/* init_once initializes the state of this module to values previously * requested. This is the only function that modifies |urandom_fd| and * |urandom_buffering|, whose values may be read safely after calling the * once. */ static void init_once(void) { CRYPTO_STATIC_MUTEX_lock_read(&requested_lock); urandom_buffering = urandom_buffering_requested; int fd = urandom_fd_requested; CRYPTO_STATIC_MUTEX_unlock_read(&requested_lock); #if defined(USE_SYS_getrandom) uint8_t dummy; long getrandom_ret = syscall(SYS_getrandom, &dummy, sizeof(dummy), GRND_NONBLOCK); if (getrandom_ret == 1) { urandom_fd = kHaveGetrandom; return; } else if (getrandom_ret == -1 && errno == EAGAIN) { fprintf(stderr, "getrandom indicates that the entropy pool has not been " "initialized. Rather than continue with poor entropy, this process " "will block until entropy is available.\n"); do { getrandom_ret = syscall(SYS_getrandom, &dummy, sizeof(dummy), 0 /* no flags */); } while (getrandom_ret == -1 && errno == EINTR); if (getrandom_ret == 1) { urandom_fd = kHaveGetrandom; return; } } #endif /* USE_SYS_getrandom */ if (fd == kUnset) { do { fd = open("/dev/urandom", O_RDONLY); } while (fd == -1 && errno == EINTR); } if (fd < 0) { abort(); } int flags = fcntl(fd, F_GETFD); if (flags == -1) { /* Native Client doesn't implement |fcntl|. */ if (errno != ENOSYS) { abort(); } } else { flags |= FD_CLOEXEC; if (fcntl(fd, F_SETFD, flags) == -1) { abort(); } } urandom_fd = fd; }
const X509_POLICY_CACHE *policy_cache_set(X509 *x) { X509_POLICY_CACHE *cache; CRYPTO_STATIC_MUTEX_lock_read(&g_x509_policy_cache_lock); cache = x->policy_cache; CRYPTO_STATIC_MUTEX_unlock(&g_x509_policy_cache_lock); if (cache != NULL) return cache; CRYPTO_STATIC_MUTEX_lock_write(&g_x509_policy_cache_lock); if (x->policy_cache == NULL) policy_cache_new(x); cache = x->policy_cache; CRYPTO_STATIC_MUTEX_unlock(&g_x509_policy_cache_lock); return cache; }
void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) { CRYPTO_STATIC_MUTEX_lock_read(lock); }
void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]) { if (out_len == 0) { return; } // Additional data is mixed into every CTR-DRBG call to protect, as best we // can, against forks & VM clones. We do not over-read this information and // don't reseed with it so, from the point of view of FIPS, this doesn't // provide “prediction resistance”. But, in practice, it does. uint8_t additional_data[32]; if (!hwrand(additional_data, sizeof(additional_data))) { // Without a hardware RNG to save us from address-space duplication, the OS // entropy is used. This can be expensive (one read per |RAND_bytes| call) // and so can be disabled by applications that we have ensured don't fork // and aren't at risk of VM cloning. if (!rand_fork_unsafe_buffering_enabled()) { CRYPTO_sysrand(additional_data, sizeof(additional_data)); } else { OPENSSL_memset(additional_data, 0, sizeof(additional_data)); } } for (size_t i = 0; i < sizeof(additional_data); i++) { additional_data[i] ^= user_additional_data[i]; } struct rand_state stack_state; struct rand_state *state = rand_state_get(); if (state == NULL) { // If the system is out of memory, use an ephemeral state on the // stack. state = &stack_state; rand_state_init(state); } if (state->calls >= kReseedInterval) { uint8_t seed[CTR_DRBG_ENTROPY_LEN]; rand_get_seed(state, seed); #if defined(BORINGSSL_FIPS) // Take a read lock around accesses to |state->drbg|. This is needed to // avoid returning bad entropy if we race with // |rand_state_clear_all|. // // This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a // bug on ppc64le. glibc may implement pthread locks by wrapping user code // in a hardware transaction, but, on some older versions of glibc and the // kernel, syscalls made with |syscall| did not abort the transaction. CRYPTO_STATIC_MUTEX_lock_read(rand_drbg_lock_bss_get()); #endif if (!CTR_DRBG_reseed(&state->drbg, seed, NULL, 0)) { abort(); } state->calls = 0; } else { #if defined(BORINGSSL_FIPS) CRYPTO_STATIC_MUTEX_lock_read(rand_drbg_lock_bss_get()); #endif } int first_call = 1; while (out_len > 0) { size_t todo = out_len; if (todo > CTR_DRBG_MAX_GENERATE_LENGTH) { todo = CTR_DRBG_MAX_GENERATE_LENGTH; } if (!CTR_DRBG_generate(&state->drbg, out, todo, additional_data, first_call ? sizeof(additional_data) : 0)) { abort(); } out += todo; out_len -= todo; state->calls++; first_call = 0; } if (state == &stack_state) { CTR_DRBG_clear(&state->drbg); } #if defined(BORINGSSL_FIPS) CRYPTO_STATIC_MUTEX_unlock_read(rand_drbg_lock_bss_get()); #endif if (state != &stack_state) { rand_state_put(state); } }
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) { EVP_PKEY *ret=NULL; if (key == NULL) goto error; CRYPTO_STATIC_MUTEX_lock_read(&g_pubkey_lock); if (key->pkey != NULL) { CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); return EVP_PKEY_up_ref(key->pkey); } CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); if (key->public_key == NULL) goto error; if ((ret = EVP_PKEY_new()) == NULL) { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, ERR_R_MALLOC_FAILURE); goto error; } if (!EVP_PKEY_set_type(ret, OBJ_obj2nid(key->algor->algorithm))) { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, X509_R_UNSUPPORTED_ALGORITHM); goto error; } if (ret->ameth->pub_decode) { if (!ret->ameth->pub_decode(ret, key)) { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, X509_R_PUBLIC_KEY_DECODE_ERROR); goto error; } } else { OPENSSL_PUT_ERROR(X509, X509_PUBKEY_get, X509_R_METHOD_NOT_SUPPORTED); goto error; } /* Check to see if another thread set key->pkey first */ CRYPTO_STATIC_MUTEX_lock_write(&g_pubkey_lock); if (key->pkey) { CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); EVP_PKEY_free(ret); ret = key->pkey; } else { key->pkey = ret; CRYPTO_STATIC_MUTEX_unlock(&g_pubkey_lock); } return EVP_PKEY_up_ref(ret); error: if (ret != NULL) EVP_PKEY_free(ret); return(NULL); }