md_rand.c revision 340704
1/* crypto/rand/md_rand.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#define OPENSSL_FIPSEVP 113 114#ifdef MD_RAND_DEBUG 115# ifndef NDEBUG 116# define NDEBUG 117# endif 118#endif 119 120#include <assert.h> 121#include <stdio.h> 122#include <string.h> 123 124#include "e_os.h" 125 126#include <openssl/crypto.h> 127#include <openssl/rand.h> 128#include "rand_lcl.h" 129 130#include <openssl/err.h> 131 132#ifdef BN_DEBUG 133# define PREDICT 134#endif 135 136/* #define PREDICT 1 */ 137 138#define STATE_SIZE 1023 139static size_t state_num = 0, state_index = 0; 140static unsigned char state[STATE_SIZE + MD_DIGEST_LENGTH]; 141static unsigned char md[MD_DIGEST_LENGTH]; 142static long md_count[2] = { 0, 0 }; 143 144static double entropy = 0; 145static int initialized = 0; 146 147static unsigned int crypto_lock_rand = 0; /* may be set only when a thread 148 * holds CRYPTO_LOCK_RAND (to 149 * prevent double locking) */ 150/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */ 151/* valid iff crypto_lock_rand is set */ 152static CRYPTO_THREADID locking_threadid; 153 154#ifdef PREDICT 155int rand_predictable = 0; 156#endif 157 158const char RAND_version[] = "RAND" OPENSSL_VERSION_PTEXT; 159 160static void ssleay_rand_cleanup(void); 161static void ssleay_rand_seed(const void *buf, int num); 162static void ssleay_rand_add(const void *buf, int num, double add_entropy); 163static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num); 164static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); 165static int ssleay_rand_status(void); 166 167RAND_METHOD rand_ssleay_meth = { 168 ssleay_rand_seed, 169 ssleay_rand_nopseudo_bytes, 170 ssleay_rand_cleanup, 171 ssleay_rand_add, 172 ssleay_rand_pseudo_bytes, 173 ssleay_rand_status 174}; 175 176RAND_METHOD *RAND_SSLeay(void) 177{ 178 return (&rand_ssleay_meth); 179} 180 181static void ssleay_rand_cleanup(void) 182{ 183 OPENSSL_cleanse(state, sizeof(state)); 184 state_num = 0; 185 state_index = 0; 186 OPENSSL_cleanse(md, MD_DIGEST_LENGTH); 187 md_count[0] = 0; 188 md_count[1] = 0; 189 entropy = 0; 190 initialized = 0; 191} 192 193static void ssleay_rand_add(const void *buf, int num, double add) 194{ 195 int i, j, k, st_idx; 196 long md_c[2]; 197 unsigned char local_md[MD_DIGEST_LENGTH]; 198 EVP_MD_CTX m; 199 int do_not_lock; 200 201 if (!num) 202 return; 203 204 /* 205 * (Based on the rand(3) manpage) 206 * 207 * The input is chopped up into units of 20 bytes (or less for 208 * the last block). Each of these blocks is run through the hash 209 * function as follows: The data passed to the hash function 210 * is the current 'md', the same number of bytes from the 'state' 211 * (the location determined by in incremented looping index) as 212 * the current 'block', the new key data 'block', and 'count' 213 * (which is incremented after each use). 214 * The result of this is kept in 'md' and also xored into the 215 * 'state' at the same locations that were used as input into the 216 * hash function. 217 */ 218 219 /* check if we already have the lock */ 220 if (crypto_lock_rand) { 221 CRYPTO_THREADID cur; 222 CRYPTO_THREADID_current(&cur); 223 CRYPTO_r_lock(CRYPTO_LOCK_RAND2); 224 do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); 225 CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); 226 } else 227 do_not_lock = 0; 228 229 if (!do_not_lock) 230 CRYPTO_w_lock(CRYPTO_LOCK_RAND); 231 st_idx = state_index; 232 233 /* 234 * use our own copies of the counters so that even if a concurrent thread 235 * seeds with exactly the same data and uses the same subarray there's 236 * _some_ difference 237 */ 238 md_c[0] = md_count[0]; 239 md_c[1] = md_count[1]; 240 241 memcpy(local_md, md, sizeof(md)); 242 243 /* state_index <= state_num <= STATE_SIZE */ 244 state_index += num; 245 if (state_index >= STATE_SIZE) { 246 state_index %= STATE_SIZE; 247 state_num = STATE_SIZE; 248 } else if (state_num < STATE_SIZE) { 249 if (state_index > state_num) 250 state_num = state_index; 251 } 252 /* state_index <= state_num <= STATE_SIZE */ 253 254 /* 255 * state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE] are what we 256 * will use now, but other threads may use them as well 257 */ 258 259 md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); 260 261 if (!do_not_lock) 262 CRYPTO_w_unlock(CRYPTO_LOCK_RAND); 263 264 EVP_MD_CTX_init(&m); 265 for (i = 0; i < num; i += MD_DIGEST_LENGTH) { 266 j = (num - i); 267 j = (j > MD_DIGEST_LENGTH) ? MD_DIGEST_LENGTH : j; 268 269 if (!MD_Init(&m) || 270 !MD_Update(&m, local_md, MD_DIGEST_LENGTH)) 271 goto err; 272 k = (st_idx + j) - STATE_SIZE; 273 if (k > 0) { 274 if (!MD_Update(&m, &(state[st_idx]), j - k) || 275 !MD_Update(&m, &(state[0]), k)) 276 goto err; 277 } else 278 if (!MD_Update(&m, &(state[st_idx]), j)) 279 goto err; 280 281 /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ 282 if (!MD_Update(&m, buf, j)) 283 goto err; 284 /* 285 * We know that line may cause programs such as purify and valgrind 286 * to complain about use of uninitialized data. The problem is not, 287 * it's with the caller. Removing that line will make sure you get 288 * really bad randomness and thereby other problems such as very 289 * insecure keys. 290 */ 291 292 if (!MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)) || 293 !MD_Final(&m, local_md)) 294 goto err; 295 md_c[1]++; 296 297 buf = (const char *)buf + j; 298 299 for (k = 0; k < j; k++) { 300 /* 301 * Parallel threads may interfere with this, but always each byte 302 * of the new state is the XOR of some previous value of its and 303 * local_md (itermediate values may be lost). Alway using locking 304 * could hurt performance more than necessary given that 305 * conflicts occur only when the total seeding is longer than the 306 * random state. 307 */ 308 state[st_idx++] ^= local_md[k]; 309 if (st_idx >= STATE_SIZE) 310 st_idx = 0; 311 } 312 } 313 314 if (!do_not_lock) 315 CRYPTO_w_lock(CRYPTO_LOCK_RAND); 316 /* 317 * Don't just copy back local_md into md -- this could mean that other 318 * thread's seeding remains without effect (except for the incremented 319 * counter). By XORing it we keep at least as much entropy as fits into 320 * md. 321 */ 322 for (k = 0; k < (int)sizeof(md); k++) { 323 md[k] ^= local_md[k]; 324 } 325 if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */ 326 entropy += add; 327 if (!do_not_lock) 328 CRYPTO_w_unlock(CRYPTO_LOCK_RAND); 329 330#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) 331 assert(md_c[1] == md_count[1]); 332#endif 333 334 err: 335 EVP_MD_CTX_cleanup(&m); 336} 337 338static void ssleay_rand_seed(const void *buf, int num) 339{ 340 ssleay_rand_add(buf, num, (double)num); 341} 342 343int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) 344{ 345 static volatile int stirred_pool = 0; 346 int i, j, k; 347 size_t num_ceil, st_idx, st_num; 348 long md_c[2]; 349 unsigned char local_md[MD_DIGEST_LENGTH]; 350 EVP_MD_CTX m; 351#ifndef GETPID_IS_MEANINGLESS 352 pid_t curr_pid = getpid(); 353#endif 354 int do_stir_pool = 0; 355 356#ifdef PREDICT 357 if (rand_predictable) { 358 static unsigned char val = 0; 359 360 for (i = 0; i < num; i++) 361 buf[i] = val++; 362 return (1); 363 } 364#endif 365 366 if (num <= 0) 367 return 1; 368 369 EVP_MD_CTX_init(&m); 370 /* round upwards to multiple of MD_DIGEST_LENGTH/2 */ 371 num_ceil = 372 (1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2); 373 374 /* 375 * (Based on the rand(3) manpage:) 376 * 377 * For each group of 10 bytes (or less), we do the following: 378 * 379 * Input into the hash function the local 'md' (which is initialized from 380 * the global 'md' before any bytes are generated), the bytes that are to 381 * be overwritten by the random bytes, and bytes from the 'state' 382 * (incrementing looping index). From this digest output (which is kept 383 * in 'md'), the top (up to) 10 bytes are returned to the caller and the 384 * bottom 10 bytes are xored into the 'state'. 385 * 386 * Finally, after we have finished 'num' random bytes for the 387 * caller, 'count' (which is incremented) and the local and global 'md' 388 * are fed into the hash function and the results are kept in the 389 * global 'md'. 390 */ 391 if (lock) 392 CRYPTO_w_lock(CRYPTO_LOCK_RAND); 393 394 /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ 395 CRYPTO_w_lock(CRYPTO_LOCK_RAND2); 396 CRYPTO_THREADID_current(&locking_threadid); 397 CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); 398 crypto_lock_rand = 1; 399 400 if (!initialized) { 401 RAND_poll(); 402 initialized = (entropy >= ENTROPY_NEEDED); 403 } 404 405 if (!stirred_pool) 406 do_stir_pool = 1; 407 408 if (!initialized) { 409 /* 410 * If the PRNG state is not yet unpredictable, then seeing the PRNG 411 * output may help attackers to determine the new state; thus we have 412 * to decrease the entropy estimate. Once we've had enough initial 413 * seeding we don't bother to adjust the entropy count, though, 414 * because we're not ambitious to provide *information-theoretic* 415 * randomness. NOTE: This approach fails if the program forks before 416 * we have enough entropy. Entropy should be collected in a separate 417 * input pool and be transferred to the output pool only when the 418 * entropy limit has been reached. 419 */ 420 entropy -= num; 421 if (entropy < 0) 422 entropy = 0; 423 } 424 425 if (do_stir_pool) { 426 /* 427 * In the output function only half of 'md' remains secret, so we 428 * better make sure that the required entropy gets 'evenly 429 * distributed' through 'state', our randomness pool. The input 430 * function (ssleay_rand_add) chains all of 'md', which makes it more 431 * suitable for this purpose. 432 */ 433 434 int n = STATE_SIZE; /* so that the complete pool gets accessed */ 435 while (n > 0) { 436#if MD_DIGEST_LENGTH > 20 437# error "Please adjust DUMMY_SEED." 438#endif 439#define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */ 440 /* 441 * Note that the seed does not matter, it's just that 442 * ssleay_rand_add expects to have something to hash. 443 */ 444 ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); 445 n -= MD_DIGEST_LENGTH; 446 } 447 if (initialized) 448 stirred_pool = 1; 449 } 450 451 st_idx = state_index; 452 st_num = state_num; 453 md_c[0] = md_count[0]; 454 md_c[1] = md_count[1]; 455 memcpy(local_md, md, sizeof(md)); 456 457 state_index += num_ceil; 458 if (state_index > state_num) 459 state_index %= state_num; 460 461 /* 462 * state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] are now 463 * ours (but other threads may use them too) 464 */ 465 466 md_count[0] += 1; 467 468 /* before unlocking, we must clear 'crypto_lock_rand' */ 469 crypto_lock_rand = 0; 470 if (lock) 471 CRYPTO_w_unlock(CRYPTO_LOCK_RAND); 472 473 while (num > 0) { 474 /* num_ceil -= MD_DIGEST_LENGTH/2 */ 475 j = (num >= MD_DIGEST_LENGTH / 2) ? MD_DIGEST_LENGTH / 2 : num; 476 num -= j; 477 if (!MD_Init(&m)) 478 goto err; 479#ifndef GETPID_IS_MEANINGLESS 480 if (curr_pid) { /* just in the first iteration to save time */ 481 if (!MD_Update(&m, (unsigned char *)&curr_pid, sizeof(curr_pid))) 482 goto err; 483 curr_pid = 0; 484 } 485#endif 486 if (!MD_Update(&m, local_md, MD_DIGEST_LENGTH) || 487 !MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c))) 488 goto err; 489 490#ifndef PURIFY /* purify complains */ 491 /* 492 * The following line uses the supplied buffer as a small source of 493 * entropy: since this buffer is often uninitialised it may cause 494 * programs such as purify or valgrind to complain. So for those 495 * builds it is not used: the removal of such a small source of 496 * entropy has negligible impact on security. 497 */ 498 if (!MD_Update(&m, buf, j)) 499 goto err; 500#endif 501 502 k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num; 503 if (k > 0) { 504 if (!MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k) || 505 !MD_Update(&m, &(state[0]), k)) 506 goto err; 507 } else { 508 if (!MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2)) 509 goto err; 510 } 511 if (!MD_Final(&m, local_md)) 512 goto err; 513 514 for (i = 0; i < MD_DIGEST_LENGTH / 2; i++) { 515 /* may compete with other threads */ 516 state[st_idx++] ^= local_md[i]; 517 if (st_idx >= st_num) 518 st_idx = 0; 519 if (i < j) 520 *(buf++) = local_md[i + MD_DIGEST_LENGTH / 2]; 521 } 522 } 523 524 if (!MD_Init(&m) || 525 !MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c)) || 526 !MD_Update(&m, local_md, MD_DIGEST_LENGTH)) 527 goto err; 528 if (lock) 529 CRYPTO_w_lock(CRYPTO_LOCK_RAND); 530 if (!MD_Update(&m, md, MD_DIGEST_LENGTH) || 531 !MD_Final(&m, md)) { 532 if (lock) 533 CRYPTO_w_unlock(CRYPTO_LOCK_RAND); 534 goto err; 535 } 536 if (lock) 537 CRYPTO_w_unlock(CRYPTO_LOCK_RAND); 538 539 EVP_MD_CTX_cleanup(&m); 540 if (initialized) 541 return (1); 542 else if (pseudo) 543 return 0; 544 else { 545 RANDerr(RAND_F_SSLEAY_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED); 546 ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " 547 "http://www.openssl.org/support/faq.html"); 548 return (0); 549 } 550 551 err: 552 EVP_MD_CTX_cleanup(&m); 553 return (0); 554} 555 556/* 557 * Returns ssleay_rand_bytes(), enforcing a reseeding from the 558 * system entropy sources using RAND_poll() before generating 559`* the random bytes. 560 */ 561 562int ssleay_rand_bytes_from_system(unsigned char *buf, int num) 563{ 564 initialized = 0; 565 return ssleay_rand_bytes(buf, num, 0, 0); 566} 567 568static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num) 569{ 570 return ssleay_rand_bytes(buf, num, 0, 1); 571} 572 573/* 574 * pseudo-random bytes that are guaranteed to be unique but not unpredictable 575 */ 576static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 577{ 578 return ssleay_rand_bytes(buf, num, 1, 1); 579} 580 581static int ssleay_rand_status(void) 582{ 583 CRYPTO_THREADID cur; 584 int ret; 585 int do_not_lock; 586 587 CRYPTO_THREADID_current(&cur); 588 /* 589 * check if we already have the lock (could happen if a RAND_poll() 590 * implementation calls RAND_status()) 591 */ 592 if (crypto_lock_rand) { 593 CRYPTO_r_lock(CRYPTO_LOCK_RAND2); 594 do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); 595 CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); 596 } else 597 do_not_lock = 0; 598 599 if (!do_not_lock) { 600 CRYPTO_w_lock(CRYPTO_LOCK_RAND); 601 602 /* 603 * prevent ssleay_rand_bytes() from trying to obtain the lock again 604 */ 605 CRYPTO_w_lock(CRYPTO_LOCK_RAND2); 606 CRYPTO_THREADID_cpy(&locking_threadid, &cur); 607 CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); 608 crypto_lock_rand = 1; 609 } 610 611 if (!initialized) { 612 RAND_poll(); 613 initialized = (entropy >= ENTROPY_NEEDED); 614 } 615 616 ret = initialized; 617 618 if (!do_not_lock) { 619 /* before unlocking, we must clear 'crypto_lock_rand' */ 620 crypto_lock_rand = 0; 621 622 CRYPTO_w_unlock(CRYPTO_LOCK_RAND); 623 } 624 625 return ret; 626} 627