1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4 /* ====================================================================
5 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
33 * 6. Redistributions of any form whatsoever must retain the following
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
53 #define OPENSSL_FIPSAPI
56 #include <openssl/crypto.h>
57 #include <openssl/err.h>
58 #include <openssl/fips_rand.h>
59 #include "fips_rand_lcl.h"
61 /* Support framework for SP800-90 DRBGs */
63 int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
66 memset(dctx, 0, sizeof(DRBG_CTX));
67 dctx->status = DRBG_STATUS_UNINITIALISED;
72 dctx->entropy_blocklen = 0;
73 dctx->health_check_cnt = 0;
74 dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
76 rv = fips_drbg_hash_init(dctx);
79 rv = fips_drbg_ctr_init(dctx);
81 rv = fips_drbg_hmac_init(dctx);
83 rv = fips_drbg_ec_init(dctx);
88 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
90 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
93 /* If not in test mode run selftests on DRBG of the same type */
95 if (!(dctx->xflags & DRBG_FLAG_TEST))
97 if (!FIPS_drbg_health_check(dctx))
99 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
107 DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
110 dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
113 FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
119 memset(dctx, 0, sizeof(DRBG_CTX));
121 dctx->status = DRBG_STATUS_UNINITIALISED;
125 if (FIPS_drbg_init(dctx, type, flags) <= 0)
134 void FIPS_drbg_free(DRBG_CTX *dctx)
136 if (dctx->uninstantiate)
137 dctx->uninstantiate(dctx);
138 /* Don't free up default DRBG */
139 if (dctx == FIPS_get_default_drbg())
141 memset(dctx, 0, sizeof(DRBG_CTX));
143 dctx->status = DRBG_STATUS_UNINITIALISED;
147 OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
152 static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
153 int entropy, size_t min_len, size_t max_len)
155 unsigned char *tout, *p;
156 size_t bl = dctx->entropy_blocklen, rv;
157 if (dctx->xflags & DRBG_FLAG_TEST || !bl)
158 return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
159 rv = dctx->get_entropy(dctx, &tout, entropy + bl,
160 min_len + bl, max_len + bl);
162 if (rv < (min_len + bl) || (rv % bl))
164 /* Compare consecutive blocks for continuous PRNG test */
165 for (p = tout; p < tout + rv - bl; p += bl)
167 if (!memcmp(p, p + bl, bl))
169 FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
179 static void fips_cleanup_entropy(DRBG_CTX *dctx,
180 unsigned char *out, size_t olen)
183 if (dctx->xflags & DRBG_FLAG_TEST)
186 bl = dctx->entropy_blocklen;
187 /* Call cleanup with original arguments */
188 dctx->cleanup_entropy(dctx, out - bl, olen + bl);
192 int FIPS_drbg_instantiate(DRBG_CTX *dctx,
193 const unsigned char *pers, size_t perslen)
195 size_t entlen = 0, noncelen = 0;
196 unsigned char *nonce = NULL, *entropy = NULL;
199 /* Put here so error script picks them up */
200 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
201 FIPS_R_PERSONALISATION_STRING_TOO_LONG);
202 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
203 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
204 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
205 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
206 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
207 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
212 if (perslen > dctx->max_pers)
214 r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
218 if (!dctx->instantiate)
220 r = FIPS_R_DRBG_NOT_INITIALISED;
224 if (dctx->status != DRBG_STATUS_UNINITIALISED)
226 if (dctx->status == DRBG_STATUS_ERROR)
227 r = FIPS_R_IN_ERROR_STATE;
229 r = FIPS_R_ALREADY_INSTANTIATED;
233 dctx->status = DRBG_STATUS_ERROR;
235 entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
236 dctx->min_entropy, dctx->max_entropy);
238 if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
240 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
244 if (dctx->max_nonce > 0)
246 noncelen = dctx->get_nonce(dctx, &nonce,
248 dctx->min_nonce, dctx->max_nonce);
250 if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
252 r = FIPS_R_ERROR_RETRIEVING_NONCE;
258 if (!dctx->instantiate(dctx,
263 r = FIPS_R_ERROR_INSTANTIATING_DRBG;
268 dctx->status = DRBG_STATUS_READY;
269 if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
270 dctx->reseed_counter = 1;
274 if (entropy && dctx->cleanup_entropy)
275 fips_cleanup_entropy(dctx, entropy, entlen);
277 if (nonce && dctx->cleanup_nonce)
278 dctx->cleanup_nonce(dctx, nonce, noncelen);
280 if (dctx->status == DRBG_STATUS_READY)
283 if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
284 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
290 static int drbg_reseed(DRBG_CTX *dctx,
291 const unsigned char *adin, size_t adinlen, int hcheck)
293 unsigned char *entropy = NULL;
298 FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
299 FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
301 if (dctx->status != DRBG_STATUS_READY
302 && dctx->status != DRBG_STATUS_RESEED)
304 if (dctx->status == DRBG_STATUS_ERROR)
305 r = FIPS_R_IN_ERROR_STATE;
306 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
307 r = FIPS_R_NOT_INSTANTIATED;
313 else if (adinlen > dctx->max_adin)
315 r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
319 dctx->status = DRBG_STATUS_ERROR;
320 /* Peform health check on all reseed operations if not a prediction
321 * resistance request and not in test mode.
323 if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
325 if (!FIPS_drbg_health_check(dctx))
327 r = FIPS_R_SELFTEST_FAILURE;
332 entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
333 dctx->min_entropy, dctx->max_entropy);
335 if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
337 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
341 if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
344 dctx->status = DRBG_STATUS_READY;
345 if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
346 dctx->reseed_counter = 1;
349 if (entropy && dctx->cleanup_entropy)
350 fips_cleanup_entropy(dctx, entropy, entlen);
352 if (dctx->status == DRBG_STATUS_READY)
355 if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
356 FIPSerr(FIPS_F_DRBG_RESEED, r);
361 int FIPS_drbg_reseed(DRBG_CTX *dctx,
362 const unsigned char *adin, size_t adinlen)
364 return drbg_reseed(dctx, adin, adinlen, 1);
367 static int fips_drbg_check(DRBG_CTX *dctx)
369 if (dctx->xflags & DRBG_FLAG_TEST)
371 dctx->health_check_cnt++;
372 if (dctx->health_check_cnt >= dctx->health_check_interval)
374 if (!FIPS_drbg_health_check(dctx))
376 FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
383 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
384 int prediction_resistance,
385 const unsigned char *adin, size_t adinlen)
389 if (FIPS_selftest_failed())
391 FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
395 if (!fips_drbg_check(dctx))
398 if (dctx->status != DRBG_STATUS_READY
399 && dctx->status != DRBG_STATUS_RESEED)
401 if (dctx->status == DRBG_STATUS_ERROR)
402 r = FIPS_R_IN_ERROR_STATE;
403 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
404 r = FIPS_R_NOT_INSTANTIATED;
408 if (outlen > dctx->max_request)
410 r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
414 if (adinlen > dctx->max_adin)
416 r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
420 if (dctx->iflags & DRBG_CUSTOM_RESEED)
421 dctx->generate(dctx, NULL, outlen, NULL, 0);
422 else if (dctx->reseed_counter >= dctx->reseed_interval)
423 dctx->status = DRBG_STATUS_RESEED;
425 if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
427 /* If prediction resistance request don't do health check */
428 int hcheck = prediction_resistance ? 0 : 1;
430 if (!drbg_reseed(dctx, adin, adinlen, hcheck))
432 r = FIPS_R_RESEED_ERROR;
439 if (!dctx->generate(dctx, out, outlen, adin, adinlen))
441 r = FIPS_R_GENERATE_ERROR;
442 dctx->status = DRBG_STATUS_ERROR;
445 if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
447 if (dctx->reseed_counter >= dctx->reseed_interval)
448 dctx->status = DRBG_STATUS_RESEED;
450 dctx->reseed_counter++;
456 if (!(dctx->iflags & DRBG_FLAG_NOERR))
457 FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
464 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
467 if (!dctx->uninstantiate)
470 rv = dctx->uninstantiate(dctx);
471 /* Although we'd like to cleanse here we can't because we have to
472 * test the uninstantiate really zeroes the data.
474 memset(&dctx->d, 0, sizeof(dctx->d));
475 dctx->status = DRBG_STATUS_UNINITIALISED;
476 /* If method has problems uninstantiating, return error */
480 int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
481 size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
482 int entropy, size_t min_len, size_t max_len),
483 void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
484 size_t entropy_blocklen,
485 size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
486 int entropy, size_t min_len, size_t max_len),
487 void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
489 if (dctx->status != DRBG_STATUS_UNINITIALISED)
491 dctx->entropy_blocklen = entropy_blocklen;
492 dctx->get_entropy = get_entropy;
493 dctx->cleanup_entropy = cleanup_entropy;
494 dctx->get_nonce = get_nonce;
495 dctx->cleanup_nonce = cleanup_nonce;
499 int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
500 size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
501 void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
502 int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
503 int (*rand_add_cb)(DRBG_CTX *ctx,
504 const void *buf, int num, double entropy))
506 if (dctx->status != DRBG_STATUS_UNINITIALISED)
508 dctx->get_adin = get_adin;
509 dctx->cleanup_adin = cleanup_adin;
510 dctx->rand_seed_cb = rand_seed_cb;
511 dctx->rand_add_cb = rand_add_cb;
515 void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
517 return dctx->app_data;
520 void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
522 dctx->app_data = app_data;
525 size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
527 return dctx->blocklength;
530 int FIPS_drbg_get_strength(DRBG_CTX *dctx)
532 return dctx->strength;
535 void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
537 dctx->health_check_interval = interval;
540 void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
542 dctx->reseed_interval = interval;
545 static int drbg_stick = 0;
547 void FIPS_drbg_stick(int onoff)
552 /* Continuous DRBG utility function */
553 int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
555 /* No CPRNG in test mode */
556 if (dctx->xflags & DRBG_FLAG_TEST)
558 /* Check block is valid: should never happen */
559 if (dctx->lb_valid == 0)
561 FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
562 fips_set_selftest_fail();
566 memcpy(dctx->lb, out, dctx->blocklength);
567 /* Check against last block: fail if match */
568 if (!memcmp(dctx->lb, out, dctx->blocklength))
570 FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
571 fips_set_selftest_fail();
574 /* Save last block for next comparison */
575 memcpy(dctx->lb, out, dctx->blocklength);