fips_rand.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432
  1. /* ====================================================================
  2. * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * 1. Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. *
  11. * 2. Redistributions in binary form must reproduce the above copyright
  12. * notice, this list of conditions and the following disclaimer in
  13. * the documentation and/or other materials provided with the
  14. * distribution.
  15. *
  16. * 3. All advertising materials mentioning features or use of this
  17. * software must display the following acknowledgment:
  18. * "This product includes software developed by the OpenSSL Project
  19. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20. *
  21. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22. * endorse or promote products derived from this software without
  23. * prior written permission. For written permission, please contact
  24. * openssl-core@openssl.org.
  25. *
  26. * 5. Products derived from this software may not be called "OpenSSL"
  27. * nor may "OpenSSL" appear in their names without prior written
  28. * permission of the OpenSSL Project.
  29. *
  30. * 6. Redistributions of any form whatsoever must retain the following
  31. * acknowledgment:
  32. * "This product includes software developed by the OpenSSL Project
  33. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34. *
  35. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46. * OF THE POSSIBILITY OF SUCH DAMAGE.
  47. *
  48. */
  49. #define OPENSSL_FIPSAPI
  50. /*
  51. * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
  52. */
  53. #include <openssl/crypto.h>
  54. #include "e_os.h"
  55. /* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
  56. be defined and gettimeofday() won't be declared with strict compilers
  57. like DEC C in ANSI C mode. */
  58. #ifndef _XOPEN_SOURCE_EXTENDED
  59. #define _XOPEN_SOURCE_EXTENDED 1
  60. #endif
  61. #include <openssl/rand.h>
  62. #include <openssl/aes.h>
  63. #include <openssl/err.h>
  64. #include <openssl/fips_rand.h>
  65. #if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
  66. # include <sys/time.h>
  67. #endif
  68. #if defined(OPENSSL_SYS_VXWORKS)
  69. # include <time.h>
  70. #endif
  71. #include <assert.h>
  72. #ifndef OPENSSL_SYS_WIN32
  73. # ifdef OPENSSL_UNISTD
  74. # include OPENSSL_UNISTD
  75. # else
  76. # include <unistd.h>
  77. # endif
  78. #endif
  79. #include <string.h>
  80. #include <openssl/fips.h>
  81. #include "fips_locl.h"
  82. #ifdef OPENSSL_FIPS
  83. void *OPENSSL_stderr(void);
  84. #define AES_BLOCK_LENGTH 16
  85. /* AES FIPS PRNG implementation */
  86. typedef struct
  87. {
  88. int seeded;
  89. int keyed;
  90. int test_mode;
  91. int second;
  92. int error;
  93. unsigned long counter;
  94. AES_KEY ks;
  95. int vpos;
  96. /* Temporary storage for key if it equals seed length */
  97. unsigned char tmp_key[AES_BLOCK_LENGTH];
  98. unsigned char V[AES_BLOCK_LENGTH];
  99. unsigned char DT[AES_BLOCK_LENGTH];
  100. unsigned char last[AES_BLOCK_LENGTH];
  101. } FIPS_PRNG_CTX;
  102. static FIPS_PRNG_CTX sctx;
  103. static int fips_prng_fail = 0;
  104. void FIPS_x931_stick(void)
  105. {
  106. fips_prng_fail = 1;
  107. }
  108. static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
  109. {
  110. ctx->seeded = 0;
  111. ctx->keyed = 0;
  112. ctx->test_mode = 0;
  113. ctx->counter = 0;
  114. ctx->second = 0;
  115. ctx->error = 0;
  116. ctx->vpos = 0;
  117. OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
  118. OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
  119. }
  120. static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
  121. const unsigned char *key, unsigned int keylen)
  122. {
  123. if (FIPS_selftest_failed())
  124. {
  125. FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
  126. return 0;
  127. }
  128. if (keylen != 16 && keylen != 24 && keylen != 32)
  129. {
  130. /* error: invalid key size */
  131. return 0;
  132. }
  133. AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
  134. if (keylen == 16)
  135. {
  136. memcpy(ctx->tmp_key, key, 16);
  137. ctx->keyed = 2;
  138. }
  139. else
  140. ctx->keyed = 1;
  141. ctx->seeded = 0;
  142. ctx->second = 0;
  143. return 1;
  144. }
  145. static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
  146. const unsigned char *seed, unsigned int seedlen)
  147. {
  148. unsigned int i;
  149. if (!ctx->keyed)
  150. return 0;
  151. /* In test mode seed is just supplied data */
  152. if (ctx->test_mode)
  153. {
  154. if (seedlen != AES_BLOCK_LENGTH)
  155. return 0;
  156. memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
  157. ctx->seeded = 1;
  158. return 1;
  159. }
  160. /* Outside test mode XOR supplied data with existing seed */
  161. for (i = 0; i < seedlen; i++)
  162. {
  163. ctx->V[ctx->vpos++] ^= seed[i];
  164. if (ctx->vpos == AES_BLOCK_LENGTH)
  165. {
  166. ctx->vpos = 0;
  167. /* Special case if first seed and key length equals
  168. * block size check key and seed do not match.
  169. */
  170. if (ctx->keyed == 2)
  171. {
  172. if (!memcmp(ctx->tmp_key, ctx->V, 16))
  173. {
  174. RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
  175. RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
  176. return 0;
  177. }
  178. OPENSSL_cleanse(ctx->tmp_key, 16);
  179. ctx->keyed = 1;
  180. }
  181. ctx->seeded = 1;
  182. }
  183. }
  184. return 1;
  185. }
  186. static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
  187. {
  188. if (ctx->keyed)
  189. {
  190. RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
  191. return 0;
  192. }
  193. ctx->test_mode = 1;
  194. return 1;
  195. }
  196. int FIPS_x931_test_mode(void)
  197. {
  198. return fips_set_test_mode(&sctx);
  199. }
  200. int FIPS_x931_set_dt(unsigned char *dt)
  201. {
  202. if (!sctx.test_mode)
  203. {
  204. RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
  205. return 0;
  206. }
  207. memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
  208. return 1;
  209. }
  210. void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
  211. {
  212. #ifdef OPENSSL_SYS_WIN32
  213. FILETIME ft;
  214. #elif defined(OPENSSL_SYS_VXWORKS)
  215. struct timespec ts;
  216. #else
  217. struct timeval tv;
  218. #endif
  219. #ifndef GETPID_IS_MEANINGLESS
  220. unsigned long pid;
  221. #endif
  222. #ifdef OPENSSL_SYS_WIN32
  223. GetSystemTimeAsFileTime(&ft);
  224. buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
  225. buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
  226. buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
  227. buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
  228. buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
  229. buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
  230. buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
  231. buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
  232. #elif defined(OPENSSL_SYS_VXWORKS)
  233. clock_gettime(CLOCK_REALTIME, &ts);
  234. buf[0] = (unsigned char) (ts.tv_sec & 0xff);
  235. buf[1] = (unsigned char) ((ts.tv_sec >> 8) & 0xff);
  236. buf[2] = (unsigned char) ((ts.tv_sec >> 16) & 0xff);
  237. buf[3] = (unsigned char) ((ts.tv_sec >> 24) & 0xff);
  238. buf[4] = (unsigned char) (ts.tv_nsec & 0xff);
  239. buf[5] = (unsigned char) ((ts.tv_nsec >> 8) & 0xff);
  240. buf[6] = (unsigned char) ((ts.tv_nsec >> 16) & 0xff);
  241. buf[7] = (unsigned char) ((ts.tv_nsec >> 24) & 0xff);
  242. #else
  243. gettimeofday(&tv,NULL);
  244. buf[0] = (unsigned char) (tv.tv_sec & 0xff);
  245. buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
  246. buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
  247. buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
  248. buf[4] = (unsigned char) (tv.tv_usec & 0xff);
  249. buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
  250. buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
  251. buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
  252. #endif
  253. buf[8] = (unsigned char) (*pctr & 0xff);
  254. buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
  255. buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
  256. buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
  257. (*pctr)++;
  258. #ifndef GETPID_IS_MEANINGLESS
  259. pid=(unsigned long)getpid();
  260. buf[12] = (unsigned char) (pid & 0xff);
  261. buf[13] = (unsigned char) ((pid >> 8) & 0xff);
  262. buf[14] = (unsigned char) ((pid >> 16) & 0xff);
  263. buf[15] = (unsigned char) ((pid >> 24) & 0xff);
  264. #endif
  265. }
  266. static int fips_rand(FIPS_PRNG_CTX *ctx,
  267. unsigned char *out, unsigned int outlen)
  268. {
  269. unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
  270. unsigned char tmp[AES_BLOCK_LENGTH];
  271. int i;
  272. if (ctx->error)
  273. {
  274. RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
  275. return 0;
  276. }
  277. if (!ctx->keyed)
  278. {
  279. RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
  280. return 0;
  281. }
  282. if (!ctx->seeded)
  283. {
  284. RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
  285. return 0;
  286. }
  287. for (;;)
  288. {
  289. if (!ctx->test_mode)
  290. FIPS_get_timevec(ctx->DT, &ctx->counter);
  291. AES_encrypt(ctx->DT, I, &ctx->ks);
  292. for (i = 0; i < AES_BLOCK_LENGTH; i++)
  293. tmp[i] = I[i] ^ ctx->V[i];
  294. AES_encrypt(tmp, R, &ctx->ks);
  295. for (i = 0; i < AES_BLOCK_LENGTH; i++)
  296. tmp[i] = R[i] ^ I[i];
  297. AES_encrypt(tmp, ctx->V, &ctx->ks);
  298. /* Continuous PRNG test */
  299. if (ctx->second)
  300. {
  301. if (fips_prng_fail)
  302. memcpy(ctx->last, R, AES_BLOCK_LENGTH);
  303. if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
  304. {
  305. RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
  306. ctx->error = 1;
  307. fips_set_selftest_fail();
  308. return 0;
  309. }
  310. }
  311. memcpy(ctx->last, R, AES_BLOCK_LENGTH);
  312. if (!ctx->second)
  313. {
  314. ctx->second = 1;
  315. if (!ctx->test_mode)
  316. continue;
  317. }
  318. if (outlen <= AES_BLOCK_LENGTH)
  319. {
  320. memcpy(out, R, outlen);
  321. break;
  322. }
  323. memcpy(out, R, AES_BLOCK_LENGTH);
  324. out += AES_BLOCK_LENGTH;
  325. outlen -= AES_BLOCK_LENGTH;
  326. }
  327. return 1;
  328. }
  329. int FIPS_x931_set_key(const unsigned char *key, int keylen)
  330. {
  331. int ret;
  332. CRYPTO_w_lock(CRYPTO_LOCK_RAND);
  333. ret = fips_set_prng_key(&sctx, key, keylen);
  334. CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
  335. return ret;
  336. }
  337. int FIPS_x931_seed(const void *seed, int seedlen)
  338. {
  339. int ret;
  340. CRYPTO_w_lock(CRYPTO_LOCK_RAND);
  341. ret = fips_set_prng_seed(&sctx, seed, seedlen);
  342. CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
  343. return ret;
  344. }
  345. int FIPS_x931_bytes(unsigned char *out, int count)
  346. {
  347. int ret;
  348. CRYPTO_w_lock(CRYPTO_LOCK_RAND);
  349. ret = fips_rand(&sctx, out, count);
  350. CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
  351. return ret;
  352. }
  353. int FIPS_x931_status(void)
  354. {
  355. int ret;
  356. CRYPTO_r_lock(CRYPTO_LOCK_RAND);
  357. ret = sctx.seeded;
  358. CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
  359. return ret;
  360. }
  361. void FIPS_x931_reset(void)
  362. {
  363. CRYPTO_w_lock(CRYPTO_LOCK_RAND);
  364. fips_rand_prng_reset(&sctx);
  365. CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
  366. }
  367. static int fips_do_rand_seed(const void *seed, int seedlen)
  368. {
  369. FIPS_x931_seed(seed, seedlen);
  370. return 1;
  371. }
  372. static int fips_do_rand_add(const void *seed, int seedlen,
  373. double add_entropy)
  374. {
  375. FIPS_x931_seed(seed, seedlen);
  376. return 1;
  377. }
  378. static const RAND_METHOD rand_x931_meth=
  379. {
  380. fips_do_rand_seed,
  381. FIPS_x931_bytes,
  382. FIPS_x931_reset,
  383. fips_do_rand_add,
  384. FIPS_x931_bytes,
  385. FIPS_x931_status
  386. };
  387. const RAND_METHOD *FIPS_x931_method(void)
  388. {
  389. return &rand_x931_meth;
  390. }
  391. #endif