2
0

drbg_local.h 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268
  1. /*
  2. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #ifndef OSSL_CRYPTO_PROV_LOCAL_H
  10. # define OSSL_CRYPTO_PROV_LOCAL_H
  11. # include <openssl/evp.h>
  12. # include <openssl/core_dispatch.h>
  13. # include <openssl/core_names.h>
  14. # include <openssl/params.h>
  15. # include "internal/tsan_assist.h"
  16. # include "internal/nelem.h"
  17. # include "internal/numbers.h"
  18. /* How many times to read the TSC as a randomness source. */
  19. # define TSC_READ_COUNT 4
  20. /* Maximum reseed intervals */
  21. # define MAX_RESEED_INTERVAL (1 << 24)
  22. # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */
  23. /* Default reseed intervals */
  24. # define RESEED_INTERVAL (1 << 8)
  25. # define TIME_INTERVAL (60*60) /* 1 hour */
  26. /*
  27. * The number of bytes that constitutes an atomic lump of entropy with respect
  28. * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
  29. * arbitrary, the smaller the value, the less entropy is consumed on first
  30. * read but the higher the probability of the test failing by accident.
  31. *
  32. * The value is in bytes.
  33. */
  34. #define CRNGT_BUFSIZ 16
  35. /*
  36. * Maximum input size for the DRBG (entropy, nonce, personalization string)
  37. *
  38. * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
  39. *
  40. * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
  41. */
  42. # define DRBG_MAX_LENGTH INT32_MAX
  43. /* The default nonce */
  44. #ifdef CHARSET_EBCDIC
  45. # define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \
  46. 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \
  47. 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00};
  48. #else
  49. # define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
  50. #endif
  51. typedef struct prov_drbg_st PROV_DRBG;
  52. /* DRBG status values */
  53. typedef enum drbg_status_e {
  54. DRBG_UNINITIALISED,
  55. DRBG_READY,
  56. DRBG_ERROR
  57. } DRBG_STATUS;
  58. /*
  59. * The state of all types of DRBGs.
  60. */
  61. struct prov_drbg_st {
  62. CRYPTO_RWLOCK *lock;
  63. void *provctx;
  64. /* Virtual functions are cache here */
  65. int (*instantiate)(PROV_DRBG *drbg,
  66. const unsigned char *entropy, size_t entropylen,
  67. const unsigned char *nonce, size_t noncelen,
  68. const unsigned char *pers, size_t perslen);
  69. int (*uninstantiate)(PROV_DRBG *ctx);
  70. int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
  71. const unsigned char *adin, size_t adin_len);
  72. int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
  73. const unsigned char *adin, size_t adin_len);
  74. /* Parent PROV_RAND and its dispatch table functions */
  75. void *parent;
  76. OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking;
  77. OSSL_FUNC_rand_lock_fn *parent_lock;
  78. OSSL_FUNC_rand_unlock_fn *parent_unlock;
  79. OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params;
  80. OSSL_FUNC_rand_generate_fn *parent_generate;
  81. OSSL_FUNC_rand_nonce_fn *parent_nonce;
  82. const OSSL_DISPATCH *parent_dispatch;
  83. /*
  84. * Stores the return value of openssl_get_fork_id() as of when we last
  85. * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
  86. * openssl_get_fork_id(). Used to provide fork-safety and reseed this
  87. * DRBG in the child process.
  88. */
  89. int fork_id;
  90. unsigned short flags; /* various external flags */
  91. /*
  92. * The random_data is used by PROV_add()/drbg_add() to attach random
  93. * data to the global drbg, such that the rand_drbg_get_entropy() callback
  94. * can pull it during instantiation and reseeding. This is necessary to
  95. * reconcile the different philosophies of the PROV and the PROV_DRBG
  96. * with respect to how randomness is added to the RNG during reseeding
  97. * (see PR #4328).
  98. */
  99. struct rand_pool_st *seed_pool;
  100. /*
  101. * Auxiliary pool for additional data.
  102. */
  103. struct rand_pool_st *adin_pool;
  104. /*
  105. * The following parameters are setup by the per-type "init" function.
  106. *
  107. * The supported types and their init functions are:
  108. * (1) CTR_DRBG: drbg_ctr_init().
  109. * (2) HMAC_DRBG: drbg_hmac_init().
  110. * (3) HASH_DRBG: drbg_hash_init().
  111. *
  112. * The parameters are closely related to the ones described in
  113. * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
  114. * crucial difference: In the NIST standard, all counts are given
  115. * in bits, whereas in OpenSSL entropy counts are given in bits
  116. * and buffer lengths are given in bytes.
  117. *
  118. * Since this difference has lead to some confusion in the past,
  119. * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
  120. * the 'len' suffix has been added to all buffer sizes for
  121. * clarification.
  122. */
  123. unsigned int strength;
  124. size_t max_request;
  125. size_t min_entropylen, max_entropylen;
  126. size_t min_noncelen, max_noncelen;
  127. size_t max_perslen, max_adinlen;
  128. /*
  129. * Counts the number of generate requests since the last reseed
  130. * (Starts at 1). This value is the reseed_counter as defined in
  131. * NIST SP 800-90Ar1
  132. */
  133. unsigned int reseed_gen_counter;
  134. /*
  135. * Maximum number of generate requests until a reseed is required.
  136. * This value is ignored if it is zero.
  137. */
  138. unsigned int reseed_interval;
  139. /* Stores the time when the last reseeding occurred */
  140. time_t reseed_time;
  141. /*
  142. * Specifies the maximum time interval (in seconds) between reseeds.
  143. * This value is ignored if it is zero.
  144. */
  145. time_t reseed_time_interval;
  146. /*
  147. * Counts the number of reseeds since instantiation.
  148. * This value is ignored if it is zero.
  149. *
  150. * This counter is used only for seed propagation from the <master> DRBG
  151. * to its two children, the <public> and <private> DRBG. This feature is
  152. * very special and its sole purpose is to ensure that any randomness which
  153. * is added by PROV_add() or PROV_seed() will have an immediate effect on
  154. * the output of PROV_bytes() resp. PROV_priv_bytes().
  155. */
  156. TSAN_QUALIFIER unsigned int reseed_counter;
  157. unsigned int reseed_next_counter;
  158. unsigned int parent_reseed_counter;
  159. size_t seedlen;
  160. DRBG_STATUS state;
  161. /* DRBG specific data */
  162. void *data;
  163. /* Entropy and nonce gathering callbacks */
  164. void *callback_arg;
  165. OSSL_INOUT_CALLBACK *get_entropy_fn;
  166. OSSL_CALLBACK *cleanup_entropy_fn;
  167. OSSL_INOUT_CALLBACK *get_nonce_fn;
  168. OSSL_CALLBACK *cleanup_nonce_fn;
  169. };
  170. PROV_DRBG *prov_rand_drbg_new
  171. (void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch,
  172. int (*dnew)(PROV_DRBG *ctx),
  173. int (*instantiate)(PROV_DRBG *drbg,
  174. const unsigned char *entropy, size_t entropylen,
  175. const unsigned char *nonce, size_t noncelen,
  176. const unsigned char *pers, size_t perslen),
  177. int (*uninstantiate)(PROV_DRBG *ctx),
  178. int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
  179. const unsigned char *adin, size_t adin_len),
  180. int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
  181. const unsigned char *adin, size_t adin_len));
  182. void prov_rand_drbg_free(PROV_DRBG *drbg);
  183. int PROV_DRBG_instantiate(PROV_DRBG *drbg, unsigned int strength,
  184. int prediction_resistance,
  185. const unsigned char *pers, size_t perslen);
  186. int PROV_DRBG_uninstantiate(PROV_DRBG *drbg);
  187. int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
  188. const unsigned char *ent, size_t ent_len,
  189. const unsigned char *adin, size_t adinlen);
  190. int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
  191. unsigned int strength, int prediction_resistance,
  192. const unsigned char *adin, size_t adinlen);
  193. /* Verify that an array of numeric values is all zero */
  194. #define PROV_DRBG_VERYIFY_ZEROIZATION(v) \
  195. { \
  196. size_t i; \
  197. \
  198. for (i = 0; i < OSSL_NELEM(v); i++) \
  199. if ((v)[i] != 0) \
  200. return 0; \
  201. }
  202. /* locking api */
  203. OSSL_FUNC_rand_enable_locking_fn drbg_enable_locking;
  204. OSSL_FUNC_rand_lock_fn drbg_lock;
  205. OSSL_FUNC_rand_unlock_fn drbg_unlock;
  206. /* Common parameters for all of our DRBGs */
  207. int drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]);
  208. int drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]);
  209. #define OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON \
  210. OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \
  211. OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL)
  212. #define OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON \
  213. OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), \
  214. OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), \
  215. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_REQUEST, NULL), \
  216. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_ENTROPYLEN, NULL), \
  217. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ENTROPYLEN, NULL), \
  218. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_NONCELEN, NULL), \
  219. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_NONCELEN, NULL), \
  220. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_PERSLEN, NULL), \
  221. OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ADINLEN, NULL), \
  222. OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_CTR, NULL), \
  223. OSSL_PARAM_time_t(OSSL_DRBG_PARAM_RESEED_TIME, NULL), \
  224. OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \
  225. OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL)
  226. /* Continuous test "entropy" calls */
  227. size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
  228. unsigned char **pout,
  229. int entropy, size_t min_len, size_t max_len,
  230. int prediction_resistance);
  231. void prov_crngt_cleanup_entropy(PROV_DRBG *drbg,
  232. unsigned char *out, size_t outlen);
  233. #endif