]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/implementations/rands/drbg.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
rand_drbg: remove RAND_DRBG.
[thirdparty/openssl.git] / providers / implementations / rands / drbg.c
1 /*
2 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <openssl/crypto.h>
12 #include <openssl/err.h>
13 #include <openssl/rand.h>
14 #include <openssl/evp.h>
15 #include "crypto/rand.h"
16 #include "drbg_local.h"
17 #include "internal/thread_once.h"
18 #include "crypto/cryptlib.h"
19 #include "prov/seeding.h"
20 #include "prov/rand_pool.h"
21 #include "prov/provider_ctx.h"
22 #include "prov/providercommonerr.h"
23
24 /*
25 * Support framework for NIST SP 800-90A DRBG
26 *
27 * See manual page PROV_DRBG(7) for a general overview.
28 *
29 * The OpenSSL model is to have new and free functions, and that new
30 * does all initialization. That is not the NIST model, which has
31 * instantiation and un-instantiate, and re-use within a new/free
32 * lifecycle. (No doubt this comes from the desire to support hardware
33 * DRBG, where allocation of resources on something like an HSM is
34 * a much bigger deal than just re-setting an allocated resource.)
35 */
36
37 /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
38 static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
39
40 static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
41 int function);
42
43 static int rand_drbg_restart(PROV_DRBG *drbg);
44
45 int drbg_lock(void *vctx)
46 {
47 PROV_DRBG *drbg = vctx;
48
49 if (drbg == NULL || drbg->lock == NULL)
50 return 1;
51 return CRYPTO_THREAD_write_lock(drbg->lock);
52 }
53
54 void drbg_unlock(void *vctx)
55 {
56 PROV_DRBG *drbg = vctx;
57
58 if (drbg != NULL && drbg->lock != NULL)
59 CRYPTO_THREAD_unlock(drbg->lock);
60 }
61
62 static int drbg_lock_parent(PROV_DRBG *drbg)
63 {
64 void *parent = drbg->parent;
65
66 if (parent != NULL
67 && drbg->parent_lock != NULL
68 && !drbg->parent_lock(parent)) {
69 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
70 return 0;
71 }
72 return 1;
73 }
74
75 static void drbg_unlock_parent(PROV_DRBG *drbg)
76 {
77 void *parent = drbg->parent;
78
79 if (parent != NULL && drbg->parent_unlock != NULL)
80 drbg->parent_unlock(parent);
81 }
82
83 static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)
84 {
85 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
86 void *parent = drbg->parent;
87 int res;
88
89 if (drbg->parent_get_ctx_params == NULL) {
90 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
91 return 0;
92 }
93
94 *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);
95 if (!drbg_lock_parent(drbg)) {
96 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
97 return 0;
98 }
99 res = drbg->parent_get_ctx_params(parent, params);
100 drbg_unlock_parent(drbg);
101 if (!res) {
102 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
103 return 0;
104 }
105 return 1;
106 }
107
108 static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
109 {
110 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
111 void *parent = drbg->parent;
112 unsigned int r;
113
114 *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_CTR, &r);
115 if (!drbg_lock_parent(drbg)) {
116 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
117 goto err;
118 }
119 if (!drbg->parent_get_ctx_params(parent, params)) {
120 drbg_unlock_parent(drbg);
121 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_RESEED_PROP_CTR);
122 goto err;
123 }
124 drbg_unlock_parent(drbg);
125 return r;
126
127 err:
128 r = tsan_load(&drbg->reseed_counter) - 2;
129 if (r == 0)
130 r = UINT_MAX;
131 return r;
132 }
133
134 /*
135 * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
136 *
137 * If the DRBG has a parent, then the required amount of entropy input
138 * is fetched using the parent's RAND_DRBG_generate().
139 *
140 * Otherwise, the entropy is polled from the system entropy sources
141 * using prov_pool_acquire_entropy().
142 *
143 * If a random pool has been added to the DRBG using RAND_add(), then
144 * its entropy will be used up first.
145 */
146 static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout,
147 int entropy, size_t min_len,
148 size_t max_len, int prediction_resistance)
149 {
150 size_t ret = 0;
151 size_t entropy_available = 0;
152 RAND_POOL *pool;
153 unsigned int p_str;
154
155 if (drbg->parent != NULL) {
156 if (!get_parent_strength(drbg, &p_str))
157 return 0;
158 if (drbg->strength > p_str) {
159 /*
160 * We currently don't support the algorithm from NIST SP 800-90C
161 * 10.1.2 to use a weaker DRBG as source
162 */
163 RANDerr(0, PROV_R_PARENT_STRENGTH_TOO_WEAK);
164 return 0;
165 }
166 }
167
168 if (drbg->seed_pool != NULL) {
169 pool = drbg->seed_pool;
170 pool->entropy_requested = entropy;
171 } else {
172 pool = rand_pool_new(entropy, 1, min_len, max_len);
173 if (pool == NULL) {
174 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
175 return 0;
176 }
177 }
178
179 if (drbg->parent != NULL) {
180 size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
181 unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);
182
183 if (buffer != NULL) {
184 size_t bytes = 0;
185
186 /*
187 * Get random data from parent. Include our address as additional input,
188 * in order to provide some additional distinction between different
189 * DRBG child instances.
190 * Our lock is already held, but we need to lock our parent before
191 * generating bits from it. (Note: taking the lock will be a no-op
192 * if locking if drbg->parent->lock == NULL.)
193 */
194 if (drbg->parent_generate == NULL)
195 goto err;
196 drbg_lock_parent(drbg);
197 if (drbg->parent_generate(drbg->parent, buffer, bytes_needed,
198 drbg->strength, prediction_resistance,
199 (unsigned char *)&drbg,
200 sizeof(drbg)) != 0)
201 bytes = bytes_needed;
202 drbg_unlock_parent(drbg);
203 drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
204
205 rand_pool_add_end(pool, bytes, 8 * bytes);
206 entropy_available = rand_pool_entropy_available(pool);
207 }
208 } else {
209 /* Get entropy by polling system entropy sources. */
210 entropy_available = prov_pool_acquire_entropy(pool);
211 }
212
213 if (entropy_available > 0) {
214 ret = rand_pool_length(pool);
215 *pout = rand_pool_detach(pool);
216 }
217
218 err:
219 if (drbg->seed_pool == NULL)
220 rand_pool_free(pool);
221 return ret;
222 }
223
224 /*
225 * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks())
226 *
227 */
228 static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg,
229 unsigned char *out, size_t outlen)
230 {
231 if (drbg->seed_pool == NULL) {
232 OPENSSL_secure_clear_free(out, outlen);
233 }
234 }
235
236 static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
237 size_t min_len, size_t max_len,
238 int prediction_resistance)
239 {
240 #ifdef FIPS_MODULE
241 if (drbg->parent == NULL)
242 return prov_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
243 prediction_resistance);
244 #endif
245
246 return prov_drbg_get_entropy(drbg, pout, entropy, min_len, max_len,
247 prediction_resistance);
248 }
249
250 static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
251 {
252 #ifdef FIPS_MODULE
253 if (drbg->parent == NULL)
254 prov_crngt_cleanup_entropy(drbg, out, outlen);
255 else
256 #endif
257 prov_drbg_cleanup_entropy(drbg, out, outlen);
258 }
259
260 #ifndef PROV_RAND_GET_RANDOM_NONCE
261 typedef struct prov_drbg_nonce_global_st {
262 CRYPTO_RWLOCK *rand_nonce_lock;
263 int rand_nonce_count;
264 } PROV_DRBG_NONCE_GLOBAL;
265
266 /*
267 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
268 * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since
269 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
270 * to be in a different global data object. Otherwise we will go into an
271 * infinite recursion loop.
272 */
273 static void *prov_drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx)
274 {
275 PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
276
277 if (dngbl == NULL)
278 return NULL;
279
280 dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
281 if (dngbl->rand_nonce_lock == NULL) {
282 OPENSSL_free(dngbl);
283 return NULL;
284 }
285
286 return dngbl;
287 }
288
289 static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl)
290 {
291 PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
292
293 if (dngbl == NULL)
294 return;
295
296 CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
297
298 OPENSSL_free(dngbl);
299 }
300
301 static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = {
302 prov_drbg_nonce_ossl_ctx_new,
303 prov_drbg_nonce_ossl_ctx_free,
304 };
305
306 /* Get a nonce from the operating system */
307 static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
308 unsigned char **pout,
309 int entropy, size_t min_len, size_t max_len)
310 {
311 size_t ret = 0, n;
312 RAND_POOL *pool;
313 unsigned char *buf = NULL;
314 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(drbg->provctx);
315 PROV_DRBG_NONCE_GLOBAL *dngbl
316 = openssl_ctx_get_data(libctx, OPENSSL_CTX_DRBG_NONCE_INDEX,
317 &drbg_nonce_ossl_ctx_method);
318 struct {
319 void *instance;
320 int count;
321 } data;
322
323 if (dngbl == NULL)
324 return 0;
325
326 if (drbg->parent != NULL) {
327 if (drbg->parent_nonce != NULL) {
328 n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
329 drbg->max_noncelen);
330 if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {
331 ret = drbg->parent_nonce(drbg->parent, buf, 0,
332 drbg->min_noncelen,
333 drbg->max_noncelen);
334 if (ret == n) {
335 *pout = buf;
336 return ret;
337 }
338 OPENSSL_free(buf);
339 }
340 }
341 }
342
343 /* Use the built in nonce source */
344 memset(&data, 0, sizeof(data));
345 pool = rand_pool_new(0, 0, min_len, max_len);
346 if (pool == NULL)
347 return 0;
348
349 if (prov_pool_add_nonce_data(pool) == 0)
350 goto err;
351
352 data.instance = drbg;
353 CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
354 dngbl->rand_nonce_lock);
355
356 if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0)
357 goto err;
358
359 ret = rand_pool_length(pool);
360 *pout = rand_pool_detach(pool);
361
362 err:
363 rand_pool_free(pool);
364
365 return ret;
366 }
367
368 static void prov_drbg_clear_nonce(PROV_DRBG *drbg, unsigned char *nonce,
369 size_t noncelen)
370 {
371 OPENSSL_clear_free(nonce, noncelen);
372 }
373 #else
374 # define prov_drbg_clear_nonce(drbg, nonce, len) \
375 OPENSSL_clear_free((nonce), (len))
376 #endif /* PROV_RAND_GET_RANDOM_NONCE */
377
378 /*
379 * Instantiate |drbg|, after it has been initialized. Use |pers| and
380 * |perslen| as prediction-resistance input.
381 *
382 * Requires that drbg->lock is already locked for write, if non-null.
383 *
384 * Returns 1 on success, 0 on failure.
385 */
386 int PROV_DRBG_instantiate(PROV_DRBG *drbg, unsigned int strength,
387 int prediction_resistance,
388 const unsigned char *pers, size_t perslen)
389 {
390 unsigned char *nonce = NULL, *entropy = NULL;
391 size_t noncelen = 0, entropylen = 0;
392 size_t min_entropy, min_entropylen, max_entropylen;
393
394 if (strength > drbg->strength) {
395 PROVerr(0, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
396 goto end;
397 }
398 min_entropy = drbg->strength;
399 min_entropylen = drbg->min_entropylen;
400 max_entropylen = drbg->max_entropylen;
401
402 if (pers == NULL) {
403 pers = (const unsigned char *)ossl_pers_string;
404 perslen = sizeof(ossl_pers_string);
405 }
406 if (perslen > drbg->max_perslen) {
407 PROVerr(0, PROV_R_PERSONALISATION_STRING_TOO_LONG);
408 goto end;
409 }
410
411 if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {
412 if (drbg->state == EVP_RAND_STATE_ERROR)
413 PROVerr(0, PROV_R_IN_ERROR_STATE);
414 else
415 PROVerr(0, PROV_R_ALREADY_INSTANTIATED);
416 goto end;
417 }
418
419 drbg->state = EVP_RAND_STATE_ERROR;
420
421 if (drbg->min_noncelen > 0) {
422 if (drbg->parent_nonce != NULL) {
423 noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,
424 drbg->min_noncelen,
425 drbg->max_noncelen);
426 if (noncelen == 0) {
427 PROVerr(0, PROV_R_ERROR_RETRIEVING_NONCE);
428 goto end;
429 }
430 nonce = OPENSSL_malloc(noncelen);
431 if (nonce == NULL) {
432 PROVerr(0, PROV_R_ERROR_RETRIEVING_NONCE);
433 goto end;
434 }
435 if (noncelen != drbg->parent_nonce(drbg->parent, nonce,
436 drbg->strength,
437 drbg->min_noncelen,
438 drbg->max_noncelen)) {
439 PROVerr(0, PROV_R_ERROR_RETRIEVING_NONCE);
440 goto end;
441 }
442 #ifndef PROV_RAND_GET_RANDOM_NONCE
443 } else if (drbg->parent != NULL) {
444 #endif
445 /*
446 * NIST SP800-90Ar1 section 9.1 says you can combine getting
447 * the entropy and nonce in 1 call by increasing the entropy
448 * with 50% and increasing the minimum length to accommodate
449 * the length of the nonce. We do this in case a nonce is
450 * required and there is no parental nonce capability.
451 */
452 min_entropy += drbg->strength / 2;
453 min_entropylen += drbg->min_noncelen;
454 max_entropylen += drbg->max_noncelen;
455 }
456 #ifndef PROV_RAND_GET_RANDOM_NONCE
457 else { /* parent == NULL */
458 noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->strength / 2,
459 drbg->min_noncelen,
460 drbg->max_noncelen);
461 if (noncelen < drbg->min_noncelen
462 || noncelen > drbg->max_noncelen) {
463 PROVerr(0, PROV_R_ERROR_RETRIEVING_NONCE);
464 goto end;
465 }
466 }
467 #endif
468 }
469
470 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
471 if (drbg->reseed_next_counter) {
472 drbg->reseed_next_counter++;
473 if (!drbg->reseed_next_counter)
474 drbg->reseed_next_counter = 1;
475 }
476
477 entropylen = get_entropy(drbg, &entropy, min_entropy,
478 min_entropylen, max_entropylen,
479 prediction_resistance);
480 if (entropylen < min_entropylen
481 || entropylen > max_entropylen) {
482 PROVerr(0, PROV_R_ERROR_RETRIEVING_ENTROPY);
483 goto end;
484 }
485
486 if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,
487 pers, perslen)) {
488 PROVerr(0, PROV_R_ERROR_INSTANTIATING_DRBG);
489 goto end;
490 }
491
492 drbg->state = EVP_RAND_STATE_READY;
493 drbg->reseed_gen_counter = 1;
494 drbg->reseed_time = time(NULL);
495 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
496
497 end:
498 if (entropy != NULL)
499 cleanup_entropy(drbg, entropy, entropylen);
500 prov_drbg_clear_nonce(drbg, nonce, noncelen);
501 if (drbg->state == EVP_RAND_STATE_READY)
502 return 1;
503 return 0;
504 }
505
506 /*
507 * Uninstantiate |drbg|. Must be instantiated before it can be used.
508 *
509 * Requires that drbg->lock is already locked for write, if non-null.
510 *
511 * Returns 1 on success, 0 on failure.
512 */
513 int PROV_DRBG_uninstantiate(PROV_DRBG *drbg)
514 {
515 drbg->state = EVP_RAND_STATE_UNINITIALISED;
516 return 1;
517 }
518
519 /*
520 * Reseed |drbg|, mixing in the specified data
521 *
522 * Requires that drbg->lock is already locked for write, if non-null.
523 *
524 * Returns 1 on success, 0 on failure.
525 */
526 int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
527 const unsigned char *ent, size_t ent_len,
528 const unsigned char *adin, size_t adinlen)
529 {
530 unsigned char *entropy = NULL;
531 size_t entropylen = 0;
532
533 if (drbg->state != EVP_RAND_STATE_READY) {
534 /* try to recover from previous errors */
535 rand_drbg_restart(drbg);
536
537 if (drbg->state == EVP_RAND_STATE_ERROR) {
538 PROVerr(0, PROV_R_IN_ERROR_STATE);
539 return 0;
540 }
541 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
542 PROVerr(0, PROV_R_NOT_INSTANTIATED);
543 return 0;
544 }
545 }
546
547 if (ent != NULL) {
548 if (ent_len < drbg->min_entropylen) {
549 RANDerr(0, RAND_R_ENTROPY_OUT_OF_RANGE);
550 drbg->state = EVP_RAND_STATE_ERROR;
551 return 0;
552 }
553 if (ent_len > drbg->max_entropylen) {
554 RANDerr(0, RAND_R_ENTROPY_INPUT_TOO_LONG);
555 drbg->state = EVP_RAND_STATE_ERROR;
556 return 0;
557 }
558 }
559
560 if (adin == NULL) {
561 adinlen = 0;
562 } else if (adinlen > drbg->max_adinlen) {
563 PROVerr(0, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
564 return 0;
565 }
566
567 drbg->state = EVP_RAND_STATE_ERROR;
568
569 drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
570 if (drbg->reseed_next_counter) {
571 drbg->reseed_next_counter++;
572 if (!drbg->reseed_next_counter)
573 drbg->reseed_next_counter = 1;
574 }
575
576 if (ent != NULL) {
577 #ifdef FIP_MODULE
578 /*
579 * NIST SP-800-90A mandates that entropy *shall not* be provided
580 * by the consuming application. Instead the data is added as additional
581 * input.
582 *
583 * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
584 */
585 if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {
586 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
587 return 0;
588 }
589 #else
590 if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {
591 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
592 return 0;
593 }
594 /* There isn't much point adding the same additional input twice */
595 adin = NULL;
596 adinlen = 0;
597 #endif
598 }
599
600 /* Reseed using our sources in addition */
601 entropylen = get_entropy(drbg, &entropy, drbg->strength,
602 drbg->min_entropylen, drbg->max_entropylen,
603 prediction_resistance);
604 if (entropylen < drbg->min_entropylen
605 || entropylen > drbg->max_entropylen) {
606 PROVerr(0, PROV_R_ERROR_RETRIEVING_ENTROPY);
607 goto end;
608 }
609
610 if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))
611 goto end;
612
613 drbg->state = EVP_RAND_STATE_READY;
614 drbg->reseed_gen_counter = 1;
615 drbg->reseed_time = time(NULL);
616 tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
617 if (drbg->parent != NULL)
618 drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
619
620 end:
621 cleanup_entropy(drbg, entropy, entropylen);
622 if (drbg->state == EVP_RAND_STATE_READY)
623 return 1;
624 return 0;
625 }
626
627 /*
628 * Generate |outlen| bytes into the buffer at |out|. Reseed if we need
629 * to or if |prediction_resistance| is set. Additional input can be
630 * sent in |adin| and |adinlen|.
631 *
632 * Requires that drbg->lock is already locked for write, if non-null.
633 *
634 * Returns 1 on success, 0 on failure.
635 *
636 */
637 int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
638 unsigned int strength, int prediction_resistance,
639 const unsigned char *adin, size_t adinlen)
640 {
641 int fork_id;
642 int reseed_required = 0;
643
644 if (drbg->state != EVP_RAND_STATE_READY) {
645 /* try to recover from previous errors */
646 rand_drbg_restart(drbg);
647
648 if (drbg->state == EVP_RAND_STATE_ERROR) {
649 PROVerr(0, PROV_R_IN_ERROR_STATE);
650 return 0;
651 }
652 if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
653 PROVerr(0, PROV_R_NOT_INSTANTIATED);
654 return 0;
655 }
656 }
657 if (strength > drbg->strength) {
658 PROVerr(0, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
659 return 0;
660 }
661
662 if (outlen > drbg->max_request) {
663 PROVerr(0, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);
664 return 0;
665 }
666 if (adinlen > drbg->max_adinlen) {
667 PROVerr(0, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
668 return 0;
669 }
670
671 fork_id = openssl_get_fork_id();
672
673 if (drbg->fork_id != fork_id) {
674 drbg->fork_id = fork_id;
675 reseed_required = 1;
676 }
677
678 if (drbg->reseed_interval > 0) {
679 if (drbg->reseed_gen_counter >= drbg->reseed_interval)
680 reseed_required = 1;
681 }
682 if (drbg->reseed_time_interval > 0) {
683 time_t now = time(NULL);
684 if (now < drbg->reseed_time
685 || now - drbg->reseed_time >= drbg->reseed_time_interval)
686 reseed_required = 1;
687 }
688 if (drbg->parent != NULL
689 && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
690 reseed_required = 1;
691
692 if (reseed_required || prediction_resistance) {
693 if (!PROV_DRBG_reseed(drbg, prediction_resistance, NULL, 0,
694 adin, adinlen)) {
695 PROVerr(0, PROV_R_RESEED_ERROR);
696 return 0;
697 }
698 adin = NULL;
699 adinlen = 0;
700 }
701
702 if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {
703 drbg->state = EVP_RAND_STATE_ERROR;
704 PROVerr(0, PROV_R_GENERATE_ERROR);
705 return 0;
706 }
707
708 drbg->reseed_gen_counter++;
709
710 return 1;
711 }
712
713 /*
714 * Restart |drbg|, using the specified entropy or additional input
715 *
716 * Tries its best to get the drbg instantiated by all means,
717 * regardless of its current state.
718 *
719 * Optionally, a |buffer| of |len| random bytes can be passed,
720 * which is assumed to contain at least |entropy| bits of entropy.
721 *
722 * If |entropy| > 0, the buffer content is used as entropy input.
723 *
724 * If |entropy| == 0, the buffer content is used as additional input
725 *
726 * Returns 1 on success, 0 on failure.
727 *
728 * This function is used internally only.
729 */
730 static int rand_drbg_restart(PROV_DRBG *drbg)
731 {
732 if (drbg->seed_pool != NULL) {
733 drbg->state = EVP_RAND_STATE_ERROR;
734 rand_pool_free(drbg->seed_pool);
735 drbg->seed_pool = NULL;
736 RANDerr(0, ERR_R_INTERNAL_ERROR);
737 return 0;
738 }
739
740 /* repair error state */
741 if (drbg->state == EVP_RAND_STATE_ERROR)
742 drbg->uninstantiate(drbg);
743
744 /* repair uninitialized state */
745 if (drbg->state == EVP_RAND_STATE_UNINITIALISED)
746 /* reinstantiate drbg */
747 PROV_DRBG_instantiate(drbg, drbg->strength, 0, NULL, 0);
748
749 rand_pool_free(drbg->seed_pool);
750 drbg->seed_pool = NULL;
751 return drbg->state == EVP_RAND_STATE_READY;
752 }
753
754 /* Provider support from here down */
755 static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
756 int function)
757 {
758 if (dispatch != NULL)
759 while (dispatch->function_id != 0) {
760 if (dispatch->function_id == function)
761 return dispatch;
762 dispatch++;
763 }
764 return NULL;
765 }
766
767 int drbg_enable_locking(void *vctx)
768 {
769 PROV_DRBG *drbg = vctx;
770
771 if (drbg != NULL && drbg->lock == NULL) {
772 if (drbg->parent_enable_locking != NULL)
773 if (!drbg->parent_enable_locking(drbg->parent)) {
774 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
775 return 0;
776 }
777 drbg->lock = CRYPTO_THREAD_lock_new();
778 if (drbg->lock == NULL) {
779 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
780 return 0;
781 }
782 }
783 return 1;
784 }
785
786 /*
787 * Allocate memory and initialize a new DRBG. The DRBG is allocated on
788 * the secure heap if |secure| is nonzero and the secure heap is enabled.
789 * The |parent|, if not NULL, will be used as random source for reseeding.
790 * This also requires the parent's provider context and the parent's lock.
791 *
792 * Returns a pointer to the new DRBG instance on success, NULL on failure.
793 */
794 PROV_DRBG *prov_rand_drbg_new
795 (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,
796 int (*dnew)(PROV_DRBG *ctx),
797 int (*instantiate)(PROV_DRBG *drbg,
798 const unsigned char *entropy, size_t entropylen,
799 const unsigned char *nonce, size_t noncelen,
800 const unsigned char *pers, size_t perslen),
801 int (*uninstantiate)(PROV_DRBG *ctx),
802 int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
803 const unsigned char *adin, size_t adin_len),
804 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
805 const unsigned char *adin, size_t adin_len))
806 {
807 PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
808 unsigned int p_str;
809 const OSSL_DISPATCH *pfunc;
810
811 if (drbg == NULL) {
812 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
813 return NULL;
814 }
815
816 drbg->provctx = provctx;
817 drbg->instantiate = instantiate;
818 drbg->uninstantiate = uninstantiate;
819 drbg->reseed = reseed;
820 drbg->generate = generate;
821 drbg->fork_id = openssl_get_fork_id();
822
823 /* Extract parent's functions */
824 drbg->parent = parent;
825 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
826 drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
827 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
828 drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);
829 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
830 drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
831 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
832 drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
833 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GENERATE)) != NULL)
834 drbg->parent_generate = OSSL_FUNC_rand_generate(pfunc);
835 if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)
836 drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);
837
838 /* Set some default maximums up */
839 drbg->max_entropylen = DRBG_MAX_LENGTH;
840 drbg->max_noncelen = DRBG_MAX_LENGTH;
841 drbg->max_perslen = DRBG_MAX_LENGTH;
842 drbg->max_adinlen = DRBG_MAX_LENGTH;
843 drbg->reseed_gen_counter = 1;
844 drbg->reseed_counter = 1;
845 drbg->reseed_interval = RESEED_INTERVAL;
846 drbg->reseed_time_interval = TIME_INTERVAL;
847
848 if (!dnew(drbg))
849 goto err;
850
851 if (parent != NULL) {
852 if (!get_parent_strength(drbg, &p_str))
853 goto err;
854 if (drbg->strength > p_str) {
855 /*
856 * We currently don't support the algorithm from NIST SP 800-90C
857 * 10.1.2 to use a weaker DRBG as source
858 */
859 ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
860 goto err;
861 }
862 }
863 return drbg;
864
865 err:
866 prov_rand_drbg_free(drbg);
867 return NULL;
868 }
869
870 void prov_rand_drbg_free(PROV_DRBG *drbg)
871 {
872 if (drbg == NULL)
873 return;
874
875 rand_pool_free(drbg->adin_pool);
876 CRYPTO_THREAD_lock_free(drbg->lock);
877 OPENSSL_free(drbg);
878 }
879
880 int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
881 {
882 OSSL_PARAM *p;
883
884 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
885 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
886 return 0;
887
888 p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
889 if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
890 return 0;
891
892 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_REQUEST);
893 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request))
894 return 0;
895
896 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);
897 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
898 return 0;
899
900 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);
901 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
902 return 0;
903
904 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);
905 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
906 return 0;
907
908 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);
909 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
910 return 0;
911
912 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);
913 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
914 return 0;
915
916 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);
917 if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
918 return 0;
919
920 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
921 if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
922 return 0;
923
924 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);
925 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))
926 return 0;
927
928 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
929 if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
930 return 0;
931
932 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_CTR);
933 if (p != NULL
934 && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))
935 return 0;
936 return 1;
937 }
938
939 int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
940 {
941 const OSSL_PARAM *p;
942
943 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
944 if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
945 return 0;
946
947 p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
948 if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
949 return 0;
950 return 1;
951 }
A mirror of the official openssl repository