From 714a1bb380ddb2bf7538f6a61f47ac87200e3e06 Mon Sep 17 00:00:00 2001 From: Pauli Date: Fri, 8 May 2020 10:22:45 +1000 Subject: rand: set up EVP and DRBG infrastructure for RAND from providers. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/11682) --- crypto/evp/rand_meth.c | 204 ++++- include/openssl/core_names.h | 20 + include/openssl/core_numbers.h | 16 +- include/openssl/evp.h | 17 +- providers/implementations/build.info | 2 +- .../implementations/include/prov/implementations.h | 9 + providers/implementations/rands/build.info | 7 + providers/implementations/rands/drbg.c | 884 +++++++++++++++++++++ providers/implementations/rands/drbg_local.h | 287 +++++++ providers/implementations/rands/rand_crng_test.c | 55 +- 10 files changed, 1452 insertions(+), 49 deletions(-) create mode 100644 providers/implementations/rands/build.info create mode 100644 providers/implementations/rands/drbg.c create mode 100644 providers/implementations/rands/drbg_local.h diff --git a/crypto/evp/rand_meth.c b/crypto/evp/rand_meth.c index e2b1d68ce0..0f1745411d 100644 --- a/crypto/evp/rand_meth.c +++ b/crypto/evp/rand_meth.c @@ -58,18 +58,42 @@ static void *evp_rand_new(void) evp_rand_free(rand); return NULL; } - rand->refcnt = 1; - return rand; } +/* Enable locking of the underlying DRBG/RAND if available */ +int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *rand) +{ + if (rand->meth->enable_prov_locking != NULL) + return rand->meth->enable_prov_locking(rand->data); + return 1; +} + +/* Lock the underlying DRBG/RAND if available */ +static int evp_rand_lock(EVP_RAND_CTX *rand) +{ + if (rand->meth->prov_lock != NULL) + return rand->meth->prov_lock(rand->data); + return 1; +} + +/* Unlock the underlying DRBG/RAND if available */ +static void evp_rand_unlock(EVP_RAND_CTX *rand) +{ + if (rand->meth->prov_unlock != NULL) + rand->meth->prov_unlock(rand->data); +} + static void *evp_rand_from_dispatch(int name_id, const OSSL_DISPATCH *fns, OSSL_PROVIDER *prov) { EVP_RAND *rand = NULL; int fnrandcnt = 0, fnctxcnt = 0; +#ifdef FIPS_MODULE + int fnfipscnt = 0; +#endif if ((rand = evp_rand_new()) == NULL) { EVPerr(0, ERR_R_MALLOC_FAILURE); @@ -172,13 +196,27 @@ static void *evp_rand_from_dispatch(int name_id, break; rand->set_ctx_params = OSSL_get_OP_rand_set_ctx_params(fns); break; + case OSSL_FUNC_RAND_VERIFY_ZEROIZATION: + if (rand->verify_zeroization != NULL) + break; + rand->verify_zeroization = OSSL_get_OP_rand_verify_zeroization(fns); +#ifdef FIPS_MODULE + fnfipscnt++; +#endif + break; } } - if (fnrandcnt != 3 || fnctxcnt != 2) { + if (fnrandcnt != 3 + || fnctxcnt != 2 +#ifdef FIPS_MODULE + || fnfipscnt != 1 +#endif + ) { /* * In order to be a consistent set of functions we must have at least * a complete set of "rand" functions and a complete set of context - * management functions. + * management functions. In FIPS mode, we also require the zeroization + * verification function. */ evp_rand_free(rand); ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS); @@ -236,8 +274,7 @@ int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]) return 1; } -EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df, - EVP_RAND_CTX *parent) +EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, EVP_RAND_CTX *parent) { EVP_RAND_CTX *ctx; void *parent_ctx = NULL; @@ -250,10 +287,11 @@ EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df, if (ctx == NULL) return NULL; if (parent != NULL) { + EVP_RAND_CTX_enable_locking(parent); parent_ctx = parent->data; parent_dispatch = parent->meth->dispatch; } - if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure, df, + if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure, parent_ctx, parent_dispatch)) == NULL || !EVP_RAND_up_ref(rand)) { EVPerr(0, ERR_R_MALLOC_FAILURE); @@ -283,16 +321,31 @@ EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx) int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]) { - if (ctx->meth->get_ctx_params != NULL) - return ctx->meth->get_ctx_params(ctx->data, params); - return 1; + int res = 1; + + if (ctx->meth->get_ctx_params != NULL) { + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->get_ctx_params(ctx->data, params); + evp_rand_unlock(ctx); + } + return res; } int EVP_RAND_CTX_set_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[]) { - if (ctx->meth->set_ctx_params != NULL) - return ctx->meth->set_ctx_params(ctx->data, params); - return 1; + int res = 1; + + if (ctx->meth->set_ctx_params != NULL) { + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->set_ctx_params(ctx->data, params); + evp_rand_unlock(ctx); + /* Clear out the cache state because the values can change on a set */ + ctx->strength = 0; + ctx->max_request = 0; + } + return res; } const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand) @@ -333,52 +386,133 @@ void EVP_RAND_names_do_all(const EVP_RAND *rand, evp_names_do_all(rand->prov, rand->name_id, fn, data); } -int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength, +int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, const unsigned char *pstr, size_t pstr_len) { - return ctx->meth->instantiate(ctx->data, strength, prediction_resistance, - pstr, pstr_len); + int res; + + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->instantiate(ctx->data, strength, prediction_resistance, + pstr, pstr_len); + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx) { - return ctx->meth->uninstantiate(ctx->data); + int res; + + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->uninstantiate(ctx->data); + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, - int strength, int prediction_resistance, + unsigned int strength, int prediction_resistance, const unsigned char *addin, size_t addin_len) { - return ctx->meth->generate(ctx->data, out, outlen, strength, - prediction_resistance, addin, addin_len); + size_t chunk; + OSSL_PARAM params[2]; + int res = 0; + + if (!evp_rand_lock(ctx)) + return 0; + if (ctx->max_request == 0) { + params[0] = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MAX_REQUEST, + &ctx->max_request); + params[1] = OSSL_PARAM_construct_end(); + if (!EVP_RAND_CTX_get_params(ctx, params) + || ctx->max_request == 0) + goto err; + } + for (; outlen > 0; outlen -= chunk, out += chunk) { + chunk = outlen > ctx->max_request ? ctx->max_request : outlen; + if (!ctx->meth->generate(ctx->data, out, chunk, strength, + prediction_resistance, addin, addin_len)) + goto err; + } + res = 1; +err: + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance, + const unsigned char *ent, size_t ent_len, const unsigned char *addin, size_t addin_len) { - if (ctx->meth->reseed == NULL) - return 1; - return ctx->meth->reseed(ctx->data, prediction_resistance, - addin, addin_len); + int res = 1; + + if (!evp_rand_lock(ctx)) + return 0; + if (ctx->meth->reseed != NULL) + res = ctx->meth->reseed(ctx->data, prediction_resistance, + ent, ent_len, addin, addin_len); + evp_rand_unlock(ctx); + return res; } int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen) { - if (ctx->meth->nonce != NULL) - return ctx->meth->nonce(ctx->data, out, outlen); - return ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0); + int res = 1; + + if (!evp_rand_lock(ctx)) + return 0; + if (ctx->meth->nonce == NULL + || !ctx->meth->nonce(ctx->data, out, 0, outlen, outlen)) + res = ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0); + evp_rand_unlock(ctx); + return res; +} + +unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx) +{ + OSSL_PARAM params[2]; + int res; + + if (ctx->strength == 0) { + params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, + &ctx->strength); + params[1] = OSSL_PARAM_construct_end(); + if (!evp_rand_lock(ctx)) + return 0; + res = EVP_RAND_CTX_get_params(ctx, params); + evp_rand_unlock(ctx); + if (!res) + return 0; + } + return ctx->strength; } -int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *ctx, - OSSL_CALLBACK *get_entropy, - OSSL_CALLBACK *cleanup_entropy, - OSSL_CALLBACK *get_nonce, - OSSL_CALLBACK *cleanup_nonce) +int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx) { - if (ctx->meth->set_callbacks == NULL) + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + int status, res; + + params[0] = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STATE, + &status); + if (!evp_rand_lock(ctx)) return 0; - return ctx->meth->set_callbacks(ctx->data, get_entropy, cleanup_entropy, - get_nonce, cleanup_nonce); + res = EVP_RAND_CTX_get_params(ctx, params); + evp_rand_unlock(ctx); + if (!res) + status = EVP_RAND_STATE_ERROR; + return status; } +int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx) +{ + int res = 0; + + if (ctx->meth->verify_zeroization != NULL) { + if (!evp_rand_lock(ctx)) + return 0; + res = ctx->meth->verify_zeroization(ctx->data); + evp_rand_unlock(ctx); + } + return res; +} diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 7da0186392..e7b522a810 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -180,6 +180,26 @@ extern "C" { #define OSSL_KDF_NAME_KBKDF "KBKDF" #define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" +/* Know RAND names */ +#define OSSL_RAND_PARAM_STATUS "status" +#define OSSL_RAND_PARAM_STRENGTH "strength" +#define OSSL_RAND_PARAM_RESEED_REQUESTS "reseed_requests" +#define OSSL_RAND_PARAM_RESEED_TIME_INTERVAL "reseed_time_interval" +#define OSSL_RAND_PARAM_MAX_REQUEST "max_request" +#define OSSL_RAND_PARAM_MIN_ENTROPYLEN "min_entropylen" +#define OSSL_RAND_PARAM_MAX_ENTROPYLEN "max_entropylen" +#define OSSL_RAND_PARAM_MIN_NONCELEN "min_noncelen" +#define OSSL_RAND_PARAM_MAX_NONCELEN "max_noncelen" +#define OSSL_RAND_PARAM_MAX_PERSLEN "max_perslen" +#define OSSL_RAND_PARAM_MAX_ADINLEN "max_adinlen" +#define OSSL_RAND_PARAM_RESEED_CTR "reseed_counter" +#define OSSL_RAND_PARAM_RESEED_PROP_CTR "reseed_prop_counter" +#define OSSL_RAND_PARAM_PROPERTIES OSSL_ALG_PARAM_PROPERTIES +#define OSSL_RAND_PARAM_DIGEST OSSL_ALG_PARAM_DIGEST +#define OSSL_RAND_PARAM_CIPHER OSSL_ALG_PARAM_CIPHER +#define OSSL_RAND_PARAM_TEST_ENTROPY "test_entropy" +#define OSSL_RAND_PARAM_TEST_NONCE "test_nonce" + /* PKEY parameters */ /* Common PKEY parameters */ #define OSSL_PKEY_PARAM_BITS "bits" /* integer */ diff --git a/include/openssl/core_numbers.h b/include/openssl/core_numbers.h index ce8306e5bc..acc758e462 100644 --- a/include/openssl/core_numbers.h +++ b/include/openssl/core_numbers.h @@ -359,24 +359,28 @@ OSSL_CORE_MAKE_FUNC(int, OP_kdf_set_ctx_params, # define OSSL_FUNC_RAND_GET_CTX_PARAMS 15 # define OSSL_FUNC_RAND_SET_CTX_PARAMS 16 # define OSSL_FUNC_RAND_SET_CALLBACKS 17 +# define OSSL_FUNC_RAND_VERIFY_ZEROIZATION 18 OSSL_CORE_MAKE_FUNC(void *, OP_rand_newctx, - (void *provctx, int secure, unsigned int df, void *parent, + (void *provctx, int secure, void *parent, const OSSL_DISPATCH *parent_calls)) OSSL_CORE_MAKE_FUNC(void, OP_rand_freectx, (void *vctx)) OSSL_CORE_MAKE_FUNC(int, OP_rand_instantiate, - (void *vdrbg, int strength, int prediction_resistance, + (void *vdrbg, unsigned int strength, + int prediction_resistance, const unsigned char *pstr, size_t pstr_len)) OSSL_CORE_MAKE_FUNC(int, OP_rand_uninstantiate, (void *vdrbg)) OSSL_CORE_MAKE_FUNC(int, OP_rand_generate, (void *vctx, unsigned char *out, size_t outlen, - int strength, int prediction_resistance, + unsigned int strength, int prediction_resistance, const unsigned char *addin, size_t addin_len)) OSSL_CORE_MAKE_FUNC(int, OP_rand_reseed, (void *vctx, int prediction_resistance, + const unsigned char *ent, size_t ent_len, const unsigned char *addin, size_t addin_len)) -OSSL_CORE_MAKE_FUNC(int, OP_rand_nonce, - (void *vctx, unsigned char *out, size_t outlen)) +OSSL_CORE_MAKE_FUNC(size_t, OP_rand_nonce, + (void *vctx, unsigned char *out, int strength, + size_t min_noncelen, size_t max_noncelen)) OSSL_CORE_MAKE_FUNC(int, OP_rand_set_callbacks, (void *vctx, OSSL_CALLBACK *get_entropy, OSSL_CALLBACK *cleanup_entropy, @@ -392,6 +396,8 @@ OSSL_CORE_MAKE_FUNC(int, OP_rand_get_ctx_params, (void *vctx, OSSL_PARAM params[])) OSSL_CORE_MAKE_FUNC(int, OP_rand_set_ctx_params, (void *vctx, const OSSL_PARAM params[])) +OSSL_CORE_MAKE_FUNC(int, OP_rand_verify_zeroization, + (void *vctx)) /*- * Key management diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 9d8b447525..2e6f855031 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1073,7 +1073,7 @@ void EVP_MD_do_all_provided(OPENSSL_CTX *libctx, /* RAND stuff */ EVP_RAND *EVP_RAND_fetch(OPENSSL_CTX *libctx, const char *algorithm, - const char *properties); + const char *properties); int EVP_RAND_up_ref(EVP_RAND *rand); void EVP_RAND_free(EVP_RAND *rand); int EVP_RAND_number(const EVP_RAND *rand); @@ -1082,7 +1082,7 @@ int EVP_RAND_is_a(const EVP_RAND *rand, const char *name); const OSSL_PROVIDER *EVP_RAND_provider(const EVP_RAND *rand); int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]); -EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df, +EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, EVP_RAND_CTX *parent); void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx); EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx); @@ -1099,14 +1099,15 @@ void EVP_RAND_names_do_all(const EVP_RAND *rand, void (*fn)(const char *name, void *data), void *data); -int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength, +int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength, int prediction_resistance, const unsigned char *pstr, size_t pstr_len); int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx); int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen, - int strength, int prediction_resistance, + unsigned int strength, int prediction_resistance, const unsigned char *addin, size_t addin_len); int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance, + const unsigned char *ent, size_t ent_len, const unsigned char *addin, size_t addin_len); int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen); int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand, @@ -1114,6 +1115,14 @@ int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand, OSSL_CALLBACK *cleanup_entropy, OSSL_CALLBACK *get_nonce, OSSL_CALLBACK *cleanup_nonce); +int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *ctx); +int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx); +unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx); +int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx); + +#define EVP_RAND_STATE_UNINITIALISED 0 +#define EVP_RAND_STATE_READY 1 +#define EVP_RAND_STATE_ERROR 2 /* PKEY stuff */ DEPRECATEDIN_3_0(int EVP_PKEY_decrypt_old(unsigned char *dec_key, diff --git a/providers/implementations/build.info b/providers/implementations/build.info index e4cab9bd2e..839478ef36 100644 --- a/providers/implementations/build.info +++ b/providers/implementations/build.info @@ -1,2 +1,2 @@ -SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature asymciphers \ +SUBDIRS=digests ciphers rands macs kdfs exchange keymgmt signature asymciphers \ serializers diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 0589a6e996..ee942e94e1 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -7,6 +7,9 @@ * https://www.openssl.org/source/license.html */ +#include +#include + /* Digests */ extern const OSSL_DISPATCH sha1_functions[]; extern const OSSL_DISPATCH sha224_functions[]; @@ -252,6 +255,12 @@ extern const OSSL_DISPATCH kdf_x942_kdf_functions[]; #endif extern const OSSL_DISPATCH kdf_krb5kdf_functions[]; +/* RNGs */ +extern const OSSL_DISPATCH test_rng_functions[]; +extern const OSSL_DISPATCH drbg_hash_functions[]; +extern const OSSL_DISPATCH drbg_hmac_functions[]; +extern const OSSL_DISPATCH drbg_ctr_functions[]; +extern const OSSL_DISPATCH crngt_functions[]; /* Key management */ extern const OSSL_DISPATCH dh_keymgmt_functions[]; diff --git a/providers/implementations/rands/build.info b/providers/implementations/rands/build.info new file mode 100644 index 0000000000..29f7238c1a --- /dev/null +++ b/providers/implementations/rands/build.info @@ -0,0 +1,7 @@ + +# Missing: drbg_ctr.c +SOURCE[../../libfips.a]=drbg.c +SOURCE[../../libnonfips.a]=drbg.c + +# Missing: drbg_hmac.c crngt.c +SOURCE[../../libimplementations.a]=test_rng.c drbg_hash.c diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c new file mode 100644 index 0000000000..c9e4cd4b60 --- /dev/null +++ b/providers/implementations/rands/drbg.c @@ -0,0 +1,884 @@ +/* + * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "crypto/rand.h" +#include "drbg_local.h" +#include "internal/thread_once.h" +#include "crypto/cryptlib.h" +#include "seeding/seeding.h" +#include "crypto/rand_pool.h" + +/* + * Support framework for NIST SP 800-90A DRBG + * + * See manual page PROV_DRBG(7) for a general overview. + * + * The OpenSSL model is to have new and free functions, and that new + * does all initialization. That is not the NIST model, which has + * instantiation and un-instantiate, and re-use within a new/free + * lifecycle. (No doubt this comes from the desire to support hardware + * DRBG, where allocation of resources on something like an HSM is + * a much bigger deal than just re-setting an allocated resource.) + */ + +#ifdef FIPS_MODULE +# define get_entropy prov_crngt_get_entropy +# define cleanup_entropy prov_crngt_cleanup_entropy +#else +# define get_entropy prov_drbg_get_entropy +# define cleanup_entropy prov_drbg_cleanup_entropy +#endif + +/* NIST SP 800-90A DRBG recommends the use of a personalization string. */ +static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; + +static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL; +static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL; + +static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL; +static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL; + +static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch, + int function); + +int drbg_lock(void *vctx) +{ + PROV_DRBG *drbg = vctx; + + if (drbg == NULL || drbg->lock == NULL) + return 1; + return CRYPTO_THREAD_write_lock(drbg->lock); +} + +void drbg_unlock(void *vctx) +{ + PROV_DRBG *drbg = vctx; + + if (drbg != NULL && drbg->lock != NULL) + CRYPTO_THREAD_unlock(drbg->lock); +} + +static int drbg_lock_parent(PROV_DRBG *drbg) +{ + void *parent = drbg->parent; + const OSSL_DISPATCH *pfunc; + + if (parent != NULL) { + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_LOCK); + if (pfunc != NULL && !OSSL_get_OP_rand_lock(pfunc)(parent)) { + ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED); + return 0; + } + } + return 1; +} + +static void drbg_unlock_parent(PROV_DRBG *drbg) +{ + void *parent = drbg->parent; + const OSSL_DISPATCH *pfunc; + + if (parent != NULL) { + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_UNLOCK); + if (pfunc != NULL) + OSSL_get_OP_rand_unlock(pfunc)(parent); + } +} + +static int get_parent_strength(PROV_DRBG *drbg, int *str) +{ + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + const OSSL_DISPATCH *pfunc; + void *parent = drbg->parent; + + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS); + if (pfunc == NULL) { + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH); + return 0; + } + *params = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STRENGTH, str); + if (!drbg_lock_parent(drbg)) { + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT); + return 0; + } + if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) { + drbg_unlock_parent(drbg); + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH); + return 0; + } + drbg_unlock_parent(drbg); + return 1; +} + +static unsigned int get_parent_reseed_count(PROV_DRBG *drbg) +{ + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + const OSSL_DISPATCH *pfunc; + void *parent = drbg->parent; + unsigned int r; + + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS); + if (pfunc == NULL) { + ERR_raise(ERR_LIB_PROV, + RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER); + goto err; + } + *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_RESEED_PROP_CTR, &r); + if (!drbg_lock_parent(drbg)) { + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT); + goto err; + } + if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) { + drbg_unlock_parent(drbg); + ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_RESEED_PROP_CTR); + goto err; + } + drbg_unlock_parent(drbg); + return r; + + err: + r = tsan_load(&drbg->reseed_prop_counter) - 2; + if (r == 0) + r = UINT_MAX; + return r; +} + +#ifndef FIPS_MODULE +/* + * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) + * + * If the DRBG has a parent, then the required amount of entropy input + * is fetched using the parent's RAND_DRBG_generate(). + * + * Otherwise, the entropy is polled from the system entropy sources + * using rand_pool_acquire_entropy(). + * + * If a random pool has been added to the DRBG using RAND_add(), then + * its entropy will be used up first. + */ +static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +{ + size_t ret = 0; + size_t entropy_available = 0; + RAND_POOL *pool; + int p_str; + const OSSL_DISPATCH *pfunc; + + if (drbg->parent != NULL) { + if (!get_parent_strength(drbg, &p_str)) + return 0; + if (drbg->strength > p_str) { + /* + * We currently don't support the algorithm from NIST SP 800-90C + * 10.1.2 to use a weaker DRBG as source + */ + RANDerr(0, RAND_R_PARENT_STRENGTH_TOO_WEAK); + return 0; + } + } + + if (drbg->seed_pool != NULL) { + pool = drbg->seed_pool; + pool->entropy_requested = entropy; + } else { + pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); + if (pool == NULL) + return 0; + } + + if (drbg->parent != NULL) { + size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); + unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); + + if (buffer != NULL) { + size_t bytes = 0; + + /* + * Get random data from parent. Include our address as additional input, + * in order to provide some additional distinction between different + * DRBG child instances. + * Our lock is already held, but we need to lock our parent before + * generating bits from it. (Note: taking the lock will be a no-op + * if locking if drbg->parent->lock == NULL.) + */ + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GENERATE); + if (pfunc == NULL) + return 0; + drbg_lock_parent(drbg); + if (OSSL_get_OP_rand_generate(pfunc)(drbg->parent, buffer, bytes_needed, + drbg->strength, + prediction_resistance, + (unsigned char *)&drbg, + sizeof(drbg)) != 0) + bytes = bytes_needed; + drbg->reseed_next_counter = get_parent_reseed_count(drbg); + drbg_unlock_parent(drbg); + + rand_pool_add_end(pool, bytes, 8 * bytes); + entropy_available = rand_pool_entropy_available(pool); + } + } else { + /* Get entropy by polling system entropy sources. */ + entropy_available = rand_pool_acquire_entropy(pool); + } + + if (entropy_available > 0) { + ret = rand_pool_length(pool); + *pout = rand_pool_detach(pool); + } + + if (drbg->seed_pool == NULL) + rand_pool_free(pool); + return ret; +} + +/* + * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks()) + * + */ +static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg, + unsigned char *out, size_t outlen) +{ + if (drbg->seed_pool == NULL) { + if (drbg->secure) + OPENSSL_secure_clear_free(out, outlen); + else + OPENSSL_clear_free(out, outlen); + } +} +#endif + +#ifndef PROV_RAND_GET_RANDOM_NONCE +typedef struct prov_drbg_nonce_global_st { + CRYPTO_RWLOCK *rand_nonce_lock; + int rand_nonce_count; +} PROV_DRBG_NONCE_GLOBAL; + +/* + * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce() + * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since + * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock + * to be in a different global data object. Otherwise we will go into an + * infinite recursion loop. + */ +static void *prov_drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx) +{ + PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl)); + + if (dngbl == NULL) + return NULL; + + dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new(); + if (dngbl->rand_nonce_lock == NULL) { + OPENSSL_free(dngbl); + return NULL; + } + + return dngbl; +} + +static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl) +{ + PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl; + + if (dngbl == NULL) + return; + + CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock); + + OPENSSL_free(dngbl); +} + +static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = { + prov_drbg_nonce_ossl_ctx_new, + prov_drbg_nonce_ossl_ctx_free, +}; + +/* Get a nonce from the operating system */ +static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + size_t ret = 0; + RAND_POOL *pool; + PROV_DRBG_NONCE_GLOBAL *dngbl + = openssl_ctx_get_data(drbg->libctx, OPENSSL_CTX_DRBG_NONCE_INDEX, + &drbg_nonce_ossl_ctx_method); + struct { + void *instance; + int count; + } data; + + + if (dngbl == NULL) + return 0; + + memset(&data, 0, sizeof(data)); + pool = rand_pool_new(0, 0, min_len, max_len); + if (pool == NULL) + return 0; + + if (rand_pool_add_nonce_data(pool) == 0) + goto err; + + data.instance = drbg; + CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count, + dngbl->rand_nonce_lock); + + if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0) + goto err; + + ret = rand_pool_length(pool); + *pout = rand_pool_detach(pool); + + err: + rand_pool_free(pool); + + return ret; +} +#endif + +/* + * Implements the cleanup_nonce() callback (see PROV_DRBG_set_callbacks()) + * + */ +static void prov_drbg_cleanup_nonce(PROV_DRBG *drbg, + unsigned char *out, size_t outlen) +{ + OPENSSL_clear_free(out, outlen); +} + +/* + * Instantiate |drbg|, after it has been initialized. Use |pers| and + * |perslen| as prediction-resistance input. + * + * Requires that drbg->lock is already locked for write, if non-null. + * + * Returns 1 on success, 0 on failure. + */ +int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength, + int prediction_resistance, + const unsigned char *pers, size_t perslen, + int (*ifnc)(PROV_DRBG *drbg, + const unsigned char *ent, size_t ent_len, + const unsigned char *nonce, + size_t nonce_len, + const unsigned char *pstr, + size_t pstr_len)) +{ + unsigned char *nonce = NULL, *entropy = NULL; + size_t noncelen = 0, entropylen = 0; + size_t min_entropy, min_entropylen, max_entropylen; + const OSSL_DISPATCH *pnonce; + + if (strength > drbg->strength) { + PROVerr(0, RAND_R_INSUFFICIENT_DRBG_STRENGTH); + goto end; + } + min_entropy = drbg->strength; + min_entropylen = drbg->min_entropylen; + max_entropylen = drbg->max_entropylen; + + if (pers == NULL) { + pers = (const unsigned char *)ossl_pers_string; + perslen = sizeof(ossl_pers_string); + } + if (perslen > drbg->max_perslen) { + PROVerr(0, RAND_R_PERSONALISATION_STRING_TOO_LONG); + goto end; + } + + if (drbg->state != DRBG_UNINITIALISED) { + if (drbg->state == DRBG_ERROR) + PROVerr(0, RAND_R_IN_ERROR_STATE); + else + PROVerr(0, RAND_R_ALREADY_INSTANTIATED); + goto end; + } + + drbg->state = DRBG_ERROR; + + if (drbg->min_noncelen > 0) { +#ifndef PROV_RAND_GET_RANDOM_NONCE + if (drbg->parent != NULL) +#endif + { + pnonce = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_NONCE); + if (pnonce == NULL) { + /* + * NIST SP800-90Ar1 section 9.1 says you can combine getting + * the entropy and nonce in 1 call by increasing the entropy + * with 50% and increasing the minimum length to accommodate + * the length of the nonce. We do this in case a nonce is + * required and there is no parental nonce capability. + */ + min_entropy += drbg->strength / 2; + min_entropylen += drbg->min_noncelen; + max_entropylen += drbg->max_noncelen; + } else { + drbg_lock_parent(drbg); + noncelen = OSSL_get_OP_rand_nonce(pnonce)(drbg->parent, &nonce, + drbg->strength / 2, + drbg->min_noncelen, + drbg->max_noncelen); + drbg_unlock_parent(drbg); + if (noncelen < drbg->min_noncelen + || noncelen > drbg->max_noncelen) { + PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE); + goto end; + } + } + } +#ifndef PROV_RAND_GET_RANDOM_NONCE + else { /* parent == NULL */ + noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->strength / 2, + drbg->min_noncelen, + drbg->max_noncelen); + if (noncelen < drbg->min_noncelen + || noncelen > drbg->max_noncelen) { + PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE); + goto end; + } + } +#endif + } + + drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter); + if (drbg->reseed_next_counter) { + drbg->reseed_next_counter++; + if(!drbg->reseed_next_counter) + drbg->reseed_next_counter = 1; + } + + entropylen = get_entropy(drbg, &entropy, min_entropy, + min_entropylen, max_entropylen, + prediction_resistance); + if (entropylen < min_entropylen + || entropylen > max_entropylen) { + PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY); + goto end; + } + + if (!ifnc(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) { + PROVerr(0, RAND_R_ERROR_INSTANTIATING_DRBG); + goto end; + } + + drbg->state = DRBG_READY; + drbg->reseed_gen_counter = 1; + drbg->reseed_time = time(NULL); + tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter); + + end: + if (entropy != NULL) + cleanup_entropy(drbg, entropy, entropylen); + if (nonce != NULL) + prov_drbg_cleanup_nonce(drbg, nonce, noncelen); + if (drbg->state == DRBG_READY) + return 1; + return 0; +} + +/* + * Reseed |drbg|, mixing in the specified data + * + * Requires that drbg->lock is already locked for write, if non-null. + * + * Returns 1 on success, 0 on failure. + */ +int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance, + const unsigned char *ent, size_t ent_len, + const unsigned char *adin, size_t adinlen, + int (*reseed)(PROV_DRBG *drbg, + const unsigned char *ent, size_t ent_len, + const unsigned char *adin, size_t adin_len)) +{ + unsigned char *entropy = NULL; + size_t entropylen = 0; + + if (drbg->state == DRBG_ERROR) { + PROVerr(0, RAND_R_IN_ERROR_STATE); + return 0; + } + if (drbg->state == DRBG_UNINITIALISED) { + PROVerr(0, RAND_R_NOT_INSTANTIATED); + return 0; + } + + if (adin == NULL) { + adinlen = 0; + } else if (adinlen > drbg->max_adinlen) { + PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG); + return 0; + } + + drbg->state = DRBG_ERROR; + + drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter); + if (drbg->reseed_next_counter) { + drbg->reseed_next_counter++; + if(!drbg->reseed_next_counter) + drbg->reseed_next_counter = 1; + } + + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, + prediction_resistance); + if (entropylen < drbg->min_entropylen + || entropylen > drbg->max_entropylen) { + PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY); + goto end; + } + + if (!reseed(drbg, entropy, entropylen, adin, adinlen)) + goto end; + + drbg->state = DRBG_READY; + drbg->reseed_gen_counter = 1; + drbg->reseed_time = time(NULL); + tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter); + + end: + if (entropy != NULL) + OPENSSL_cleanse(entropy, entropylen); + if (drbg->state == DRBG_READY) + return 1; + return 0; +} + +/* + * Generate |outlen| bytes into the buffer at |out|. Reseed if we need + * to or if |prediction_resistance| is set. Additional input can be + * sent in |adin| and |adinlen|. + * + * Requires that drbg->lock is already locked for write, if non-null. + * + * Returns 1 on success, 0 on failure. + * + */ +int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen, + int strength, int prediction_resistance, + const unsigned char *adin, size_t adinlen, + int (*generate)(PROV_DRBG *, unsigned char *out, + size_t outlen, const unsigned char *adin, + size_t adin_len), + int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, + size_t ent_len, const unsigned char *adin, + size_t adin_len)) +{ + int fork_id; + int reseed_required = 0; + + if (drbg->state != DRBG_READY) { + if (drbg->state == DRBG_ERROR) { + PROVerr(0, RAND_R_IN_ERROR_STATE); + return 0; + } + if (drbg->state == DRBG_UNINITIALISED) { + PROVerr(0, RAND_R_NOT_INSTANTIATED); + return 0; + } + } + + if (outlen > drbg->max_request) { + PROVerr(0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG); + return 0; + } + if (adinlen > drbg->max_adinlen) { + PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG); + return 0; + } + + fork_id = openssl_get_fork_id(); + + if (drbg->fork_id != fork_id) { + drbg->fork_id = fork_id; + reseed_required = 1; + } + + if (drbg->reseed_interval > 0) { + if (drbg->reseed_gen_counter > drbg->reseed_interval) + reseed_required = 1; + } + if (drbg->reseed_time_interval > 0) { + time_t now = time(NULL); + if (now < drbg->reseed_time + || now - drbg->reseed_time >= drbg->reseed_time_interval) + reseed_required = 1; + } + if (drbg->parent != NULL) { + unsigned int reseed_counter = 0; + + if (reseed_counter > 0 + && get_parent_reseed_count(drbg) != + tsan_load(&drbg->reseed_prop_counter)) + reseed_required = 1; + } + + if (reseed_required || prediction_resistance) { + if (!PROV_DRBG_reseed(drbg, prediction_resistance, NULL, 0, + adin, adinlen, reseed)) { + PROVerr(0, RAND_R_RESEED_ERROR); + return 0; + } + adin = NULL; + adinlen = 0; + } + + if (!generate(drbg, out, outlen, adin, adinlen)) { + drbg->state = DRBG_ERROR; + PROVerr(0, RAND_R_GENERATE_ERROR); + return 0; + } + + drbg->reseed_gen_counter++; + + return 1; +} + +#if 0 +/* + * Calculates the minimum length of a full entropy buffer + * which is necessary to seed (i.e. instantiate) the DRBG + * successfully. + */ +size_t prov_drbg_seedlen(PROV_DRBG *drbg) +{ + /* + * If no os entropy source is available then PROV_seed(buffer, bufsize) + * is expected to succeed if and only if the buffer length satisfies + * the following requirements, which follow from the calculations + * in PROV_DRBG_instantiate(). + */ + size_t min_entropy = drbg->strength; + size_t min_entropylen = drbg->min_entropylen; + + /* + * Extra entropy for the random nonce in the absence of a + * get_nonce callback, see comment in PROV_DRBG_instantiate(). + */ + if (drbg->min_noncelen > 0) { +#ifndef PROV_RAND_GET_RANDOM_NONCE + if (drbg->parent != NULL) +#endif + if (find_call(drbg->parent_dispatch, + OSSL_FUNC_RAND_NONCE) == NULL) { + min_entropy += drbg->strength / 2; + min_entropylen += drbg->min_noncelen; + } + } + + /* + * Convert entropy requirement from bits to bytes + * (dividing by 8 without rounding upwards, because + * all entropy requirements are divisible by 8). + */ + min_entropy >>= 3; + + /* Return a value that satisfies both requirements */ + return min_entropy > min_entropylen ? min_entropy : min_entropylen; +} +#endif + +/* Provider support from here down */ +static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch, + int function) +{ + if (dispatch != NULL) + while (dispatch->function_id != 0) + if (dispatch->function_id == function) + return dispatch; + return NULL; +} + +int drbg_enable_locking(void *vctx) +{ + PROV_DRBG *drbg = vctx; + const OSSL_DISPATCH *pfunc; + + if (drbg == NULL) + return 1; + if (drbg->lock == NULL) { + if (drbg->state != DRBG_UNINITIALISED) { + ERR_raise(ERR_LIB_PROV, RAND_R_DRBG_ALREADY_INITIALIZED); + return 0; + } + + pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING); + if (pfunc != NULL) + if (!OSSL_get_OP_rand_enable_locking(pfunc)(drbg->parent)) { + ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED); + return 0; + } + drbg->lock = CRYPTO_THREAD_lock_new(); + if (drbg->lock == NULL) { + ERR_raise(ERR_LIB_PROV, RAND_R_FAILED_TO_CREATE_LOCK); + return 0; + } + } + return 1; +} + +/* + * Allocate memory and initialize a new DRBG. The DRBG is allocated on + * the secure heap if |secure| is nonzero and the secure heap is enabled. + * The |parent|, if not NULL, will be used as random source for reseeding. + * This also requires the parent's provider context and the parent's lock. + * + * Returns a pointer to the new DRBG instance on success, NULL on failure. + */ +PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent, + const OSSL_DISPATCH *parent_dispatch, + int (*dnew)(PROV_DRBG *ctx, int secure)) +{ + PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg)); + int p_str; + + if (drbg == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return NULL; + } + + drbg->libctx = provctx; + drbg->secure = secure; + drbg->parent = parent; + drbg->parent_dispatch = parent_dispatch; + + /* Set some default maximums up */ + drbg->max_entropylen = DRBG_MAX_LENGTH; + drbg->max_noncelen = DRBG_MAX_LENGTH; + drbg->max_perslen = DRBG_MAX_LENGTH; + drbg->max_adinlen = DRBG_MAX_LENGTH; + drbg->reseed_gen_counter = 1; + + /* TODO(3.0) clean this up */ + if (parent == NULL) { + drbg->reseed_interval = master_reseed_interval; + drbg->reseed_time_interval = master_reseed_time_interval; + } else { + /* + * Do not provide nonce callbacks, the child DRBGs will + * obtain their nonce using random bits from the parent. + */ + drbg->reseed_interval = slave_reseed_interval; + drbg->reseed_time_interval = slave_reseed_time_interval; + } + + if (!dnew(drbg, secure)) + goto err; + + if (parent != NULL) { + if (!get_parent_strength(drbg, &p_str)) + goto err; + if (drbg->strength > p_str) { + /* + * We currently don't support the algorithm from NIST SP 800-90C + * 10.1.2 to use a weaker DRBG as source + */ + ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_STRENGTH_TOO_WEAK); + goto err; + } + } + return drbg; + + err: + prov_rand_drbg_free(drbg); + return NULL; +} + +void prov_rand_drbg_free(PROV_DRBG *drbg) +{ + if (drbg == NULL) + return; + + rand_pool_free(drbg->adin_pool); + CRYPTO_THREAD_lock_free(drbg->lock); +#ifndef FIPS_MODULE + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data); +#endif +} + +int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATUS); + if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); + if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_ENTROPYLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ENTROPYLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_NONCELEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_NONCELEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_PERSLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ADINLEN); + if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_CTR); + if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_gen_counter)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_REQUESTS); + if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL); + if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_PROP_CTR); + if (p != NULL + && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_prop_counter))) + return 0; + return 1; +} + +int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + + p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_REQUESTS); + if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval)) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL); + if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval)) + return 0; + return 1; +} diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h new file mode 100644 index 0000000000..a605186947 --- /dev/null +++ b/providers/implementations/rands/drbg_local.h @@ -0,0 +1,287 @@ +/* + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_CRYPTO_PROV_LOCAL_H +# define OSSL_CRYPTO_PROV_LOCAL_H + +# include +# include +# include +# include +# include "internal/tsan_assist.h" + +# include "internal/numbers.h" + +/* How many times to read the TSC as a randomness source. */ +# define TSC_READ_COUNT 4 + +/* Maximum reseed intervals */ +# define MAX_RESEED_INTERVAL (1 << 24) +# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ + +/* Default reseed intervals */ +# define MASTER_RESEED_INTERVAL (1 << 8) +# define SLAVE_RESEED_INTERVAL (1 << 16) +# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ +# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ + +/* + * The number of bytes that constitutes an atomic lump of entropy with respect + * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat + * arbitrary, the smaller the value, the less entropy is consumed on first + * read but the higher the probability of the test failing by accident. + * + * The value is in bytes. + */ +#define CRNGT_BUFSIZ 16 + +/* + * Maximum input size for the DRBG (entropy, nonce, personalization string) + * + * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. + * + * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. + */ +# define DRBG_MAX_LENGTH INT32_MAX + +/* The default nonce */ +#ifdef CHARSET_EBCDIC +# define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \ + 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \ + 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00}; +#else +# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" +#endif + +typedef struct prov_drbg_st PROV_DRBG; + +/* DRBG status values */ +typedef enum drbg_status_e { + DRBG_UNINITIALISED, + DRBG_READY, + DRBG_ERROR +} DRBG_STATUS; + +/* + * The DRBG methods + */ + +typedef struct rand_drbg_hmac_st { + EVP_MD *md; + HMAC_CTX *ctx; + size_t blocklen; + unsigned char K[EVP_MAX_MD_SIZE]; + unsigned char V[EVP_MAX_MD_SIZE]; +} PROV_DRBG_HMAC; + +/* + * The state of a DRBG AES-CTR. + */ +typedef struct rand_drbg_ctr_st { + EVP_CIPHER_CTX *ctx_ecb; + EVP_CIPHER_CTX *ctx_ctr; + EVP_CIPHER_CTX *ctx_df; + EVP_CIPHER *cipher_ecb; + EVP_CIPHER *cipher_ctr; + size_t keylen; + unsigned char K[32]; + unsigned char V[16]; + /* Temporary block storage used by ctr_df */ + unsigned char bltmp[16]; + size_t bltmp_pos; + unsigned char KX[48]; +} PROV_DRBG_CTR; + + +/* + * The state of all types of DRBGs, even though we only have CTR mode + * right now. + */ +struct prov_drbg_st { + CRYPTO_RWLOCK *lock; + /* The library context this DRBG is associated with, if any */ + OPENSSL_CTX *libctx; + void *parent; + const OSSL_DISPATCH *parent_dispatch; + int secure; /* 1: allocated on the secure heap, 0: otherwise */ + /* + * Stores the return value of openssl_get_fork_id() as of when we last + * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != + * openssl_get_fork_id(). Used to provide fork-safety and reseed this + * DRBG in the child process. + */ + int fork_id; + unsigned short flags; /* various external flags */ + + /* + * The random_data is used by PROV_add()/drbg_add() to attach random + * data to the global drbg, such that the rand_drbg_get_entropy() callback + * can pull it during instantiation and reseeding. This is necessary to + * reconcile the different philosophies of the PROV and the PROV_DRBG + * with respect to how randomness is added to the RNG during reseeding + * (see PR #4328). + */ + struct rand_pool_st *seed_pool; + + /* + * Auxiliary pool for additional data. + */ + struct rand_pool_st *adin_pool; + + /* + * The following parameters are setup by the per-type "init" function. + * + * The supported types and their init functions are: + * (1) CTR_DRBG: drbg_ctr_init(). + * (2) HMAC_DRBG: drbg_hmac_init(). + * (3) HASH_DRBG: drbg_hash_init(). + * + * The parameters are closely related to the ones described in + * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one + * crucial difference: In the NIST standard, all counts are given + * in bits, whereas in OpenSSL entropy counts are given in bits + * and buffer lengths are given in bytes. + * + * Since this difference has lead to some confusion in the past, + * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) + * the 'len' suffix has been added to all buffer sizes for + * clarification. + */ + + int strength; + size_t max_request; + size_t min_entropylen, max_entropylen; + size_t min_noncelen, max_noncelen; + size_t max_perslen, max_adinlen; + + /* + * Counts the number of generate requests since the last reseed + * (Starts at 1). This value is the reseed_counter as defined in + * NIST SP 800-90Ar1 + */ + unsigned int reseed_gen_counter; + /* + * Maximum number of generate requests until a reseed is required. + * This value is ignored if it is zero. + */ + unsigned int reseed_interval; + /* Stores the time when the last reseeding occurred */ + time_t reseed_time; + /* + * Specifies the maximum time interval (in seconds) between reseeds. + * This value is ignored if it is zero. + */ + time_t reseed_time_interval; + /* + * Counts the number of reseeds since instantiation. + * This value is ignored if it is zero. + * + * This counter is used only for seed propagation from the DRBG + * to its two children, the and DRBG. This feature is + * very special and its sole purpose is to ensure that any randomness which + * is added by PROV_add() or PROV_seed() will have an immediate effect on + * the output of PROV_bytes() resp. PROV_priv_bytes(). + */ + TSAN_QUALIFIER unsigned int reseed_prop_counter; + unsigned int reseed_next_counter; + + size_t seedlen; + DRBG_STATUS state; + + void *data; + +#ifndef FIPS_MODULE + /* Application data, mainly used in the KATs. */ + CRYPTO_EX_DATA ex_data; +#endif +}; + +/* DRBG helpers */ +int rand_drbg_restart(PROV_DRBG *drbg, + const unsigned char *buffer, size_t len, size_t entropy); +size_t rand_drbg_seedlen(PROV_DRBG *drbg); + +PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent, + const OSSL_DISPATCH *parent_dispatch, + int (*dnew)(PROV_DRBG *ctx, int secure)); +void prov_rand_free(PROV_DRBG *drbg); + +int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength, + int prediction_resistance, + const unsigned char *pers, size_t perslen, + int (*ifnc)(PROV_DRBG *drbg, + const unsigned char *ent, size_t ent_len, + const unsigned char *nonce, + size_t nonce_len, + const unsigned char *pstr, + size_t pstr_len)); + +int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance, + const unsigned char *ent, size_t ent_len, + const unsigned char *adin, size_t adinlen, + int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, + size_t ent_len, const unsigned char *adin, + size_t adin_len)); + +int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen, + int strength, int prediction_resistance, + const unsigned char *adin, size_t adinlen, + int (*generate)(PROV_DRBG *, unsigned char *out, + size_t outlen, const unsigned char *adin, + size_t adin_len), + int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, + size_t ent_len, const unsigned char *adin, + size_t adin_len)); + +/* locking api */ +OSSL_OP_rand_enable_locking_fn drbg_enable_locking; +OSSL_OP_rand_lock_fn drbg_lock; +OSSL_OP_rand_unlock_fn drbg_unlock; + +int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]); +int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]); + +#define OSSL_PARAM_DRBG_SETABLE_CTX_COMMON \ + OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_REQUESTS, NULL), \ + OSSL_PARAM_uint64(OSSL_RAND_PARAM_RESEED_TIME_INTERVAL, NULL) + +#define OSSL_PARAM_DRBG_GETABLE_CTX_COMMON \ + OSSL_PARAM_int(OSSL_RAND_PARAM_STATUS, NULL), \ + OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MIN_ENTROPYLEN, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_ENTROPYLEN, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MIN_NONCELEN, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_NONCELEN, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_PERSLEN, NULL), \ + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_ADINLEN, NULL), \ + OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_CTR, NULL), \ + OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_REQUESTS, NULL), \ + OSSL_PARAM_uint64(OSSL_RAND_PARAM_RESEED_TIME_INTERVAL, NULL) + +size_t prov_crngt_get_entropy(PROV_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance); +void prov_crngt_cleanup_entropy(PROV_DRBG *drbg, + unsigned char *out, size_t outlen); + +/* + * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. + * These need to be exposed for the unit tests. + */ +#if 0 +int rand_crngt_get_entropy_cb(OPENSSL_CTX *ctx, PROV_POOL *pool, + unsigned char *buf, unsigned char *md, + unsigned int *md_size); +extern int (*crngt_get_entropy)(OPENSSL_CTX *ctx, PROV_POOL *pool, + unsigned char *buf, unsigned char *md, + unsigned int *md_size); +#endif +#endif diff --git a/providers/implementations/rands/rand_crng_test.c b/providers/implementations/rands/rand_crng_test.c index 950cc629d7..b348b40d82 100644 --- a/providers/implementations/rands/rand_crng_test.c +++ b/providers/implementations/rands/rand_crng_test.c @@ -17,16 +17,42 @@ #include "crypto/rand.h" #include "internal/thread_once.h" #include "internal/cryptlib.h" -#include "rand_local.h" +#include "crypto/rand_pool.h" +#include "drbg_local.h" +#include "crypto/rand_pool.h" +#include "seeding/seeding.h" typedef struct crng_test_global_st { unsigned char crngt_prev[EVP_MAX_MD_SIZE]; RAND_POOL *crngt_pool; } CRNG_TEST_GLOBAL; -int (*crngt_get_entropy)(OPENSSL_CTX *, RAND_POOL *, unsigned char *, - unsigned char *, unsigned int *) - = &rand_crngt_get_entropy_cb; +static int crngt_get_entropy(OPENSSL_CTX *ctx, RAND_POOL *pool, + unsigned char *buf, unsigned char *md, + unsigned int *md_size) +{ + int r; + size_t n; + unsigned char *p; + + if (pool == NULL) + return 0; + + n = prov_pool_acquire_entropy(pool); + if (n >= CRNGT_BUFSIZ) { + EVP_MD *fmd = EVP_MD_fetch(ctx, "SHA256", ""); + if (fmd == NULL) + return 0; + p = rand_pool_detach(pool); + r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, fmd, NULL); + if (r != 0) + memcpy(buf, p, CRNGT_BUFSIZ); + rand_pool_reattach(pool, p); + EVP_MD_free(fmd); + return r; + } + return 0; +} static void rand_crng_ossl_ctx_free(void *vcrngt_glob) { @@ -137,3 +163,24 @@ void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, { OPENSSL_secure_clear_free(out, outlen); } + +#if 0 +const OSSL_DISPATCH crngt_functions[] = { + { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))crngt_new }, + { OSSL_FUNC_RAND_FREECTX, (void(*)(void))crngt_free }, + { OSSL_FUNC_RAND_INSTANTIATE, (void(*)(void))crngt_instantiate }, + { OSSL_FUNC_RAND_UNINSTANTIATE, (void(*)(void))crngt_uninstantiate }, + { OSSL_FUNC_RAND_GENERATE, (void(*)(void))crngt_generate }, + { OSSL_FUNC_RAND_RESEED, (void(*)(void))crngt_reseed }, + { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))drbg_enable_locking }, + { OSSL_FUNC_RAND_LOCK, (void(*)(void))drbg_lock }, + { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))drbg_unlock }, + { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS, + (void(*)(void))crngt_settable_ctx_params }, + { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))crngt_set_ctx_params }, + { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, + (void(*)(void))crngt_gettable_ctx_params }, + { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))crngt_get_ctx_params }, + { 0, NULL } +}; +#endif -- cgit v1.2.3