Don't use a ssl specific DRBG anymore

Since the public and private DRBGs are per thread, we don't need one
per SSL object anymore. A per-object DRBG could also try to get entropy
from a DRBG that really belongs to another thread, because the SSL
object moved to another thread.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5547)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index fa902f3..c21a478 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -972,7 +972,7 @@
                         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
                                  ERR_R_INTERNAL_ERROR);
                         return -1;
-                    } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) {
+                    } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
                         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
                                  ERR_R_INTERNAL_ERROR);
                         return -1;
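Review bot: RAND_bytes is now called directly on the changed line, and likewise in s3_lib.c, ssl_sess.c, statem_clnt.c, statem_srvr.c and tls_srp.c, but the diff adds no `#include <openssl/rand.h>` to any of those files; the old calls went through ssl_randbytes, whose prototype came from ssl_locl.h, so this relies on each file already pulling the header in directly or transitively, otherwise the call becomes an implicit declaration. Worth confirming per file rather than trusting a single build configuration. The enclosing function starts and ends outside the hunk.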
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 966d498..d6a08de 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -168,7 +168,6 @@
              */
             EVP_CIPHER_CTX_reset(s->enc_write_ctx);
         }
-        EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
         dd = s->enc_write_ctx;
         if (ssl_replace_hash(&s->write_hash, m) == NULL) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f230b5f..bbf49a2 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4524,12 +4524,12 @@
         unsigned char *p = result;
 
         l2n(Time, p);
-        ret = ssl_randbytes(s, p, len - 4);
+        ret = RAND_bytes(p, len - 4);
     } else {
-        ret = ssl_randbytes(s, result, len);
+        ret = RAND_bytes(result, len);
     }
 #ifndef OPENSSL_NO_TLS13DOWNGRADE
-    if (ret) {
+    if (ret > 0) {
         if (!ossl_assert(sizeof(tls11downgrade) < len)
                 || !ossl_assert(sizeof(tls12downgrade) < len))
              return 0;
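Review bot: The `len - 4` and `len` passed to RAND_bytes on the new lines go straight into its `int num` parameter, whereas the `ssl_randbytes` wrapper this commit deletes in ssl_lib.c first rejected `size > INT_MAX`; if `len` is `size_t` here the narrowing is now implicit, and the same applies to `sess_id_len` in statem_clnt.c and `s->pha_context_len` in statem_srvr.c. These values are bounded by protocol constants in practice, so an explicit `(int)` cast with the existing `/* TODO(size_t) */` marker, as the premaster-secret sites in statem_clnt.c already do, would make that intent visible instead of relying on an unchecked conversion. The `ret > 0` change correctly covers the -1 that RAND_bytes can return. The enclosing function starts and ends outside the hunk.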
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index cd972ae..e423331 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -690,20 +690,6 @@
         goto err;
     }
 
-    /*
-     * If not using the standard RAND (say for fuzzing), then don't use a
-     * chained DRBG.
-     */
-    if (RAND_get_rand_method() == RAND_OpenSSL()) {
-        s->drbg =
-            RAND_DRBG_new(0, 0, RAND_DRBG_get0_public());
-        if (s->drbg == NULL
-            || RAND_DRBG_instantiate(s->drbg,
-                                     (const unsigned char *) SSL_version_str,
-                                     sizeof(SSL_version_str) - 1) == 0)
-            goto err;
-    }
-
     RECORD_LAYER_init(&s->rlayer, s);
 
     s->options = ctx->options;
@@ -1220,7 +1206,6 @@
     sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
 #endif
 
-    RAND_DRBG_free(s->drbg);
     CRYPTO_THREAD_lock_free(s->lock);
 
     OPENSSL_free(s);
@@ -5397,28 +5382,6 @@
     return s->max_early_data;
 }
 
-int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size)
-{
-    if (s->drbg != NULL) {
-        /*
-         * Currently, it's the duty of the caller to serialize the generate
-         * requests to the DRBG. So formally we have to check whether
-         * s->drbg->lock != NULL and take the lock if this is the case.
-         * However, this DRBG is unique to a given SSL object, and we already
-         * require that SSL objects are only accessed by a single thread at
-         * a given time. Also, SSL DRBGs have no child DRBG, so there is
-         * no risk that this DRBG is accessed by a child DRBG in parallel
-         * for reseeding.  As such, we can rely on the application's
-         * serialization of SSL accesses for the needed concurrency protection
-         * here.
-         */
-        return RAND_DRBG_bytes(s->drbg, rnd, size);
-    }
-    if (size > INT_MAX)
-        return 0;
-    return RAND_bytes(rnd, size);
-}
-
 __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl)
 {
     /* Return any active Max Fragment Len extension */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4b8482a..83a0334 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1407,7 +1407,6 @@
     size_t block_padding;
 
     CRYPTO_RWLOCK *lock;
-    RAND_DRBG *drbg;
 };
 
 /*
@@ -2238,7 +2237,6 @@
 __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
                                    int ref);
 
-__owur int ssl_randbytes(SSL *s, unsigned char *buf, size_t num);
 __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
 __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
                             void *other);
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 6513bf8..2dd5456 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -295,7 +295,7 @@
 {
     unsigned int retry = 0;
     do
-        if (ssl_randbytes(ssl, id, *id_len) <= 0)
+        if (RAND_bytes(id, *id_len) <= 0)
             return 0;
     while (SSL_has_matching_session_id(ssl, id, *id_len) &&
            (++retry < MAX_SESS_ID_ATTEMPTS)) ;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d770706..86cf5b6 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1188,8 +1188,7 @@
             s->tmp_session_id_len = sess_id_len;
             session_id = s->tmp_session_id;
             if (s->hello_retry_request == SSL_HRR_NONE
-                    && ssl_randbytes(s, s->tmp_session_id,
-                                     sess_id_len) <= 0) {
+                    && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                          SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
                          ERR_R_INTERNAL_ERROR);
@@ -2925,7 +2924,7 @@
     pms[0] = s->client_version >> 8;
     pms[1] = s->client_version & 0xff;
     /* TODO(size_t): Convert this function */
-    if (ssl_randbytes(s, pms + 2, (int)(pmslen - 2)) <= 0) {
+    if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
                  ERR_R_MALLOC_FAILURE);
         goto err;
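Review bot: A RAND_bytes failure on the changed line is reported with `ERR_R_MALLOC_FAILURE`, while every other converted call site in this commit (including the GOST branch in the next hunk) uses `ERR_R_INTERNAL_ERROR`; with the wrapper gone this is a good moment to make the reason code match: `SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);`. The `(int)(pmslen - 2)` cast carried over from the old call is still needed, since RAND_bytes also takes an `int`. The enclosing function starts and ends outside the hunk.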
@@ -3146,7 +3145,7 @@
         /* Generate session key
          * TODO(size_t): Convert this function
          */
-        || ssl_randbytes(s, pms, (int)pmslen) <= 0) {
+        || RAND_bytes(pms, (int)pmslen) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
                  ERR_R_INTERNAL_ERROR);
         goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c198aa7..8826b7f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2737,7 +2737,7 @@
             OPENSSL_free(s->pha_context);
             s->pha_context_len = 32;
             if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
-                    || ssl_randbytes(s, s->pha_context, s->pha_context_len) <= 0
+                    || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
                     || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                          SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
@@ -2926,7 +2926,7 @@
      * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
      */
 
-    if (ssl_randbytes(s, rand_premaster_secret,
+    if (RAND_bytes(rand_premaster_secret,
                       sizeof(rand_premaster_secret)) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                  ERR_R_INTERNAL_ERROR);
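Review bot: The continuation line `sizeof(rand_premaster_secret)) <= 0) {` was aligned to the argument column of the old `ssl_randbytes(s, ` call and now sits past the opening parenthesis of `RAND_bytes(`; either re-align it or, since it fits in 80 columns, collapse the condition to `if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) {`. The enclosing function starts and ends outside the hunk.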
@@ -3692,7 +3692,7 @@
             /* SSLfatal() already called */
             goto err;
         }
-        if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
+        if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                      ERR_R_INTERNAL_ERROR);
@@ -3758,7 +3758,6 @@
                  SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
 
     p = senc;
     if (!i2d_SSL_SESSION(s->session, &p)) {
@@ -3830,7 +3829,7 @@
         const EVP_CIPHER *cipher = EVP_aes_256_cbc();
 
         iv_len = EVP_CIPHER_iv_length(cipher);
-        if (ssl_randbytes(s, iv, iv_len) <= 0
+        if (RAND_bytes(iv, iv_len) <= 0
                 || !EVP_EncryptInit_ex(ctx, cipher, NULL,
                                        tctx->ext.tick_aes_key, iv)
                 || !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index a138b60..58d5e25 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -171,7 +171,6 @@
                      ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
         dd = s->enc_write_ctx;
         if (SSL_IS_DTLS(s)) {
             mac_ctx = EVP_MD_CTX_new();
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 7f43958..a793e0c 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -407,7 +407,6 @@
                          SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-            EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
         }
         ciph_ctx = s->enc_write_ctx;
         iv = s->write_iv;
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index d732328..87614cb 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -157,7 +157,7 @@
         (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
         return SSL3_AL_FATAL;
 
-    if (ssl_randbytes(s, b, sizeof(b)) <= 0)
+    if (RAND_bytes(b, sizeof(b)) <= 0)
         return SSL3_AL_FATAL;
     s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
     OPENSSL_cleanse(b, sizeof(b));
@@ -369,7 +369,7 @@
 {
     unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
 
-    if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0)
+    if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
         return 0;
     s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
     OPENSSL_cleanse(rnd, sizeof(rnd));