]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/rands/drbg.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Copyright year updates
[thirdparty/openssl.git] / providers / implementations / rands / drbg.c
CommitLineData
714a1bb3 1/*
da1c088f 2 * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
714a1bb3
P		 3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <string.h>
11#include <openssl/crypto.h>
12#include <openssl/err.h>
13#include <openssl/rand.h>
f000e828 14#include <openssl/evp.h>
714a1bb3 15#include "crypto/rand.h"
2741128e 16#include <openssl/proverr.h>
714a1bb3
P		 17#include "drbg_local.h"
18#include "internal/thread_once.h"
19#include "crypto/cryptlib.h"
f000e828 20#include "prov/seeding.h"
08edd447 21#include "crypto/rand_pool.h"
f000e828 22#include "prov/provider_ctx.h"
aef30ad0 23#include "prov/providercommon.h"
30ab7747 24#include "prov/fipscommon.h"
927d0566 25#include "crypto/context.h"
714a1bb3
P		 26
27/*
28 * Support framework for NIST SP 800-90A DRBG
29 *
30 * See manual page PROV_DRBG(7) for a general overview.
31 *
32 * The OpenSSL model is to have new and free functions, and that new
33 * does all initialization. That is not the NIST model, which has
34 * instantiation and un-instantiate, and re-use within a new/free
35 * lifecycle. (No doubt this comes from the desire to support hardware
36 * DRBG, where allocation of resources on something like an HSM is
37 * a much bigger deal than just re-setting an allocated resource.)
38 */
39
714a1bb3
P		 40/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
41static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
42
714a1bb3
P		 43static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
44 int function);
45
f000e828
P		 46static int rand_drbg_restart(PROV_DRBG *drbg);
47
189ad3ab
MC		 48/*
49 * We interpret a call to this function as a hint only and ignore it. This
50 * occurs when the EVP layer thinks we should do some locking. In practice
51 * however we manage for ourselves when we take a lock or not on the basis
52 * of whether drbg->lock is present or not.
53 */
b24d6c33 54int ossl_drbg_lock(void *vctx)
714a1bb3 55{
189ad3ab 56 return 1;
714a1bb3
P		 57}
58
189ad3ab 59/* Interpreted as a hint only and ignored as for ossl_drbg_lock() */
b24d6c33 60void ossl_drbg_unlock(void *vctx)
714a1bb3 61{
714a1bb3
P		 62}
63
b24d6c33 64static int ossl_drbg_lock_parent(PROV_DRBG *drbg)
714a1bb3
P		 65{
66 void *parent = drbg->parent;
714a1bb3 67
f000e828
P		 68 if (parent != NULL
69 && drbg->parent_lock != NULL
70 && !drbg->parent_lock(parent)) {
71 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
72 return 0;
714a1bb3
P		 73 }
74 return 1;
75}
76
b24d6c33 77static void ossl_drbg_unlock_parent(PROV_DRBG *drbg)
714a1bb3
P		 78{
79 void *parent = drbg->parent;
714a1bb3 80
f000e828
P		 81 if (parent != NULL && drbg->parent_unlock != NULL)
82 drbg->parent_unlock(parent);
714a1bb3
P		 83}
84
f000e828 85static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)
714a1bb3
P		 86{
87 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
714a1bb3 88 void *parent = drbg->parent;
f000e828 89 int res;
714a1bb3 90
f000e828
P		 91 if (drbg->parent_get_ctx_params == NULL) {
92 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
714a1bb3
P		 93 return 0;
94 }
f000e828
P		 95
96 *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);
b24d6c33 97 if (!ossl_drbg_lock_parent(drbg)) {
f000e828 98 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
714a1bb3
P		 99 return 0;
100 }
f000e828 101 res = drbg->parent_get_ctx_params(parent, params);
b24d6c33 102 ossl_drbg_unlock_parent(drbg);
f000e828
P		 103 if (!res) {
104 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
714a1bb3
P		 105 return 0;
106 }
714a1bb3
P		 107 return 1;
108}
109
110static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
111{
112 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
714a1bb3 113 void *parent = drbg->parent;
08edd447 114 unsigned int r = 0;
714a1bb3 115
b0614f0a 116 *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r);
b24d6c33 117 if (!ossl_drbg_lock_parent(drbg)) {
f000e828 118 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
714a1bb3
P		 119 goto err;
120 }
08edd447
P		 121 if (!drbg->parent_get_ctx_params(parent, params))
122 r = 0;
b24d6c33 123 ossl_drbg_unlock_parent(drbg);
714a1bb3
P		 124 return r;
125
126 err:
f000e828 127 r = tsan_load(&drbg->reseed_counter) - 2;
714a1bb3
P		 128 if (r == 0)
129 r = UINT_MAX;
130 return r;
131}
132
714a1bb3 133/*
4f14a378 134 * Implements the get_entropy() callback
714a1bb3
P		 135 *
136 * If the DRBG has a parent, then the required amount of entropy input
7d6766cb 137 * is fetched using the parent's ossl_prov_drbg_generate().
714a1bb3
P		 138 *
139 * Otherwise, the entropy is polled from the system entropy sources
1dc188ba 140 * using ossl_pool_acquire_entropy().
714a1bb3
P		 141 *
142 * If a random pool has been added to the DRBG using RAND_add(), then
143 * its entropy will be used up first.
144 */
335e85f5
P		 145size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout,
146 int entropy, size_t min_len,
147 size_t max_len, int prediction_resistance,
148 const unsigned char *adin, size_t adin_len)
714a1bb3 149{
335e85f5
P		 150 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
151 size_t bytes_needed;
08edd447 152 unsigned char *buffer;
714a1bb3 153
08edd447
P		 154 /* Figure out how many bytes we need */
155 bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
156 if (bytes_needed < min_len)
157 bytes_needed = min_len;
158 if (bytes_needed > max_len)
159 bytes_needed = max_len;
714a1bb3 160
08edd447
P		 161 /* Allocate storage */
162 buffer = OPENSSL_secure_malloc(bytes_needed);
e077455e 163 if (buffer == NULL)
08edd447 164 return 0;
714a1bb3 165
08edd447 166 /*
335e85f5 167 * Get random data. Include our DRBG address as
08edd447
P		 168 * additional input, in order to provide a distinction between
169 * different DRBG child instances.
170 *
171 * Note: using the sizeof() operator on a pointer triggers
172 * a warning in some static code analyzers, but it's
173 * intentional and correct here.
174 */
335e85f5
P		 175 if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed,
176 drbg->strength, prediction_resistance,
177 (unsigned char *)&drbg, sizeof(drbg))) {
08edd447
P		 178 OPENSSL_secure_clear_free(buffer, bytes_needed);
179 ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
180 return 0;
714a1bb3 181 }
08edd447
P		 182 *pout = buffer;
183 return bytes_needed;
714a1bb3
P		 184}
185
335e85f5
P		 186/* Implements the cleanup_entropy() callback */
187void ossl_drbg_clear_seed(ossl_unused void *vdrbg,
188 unsigned char *out, size_t outlen)
714a1bb3 189{
08edd447 190 OPENSSL_secure_clear_free(out, outlen);
714a1bb3 191}
f000e828
P		 192
193static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
194 size_t min_len, size_t max_len,
195 int prediction_resistance)
196{
335e85f5
P		 197 size_t bytes;
198 unsigned int p_str;
199
f000e828 200 if (drbg->parent == NULL)
08edd447 201#ifdef FIPS_MODULE
1dc188ba 202 return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
f000e828 203 prediction_resistance);
08edd447
P		 204#else
205 return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
206 max_len);
f000e828
P		 207#endif
208
335e85f5
P		 209 if (drbg->parent_get_seed == NULL) {
210 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
211 return 0;
212 }
213 if (!get_parent_strength(drbg, &p_str))
214 return 0;
215 if (drbg->strength > p_str) {
216 /*
217 * We currently don't support the algorithm from NIST SP 800-90C
218 * 10.1.2 to use a weaker DRBG as source
219 */
220 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
221 return 0;
222 }
223
224 /*
225 * Our lock is already held, but we need to lock our parent before
226 * generating bits from it. Note: taking the lock will be a no-op
227 * if locking is not required (while drbg->parent->lock == NULL).
228 */
229 if (!ossl_drbg_lock_parent(drbg))
230 return 0;
231 /*
232 * Get random data from parent. Include our DRBG address as
233 * additional input, in order to provide a distinction between
234 * different DRBG child instances.
235 *
236 * Note: using the sizeof() operator on a pointer triggers
237 * a warning in some static code analyzers, but it's
238 * intentional and correct here.
239 */
240 bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength,
241 min_len, max_len, prediction_resistance,
242 (unsigned char *)&drbg, sizeof(drbg));
243 ossl_drbg_unlock_parent(drbg);
244 return bytes;
f000e828
P		 245}
246
247static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
248{
08edd447 249 if (drbg->parent == NULL) {
f000e828 250#ifdef FIPS_MODULE
1dc188ba 251 ossl_crngt_cleanup_entropy(drbg, out, outlen);
08edd447
P		 252#else
253 ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
714a1bb3 254#endif
335e85f5
P		 255 } else if (drbg->parent_clear_seed != NULL) {
256 if (!ossl_drbg_lock_parent(drbg))
257 return;
6d45fd47 258 drbg->parent_clear_seed(drbg->parent, out, outlen);
335e85f5 259 ossl_drbg_unlock_parent(drbg);
08edd447 260 }
f000e828 261}
714a1bb3
P		 262
263#ifndef PROV_RAND_GET_RANDOM_NONCE
264typedef struct prov_drbg_nonce_global_st {
265 CRYPTO_RWLOCK *rand_nonce_lock;
266 int rand_nonce_count;
267} PROV_DRBG_NONCE_GLOBAL;
268
269/*
270 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
b4250010 271 * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since
714a1bb3
P		 272 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
273 * to be in a different global data object. Otherwise we will go into an
274 * infinite recursion loop.
275 */
927d0566 276void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx)
714a1bb3
P		 277{
278 PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
279
280 if (dngbl == NULL)
281 return NULL;
282
283 dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
284 if (dngbl->rand_nonce_lock == NULL) {
285 OPENSSL_free(dngbl);
286 return NULL;
287 }
288
289 return dngbl;
290}
291
927d0566 292void ossl_prov_drbg_nonce_ctx_free(void *vdngbl)
714a1bb3
P		 293{
294 PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
295
296 if (dngbl == NULL)
297 return;
298
299 CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
300
301 OPENSSL_free(dngbl);
302}
303
714a1bb3 304/* Get a nonce from the operating system */
08edd447
P		 305static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout,
306 size_t min_len, size_t max_len)
714a1bb3 307{
f000e828 308 size_t ret = 0, n;
f000e828 309 unsigned char *buf = NULL;
08edd447 310 OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
714a1bb3 311 PROV_DRBG_NONCE_GLOBAL *dngbl
927d0566 312 = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX);
714a1bb3 313 struct {
08edd447 314 void *drbg;
714a1bb3
P		 315 int count;
316 } data;
08edd447 317
714a1bb3
P		 318 if (dngbl == NULL)
319 return 0;
320
08edd447
P		 321 if (drbg->parent != NULL && drbg->parent_nonce != NULL) {
322 n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
323 drbg->max_noncelen);
324 if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {
325 ret = drbg->parent_nonce(drbg->parent, buf, 0,
326 drbg->min_noncelen, drbg->max_noncelen);
327 if (ret == n) {
328 *pout = buf;
329 return ret;
f000e828 330 }
08edd447 331 OPENSSL_free(buf);
f000e828
P		 332 }
333 }
334
08edd447 335 /* Use the built in nonce source plus some of our specifics */
714a1bb3 336 memset(&data, 0, sizeof(data));
08edd447 337 data.drbg = drbg;
7efc073d
TM		 338 if (!CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
339 dngbl->rand_nonce_lock))
340 return 0;
08edd447
P		 341 return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len,
342 &data, sizeof(data));
714a1bb3 343}
f000e828 344#endif /* PROV_RAND_GET_RANDOM_NONCE */
714a1bb3
P		 345
346/*
347 * Instantiate |drbg|, after it has been initialized. Use |pers| and
348 * |perslen| as prediction-resistance input.
349 *
350 * Requires that drbg->lock is already locked for write, if non-null.
351 *
352 * Returns 1 on success, 0 on failure.
353 */
7d6766cb
P		 354int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
355 int prediction_resistance,
356 const unsigned char *pers, size_t perslen)
714a1bb3
P		 357{
358 unsigned char *nonce = NULL, *entropy = NULL;
359 size_t noncelen = 0, entropylen = 0;
360 size_t min_entropy, min_entropylen, max_entropylen;
714a1bb3
P		 361
362 if (strength > drbg->strength) {
6debc6ab 363 ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
714a1bb3
P		 364 goto end;
365 }
366 min_entropy = drbg->strength;
367 min_entropylen = drbg->min_entropylen;
368 max_entropylen = drbg->max_entropylen;
369
370 if (pers == NULL) {
371 pers = (const unsigned char *)ossl_pers_string;
372 perslen = sizeof(ossl_pers_string);
373 }
374 if (perslen > drbg->max_perslen) {
6debc6ab 375 ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG);
714a1bb3
P		 376 goto end;
377 }
378
f000e828
P		 379 if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {
380 if (drbg->state == EVP_RAND_STATE_ERROR)
6debc6ab 381 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
714a1bb3 382 else
6debc6ab 383 ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED);
714a1bb3
P		 384 goto end;
385 }
386
f000e828 387 drbg->state = EVP_RAND_STATE_ERROR;
714a1bb3
P		 388
389 if (drbg->min_noncelen > 0) {
f000e828
P		 390 if (drbg->parent_nonce != NULL) {
391 noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,
392 drbg->min_noncelen,
393 drbg->max_noncelen);
394 if (noncelen == 0) {
6debc6ab 395 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
f000e828
P		 396 goto end;
397 }
398 nonce = OPENSSL_malloc(noncelen);
399 if (nonce == NULL) {
6debc6ab 400 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
f000e828
P		 401 goto end;
402 }
403 if (noncelen != drbg->parent_nonce(drbg->parent, nonce,
404 drbg->strength,
405 drbg->min_noncelen,
406 drbg->max_noncelen)) {
6debc6ab 407 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
c4d02214 408 goto end;
f000e828 409 }
714a1bb3 410#ifndef PROV_RAND_GET_RANDOM_NONCE
f000e828 411 } else if (drbg->parent != NULL) {
714a1bb3 412#endif
f000e828
P		 413 /*
414 * NIST SP800-90Ar1 section 9.1 says you can combine getting
415 * the entropy and nonce in 1 call by increasing the entropy
416 * with 50% and increasing the minimum length to accommodate
417 * the length of the nonce. We do this in case a nonce is
418 * required and there is no parental nonce capability.
419 */
420 min_entropy += drbg->strength / 2;
421 min_entropylen += drbg->min_noncelen;
422 max_entropylen += drbg->max_noncelen;
714a1bb3
P		 423 }
424#ifndef PROV_RAND_GET_RANDOM_NONCE
425 else { /* parent == NULL */
08edd447 426 noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen,
714a1bb3
P		 427 drbg->max_noncelen);
428 if (noncelen < drbg->min_noncelen
429 || noncelen > drbg->max_noncelen) {
6debc6ab 430 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
714a1bb3
P		 431 goto end;
432 }
433 }
434#endif
435 }
436
f000e828 437 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
714a1bb3
P		 438 if (drbg->reseed_next_counter) {
439 drbg->reseed_next_counter++;
f000e828 440 if (!drbg->reseed_next_counter)
714a1bb3
P		 441 drbg->reseed_next_counter = 1;
442 }
443
444 entropylen = get_entropy(drbg, &entropy, min_entropy,
445 min_entropylen, max_entropylen,
446 prediction_resistance);
447 if (entropylen < min_entropylen
448 || entropylen > max_entropylen) {
6debc6ab 449 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
714a1bb3
P		 450 goto end;
451 }
452
f000e828
P		 453 if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,
454 pers, perslen)) {
caf569a5 455 cleanup_entropy(drbg, entropy, entropylen);
6debc6ab 456 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG);
714a1bb3
P		 457 goto end;
458 }
caf569a5 459 cleanup_entropy(drbg, entropy, entropylen);
714a1bb3 460
f000e828 461 drbg->state = EVP_RAND_STATE_READY;
b0614f0a 462 drbg->generate_counter = 1;
714a1bb3 463 drbg->reseed_time = time(NULL);
f000e828 464 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
714a1bb3
P		 465
466 end:
08edd447
P		 467 if (nonce != NULL)
468 ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen);
f000e828 469 if (drbg->state == EVP_RAND_STATE_READY)
714a1bb3
P		 470 return 1;
471 return 0;
472}
473
f000e828
P		 474/*
475 * Uninstantiate |drbg|. Must be instantiated before it can be used.
476 *
477 * Requires that drbg->lock is already locked for write, if non-null.
478 *
479 * Returns 1 on success, 0 on failure.
480 */
7d6766cb 481int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg)
f000e828
P		 482{
483 drbg->state = EVP_RAND_STATE_UNINITIALISED;
484 return 1;
485}
486
189ad3ab
MC		 487static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
488 int prediction_resistance,
489 const unsigned char *ent,
490 size_t ent_len,
491 const unsigned char *adin,
492 size_t adinlen)
714a1bb3
P		 493{
494 unsigned char *entropy = NULL;
495 size_t entropylen = 0;
496
aef30ad0
P		 497 if (!ossl_prov_is_running())
498 return 0;
499
f000e828
P		 500 if (drbg->state != EVP_RAND_STATE_READY) {
501 /* try to recover from previous errors */
502 rand_drbg_restart(drbg);
503
504 if (drbg->state == EVP_RAND_STATE_ERROR) {
6debc6ab 505 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
f000e828
P		 506 return 0;
507 }
508 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
6debc6ab 509 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
f000e828
P		 510 return 0;
511 }
714a1bb3 512 }
f000e828
P		 513
514 if (ent != NULL) {
515 if (ent_len < drbg->min_entropylen) {
6debc6ab 516 ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE);
f000e828
P		 517 drbg->state = EVP_RAND_STATE_ERROR;
518 return 0;
519 }
520 if (ent_len > drbg->max_entropylen) {
6debc6ab 521 ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);
f000e828
P		 522 drbg->state = EVP_RAND_STATE_ERROR;
523 return 0;
524 }
714a1bb3
P		 525 }
526
527 if (adin == NULL) {
528 adinlen = 0;
529 } else if (adinlen > drbg->max_adinlen) {
6debc6ab 530 ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
714a1bb3
P		 531 return 0;
532 }
533
f000e828 534 drbg->state = EVP_RAND_STATE_ERROR;
714a1bb3 535
f000e828 536 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
714a1bb3
P		 537 if (drbg->reseed_next_counter) {
538 drbg->reseed_next_counter++;
f000e828 539 if (!drbg->reseed_next_counter)
714a1bb3
P		 540 drbg->reseed_next_counter = 1;
541 }
542
f000e828 543 if (ent != NULL) {
1d30b0a4 544#ifdef FIPS_MODULE
f000e828
P		 545 /*
546 * NIST SP-800-90A mandates that entropy *shall not* be provided
547 * by the consuming application. Instead the data is added as additional
548 * input.
549 *
550 * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
551 */
552 if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {
553 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
554 return 0;
555 }
556#else
557 if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {
558 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
559 return 0;
560 }
561 /* There isn't much point adding the same additional input twice */
562 adin = NULL;
563 adinlen = 0;
564#endif
565 }
566
567 /* Reseed using our sources in addition */
714a1bb3
P		 568 entropylen = get_entropy(drbg, &entropy, drbg->strength,
569 drbg->min_entropylen, drbg->max_entropylen,
570 prediction_resistance);
571 if (entropylen < drbg->min_entropylen
572 || entropylen > drbg->max_entropylen) {
6debc6ab 573 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
714a1bb3
P		 574 goto end;
575 }
576
f000e828 577 if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))
714a1bb3
P		 578 goto end;
579
f000e828 580 drbg->state = EVP_RAND_STATE_READY;
b0614f0a 581 drbg->generate_counter = 1;
714a1bb3 582 drbg->reseed_time = time(NULL);
f000e828
P		 583 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
584 if (drbg->parent != NULL)
585 drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
714a1bb3
P		 586
587 end:
f000e828
P		 588 cleanup_entropy(drbg, entropy, entropylen);
589 if (drbg->state == EVP_RAND_STATE_READY)
714a1bb3
P		 590 return 1;
591 return 0;
592}
593
189ad3ab
MC		 594/*
595 * Reseed |drbg|, mixing in the specified data
596 *
597 * Acquires the drbg->lock for writing, if non-null.
598 *
599 * Returns 1 on success, 0 on failure.
600 */
601int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
602 const unsigned char *ent, size_t ent_len,
603 const unsigned char *adin, size_t adinlen)
604{
605 int ret;
606
607 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
608 return 0;
609
610 ret = ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, ent,
611 ent_len, adin, adinlen);
612
613 if (drbg->lock != NULL)
614 CRYPTO_THREAD_unlock(drbg->lock);
615
616 return ret;
617}
618
714a1bb3
P		 619/*
620 * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
621 * to or if |prediction_resistance| is set. Additional input can be
622 * sent in |adin| and |adinlen|.
623 *
189ad3ab 624 * Acquires the drbg->lock for writing if available
714a1bb3
P		 625 *
626 * Returns 1 on success, 0 on failure.
627 *
628 */
7d6766cb
P		 629int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
630 unsigned int strength, int prediction_resistance,
631 const unsigned char *adin, size_t adinlen)
714a1bb3
P		 632{
633 int fork_id;
634 int reseed_required = 0;
189ad3ab 635 int ret = 0;
714a1bb3 636
aef30ad0
P		 637 if (!ossl_prov_is_running())
638 return 0;
639
189ad3ab
MC		 640 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
641 return 0;
642
f000e828
P		 643 if (drbg->state != EVP_RAND_STATE_READY) {
644 /* try to recover from previous errors */
645 rand_drbg_restart(drbg);
646
647 if (drbg->state == EVP_RAND_STATE_ERROR) {
6debc6ab 648 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
189ad3ab 649 goto err;
714a1bb3 650 }
f000e828 651 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
6debc6ab 652 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
189ad3ab 653 goto err;
714a1bb3
P		 654 }
655 }
f000e828 656 if (strength > drbg->strength) {
6debc6ab 657 ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
189ad3ab 658 goto err;
f000e828 659 }
714a1bb3
P		 660
661 if (outlen > drbg->max_request) {
6debc6ab 662 ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);
189ad3ab 663 goto err;
714a1bb3
P		 664 }
665 if (adinlen > drbg->max_adinlen) {
6debc6ab 666 ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
189ad3ab 667 goto err;
714a1bb3
P		 668 }
669
670 fork_id = openssl_get_fork_id();
671
672 if (drbg->fork_id != fork_id) {
673 drbg->fork_id = fork_id;
674 reseed_required = 1;
675 }
676
677 if (drbg->reseed_interval > 0) {
b0614f0a 678 if (drbg->generate_counter >= drbg->reseed_interval)
714a1bb3
P		 679 reseed_required = 1;
680 }
681 if (drbg->reseed_time_interval > 0) {
682 time_t now = time(NULL);
683 if (now < drbg->reseed_time
684 || now - drbg->reseed_time >= drbg->reseed_time_interval)
685 reseed_required = 1;
686 }
f000e828
P		 687 if (drbg->parent != NULL
688 && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
689 reseed_required = 1;
714a1bb3
P		 690
691 if (reseed_required || prediction_resistance) {
189ad3ab
MC		 692 if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
693 0, adin, adinlen)) {
6debc6ab 694 ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR);
189ad3ab 695 goto err;
714a1bb3
P		 696 }
697 adin = NULL;
698 adinlen = 0;
699 }
700
f000e828
P		 701 if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {
702 drbg->state = EVP_RAND_STATE_ERROR;
6debc6ab 703 ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
189ad3ab 704 goto err;
714a1bb3
P		 705 }
706
b0614f0a 707 drbg->generate_counter++;
714a1bb3 708
189ad3ab
MC		 709 ret = 1;
710 err:
711 if (drbg->lock != NULL)
712 CRYPTO_THREAD_unlock(drbg->lock);
713
714 return ret;
714a1bb3
P		 715}
716
714a1bb3 717/*
f000e828
P		 718 * Restart |drbg|, using the specified entropy or additional input
719 *
720 * Tries its best to get the drbg instantiated by all means,
721 * regardless of its current state.
722 *
723 * Optionally, a |buffer| of |len| random bytes can be passed,
724 * which is assumed to contain at least |entropy| bits of entropy.
725 *
726 * If |entropy| > 0, the buffer content is used as entropy input.
727 *
728 * If |entropy| == 0, the buffer content is used as additional input
729 *
730 * Returns 1 on success, 0 on failure.
731 *
732 * This function is used internally only.
714a1bb3 733 */
f000e828 734static int rand_drbg_restart(PROV_DRBG *drbg)
714a1bb3 735{
f000e828
P		 736 /* repair error state */
737 if (drbg->state == EVP_RAND_STATE_ERROR)
738 drbg->uninstantiate(drbg);
739
740 /* repair uninitialized state */
741 if (drbg->state == EVP_RAND_STATE_UNINITIALISED)
742 /* reinstantiate drbg */
7d6766cb 743 ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0);
714a1bb3 744
f000e828 745 return drbg->state == EVP_RAND_STATE_READY;
714a1bb3 746}
714a1bb3
P		 747
748/* Provider support from here down */
749static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
750 int function)
751{
752 if (dispatch != NULL)
f000e828 753 while (dispatch->function_id != 0) {
714a1bb3
P		 754 if (dispatch->function_id == function)
755 return dispatch;
f000e828
P		 756 dispatch++;
757 }
714a1bb3
P		 758 return NULL;
759}
760
b24d6c33 761int ossl_drbg_enable_locking(void *vctx)
714a1bb3
P		 762{
763 PROV_DRBG *drbg = vctx;
714a1bb3 764
f000e828
P		 765 if (drbg != NULL && drbg->lock == NULL) {
766 if (drbg->parent_enable_locking != NULL)
767 if (!drbg->parent_enable_locking(drbg->parent)) {
768 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
714a1bb3
P		 769 return 0;
770 }
771 drbg->lock = CRYPTO_THREAD_lock_new();
772 if (drbg->lock == NULL) {
f000e828 773 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
714a1bb3
P		 774 return 0;
775 }
776 }
777 return 1;
778}
779
780/*
781 * Allocate memory and initialize a new DRBG. The DRBG is allocated on
782 * the secure heap if |secure| is nonzero and the secure heap is enabled.
783 * The |parent|, if not NULL, will be used as random source for reseeding.
784 * This also requires the parent's provider context and the parent's lock.
785 *
786 * Returns a pointer to the new DRBG instance on success, NULL on failure.
787 */
1dc188ba 788PROV_DRBG *ossl_rand_drbg_new
f000e828
P		 789 (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,
790 int (*dnew)(PROV_DRBG *ctx),
791 int (*instantiate)(PROV_DRBG *drbg,
792 const unsigned char *entropy, size_t entropylen,
793 const unsigned char *nonce, size_t noncelen,
794 const unsigned char *pers, size_t perslen),
795 int (*uninstantiate)(PROV_DRBG *ctx),
796 int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
797 const unsigned char *adin, size_t adin_len),
798 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
799 const unsigned char *adin, size_t adin_len))
714a1bb3 800{
aef30ad0 801 PROV_DRBG *drbg;
f000e828
P		 802 unsigned int p_str;
803 const OSSL_DISPATCH *pfunc;
714a1bb3 804
aef30ad0
P		 805 if (!ossl_prov_is_running())
806 return NULL;
807
808 drbg = OPENSSL_zalloc(sizeof(*drbg));
e077455e 809 if (drbg == NULL)
714a1bb3 810 return NULL;
714a1bb3 811
f000e828
P		 812 drbg->provctx = provctx;
813 drbg->instantiate = instantiate;
814 drbg->uninstantiate = uninstantiate;
815 drbg->reseed = reseed;
816 drbg->generate = generate;
817 drbg->fork_id = openssl_get_fork_id();
818
819 /* Extract parent's functions */
714a1bb3 820 drbg->parent = parent;
f000e828 821 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
363b1e5d 822 drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
f000e828 823 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
363b1e5d 824 drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);
f000e828 825 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
363b1e5d 826 drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
f000e828 827 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
363b1e5d 828 drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
f000e828 829 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)
363b1e5d 830 drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);
335e85f5
P		 831 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
832 drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
833 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
834 drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
714a1bb3
P		 835
836 /* Set some default maximums up */
837 drbg->max_entropylen = DRBG_MAX_LENGTH;
838 drbg->max_noncelen = DRBG_MAX_LENGTH;
839 drbg->max_perslen = DRBG_MAX_LENGTH;
840 drbg->max_adinlen = DRBG_MAX_LENGTH;
b0614f0a 841 drbg->generate_counter = 1;
f000e828
P		 842 drbg->reseed_counter = 1;
843 drbg->reseed_interval = RESEED_INTERVAL;
844 drbg->reseed_time_interval = TIME_INTERVAL;
714a1bb3 845
f000e828 846 if (!dnew(drbg))
714a1bb3
P		 847 goto err;
848
849 if (parent != NULL) {
850 if (!get_parent_strength(drbg, &p_str))
851 goto err;
852 if (drbg->strength > p_str) {
853 /*
854 * We currently don't support the algorithm from NIST SP 800-90C
855 * 10.1.2 to use a weaker DRBG as source
856 */
f000e828 857 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
714a1bb3
P		 858 goto err;
859 }
860 }
8ff861dc
P		 861#ifdef TSAN_REQUIRES_LOCKING
862 if (!ossl_drbg_enable_locking(drbg))
863 goto err;
864#endif
714a1bb3
P		 865 return drbg;
866
867 err:
1dc188ba 868 ossl_rand_drbg_free(drbg);
714a1bb3
P		 869 return NULL;
870}
871
1dc188ba 872void ossl_rand_drbg_free(PROV_DRBG *drbg)
714a1bb3
P		 873{
874 if (drbg == NULL)
875 return;
876
714a1bb3 877 CRYPTO_THREAD_lock_free(drbg->lock);
f000e828 878 OPENSSL_free(drbg);
714a1bb3
P		 879}
880
189ad3ab
MC		 881/*
882 * Helper function called by internal DRBG implementations. Assumes that at
883 * least a read lock has been taken on drbg->lock
884 */
b24d6c33 885int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
714a1bb3
P		 886{
887 OSSL_PARAM *p;
888
f000e828 889 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
714a1bb3
P		 890 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
891 return 0;
892
893 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
894 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
895 return 0;
896
f000e828 897 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);
714a1bb3
P		 898 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
899 return 0;
900
f000e828 901 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);
714a1bb3
P		 902 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
903 return 0;
904
f000e828 905 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);
714a1bb3
P		 906 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
907 return 0;
908
f000e828 909 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);
714a1bb3
P		 910 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
911 return 0;
912
f000e828 913 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);
714a1bb3
P		 914 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
915 return 0;
916
f000e828 917 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);
714a1bb3
P		 918 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
919 return 0;
920
f000e828
P		 921 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
922 if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
714a1bb3
P		 923 return 0;
924
f000e828
P		 925 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);
926 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))
714a1bb3
P		 927 return 0;
928
f000e828 929 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
714a1bb3
P		 930 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
931 return 0;
932
61f11cad
MC		 933 return 1;
934}
935
936/*
937 * Helper function to get certain params that require no lock to obtain. Sets
938 * *complete to 1 if all the params were processed, or 0 otherwise
939 */
940int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[],
941 int *complete)
942{
943 size_t cnt = 0;
944 OSSL_PARAM *p;
945
946 /* This value never changes once set */
947 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
948 if (p != NULL) {
949 if (!OSSL_PARAM_set_size_t(p, drbg->max_request))
950 return 0;
951 cnt++;
952 }
953
954 /*
955 * Can be changed by multiple threads, but we tolerate inaccuracies in this
956 * value.
957 */
b0614f0a 958 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER);
61f11cad
MC		 959 if (p != NULL) {
960 if (!OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))
961 return 0;
962 cnt++;
963 }
964
965 if (params[cnt].key == NULL)
966 *complete = 1;
967 else
968 *complete = 0;
969
714a1bb3
P		 970 return 1;
971}
972
b24d6c33 973int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
714a1bb3
P		 974{
975 const OSSL_PARAM *p;
976
20b8dc6f
P		 977 if (params == NULL)
978 return 1;
979
f000e828 980 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
714a1bb3
P		 981 if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
982 return 0;
983
f000e828 984 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
714a1bb3
P		 985 if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
986 return 0;
987 return 1;
988}
f553c0f0
P		 989
990/* Confirm digest is allowed to be used with a DRBG */
991int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md)
992{
993#ifdef FIPS_MODULE
994 /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */
995 static const char *const allowed_digests[] = {
996 "SHA1", /* SHA 1 allowed */
997 "SHA2-256", "SHA2-512", /* non-truncated SHA2 allowed */
998 "SHA3-256", "SHA3-512", /* non-truncated SHA3 allowed */
999 };
1000 size_t i;
f553c0f0
P		 1001
1002 if (FIPS_restricted_drbg_digests_enabled(libctx)) {
1003 for (i = 0; i < OSSL_NELEM(allowed_digests); i++)
1004 if (EVP_MD_is_a(md, allowed_digests[i]))
1005 return 1;
1006 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
1007 return 0;
1008 }
1009#endif
1010 /* Outside of FIPS, any digests that are not XOF are allowed */
1011 if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
1012 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
1013 return 0;
1014 }
1015 return 1;
1016}
A mirror of the official openssl repository