diff options
author | Rich Salz <rsalz@openssl.org> | 2017-06-27 12:04:37 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2017-07-19 03:25:16 -0400 |
commit | 12fb8c3d2dd00f3d4f1b084385403d26ed64a596 (patch) | |
tree | 7fc90f8f80e16ab4e8b79def2162a56dd2d704dc | |
parent | 0299f3f790437d124d15f60489c774407325f82b (diff) |
Add DRBG random method
Ported from the last FIPS release, with DUAL_EC and SHA1 and the
self-tests removed. Since only AES-CTR is supported, other code
simplifications were done. Removed the "entropy blocklen" concept.
Moved internal functions to new include/internal/rand.h.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3789)
-rw-r--r-- | crypto/err/openssl.txt | 35 | ||||
-rw-r--r-- | crypto/rand/build.info | 2 | ||||
-rw-r--r-- | crypto/rand/drbg_lib.c | 349 | ||||
-rw-r--r-- | crypto/rand/drbg_rand.c | 449 | ||||
-rw-r--r-- | crypto/rand/ossl_rand.c | 52 | ||||
-rw-r--r-- | crypto/rand/rand_err.c | 38 | ||||
-rw-r--r-- | crypto/rand/rand_lcl.h | 86 | ||||
-rw-r--r-- | crypto/rand/rand_lib.c | 1 | ||||
-rw-r--r-- | include/internal/rand.h | 50 | ||||
-rw-r--r-- | include/openssl/crypto.h | 3 | ||||
-rw-r--r-- | include/openssl/ossl_typ.h | 1 | ||||
-rw-r--r-- | include/openssl/rand.h | 19 | ||||
-rw-r--r-- | include/openssl/randerr.h | 35 | ||||
-rw-r--r-- | test/build.info | 7 | ||||
-rw-r--r-- | test/drbgtest.c | 490 | ||||
-rw-r--r-- | test/drbgtest.h | 579 | ||||
-rw-r--r-- | test/recipes/05-test_rand.t | 9 | ||||
-rw-r--r-- | util/libcrypto.num | 13 | ||||
-rwxr-xr-x | util/mkdef.pl | 1 |
19 files changed, 2165 insertions, 54 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index f8428706d2..d8fcb9ac60 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -860,9 +860,17 @@ PKCS7_F_PKCS7_SIGNER_INFO_SIGN:139:PKCS7_SIGNER_INFO_sign PKCS7_F_PKCS7_SIGN_ADD_SIGNER:137:PKCS7_sign_add_signer PKCS7_F_PKCS7_SIMPLE_SMIMECAP:119:PKCS7_simple_smimecap PKCS7_F_PKCS7_VERIFY:117:PKCS7_verify +RAND_F_DRBG_BYTES:101:drbg_bytes +RAND_F_DRBG_GET_ENTROPY:105:drbg_get_entropy +RAND_F_GET_ENTROPY:106:get_entropy RAND_F_RAND_BYTES:100:RAND_bytes -RAND_F_RAND_LOAD_FILE:101:RAND_load_file -RAND_F_RAND_WRITE_FILE:102:RAND_write_file +RAND_F_RAND_DRBG_GENERATE:107:RAND_DRBG_generate +RAND_F_RAND_DRBG_INSTANTIATE:108:RAND_DRBG_instantiate +RAND_F_RAND_DRBG_NEW:109:RAND_DRBG_new +RAND_F_RAND_DRBG_RESEED:110:RAND_DRBG_reseed +RAND_F_RAND_DRBG_SET:104:RAND_DRBG_set +RAND_F_RAND_LOAD_FILE:111:RAND_load_file +RAND_F_RAND_WRITE_FILE:112:RAND_write_file RSA_F_CHECK_PADDING_MD:140:check_padding_md RSA_F_ENCODE_PKCS1:146:encode_pkcs1 RSA_F_INT_RSA_VERIFY:145:int_rsa_verify @@ -2098,11 +2106,28 @@ PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type -RAND_R_CANNOT_OPEN_FILE:102:Cannot open file +RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long +RAND_R_ALREADY_INSTANTIATED:103:already instantiated +RAND_R_CANNOT_OPEN_FILE:121:Cannot open file +RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised +RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg +RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg +RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input +RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy +RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented -RAND_R_FWRITE_ERROR:103:Error writing file -RAND_R_NOT_A_REGULAR_FILE:104:Not a regular file +RAND_R_FWRITE_ERROR:123:Error writing file +RAND_R_GENERATE_ERROR:112:generate error +RAND_R_INTERNAL_ERROR:113:internal error +RAND_R_IN_ERROR_STATE:114:in error state +RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file +RAND_R_NOT_INSTANTIATED:115:not instantiated +RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded +RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg +RAND_R_RESEED_ERROR:118:reseed error +RAND_R_SELFTEST_FAILURE:119:selftest failure +RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch RSA_R_BAD_E_VALUE:101:bad e value RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt diff --git a/crypto/rand/build.info b/crypto/rand/build.info index 9e0a90b73d..f011d78d88 100644 --- a/crypto/rand/build.info +++ b/crypto/rand/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ ossl_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \ - rand_win.c rand_unix.c rand_vms.c + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_rand.c diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c new file mode 100644 index 0000000000..b9161ab23c --- /dev/null +++ b/crypto/rand/drbg_lib.c @@ -0,0 +1,349 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include "rand_lcl.h" + +/* + * Support framework for NIST SP 800-90A DRBG, AES-CTR mode. + */ + +/* + * Get entropy from the existing callback. This is mainly used for KATs. + */ +static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + if (dctx->get_entropy != NULL) + return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); + /* TODO: Get from parent if it exists. */ + return 0; +} + +/* + * Cleanup entropy. + */ +static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen) +{ + if (dctx->cleanup_entropy != NULL) + dctx->cleanup_entropy(dctx, out, olen); +} + +/* + * The OpenSSL model is to have new and free functions, and that new + * does all initialization. That is not the NIST model, which has + * instantiation and un-instantiate, and re-use within a new/free + * lifecycle. (No doubt this comes from the desire to support hardware + * DRBG, where allocation of resources on something like an HSM is + * a much bigger deal than just re-setting an allocated resource.) + * + * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the + * DRBG. + */ + +/* + * Set/initialize |dctx| to be of type |nid|, with optional |flags|. + * Return -2 if the type is not supported, 1 on success and -1 on + * failure. + */ +int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags) +{ + int ret = 1; + + dctx->status = DRBG_STATUS_UNINITIALISED; + dctx->flags = flags; + dctx->nid = nid; + + switch (nid) { + default: + RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE); + return -2; + case 0: + /* Uninitialized; that's okay. */ + return 1; + case NID_aes_128_ctr: + case NID_aes_192_ctr: + case NID_aes_256_ctr: + ret = ctr_init(dctx); + break; + } + + if (ret < 0) + RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG); + return ret; +} + +/* + * Allocate memory and initialize a new DRBG. The |parent|, if not + * NULL, will be used to auto-seed this DRBG_CTX as needed. + */ +DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent) +{ + DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx)); + + if (dctx == NULL) { + RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } + + dctx->parent = parent; + if (RAND_DRBG_set(dctx, type, flags) < 0) { + OPENSSL_free(dctx); + return NULL; + } + return dctx; +} + +/* + * Uninstantiate |dctx| and free all memory. + */ +void RAND_DRBG_free(DRBG_CTX *dctx) +{ + if (dctx == NULL) + return; + + ctr_uninstantiate(dctx); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data); + + /* Don't free up default DRBG */ + if (dctx == RAND_DRBG_get_default()) { + memset(dctx, 0, sizeof(DRBG_CTX)); + dctx->nid = 0; + dctx->status = DRBG_STATUS_UNINITIALISED; + } else { + OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); + OPENSSL_free(dctx); + } +} + +/* + * Instantiate |dctx|, after it has been initialized. Use |pers| and + * |perslen| as prediction-resistance input. + */ +int RAND_DRBG_instantiate(DRBG_CTX *dctx, + const unsigned char *pers, size_t perslen) +{ + size_t entlen = 0, noncelen = 0; + unsigned char *nonce = NULL, *entropy = NULL; + int r = 0; + + if (perslen > dctx->max_pers) { + r = RAND_R_PERSONALISATION_STRING_TOO_LONG; + goto end; + } + if (dctx->status != DRBG_STATUS_UNINITIALISED) { + r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE + : RAND_R_ALREADY_INSTANTIATED; + goto end; + } + + dctx->status = DRBG_STATUS_ERROR; + entlen = get_entropy(dctx, &entropy, dctx->strength, + dctx->min_entropy, dctx->max_entropy); + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { + r = RAND_R_ERROR_RETRIEVING_ENTROPY; + goto end; + } + + if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) { + noncelen = dctx->get_nonce(dctx, &nonce, + dctx->strength / 2, + dctx->min_nonce, dctx->max_nonce); + + if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { + r = RAND_R_ERROR_RETRIEVING_NONCE; + goto end; + } + } + + if (!ctr_instantiate(dctx, entropy, entlen, + nonce, noncelen, pers, perslen)) { + r = RAND_R_ERROR_INSTANTIATING_DRBG; + goto end; + } + + dctx->status = DRBG_STATUS_READY; + dctx->reseed_counter = 1; + +end: + if (entropy != NULL && dctx->cleanup_entropy != NULL) + dctx->cleanup_entropy(dctx, entropy, entlen); + if (nonce != NULL && dctx->cleanup_nonce!= NULL ) + dctx->cleanup_nonce(dctx, nonce, noncelen); + if (dctx->status == DRBG_STATUS_READY) + return 1; + + if (r) + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r); + return 0; +} + +/* + * Uninstantiate |dctx|. Must be instantiated before it can be used. + */ +int RAND_DRBG_uninstantiate(DRBG_CTX *dctx) +{ + int ret = ctr_uninstantiate(dctx); + + OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); + dctx->status = DRBG_STATUS_UNINITIALISED; + return ret; +} + +/* + * Mix in the specified data to reseed |dctx|. + */ +int RAND_DRBG_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) +{ + unsigned char *entropy = NULL; + size_t entlen = 0; + int r = 0; + + if (dctx->status != DRBG_STATUS_READY + && dctx->status != DRBG_STATUS_RESEED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = RAND_R_IN_ERROR_STATE; + else if (dctx->status == DRBG_STATUS_UNINITIALISED) + r = RAND_R_NOT_INSTANTIATED; + goto end; + } + + if (adin == NULL) + adinlen = 0; + else if (adinlen > dctx->max_adin) { + r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; + goto end; + } + + dctx->status = DRBG_STATUS_ERROR; + entlen = get_entropy(dctx, &entropy, dctx->strength, + dctx->min_entropy, dctx->max_entropy); + + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { + r = RAND_R_ERROR_RETRIEVING_ENTROPY; + goto end; + } + + if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen)) + goto end; + dctx->status = DRBG_STATUS_READY; + dctx->reseed_counter = 1; + +end: + if (entropy != NULL && dctx->cleanup_entropy != NULL) + cleanup_entropy(dctx, entropy, entlen); + if (dctx->status == DRBG_STATUS_READY) + return 1; + if (r) + RANDerr(RAND_F_RAND_DRBG_RESEED, r); + + return 0; +} + +/* + * Generate |outlen| bytes into the buffer at |out|. Reseed if we need + * to or if |prediction_resistance| is set. Additional input can be + * sent in |adin| and |adinlen|. + */ +int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, + int prediction_resistance, + const unsigned char *adin, size_t adinlen) +{ + int r = 0; + + if (dctx->status != DRBG_STATUS_READY + && dctx->status != DRBG_STATUS_RESEED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = RAND_R_IN_ERROR_STATE; + else if(dctx->status == DRBG_STATUS_UNINITIALISED) + r = RAND_R_NOT_INSTANTIATED; + goto end; + } + + if (outlen > dctx->max_request) { + r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG; + return 0; + } + if (adinlen > dctx->max_adin) { + r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; + goto end; + } + + if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + + if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { + if (!RAND_DRBG_reseed(dctx, adin, adinlen)) { + r = RAND_R_RESEED_ERROR; + goto end; + } + adin = NULL; + adinlen = 0; + } + + if (!ctr_generate(dctx, out, outlen, adin, adinlen)) { + r = RAND_R_GENERATE_ERROR; + dctx->status = DRBG_STATUS_ERROR; + goto end; + } + if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + else + dctx->reseed_counter++; + return 1; + +end: + RANDerr(RAND_F_RAND_DRBG_GENERATE, r); + return 0; +} + +/* + * Set the callbacks for entropy and nonce. Used mainly for the KATs + */ +int RAND_DRBG_set_callbacks(DRBG_CTX *dctx, + size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len), + void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen), + size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len), + void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)) +{ + if (dctx->status != DRBG_STATUS_UNINITIALISED) + return 0; + dctx->get_entropy = cb_get_entropy; + dctx->cleanup_entropy = cb_cleanup_entropy; + dctx->get_nonce = cb_get_nonce; + dctx->cleanup_nonce = cb_cleanup_nonce; + return 1; +} + +/* + * Set the reseed internal. Used mainly for the KATs. + */ +void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval) +{ + dctx->reseed_interval = interval; +} + +/* + * Get and set the EXDATA + */ +int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg) +{ + return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg); +} + +void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx) +{ + return CRYPTO_get_ex_data(&dctx->ex_data, idx); +} diff --git a/crypto/rand/drbg_rand.c b/crypto/rand/drbg_rand.c new file mode 100644 index 0000000000..858f74a45e --- /dev/null +++ b/crypto/rand/drbg_rand.c @@ -0,0 +1,449 @@ +/* + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> +#include <string.h> +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include "rand_lcl.h" +#include "internal/thread_once.h" + +/* + * Mapping of NIST SP 800-90A DRBG to OpenSSL RAND_METHOD. + */ + + +/* + * The default global DRBG and its auto-init/auto-cleanup. + */ +static DRBG_CTX ossl_drbg; + +static CRYPTO_ONCE ossl_drbg_init = CRYPTO_ONCE_STATIC_INIT; + +DEFINE_RUN_ONCE_STATIC(do_ossl_drbg_init) +{ + ossl_drbg.lock = CRYPTO_THREAD_lock_new(); + return ossl_drbg.lock != NULL; +} + +void rand_drbg_cleanup(void) +{ + CRYPTO_THREAD_lock_free(ossl_drbg.lock); +} + +static void inc_128(DRBG_CTR_CTX *cctx) +{ + int i; + unsigned char c; + unsigned char *p = &cctx->V[15]; + + for (i = 0; i < 16; i++, p--) { + c = *p; + c++; + *p = c; + if (c != 0) { + /* If we didn't wrap around, we're done. */ + break; + } + } +} + +static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen) +{ + size_t i, n; + + if (in == NULL || inlen == 0) + return; + + /* + * Any zero padding will have no effect on the result as we + * are XORing. So just process however much input we have. + */ + n = inlen < cctx->keylen ? inlen : cctx->keylen; + for (i = 0; i < n; i++) + cctx->K[i] ^= in[i]; + if (inlen <= cctx->keylen) + return; + + n = inlen - cctx->keylen; + if (n > 16) { + /* Should never happen */ + n = 16; + } + for (i = 0; i < 16; i++) + cctx->V[i] ^= in[i + cctx->keylen]; +} + +/* + * Process a complete block using BCC algorithm of SP 800-90A 10.3.3 + */ +static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out, + const unsigned char *in) +{ + int i; + + for (i = 0; i < 16; i++) + out[i] ^= in[i]; + AES_encrypt(out, out, &cctx->df_ks); +} + + +/* + * Handle several BCC operations for as much data as we need for K and X + */ +static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in) +{ + ctr_BCC_block(cctx, cctx->KX, in); + ctr_BCC_block(cctx, cctx->KX + 16, in); + if (cctx->keylen != 16) + ctr_BCC_block(cctx, cctx->KX + 32, in); +} + +/* + * Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: + * see 10.3.1 stage 7. + */ +static void ctr_BCC_init(DRBG_CTR_CTX *cctx) +{ + memset(cctx->KX, 0, 48); + memset(cctx->bltmp, 0, 16); + ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); + cctx->bltmp[3] = 1; + ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); + if (cctx->keylen != 16) { + cctx->bltmp[3] = 2; + ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); + } +} + +/* + * Process several blocks into BCC algorithm, some possibly partial + */ +static void ctr_BCC_update(DRBG_CTR_CTX *cctx, + const unsigned char *in, size_t inlen) +{ + if (in == NULL || inlen == 0) + return; + + /* If we have partial block handle it first */ + if (cctx->bltmp_pos) { + size_t left = 16 - cctx->bltmp_pos; + + /* If we now have a complete block process it */ + if (inlen >= left) { + memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); + ctr_BCC_blocks(cctx, cctx->bltmp); + cctx->bltmp_pos = 0; + inlen -= left; + in += left; + } + } + + /* Process zero or more complete blocks */ + for (; inlen >= 16; in += 16, inlen -= 16) { + ctr_BCC_blocks(cctx, in); + } + + /* Copy any remaining partial block to the temporary buffer */ + if (inlen > 0) { + memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); + cctx->bltmp_pos += inlen; + } +} + +static void ctr_BCC_final(DRBG_CTR_CTX *cctx) +{ + if (cctx->bltmp_pos) { + memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); + ctr_BCC_blocks(cctx, cctx->bltmp); + } +} + +static void ctr_df(DRBG_CTR_CTX *cctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *in3, size_t in3len) +{ + static unsigned char c80 = 0x80; + size_t inlen; + unsigned char *p = cctx->bltmp; + + ctr_BCC_init(cctx); + if (in1 == NULL) + in1len = 0; + if (in2 == NULL) + in2len = 0; + if (in3 == NULL) + in3len = 0; + inlen = in1len + in2len + in3len; + /* Initialise L||N in temporary block */ + *p++ = (inlen >> 24) & 0xff; + *p++ = (inlen >> 16) & 0xff; + *p++ = (inlen >> 8) & 0xff; + *p++ = inlen & 0xff; + + /* NB keylen is at most 32 bytes */ + *p++ = 0; + *p++ = 0; + *p++ = 0; + *p = (unsigned char)((cctx->keylen + 16) & 0xff); + cctx->bltmp_pos = 8; + ctr_BCC_update(cctx, in1, in1len); + ctr_BCC_update(cctx, in2, in2len); + ctr_BCC_update(cctx, in3, in3len); + ctr_BCC_update(cctx, &c80, 1); + ctr_BCC_final(cctx); + /* Set up key K */ + AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); + /* X follows key K */ + AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); + AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); + if (cctx->keylen != 16) + AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); +} + +/* + * NB the no-df Update in SP800-90A specifies a constant input length + * of seedlen, however other uses of this algorithm pad the input with + * zeroes if necessary and have up to two parameters XORed together, + * handle both cases in this function instead. + */ +static void ctr_update(DRBG_CTX *dctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *nonce, size_t noncelen) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + + /* ks is already setup for correct key */ + inc_128(cctx); + AES_encrypt(cctx->V, cctx->K, &cctx->ks); + + /* If keylen longer than 128 bits need extra encrypt */ + if (cctx->keylen != 16) { + inc_128(cctx); + AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); + } + inc_128(cctx); + AES_encrypt(cctx->V, cctx->V, &cctx->ks); + + /* If 192 bit key part of V is on end of K */ + if (cctx->keylen == 24) { + memcpy(cctx->V + 8, cctx->V, 8); + memcpy(cctx->V, cctx->K + 24, 8); + } + + if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) { + /* If no input reuse existing derived value */ + if (in1 != NULL || nonce != NULL || in2 != NULL) + ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); + /* If this a reuse input in1len != 0 */ + if (in1len) + ctr_XOR(cctx, cctx->KX, dctx->seedlen); + } else { + ctr_XOR(cctx, in1, in1len); + ctr_XOR(cctx, in2, in2len); + } + + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); +} + +int ctr_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *nonce, size_t noncelen, + const unsigned char *pers, size_t perslen) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + + memset(cctx->K, 0, sizeof(cctx->K)); + memset(cctx->V, 0, sizeof(cctx->V)); + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); + ctr_update(dctx, ent, entlen, pers, perslen, nonce, noncelen); + return 1; +} + +int ctr_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *adin, size_t adinlen) +{ + ctr_update(dctx, ent, entlen, adin, adinlen, NULL, 0); + return 1; +} + +int ctr_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adinlen) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + + if (adin != NULL && adinlen != 0) { + ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0); + /* This means we reuse derived value */ + if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) { + adin = NULL; + adinlen = 1; + } + } else { + adinlen = 0; + } + + for ( ; ; ) { + inc_128(cctx); + if (outlen < 16) { + /* Use K as temp space as it will be updated */ + AES_encrypt(cctx->V, cctx->K, &cctx->ks); + memcpy(out, cctx->K, outlen); + break; + } + AES_encrypt(cctx->V, out, &cctx->ks); + out += 16; + outlen -= 16; + if (outlen == 0) + break; + } + + ctr_update(dctx, adin, adinlen, NULL, 0, NULL, 0); + return 1; +} + +int ctr_uninstantiate(DRBG_CTX *dctx) +{ + memset(&dctx->ctr, 0, sizeof(dctx->ctr)); + return 1; +} + +int ctr_init(DRBG_CTX *dctx) +{ + DRBG_CTR_CTX *cctx = &dctx->ctr; + size_t keylen; + + switch (dctx->nid) { + default: + /* This can't happen, but silence the compiler warning. */ + return -1; + case NID_aes_128_ctr: + keylen = 16; + break; + case NID_aes_192_ctr: + keylen = 24; + break; + case NID_aes_256_ctr: + keylen = 32; + break; + } + + cctx->keylen = keylen; + dctx->strength = keylen * 8; + dctx->blocklength = 16; + dctx->seedlen = keylen + 16; + + if (dctx->flags & RAND_DRBG_FLAG_CTR_USE_DF) { + /* df initialisation */ + static unsigned char df_key[32] = { + 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, + 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, + 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17, + 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f + }; + /* Set key schedule for df_key */ + AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); + + dctx->min_entropy = cctx->keylen; + dctx->max_entropy = DRBG_MAX_LENGTH; + dctx->min_nonce = dctx->min_entropy / 2; + dctx->max_nonce = DRBG_MAX_LENGTH; + dctx->max_pers = DRBG_MAX_LENGTH; + dctx->max_adin = DRBG_MAX_LENGTH; + } else { + dctx->min_entropy = dctx->seedlen; + dctx->max_entropy = dctx->seedlen; + /* Nonce not used */ + dctx->min_nonce = 0; + dctx->max_nonce = 0; + dctx->max_pers = dctx->seedlen; + dctx->max_adin = dctx->seedlen; + } + + dctx->max_request = 1 << 16; + dctx->reseed_interval = 1 << 24; + return 1; +} + + +/* + * The following function tie the DRBG code into the RAND_METHOD + */ + +DRBG_CTX *RAND_DRBG_get_default(void) +{ + if (!RUN_ONCE(&ossl_drbg_init, do_ossl_drbg_init)) + return NULL; + return &ossl_drbg; +} + +static int drbg_bytes(unsigned char *out, int count) +{ + DRBG_CTX *dctx = RAND_DRBG_get_default(); + int ret = 0; + + CRYPTO_THREAD_write_lock(dctx->lock); + do { + size_t rcnt; + + if (count > (int)dctx->max_request) + rcnt = dctx->max_request; + else + rcnt = count; + ret = RAND_DRBG_generate(dctx, out, rcnt, 0, NULL, 0); + if (!ret) + goto err; + out += rcnt; + count -= rcnt; + } while (count); + ret = 1; +err: + CRYPTO_THREAD_unlock(dctx->lock); + return ret; +} + +static int drbg_status(void) +{ + DRBG_CTX *dctx = RAND_DRBG_get_default(); + int ret; + + CRYPTO_THREAD_write_lock(dctx->lock); + ret = dctx->status == DRBG_STATUS_READY ? 1 : 0; + CRYPTO_THREAD_unlock(dctx->lock); + return ret; +} + +static void drbg_cleanup(void) +{ + DRBG_CTX *dctx = RAND_DRBG_get_default(); + + CRYPTO_THREAD_write_lock(dctx->lock); + RAND_DRBG_uninstantiate(dctx); + CRYPTO_THREAD_unlock(dctx->lock); +} + +static const RAND_METHOD rand_drbg_meth = +{ + NULL, + drbg_bytes, + drbg_cleanup, + NULL, + drbg_bytes, + drbg_status +}; + +const RAND_METHOD *RAND_drbg(void) +{ + return &rand_drbg_meth; +} diff --git a/crypto/rand/ossl_rand.c b/crypto/rand/ossl_rand.c index 016653d227..1b4b21ba4a 100644 --- a/crypto/rand/ossl_rand.c +++ b/crypto/rand/ossl_rand.c @@ -38,8 +38,8 @@ typedef struct ossl_rand_state_st OSSL_RAND_STATE; struct ossl_rand_state_st { size_t num; size_t index; - unsigned char state[STATE_SIZE + RAND_DIGEST_LENGTH]; - unsigned char md[RAND_DIGEST_LENGTH]; + unsigned char state[STATE_SIZE + SHA_DIGEST_LENGTH]; + unsigned char md[SHA_DIGEST_LENGTH]; long md_count[2]; }; @@ -103,7 +103,7 @@ static int rand_add(const void *buf, int num, double add) { int i, j, k, st_idx; long md_c[2]; - unsigned char local_md[RAND_DIGEST_LENGTH]; + unsigned char local_md[SHA_DIGEST_LENGTH]; EVP_MD_CTX *m; int do_not_lock; int rv = 0; @@ -178,18 +178,18 @@ static int rand_add(const void *buf, int num, double add) * will use now, but other threads may use them as well */ - sp->md_count[1] += (num / RAND_DIGEST_LENGTH) + (num % RAND_DIGEST_LENGTH > 0); + sp->md_count[1] += (num / SHA_DIGEST_LENGTH) + (num % SHA_DIGEST_LENGTH > 0); if (!do_not_lock) CRYPTO_THREAD_unlock(rand_lock); - for (i = 0; i < num; i += RAND_DIGEST_LENGTH) { + for (i = 0; i < num; i += SHA_DIGEST_LENGTH) { j = (num - i); - j = (j > RAND_DIGEST_LENGTH) ? RAND_DIGEST_LENGTH : j; + j = (j > SHA_DIGEST_LENGTH) ? SHA_DIGEST_LENGTH : j; - if (!EVP_DigestInit_ex(m, RAND_DIGEST, NULL)) + if (!EVP_DigestInit_ex(m, EVP_sha1(), NULL)) goto err; - if (!EVP_DigestUpdate(m, local_md, RAND_DIGEST_LENGTH)) + if (!EVP_DigestUpdate(m, local_md, SHA_DIGEST_LENGTH)) goto err; k = (st_idx + j) - STATE_SIZE; if (k > 0) { @@ -268,7 +268,7 @@ static int rand_bytes(unsigned char *buf, int num) size_t num_ceil, st_idx, st_num; int ok; long md_c[2]; - unsigned char local_md[RAND_DIGEST_LENGTH]; + unsigned char local_md[SHA_DIGEST_LENGTH]; EVP_MD_CTX *m; OSSL_RAND_STATE *sp = &global_state; #ifndef GETPID_IS_MEANINGLESS @@ -314,9 +314,9 @@ static int rand_bytes(unsigned char *buf, int num) if (m == NULL) goto err_mem; - /* round upwards to multiple of RAND_DIG |