fips/rand/fips_rand.c

   1 /* ====================================================================
   2  * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    openssl-core@openssl.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  *
  48  */
  49
  50 #define OPENSSL_FIPSAPI
  51
  52 /*
  53  * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
  54  */
  55 #include <openssl/crypto.h>
  56 #include "e_os.h"
  57
  58 /* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
  59    be defined and gettimeofday() won't be declared with strict compilers
  60    like DEC C in ANSI C mode.  */
  61 #ifndef _XOPEN_SOURCE_EXTENDED
  62 #define _XOPEN_SOURCE_EXTENDED 1
  63 #endif
  64
  65 #include <openssl/rand.h>
  66 #include <openssl/aes.h>
  67 #include <openssl/err.h>
  68 #include <openssl/fips_rand.h>
  69 #ifndef OPENSSL_SYS_WIN32
  70 #include <sys/time.h>
  71 #endif
  72 #include <assert.h>
  73 #ifndef OPENSSL_SYS_WIN32
  74 # ifdef OPENSSL_UNISTD
  75 #  include OPENSSL_UNISTD
  76 # else
  77 #  include <unistd.h>
  78 # endif
  79 #endif
  80 #include <string.h>
  81 #include <openssl/fips.h>
  82 #include "fips_locl.h"
  83
  84 #ifdef OPENSSL_FIPS
  85
  86 void *OPENSSL_stderr(void);
  87
  88 #define AES_BLOCK_LENGTH        16
  89
  90
  91 /* AES FIPS PRNG implementation */
  92
  93 typedef struct
  94         {
  95         int seeded;
  96         int keyed;
  97         int test_mode;
  98         int second;
  99         int error;
 100         unsigned long counter;
 101         AES_KEY ks;
 102         int vpos;
 103         /* Temporary storage for key if it equals seed length */
 104         unsigned char tmp_key[AES_BLOCK_LENGTH];
 105         unsigned char V[AES_BLOCK_LENGTH];
 106         unsigned char DT[AES_BLOCK_LENGTH];
 107         unsigned char last[AES_BLOCK_LENGTH];
 108         } FIPS_PRNG_CTX;
 109
 110 static FIPS_PRNG_CTX sctx;
 111
 112 static int fips_prng_fail = 0;
 113
 114 void FIPS_x931_stick(void)
 115         {
 116         fips_prng_fail = 1;
 117         }
 118
 119 static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
 120         {
 121         ctx->seeded = 0;
 122         ctx->keyed = 0;
 123         ctx->test_mode = 0;
 124         ctx->counter = 0;
 125         ctx->second = 0;
 126         ctx->error = 0;
 127         ctx->vpos = 0;
 128         OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
 129         OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
 130         }
 131
 132
 133 static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
 134                         const unsigned char *key, unsigned int keylen)
 135         {
 136         FIPS_selftest_check();
 137         if (keylen != 16 && keylen != 24 && keylen != 32)
 138                 {
 139                 /* error: invalid key size */
 140                 return 0;
 141                 }
 142         AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
 143         if (keylen == 16)
 144                 {
 145                 memcpy(ctx->tmp_key, key, 16);
 146                 ctx->keyed = 2;
 147                 }
 148         else
 149                 ctx->keyed = 1;
 150         ctx->seeded = 0;
 151         ctx->second = 0;
 152         return 1;
 153         }
 154
 155 static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
 156                         const unsigned char *seed, unsigned int seedlen)
 157         {
 158         unsigned int i;
 159         if (!ctx->keyed)
 160                 return 0;
 161         /* In test mode seed is just supplied data */
 162         if (ctx->test_mode)
 163                 {
 164                 if (seedlen != AES_BLOCK_LENGTH)
 165                         return 0;
 166                 memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
 167                 ctx->seeded = 1;
 168                 return 1;
 169                 }
 170         /* Outside test mode XOR supplied data with existing seed */
 171         for (i = 0; i < seedlen; i++)
 172                 {
 173                 ctx->V[ctx->vpos++] ^= seed[i];
 174                 if (ctx->vpos == AES_BLOCK_LENGTH)
 175                         {
 176                         ctx->vpos = 0;
 177                         /* Special case if first seed and key length equals
 178                          * block size check key and seed do not match.
 179                          */
 180                         if (ctx->keyed == 2)
 181                                 {
 182                                 if (!memcmp(ctx->tmp_key, ctx->V, 16))
 183                                         {
 184                                         RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
 185                                                 RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
 186                                         return 0;
 187                                         }
 188                                 OPENSSL_cleanse(ctx->tmp_key, 16);
 189                                 ctx->keyed = 1;
 190                                 }
 191                         ctx->seeded = 1;
 192                         }
 193                 }
 194         return 1;
 195         }
 196
 197 static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
 198         {
 199         if (ctx->keyed)
 200                 {
 201                 RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
 202                 return 0;
 203                 }
 204         ctx->test_mode = 1;
 205         return 1;
 206         }
 207
 208 int FIPS_x931_test_mode(void)
 209         {
 210         return fips_set_test_mode(&sctx);
 211         }
 212
 213 int FIPS_x931_set_dt(unsigned char *dt)
 214         {
 215         if (!sctx.test_mode)
 216                 {
 217                 RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
 218                 return 0;
 219                 }
 220         memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
 221         return 1;
 222         }
 223
 224 void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
 225         {
 226 #ifdef OPENSSL_SYS_WIN32
 227         FILETIME ft;
 228 #else
 229         struct timeval tv;
 230 #endif
 231
 232 #ifndef GETPID_IS_MEANINGLESS
 233         unsigned long pid;
 234 #endif
 235
 236 #ifdef OPENSSL_SYS_WIN32
 237         GetSystemTimeAsFileTime(&ft);
 238         buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
 239         buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
 240         buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
 241         buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
 242         buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
 243         buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
 244         buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
 245         buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
 246 #else
 247         gettimeofday(&tv,NULL);
 248         buf[0] = (unsigned char) (tv.tv_sec & 0xff);
 249         buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
 250         buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
 251         buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
 252         buf[4] = (unsigned char) (tv.tv_usec & 0xff);
 253         buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
 254         buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
 255         buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
 256 #endif
 257         buf[8] = (unsigned char) (*pctr & 0xff);
 258         buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
 259         buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
 260         buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
 261
 262         (*pctr)++;
 263
 264
 265 #ifndef GETPID_IS_MEANINGLESS
 266         pid=(unsigned long)getpid();
 267         buf[12] = (unsigned char) (pid & 0xff);
 268         buf[13] = (unsigned char) ((pid >> 8) & 0xff);
 269         buf[14] = (unsigned char) ((pid >> 16) & 0xff);
 270         buf[15] = (unsigned char) ((pid >> 24) & 0xff);
 271 #endif
 272     }
 273
 274 static int fips_rand(FIPS_PRNG_CTX *ctx,
 275                         unsigned char *out, unsigned int outlen)
 276         {
 277         unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
 278         unsigned char tmp[AES_BLOCK_LENGTH];
 279         int i;
 280         if (ctx->error)
 281                 {
 282                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
 283                 return 0;
 284                 }
 285         if (!ctx->keyed)
 286                 {
 287                 RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
 288                 return 0;
 289                 }
 290         if (!ctx->seeded)
 291                 {
 292                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
 293                 return 0;
 294                 }
 295         for (;;)
 296                 {
 297                 if (!ctx->test_mode)
 298                         FIPS_get_timevec(ctx->DT, &ctx->counter);
 299                 AES_encrypt(ctx->DT, I, &ctx->ks);
 300                 for (i = 0; i < AES_BLOCK_LENGTH; i++)
 301                         tmp[i] = I[i] ^ ctx->V[i];
 302                 AES_encrypt(tmp, R, &ctx->ks);
 303                 for (i = 0; i < AES_BLOCK_LENGTH; i++)
 304                         tmp[i] = R[i] ^ I[i];
 305                 AES_encrypt(tmp, ctx->V, &ctx->ks);
 306                 /* Continuous PRNG test */
 307                 if (ctx->second)
 308                         {
 309                         if (fips_prng_fail)
 310                                 memcpy(ctx->last, R, AES_BLOCK_LENGTH);
 311                         if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
 312                                 {
 313                                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
 314                                 ctx->error = 1;
 315                                 fips_set_selftest_fail();
 316                                 return 0;
 317                                 }
 318                         }
 319                 memcpy(ctx->last, R, AES_BLOCK_LENGTH);
 320                 if (!ctx->second)
 321                         {
 322                         ctx->second = 1;
 323                         if (!ctx->test_mode)
 324                                 continue;
 325                         }
 326
 327                 if (outlen <= AES_BLOCK_LENGTH)
 328                         {
 329                         memcpy(out, R, outlen);
 330                         break;
 331                         }
 332
 333                 memcpy(out, R, AES_BLOCK_LENGTH);
 334                 out += AES_BLOCK_LENGTH;
 335                 outlen -= AES_BLOCK_LENGTH;
 336                 }
 337         return 1;
 338         }
 339
 340
 341 int FIPS_x931_set_key(const unsigned char *key, int keylen)
 342         {
 343         int ret;
 344         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 345         ret = fips_set_prng_key(&sctx, key, keylen);
 346         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 347         return ret;
 348         }
 349
 350 int FIPS_x931_seed(const void *seed, int seedlen)
 351         {
 352         int ret;
 353         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 354         ret = fips_set_prng_seed(&sctx, seed, seedlen);
 355         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 356         return ret;
 357         }
 358
 359
 360 int FIPS_x931_bytes(unsigned char *out, int count)
 361         {
 362         int ret;
 363         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 364         ret = fips_rand(&sctx, out, count);
 365         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 366         return ret;
 367         }
 368
 369 int FIPS_x931_status(void)
 370         {
 371         int ret;
 372         CRYPTO_r_lock(CRYPTO_LOCK_RAND);
 373         ret = sctx.seeded;
 374         CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
 375         return ret;
 376         }
 377
 378 void FIPS_x931_reset(void)
 379         {
 380         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 381         fips_rand_prng_reset(&sctx);
 382         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 383         }
 384
 385 static int fips_do_rand_seed(const void *seed, int seedlen)
 386         {
 387         FIPS_x931_seed(seed, seedlen);
 388         return 1;
 389         }
 390
 391 static int fips_do_rand_add(const void *seed, int seedlen,
 392                                         double add_entropy)
 393         {
 394         FIPS_x931_seed(seed, seedlen);
 395         return 1;
 396         }
 397
 398 static const RAND_METHOD rand_x931_meth=
 399     {
 400     fips_do_rand_seed,
 401     FIPS_x931_bytes,
 402     FIPS_x931_reset,
 403     fips_do_rand_add,
 404     FIPS_x931_bytes,
 405     FIPS_x931_status
 406     };
 407
 408 const RAND_METHOD *FIPS_x931_method(void)
 409 {
 410   return &rand_x931_meth;
 411 }
 412
 413 #endif