]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/rands/drbg.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / providers / implementations / rands / drbg.c
CommitLineData
714a1bb3 1/*
fecb3aae 2 * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
714a1bb3
P		 3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <string.h>
11#include <openssl/crypto.h>
12#include <openssl/err.h>
13#include <openssl/rand.h>
f000e828 14#include <openssl/evp.h>
714a1bb3 15#include "crypto/rand.h"
2741128e 16#include <openssl/proverr.h>
714a1bb3
P		 17#include "drbg_local.h"
18#include "internal/thread_once.h"
19#include "crypto/cryptlib.h"
f000e828 20#include "prov/seeding.h"
08edd447 21#include "crypto/rand_pool.h"
f000e828 22#include "prov/provider_ctx.h"
aef30ad0 23#include "prov/providercommon.h"
927d0566 24#include "crypto/context.h"
714a1bb3
P		 25
26/*
27 * Support framework for NIST SP 800-90A DRBG
28 *
29 * See manual page PROV_DRBG(7) for a general overview.
30 *
31 * The OpenSSL model is to have new and free functions, and that new
32 * does all initialization. That is not the NIST model, which has
33 * instantiation and un-instantiate, and re-use within a new/free
34 * lifecycle. (No doubt this comes from the desire to support hardware
35 * DRBG, where allocation of resources on something like an HSM is
36 * a much bigger deal than just re-setting an allocated resource.)
37 */
38
714a1bb3
P		 39/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
40static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
41
714a1bb3
P		 42static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
43 int function);
44
f000e828
P		 45static int rand_drbg_restart(PROV_DRBG *drbg);
46
b24d6c33 47int ossl_drbg_lock(void *vctx)
714a1bb3
P		 48{
49 PROV_DRBG *drbg = vctx;
50
51 if (drbg == NULL || drbg->lock == NULL)
52 return 1;
53 return CRYPTO_THREAD_write_lock(drbg->lock);
54}
55
b24d6c33 56void ossl_drbg_unlock(void *vctx)
714a1bb3
P		 57{
58 PROV_DRBG *drbg = vctx;
59
60 if (drbg != NULL && drbg->lock != NULL)
61 CRYPTO_THREAD_unlock(drbg->lock);
62}
63
b24d6c33 64static int ossl_drbg_lock_parent(PROV_DRBG *drbg)
714a1bb3
P		 65{
66 void *parent = drbg->parent;
714a1bb3 67
f000e828
P		 68 if (parent != NULL
69 && drbg->parent_lock != NULL
70 && !drbg->parent_lock(parent)) {
71 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
72 return 0;
714a1bb3
P		 73 }
74 return 1;
75}
76
b24d6c33 77static void ossl_drbg_unlock_parent(PROV_DRBG *drbg)
714a1bb3
P		 78{
79 void *parent = drbg->parent;
714a1bb3 80
f000e828
P		 81 if (parent != NULL && drbg->parent_unlock != NULL)
82 drbg->parent_unlock(parent);
714a1bb3
P		 83}
84
f000e828 85static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)
714a1bb3
P		 86{
87 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
714a1bb3 88 void *parent = drbg->parent;
f000e828 89 int res;
714a1bb3 90
f000e828
P		 91 if (drbg->parent_get_ctx_params == NULL) {
92 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
714a1bb3
P		 93 return 0;
94 }
f000e828
P		 95
96 *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);
b24d6c33 97 if (!ossl_drbg_lock_parent(drbg)) {
f000e828 98 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
714a1bb3
P		 99 return 0;
100 }
f000e828 101 res = drbg->parent_get_ctx_params(parent, params);
b24d6c33 102 ossl_drbg_unlock_parent(drbg);
f000e828
P		 103 if (!res) {
104 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
714a1bb3
P		 105 return 0;
106 }
714a1bb3
P		 107 return 1;
108}
109
110static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
111{
112 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
714a1bb3 113 void *parent = drbg->parent;
08edd447 114 unsigned int r = 0;
714a1bb3 115
b0614f0a 116 *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r);
b24d6c33 117 if (!ossl_drbg_lock_parent(drbg)) {
f000e828 118 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
714a1bb3
P		 119 goto err;
120 }
08edd447
P		 121 if (!drbg->parent_get_ctx_params(parent, params))
122 r = 0;
b24d6c33 123 ossl_drbg_unlock_parent(drbg);
714a1bb3
P		 124 return r;
125
126 err:
f000e828 127 r = tsan_load(&drbg->reseed_counter) - 2;
714a1bb3
P		 128 if (r == 0)
129 r = UINT_MAX;
130 return r;
131}
132
714a1bb3 133/*
4f14a378 134 * Implements the get_entropy() callback
714a1bb3
P		 135 *
136 * If the DRBG has a parent, then the required amount of entropy input
7d6766cb 137 * is fetched using the parent's ossl_prov_drbg_generate().
714a1bb3
P		 138 *
139 * Otherwise, the entropy is polled from the system entropy sources
1dc188ba 140 * using ossl_pool_acquire_entropy().
714a1bb3
P		 141 *
142 * If a random pool has been added to the DRBG using RAND_add(), then
143 * its entropy will be used up first.
144 */
335e85f5
P		 145size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout,
146 int entropy, size_t min_len,
147 size_t max_len, int prediction_resistance,
148 const unsigned char *adin, size_t adin_len)
714a1bb3 149{
335e85f5
P		 150 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
151 size_t bytes_needed;
08edd447 152 unsigned char *buffer;
714a1bb3 153
08edd447
P		 154 /* Figure out how many bytes we need */
155 bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
156 if (bytes_needed < min_len)
157 bytes_needed = min_len;
158 if (bytes_needed > max_len)
159 bytes_needed = max_len;
714a1bb3 160
08edd447
P		 161 /* Allocate storage */
162 buffer = OPENSSL_secure_malloc(bytes_needed);
163 if (buffer == NULL) {
164 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
165 return 0;
714a1bb3
P		 166 }
167
08edd447 168 /*
335e85f5 169 * Get random data. Include our DRBG address as
08edd447
P		 170 * additional input, in order to provide a distinction between
171 * different DRBG child instances.
172 *
173 * Note: using the sizeof() operator on a pointer triggers
174 * a warning in some static code analyzers, but it's
175 * intentional and correct here.
176 */
335e85f5
P		 177 if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed,
178 drbg->strength, prediction_resistance,
179 (unsigned char *)&drbg, sizeof(drbg))) {
08edd447
P		 180 OPENSSL_secure_clear_free(buffer, bytes_needed);
181 ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
182 return 0;
714a1bb3 183 }
08edd447
P		 184 *pout = buffer;
185 return bytes_needed;
714a1bb3
P		 186}
187
335e85f5
P		 188/* Implements the cleanup_entropy() callback */
189void ossl_drbg_clear_seed(ossl_unused void *vdrbg,
190 unsigned char *out, size_t outlen)
714a1bb3 191{
08edd447 192 OPENSSL_secure_clear_free(out, outlen);
714a1bb3 193}
f000e828
P		 194
195static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
196 size_t min_len, size_t max_len,
197 int prediction_resistance)
198{
335e85f5
P		 199 size_t bytes;
200 unsigned int p_str;
201
f000e828 202 if (drbg->parent == NULL)
08edd447 203#ifdef FIPS_MODULE
1dc188ba 204 return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
f000e828 205 prediction_resistance);
08edd447
P		 206#else
207 return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
208 max_len);
f000e828
P		 209#endif
210
335e85f5
P		 211 if (drbg->parent_get_seed == NULL) {
212 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
213 return 0;
214 }
215 if (!get_parent_strength(drbg, &p_str))
216 return 0;
217 if (drbg->strength > p_str) {
218 /*
219 * We currently don't support the algorithm from NIST SP 800-90C
220 * 10.1.2 to use a weaker DRBG as source
221 */
222 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
223 return 0;
224 }
225
226 /*
227 * Our lock is already held, but we need to lock our parent before
228 * generating bits from it. Note: taking the lock will be a no-op
229 * if locking is not required (while drbg->parent->lock == NULL).
230 */
231 if (!ossl_drbg_lock_parent(drbg))
232 return 0;
233 /*
234 * Get random data from parent. Include our DRBG address as
235 * additional input, in order to provide a distinction between
236 * different DRBG child instances.
237 *
238 * Note: using the sizeof() operator on a pointer triggers
239 * a warning in some static code analyzers, but it's
240 * intentional and correct here.
241 */
242 bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength,
243 min_len, max_len, prediction_resistance,
244 (unsigned char *)&drbg, sizeof(drbg));
245 ossl_drbg_unlock_parent(drbg);
246 return bytes;
f000e828
P		 247}
248
249static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
250{
08edd447 251 if (drbg->parent == NULL) {
f000e828 252#ifdef FIPS_MODULE
1dc188ba 253 ossl_crngt_cleanup_entropy(drbg, out, outlen);
08edd447
P		 254#else
255 ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
714a1bb3 256#endif
335e85f5
P		 257 } else if (drbg->parent_clear_seed != NULL) {
258 if (!ossl_drbg_lock_parent(drbg))
259 return;
260 drbg->parent_clear_seed(drbg, out, outlen);
261 ossl_drbg_unlock_parent(drbg);
08edd447 262 }
f000e828 263}
714a1bb3
P		 264
265#ifndef PROV_RAND_GET_RANDOM_NONCE
266typedef struct prov_drbg_nonce_global_st {
267 CRYPTO_RWLOCK *rand_nonce_lock;
268 int rand_nonce_count;
269} PROV_DRBG_NONCE_GLOBAL;
270
271/*
272 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
b4250010 273 * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since
714a1bb3
P		 274 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
275 * to be in a different global data object. Otherwise we will go into an
276 * infinite recursion loop.
277 */
927d0566 278void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx)
714a1bb3
P		 279{
280 PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
281
282 if (dngbl == NULL)
283 return NULL;
284
285 dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
286 if (dngbl->rand_nonce_lock == NULL) {
287 OPENSSL_free(dngbl);
288 return NULL;
289 }
290
291 return dngbl;
292}
293
927d0566 294void ossl_prov_drbg_nonce_ctx_free(void *vdngbl)
714a1bb3
P		 295{
296 PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
297
298 if (dngbl == NULL)
299 return;
300
301 CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
302
303 OPENSSL_free(dngbl);
304}
305
714a1bb3 306/* Get a nonce from the operating system */
08edd447
P		 307static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout,
308 size_t min_len, size_t max_len)
714a1bb3 309{
f000e828 310 size_t ret = 0, n;
f000e828 311 unsigned char *buf = NULL;
08edd447 312 OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
714a1bb3 313 PROV_DRBG_NONCE_GLOBAL *dngbl
927d0566 314 = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX);
714a1bb3 315 struct {
08edd447 316 void *drbg;
714a1bb3
P		 317 int count;
318 } data;
08edd447 319
714a1bb3
P		 320 if (dngbl == NULL)
321 return 0;
322
08edd447
P		 323 if (drbg->parent != NULL && drbg->parent_nonce != NULL) {
324 n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
325 drbg->max_noncelen);
326 if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {
327 ret = drbg->parent_nonce(drbg->parent, buf, 0,
328 drbg->min_noncelen, drbg->max_noncelen);
329 if (ret == n) {
330 *pout = buf;
331 return ret;
f000e828 332 }
08edd447 333 OPENSSL_free(buf);
f000e828
P		 334 }
335 }
336
08edd447 337 /* Use the built in nonce source plus some of our specifics */
714a1bb3 338 memset(&data, 0, sizeof(data));
08edd447 339 data.drbg = drbg;
714a1bb3
P		 340 CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
341 dngbl->rand_nonce_lock);
08edd447
P		 342 return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len,
343 &data, sizeof(data));
714a1bb3 344}
f000e828 345#endif /* PROV_RAND_GET_RANDOM_NONCE */
714a1bb3
P		 346
347/*
348 * Instantiate |drbg|, after it has been initialized. Use |pers| and
349 * |perslen| as prediction-resistance input.
350 *
351 * Requires that drbg->lock is already locked for write, if non-null.
352 *
353 * Returns 1 on success, 0 on failure.
354 */
7d6766cb
P		 355int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
356 int prediction_resistance,
357 const unsigned char *pers, size_t perslen)
714a1bb3
P		 358{
359 unsigned char *nonce = NULL, *entropy = NULL;
360 size_t noncelen = 0, entropylen = 0;
361 size_t min_entropy, min_entropylen, max_entropylen;
714a1bb3
P		 362
363 if (strength > drbg->strength) {
6debc6ab 364 ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
714a1bb3
P		 365 goto end;
366 }
367 min_entropy = drbg->strength;
368 min_entropylen = drbg->min_entropylen;
369 max_entropylen = drbg->max_entropylen;
370
371 if (pers == NULL) {
372 pers = (const unsigned char *)ossl_pers_string;
373 perslen = sizeof(ossl_pers_string);
374 }
375 if (perslen > drbg->max_perslen) {
6debc6ab 376 ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG);
714a1bb3
P		 377 goto end;
378 }
379
f000e828
P		 380 if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {
381 if (drbg->state == EVP_RAND_STATE_ERROR)
6debc6ab 382 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
714a1bb3 383 else
6debc6ab 384 ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED);
714a1bb3
P		 385 goto end;
386 }
387
f000e828 388 drbg->state = EVP_RAND_STATE_ERROR;
714a1bb3
P		 389
390 if (drbg->min_noncelen > 0) {
f000e828
P		 391 if (drbg->parent_nonce != NULL) {
392 noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,
393 drbg->min_noncelen,
394 drbg->max_noncelen);
395 if (noncelen == 0) {
6debc6ab 396 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
f000e828
P		 397 goto end;
398 }
399 nonce = OPENSSL_malloc(noncelen);
400 if (nonce == NULL) {
6debc6ab 401 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
f000e828
P		 402 goto end;
403 }
404 if (noncelen != drbg->parent_nonce(drbg->parent, nonce,
405 drbg->strength,
406 drbg->min_noncelen,
407 drbg->max_noncelen)) {
6debc6ab 408 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
c4d02214 409 goto end;
f000e828 410 }
714a1bb3 411#ifndef PROV_RAND_GET_RANDOM_NONCE
f000e828 412 } else if (drbg->parent != NULL) {
714a1bb3 413#endif
f000e828
P		 414 /*
415 * NIST SP800-90Ar1 section 9.1 says you can combine getting
416 * the entropy and nonce in 1 call by increasing the entropy
417 * with 50% and increasing the minimum length to accommodate
418 * the length of the nonce. We do this in case a nonce is
419 * required and there is no parental nonce capability.
420 */
421 min_entropy += drbg->strength / 2;
422 min_entropylen += drbg->min_noncelen;
423 max_entropylen += drbg->max_noncelen;
714a1bb3
P		 424 }
425#ifndef PROV_RAND_GET_RANDOM_NONCE
426 else { /* parent == NULL */
08edd447 427 noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen,
714a1bb3
P		 428 drbg->max_noncelen);
429 if (noncelen < drbg->min_noncelen
430 || noncelen > drbg->max_noncelen) {
6debc6ab 431 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
714a1bb3
P		 432 goto end;
433 }
434 }
435#endif
436 }
437
f000e828 438 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
714a1bb3
P		 439 if (drbg->reseed_next_counter) {
440 drbg->reseed_next_counter++;
f000e828 441 if (!drbg->reseed_next_counter)
714a1bb3
P		 442 drbg->reseed_next_counter = 1;
443 }
444
445 entropylen = get_entropy(drbg, &entropy, min_entropy,
446 min_entropylen, max_entropylen,
447 prediction_resistance);
448 if (entropylen < min_entropylen
449 || entropylen > max_entropylen) {
6debc6ab 450 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
714a1bb3
P		 451 goto end;
452 }
453
f000e828
P		 454 if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,
455 pers, perslen)) {
caf569a5 456 cleanup_entropy(drbg, entropy, entropylen);
6debc6ab 457 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG);
714a1bb3
P		 458 goto end;
459 }
caf569a5 460 cleanup_entropy(drbg, entropy, entropylen);
714a1bb3 461
f000e828 462 drbg->state = EVP_RAND_STATE_READY;
b0614f0a 463 drbg->generate_counter = 1;
714a1bb3 464 drbg->reseed_time = time(NULL);
f000e828 465 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
714a1bb3
P		 466
467 end:
08edd447
P		 468 if (nonce != NULL)
469 ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen);
f000e828 470 if (drbg->state == EVP_RAND_STATE_READY)
714a1bb3
P		 471 return 1;
472 return 0;
473}
474
f000e828
P		 475/*
476 * Uninstantiate |drbg|. Must be instantiated before it can be used.
477 *
478 * Requires that drbg->lock is already locked for write, if non-null.
479 *
480 * Returns 1 on success, 0 on failure.
481 */
7d6766cb 482int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg)
f000e828
P		 483{
484 drbg->state = EVP_RAND_STATE_UNINITIALISED;
485 return 1;
486}
487
714a1bb3
P		 488/*
489 * Reseed |drbg|, mixing in the specified data
490 *
491 * Requires that drbg->lock is already locked for write, if non-null.
492 *
493 * Returns 1 on success, 0 on failure.
494 */
7d6766cb
P		 495int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
496 const unsigned char *ent, size_t ent_len,
497 const unsigned char *adin, size_t adinlen)
714a1bb3
P		 498{
499 unsigned char *entropy = NULL;
500 size_t entropylen = 0;
501
aef30ad0
P		 502 if (!ossl_prov_is_running())
503 return 0;
504
f000e828
P		 505 if (drbg->state != EVP_RAND_STATE_READY) {
506 /* try to recover from previous errors */
507 rand_drbg_restart(drbg);
508
509 if (drbg->state == EVP_RAND_STATE_ERROR) {
6debc6ab 510 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
f000e828
P		 511 return 0;
512 }
513 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
6debc6ab 514 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
f000e828
P		 515 return 0;
516 }
714a1bb3 517 }
f000e828
P		 518
519 if (ent != NULL) {
520 if (ent_len < drbg->min_entropylen) {
6debc6ab 521 ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE);
f000e828
P		 522 drbg->state = EVP_RAND_STATE_ERROR;
523 return 0;
524 }
525 if (ent_len > drbg->max_entropylen) {
6debc6ab 526 ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);
f000e828
P		 527 drbg->state = EVP_RAND_STATE_ERROR;
528 return 0;
529 }
714a1bb3
P		 530 }
531
532 if (adin == NULL) {
533 adinlen = 0;
534 } else if (adinlen > drbg->max_adinlen) {
6debc6ab 535 ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
714a1bb3
P		 536 return 0;
537 }
538
f000e828 539 drbg->state = EVP_RAND_STATE_ERROR;
714a1bb3 540
f000e828 541 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
714a1bb3
P		 542 if (drbg->reseed_next_counter) {
543 drbg->reseed_next_counter++;
f000e828 544 if (!drbg->reseed_next_counter)
714a1bb3
P		 545 drbg->reseed_next_counter = 1;
546 }
547
f000e828 548 if (ent != NULL) {
1d30b0a4 549#ifdef FIPS_MODULE
f000e828
P		 550 /*
551 * NIST SP-800-90A mandates that entropy *shall not* be provided
552 * by the consuming application. Instead the data is added as additional
553 * input.
554 *
555 * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
556 */
557 if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {
558 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
559 return 0;
560 }
561#else
562 if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {
563 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
564 return 0;
565 }
566 /* There isn't much point adding the same additional input twice */
567 adin = NULL;
568 adinlen = 0;
569#endif
570 }
571
572 /* Reseed using our sources in addition */
714a1bb3
P		 573 entropylen = get_entropy(drbg, &entropy, drbg->strength,
574 drbg->min_entropylen, drbg->max_entropylen,
575 prediction_resistance);
576 if (entropylen < drbg->min_entropylen
577 || entropylen > drbg->max_entropylen) {
6debc6ab 578 ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
714a1bb3
P		 579 goto end;
580 }
581
f000e828 582 if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))
714a1bb3
P		 583 goto end;
584
f000e828 585 drbg->state = EVP_RAND_STATE_READY;
b0614f0a 586 drbg->generate_counter = 1;
714a1bb3 587 drbg->reseed_time = time(NULL);
f000e828
P		 588 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
589 if (drbg->parent != NULL)
590 drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
714a1bb3
P		 591
592 end:
f000e828
P		 593 cleanup_entropy(drbg, entropy, entropylen);
594 if (drbg->state == EVP_RAND_STATE_READY)
714a1bb3
P		 595 return 1;
596 return 0;
597}
598
599/*
600 * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
601 * to or if |prediction_resistance| is set. Additional input can be
602 * sent in |adin| and |adinlen|.
603 *
604 * Requires that drbg->lock is already locked for write, if non-null.
605 *
606 * Returns 1 on success, 0 on failure.
607 *
608 */
7d6766cb
P		 609int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
610 unsigned int strength, int prediction_resistance,
611 const unsigned char *adin, size_t adinlen)
714a1bb3
P		 612{
613 int fork_id;
614 int reseed_required = 0;
615
aef30ad0
P		 616 if (!ossl_prov_is_running())
617 return 0;
618
f000e828
P		 619 if (drbg->state != EVP_RAND_STATE_READY) {
620 /* try to recover from previous errors */
621 rand_drbg_restart(drbg);
622
623 if (drbg->state == EVP_RAND_STATE_ERROR) {
6debc6ab 624 ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
714a1bb3
P		 625 return 0;
626 }
f000e828 627 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
6debc6ab 628 ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
714a1bb3
P		 629 return 0;
630 }
631 }
f000e828 632 if (strength > drbg->strength) {
6debc6ab 633 ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
f000e828
P		 634 return 0;
635 }
714a1bb3
P		 636
637 if (outlen > drbg->max_request) {
6debc6ab 638 ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);
714a1bb3
P		 639 return 0;
640 }
641 if (adinlen > drbg->max_adinlen) {
6debc6ab 642 ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
714a1bb3
P		 643 return 0;
644 }
645
646 fork_id = openssl_get_fork_id();
647
648 if (drbg->fork_id != fork_id) {
649 drbg->fork_id = fork_id;
650 reseed_required = 1;
651 }
652
653 if (drbg->reseed_interval > 0) {
b0614f0a 654 if (drbg->generate_counter >= drbg->reseed_interval)
714a1bb3
P		 655 reseed_required = 1;
656 }
657 if (drbg->reseed_time_interval > 0) {
658 time_t now = time(NULL);
659 if (now < drbg->reseed_time
660 || now - drbg->reseed_time >= drbg->reseed_time_interval)
661 reseed_required = 1;
662 }
f000e828
P		 663 if (drbg->parent != NULL
664 && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
665 reseed_required = 1;
714a1bb3
P		 666
667 if (reseed_required || prediction_resistance) {
7d6766cb
P		 668 if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
669 adin, adinlen)) {
6debc6ab 670 ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR);
714a1bb3
P		 671 return 0;
672 }
673 adin = NULL;
674 adinlen = 0;
675 }
676
f000e828
P		 677 if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {
678 drbg->state = EVP_RAND_STATE_ERROR;
6debc6ab 679 ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
714a1bb3
P		 680 return 0;
681 }
682
b0614f0a 683 drbg->generate_counter++;
714a1bb3
P		 684
685 return 1;
686}
687
714a1bb3 688/*
f000e828
P		 689 * Restart |drbg|, using the specified entropy or additional input
690 *
691 * Tries its best to get the drbg instantiated by all means,
692 * regardless of its current state.
693 *
694 * Optionally, a |buffer| of |len| random bytes can be passed,
695 * which is assumed to contain at least |entropy| bits of entropy.
696 *
697 * If |entropy| > 0, the buffer content is used as entropy input.
698 *
699 * If |entropy| == 0, the buffer content is used as additional input
700 *
701 * Returns 1 on success, 0 on failure.
702 *
703 * This function is used internally only.
714a1bb3 704 */
f000e828 705static int rand_drbg_restart(PROV_DRBG *drbg)
714a1bb3 706{
f000e828
P		 707 /* repair error state */
708 if (drbg->state == EVP_RAND_STATE_ERROR)
709 drbg->uninstantiate(drbg);
710
711 /* repair uninitialized state */
712 if (drbg->state == EVP_RAND_STATE_UNINITIALISED)
713 /* reinstantiate drbg */
7d6766cb 714 ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0);
714a1bb3 715
f000e828 716 return drbg->state == EVP_RAND_STATE_READY;
714a1bb3 717}
714a1bb3
P		 718
719/* Provider support from here down */
720static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
721 int function)
722{
723 if (dispatch != NULL)
f000e828 724 while (dispatch->function_id != 0) {
714a1bb3
P		 725 if (dispatch->function_id == function)
726 return dispatch;
f000e828
P		 727 dispatch++;
728 }
714a1bb3
P		 729 return NULL;
730}
731
b24d6c33 732int ossl_drbg_enable_locking(void *vctx)
714a1bb3
P		 733{
734 PROV_DRBG *drbg = vctx;
714a1bb3 735
f000e828
P		 736 if (drbg != NULL && drbg->lock == NULL) {
737 if (drbg->parent_enable_locking != NULL)
738 if (!drbg->parent_enable_locking(drbg->parent)) {
739 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
714a1bb3
P		 740 return 0;
741 }
742 drbg->lock = CRYPTO_THREAD_lock_new();
743 if (drbg->lock == NULL) {
f000e828 744 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
714a1bb3
P		 745 return 0;
746 }
747 }
748 return 1;
749}
750
751/*
752 * Allocate memory and initialize a new DRBG. The DRBG is allocated on
753 * the secure heap if |secure| is nonzero and the secure heap is enabled.
754 * The |parent|, if not NULL, will be used as random source for reseeding.
755 * This also requires the parent's provider context and the parent's lock.
756 *
757 * Returns a pointer to the new DRBG instance on success, NULL on failure.
758 */
1dc188ba 759PROV_DRBG *ossl_rand_drbg_new
f000e828
P		 760 (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,
761 int (*dnew)(PROV_DRBG *ctx),
762 int (*instantiate)(PROV_DRBG *drbg,
763 const unsigned char *entropy, size_t entropylen,
764 const unsigned char *nonce, size_t noncelen,
765 const unsigned char *pers, size_t perslen),
766 int (*uninstantiate)(PROV_DRBG *ctx),
767 int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
768 const unsigned char *adin, size_t adin_len),
769 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
770 const unsigned char *adin, size_t adin_len))
714a1bb3 771{
aef30ad0 772 PROV_DRBG *drbg;
f000e828
P		 773 unsigned int p_str;
774 const OSSL_DISPATCH *pfunc;
714a1bb3 775
aef30ad0
P		 776 if (!ossl_prov_is_running())
777 return NULL;
778
779 drbg = OPENSSL_zalloc(sizeof(*drbg));
714a1bb3
P		 780 if (drbg == NULL) {
781 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
782 return NULL;
783 }
784
f000e828
P		 785 drbg->provctx = provctx;
786 drbg->instantiate = instantiate;
787 drbg->uninstantiate = uninstantiate;
788 drbg->reseed = reseed;
789 drbg->generate = generate;
790 drbg->fork_id = openssl_get_fork_id();
791
792 /* Extract parent's functions */
714a1bb3 793 drbg->parent = parent;
f000e828 794 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
363b1e5d 795 drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
f000e828 796 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
363b1e5d 797 drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);
f000e828 798 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
363b1e5d 799 drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
f000e828 800 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
363b1e5d 801 drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
f000e828 802 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)
363b1e5d 803 drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);
335e85f5
P		 804 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
805 drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
806 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
807 drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
714a1bb3
P		 808
809 /* Set some default maximums up */
810 drbg->max_entropylen = DRBG_MAX_LENGTH;
811 drbg->max_noncelen = DRBG_MAX_LENGTH;
812 drbg->max_perslen = DRBG_MAX_LENGTH;
813 drbg->max_adinlen = DRBG_MAX_LENGTH;
b0614f0a 814 drbg->generate_counter = 1;
f000e828
P		 815 drbg->reseed_counter = 1;
816 drbg->reseed_interval = RESEED_INTERVAL;
817 drbg->reseed_time_interval = TIME_INTERVAL;
714a1bb3 818
f000e828 819 if (!dnew(drbg))
714a1bb3
P		 820 goto err;
821
822 if (parent != NULL) {
823 if (!get_parent_strength(drbg, &p_str))
824 goto err;
825 if (drbg->strength > p_str) {
826 /*
827 * We currently don't support the algorithm from NIST SP 800-90C
828 * 10.1.2 to use a weaker DRBG as source
829 */
f000e828 830 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
714a1bb3
P		 831 goto err;
832 }
833 }
8ff861dc
P		 834#ifdef TSAN_REQUIRES_LOCKING
835 if (!ossl_drbg_enable_locking(drbg))
836 goto err;
837#endif
714a1bb3
P		 838 return drbg;
839
840 err:
1dc188ba 841 ossl_rand_drbg_free(drbg);
714a1bb3
P		 842 return NULL;
843}
844
1dc188ba 845void ossl_rand_drbg_free(PROV_DRBG *drbg)
714a1bb3
P		 846{
847 if (drbg == NULL)
848 return;
849
714a1bb3 850 CRYPTO_THREAD_lock_free(drbg->lock);
f000e828 851 OPENSSL_free(drbg);
714a1bb3
P		 852}
853
b24d6c33 854int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
714a1bb3
P		 855{
856 OSSL_PARAM *p;
857
f000e828 858 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
714a1bb3
P		 859 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
860 return 0;
861
862 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
863 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
864 return 0;
865
08edd447 866 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
714a1bb3
P		 867 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request))
868 return 0;
869
f000e828 870 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);
714a1bb3
P		 871 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
872 return 0;
873
f000e828 874 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);
714a1bb3
P		 875 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
876 return 0;
877
f000e828 878 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);
714a1bb3
P		 879 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
880 return 0;
881
f000e828 882 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);
714a1bb3
P		 883 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
884 return 0;
885
f000e828 886 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);
714a1bb3
P		 887 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
888 return 0;
889
f000e828 890 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);
714a1bb3
P		 891 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
892 return 0;
893
f000e828
P		 894 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
895 if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
714a1bb3
P		 896 return 0;
897
f000e828
P		 898 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);
899 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))
714a1bb3
P		 900 return 0;
901
f000e828 902 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
714a1bb3
P		 903 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
904 return 0;
905
b0614f0a 906 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER);
714a1bb3 907 if (p != NULL
f000e828 908 && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))
714a1bb3
P		 909 return 0;
910 return 1;
911}
912
b24d6c33 913int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
714a1bb3
P		 914{
915 const OSSL_PARAM *p;
916
20b8dc6f
P		 917 if (params == NULL)
918 return 1;
919
f000e828 920 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
714a1bb3
P		 921 if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
922 return 0;
923
f000e828 924 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
714a1bb3
P		 925 if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
926 return 0;
927 return 1;
928}
A mirror of the official openssl repository