4c75ee8588
As suggested by Kurt. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/3970)
352 lines
9.8 KiB
C
352 lines
9.8 KiB
C
/*
|
|
* Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <string.h>
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/rand.h>
|
|
#include "rand_lcl.h"
|
|
|
|
/*
|
|
* Support framework for NIST SP 800-90A DRBG, AES-CTR mode.
|
|
*/
|
|
|
|
/*
|
|
* Get entropy from the existing callback. This is mainly used for KATs.
|
|
*/
|
|
static size_t get_entropy(DRBG_CTX *dctx, unsigned char **pout,
|
|
int entropy, size_t min_len, size_t max_len)
|
|
{
|
|
if (dctx->get_entropy != NULL)
|
|
return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
|
|
/* TODO: Get from parent if it exists. */
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Cleanup entropy.
|
|
*/
|
|
static void cleanup_entropy(DRBG_CTX *dctx, unsigned char *out, size_t olen)
|
|
{
|
|
if (dctx->cleanup_entropy != NULL)
|
|
dctx->cleanup_entropy(dctx, out, olen);
|
|
}
|
|
|
|
/*
|
|
* The OpenSSL model is to have new and free functions, and that new
|
|
* does all initialization. That is not the NIST model, which has
|
|
* instantiation and un-instantiate, and re-use within a new/free
|
|
* lifecycle. (No doubt this comes from the desire to support hardware
|
|
* DRBG, where allocation of resources on something like an HSM is
|
|
* a much bigger deal than just re-setting an allocated resource.)
|
|
*
|
|
* The DRBG_CTX is OpenSSL's opaque pointer to an instance of the
|
|
* DRBG.
|
|
*/
|
|
|
|
/*
|
|
* Set/initialize |dctx| to be of type |nid|, with optional |flags|.
|
|
* Return -2 if the type is not supported, 1 on success and -1 on
|
|
* failure.
|
|
*/
|
|
int RAND_DRBG_set(DRBG_CTX *dctx, int nid, unsigned int flags)
|
|
{
|
|
int ret = 1;
|
|
|
|
dctx->status = DRBG_STATUS_UNINITIALISED;
|
|
dctx->flags = flags;
|
|
dctx->nid = nid;
|
|
|
|
switch (nid) {
|
|
default:
|
|
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
|
|
return -2;
|
|
case 0:
|
|
/* Uninitialized; that's okay. */
|
|
return 1;
|
|
case NID_aes_128_ctr:
|
|
case NID_aes_192_ctr:
|
|
case NID_aes_256_ctr:
|
|
ret = ctr_init(dctx);
|
|
break;
|
|
}
|
|
|
|
if (ret < 0)
|
|
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Allocate memory and initialize a new DRBG. The |parent|, if not
|
|
* NULL, will be used to auto-seed this DRBG_CTX as needed.
|
|
*/
|
|
DRBG_CTX *RAND_DRBG_new(int type, unsigned int flags, DRBG_CTX *parent)
|
|
{
|
|
DRBG_CTX *dctx = OPENSSL_zalloc(sizeof(*dctx));
|
|
|
|
if (dctx == NULL) {
|
|
RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
|
|
return NULL;
|
|
}
|
|
|
|
dctx->parent = parent;
|
|
if (RAND_DRBG_set(dctx, type, flags) < 0) {
|
|
OPENSSL_free(dctx);
|
|
return NULL;
|
|
}
|
|
return dctx;
|
|
}
|
|
|
|
/*
|
|
* Uninstantiate |dctx| and free all memory.
|
|
*/
|
|
void RAND_DRBG_free(DRBG_CTX *dctx)
|
|
{
|
|
if (dctx == NULL)
|
|
return;
|
|
|
|
ctr_uninstantiate(dctx);
|
|
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, dctx, &dctx->ex_data);
|
|
|
|
/* Don't free up default DRBG */
|
|
if (dctx == RAND_DRBG_get_default()) {
|
|
memset(dctx, 0, sizeof(DRBG_CTX));
|
|
dctx->nid = 0;
|
|
dctx->status = DRBG_STATUS_UNINITIALISED;
|
|
} else {
|
|
OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
|
|
OPENSSL_free(dctx);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Instantiate |dctx|, after it has been initialized. Use |pers| and
|
|
* |perslen| as prediction-resistance input.
|
|
*/
|
|
int RAND_DRBG_instantiate(DRBG_CTX *dctx,
|
|
const unsigned char *pers, size_t perslen)
|
|
{
|
|
size_t entlen = 0, noncelen = 0;
|
|
unsigned char *nonce = NULL, *entropy = NULL;
|
|
int r = 0;
|
|
|
|
if (perslen > dctx->max_pers) {
|
|
r = RAND_R_PERSONALISATION_STRING_TOO_LONG;
|
|
goto end;
|
|
}
|
|
if (dctx->status != DRBG_STATUS_UNINITIALISED) {
|
|
r = dctx->status == DRBG_STATUS_ERROR ? RAND_R_IN_ERROR_STATE
|
|
: RAND_R_ALREADY_INSTANTIATED;
|
|
goto end;
|
|
}
|
|
|
|
dctx->status = DRBG_STATUS_ERROR;
|
|
entlen = get_entropy(dctx, &entropy, dctx->strength,
|
|
dctx->min_entropy, dctx->max_entropy);
|
|
if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
|
|
r = RAND_R_ERROR_RETRIEVING_ENTROPY;
|
|
goto end;
|
|
}
|
|
|
|
if (dctx->max_nonce > 0 && dctx->get_nonce != NULL) {
|
|
noncelen = dctx->get_nonce(dctx, &nonce,
|
|
dctx->strength / 2,
|
|
dctx->min_nonce, dctx->max_nonce);
|
|
|
|
if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
|
|
r = RAND_R_ERROR_RETRIEVING_NONCE;
|
|
goto end;
|
|
}
|
|
}
|
|
|
|
if (!ctr_instantiate(dctx, entropy, entlen,
|
|
nonce, noncelen, pers, perslen)) {
|
|
r = RAND_R_ERROR_INSTANTIATING_DRBG;
|
|
goto end;
|
|
}
|
|
|
|
dctx->status = DRBG_STATUS_READY;
|
|
dctx->reseed_counter = 1;
|
|
|
|
end:
|
|
if (entropy != NULL && dctx->cleanup_entropy != NULL)
|
|
dctx->cleanup_entropy(dctx, entropy, entlen);
|
|
if (nonce != NULL && dctx->cleanup_nonce!= NULL )
|
|
dctx->cleanup_nonce(dctx, nonce, noncelen);
|
|
if (dctx->status == DRBG_STATUS_READY)
|
|
return 1;
|
|
|
|
if (r)
|
|
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, r);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Uninstantiate |dctx|. Must be instantiated before it can be used.
|
|
*/
|
|
int RAND_DRBG_uninstantiate(DRBG_CTX *dctx)
|
|
{
|
|
int ret = ctr_uninstantiate(dctx);
|
|
|
|
OPENSSL_cleanse(&dctx->ctr, sizeof(dctx->ctr));
|
|
dctx->status = DRBG_STATUS_UNINITIALISED;
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Mix in the specified data to reseed |dctx|.
|
|
*/
|
|
int RAND_DRBG_reseed(DRBG_CTX *dctx,
|
|
const unsigned char *adin, size_t adinlen)
|
|
{
|
|
unsigned char *entropy = NULL;
|
|
size_t entlen = 0;
|
|
int r = 0;
|
|
|
|
if (dctx->status != DRBG_STATUS_READY
|
|
&& dctx->status != DRBG_STATUS_RESEED) {
|
|
if (dctx->status == DRBG_STATUS_ERROR)
|
|
r = RAND_R_IN_ERROR_STATE;
|
|
else if (dctx->status == DRBG_STATUS_UNINITIALISED)
|
|
r = RAND_R_NOT_INSTANTIATED;
|
|
goto end;
|
|
}
|
|
|
|
if (adin == NULL)
|
|
adinlen = 0;
|
|
else if (adinlen > dctx->max_adin) {
|
|
r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
|
|
goto end;
|
|
}
|
|
|
|
dctx->status = DRBG_STATUS_ERROR;
|
|
entlen = get_entropy(dctx, &entropy, dctx->strength,
|
|
dctx->min_entropy, dctx->max_entropy);
|
|
|
|
if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
|
|
r = RAND_R_ERROR_RETRIEVING_ENTROPY;
|
|
goto end;
|
|
}
|
|
|
|
if (!ctr_reseed(dctx, entropy, entlen, adin, adinlen))
|
|
goto end;
|
|
dctx->status = DRBG_STATUS_READY;
|
|
dctx->reseed_counter = 1;
|
|
|
|
end:
|
|
if (entropy != NULL && dctx->cleanup_entropy != NULL)
|
|
cleanup_entropy(dctx, entropy, entlen);
|
|
if (dctx->status == DRBG_STATUS_READY)
|
|
return 1;
|
|
if (r)
|
|
RANDerr(RAND_F_RAND_DRBG_RESEED, r);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Generate |outlen| bytes into the buffer at |out|. Reseed if we need
|
|
* to or if |prediction_resistance| is set. Additional input can be
|
|
* sent in |adin| and |adinlen|.
|
|
*/
|
|
int RAND_DRBG_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
|
int prediction_resistance,
|
|
const unsigned char *adin, size_t adinlen)
|
|
{
|
|
int r = 0;
|
|
|
|
if (dctx->status != DRBG_STATUS_READY
|
|
&& dctx->status != DRBG_STATUS_RESEED) {
|
|
if (dctx->status == DRBG_STATUS_ERROR)
|
|
r = RAND_R_IN_ERROR_STATE;
|
|
else if(dctx->status == DRBG_STATUS_UNINITIALISED)
|
|
r = RAND_R_NOT_INSTANTIATED;
|
|
goto end;
|
|
}
|
|
|
|
if (outlen > dctx->max_request) {
|
|
r = RAND_R_REQUEST_TOO_LARGE_FOR_DRBG;
|
|
return 0;
|
|
}
|
|
if (adinlen > dctx->max_adin) {
|
|
r = RAND_R_ADDITIONAL_INPUT_TOO_LONG;
|
|
goto end;
|
|
}
|
|
|
|
if (dctx->reseed_counter >= dctx->reseed_interval)
|
|
dctx->status = DRBG_STATUS_RESEED;
|
|
|
|
if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
|
|
if (!RAND_DRBG_reseed(dctx, adin, adinlen)) {
|
|
r = RAND_R_RESEED_ERROR;
|
|
goto end;
|
|
}
|
|
adin = NULL;
|
|
adinlen = 0;
|
|
}
|
|
|
|
if (!ctr_generate(dctx, out, outlen, adin, adinlen)) {
|
|
r = RAND_R_GENERATE_ERROR;
|
|
dctx->status = DRBG_STATUS_ERROR;
|
|
goto end;
|
|
}
|
|
if (dctx->reseed_counter >= dctx->reseed_interval)
|
|
dctx->status = DRBG_STATUS_RESEED;
|
|
else
|
|
dctx->reseed_counter++;
|
|
return 1;
|
|
|
|
end:
|
|
RANDerr(RAND_F_RAND_DRBG_GENERATE, r);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Set the callbacks for entropy and nonce. Used mainly for the KATs
|
|
*/
|
|
int RAND_DRBG_set_callbacks(DRBG_CTX *dctx,
|
|
size_t (*cb_get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
|
|
int entropy, size_t min_len, size_t max_len),
|
|
void (*cb_cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
|
|
size_t (*cb_get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
|
|
int entropy, size_t min_len, size_t max_len),
|
|
void (*cb_cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
|
|
{
|
|
if (dctx->status != DRBG_STATUS_UNINITIALISED)
|
|
return 0;
|
|
dctx->get_entropy = cb_get_entropy;
|
|
dctx->cleanup_entropy = cb_cleanup_entropy;
|
|
dctx->get_nonce = cb_get_nonce;
|
|
dctx->cleanup_nonce = cb_cleanup_nonce;
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* Set the reseed interval. Used mainly for the KATs.
|
|
*/
|
|
int RAND_DRBG_set_reseed_interval(DRBG_CTX *dctx, int interval)
|
|
{
|
|
if (interval < 0 || interval > MAX_RESEED)
|
|
return 0;
|
|
dctx->reseed_interval = interval;
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* Get and set the EXDATA
|
|
*/
|
|
int RAND_DRBG_set_ex_data(DRBG_CTX *dctx, int idx, void *arg)
|
|
{
|
|
return CRYPTO_set_ex_data(&dctx->ex_data, idx, arg);
|
|
}
|
|
|
|
void *RAND_DRBG_get_ex_data(const DRBG_CTX *dctx, int idx)
|
|
{
|
|
return CRYPTO_get_ex_data(&dctx->ex_data, idx);
|
|
}
|