diff options
author | Pauli <paul.dale@oracle.com> | 2020-05-08 10:22:45 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-06-24 20:05:41 +1000 |
commit | 714a1bb380ddb2bf7538f6a61f47ac87200e3e06 (patch) | |
tree | 429c1298eed420258ad1fb2974638ef1b5bc3e1f | |
parent | 94478bd8d7303dc1656d142caabaf05b2a2180eb (diff) |
rand: set up EVP and DRBG infrastructure for RAND from providers.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)
-rw-r--r-- | crypto/evp/rand_meth.c | 204 | ||||
-rw-r--r-- | include/openssl/core_names.h | 20 | ||||
-rw-r--r-- | include/openssl/core_numbers.h | 16 | ||||
-rw-r--r-- | include/openssl/evp.h | 17 | ||||
-rw-r--r-- | providers/implementations/build.info | 2 | ||||
-rw-r--r-- | providers/implementations/include/prov/implementations.h | 9 | ||||
-rw-r--r-- | providers/implementations/rands/build.info | 7 | ||||
-rw-r--r-- | providers/implementations/rands/drbg.c | 884 | ||||
-rw-r--r-- | providers/implementations/rands/drbg_local.h | 287 | ||||
-rw-r--r-- | providers/implementations/rands/rand_crng_test.c | 55 |
10 files changed, 1452 insertions, 49 deletions
diff --git a/crypto/evp/rand_meth.c b/crypto/evp/rand_meth.c index e2b1d68ce0..0f1745411d 100644 --- a/crypto/evp/rand_meth.c +++ b/crypto/evp/rand_meth.c @@ -58,18 +58,42 @@ static void *evp_rand_new(void) evp_rand_free(rand); return NULL; } - rand->refcnt = 1; - return rand; } +/* Enable locking of the underlying DRBG/RAND if available */ +int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *rand) +{ + if (rand->meth->enable_prov_locking != NULL) + return rand->meth->enable_prov_locking(rand->data); + return 1; +} + +/* Lock the underlying DRBG/RAND if available */ +static int evp_rand_lock(EVP_RAND_CTX *rand) +{ + if (rand->meth->prov_lock != NULL) + return rand->meth->prov_lock(rand->data); + return 1; +} + +/* Unlock the underlying DRBG/RAND if available */ +static void evp_rand_unlock(EVP_RAND_CTX *rand) +{ + if (rand->meth->prov_unlock != NULL) + rand->meth->prov_unlock(rand->data); +} + static void *evp_rand_from_dispatch(int name_id, const OSSL_DISPATCH *fns, OSSL_PROVIDER *prov) { EVP_RAND *rand = NULL; int fnrandcnt = 0, fnctxcnt = 0; +#ifdef FIPS_MODULE + int fnfipscnt = 0; +#endif if ((rand = evp_rand_new()) == NULL) { EVPerr(0, ERR_R_MALLOC_FAILURE); @@ -172,13 +196,27 @@ static void *evp_rand_from_dispatch(int name_id, break; rand->set_ctx_params = OSSL_get_OP_rand_set_ctx_params(fns); break; + case OSSL_FUNC_RAND_VERIFY_ZEROIZATION: + if (rand->verify_zeroization != NULL) + break; + rand->verify_zeroization = OSSL_get_OP_rand_verify_zeroization(fns); +#ifdef FIPS_MODULE + fnfipscnt++; +#endif + break; } } - if (fnrandcnt != 3 || fnctxcnt != 2) { + if (fnrandcnt != 3 + || fnctxcnt != 2 +#ifdef FIPS_MODULE + || fnfipscnt != 1 +#endif + ) { /* * In order to be a consistent set of functions we must have at least * a complete set of "rand" functions and a complete set of context - * management functions. + * management functions. In FIPS mode, we also require the zeroization + * verification function. */ evp_rand_free(rand); ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS); @@ -236,8 +274,7 @@ int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]) return 1; } -EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df, - EVP_RAND_CTX *parent) +EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, EVP_RAND_CTX *parent) { EVP_RAND_CTX *ctx; void *parent_ctx = NULL; @@ -250,10 +287,11 @@ EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df, if (ctx == NULL) return NULL; if (parent != NULL) { + EVP_RAND_CTX_enable_locking(parent); parent_ctx = parent->data; parent_dispatch = parent->meth->dispatch; } - if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure, df, + if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure, parent_ctx, parent_dispatch)) == NULL || !EVP_RAND_up_ref(rand)) { EVPerr(0, ERR_R_MALLOC_FAILURE); @@ -283,16 +321,31 @@ EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx) int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]) { - if (ctx->meth->get_ctx_params != NULL) - return ctx->meth->get_ctx_params(ctx->data, params); - return 1; + int res = 1; + + if (ctx->meth->get_ctx_params != NULL) { + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->get_ctx_params(ctx->data, params); + evp_rand_unlock(ctx); + } + return res; } int EVP_RAND_CTX_set_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[]) { - if (ctx->meth->set_ctx_params != NULL) - return ctx->meth->set_ctx_params(ctx->data, params); - return 1; + int res = 1; + + if (ctx->meth->set_ctx_params != NULL) { + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->set_ctx_params(ctx->data, params); + evp_rand_unlock(ctx); + /* Clear out the cache state because the values can change on a set */ + ctx->strength = 0; + ctx->max_request = 0; + } + return res; } const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand) @@ -333,52 +386,133 @@ void EVP_RAND_names_do_all(const EVP_RAND *rand, evp_names_do_all(rand->prov, rand->name_id, fn, data); } -int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength, +int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, const unsigned char *pstr, size_t pstr_len) { - return ctx->meth->instantiate(ctx->data, strength, prediction_resistance, - pstr, pstr_len); + int res; + + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->instantiate(ctx->data, strength, prediction_resistance, + pstr, pstr_len); + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx) { - return ctx->meth->uninstantiate(ctx->data); + int res; + + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->uninstantiate(ctx->data); + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, - int strength, int prediction_resistance, + unsigned int strength, int prediction_resistance, const unsigned char *addin, size_t addin_len) { - return ctx->meth->generate(ctx->data, out, outlen, strength, - prediction_resistance, addin, addin_len); + size_t chunk; + OSSL_PARAM params[2]; + int res = 0; + + if (!evp_rand_lock(ctx)) + return 0; + if (ctx->max_request == 0) { + params[0] = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MAX_REQUEST, + &ctx->max_request); + params[1] = OSSL_PARAM_construct_end(); + if (!EVP_RAND_CTX_get_params(ctx, params) + || ctx->max_request == 0) + goto err; + } + for (; outlen > 0; outlen -= chunk, out += chunk) { + chunk = outlen > ctx->max_request ? ctx->max_request : outlen; + if (!ctx->meth->generate(ctx->data, out, chunk, strength, + prediction_resistance, addin, addin_len)) + goto err; + } + res = 1; +err: + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance, + const unsigned char *ent, size_t ent_len, const unsigned char *addin, size_t addin_len) { - if (ctx->meth->reseed == NULL) - return 1; - return ctx->meth->reseed(ctx->data, prediction_resistance, - addin, addin_len); + int res = 1; + + if (!evp_rand_lock(ctx)) + return 0; + if (ctx->meth->reseed != NULL) + res = ctx->meth->reseed(ctx->data, prediction_resistance, + ent, ent_len, addin, addin_len); + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen) { - if (ctx->meth->nonce != NULL) - return ctx->meth->nonce(ctx->data, out, outlen); - return ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0); + int res = 1; + + if (!evp_rand_lock(ctx)) + return 0; + if (ctx->meth->nonce == NULL + || !ctx->meth->nonce(ctx->data, out, 0, outlen, outlen)) + res = ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0); + evp_rand_unlock(ctx); + return res; +} + +unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx) +{ + OSSL_PARAM params[2]; + int res; + + if (ctx->strength == 0) { + params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, + &ctx->strength); + params[1] = OSSL_PARAM_construct_end(); + if (!evp_rand_lock(ctx)) + return 0; + res = EVP_RAND_CTX_get_params(ctx, params); + evp_rand_unlock(ctx); + if (!res) + return 0; + } + return ctx->strength; } -int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *ctx, - OSSL_CALLBACK *get_entropy, - OSSL_CALLBACK *cleanup_entropy, - OSSL_CALLBACK *get_nonce, - OSSL_CALLBACK *cleanup_nonce) +int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx) { - if (ctx->meth->set_callbacks == NULL) + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + int status, res; + + params[0] = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STATE, + &status); + if (!evp_rand_lock(ctx)) return 0; - return ctx->meth->set_callbacks(ctx->data, get_entropy, cleanup_entropy, - get_nonce, cleanup_nonce); + res = EVP_RAND_CTX_get_params(ctx, params); + evp_rand_unlock(ctx); + if (!res) + status = EVP_RAND_STATE_ERROR; + return status; } +int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx) +{ + int res = 0; + + if (ctx->meth->verify_zeroization != NULL) { + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->verify_zeroization(ctx->data); + evp_rand_unlock(ctx); + } + return res; +} diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 7da0186392..e7b522a810 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -180,6 +180,26 @@ extern "C" { #define OSSL_KDF_NAME_KBKDF "KBKDF" #define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" +/* Know RAND names */ +#define OSSL_RAND_PARAM_STATUS "status" +#define OSSL_RAND_PARAM_STRENGTH "strength" +#define OSSL_RAND_PARAM_RESEED_REQUESTS "reseed_requests" +#define OSSL_RAND_PARAM_RESEED_TIME_INTERVAL "reseed_time_interval" +#define OSSL_RAND_PARAM_MAX_REQUEST "max_request" +#define OSSL_RAND_PARAM_MIN_ENTROPYLEN "min_entropylen" +#define OSSL_RAND_PARAM_MAX_ENTROPYLEN "max_entropylen" +#define OSSL_RAND_PARAM_MIN_NONCELEN "min_noncelen" +#define OSSL_RAND_PARAM_MAX_NONCELEN "max_noncelen" +#define OSSL_RAND_PARAM_MAX_PERSLEN "max_perslen" +#define OSSL_RAND_PARAM_MAX_ADINLEN "max_adinlen" +#define OSSL_RAND_PARAM_RESEED_CTR "reseed_counter" +#define OSSL_RAND_PARAM_RESEED_PROP_CTR "reseed_prop_counter" +#define OSSL_RAND_PARAM_PROPERTIES OSSL_ALG_PARAM_PROPERTIES +#define OSSL_RAND_PARAM_DIGEST OSSL_ALG_PARAM_DIGEST +#define OSSL_RAND_PARAM_CIPHER OSSL_ALG_PARAM_CIPHER +#define OSSL_RAND_PARAM_TEST_ENTROPY "test_entropy" +#define OSSL_RAND_PARAM_TEST_NONCE "test_nonce" + /* PKEY parameters */ /* Common PKEY parameters */ #define OSSL_PKEY_PARAM_BITS "bits" /* integer */ diff --git a/include/openssl/core_numbers.h b/include/openssl/core_numbers.h index ce8306e5bc..acc758e462 100644 --- a/include/openssl/core_numbers.h +++ b/include/openssl/core_numbers.h @@ -359,24 +359,28 @@ OSSL_CORE_MAKE_FUNC(int, OP_kdf_set_ctx_params, # define OSSL_FUNC_RAND_GET_CTX_PARAMS 15 # define OSSL_FUNC_RAND_SET_CTX_PARAMS 16 # define OSSL_FUNC_RAND_SET_CALLBACKS 17 +# define OSSL_FUNC_RAND_VERIFY_ZEROIZATION 18 OSSL_CORE_MAKE_FUNC(void *, OP_rand_newctx, - (void *provctx, int secure, unsigned int df, void *parent, + (void *provctx, int secure, void *parent, const OSSL_DISPATCH *parent_calls)) OSSL_CORE_MAKE_FUNC(void, OP_rand_freectx, (void *vctx)) OSSL_CORE_MAKE_FUNC(int, OP_rand_instantiate, - (void *vdrbg, int strength, int prediction_resistance, + (void *vdrbg, unsigned int strength, + int prediction_resistance, const unsigned char *pstr, size_t pstr_len)) OSSL_CORE_MAKE_FUNC(int, OP_rand_uninstantiate, (void *vdrbg)) OSSL_CORE_MAKE_FUNC(int, OP_rand_generate, (void *vctx, unsigned char *out, size_t outlen, - int strength, int prediction_resistance, + unsigned int strength, int prediction_resistance, const unsigned char *addin, size_t addin_len)) OSSL_CORE_MAKE_FUNC(int, OP_rand_reseed, (void *vctx, int prediction_resistance, + const unsigned char *ent, size_t ent_len, const unsigned char *addin, size_t addin_len)) -OSSL_CORE_MAKE_FUNC(int, OP_rand_nonce, - (void *vctx, unsigned char *out, size_t outlen)) +OSSL_CORE_MAKE_FUNC(size_t, OP_rand_nonce, + (void *vctx, unsigned char *out, int strength, + size_t min_noncelen, size_t max_noncelen)) OSSL_CORE_MAKE_FUNC(int, OP_rand_set_callbacks, (void *vctx, OSSL_CALLBACK *get_entropy, OSSL_CALLBACK *cleanup_entropy, @@ -392,6 +396,8 @@ OSSL_CORE_MAKE_FUNC(int, OP_rand_get_ctx_params, (void *vctx, OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int, OP_rand_set_ctx_params, (void *vctx, const OSSL_PARAM params[])) +OSSL_CORE_MAKE_FUNC(int, OP_rand_verify_zeroization, + (void *vctx)) /*- * Key management diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 9d8b447525..2e6f855031 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1073,7 +1073,7 @@ void EVP_MD_do_all_provided(OPENSSL_CTX *libctx, /* RAND stuff */ EVP_RAND *EVP_RAND_fetch(OPENSSL_CTX *libctx, const char *algorithm, - const char *properties); + const char *properties); int EVP_RAND_up_ref(EVP_RAND *rand); void EVP_RAND_free(EVP_RAND *rand); int EVP_RAND_number(const EVP_RAND *rand); @@ -1082,7 +1082,7 @@ int EVP_RAND_is_a(const EVP_RAND *rand, const char *name); const OSSL_PROVIDER *EVP_RAND_provider(const EVP_RAND *rand); int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]); -EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df, +EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, EVP_RAND_CTX *parent); void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx); EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx); @@ -1099,14 +1099,15 @@ void EVP_RAND_names_do_all(const EVP_RAND *rand, void (*fn)(const char *name, void *data), void *data); -int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength, +int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, const unsigned char *pstr, size_t pstr_len); int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx); int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, - int strength, int prediction_resistance, + unsigned int strength, int prediction_resistance, const unsigned char *addin, size_t addin_len); int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance, + const unsigned char *ent, size_t ent_len, const unsigned char *addin, size_t addin_len); int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen); int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand, @@ -1114,6 +1115,14 @@ int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand, OSSL_CALLBACK *cleanup_entropy, OSSL_CALLBACK *get_nonce, OSSL_CALLBACK *cleanup_nonce); +int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *ctx); +int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx); +unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx); +int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx); + +#define EVP_RAND_STATE_UNINITIALISED 0 +#define EVP_RAND_STATE_READY 1 +#define EVP_RAND_STATE_ERROR 2 /* PKEY stuff */ DEPRECATEDIN_3_0(int EVP_PKEY_decrypt_old(unsigned char *dec_key, diff --git a/providers/implementations/build.info b/providers/implementations/build.info index e4cab9bd2e..839478ef36 100644 --- a/providers/implementations/build.info +++ b/providers/implementations/build.info @@ -1,2 +1,2 @@ -SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature asymciphers \ +SUBDIRS=digests ciphers rands macs kdfs exchange keymgmt signature asymciphers \ serializers diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 0589a6e996..ee942e94e1 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -7,6 +7,9 @@ * https://www.openssl.org/source/license.html */ +#include <openssl/core.h> +#include <openssl/types.h> + /* Digests */ extern const OSSL_DISPATCH sha1_functions[]; extern const OSSL_DISPATCH sha224_functions[]; @@ -252,6 +255,12 @@ extern const OSSL_DISPATCH kdf_x942_kdf_functions[]; #endif extern const OSSL_DISPATCH kdf_krb5kdf_functions[]; +/* RNGs */ +extern const OSSL_DISPATCH test_rng_functions[]; +extern const OSSL_DISPATCH drbg_hash_functions[]; +extern const OSSL_DISPATCH drbg_hmac_functions[]; +extern const OSSL_DISPATCH drbg_ctr_functions[]; +extern const OSSL_DISPATCH crngt_functions[]; /* Key management */ extern const OSSL_DISPATCH dh_keymgmt_functions[]; diff --git a/providers/implementations/rands/build.info b/providers/implementations/rands/build.info new file mode 100644 index 0000000000..29f7238c1a --- /dev/null +++ b/providers/implementations/rands/build.info @@ -0,0 +1,7 @@ + +# Missing: drbg_ctr.c +SOURCE[../../libfips.a]=drbg.c +SOURCE[../../libnonfips.a]=drbg.c + +# Missing: drbg_hmac.c crngt.c +SOURCE[../../libimplementations.a]=test_rng.c drbg_hash.c diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c new file mode 100644 index 0000000000..c9e4cd4b60 --- /dev/null +++ b/providers/implementations/rands/drbg.c @@ -0,0 +1,884 @@ +/* + * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include "crypto/rand.h" +#include "drbg_local.h" +#include "internal/thread_once.h" +#include "crypto/cryptlib.h" +#include "seeding/seeding.h" +#include "crypto/rand_pool.h" + +/* + * Support framework for NIST SP 800-90A DRBG + * + * See manual page PROV_DRBG(7) for a general overview. + * + * The OpenSSL model is to have new and free functions, and that new + * does all initialization. That is not the NIST model, which has + * instantiation and un-instantiate, and re-use within a new/free + * lifecycle. (No doubt this comes from the desire to support hardware + * DRBG, where allocation of resources on something like an HSM is + * a much bigger deal than just re-setting an allocated resource.) + */ + +#ifdef FIPS_MODULE +# define get_entropy prov_crngt_get_entropy +# define cleanup_entropy prov_crngt_cleanup_entropy +#else +# define get_entropy prov_drbg_get_entropy +# define cleanup_entropy prov_drbg_cleanup_entropy +#endif + +/* NIST SP 800-90A DRBG recommends the use of a personalization string. */ +static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; + +static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL; +static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL; + +static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL; +static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL; + +static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch, + int function); + +int drbg_lock(void *vctx) +{ + PROV_DRBG *drbg = vctx; + + if (drbg == NULL || drbg->lock == NULL) + return 1; + return CRYPTO_THREAD_write_lock(drbg->lock); +} + +void drbg_unlock(void *vctx) +{ + PROV_DRBG *drbg = vctx; + + if (drbg != NULL && drbg->lock != NULL) + CRYPTO_THREAD_unlock(drbg->lock); +} + +static int drbg_lock_parent(PROV_DRBG *drbg) +{ + void *parent = drbg->parent; + const OSSL_DISPATCH *pfunc; + + if (parent != NULL) { + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_LOCK); + if (pfunc != NULL && !OSSL_get_OP_rand_lock(pfunc)(parent)) { + ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED); + return 0; + } + } + return 1; +} + +static void drbg_unlock_parent(PROV_DRBG *drbg) +{ + void *parent = drbg->parent; + const OSSL_DISPATCH *pfunc; + + if (parent != NULL) { + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_UNLOCK); + if (pfunc != NULL) + OSSL_get_OP_rand_unlock(pfunc)(parent); + } +} + +static int get_parent_strength(PROV_DRBG *drbg, int *str) +{ + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + const OSSL_DISPATCH *pfunc; + void *parent = drbg->parent; + + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS); + if (pfunc == NULL) { + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH); + return 0; + } + *params = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STRENGTH, str); + if (!drbg_lock_parent(drbg)) { + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT); + return 0; + } + if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) { + drbg_unlock_parent(drbg); + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH); + return 0; + } + drbg_unlock_parent(drbg); + return 1; +} + +static unsigned int get_parent_reseed_count(PROV_DRBG *drbg) +{ + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + const OSSL_DISPATCH *pfunc; + void *parent = drbg->parent; + unsigned int r; + + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS); + if (pfunc == NULL) { + ERR_raise(ERR_LIB_PROV, + RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER); + goto err; + } + *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_RESEED_PROP_CTR, &r); + if (!drbg_lock_parent(drbg)) { + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT); + goto err; + } + if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) { + drbg_unlock_parent(drbg); + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_RESEED_PROP_CTR); + goto err; + } + drbg_unlock_parent(drbg); + return r; + + err: + r = tsan_load(&drbg->reseed_prop_counter) - 2; + if (r == 0) + r = UINT_MAX; + return r; +} + +#ifndef FIPS_MODULE +/* + * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) + * + * If the DRBG has a parent, then the required amount of entropy input + * is fetched using the parent's RAND_DRBG_generate(). + * + * Otherwise, the entropy is polled from the system entropy sources + * using rand_pool_acquire_entropy(). + * + * If a random pool has been added to the DRBG using RAND_add(), then + * its entropy will be used up first. + */ +static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +{ + size_t ret = 0; + size_t entropy_available = 0; + RAND_POOL *pool; + int p_str; + const OSSL_DISPATCH *pfunc; + + if (drbg->parent != NULL) { + if (!get_parent_strength(drbg, &p_str)) + return 0; + if (drbg->strength > p_str) { + /* + * We currently don't support the algorithm from NIST SP 800-90C + * 10.1.2 to use a weaker DRBG as source + */ + RANDerr(0, RAND_R_PARENT_STRENGTH_TOO_WEAK); + return 0; + } + } + + if (drbg->seed_pool != NULL) { + pool = drbg->seed_pool; + pool->entropy_requested = entropy; + } else { + pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); + if (pool == NULL) + return 0; + } + + if (drbg->parent != NULL) { + size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); + unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); + + if (buffer != NULL) { + size_t bytes = 0; + + /* + * Get random data from parent. Include our address as additional input, + * in order to provide some additional distinction between different + * DRBG child instances. + * Our lock is already held, but we need to lock our parent before + * generating bits from it. (Note: taking the lock will be a no-op + * if locking if drbg->parent->lock == NULL.) + */ + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GENERATE); + if (pfunc == NULL) + return 0; + drbg_lock_parent(drbg); + if (OSSL_get_OP_rand_generate(pfunc)(drbg->parent, buffer, bytes_needed, + drbg->strength, + prediction_resistance, + (unsigned char *)&drbg, + sizeof(drbg)) != 0) + bytes = bytes_needed; + drbg->reseed_next_counter = get_parent_reseed_count(drbg); + drbg_unlock_parent(drbg); + + rand_pool_add_end(pool, bytes, 8 * bytes); + entropy_available = rand_pool_entropy_available(pool); + } + } else { + /* Get entropy by polling system entropy sources. */ + entropy_available = rand_pool_acquire_entropy(pool); + } + + if (entropy_available > 0) { + ret = rand_pool_length(pool); + *pout = rand_pool_detach(pool); + } + + if (drbg->seed_pool == NULL) + rand_pool_free(pool); + return ret; +} + +/* + * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) + * + */ +static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg, + unsigned char *out, size_t outlen) +{ + if (drbg->seed_pool == NULL) { + if (drbg->secure) + OPENSSL_secure_clear_free(out, outlen); + else + OPENSSL_clear_free(out, outlen); + } +} +#endif + +#ifndef PROV_RAND_GET_RANDOM_NONCE +typedef struct prov_drbg_nonce_global_st { + CRYPTO_RWLOCK *rand_nonce_lock; + int rand_nonce_count; +} PROV_DRBG_NONCE_GLOBAL; + +/* + * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce() + * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since + * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock + * to be in a different global data object. Otherwise we will go into an + * infinite recursion loop. + */ +static void *prov_drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx) +{ + PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl)); + + if (dngbl == NULL) + return NULL; + + dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new(); + if (dngbl->rand_nonce_lock == NULL) { + OPENSSL_free(dngbl); + return NULL; + } + + return dngbl; +} + +static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl) +{ + PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl; + + if (dngbl == NULL) + return; + + CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock); + + OPENSSL_free(dngbl); +} + +static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = { + prov_drbg_nonce_ossl_ctx_new, + prov_drbg_nonce_ossl_ctx_free, +}; + +/* Get a nonce from the operating system */ +static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + size_t ret = 0; + RAND_POOL *pool; + PROV_DRBG_NONCE_GLOBAL *dngbl + = openssl_ctx_get_data(drbg->libctx, OPENSSL_CTX_DRBG_NONCE_INDEX, + &drbg_nonce_ossl_ctx_method); + struct { + void *instance; + int count; + } data; + + + if (dngbl == NULL) + return 0; + + memset(&data, 0, sizeof(data)); + pool = rand_pool_new(0, 0, min_len, max_len); + if (pool == NULL) + return 0; + + if (rand_pool_add_nonce_data(pool) == 0) + goto err; + + data.instance = drbg; + CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count, + dngbl->rand_nonce_lock); + + if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0) + goto err; + + ret = rand_pool_length(pool); + *pout = rand_pool_detach(pool); + + err: + rand_pool_free(pool); + + return ret; +} +#endif + +/* + * Implements the cleanup_nonce() callback (see PROV_DRBG_set_callbacks()) + * + */ +static void prov_drbg_cleanup_nonce(PROV_DRBG *drbg, + unsigned char *out, size_t outlen) +{ + OPENSSL_clear_free(out, outlen); +} + +/* + * Instantiate |drbg|, after it has been initialized. Use |pers| and + * |perslen| as prediction-resistance input. + * + * Requires that drbg->lock is already locked for write, if non-null. + * + * Returns 1 on success, 0 on failure. + */ +int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength, + int prediction_resistance, + const unsigned char *pers, size_t perslen, + int (*ifnc)(PROV_DRBG *drbg, + const unsigned char *ent, size_t ent_len, + const unsigned char *nonce, + size_t nonce_len, + const unsigned char *pstr, + size_t pstr_len)) +{ + unsigned char *nonce = NULL, *entropy = NULL; + size_t noncelen = 0, entropylen = 0; + size_t min_entropy, min_entropylen, max_entropylen; + const OSSL_DISPATCH *pnonce; + + if (strength > drbg->strength) { + PROVerr(0, RAND_R_INSUFFICIENT_DRBG_STRENGTH); + goto end; + } + min_entropy = drbg->strength; + min_entropylen = drbg->min_entropylen; + max_entropylen = drbg->max_entropylen; + + if (pers == NULL) { + pers = (const unsigned char *)ossl_pers_string; + perslen = sizeof(ossl_pers_string); + } + if (perslen > drbg->max_perslen) { + PROVerr(0, RAND_R_PERSONALISATION_STRING_TOO_LONG); + goto end; + } |