Commit | Line | Data |
---|---|---|
714a1bb3 | 1 | /* |
da1c088f | 2 | * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. |
714a1bb3 P |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #ifndef OSSL_CRYPTO_PROV_LOCAL_H | |
11 | # define OSSL_CRYPTO_PROV_LOCAL_H | |
12 | ||
13 | # include <openssl/evp.h> | |
363b1e5d | 14 | # include <openssl/core_dispatch.h> |
714a1bb3 P |
15 | # include <openssl/core_names.h> |
16 | # include <openssl/params.h> | |
17 | # include "internal/tsan_assist.h" | |
f000e828 | 18 | # include "internal/nelem.h" |
714a1bb3 | 19 | # include "internal/numbers.h" |
08edd447 | 20 | # include "prov/provider_ctx.h" |
714a1bb3 P |
21 | |
22 | /* How many times to read the TSC as a randomness source. */ | |
23 | # define TSC_READ_COUNT 4 | |
24 | ||
25 | /* Maximum reseed intervals */ | |
26 | # define MAX_RESEED_INTERVAL (1 << 24) | |
27 | # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ | |
28 | ||
29 | /* Default reseed intervals */ | |
f000e828 P |
30 | # define RESEED_INTERVAL (1 << 8) |
31 | # define TIME_INTERVAL (60*60) /* 1 hour */ | |
714a1bb3 P |
32 | |
33 | /* | |
34 | * The number of bytes that constitutes an atomic lump of entropy with respect | |
35 | * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat | |
36 | * arbitrary, the smaller the value, the less entropy is consumed on first | |
37 | * read but the higher the probability of the test failing by accident. | |
38 | * | |
39 | * The value is in bytes. | |
40 | */ | |
41 | #define CRNGT_BUFSIZ 16 | |
42 | ||
43 | /* | |
44 | * Maximum input size for the DRBG (entropy, nonce, personalization string) | |
45 | * | |
46 | * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. | |
47 | * | |
48 | * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. | |
49 | */ | |
50 | # define DRBG_MAX_LENGTH INT32_MAX | |
51 | ||
52 | /* The default personalization string (the macro below is a "pers" string, not a nonce); it is a fixed, public constant */ | |
44e47328 TS |
53 | /* ASCII: "OpenSSL NIST SP 800-90A DRBG", in hex for EBCDIC compatibility */ |
54 | #define DRBG_DEFAULT_PERS_STRING "\x4f\x70\x65\x6e\x53\x53\x4c\x20\x4e\x49\x53\x54\x20\x53\x50\x20\x38\x30\x30\x2d\x39\x30\x41\x20\x44\x52\x42\x47" | |
714a1bb3 P |
55 | |
56 | typedef struct prov_drbg_st PROV_DRBG; | |
57 | ||
58 | /* DRBG status values, stored in the 'state' member of struct prov_drbg_st. DRBG_UNINITIALISED is the first enumerator and therefore 0, so a zero-filled PROV_DRBG never reads as DRBG_READY. */ | |
59 | typedef enum drbg_status_e { | |
60 | DRBG_UNINITIALISED, | |
61 | DRBG_READY, | |
62 | DRBG_ERROR | |
63 | } DRBG_STATUS; | |
64 | ||
65 | /* | |
f000e828 | 66 | * The state of all types of DRBGs. |
714a1bb3 P |
67 | */ |
68 | struct prov_drbg_st { | |
69 | CRYPTO_RWLOCK *lock; /* NOTE(review): presumably taken through ossl_drbg_lock()/ossl_drbg_unlock() declared later in this header - confirm which members it guards */ | |
08edd447 | 70 | PROV_CTX *provctx; |
f000e828 P |
71 | |
72 | /* Virtual functions are cached here */ | |
73 | int (*instantiate)(PROV_DRBG *drbg, | |
74 | const unsigned char *entropy, size_t entropylen, | |
75 | const unsigned char *nonce, size_t noncelen, | |
76 | const unsigned char *pers, size_t perslen); | |
77 | int (*uninstantiate)(PROV_DRBG *ctx); | |
78 | int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len, | |
79 | const unsigned char *adin, size_t adin_len); | |
80 | int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen, | |
81 | const unsigned char *adin, size_t adin_len); | |
82 | ||
83 | /* Parent PROV_RAND and its dispatch table functions */ | |
714a1bb3 | 84 | void *parent; |
363b1e5d DMSP |
85 | OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking; |
86 | OSSL_FUNC_rand_lock_fn *parent_lock; | |
87 | OSSL_FUNC_rand_unlock_fn *parent_unlock; | |
88 | OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params; | |
363b1e5d | 89 | OSSL_FUNC_rand_nonce_fn *parent_nonce; |
335e85f5 P |
90 | OSSL_FUNC_rand_get_seed_fn *parent_get_seed; |
91 | OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed; | |
f000e828 | 92 | |
714a1bb3 | 93 | const OSSL_DISPATCH *parent_dispatch; |
f000e828 | 94 | |
714a1bb3 P |
95 | /* |
96 | * Stores the return value of openssl_get_fork_id() as of when we last | |
97 | * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != | |
98 | * openssl_get_fork_id(). Used to provide fork-safety and reseed this | |
99 | * DRBG in the child process. | |
100 | */ | |
101 | int fork_id; | |
102 | unsigned short flags; /* various external flags */ | |
103 | ||
714a1bb3 P |
104 | /* |
105 | * The following parameters are setup by the per-type "init" function. | |
106 | * | |
107 | * The supported types and their init functions are: | |
108 | * (1) CTR_DRBG: drbg_ctr_init(). | |
109 | * (2) HMAC_DRBG: drbg_hmac_init(). | |
110 | * (3) HASH_DRBG: drbg_hash_init(). | |
111 | * | |
112 | * The parameters are closely related to the ones described in | |
113 | * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one | |
114 | * crucial difference: In the NIST standard, all counts are given | |
115 | * in bits, whereas in OpenSSL entropy counts are given in bits | |
116 | * and buffer lengths are given in bytes. | |
117 | * | |
118 | * Since this difference has led to some confusion in the past, | |
119 | * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) | |
120 | * the 'len' suffix has been added to all buffer sizes for | |
121 | * clarification. | |
122 | */ | |
123 | ||
f000e828 | 124 | unsigned int strength; /* NOTE(review): presumably a security strength in bits, following the bits-for-entropy convention above - confirm */ |
714a1bb3 P |
125 | size_t max_request; |
126 | size_t min_entropylen, max_entropylen; | |
127 | size_t min_noncelen, max_noncelen; | |
128 | size_t max_perslen, max_adinlen; | |
129 | ||
130 | /* | |
131 | * Counts the number of generate requests since the last reseed | |
132 | * (Starts at 1). This value is the reseed_counter as defined in | |
133 | * NIST SP 800-90Ar1 | |
134 | */ | |
b0614f0a | 135 | unsigned int generate_counter; |
714a1bb3 P |
136 | /* |
137 | * Maximum number of generate requests until a reseed is required. | |
138 | * This value is ignored if it is zero. | |
139 | */ | |
140 | unsigned int reseed_interval; | |
141 | /* Stores the time when the last reseeding occurred */ | |
142 | time_t reseed_time; | |
143 | /* | |
144 | * Specifies the maximum time interval (in seconds) between reseeds. | |
145 | * This value is ignored if it is zero. | |
146 | */ | |
147 | time_t reseed_time_interval; | |
148 | /* | |
149 | * Counts the number of reseeds since instantiation. | |
150 | * This value is ignored if it is zero. | |
151 | * | |
152 | * This counter is used only for seed propagation from the <master> DRBG | |
153 | * to its two children, the <public> and <private> DRBG. This feature is | |
154 | * very special and its sole purpose is to ensure that any randomness which | |
155 | * is added by PROV_add() or PROV_seed() will have an immediate effect on | |
156 | * the output of PROV_bytes() resp. PROV_priv_bytes(). | |
157 | * NOTE(review): PROV_add(), PROV_seed(), PROV_bytes() and PROV_priv_bytes() are not declared in this header; confirm the intended function names. */ | |
f000e828 | 158 | TSAN_QUALIFIER unsigned int reseed_counter; /* NOTE(review): the TSAN_QUALIFIER (internal/tsan_assist.h) suggests this counter is accessed without holding 'lock' - confirm */ |
714a1bb3 | 159 | unsigned int reseed_next_counter; |
f000e828 | 160 | unsigned int parent_reseed_counter; |
714a1bb3 P |
161 | |
162 | size_t seedlen; /* a buffer size, so in bytes per the 'len' suffix convention described above */ | |
163 | DRBG_STATUS state; | |
164 | ||
f000e828 | 165 | /* DRBG specific data; NOTE(review): presumably the mechanism's working state, i.e. secret material - confirm it is zeroized before it is released */ |
714a1bb3 P |
166 | void *data; |
167 | ||
f000e828 P |
168 | /* Entropy and nonce gathering callbacks */ |
169 | void *callback_arg; | |
170 | OSSL_INOUT_CALLBACK *get_entropy_fn; | |
171 | OSSL_CALLBACK *cleanup_entropy_fn; | |
172 | OSSL_INOUT_CALLBACK *get_nonce_fn; | |
173 | OSSL_CALLBACK *cleanup_nonce_fn; | |
714a1bb3 P |
174 | }; |
175 | ||
1dc188ba | 176 | PROV_DRBG *ossl_rand_drbg_new |
f000e828 P |
177 | (void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch, |
178 | int (*dnew)(PROV_DRBG *ctx), | |
cb4f7a6e | 179 | void (*dfree)(void *vctx), |
f000e828 P |
180 | int (*instantiate)(PROV_DRBG *drbg, |
181 | const unsigned char *entropy, size_t entropylen, | |
182 | const unsigned char *nonce, size_t noncelen, | |
183 | const unsigned char *pers, size_t perslen), | |
184 | int (*uninstantiate)(PROV_DRBG *ctx), | |
185 | int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len, | |
186 | const unsigned char *adin, size_t adin_len), | |
187 | int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen, | |
188 | const unsigned char *adin, size_t adin_len)); | |
1dc188ba | 189 | void ossl_rand_drbg_free(PROV_DRBG *drbg); |
f000e828 | 190 | |
7d6766cb P |
191 | int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, |
192 | int prediction_resistance, | |
193 | const unsigned char *pers, size_t perslen); | |
f000e828 | 194 | |
7d6766cb | 195 | int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg); |
714a1bb3 | 196 | |
7d6766cb P |
197 | int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance, |
198 | const unsigned char *ent, size_t ent_len, | |
199 | const unsigned char *adin, size_t adinlen); | |
714a1bb3 | 200 | |
7d6766cb P |
201 | int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen, |
202 | unsigned int strength, int prediction_resistance, | |
203 | const unsigned char *adin, size_t adinlen); | |
f000e828 | 204 | |
335e85f5 P |
205 | /* Seeding api */ |
206 | OSSL_FUNC_rand_get_seed_fn ossl_drbg_get_seed; | |
207 | OSSL_FUNC_rand_clear_seed_fn ossl_drbg_clear_seed; | |
208 | ||
f000e828 | 209 | /* Verify that an array of numeric values is all zero. On the first non-zero element this jumps to an "err" label, which the calling function must define. The element count comes from OSSL_NELEM(v), so (v) must be an actual array and not a pointer. Expands to a bare { } block that declares its own "i". */ |
10fe5e29 | 210 | #define PROV_DRBG_VERIFY_ZEROIZATION(v) \ |
f000e828 P |
211 | { \ |
212 | size_t i; \ | |
213 | \ | |
214 | for (i = 0; i < OSSL_NELEM(v); i++) \ | |
215 | if ((v)[i] != 0) \ | |
189ad3ab | 216 | goto err; \ |
f000e828 | 217 | }
714a1bb3 P |
218 | |
219 | /* locking api */ | |
b24d6c33 P |
220 | OSSL_FUNC_rand_enable_locking_fn ossl_drbg_enable_locking; |
221 | OSSL_FUNC_rand_lock_fn ossl_drbg_lock; | |
222 | OSSL_FUNC_rand_unlock_fn ossl_drbg_unlock; | |
714a1bb3 | 223 | |
f000e828 | 224 | /* Common parameters for all of our DRBGs */ |
b24d6c33 | 225 | int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]); |
61f11cad MC |
226 | int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[], |
227 | int *complete); | |
b24d6c33 | 228 | int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]); |
714a1bb3 | 229 | |
f3090fc7 | 230 | #define OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON \ |
f000e828 P |
231 | OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \ |
232 | OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL) | |
714a1bb3 | 233 | |
08edd447 | 234 | #define OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON \ |
f000e828 | 235 | OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), \ |
714a1bb3 | 236 | OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), \ |
08edd447 | 237 | OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), \ |
f000e828 P |
238 | OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_ENTROPYLEN, NULL), \ |
239 | OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ENTROPYLEN, NULL), \ | |
240 | OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_NONCELEN, NULL), \ | |
241 | OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_NONCELEN, NULL), \ | |
242 | OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_PERSLEN, NULL), \ | |
243 | OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ADINLEN, NULL), \ | |
08edd447 | 244 | OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, NULL), \ |
f000e828 P |
245 | OSSL_PARAM_time_t(OSSL_DRBG_PARAM_RESEED_TIME, NULL), \ |
246 | OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \ | |
247 | OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL) | |
248 | ||
249 | /* Continuous test "entropy" calls */ | |
1dc188ba | 250 | size_t ossl_crngt_get_entropy(PROV_DRBG *drbg, |
714a1bb3 P |
251 | unsigned char **pout, |
252 | int entropy, size_t min_len, size_t max_len, | |
253 | int prediction_resistance); | |
1dc188ba | 254 | void ossl_crngt_cleanup_entropy(PROV_DRBG *drbg, |
714a1bb3 P |
255 | unsigned char *out, size_t outlen); |
256 | ||
f553c0f0 P |
257 | /* Confirm digest is allowed to be used with a DRBG */ |
258 | int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md); | |
259 | ||
714a1bb3 | 260 | #endif |