DRBG: fix reseeding via RAND_add()/RAND_seed() with large input

  *)

 Changes between 1.1.1 and 1.1.1a [xx XXX xxxx]

  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input

     if its length exceeds 4096 bytes. The limit has been raised to a buffer size

     of two gigabytes and the error handling improved.

     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been

     categorized as a normal bug, not a security issue, because the DRBG reseeds

     automatically and is fully functional even without additional randomness

     provided by the application.

 Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

  *) Add a new ClientHello callback. Provides a callback interface that gives

  *) A minor bug in ssl/s3_clnt.c where there would always be 4 0

     bytes sent in the client random.

     [Edward Bishop <ebishop@spyglass.com>]

RAND_F_RAND_POOL_ADD:103:rand_pool_add

RAND_F_RAND_POOL_ADD_BEGIN:113:rand_pool_add_begin

RAND_F_RAND_POOL_ADD_END:114:rand_pool_add_end

RAND_F_RAND_POOL_ATTACH:124:rand_pool_attach

RAND_F_RAND_POOL_BYTES_NEEDED:115:rand_pool_bytes_needed

RAND_F_RAND_POOL_NEW:116:rand_pool_new

RAND_F_RAND_WRITE_FILE:112:RAND_write_file

 * RAND_POOL functions

 */

RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len);

RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,

                            size_t entropy);

void rand_pool_free(RAND_POOL *pool);

const unsigned char *rand_pool_buffer(RAND_POOL *pool);

            return 0;

        drbg->min_entropylen = ctr->keylen;

        drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;

        drbg->max_entropylen = DRBG_MAX_LENGTH;

        drbg->min_noncelen = drbg->min_entropylen / 2;

        drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;

        drbg->max_noncelen = DRBG_MAX_LENGTH;

        drbg->max_perslen = DRBG_MAX_LENGTH;

        drbg->max_adinlen = DRBG_MAX_LENGTH;

    } else {

    if (drbg->pool != NULL) {

        RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);

        drbg->state = DRBG_ERROR;

        rand_pool_free(drbg->pool);

        drbg->pool = NULL;

        return 0;

    }

    if (buffer != NULL) {

            if (drbg->max_entropylen < len) {

                RANDerr(RAND_F_RAND_DRBG_RESTART,

                    RAND_R_ENTROPY_INPUT_TOO_LONG);

                drbg->state = DRBG_ERROR;

                return 0;

            }

            if (entropy > 8 * len) {

                RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_ENTROPY_OUT_OF_RANGE);

                drbg->state = DRBG_ERROR;

                return 0;

            }

            /* will be picked up by the rand_drbg_get_entropy() callback */

            drbg->pool = rand_pool_new(entropy, len, len);

            drbg->pool = rand_pool_attach(buffer, len, entropy);

            if (drbg->pool == NULL)

                return 0;

            rand_pool_add(drbg->pool, buffer, len, entropy);

        } else {

            if (drbg->max_adinlen < len) {

                RANDerr(RAND_F_RAND_DRBG_RESTART,

                        RAND_R_ADDITIONAL_INPUT_TOO_LONG);

                drbg->state = DRBG_ERROR;

                return 0;

            }

            adin = buffer;

    if (num < 0 || randomness < 0.0)

        return 0;

    if (randomness > (double)drbg->max_entropylen) {

    if (randomness > (double)RAND_DRBG_STRENGTH) {

        /*

         * The purpose of this check is to bound |randomness| by a

         * relatively small value in order to prevent an integer

         * overflow when multiplying by 8 in the rand_drbg_restart()

         * call below.

         * call below. Note that randomness is measured in bytes,

         * not bits, so this value corresponds to eight times the

         * security strength.

         */

        return 0;

        randomness = (double)RAND_DRBG_STRENGTH;

    }

    rand_drbg_lock(drbg);