diff options
| author | tpashkin <tpashkin@yandex-team.ru> | 2022-02-10 16:46:42 +0300 |
|---|---|---|
| committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:46:42 +0300 |
| commit | 656921707c02b816d730f31c1fdc1d615adbfe00 (patch) | |
| tree | 49e222ea1c5804306084bb3ae065bb702625360f /contrib/libs/openssl/crypto/rand | |
| parent | 5475379a04e37df30085bd1724f1c57e3f40996f (diff) | |
| download | ydb-656921707c02b816d730f31c1fdc1d615adbfe00.tar.gz | |
Restoring authorship annotation for <tpashkin@yandex-team.ru>. Commit 2 of 2.
Diffstat (limited to 'contrib/libs/openssl/crypto/rand')
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/drbg_ctr.c | 26 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/drbg_lib.c | 10 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/rand_err.c | 8 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/rand_lib.c | 32 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/rand_local.h | 588 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/rand_unix.c | 110 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/rand_vms.c | 200 | ||||
| -rw-r--r-- | contrib/libs/openssl/crypto/rand/rand_win.c | 6 |
8 files changed, 490 insertions, 490 deletions
diff --git a/contrib/libs/openssl/crypto/rand/drbg_ctr.c b/contrib/libs/openssl/crypto/rand/drbg_ctr.c index cadd402a91..c8b3bd79bb 100644 --- a/contrib/libs/openssl/crypto/rand/drbg_ctr.c +++ b/contrib/libs/openssl/crypto/rand/drbg_ctr.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,26 +12,26 @@ #include <openssl/crypto.h> #include <openssl/err.h> #include <openssl/rand.h> -#include "modes_local.h" +#include "modes_local.h" #include "internal/thread_once.h" -#include "rand_local.h" +#include "rand_local.h" #include "sanitizers.h" - + /* * Implementation of NIST SP 800-90A CTR DRBG. */ static void inc_128(RAND_DRBG_CTR *ctr) { - unsigned char *p = &ctr->V[0]; - u32 n = 16, c = 1; - - do { - --n; - c += p[n]; - p[n] = (u8)c; - c >>= 8; - } while (n); + unsigned char *p = &ctr->V[0]; + u32 n = 16, c = 1; + + do { + --n; + c += p[n]; + p[n] = (u8)c; + c >>= 8; + } while (n); } static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen) diff --git a/contrib/libs/openssl/crypto/rand/drbg_lib.c b/contrib/libs/openssl/crypto/rand/drbg_lib.c index 68bb1d12dd..8c7c28c970 100644 --- a/contrib/libs/openssl/crypto/rand/drbg_lib.c +++ b/contrib/libs/openssl/crypto/rand/drbg_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,10 +11,10 @@ #include <openssl/crypto.h> #include <openssl/err.h> #include <openssl/rand.h> -#include "rand_local.h" +#include "rand_local.h" #include "internal/thread_once.h" -#include "crypto/rand.h" -#include "crypto/cryptlib.h" +#include "crypto/rand.h" +#include "crypto/cryptlib.h" /* * Support framework for NIST SP 800-90A DRBG @@ -1040,7 +1040,7 @@ static int drbg_add(const void *buf, int num, double randomness) return ret; #else /* - * If an os entropy source is available then we declare the buffer content + * If an os entropy source is available then we declare the buffer content * as additional data by setting randomness to zero and trigger a regular * reseeding. */ diff --git a/contrib/libs/openssl/crypto/rand/rand_err.c b/contrib/libs/openssl/crypto/rand/rand_err.c index 9ca23cfff5..a3ae5f53c2 100644 --- a/contrib/libs/openssl/crypto/rand/rand_err.c +++ b/contrib/libs/openssl/crypto/rand/rand_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,8 +14,8 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA RAND_str_functs[] = { - {ERR_PACK(ERR_LIB_RAND, RAND_F_DATA_COLLECT_METHOD, 0), - "data_collect_method"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_DATA_COLLECT_METHOD, 0), + "data_collect_method"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_BYTES, 0), "drbg_bytes"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_GET_ENTROPY, 0), "drbg_get_entropy"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_DRBG_SETUP, 0), "drbg_setup"}, @@ -51,7 +51,7 @@ static const ERR_STRING_DATA RAND_str_functs[] = { "rand_pool_bytes_needed"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_GROW, 0), "rand_pool_grow"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_NEW, 0), "rand_pool_new"}, - {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_PSEUDO_BYTES, 0), "RAND_pseudo_bytes"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_PSEUDO_BYTES, 0), "RAND_pseudo_bytes"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"}, {0, NULL} }; diff --git a/contrib/libs/openssl/crypto/rand/rand_lib.c b/contrib/libs/openssl/crypto/rand/rand_lib.c index 8a8a672774..5c72fad8ca 100644 --- a/contrib/libs/openssl/crypto/rand/rand_lib.c +++ b/contrib/libs/openssl/crypto/rand/rand_lib.c @@ -11,10 +11,10 @@ #include <time.h> #include "internal/cryptlib.h" #include <openssl/opensslconf.h> -#include "crypto/rand.h" +#include "crypto/rand.h" #include <openssl/engine.h> #include "internal/thread_once.h" -#include "rand_local.h" +#include "rand_local.h" #include "e_os.h" #ifndef OPENSSL_NO_ENGINE @@ -384,9 +384,9 @@ int RAND_poll(void) const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth == NULL) - return 0; - + if (meth == NULL) + return 0; + if (meth == RAND_OpenSSL()) { /* fill random pool and seed the master DRBG */ RAND_DRBG *drbg = RAND_DRBG_get0_master(); @@ -770,7 +770,7 @@ int rand_pool_add(RAND_POOL *pool, * is returned without producing an error message. * * After updating the buffer, rand_pool_add_end() needs to be called - * to finish the update operation (see next comment). + * to finish the update operation (see next comment). */ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) { @@ -901,7 +901,7 @@ void RAND_seed(const void *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->seed != NULL) + if (meth != NULL && meth->seed != NULL) meth->seed(buf, num); } @@ -909,7 +909,7 @@ void RAND_add(const void *buf, int num, double randomness) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->add != NULL) + if (meth != NULL && meth->add != NULL) meth->add(buf, num, randomness); } @@ -923,21 +923,21 @@ int RAND_priv_bytes(unsigned char *buf, int num) const RAND_METHOD *meth = RAND_get_rand_method(); RAND_DRBG *drbg; - if (meth != NULL && meth != RAND_OpenSSL()) + if (meth != NULL && meth != RAND_OpenSSL()) return RAND_bytes(buf, num); drbg = RAND_DRBG_get0_private(); - if (drbg != NULL) - return RAND_DRBG_bytes(drbg, buf, num); + if (drbg != NULL) + return RAND_DRBG_bytes(drbg, buf, num); - return 0; + return 0; } int RAND_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->bytes != NULL) + if (meth != NULL && meth->bytes != NULL) return meth->bytes(buf, num); RANDerr(RAND_F_RAND_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); return -1; @@ -948,9 +948,9 @@ int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->pseudorand != NULL) + if (meth != NULL && meth->pseudorand != NULL) return meth->pseudorand(buf, num); - RANDerr(RAND_F_RAND_PSEUDO_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); + RANDerr(RAND_F_RAND_PSEUDO_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); return -1; } #endif @@ -959,7 +959,7 @@ int RAND_status(void) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != NULL && meth->status != NULL) + if (meth != NULL && meth->status != NULL) return meth->status(); return 0; } diff --git a/contrib/libs/openssl/crypto/rand/rand_local.h b/contrib/libs/openssl/crypto/rand/rand_local.h index a71f1cc9a9..a5de5252dc 100644 --- a/contrib/libs/openssl/crypto/rand/rand_local.h +++ b/contrib/libs/openssl/crypto/rand/rand_local.h @@ -1,306 +1,306 @@ -/* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#ifndef OSSL_CRYPTO_RAND_LOCAL_H -# define OSSL_CRYPTO_RAND_LOCAL_H - -# include <openssl/aes.h> -# include <openssl/evp.h> -# include <openssl/sha.h> -# include <openssl/hmac.h> -# include <openssl/ec.h> -# include <openssl/rand_drbg.h> -# include "internal/tsan_assist.h" - -# include "internal/numbers.h" - -/* How many times to read the TSC as a randomness source. */ -# define TSC_READ_COUNT 4 - -/* Maximum reseed intervals */ -# define MAX_RESEED_INTERVAL (1 << 24) -# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ - -/* Default reseed intervals */ -# define MASTER_RESEED_INTERVAL (1 << 8) -# define SLAVE_RESEED_INTERVAL (1 << 16) -# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ -# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ - - - -/* - * Maximum input size for the DRBG (entropy, nonce, personalization string) - * - * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. - * - * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. - */ -# define DRBG_MAX_LENGTH INT32_MAX - - -/* - * Maximum allocation size for RANDOM_POOL buffers - * - * The max_len value for the buffer provided to the rand_drbg_get_entropy() - * callback is currently 2^31 bytes (2 gigabytes), if a derivation function - * is used. Since this is much too large to be allocated, the rand_pool_new() - * function chooses more modest values as default pool length, bounded - * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH - * - * The choice of the RAND_POOL_FACTOR is large enough such that the - * RAND_POOL can store a random input which has a lousy entropy rate of - * 8/256 (= 0.03125) bits per byte. This input will be sent through the - * derivation function which 'compresses' the low quality input into a - * high quality output. - * - * The factor 1.5 below is the pessimistic estimate for the extra amount - * of entropy required when no get_nonce() callback is defined. - */ -# define RAND_POOL_FACTOR 256 -# define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \ - 3 * (RAND_DRBG_STRENGTH / 16)) -/* - * = (RAND_POOL_FACTOR * \ - * 1.5 * (RAND_DRBG_STRENGTH / 8)) - */ - -/* - * Initial allocation minimum. - * - * There is a distinction between the secure and normal allocation minimums. - * Ideally, the secure allocation size should be a power of two. The normal - * allocation size doesn't have any such restriction. - * - * The secure value is based on 128 bits of secure material, which is 16 bytes. - * Typically, the DRBGs will set a minimum larger than this so optimal - * allocation ought to take place (for full quality seed material). - * - * The normal value has been chosen by noticing that the rand_drbg_get_nonce - * function is usually the largest of the built in allocation (twenty four - * bytes and then appending another sixteen bytes). This means the buffer ends - * with 40 bytes. The value of forty eight is comfortably above this which - * allows some slack in the platform specific values used. - */ -# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48) - -/* DRBG status values */ -typedef enum drbg_status_e { - DRBG_UNINITIALISED, - DRBG_READY, - DRBG_ERROR -} DRBG_STATUS; - - -/* instantiate */ -typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx, - const unsigned char *ent, - size_t entlen, - const unsigned char *nonce, - size_t noncelen, - const unsigned char *pers, - size_t perslen); -/* reseed */ -typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx, - const unsigned char *ent, - size_t entlen, - const unsigned char *adin, - size_t adinlen); -/* generate output */ -typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx, - unsigned char *out, - size_t outlen, - const unsigned char *adin, - size_t adinlen); -/* uninstantiate */ -typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx); - - -/* - * The DRBG methods - */ - -typedef struct rand_drbg_method_st { - RAND_DRBG_instantiate_fn instantiate; - RAND_DRBG_reseed_fn reseed; - RAND_DRBG_generate_fn generate; - RAND_DRBG_uninstantiate_fn uninstantiate; -} RAND_DRBG_METHOD; - - -/* - * The state of a DRBG AES-CTR. - */ -typedef struct rand_drbg_ctr_st { +/* + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_CRYPTO_RAND_LOCAL_H +# define OSSL_CRYPTO_RAND_LOCAL_H + +# include <openssl/aes.h> +# include <openssl/evp.h> +# include <openssl/sha.h> +# include <openssl/hmac.h> +# include <openssl/ec.h> +# include <openssl/rand_drbg.h> +# include "internal/tsan_assist.h" + +# include "internal/numbers.h" + +/* How many times to read the TSC as a randomness source. */ +# define TSC_READ_COUNT 4 + +/* Maximum reseed intervals */ +# define MAX_RESEED_INTERVAL (1 << 24) +# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ + +/* Default reseed intervals */ +# define MASTER_RESEED_INTERVAL (1 << 8) +# define SLAVE_RESEED_INTERVAL (1 << 16) +# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ +# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ + + + +/* + * Maximum input size for the DRBG (entropy, nonce, personalization string) + * + * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. + * + * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. + */ +# define DRBG_MAX_LENGTH INT32_MAX + + +/* + * Maximum allocation size for RANDOM_POOL buffers + * + * The max_len value for the buffer provided to the rand_drbg_get_entropy() + * callback is currently 2^31 bytes (2 gigabytes), if a derivation function + * is used. Since this is much too large to be allocated, the rand_pool_new() + * function chooses more modest values as default pool length, bounded + * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH + * + * The choice of the RAND_POOL_FACTOR is large enough such that the + * RAND_POOL can store a random input which has a lousy entropy rate of + * 8/256 (= 0.03125) bits per byte. This input will be sent through the + * derivation function which 'compresses' the low quality input into a + * high quality output. + * + * The factor 1.5 below is the pessimistic estimate for the extra amount + * of entropy required when no get_nonce() callback is defined. + */ +# define RAND_POOL_FACTOR 256 +# define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \ + 3 * (RAND_DRBG_STRENGTH / 16)) +/* + * = (RAND_POOL_FACTOR * \ + * 1.5 * (RAND_DRBG_STRENGTH / 8)) + */ + +/* + * Initial allocation minimum. + * + * There is a distinction between the secure and normal allocation minimums. + * Ideally, the secure allocation size should be a power of two. The normal + * allocation size doesn't have any such restriction. + * + * The secure value is based on 128 bits of secure material, which is 16 bytes. + * Typically, the DRBGs will set a minimum larger than this so optimal + * allocation ought to take place (for full quality seed material). + * + * The normal value has been chosen by noticing that the rand_drbg_get_nonce + * function is usually the largest of the built in allocation (twenty four + * bytes and then appending another sixteen bytes). This means the buffer ends + * with 40 bytes. The value of forty eight is comfortably above this which + * allows some slack in the platform specific values used. + */ +# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48) + +/* DRBG status values */ +typedef enum drbg_status_e { + DRBG_UNINITIALISED, + DRBG_READY, + DRBG_ERROR +} DRBG_STATUS; + + +/* instantiate */ +typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx, + const unsigned char *ent, + size_t entlen, + const unsigned char *nonce, + size_t noncelen, + const unsigned char *pers, + size_t perslen); +/* reseed */ +typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx, + const unsigned char *ent, + size_t entlen, + const unsigned char *adin, + size_t adinlen); +/* generate output */ +typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx, + unsigned char *out, + size_t outlen, + const unsigned char *adin, + size_t adinlen); +/* uninstantiate */ +typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx); + + +/* + * The DRBG methods + */ + +typedef struct rand_drbg_method_st { + RAND_DRBG_instantiate_fn instantiate; + RAND_DRBG_reseed_fn reseed; + RAND_DRBG_generate_fn generate; + RAND_DRBG_uninstantiate_fn uninstantiate; +} RAND_DRBG_METHOD; + + +/* + * The state of a DRBG AES-CTR. + */ +typedef struct rand_drbg_ctr_st { EVP_CIPHER_CTX *ctx_ecb; EVP_CIPHER_CTX *ctx_ctr; - EVP_CIPHER_CTX *ctx_df; + EVP_CIPHER_CTX *ctx_df; const EVP_CIPHER *cipher_ecb; const EVP_CIPHER *cipher_ctr; - size_t keylen; - unsigned char K[32]; - unsigned char V[16]; - /* Temporary block storage used by ctr_df */ - unsigned char bltmp[16]; - size_t bltmp_pos; - unsigned char KX[48]; -} RAND_DRBG_CTR; - - -/* - * The 'random pool' acts as a dumb container for collecting random - * input from various entropy sources. The pool has no knowledge about - * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() - * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the - * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and - * 4) cleanup the random pool again. - * - * The random pool contains no locking mechanism because its scope and - * lifetime is intended to be restricted to a single stack frame. - */ -struct rand_pool_st { - unsigned char *buffer; /* points to the beginning of the random pool */ - size_t len; /* current number of random bytes contained in the pool */ - - int attached; /* true pool was attached to existing buffer */ - int secure; /* 1: allocated on the secure heap, 0: otherwise */ - - size_t min_len; /* minimum number of random bytes requested */ - size_t max_len; /* maximum number of random bytes (allocated buffer size) */ - size_t alloc_len; /* current number of bytes allocated */ - size_t entropy; /* current entropy count in bits */ - size_t entropy_requested; /* requested entropy count in bits */ -}; - -/* - * The state of all types of DRBGs, even though we only have CTR mode - * right now. - */ -struct rand_drbg_st { - CRYPTO_RWLOCK *lock; - RAND_DRBG *parent; - int secure; /* 1: allocated on the secure heap, 0: otherwise */ - int type; /* the nid of the underlying algorithm */ - /* - * Stores the return value of openssl_get_fork_id() as of when we last - * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != - * openssl_get_fork_id(). Used to provide fork-safety and reseed this - * DRBG in the child process. - */ - int fork_id; - unsigned short flags; /* various external flags */ - - /* - * The random_data is used by RAND_add()/drbg_add() to attach random - * data to the global drbg, such that the rand_drbg_get_entropy() callback - * can pull it during instantiation and reseeding. This is necessary to - * reconcile the different philosophies of the RAND and the RAND_DRBG - * with respect to how randomness is added to the RNG during reseeding - * (see PR #4328). - */ - struct rand_pool_st *seed_pool; - - /* - * Auxiliary pool for additional data. - */ - struct rand_pool_st *adin_pool; - - /* - * The following parameters are setup by the per-type "init" function. - * - * Currently the only type is CTR_DRBG, its init function is drbg_ctr_init(). - * - * The parameters are closely related to the ones described in - * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one - * crucial difference: In the NIST standard, all counts are given - * in bits, whereas in OpenSSL entropy counts are given in bits - * and buffer lengths are given in bytes. - * - * Since this difference has lead to some confusion in the past, - * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) - * the 'len' suffix has been added to all buffer sizes for - * clarification. - */ - - int strength; - size_t max_request; - size_t min_entropylen, max_entropylen; - size_t min_noncelen, max_noncelen; - size_t max_perslen, max_adinlen; - - /* Counts the number of generate requests since the last reseed. */ + size_t keylen; + unsigned char K[32]; + unsigned char V[16]; + /* Temporary block storage used by ctr_df */ + unsigned char bltmp[16]; + size_t bltmp_pos; + unsigned char KX[48]; +} RAND_DRBG_CTR; + + +/* + * The 'random pool' acts as a dumb container for collecting random + * input from various entropy sources. The pool has no knowledge about + * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() + * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the + * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and + * 4) cleanup the random pool again. + * + * The random pool contains no locking mechanism because its scope and + * lifetime is intended to be restricted to a single stack frame. + */ +struct rand_pool_st { + unsigned char *buffer; /* points to the beginning of the random pool */ + size_t len; /* current number of random bytes contained in the pool */ + + int attached; /* true pool was attached to existing buffer */ + int secure; /* 1: allocated on the secure heap, 0: otherwise */ + + size_t min_len; /* minimum number of random bytes requested */ + size_t max_len; /* maximum number of random bytes (allocated buffer size) */ + size_t alloc_len; /* current number of bytes allocated */ + size_t entropy; /* current entropy count in bits */ + size_t entropy_requested; /* requested entropy count in bits */ +}; + +/* + * The state of all types of DRBGs, even though we only have CTR mode + * right now. + */ +struct rand_drbg_st { + CRYPTO_RWLOCK *lock; + RAND_DRBG *parent; + int secure; /* 1: allocated on the secure heap, 0: otherwise */ + int type; /* the nid of the underlying algorithm */ + /* + * Stores the return value of openssl_get_fork_id() as of when we last + * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != + * openssl_get_fork_id(). Used to provide fork-safety and reseed this + * DRBG in the child process. + */ + int fork_id; + unsigned short flags; /* various external flags */ + + /* + * The random_data is used by RAND_add()/drbg_add() to attach random + * data to the global drbg, such that the rand_drbg_get_entropy() callback + * can pull it during instantiation and reseeding. This is necessary to + * reconcile the different philosophies of the RAND and the RAND_DRBG + * with respect to how randomness is added to the RNG during reseeding + * (see PR #4328). + */ + struct rand_pool_st *seed_pool; + + /* + * Auxiliary pool for additional data. + */ + struct rand_pool_st *adin_pool; + + /* + * The following parameters are setup by the per-type "init" function. + * + * Currently the only type is CTR_DRBG, its init function is drbg_ctr_init(). + * + * The parameters are closely related to the ones described in + * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one + * crucial difference: In the NIST standard, all counts are given + * in bits, whereas in OpenSSL entropy counts are given in bits + * and buffer lengths are given in bytes. + * + * Since this difference has lead to some confusion in the past, + * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) + * the 'len' suffix has been added to all buffer sizes for + * clarification. + */ + + int strength; + size_t max_request; + size_t min_entropylen, max_entropylen; + size_t min_noncelen, max_noncelen; + size_t max_perslen, max_adinlen; + + /* Counts the number of generate requests since the last reseed. */ unsigned int generate_counter; - /* - * Maximum number of generate requests until a reseed is required. - * This value is ignored if it is zero. - */ - unsigned int reseed_interval; - /* Stores the time when the last reseeding occurred */ - time_t reseed_time; - /* - * Specifies the maximum time interval (in seconds) between reseeds. - * This value is ignored if it is zero. - */ - time_t reseed_time_interval; - - /* + /* + * Maximum number of generate requests until a reseed is required. + * This value is ignored if it is zero. + */ + unsigned int reseed_interval; + /* Stores the time when the last reseeding occurred */ + time_t reseed_time; + /* + * Specifies the maximum time interval (in seconds) between reseeds. + * This value is ignored if it is zero. + */ + time_t reseed_time_interval; + + /* * Enables reseed propagation (see following comment) */ unsigned int enable_reseed_propagation; /* - * Counts the number of reseeds since instantiation. + * Counts the number of reseeds since instantiation. * This value is ignored if enable_reseed_propagation is zero. - * - * This counter is used only for seed propagation from the <master> DRBG - * to its two children, the <public> and <private> DRBG. This feature is - * very special and its sole purpose is to ensure that any randomness which - * is added by RAND_add() or RAND_seed() will have an immediate effect on - * the output of RAND_bytes() resp. RAND_priv_bytes(). - */ + * + * This counter is used only for seed propagation from the <master> DRBG + * to its two children, the <public> and <private> DRBG. This feature is + * very special and its sole purpose is to ensure that any randomness which + * is added by RAND_add() or RAND_seed() will have an immediate effect on + * the output of RAND_bytes() resp. RAND_priv_bytes(). + */ TSAN_QUALIFIER unsigned int reseed_counter; - - size_t seedlen; - DRBG_STATUS state; - - /* Application data, mainly used in the KATs. */ - CRYPTO_EX_DATA ex_data; - - /* Implementation specific data (currently only one implementation) */ - union { - RAND_DRBG_CTR ctr; - } data; - - /* Implementation specific methods */ - RAND_DRBG_METHOD *meth; - - /* Callback functions. See comments in rand_lib.c */ - RAND_DRBG_get_entropy_fn get_entropy; - RAND_DRBG_cleanup_entropy_fn cleanup_entropy; - RAND_DRBG_get_nonce_fn get_nonce; - RAND_DRBG_cleanup_nonce_fn cleanup_nonce; -}; - -/* The global RAND method, and the global buffer and DRBG instance. */ -extern RAND_METHOD rand_meth; - -/* DRBG helpers */ -int rand_drbg_restart(RAND_DRBG *drbg, - const unsigned char *buffer, size_t len, size_t entropy); -size_t rand_drbg_seedlen(RAND_DRBG *drbg); -/* locking api */ -int rand_drbg_lock(RAND_DRBG *drbg); -int rand_drbg_unlock(RAND_DRBG *drbg); -int rand_drbg_enable_locking(RAND_DRBG *drbg); - - -/* initializes the AES-CTR DRBG implementation */ -int drbg_ctr_init(RAND_DRBG *drbg); - -#endif + + size_t seedlen; + DRBG_STATUS state; + + /* Application data, mainly used in the KATs. */ + CRYPTO_EX_DATA ex_data; + + /* Implementation specific data (currently only one implementation) */ + union { + RAND_DRBG_CTR ctr; + } data; + + /* Implementation specific methods */ + RAND_DRBG_METHOD *meth; + + /* Callback functions. See comments in rand_lib.c */ + RAND_DRBG_get_entropy_fn get_entropy; + RAND_DRBG_cleanup_entropy_fn cleanup_entropy; + RAND_DRBG_get_nonce_fn get_nonce; + RAND_DRBG_cleanup_nonce_fn cleanup_nonce; +}; + +/* The global RAND method, and the global buffer and DRBG instance. */ +extern RAND_METHOD rand_meth; + +/* DRBG helpers */ +int rand_drbg_restart(RAND_DRBG *drbg, + const unsigned char *buffer, size_t len, size_t entropy); +size_t rand_drbg_seedlen(RAND_DRBG *drbg); +/* locking api */ +int rand_drbg_lock(RAND_DRBG *drbg); +int rand_drbg_unlock(RAND_DRBG *drbg); +int rand_drbg_enable_locking(RAND_DRBG *drbg); + + +/* initializes the AES-CTR DRBG implementation */ +int drbg_ctr_init(RAND_DRBG *drbg); + +#endif diff --git a/contrib/libs/openssl/crypto/rand/rand_unix.c b/contrib/libs/openssl/crypto/rand/rand_unix.c index e28b67daf2..5766e5abe7 100644 --- a/contrib/libs/openssl/crypto/rand/rand_unix.c +++ b/contrib/libs/openssl/crypto/rand/rand_unix.c @@ -15,8 +15,8 @@ #include "internal/cryptlib.h" #include <openssl/rand.h> #include <openssl/crypto.h> -#include "rand_local.h" -#include "crypto/rand.h" +#include "rand_local.h" +#include "crypto/rand.h" #include <stdio.h> #include "internal/dso.h" #ifdef __linux @@ -83,8 +83,8 @@ static uint64_t get_timer_bits(void); # define OSSL_POSIX_TIMER_OKAY # endif # endif -#endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) - || defined(__DJGPP__) */ +#endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) + || defined(__DJGPP__) */ #if defined(OPENSSL_RAND_SEED_NONE) /* none means none. this simplifies the following logic */ @@ -288,58 +288,58 @@ static ssize_t sysctl_random(char *buf, size_t buflen) # if defined(OPENSSL_RAND_SEED_GETRANDOM) # if defined(__linux) && !defined(__NR_getrandom) -# if defined(__arm__) +# if defined(__arm__) # define __NR_getrandom (__NR_SYSCALL_BASE+384) # elif defined(__i386__) # define __NR_getrandom 355 -# elif defined(__x86_64__) -# if defined(__ILP32__) -# define __NR_getrandom (__X32_SYSCALL_BIT + 318) -# else -# define __NR_getrandom 318 -# endif -# elif defined(__xtensa__) -# define __NR_getrandom 338 -# elif defined(__s390__) || defined(__s390x__) -# define __NR_getrandom 349 -# elif defined(__bfin__) -# define __NR_getrandom 389 -# elif defined(__powerpc__) -# define __NR_getrandom 359 -# elif defined(__mips__) || defined(__mips64) -# if _MIPS_SIM == _MIPS_SIM_ABI32 -# define __NR_getrandom (__NR_Linux + 353) -# elif _MIPS_SIM == _MIPS_SIM_ABI64 -# define __NR_getrandom (__NR_Linux + 313) -# elif _MIPS_SIM == _MIPS_SIM_NABI32 -# define __NR_getrandom (__NR_Linux + 317) -# endif -# elif defined(__hppa__) -# define __NR_getrandom (__NR_Linux + 339) -# elif defined(__sparc__) -# define __NR_getrandom 347 -# elif defined(__ia64__) -# define __NR_getrandom 1339 -# elif defined(__alpha__) -# define __NR_getrandom 511 -# elif defined(__sh__) -# if defined(__SH5__) -# define __NR_getrandom 373 -# else -# define __NR_getrandom 384 -# endif -# elif defined(__avr32__) -# define __NR_getrandom 317 -# elif defined(__microblaze__) -# define __NR_getrandom 385 -# elif defined(__m68k__) -# define __NR_getrandom 352 -# elif defined(__cris__) -# define __NR_getrandom 356 -# elif defined(__aarch64__) -# define __NR_getrandom 278 -# else /* generic */ -# define __NR_getrandom 278 +# elif defined(__x86_64__) +# if defined(__ILP32__) +# define __NR_getrandom (__X32_SYSCALL_BIT + 318) +# else +# define __NR_getrandom 318 +# endif +# elif defined(__xtensa__) +# define __NR_getrandom 338 +# elif defined(__s390__) || defined(__s390x__) +# define __NR_getrandom 349 +# elif defined(__bfin__) +# define __NR_getrandom 389 +# elif defined(__powerpc__) +# define __NR_getrandom 359 +# elif defined(__mips__) || defined(__mips64) +# if _MIPS_SIM == _MIPS_SIM_ABI32 +# define __NR_getrandom (__NR_Linux + 353) +# elif _MIPS_SIM == _MIPS_SIM_ABI64 +# define __NR_getrandom (__NR_Linux + 313) +# elif _MIPS_SIM == _MIPS_SIM_NABI32 +# define __NR_getrandom (__NR_Linux + 317) +# endif +# elif defined(__hppa__) +# define __NR_getrandom (__NR_Linux + 339) +# elif defined(__sparc__) +# define __NR_getrandom 347 +# elif defined(__ia64__) +# define __NR_getrandom 1339 +# elif defined(__alpha__) +# define __NR_getrandom 511 +# elif defined(__sh__) +# if defined(__SH5__) +# define __NR_getrandom 373 +# else +# define __NR_getrandom 384 +# endif +# elif defined(__avr32__) +# define __NR_getrandom 317 +# elif defined(__microblaze__) +# define __NR_getrandom 385 +# elif defined(__m68k__) +# define __NR_getrandom 352 +# elif defined(__cris__) +# define __NR_getrandom 356 +# elif defined(__aarch64__) +# define __NR_getrandom 278 +# else /* generic */ +# define __NR_getrandom 278 # endif # endif @@ -879,5 +879,5 @@ static uint64_t get_timer_bits(void) # endif return time(NULL); } -#endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) - || defined(__DJGPP__) */ +#endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) + || defined(__DJGPP__) */ diff --git a/contrib/libs/openssl/crypto/rand/rand_vms.c b/contrib/libs/openssl/crypto/rand/rand_vms.c index 349f5dd301..b1e9f7974e 100644 --- a/contrib/libs/openssl/crypto/rand/rand_vms.c +++ b/contrib/libs/openssl/crypto/rand/rand_vms.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,42 +13,42 @@ # define __NEW_STARLET 1 /* New starlet definitions since VMS 7.0 */ # include <unistd.h> # include "internal/cryptlib.h" -# include <openssl/bio.h> -# include <openssl/err.h> +# include <openssl/bio.h> +# include <openssl/err.h> # include <openssl/rand.h> -# include "crypto/rand.h" -# include "rand_local.h" +# include "crypto/rand.h" +# include "rand_local.h" # include <descrip.h> # include <dvidef.h> # include <jpidef.h> -# error #include <rmidef.h> +# error #include <rmidef.h> # include <syidef.h> # include <ssdef.h> # include <starlet.h> -# error #include <efndef.h> +# error #include <efndef.h> # include <gen64def.h> -# error #include <iosbdef.h> +# error #include <iosbdef.h> # include <iledef.h> # include <lib$routines.h> # ifdef __DECC # pragma message disable DOLLARID # endif -# include <dlfcn.h> /* SYS$GET_ENTROPY presence */ - +# include <dlfcn.h> /* SYS$GET_ENTROPY presence */ + # ifndef OPENSSL_RAND_SEED_OS # error "Unsupported seeding method configured; must be os" # endif -/* - * DATA COLLECTION METHOD - * ====================== - * - * This is a method to get low quality entropy. - * It works by collecting all kinds of statistical data that - * VMS offers and using them as random seed. - */ - +/* + * DATA COLLECTION METHOD + * ====================== + * + * This is a method to get low quality entropy. + * It works by collecting all kinds of statistical data that + * VMS offers and using them as random seed. + */ + /* We need to make sure we have the right size pointer in some cases */ # if __INITIAL_POINTER_SIZE == 64 # pragma pointer_size save @@ -343,7 +343,7 @@ static void massage_JPI(ILE3 *items) */ #define ENTROPY_FACTOR 20 -size_t data_collect_method(RAND_POOL *pool) +size_t data_collect_method(RAND_POOL *pool) { ILE3 JPI_items_64bit[OSSL_NELEM(JPI_item_data_64bit) + 1]; ILE3 RMI_items_64bit[OSSL_NELEM(RMI_item_data_64bit) + 1]; @@ -458,12 +458,12 @@ size_t data_collect_method(RAND_POOL *pool) * If we can't feed the requirements from the caller, we're in deep trouble. */ if (!ossl_assert(total_length >= bytes_needed)) { - char buf[100]; /* That should be enough */ + char buf[100]; /* That should be enough */ - BIO_snprintf(buf, sizeof(buf), "Needed: %zu, Available: %zu", - bytes_needed, total_length); - RANDerr(RAND_F_DATA_COLLECT_METHOD, RAND_R_RANDOM_POOL_UNDERFLOW); - ERR_add_error_data(1, buf); + BIO_snprintf(buf, sizeof(buf), "Needed: %zu, Available: %zu", + bytes_needed, total_length); + RANDerr(RAND_F_DATA_COLLECT_METHOD, RAND_R_RANDOM_POOL_UNDERFLOW); + ERR_add_error_data(1, buf); return 0; } @@ -490,7 +490,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool) /* * Add process id, thread id, and a high resolution timestamp * (where available, which is OpenVMS v8.4 and up) to ensure that - * the nonce is unique with high probability for different process + * the nonce is unique with high probability for different process * instances. */ data.pid = getpid(); @@ -504,80 +504,80 @@ int rand_pool_add_nonce_data(RAND_POOL *pool) return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); } -/* - * SYS$GET_ENTROPY METHOD - * ====================== - * - * This is a high entropy method based on a new system service that is - * based on getentropy() from FreeBSD 12. It's only used if available, - * and its availability is detected at run-time. - * - * We assume that this function provides full entropy random output. - */ -#define PUBLIC_VECTORS "SYS$LIBRARY:SYS$PUBLIC_VECTORS.EXE" -#define GET_ENTROPY "SYS$GET_ENTROPY" - -static int get_entropy_address_flag = 0; -static int (*get_entropy_address)(void *buffer, size_t buffer_size) = NULL; -static int init_get_entropy_address(void) -{ - if (get_entropy_address_flag == 0) - get_entropy_address = dlsym(dlopen(PUBLIC_VECTORS, 0), GET_ENTROPY); - get_entropy_address_flag = 1; - return get_entropy_address != NULL; -} - -size_t get_entropy_method(RAND_POOL *pool) -{ - /* - * The documentation says that SYS$GET_ENTROPY will give a maximum of - * 256 bytes of data. - */ - unsigned char buffer[256]; - size_t bytes_needed; - size_t bytes_to_get = 0; - uint32_t status; - - for (bytes_needed = rand_pool_bytes_needed(pool, 1); - bytes_needed > 0; - bytes_needed -= bytes_to_get) { - bytes_to_get = - bytes_needed > sizeof(buffer) ? sizeof(buffer) : bytes_needed; - - status = get_entropy_address(buffer, bytes_to_get); - if (status == SS$_RETRY) { - /* Set to zero so the loop doesn't diminish |bytes_needed| */ - bytes_to_get = 0; - /* Should sleep some amount of time */ - continue; - } - - if (status != SS$_NORMAL) { - lib$signal(status); - return 0; - } - - rand_pool_add(pool, buffer, bytes_to_get, 8 * bytes_to_get); - } - - return rand_pool_entropy_available(pool); -} - -/* - * MAIN ENTROPY ACQUISITION FUNCTIONS - * ================================== - * - * These functions are called by the RAND / DRBG functions - */ - -size_t rand_pool_acquire_entropy(RAND_POOL *pool) -{ - if (init_get_entropy_address()) - return get_entropy_method(pool); - return data_collect_method(pool); -} - - +/* + * SYS$GET_ENTROPY METHOD + * ====================== + * + * This is a high entropy method based on a new system service that is + * based on getentropy() from FreeBSD 12. It's only used if available, + * and its availability is detected at run-time. + * + * We assume that this function provides full entropy random output. + */ +#define PUBLIC_VECTORS "SYS$LIBRARY:SYS$PUBLIC_VECTORS.EXE" +#define GET_ENTROPY "SYS$GET_ENTROPY" + +static int get_entropy_address_flag = 0; +static int (*get_entropy_address)(void *buffer, size_t buffer_size) = NULL; +static int init_get_entropy_address(void) +{ + if (get_entropy_address_flag == 0) + get_entropy_address = dlsym(dlopen(PUBLIC_VECTORS, 0), GET_ENTROPY); + get_entropy_address_flag = 1; + return get_entropy_address != NULL; +} + +size_t get_entropy_method(RAND_POOL *pool) +{ + /* + * The documentation says that SYS$GET_ENTROPY will give a maximum of + * 256 bytes of data. + */ + unsigned char buffer[256]; + size_t bytes_needed; + size_t bytes_to_get = 0; + uint32_t status; + + for (bytes_needed = rand_pool_bytes_needed(pool, 1); + bytes_needed > 0; + bytes_needed -= bytes_to_get) { + bytes_to_get = + bytes_needed > sizeof(buffer) ? sizeof(buffer) : bytes_needed; + + status = get_entropy_address(buffer, bytes_to_get); + if (status == SS$_RETRY) { + /* Set to zero so the loop doesn't diminish |bytes_needed| */ + bytes_to_get = 0; + /* Should sleep some amount of time */ + continue; + } + + if (status != SS$_NORMAL) { + lib$signal(status); + return 0; + } + + rand_pool_add(pool, buffer, bytes_to_get, 8 * bytes_to_get); + } + + return rand_pool_entropy_available(pool); +} + +/* + * MAIN ENTROPY ACQUISITION FUNCTIONS + * ================================== + * + * These functions are called by the RAND / DRBG functions + */ + +size_t rand_pool_acquire_entropy(RAND_POOL *pool) +{ + if (init_get_entropy_address()) + return get_entropy_method(pool); + return data_collect_method(pool); +} + + int rand_pool_add_additional_data(RAND_POOL *pool) { struct { diff --git a/contrib/libs/openssl/crypto/rand/rand_win.c b/contrib/libs/openssl/crypto/rand/rand_win.c index 24cfd3ac39..9036546008 100644 --- a/contrib/libs/openssl/crypto/rand/rand_win.c +++ b/contrib/libs/openssl/crypto/rand/rand_win.c @@ -9,8 +9,8 @@ #include "internal/cryptlib.h" #include <openssl/rand.h> -#include "rand_local.h" -#include "crypto/rand.h" +#include "rand_local.h" +#include "crypto/rand.h" #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) # ifndef OPENSSL_RAND_SEED_OS @@ -130,7 +130,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool) /* * Add process id, thread id, and a high resolution timestamp to - * ensure that the nonce is unique with high probability for + * ensure that the nonce is unique with high probability for * different process instances. */ data.pid = GetCurrentProcessId(); |