Commit e8d866dc authored by Bernd Edlinger's avatar Bernd Edlinger Committed by Pauli
Browse files

Allocate DRBG additional data pool from non-secure memory 



The additional data allocates 12K per DRBG instance in the
secure memory, which is not necessary. Also nonces are not
considered secret.

[extended tests]

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9424)
parent 77cb2434

crypto/include/internal/rand_int.h

+2 −1
Original line number Diff line number Diff line
@@ -52,7 +52,8 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); 
/*

 * RAND_POOL functions

 */

RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len);

RAND_POOL *rand_pool_new(int entropy_requested, int secure,

                         size_t min_len, size_t max_len);

RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,

                            size_t entropy);

void rand_pool_free(RAND_POOL *pool);

crypto/rand/drbg_lib.c

+1 −1
Original line number Diff line number Diff line
@@ -664,7 +664,7 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen) 
    if (drbg->adin_pool == NULL) {

        if (drbg->type == 0)

            goto err;

        drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen);

        drbg->adin_pool = rand_pool_new(0, 0, 0, drbg->max_adinlen);

        if (drbg->adin_pool == NULL)

            goto err;

    }

crypto/rand/rand_lcl.h

+1 −0
Original line number Diff line number Diff line
@@ -150,6 +150,7 @@ struct rand_pool_st { 
    size_t len; /* current number of random bytes contained in the pool */



    int attached;  /* true pool was attached to existing buffer */

    int secure;    /* 1: allocated on the secure heap, 0: otherwise */



    size_t min_len; /* minimum number of random bytes requested */

    size_t max_len; /* maximum number of random bytes (allocated buffer size) */

crypto/rand/rand_lib.c

+25 −10
Original line number Diff line number Diff line
@@ -150,7 +150,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, 
        pool = drbg->seed_pool;

        pool->entropy_requested = entropy;

    } else {

        pool = rand_pool_new(entropy, min_len, max_len);

        pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);

        if (pool == NULL)

            return 0;

    }
@@ -216,8 +216,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, 
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,

                               unsigned char *out, size_t outlen)

{

    if (drbg->seed_pool == NULL)

    if (drbg->seed_pool == NULL) {

        if (drbg->secure)

            OPENSSL_secure_clear_free(out, outlen);

        else

            OPENSSL_clear_free(out, outlen);

    }

}
@@ -238,7 +242,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, 
    } data;



    memset(&data, 0, sizeof(data));

    pool = rand_pool_new(0, min_len, max_len);

    pool = rand_pool_new(0, 0, min_len, max_len);

    if (pool == NULL)

        return 0;
@@ -267,7 +271,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, 
void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,

                             unsigned char *out, size_t outlen)

{

    OPENSSL_secure_clear_free(out, outlen);

    OPENSSL_clear_free(out, outlen);

}



/*
@@ -402,7 +406,7 @@ int RAND_poll(void) 


    } else {

        /* fill random pool and seed the current legacy RNG */

        pool = rand_pool_new(RAND_DRBG_STRENGTH,

        pool = rand_pool_new(RAND_DRBG_STRENGTH, 1,

                             (RAND_DRBG_STRENGTH + 7) / 8,

                             RAND_POOL_MAX_LENGTH);

        if (pool == NULL)
@@ -429,7 +433,8 @@ err: 
 * Allocate memory and initialize a new random pool

 */



RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)

RAND_POOL *rand_pool_new(int entropy_requested, int secure,

                         size_t min_len, size_t max_len)

{

    RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
@@ -442,13 +447,18 @@ RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len) 
    pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?

        RAND_POOL_MAX_LENGTH : max_len;



    if (secure)

        pool->buffer = OPENSSL_secure_zalloc(pool->max_len);

    else

        pool->buffer = OPENSSL_zalloc(pool->max_len);



    if (pool->buffer == NULL) {

        RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);

        goto err;

    }



    pool->entropy_requested = entropy_requested;

    pool->secure = secure;



    return pool;
@@ -503,8 +513,13 @@ void rand_pool_free(RAND_POOL *pool) 
     * to rand_pool_attach() as `const unsigned char*`.

     * (see corresponding comment in rand_pool_attach()).

     */

    if (!pool->attached)

    if (!pool->attached) {

        if (pool->secure)

            OPENSSL_secure_clear_free(pool->buffer, pool->max_len);

        else

            OPENSSL_clear_free(pool->buffer, pool->max_len);

    }



    OPENSSL_free(pool);

}