]>
Commit | Line | Data |
---|---|---|
12fb8c3d RS |
1 | /* |
2 | * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <openssl/crypto.h> | |
12 | #include <openssl/err.h> | |
13 | #include <openssl/rand.h> | |
14 | #include "rand_lcl.h" | |
15 | ||
16 | /* | |
17 | * Support framework for NIST SP 800-90A DRBG, AES-CTR mode. | |
18 | */ | |
19 | ||
20 | /* | |
21 | * Get entropy from the existing callback. This is mainly used for KATs. | |
22 | */ | |
23 | static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout, | |
24 | int entropy, size_t min_len, size_t max_len) | |
25 | { | |
26 | if (dctx->get_entropy != NULL) | |
27 | return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); | |
28 | /* TODO: Get from parent if it exists. */ | |
29 | return 0; | |
30 | } | |
31 | ||
32 | /* | |
33 | * Cleanup entropy. | |
34 | */ | |
35 | static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen) | |
36 | { | |
37 | if (dctx->cleanup_entropy != NULL) | |
38 | dctx->cleanup_entropy(dctx, out, olen); | |
39 | } | |
40 | ||
41 | /* | |
42 | * The OpenSSL model is to have new and free functions, and that new | |
43 | * does all initialization. That is not the NIST model, which has | |
44 | * instantiation and un-instantiate, and re-use within a new/free | |
45 | * lifecycle. (No doubt this comes from the desire to support hardware | |
46 | * DRBG, where allocation of resources on something like an HSM is | |
47 | * a much bigger deal than just re-setting an allocated resource.) | |
48 | * | |
49 | * The DRBG_CTX is OpenSSL's opaque pointer to an instance of the | |
50 | * DRBG. | |
51 | */ | |
52 | ||
53 | /* | |
54 | * Set/initialize |dctx| to be of type |nid|, with optional |flags|. | |
55 | * Return -2 if the type is not supported, 1 on success and -1 on | |
56 | * failure. | |
57 | */ | |
58 | int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags) | |
59 | { | |
60 | int ret = 1; | |
61 | ||
62 | dctx->status = DRBG_STATUS_UNINITIALISED; | |
63 | dctx->flags = flags; | |
64 | dctx->nid = nid; | |
65 | ||
66 | switch (nid) { | |
67 | default: | |
68 | RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE); | |
69 | return -2; | |
70 | case 0: | |
71 | /* Uninitialized; that's okay. */ | |
72 | return 1; | |
73 | case NID_aes_128_ctr: | |
74 | case NID_aes_192_ctr: | |
75 | case NID_aes_256_ctr: | |
76 | ret = ctr_init(dctx); | |
77 | break; | |
78 | } | |
79 | ||
80 | if (ret < 0) | |
81 | RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG); | |
82 | return ret; | |
83 | } | |
84 | ||
85 | /* | |
86 | * Allocate memory and initialize a new DRBG. The |parent|, if not | |
87 | * NULL, will be used to auto-seed this DRBG_CTX as needed. | |
88 | */ | |
89 | DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent) | |
90 | { | |
91 | DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx)); | |
92 | ||
93 | if (dctx == NULL) { | |
94 | RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); | |
95 | return NULL; | |
96 | } | |
97 | ||
98 | dctx->parent = parent; | |
99 | if (RAND_DRBG_set(dctx, type, flags) < 0) { | |
100 | OPENSSL_free(dctx); | |
101 | return NULL; | |
102 | } | |
103 | return dctx; | |
104 | } | |
105 | ||
106 | /* | |
107 | * Uninstantiate |dctx| and free all memory. | |
108 | */ | |
109 | void RAND_DRBG_free(DRBG_CTX *dctx) | |
110 | { | |
111 | if (dctx == NULL) | |
112 | return; | |
113 | ||
114 | ctr_uninstantiate(dctx); | |
115 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data); | |
116 | ||
117 | /* Don't free up default DRBG */ | |
118 | if (dctx == RAND_DRBG_get_default()) { | |
119 | memset(dctx, 0, sizeof(DRBG_CTX)); | |
120 | dctx->nid = 0; | |
121 | dctx->status = DRBG_STATUS_UNINITIALISED; | |
122 | } else { | |
123 | OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); | |
124 | OPENSSL_free(dctx); | |
125 | } | |
126 | } | |
127 | ||
128 | /* | |
129 | * Instantiate |dctx|, after it has been initialized. Use |pers| and | |
130 | * |perslen| as prediction-resistance input. | |
131 | */ | |
132 | int RAND_DRBG_instantiate(DRBG_CTX *dctx, | |
133 | const unsigned char *pers, size_t perslen) | |
134 | { | |
135 | size_t entlen = 0, noncelen = 0; | |
136 | unsigned char *nonce = NULL, *entropy = NULL; | |
137 | int r = 0; | |
138 | ||
139 | if (perslen > dctx->max_pers) { | |
140 | r = RAND_R_PERSONALISATION_STRING_TOO_LONG; | |
141 | goto end; | |
142 | } | |
143 | if (dctx->status != DRBG_STATUS_UNINITIALISED) { | |
144 | r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE | |
145 | : RAND_R_ALREADY_INSTANTIATED; | |
146 | goto end; | |
147 | } | |
148 | ||
149 | dctx->status = DRBG_STATUS_ERROR; | |
150 | entlen = get_entropy(dctx, &entropy, dctx->strength, | |
151 | dctx->min_entropy, dctx->max_entropy); | |
152 | if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { | |
153 | r = RAND_R_ERROR_RETRIEVING_ENTROPY; | |
154 | goto end; | |
155 | } | |
156 | ||
157 | if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) { | |
158 | noncelen = dctx->get_nonce(dctx, &nonce, | |
159 | dctx->strength / 2, | |
160 | dctx->min_nonce, dctx->max_nonce); | |
161 | ||
162 | if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { | |
163 | r = RAND_R_ERROR_RETRIEVING_NONCE; | |
164 | goto end; | |
165 | } | |
166 | } | |
167 | ||
168 | if (!ctr_instantiate(dctx, entropy, entlen, | |
169 | nonce, noncelen, pers, perslen)) { | |
170 | r = RAND_R_ERROR_INSTANTIATING_DRBG; | |
171 | goto end; | |
172 | } | |
173 | ||
174 | dctx->status = DRBG_STATUS_READY; | |
175 | dctx->reseed_counter = 1; | |
176 | ||
177 | end: | |
178 | if (entropy != NULL && dctx->cleanup_entropy != NULL) | |
179 | dctx->cleanup_entropy(dctx, entropy, entlen); | |
180 | if (nonce != NULL && dctx->cleanup_nonce!= NULL ) | |
181 | dctx->cleanup_nonce(dctx, nonce, noncelen); | |
182 | if (dctx->status == DRBG_STATUS_READY) | |
183 | return 1; | |
184 | ||
185 | if (r) | |
186 | RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r); | |
187 | return 0; | |
188 | } | |
189 | ||
190 | /* | |
191 | * Uninstantiate |dctx|. Must be instantiated before it can be used. | |
192 | */ | |
193 | int RAND_DRBG_uninstantiate(DRBG_CTX *dctx) | |
194 | { | |
195 | int ret = ctr_uninstantiate(dctx); | |
196 | ||
197 | OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr)); | |
198 | dctx->status = DRBG_STATUS_UNINITIALISED; | |
199 | return ret; | |
200 | } | |
201 | ||
202 | /* | |
203 | * Mix in the specified data to reseed |dctx|. | |
204 | */ | |
205 | int RAND_DRBG_reseed(DRBG_CTX *dctx, | |
206 | const unsigned char *adin, size_t adinlen) | |
207 | { | |
208 | unsigned char *entropy = NULL; | |
209 | size_t entlen = 0; | |
210 | int r = 0; | |
211 | ||
212 | if (dctx->status != DRBG_STATUS_READY | |
213 | && dctx->status != DRBG_STATUS_RESEED) { | |
214 | if (dctx->status == DRBG_STATUS_ERROR) | |
215 | r = RAND_R_IN_ERROR_STATE; | |
216 | else if (dctx->status == DRBG_STATUS_UNINITIALISED) | |
217 | r = RAND_R_NOT_INSTANTIATED; | |
218 | goto end; | |
219 | } | |
220 | ||
221 | if (adin == NULL) | |
222 | adinlen = 0; | |
223 | else if (adinlen > dctx->max_adin) { | |
224 | r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; | |
225 | goto end; | |
226 | } | |
227 | ||
228 | dctx->status = DRBG_STATUS_ERROR; | |
229 | entlen = get_entropy(dctx, &entropy, dctx->strength, | |
230 | dctx->min_entropy, dctx->max_entropy); | |
231 | ||
232 | if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { | |
233 | r = RAND_R_ERROR_RETRIEVING_ENTROPY; | |
234 | goto end; | |
235 | } | |
236 | ||
237 | if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen)) | |
238 | goto end; | |
239 | dctx->status = DRBG_STATUS_READY; | |
240 | dctx->reseed_counter = 1; | |
241 | ||
242 | end: | |
243 | if (entropy != NULL && dctx->cleanup_entropy != NULL) | |
244 | cleanup_entropy(dctx, entropy, entlen); | |
245 | if (dctx->status == DRBG_STATUS_READY) | |
246 | return 1; | |
247 | if (r) | |
248 | RANDerr(RAND_F_RAND_DRBG_RESEED, r); | |
249 | ||
250 | return 0; | |
251 | } | |
252 | ||
253 | /* | |
254 | * Generate |outlen| bytes into the buffer at |out|. Reseed if we need | |
255 | * to or if |prediction_resistance| is set. Additional input can be | |
256 | * sent in |adin| and |adinlen|. | |
257 | */ | |
258 | int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, | |
259 | int prediction_resistance, | |
260 | const unsigned char *adin, size_t adinlen) | |
261 | { | |
262 | int r = 0; | |
263 | ||
264 | if (dctx->status != DRBG_STATUS_READY | |
265 | && dctx->status != DRBG_STATUS_RESEED) { | |
266 | if (dctx->status == DRBG_STATUS_ERROR) | |
267 | r = RAND_R_IN_ERROR_STATE; | |
268 | else if(dctx->status == DRBG_STATUS_UNINITIALISED) | |
269 | r = RAND_R_NOT_INSTANTIATED; | |
270 | goto end; | |
271 | } | |
272 | ||
273 | if (outlen > dctx->max_request) { | |
274 | r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG; | |
275 | return 0; | |
276 | } | |
277 | if (adinlen > dctx->max_adin) { | |
278 | r = RAND_R_ADDITIONAL_INPUT_TOO_LONG; | |
279 | goto end; | |
280 | } | |
281 | ||
282 | if (dctx->reseed_counter >= dctx->reseed_interval) | |
283 | dctx->status = DRBG_STATUS_RESEED; | |
284 | ||
285 | if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { | |
286 | if (!RAND_DRBG_reseed(dctx, adin, adinlen)) { | |
287 | r = RAND_R_RESEED_ERROR; | |
288 | goto end; | |
289 | } | |
290 | adin = NULL; | |
291 | adinlen = 0; | |
292 | } | |
293 | ||
294 | if (!ctr_generate(dctx, out, outlen, adin, adinlen)) { | |
295 | r = RAND_R_GENERATE_ERROR; | |
296 | dctx->status = DRBG_STATUS_ERROR; | |
297 | goto end; | |
298 | } | |
299 | if (dctx->reseed_counter >= dctx->reseed_interval) | |
300 | dctx->status = DRBG_STATUS_RESEED; | |
301 | else | |
302 | dctx->reseed_counter++; | |
303 | return 1; | |
304 | ||
305 | end: | |
306 | RANDerr(RAND_F_RAND_DRBG_GENERATE, r); | |
307 | return 0; | |
308 | } | |
309 | ||
310 | /* | |
311 | * Set the callbacks for entropy and nonce. Used mainly for the KATs | |
312 | */ | |
313 | int RAND_DRBG_set_callbacks(DRBG_CTX *dctx, | |
314 | size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout, | |
315 | int entropy, size_t min_len, size_t max_len), | |
316 | void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen), | |
317 | size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout, | |
318 | int entropy, size_t min_len, size_t max_len), | |
319 | void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen)) | |
320 | { | |
321 | if (dctx->status != DRBG_STATUS_UNINITIALISED) | |
322 | return 0; | |
323 | dctx->get_entropy = cb_get_entropy; | |
324 | dctx->cleanup_entropy = cb_cleanup_entropy; | |
325 | dctx->get_nonce = cb_get_nonce; | |
326 | dctx->cleanup_nonce = cb_cleanup_nonce; | |
327 | return 1; | |
328 | } | |
329 | ||
330 | /* | |
331 | * Set the reseed internal. Used mainly for the KATs. | |
332 | */ | |
333 | void RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval) | |
334 | { | |
335 | dctx->reseed_interval = interval; | |
336 | } | |
337 | ||
338 | /* | |
339 | * Get and set the EXDATA | |
340 | */ | |
341 | int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg) | |
342 | { | |
343 | return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg); | |
344 | } | |
345 | ||
346 | void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx) | |
347 | { | |
348 | return CRYPTO_get_ex_data(&dctx->ex_data, idx); | |
349 | } |