fips: continuous random bit generator tests

author Pauli <ppzgs1@gmail.com>

Thu, 5 Sep 2024 00:24:07 +0000 (10:24 +1000)

committer Pauli <ppzgs1@gmail.com>

Wed, 18 Sep 2024 22:44:14 +0000 (08:44 +1000)
author Pauli <ppzgs1@gmail.com>
Thu, 5 Sep 2024 00:24:07 +0000 (10:24 +1000)
committer Pauli <ppzgs1@gmail.com>
Wed, 18 Sep 2024 22:44:14 +0000 (08:44 +1000)
diff --git a/crypto/context.c b/crypto/context.c

index f3d9f384fc82a3541371385f96794d78a8ecaffc..96216abcdaba81379e6b64fa8e90892d0fc5894c 100644 (file)
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -19,7 +19,7 @@
  #include "crypto/context.h"
  
  struct ossl_lib_ctx_st {
-    CRYPTO_RWLOCK *lock, *rand_crngt_lock;
+    CRYPTO_RWLOCK *lock;
      OSSL_EX_DATA_GLOBAL global;
  
      void *property_string_data;
@@ -45,7 +45,6 @@ struct ossl_lib_ctx_st {
  #if defined(OPENSSL_THREADS)
      void *threads;
  #endif
-    void *rand_crngt;
  #ifdef FIPS_MODULE
      void *thread_event_handler;
      void *fips_prov;
@@ -93,10 +92,6 @@ static int context_init(OSSL_LIB_CTX *ctx)
      if (ctx->lock == NULL)
          goto err;
  
-    ctx->rand_crngt_lock = CRYPTO_THREAD_lock_new();
-    if (ctx->rand_crngt_lock == NULL)
-        goto err;
-
      /* Initialize ex_data. */
      if (!ossl_do_ex_data_init(ctx))
          goto err;
@@ -222,7 +217,6 @@ static int context_init(OSSL_LIB_CTX *ctx)
      if (exdata_done)
          ossl_crypto_cleanup_all_ex_data_int(ctx);
  
-    CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
      CRYPTO_THREAD_lock_free(ctx->lock);
      CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
      memset(ctx, '\0', sizeof(*ctx));
@@ -328,11 +322,6 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
      }
  #endif
  
-    if (ctx->rand_crngt != NULL) {
-        ossl_rand_crng_ctx_free(ctx->rand_crngt);
-        ctx->rand_crngt = NULL;
-    }
-
  #ifdef FIPS_MODULE
      if (ctx->thread_event_handler != NULL) {
          ossl_thread_event_ctx_free(ctx->thread_event_handler);
@@ -380,9 +369,7 @@ static int context_deinit(OSSL_LIB_CTX *ctx)
  
      ossl_crypto_cleanup_all_ex_data_int(ctx);
  
-    CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
      CRYPTO_THREAD_lock_free(ctx->lock);
-    ctx->rand_crngt_lock = NULL;
      ctx->lock = NULL;
      CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
      return 1;
@@ -573,8 +560,6 @@ int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx)
  
  void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
  {
-    void *p;
-
      ctx = ossl_lib_ctx_get_concrete(ctx);
      if (ctx == NULL)
          return NULL;
@@ -621,36 +606,6 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
          return ctx->threads;
  #endif
  
-    case OSSL_LIB_CTX_RAND_CRNGT_INDEX: {
-
-        /*
-         * rand_crngt must be lazily initialized because it calls into
-         * libctx, so must not be called from context_init, else a deadlock
-         * will occur.
-         *
-         * We use a separate lock because code called by the instantiation
-         * of rand_crngt is liable to try and take the libctx lock.
-         */
-        if (CRYPTO_THREAD_read_lock(ctx->rand_crngt_lock) != 1)
-            return NULL;
-
-        if (ctx->rand_crngt == NULL) {
-            CRYPTO_THREAD_unlock(ctx->rand_crngt_lock);
-
-            if (CRYPTO_THREAD_write_lock(ctx->rand_crngt_lock) != 1)
-                return NULL;
-
-            if (ctx->rand_crngt == NULL)
-                ctx->rand_crngt = ossl_rand_crng_ctx_new(ctx);
-        }
-
-        p = ctx->rand_crngt;
-
-        CRYPTO_THREAD_unlock(ctx->rand_crngt_lock);
-
-        return p;
-    }
-
  #ifdef FIPS_MODULE
      case OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX:
          return ctx->thread_event_handler;
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c

index b117a67f916ec73c2db9ffd5c2b8f5e04229ebe5..9e147f27bbe8e477d9ec1f99d65be552b689ebf6 100644 (file)
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -696,6 +696,33 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent,
      return ctx;
  }
  
+#ifdef FIPS_MODULE
+static EVP_RAND_CTX *rand_new_crngt(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent)
+{
+    EVP_RAND *rand;
+    EVP_RAND_CTX *ctx;
+
+    rand = EVP_RAND_fetch(libctx, "CRNG-TEST", "fips=no");
+    if (rand == NULL) {
+        ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_FETCH_DRBG);
+        return NULL;
+    }
+    ctx = EVP_RAND_CTX_new(rand, parent);
+    EVP_RAND_free(rand);
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_CREATE_DRBG);
+        return NULL;
+    }
+
+    if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) {
+        ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG);
+        EVP_RAND_CTX_free(ctx);
+        return NULL;
+    }
+    return ctx;
+}
+#endif
+
  /*
   * Get the primary random generator.
   * Returns pointer to its EVP_RAND_CTX on success, NULL on failure.
@@ -727,21 +754,23 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
          return ret;
      }
  
-#ifndef FIPS_MODULE
+#ifdef FIPS_MODULE
+    ret = rand_new_crngt(ctx, dgbl->seed);
+#else
      if (dgbl->seed == NULL) {
          ERR_set_mark();
          dgbl->seed = rand_new_seed(ctx);
          ERR_pop_to_mark();
      }
+    ret = rand_new_drbg(ctx, dgbl->seed, PRIMARY_RESEED_INTERVAL,
+                        PRIMARY_RESEED_TIME_INTERVAL, 1);
  #endif
  
-    ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
-                                        PRIMARY_RESEED_INTERVAL,
-                                        PRIMARY_RESEED_TIME_INTERVAL, 1);
      /*
-    * The primary DRBG may be shared between multiple threads so we must
-    * enable locking.
-    */
+     * The primary DRBG may be shared between multiple threads so we must
+     * enable locking.
+     */
+    dgbl->primary = ret;
      if (ret != NULL && !EVP_RAND_enable_locking(ret)) {
          ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_LOCKING);
          EVP_RAND_CTX_free(ret);
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h

index 6b90b729e3aa6ad3e58b8b98b7bc6cd0f42f4ee7..3227f9fcf9bed2094f3a8c72268f5f7bf589633d 100644 (file)
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -100,7 +100,7 @@ typedef struct ossl_ex_data_global_st {
  # define OSSL_LIB_CTX_NAMEMAP_INDEX                  4
  # define OSSL_LIB_CTX_DRBG_INDEX                     5
  # define OSSL_LIB_CTX_DRBG_NONCE_INDEX               6
-# define OSSL_LIB_CTX_RAND_CRNGT_INDEX               7
+/* slot 7 unused, was CRNG test data and can be reused */
  # ifdef FIPS_MODULE
  #  define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX    8
  # endif
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c

index c446367dea390fd6e7caafb1e286e229a2eb859c..561f7123ad2ce77c9c981442a422ab68dda6c999 100644 (file)
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -386,6 +386,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
  };
  
  static const OSSL_ALGORITHM fips_rands[] = {
+    { PROV_NAMES_CRNG_TEST, FIPS_UNAPPROVED_PROPERTIES, ossl_crng_test_functions },
      { PROV_NAMES_CTR_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_ctr_functions },
      { PROV_NAMES_HASH_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_hash_functions },
      { PROV_NAMES_HMAC_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_ossl_hmac_functions },
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h

index 66f42e0a149727d1672fada0fd430e4e223dce6e..5b9190565775bc439861b69019c2f73be9487fb4 100644 (file)
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -296,6 +296,7 @@ extern const OSSL_DISPATCH ossl_kdf_argon2id_functions[];
  extern const OSSL_DISPATCH ossl_test_rng_functions[];
  extern const OSSL_DISPATCH ossl_seed_src_functions[];
  extern const OSSL_DISPATCH ossl_jitter_functions[];
+extern const OSSL_DISPATCH ossl_crng_test_functions[];
  extern const OSSL_DISPATCH ossl_drbg_hash_functions[];
  extern const OSSL_DISPATCH ossl_drbg_ossl_hmac_functions[];
  extern const OSSL_DISPATCH ossl_drbg_ctr_functions[];
diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h

index 05df498d0ed80af8d5294a5e8fac882b6cb08b2c..d422dbac296ef6583ac692b3ca93a487456f75ed 100644 (file)
--- a/providers/implementations/include/prov/names.h
+++ b/providers/implementations/include/prov/names.h
@@ -306,6 +306,7 @@
   * RANDs
   * -----
   */
+#define PROV_NAMES_CRNG_TEST "CRNG-TEST"
  #define PROV_NAMES_CTR_DRBG "CTR-DRBG"
  #define PROV_NAMES_HASH_DRBG "HASH-DRBG"
  #define PROV_NAMES_HMAC_DRBG "HMAC-DRBG"
diff --git a/providers/implementations/rands/build.info b/providers/implementations/rands/build.info

index 70f84541938fd0233ab6adb092d67747f2248fe3..8e0894faa65aac8ebbe1e9dd4d831b0441414351 100644 (file)
--- a/providers/implementations/rands/build.info
+++ b/providers/implementations/rands/build.info
@@ -2,5 +2,6 @@ SUBDIRS=seeding
  
  $RANDS_GOAL=../../libdefault.a ../../libfips.a
  
-SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c crngt.c
+SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c
  SOURCE[../../libdefault.a]=seed_src.c seed_src_jitter.c
+SOURCE[../../libfips.a]=fips_crng_test.c
diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c

deleted file mode 100644 (file)

index fa4a2db..0000000
--- a/providers/implementations/rands/crngt.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
- */
-
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/core_dispatch.h>
-#include <openssl/params.h>
-#include <openssl/self_test.h>
-#include "prov/providercommon.h"
-#include "prov/provider_ctx.h"
-#include "internal/cryptlib.h"
-#include "crypto/rand_pool.h"
-#include "drbg_local.h"
-#include "prov/seeding.h"
-#include "crypto/context.h"
-
-typedef struct crng_test_global_st {
-    unsigned char crngt_prev[EVP_MAX_MD_SIZE];
-    EVP_MD *md;
-    int preloaded;
-    CRYPTO_RWLOCK *lock;
-} CRNG_TEST_GLOBAL;
-
-static int crngt_get_entropy(PROV_CTX *provctx, const EVP_MD *digest,
-                             unsigned char *buf, unsigned char *md,
-                             unsigned int *md_size)
-{
-    int r;
-    size_t n;
-    unsigned char *p;
-
-    n = ossl_prov_get_entropy(provctx, &p, 0, CRNGT_BUFSIZ, CRNGT_BUFSIZ);
-    if (n == CRNGT_BUFSIZ) {
-        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, digest, NULL);
-        if (r != 0)
-            memcpy(buf, p, CRNGT_BUFSIZ);
-        ossl_prov_cleanup_entropy(provctx, p, n);
-        return r != 0;
-    }
-    if (n != 0)
-        ossl_prov_cleanup_entropy(provctx, p, n);
-    return 0;
-}
-
-void ossl_rand_crng_ctx_free(void *vcrngt_glob)
-{
-    CRNG_TEST_GLOBAL *crngt_glob = vcrngt_glob;
-
-    CRYPTO_THREAD_lock_free(crngt_glob->lock);
-    EVP_MD_free(crngt_glob->md);
-    OPENSSL_free(crngt_glob);
-}
-
-void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *ctx)
-{
-    CRNG_TEST_GLOBAL *crngt_glob = OPENSSL_zalloc(sizeof(*crngt_glob));
-
-    if (crngt_glob == NULL)
-        return NULL;
-
-    if ((crngt_glob->md = EVP_MD_fetch(ctx, "SHA256", "")) == NULL) {
-        OPENSSL_free(crngt_glob);
-        return NULL;
-    }
-
-    if ((crngt_glob->lock = CRYPTO_THREAD_lock_new()) == NULL) {
-        EVP_MD_free(crngt_glob->md);
-        OPENSSL_free(crngt_glob);
-        return NULL;
-    }
-
-    return crngt_glob;
-}
-
-static int prov_crngt_compare_previous(const unsigned char *prev,
-                                       const unsigned char *cur,
-                                       size_t sz)
-{
-    const int res = memcmp(prev, cur, sz) != 0;
-
-    if (!res)
-        ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
-    return res;
-}
-
-size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
-                              unsigned char **pout,
-                              int entropy, size_t min_len, size_t max_len,
-                              int prediction_resistance)
-{
-    unsigned char md[EVP_MAX_MD_SIZE];
-    unsigned char buf[CRNGT_BUFSIZ];
-    unsigned char *ent, *entp, *entbuf;
-    unsigned int sz;
-    size_t bytes_needed;
-    size_t r = 0, s, t;
-    int crng_test_pass = 1;
-    OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
-    CRNG_TEST_GLOBAL *crngt_glob
-        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX);
-    OSSL_CALLBACK *stcb = NULL;
-    void *stcbarg = NULL;
-    OSSL_SELF_TEST *st = NULL;
-
-    if (crngt_glob == NULL)
-        return 0;
-
-    if (!CRYPTO_THREAD_write_lock(crngt_glob->lock))
-        return 0;
-
-    if (!crngt_glob->preloaded) {
-        if (!crngt_get_entropy(drbg->provctx, crngt_glob->md, buf,
-                               crngt_glob->crngt_prev, NULL)) {
-            OPENSSL_cleanse(buf, sizeof(buf));
-            goto unlock_return;
-        }
-        crngt_glob->preloaded = 1;
-    }
-
-    /*
-     * Calculate how many bytes of seed material we require, rounded up
-     * to the nearest byte.  If the entropy is of less than full quality,
-     * the amount required should be scaled up appropriately here.
-     */
-    bytes_needed = (entropy + 7) / 8;
-    if (bytes_needed < min_len)
-        bytes_needed = min_len;
-    if (bytes_needed > max_len)
-        goto unlock_return;
-    entp = ent = OPENSSL_secure_malloc(bytes_needed);
-    if (ent == NULL)
-        goto unlock_return;
-
-    OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg);
-    if (stcb != NULL) {
-        st = OSSL_SELF_TEST_new(stcb, stcbarg);
-        if (st == NULL)
-            goto err;
-        OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_CRNG,
-                               OSSL_SELF_TEST_DESC_RNG);
-    }
-
-    for (t = bytes_needed; t > 0;) {
-        /* Care needs to be taken to avoid overrunning the buffer */
-        s = t >= CRNGT_BUFSIZ ? CRNGT_BUFSIZ : t;
-        entbuf = t >= CRNGT_BUFSIZ ? entp : buf;
-        if (!crngt_get_entropy(drbg->provctx, crngt_glob->md, entbuf, md, &sz))
-            goto err;
-        if (t < CRNGT_BUFSIZ)
-            memcpy(entp, buf, t);
-        /* Force a failure here if the callback returns 1 */
-        if (OSSL_SELF_TEST_oncorrupt_byte(st, md))
-            memcpy(md, crngt_glob->crngt_prev, sz);
-        if (!prov_crngt_compare_previous(crngt_glob->crngt_prev, md, sz)) {
-            crng_test_pass = 0;
-            goto err;
-        }
-        /* Update for next block */
-        memcpy(crngt_glob->crngt_prev, md, sz);
-        entp += s;
-        t -= s;
-    }
-    r = bytes_needed;
-    *pout = ent;
-    ent = NULL;
-
- err:
-    OSSL_SELF_TEST_onend(st, crng_test_pass);
-    OSSL_SELF_TEST_free(st);
-    OPENSSL_secure_clear_free(ent, bytes_needed);
-
- unlock_return:
-    CRYPTO_THREAD_unlock(crngt_glob->lock);
-    return r;
-}
-
-void ossl_crngt_cleanup_entropy(ossl_unused PROV_DRBG *drbg,
-                                unsigned char *out, size_t outlen)
-{
-    OPENSSL_secure_clear_free(out, outlen);
-}
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c

index 255bf9b50748c0be9bca66b6091b46c3db604f19..f9aa5e2fae409f13e904fabe47ccb737bdf71132 100644 (file)
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -197,18 +197,12 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
      unsigned int p_str;
  
      if (drbg->parent == NULL)
-#ifdef FIPS_MODULE
-        return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
-                                      prediction_resistance);
-#else
          /*
           * In normal use (i.e. OpenSSL's own uses), this is never called.
-         * Outside of the FIPS provider, OpenSSL sets its DRBGs up so that
-         * they always have a parent.  This remains purely for legacy reasons.
+         * This remains purely for legacy reasons.
           */
          return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
                                       max_len);
-#endif
  
      if (drbg->parent_get_seed == NULL) {
          ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
@@ -251,11 +245,7 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
  static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
  {
      if (drbg->parent == NULL) {
-#ifdef FIPS_MODULE
-        ossl_crngt_cleanup_entropy(drbg, out, outlen);
-#else
          ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
-#endif
      } else if (drbg->parent_clear_seed != NULL) {
          if (!ossl_drbg_lock_parent(drbg))
              return;
diff --git a/providers/implementations/rands/fips_crng_test.c b/providers/implementations/rands/fips_crng_test.c

new file mode 100644 (file)

index 0000000..057ae6e
--- /dev/null
+++ b/providers/implementations/rands/fips_crng_test.c
@@ -0,0 +1,434 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Implementation of SP 800-90B section 4.4 Approved Continuous Health Tests.
+ */
+
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/params.h>
+#include <openssl/self_test.h>
+#include <openssl/proverr.h>
+#include "prov/providercommon.h"
+#include "prov/provider_ctx.h"
+#include "prov/implementations.h"
+#include "internal/cryptlib.h"
+#include "crypto/rand_pool.h"
+#include "drbg_local.h"
+#include "prov/seeding.h"
+#include "crypto/context.h"
+
+static OSSL_FUNC_rand_newctx_fn crng_test_new;
+static OSSL_FUNC_rand_freectx_fn crng_test_free;
+static OSSL_FUNC_rand_instantiate_fn crng_test_instantiate;
+static OSSL_FUNC_rand_uninstantiate_fn crng_test_uninstantiate;
+static OSSL_FUNC_rand_generate_fn crng_test_generate;
+static OSSL_FUNC_rand_reseed_fn crng_test_reseed;
+static OSSL_FUNC_rand_gettable_ctx_params_fn crng_test_gettable_ctx_params;
+static OSSL_FUNC_rand_get_ctx_params_fn crng_test_get_ctx_params;
+static OSSL_FUNC_rand_verify_zeroization_fn crng_test_verify_zeroization;
+static OSSL_FUNC_rand_enable_locking_fn crng_test_enable_locking;
+static OSSL_FUNC_rand_lock_fn crng_test_lock;
+static OSSL_FUNC_rand_unlock_fn crng_test_unlock;
+static OSSL_FUNC_rand_get_seed_fn crng_test_get_seed;
+static OSSL_FUNC_rand_clear_seed_fn crng_test_clear_seed;
+
+#ifndef ENTROPY_H
+# define ENTROPY_H 6    /* default to six bits per byte of entropy */
+#endif
+#ifndef ENTROPY_APT_W
+# define ENTROPY_APT_W 512
+#endif
+
+typedef struct crng_testal_st {
+    void *provctx;
+    CRYPTO_RWLOCK *lock;
+    int state;
+
+    /* State for SP 800-90B 4.4.1 Repetition Count Test */
+    struct {
+        unsigned int b;
+        uint8_t a;
+    } rct;
+
+    /* State for SP 800-90B 4.4.2 Adaptive Proportion Test */
+    struct {
+        unsigned int b;
+        unsigned int i;
+        uint8_t a;
+    } apt;
+
+    /* Parent PROV_RAND and its dispatch table functions */
+    void *parent;
+    OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking;
+    OSSL_FUNC_rand_lock_fn *parent_lock;
+    OSSL_FUNC_rand_unlock_fn *parent_unlock;
+    OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params;
+    OSSL_FUNC_rand_gettable_ctx_params_fn *parent_gettable_ctx_params;
+    OSSL_FUNC_rand_get_seed_fn *parent_get_seed;
+    OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed;
+} CRNG_TEST;
+
+/*
+ * Some helper functions
+ */
+static int lock_parent(CRNG_TEST *crngt)
+{
+    void *parent = crngt->parent;
+
+    if (parent != NULL
+            && crngt->parent_lock != NULL
+            && !crngt->parent_lock(parent)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
+        return 0;
+    }
+    return 1;
+}
+
+static void unlock_parent(CRNG_TEST *crngt)
+{
+    void *parent = crngt->parent;
+
+    if (parent != NULL && crngt->parent_unlock != NULL)
+        crngt->parent_unlock(parent);
+}
+
+/*
+ * Implementation of SP 800-90B section 4.4.1: Repetition Count Test
+ */
+static int RCT_test(CRNG_TEST *crngt, uint8_t next)
+{
+    /*
+     * Critical values for this test are computed using:
+     *
+     *      C = 1 + \left\lceil\frac{-log_2 \alpha}H\right\rceil
+     *
+     * where alpha = 2^-20 and H is the expected entropy per sample.
+     */
+    static const unsigned int rct_c[9] = {
+        41,                                 /* H = 0.5 */
+        21, 11, 8, 6, 5, 5, 4, 4            /* H = 1, ..., 8 */
+    };
+
+    if (ossl_likely(crngt->rct.b != 0)
+            && ossl_unlikely(next == crngt->rct.a))
+        return ossl_likely(++crngt->rct.b < rct_c[ENTROPY_H]);
+    crngt->rct.a = next;
+    crngt->rct.b = 1;
+    return 1;
+}
+
+/*
+ * Implementation of SP 800-90B section 4.4.2: Adaptive Proportion Test
+ */
+static int APT_test(CRNG_TEST *crngt, uint8_t next)
+{
+    /*
+     * Critical values for this test are drawn from a binomial
+     * distribution with n = 512, p = 2^-H at a critical threshold of
+     * 2^-20.  H being the expected entropy per sample.  Refer SP 800-90B
+     * section 4.4.2, table 2.
+     */
+    static const unsigned int apt_c[9] = {
+        410,                                /* H = 0.5 */
+        311, 177, 103, 62, 39, 25, 18, 13   /* H = 1, ..., 8 */
+    };
+
+    if (ossl_likely(crngt->apt.b != 0)) {
+        if (ossl_unlikely(crngt->apt.a == next)
+                && ossl_unlikely(++crngt->apt.b >= apt_c[ENTROPY_H])) {
+            crngt->apt.b = 0;
+            return 0;
+        }
+        if (ossl_unlikely(++crngt->apt.i >= ENTROPY_APT_W))
+            crngt->apt.b = 0;
+        return 1;
+    }
+    crngt->apt.a = next;
+    crngt->apt.b = 1;
+    crngt->apt.i = 1;
+    return 1;
+}
+
+static int crng_test(CRNG_TEST *crngt, const unsigned char *buf, size_t n)
+{
+    size_t i;
+
+    for (i = 0; i < n; i++)
+        if (!RCT_test(crngt, buf[i]) || !APT_test(crngt, buf[i])) {
+            crngt->state = EVP_RAND_STATE_ERROR;
+            ERR_raise(ERR_LIB_PROV,
+                      PROV_R_ENTROPY_SOURCE_FAILED_CONTINUOUS_TESTS);
+            return 0;
+        }
+    return 1;
+}
+
+static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
+                                      int function)
+{
+    if (dispatch != NULL)
+        while (dispatch->function_id != 0) {
+            if (dispatch->function_id == function)
+                return dispatch;
+            dispatch++;
+        }
+    return NULL;
+}
+
+static void *crng_test_new(void *provctx, void *parent,
+                           const OSSL_DISPATCH *p_dispatch)
+{
+    CRNG_TEST *crngt = OPENSSL_zalloc(sizeof(*crngt));
+    const OSSL_DISPATCH *pfunc;
+
+    if (crngt == NULL)
+        return NULL;
+
+    crngt->provctx = provctx;
+    crngt->state = EVP_RAND_STATE_UNINITIALISED;
+
+    /* Extract parent's functions */
+    if (parent != NULL) {
+        crngt->parent = parent;
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
+            crngt->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
+            crngt->parent_lock = OSSL_FUNC_rand_lock(pfunc);
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
+            crngt->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS)) != NULL)
+            crngt->parent_gettable_ctx_params = OSSL_FUNC_rand_gettable_ctx_params(pfunc);
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
+            crngt->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
+            crngt->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
+        if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
+            crngt->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
+    }
+
+    return crngt;
+}
+
+static void crng_test_free(void *vcrngt)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    if (crngt != NULL) {
+        CRYPTO_THREAD_lock_free(crngt->lock);
+        OPENSSL_free(crngt);
+    }
+}
+
+static int crng_test_instantiate(void *vcrngt, unsigned int strength,
+                                 int prediction_resistance,
+                                 const unsigned char *pstr,
+                                 size_t pstr_len,
+                                 ossl_unused const OSSL_PARAM params[])
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    /* Start up health tests should go here */
+    crngt->state = EVP_RAND_STATE_READY;
+    return 1;
+}
+
+static int crng_test_uninstantiate(void *vcrngt)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    crngt->state = EVP_RAND_STATE_UNINITIALISED;
+    return 1;
+}
+
+static int crng_test_generate(void *vcrngt, unsigned char *out, size_t outlen,
+                              unsigned int strength, int prediction_resistance,
+                              const unsigned char *adin, size_t adin_len)
+{
+    unsigned char *p;
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    if (!crng_test_get_seed(crngt, &p, 0, outlen, outlen, prediction_resistance,
+                            adin, adin_len))
+        return 0;
+    memcpy(out, p, outlen);
+    crng_test_clear_seed(crngt, p, outlen);
+    return 1;
+}
+
+static int crng_test_reseed(ossl_unused void *vcrngt,
+                            ossl_unused int prediction_resistance,
+                            ossl_unused const unsigned char *ent,
+                            ossl_unused size_t ent_len,
+                            ossl_unused const unsigned char *adin,
+                            ossl_unused size_t adin_len)
+{
+    return 1;
+}
+
+static int crng_test_verify_zeroization(ossl_unused void *vcrngt)
+{
+    return 1;
+}
+
+static size_t crng_test_get_seed(void *vcrngt, unsigned char **pout,
+                                 int entropy, size_t min_len,
+                                 size_t max_len,
+                                 int prediction_resistance,
+                                 const unsigned char *adin,
+                                 size_t adin_len)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+    size_t n;
+    int r = 0;
+
+    /* Without a parent, we rely on the up calls */
+    if (crngt->parent == NULL
+            || crngt->parent_get_seed == NULL) {
+        n = ossl_prov_get_entropy(crngt->provctx, pout, entropy,
+                                  min_len, max_len);
+        if (n == 0)
+            return 0;
+        r = crng_test(crngt, *pout, n);
+        return r > 0 ? n : 0;
+    }
+
+    /* Grab seed from our parent */
+    if (!crng_test_lock(crngt))
+        return 0;
+    if (!lock_parent(crngt)) {
+        crng_test_unlock(crngt);
+        return 0;
+    }
+    n = crngt->parent_get_seed(crngt->parent, pout, entropy,
+                               min_len, max_len, prediction_resistance,
+                               adin, adin_len);
+    unlock_parent(crngt);
+    if (n > 0)
+        r = crng_test(crngt, *pout, n);
+    crng_test_unlock(crngt);
+    if (n > 0 && r > 0)
+        return n;
+    if (crngt->parent_clear_seed != NULL)
+        crngt->parent_clear_seed(crngt->parent, *pout, n);
+    return 0;
+}
+
+static void crng_test_clear_seed(void *vcrngt,
+                                 unsigned char *out, size_t outlen)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    if (crngt->parent == NULL || crngt->parent_get_seed == NULL)
+        ossl_prov_cleanup_entropy(crngt->provctx, out, outlen);
+    else if (crngt->parent_clear_seed != NULL)
+        crngt->parent_clear_seed(crngt->parent, out, outlen);
+}
+
+static int crng_test_enable_locking(void *vcrngt)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    if (crngt != NULL && crngt->lock == NULL) {
+        if (crngt->parent_enable_locking != NULL)
+            if (!crngt->parent_enable_locking(crngt->parent)) {
+                ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
+                return 0;
+            }
+        crngt->lock = CRYPTO_THREAD_lock_new();
+        if (crngt->lock == NULL) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+static int crng_test_lock(ossl_unused void *vcrngt)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    return crngt->lock == NULL || CRYPTO_THREAD_write_lock(crngt->lock);
+}
+
+static void crng_test_unlock(ossl_unused void *vcrngt)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+
+    if (crngt->lock != NULL)
+        CRYPTO_THREAD_unlock(crngt->lock);
+}
+
+static int crng_test_get_ctx_params(void *vcrngt, OSSL_PARAM params[])
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+    OSSL_PARAM *p;
+
+    if (crngt->parent != NULL && crngt->parent_get_ctx_params != NULL)
+        return crngt->parent_get_ctx_params(crngt->parent, params);
+
+    /* No parent means we are using call backs for entropy */
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
+    if (p != NULL && !OSSL_PARAM_set_int(p, crngt->state))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
+    if (p != NULL && !OSSL_PARAM_set_int(p, 1024))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, 128))
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR);
+    if (p != NULL && !OSSL_PARAM_set_int(p, 0))
+        return 0;
+    return 1;
+}
+
+static const OSSL_PARAM *crng_test_gettable_ctx_params(void *vcrngt,
+                                                       void *provctx)
+{
+    CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
+    static const OSSL_PARAM known_gettable_ctx_params[] = {
+        OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL),
+        OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL),
+        OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),
+        OSSL_PARAM_int(OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR, NULL),
+        OSSL_PARAM_END
+    };
+
+    if (crngt->parent != NULL && crngt->parent_gettable_ctx_params != NULL)
+        return crngt->parent_gettable_ctx_params(crngt->parent, provctx);
+    return known_gettable_ctx_params;
+}
+
+const OSSL_DISPATCH ossl_crng_test_functions[] = {
+    { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))crng_test_new },
+    { OSSL_FUNC_RAND_FREECTX, (void(*)(void))crng_test_free },
+    { OSSL_FUNC_RAND_INSTANTIATE,
+      (void(*)(void))crng_test_instantiate },
+    { OSSL_FUNC_RAND_UNINSTANTIATE,
+      (void(*)(void))crng_test_uninstantiate },
+    { OSSL_FUNC_RAND_GENERATE, (void(*)(void))crng_test_generate },
+    { OSSL_FUNC_RAND_RESEED, (void(*)(void))crng_test_reseed },
+    { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))crng_test_enable_locking },
+    { OSSL_FUNC_RAND_LOCK, (void(*)(void))crng_test_lock },
+    { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))crng_test_unlock },
+    { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
+      (void(*)(void))crng_test_gettable_ctx_params },
+    { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))crng_test_get_ctx_params },
+    { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
+      (void(*)(void))crng_test_verify_zeroization },
+    { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))crng_test_get_seed },
+    { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))crng_test_clear_seed },
+    OSSL_DISPATCH_END
+};
author	Pauli <ppzgs1@gmail.com>
	Thu, 5 Sep 2024 00:24:07 +0000 (10:24 +1000)
committer	Pauli <ppzgs1@gmail.com>
	Wed, 18 Sep 2024 22:44:14 +0000 (08:44 +1000)
crypto/context.c		patch \| blob \| blame \| history
crypto/rand/rand_lib.c		patch \| blob \| blame \| history
include/internal/cryptlib.h		patch \| blob \| blame \| history
providers/fips/fipsprov.c		patch \| blob \| blame \| history
providers/implementations/include/prov/implementations.h		patch \| blob \| blame \| history
providers/implementations/include/prov/names.h		patch \| blob \| blame \| history
providers/implementations/rands/build.info		patch \| blob \| blame \| history
providers/implementations/rands/crngt.c	[deleted file]	patch \| blob \| blame \| history
providers/implementations/rands/drbg.c		patch \| blob \| blame \| history
providers/implementations/rands/fips_crng_test.c	[new file with mode: 0644]	patch \| blob