Commit efb8128a authored by Dr. Matthias St. Pierre's avatar Dr. Matthias St. Pierre
Browse files

Make DRBG uninstantiate() and instantiate() methods inverse to each other 



Previously, the RAND_DRBG_uninstantiate() call was not exactly inverse to
RAND_DRBG_instantiate(), because some important member values of the
drbg->ctr member where cleared. Now these values are restored internally.

Signed-off-by: default avatarDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
parent 933033b6

crypto/rand/drbg_lib.c

+18 −13
Original line number Diff line number Diff line
@@ -103,8 +103,8 @@ static void drbg_cleanup(RAND_DRBG *drbg); 


/*

 * Set/initialize |drbg| to be of type |nid|, with optional |flags|.

 * Return -2 if the type is not supported, 1 on success and -1 on

 * failure.

 *

 * Returns 1 on success, 0 on failure.

 */

int RAND_DRBG_set(RAND_DRBG *drbg, int nid, unsigned int flags)

{
@@ -117,7 +117,7 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int nid, unsigned int flags) 
    switch (nid) {

    default:

        RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);

        return -2;

        return 0;

    case 0:

        /* Uninitialized; that's okay. */

        return 1;
@@ -128,7 +128,7 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int nid, unsigned int flags) 
        break;

    }



    if (ret < 0)

    if (ret == 0)

        RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);

    return ret;

}
@@ -149,7 +149,7 @@ RAND_DRBG *RAND_DRBG_new(int type, unsigned int flags, RAND_DRBG *parent) 
    }

    drbg->fork_count = rand_fork_count;

    drbg->parent = parent;

    if (RAND_DRBG_set(drbg, type, flags) < 0)

    if (RAND_DRBG_set(drbg, type, flags) == 0)

        goto err;



    if (!RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
@@ -182,6 +182,8 @@ void RAND_DRBG_free(RAND_DRBG *drbg) 
 * |perslen| as prediction-resistance input.

 *

 * Requires that drbg->lock is already locked for write, if non-null.

 *

 * Returns 1 on success, 0 on failure.

 */

int RAND_DRBG_instantiate(RAND_DRBG *drbg,

                          const unsigned char *pers, size_t perslen)
@@ -260,19 +262,25 @@ end: 
 * Uninstantiate |drbg|. Must be instantiated before it can be used.

 *

 * Requires that drbg->lock is already locked for write, if non-null.

 *

 * Returns 1 on success, 0 on failure.

 */

int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)

{

    int ret = ctr_uninstantiate(drbg);



    drbg->state = DRBG_UNINITIALISED;

    return ret;

    /* Clear the entire drbg->ctr struct, then reset some important

     * members of the drbg->ctr struct (e.g. keysize, df_ks) to their

     * initial values.

     */

    ctr_uninstantiate(drbg);

    return RAND_DRBG_set(drbg, drbg->nid, drbg->flags);

}



/*

 * Reseed |drbg|, mixing in the specified data

 *

 * Requires that drbg->lock is already locked for write, if non-null.

 *

 * Returns 1 on success, 0 on failure.

 */

int RAND_DRBG_reseed(RAND_DRBG *drbg,

                     const unsigned char *adin, size_t adinlen)
@@ -388,11 +396,8 @@ int rand_drbg_restart(RAND_DRBG *drbg, 
    }



    /* repair error state */

    if (drbg->state == DRBG_ERROR) {

    if (drbg->state == DRBG_ERROR)

        RAND_DRBG_uninstantiate(drbg);

        /* The drbg->ctr member needs to be reinitialized before reinstantiation */

        RAND_DRBG_set(drbg, drbg->nid, drbg->flags);

    }



    /* repair uninitialized state */

    if (drbg->state == DRBG_UNINITIALISED) {

crypto/rand/drbg_rand.c

+1 −1
Original line number Diff line number Diff line
@@ -313,7 +313,7 @@ int ctr_init(RAND_DRBG *drbg) 
    switch (drbg->nid) {

    default:

        /* This can't happen, but silence the compiler warning. */

        return -1;

        return 0;

    case NID_aes_128_ctr:

        keylen = 16;

        break;