]> git.ipfire.org Git - thirdparty/openssl.git/blob - fips/rand/fips_drbg_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Use function name FIPS_drbg_health_check() for health check function.
[thirdparty/openssl.git] / fips / rand / fips_drbg_lib.c
1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project.
3 */
4 /* ====================================================================
5 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 */
52
53 #define OPENSSL_FIPSAPI
54
55 #include <string.h>
56 #include <openssl/crypto.h>
57 #include <openssl/err.h>
58 #include <openssl/fips_rand.h>
59 #include "fips_rand_lcl.h"
60
61 /* Support framework for SP800-90 DRBGs */
62
63 int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
64 {
65 int rv;
66 memset(dctx, 0, sizeof(DRBG_CTX));
67 dctx->status = DRBG_STATUS_UNINITIALISED;
68 dctx->xflags = flags;
69 dctx->type = type;
70
71 dctx->iflags = 0;
72 dctx->entropy_blocklen = 0;
73 dctx->health_check_cnt = 0;
74 dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
75
76 rv = fips_drbg_hash_init(dctx);
77
78 if (rv == -2)
79 rv = fips_drbg_ctr_init(dctx);
80 if (rv == -2)
81 rv = fips_drbg_hmac_init(dctx);
82 if (rv == -2)
83 rv = fips_drbg_ec_init(dctx);
84
85 if (rv <= 0)
86 {
87 if (rv == -2)
88 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
89 else
90 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
91 }
92
93 /* If not in test mode run selftests on DRBG of the same type */
94
95 if (!(dctx->xflags & DRBG_FLAG_TEST))
96 {
97 if (!FIPS_drbg_health_check(dctx))
98 {
99 FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
100 return 0;
101 }
102 }
103
104 return rv;
105 }
106
107 DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
108 {
109 DRBG_CTX *dctx;
110 dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
111 if (!dctx)
112 {
113 FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116
117 if (type == 0)
118 {
119 memset(dctx, 0, sizeof(DRBG_CTX));
120 dctx->type = 0;
121 dctx->status = DRBG_STATUS_UNINITIALISED;
122 return dctx;
123 }
124
125 if (FIPS_drbg_init(dctx, type, flags) <= 0)
126 {
127 OPENSSL_free(dctx);
128 return NULL;
129 }
130
131 return dctx;
132 }
133
134 void FIPS_drbg_free(DRBG_CTX *dctx)
135 {
136 if (dctx->uninstantiate)
137 dctx->uninstantiate(dctx);
138 OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
139 OPENSSL_free(dctx);
140 }
141
142 static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
143 int entropy, size_t min_len, size_t max_len)
144 {
145 unsigned char *tout, *p;
146 size_t bl = dctx->entropy_blocklen, rv;
147 if (dctx->xflags & DRBG_FLAG_TEST || !bl)
148 return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
149 rv = dctx->get_entropy(dctx, &tout, entropy + bl,
150 min_len + bl, max_len + bl);
151 *pout = tout + bl;
152 if (rv < (min_len + bl) || (rv % bl))
153 return 0;
154 /* Compare consecutive blocks for continuous PRNG test */
155 for (p = tout; p < tout + rv - bl; p += bl)
156 {
157 if (!memcmp(p, p + bl, bl))
158 {
159 FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
160 return 0;
161 }
162 }
163 rv -= bl;
164 if (rv > max_len)
165 return max_len;
166 return rv;
167 }
168
169 static void fips_cleanup_entropy(DRBG_CTX *dctx,
170 unsigned char *out, size_t olen)
171 {
172 size_t bl;
173 if (dctx->xflags & DRBG_FLAG_TEST)
174 bl = 0;
175 else
176 bl = dctx->entropy_blocklen;
177 /* Call cleanup with original arguments */
178 dctx->cleanup_entropy(dctx, out - bl, olen + bl);
179 }
180
181
182 int FIPS_drbg_instantiate(DRBG_CTX *dctx,
183 const unsigned char *pers, size_t perslen)
184 {
185 size_t entlen = 0, noncelen = 0;
186 unsigned char *nonce = NULL, *entropy = NULL;
187
188 #if 0
189 /* Put here so error script picks them up */
190 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
191 FIPS_R_PERSONALISATION_STRING_TOO_LONG);
192 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
193 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
194 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
195 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
196 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
197 #endif
198
199 int r = 0;
200
201 if (perslen > dctx->max_pers)
202 {
203 r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
204 goto end;
205 }
206
207 if (dctx->status != DRBG_STATUS_UNINITIALISED)
208 {
209 if (dctx->status == DRBG_STATUS_ERROR)
210 r = FIPS_R_IN_ERROR_STATE;
211 else
212 r = FIPS_R_ALREADY_INSTANTIATED;
213 goto end;
214 }
215
216 dctx->status = DRBG_STATUS_ERROR;
217
218 entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
219 dctx->min_entropy, dctx->max_entropy);
220
221 if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
222 {
223 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
224 goto end;
225 }
226
227 if (dctx->max_nonce > 0)
228 {
229 noncelen = dctx->get_nonce(dctx, &nonce,
230 dctx->strength / 2,
231 dctx->min_nonce, dctx->max_nonce);
232
233 if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
234 {
235 r = FIPS_R_ERROR_RETRIEVING_NONCE;
236 goto end;
237 }
238
239 }
240
241 if (!dctx->instantiate(dctx,
242 entropy, entlen,
243 nonce, noncelen,
244 pers, perslen))
245 {
246 r = FIPS_R_ERROR_INSTANTIATING_DRBG;
247 goto end;
248 }
249
250
251 dctx->status = DRBG_STATUS_READY;
252 if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
253 dctx->reseed_counter = 1;
254
255 end:
256
257 if (entropy && dctx->cleanup_entropy)
258 fips_cleanup_entropy(dctx, entropy, entlen);
259
260 if (nonce && dctx->cleanup_nonce)
261 dctx->cleanup_nonce(dctx, nonce, noncelen);
262
263 if (dctx->status == DRBG_STATUS_READY)
264 return 1;
265
266 if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
267 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
268
269 return 0;
270
271 }
272
273 static int drbg_reseed(DRBG_CTX *dctx,
274 const unsigned char *adin, size_t adinlen, int hcheck)
275 {
276 unsigned char *entropy = NULL;
277 size_t entlen;
278 int r = 0;
279
280 #if 0
281 FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
282 FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
283 #endif
284 if (dctx->status != DRBG_STATUS_READY
285 && dctx->status != DRBG_STATUS_RESEED)
286 {
287 if (dctx->status == DRBG_STATUS_ERROR)
288 r = FIPS_R_IN_ERROR_STATE;
289 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
290 r = FIPS_R_NOT_INSTANTIATED;
291 goto end;
292 }
293
294 if (!adin)
295 adinlen = 0;
296 else if (adinlen > dctx->max_adin)
297 {
298 r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
299 goto end;
300 }
301
302 dctx->status = DRBG_STATUS_ERROR;
303 /* Peform health check on all reseed operations if not a prediction
304 * resistance request and not in test mode.
305 */
306 if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
307 {
308 if (!FIPS_drbg_health_check(dctx))
309 {
310 r = FIPS_R_SELFTEST_FAILURE;
311 goto end;
312 }
313 }
314
315 entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
316 dctx->min_entropy, dctx->max_entropy);
317
318 if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
319 {
320 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
321 goto end;
322 }
323
324 if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
325 goto end;
326
327 dctx->status = DRBG_STATUS_READY;
328 if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
329 dctx->reseed_counter = 1;
330 end:
331
332 if (entropy && dctx->cleanup_entropy)
333 fips_cleanup_entropy(dctx, entropy, entlen);
334
335 if (dctx->status == DRBG_STATUS_READY)
336 return 1;
337
338 if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
339 FIPSerr(FIPS_F_FIPS_DRBG_RESEED, r);
340
341 return 0;
342 }
343
344 int FIPS_drbg_reseed(DRBG_CTX *dctx,
345 const unsigned char *adin, size_t adinlen)
346 {
347 return drbg_reseed(dctx, adin, adinlen, 1);
348 }
349
350 static int fips_drbg_check(DRBG_CTX *dctx)
351 {
352 if (dctx->xflags & DRBG_FLAG_TEST)
353 return 1;
354 dctx->health_check_cnt++;
355 if (dctx->health_check_cnt >= dctx->health_check_interval)
356 {
357 if (!FIPS_drbg_health_check(dctx))
358 {
359 FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
360 return 0;
361 }
362 }
363 return 1;
364 }
365
366 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
367 int prediction_resistance,
368 const unsigned char *adin, size_t adinlen)
369 {
370 int r = 0;
371
372 if (!fips_drbg_check(dctx))
373 return 0;
374
375 if (dctx->status != DRBG_STATUS_READY
376 && dctx->status != DRBG_STATUS_RESEED)
377 {
378 if (dctx->status == DRBG_STATUS_ERROR)
379 r = FIPS_R_IN_ERROR_STATE;
380 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
381 r = FIPS_R_NOT_INSTANTIATED;
382 goto end;
383 }
384
385 if (outlen > dctx->max_request)
386 {
387 r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
388 return 0;
389 }
390
391 if (adinlen > dctx->max_adin)
392 {
393 r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
394 goto end;
395 }
396
397 if (dctx->iflags & DRBG_CUSTOM_RESEED)
398 dctx->generate(dctx, NULL, outlen, NULL, 0);
399 else if (dctx->reseed_counter >= dctx->reseed_interval)
400 dctx->status = DRBG_STATUS_RESEED;
401
402 if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
403 {
404 /* If prediction resistance request don't do health check */
405 int hcheck = prediction_resistance ? 0 : 1;
406
407 if (!drbg_reseed(dctx, adin, adinlen, hcheck))
408 {
409 r = FIPS_R_RESEED_ERROR;
410 goto end;
411 }
412 adin = NULL;
413 adinlen = 0;
414 }
415
416 if (!dctx->generate(dctx, out, outlen, adin, adinlen))
417 {
418 r = FIPS_R_GENERATE_ERROR;
419 dctx->status = DRBG_STATUS_ERROR;
420 goto end;
421 }
422 if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
423 {
424 if (dctx->reseed_counter >= dctx->reseed_interval)
425 dctx->status = DRBG_STATUS_RESEED;
426 else
427 dctx->reseed_counter++;
428 }
429
430 end:
431 if (r)
432 {
433 if (!(dctx->iflags & DRBG_FLAG_NOERR))
434 FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
435 return 0;
436 }
437
438 return 1;
439 }
440
441 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
442 {
443 int rv;
444 if (!dctx->uninstantiate)
445 rv = 1;
446 else
447 rv = dctx->uninstantiate(dctx);
448 /* Although we'd like to cleanse here we can't because we have to
449 * test the uninstantiate really zeroes the data.
450 */
451 memset(&dctx->d, 0, sizeof(dctx->d));
452 dctx->status = DRBG_STATUS_UNINITIALISED;
453 /* If method has problems uninstantiating, return error */
454 return rv;
455 }
456
457 int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
458 size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
459 int entropy, size_t min_len, size_t max_len),
460 void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
461 size_t entropy_blocklen,
462 size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
463 int entropy, size_t min_len, size_t max_len),
464 void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
465 {
466 if (dctx->status != DRBG_STATUS_UNINITIALISED)
467 return 0;
468 dctx->entropy_blocklen = entropy_blocklen;
469 dctx->get_entropy = get_entropy;
470 dctx->cleanup_entropy = cleanup_entropy;
471 dctx->get_nonce = get_nonce;
472 dctx->cleanup_nonce = cleanup_nonce;
473 return 1;
474 }
475
476 int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
477 size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
478 void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
479 int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
480 int (*rand_add_cb)(DRBG_CTX *ctx,
481 const void *buf, int num, double entropy))
482 {
483 if (dctx->status != DRBG_STATUS_UNINITIALISED)
484 return 0;
485 dctx->get_adin = get_adin;
486 dctx->cleanup_adin = cleanup_adin;
487 dctx->rand_seed_cb = rand_seed_cb;
488 dctx->rand_add_cb = rand_add_cb;
489 return 1;
490 }
491
492 void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
493 {
494 return dctx->app_data;
495 }
496
497 void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
498 {
499 dctx->app_data = app_data;
500 }
501
502 size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
503 {
504 return dctx->blocklength;
505 }
506
507 int FIPS_drbg_get_strength(DRBG_CTX *dctx)
508 {
509 return dctx->strength;
510 }
511
512 void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
513 {
514 dctx->health_check_interval = interval;
515 }
516
517 void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
518 {
519 dctx->reseed_interval = interval;
520 }
521
522 static int drbg_stick = 0;
523
524 void FIPS_drbg_stick(void)
525 {
526 drbg_stick = 1;
527 }
528
529 /* Continuous DRBG utility function */
530 int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
531 {
532 /* No CPRNG in test mode */
533 if (dctx->xflags & DRBG_FLAG_TEST)
534 return 1;
535 /* Check block is valid: should never happen */
536 if (dctx->lb_valid == 0)
537 {
538 FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
539 fips_set_selftest_fail();
540 return 0;
541 }
542 if (drbg_stick)
543 memcpy(dctx->lb, out, dctx->blocklength);
544 /* Check against last block: fail if match */
545 if (!memcmp(dctx->lb, out, dctx->blocklength))
546 {
547 FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
548 fips_set_selftest_fail();
549 return 0;
550 }
551 /* Save last block for next comparison */
552 memcpy(dctx->lb, out, dctx->blocklength);
553 return 1;
554 }
A mirror of the official openssl repository