summaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorKurt Roeckx <kurt@roeckx.be>2018-03-08 22:30:28 +0100
committerDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>2018-03-19 15:04:40 +0100
commit16cfc2c90d9e7776965db07c1f31bbec2f6c41e3 (patch)
treedab155d1453fce5e7e2a5d6c2d4d02557227cb41 /ssl
parentMake the public and private DRBG thread local (diff)
downloadopenssl-16cfc2c90d9e7776965db07c1f31bbec2f6c41e3.tar.xz
openssl-16cfc2c90d9e7776965db07c1f31bbec2f6c41e3.zip
Don't use a ssl specific DRBG anymore
Since the public and private DRBG are per thread we don't need one per ssl object anymore. It could also try to get entropy from a DRBG that's really from an other thread because the SSL object moved to an other thread. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5547)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/ssl3_record.c2
-rw-r--r--ssl/s3_enc.c1
-rw-r--r--ssl/s3_lib.c6
-rw-r--r--ssl/ssl_lib.c37
-rw-r--r--ssl/ssl_locl.h2
-rw-r--r--ssl/ssl_sess.c2
-rw-r--r--ssl/statem/statem_clnt.c7
-rw-r--r--ssl/statem/statem_srvr.c9
-rw-r--r--ssl/t1_enc.c1
-rw-r--r--ssl/tls13_enc.c1
-rw-r--r--ssl/tls_srp.c4
11 files changed, 14 insertions, 58 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index fa902f30fb..c21a478a71 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -972,7 +972,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
ERR_R_INTERNAL_ERROR);
return -1;
- } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) {
+ } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
ERR_R_INTERNAL_ERROR);
return -1;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 966d498e61..d6a08de5a6 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -168,7 +168,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
*/
EVP_CIPHER_CTX_reset(s->enc_write_ctx);
}
- EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
dd = s->enc_write_ctx;
if (ssl_replace_hash(&s->write_hash, m) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f230b5ff46..bbf49a205d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4524,12 +4524,12 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len,
unsigned char *p = result;
l2n(Time, p);
- ret = ssl_randbytes(s, p, len - 4);
+ ret = RAND_bytes(p, len - 4);
} else {
- ret = ssl_randbytes(s, result, len);
+ ret = RAND_bytes(result, len);
}
#ifndef OPENSSL_NO_TLS13DOWNGRADE
- if (ret) {
+ if (ret > 0) {
if (!ossl_assert(sizeof(tls11downgrade) < len)
|| !ossl_assert(sizeof(tls12downgrade) < len))
return 0;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index cd972ae63f..e42333160b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -690,20 +690,6 @@ SSL *SSL_new(SSL_CTX *ctx)
goto err;
}
- /*
- * If not using the standard RAND (say for fuzzing), then don't use a
- * chained DRBG.
- */
- if (RAND_get_rand_method() == RAND_OpenSSL()) {
- s->drbg =
- RAND_DRBG_new(0, 0, RAND_DRBG_get0_public());
- if (s->drbg == NULL
- || RAND_DRBG_instantiate(s->drbg,
- (const unsigned char *) SSL_version_str,
- sizeof(SSL_version_str) - 1) == 0)
- goto err;
- }
-
RECORD_LAYER_init(&s->rlayer, s);
s->options = ctx->options;
@@ -1220,7 +1206,6 @@ void SSL_free(SSL *s)
sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
#endif
- RAND_DRBG_free(s->drbg);
CRYPTO_THREAD_lock_free(s->lock);
OPENSSL_free(s);
@@ -5397,28 +5382,6 @@ uint32_t SSL_get_max_early_data(const SSL *s)
return s->max_early_data;
}
-int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size)
-{
- if (s->drbg != NULL) {
- /*
- * Currently, it's the duty of the caller to serialize the generate
- * requests to the DRBG. So formally we have to check whether
- * s->drbg->lock != NULL and take the lock if this is the case.
- * However, this DRBG is unique to a given SSL object, and we already
- * require that SSL objects are only accessed by a single thread at
- * a given time. Also, SSL DRBGs have no child DRBG, so there is
- * no risk that this DRBG is accessed by a child DRBG in parallel
- * for reseeding. As such, we can rely on the application's
- * serialization of SSL accesses for the needed concurrency protection
- * here.
- */
- return RAND_DRBG_bytes(s->drbg, rnd, size);
- }
- if (size > INT_MAX)
- return 0;
- return RAND_bytes(rnd, size);
-}
-
__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl)
{
/* Return any active Max Fragment Len extension */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4b8482aeb7..83a033445d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1407,7 +1407,6 @@ struct ssl_st {
size_t block_padding;
CRYPTO_RWLOCK *lock;
- RAND_DRBG *drbg;
};
/*
@@ -2238,7 +2237,6 @@ __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);
__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
int ref);
-__owur int ssl_randbytes(SSL *s, unsigned char *buf, size_t num);
__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
void *other);
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 6513bf84cc..2dd54566ef 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -295,7 +295,7 @@ static int def_generate_session_id(SSL *ssl, unsigned char *id,
{
unsigned int retry = 0;
do
- if (ssl_randbytes(ssl, id, *id_len) <= 0)
+ if (RAND_bytes(id, *id_len) <= 0)
return 0;
while (SSL_has_matching_session_id(ssl, id, *id_len) &&
(++retry < MAX_SESS_ID_ATTEMPTS)) ;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d770706a6e..86cf5b6ab2 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1188,8 +1188,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
s->tmp_session_id_len = sess_id_len;
session_id = s->tmp_session_id;
if (s->hello_retry_request == SSL_HRR_NONE
- && ssl_randbytes(s, s->tmp_session_id,
- sess_id_len) <= 0) {
+ && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
@@ -2925,7 +2924,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
/* TODO(size_t): Convert this function */
- if (ssl_randbytes(s, pms + 2, (int)(pmslen - 2)) <= 0) {
+ if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
ERR_R_MALLOC_FAILURE);
goto err;
@@ -3146,7 +3145,7 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
/* Generate session key
* TODO(size_t): Convert this function
*/
- || ssl_randbytes(s, pms, (int)pmslen) <= 0) {
+ || RAND_bytes(pms, (int)pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
ERR_R_INTERNAL_ERROR);
goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c198aa7246..8826b7f00f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2737,7 +2737,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
OPENSSL_free(s->pha_context);
s->pha_context_len = 32;
if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
- || ssl_randbytes(s, s->pha_context, s->pha_context_len) <= 0
+ || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
@@ -2926,7 +2926,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
* fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
*/
- if (ssl_randbytes(s, rand_premaster_secret,
+ if (RAND_bytes(rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
ERR_R_INTERNAL_ERROR);
@@ -3692,7 +3692,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
/* SSLfatal() already called */
goto err;
}
- if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
+ if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_INTERNAL_ERROR);
@@ -3758,7 +3758,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
p = senc;
if (!i2d_SSL_SESSION(s->session, &p)) {
@@ -3830,7 +3829,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
iv_len = EVP_CIPHER_iv_length(cipher);
- if (ssl_randbytes(s, iv, iv_len) <= 0
+ if (RAND_bytes(iv, iv_len) <= 0
|| !EVP_EncryptInit_ex(ctx, cipher, NULL,
tctx->ext.tick_aes_key, iv)
|| !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index a138b60633..58d5e25361 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -171,7 +171,6 @@ int tls1_change_cipher_state(SSL *s, int which)
ERR_R_MALLOC_FAILURE);
goto err;
}
- EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
dd = s->enc_write_ctx;
if (SSL_IS_DTLS(s)) {
mac_ctx = EVP_MD_CTX_new();
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 7f4395843a..a793e0c8af 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -407,7 +407,6 @@ int tls13_change_cipher_state(SSL *s, int which)
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
goto err;
}
- EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
}
ciph_ctx = s->enc_write_ctx;
iv = s->write_iv;
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index d7323289ac..87614cb003 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -157,7 +157,7 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
(s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
return SSL3_AL_FATAL;
- if (ssl_randbytes(s, b, sizeof(b)) <= 0)
+ if (RAND_bytes(b, sizeof(b)) <= 0)
return SSL3_AL_FATAL;
s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
OPENSSL_cleanse(b, sizeof(b));
@@ -369,7 +369,7 @@ int SRP_Calc_A_param(SSL *s)
{
unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
- if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0)
+ if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
return 0;
s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
OPENSSL_cleanse(rnd, sizeof(rnd));