fips/rand/fips_drbg_lib.c

   1 /* fips/rand/fips_drbg_lib.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  */
  53
  54 #define OPENSSL_FIPSAPI
  55
  56 #include <string.h>
  57 #include <openssl/crypto.h>
  58 #include <openssl/evp.h>
  59 #include <openssl/aes.h>
  60 #include <openssl/err.h>
  61 #include <openssl/fips_rand.h>
  62 #include "fips_rand_lcl.h"
  63
  64 /* Support framework for SP800-90 DRBGs */
  65
  66 int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
  67         {
  68         int rv;
  69         memset(dctx, 0, sizeof(DRBG_CTX));
  70         dctx->status = DRBG_STATUS_UNINITIALISED;
  71         dctx->flags = flags;
  72         dctx->type = type;
  73
  74         rv = fips_drbg_hash_init(dctx);
  75
  76         if (rv == -2)
  77                 rv = fips_drbg_ctr_init(dctx);
  78
  79         if (rv <= 0)
  80                 {
  81                 if (rv == -2)
  82                         FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
  83                 else
  84                         FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
  85                 }
  86
  87         return rv;
  88         }
  89
  90 DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
  91         {
  92         int rv;
  93         DRBG_CTX *dctx;
  94         dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
  95         if (!dctx)
  96                 {
  97                 FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
  98                 return NULL;
  99                 }
 100         if (type == 0)
 101                 return dctx;
 102         rv = FIPS_drbg_init(dctx, type, flags);
 103
 104         if (FIPS_drbg_init(dctx, type, flags) <= 0)
 105                 {
 106                 OPENSSL_free(dctx);
 107                 return NULL;
 108                 }
 109
 110         return dctx;
 111         }
 112
 113 void FIPS_drbg_free(DRBG_CTX *dctx)
 114         {
 115         dctx->uninstantiate(dctx);
 116         OPENSSL_cleanse(dctx, sizeof(DRBG_CTX));
 117         OPENSSL_free(dctx);
 118         }
 119
 120 int FIPS_drbg_instantiate(DRBG_CTX *dctx,
 121                                 int strength,
 122                                 const unsigned char *pers, size_t perslen)
 123         {
 124         size_t entlen, noncelen;
 125
 126 #if 0
 127         /* Put here so error script picks them up */
 128         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
 129                                 FIPS_R_PERSONALISATION_STRING_TOO_LONG);
 130         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
 131         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
 132         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
 133         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
 134         FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
 135 #endif
 136
 137         int r = 0;
 138
 139         if (perslen > dctx->max_pers)
 140                 {
 141                 r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
 142                 goto end;
 143                 }
 144
 145         if (dctx->status != DRBG_STATUS_UNINITIALISED)
 146                 {
 147                 if (dctx->status == DRBG_STATUS_ERROR)
 148                         r = FIPS_R_IN_ERROR_STATE;
 149                 else
 150                         r = FIPS_R_ALREADY_INSTANTIATED;
 151                 goto end;
 152                 }
 153
 154         if (strength > dctx->strength)
 155                 {
 156                 r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
 157                 goto end;
 158                 }
 159
 160         dctx->status = DRBG_STATUS_ERROR;
 161
 162         entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
 163                                 dctx->min_entropy, dctx->max_entropy);
 164
 165         if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
 166                 {
 167                 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
 168                 goto end;
 169                 }
 170
 171         if (dctx->max_nonce > 0)
 172                 {
 173
 174                 noncelen = dctx->get_nonce(dctx, dctx->nonce,
 175                                         dctx->strength / 2,
 176                                         dctx->min_nonce, dctx->max_nonce);
 177
 178                 if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
 179                         {
 180                         r = FIPS_R_ERROR_RETRIEVING_NONCE;
 181                         goto end;
 182                         }
 183
 184                 }
 185         else
 186                 noncelen = 0;
 187
 188         if (!dctx->instantiate(dctx,
 189                                 dctx->entropy, entlen,
 190                                 dctx->nonce, noncelen,
 191                                 pers, perslen))
 192                 {
 193                 r = FIPS_R_ERROR_INSTANTIATING_DRBG;
 194                 goto end;
 195                 }
 196
 197
 198         dctx->status = DRBG_STATUS_READY;
 199         dctx->reseed_counter = 1;
 200         /* Initial test value for reseed interval */
 201         dctx->reseed_interval = 1<<24;
 202
 203         end:
 204
 205         OPENSSL_cleanse(dctx->entropy, sizeof(dctx->entropy));
 206         OPENSSL_cleanse(dctx->nonce, sizeof(dctx->nonce));
 207
 208         if (dctx->status == DRBG_STATUS_READY)
 209                 return 1;
 210
 211         if (r && !(dctx->flags & DRBG_FLAG_TEST))
 212                 FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
 213
 214         return 0;
 215
 216         }
 217
 218 int FIPS_drbg_reseed(DRBG_CTX *dctx,
 219                         const unsigned char *adin, size_t adinlen)
 220         {
 221         size_t entlen;
 222         int r = 0;
 223
 224 #if 0
 225         FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
 226         FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
 227 #endif
 228         if (dctx->status != DRBG_STATUS_READY
 229                 && dctx->status != DRBG_STATUS_RESEED)
 230                 {
 231                 if (dctx->status == DRBG_STATUS_ERROR)
 232                         r = FIPS_R_IN_ERROR_STATE;
 233                 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
 234                         r = FIPS_R_NOT_INSTANTIATED;
 235                 goto end;
 236                 }
 237
 238         if (!adin)
 239                 adinlen = 0;
 240         else if (adinlen > dctx->max_adin)
 241                 {
 242                 r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
 243                 goto end;
 244                 }
 245
 246         dctx->status = DRBG_STATUS_ERROR;
 247
 248         entlen = dctx->get_entropy(dctx, dctx->entropy, dctx->strength,
 249                                 dctx->min_entropy, dctx->max_entropy);
 250
 251         if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
 252                 {
 253                 r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
 254                 goto end;
 255                 }
 256
 257         if (!dctx->reseed(dctx, dctx->entropy, entlen, adin, adinlen))
 258                 goto end;
 259
 260         dctx->status = DRBG_STATUS_READY;
 261         dctx->reseed_counter = 1;
 262         end:
 263         OPENSSL_cleanse(dctx->entropy, sizeof(dctx->entropy));
 264
 265         if (dctx->status == DRBG_STATUS_READY)
 266                 return 1;
 267
 268         if (r && !(dctx->flags & DRBG_FLAG_TEST))
 269                 FIPSerr(FIPS_F_FIPS_DRBG_RESEED, r);
 270
 271         return 0;
 272         }
 273
 274
 275 int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
 276                         int strength, int prediction_resistance,
 277                         const unsigned char *adin, size_t adinlen)
 278         {
 279         int r = 0;
 280         if (outlen > dctx->max_request)
 281                 {
 282                 r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
 283                 return 0;
 284                 }
 285
 286         if (strength > dctx->strength)
 287                 {
 288                 r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
 289                 goto end;
 290                 }
 291
 292         if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
 293                 {
 294                 if (!FIPS_drbg_reseed(dctx, adin, adinlen))
 295                         {
 296                         r = FIPS_R_RESEED_ERROR;
 297                         goto end;
 298                         }
 299                 adin = NULL;
 300                 adinlen = 0;
 301                 }
 302         if (dctx->status != DRBG_STATUS_READY)
 303                 {
 304                 if (dctx->status == DRBG_STATUS_ERROR)
 305                         r = FIPS_R_IN_ERROR_STATE;
 306                 else if(dctx->status == DRBG_STATUS_UNINITIALISED)
 307                         r = FIPS_R_NOT_INSTANTIATED;
 308                 goto end;
 309                 }
 310         if (!dctx->generate(dctx, out, outlen, adin, adinlen))
 311                 {
 312                 r = FIPS_R_GENERATE_ERROR;
 313                 dctx->status = DRBG_STATUS_ERROR;
 314                 goto end;
 315                 }
 316         if (dctx->reseed_counter > dctx->reseed_interval)
 317                 dctx->status = DRBG_STATUS_RESEED;
 318         else
 319                 dctx->reseed_counter++;
 320
 321         end:
 322         if (r)
 323                 {
 324                 if (!(dctx->flags & DRBG_FLAG_TEST))
 325                         FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
 326                 return 0;
 327                 }
 328
 329         return 1;
 330         }
 331
 332 int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
 333         {
 334         int save_type, save_flags, rv;
 335         save_type = dctx->type;
 336         save_flags = dctx->flags;
 337         rv = dctx->uninstantiate(dctx);
 338         OPENSSL_cleanse(dctx, sizeof(DRBG_CTX));
 339         /* If method has problems uninstantiating, return error */
 340         return rv;
 341         }
 342
 343 int FIPS_drbg_set_test_mode(DRBG_CTX *dctx,
 344         size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char *out,
 345                                 int entropy, size_t min_len, size_t max_len),
 346         size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char *out,
 347                                 int entropy, size_t min_len, size_t max_len))
 348         {
 349         if (dctx->status != DRBG_STATUS_UNINITIALISED)
 350                 return 0;
 351         dctx->flags |= DRBG_FLAG_TEST;
 352         dctx->get_entropy = get_entropy;
 353         dctx->get_nonce = get_nonce;
 354         return 1;
 355         }
 356
 357 void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
 358         {
 359         return dctx->app_data;
 360         }
 361
 362 void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
 363         {
 364         dctx->app_data = app_data;
 365         }
 366
 367 size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
 368         {
 369         return dctx->blocklength;
 370         }
 371
 372 int FIPS_drbg_get_strength(DRBG_CTX *dctx)
 373         {
 374         return dctx->strength;
 375         }