Lock globalRNGMutex around all shared globalRNG access#10824
Open
yosuke-wolfssl wants to merge 1 commit into
Open
Lock globalRNGMutex around all shared globalRNG access#10824yosuke-wolfssl wants to merge 1 commit into
yosuke-wolfssl wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR strengthens thread safety in the OpenSSL-compat RNG path by extending the existing globalRNGMutex locking discipline to all remaining operations that touch the shared static WC_RNG globalRNG, preventing races in DRBG/seed state when called concurrently.
Changes:
- Add
globalRNGMutexlocking aroundglobalRNGoperations inwolfSSL_RAND_write_file,wolfSSL_RAND_egd, andwolfSSL_RAND_poll. - Add
globalRNGMutexlocking around detached S/MIME boundary generation inwolfSSL_SMIME_write_PKCS7.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/ssl.c | Adds missing globalRNGMutex locking around reseed/seed/generate operations on the shared globalRNG. |
| src/ssl_p7p12.c | Locks globalRNGMutex while generating the detached S/MIME boundary using globalRNG. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ffef7a3 to
b9efc8e
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10824
Scan targets checked: wolfssl-bugs, wolfssl-src
No new issues found in the changed files. ✅
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The OpenSSL-compat layer shares a single static
WC_RNG globalRNGwhoseHash-DRBG state is not internally thread-safe. The canonical access pattern
(
wolfSSL_RAND_bytes) holdsglobalRNGMutexfor the entire duration of anyoperation on
globalRNG. Several sibling functions mutated the sameglobalRNGwithout taking the lock, so concurrent callers — or onerunning alongside a lock-holding
RAND_bytes/RAND_addcaller — could raceon the shared DRBG V/C/reseed-counter and seed state, corrupting the DRBG and
the randomness it yields to compat consumers (IVs, nonces, keys).
This PR extends the existing
globalRNGMutexdiscipline to every remainingunprotected access.
Addressed by f_6555 and f_6556.
Changes
src/ssl.cwolfSSL_RAND_write_file: acquireglobalRNGMutexaroundwc_RNG_GenerateBlock(&globalRNG, ...), unlocking before the file I/O tokeep the critical section minimal.
wolfSSL_RAND_egd: lock around thewc_RNG_DRBG_Reseed(&globalRNG, ...)of the collected EGD entropy.
wolfSSL_RAND_poll: hold the lock from beforewc_GenerateSeed(&globalRNG.seed, ...)(previously an unlocked write to
globalRNG.seed) throughwc_RNG_DRBG_Reseed, unlocking on every path (including theHAVE_INTEL_RDRANDand no-HASHDRBG branches). Added a comment noting thelock intentionally covers
wc_GenerateSeedso the scope is not narrowedback later.
src/ssl_p7p12.cwolfSSL_SMIME_write_PKCS7: lock around thewc_RNG_GenerateBlock(&globalRNG, ...)that generates the detached S/MIME MIME boundary, following the function's
existing
ret > 0fallthrough style.Notes
wolfSSL_RAND_pollis called bywolfSSL_RAND_bytesonly after thatfunction releases
globalRNGMutex(and it re-acquires it afterward), sohaving
RAND_polltake the lock itself does not self-deadlock.globalRNGMutexis in scope forssl_p7p12.cbecause it is#includedinto
ssl.cafter the mutex'sstaticdefinition, within the sameOPENSSL_EXTRA/HAVE_GLOBAL_RNGcontext.Testing
./configure --enable-allbuilt under-fsanitize=address,undefined -fno-omit-frame-pointer; full./tests/unit.testpasses (exit 0),including
test_wolfSSL_RAND_poll, theossl_randgroup, andtest_wolfSSL_SMIME_write_PKCS7.