evp_rand_free(rand);
return NULL;
}
-
rand->refcnt = 1;
-
return rand;
}
+/* Enable locking of the underlying DRBG/RAND if available */
+int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *rand)
+{
+ if (rand->meth->enable_prov_locking != NULL)
+ return rand->meth->enable_prov_locking(rand->data);
+ return 1;
+}
+
+/* Lock the underlying DRBG/RAND if available */
+static int evp_rand_lock(EVP_RAND_CTX *rand)
+{
+ if (rand->meth->prov_lock != NULL)
+ return rand->meth->prov_lock(rand->data);
+ return 1;
+}
+
+/* Unlock the underlying DRBG/RAND if available */
+static void evp_rand_unlock(EVP_RAND_CTX *rand)
+{
+ if (rand->meth->prov_unlock != NULL)
+ rand->meth->prov_unlock(rand->data);
+}
+
static void *evp_rand_from_dispatch(int name_id,
const OSSL_DISPATCH *fns,
OSSL_PROVIDER *prov)
{
EVP_RAND *rand = NULL;
int fnrandcnt = 0, fnctxcnt = 0;
+#ifdef FIPS_MODULE
+ int fnfipscnt = 0;
+#endif
if ((rand = evp_rand_new()) == NULL) {
EVPerr(0, ERR_R_MALLOC_FAILURE);
break;
rand->set_ctx_params = OSSL_get_OP_rand_set_ctx_params(fns);
break;
+ case OSSL_FUNC_RAND_VERIFY_ZEROIZATION:
+ if (rand->verify_zeroization != NULL)
+ break;
+ rand->verify_zeroization = OSSL_get_OP_rand_verify_zeroization(fns);
+#ifdef FIPS_MODULE
+ fnfipscnt++;
+#endif
+ break;
}
}
- if (fnrandcnt != 3 || fnctxcnt != 2) {
+ if (fnrandcnt != 3
+ || fnctxcnt != 2
+#ifdef FIPS_MODULE
+ || fnfipscnt != 1
+#endif
+ ) {
/*
* In order to be a consistent set of functions we must have at least
* a complete set of "rand" functions and a complete set of context
- * management functions.
+ * management functions. In FIPS mode, we also require the zeroization
+ * verification function.
*/
evp_rand_free(rand);
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
return 1;
}
-EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df,
- EVP_RAND_CTX *parent)
+EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, EVP_RAND_CTX *parent)
{
EVP_RAND_CTX *ctx;
void *parent_ctx = NULL;
if (ctx == NULL)
return NULL;
if (parent != NULL) {
+ EVP_RAND_CTX_enable_locking(parent);
parent_ctx = parent->data;
parent_dispatch = parent->meth->dispatch;
}
- if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure, df,
+ if ((ctx->data = rand->newctx(ossl_provider_ctx(rand->prov), secure,
parent_ctx, parent_dispatch)) == NULL
|| !EVP_RAND_up_ref(rand)) {
EVPerr(0, ERR_R_MALLOC_FAILURE);
int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[])
{
- if (ctx->meth->get_ctx_params != NULL)
- return ctx->meth->get_ctx_params(ctx->data, params);
- return 1;
+ int res = 1;
+
+ if (ctx->meth->get_ctx_params != NULL) {
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = ctx->meth->get_ctx_params(ctx->data, params);
+ evp_rand_unlock(ctx);
+ }
+ return res;
}
int EVP_RAND_CTX_set_params(EVP_RAND_CTX *ctx, const OSSL_PARAM params[])
{
- if (ctx->meth->set_ctx_params != NULL)
- return ctx->meth->set_ctx_params(ctx->data, params);
- return 1;
+ int res = 1;
+
+ if (ctx->meth->set_ctx_params != NULL) {
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = ctx->meth->set_ctx_params(ctx->data, params);
+ evp_rand_unlock(ctx);
+ /* Clear out the cache state because the values can change on a set */
+ ctx->strength = 0;
+ ctx->max_request = 0;
+ }
+ return res;
}
const OSSL_PARAM *EVP_RAND_gettable_params(const EVP_RAND *rand)
evp_names_do_all(rand->prov, rand->name_id, fn, data);
}
-int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength,
+int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength,
int prediction_resistance,
const unsigned char *pstr, size_t pstr_len)
{
- return ctx->meth->instantiate(ctx->data, strength, prediction_resistance,
- pstr, pstr_len);
+ int res;
+
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = ctx->meth->instantiate(ctx->data, strength, prediction_resistance,
+ pstr, pstr_len);
+ evp_rand_unlock(ctx);
+ return res;
}
int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx)
{
- return ctx->meth->uninstantiate(ctx->data);
+ int res;
+
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = ctx->meth->uninstantiate(ctx->data);
+ evp_rand_unlock(ctx);
+ return res;
}
int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
- int strength, int prediction_resistance,
+ unsigned int strength, int prediction_resistance,
const unsigned char *addin, size_t addin_len)
{
- return ctx->meth->generate(ctx->data, out, outlen, strength,
- prediction_resistance, addin, addin_len);
+ size_t chunk;
+ OSSL_PARAM params[2];
+ int res = 0;
+
+ if (!evp_rand_lock(ctx))
+ return 0;
+ if (ctx->max_request == 0) {
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_DRBG_PARAM_MAX_REQUEST,
+ &ctx->max_request);
+ params[1] = OSSL_PARAM_construct_end();
+ if (!EVP_RAND_CTX_get_params(ctx, params)
+ || ctx->max_request == 0)
+ goto err;
+ }
+ for (; outlen > 0; outlen -= chunk, out += chunk) {
+ chunk = outlen > ctx->max_request ? ctx->max_request : outlen;
+ if (!ctx->meth->generate(ctx->data, out, chunk, strength,
+ prediction_resistance, addin, addin_len))
+ goto err;
+ }
+ res = 1;
+err:
+ evp_rand_unlock(ctx);
+ return res;
}
int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
+ const unsigned char *ent, size_t ent_len,
const unsigned char *addin, size_t addin_len)
{
- if (ctx->meth->reseed == NULL)
- return 1;
- return ctx->meth->reseed(ctx->data, prediction_resistance,
- addin, addin_len);
+ int res = 1;
+
+ if (!evp_rand_lock(ctx))
+ return 0;
+ if (ctx->meth->reseed != NULL)
+ res = ctx->meth->reseed(ctx->data, prediction_resistance,
+ ent, ent_len, addin, addin_len);
+ evp_rand_unlock(ctx);
+ return res;
}
int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen)
{
- if (ctx->meth->nonce != NULL)
- return ctx->meth->nonce(ctx->data, out, outlen);
- return ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0);
+ int res = 1;
+
+ if (!evp_rand_lock(ctx))
+ return 0;
+ if (ctx->meth->nonce == NULL
+ || !ctx->meth->nonce(ctx->data, out, 0, outlen, outlen))
+ res = ctx->meth->generate(ctx->data, out, outlen, 0, 0, NULL, 0);
+ evp_rand_unlock(ctx);
+ return res;
+}
+
+unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx)
+{
+ OSSL_PARAM params[2];
+ int res;
+
+ if (ctx->strength == 0) {
+ params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH,
+ &ctx->strength);
+ params[1] = OSSL_PARAM_construct_end();
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = EVP_RAND_CTX_get_params(ctx, params);
+ evp_rand_unlock(ctx);
+ if (!res)
+ return 0;
+ }
+ return ctx->strength;
}
-int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *ctx,
- OSSL_CALLBACK *get_entropy,
- OSSL_CALLBACK *cleanup_entropy,
- OSSL_CALLBACK *get_nonce,
- OSSL_CALLBACK *cleanup_nonce)
+int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx)
{
- if (ctx->meth->set_callbacks == NULL)
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ int status, res;
+
+ params[0] = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STATE,
+ &status);
+ if (!evp_rand_lock(ctx))
return 0;
- return ctx->meth->set_callbacks(ctx->data, get_entropy, cleanup_entropy,
- get_nonce, cleanup_nonce);
+ res = EVP_RAND_CTX_get_params(ctx, params);
+ evp_rand_unlock(ctx);
+ if (!res)
+ status = EVP_RAND_STATE_ERROR;
+ return status;
}
+int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx)
+{
+ int res = 0;
+
+ if (ctx->meth->verify_zeroization != NULL) {
+ if (!evp_rand_lock(ctx))
+ return 0;
+ res = ctx->meth->verify_zeroization(ctx->data);
+ evp_rand_unlock(ctx);
+ }
+ return res;
+}
#define OSSL_KDF_NAME_KBKDF "KBKDF"
#define OSSL_KDF_NAME_KRB5KDF "KRB5KDF"
+/* Know RAND names */
+#define OSSL_RAND_PARAM_STATUS "status"
+#define OSSL_RAND_PARAM_STRENGTH "strength"
+#define OSSL_RAND_PARAM_RESEED_REQUESTS "reseed_requests"
+#define OSSL_RAND_PARAM_RESEED_TIME_INTERVAL "reseed_time_interval"
+#define OSSL_RAND_PARAM_MAX_REQUEST "max_request"
+#define OSSL_RAND_PARAM_MIN_ENTROPYLEN "min_entropylen"
+#define OSSL_RAND_PARAM_MAX_ENTROPYLEN "max_entropylen"
+#define OSSL_RAND_PARAM_MIN_NONCELEN "min_noncelen"
+#define OSSL_RAND_PARAM_MAX_NONCELEN "max_noncelen"
+#define OSSL_RAND_PARAM_MAX_PERSLEN "max_perslen"
+#define OSSL_RAND_PARAM_MAX_ADINLEN "max_adinlen"
+#define OSSL_RAND_PARAM_RESEED_CTR "reseed_counter"
+#define OSSL_RAND_PARAM_RESEED_PROP_CTR "reseed_prop_counter"
+#define OSSL_RAND_PARAM_PROPERTIES OSSL_ALG_PARAM_PROPERTIES
+#define OSSL_RAND_PARAM_DIGEST OSSL_ALG_PARAM_DIGEST
+#define OSSL_RAND_PARAM_CIPHER OSSL_ALG_PARAM_CIPHER
+#define OSSL_RAND_PARAM_TEST_ENTROPY "test_entropy"
+#define OSSL_RAND_PARAM_TEST_NONCE "test_nonce"
+
/* PKEY parameters */
/* Common PKEY parameters */
#define OSSL_PKEY_PARAM_BITS "bits" /* integer */
# define OSSL_FUNC_RAND_GET_CTX_PARAMS 15
# define OSSL_FUNC_RAND_SET_CTX_PARAMS 16
# define OSSL_FUNC_RAND_SET_CALLBACKS 17
+# define OSSL_FUNC_RAND_VERIFY_ZEROIZATION 18
OSSL_CORE_MAKE_FUNC(void *, OP_rand_newctx,
- (void *provctx, int secure, unsigned int df, void *parent,
+ (void *provctx, int secure, void *parent,
const OSSL_DISPATCH *parent_calls))
OSSL_CORE_MAKE_FUNC(void, OP_rand_freectx, (void *vctx))
OSSL_CORE_MAKE_FUNC(int, OP_rand_instantiate,
- (void *vdrbg, int strength, int prediction_resistance,
+ (void *vdrbg, unsigned int strength,
+ int prediction_resistance,
const unsigned char *pstr, size_t pstr_len))
OSSL_CORE_MAKE_FUNC(int, OP_rand_uninstantiate, (void *vdrbg))
OSSL_CORE_MAKE_FUNC(int, OP_rand_generate,
(void *vctx, unsigned char *out, size_t outlen,
- int strength, int prediction_resistance,
+ unsigned int strength, int prediction_resistance,
const unsigned char *addin, size_t addin_len))
OSSL_CORE_MAKE_FUNC(int, OP_rand_reseed,
(void *vctx, int prediction_resistance,
+ const unsigned char *ent, size_t ent_len,
const unsigned char *addin, size_t addin_len))
-OSSL_CORE_MAKE_FUNC(int, OP_rand_nonce,
- (void *vctx, unsigned char *out, size_t outlen))
+OSSL_CORE_MAKE_FUNC(size_t, OP_rand_nonce,
+ (void *vctx, unsigned char *out, int strength,
+ size_t min_noncelen, size_t max_noncelen))
OSSL_CORE_MAKE_FUNC(int, OP_rand_set_callbacks,
(void *vctx,
OSSL_CALLBACK *get_entropy, OSSL_CALLBACK *cleanup_entropy,
(void *vctx, OSSL_PARAM params[]))
OSSL_CORE_MAKE_FUNC(int, OP_rand_set_ctx_params,
(void *vctx, const OSSL_PARAM params[]))
+OSSL_CORE_MAKE_FUNC(int, OP_rand_verify_zeroization,
+ (void *vctx))
/*-
* Key management
/* RAND stuff */
EVP_RAND *EVP_RAND_fetch(OPENSSL_CTX *libctx, const char *algorithm,
- const char *properties);
+ const char *properties);
int EVP_RAND_up_ref(EVP_RAND *rand);
void EVP_RAND_free(EVP_RAND *rand);
int EVP_RAND_number(const EVP_RAND *rand);
const OSSL_PROVIDER *EVP_RAND_provider(const EVP_RAND *rand);
int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]);
-EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure, unsigned int df,
+EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, int secure,
EVP_RAND_CTX *parent);
void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx);
EVP_RAND *EVP_RAND_CTX_rand(EVP_RAND_CTX *ctx);
void (*fn)(const char *name, void *data),
void *data);
-int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, int strength,
+int EVP_RAND_CTX_instantiate(EVP_RAND_CTX *ctx, unsigned int strength,
int prediction_resistance,
const unsigned char *pstr, size_t pstr_len);
int EVP_RAND_CTX_uninstantiate(EVP_RAND_CTX *ctx);
int EVP_RAND_CTX_generate(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen,
- int strength, int prediction_resistance,
+ unsigned int strength, int prediction_resistance,
const unsigned char *addin, size_t addin_len);
int EVP_RAND_CTX_reseed(EVP_RAND_CTX *ctx, int prediction_resistance,
+ const unsigned char *ent, size_t ent_len,
const unsigned char *addin, size_t addin_len);
int EVP_RAND_CTX_nonce(EVP_RAND_CTX *ctx, unsigned char *out, size_t outlen);
int EVP_RAND_CTX_set_callbacks(const EVP_RAND_CTX *rand,
OSSL_CALLBACK *cleanup_entropy,
OSSL_CALLBACK *get_nonce,
OSSL_CALLBACK *cleanup_nonce);
+int EVP_RAND_CTX_enable_locking(EVP_RAND_CTX *ctx);
+int EVP_RAND_CTX_verify_zeroization(EVP_RAND_CTX *ctx);
+unsigned int EVP_RAND_CTX_strength(EVP_RAND_CTX *ctx);
+int EVP_RAND_CTX_state(EVP_RAND_CTX *ctx);
+
+#define EVP_RAND_STATE_UNINITIALISED 0
+#define EVP_RAND_STATE_READY 1
+#define EVP_RAND_STATE_ERROR 2
/* PKEY stuff */
DEPRECATEDIN_3_0(int EVP_PKEY_decrypt_old(unsigned char *dec_key,
-SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature asymciphers \
+SUBDIRS=digests ciphers rands macs kdfs exchange keymgmt signature asymciphers \
serializers
* https://www.openssl.org/source/license.html
*/
+#include <openssl/core.h>
+#include <openssl/types.h>
+
/* Digests */
extern const OSSL_DISPATCH sha1_functions[];
extern const OSSL_DISPATCH sha224_functions[];
#endif
extern const OSSL_DISPATCH kdf_krb5kdf_functions[];
+/* RNGs */
+extern const OSSL_DISPATCH test_rng_functions[];
+extern const OSSL_DISPATCH drbg_hash_functions[];
+extern const OSSL_DISPATCH drbg_hmac_functions[];
+extern const OSSL_DISPATCH drbg_ctr_functions[];
+extern const OSSL_DISPATCH crngt_functions[];
/* Key management */
extern const OSSL_DISPATCH dh_keymgmt_functions[];
--- /dev/null
+
+# Missing: drbg_ctr.c
+SOURCE[../../libfips.a]=drbg.c
+SOURCE[../../libnonfips.a]=drbg.c
+
+# Missing: drbg_hmac.c crngt.c
+SOURCE[../../libimplementations.a]=test_rng.c drbg_hash.c
--- /dev/null
+/*
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "crypto/rand.h"
+#include "drbg_local.h"
+#include "internal/thread_once.h"
+#include "crypto/cryptlib.h"
+#include "seeding/seeding.h"
+#include "crypto/rand_pool.h"
+
+/*
+ * Support framework for NIST SP 800-90A DRBG
+ *
+ * See manual page PROV_DRBG(7) for a general overview.
+ *
+ * The OpenSSL model is to have new and free functions, and that new
+ * does all initialization. That is not the NIST model, which has
+ * instantiation and un-instantiate, and re-use within a new/free
+ * lifecycle. (No doubt this comes from the desire to support hardware
+ * DRBG, where allocation of resources on something like an HSM is
+ * a much bigger deal than just re-setting an allocated resource.)
+ */
+
+#ifdef FIPS_MODULE
+# define get_entropy prov_crngt_get_entropy
+# define cleanup_entropy prov_crngt_cleanup_entropy
+#else
+# define get_entropy prov_drbg_get_entropy
+# define cleanup_entropy prov_drbg_cleanup_entropy
+#endif
+
+/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
+
+static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;
+static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL;
+
+static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
+static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
+
+static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
+ int function);
+
+int drbg_lock(void *vctx)
+{
+ PROV_DRBG *drbg = vctx;
+
+ if (drbg == NULL || drbg->lock == NULL)
+ return 1;
+ return CRYPTO_THREAD_write_lock(drbg->lock);
+}
+
+void drbg_unlock(void *vctx)
+{
+ PROV_DRBG *drbg = vctx;
+
+ if (drbg != NULL && drbg->lock != NULL)
+ CRYPTO_THREAD_unlock(drbg->lock);
+}
+
+static int drbg_lock_parent(PROV_DRBG *drbg)
+{
+ void *parent = drbg->parent;
+ const OSSL_DISPATCH *pfunc;
+
+ if (parent != NULL) {
+ pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_LOCK);
+ if (pfunc != NULL && !OSSL_get_OP_rand_lock(pfunc)(parent)) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static void drbg_unlock_parent(PROV_DRBG *drbg)
+{
+ void *parent = drbg->parent;
+ const OSSL_DISPATCH *pfunc;
+
+ if (parent != NULL) {
+ pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_UNLOCK);
+ if (pfunc != NULL)
+ OSSL_get_OP_rand_unlock(pfunc)(parent);
+ }
+}
+
+static int get_parent_strength(PROV_DRBG *drbg, int *str)
+{
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ const OSSL_DISPATCH *pfunc;
+ void *parent = drbg->parent;
+
+ pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS);
+ if (pfunc == NULL) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH);
+ return 0;
+ }
+ *params = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STRENGTH, str);
+ if (!drbg_lock_parent(drbg)) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT);
+ return 0;
+ }
+ if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) {
+ drbg_unlock_parent(drbg);
+ ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH);
+ return 0;
+ }
+ drbg_unlock_parent(drbg);
+ return 1;
+}
+
+static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
+{
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ const OSSL_DISPATCH *pfunc;
+ void *parent = drbg->parent;
+ unsigned int r;
+
+ pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS);
+ if (pfunc == NULL) {
+ ERR_raise(ERR_LIB_PROV,
+ RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER);
+ goto err;
+ }
+ *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_RESEED_PROP_CTR, &r);
+ if (!drbg_lock_parent(drbg)) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT);
+ goto err;
+ }
+ if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) {
+ drbg_unlock_parent(drbg);
+ ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_RESEED_PROP_CTR);
+ goto err;
+ }
+ drbg_unlock_parent(drbg);
+ return r;
+
+ err:
+ r = tsan_load(&drbg->reseed_prop_counter) - 2;
+ if (r == 0)
+ r = UINT_MAX;
+ return r;
+}
+
+#ifndef FIPS_MODULE
+/*
+ * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
+ *
+ * If the DRBG has a parent, then the required amount of entropy input
+ * is fetched using the parent's RAND_DRBG_generate().
+ *
+ * Otherwise, the entropy is polled from the system entropy sources
+ * using rand_pool_acquire_entropy().
+ *
+ * If a random pool has been added to the DRBG using RAND_add(), then
+ * its entropy will be used up first.
+ */
+static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ size_t ret = 0;
+ size_t entropy_available = 0;
+ RAND_POOL *pool;
+ int p_str;
+ const OSSL_DISPATCH *pfunc;
+
+ if (drbg->parent != NULL) {
+ if (!get_parent_strength(drbg, &p_str))
+ return 0;
+ if (drbg->strength > p_str) {
+ /*
+ * We currently don't support the algorithm from NIST SP 800-90C
+ * 10.1.2 to use a weaker DRBG as source
+ */
+ RANDerr(0, RAND_R_PARENT_STRENGTH_TOO_WEAK);
+ return 0;
+ }
+ }
+
+ if (drbg->seed_pool != NULL) {
+ pool = drbg->seed_pool;
+ pool->entropy_requested = entropy;
+ } else {
+ pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);
+ if (pool == NULL)
+ return 0;
+ }
+
+ if (drbg->parent != NULL) {
+ size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+ unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);
+
+ if (buffer != NULL) {
+ size_t bytes = 0;
+
+ /*
+ * Get random data from parent. Include our address as additional input,
+ * in order to provide some additional distinction between different
+ * DRBG child instances.
+ * Our lock is already held, but we need to lock our parent before
+ * generating bits from it. (Note: taking the lock will be a no-op
+ * if locking if drbg->parent->lock == NULL.)
+ */
+ pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GENERATE);
+ if (pfunc == NULL)
+ return 0;
+ drbg_lock_parent(drbg);
+ if (OSSL_get_OP_rand_generate(pfunc)(drbg->parent, buffer, bytes_needed,
+ drbg->strength,
+ prediction_resistance,
+ (unsigned char *)&drbg,
+ sizeof(drbg)) != 0)
+ bytes = bytes_needed;
+ drbg->reseed_next_counter = get_parent_reseed_count(drbg);
+ drbg_unlock_parent(drbg);
+
+ rand_pool_add_end(pool, bytes, 8 * bytes);
+ entropy_available = rand_pool_entropy_available(pool);
+ }
+ } else {
+ /* Get entropy by polling system entropy sources. */
+ entropy_available = rand_pool_acquire_entropy(pool);
+ }
+
+ if (entropy_available > 0) {
+ ret = rand_pool_length(pool);
+ *pout = rand_pool_detach(pool);
+ }
+
+ if (drbg->seed_pool == NULL)
+ rand_pool_free(pool);
+ return ret;
+}
+
+/*
+ * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks())
+ *
+ */
+static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg,
+ unsigned char *out, size_t outlen)
+{
+ if (drbg->seed_pool == NULL) {
+ if (drbg->secure)
+ OPENSSL_secure_clear_free(out, outlen);
+ else
+ OPENSSL_clear_free(out, outlen);
+ }
+}
+#endif
+
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+typedef struct prov_drbg_nonce_global_st {
+ CRYPTO_RWLOCK *rand_nonce_lock;
+ int rand_nonce_count;
+} PROV_DRBG_NONCE_GLOBAL;
+
+/*
+ * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
+ * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since
+ * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
+ * to be in a different global data object. Otherwise we will go into an
+ * infinite recursion loop.
+ */
+static void *prov_drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx)
+{
+ PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
+
+ if (dngbl == NULL)
+ return NULL;
+
+ dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
+ if (dngbl->rand_nonce_lock == NULL) {
+ OPENSSL_free(dngbl);
+ return NULL;
+ }
+
+ return dngbl;
+}
+
+static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl)
+{
+ PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
+
+ if (dngbl == NULL)
+ return;
+
+ CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
+
+ OPENSSL_free(dngbl);
+}
+
+static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = {
+ prov_drbg_nonce_ossl_ctx_new,
+ prov_drbg_nonce_ossl_ctx_free,
+};
+
+/* Get a nonce from the operating system */
+static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ size_t ret = 0;
+ RAND_POOL *pool;
+ PROV_DRBG_NONCE_GLOBAL *dngbl
+ = openssl_ctx_get_data(drbg->libctx, OPENSSL_CTX_DRBG_NONCE_INDEX,
+ &drbg_nonce_ossl_ctx_method);
+ struct {
+ void *instance;
+ int count;
+ } data;
+
+
+ if (dngbl == NULL)
+ return 0;
+
+ memset(&data, 0, sizeof(data));
+ pool = rand_pool_new(0, 0, min_len, max_len);
+ if (pool == NULL)
+ return 0;
+
+ if (rand_pool_add_nonce_data(pool) == 0)
+ goto err;
+
+ data.instance = drbg;
+ CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
+ dngbl->rand_nonce_lock);
+
+ if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0)
+ goto err;
+
+ ret = rand_pool_length(pool);
+ *pout = rand_pool_detach(pool);
+
+ err:
+ rand_pool_free(pool);
+
+ return ret;
+}
+#endif
+
+/*
+ * Implements the cleanup_nonce() callback (see PROV_DRBG_set_callbacks())
+ *
+ */
+static void prov_drbg_cleanup_nonce(PROV_DRBG *drbg,
+ unsigned char *out, size_t outlen)
+{
+ OPENSSL_clear_free(out, outlen);
+}
+
+/*
+ * Instantiate |drbg|, after it has been initialized. Use |pers| and
+ * |perslen| as prediction-resistance input.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength,
+ int prediction_resistance,
+ const unsigned char *pers, size_t perslen,
+ int (*ifnc)(PROV_DRBG *drbg,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *nonce,
+ size_t nonce_len,
+ const unsigned char *pstr,
+ size_t pstr_len))
+{
+ unsigned char *nonce = NULL, *entropy = NULL;
+ size_t noncelen = 0, entropylen = 0;
+ size_t min_entropy, min_entropylen, max_entropylen;
+ const OSSL_DISPATCH *pnonce;
+
+ if (strength > drbg->strength) {
+ PROVerr(0, RAND_R_INSUFFICIENT_DRBG_STRENGTH);
+ goto end;
+ }
+ min_entropy = drbg->strength;
+ min_entropylen = drbg->min_entropylen;
+ max_entropylen = drbg->max_entropylen;
+
+ if (pers == NULL) {
+ pers = (const unsigned char *)ossl_pers_string;
+ perslen = sizeof(ossl_pers_string);
+ }
+ if (perslen > drbg->max_perslen) {
+ PROVerr(0, RAND_R_PERSONALISATION_STRING_TOO_LONG);
+ goto end;
+ }
+
+ if (drbg->state != DRBG_UNINITIALISED) {
+ if (drbg->state == DRBG_ERROR)
+ PROVerr(0, RAND_R_IN_ERROR_STATE);
+ else
+ PROVerr(0, RAND_R_ALREADY_INSTANTIATED);
+ goto end;
+ }
+
+ drbg->state = DRBG_ERROR;
+
+ if (drbg->min_noncelen > 0) {
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+ if (drbg->parent != NULL)
+#endif
+ {
+ pnonce = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_NONCE);
+ if (pnonce == NULL) {
+ /*
+ * NIST SP800-90Ar1 section 9.1 says you can combine getting
+ * the entropy and nonce in 1 call by increasing the entropy
+ * with 50% and increasing the minimum length to accommodate
+ * the length of the nonce. We do this in case a nonce is
+ * required and there is no parental nonce capability.
+ */
+ min_entropy += drbg->strength / 2;
+ min_entropylen += drbg->min_noncelen;
+ max_entropylen += drbg->max_noncelen;
+ } else {
+ drbg_lock_parent(drbg);
+ noncelen = OSSL_get_OP_rand_nonce(pnonce)(drbg->parent, &nonce,
+ drbg->strength / 2,
+ drbg->min_noncelen,
+ drbg->max_noncelen);
+ drbg_unlock_parent(drbg);
+ if (noncelen < drbg->min_noncelen
+ || noncelen > drbg->max_noncelen) {
+ PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE);
+ goto end;
+ }
+ }
+ }
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+ else { /* parent == NULL */
+ noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->strength / 2,
+ drbg->min_noncelen,
+ drbg->max_noncelen);
+ if (noncelen < drbg->min_noncelen
+ || noncelen > drbg->max_noncelen) {
+ PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE);
+ goto end;
+ }
+ }
+#endif
+ }
+
+ drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
+ if (drbg->reseed_next_counter) {
+ drbg->reseed_next_counter++;
+ if(!drbg->reseed_next_counter)
+ drbg->reseed_next_counter = 1;
+ }
+
+ entropylen = get_entropy(drbg, &entropy, min_entropy,
+ min_entropylen, max_entropylen,
+ prediction_resistance);
+ if (entropylen < min_entropylen
+ || entropylen > max_entropylen) {
+ PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY);
+ goto end;
+ }
+
+ if (!ifnc(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) {
+ PROVerr(0, RAND_R_ERROR_INSTANTIATING_DRBG);
+ goto end;
+ }
+
+ drbg->state = DRBG_READY;
+ drbg->reseed_gen_counter = 1;
+ drbg->reseed_time = time(NULL);
+ tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+
+ end:
+ if (entropy != NULL)
+ cleanup_entropy(drbg, entropy, entropylen);
+ if (nonce != NULL)
+ prov_drbg_cleanup_nonce(drbg, nonce, noncelen);
+ if (drbg->state == DRBG_READY)
+ return 1;
+ return 0;
+}
+
+/*
+ * Reseed |drbg|, mixing in the specified data
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adinlen,
+ int (*reseed)(PROV_DRBG *drbg,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adin_len))
+{
+ unsigned char *entropy = NULL;
+ size_t entropylen = 0;
+
+ if (drbg->state == DRBG_ERROR) {
+ PROVerr(0, RAND_R_IN_ERROR_STATE);
+ return 0;
+ }
+ if (drbg->state == DRBG_UNINITIALISED) {
+ PROVerr(0, RAND_R_NOT_INSTANTIATED);
+ return 0;
+ }
+
+ if (adin == NULL) {
+ adinlen = 0;
+ } else if (adinlen > drbg->max_adinlen) {
+ PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
+ return 0;
+ }
+
+ drbg->state = DRBG_ERROR;
+
+ drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
+ if (drbg->reseed_next_counter) {
+ drbg->reseed_next_counter++;
+ if(!drbg->reseed_next_counter)
+ drbg->reseed_next_counter = 1;
+ }
+
+ entropylen = get_entropy(drbg, &entropy, drbg->strength,
+ drbg->min_entropylen, drbg->max_entropylen,
+ prediction_resistance);
+ if (entropylen < drbg->min_entropylen
+ || entropylen > drbg->max_entropylen) {
+ PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY);
+ goto end;
+ }
+
+ if (!reseed(drbg, entropy, entropylen, adin, adinlen))
+ goto end;
+
+ drbg->state = DRBG_READY;
+ drbg->reseed_gen_counter = 1;
+ drbg->reseed_time = time(NULL);
+ tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+
+ end:
+ if (entropy != NULL)
+ OPENSSL_cleanse(entropy, entropylen);
+ if (drbg->state == DRBG_READY)
+ return 1;
+ return 0;
+}
+
+/*
+ * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
+ * to or if |prediction_resistance| is set. Additional input can be
+ * sent in |adin| and |adinlen|.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ *
+ */
+int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+ int strength, int prediction_resistance,
+ const unsigned char *adin, size_t adinlen,
+ int (*generate)(PROV_DRBG *, unsigned char *out,
+ size_t outlen, const unsigned char *adin,
+ size_t adin_len),
+ int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
+ size_t ent_len, const unsigned char *adin,
+ size_t adin_len))
+{
+ int fork_id;
+ int reseed_required = 0;
+
+ if (drbg->state != DRBG_READY) {
+ if (drbg->state == DRBG_ERROR) {
+ PROVerr(0, RAND_R_IN_ERROR_STATE);
+ return 0;
+ }
+ if (drbg->state == DRBG_UNINITIALISED) {
+ PROVerr(0, RAND_R_NOT_INSTANTIATED);
+ return 0;
+ }
+ }
+
+ if (outlen > drbg->max_request) {
+ PROVerr(0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG);
+ return 0;
+ }
+ if (adinlen > drbg->max_adinlen) {
+ PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
+ return 0;
+ }
+
+ fork_id = openssl_get_fork_id();
+
+ if (drbg->fork_id != fork_id) {
+ drbg->fork_id = fork_id;
+ reseed_required = 1;
+ }
+
+ if (drbg->reseed_interval > 0) {
+ if (drbg->reseed_gen_counter > drbg->reseed_interval)
+ reseed_required = 1;
+ }
+ if (drbg->reseed_time_interval > 0) {
+ time_t now = time(NULL);
+ if (now < drbg->reseed_time
+ || now - drbg->reseed_time >= drbg->reseed_time_interval)
+ reseed_required = 1;
+ }
+ if (drbg->parent != NULL) {
+ unsigned int reseed_counter = 0;
+
+ if (reseed_counter > 0
+ && get_parent_reseed_count(drbg) !=
+ tsan_load(&drbg->reseed_prop_counter))
+ reseed_required = 1;
+ }
+
+ if (reseed_required || prediction_resistance) {
+ if (!PROV_DRBG_reseed(drbg, prediction_resistance, NULL, 0,
+ adin, adinlen, reseed)) {
+ PROVerr(0, RAND_R_RESEED_ERROR);
+ return 0;
+ }
+ adin = NULL;
+ adinlen = 0;
+ }
+
+ if (!generate(drbg, out, outlen, adin, adinlen)) {
+ drbg->state = DRBG_ERROR;
+ PROVerr(0, RAND_R_GENERATE_ERROR);
+ return 0;
+ }
+
+ drbg->reseed_gen_counter++;
+
+ return 1;
+}
+
+#if 0
+/*
+ * Calculates the minimum length of a full entropy buffer
+ * which is necessary to seed (i.e. instantiate) the DRBG
+ * successfully.
+ */
+size_t prov_drbg_seedlen(PROV_DRBG *drbg)
+{
+ /*
+ * If no os entropy source is available then PROV_seed(buffer, bufsize)
+ * is expected to succeed if and only if the buffer length satisfies
+ * the following requirements, which follow from the calculations
+ * in PROV_DRBG_instantiate().
+ */
+ size_t min_entropy = drbg->strength;
+ size_t min_entropylen = drbg->min_entropylen;
+
+ /*
+ * Extra entropy for the random nonce in the absence of a
+ * get_nonce callback, see comment in PROV_DRBG_instantiate().
+ */
+ if (drbg->min_noncelen > 0) {
+#ifndef PROV_RAND_GET_RANDOM_NONCE
+ if (drbg->parent != NULL)
+#endif
+ if (find_call(drbg->parent_dispatch,
+ OSSL_FUNC_RAND_NONCE) == NULL) {
+ min_entropy += drbg->strength / 2;
+ min_entropylen += drbg->min_noncelen;
+ }
+ }
+
+ /*
+ * Convert entropy requirement from bits to bytes
+ * (dividing by 8 without rounding upwards, because
+ * all entropy requirements are divisible by 8).
+ */
+ min_entropy >>= 3;
+
+ /* Return a value that satisfies both requirements */
+ return min_entropy > min_entropylen ? min_entropy : min_entropylen;
+}
+#endif
+
+/* Provider support from here down */
+static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
+ int function)
+{
+ if (dispatch != NULL)
+ while (dispatch->function_id != 0)
+ if (dispatch->function_id == function)
+ return dispatch;
+ return NULL;
+}
+
+int drbg_enable_locking(void *vctx)
+{
+ PROV_DRBG *drbg = vctx;
+ const OSSL_DISPATCH *pfunc;
+
+ if (drbg == NULL)
+ return 1;
+ if (drbg->lock == NULL) {
+ if (drbg->state != DRBG_UNINITIALISED) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_DRBG_ALREADY_INITIALIZED);
+ return 0;
+ }
+
+ pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING);
+ if (pfunc != NULL)
+ if (!OSSL_get_OP_rand_enable_locking(pfunc)(drbg->parent)) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED);
+ return 0;
+ }
+ drbg->lock = CRYPTO_THREAD_lock_new();
+ if (drbg->lock == NULL) {
+ ERR_raise(ERR_LIB_PROV, RAND_R_FAILED_TO_CREATE_LOCK);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+/*
+ * Allocate memory and initialize a new DRBG. The DRBG is allocated on
+ * the secure heap if |secure| is nonzero and the secure heap is enabled.
+ * The |parent|, if not NULL, will be used as random source for reseeding.
+ * This also requires the parent's provider context and the parent's lock.
+ *
+ * Returns a pointer to the new DRBG instance on success, NULL on failure.
+ */
+PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent,
+ const OSSL_DISPATCH *parent_dispatch,
+ int (*dnew)(PROV_DRBG *ctx, int secure))
+{
+ PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
+ int p_str;
+
+ if (drbg == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ drbg->libctx = provctx;
+ drbg->secure = secure;
+ drbg->parent = parent;
+ drbg->parent_dispatch = parent_dispatch;
+
+ /* Set some default maximums up */
+ drbg->max_entropylen = DRBG_MAX_LENGTH;
+ drbg->max_noncelen = DRBG_MAX_LENGTH;
+ drbg->max_perslen = DRBG_MAX_LENGTH;
+ drbg->max_adinlen = DRBG_MAX_LENGTH;
+ drbg->reseed_gen_counter = 1;
+
+ /* TODO(3.0) clean this up */
+ if (parent == NULL) {
+ drbg->reseed_interval = master_reseed_interval;
+ drbg->reseed_time_interval = master_reseed_time_interval;
+ } else {
+ /*
+ * Do not provide nonce callbacks, the child DRBGs will
+ * obtain their nonce using random bits from the parent.
+ */
+ drbg->reseed_interval = slave_reseed_interval;
+ drbg->reseed_time_interval = slave_reseed_time_interval;
+ }
+
+ if (!dnew(drbg, secure))
+ goto err;
+
+ if (parent != NULL) {
+ if (!get_parent_strength(drbg, &p_str))
+ goto err;
+ if (drbg->strength > p_str) {
+ /*
+ * We currently don't support the algorithm from NIST SP 800-90C
+ * 10.1.2 to use a weaker DRBG as source
+ */
+ ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_STRENGTH_TOO_WEAK);
+ goto err;
+ }
+ }
+ return drbg;
+
+ err:
+ prov_rand_drbg_free(drbg);
+ return NULL;
+}
+
+void prov_rand_drbg_free(PROV_DRBG *drbg)
+{
+ if (drbg == NULL)
+ return;
+
+ rand_pool_free(drbg->adin_pool);
+ CRYPTO_THREAD_lock_free(drbg->lock);
+#ifndef FIPS_MODULE
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data);
+#endif
+}
+
+int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
+{
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATUS);
+ if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
+ if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_ENTROPYLEN);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ENTROPYLEN);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_NONCELEN);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_NONCELEN);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_PERSLEN);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ADINLEN);
+ if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_CTR);
+ if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_gen_counter))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_REQUESTS);
+ if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL);
+ if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
+ return 0;
+
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_PROP_CTR);
+ if (p != NULL
+ && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_prop_counter)))
+ return 0;
+ return 1;
+}
+
+int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_REQUESTS);
+ if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
+ return 0;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL);
+ if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
+ return 0;
+ return 1;
+}
--- /dev/null
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_PROV_LOCAL_H
+# define OSSL_CRYPTO_PROV_LOCAL_H
+
+# include <openssl/evp.h>
+# include <openssl/core_numbers.h>
+# include <openssl/core_names.h>
+# include <openssl/params.h>
+# include "internal/tsan_assist.h"
+
+# include "internal/numbers.h"
+
+/* How many times to read the TSC as a randomness source. */
+# define TSC_READ_COUNT 4
+
+/* Maximum reseed intervals */
+# define MAX_RESEED_INTERVAL (1 << 24)
+# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */
+
+/* Default reseed intervals */
+# define MASTER_RESEED_INTERVAL (1 << 8)
+# define SLAVE_RESEED_INTERVAL (1 << 16)
+# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
+# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
+
+/*
+ * The number of bytes that constitutes an atomic lump of entropy with respect
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
+ * arbitrary, the smaller the value, the less entropy is consumed on first
+ * read but the higher the probability of the test failing by accident.
+ *
+ * The value is in bytes.
+ */
+#define CRNGT_BUFSIZ 16
+
+/*
+ * Maximum input size for the DRBG (entropy, nonce, personalization string)
+ *
+ * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
+ *
+ * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
+ */
+# define DRBG_MAX_LENGTH INT32_MAX
+
+/* The default nonce */
+#ifdef CHARSET_EBCDIC
+# define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \
+ 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \
+ 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00};
+#else
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
+#endif
+
+typedef struct prov_drbg_st PROV_DRBG;
+
+/* DRBG status values */
+typedef enum drbg_status_e {
+ DRBG_UNINITIALISED,
+ DRBG_READY,
+ DRBG_ERROR
+} DRBG_STATUS;
+
+/*
+ * The DRBG methods
+ */
+
+typedef struct rand_drbg_hmac_st {
+ EVP_MD *md;
+ HMAC_CTX *ctx;
+ size_t blocklen;
+ unsigned char K[EVP_MAX_MD_SIZE];
+ unsigned char V[EVP_MAX_MD_SIZE];
+} PROV_DRBG_HMAC;
+
+/*
+ * The state of a DRBG AES-CTR.
+ */
+typedef struct rand_drbg_ctr_st {
+ EVP_CIPHER_CTX *ctx_ecb;
+ EVP_CIPHER_CTX *ctx_ctr;
+ EVP_CIPHER_CTX *ctx_df;
+ EVP_CIPHER *cipher_ecb;
+ EVP_CIPHER *cipher_ctr;
+ size_t keylen;
+ unsigned char K[32];
+ unsigned char V[16];
+ /* Temporary block storage used by ctr_df */
+ unsigned char bltmp[16];
+ size_t bltmp_pos;
+ unsigned char KX[48];
+} PROV_DRBG_CTR;
+
+
+/*
+ * The state of all types of DRBGs, even though we only have CTR mode
+ * right now.
+ */
+struct prov_drbg_st {
+ CRYPTO_RWLOCK *lock;
+ /* The library context this DRBG is associated with, if any */
+ OPENSSL_CTX *libctx;
+ void *parent;
+ const OSSL_DISPATCH *parent_dispatch;
+ int secure; /* 1: allocated on the secure heap, 0: otherwise */
+ /*
+ * Stores the return value of openssl_get_fork_id() as of when we last
+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
+ * DRBG in the child process.
+ */
+ int fork_id;
+ unsigned short flags; /* various external flags */
+
+ /*
+ * The random_data is used by PROV_add()/drbg_add() to attach random
+ * data to the global drbg, such that the rand_drbg_get_entropy() callback
+ * can pull it during instantiation and reseeding. This is necessary to
+ * reconcile the different philosophies of the PROV and the PROV_DRBG
+ * with respect to how randomness is added to the RNG during reseeding
+ * (see PR #4328).
+ */
+ struct rand_pool_st *seed_pool;
+
+ /*
+ * Auxiliary pool for additional data.
+ */
+ struct rand_pool_st *adin_pool;
+
+ /*
+ * The following parameters are setup by the per-type "init" function.
+ *
+ * The supported types and their init functions are:
+ * (1) CTR_DRBG: drbg_ctr_init().
+ * (2) HMAC_DRBG: drbg_hmac_init().
+ * (3) HASH_DRBG: drbg_hash_init().
+ *
+ * The parameters are closely related to the ones described in
+ * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
+ * crucial difference: In the NIST standard, all counts are given
+ * in bits, whereas in OpenSSL entropy counts are given in bits
+ * and buffer lengths are given in bytes.
+ *
+ * Since this difference has lead to some confusion in the past,
+ * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
+ * the 'len' suffix has been added to all buffer sizes for
+ * clarification.
+ */
+
+ int strength;
+ size_t max_request;
+ size_t min_entropylen, max_entropylen;
+ size_t min_noncelen, max_noncelen;
+ size_t max_perslen, max_adinlen;
+
+ /*
+ * Counts the number of generate requests since the last reseed
+ * (Starts at 1). This value is the reseed_counter as defined in
+ * NIST SP 800-90Ar1
+ */
+ unsigned int reseed_gen_counter;
+ /*
+ * Maximum number of generate requests until a reseed is required.
+ * This value is ignored if it is zero.
+ */
+ unsigned int reseed_interval;
+ /* Stores the time when the last reseeding occurred */
+ time_t reseed_time;
+ /*
+ * Specifies the maximum time interval (in seconds) between reseeds.
+ * This value is ignored if it is zero.
+ */
+ time_t reseed_time_interval;
+ /*
+ * Counts the number of reseeds since instantiation.
+ * This value is ignored if it is zero.
+ *
+ * This counter is used only for seed propagation from the <master> DRBG
+ * to its two children, the <public> and <private> DRBG. This feature is
+ * very special and its sole purpose is to ensure that any randomness which
+ * is added by PROV_add() or PROV_seed() will have an immediate effect on
+ * the output of PROV_bytes() resp. PROV_priv_bytes().
+ */
+ TSAN_QUALIFIER unsigned int reseed_prop_counter;
+ unsigned int reseed_next_counter;
+
+ size_t seedlen;
+ DRBG_STATUS state;
+
+ void *data;
+
+#ifndef FIPS_MODULE
+ /* Application data, mainly used in the KATs. */
+ CRYPTO_EX_DATA ex_data;
+#endif
+};
+
+/* DRBG helpers */
+int rand_drbg_restart(PROV_DRBG *drbg,
+ const unsigned char *buffer, size_t len, size_t entropy);
+size_t rand_drbg_seedlen(PROV_DRBG *drbg);
+
+PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent,
+ const OSSL_DISPATCH *parent_dispatch,
+ int (*dnew)(PROV_DRBG *ctx, int secure));
+void prov_rand_free(PROV_DRBG *drbg);
+
+int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength,
+ int prediction_resistance,
+ const unsigned char *pers, size_t perslen,
+ int (*ifnc)(PROV_DRBG *drbg,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *nonce,
+ size_t nonce_len,
+ const unsigned char *pstr,
+ size_t pstr_len));
+
+int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adinlen,
+ int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
+ size_t ent_len, const unsigned char *adin,
+ size_t adin_len));
+
+int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+ int strength, int prediction_resistance,
+ const unsigned char *adin, size_t adinlen,
+ int (*generate)(PROV_DRBG *, unsigned char *out,
+ size_t outlen, const unsigned char *adin,
+ size_t adin_len),
+ int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
+ size_t ent_len, const unsigned char *adin,
+ size_t adin_len));
+
+/* locking api */
+OSSL_OP_rand_enable_locking_fn drbg_enable_locking;
+OSSL_OP_rand_lock_fn drbg_lock;
+OSSL_OP_rand_unlock_fn drbg_unlock;
+
+int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]);
+int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]);
+
+#define OSSL_PARAM_DRBG_SETABLE_CTX_COMMON \
+ OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_REQUESTS, NULL), \
+ OSSL_PARAM_uint64(OSSL_RAND_PARAM_RESEED_TIME_INTERVAL, NULL)
+
+#define OSSL_PARAM_DRBG_GETABLE_CTX_COMMON \
+ OSSL_PARAM_int(OSSL_RAND_PARAM_STATUS, NULL), \
+ OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MIN_ENTROPYLEN, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_ENTROPYLEN, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MIN_NONCELEN, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_NONCELEN, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_PERSLEN, NULL), \
+ OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_ADINLEN, NULL), \
+ OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_CTR, NULL), \
+ OSSL_PARAM_uint(OSSL_RAND_PARAM_RESEED_REQUESTS, NULL), \
+ OSSL_PARAM_uint64(OSSL_RAND_PARAM_RESEED_TIME_INTERVAL, NULL)
+
+size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance);
+void prov_crngt_cleanup_entropy(PROV_DRBG *drbg,
+ unsigned char *out, size_t outlen);
+
+/*
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
+ * These need to be exposed for the unit tests.
+ */
+#if 0
+int rand_crngt_get_entropy_cb(OPENSSL_CTX *ctx, PROV_POOL *pool,
+ unsigned char *buf, unsigned char *md,
+ unsigned int *md_size);
+extern int (*crngt_get_entropy)(OPENSSL_CTX *ctx, PROV_POOL *pool,
+ unsigned char *buf, unsigned char *md,
+ unsigned int *md_size);
+#endif
+#endif
#include "crypto/rand.h"
#include "internal/thread_once.h"
#include "internal/cryptlib.h"
-#include "rand_local.h"
+#include "crypto/rand_pool.h"
+#include "drbg_local.h"
+#include "crypto/rand_pool.h"
+#include "seeding/seeding.h"
typedef struct crng_test_global_st {
unsigned char crngt_prev[EVP_MAX_MD_SIZE];
RAND_POOL *crngt_pool;
} CRNG_TEST_GLOBAL;
-int (*crngt_get_entropy)(OPENSSL_CTX *, RAND_POOL *, unsigned char *,
- unsigned char *, unsigned int *)
- = &rand_crngt_get_entropy_cb;
+static int crngt_get_entropy(OPENSSL_CTX *ctx, RAND_POOL *pool,
+ unsigned char *buf, unsigned char *md,
+ unsigned int *md_size)
+{
+ int r;
+ size_t n;
+ unsigned char *p;
+
+ if (pool == NULL)
+ return 0;
+
+ n = prov_pool_acquire_entropy(pool);
+ if (n >= CRNGT_BUFSIZ) {
+ EVP_MD *fmd = EVP_MD_fetch(ctx, "SHA256", "");
+ if (fmd == NULL)
+ return 0;
+ p = rand_pool_detach(pool);
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, fmd, NULL);
+ if (r != 0)
+ memcpy(buf, p, CRNGT_BUFSIZ);
+ rand_pool_reattach(pool, p);
+ EVP_MD_free(fmd);
+ return r;
+ }
+ return 0;
+}
static void rand_crng_ossl_ctx_free(void *vcrngt_glob)
{
{
OPENSSL_secure_clear_free(out, outlen);
}
+
+#if 0
+const OSSL_DISPATCH crngt_functions[] = {
+ { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))crngt_new },
+ { OSSL_FUNC_RAND_FREECTX, (void(*)(void))crngt_free },
+ { OSSL_FUNC_RAND_INSTANTIATE, (void(*)(void))crngt_instantiate },
+ { OSSL_FUNC_RAND_UNINSTANTIATE, (void(*)(void))crngt_uninstantiate },
+ { OSSL_FUNC_RAND_GENERATE, (void(*)(void))crngt_generate },
+ { OSSL_FUNC_RAND_RESEED, (void(*)(void))crngt_reseed },
+ { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))drbg_enable_locking },
+ { OSSL_FUNC_RAND_LOCK, (void(*)(void))drbg_lock },
+ { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))drbg_unlock },
+ { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
+ (void(*)(void))crngt_settable_ctx_params },
+ { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))crngt_set_ctx_params },
+ { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
+ (void(*)(void))crngt_gettable_ctx_params },
+ { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))crngt_get_ctx_params },
+ { 0, NULL }
+};
+#endif