From: Pauli Date: Mon, 21 Jul 2025 02:13:47 +0000 (+1000) Subject: drbg: convert DRBGs to use generated ctx get param decoders X-Git-Tag: openssl-3.6.0-alpha1~160 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2044bc76793670e894c5ec895a73d0a6a3aaef96;p=thirdparty%2Fopenssl.git drbg: convert DRBGs to use generated ctx get param decoders Reviewed-by: Paul Yang Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/28143) --- diff --git a/providers/implementations/include/prov/drbg.h b/providers/implementations/include/prov/drbg.h index a4ae58e1f4a..917b21c48b2 100644 --- a/providers/implementations/include/prov/drbg.h +++ b/providers/implementations/include/prov/drbg.h @@ -213,8 +213,32 @@ OSSL_FUNC_rand_lock_fn ossl_drbg_lock; OSSL_FUNC_rand_unlock_fn ossl_drbg_unlock; /* Common parameters for all of our DRBGs */ -int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]); -int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[], +struct drbg_get_ctx_params_st { + OSSL_PARAM *state; + OSSL_PARAM *str; + OSSL_PARAM *maxreq; + OSSL_PARAM *minentlen; + OSSL_PARAM *maxentlen; + OSSL_PARAM *minnonlen; + OSSL_PARAM *maxnonlen; + OSSL_PARAM *maxperlen; + OSSL_PARAM *maxadlen; + OSSL_PARAM *reseed_cnt; + OSSL_PARAM *reseed_time; + OSSL_PARAM *reseed_req; + OSSL_PARAM *reseed_int; + OSSL_PARAM *ind; + OSSL_PARAM *cipher; /* CTR DRBG */ + OSSL_PARAM *df; /* CTR DRBG */ + OSSL_PARAM *digest; /* HASH & HMAC DRBG */ + OSSL_PARAM *mac; /* HMAC DRBG */ +}; + +int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, + const struct drbg_get_ctx_params_st *p); +int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, + const struct drbg_get_ctx_params_st *p, + const OSSL_PARAM params[], int *complete); struct drbg_set_ctx_params_st { diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index d1666059560..f4771794566 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -883,55 +883,54 @@ void ossl_rand_drbg_free(PROV_DRBG *drbg) * Helper function called by internal DRBG implementations. Assumes that at * least a read lock has been taken on drbg->lock */ -int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]) +int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, + const struct drbg_get_ctx_params_st *p) { - OSSL_PARAM *p; - - p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE); - if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state)) + if (p->state != NULL && !OSSL_PARAM_set_int(p->state, drbg->state)) return 0; - p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); - if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength)) + if (p->str != NULL && !OSSL_PARAM_set_int(p->str, drbg->strength)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen)) + if (p->minentlen != NULL + && !OSSL_PARAM_set_size_t(p->minentlen, drbg->min_entropylen)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen)) + if (p->maxentlen != NULL + && !OSSL_PARAM_set_size_t(p->maxentlen, drbg->max_entropylen)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen)) + if (p->minnonlen != NULL + && !OSSL_PARAM_set_size_t(p->minnonlen, drbg->min_noncelen)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen)) + if (p->maxnonlen != NULL + && !OSSL_PARAM_set_size_t(p->maxnonlen, drbg->max_noncelen)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen)) + if (p->maxperlen != NULL + && !OSSL_PARAM_set_size_t(p->maxperlen, drbg->max_perslen)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN); - if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen)) + if (p->maxadlen != NULL + && !OSSL_PARAM_set_size_t(p->maxadlen, drbg->max_adinlen)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS); - if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval)) + if (p->reseed_req != NULL + && !OSSL_PARAM_set_uint(p->reseed_req, drbg->reseed_interval)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME); - if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time)) + if (p->reseed_time != NULL + && !OSSL_PARAM_set_time_t(p->reseed_time, drbg->reseed_time)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL); - if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval)) + if (p->reseed_int != NULL + && !OSSL_PARAM_set_time_t(p->reseed_int, drbg->reseed_time_interval)) return 0; - if (!OSSL_FIPS_IND_GET_CTX_PARAM(drbg, params)) + + if (!OSSL_FIPS_IND_GET_CTX_FROM_PARAM(drbg, p->ind)) return 0; + return 1; } @@ -939,16 +938,15 @@ int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]) * Helper function to get certain params that require no lock to obtain. Sets * *complete to 1 if all the params were processed, or 0 otherwise */ -int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[], - int *complete) +int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, + const struct drbg_get_ctx_params_st *p, + const OSSL_PARAM params[], int *complete) { size_t cnt = 0; - OSSL_PARAM *p; /* This value never changes once set */ - p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); - if (p != NULL) { - if (!OSSL_PARAM_set_size_t(p, drbg->max_request)) + if (p->maxreq != NULL) { + if (!OSSL_PARAM_set_size_t(p->maxreq, drbg->max_request)) return 0; cnt++; } @@ -957,9 +955,8 @@ int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[], * Can be changed by multiple threads, but we tolerate inaccuracies in this * value. */ - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER); - if (p != NULL) { - if (!OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter))) + if (p->reseed_cnt != NULL) { + if (!OSSL_PARAM_set_uint(p->reseed_cnt, tsan_load(&drbg->reseed_counter))) return 0; cnt++; } diff --git a/providers/implementations/rands/drbg_ctr.c.in b/providers/implementations/rands/drbg_ctr.c.in index 675713139a3..2a19f71a968 100644 --- a/providers/implementations/rands/drbg_ctr.c.in +++ b/providers/implementations/rands/drbg_ctr.c.in @@ -350,7 +350,6 @@ static int drbg_ctr_instantiate_wrapper(void *vdrbg, unsigned int strength, if (drbg == NULL || !drbg_ctr_set_ctx_params_decoder(params, &p)) return 0; - if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock)) return 0; @@ -672,35 +671,59 @@ static void drbg_ctr_free(void *vdrbg) ossl_rand_drbg_free(drbg); } +#define drbg_ctr_get_ctx_params_st drbg_get_ctx_params_st + +{- produce_param_decoder('drbg_ctr_get_ctx_params', + (['DRBG_PARAM_CIPHER', 'cipher', 'utf8_string'], + ['DRBG_PARAM_USE_DF', 'df', 'int'], + ['RAND_PARAM_STATE', 'state', 'int'], + ['RAND_PARAM_STRENGTH', 'str', 'uint'], + ['RAND_PARAM_MAX_REQUEST', 'maxreq', 'size_t'], + ['DRBG_PARAM_MIN_ENTROPYLEN', 'minentlen', 'size_t'], + ['DRBG_PARAM_MAX_ENTROPYLEN', 'maxentlen', 'size_t'], + ['DRBG_PARAM_MIN_NONCELEN', 'minnonlen', 'size_t'], + ['DRBG_PARAM_MAX_NONCELEN', 'maxnonlen', 'size_t'], + ['DRBG_PARAM_MAX_PERSLEN', 'maxperlen', 'size_t'], + ['DRBG_PARAM_MAX_ADINLEN', 'maxadlen', 'size_t'], + ['DRBG_PARAM_RESEED_COUNTER', 'reseed_cnt', 'uint'], + ['DRBG_PARAM_RESEED_TIME', 'reseed_time', 'time_t'], + ['DRBG_PARAM_RESEED_REQUESTS', 'reseed_req', 'uint'], + ['DRBG_PARAM_RESEED_TIME_INTERVAL', 'reseed_int', 'uint64'], + ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int'], + )); -} + static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; - PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data; - OSSL_PARAM *p; + PROV_DRBG_CTR *ctr; + struct drbg_ctr_get_ctx_params_st p; int ret = 0, complete = 0; - if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete)) + if (drbg == NULL || !drbg_ctr_get_ctx_params_decoder(params, &p)) + return 0; + + if (!ossl_drbg_get_ctx_params_no_lock(drbg, &p, params, &complete)) return 0; if (complete) return 1; + ctr = (PROV_DRBG_CTR *)drbg->data; + if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_USE_DF); - if (p != NULL && !OSSL_PARAM_set_int(p, ctr->use_df)) + if (p.df != NULL && !OSSL_PARAM_set_int(p.df, ctr->use_df)) goto err; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_CIPHER); - if (p != NULL) { + if (p.cipher != NULL) { if (ctr->cipher_ctr == NULL - || !OSSL_PARAM_set_utf8_string(p, + || !OSSL_PARAM_set_utf8_string(p.cipher, EVP_CIPHER_get0_name(ctr->cipher_ctr))) goto err; } - ret = ossl_drbg_get_ctx_params(drbg, params); + ret = ossl_drbg_get_ctx_params(drbg, &p); err: if (drbg->lock != NULL) CRYPTO_THREAD_unlock(drbg->lock); @@ -711,14 +734,7 @@ static int drbg_ctr_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx, ossl_unused void *provctx) { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0), - OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL), - OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, - OSSL_FIPS_IND_GETTABLE_CTX_PARAM() - OSSL_PARAM_END - }; - return known_gettable_ctx_params; + return drbg_ctr_get_ctx_params_list; } static int drbg_ctr_set_ctx_params_locked(PROV_DRBG *ctx, diff --git a/providers/implementations/rands/drbg_hash.c.in b/providers/implementations/rands/drbg_hash.c.in index af1e578603e..e059d1d8c84 100644 --- a/providers/implementations/rands/drbg_hash.c.in +++ b/providers/implementations/rands/drbg_hash.c.in @@ -474,31 +474,56 @@ static void drbg_hash_free(void *vdrbg) ossl_rand_drbg_free(drbg); } +#define drbg_hash_get_ctx_params_st drbg_get_ctx_params_st + +{- produce_param_decoder('drbg_hash_get_ctx_params', + (['DRBG_PARAM_DIGEST', 'digest', 'utf8_string'], + ['RAND_PARAM_STATE', 'state', 'int'], + ['RAND_PARAM_STRENGTH', 'str', 'uint'], + ['RAND_PARAM_MAX_REQUEST', 'maxreq', 'size_t'], + ['DRBG_PARAM_MIN_ENTROPYLEN', 'minentlen', 'size_t'], + ['DRBG_PARAM_MAX_ENTROPYLEN', 'maxentlen', 'size_t'], + ['DRBG_PARAM_MIN_NONCELEN', 'minnonlen', 'size_t'], + ['DRBG_PARAM_MAX_NONCELEN', 'maxnonlen', 'size_t'], + ['DRBG_PARAM_MAX_PERSLEN', 'maxperlen', 'size_t'], + ['DRBG_PARAM_MAX_ADINLEN', 'maxadlen', 'size_t'], + ['DRBG_PARAM_RESEED_COUNTER', 'reseed_cnt', 'uint'], + ['DRBG_PARAM_RESEED_TIME', 'reseed_time', 'time_t'], + ['DRBG_PARAM_RESEED_REQUESTS', 'reseed_req', 'uint'], + ['DRBG_PARAM_RESEED_TIME_INTERVAL', 'reseed_int', 'uint64'], + ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int'], + )); -} + static int drbg_hash_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; - PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data; + PROV_DRBG_HASH *hash; const EVP_MD *md; - OSSL_PARAM *p; + struct drbg_get_ctx_params_st p; int ret = 0, complete = 0; - if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete)) + if (drbg == NULL || !drbg_hash_get_ctx_params_decoder(params, &p)) + return 0; + + if (!ossl_drbg_get_ctx_params_no_lock(drbg, &p, params, &complete)) return 0; if (complete) return 1; + hash = (PROV_DRBG_HASH *)drbg->data; + if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_DIGEST); - if (p != NULL) { + if (p.digest != NULL) { md = ossl_prov_digest_md(&hash->digest); - if (md == NULL || !OSSL_PARAM_set_utf8_string(p, EVP_MD_get0_name(md))) + if (md == NULL + || !OSSL_PARAM_set_utf8_string(p.digest, EVP_MD_get0_name(md))) goto err; } - ret = ossl_drbg_get_ctx_params(drbg, params); + ret = ossl_drbg_get_ctx_params(drbg, &p); err: if (drbg->lock != NULL) CRYPTO_THREAD_unlock(drbg->lock); @@ -509,13 +534,7 @@ static int drbg_hash_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) static const OSSL_PARAM *drbg_hash_gettable_ctx_params(ossl_unused void *vctx, ossl_unused void *p_ctx) { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), - OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, - OSSL_FIPS_IND_GETTABLE_CTX_PARAM() - OSSL_PARAM_END - }; - return known_gettable_ctx_params; + return drbg_hash_get_ctx_params_list; } static int drbg_fetch_digest_from_prov(const struct drbg_set_ctx_params_st *p, diff --git a/providers/implementations/rands/drbg_hmac.c.in b/providers/implementations/rands/drbg_hmac.c.in index 4b819dadbce..6b7a15c894e 100644 --- a/providers/implementations/rands/drbg_hmac.c.in +++ b/providers/implementations/rands/drbg_hmac.c.in @@ -366,41 +366,66 @@ static void drbg_hmac_free(void *vdrbg) ossl_rand_drbg_free(drbg); } +#define drbg_hmac_get_ctx_params_st drbg_get_ctx_params_st + +{- produce_param_decoder('drbg_hmac_get_ctx_params', + (['DRBG_PARAM_MAC', 'mac', 'utf8_string'], + ['DRBG_PARAM_DIGEST', 'digest', 'utf8_string'], + ['RAND_PARAM_STATE', 'state', 'int'], + ['RAND_PARAM_STRENGTH', 'str', 'uint'], + ['RAND_PARAM_MAX_REQUEST', 'maxreq', 'size_t'], + ['DRBG_PARAM_MIN_ENTROPYLEN', 'minentlen', 'size_t'], + ['DRBG_PARAM_MAX_ENTROPYLEN', 'maxentlen', 'size_t'], + ['DRBG_PARAM_MIN_NONCELEN', 'minnonlen', 'size_t'], + ['DRBG_PARAM_MAX_NONCELEN', 'maxnonlen', 'size_t'], + ['DRBG_PARAM_MAX_PERSLEN', 'maxperlen', 'size_t'], + ['DRBG_PARAM_MAX_ADINLEN', 'maxadlen', 'size_t'], + ['DRBG_PARAM_RESEED_COUNTER', 'reseed_cnt', 'uint'], + ['DRBG_PARAM_RESEED_TIME', 'reseed_time', 'time_t'], + ['DRBG_PARAM_RESEED_REQUESTS', 'reseed_req', 'uint'], + ['DRBG_PARAM_RESEED_TIME_INTERVAL', 'reseed_int', 'uint64'], + ['KDF_PARAM_FIPS_APPROVED_INDICATOR', 'ind', 'int'], + )); -} + static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) { PROV_DRBG *drbg = (PROV_DRBG *)vdrbg; - PROV_DRBG_HMAC *hmac = (PROV_DRBG_HMAC *)drbg->data; + PROV_DRBG_HMAC *hmac; const char *name; const EVP_MD *md; - OSSL_PARAM *p; + struct drbg_get_ctx_params_st p; int ret = 0, complete = 0; - if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete)) + if (drbg == NULL || !drbg_hmac_get_ctx_params_decoder(params, &p)) + return 0; + + if (!ossl_drbg_get_ctx_params_no_lock(drbg, &p, params, &complete)) return 0; if (complete) return 1; + hmac = (PROV_DRBG_HMAC *)drbg->data; + if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAC); - if (p != NULL) { + if (p.mac != NULL) { if (hmac->ctx == NULL) goto err; name = EVP_MAC_get0_name(EVP_MAC_CTX_get0_mac(hmac->ctx)); - if (!OSSL_PARAM_set_utf8_string(p, name)) + if (!OSSL_PARAM_set_utf8_string(p.mac, name)) goto err; } - p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_DIGEST); - if (p != NULL) { + if (p.digest != NULL) { md = ossl_prov_digest_md(&hmac->digest); - if (md == NULL || !OSSL_PARAM_set_utf8_string(p, EVP_MD_get0_name(md))) + if (md == NULL + || !OSSL_PARAM_set_utf8_string(p.digest, EVP_MD_get0_name(md))) goto err; } - ret = ossl_drbg_get_ctx_params(drbg, params); + ret = ossl_drbg_get_ctx_params(drbg, &p); err: if (drbg->lock != NULL) CRYPTO_THREAD_unlock(drbg->lock); @@ -411,14 +436,7 @@ static int drbg_hmac_get_ctx_params(void *vdrbg, OSSL_PARAM params[]) static const OSSL_PARAM *drbg_hmac_gettable_ctx_params(ossl_unused void *vctx, ossl_unused void *p_ctx) { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), - OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, - OSSL_FIPS_IND_GETTABLE_CTX_PARAM() - OSSL_PARAM_END - }; - return known_gettable_ctx_params; + return drbg_hmac_get_ctx_params_list; } static int drbg_fetch_algs_from_prov(const struct drbg_set_ctx_params_st *p, @@ -439,7 +457,7 @@ static int drbg_fetch_algs_from_prov(const struct drbg_set_ctx_params_st *p, if ((prov = ossl_provider_find(libctx, (const char *)p->prov->data, 1)) == NULL) return 0; - if (p->digest) { + if (p->digest != NULL) { if (p->digest->data_type != OSSL_PARAM_UTF8_STRING) goto done;