2
0

fips_drbg_lib.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515
  1. /* fips/rand/fips_drbg_lib.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. */
  53. #define OPENSSL_FIPSAPI
  54. #include <string.h>
  55. #include <openssl/crypto.h>
  56. #include <openssl/evp.h>
  57. #include <openssl/aes.h>
  58. #include <openssl/err.h>
  59. #include <openssl/fips_rand.h>
  60. #include "fips_rand_lcl.h"
  61. /* Support framework for SP800-90 DRBGs */
  62. int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
  63. {
  64. int rv;
  65. memset(dctx, 0, sizeof(DRBG_CTX));
  66. dctx->status = DRBG_STATUS_UNINITIALISED;
  67. dctx->flags = flags;
  68. dctx->type = type;
  69. dctx->entropy_blocklen = 0;
  70. dctx->health_check_cnt = 0;
  71. dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
  72. rv = fips_drbg_hash_init(dctx);
  73. if (rv == -2)
  74. rv = fips_drbg_ctr_init(dctx);
  75. if (rv <= 0)
  76. {
  77. if (rv == -2)
  78. FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
  79. else
  80. FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
  81. }
  82. /* If not in test mode run selftests on DRBG of the same type */
  83. if (!(dctx->flags & DRBG_FLAG_TEST))
  84. {
  85. DRBG_CTX tctx;
  86. if (!fips_drbg_kat(&tctx, type, flags | DRBG_FLAG_TEST))
  87. {
  88. FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
  89. return 0;
  90. }
  91. }
  92. return rv;
  93. }
  94. DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
  95. {
  96. DRBG_CTX *dctx;
  97. dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
  98. if (!dctx)
  99. {
  100. FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
  101. return NULL;
  102. }
  103. if (type == 0)
  104. return dctx;
  105. if (FIPS_drbg_init(dctx, type, flags) <= 0)
  106. {
  107. OPENSSL_free(dctx);
  108. return NULL;
  109. }
  110. return dctx;
  111. }
  112. void FIPS_drbg_free(DRBG_CTX *dctx)
  113. {
  114. if (dctx->uninstantiate)
  115. dctx->uninstantiate(dctx);
  116. OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
  117. OPENSSL_free(dctx);
  118. }
  119. static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
  120. int entropy, size_t min_len, size_t max_len)
  121. {
  122. unsigned char *tout, *p;
  123. size_t bl = dctx->entropy_blocklen, rv;
  124. if (dctx->flags & DRBG_FLAG_TEST || !bl)
  125. return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
  126. rv = dctx->get_entropy(dctx, &tout, entropy + bl,
  127. min_len + bl, max_len + bl);
  128. *pout = tout + bl;
  129. if (rv < (min_len + bl) || (rv % bl))
  130. return 0;
  131. /* Compare consecutive blocks for continuous PRNG test */
  132. for (p = tout; p < tout + rv; p += bl)
  133. {
  134. if (!memcmp(p, p + bl, bl))
  135. {
  136. FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
  137. return 0;
  138. }
  139. }
  140. rv -= bl;
  141. if (rv > max_len)
  142. return max_len;
  143. return rv;
  144. }
  145. static void fips_cleanup_entropy(DRBG_CTX *dctx,
  146. unsigned char *out, size_t olen)
  147. {
  148. size_t bl;
  149. if (dctx->flags & DRBG_FLAG_TEST)
  150. bl = 0;
  151. else
  152. bl = dctx->entropy_blocklen;
  153. /* Call cleanup with original arguments */
  154. dctx->cleanup_entropy(dctx, out - bl, olen + bl);
  155. }
  156. int FIPS_drbg_instantiate(DRBG_CTX *dctx,
  157. const unsigned char *pers, size_t perslen)
  158. {
  159. size_t entlen = 0, noncelen = 0;
  160. unsigned char *nonce = NULL, *entropy = NULL;
  161. #if 0
  162. /* Put here so error script picks them up */
  163. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
  164. FIPS_R_PERSONALISATION_STRING_TOO_LONG);
  165. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
  166. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
  167. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
  168. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
  169. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
  170. #endif
  171. int r = 0;
  172. if (perslen > dctx->max_pers)
  173. {
  174. r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
  175. goto end;
  176. }
  177. if (dctx->status != DRBG_STATUS_UNINITIALISED)
  178. {
  179. if (dctx->status == DRBG_STATUS_ERROR)
  180. r = FIPS_R_IN_ERROR_STATE;
  181. else
  182. r = FIPS_R_ALREADY_INSTANTIATED;
  183. goto end;
  184. }
  185. dctx->status = DRBG_STATUS_ERROR;
  186. entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
  187. dctx->min_entropy, dctx->max_entropy);
  188. if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
  189. {
  190. r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
  191. goto end;
  192. }
  193. if (dctx->max_nonce > 0)
  194. {
  195. noncelen = dctx->get_nonce(dctx, &nonce,
  196. dctx->strength / 2,
  197. dctx->min_nonce, dctx->max_nonce);
  198. if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
  199. {
  200. r = FIPS_R_ERROR_RETRIEVING_NONCE;
  201. goto end;
  202. }
  203. }
  204. if (!dctx->instantiate(dctx,
  205. entropy, entlen,
  206. nonce, noncelen,
  207. pers, perslen))
  208. {
  209. r = FIPS_R_ERROR_INSTANTIATING_DRBG;
  210. goto end;
  211. }
  212. dctx->status = DRBG_STATUS_READY;
  213. dctx->reseed_counter = 1;
  214. end:
  215. if (entropy && dctx->cleanup_entropy)
  216. fips_cleanup_entropy(dctx, entropy, entlen);
  217. if (nonce && dctx->cleanup_nonce)
  218. dctx->cleanup_nonce(dctx, nonce, noncelen);
  219. if (dctx->status == DRBG_STATUS_READY)
  220. return 1;
  221. if (r && !(dctx->flags & DRBG_FLAG_NOERR))
  222. FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
  223. return 0;
  224. }
  225. int FIPS_drbg_reseed(DRBG_CTX *dctx,
  226. const unsigned char *adin, size_t adinlen)
  227. {
  228. unsigned char *entropy = NULL;
  229. size_t entlen;
  230. int r = 0;
  231. #if 0
  232. FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
  233. FIPSerr(FIPS_F_FIPS_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
  234. #endif
  235. if (dctx->status != DRBG_STATUS_READY
  236. && dctx->status != DRBG_STATUS_RESEED)
  237. {
  238. if (dctx->status == DRBG_STATUS_ERROR)
  239. r = FIPS_R_IN_ERROR_STATE;
  240. else if(dctx->status == DRBG_STATUS_UNINITIALISED)
  241. r = FIPS_R_NOT_INSTANTIATED;
  242. goto end;
  243. }
  244. if (!adin)
  245. adinlen = 0;
  246. else if (adinlen > dctx->max_adin)
  247. {
  248. r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
  249. goto end;
  250. }
  251. dctx->status = DRBG_STATUS_ERROR;
  252. entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
  253. dctx->min_entropy, dctx->max_entropy);
  254. if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
  255. {
  256. r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
  257. goto end;
  258. }
  259. if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
  260. goto end;
  261. dctx->status = DRBG_STATUS_READY;
  262. dctx->reseed_counter = 1;
  263. end:
  264. if (entropy && dctx->cleanup_entropy)
  265. fips_cleanup_entropy(dctx, entropy, entlen);
  266. if (dctx->status == DRBG_STATUS_READY)
  267. return 1;
  268. if (r && !(dctx->flags & DRBG_FLAG_NOERR))
  269. FIPSerr(FIPS_F_FIPS_DRBG_RESEED, r);
  270. return 0;
  271. }
  272. static int fips_drbg_check(DRBG_CTX *dctx)
  273. {
  274. if (dctx->flags & DRBG_FLAG_TEST)
  275. return 1;
  276. dctx->health_check_cnt++;
  277. if (dctx->health_check_cnt >= dctx->health_check_interval)
  278. {
  279. DRBG_CTX tctx;
  280. if (!fips_drbg_kat(&tctx, dctx->type,
  281. dctx->flags | DRBG_FLAG_TEST))
  282. {
  283. FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
  284. return 0;
  285. }
  286. dctx->health_check_cnt = 0;
  287. }
  288. return 1;
  289. }
  290. int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
  291. int strength, int prediction_resistance,
  292. const unsigned char *adin, size_t adinlen)
  293. {
  294. int r = 0;
  295. if (!fips_drbg_check(dctx))
  296. return 0;
  297. if (dctx->status != DRBG_STATUS_READY
  298. && dctx->status != DRBG_STATUS_RESEED)
  299. {
  300. if (dctx->status == DRBG_STATUS_ERROR)
  301. r = FIPS_R_IN_ERROR_STATE;
  302. else if(dctx->status == DRBG_STATUS_UNINITIALISED)
  303. r = FIPS_R_NOT_INSTANTIATED;
  304. goto end;
  305. }
  306. if (outlen > dctx->max_request)
  307. {
  308. r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
  309. return 0;
  310. }
  311. if (strength > dctx->strength)
  312. {
  313. r = FIPS_R_INSUFFICIENT_SECURITY_STRENGTH;
  314. goto end;
  315. }
  316. if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
  317. {
  318. if (!FIPS_drbg_reseed(dctx, adin, adinlen))
  319. {
  320. r = FIPS_R_RESEED_ERROR;
  321. goto end;
  322. }
  323. adin = NULL;
  324. adinlen = 0;
  325. }
  326. if (!dctx->generate(dctx, out, outlen, adin, adinlen))
  327. {
  328. r = FIPS_R_GENERATE_ERROR;
  329. dctx->status = DRBG_STATUS_ERROR;
  330. goto end;
  331. }
  332. if (dctx->reseed_counter >= dctx->reseed_interval)
  333. dctx->status = DRBG_STATUS_RESEED;
  334. else
  335. dctx->reseed_counter++;
  336. end:
  337. if (r)
  338. {
  339. if (!(dctx->flags & DRBG_FLAG_NOERR))
  340. FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
  341. return 0;
  342. }
  343. return 1;
  344. }
  345. int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
  346. {
  347. int rv;
  348. if (!dctx->uninstantiate)
  349. rv = 1;
  350. else
  351. rv = dctx->uninstantiate(dctx);
  352. /* Although we'd like to cleanse here we can't because we have to
  353. * test the uninstantiate really zeroes the data.
  354. */
  355. memset(&dctx->d, 0, sizeof(dctx->d));
  356. dctx->status = DRBG_STATUS_UNINITIALISED;
  357. /* If method has problems uninstantiating, return error */
  358. return rv;
  359. }
  360. int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
  361. size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
  362. int entropy, size_t min_len, size_t max_len),
  363. void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
  364. size_t entropy_blocklen,
  365. size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
  366. int entropy, size_t min_len, size_t max_len),
  367. void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
  368. {
  369. if (dctx->status != DRBG_STATUS_UNINITIALISED)
  370. return 0;
  371. dctx->entropy_blocklen = entropy_blocklen;
  372. dctx->get_entropy = get_entropy;
  373. dctx->cleanup_entropy = cleanup_entropy;
  374. dctx->get_nonce = get_nonce;
  375. dctx->cleanup_nonce = cleanup_nonce;
  376. return 1;
  377. }
  378. int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
  379. size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
  380. void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
  381. int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
  382. int (*rand_add_cb)(DRBG_CTX *ctx,
  383. const void *buf, int num, double entropy))
  384. {
  385. if (dctx->status != DRBG_STATUS_UNINITIALISED)
  386. return 0;
  387. dctx->get_adin = get_adin;
  388. dctx->cleanup_adin = cleanup_adin;
  389. dctx->rand_seed_cb = rand_seed_cb;
  390. dctx->rand_add_cb = rand_add_cb;
  391. return 1;
  392. }
  393. void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
  394. {
  395. return dctx->app_data;
  396. }
  397. void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
  398. {
  399. dctx->app_data = app_data;
  400. }
  401. size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
  402. {
  403. return dctx->blocklength;
  404. }
  405. int FIPS_drbg_get_strength(DRBG_CTX *dctx)
  406. {
  407. return dctx->strength;
  408. }
  409. void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
  410. {
  411. dctx->health_check_interval = interval;
  412. }
  413. static int drbg_stick = 0;
  414. void FIPS_drbg_stick(void)
  415. {
  416. drbg_stick = 1;
  417. }
  418. /* Continuous DRBG utility function */
  419. int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
  420. {
  421. /* No CPRNG in test mode */
  422. if (dctx->flags & DRBG_FLAG_TEST)
  423. return 1;
  424. /* Check block is valid: should never happen */
  425. if (dctx->lb_valid == 0)
  426. {
  427. FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
  428. fips_set_selftest_fail();
  429. return 0;
  430. }
  431. if (drbg_stick)
  432. memcpy(dctx->lb, out, dctx->blocklength);
  433. /* Check against last block: fail if match */
  434. if (!memcmp(dctx->lb, out, dctx->blocklength))
  435. {
  436. FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
  437. fips_set_selftest_fail();
  438. return 0;
  439. }
  440. /* Save last block for next comparison */
  441. memcpy(dctx->lb, out, dctx->blocklength);
  442. return 1;
  443. }