23:36:21 +01:00
o_dir.c Move e_os.h to be the very first include. 2017-08-30 07:20:44 +10:00
o_fips.c Clean up references to FIPS 2017-02-28 15:26:25 +01:00
o_fopen.c Fix a few if(, for(, while( inside code. 2016-07-20 07:21:53 -04:00
o_init.c Use "" not <> on e_os.h include 2017-08-22 11:07:56 -04:00
o_str.c Revert "GH614: Use memcpy()/strdup() when possible" 2017-09-14 10:26:54 +10:00
o_time.c Fix typo in files in crypto folder 2017-08-05 20:42:06 +02:00
pariscid.pl Add assembly CRYPTO_memcmp. 2016-05-19 22:33:00 +02:00
ppc_arch.h GH919: Fix wrappers for two headers 2016-05-24 11:04:38 -04:00
ppccap.c crypto/ppccap.c: SIGILL-free processor capabilities detection on MacOS X. 2017-04-02 20:45:59 +02:00
ppccpuid.pl Add assembly CRYPTO_memcmp. 2016-05-19 22:33:00 +02:00
s390xcap.c Fix strict-warnings build 2016-10-18 17:09:47 +01:00
s390xcpuid.S s390x assembly pack: improve portability. 2016-06-06 11:08:04 +02:00
sparc_arch.h Copyright consolidation 09/10 2016-05-17 14:53:16 -04:00
sparccpuid.S Clean up references to FIPS 2017-02-28 15:26:25 +01:00
sparcv9cap.c crypto/sparcv9cap.c: add missing declaration. 2016-08-12 10:26:20 +02:00
threads_none.c Add atomic write call 2017-10-10 08:45:53 +10:00
threads_pthread.c Return a value from atomic read on Windows. 2017-10-11 09:47:54 +10:00
threads_win.c Return a value from atomic read on Windows. 2017-10-11 09:47:54 +10:00
uid.c Cleaning UEFI Build with additional OPENSSL_SYS_UEFI flags 2017-03-29 07:35:59 +02:00
vms_rms.h Copyright consolidation 09/10 2016-05-17 14:53:16 -04:00
x86_64cpuid.pl Fix comment typo. 2017-07-26 23:10:52 -04:00
x86cpuid.pl Remove filename argument to x86 asm_init. 2017-05-11 17:00:23 -04:00