]>
Commit | Line | Data |
---|---|---|
714a1bb3 | 1 | /* |
da1c088f | 2 | * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. |
714a1bb3 P |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <openssl/crypto.h> | |
12 | #include <openssl/err.h> | |
13 | #include <openssl/rand.h> | |
f000e828 | 14 | #include <openssl/evp.h> |
714a1bb3 | 15 | #include "crypto/rand.h" |
2741128e | 16 | #include <openssl/proverr.h> |
714a1bb3 P |
17 | #include "drbg_local.h" |
18 | #include "internal/thread_once.h" | |
19 | #include "crypto/cryptlib.h" | |
f000e828 | 20 | #include "prov/seeding.h" |
08edd447 | 21 | #include "crypto/rand_pool.h" |
f000e828 | 22 | #include "prov/provider_ctx.h" |
aef30ad0 | 23 | #include "prov/providercommon.h" |
30ab7747 | 24 | #include "prov/fipscommon.h" |
927d0566 | 25 | #include "crypto/context.h" |
714a1bb3 P |
26 | |
27 | /* | |
28 | * Support framework for NIST SP 800-90A DRBG | |
29 | * | |
30 | * See manual page PROV_DRBG(7) for a general overview. | |
31 | * | |
32 | * The OpenSSL model is to have new and free functions, and that new | |
33 | * does all initialization. That is not the NIST model, which has | |
34 | * instantiation and un-instantiate, and re-use within a new/free | |
35 | * lifecycle. (No doubt this comes from the desire to support hardware | |
36 | * DRBG, where allocation of resources on something like an HSM is | |
37 | * a much bigger deal than just re-setting an allocated resource.) | |
38 | */ | |
39 | ||
714a1bb3 P |
40 | /* NIST SP 800-90A DRBG recommends the use of a personalization string. */ |
41 | static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; | |
42 | ||
714a1bb3 P |
43 | static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch, |
44 | int function); | |
45 | ||
f000e828 P |
46 | static int rand_drbg_restart(PROV_DRBG *drbg); |
47 | ||
189ad3ab MC |
48 | /* |
49 | * We interpret a call to this function as a hint only and ignore it. This | |
50 | * occurs when the EVP layer thinks we should do some locking. In practice | |
51 | * however we manage for ourselves when we take a lock or not on the basis | |
52 | * of whether drbg->lock is present or not. | |
53 | */ | |
b24d6c33 | 54 | int ossl_drbg_lock(void *vctx) |
714a1bb3 | 55 | { |
189ad3ab | 56 | return 1; |
714a1bb3 P |
57 | } |
58 | ||
189ad3ab | 59 | /* Interpreted as a hint only and ignored as for ossl_drbg_lock() */ |
b24d6c33 | 60 | void ossl_drbg_unlock(void *vctx) |
714a1bb3 | 61 | { |
714a1bb3 P |
62 | } |
63 | ||
b24d6c33 | 64 | static int ossl_drbg_lock_parent(PROV_DRBG *drbg) |
714a1bb3 P |
65 | { |
66 | void *parent = drbg->parent; | |
714a1bb3 | 67 | |
f000e828 P |
68 | if (parent != NULL |
69 | && drbg->parent_lock != NULL | |
70 | && !drbg->parent_lock(parent)) { | |
71 | ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED); | |
72 | return 0; | |
714a1bb3 P |
73 | } |
74 | return 1; | |
75 | } | |
76 | ||
b24d6c33 | 77 | static void ossl_drbg_unlock_parent(PROV_DRBG *drbg) |
714a1bb3 P |
78 | { |
79 | void *parent = drbg->parent; | |
714a1bb3 | 80 | |
f000e828 P |
81 | if (parent != NULL && drbg->parent_unlock != NULL) |
82 | drbg->parent_unlock(parent); | |
714a1bb3 P |
83 | } |
84 | ||
f000e828 | 85 | static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str) |
714a1bb3 P |
86 | { |
87 | OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; | |
714a1bb3 | 88 | void *parent = drbg->parent; |
f000e828 | 89 | int res; |
714a1bb3 | 90 | |
f000e828 P |
91 | if (drbg->parent_get_ctx_params == NULL) { |
92 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH); | |
714a1bb3 P |
93 | return 0; |
94 | } | |
f000e828 P |
95 | |
96 | *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str); | |
b24d6c33 | 97 | if (!ossl_drbg_lock_parent(drbg)) { |
f000e828 | 98 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT); |
714a1bb3 P |
99 | return 0; |
100 | } | |
f000e828 | 101 | res = drbg->parent_get_ctx_params(parent, params); |
b24d6c33 | 102 | ossl_drbg_unlock_parent(drbg); |
f000e828 P |
103 | if (!res) { |
104 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH); | |
714a1bb3 P |
105 | return 0; |
106 | } | |
714a1bb3 P |
107 | return 1; |
108 | } | |
109 | ||
110 | static unsigned int get_parent_reseed_count(PROV_DRBG *drbg) | |
111 | { | |
112 | OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; | |
714a1bb3 | 113 | void *parent = drbg->parent; |
08edd447 | 114 | unsigned int r = 0; |
714a1bb3 | 115 | |
b0614f0a | 116 | *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r); |
b24d6c33 | 117 | if (!ossl_drbg_lock_parent(drbg)) { |
f000e828 | 118 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT); |
714a1bb3 P |
119 | goto err; |
120 | } | |
08edd447 P |
121 | if (!drbg->parent_get_ctx_params(parent, params)) |
122 | r = 0; | |
b24d6c33 | 123 | ossl_drbg_unlock_parent(drbg); |
714a1bb3 P |
124 | return r; |
125 | ||
126 | err: | |
f000e828 | 127 | r = tsan_load(&drbg->reseed_counter) - 2; |
714a1bb3 P |
128 | if (r == 0) |
129 | r = UINT_MAX; | |
130 | return r; | |
131 | } | |
132 | ||
714a1bb3 | 133 | /* |
4f14a378 | 134 | * Implements the get_entropy() callback |
714a1bb3 P |
135 | * |
136 | * If the DRBG has a parent, then the required amount of entropy input | |
7d6766cb | 137 | * is fetched using the parent's ossl_prov_drbg_generate(). |
714a1bb3 P |
138 | * |
139 | * Otherwise, the entropy is polled from the system entropy sources | |
1dc188ba | 140 | * using ossl_pool_acquire_entropy(). |
714a1bb3 P |
141 | * |
142 | * If a random pool has been added to the DRBG using RAND_add(), then | |
143 | * its entropy will be used up first. | |
144 | */ | |
335e85f5 P |
145 | size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout, |
146 | int entropy, size_t min_len, | |
147 | size_t max_len, int prediction_resistance, | |
148 | const unsigned char *adin, size_t adin_len) | |
714a1bb3 | 149 | { |
335e85f5 P |
150 | PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; |
151 | size_t bytes_needed; | |
08edd447 | 152 | unsigned char *buffer; |
714a1bb3 | 153 | |
08edd447 P |
154 | /* Figure out how many bytes we need */ |
155 | bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0; | |
156 | if (bytes_needed < min_len) | |
157 | bytes_needed = min_len; | |
158 | if (bytes_needed > max_len) | |
159 | bytes_needed = max_len; | |
714a1bb3 | 160 | |
08edd447 P |
161 | /* Allocate storage */ |
162 | buffer = OPENSSL_secure_malloc(bytes_needed); | |
e077455e | 163 | if (buffer == NULL) |
08edd447 | 164 | return 0; |
714a1bb3 | 165 | |
08edd447 | 166 | /* |
335e85f5 | 167 | * Get random data. Include our DRBG address as |
08edd447 P |
168 | * additional input, in order to provide a distinction between |
169 | * different DRBG child instances. | |
170 | * | |
171 | * Note: using the sizeof() operator on a pointer triggers | |
172 | * a warning in some static code analyzers, but it's | |
173 | * intentional and correct here. | |
174 | */ | |
335e85f5 P |
175 | if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed, |
176 | drbg->strength, prediction_resistance, | |
177 | (unsigned char *)&drbg, sizeof(drbg))) { | |
08edd447 P |
178 | OPENSSL_secure_clear_free(buffer, bytes_needed); |
179 | ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR); | |
180 | return 0; | |
714a1bb3 | 181 | } |
08edd447 P |
182 | *pout = buffer; |
183 | return bytes_needed; | |
714a1bb3 P |
184 | } |
185 | ||
335e85f5 P |
186 | /* Implements the cleanup_entropy() callback */ |
187 | void ossl_drbg_clear_seed(ossl_unused void *vdrbg, | |
188 | unsigned char *out, size_t outlen) | |
714a1bb3 | 189 | { |
08edd447 | 190 | OPENSSL_secure_clear_free(out, outlen); |
714a1bb3 | 191 | } |
f000e828 P |
192 | |
193 | static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy, | |
194 | size_t min_len, size_t max_len, | |
195 | int prediction_resistance) | |
196 | { | |
335e85f5 P |
197 | size_t bytes; |
198 | unsigned int p_str; | |
199 | ||
f000e828 | 200 | if (drbg->parent == NULL) |
08edd447 | 201 | #ifdef FIPS_MODULE |
1dc188ba | 202 | return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len, |
f000e828 | 203 | prediction_resistance); |
08edd447 P |
204 | #else |
205 | return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len, | |
206 | max_len); | |
f000e828 P |
207 | #endif |
208 | ||
335e85f5 P |
209 | if (drbg->parent_get_seed == NULL) { |
210 | ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED); | |
211 | return 0; | |
212 | } | |
213 | if (!get_parent_strength(drbg, &p_str)) | |
214 | return 0; | |
215 | if (drbg->strength > p_str) { | |
216 | /* | |
217 | * We currently don't support the algorithm from NIST SP 800-90C | |
218 | * 10.1.2 to use a weaker DRBG as source | |
219 | */ | |
220 | ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK); | |
221 | return 0; | |
222 | } | |
223 | ||
224 | /* | |
225 | * Our lock is already held, but we need to lock our parent before | |
226 | * generating bits from it. Note: taking the lock will be a no-op | |
227 | * if locking is not required (while drbg->parent->lock == NULL). | |
228 | */ | |
229 | if (!ossl_drbg_lock_parent(drbg)) | |
230 | return 0; | |
231 | /* | |
232 | * Get random data from parent. Include our DRBG address as | |
233 | * additional input, in order to provide a distinction between | |
234 | * different DRBG child instances. | |
235 | * | |
236 | * Note: using the sizeof() operator on a pointer triggers | |
237 | * a warning in some static code analyzers, but it's | |
238 | * intentional and correct here. | |
239 | */ | |
240 | bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength, | |
241 | min_len, max_len, prediction_resistance, | |
242 | (unsigned char *)&drbg, sizeof(drbg)); | |
243 | ossl_drbg_unlock_parent(drbg); | |
244 | return bytes; | |
f000e828 P |
245 | } |
246 | ||
247 | static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen) | |
248 | { | |
08edd447 | 249 | if (drbg->parent == NULL) { |
f000e828 | 250 | #ifdef FIPS_MODULE |
1dc188ba | 251 | ossl_crngt_cleanup_entropy(drbg, out, outlen); |
08edd447 P |
252 | #else |
253 | ossl_prov_cleanup_entropy(drbg->provctx, out, outlen); | |
714a1bb3 | 254 | #endif |
335e85f5 P |
255 | } else if (drbg->parent_clear_seed != NULL) { |
256 | if (!ossl_drbg_lock_parent(drbg)) | |
257 | return; | |
6d45fd47 | 258 | drbg->parent_clear_seed(drbg->parent, out, outlen); |
335e85f5 | 259 | ossl_drbg_unlock_parent(drbg); |
08edd447 | 260 | } |
f000e828 | 261 | } |
714a1bb3 P |
262 | |
263 | #ifndef PROV_RAND_GET_RANDOM_NONCE | |
264 | typedef struct prov_drbg_nonce_global_st { | |
265 | CRYPTO_RWLOCK *rand_nonce_lock; | |
266 | int rand_nonce_count; | |
267 | } PROV_DRBG_NONCE_GLOBAL; | |
268 | ||
269 | /* | |
270 | * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce() | |
b4250010 | 271 | * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since |
714a1bb3 P |
272 | * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock |
273 | * to be in a different global data object. Otherwise we will go into an | |
274 | * infinite recursion loop. | |
275 | */ | |
927d0566 | 276 | void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx) |
714a1bb3 P |
277 | { |
278 | PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl)); | |
279 | ||
280 | if (dngbl == NULL) | |
281 | return NULL; | |
282 | ||
283 | dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new(); | |
284 | if (dngbl->rand_nonce_lock == NULL) { | |
285 | OPENSSL_free(dngbl); | |
286 | return NULL; | |
287 | } | |
288 | ||
289 | return dngbl; | |
290 | } | |
291 | ||
927d0566 | 292 | void ossl_prov_drbg_nonce_ctx_free(void *vdngbl) |
714a1bb3 P |
293 | { |
294 | PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl; | |
295 | ||
296 | if (dngbl == NULL) | |
297 | return; | |
298 | ||
299 | CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock); | |
300 | ||
301 | OPENSSL_free(dngbl); | |
302 | } | |
303 | ||
714a1bb3 | 304 | /* Get a nonce from the operating system */ |
08edd447 P |
305 | static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout, |
306 | size_t min_len, size_t max_len) | |
714a1bb3 | 307 | { |
f000e828 | 308 | size_t ret = 0, n; |
f000e828 | 309 | unsigned char *buf = NULL; |
08edd447 | 310 | OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx); |
714a1bb3 | 311 | PROV_DRBG_NONCE_GLOBAL *dngbl |
927d0566 | 312 | = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX); |
714a1bb3 | 313 | struct { |
08edd447 | 314 | void *drbg; |
714a1bb3 P |
315 | int count; |
316 | } data; | |
08edd447 | 317 | |
714a1bb3 P |
318 | if (dngbl == NULL) |
319 | return 0; | |
320 | ||
08edd447 P |
321 | if (drbg->parent != NULL && drbg->parent_nonce != NULL) { |
322 | n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen, | |
323 | drbg->max_noncelen); | |
324 | if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) { | |
325 | ret = drbg->parent_nonce(drbg->parent, buf, 0, | |
326 | drbg->min_noncelen, drbg->max_noncelen); | |
327 | if (ret == n) { | |
328 | *pout = buf; | |
329 | return ret; | |
f000e828 | 330 | } |
08edd447 | 331 | OPENSSL_free(buf); |
f000e828 P |
332 | } |
333 | } | |
334 | ||
08edd447 | 335 | /* Use the built in nonce source plus some of our specifics */ |
714a1bb3 | 336 | memset(&data, 0, sizeof(data)); |
08edd447 | 337 | data.drbg = drbg; |
7efc073d TM |
338 | if (!CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count, |
339 | dngbl->rand_nonce_lock)) | |
340 | return 0; | |
08edd447 P |
341 | return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len, |
342 | &data, sizeof(data)); | |
714a1bb3 | 343 | } |
f000e828 | 344 | #endif /* PROV_RAND_GET_RANDOM_NONCE */ |
714a1bb3 P |
345 | |
346 | /* | |
347 | * Instantiate |drbg|, after it has been initialized. Use |pers| and | |
348 | * |perslen| as prediction-resistance input. | |
349 | * | |
350 | * Requires that drbg->lock is already locked for write, if non-null. | |
351 | * | |
352 | * Returns 1 on success, 0 on failure. | |
353 | */ | |
7d6766cb P |
354 | int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, |
355 | int prediction_resistance, | |
356 | const unsigned char *pers, size_t perslen) | |
714a1bb3 P |
357 | { |
358 | unsigned char *nonce = NULL, *entropy = NULL; | |
359 | size_t noncelen = 0, entropylen = 0; | |
360 | size_t min_entropy, min_entropylen, max_entropylen; | |
714a1bb3 P |
361 | |
362 | if (strength > drbg->strength) { | |
6debc6ab | 363 | ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH); |
714a1bb3 P |
364 | goto end; |
365 | } | |
366 | min_entropy = drbg->strength; | |
367 | min_entropylen = drbg->min_entropylen; | |
368 | max_entropylen = drbg->max_entropylen; | |
369 | ||
370 | if (pers == NULL) { | |
371 | pers = (const unsigned char *)ossl_pers_string; | |
372 | perslen = sizeof(ossl_pers_string); | |
373 | } | |
374 | if (perslen > drbg->max_perslen) { | |
6debc6ab | 375 | ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG); |
714a1bb3 P |
376 | goto end; |
377 | } | |
378 | ||
f000e828 P |
379 | if (drbg->state != EVP_RAND_STATE_UNINITIALISED) { |
380 | if (drbg->state == EVP_RAND_STATE_ERROR) | |
6debc6ab | 381 | ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE); |
714a1bb3 | 382 | else |
6debc6ab | 383 | ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED); |
714a1bb3 P |
384 | goto end; |
385 | } | |
386 | ||
f000e828 | 387 | drbg->state = EVP_RAND_STATE_ERROR; |
714a1bb3 P |
388 | |
389 | if (drbg->min_noncelen > 0) { | |
f000e828 P |
390 | if (drbg->parent_nonce != NULL) { |
391 | noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength, | |
392 | drbg->min_noncelen, | |
393 | drbg->max_noncelen); | |
394 | if (noncelen == 0) { | |
6debc6ab | 395 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE); |
f000e828 P |
396 | goto end; |
397 | } | |
398 | nonce = OPENSSL_malloc(noncelen); | |
399 | if (nonce == NULL) { | |
6debc6ab | 400 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE); |
f000e828 P |
401 | goto end; |
402 | } | |
403 | if (noncelen != drbg->parent_nonce(drbg->parent, nonce, | |
404 | drbg->strength, | |
405 | drbg->min_noncelen, | |
406 | drbg->max_noncelen)) { | |
6debc6ab | 407 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE); |
c4d02214 | 408 | goto end; |
f000e828 | 409 | } |
714a1bb3 | 410 | #ifndef PROV_RAND_GET_RANDOM_NONCE |
f000e828 | 411 | } else if (drbg->parent != NULL) { |
714a1bb3 | 412 | #endif |
f000e828 P |
413 | /* |
414 | * NIST SP800-90Ar1 section 9.1 says you can combine getting | |
415 | * the entropy and nonce in 1 call by increasing the entropy | |
416 | * with 50% and increasing the minimum length to accommodate | |
417 | * the length of the nonce. We do this in case a nonce is | |
418 | * required and there is no parental nonce capability. | |
419 | */ | |
420 | min_entropy += drbg->strength / 2; | |
421 | min_entropylen += drbg->min_noncelen; | |
422 | max_entropylen += drbg->max_noncelen; | |
714a1bb3 P |
423 | } |
424 | #ifndef PROV_RAND_GET_RANDOM_NONCE | |
425 | else { /* parent == NULL */ | |
08edd447 | 426 | noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen, |
714a1bb3 P |
427 | drbg->max_noncelen); |
428 | if (noncelen < drbg->min_noncelen | |
429 | || noncelen > drbg->max_noncelen) { | |
6debc6ab | 430 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE); |
714a1bb3 P |
431 | goto end; |
432 | } | |
433 | } | |
434 | #endif | |
435 | } | |
436 | ||
f000e828 | 437 | drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter); |
714a1bb3 P |
438 | if (drbg->reseed_next_counter) { |
439 | drbg->reseed_next_counter++; | |
f000e828 | 440 | if (!drbg->reseed_next_counter) |
714a1bb3 P |
441 | drbg->reseed_next_counter = 1; |
442 | } | |
443 | ||
444 | entropylen = get_entropy(drbg, &entropy, min_entropy, | |
445 | min_entropylen, max_entropylen, | |
446 | prediction_resistance); | |
447 | if (entropylen < min_entropylen | |
448 | || entropylen > max_entropylen) { | |
6debc6ab | 449 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY); |
714a1bb3 P |
450 | goto end; |
451 | } | |
452 | ||
f000e828 P |
453 | if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen, |
454 | pers, perslen)) { | |
caf569a5 | 455 | cleanup_entropy(drbg, entropy, entropylen); |
6debc6ab | 456 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG); |
714a1bb3 P |
457 | goto end; |
458 | } | |
caf569a5 | 459 | cleanup_entropy(drbg, entropy, entropylen); |
714a1bb3 | 460 | |
f000e828 | 461 | drbg->state = EVP_RAND_STATE_READY; |
b0614f0a | 462 | drbg->generate_counter = 1; |
714a1bb3 | 463 | drbg->reseed_time = time(NULL); |
f000e828 | 464 | tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter); |
714a1bb3 P |
465 | |
466 | end: | |
08edd447 P |
467 | if (nonce != NULL) |
468 | ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen); | |
f000e828 | 469 | if (drbg->state == EVP_RAND_STATE_READY) |
714a1bb3 P |
470 | return 1; |
471 | return 0; | |
472 | } | |
473 | ||
f000e828 P |
474 | /* |
475 | * Uninstantiate |drbg|. Must be instantiated before it can be used. | |
476 | * | |
477 | * Requires that drbg->lock is already locked for write, if non-null. | |
478 | * | |
479 | * Returns 1 on success, 0 on failure. | |
480 | */ | |
7d6766cb | 481 | int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg) |
f000e828 P |
482 | { |
483 | drbg->state = EVP_RAND_STATE_UNINITIALISED; | |
484 | return 1; | |
485 | } | |
486 | ||
189ad3ab MC |
487 | static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg, |
488 | int prediction_resistance, | |
489 | const unsigned char *ent, | |
490 | size_t ent_len, | |
491 | const unsigned char *adin, | |
492 | size_t adinlen) | |
714a1bb3 P |
493 | { |
494 | unsigned char *entropy = NULL; | |
495 | size_t entropylen = 0; | |
496 | ||
aef30ad0 P |
497 | if (!ossl_prov_is_running()) |
498 | return 0; | |
499 | ||
f000e828 P |
500 | if (drbg->state != EVP_RAND_STATE_READY) { |
501 | /* try to recover from previous errors */ | |
502 | rand_drbg_restart(drbg); | |
503 | ||
504 | if (drbg->state == EVP_RAND_STATE_ERROR) { | |
6debc6ab | 505 | ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE); |
f000e828 P |
506 | return 0; |
507 | } | |
508 | if (drbg->state == EVP_RAND_STATE_UNINITIALISED) { | |
6debc6ab | 509 | ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED); |
f000e828 P |
510 | return 0; |
511 | } | |
714a1bb3 | 512 | } |
f000e828 P |
513 | |
514 | if (ent != NULL) { | |
515 | if (ent_len < drbg->min_entropylen) { | |
6debc6ab | 516 | ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE); |
f000e828 P |
517 | drbg->state = EVP_RAND_STATE_ERROR; |
518 | return 0; | |
519 | } | |
520 | if (ent_len > drbg->max_entropylen) { | |
6debc6ab | 521 | ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG); |
f000e828 P |
522 | drbg->state = EVP_RAND_STATE_ERROR; |
523 | return 0; | |
524 | } | |
714a1bb3 P |
525 | } |
526 | ||
527 | if (adin == NULL) { | |
528 | adinlen = 0; | |
529 | } else if (adinlen > drbg->max_adinlen) { | |
6debc6ab | 530 | ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG); |
714a1bb3 P |
531 | return 0; |
532 | } | |
533 | ||
f000e828 | 534 | drbg->state = EVP_RAND_STATE_ERROR; |
714a1bb3 | 535 | |
f000e828 | 536 | drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter); |
714a1bb3 P |
537 | if (drbg->reseed_next_counter) { |
538 | drbg->reseed_next_counter++; | |
f000e828 | 539 | if (!drbg->reseed_next_counter) |
714a1bb3 P |
540 | drbg->reseed_next_counter = 1; |
541 | } | |
542 | ||
f000e828 | 543 | if (ent != NULL) { |
1d30b0a4 | 544 | #ifdef FIPS_MODULE |
f000e828 P |
545 | /* |
546 | * NIST SP-800-90A mandates that entropy *shall not* be provided | |
547 | * by the consuming application. Instead the data is added as additional | |
548 | * input. | |
549 | * | |
550 | * (NIST SP-800-90Ar1, Sections 9.1 and 9.2) | |
551 | */ | |
552 | if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) { | |
553 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED); | |
554 | return 0; | |
555 | } | |
556 | #else | |
557 | if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) { | |
558 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED); | |
559 | return 0; | |
560 | } | |
561 | /* There isn't much point adding the same additional input twice */ | |
562 | adin = NULL; | |
563 | adinlen = 0; | |
564 | #endif | |
565 | } | |
566 | ||
567 | /* Reseed using our sources in addition */ | |
714a1bb3 P |
568 | entropylen = get_entropy(drbg, &entropy, drbg->strength, |
569 | drbg->min_entropylen, drbg->max_entropylen, | |
570 | prediction_resistance); | |
571 | if (entropylen < drbg->min_entropylen | |
572 | || entropylen > drbg->max_entropylen) { | |
6debc6ab | 573 | ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY); |
714a1bb3 P |
574 | goto end; |
575 | } | |
576 | ||
f000e828 | 577 | if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen)) |
714a1bb3 P |
578 | goto end; |
579 | ||
f000e828 | 580 | drbg->state = EVP_RAND_STATE_READY; |
b0614f0a | 581 | drbg->generate_counter = 1; |
714a1bb3 | 582 | drbg->reseed_time = time(NULL); |
f000e828 P |
583 | tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter); |
584 | if (drbg->parent != NULL) | |
585 | drbg->parent_reseed_counter = get_parent_reseed_count(drbg); | |
714a1bb3 P |
586 | |
587 | end: | |
f000e828 P |
588 | cleanup_entropy(drbg, entropy, entropylen); |
589 | if (drbg->state == EVP_RAND_STATE_READY) | |
714a1bb3 P |
590 | return 1; |
591 | return 0; | |
592 | } | |
593 | ||
189ad3ab MC |
594 | /* |
595 | * Reseed |drbg|, mixing in the specified data | |
596 | * | |
597 | * Acquires the drbg->lock for writing, if non-null. | |
598 | * | |
599 | * Returns 1 on success, 0 on failure. | |
600 | */ | |
601 | int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance, | |
602 | const unsigned char *ent, size_t ent_len, | |
603 | const unsigned char *adin, size_t adinlen) | |
604 | { | |
605 | int ret; | |
606 | ||
607 | if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock)) | |
608 | return 0; | |
609 | ||
610 | ret = ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, ent, | |
611 | ent_len, adin, adinlen); | |
612 | ||
613 | if (drbg->lock != NULL) | |
614 | CRYPTO_THREAD_unlock(drbg->lock); | |
615 | ||
616 | return ret; | |
617 | } | |
618 | ||
714a1bb3 P |
619 | /* |
620 | * Generate |outlen| bytes into the buffer at |out|. Reseed if we need | |
621 | * to or if |prediction_resistance| is set. Additional input can be | |
622 | * sent in |adin| and |adinlen|. | |
623 | * | |
189ad3ab | 624 | * Acquires the drbg->lock for writing if available |
714a1bb3 P |
625 | * |
626 | * Returns 1 on success, 0 on failure. | |
627 | * | |
628 | */ | |
7d6766cb P |
629 | int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen, |
630 | unsigned int strength, int prediction_resistance, | |
631 | const unsigned char *adin, size_t adinlen) | |
714a1bb3 P |
632 | { |
633 | int fork_id; | |
634 | int reseed_required = 0; | |
189ad3ab | 635 | int ret = 0; |
714a1bb3 | 636 | |
aef30ad0 P |
637 | if (!ossl_prov_is_running()) |
638 | return 0; | |
639 | ||
189ad3ab MC |
640 | if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock)) |
641 | return 0; | |
642 | ||
f000e828 P |
643 | if (drbg->state != EVP_RAND_STATE_READY) { |
644 | /* try to recover from previous errors */ | |
645 | rand_drbg_restart(drbg); | |
646 | ||
647 | if (drbg->state == EVP_RAND_STATE_ERROR) { | |
6debc6ab | 648 | ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE); |
189ad3ab | 649 | goto err; |
714a1bb3 | 650 | } |
f000e828 | 651 | if (drbg->state == EVP_RAND_STATE_UNINITIALISED) { |
6debc6ab | 652 | ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED); |
189ad3ab | 653 | goto err; |
714a1bb3 P |
654 | } |
655 | } | |
f000e828 | 656 | if (strength > drbg->strength) { |
6debc6ab | 657 | ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH); |
189ad3ab | 658 | goto err; |
f000e828 | 659 | } |
714a1bb3 P |
660 | |
661 | if (outlen > drbg->max_request) { | |
6debc6ab | 662 | ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG); |
189ad3ab | 663 | goto err; |
714a1bb3 P |
664 | } |
665 | if (adinlen > drbg->max_adinlen) { | |
6debc6ab | 666 | ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG); |
189ad3ab | 667 | goto err; |
714a1bb3 P |
668 | } |
669 | ||
670 | fork_id = openssl_get_fork_id(); | |
671 | ||
672 | if (drbg->fork_id != fork_id) { | |
673 | drbg->fork_id = fork_id; | |
674 | reseed_required = 1; | |
675 | } | |
676 | ||
677 | if (drbg->reseed_interval > 0) { | |
b0614f0a | 678 | if (drbg->generate_counter >= drbg->reseed_interval) |
714a1bb3 P |
679 | reseed_required = 1; |
680 | } | |
681 | if (drbg->reseed_time_interval > 0) { | |
682 | time_t now = time(NULL); | |
683 | if (now < drbg->reseed_time | |
684 | || now - drbg->reseed_time >= drbg->reseed_time_interval) | |
685 | reseed_required = 1; | |
686 | } | |
f000e828 P |
687 | if (drbg->parent != NULL |
688 | && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) | |
689 | reseed_required = 1; | |
714a1bb3 P |
690 | |
691 | if (reseed_required || prediction_resistance) { | |
189ad3ab MC |
692 | if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, |
693 | 0, adin, adinlen)) { | |
6debc6ab | 694 | ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR); |
189ad3ab | 695 | goto err; |
714a1bb3 P |
696 | } |
697 | adin = NULL; | |
698 | adinlen = 0; | |
699 | } | |
700 | ||
f000e828 P |
701 | if (!drbg->generate(drbg, out, outlen, adin, adinlen)) { |
702 | drbg->state = EVP_RAND_STATE_ERROR; | |
6debc6ab | 703 | ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR); |
189ad3ab | 704 | goto err; |
714a1bb3 P |
705 | } |
706 | ||
b0614f0a | 707 | drbg->generate_counter++; |
714a1bb3 | 708 | |
189ad3ab MC |
709 | ret = 1; |
710 | err: | |
711 | if (drbg->lock != NULL) | |
712 | CRYPTO_THREAD_unlock(drbg->lock); | |
713 | ||
714 | return ret; | |
714a1bb3 P |
715 | } |
716 | ||
714a1bb3 | 717 | /* |
f000e828 P |
718 | * Restart |drbg|, using the specified entropy or additional input |
719 | * | |
720 | * Tries its best to get the drbg instantiated by all means, | |
721 | * regardless of its current state. | |
722 | * | |
723 | * Optionally, a |buffer| of |len| random bytes can be passed, | |
724 | * which is assumed to contain at least |entropy| bits of entropy. | |
725 | * | |
726 | * If |entropy| > 0, the buffer content is used as entropy input. | |
727 | * | |
728 | * If |entropy| == 0, the buffer content is used as additional input | |
729 | * | |
730 | * Returns 1 on success, 0 on failure. | |
731 | * | |
732 | * This function is used internally only. | |
714a1bb3 | 733 | */ |
f000e828 | 734 | static int rand_drbg_restart(PROV_DRBG *drbg) |
714a1bb3 | 735 | { |
f000e828 P |
736 | /* repair error state */ |
737 | if (drbg->state == EVP_RAND_STATE_ERROR) | |
738 | drbg->uninstantiate(drbg); | |
739 | ||
740 | /* repair uninitialized state */ | |
741 | if (drbg->state == EVP_RAND_STATE_UNINITIALISED) | |
742 | /* reinstantiate drbg */ | |
7d6766cb | 743 | ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0); |
714a1bb3 | 744 | |
f000e828 | 745 | return drbg->state == EVP_RAND_STATE_READY; |
714a1bb3 | 746 | } |
714a1bb3 P |
747 | |
748 | /* Provider support from here down */ | |
749 | static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch, | |
750 | int function) | |
751 | { | |
752 | if (dispatch != NULL) | |
f000e828 | 753 | while (dispatch->function_id != 0) { |
714a1bb3 P |
754 | if (dispatch->function_id == function) |
755 | return dispatch; | |
f000e828 P |
756 | dispatch++; |
757 | } | |
714a1bb3 P |
758 | return NULL; |
759 | } | |
760 | ||
b24d6c33 | 761 | int ossl_drbg_enable_locking(void *vctx) |
714a1bb3 P |
762 | { |
763 | PROV_DRBG *drbg = vctx; | |
714a1bb3 | 764 | |
f000e828 P |
765 | if (drbg != NULL && drbg->lock == NULL) { |
766 | if (drbg->parent_enable_locking != NULL) | |
767 | if (!drbg->parent_enable_locking(drbg->parent)) { | |
768 | ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED); | |
714a1bb3 P |
769 | return 0; |
770 | } | |
771 | drbg->lock = CRYPTO_THREAD_lock_new(); | |
772 | if (drbg->lock == NULL) { | |
f000e828 | 773 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK); |
714a1bb3 P |
774 | return 0; |
775 | } | |
776 | } | |
777 | return 1; | |
778 | } | |
779 | ||
780 | /* | |
781 | * Allocate memory and initialize a new DRBG. The DRBG is allocated on | |
782 | * the secure heap if |secure| is nonzero and the secure heap is enabled. | |
783 | * The |parent|, if not NULL, will be used as random source for reseeding. | |
784 | * This also requires the parent's provider context and the parent's lock. | |
785 | * | |
786 | * Returns a pointer to the new DRBG instance on success, NULL on failure. | |
787 | */ | |
1dc188ba | 788 | PROV_DRBG *ossl_rand_drbg_new |
f000e828 P |
789 | (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch, |
790 | int (*dnew)(PROV_DRBG *ctx), | |
791 | int (*instantiate)(PROV_DRBG *drbg, | |
792 | const unsigned char *entropy, size_t entropylen, | |
793 | const unsigned char *nonce, size_t noncelen, | |
794 | const unsigned char *pers, size_t perslen), | |
795 | int (*uninstantiate)(PROV_DRBG *ctx), | |
796 | int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len, | |
797 | const unsigned char *adin, size_t adin_len), | |
798 | int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen, | |
799 | const unsigned char *adin, size_t adin_len)) | |
714a1bb3 | 800 | { |
aef30ad0 | 801 | PROV_DRBG *drbg; |
f000e828 P |
802 | unsigned int p_str; |
803 | const OSSL_DISPATCH *pfunc; | |
714a1bb3 | 804 | |
aef30ad0 P |
805 | if (!ossl_prov_is_running()) |
806 | return NULL; | |
807 | ||
808 | drbg = OPENSSL_zalloc(sizeof(*drbg)); | |
e077455e | 809 | if (drbg == NULL) |
714a1bb3 | 810 | return NULL; |
714a1bb3 | 811 | |
f000e828 P |
812 | drbg->provctx = provctx; |
813 | drbg->instantiate = instantiate; | |
814 | drbg->uninstantiate = uninstantiate; | |
815 | drbg->reseed = reseed; | |
816 | drbg->generate = generate; | |
817 | drbg->fork_id = openssl_get_fork_id(); | |
818 | ||
819 | /* Extract parent's functions */ | |
714a1bb3 | 820 | drbg->parent = parent; |
f000e828 | 821 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL) |
363b1e5d | 822 | drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc); |
f000e828 | 823 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL) |
363b1e5d | 824 | drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc); |
f000e828 | 825 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL) |
363b1e5d | 826 | drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc); |
f000e828 | 827 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL) |
363b1e5d | 828 | drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc); |
f000e828 | 829 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL) |
363b1e5d | 830 | drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc); |
335e85f5 P |
831 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL) |
832 | drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc); | |
833 | if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL) | |
834 | drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc); | |
714a1bb3 P |
835 | |
836 | /* Set some default maximums up */ | |
837 | drbg->max_entropylen = DRBG_MAX_LENGTH; | |
838 | drbg->max_noncelen = DRBG_MAX_LENGTH; | |
839 | drbg->max_perslen = DRBG_MAX_LENGTH; | |
840 | drbg->max_adinlen = DRBG_MAX_LENGTH; | |
b0614f0a | 841 | drbg->generate_counter = 1; |
f000e828 P |
842 | drbg->reseed_counter = 1; |
843 | drbg->reseed_interval = RESEED_INTERVAL; | |
844 | drbg->reseed_time_interval = TIME_INTERVAL; | |
714a1bb3 | 845 | |
f000e828 | 846 | if (!dnew(drbg)) |
714a1bb3 P |
847 | goto err; |
848 | ||
849 | if (parent != NULL) { | |
850 | if (!get_parent_strength(drbg, &p_str)) | |
851 | goto err; | |
852 | if (drbg->strength > p_str) { | |
853 | /* | |
854 | * We currently don't support the algorithm from NIST SP 800-90C | |
855 | * 10.1.2 to use a weaker DRBG as source | |
856 | */ | |
f000e828 | 857 | ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK); |
714a1bb3 P |
858 | goto err; |
859 | } | |
860 | } | |
8ff861dc P |
861 | #ifdef TSAN_REQUIRES_LOCKING |
862 | if (!ossl_drbg_enable_locking(drbg)) | |
863 | goto err; | |
864 | #endif | |
714a1bb3 P |
865 | return drbg; |
866 | ||
867 | err: | |
1dc188ba | 868 | ossl_rand_drbg_free(drbg); |
714a1bb3 P |
869 | return NULL; |
870 | } | |
871 | ||
1dc188ba | 872 | void ossl_rand_drbg_free(PROV_DRBG *drbg) |
714a1bb3 P |
873 | { |
874 | if (drbg == NULL) | |
875 | return; | |
876 | ||
714a1bb3 | 877 | CRYPTO_THREAD_lock_free(drbg->lock); |
f000e828 | 878 | OPENSSL_free(drbg); |
714a1bb3 P |
879 | } |
880 | ||
189ad3ab MC |
881 | /* |
882 | * Helper function called by internal DRBG implementations. Assumes that at | |
883 | * least a read lock has been taken on drbg->lock | |
884 | */ | |
b24d6c33 | 885 | int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]) |
714a1bb3 P |
886 | { |
887 | OSSL_PARAM *p; | |
888 | ||
f000e828 | 889 | p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE); |
714a1bb3 P |
890 | if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state)) |
891 | return 0; | |
892 | ||
893 | p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); | |
894 | if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength)) | |
895 | return 0; | |
896 | ||
f000e828 | 897 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN); |
714a1bb3 P |
898 | if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen)) |
899 | return 0; | |
900 | ||
f000e828 | 901 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN); |
714a1bb3 P |
902 | if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen)) |
903 | return 0; | |
904 | ||
f000e828 | 905 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN); |
714a1bb3 P |
906 | if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen)) |
907 | return 0; | |
908 | ||
f000e828 | 909 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN); |
714a1bb3 P |
910 | if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen)) |
911 | return 0; | |
912 | ||
f000e828 | 913 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN); |
714a1bb3 P |
914 | if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen)) |
915 | return 0; | |
916 | ||
f000e828 | 917 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN); |
714a1bb3 P |
918 | if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen)) |
919 | return 0; | |
920 | ||
f000e828 P |
921 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS); |
922 | if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval)) | |
714a1bb3 P |
923 | return 0; |
924 | ||
f000e828 P |
925 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME); |
926 | if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time)) | |
714a1bb3 P |
927 | return 0; |
928 | ||
f000e828 | 929 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL); |
714a1bb3 P |
930 | if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval)) |
931 | return 0; | |
932 | ||
61f11cad MC |
933 | return 1; |
934 | } | |
935 | ||
936 | /* | |
937 | * Helper function to get certain params that require no lock to obtain. Sets | |
938 | * *complete to 1 if all the params were processed, or 0 otherwise | |
939 | */ | |
940 | int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[], | |
941 | int *complete) | |
942 | { | |
943 | size_t cnt = 0; | |
944 | OSSL_PARAM *p; | |
945 | ||
946 | /* This value never changes once set */ | |
947 | p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); | |
948 | if (p != NULL) { | |
949 | if (!OSSL_PARAM_set_size_t(p, drbg->max_request)) | |
950 | return 0; | |
951 | cnt++; | |
952 | } | |
953 | ||
954 | /* | |
955 | * Can be changed by multiple threads, but we tolerate inaccuracies in this | |
956 | * value. | |
957 | */ | |
b0614f0a | 958 | p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER); |
61f11cad MC |
959 | if (p != NULL) { |
960 | if (!OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter))) | |
961 | return 0; | |
962 | cnt++; | |
963 | } | |
964 | ||
965 | if (params[cnt].key == NULL) | |
966 | *complete = 1; | |
967 | else | |
968 | *complete = 0; | |
969 | ||
714a1bb3 P |
970 | return 1; |
971 | } | |
972 | ||
b24d6c33 | 973 | int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]) |
714a1bb3 P |
974 | { |
975 | const OSSL_PARAM *p; | |
976 | ||
20b8dc6f P |
977 | if (params == NULL) |
978 | return 1; | |
979 | ||
f000e828 | 980 | p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS); |
714a1bb3 P |
981 | if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval)) |
982 | return 0; | |
983 | ||
f000e828 | 984 | p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL); |
714a1bb3 P |
985 | if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval)) |
986 | return 0; | |
987 | return 1; | |
988 | } | |
f553c0f0 P |
989 | |
990 | /* Confirm digest is allowed to be used with a DRBG */ | |
991 | int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md) | |
992 | { | |
993 | #ifdef FIPS_MODULE | |
994 | /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */ | |
995 | static const char *const allowed_digests[] = { | |
996 | "SHA1", /* SHA 1 allowed */ | |
997 | "SHA2-256", "SHA2-512", /* non-truncated SHA2 allowed */ | |
998 | "SHA3-256", "SHA3-512", /* non-truncated SHA3 allowed */ | |
999 | }; | |
1000 | size_t i; | |
f553c0f0 P |
1001 | |
1002 | if (FIPS_restricted_drbg_digests_enabled(libctx)) { | |
1003 | for (i = 0; i < OSSL_NELEM(allowed_digests); i++) | |
1004 | if (EVP_MD_is_a(md, allowed_digests[i])) | |
1005 | return 1; | |
1006 | ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); | |
1007 | return 0; | |
1008 | } | |
1009 | #endif | |
1010 | /* Outside of FIPS, any digests that are not XOF are allowed */ | |
1011 | if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { | |
1012 | ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); | |
1013 | return 0; | |
1014 | } | |
1015 | return 1; | |
1016 | } |