fips/rand/fips_drbg_lib.c

   1 /* fips/rand/fips_drbg_lib.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  */
  53
  54 #define OPENSSL_FIPSAPI
  55
  56 #include <string.h>
  57 #include <openssl/crypto.h>
  58 #include <openssl/evp.h>
  59 #include <openssl/aes.h>
  60 #include <openssl/err.h>
  61 #include <openssl/fips_rand.h>
  62 #include "fips_rand_lcl.h"
  63
  64 /* Support framework for SP800-90 DRBGs */
  65
  66 static int fips_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
  67         {
  68         int rv;
  69         memset(dctx, 0, sizeof(DRBG_CTX));
  70         dctx->status = DRBG_STATUS_UNINITIALISED;
  71         dctx->flags = flags;
  72         dctx->type = type;
  73
  74         rv = fips_drbg_hash_init(dctx);
  75
  76         if (rv == -2)
  77                 rv = fips_drbg_ctr_init(dctx);
  78
  79         return rv;
  80         }
  81
  82 DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
  83         {
  84         int rv;
  85         DRBG_CTX *dctx;
  86         dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
  87         if (!dctx)
  88                 {
  89                 FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
  90                 return NULL;
  91                 }
  92         rv = fips_drbg_init(dctx, type, flags);
  93
  94         if (rv <= 0)
  95                 {
  96                 if (rv == -2)
  97                         FIPSerr(FIPS_F_FIPS_DRBG_NEW, FIPS_R_UNSUPPORTED_DRBG_TYPE);
  98                 else
  99                         FIPSerr(FIPS_F_FIPS_DRBG_NEW, FIPS_R_ERROR_INITIALISING_DRBG);
 100
 101                 OPENSSL_free(dctx);
 102                 return NULL;
 103                 }
 104         return dctx;
 105         }
 106
 107 void FIPS_drbg_free(DRBG_CTX *dctx)
 108         {
 109         dctx->uninstantiate(dctx);
 110         OPENSSL_cleanse(dctx, sizeof(DRBG_CTX));
 111         OPENSSL_free(dctx);
 112         }
 113
 114 int FIPS_drbg_instantiate(DRBG_CTX *dctx,
 115                                 int strength,
 116                                 const unsigned char *pers, size_t perslen)
 117         {
 118         size_t entlen, noncelen;
 119
 120 #if 0
 121         /* Put here so error script picks them up */
 122         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
 123                                 FIPS_R_PERSONALISATION_STRING_TOO_LONG);
 124         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
 125         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
 126         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
 127         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
 128         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
 129 #endif
 130
 131         int r = 0;
 132
 133         if (perslen > dctx->max_pers)
 134                 {
 135                 r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
 136                 goto end;
 137                 }
 138
 139         if (dctx->status != DRBG_STATUS_UNINITIALISED)
 140                 {
 141                 if (dctx->status == DRBG_STATUS_ERROR)
 142                         r = FIPS_R_IN_ERROR_STATE;
 143                 else
 144                         r = FIPS_R_ALREADY_INSTANTIATED;
 145                 goto end;
 146                 }
 147
 148         if (strength > dctx->strength)
 149                 {
 150                 r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
 151                 goto end;
 152                 }
 153
 154         dctx->status = DRBG_STATUS_ERROR;
 155
 156         entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
 157                                 dctx->min_entropy, dctx->max_entropy);
 158
 159         if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
 160                 {
 161                 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
 162                 goto end;
 163                 }
 164
 165         if (dctx->max_nonce > 0)
 166                 {
 167
 168                 noncelen = dctx->get_nonce(dctx, dctx->nonce,
 169                                         dctx->strength / 2,
 170                                         dctx->min_nonce, dctx->max_nonce);
 171
 172                 if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
 173                         {
 174                         r = FIPS_R_ERROR_RETRIEVING_NONCE;
 175                         goto end;
 176                         }
 177
 178                 }
 179         else
 180                 noncelen = 0;
 181
 182         if (!dctx->instantiate(dctx,
 183                                 dctx->entropy, entlen,
 184                                 dctx->nonce, noncelen,
 185                                 pers, perslen))
 186                 {
 187                 r = FIPS_R_ERROR_INSTANTIATING_DRBG;
 188                 goto end;
 189                 }
 190
 191
 192         dctx->status = DRBG_STATUS_READY;
 193         dctx->reseed_counter = 1;
 194         /* Initial test value for reseed interval */
 195         dctx->reseed_interval = 1<<24;
 196
 197         end:
 198
 199         OPENSSL_cleanse(dctx->entropy, sizeof(dctx->entropy));
 200         OPENSSL_cleanse(dctx->nonce, sizeof(dctx->nonce));
 201
 202         if (dctx->status == DRBG_STATUS_READY)
 203                 return 1;
 204
 205         if (r && !(dctx->flags & DRBG_FLAG_TEST))
 206                 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
 207
 208         return 0;
 209
 210         }
 211
 212 int FIPS_drbg_reseed(DRBG_CTX *dctx,
 213                         const unsigned char *adin, size_t adinlen)
 214         {
 215         size_t entlen;
 216         int r = 0;
 217
 218 #if 0
 219         FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
 220         FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
 221 #endif
 222         if (dctx->status != DRBG_STATUS_READY
 223                 && dctx->status != DRBG_STATUS_RESEED)
 224                 {
 225                 if (dctx->status == DRBG_STATUS_ERROR)
 226                         r = FIPS_R_IN_ERROR_STATE;
 227                 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
 228                         r = FIPS_R_NOT_INSTANTIATED;
 229                 goto end;
 230                 }
 231
 232         if (!adin)
 233                 adinlen = 0;
 234         else if (adinlen > dctx->max_adin)
 235                 {
 236                 r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
 237                 goto end;
 238                 }
 239
 240         dctx->status = DRBG_STATUS_ERROR;
 241
 242         entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
 243                                 dctx->min_entropy, dctx->max_entropy);
 244
 245         if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
 246                 {
 247                 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
 248                 goto end;
 249                 }
 250
 251         if (!dctx->reseed(dctx, dctx->entropy, entlen, adin, adinlen))
 252                 goto end;
 253
 254         dctx->status = DRBG_STATUS_READY;
 255         dctx->reseed_counter = 1;
 256         end:
 257         OPENSSL_cleanse(dctx->entropy, sizeof(dctx->entropy));
 258
 259         if (dctx->status == DRBG_STATUS_READY)
 260                 return 1;
 261
 262         if (r && !(dctx->flags & DRBG_FLAG_TEST))
 263                 FIPSerr(FIPS_F_FIPS_DRBG_RESEED, r);
 264
 265         return 0;
 266         }
 267
 268
 269 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
 270                         int strength, int prediction_resistance,
 271                         const unsigned char *adin, size_t adinlen)
 272         {
 273         int r = 0;
 274         if (outlen > dctx->max_request)
 275                 {
 276                 r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
 277                 return 0;
 278                 }
 279
 280         if (strength > dctx->strength)
 281                 {
 282                 r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
 283                 goto end;
 284                 }
 285
 286         if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
 287                 {
 288                 if (!FIPS_drbg_reseed(dctx, adin, adinlen))
 289                         {
 290                         r = FIPS_R_RESEED_ERROR;
 291                         goto end;
 292                         }
 293                 adin = NULL;
 294                 adinlen = 0;
 295                 }
 296         if (dctx->status != DRBG_STATUS_READY)
 297                 {
 298                 if (dctx->status == DRBG_STATUS_ERROR)
 299                         r = FIPS_R_IN_ERROR_STATE;
 300                 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
 301                         r = FIPS_R_NOT_INSTANTIATED;
 302                 goto end;
 303                 }
 304         if (!dctx->generate(dctx, out, outlen, adin, adinlen))
 305                 {
 306                 r = FIPS_R_GENERATE_ERROR;
 307                 dctx->status = DRBG_STATUS_ERROR;
 308                 goto end;
 309                 }
 310         if (dctx->reseed_counter > dctx->reseed_interval)
 311                 dctx->status = DRBG_STATUS_RESEED;
 312         else
 313                 dctx->reseed_counter++;
 314
 315         end:
 316         if (r)
 317                 {
 318                 if (!(dctx->flags & DRBG_FLAG_TEST))
 319                         FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
 320                 return 0;
 321                 }
 322
 323         return 1;
 324         }
 325
 326 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
 327         {
 328         int save_type, save_flags, rv;
 329         save_type = dctx->type;
 330         save_flags = dctx->flags;
 331         rv = dctx->uninstantiate(dctx);
 332         OPENSSL_cleanse(dctx, sizeof(DRBG_CTX));
 333         /* If method has problems uninstantiating, return error */
 334         if (rv <= 0)
 335                 return rv;
 336         return fips_drbg_init(dctx, save_type, save_flags);
 337         }
 338
 339 int FIPS_drbg_set_test_mode(DRBG_CTX *dctx,
 340         size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char *out,
 341                                 int entropy, size_t min_len, size_t max_len),
 342         size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char *out,
 343                                 int entropy, size_t min_len, size_t max_len))
 344         {
 345         if (dctx->status != DRBG_STATUS_UNINITIALISED)
 346                 return 0;
 347         dctx->flags |= DRBG_FLAG_TEST;
 348         dctx->get_entropy = get_entropy;
 349         dctx->get_nonce = get_nonce;
 350         return 1;
 351         }
 352
 353 void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
 354         {
 355         return dctx->app_data;
 356         }
 357
 358 void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
 359         {
 360         dctx->app_data = app_data;
 361         }
 362
 363 size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
 364         {
 365         return dctx->blocklength;
 366         }
 367
 368 int FIPS_drbg_get_strength(DRBG_CTX *dctx)
 369         {
 370         return dctx->strength;
 371         }