From 63180182ecfe6474fbc50bc4021e558d11414e88 Mon Sep 17 00:00:00 2001 From: "Dr. Matthias St. Pierre" Date: Thu, 30 May 2019 18:37:29 +0200 Subject: [PATCH] drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt) Since commit 7c226dfc434d a chained DRBG does not add additional data anymore when reseeding from its parent. The reason is that the size of the additional data exceeded the allowed size when no derivation function was used. This commit provides an alternative fix: instead of adding the entire DRBG's complete state, we just add the DRBG's address in memory, thereby providing some distinction between the different DRBG instances. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9802) --- crypto/rand/rand_lib.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index ce4e17c414..945ea1e795 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -161,7 +161,9 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, size_t bytes = 0; /* - * Get random from parent, include our state as additional input. + * Get random data from parent. Include our address as additional input, + * in order to provide some additional distinction between different + * DRBG child instances. * Our lock is already held, but we need to lock our parent before * generating bits from it. (Note: taking the lock will be a no-op * if locking if drbg->parent->lock == NULL.) @@ -170,7 +172,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, if (RAND_DRBG_generate(drbg->parent, buffer, bytes_needed, prediction_resistance, - NULL, 0) != 0) + (unsigned char *)&drbg, sizeof(drbg)) != 0) bytes = bytes_needed; drbg->reseed_next_counter = tsan_load(&drbg->parent->reseed_prop_counter); -- 2.25.1