From d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 5 Nov 2017 14:37:15 +0100 Subject: [PATCH] Tell the ciphers which DRBG to use for generating random bytes. Reviewed-by: Richard Levitte GH: #4672 --- crypto/evp/e_aes.c | 22 +++++++++++++++++----- crypto/evp/e_aes_cbc_hmac_sha1.c | 15 ++++++++++++--- crypto/evp/e_aes_cbc_hmac_sha256.c | 15 ++++++++++++--- crypto/evp/e_aria.c | 12 +++++++++--- crypto/evp/e_des.c | 8 +++++++- crypto/evp/e_des3.c | 13 +++++++++++-- crypto/evp/evp_enc.c | 16 +++++++++++++++- crypto/evp/evp_locl.h | 1 + crypto/evp/p_seal.c | 13 ++++++++++--- doc/man3/EVP_EncryptInit.pod | 14 ++++++++++++++ include/openssl/evp.h | 2 ++ ssl/s3_enc.c | 1 + ssl/statem/statem_srvr.c | 1 + ssl/t1_enc.c | 1 + ssl/tls13_enc.c | 1 + 15 files changed, 114 insertions(+), 21 deletions(-) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 1d5007acf8..bed9b2743e 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -17,6 +17,7 @@ #include "internal/evp_int.h" #include "modes_lcl.h" #include +#include #include "evp_locl.h" typedef struct { @@ -1404,8 +1405,14 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) memcpy(gctx->iv, ptr, arg); enc = EVP_CIPHER_CTX_encrypting(c); - if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) - return 0; + if (enc) { + if (c->drbg != NULL) { + if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0) + return 0; + } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) { + return 0; + } + } gctx->iv_gen = 1; return 1; @@ -2632,9 +2639,14 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; if (arg) memcpy(gctx->iv, ptr, arg); - if (EVP_CIPHER_CTX_encrypting(c) - && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) - return 0; + if (EVP_CIPHER_CTX_encrypting(c)) { + if (c->drbg != NULL) { + if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0) + return 0; + } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) { + return 0; + } + } gctx->iv_gen = 1; return 1; diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 09d24dc3d0..053189e685 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -17,9 +17,11 @@ #include #include #include +#include #include "modes_lcl.h" #include "internal/evp_int.h" #include "internal/constant_time_locl.h" +#include "evp_locl.h" typedef struct { AES_KEY ks; @@ -154,7 +156,8 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, unsigned char *out, const unsigned char *inp, - size_t inp_len, int n4x) + size_t inp_len, int n4x, + RAND_DRBG *drbg) { /* n4x is 1 or 2 */ HASH_DESC hash_d[8], edges[8]; CIPH_DESC ciph_d[8]; @@ -174,8 +177,13 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, # endif /* ask for IVs in bulk */ - if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0) + IVs = blocks[0].c; + if (drbg != NULL) { + if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0) + return 0; + } else if (RAND_bytes(IVs, 16 * x4) <= 0) { return 0; + } ctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */ @@ -893,7 +901,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, - param->interleave / 4); + param->interleave / 4, + ctx->drbg); } case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: # endif diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index caac0c9d3d..215e02f131 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -18,9 +18,11 @@ #include #include #include +#include #include "modes_lcl.h" #include "internal/constant_time_locl.h" #include "internal/evp_int.h" +#include "evp_locl.h" typedef struct { AES_KEY ks; @@ -150,7 +152,8 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, unsigned char *out, const unsigned char *inp, - size_t inp_len, int n4x) + size_t inp_len, int n4x, + RAND_DRBG *drbg) { /* n4x is 1 or 2 */ HASH_DESC hash_d[8], edges[8]; CIPH_DESC ciph_d[8]; @@ -170,8 +173,13 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, # endif /* ask for IVs in bulk */ - if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0) + IVs = blocks[0].c; + if (drbg != NULL) { + if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0) + return 0; + } else if (RAND_bytes(IVs, 16 * x4) <= 0) { return 0; + } /* align */ ctx = (SHA256_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); @@ -877,7 +885,8 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, - param->interleave / 4); + param->interleave / 4, + ctx->drbg); } case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: # endif diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c index 00e008a368..10525a84d9 100644 --- a/crypto/evp/e_aria.c +++ b/crypto/evp/e_aria.c @@ -15,6 +15,7 @@ # include # include "internal/aria.h" # include "internal/evp_int.h" +# include "internal/rand.h" # include "modes_lcl.h" # include "evp_locl.h" @@ -301,9 +302,14 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; if (arg) memcpy(gctx->iv, ptr, arg); - if (EVP_CIPHER_CTX_encrypting(c) - && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) - return 0; + if (EVP_CIPHER_CTX_encrypting(c)) { + if (c->drbg != NULL) { + if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0) + return 0; + } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) { + return 0; + } + } gctx->iv_gen = 1; return 1; diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 9b2facfecf..d8c4afa886 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -15,6 +15,8 @@ # include "internal/evp_int.h" # include # include +# include +# include "evp_locl.h" typedef struct { union { @@ -229,8 +231,12 @@ static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_RAND_KEY: - if (RAND_bytes(ptr, 8) <= 0) + if (c->drbg != NULL) { + if (RAND_DRBG_bytes(c->drbg, ptr, 8) == 0) + return 0; + } else if (RAND_bytes(ptr, 8) <= 0) { return 0; + } DES_set_odd_parity((DES_cblock *)ptr); return 1; diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index da77936c96..75e6ecf314 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -15,6 +15,7 @@ # include "internal/evp_int.h" # include # include +# include # include "evp_locl.h" typedef struct { @@ -283,8 +284,12 @@ static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_RAND_KEY: - if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) + if (ctx->drbg != NULL) { + if (RAND_DRBG_bytes(ctx->drbg, ptr, EVP_CIPHER_CTX_key_length(ctx)) == 0) + return 0; + } else if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) { return 0; + } DES_set_odd_parity(deskey); if (EVP_CIPHER_CTX_key_length(ctx) >= 16) DES_set_odd_parity(deskey + 1); @@ -372,8 +377,12 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, memcpy(out + inl + 8, sha1tmp, 8); OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); /* Generate random IV */ - if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) + if (ctx->drbg != NULL) { + if (RAND_DRBG_bytes(ctx->drbg, EVP_CIPHER_CTX_iv_noconst(ctx), 8) == 0) + return -1; + } else if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) { return -1; + } memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), 8); /* Encrypt everything after IV in place */ des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 2c4a2db64f..3176c61538 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -15,6 +15,7 @@ #include #include #include "internal/evp_int.h" +#include "internal/rand.h" #include "evp_locl.h" int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) @@ -577,6 +578,15 @@ int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { int ret; + + if (type == EVP_CTRL_GET_DRBG) { + *(RAND_DRBG **)ptr = ctx->drbg; + return 1; + } + if (type == EVP_CTRL_SET_DRBG) { + ctx->drbg = ptr; + return 1; + } if (!ctx->cipher) { EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET); return 0; @@ -600,8 +610,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) { if (ctx->cipher->flags & EVP_CIPH_RAND_KEY) return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key); - if (RAND_bytes(key, ctx->key_len) <= 0) + if (ctx->drbg) { + if (RAND_DRBG_bytes(ctx->drbg, key, ctx->key_len) == 0) + return 0; + } else if (RAND_bytes(key, ctx->key_len) <= 0) { return 0; + } return 1; } diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index 209577b7c2..82b9433f75 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h @@ -39,6 +39,7 @@ struct evp_cipher_ctx_st { int final_used; int block_mask; unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ + RAND_DRBG *drbg; } /* EVP_CIPHER_CTX */ ; int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index 50ea60235a..3b79dab8b8 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -14,6 +14,8 @@ #include #include #include +#include +#include "evp_locl.h" int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv, @@ -31,9 +33,14 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; - if (EVP_CIPHER_CTX_iv_length(ctx) - && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) - return 0; + if (EVP_CIPHER_CTX_iv_length(ctx)) { + if (ctx->drbg) { + if (RAND_DRBG_bytes(ctx->drbg, iv, EVP_CIPHER_CTX_iv_length(ctx)) == 0) + return 0; + } else if (RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) { + return 0; + } + } if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) return 0; diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 619a94eccf..3022c7a054 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -457,6 +457,20 @@ This call is only valid when decrypting data. =back +=head1 Random numbers + +The following can be used to select the DRBG that is used to generate the random +numbers: + +EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, drbg) + +The following can be used to get the DRBG: + +EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_DRBG, 0, &drbg) + +By default it's set to NULL which results in RAND_bytes() being used. + + =head1 NOTES Where possible the B interface to symmetric ciphers should be used in diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 268e90f3d5..e135de69f2 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -344,6 +344,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, # define EVP_CTRL_SET_PIPELINE_INPUT_BUFS 0x23 /* Set the input buffer lengths to use for a pipelined operation */ # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24 +# define EVP_CTRL_GET_DRBG 0x25 +# define EVP_CTRL_SET_DRBG 0x26 /* Padding modes */ #define EVP_PADDING_PKCS7 1 diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 4c63d4acd5..f775f26b3d 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -167,6 +167,7 @@ int ssl3_change_cipher_state(SSL *s, int which) */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); } + EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); dd = s->enc_write_ctx; if (ssl_replace_hash(&s->write_hash, m) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d3358196d5..8092684af7 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3753,6 +3753,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); goto err; } + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); p = senc; if (!i2d_SSL_SESSION(s->session, &p)) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 465d483407..774625a202 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -170,6 +170,7 @@ int tls1_change_cipher_state(SSL *s, int which) ERR_R_MALLOC_FAILURE); goto err; } + EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); dd = s->enc_write_ctx; if (SSL_IS_DTLS(s)) { mac_ctx = EVP_MD_CTX_new(); diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 63328045cc..5982c8e93d 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -406,6 +406,7 @@ int tls13_change_cipher_state(SSL *s, int which) SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } + EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); } ciph_ctx = s->enc_write_ctx; iv = s->write_iv; -- 2.25.1