[openssl/openssl] bb9615: rand: improve error message for rand pool overflows

Matthias St. Pierre noreply at github.com
Tue Oct 24 10:29:40 UTC 2023 

  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: bb9615930882fd9b6677c27a01446f38e417ddcd
      https://github.com/openssl/openssl/commit/bb9615930882fd9b6677c27a01446f38e417ddcd
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2023-10-24 (Tue, 24 Oct 2023)

  Changed paths:
    M crypto/rand/rand_pool.c

  Log Message:
  -----------
  rand: improve error message for rand pool overflows

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)

(cherry picked from commit 0a8faac3c7cc2e88f46a8bdce5bd039dc22abdec)


  Commit: 380ae1b3ac7052f873099dcccd9c378f64e11fc1
      https://github.com/openssl/openssl/commit/380ae1b3ac7052f873099dcccd9c378f64e11fc1
  Author: Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
  Date:   2023-10-24 (Tue, 24 Oct 2023)

  Changed paths:
    M crypto/evp/evp_rand.c
    M crypto/rand/prov_seed.c
    M include/crypto/evp.h
    M providers/implementations/rands/seed_src.c

  Log Message:
  -----------
  rand: fix seeding from a weak entropy source

The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.

Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.

The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.

Fixes #22332

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)

(cherry picked from commit 7998e7dc07d8f1f516af32887f2490c03cd8c594)


Compare: https://github.com/openssl/openssl/compare/f0b1591b3764...380ae1b3ac70

More information about the openssl-commits mailing list