Don't use a ssl specific DRBG anymore Since the public and private DRBG are per thread we don't need one per ssl object anymore. It could also try to get entropy from a DRBG that's really from an other thread because the SSL object moved to an other thread. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5547)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index fa902f3..c21a478 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c
@@ -972,7 +972,7 @@ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; - } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) { + } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 966d498..d6a08de 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c
@@ -168,7 +168,6 @@ */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); } - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); dd = s->enc_write_ctx; if (ssl_replace_hash(&s->write_hash, m) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f230b5f..bbf49a2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c
@@ -4524,12 +4524,12 @@ unsigned char *p = result; l2n(Time, p); - ret = ssl_randbytes(s, p, len - 4); + ret = RAND_bytes(p, len - 4); } else { - ret = ssl_randbytes(s, result, len); + ret = RAND_bytes(result, len); } #ifndef OPENSSL_NO_TLS13DOWNGRADE - if (ret) { + if (ret > 0) { if (!ossl_assert(sizeof(tls11downgrade) < len) || !ossl_assert(sizeof(tls12downgrade) < len)) return 0;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index cd972ae..e423331 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -690,20 +690,6 @@ goto err; } - /* - * If not using the standard RAND (say for fuzzing), then don't use a - * chained DRBG. - */ - if (RAND_get_rand_method() == RAND_OpenSSL()) { - s->drbg = - RAND_DRBG_new(0, 0, RAND_DRBG_get0_public()); - if (s->drbg == NULL - || RAND_DRBG_instantiate(s->drbg, - (const unsigned char *) SSL_version_str, - sizeof(SSL_version_str) - 1) == 0) - goto err; - } - RECORD_LAYER_init(&s->rlayer, s); s->options = ctx->options; @@ -1220,7 +1206,6 @@ sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif - RAND_DRBG_free(s->drbg); CRYPTO_THREAD_lock_free(s->lock); OPENSSL_free(s); @@ -5397,28 +5382,6 @@ return s->max_early_data; } -int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size) -{ - if (s->drbg != NULL) { - /* - * Currently, it's the duty of the caller to serialize the generate - * requests to the DRBG. So formally we have to check whether - * s->drbg->lock != NULL and take the lock if this is the case. - * However, this DRBG is unique to a given SSL object, and we already - * require that SSL objects are only accessed by a single thread at - * a given time. Also, SSL DRBGs have no child DRBG, so there is - * no risk that this DRBG is accessed by a child DRBG in parallel - * for reseeding. As such, we can rely on the application's - * serialization of SSL accesses for the needed concurrency protection - * here. - */ - return RAND_DRBG_bytes(s->drbg, rnd, size); - } - if (size > INT_MAX) - return 0; - return RAND_bytes(rnd, size); -} - __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) { /* Return any active Max Fragment Len extension */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4b8482a..83a0334 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h
@@ -1407,7 +1407,6 @@ size_t block_padding; CRYPTO_RWLOCK *lock; - RAND_DRBG *drbg; }; /* @@ -2238,7 +2237,6 @@ __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); -__owur int ssl_randbytes(SSL *s, unsigned char *buf, size_t num); __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other);
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6513bf8..2dd5456 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c
@@ -295,7 +295,7 @@ { unsigned int retry = 0; do - if (ssl_randbytes(ssl, id, *id_len) <= 0) + if (RAND_bytes(id, *id_len) <= 0) return 0; while (SSL_has_matching_session_id(ssl, id, *id_len) && (++retry < MAX_SESS_ID_ATTEMPTS)) ;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d770706..86cf5b6 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c
@@ -1188,8 +1188,7 @@ s->tmp_session_id_len = sess_id_len; session_id = s->tmp_session_id; if (s->hello_retry_request == SSL_HRR_NONE - && ssl_randbytes(s, s->tmp_session_id, - sess_id_len) <= 0) { + && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); @@ -2925,7 +2924,7 @@ pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; /* TODO(size_t): Convert this function */ - if (ssl_randbytes(s, pms + 2, (int)(pmslen - 2)) <= 0) { + if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE); goto err; @@ -3146,7 +3145,7 @@ /* Generate session key * TODO(size_t): Convert this function */ - || ssl_randbytes(s, pms, (int)pmslen) <= 0) { + || RAND_bytes(pms, (int)pmslen) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index c198aa7..8826b7f 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c
@@ -2737,7 +2737,7 @@ OPENSSL_free(s->pha_context); s->pha_context_len = 32; if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL - || ssl_randbytes(s, s->pha_context, s->pha_context_len) <= 0 + || RAND_bytes(s->pha_context, s->pha_context_len) <= 0 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, @@ -2926,7 +2926,7 @@ * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if (ssl_randbytes(s, rand_premaster_secret, + if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); @@ -3692,7 +3692,7 @@ /* SSLfatal() already called */ goto err; } - if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { + if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); @@ -3758,7 +3758,6 @@ SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); goto err; } - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); p = senc; if (!i2d_SSL_SESSION(s->session, &p)) { @@ -3830,7 +3829,7 @@ const EVP_CIPHER *cipher = EVP_aes_256_cbc(); iv_len = EVP_CIPHER_iv_length(cipher); - if (ssl_randbytes(s, iv, iv_len) <= 0 + if (RAND_bytes(iv, iv_len) <= 0 || !EVP_EncryptInit_ex(ctx, cipher, NULL, tctx->ext.tick_aes_key, iv) || !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index a138b60..58d5e25 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c
@@ -171,7 +171,6 @@ ERR_R_MALLOC_FAILURE); goto err; } - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); dd = s->enc_write_ctx; if (SSL_IS_DTLS(s)) { mac_ctx = EVP_MD_CTX_new();
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 7f43958..a793e0c 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c
@@ -407,7 +407,6 @@ SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); } ciph_ctx = s->enc_write_ctx; iv = s->write_iv;
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index d732328..87614cb 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c
@@ -157,7 +157,7 @@ (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - if (ssl_randbytes(s, b, sizeof(b)) <= 0) + if (RAND_bytes(b, sizeof(b)) <= 0) return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); OPENSSL_cleanse(b, sizeof(b)); @@ -369,7 +369,7 @@ { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0) + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) return 0; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd));