/*
- * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/evp.h>
#include "crypto/rand.h"
+#include <openssl/proverr.h>
#include "drbg_local.h"
#include "internal/thread_once.h"
#include "crypto/cryptlib.h"
-#include "seeding/seeding.h"
+#include "prov/seeding.h"
#include "crypto/rand_pool.h"
+#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
+#include "prov/fipscommon.h"
+#include "crypto/context.h"
/*
* Support framework for NIST SP 800-90A DRBG
*
* The OpenSSL model is to have new and free functions, and that new
* does all initialization. That is not the NIST model, which has
- * instantiation and un-instantiate, and re-use within a new/free
+ * instantiation and un-instantiate, and reuse within a new/free
* lifecycle. (No doubt this comes from the desire to support hardware
* DRBG, where allocation of resources on something like an HSM is
* a much bigger deal than just re-setting an allocated resource.)
*/
-#ifdef FIPS_MODULE
-# define get_entropy prov_crngt_get_entropy
-# define cleanup_entropy prov_crngt_cleanup_entropy
-#else
-# define get_entropy prov_drbg_get_entropy
-# define cleanup_entropy prov_drbg_cleanup_entropy
-#endif
-
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
-static unsigned int master_reseed_interval = MASTER_RESEED_INTERVAL;
-static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL;
-
-static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
-static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
-
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
int function);
-int drbg_lock(void *vctx)
-{
- PROV_DRBG *drbg = vctx;
+static int rand_drbg_restart(PROV_DRBG *drbg);
- if (drbg == NULL || drbg->lock == NULL)
- return 1;
- return CRYPTO_THREAD_write_lock(drbg->lock);
+/*
+ * We interpret a call to this function as a hint only and ignore it. This
+ * occurs when the EVP layer thinks we should do some locking. In practice
+ * however we manage for ourselves when we take a lock or not on the basis
+ * of whether drbg->lock is present or not.
+ */
+int ossl_drbg_lock(void *vctx)
+{
+ return 1;
}
-void drbg_unlock(void *vctx)
+/* Interpreted as a hint only and ignored as for ossl_drbg_lock() */
+void ossl_drbg_unlock(void *vctx)
{
- PROV_DRBG *drbg = vctx;
-
- if (drbg != NULL && drbg->lock != NULL)
- CRYPTO_THREAD_unlock(drbg->lock);
}
-static int drbg_lock_parent(PROV_DRBG *drbg)
+static int ossl_drbg_lock_parent(PROV_DRBG *drbg)
{
void *parent = drbg->parent;
- const OSSL_DISPATCH *pfunc;
- if (parent != NULL) {
- pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_LOCK);
- if (pfunc != NULL && !OSSL_get_OP_rand_lock(pfunc)(parent)) {
- ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED);
- return 0;
- }
+ if (parent != NULL
+ && drbg->parent_lock != NULL
+ && !drbg->parent_lock(parent)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
+ return 0;
}
return 1;
}
-static void drbg_unlock_parent(PROV_DRBG *drbg)
+static void ossl_drbg_unlock_parent(PROV_DRBG *drbg)
{
void *parent = drbg->parent;
- const OSSL_DISPATCH *pfunc;
- if (parent != NULL) {
- pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_UNLOCK);
- if (pfunc != NULL)
- OSSL_get_OP_rand_unlock(pfunc)(parent);
- }
+ if (parent != NULL && drbg->parent_unlock != NULL)
+ drbg->parent_unlock(parent);
}
-static int get_parent_strength(PROV_DRBG *drbg, int *str)
+static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)
{
OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
- const OSSL_DISPATCH *pfunc;
void *parent = drbg->parent;
+ int res;
- pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS);
- if (pfunc == NULL) {
- ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH);
+ if (drbg->parent_get_ctx_params == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
return 0;
}
- *params = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_STRENGTH, str);
- if (!drbg_lock_parent(drbg)) {
- ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT);
+
+ *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);
+ if (!ossl_drbg_lock_parent(drbg)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
return 0;
}
- if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) {
- drbg_unlock_parent(drbg);
- ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_PARENT_STRENGTH);
+ res = drbg->parent_get_ctx_params(parent, params);
+ ossl_drbg_unlock_parent(drbg);
+ if (!res) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
return 0;
}
- drbg_unlock_parent(drbg);
return 1;
}
static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
{
OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
- const OSSL_DISPATCH *pfunc;
void *parent = drbg->parent;
- unsigned int r;
+ unsigned int r = 0;
- pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS);
- if (pfunc == NULL) {
- ERR_raise(ERR_LIB_PROV,
- RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER);
- goto err;
- }
- *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_RESEED_PROP_CTR, &r);
- if (!drbg_lock_parent(drbg)) {
- ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_LOCK_PARENT);
- goto err;
- }
- if (!OSSL_get_OP_rand_get_ctx_params(pfunc)(parent, params)) {
- drbg_unlock_parent(drbg);
- ERR_raise(ERR_LIB_PROV, RAND_R_UNABLE_TO_GET_RESEED_PROP_CTR);
+ *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r);
+ if (!ossl_drbg_lock_parent(drbg)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
goto err;
}
- drbg_unlock_parent(drbg);
+ if (!drbg->parent_get_ctx_params(parent, params))
+ r = 0;
+ ossl_drbg_unlock_parent(drbg);
return r;
err:
- r = tsan_load(&drbg->reseed_prop_counter) - 2;
+ r = tsan_load(&drbg->reseed_counter) - 2;
if (r == 0)
r = UINT_MAX;
return r;
}
-#ifndef FIPS_MODULE
/*
- * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
+ * Implements the get_entropy() callback
*
* If the DRBG has a parent, then the required amount of entropy input
- * is fetched using the parent's RAND_DRBG_generate().
+ * is fetched using the parent's ossl_prov_drbg_generate().
*
* Otherwise, the entropy is polled from the system entropy sources
- * using rand_pool_acquire_entropy().
+ * using ossl_pool_acquire_entropy().
*
* If a random pool has been added to the DRBG using RAND_add(), then
* its entropy will be used up first.
*/
-static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout,
- int entropy, size_t min_len, size_t max_len,
- int prediction_resistance)
+size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout,
+ int entropy, size_t min_len,
+ size_t max_len, int prediction_resistance,
+ const unsigned char *adin, size_t adin_len)
{
- size_t ret = 0;
- size_t entropy_available = 0;
- RAND_POOL *pool;
- int p_str;
- const OSSL_DISPATCH *pfunc;
+ PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
+ size_t bytes_needed;
+ unsigned char *buffer;
+
+ /* Figure out how many bytes we need */
+ bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
+ if (bytes_needed < min_len)
+ bytes_needed = min_len;
+ if (bytes_needed > max_len)
+ bytes_needed = max_len;
+
+ /* Allocate storage */
+ buffer = OPENSSL_secure_malloc(bytes_needed);
+ if (buffer == NULL)
+ return 0;
- if (drbg->parent != NULL) {
- if (!get_parent_strength(drbg, &p_str))
- return 0;
- if (drbg->strength > p_str) {
- /*
- * We currently don't support the algorithm from NIST SP 800-90C
- * 10.1.2 to use a weaker DRBG as source
- */
- RANDerr(0, RAND_R_PARENT_STRENGTH_TOO_WEAK);
- return 0;
- }
+ /*
+ * Get random data. Include our DRBG address as
+ * additional input, in order to provide a distinction between
+ * different DRBG child instances.
+ *
+ * Note: using the sizeof() operator on a pointer triggers
+ * a warning in some static code analyzers, but it's
+ * intentional and correct here.
+ */
+ if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed,
+ drbg->strength, prediction_resistance,
+ (unsigned char *)&drbg, sizeof(drbg))) {
+ OPENSSL_secure_clear_free(buffer, bytes_needed);
+ ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
+ return 0;
}
+ *pout = buffer;
+ return bytes_needed;
+}
- if (drbg->seed_pool != NULL) {
- pool = drbg->seed_pool;
- pool->entropy_requested = entropy;
- } else {
- pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);
- if (pool == NULL)
- return 0;
- }
+/* Implements the cleanup_entropy() callback */
+void ossl_drbg_clear_seed(ossl_unused void *vdrbg,
+ unsigned char *out, size_t outlen)
+{
+ OPENSSL_secure_clear_free(out, outlen);
+}
- if (drbg->parent != NULL) {
- size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
- unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);
+static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
+ size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ size_t bytes;
+ unsigned int p_str;
- if (buffer != NULL) {
- size_t bytes = 0;
+ if (drbg->parent == NULL)
+#ifdef FIPS_MODULE
+ return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
+ prediction_resistance);
+#else
+ return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
+ max_len);
+#endif
- /*
- * Get random data from parent. Include our address as additional input,
- * in order to provide some additional distinction between different
- * DRBG child instances.
- * Our lock is already held, but we need to lock our parent before
- * generating bits from it. (Note: taking the lock will be a no-op
- * if locking if drbg->parent->lock == NULL.)
- */
- pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_GENERATE);
- if (pfunc == NULL)
- return 0;
- drbg_lock_parent(drbg);
- if (OSSL_get_OP_rand_generate(pfunc)(drbg->parent, buffer, bytes_needed,
- drbg->strength,
- prediction_resistance,
- (unsigned char *)&drbg,
- sizeof(drbg)) != 0)
- bytes = bytes_needed;
- drbg->reseed_next_counter = get_parent_reseed_count(drbg);
- drbg_unlock_parent(drbg);
-
- rand_pool_add_end(pool, bytes, 8 * bytes);
- entropy_available = rand_pool_entropy_available(pool);
- }
- } else {
- /* Get entropy by polling system entropy sources. */
- entropy_available = rand_pool_acquire_entropy(pool);
+ if (drbg->parent_get_seed == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
+ return 0;
}
-
- if (entropy_available > 0) {
- ret = rand_pool_length(pool);
- *pout = rand_pool_detach(pool);
+ if (!get_parent_strength(drbg, &p_str))
+ return 0;
+ if (drbg->strength > p_str) {
+ /*
+ * We currently don't support the algorithm from NIST SP 800-90C
+ * 10.1.2 to use a weaker DRBG as source
+ */
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
+ return 0;
}
- if (drbg->seed_pool == NULL)
- rand_pool_free(pool);
- return ret;
+ /*
+ * Our lock is already held, but we need to lock our parent before
+ * generating bits from it. Note: taking the lock will be a no-op
+ * if locking is not required (while drbg->parent->lock == NULL).
+ */
+ if (!ossl_drbg_lock_parent(drbg))
+ return 0;
+ /*
+ * Get random data from parent. Include our DRBG address as
+ * additional input, in order to provide a distinction between
+ * different DRBG child instances.
+ *
+ * Note: using the sizeof() operator on a pointer triggers
+ * a warning in some static code analyzers, but it's
+ * intentional and correct here.
+ */
+ bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength,
+ min_len, max_len, prediction_resistance,
+ (unsigned char *)&drbg, sizeof(drbg));
+ ossl_drbg_unlock_parent(drbg);
+ return bytes;
}
-/*
- * Implements the cleanup_entropy() callback (see RAND_DRBG_set_callbacks())
- *
- */
-static void prov_drbg_cleanup_entropy(PROV_DRBG *drbg,
- unsigned char *out, size_t outlen)
+static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
{
- if (drbg->seed_pool == NULL) {
- if (drbg->secure)
- OPENSSL_secure_clear_free(out, outlen);
- else
- OPENSSL_clear_free(out, outlen);
+ if (drbg->parent == NULL) {
+#ifdef FIPS_MODULE
+ ossl_crngt_cleanup_entropy(drbg, out, outlen);
+#else
+ ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
+#endif
+ } else if (drbg->parent_clear_seed != NULL) {
+ if (!ossl_drbg_lock_parent(drbg))
+ return;
+ drbg->parent_clear_seed(drbg->parent, out, outlen);
+ ossl_drbg_unlock_parent(drbg);
}
}
-#endif
#ifndef PROV_RAND_GET_RANDOM_NONCE
typedef struct prov_drbg_nonce_global_st {
/*
* drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
- * which needs to get the rand_nonce_lock out of the OPENSSL_CTX...but since
+ * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since
* drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
* to be in a different global data object. Otherwise we will go into an
* infinite recursion loop.
*/
-static void *prov_drbg_nonce_ossl_ctx_new(OPENSSL_CTX *libctx)
+void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx)
{
PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
return dngbl;
}
-static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl)
+void ossl_prov_drbg_nonce_ctx_free(void *vdngbl)
{
PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
OPENSSL_free(dngbl);
}
-static const OPENSSL_CTX_METHOD drbg_nonce_ossl_ctx_method = {
- prov_drbg_nonce_ossl_ctx_new,
- prov_drbg_nonce_ossl_ctx_free,
-};
-
/* Get a nonce from the operating system */
-static size_t prov_drbg_get_nonce(PROV_DRBG *drbg,
- unsigned char **pout,
- int entropy, size_t min_len, size_t max_len)
+static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout,
+ size_t min_len, size_t max_len)
{
- size_t ret = 0;
- RAND_POOL *pool;
+ size_t ret = 0, n;
+ unsigned char *buf = NULL;
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
PROV_DRBG_NONCE_GLOBAL *dngbl
- = openssl_ctx_get_data(drbg->libctx, OPENSSL_CTX_DRBG_NONCE_INDEX,
- &drbg_nonce_ossl_ctx_method);
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX);
struct {
- void *instance;
+ void *drbg;
int count;
} data;
-
if (dngbl == NULL)
return 0;
+ if (drbg->parent != NULL && drbg->parent_nonce != NULL) {
+ n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
+ drbg->max_noncelen);
+ if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {
+ ret = drbg->parent_nonce(drbg->parent, buf, 0,
+ drbg->min_noncelen, drbg->max_noncelen);
+ if (ret == n) {
+ *pout = buf;
+ return ret;
+ }
+ OPENSSL_free(buf);
+ }
+ }
+
+ /* Use the built in nonce source plus some of our specifics */
memset(&data, 0, sizeof(data));
- pool = rand_pool_new(0, 0, min_len, max_len);
- if (pool == NULL)
+ data.drbg = drbg;
+ if (!CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
+ dngbl->rand_nonce_lock))
return 0;
-
- if (rand_pool_add_nonce_data(pool) == 0)
- goto err;
-
- data.instance = drbg;
- CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
- dngbl->rand_nonce_lock);
-
- if (rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0) == 0)
- goto err;
-
- ret = rand_pool_length(pool);
- *pout = rand_pool_detach(pool);
-
- err:
- rand_pool_free(pool);
-
- return ret;
-}
-#endif
-
-/*
- * Implements the cleanup_nonce() callback (see PROV_DRBG_set_callbacks())
- *
- */
-static void prov_drbg_cleanup_nonce(PROV_DRBG *drbg,
- unsigned char *out, size_t outlen)
-{
- OPENSSL_clear_free(out, outlen);
+ return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len,
+ &data, sizeof(data));
}
+#endif /* PROV_RAND_GET_RANDOM_NONCE */
/*
* Instantiate |drbg|, after it has been initialized. Use |pers| and
*
* Returns 1 on success, 0 on failure.
*/
-int PROV_DRBG_instantiate(PROV_DRBG *drbg, int strength,
- int prediction_resistance,
- const unsigned char *pers, size_t perslen,
- int (*ifnc)(PROV_DRBG *drbg,
- const unsigned char *ent, size_t ent_len,
- const unsigned char *nonce,
- size_t nonce_len,
- const unsigned char *pstr,
- size_t pstr_len))
+int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
+ int prediction_resistance,
+ const unsigned char *pers, size_t perslen)
{
unsigned char *nonce = NULL, *entropy = NULL;
size_t noncelen = 0, entropylen = 0;
size_t min_entropy, min_entropylen, max_entropylen;
- const OSSL_DISPATCH *pnonce;
if (strength > drbg->strength) {
- PROVerr(0, RAND_R_INSUFFICIENT_DRBG_STRENGTH);
+ ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
goto end;
}
min_entropy = drbg->strength;
perslen = sizeof(ossl_pers_string);
}
if (perslen > drbg->max_perslen) {
- PROVerr(0, RAND_R_PERSONALISATION_STRING_TOO_LONG);
+ ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG);
goto end;
}
- if (drbg->state != DRBG_UNINITIALISED) {
- if (drbg->state == DRBG_ERROR)
- PROVerr(0, RAND_R_IN_ERROR_STATE);
+ if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {
+ if (drbg->state == EVP_RAND_STATE_ERROR)
+ ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
else
- PROVerr(0, RAND_R_ALREADY_INSTANTIATED);
+ ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED);
goto end;
}
- drbg->state = DRBG_ERROR;
+ drbg->state = EVP_RAND_STATE_ERROR;
if (drbg->min_noncelen > 0) {
+ if (drbg->parent_nonce != NULL) {
+ noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,
+ drbg->min_noncelen,
+ drbg->max_noncelen);
+ if (noncelen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
+ goto end;
+ }
+ nonce = OPENSSL_malloc(noncelen);
+ if (nonce == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
+ goto end;
+ }
+ if (noncelen != drbg->parent_nonce(drbg->parent, nonce,
+ drbg->strength,
+ drbg->min_noncelen,
+ drbg->max_noncelen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
+ goto end;
+ }
#ifndef PROV_RAND_GET_RANDOM_NONCE
- if (drbg->parent != NULL)
+ } else if (drbg->parent != NULL) {
#endif
- {
- pnonce = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_NONCE);
- if (pnonce == NULL) {
- /*
- * NIST SP800-90Ar1 section 9.1 says you can combine getting
- * the entropy and nonce in 1 call by increasing the entropy
- * with 50% and increasing the minimum length to accommodate
- * the length of the nonce. We do this in case a nonce is
- * required and there is no parental nonce capability.
- */
- min_entropy += drbg->strength / 2;
- min_entropylen += drbg->min_noncelen;
- max_entropylen += drbg->max_noncelen;
- } else {
- drbg_lock_parent(drbg);
- noncelen = OSSL_get_OP_rand_nonce(pnonce)(drbg->parent, &nonce,
- drbg->strength / 2,
- drbg->min_noncelen,
- drbg->max_noncelen);
- drbg_unlock_parent(drbg);
- if (noncelen < drbg->min_noncelen
- || noncelen > drbg->max_noncelen) {
- PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE);
- goto end;
- }
- }
+ /*
+ * NIST SP800-90Ar1 section 9.1 says you can combine getting
+ * the entropy and nonce in 1 call by increasing the entropy
+ * with 50% and increasing the minimum length to accommodate
+ * the length of the nonce. We do this in case a nonce is
+ * required and there is no parental nonce capability.
+ */
+ min_entropy += drbg->strength / 2;
+ min_entropylen += drbg->min_noncelen;
+ max_entropylen += drbg->max_noncelen;
}
#ifndef PROV_RAND_GET_RANDOM_NONCE
else { /* parent == NULL */
- noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->strength / 2,
- drbg->min_noncelen,
+ noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen,
drbg->max_noncelen);
if (noncelen < drbg->min_noncelen
|| noncelen > drbg->max_noncelen) {
- PROVerr(0, RAND_R_ERROR_RETRIEVING_NONCE);
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
goto end;
}
}
#endif
}
- drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
+ drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
if (drbg->reseed_next_counter) {
drbg->reseed_next_counter++;
- if(!drbg->reseed_next_counter)
+ if (!drbg->reseed_next_counter)
drbg->reseed_next_counter = 1;
}
prediction_resistance);
if (entropylen < min_entropylen
|| entropylen > max_entropylen) {
- PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY);
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
goto end;
}
- if (!ifnc(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) {
- PROVerr(0, RAND_R_ERROR_INSTANTIATING_DRBG);
+ if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,
+ pers, perslen)) {
+ cleanup_entropy(drbg, entropy, entropylen);
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG);
goto end;
}
+ cleanup_entropy(drbg, entropy, entropylen);
- drbg->state = DRBG_READY;
- drbg->reseed_gen_counter = 1;
+ drbg->state = EVP_RAND_STATE_READY;
+ drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+ tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
end:
- if (entropy != NULL)
- cleanup_entropy(drbg, entropy, entropylen);
if (nonce != NULL)
- prov_drbg_cleanup_nonce(drbg, nonce, noncelen);
- if (drbg->state == DRBG_READY)
+ ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen);
+ if (drbg->state == EVP_RAND_STATE_READY)
return 1;
return 0;
}
/*
- * Reseed |drbg|, mixing in the specified data
+ * Uninstantiate |drbg|. Must be instantiated before it can be used.
*
* Requires that drbg->lock is already locked for write, if non-null.
*
* Returns 1 on success, 0 on failure.
*/
-int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
- const unsigned char *ent, size_t ent_len,
- const unsigned char *adin, size_t adinlen,
- int (*reseed)(PROV_DRBG *drbg,
- const unsigned char *ent, size_t ent_len,
- const unsigned char *adin, size_t adin_len))
+int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg)
+{
+ drbg->state = EVP_RAND_STATE_UNINITIALISED;
+ return 1;
+}
+
+static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
+ int prediction_resistance,
+ const unsigned char *ent,
+ size_t ent_len,
+ const unsigned char *adin,
+ size_t adinlen)
{
unsigned char *entropy = NULL;
size_t entropylen = 0;
- if (drbg->state == DRBG_ERROR) {
- PROVerr(0, RAND_R_IN_ERROR_STATE);
+ if (!ossl_prov_is_running())
return 0;
+
+ if (drbg->state != EVP_RAND_STATE_READY) {
+ /* try to recover from previous errors */
+ rand_drbg_restart(drbg);
+
+ if (drbg->state == EVP_RAND_STATE_ERROR) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
+ return 0;
+ }
+ if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
+ return 0;
+ }
}
- if (drbg->state == DRBG_UNINITIALISED) {
- PROVerr(0, RAND_R_NOT_INSTANTIATED);
- return 0;
+
+ if (ent != NULL) {
+ if (ent_len < drbg->min_entropylen) {
+ ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE);
+ drbg->state = EVP_RAND_STATE_ERROR;
+ return 0;
+ }
+ if (ent_len > drbg->max_entropylen) {
+ ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);
+ drbg->state = EVP_RAND_STATE_ERROR;
+ return 0;
+ }
}
if (adin == NULL) {
adinlen = 0;
} else if (adinlen > drbg->max_adinlen) {
- PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
+ ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
return 0;
}
- drbg->state = DRBG_ERROR;
+ drbg->state = EVP_RAND_STATE_ERROR;
- drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
+ drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
if (drbg->reseed_next_counter) {
drbg->reseed_next_counter++;
- if(!drbg->reseed_next_counter)
+ if (!drbg->reseed_next_counter)
drbg->reseed_next_counter = 1;
}
+ if (ent != NULL) {
+#ifdef FIPS_MODULE
+ /*
+ * NIST SP-800-90A mandates that entropy *shall not* be provided
+ * by the consuming application. Instead the data is added as additional
+ * input.
+ *
+ * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
+ */
+ if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
+ return 0;
+ }
+#else
+ if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
+ return 0;
+ }
+ /* There isn't much point adding the same additional input twice */
+ adin = NULL;
+ adinlen = 0;
+#endif
+ }
+
+ /* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
prediction_resistance);
if (entropylen < drbg->min_entropylen
|| entropylen > drbg->max_entropylen) {
- PROVerr(0, RAND_R_ERROR_RETRIEVING_ENTROPY);
+ ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
goto end;
}
- if (!reseed(drbg, entropy, entropylen, adin, adinlen))
+ if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))
goto end;
- drbg->state = DRBG_READY;
- drbg->reseed_gen_counter = 1;
+ drbg->state = EVP_RAND_STATE_READY;
+ drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+ tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
+ if (drbg->parent != NULL)
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
end:
- if (entropy != NULL)
- OPENSSL_cleanse(entropy, entropylen);
- if (drbg->state == DRBG_READY)
+ cleanup_entropy(drbg, entropy, entropylen);
+ if (drbg->state == EVP_RAND_STATE_READY)
return 1;
return 0;
}
+/*
+ * Reseed |drbg|, mixing in the specified data
+ *
+ * Acquires the drbg->lock for writing, if non-null.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adinlen)
+{
+ int ret;
+
+ if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
+ return 0;
+
+ ret = ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, ent,
+ ent_len, adin, adinlen);
+
+ if (drbg->lock != NULL)
+ CRYPTO_THREAD_unlock(drbg->lock);
+
+ return ret;
+}
+
/*
* Generate |outlen| bytes into the buffer at |out|. Reseed if we need
* to or if |prediction_resistance| is set. Additional input can be
* sent in |adin| and |adinlen|.
*
- * Requires that drbg->lock is already locked for write, if non-null.
+ * Acquires the drbg->lock for writing if available
*
* Returns 1 on success, 0 on failure.
*
*/
-int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
- int strength, int prediction_resistance,
- const unsigned char *adin, size_t adinlen,
- int (*generate)(PROV_DRBG *, unsigned char *out,
- size_t outlen, const unsigned char *adin,
- size_t adin_len),
- int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent,
- size_t ent_len, const unsigned char *adin,
- size_t adin_len))
+int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+ unsigned int strength, int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
{
int fork_id;
int reseed_required = 0;
+ int ret = 0;
- if (drbg->state != DRBG_READY) {
- if (drbg->state == DRBG_ERROR) {
- PROVerr(0, RAND_R_IN_ERROR_STATE);
- return 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
+ if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
+ return 0;
+
+ if (drbg->state != EVP_RAND_STATE_READY) {
+ /* try to recover from previous errors */
+ rand_drbg_restart(drbg);
+
+ if (drbg->state == EVP_RAND_STATE_ERROR) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
+ goto err;
}
- if (drbg->state == DRBG_UNINITIALISED) {
- PROVerr(0, RAND_R_NOT_INSTANTIATED);
- return 0;
+ if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
+ goto err;
}
}
+ if (strength > drbg->strength) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
+ goto err;
+ }
if (outlen > drbg->max_request) {
- PROVerr(0, RAND_R_REQUEST_TOO_LARGE_FOR_DRBG);
- return 0;
+ ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);
+ goto err;
}
if (adinlen > drbg->max_adinlen) {
- PROVerr(0, RAND_R_ADDITIONAL_INPUT_TOO_LONG);
- return 0;
+ ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
+ goto err;
}
fork_id = openssl_get_fork_id();
}
if (drbg->reseed_interval > 0) {
- if (drbg->reseed_gen_counter > drbg->reseed_interval)
+ if (drbg->generate_counter >= drbg->reseed_interval)
reseed_required = 1;
}
if (drbg->reseed_time_interval > 0) {
|| now - drbg->reseed_time >= drbg->reseed_time_interval)
reseed_required = 1;
}
- if (drbg->parent != NULL) {
- unsigned int reseed_counter = 0;
-
- if (reseed_counter > 0
- && get_parent_reseed_count(drbg) !=
- tsan_load(&drbg->reseed_prop_counter))
- reseed_required = 1;
- }
+ if (drbg->parent != NULL
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ reseed_required = 1;
if (reseed_required || prediction_resistance) {
- if (!PROV_DRBG_reseed(drbg, prediction_resistance, NULL, 0,
- adin, adinlen, reseed)) {
- PROVerr(0, RAND_R_RESEED_ERROR);
- return 0;
+ if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
+ 0, adin, adinlen)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR);
+ goto err;
}
adin = NULL;
adinlen = 0;
}
- if (!generate(drbg, out, outlen, adin, adinlen)) {
- drbg->state = DRBG_ERROR;
- PROVerr(0, RAND_R_GENERATE_ERROR);
- return 0;
+ if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {
+ drbg->state = EVP_RAND_STATE_ERROR;
+ ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
+ goto err;
}
- drbg->reseed_gen_counter++;
+ drbg->generate_counter++;
- return 1;
+ ret = 1;
+ err:
+ if (drbg->lock != NULL)
+ CRYPTO_THREAD_unlock(drbg->lock);
+
+ return ret;
}
-#if 0
/*
- * Calculates the minimum length of a full entropy buffer
- * which is necessary to seed (i.e. instantiate) the DRBG
- * successfully.
+ * Restart |drbg|, using the specified entropy or additional input
+ *
+ * Tries its best to get the drbg instantiated by all means,
+ * regardless of its current state.
+ *
+ * Optionally, a |buffer| of |len| random bytes can be passed,
+ * which is assumed to contain at least |entropy| bits of entropy.
+ *
+ * If |entropy| > 0, the buffer content is used as entropy input.
+ *
+ * If |entropy| == 0, the buffer content is used as additional input
+ *
+ * Returns 1 on success, 0 on failure.
+ *
+ * This function is used internally only.
*/
-size_t prov_drbg_seedlen(PROV_DRBG *drbg)
+static int rand_drbg_restart(PROV_DRBG *drbg)
{
- /*
- * If no os entropy source is available then PROV_seed(buffer, bufsize)
- * is expected to succeed if and only if the buffer length satisfies
- * the following requirements, which follow from the calculations
- * in PROV_DRBG_instantiate().
- */
- size_t min_entropy = drbg->strength;
- size_t min_entropylen = drbg->min_entropylen;
-
- /*
- * Extra entropy for the random nonce in the absence of a
- * get_nonce callback, see comment in PROV_DRBG_instantiate().
- */
- if (drbg->min_noncelen > 0) {
-#ifndef PROV_RAND_GET_RANDOM_NONCE
- if (drbg->parent != NULL)
-#endif
- if (find_call(drbg->parent_dispatch,
- OSSL_FUNC_RAND_NONCE) == NULL) {
- min_entropy += drbg->strength / 2;
- min_entropylen += drbg->min_noncelen;
- }
- }
+ /* repair error state */
+ if (drbg->state == EVP_RAND_STATE_ERROR)
+ drbg->uninstantiate(drbg);
- /*
- * Convert entropy requirement from bits to bytes
- * (dividing by 8 without rounding upwards, because
- * all entropy requirements are divisible by 8).
- */
- min_entropy >>= 3;
+ /* repair uninitialized state */
+ if (drbg->state == EVP_RAND_STATE_UNINITIALISED)
+ /* reinstantiate drbg */
+ ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0);
- /* Return a value that satisfies both requirements */
- return min_entropy > min_entropylen ? min_entropy : min_entropylen;
+ return drbg->state == EVP_RAND_STATE_READY;
}
-#endif
/* Provider support from here down */
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
int function)
{
if (dispatch != NULL)
- while (dispatch->function_id != 0)
+ while (dispatch->function_id != 0) {
if (dispatch->function_id == function)
return dispatch;
+ dispatch++;
+ }
return NULL;
}
-int drbg_enable_locking(void *vctx)
+int ossl_drbg_enable_locking(void *vctx)
{
PROV_DRBG *drbg = vctx;
- const OSSL_DISPATCH *pfunc;
-
- if (drbg == NULL)
- return 1;
- if (drbg->lock == NULL) {
- if (drbg->state != DRBG_UNINITIALISED) {
- ERR_raise(ERR_LIB_PROV, RAND_R_DRBG_ALREADY_INITIALIZED);
- return 0;
- }
- pfunc = find_call(drbg->parent_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING);
- if (pfunc != NULL)
- if (!OSSL_get_OP_rand_enable_locking(pfunc)(drbg->parent)) {
- ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_LOCKING_NOT_ENABLED);
+ if (drbg != NULL && drbg->lock == NULL) {
+ if (drbg->parent_enable_locking != NULL)
+ if (!drbg->parent_enable_locking(drbg->parent)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
return 0;
}
drbg->lock = CRYPTO_THREAD_lock_new();
if (drbg->lock == NULL) {
- ERR_raise(ERR_LIB_PROV, RAND_R_FAILED_TO_CREATE_LOCK);
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
return 0;
}
}
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
-PROV_DRBG *prov_rand_drbg_new(void *provctx, int secure, void *parent,
- const OSSL_DISPATCH *parent_dispatch,
- int (*dnew)(PROV_DRBG *ctx, int secure))
+PROV_DRBG *ossl_rand_drbg_new
+ (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,
+ int (*dnew)(PROV_DRBG *ctx),
+ void (*dfree)(void *vctx),
+ int (*instantiate)(PROV_DRBG *drbg,
+ const unsigned char *entropy, size_t entropylen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen),
+ int (*uninstantiate)(PROV_DRBG *ctx),
+ int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adin_len),
+ int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adin_len))
{
- PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
- int p_str;
+ PROV_DRBG *drbg;
+ unsigned int p_str;
+ const OSSL_DISPATCH *pfunc;
- if (drbg == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ if (!ossl_prov_is_running())
return NULL;
- }
- drbg->libctx = provctx;
- drbg->secure = secure;
+ drbg = OPENSSL_zalloc(sizeof(*drbg));
+ if (drbg == NULL)
+ return NULL;
+
+ drbg->provctx = provctx;
+ drbg->instantiate = instantiate;
+ drbg->uninstantiate = uninstantiate;
+ drbg->reseed = reseed;
+ drbg->generate = generate;
+ drbg->fork_id = openssl_get_fork_id();
+
+ /* Extract parent's functions */
drbg->parent = parent;
- drbg->parent_dispatch = parent_dispatch;
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
+ drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
+ drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
+ drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
+ drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)
+ drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
+ drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
+ if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
+ drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
/* Set some default maximums up */
drbg->max_entropylen = DRBG_MAX_LENGTH;
drbg->max_noncelen = DRBG_MAX_LENGTH;
drbg->max_perslen = DRBG_MAX_LENGTH;
drbg->max_adinlen = DRBG_MAX_LENGTH;
- drbg->reseed_gen_counter = 1;
-
- /* TODO(3.0) clean this up */
- if (parent == NULL) {
- drbg->reseed_interval = master_reseed_interval;
- drbg->reseed_time_interval = master_reseed_time_interval;
- } else {
- /*
- * Do not provide nonce callbacks, the child DRBGs will
- * obtain their nonce using random bits from the parent.
- */
- drbg->reseed_interval = slave_reseed_interval;
- drbg->reseed_time_interval = slave_reseed_time_interval;
- }
+ drbg->generate_counter = 1;
+ drbg->reseed_counter = 1;
+ drbg->reseed_interval = RESEED_INTERVAL;
+ drbg->reseed_time_interval = TIME_INTERVAL;
- if (!dnew(drbg, secure))
+ if (!dnew(drbg))
goto err;
if (parent != NULL) {
* We currently don't support the algorithm from NIST SP 800-90C
* 10.1.2 to use a weaker DRBG as source
*/
- ERR_raise(ERR_LIB_PROV, RAND_R_PARENT_STRENGTH_TOO_WEAK);
+ ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
goto err;
}
}
+#ifdef TSAN_REQUIRES_LOCKING
+ if (!ossl_drbg_enable_locking(drbg))
+ goto err;
+#endif
return drbg;
err:
- prov_rand_drbg_free(drbg);
+ dfree(drbg);
return NULL;
}
-void prov_rand_drbg_free(PROV_DRBG *drbg)
+void ossl_rand_drbg_free(PROV_DRBG *drbg)
{
if (drbg == NULL)
return;
- rand_pool_free(drbg->adin_pool);
CRYPTO_THREAD_lock_free(drbg->lock);
-#ifndef FIPS_MODULE
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RAND_DRBG, drbg, &drbg->ex_data);
-#endif
+ OPENSSL_free(drbg);
}
-int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
+/*
+ * Helper function called by internal DRBG implementations. Assumes that at
+ * least a read lock has been taken on drbg->lock
+ */
+int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
{
OSSL_PARAM *p;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATUS);
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
return 0;
if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
- if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_request))
- return 0;
-
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_ENTROPYLEN);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ENTROPYLEN);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MIN_NONCELEN);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_NONCELEN);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_PERSLEN);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_ADINLEN);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_CTR);
- if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_gen_counter))
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
+ if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_REQUESTS);
- if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);
+ if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL);
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
return 0;
- p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_RESEED_PROP_CTR);
- if (p != NULL
- && !OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_prop_counter)))
- return 0;
return 1;
}
-int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
+/*
+ * Helper function to get certain params that require no lock to obtain. Sets
+ * *complete to 1 if all the params were processed, or 0 otherwise
+ */
+int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[],
+ int *complete)
+{
+ size_t cnt = 0;
+ OSSL_PARAM *p;
+
+ /* This value never changes once set */
+ p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
+ if (p != NULL) {
+ if (!OSSL_PARAM_set_size_t(p, drbg->max_request))
+ return 0;
+ cnt++;
+ }
+
+ /*
+ * Can be changed by multiple threads, but we tolerate inaccuracies in this
+ * value.
+ */
+ p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER);
+ if (p != NULL) {
+ if (!OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))
+ return 0;
+ cnt++;
+ }
+
+ if (params[cnt].key == NULL)
+ *complete = 1;
+ else
+ *complete = 0;
+
+ return 1;
+}
+
+int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
{
const OSSL_PARAM *p;
- p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_REQUESTS);
+ if (params == NULL)
+ return 1;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
return 0;
- p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_RESEED_TIME_INTERVAL);
+ p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
return 0;
return 1;
}
+
+/* Confirm digest is allowed to be used with a DRBG */
+int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md)
+{
+#ifdef FIPS_MODULE
+ /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */
+ static const char *const allowed_digests[] = {
+ "SHA1", /* SHA 1 allowed */
+ "SHA2-256", "SHA2-512", /* non-truncated SHA2 allowed */
+ "SHA3-256", "SHA3-512", /* non-truncated SHA3 allowed */
+ };
+ size_t i;
+
+ if (FIPS_restricted_drbg_digests_enabled(libctx)) {
+ for (i = 0; i < OSSL_NELEM(allowed_digests); i++)
+ if (EVP_MD_is_a(md, allowed_digests[i]))
+ return 1;
+ ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
+ return 0;
+ }
+#endif
+ /* Outside of FIPS, any digests that are not XOF are allowed */
+ if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
+ return 1;
+}
projects / openssl.git / blobdiff