[openssl-commits] [openssl] master update
Kurt Roeckx
kurt at openssl.org
Wed Feb 28 20:21:31 UTC 2018
The branch master has been updated
via d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b (commit)
from b3f9064cc66324d2359dba5350c71540ce869ceb (commit)
- Log -----------------------------------------------------------------
commit d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Nov 5 14:37:15 2017 +0100
Tell the ciphers which DRBG to use for generating random bytes.
Reviewed-by: Richard Levitte <levitte at openssl.org>
GH: #4672
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/e_aes.c | 22 +++++++++++++++++-----
crypto/evp/e_aes_cbc_hmac_sha1.c | 15 ++++++++++++---
crypto/evp/e_aes_cbc_hmac_sha256.c | 15 ++++++++++++---
crypto/evp/e_aria.c | 12 +++++++++---
crypto/evp/e_des.c | 8 +++++++-
crypto/evp/e_des3.c | 13 +++++++++++--
crypto/evp/evp_enc.c | 16 +++++++++++++++-
crypto/evp/evp_locl.h | 1 +
crypto/evp/p_seal.c | 13 ++++++++++---
doc/man3/EVP_EncryptInit.pod | 14 ++++++++++++++
include/openssl/evp.h | 2 ++
ssl/s3_enc.c | 1 +
ssl/statem/statem_srvr.c | 1 +
ssl/t1_enc.c | 1 +
ssl/tls13_enc.c | 1 +
15 files changed, 114 insertions(+), 21 deletions(-)
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 1d5007a..bed9b27 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -17,6 +17,7 @@
#include "internal/evp_int.h"
#include "modes_lcl.h"
#include <openssl/rand.h>
+#include <internal/rand.h>
#include "evp_locl.h"
typedef struct {
@@ -1404,8 +1405,14 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
memcpy(gctx->iv, ptr, arg);
enc = EVP_CIPHER_CTX_encrypting(c);
- if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
- return 0;
+ if (enc) {
+ if (c->drbg != NULL) {
+ if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0)
+ return 0;
+ } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+ return 0;
+ }
+ }
gctx->iv_gen = 1;
return 1;
@@ -2632,9 +2639,14 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
return 0;
if (arg)
memcpy(gctx->iv, ptr, arg);
- if (EVP_CIPHER_CTX_encrypting(c)
- && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
- return 0;
+ if (EVP_CIPHER_CTX_encrypting(c)) {
+ if (c->drbg != NULL) {
+ if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0)
+ return 0;
+ } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+ return 0;
+ }
+ }
gctx->iv_gen = 1;
return 1;
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
index 09d24dc..053189e 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -17,9 +17,11 @@
#include <openssl/aes.h>
#include <openssl/sha.h>
#include <openssl/rand.h>
+#include <internal/rand.h>
#include "modes_lcl.h"
#include "internal/evp_int.h"
#include "internal/constant_time_locl.h"
+#include "evp_locl.h"
typedef struct {
AES_KEY ks;
@@ -154,7 +156,8 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int);
static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
unsigned char *out,
const unsigned char *inp,
- size_t inp_len, int n4x)
+ size_t inp_len, int n4x,
+ RAND_DRBG *drbg)
{ /* n4x is 1 or 2 */
HASH_DESC hash_d[8], edges[8];
CIPH_DESC ciph_d[8];
@@ -174,8 +177,13 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
# endif
/* ask for IVs in bulk */
- if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
+ IVs = blocks[0].c;
+ if (drbg != NULL) {
+ if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0)
+ return 0;
+ } else if (RAND_bytes(IVs, 16 * x4) <= 0) {
return 0;
+ }
ctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */
@@ -893,7 +901,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
return (int)tls1_1_multi_block_encrypt(key, param->out,
param->inp, param->len,
- param->interleave / 4);
+ param->interleave / 4,
+ ctx->drbg);
}
case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
# endif
diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
index caac0c9..215e02f 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -18,9 +18,11 @@
#include <openssl/aes.h>
#include <openssl/sha.h>
#include <openssl/rand.h>
+#include <internal/rand.h>
#include "modes_lcl.h"
#include "internal/constant_time_locl.h"
#include "internal/evp_int.h"
+#include "evp_locl.h"
typedef struct {
AES_KEY ks;
@@ -150,7 +152,8 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int);
static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
unsigned char *out,
const unsigned char *inp,
- size_t inp_len, int n4x)
+ size_t inp_len, int n4x,
+ RAND_DRBG *drbg)
{ /* n4x is 1 or 2 */
HASH_DESC hash_d[8], edges[8];
CIPH_DESC ciph_d[8];
@@ -170,8 +173,13 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
# endif
/* ask for IVs in bulk */
- if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
+ IVs = blocks[0].c;
+ if (drbg != NULL) {
+ if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0)
+ return 0;
+ } else if (RAND_bytes(IVs, 16 * x4) <= 0) {
return 0;
+ }
/* align */
ctx = (SHA256_MB_CTX *) (storage + 32 - ((size_t)storage % 32));
@@ -877,7 +885,8 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
return (int)tls1_1_multi_block_encrypt(key, param->out,
param->inp, param->len,
- param->interleave / 4);
+ param->interleave / 4,
+ ctx->drbg);
}
case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
# endif
diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c
index 00e008a..10525a8 100644
--- a/crypto/evp/e_aria.c
+++ b/crypto/evp/e_aria.c
@@ -15,6 +15,7 @@
# include <openssl/rand.h>
# include "internal/aria.h"
# include "internal/evp_int.h"
+# include "internal/rand.h"
# include "modes_lcl.h"
# include "evp_locl.h"
@@ -301,9 +302,14 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
return 0;
if (arg)
memcpy(gctx->iv, ptr, arg);
- if (EVP_CIPHER_CTX_encrypting(c)
- && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
- return 0;
+ if (EVP_CIPHER_CTX_encrypting(c)) {
+ if (c->drbg != NULL) {
+ if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0)
+ return 0;
+ } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+ return 0;
+ }
+ }
gctx->iv_gen = 1;
return 1;
diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c
index 9b2facf..d8c4afa 100644
--- a/crypto/evp/e_des.c
+++ b/crypto/evp/e_des.c
@@ -15,6 +15,8 @@
# include "internal/evp_int.h"
# include <openssl/des.h>
# include <openssl/rand.h>
+# include <internal/rand.h>
+# include "evp_locl.h"
typedef struct {
union {
@@ -229,8 +231,12 @@ static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
switch (type) {
case EVP_CTRL_RAND_KEY:
- if (RAND_bytes(ptr, 8) <= 0)
+ if (c->drbg != NULL) {
+ if (RAND_DRBG_bytes(c->drbg, ptr, 8) == 0)
+ return 0;
+ } else if (RAND_bytes(ptr, 8) <= 0) {
return 0;
+ }
DES_set_odd_parity((DES_cblock *)ptr);
return 1;
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index da77936..75e6ecf 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -15,6 +15,7 @@
# include "internal/evp_int.h"
# include <openssl/des.h>
# include <openssl/rand.h>
+# include <internal/rand.h>
# include "evp_locl.h"
typedef struct {
@@ -283,8 +284,12 @@ static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
switch (type) {
case EVP_CTRL_RAND_KEY:
- if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0)
+ if (ctx->drbg != NULL) {
+ if (RAND_DRBG_bytes(ctx->drbg, ptr, EVP_CIPHER_CTX_key_length(ctx)) == 0)
+ return 0;
+ } else if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
return 0;
+ }
DES_set_odd_parity(deskey);
if (EVP_CIPHER_CTX_key_length(ctx) >= 16)
DES_set_odd_parity(deskey + 1);
@@ -372,8 +377,12 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
memcpy(out + inl + 8, sha1tmp, 8);
OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
/* Generate random IV */
- if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0)
+ if (ctx->drbg != NULL) {
+ if (RAND_DRBG_bytes(ctx->drbg, EVP_CIPHER_CTX_iv_noconst(ctx), 8) == 0)
+ return -1;
+ } else if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) {
return -1;
+ }
memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), 8);
/* Encrypt everything after IV in place */
des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 2c4a2db..3176c61 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -15,6 +15,7 @@
#include <openssl/rand.h>
#include <openssl/engine.h>
#include "internal/evp_int.h"
+#include "internal/rand.h"
#include "evp_locl.h"
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
@@ -577,6 +578,15 @@ int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
{
int ret;
+
+ if (type == EVP_CTRL_GET_DRBG) {
+ *(RAND_DRBG **)ptr = ctx->drbg;
+ return 1;
+ }
+ if (type == EVP_CTRL_SET_DRBG) {
+ ctx->drbg = ptr;
+ return 1;
+ }
if (!ctx->cipher) {
EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
return 0;
@@ -600,8 +610,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
{
if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
- if (RAND_bytes(key, ctx->key_len) <= 0)
+ if (ctx->drbg) {
+ if (RAND_DRBG_bytes(ctx->drbg, key, ctx->key_len) == 0)
+ return 0;
+ } else if (RAND_bytes(key, ctx->key_len) <= 0) {
return 0;
+ }
return 1;
}
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 209577b..82b9433 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -39,6 +39,7 @@ struct evp_cipher_ctx_st {
int final_used;
int block_mask;
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
+ RAND_DRBG *drbg;
} /* EVP_CIPHER_CTX */ ;
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index 50ea602..3b79dab 100644
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -14,6 +14,8 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include <internal/rand.h>
+#include "evp_locl.h"
int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
unsigned char **ek, int *ekl, unsigned char *iv,
@@ -31,9 +33,14 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
return 1;
if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
return 0;
- if (EVP_CIPHER_CTX_iv_length(ctx)
- && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
- return 0;
+ if (EVP_CIPHER_CTX_iv_length(ctx)) {
+ if (ctx->drbg) {
+ if (RAND_DRBG_bytes(ctx->drbg, iv, EVP_CIPHER_CTX_iv_length(ctx)) == 0)
+ return 0;
+ } else if (RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) {
+ return 0;
+ }
+ }
if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
return 0;
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 619a94e..3022c7a 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -457,6 +457,20 @@ This call is only valid when decrypting data.
=back
+=head1 Random numbers
+
+The following can be used to select the DRBG that is used to generate the random
+numbers:
+
+EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, drbg)
+
+The following can be used to get the DRBG:
+
+EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_DRBG, 0, &drbg)
+
+By default it's set to NULL which results in RAND_bytes() being used.
+
+
=head1 NOTES
Where possible the B<EVP> interface to symmetric ciphers should be used in
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 268e90f..e135de6 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -344,6 +344,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
# define EVP_CTRL_SET_PIPELINE_INPUT_BUFS 0x23
/* Set the input buffer lengths to use for a pipelined operation */
# define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24
+# define EVP_CTRL_GET_DRBG 0x25
+# define EVP_CTRL_SET_DRBG 0x26
/* Padding modes */
#define EVP_PADDING_PKCS7 1
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 4c63d4a..f775f26 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -167,6 +167,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
*/
EVP_CIPHER_CTX_reset(s->enc_write_ctx);
}
+ EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
dd = s->enc_write_ctx;
if (ssl_replace_hash(&s->write_hash, m) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d335819..8092684 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
p = senc;
if (!i2d_SSL_SESSION(s->session, &p)) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 465d483..774625a 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -170,6 +170,7 @@ int tls1_change_cipher_state(SSL *s, int which)
ERR_R_MALLOC_FAILURE);
goto err;
}
+ EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
dd = s->enc_write_ctx;
if (SSL_IS_DTLS(s)) {
mac_ctx = EVP_MD_CTX_new();
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 6332804..5982c8e 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -406,6 +406,7 @@ int tls13_change_cipher_state(SSL *s, int which)
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
goto err;
}
+ EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
}
ciph_ctx = s->enc_write_ctx;
iv = s->write_iv;
More information about the openssl-commits
mailing list