fips/rand/fips_rand.c

   1 /* ====================================================================
   2  * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    openssl-core@openssl.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  *
  48  */
  49
  50 #define OPENSSL_FIPSAPI
  51
  52 /*
  53  * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
  54  */
  55 #include <openssl/crypto.h>
  56 #include "e_os.h"
  57
  58 /* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
  59    be defined and gettimeofday() won't be declared with strict compilers
  60    like DEC C in ANSI C mode.  */
  61 #ifndef _XOPEN_SOURCE_EXTENDED
  62 #define _XOPEN_SOURCE_EXTENDED 1
  63 #endif
  64
  65 #include <openssl/rand.h>
  66 #include <openssl/aes.h>
  67 #include <openssl/err.h>
  68 #include <openssl/fips_rand.h>
  69 #if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
  70 # include <sys/time.h>
  71 #endif
  72 #if defined(OPENSSL_SYS_VXWORKS)
  73 # include <time.h>
  74 #endif
  75 #include <assert.h>
  76 #ifndef OPENSSL_SYS_WIN32
  77 # ifdef OPENSSL_UNISTD
  78 #  include OPENSSL_UNISTD
  79 # else
  80 #  include <unistd.h>
  81 # endif
  82 #endif
  83 #include <string.h>
  84 #include <openssl/fips.h>
  85 #include "fips_locl.h"
  86
  87 #ifdef OPENSSL_FIPS
  88
  89 void *OPENSSL_stderr(void);
  90
  91 #define AES_BLOCK_LENGTH        16
  92
  93
  94 /* AES FIPS PRNG implementation */
  95
  96 typedef struct
  97         {
  98         int seeded;
  99         int keyed;
 100         int test_mode;
 101         int second;
 102         int error;
 103         unsigned long counter;
 104         AES_KEY ks;
 105         int vpos;
 106         /* Temporary storage for key if it equals seed length */
 107         unsigned char tmp_key[AES_BLOCK_LENGTH];
 108         unsigned char V[AES_BLOCK_LENGTH];
 109         unsigned char DT[AES_BLOCK_LENGTH];
 110         unsigned char last[AES_BLOCK_LENGTH];
 111         } FIPS_PRNG_CTX;
 112
 113 static FIPS_PRNG_CTX sctx;
 114
 115 static int fips_prng_fail = 0;
 116
 117 void FIPS_x931_stick(void)
 118         {
 119         fips_prng_fail = 1;
 120         }
 121
 122 static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
 123         {
 124         ctx->seeded = 0;
 125         ctx->keyed = 0;
 126         ctx->test_mode = 0;
 127         ctx->counter = 0;
 128         ctx->second = 0;
 129         ctx->error = 0;
 130         ctx->vpos = 0;
 131         OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
 132         OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
 133         }
 134
 135
 136 static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
 137                         const unsigned char *key, unsigned int keylen)
 138         {
 139         if (FIPS_selftest_failed())
 140                 {
 141                 FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
 142                 return 0;
 143                 }
 144         if (keylen != 16 && keylen != 24 && keylen != 32)
 145                 {
 146                 /* error: invalid key size */
 147                 return 0;
 148                 }
 149         AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
 150         if (keylen == 16)
 151                 {
 152                 memcpy(ctx->tmp_key, key, 16);
 153                 ctx->keyed = 2;
 154                 }
 155         else
 156                 ctx->keyed = 1;
 157         ctx->seeded = 0;
 158         ctx->second = 0;
 159         return 1;
 160         }
 161
 162 static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
 163                         const unsigned char *seed, unsigned int seedlen)
 164         {
 165         unsigned int i;
 166         if (!ctx->keyed)
 167                 return 0;
 168         /* In test mode seed is just supplied data */
 169         if (ctx->test_mode)
 170                 {
 171                 if (seedlen != AES_BLOCK_LENGTH)
 172                         return 0;
 173                 memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
 174                 ctx->seeded = 1;
 175                 return 1;
 176                 }
 177         /* Outside test mode XOR supplied data with existing seed */
 178         for (i = 0; i < seedlen; i++)
 179                 {
 180                 ctx->V[ctx->vpos++] ^= seed[i];
 181                 if (ctx->vpos == AES_BLOCK_LENGTH)
 182                         {
 183                         ctx->vpos = 0;
 184                         /* Special case if first seed and key length equals
 185                          * block size check key and seed do not match.
 186                          */
 187                         if (ctx->keyed == 2)
 188                                 {
 189                                 if (!memcmp(ctx->tmp_key, ctx->V, 16))
 190                                         {
 191                                         RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
 192                                                 RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
 193                                         return 0;
 194                                         }
 195                                 OPENSSL_cleanse(ctx->tmp_key, 16);
 196                                 ctx->keyed = 1;
 197                                 }
 198                         ctx->seeded = 1;
 199                         }
 200                 }
 201         return 1;
 202         }
 203
 204 static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
 205         {
 206         if (ctx->keyed)
 207                 {
 208                 RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
 209                 return 0;
 210                 }
 211         ctx->test_mode = 1;
 212         return 1;
 213         }
 214
 215 int FIPS_x931_test_mode(void)
 216         {
 217         return fips_set_test_mode(&sctx);
 218         }
 219
 220 int FIPS_x931_set_dt(unsigned char *dt)
 221         {
 222         if (!sctx.test_mode)
 223                 {
 224                 RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
 225                 return 0;
 226                 }
 227         memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
 228         return 1;
 229         }
 230
 231 void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
 232         {
 233 #ifdef OPENSSL_SYS_WIN32
 234         FILETIME ft;
 235 #elif defined(OPENSSL_SYS_VXWORKS)
 236         struct timespec ts;
 237 #else
 238         struct timeval tv;
 239 #endif
 240
 241 #ifndef GETPID_IS_MEANINGLESS
 242         unsigned long pid;
 243 #endif
 244
 245 #ifdef OPENSSL_SYS_WIN32
 246         GetSystemTimeAsFileTime(&ft);
 247         buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
 248         buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
 249         buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
 250         buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
 251         buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
 252         buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
 253         buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
 254         buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
 255 #elif defined(OPENSSL_SYS_VXWORKS)
 256         clock_gettime(CLOCK_REALTIME, &ts);
 257         buf[0] = (unsigned char) (ts.tv_sec & 0xff);
 258         buf[1] = (unsigned char) ((ts.tv_sec >> 8) & 0xff);
 259         buf[2] = (unsigned char) ((ts.tv_sec >> 16) & 0xff);
 260         buf[3] = (unsigned char) ((ts.tv_sec >> 24) & 0xff);
 261         buf[4] = (unsigned char) (ts.tv_nsec & 0xff);
 262         buf[5] = (unsigned char) ((ts.tv_nsec >> 8) & 0xff);
 263         buf[6] = (unsigned char) ((ts.tv_nsec >> 16) & 0xff);
 264         buf[7] = (unsigned char) ((ts.tv_nsec >> 24) & 0xff);
 265 #else
 266         gettimeofday(&tv,NULL);
 267         buf[0] = (unsigned char) (tv.tv_sec & 0xff);
 268         buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
 269         buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
 270         buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
 271         buf[4] = (unsigned char) (tv.tv_usec & 0xff);
 272         buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
 273         buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
 274         buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
 275 #endif
 276         buf[8] = (unsigned char) (*pctr & 0xff);
 277         buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
 278         buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
 279         buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
 280
 281         (*pctr)++;
 282
 283
 284 #ifndef GETPID_IS_MEANINGLESS
 285         pid=(unsigned long)getpid();
 286         buf[12] = (unsigned char) (pid & 0xff);
 287         buf[13] = (unsigned char) ((pid >> 8) & 0xff);
 288         buf[14] = (unsigned char) ((pid >> 16) & 0xff);
 289         buf[15] = (unsigned char) ((pid >> 24) & 0xff);
 290 #endif
 291     }
 292
 293 static int fips_rand(FIPS_PRNG_CTX *ctx,
 294                         unsigned char *out, unsigned int outlen)
 295         {
 296         unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
 297         unsigned char tmp[AES_BLOCK_LENGTH];
 298         int i;
 299         if (ctx->error)
 300                 {
 301                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
 302                 return 0;
 303                 }
 304         if (!ctx->keyed)
 305                 {
 306                 RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
 307                 return 0;
 308                 }
 309         if (!ctx->seeded)
 310                 {
 311                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
 312                 return 0;
 313                 }
 314         for (;;)
 315                 {
 316                 if (!ctx->test_mode)
 317                         FIPS_get_timevec(ctx->DT, &ctx->counter);
 318                 AES_encrypt(ctx->DT, I, &ctx->ks);
 319                 for (i = 0; i < AES_BLOCK_LENGTH; i++)
 320                         tmp[i] = I[i] ^ ctx->V[i];
 321                 AES_encrypt(tmp, R, &ctx->ks);
 322                 for (i = 0; i < AES_BLOCK_LENGTH; i++)
 323                         tmp[i] = R[i] ^ I[i];
 324                 AES_encrypt(tmp, ctx->V, &ctx->ks);
 325                 /* Continuous PRNG test */
 326                 if (ctx->second)
 327                         {
 328                         if (fips_prng_fail)
 329                                 memcpy(ctx->last, R, AES_BLOCK_LENGTH);
 330                         if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
 331                                 {
 332                                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
 333                                 ctx->error = 1;
 334                                 fips_set_selftest_fail();
 335                                 return 0;
 336                                 }
 337                         }
 338                 memcpy(ctx->last, R, AES_BLOCK_LENGTH);
 339                 if (!ctx->second)
 340                         {
 341                         ctx->second = 1;
 342                         if (!ctx->test_mode)
 343                                 continue;
 344                         }
 345
 346                 if (outlen <= AES_BLOCK_LENGTH)
 347                         {
 348                         memcpy(out, R, outlen);
 349                         break;
 350                         }
 351
 352                 memcpy(out, R, AES_BLOCK_LENGTH);
 353                 out += AES_BLOCK_LENGTH;
 354                 outlen -= AES_BLOCK_LENGTH;
 355                 }
 356         return 1;
 357         }
 358
 359
 360 int FIPS_x931_set_key(const unsigned char *key, int keylen)
 361         {
 362         int ret;
 363         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 364         ret = fips_set_prng_key(&sctx, key, keylen);
 365         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 366         return ret;
 367         }
 368
 369 int FIPS_x931_seed(const void *seed, int seedlen)
 370         {
 371         int ret;
 372         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 373         ret = fips_set_prng_seed(&sctx, seed, seedlen);
 374         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 375         return ret;
 376         }
 377
 378
 379 int FIPS_x931_bytes(unsigned char *out, int count)
 380         {
 381         int ret;
 382         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 383         ret = fips_rand(&sctx, out, count);
 384         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 385         return ret;
 386         }
 387
 388 int FIPS_x931_status(void)
 389         {
 390         int ret;
 391         CRYPTO_r_lock(CRYPTO_LOCK_RAND);
 392         ret = sctx.seeded;
 393         CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
 394         return ret;
 395         }
 396
 397 void FIPS_x931_reset(void)
 398         {
 399         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 400         fips_rand_prng_reset(&sctx);
 401         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 402         }
 403
 404 static int fips_do_rand_seed(const void *seed, int seedlen)
 405         {
 406         FIPS_x931_seed(seed, seedlen);
 407         return 1;
 408         }
 409
 410 static int fips_do_rand_add(const void *seed, int seedlen,
 411                                         double add_entropy)
 412         {
 413         FIPS_x931_seed(seed, seedlen);
 414         return 1;
 415         }
 416
 417 static const RAND_METHOD rand_x931_meth=
 418     {
 419     fips_do_rand_seed,
 420     FIPS_x931_bytes,
 421     FIPS_x931_reset,
 422     fips_do_rand_add,
 423     FIPS_x931_bytes,
 424     FIPS_x931_status
 425     };
 426
 427 const RAND_METHOD *FIPS_x931_method(void)
 428 {
 429   return &rand_x931_meth;
 430 }
 431
 432 #endif