/src/openssl/crypto/rand/md_rand.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* crypto/rand/md_rand.c */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | |
112 | | #define OPENSSL_FIPSEVP |
113 | | |
114 | | #ifdef MD_RAND_DEBUG |
115 | | # ifndef NDEBUG |
116 | | # define NDEBUG |
117 | | # endif |
118 | | #endif |
119 | | |
120 | | #include <assert.h> |
121 | | #include <stdio.h> |
122 | | #include <string.h> |
123 | | |
124 | | #include "e_os.h" |
125 | | |
126 | | #include <openssl/crypto.h> |
127 | | #include <openssl/rand.h> |
128 | | #include "rand_lcl.h" |
129 | | |
130 | | #include <openssl/err.h> |
131 | | |
132 | | #ifdef BN_DEBUG |
133 | | # define PREDICT |
134 | | #endif |
135 | | |
136 | | /* #define PREDICT 1 */ |
137 | | |
138 | 22.8k | #define STATE_SIZE 1023 |
139 | | static size_t state_num = 0, state_index = 0; |
140 | | static unsigned char state[STATE_SIZE + MD_DIGEST_LENGTH]; |
141 | | static unsigned char md[MD_DIGEST_LENGTH]; |
142 | | static long md_count[2] = { 0, 0 }; |
143 | | |
144 | | static double entropy = 0; |
145 | | static int initialized = 0; |
146 | | |
147 | | static unsigned int crypto_lock_rand = 0; /* may be set only when a thread |
148 | | * holds CRYPTO_LOCK_RAND (to |
149 | | * prevent double locking) */ |
150 | | /* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */ |
151 | | /* valid iff crypto_lock_rand is set */ |
152 | | static CRYPTO_THREADID locking_threadid; |
153 | | |
154 | | #ifdef PREDICT |
155 | | int rand_predictable = 0; |
156 | | #endif |
157 | | |
158 | | const char RAND_version[] = "RAND" OPENSSL_VERSION_PTEXT; |
159 | | |
160 | | static void ssleay_rand_cleanup(void); |
161 | | static void ssleay_rand_seed(const void *buf, int num); |
162 | | static void ssleay_rand_add(const void *buf, int num, double add_entropy); |
163 | | static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num); |
164 | | static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); |
165 | | static int ssleay_rand_status(void); |
166 | | |
167 | | RAND_METHOD rand_ssleay_meth = { |
168 | | ssleay_rand_seed, |
169 | | ssleay_rand_nopseudo_bytes, |
170 | | ssleay_rand_cleanup, |
171 | | ssleay_rand_add, |
172 | | ssleay_rand_pseudo_bytes, |
173 | | ssleay_rand_status |
174 | | }; |
175 | | |
176 | | RAND_METHOD *RAND_SSLeay(void) |
177 | 18 | { |
178 | 18 | return (&rand_ssleay_meth); |
179 | 18 | } |
180 | | |
181 | | static void ssleay_rand_cleanup(void) |
182 | 0 | { |
183 | 0 | OPENSSL_cleanse(state, sizeof(state)); |
184 | 0 | state_num = 0; |
185 | 0 | state_index = 0; |
186 | 0 | OPENSSL_cleanse(md, MD_DIGEST_LENGTH); |
187 | 0 | md_count[0] = 0; |
188 | 0 | md_count[1] = 0; |
189 | 0 | entropy = 0; |
190 | 0 | initialized = 0; |
191 | 0 | } |
192 | | |
193 | | static void ssleay_rand_add(const void *buf, int num, double add) |
194 | 1.00k | { |
195 | 1.00k | int i, j, k, st_idx; |
196 | 1.00k | long md_c[2]; |
197 | 1.00k | unsigned char local_md[MD_DIGEST_LENGTH]; |
198 | 1.00k | EVP_MD_CTX m; |
199 | 1.00k | int do_not_lock; |
200 | | |
201 | 1.00k | if (!num) |
202 | 0 | return; |
203 | | |
204 | | /* |
205 | | * (Based on the rand(3) manpage) |
206 | | * |
207 | | * The input is chopped up into units of 20 bytes (or less for |
208 | | * the last block). Each of these blocks is run through the hash |
209 | | * function as follows: The data passed to the hash function |
210 | | * is the current 'md', the same number of bytes from the 'state' |
211 | | * (the location determined by in incremented looping index) as |
212 | | * the current 'block', the new key data 'block', and 'count' |
213 | | * (which is incremented after each use). |
214 | | * The result of this is kept in 'md' and also xored into the |
215 | | * 'state' at the same locations that were used as input into the |
216 | | * hash function. |
217 | | */ |
218 | | |
219 | | /* check if we already have the lock */ |
220 | 1.00k | if (crypto_lock_rand) { |
221 | 1.00k | CRYPTO_THREADID cur; |
222 | 1.00k | CRYPTO_THREADID_current(&cur); |
223 | 1.00k | CRYPTO_r_lock(CRYPTO_LOCK_RAND2); |
224 | 1.00k | do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); |
225 | 1.00k | CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); |
226 | 1.00k | } else |
227 | 0 | do_not_lock = 0; |
228 | | |
229 | 1.00k | if (!do_not_lock) |
230 | 0 | CRYPTO_w_lock(CRYPTO_LOCK_RAND); |
231 | 1.00k | st_idx = state_index; |
232 | | |
233 | | /* |
234 | | * use our own copies of the counters so that even if a concurrent thread |
235 | | * seeds with exactly the same data and uses the same subarray there's |
236 | | * _some_ difference |
237 | | */ |
238 | 1.00k | md_c[0] = md_count[0]; |
239 | 1.00k | md_c[1] = md_count[1]; |
240 | | |
241 | 1.00k | memcpy(local_md, md, sizeof md); |
242 | | |
243 | | /* state_index <= state_num <= STATE_SIZE */ |
244 | 1.00k | state_index += num; |
245 | 1.00k | if (state_index >= STATE_SIZE) { |
246 | 18 | state_index %= STATE_SIZE; |
247 | 18 | state_num = STATE_SIZE; |
248 | 990 | } else if (state_num < STATE_SIZE) { |
249 | 936 | if (state_index > state_num) |
250 | 936 | state_num = state_index; |
251 | 936 | } |
252 | | /* state_index <= state_num <= STATE_SIZE */ |
253 | | |
254 | | /* |
255 | | * state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE] are what we |
256 | | * will use now, but other threads may use them as well |
257 | | */ |
258 | | |
259 | 1.00k | md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); |
260 | | |
261 | 1.00k | if (!do_not_lock) |
262 | 0 | CRYPTO_w_unlock(CRYPTO_LOCK_RAND); |
263 | | |
264 | 1.00k | EVP_MD_CTX_init(&m); |
265 | 2.03k | for (i = 0; i < num; i += MD_DIGEST_LENGTH) { |
266 | 1.02k | j = (num - i); |
267 | 1.02k | j = (j > MD_DIGEST_LENGTH) ? MD_DIGEST_LENGTH : j; |
268 | | |
269 | 1.02k | if (!MD_Init(&m) || |
270 | 1.02k | !MD_Update(&m, local_md, MD_DIGEST_LENGTH)) |
271 | 0 | goto err; |
272 | 1.02k | k = (st_idx + j) - STATE_SIZE; |
273 | 1.02k | if (k > 0) { |
274 | 18 | if (!MD_Update(&m, &(state[st_idx]), j - k) || |
275 | 18 | !MD_Update(&m, &(state[0]), k)) |
276 | 0 | goto err; |
277 | 18 | } else |
278 | 1.00k | if (!MD_Update(&m, &(state[st_idx]), j)) |
279 | 0 | goto err; |
280 | | |
281 | | /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ |
282 | 1.02k | if (!MD_Update(&m, buf, j)) |
283 | 0 | goto err; |
284 | | /* |
285 | | * We know that line may cause programs such as purify and valgrind |
286 | | * to complain about use of uninitialized data. The problem is not, |
287 | | * it's with the caller. Removing that line will make sure you get |
288 | | * really bad randomness and thereby other problems such as very |
289 | | * insecure keys. |
290 | | */ |
291 | | |
292 | 1.02k | if (!MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)) || |
293 | 1.02k | !MD_Final(&m, local_md)) |
294 | 0 | goto err; |
295 | 1.02k | md_c[1]++; |
296 | | |
297 | 1.02k | buf = (const char *)buf + j; |
298 | | |
299 | 20.7k | for (k = 0; k < j; k++) { |
300 | | /* |
301 | | * Parallel threads may interfere with this, but always each byte |
302 | | * of the new state is the XOR of some previous value of its and |
303 | | * local_md (itermediate values may be lost). Alway using locking |
304 | | * could hurt performance more than necessary given that |
305 | | * conflicts occur only when the total seeding is longer than the |
306 | | * random state. |
307 | | */ |
308 | 19.7k | state[st_idx++] ^= local_md[k]; |
309 | 19.7k | if (st_idx >= STATE_SIZE) |
310 | 18 | st_idx = 0; |
311 | 19.7k | } |
312 | 1.02k | } |
313 | | |
314 | 1.00k | if (!do_not_lock) |
315 | 0 | CRYPTO_w_lock(CRYPTO_LOCK_RAND); |
316 | | /* |
317 | | * Don't just copy back local_md into md -- this could mean that other |
318 | | * thread's seeding remains without effect (except for the incremented |
319 | | * counter). By XORing it we keep at least as much entropy as fits into |
320 | | * md. |
321 | | */ |
322 | 21.1k | for (k = 0; k < (int)sizeof(md); k++) { |
323 | 20.1k | md[k] ^= local_md[k]; |
324 | 20.1k | } |
325 | 1.00k | if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */ |
326 | 18 | entropy += add; |
327 | 1.00k | if (!do_not_lock) |
328 | 0 | CRYPTO_w_unlock(CRYPTO_LOCK_RAND); |
329 | | |
330 | | #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) |
331 | | assert(md_c[1] == md_count[1]); |
332 | | #endif |
333 | | |
334 | 1.00k | err: |
335 | 1.00k | EVP_MD_CTX_cleanup(&m); |
336 | 1.00k | } |
337 | | |
338 | | static void ssleay_rand_seed(const void *buf, int num) |
339 | 0 | { |
340 | 0 | ssleay_rand_add(buf, num, (double)num); |
341 | 0 | } |
342 | | |
343 | | int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) |
344 | 30.3k | { |
345 | 30.3k | static volatile int stirred_pool = 0; |
346 | 30.3k | int i, j, k; |
347 | 30.3k | size_t num_ceil, st_idx, st_num; |
348 | 30.3k | int ok; |
349 | 30.3k | long md_c[2]; |
350 | 30.3k | unsigned char local_md[MD_DIGEST_LENGTH]; |
351 | 30.3k | EVP_MD_CTX m; |
352 | 30.3k | #ifndef GETPID_IS_MEANINGLESS |
353 | 30.3k | pid_t curr_pid = getpid(); |
354 | 30.3k | #endif |
355 | 30.3k | int do_stir_pool = 0; |
356 | | |
357 | | #ifdef PREDICT |
358 | | if (rand_predictable) { |
359 | | static unsigned char val = 0; |
360 | | |
361 | | for (i = 0; i < num; i++) |
362 | | buf[i] = val++; |
363 | | return (1); |
364 | | } |
365 | | #endif |
366 | | |
367 | 30.3k | if (num <= 0) |
368 | 0 | return 1; |
369 | | |
370 | 30.3k | EVP_MD_CTX_init(&m); |
371 | | /* round upwards to multiple of MD_DIGEST_LENGTH/2 */ |
372 | 30.3k | num_ceil = |
373 | 30.3k | (1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2); |
374 | | |
375 | | /* |
376 | | * (Based on the rand(3) manpage:) |
377 | | * |
378 | | * For each group of 10 bytes (or less), we do the following: |
379 | | * |
380 | | * Input into the hash function the local 'md' (which is initialized from |
381 | | * the global 'md' before any bytes are generated), the bytes that are to |
382 | | * be overwritten by the random bytes, and bytes from the 'state' |
383 | | * (incrementing looping index). From this digest output (which is kept |
384 | | * in 'md'), the top (up to) 10 bytes are returned to the caller and the |
385 | | * bottom 10 bytes are xored into the 'state'. |
386 | | * |
387 | | * Finally, after we have finished 'num' random bytes for the |
388 | | * caller, 'count' (which is incremented) and the local and global 'md' |
389 | | * are fed into the hash function and the results are kept in the |
390 | | * global 'md'. |
391 | | */ |
392 | 30.3k | if (lock) |
393 | 30.3k | CRYPTO_w_lock(CRYPTO_LOCK_RAND); |
394 | | |
395 | | /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ |
396 | 30.3k | CRYPTO_w_lock(CRYPTO_LOCK_RAND2); |
397 | 30.3k | CRYPTO_THREADID_current(&locking_threadid); |
398 | 30.3k | CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); |
399 | 30.3k | crypto_lock_rand = 1; |
400 | | |
401 | 30.3k | if (!initialized) { |
402 | 0 | RAND_poll(); |
403 | 0 | initialized = 1; |
404 | 0 | } |
405 | | |
406 | 30.3k | if (!stirred_pool) |
407 | 18 | do_stir_pool = 1; |
408 | | |
409 | 30.3k | ok = (entropy >= ENTROPY_NEEDED); |
410 | 30.3k | if (!ok) { |
411 | | /* |
412 | | * If the PRNG state is not yet unpredictable, then seeing the PRNG |
413 | | * output may help attackers to determine the new state; thus we have |
414 | | * to decrease the entropy estimate. Once we've had enough initial |
415 | | * seeding we don't bother to adjust the entropy count, though, |
416 | | * because we're not ambitious to provide *information-theoretic* |
417 | | * randomness. NOTE: This approach fails if the program forks before |
418 | | * we have enough entropy. Entropy should be collected in a separate |
419 | | * input pool and be transferred to the output pool only when the |
420 | | * entropy limit has been reached. |
421 | | */ |
422 | 0 | entropy -= num; |
423 | 0 | if (entropy < 0) |
424 | 0 | entropy = 0; |
425 | 0 | } |
426 | | |
427 | 30.3k | if (do_stir_pool) { |
428 | | /* |
429 | | * In the output function only half of 'md' remains secret, so we |
430 | | * better make sure that the required entropy gets 'evenly |
431 | | * distributed' through 'state', our randomness pool. The input |
432 | | * function (ssleay_rand_add) chains all of 'md', which makes it more |
433 | | * suitable for this purpose. |
434 | | */ |
435 | | |
436 | 18 | int n = STATE_SIZE; /* so that the complete pool gets accessed */ |
437 | 954 | while (n > 0) { |
438 | | #if MD_DIGEST_LENGTH > 20 |
439 | | # error "Please adjust DUMMY_SEED." |
440 | | #endif |
441 | 936 | #define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */ |
442 | | /* |
443 | | * Note that the seed does not matter, it's just that |
444 | | * ssleay_rand_add expects to have something to hash. |
445 | | */ |
446 | 936 | ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); |
447 | 936 | n -= MD_DIGEST_LENGTH; |
448 | 936 | } |
449 | 18 | if (ok) |
450 | 18 | stirred_pool = 1; |
451 | 18 | } |
452 | | |
453 | 30.3k | st_idx = state_index; |
454 | 30.3k | st_num = state_num; |
455 | 30.3k | md_c[0] = md_count[0]; |
456 | 30.3k | md_c[1] = md_count[1]; |
457 | 30.3k | memcpy(local_md, md, sizeof md); |
458 | | |
459 | 30.3k | state_index += num_ceil; |
460 | 30.3k | if (state_index > state_num) |
461 | 325 | state_index %= state_num; |
462 | | |
463 | | /* |
464 | | * state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] are now |
465 | | * ours (but other threads may use them too) |
466 | | */ |
467 | | |
468 | 30.3k | md_count[0] += 1; |
469 | | |
470 | | /* before unlocking, we must clear 'crypto_lock_rand' */ |
471 | 30.3k | crypto_lock_rand = 0; |
472 | 30.3k | if (lock) |
473 | 30.3k | CRYPTO_w_unlock(CRYPTO_LOCK_RAND); |
474 | | |
475 | 64.3k | while (num > 0) { |
476 | | /* num_ceil -= MD_DIGEST_LENGTH/2 */ |
477 | 34.0k | j = (num >= MD_DIGEST_LENGTH / 2) ? MD_DIGEST_LENGTH / 2 : num; |
478 | 34.0k | num -= j; |
479 | 34.0k | if (!MD_Init(&m)) |
480 | 0 | goto err; |
481 | 34.0k | #ifndef GETPID_IS_MEANINGLESS |
482 | 34.0k | if (curr_pid) { /* just in the first iteration to save time */ |
483 | 30.3k | if (!MD_Update(&m, (unsigned char *)&curr_pid, sizeof curr_pid)) |
484 | 0 | goto err; |
485 | 30.3k | curr_pid = 0; |
486 | 30.3k | } |
487 | 34.0k | #endif |
488 | 34.0k | if (!MD_Update(&m, local_md, MD_DIGEST_LENGTH) || |
489 | 34.0k | !MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c))) |
490 | 0 | goto err; |
491 | | |
492 | 34.0k | #ifndef PURIFY /* purify complains */ |
493 | | /* |
494 | | * The following line uses the supplied buffer as a small source of |
495 | | * entropy: since this buffer is often uninitialised it may cause |
496 | | * programs such as purify or valgrind to complain. So for those |
497 | | * builds it is not used: the removal of such a small source of |
498 | | * entropy has negligible impact on security. |
499 | | */ |
500 | 34.0k | if (!MD_Update(&m, buf, j)) |
501 | 0 | goto err; |
502 | 34.0k | #endif |
503 | | |
504 | 34.0k | k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num; |
505 | 34.0k | if (k > 0) { |
506 | 315 | if (!MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k) || |
507 | 315 | !MD_Update(&m, &(state[0]), k)) |
508 | 0 | goto err; |
509 | 33.7k | } else { |
510 | 33.7k | if (!MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2)) |
511 | 0 | goto err; |
512 | 33.7k | } |
513 | 34.0k | if (!MD_Final(&m, local_md)) |
514 | 0 | goto err; |
515 | | |
516 | 374k | for (i = 0; i < MD_DIGEST_LENGTH / 2; i++) { |
517 | | /* may compete with other threads */ |
518 | 340k | state[st_idx++] ^= local_md[i]; |
519 | 340k | if (st_idx >= st_num) |
520 | 356 | st_idx = 0; |
521 | 340k | if (i < j) |
522 | 165k | *(buf++) = local_md[i + MD_DIGEST_LENGTH / 2]; |
523 | 340k | } |
524 | 34.0k | } |
525 | | |
526 | 30.3k | if (!MD_Init(&m) || |
527 | 30.3k | !MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)) || |
528 | 30.3k | !MD_Update(&m, local_md, MD_DIGEST_LENGTH)) |
529 | 0 | goto err; |
530 | 30.3k | if (lock) |
531 | 30.3k | CRYPTO_w_lock(CRYPTO_LOCK_RAND); |
532 | 30.3k | if (!MD_Update(&m, md, MD_DIGEST_LENGTH) || |
533 | 30.3k | !MD_Final(&m, md)) { |
534 | 0 | if (lock) |
535 | 0 | CRYPTO_w_unlock(CRYPTO_LOCK_RAND); |
536 | 0 | goto err; |
537 | 0 | } |
538 | 30.3k | if (lock) |
539 | 30.3k | CRYPTO_w_unlock(CRYPTO_LOCK_RAND); |
540 | | |
541 | 30.3k | EVP_MD_CTX_cleanup(&m); |
542 | 30.3k | if (ok) |
543 | 30.3k | return (1); |
544 | 0 | else if (pseudo) |
545 | 0 | return 0; |
546 | 0 | else { |
547 | 0 | RANDerr(RAND_F_SSLEAY_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED); |
548 | 0 | ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " |
549 | 0 | "http://www.openssl.org/support/faq.html"); |
550 | 0 | return (0); |
551 | 0 | } |
552 | | |
553 | 0 | err: |
554 | 0 | EVP_MD_CTX_cleanup(&m); |
555 | 0 | return (0); |
556 | 30.3k | } |
557 | | |
558 | | static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num) |
559 | 30.3k | { |
560 | 30.3k | return ssleay_rand_bytes(buf, num, 0, 1); |
561 | 30.3k | } |
562 | | |
563 | | /* |
564 | | * pseudo-random bytes that are guaranteed to be unique but not unpredictable |
565 | | */ |
566 | | static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) |
567 | 0 | { |
568 | 0 | return ssleay_rand_bytes(buf, num, 1, 1); |
569 | 0 | } |
570 | | |
571 | | static int ssleay_rand_status(void) |
572 | 19.2k | { |
573 | 19.2k | CRYPTO_THREADID cur; |
574 | 19.2k | int ret; |
575 | 19.2k | int do_not_lock; |
576 | | |
577 | 19.2k | CRYPTO_THREADID_current(&cur); |
578 | | /* |
579 | | * check if we already have the lock (could happen if a RAND_poll() |
580 | | * implementation calls RAND_status()) |
581 | | */ |
582 | 19.2k | if (crypto_lock_rand) { |
583 | 0 | CRYPTO_r_lock(CRYPTO_LOCK_RAND2); |
584 | 0 | do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); |
585 | 0 | CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); |
586 | 0 | } else |
587 | 19.2k | do_not_lock = 0; |
588 | | |
589 | 19.2k | if (!do_not_lock) { |
590 | 19.2k | CRYPTO_w_lock(CRYPTO_LOCK_RAND); |
591 | | |
592 | | /* |
593 | | * prevent ssleay_rand_bytes() from trying to obtain the lock again |
594 | | */ |
595 | 19.2k | CRYPTO_w_lock(CRYPTO_LOCK_RAND2); |
596 | 19.2k | CRYPTO_THREADID_cpy(&locking_threadid, &cur); |
597 | 19.2k | CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); |
598 | 19.2k | crypto_lock_rand = 1; |
599 | 19.2k | } |
600 | | |
601 | 19.2k | if (!initialized) { |
602 | 18 | RAND_poll(); |
603 | 18 | initialized = 1; |
604 | 18 | } |
605 | | |
606 | 19.2k | ret = entropy >= ENTROPY_NEEDED; |
607 | | |
608 | 19.2k | if (!do_not_lock) { |
609 | | /* before unlocking, we must clear 'crypto_lock_rand' */ |
610 | 19.2k | crypto_lock_rand = 0; |
611 | | |
612 | 19.2k | CRYPTO_w_unlock(CRYPTO_LOCK_RAND); |
613 | 19.2k | } |
614 | | |
615 | 19.2k | return ret; |
616 | 19.2k | } |