Skip to content
  • Dr. Matthias St. Pierre's avatar
    DRBG: fix reseeding via RAND_add()/RAND_seed() with large input · dbf0a496
    Dr. Matthias St. Pierre authored
    
    
    In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
    was implemented by buffering the data in a random pool where it is
    picked up later by the rand_drbg_get_entropy() callback. This buffer
    was limited to the size of 4096 bytes.
    
    When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
    the reseeding failed, but the error returned by the DRBG was ignored
    by the two calling functions, which both don't return an error code.
    As a consequence, the data provided by the application was effectively
    ignored.
    
    This commit fixes the problem by a more efficient implementation which
    does not copy the data in memory and by raising the buffer the size limit
    to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
    but it was chosen intentionally to avoid platform dependent problems
    like integer sizes and/or signed/unsigned conversion.
    
    Additionally, the DRBG is now less permissive on errors: In addition to
    pushing a message to the openssl error stack, it enters the error state,
    which forces a reinstantiation on next call.
    
    Thanks go to Dr. Falko Strenzke for reporting this issue to the
    openssl-security mailing list. After internal discussion the issue
    has been categorized as not being security relevant, because the DRBG
    reseeds automatically and is fully functional even without additional
    randomness provided by the application.
    
    Fixes #7381
    
    Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/7382)
    
    (cherry picked from commit 3064b55134434a0b2850f07eff57120f35bb269a)
    dbf0a496
To find the state of this project's repository at the time of any of these versions, check out the tags.