Commit | Line | Data |
---|---|---|
714a1bb3 P |
1 | /* |
2 | * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #ifndef OSSL_CRYPTO_PROV_LOCAL_H | |
11 | # define OSSL_CRYPTO_PROV_LOCAL_H | |
12 | ||
13 | # include <openssl/evp.h> | |
363b1e5d | 14 | # include <openssl/core_dispatch.h> |
714a1bb3 P |
15 | # include <openssl/core_names.h> |
16 | # include <openssl/params.h> | |
17 | # include "internal/tsan_assist.h" | |
f000e828 | 18 | # include "internal/nelem.h" |
714a1bb3 | 19 | # include "internal/numbers.h" |
08edd447 | 20 | # include "prov/provider_ctx.h" |
714a1bb3 P |
21 | |
/* How many times to read the TSC as a randomness source. */
# define TSC_READ_COUNT 4

/*
 * Maximum reseed intervals.
 *
 * NOTE(review): presumably the upper bounds for reseed_interval (a count of
 * generate requests) and reseed_time_interval (seconds) in struct
 * prov_drbg_st -- confirm where the bounds are enforced.
 */
# define MAX_RESEED_INTERVAL (1 << 24)
# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* 1048576 s, approx. 12 days */

/*
 * Default reseed intervals: 256 (1 << 8) for RESEED_INTERVAL and 3600
 * seconds for TIME_INTERVAL.
 */
# define RESEED_INTERVAL (1 << 8)
# define TIME_INTERVAL (60*60) /* 1 hour */
714a1bb3 P |
32 | |
/*
 * The number of bytes that constitutes an atomic lump of entropy with respect
 * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
 * arbitrary: the smaller the value, the less entropy is consumed on first
 * read, but the higher the probability of the test failing by accident.
 *
 * The value is in bytes (16 bytes = 128 bits).
 *
 * NOTE(review): assumes the test compares consecutive lumps for equality, in
 * which case an accidental failure on good input has probability of about
 * 2^-128 per comparison -- confirm against the CRNGT implementation.
 */
#define CRNGT_BUFSIZ 16
42 | ||
/*
 * Maximum input size for the DRBG (entropy, nonce, personalization string)
 *
 * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
 *
 * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
 *
 * The limit is expressed in bytes, like every other '...len' value in this
 * header. INT32_MAX also fits in a signed 32-bit int, so a length bounded by
 * it cannot go negative if it is later passed through an int.
 */
# define DRBG_MAX_LENGTH INT32_MAX
51 | ||
/*
 * The default personalization string (the macro name says PERS_STRING; an
 * earlier comment here called it "the default nonce").
 *
 * On EBCDIC platforms the string is spelled out as the ASCII byte values of
 * "OpenSSL NIST SP 800-90A DRBG" plus a terminating 0x00, so the same bytes
 * are fed to the DRBG whatever the execution character set is.
 *
 * NOTE(review): the EBCDIC variant ends in "};", i.e. the macro carries its
 * own semicolon while the string-literal variant does not. A use site that
 * appends ';' gets an extra empty declaration on EBCDIC builds only --
 * confirm against the use sites before changing either form.
 */
#ifdef CHARSET_EBCDIC
# define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \
     0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \
     0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00};
#else
# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
#endif
60 | ||
/* Forward declaration; the structure is defined further down in this header. */
typedef struct prov_drbg_st PROV_DRBG;

/*
 * DRBG status values.
 *
 * DRBG_UNINITIALISED is the first enumerator and therefore has the value 0,
 * so a zero-filled PROV_DRBG reports itself as uninitialised rather than
 * ready.
 *
 * NOTE(review): presumably only DRBG_READY permits generate requests and
 * DRBG_ERROR is left by uninstantiating and instantiating again -- confirm
 * against the state handling in the implementation.
 */
typedef enum drbg_status_e {
    DRBG_UNINITIALISED,
    DRBG_READY,
    DRBG_ERROR
} DRBG_STATUS;
69 | ||
/*
 * The state of all types of DRBGs.
 *
 * Holds the bookkeeping shared by every DRBG mechanism (limits, reseed
 * policy, counters, parent linkage, entropy callbacks); the state that is
 * specific to one mechanism hangs off the opaque 'data' pointer.
 */
struct prov_drbg_st {
    /* NOTE(review): presumably NULL until locking is enabled -- confirm */
    CRYPTO_RWLOCK *lock;
    PROV_CTX *provctx;

    /*
     * Virtual functions are cached here.
     * Their signatures match the function-pointer arguments of
     * ossl_rand_drbg_new().
     */
    int (*instantiate)(PROV_DRBG *drbg,
                       const unsigned char *entropy, size_t entropylen,
                       const unsigned char *nonce, size_t noncelen,
                       const unsigned char *pers, size_t perslen);
    int (*uninstantiate)(PROV_DRBG *ctx);
    int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
                  const unsigned char *adin, size_t adin_len);
    int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
                    const unsigned char *adin, size_t adin_len);

    /* Parent PROV_RAND and its dispatch table functions */
    void *parent;
    OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking;
    OSSL_FUNC_rand_lock_fn *parent_lock;
    OSSL_FUNC_rand_unlock_fn *parent_unlock;
    OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params;
    OSSL_FUNC_rand_generate_fn *parent_generate;
    OSSL_FUNC_rand_nonce_fn *parent_nonce;

    /* NOTE(review): presumably the table the parent_* pointers came from */
    const OSSL_DISPATCH *parent_dispatch;

    /*
     * Stores the return value of openssl_get_fork_id() as of when we last
     * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
     * openssl_get_fork_id(). Used to provide fork-safety and reseed this
     * DRBG in the child process.
     *
     * Without this, parent and child would continue from identical DRBG
     * state after fork() and could emit the same "random" output.
     */
    int fork_id;
    unsigned short flags; /* various external flags */

    /*
     * The following parameters are set up by the per-type "init" function.
     *
     * The supported types and their init functions are:
     *    (1) CTR_DRBG:  drbg_ctr_init().
     *    (2) HMAC_DRBG: drbg_hmac_init().
     *    (3) HASH_DRBG: drbg_hash_init().
     *
     * The parameters are closely related to the ones described in
     * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
     * crucial difference: In the NIST standard, all counts are given
     * in bits, whereas in OpenSSL entropy counts are given in bits
     * and buffer lengths are given in bytes.
     *
     * Since this difference has led to some confusion in the past,
     * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
     * the 'len' suffix has been added to all buffer sizes for
     * clarification.
     */

    /* Security strength; per the note above, an entropy count in bits */
    unsigned int strength;
    /* Limits below are buffer lengths, i.e. bytes (see the note above) */
    size_t max_request;
    size_t min_entropylen, max_entropylen;
    size_t min_noncelen, max_noncelen;
    size_t max_perslen, max_adinlen;

    /*
     * Counts the number of generate requests since the last reseed
     * (Starts at 1). This value is the reseed_counter as defined in
     * NIST SP 800-90Ar1
     *
     * Do not confuse it with the reseed_counter field further down, which
     * counts reseeds rather than generate requests.
     */
    unsigned int generate_counter;
    /*
     * Maximum number of generate requests until a reseed is required.
     * This value is ignored if it is zero.
     */
    unsigned int reseed_interval;
    /* Stores the time when the last reseeding occurred */
    time_t reseed_time;
    /*
     * Specifies the maximum time interval (in seconds) between reseeds.
     * This value is ignored if it is zero.
     */
    time_t reseed_time_interval;
    /*
     * Counts the number of reseeds since instantiation.
     * This value is ignored if it is zero.
     *
     * This counter is used only for seed propagation from the <master> DRBG
     * to its two children, the <public> and <private> DRBG. This feature is
     * very special and its sole purpose is to ensure that any randomness which
     * is added by PROV_add() or PROV_seed() will have an immediate effect on
     * the output of PROV_bytes() resp. PROV_priv_bytes().
     *
     * NOTE(review): the PROV_* function names above look like the result of
     * a RAND_ -> PROV_ rename; presumably RAND_add(), RAND_seed(),
     * RAND_bytes() and RAND_priv_bytes() are meant -- confirm.
     * NOTE(review): TSAN_QUALIFIER comes from internal/tsan_assist.h;
     * presumably it lets this counter be read without holding 'lock' --
     * confirm.
     */
    TSAN_QUALIFIER unsigned int reseed_counter;
    unsigned int reseed_next_counter;
    unsigned int parent_reseed_counter;

    size_t seedlen;
    DRBG_STATUS state;

    /* DRBG specific data */
    void *data;

    /*
     * Entropy and nonce gathering callbacks.
     * Each get_* callback is paired with a cleanup_* callback;
     * callback_arg is presumably the opaque argument handed to all four
     * -- confirm.
     */
    void *callback_arg;
    OSSL_INOUT_CALLBACK *get_entropy_fn;
    OSSL_CALLBACK *cleanup_entropy_fn;
    OSSL_INOUT_CALLBACK *get_nonce_fn;
    OSSL_CALLBACK *cleanup_nonce_fn;
};
179 | ||
/*
 * Create a PROV_DRBG.
 *
 * provctx, parent and parent_dispatch correspond to the fields of the same
 * names in struct prov_drbg_st. instantiate, uninstantiate, reseed and
 * generate have exactly the signatures of the virtual functions cached in
 * that structure.
 *
 * NOTE(review): dnew is presumably the per-mechanism constructor that sets
 * up the 'data' pointer and the limits; a NULL return presumably signals
 * failure -- confirm against the definition.
 */
PROV_DRBG *ossl_rand_drbg_new
    (void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch,
     int (*dnew)(PROV_DRBG *ctx),
     int (*instantiate)(PROV_DRBG *drbg,
                        const unsigned char *entropy, size_t entropylen,
                        const unsigned char *nonce, size_t noncelen,
                        const unsigned char *pers, size_t perslen),
     int (*uninstantiate)(PROV_DRBG *ctx),
     int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
                   const unsigned char *adin, size_t adin_len),
     int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
                     const unsigned char *adin, size_t adin_len));
/* Release a PROV_DRBG obtained from ossl_rand_drbg_new(). */
void ossl_rand_drbg_free(PROV_DRBG *drbg);

/*
 * Mechanism-independent entry points. Unlike the cached virtual functions,
 * these take no entropy or nonce buffers for instantiation and carry
 * strength / prediction_resistance arguments.
 *
 * pers/perslen and adin/adinlen are byte buffers with lengths in bytes;
 * strength is a count in bits (see the units note in struct prov_drbg_st).
 *
 * NOTE(review): the int results presumably follow the usual OpenSSL
 * convention of 1 for success and 0 for failure, and a non-zero
 * prediction_resistance presumably forces fresh entropy to be obtained
 * before output is produced -- confirm both against the definitions.
 */
int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
                               int prediction_resistance,
                               const unsigned char *pers, size_t perslen);

int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg);

int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
                          const unsigned char *ent, size_t ent_len,
                          const unsigned char *adin, size_t adinlen);

int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
                            unsigned int strength, int prediction_resistance,
                            const unsigned char *adin, size_t adinlen);
f000e828 | 207 | |
f000e828 P |
/*
 * Verify that an array of numeric values is all zero.
 *
 * Expands to a braced block that executes 'return 0' in the *calling*
 * function as soon as a non-zero element is found, and falls through when
 * every element is zero. It can therefore only be used inside a function
 * whose return type accepts 0, and any cleanup placed after the macro is
 * skipped on the failure path.
 *
 * v must be a true array: the element count is taken with OSSL_NELEM(v)
 * (a sizeof-based count from internal/nelem.h), so passing a pointer would
 * check the wrong number of elements.
 *
 * NOTE(review): the expansion is a bare { } block rather than
 * do { } while (0), so "if (c) MACRO(v); else ..." does not parse as
 * intended. The name is spelled VERYIFY; it is kept because callers
 * reference it.
 */
#define PROV_DRBG_VERYIFY_ZEROIZATION(v) \
{ \
    size_t i; \
    \
    for (i = 0; i < OSSL_NELEM(v); i++) \
        if ((v)[i] != 0) \
            return 0; \
}
714a1bb3 P |
217 | |
/*
 * Locking API.
 *
 * The OSSL_FUNC_rand_*_fn names are function types (struct prov_drbg_st
 * stores pointers to them for the parent), so each line below declares a
 * function with that signature, not a variable.
 */
OSSL_FUNC_rand_enable_locking_fn ossl_drbg_enable_locking;
OSSL_FUNC_rand_lock_fn ossl_drbg_lock;
OSSL_FUNC_rand_unlock_fn ossl_drbg_unlock;

/*
 * Common parameters for all of our DRBGs.
 *
 * The getter receives a writable OSSL_PARAM array, the setter a const one.
 * NOTE(review): presumably these handle the keys listed in
 * OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON and
 * OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON respectively -- confirm.
 */
int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]);
int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]);
714a1bb3 | 226 | |
/*
 * Parameter descriptors that every DRBG accepts for setting.
 *
 * Expands to a comma-separated list of OSSL_PARAM entries with no trailing
 * comma and no terminator, so it has to be embedded in a larger initializer
 * list. Only the two reseed-policy values appear here; everything else in
 * the gettable list below is read-only through this interface.
 *
 * NOTE(review): the reseed time interval is described as uint64 here while
 * struct prov_drbg_st stores it as time_t, and MAX_RESEED_INTERVAL /
 * MAX_RESEED_TIME_INTERVAL exist as upper bounds -- confirm that the setter
 * range-checks both values before storing them.
 */
#define OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON \
    OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \
    OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL)

/*
 * Parameter descriptors that every DRBG exposes for reading: state,
 * strength, the request/entropy/nonce/personalization/additional-input
 * length limits, the reseed counter and time, and the two reseed-policy
 * values that are also settable.
 *
 * Same expansion rules as the settable list: no trailing comma, no
 * terminator.
 */
#define OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON \
    OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), \
    OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), \
    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_ENTROPYLEN, NULL), \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ENTROPYLEN, NULL), \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_NONCELEN, NULL), \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_NONCELEN, NULL), \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_PERSLEN, NULL), \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ADINLEN, NULL), \
    OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, NULL), \
    OSSL_PARAM_time_t(OSSL_DRBG_PARAM_RESEED_TIME, NULL), \
    OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \
    OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL)
245 | ||
/*
 * Continuous test "entropy" calls.
 *
 * ossl_crngt_get_entropy() hands a buffer back through *pout and returns a
 * size_t; ossl_crngt_cleanup_entropy() takes such a buffer and its length.
 *
 * NOTE(review): presumably the return value is the number of bytes placed
 * in *pout with 0 meaning failure, 'entropy' is a count in bits while
 * min_len/max_len are bytes (the convention described in struct
 * prov_drbg_st), and the cleanup call wipes the buffer before releasing it
 * -- confirm all three against the definitions. Callers should pair every
 * successful get with exactly one cleanup.
 */
size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
                              unsigned char **pout,
                              int entropy, size_t min_len, size_t max_len,
                              int prediction_resistance);
void ossl_crngt_cleanup_entropy(PROV_DRBG *drbg,
                                unsigned char *out, size_t outlen);
253 | ||
714a1bb3 | 254 | #endif |