[openssl] master update
matthias.st.pierre at ncp-e.com
matthias.st.pierre at ncp-e.com
Tue Feb 25 10:30:54 UTC 2020
The branch master has been updated
via e70452155e7d93118d33f4dde964a67d4ac1b505 (commit)
via 75ff4f7404fe53304ad28279923760b61d6c2ace (commit)
from 19ded1a717b6c72c3db241f06787a353f1190755 (commit)
- Log -----------------------------------------------------------------
commit e70452155e7d93118d33f4dde964a67d4ac1b505
Author: Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Date: Mon Feb 17 19:39:05 2020 +0100
Check that the DRBG's internal state has been zeroized after uninstantiation
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11111)
commit 75ff4f7404fe53304ad28279923760b61d6c2ace
Author: Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Date: Mon Feb 17 19:25:55 2020 +0100
DRBG: delay initialization of DRBG method until instantiation
Previously, the initialization was done immediately in RAND_DRBG_set(),
which is also called in RAND_DRBG_uninstantiate().
This made it difficult for the FIPS DRBG self test to verify that the
internal state had been zeroized, because it had the side effect that
the drbg->data structure was reinitialized immediately.
To solve the problem, RAND_DRBG_set() has been split in two parts
static int rand_drbg_set(RAND_DRBG *drbg, int type, unsigned int flags);
static int rand_drbg_init_method(RAND_DRBG *drbg);
and only the first part is called from RAND_DRBG_uninstantiate().
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11111)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/openssl.txt | 3 +-
crypto/rand/drbg_lib.c | 75 ++++++++++++++++++++++++-----------------
crypto/rand/rand_err.c | 2 +-
include/openssl/randerr.h | 2 +-
providers/fips/self_test_kats.c | 18 +++-------
5 files changed, 54 insertions(+), 46 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 47a20e828f..04775f55ac 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1132,6 +1132,7 @@ RAND_F_RAND_DRBG_ENABLE_LOCKING:119:rand_drbg_enable_locking
RAND_F_RAND_DRBG_GENERATE:107:RAND_DRBG_generate
RAND_F_RAND_DRBG_GET_ENTROPY:120:rand_drbg_get_entropy
RAND_F_RAND_DRBG_GET_NONCE:123:rand_drbg_get_nonce
+RAND_F_RAND_DRBG_INIT_METHOD:130:
RAND_F_RAND_DRBG_INSTANTIATE:108:RAND_DRBG_instantiate
RAND_F_RAND_DRBG_NEW:109:RAND_DRBG_new
RAND_F_RAND_DRBG_RESEED:110:RAND_DRBG_reseed
@@ -3388,8 +3389,8 @@ X509_R_BAD_SELECTOR:133:bad selector
X509_R_BAD_X509_FILETYPE:100:bad x509 filetype
X509_R_BASE64_DECODE_ERROR:118:base64 decode error
X509_R_CANT_CHECK_DH_KEY:114:cant check dh key
-X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table
X509_R_CERTIFICATE_VERIFICATION_FAILED:139:certificate verification failed
+X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table
X509_R_CRL_ALREADY_DELTA:127:crl already delta
X509_R_CRL_VERIFY_FAILURE:131:crl verify failure
X509_R_IDP_MISMATCH:128:idp mismatch
diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
index 029cc6e77c..0334dee99d 100644
--- a/crypto/rand/drbg_lib.c
+++ b/crypto/rand/drbg_lib.c
@@ -115,6 +115,9 @@ static RAND_DRBG *rand_drbg_new(OPENSSL_CTX *ctx,
unsigned int flags,
RAND_DRBG *parent);
+static int rand_drbg_set(RAND_DRBG *drbg, int type, unsigned int flags);
+static int rand_drbg_init_method(RAND_DRBG *drbg);
+
static int is_ctr(int type)
{
switch (type) {
@@ -341,8 +344,11 @@ void *RAND_DRBG_get_callback_data(RAND_DRBG *drbg)
*/
int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
{
- int ret = 1;
+ return rand_drbg_set(drbg, type, flags) && rand_drbg_init_method(drbg);
+}
+static int rand_drbg_set(RAND_DRBG *drbg, int type, unsigned int flags)
+{
if (type == 0 && flags == 0) {
type = rand_drbg_type[RAND_DRBG_TYPE_MASTER];
flags = rand_drbg_flags[RAND_DRBG_TYPE_MASTER];
@@ -350,7 +356,8 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
/* If set is called multiple times - clear the old one */
if (drbg->type != 0 && (type != drbg->type || flags != drbg->flags)) {
- drbg->meth->uninstantiate(drbg);
+ if (drbg->meth != NULL)
+ drbg->meth->uninstantiate(drbg);
rand_pool_free(drbg->adin_pool);
drbg->adin_pool = NULL;
}
@@ -358,29 +365,43 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
drbg->state = DRBG_UNINITIALISED;
drbg->flags = flags;
drbg->type = type;
+ drbg->meth = NULL;
- if (type == 0) {
- /* Uninitialized; that's okay. */
- drbg->meth = NULL;
+ if (type == 0 || is_ctr(type) || is_digest(type))
return 1;
- } else if (is_ctr(type)) {
+
+ drbg->type = 0;
+ drbg->flags = 0;
+ RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
+
+ return 0;
+}
+
+static int rand_drbg_init_method(RAND_DRBG *drbg)
+{
+ int ret;
+
+ if (drbg->meth != NULL)
+ return 1;
+
+ if (is_ctr(drbg->type)) {
ret = drbg_ctr_init(drbg);
- } else if (is_digest(type)) {
- if (flags & RAND_DRBG_FLAG_HMAC)
+ } else if (is_digest(drbg->type)) {
+ if (drbg->flags & RAND_DRBG_FLAG_HMAC)
ret = drbg_hmac_init(drbg);
else
ret = drbg_hash_init(drbg);
} else {
+ /* other cases should already be excluded */
+ RANDerr(RAND_F_RAND_DRBG_INIT_METHOD, ERR_R_INTERNAL_ERROR);
drbg->type = 0;
drbg->flags = 0;
- drbg->meth = NULL;
- RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
return 0;
}
if (ret == 0) {
drbg->state = DRBG_ERROR;
- RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
+ RANDerr(RAND_F_RAND_DRBG_INIT_METHOD, RAND_R_ERROR_INITIALISING_DRBG);
}
return ret;
}
@@ -554,19 +575,21 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
{
unsigned char *nonce = NULL, *entropy = NULL;
size_t noncelen = 0, entropylen = 0;
- size_t min_entropy = drbg->strength;
- size_t min_entropylen = drbg->min_entropylen;
- size_t max_entropylen = drbg->max_entropylen;
+ size_t min_entropy, min_entropylen, max_entropylen;
- if (perslen > drbg->max_perslen) {
+ if (drbg->meth == NULL && !rand_drbg_init_method(drbg)) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
- RAND_R_PERSONALISATION_STRING_TOO_LONG);
+ RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
goto end;
}
- if (drbg->meth == NULL) {
+ min_entropy = drbg->strength;
+ min_entropylen = drbg->min_entropylen;
+ max_entropylen = drbg->max_entropylen;
+
+ if (perslen > drbg->max_perslen) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
- RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
+ RAND_R_PERSONALISATION_STRING_TOO_LONG);
goto end;
}
@@ -648,19 +671,11 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
{
int index = -1, type, flags;
- if (drbg->meth == NULL) {
- drbg->state = DRBG_ERROR;
- RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
- RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
- return 0;
+ if (drbg->meth != NULL) {
+ drbg->meth->uninstantiate(drbg);
+ drbg->meth = NULL;
}
- /* Clear the entire drbg->ctr struct, then reset some important
- * members of the drbg->ctr struct (e.g. keysize, df_ks) to their
- * initial values.
- */
- drbg->meth->uninstantiate(drbg);
-
/* The reset uses the default values for type and flags */
if (drbg->flags & RAND_DRBG_FLAG_MASTER)
index = RAND_DRBG_TYPE_MASTER;
@@ -676,7 +691,7 @@ int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
flags = drbg->flags;
type = drbg->type;
}
- return RAND_DRBG_set(drbg, type, flags);
+ return rand_drbg_set(drbg, type, flags);
}
/*
diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c
index 53d329380a..73b488fb90 100644
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h
index 68992d771d..780d2680a5 100644
--- a/include/openssl/randerr.h
+++ b/include/openssl/randerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 128e2aa118..06f12a1ead 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -234,6 +234,7 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
OSSL_PARAM drbg_params[3] = {
OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
};
+ static const unsigned char zero[sizeof(drbg->data)] = { 0 };
SELF_TEST_EVENT_onbegin(event, OSSL_SELF_TEST_TYPE_DRBG, t->desc);
@@ -287,20 +288,11 @@ static int self_test_drbg(const ST_KAT_DRBG *t, OSSL_ST_EVENT *event,
if (!RAND_DRBG_uninstantiate(drbg))
goto err;
/*
- * TODO(3.0) : Check that the DRBG data has been zeroed after
- * RAND_DRBG_uninstantiate. Its a bit hard currently to do this when
- * the drbg->data is reinitialized by this call..
+ * Check that the DRBG data has been zeroized after RAND_DRBG_uninstantiate.
*/
-#if 0
- {
- size_t i, sz = sizeof(drbg->data);
- unsigned char *p = (unsigned char *)&drbg->data;
-
- for (i = 0; i < sz; ++i)
- if (*p++ != 0)
- goto err;
- }
-#endif
+ if (memcmp((unsigned char *)&drbg->data, zero, sizeof(drbg->data)) != 0)
+ goto err;
+
ret = 1;
err:
RAND_DRBG_free(drbg);
More information about the openssl-commits
mailing list