openssl/fips/rand/fips_drbg_lib.c

/* fips/rand/fips_drbg_lib.c */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
/* ====================================================================
 * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */

#define OPENSSL_FIPSAPI

#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/err.h>
#include <openssl/fips_rand.h>
#include "fips_rand_lcl.h"

/* Support framework for SP800-90 DRBGs */

int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
	{
	int rv;
	memset(dctx, 0, sizeof(DRBG_CTX));
	dctx->status = DRBG_STATUS_UNINITIALISED;
	dctx->flags = flags;
	dctx->type = type;

	dctx->entropy_blocklen = 0;
	dctx->health_check_cnt = 0;
	dctx->health_check_interval = DRBG_HEALTH_INTERVAL;

	rv = fips_drbg_hash_init(dctx);

	if (rv == -2)
		rv = fips_drbg_ctr_init(dctx);

	if (rv <= 0)
		{
		if (rv == -2)
			FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
		else
			FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
		}

	/* If not in test mode run selftests on DRBG of the same type */

	if (!(dctx->flags & DRBG_FLAG_TEST))
		{
		DRBG_CTX tctx;
		if (!fips_drbg_kat(&tctx, type, flags | DRBG_FLAG_TEST))
			{
			FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
			return 0;
			}
		}

	return rv;
	}

DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
	{
	DRBG_CTX *dctx;
	dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
	if (!dctx)
		{
		FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
		return NULL;
		}
	if (type == 0)
		return dctx;

	if (FIPS_drbg_init(dctx, type, flags) <= 0)
		{
		OPENSSL_free(dctx);
		return NULL;
		}
		
	return dctx;
	}

void FIPS_drbg_free(DRBG_CTX *dctx)
	{
	if (dctx->uninstantiate)
		dctx->uninstantiate(dctx);
	OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
	OPENSSL_free(dctx);
	}

static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
				int entropy, size_t min_len, size_t max_len)
	{
	unsigned char *tout, *p;
	size_t bl = dctx->entropy_blocklen, rv;
	if (dctx->flags & DRBG_FLAG_TEST || !bl)
		return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
	rv = dctx->get_entropy(dctx, &tout, entropy + bl,
				min_len + bl, max_len + bl);
	*pout = tout + bl;
	if (rv < (min_len + bl) || (rv % bl))
		return 0;
	/* Compare consecutive blocks for continuous PRNG test */
	for (p = tout; p < tout + rv; p += bl)
		{
		if (!memcmp(p, p + bl, bl))
			{
			FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
			return 0;
			}
		}
	rv -= bl;
	if (rv > max_len)
		return max_len;
	return rv;
	}

static void fips_cleanup_entropy(DRBG_CTX *dctx,
					unsigned char *out, size_t olen)
	{
	size_t bl;
	if (dctx->flags & DRBG_FLAG_TEST)
		bl = 0;
	else
		bl = dctx->entropy_blocklen;
	/* Call cleanup with original arguments */
	dctx->cleanup_entropy(dctx, out - bl, olen + bl);
	}


int FIPS_drbg_instantiate(DRBG_CTX *dctx,
				const unsigned char *pers, size_t perslen)
	{
	size_t entlen = 0, noncelen = 0;
	unsigned char *nonce = NULL, *entropy = NULL;

#if 0
	/* Put here so error script picks them up */
	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
				FIPS_R_PERSONALISATION_STRING_TOO_LONG);
	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
	FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
#endif

	int r = 0;

	if (perslen > dctx->max_pers)
		{
		r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
		goto end;
		}

	if (dctx->status != DRBG_STATUS_UNINITIALISED)
		{
		if (dctx->status == DRBG_STATUS_ERROR)
			r = FIPS_R_IN_ERROR_STATE;
		else
			r = FIPS_R_ALREADY_INSTANTIATED;
		goto end;
		}

	dctx->status = DRBG_STATUS_ERROR;

	entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
				dctx->min_entropy, dctx->max_entropy);

	if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
		{
		r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
		goto end;
		}

	if (dctx->max_nonce > 0)
		{
		noncelen = dctx->get_nonce(dctx, &nonce,
					dctx->strength / 2,
					dctx->min_nonce, dctx->max_nonce);

		if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
			{
			r = FIPS_R_ERROR_RETRIEVING_NONCE;
			goto end;
			}

		}

	if (!dctx->instantiate(dctx, 
				entropy, entlen,
				nonce, noncelen,
				pers, perslen))
		{
		r = FIPS_R_ERROR_INSTANTIATING_DRBG;
		goto end;
		}


	dctx->status = DRBG_STATUS_READY;
	dctx->reseed_counter = 1;

	end:

	if (entropy && dctx->cleanup_entropy)
		fips_cleanup_entropy(dctx, entropy, entlen);

	if (nonce && dctx->cleanup_nonce)
		dctx->cleanup_nonce(dctx, nonce, noncelen);

	if (dctx->status == DRBG_STATUS_READY)
		return 1;

	if (r && !(dctx->flags & DRBG_FLAG_NOERR))
		FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);

	return 0;

	}

int FIPS_drbg_reseed(DRBG_CTX *dctx,
			const unsigned char *adin, size_t adinlen)
	{
	unsigned char *entropy = NULL;
	size_t entlen;
	int r = 0;

#if 0
	FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
	FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
#endif
	if (dctx->status != DRBG_STATUS_READY
		&& dctx->status != DRBG_STATUS_RESEED)
		{
		if (dctx->status == DRBG_STATUS_ERROR)
			r = FIPS_R_IN_ERROR_STATE;
		else if(dctx->status == DRBG_STATUS_UNINITIALISED)
			r = FIPS_R_NOT_INSTANTIATED;
		goto end;
		}

	if (!adin)
		adinlen = 0;
	else if (adinlen > dctx->max_adin)
		{
		r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
		goto end;
		}

	dctx->status = DRBG_STATUS_ERROR;

	entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
				dctx->min_entropy, dctx->max_entropy);

	if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
		{
		r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
		goto end;
		}

	if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
		goto end;

	dctx->status = DRBG_STATUS_READY;
	dctx->reseed_counter = 1;
	end:

	if (entropy && dctx->cleanup_entropy)
		fips_cleanup_entropy(dctx, entropy, entlen);

	if (dctx->status == DRBG_STATUS_READY)
		return 1;

	if (r && !(dctx->flags & DRBG_FLAG_NOERR))
		FIPSerr(FIPS_F_FIPS_DRBG_RESEED, r);

	return 0;
	}

static int fips_drbg_check(DRBG_CTX *dctx)
	{
	if (dctx->flags & DRBG_FLAG_TEST)
		return 1;
	dctx->health_check_cnt++;
	if (dctx->health_check_cnt >= dctx->health_check_interval)
		{
		DRBG_CTX tctx;
		if (!fips_drbg_kat(&tctx, dctx->type,
						dctx->flags | DRBG_FLAG_TEST))
			{
			FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
			return 0;
			}
		dctx->health_check_cnt = 0;
		}
	return 1;
	}

int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
			int strength, int prediction_resistance,
			const unsigned char *adin, size_t adinlen)
	{
	int r = 0;

	if (!fips_drbg_check(dctx))
		return 0;

	if (dctx->status != DRBG_STATUS_READY
		&& dctx->status != DRBG_STATUS_RESEED)
		{
		if (dctx->status == DRBG_STATUS_ERROR)
			r = FIPS_R_IN_ERROR_STATE;
		else if(dctx->status == DRBG_STATUS_UNINITIALISED)
			r = FIPS_R_NOT_INSTANTIATED;
		goto end;
		}

	if (outlen > dctx->max_request)
		{
		r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
		return 0;
		}

	if (strength > dctx->strength)
		{
		r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
		goto end;
		}

	if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
		{
		if (!FIPS_drbg_reseed(dctx, adin, adinlen))
			{
			r = FIPS_R_RESEED_ERROR;
			goto end;
			}
		adin = NULL;
		adinlen = 0;
		}

	if (!dctx->generate(dctx, out, outlen, adin, adinlen))
		{
		r = FIPS_R_GENERATE_ERROR;
		dctx->status = DRBG_STATUS_ERROR;
		goto end;
		}
	if (dctx->reseed_counter >= dctx->reseed_interval)
		dctx->status = DRBG_STATUS_RESEED;
	else
		dctx->reseed_counter++;

	end:
	if (r)
		{
		if (!(dctx->flags & DRBG_FLAG_NOERR))
			FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
		return 0;
		}

	return 1;
	}

int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
	{
	int rv;
	if (!dctx->uninstantiate)
		rv = 1;
	else
		rv = dctx->uninstantiate(dctx);
	/* Although we'd like to cleanse here we can't because we have to
	 * test the uninstantiate really zeroes the data.
	 */
	memset(&dctx->d, 0, sizeof(dctx->d));
	dctx->status = DRBG_STATUS_UNINITIALISED;
	/* If method has problems uninstantiating, return error */
	return rv;
	}

int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
	size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
				int entropy, size_t min_len, size_t max_len),
	void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
	size_t entropy_blocklen,
	size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
				int entropy, size_t min_len, size_t max_len),
	void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
	{
	if (dctx->status != DRBG_STATUS_UNINITIALISED)
		return 0;
	dctx->entropy_blocklen = entropy_blocklen;
	dctx->get_entropy = get_entropy;
	dctx->cleanup_entropy = cleanup_entropy;
	dctx->get_nonce = get_nonce;
	dctx->cleanup_nonce = cleanup_nonce;
	return 1;
	}

int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
	size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
	void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
	int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
	int (*rand_add_cb)(DRBG_CTX *ctx,
				const void *buf, int num, double entropy))
	{
	if (dctx->status != DRBG_STATUS_UNINITIALISED)
		return 0;
	dctx->get_adin = get_adin;
	dctx->cleanup_adin = cleanup_adin;
	dctx->rand_seed_cb = rand_seed_cb;
	dctx->rand_add_cb = rand_add_cb;
	return 1;
	}

void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
	{
	return dctx->app_data;
	}

void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
	{
	dctx->app_data = app_data;
	}

size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
	{
	return dctx->blocklength;
	}

int FIPS_drbg_get_strength(DRBG_CTX *dctx)
	{
	return dctx->strength;
	}

void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
	{
	dctx->health_check_interval = interval;
	}

static int drbg_stick = 0;

void FIPS_drbg_stick(void)
	{
	drbg_stick = 1;
	}

/* Continuous DRBG utility function */
int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
	{
	/* No CPRNG in test mode */
	if (dctx->flags & DRBG_FLAG_TEST)
		return 1;
	/* Check block is valid: should never happen */
	if (dctx->lb_valid == 0)
		{
		FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
		fips_set_selftest_fail();
		return 0;
		}
	if (drbg_stick)
		memcpy(dctx->lb, out, dctx->blocklength);
	/* Check against last block: fail if match */
	if (!memcmp(dctx->lb, out, dctx->blocklength))
		{
		FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
		fips_set_selftest_fail();
		return 0;
		}
	/* Save last block for next comparison */
	memcpy(dctx->lb, out, dctx->blocklength);
	return 1;
	}