Coverage Report

Created: 2024-11-21 07:03

/src/openssl/providers/implementations/rands/drbg.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2011-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <string.h>
11
#include <openssl/crypto.h>
12
#include <openssl/err.h>
13
#include <openssl/rand.h>
14
#include <openssl/evp.h>
15
#include "crypto/rand.h"
16
#include <openssl/proverr.h>
17
#include "drbg_local.h"
18
#include "internal/thread_once.h"
19
#include "crypto/cryptlib.h"
20
#include "prov/seeding.h"
21
#include "crypto/rand_pool.h"
22
#include "prov/provider_ctx.h"
23
#include "prov/providercommon.h"
24
#include "crypto/context.h"
25
26
/*
27
 * Support framework for NIST SP 800-90A DRBG
28
 *
29
 * See manual page PROV_DRBG(7) for a general overview.
30
 *
31
 * The OpenSSL model is to have new and free functions, and that new
32
 * does all initialization.  That is not the NIST model, which has
33
 * instantiation and un-instantiate, and reuse within a new/free
34
 * lifecycle.  (No doubt this comes from the desire to support hardware
35
 * DRBG, where allocation of resources on something like an HSM is
36
 * a much bigger deal than just re-setting an allocated resource.)
37
 */
38
39
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
40
static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
41
42
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
43
                                      int function);
44
45
static int rand_drbg_restart(PROV_DRBG *drbg);
46
47
/*
48
 * We interpret a call to this function as a hint only and ignore it. This
49
 * occurs when the EVP layer thinks we should do some locking. In practice
50
 * however we manage for ourselves when we take a lock or not on the basis
51
 * of whether drbg->lock is present or not.
52
 */
53
int ossl_drbg_lock(void *vctx)
54
251k
{
55
251k
    return 1;
56
251k
}
57
58
/* Interpreted as a hint only and ignored as for ossl_drbg_lock() */
59
void ossl_drbg_unlock(void *vctx)
60
251k
{
61
251k
}
62
63
static int ossl_drbg_lock_parent(PROV_DRBG *drbg)
64
125k
{
65
125k
    void *parent = drbg->parent;
66
67
125k
    if (parent != NULL
68
125k
            && drbg->parent_lock != NULL
69
125k
            && !drbg->parent_lock(parent)) {
70
0
        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
71
0
        return 0;
72
0
    }
73
125k
    return 1;
74
125k
}
75
76
static void ossl_drbg_unlock_parent(PROV_DRBG *drbg)
77
125k
{
78
125k
    void *parent = drbg->parent;
79
80
125k
    if (parent != NULL && drbg->parent_unlock != NULL)
81
125k
        drbg->parent_unlock(parent);
82
125k
}
83
84
static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)
85
12
{
86
12
    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
87
12
    void *parent = drbg->parent;
88
12
    int res;
89
90
12
    if (drbg->parent_get_ctx_params == NULL) {
91
0
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
92
0
        return 0;
93
0
    }
94
95
12
    *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);
96
12
    if (!ossl_drbg_lock_parent(drbg)) {
97
0
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
98
0
        return 0;
99
0
    }
100
12
    res = drbg->parent_get_ctx_params(parent, params);
101
12
    ossl_drbg_unlock_parent(drbg);
102
12
    if (!res) {
103
0
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);
104
0
        return 0;
105
0
    }
106
12
    return 1;
107
12
}
108
109
static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)
110
125k
{
111
125k
    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
112
125k
    void *parent = drbg->parent;
113
125k
    unsigned int r = 0;
114
115
125k
    *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r);
116
125k
    if (!ossl_drbg_lock_parent(drbg)) {
117
0
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);
118
0
        goto err;
119
0
    }
120
125k
    if (!drbg->parent_get_ctx_params(parent, params))
121
0
        r = 0;
122
125k
    ossl_drbg_unlock_parent(drbg);
123
125k
    return r;
124
125
0
 err:
126
0
    r = tsan_load(&drbg->reseed_counter) - 2;
127
0
    if (r == 0)
128
0
        r = UINT_MAX;
129
0
    return r;
130
125k
}
131
132
/*
133
 * Implements the get_entropy() callback
134
 *
135
 * If the DRBG has a parent, then the required amount of entropy input
136
 * is fetched using the parent's ossl_prov_drbg_generate().
137
 *
138
 * Otherwise, the entropy is polled from the system entropy sources
139
 * using ossl_pool_acquire_entropy().
140
 *
141
 * If a random pool has been added to the DRBG using RAND_add(), then
142
 * its entropy will be used up first.
143
 */
144
size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout,
145
                          int entropy, size_t min_len,
146
                          size_t max_len, int prediction_resistance,
147
                          const unsigned char *adin, size_t adin_len)
148
6
{
149
6
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
150
6
    size_t bytes_needed;
151
6
    unsigned char *buffer;
152
153
    /* Figure out how many bytes we need */
154
6
    bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;
155
6
    if (bytes_needed < min_len)
156
2
        bytes_needed = min_len;
157
6
    if (bytes_needed > max_len)
158
0
        bytes_needed = max_len;
159
160
    /* Allocate storage */
161
6
    buffer = OPENSSL_secure_malloc(bytes_needed);
162
6
    if (buffer == NULL)
163
0
        return 0;
164
165
    /*
166
     * Get random data.  Include our DRBG address as
167
     * additional input, in order to provide a distinction between
168
     * different DRBG child instances.
169
     *
170
     * Note: using the sizeof() operator on a pointer triggers
171
     *       a warning in some static code analyzers, but it's
172
     *       intentional and correct here.
173
     */
174
6
    if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed,
175
6
                                 drbg->strength, prediction_resistance,
176
6
                                 (unsigned char *)&drbg, sizeof(drbg))) {
177
0
        OPENSSL_secure_clear_free(buffer, bytes_needed);
178
0
        ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
179
0
        return 0;
180
0
    }
181
6
    *pout = buffer;
182
6
    return bytes_needed;
183
6
}
184
185
/* Implements the cleanup_entropy() callback */
186
void ossl_drbg_clear_seed(ossl_unused void *vdrbg,
187
                          unsigned char *out, size_t outlen)
188
6
{
189
6
    OPENSSL_secure_clear_free(out, outlen);
190
6
}
191
192
static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
193
                          size_t min_len, size_t max_len,
194
                          int prediction_resistance)
195
8
{
196
8
    size_t bytes;
197
8
    unsigned int p_str;
198
199
8
    if (drbg->parent == NULL)
200
        /*
201
         * In normal use (i.e. OpenSSL's own uses), this is never called.
202
         * This remains purely for legacy reasons.
203
         */
204
0
        return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
205
0
                                     max_len);
206
207
8
    if (drbg->parent_get_seed == NULL) {
208
0
        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
209
0
        return 0;
210
0
    }
211
8
    if (!get_parent_strength(drbg, &p_str))
212
0
        return 0;
213
8
    if (drbg->strength > p_str) {
214
        /*
215
         * We currently don't support the algorithm from NIST SP 800-90C
216
         * 10.1.2 to use a weaker DRBG as source
217
         */
218
0
        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
219
0
        return 0;
220
0
    }
221
222
    /*
223
     * Our lock is already held, but we need to lock our parent before
224
     * generating bits from it.  Note: taking the lock will be a no-op
225
     * if locking is not required (while drbg->parent->lock == NULL).
226
     */
227
8
    if (!ossl_drbg_lock_parent(drbg))
228
0
        return 0;
229
    /*
230
     * Get random data from parent.  Include our DRBG address as
231
     * additional input, in order to provide a distinction between
232
     * different DRBG child instances.
233
     *
234
     * Note: using the sizeof() operator on a pointer triggers
235
     *       a warning in some static code analyzers, but it's
236
     *       intentional and correct here.
237
     */
238
8
    bytes = drbg->parent_get_seed(drbg->parent, pout, drbg->strength,
239
8
                                  min_len, max_len, prediction_resistance,
240
8
                                  (unsigned char *)&drbg, sizeof(drbg));
241
8
    ossl_drbg_unlock_parent(drbg);
242
8
    return bytes;
243
8
}
244
245
static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
246
8
{
247
8
    if (drbg->parent == NULL) {
248
0
        ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
249
8
    } else if (drbg->parent_clear_seed != NULL) {
250
8
        if (!ossl_drbg_lock_parent(drbg))
251
0
            return;
252
8
        drbg->parent_clear_seed(drbg->parent, out, outlen);
253
8
        ossl_drbg_unlock_parent(drbg);
254
8
    }
255
8
}
256
257
#ifndef PROV_RAND_GET_RANDOM_NONCE
258
typedef struct prov_drbg_nonce_global_st {
259
    CRYPTO_RWLOCK *rand_nonce_lock;
260
    int rand_nonce_count;
261
} PROV_DRBG_NONCE_GLOBAL;
262
263
/*
264
 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()
265
 * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since
266
 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock
267
 * to be in a different global data object. Otherwise we will go into an
268
 * infinite recursion loop.
269
 */
270
void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx)
271
4
{
272
4
    PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));
273
274
4
    if (dngbl == NULL)
275
0
        return NULL;
276
277
4
    dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();
278
4
    if (dngbl->rand_nonce_lock == NULL) {
279
0
        OPENSSL_free(dngbl);
280
0
        return NULL;
281
0
    }
282
283
4
    return dngbl;
284
4
}
285
286
void ossl_prov_drbg_nonce_ctx_free(void *vdngbl)
287
4
{
288
4
    PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;
289
290
4
    if (dngbl == NULL)
291
0
        return;
292
293
4
    CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);
294
295
4
    OPENSSL_free(dngbl);
296
4
}
297
298
/* Get a nonce from the operating system */
299
static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout,
300
                                  size_t min_len, size_t max_len)
301
0
{
302
0
    size_t ret = 0, n;
303
0
    unsigned char *buf = NULL;
304
0
    OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
305
0
    PROV_DRBG_NONCE_GLOBAL *dngbl
306
0
        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX);
307
0
    struct {
308
0
        void *drbg;
309
0
        int count;
310
0
    } data;
311
312
0
    if (dngbl == NULL)
313
0
        return 0;
314
315
0
    if (drbg->parent != NULL && drbg->parent_nonce != NULL) {
316
0
        n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,
317
0
                               drbg->max_noncelen);
318
0
        if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {
319
0
            ret = drbg->parent_nonce(drbg->parent, buf, 0,
320
0
                                     drbg->min_noncelen, drbg->max_noncelen);
321
0
            if (ret == n) {
322
0
                *pout = buf;
323
0
                return ret;
324
0
            }
325
0
            OPENSSL_free(buf);
326
0
        }
327
0
    }
328
329
    /* Use the built in nonce source plus some of our specifics */
330
0
    memset(&data, 0, sizeof(data));
331
0
    data.drbg = drbg;
332
0
    if (!CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,
333
0
                           dngbl->rand_nonce_lock))
334
0
        return 0;
335
0
    return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len,
336
0
                               &data, sizeof(data));
337
0
}
338
#endif /* PROV_RAND_GET_RANDOM_NONCE */
339
340
/*
341
 * Instantiate |drbg|, after it has been initialized.  Use |pers| and
342
 * |perslen| as prediction-resistance input.
343
 *
344
 * Requires that drbg->lock is already locked for write, if non-null.
345
 *
346
 * Returns 1 on success, 0 on failure.
347
 */
348
int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
349
                               int prediction_resistance,
350
                               const unsigned char *pers, size_t perslen)
351
4
{
352
4
    unsigned char *nonce = NULL, *entropy = NULL;
353
4
    size_t noncelen = 0, entropylen = 0;
354
4
    size_t min_entropy, min_entropylen, max_entropylen;
355
356
4
    if (strength > drbg->strength) {
357
0
        ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
358
0
        goto end;
359
0
    }
360
4
    min_entropy = drbg->strength;
361
4
    min_entropylen = drbg->min_entropylen;
362
4
    max_entropylen = drbg->max_entropylen;
363
364
4
    if (pers == NULL) {
365
4
        pers = (const unsigned char *)ossl_pers_string;
366
4
        perslen = sizeof(ossl_pers_string);
367
4
    }
368
4
    if (perslen > drbg->max_perslen) {
369
0
        ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG);
370
0
        goto end;
371
0
    }
372
373
4
    if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {
374
0
        if (drbg->state == EVP_RAND_STATE_ERROR)
375
0
            ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
376
0
        else
377
0
            ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED);
378
0
        goto end;
379
0
    }
380
381
4
    drbg->state = EVP_RAND_STATE_ERROR;
382
383
4
    if (drbg->min_noncelen > 0) {
384
4
        if (drbg->parent_nonce != NULL) {
385
0
            noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,
386
0
                                          drbg->min_noncelen,
387
0
                                          drbg->max_noncelen);
388
0
            if (noncelen == 0) {
389
0
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
390
0
                goto end;
391
0
            }
392
0
            nonce = OPENSSL_malloc(noncelen);
393
0
            if (nonce == NULL) {
394
0
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
395
0
                goto end;
396
0
            }
397
0
            if (noncelen != drbg->parent_nonce(drbg->parent, nonce,
398
0
                                               drbg->strength,
399
0
                                               drbg->min_noncelen,
400
0
                                               drbg->max_noncelen)) {
401
0
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
402
0
                goto end;
403
0
            }
404
0
#ifndef PROV_RAND_GET_RANDOM_NONCE
405
4
        } else if (drbg->parent != NULL) {
406
4
#endif
407
            /*
408
             * NIST SP800-90Ar1 section 9.1 says you can combine getting
409
             * the entropy and nonce in 1 call by increasing the entropy
410
             * with 50% and increasing the minimum length to accommodate
411
             * the length of the nonce. We do this in case a nonce is
412
             * required and there is no parental nonce capability.
413
             */
414
4
            min_entropy += drbg->strength / 2;
415
4
            min_entropylen += drbg->min_noncelen;
416
4
            max_entropylen += drbg->max_noncelen;
417
4
        }
418
0
#ifndef PROV_RAND_GET_RANDOM_NONCE
419
0
        else { /* parent == NULL */
420
0
            noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen,
421
0
                                           drbg->max_noncelen);
422
0
            if (noncelen < drbg->min_noncelen
423
0
                    || noncelen > drbg->max_noncelen) {
424
0
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);
425
0
                goto end;
426
0
            }
427
0
        }
428
4
#endif
429
4
    }
430
431
4
    drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
432
4
    if (drbg->reseed_next_counter) {
433
4
        drbg->reseed_next_counter++;
434
4
        if (!drbg->reseed_next_counter)
435
0
            drbg->reseed_next_counter = 1;
436
4
    }
437
438
4
    entropylen = get_entropy(drbg, &entropy, min_entropy,
439
4
                             min_entropylen, max_entropylen,
440
4
                             prediction_resistance);
441
4
    if (entropylen < min_entropylen
442
4
            || entropylen > max_entropylen) {
443
0
        ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
444
0
        goto end;
445
0
    }
446
447
4
    if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,
448
4
                           pers, perslen)) {
449
0
        cleanup_entropy(drbg, entropy, entropylen);
450
0
        ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG);
451
0
        goto end;
452
0
    }
453
4
    cleanup_entropy(drbg, entropy, entropylen);
454
455
4
    drbg->state = EVP_RAND_STATE_READY;
456
4
    drbg->generate_counter = 1;
457
4
    drbg->reseed_time = time(NULL);
458
4
    tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
459
460
4
 end:
461
4
    if (nonce != NULL)
462
0
        ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen);
463
4
    if (drbg->state == EVP_RAND_STATE_READY)
464
4
        return 1;
465
0
    return 0;
466
4
}
467
468
/*
469
 * Uninstantiate |drbg|. Must be instantiated before it can be used.
470
 *
471
 * Requires that drbg->lock is already locked for write, if non-null.
472
 *
473
 * Returns 1 on success, 0 on failure.
474
 */
475
int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg)
476
0
{
477
0
    drbg->state = EVP_RAND_STATE_UNINITIALISED;
478
0
    return 1;
479
0
}
480
481
static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
482
                                          int prediction_resistance,
483
                                          const unsigned char *ent,
484
                                          size_t ent_len,
485
                                          const unsigned char *adin,
486
                                          size_t adinlen)
487
4
{
488
4
    unsigned char *entropy = NULL;
489
4
    size_t entropylen = 0;
490
491
4
    if (!ossl_prov_is_running())
492
0
        return 0;
493
494
4
    if (drbg->state != EVP_RAND_STATE_READY) {
495
        /* try to recover from previous errors */
496
0
        rand_drbg_restart(drbg);
497
498
0
        if (drbg->state == EVP_RAND_STATE_ERROR) {
499
0
            ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
500
0
            return 0;
501
0
        }
502
0
        if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
503
0
            ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
504
0
            return 0;
505
0
        }
506
0
    }
507
508
4
    if (ent != NULL) {
509
0
        if (ent_len < drbg->min_entropylen) {
510
0
            ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE);
511
0
            drbg->state = EVP_RAND_STATE_ERROR;
512
0
            return 0;
513
0
        }
514
0
        if (ent_len > drbg->max_entropylen) {
515
0
            ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);
516
0
            drbg->state = EVP_RAND_STATE_ERROR;
517
0
            return 0;
518
0
        }
519
0
    }
520
521
4
    if (adin == NULL) {
522
4
        adinlen = 0;
523
4
    } else if (adinlen > drbg->max_adinlen) {
524
0
        ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
525
0
        return 0;
526
0
    }
527
528
4
    drbg->state = EVP_RAND_STATE_ERROR;
529
530
4
    drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);
531
4
    if (drbg->reseed_next_counter) {
532
4
        drbg->reseed_next_counter++;
533
4
        if (!drbg->reseed_next_counter)
534
0
            drbg->reseed_next_counter = 1;
535
4
    }
536
537
4
    if (ent != NULL) {
538
#ifdef FIPS_MODULE
539
        /*
540
         * NIST SP-800-90A mandates that entropy *shall not* be provided
541
         * by the consuming application. Instead the data is added as additional
542
         * input.
543
         *
544
         * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)
545
         */
546
        if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {
547
            ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
548
            return 0;
549
        }
550
#else
551
0
        if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {
552
0
            ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);
553
0
            return 0;
554
0
        }
555
        /* There isn't much point adding the same additional input twice */
556
0
        adin = NULL;
557
0
        adinlen = 0;
558
0
#endif
559
0
    }
560
561
    /* Reseed using our sources in addition */
562
4
    entropylen = get_entropy(drbg, &entropy, drbg->strength,
563
4
                             drbg->min_entropylen, drbg->max_entropylen,
564
4
                             prediction_resistance);
565
4
    if (entropylen < drbg->min_entropylen
566
4
            || entropylen > drbg->max_entropylen) {
567
0
        ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);
568
0
        goto end;
569
0
    }
570
571
4
    if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))
572
0
        goto end;
573
574
4
    drbg->state = EVP_RAND_STATE_READY;
575
4
    drbg->generate_counter = 1;
576
4
    drbg->reseed_time = time(NULL);
577
4
    tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);
578
4
    if (drbg->parent != NULL)
579
4
        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
580
581
4
 end:
582
4
    cleanup_entropy(drbg, entropy, entropylen);
583
4
    if (drbg->state == EVP_RAND_STATE_READY)
584
4
        return 1;
585
0
    return 0;
586
4
}
587
588
/*
589
 * Reseed |drbg|, mixing in the specified data
590
 *
591
 * Acquires the drbg->lock for writing, if non-null.
592
 *
593
 * Returns 1 on success, 0 on failure.
594
 */
595
int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
596
                          const unsigned char *ent, size_t ent_len,
597
                          const unsigned char *adin, size_t adinlen)
598
0
{
599
0
    int ret;
600
601
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
602
0
        return 0;
603
604
0
    ret = ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, ent,
605
0
                                         ent_len, adin, adinlen);
606
607
0
    if (drbg->lock != NULL)
608
0
        CRYPTO_THREAD_unlock(drbg->lock);
609
610
0
    return ret;
611
0
}
612
613
/*
614
 * Generate |outlen| bytes into the buffer at |out|.  Reseed if we need
615
 * to or if |prediction_resistance| is set.  Additional input can be
616
 * sent in |adin| and |adinlen|.
617
 *
618
 * Acquires the drbg->lock for writing if available
619
 *
620
 * Returns 1 on success, 0 on failure.
621
 *
622
 */
623
int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
624
                            unsigned int strength, int prediction_resistance,
625
                            const unsigned char *adin, size_t adinlen)
626
125k
{
627
125k
    int fork_id;
628
125k
    int reseed_required = 0;
629
125k
    int ret = 0;
630
631
125k
    if (!ossl_prov_is_running())
632
0
        return 0;
633
634
125k
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
635
0
        return 0;
636
637
125k
    if (drbg->state != EVP_RAND_STATE_READY) {
638
        /* try to recover from previous errors */
639
0
        rand_drbg_restart(drbg);
640
641
0
        if (drbg->state == EVP_RAND_STATE_ERROR) {
642
0
            ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);
643
0
            goto err;
644
0
        }
645
0
        if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {
646
0
            ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);
647
0
            goto err;
648
0
        }
649
0
    }
650
125k
    if (strength > drbg->strength) {
651
0
        ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
652
0
        goto err;
653
0
    }
654
655
125k
    if (outlen > drbg->max_request) {
656
0
        ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);
657
0
        goto err;
658
0
    }
659
125k
    if (adinlen > drbg->max_adinlen) {
660
0
        ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);
661
0
        goto err;
662
0
    }
663
664
125k
    fork_id = openssl_get_fork_id();
665
666
125k
    if (drbg->fork_id != fork_id) {
667
0
        drbg->fork_id = fork_id;
668
0
        reseed_required = 1;
669
0
    }
670
671
125k
    if (drbg->reseed_interval > 0) {
672
125k
        if (drbg->generate_counter >= drbg->reseed_interval)
673
1
            reseed_required = 1;
674
125k
    }
675
125k
    if (drbg->reseed_time_interval > 0) {
676
125k
        time_t now = time(NULL);
677
125k
        if (now < drbg->reseed_time
678
125k
            || now - drbg->reseed_time >= drbg->reseed_time_interval)
679
1
            reseed_required = 1;
680
125k
    }
681
125k
    if (drbg->parent != NULL
682
125k
            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
683
2
        reseed_required = 1;
684
685
125k
    if (reseed_required || prediction_resistance) {
686
4
        if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
687
4
                                            0, adin, adinlen)) {
688
0
            ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR);
689
0
            goto err;
690
0
        }
691
4
        adin = NULL;
692
4
        adinlen = 0;
693
4
    }
694
695
125k
    if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {
696
0
        drbg->state = EVP_RAND_STATE_ERROR;
697
0
        ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);
698
0
        goto err;
699
0
    }
700
701
125k
    drbg->generate_counter++;
702
703
125k
    ret = 1;
704
125k
 err:
705
125k
    if (drbg->lock != NULL)
706
6
        CRYPTO_THREAD_unlock(drbg->lock);
707
708
125k
    return ret;
709
125k
}
710
711
/*
712
 * Restart |drbg|, using the specified entropy or additional input
713
 *
714
 * Tries its best to get the drbg instantiated by all means,
715
 * regardless of its current state.
716
 *
717
 * Optionally, a |buffer| of |len| random bytes can be passed,
718
 * which is assumed to contain at least |entropy| bits of entropy.
719
 *
720
 * If |entropy| > 0, the buffer content is used as entropy input.
721
 *
722
 * If |entropy| == 0, the buffer content is used as additional input
723
 *
724
 * Returns 1 on success, 0 on failure.
725
 *
726
 * This function is used internally only.
727
 */
728
static int rand_drbg_restart(PROV_DRBG *drbg)
729
0
{
730
    /* repair error state */
731
0
    if (drbg->state == EVP_RAND_STATE_ERROR)
732
0
        drbg->uninstantiate(drbg);
733
734
    /* repair uninitialized state */
735
0
    if (drbg->state == EVP_RAND_STATE_UNINITIALISED)
736
        /* reinstantiate drbg */
737
0
        ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0);
738
739
0
    return drbg->state == EVP_RAND_STATE_READY;
740
0
}
741
742
/* Provider support from here down */
743
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
744
                                      int function)
745
28
{
746
28
    if (dispatch != NULL)
747
324
        while (dispatch->function_id != 0) {
748
320
            if (dispatch->function_id == function)
749
24
                return dispatch;
750
296
            dispatch++;
751
296
        }
752
4
    return NULL;
753
28
}
754
755
int ossl_drbg_enable_locking(void *vctx)
756
2
{
757
2
    PROV_DRBG *drbg = vctx;
758
759
2
    if (drbg != NULL && drbg->lock == NULL) {
760
2
        if (drbg->parent_enable_locking != NULL)
761
2
            if (!drbg->parent_enable_locking(drbg->parent)) {
762
0
                ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
763
0
                return 0;
764
0
            }
765
2
        drbg->lock = CRYPTO_THREAD_lock_new();
766
2
        if (drbg->lock == NULL) {
767
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
768
0
            return 0;
769
0
        }
770
2
    }
771
2
    return 1;
772
2
}
773
774
/*
775
 * Allocate memory and initialize a new DRBG. The DRBG is allocated on
776
 * the secure heap if |secure| is nonzero and the secure heap is enabled.
777
 * The |parent|, if not NULL, will be used as random source for reseeding.
778
 * This also requires the parent's provider context and the parent's lock.
779
 *
780
 * Returns a pointer to the new DRBG instance on success, NULL on failure.
781
 */
782
PROV_DRBG *ossl_rand_drbg_new
783
    (void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,
784
     int (*dnew)(PROV_DRBG *ctx),
785
     void (*dfree)(void *vctx),
786
     int (*instantiate)(PROV_DRBG *drbg,
787
                        const unsigned char *entropy, size_t entropylen,
788
                        const unsigned char *nonce, size_t noncelen,
789
                        const unsigned char *pers, size_t perslen),
790
     int (*uninstantiate)(PROV_DRBG *ctx),
791
     int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
792
                   const unsigned char *adin, size_t adin_len),
793
     int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
794
                     const unsigned char *adin, size_t adin_len))
795
4
{
796
4
    PROV_DRBG *drbg;
797
4
    unsigned int p_str;
798
4
    const OSSL_DISPATCH *pfunc;
799
800
4
    if (!ossl_prov_is_running())
801
0
        return NULL;
802
803
4
    drbg = OPENSSL_zalloc(sizeof(*drbg));
804
4
    if (drbg == NULL)
805
0
        return NULL;
806
807
4
    drbg->provctx = provctx;
808
4
    drbg->instantiate = instantiate;
809
4
    drbg->uninstantiate = uninstantiate;
810
4
    drbg->reseed = reseed;
811
4
    drbg->generate = generate;
812
4
    drbg->fork_id = openssl_get_fork_id();
813
814
    /* Extract parent's functions */
815
4
    drbg->parent = parent;
816
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
817
4
        drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
818
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
819
4
        drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);
820
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
821
4
        drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
822
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
823
4
        drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
824
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)
825
0
        drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);
826
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
827
4
        drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
828
4
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
829
4
        drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
830
831
    /* Set some default maximums up */
832
4
    drbg->max_entropylen = DRBG_MAX_LENGTH;
833
4
    drbg->max_noncelen = DRBG_MAX_LENGTH;
834
4
    drbg->max_perslen = DRBG_MAX_LENGTH;
835
4
    drbg->max_adinlen = DRBG_MAX_LENGTH;
836
4
    drbg->generate_counter = 1;
837
4
    drbg->reseed_counter = 1;
838
4
    drbg->reseed_interval = RESEED_INTERVAL;
839
4
    drbg->reseed_time_interval = TIME_INTERVAL;
840
841
4
    if (!dnew(drbg))
842
0
        goto err;
843
844
4
    if (parent != NULL) {
845
4
        if (!get_parent_strength(drbg, &p_str))
846
0
            goto err;
847
4
        if (drbg->strength > p_str) {
848
            /*
849
             * We currently don't support the algorithm from NIST SP 800-90C
850
             * 10.1.2 to use a weaker DRBG as source
851
             */
852
0
            ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);
853
0
            goto err;
854
0
        }
855
4
    }
856
#ifdef TSAN_REQUIRES_LOCKING
857
    if (!ossl_drbg_enable_locking(drbg))
858
        goto err;
859
#endif
860
4
    return drbg;
861
862
0
 err:
863
0
    dfree(drbg);
864
0
    return NULL;
865
4
}
866
867
void ossl_rand_drbg_free(PROV_DRBG *drbg)
868
4
{
869
4
    if (drbg == NULL)
870
0
        return;
871
872
4
    CRYPTO_THREAD_lock_free(drbg->lock);
873
4
    OPENSSL_free(drbg);
874
4
}
875
876
/*
877
 * Helper function called by internal DRBG implementations. Assumes that at
878
 * least a read lock has been taken on drbg->lock
879
 */
880
int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])
881
8
{
882
8
    OSSL_PARAM *p;
883
884
8
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
885
8
    if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))
886
0
        return 0;
887
888
8
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
889
8
    if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))
890
0
        return 0;
891
892
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);
893
8
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))
894
0
        return 0;
895
896
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);
897
8
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))
898
0
        return 0;
899
900
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);
901
8
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))
902
0
        return 0;
903
904
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);
905
8
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))
906
0
        return 0;
907
908
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);
909
8
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))
910
0
        return 0;
911
912
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);
913
8
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))
914
0
        return 0;
915
916
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
917
8
    if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))
918
0
        return 0;
919
920
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);
921
8
    if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))
922
0
        return 0;
923
924
8
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
925
8
    if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))
926
0
        return 0;
927
8
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(drbg, params))
928
0
        return 0;
929
8
    return 1;
930
8
}
931
932
/*
933
 * Helper function to get certain params that require no lock to obtain. Sets
934
 * *complete to 1 if all the params were processed, or 0 otherwise
935
 */
936
int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[],
937
                                     int *complete)
938
251k
{
939
251k
    size_t cnt = 0;
940
251k
    OSSL_PARAM *p;
941
942
    /* This value never changes once set */
943
251k
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
944
251k
    if (p != NULL) {
945
125k
        if (!OSSL_PARAM_set_size_t(p, drbg->max_request))
946
0
            return 0;
947
125k
        cnt++;
948
125k
    }
949
950
    /*
951
     * Can be changed by multiple threads, but we tolerate inaccuracies in this
952
     * value.
953
     */
954
251k
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER);
955
251k
    if (p != NULL) {
956
125k
        if (!OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))
957
0
            return 0;
958
125k
        cnt++;
959
125k
    }
960
961
251k
    if (params[cnt].key == NULL)
962
251k
        *complete = 1;
963
8
    else
964
8
        *complete = 0;
965
966
251k
    return 1;
967
251k
}
968
969
int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
970
4
{
971
4
    const OSSL_PARAM *p;
972
973
4
    if (ossl_param_is_empty(params))
974
0
        return 1;
975
976
4
    p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
977
4
    if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
978
0
        return 0;
979
980
4
    p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);
981
4
    if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))
982
0
        return 0;
983
984
4
    return 1;
985
4
}
986
987
#ifdef FIPS_MODULE
988
static int digest_allowed(const EVP_MD *md)
989
{
990
    /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */
991
    static const char *const allowed_digests[] = {
992
        "SHA1",                     /* SHA 1 allowed */
993
        "SHA2-256", "SHA2-512",     /* non-truncated SHA2 allowed */
994
        "SHA3-256", "SHA3-512",     /* non-truncated SHA3 allowed */
995
    };
996
    size_t i;
997
998
    for (i = 0; i < OSSL_NELEM(allowed_digests); i++) {
999
        if (EVP_MD_is_a(md, allowed_digests[i]))
1000
            return 1;
1001
    }
1002
    return 0;
1003
}
1004
#endif
1005
1006
/* Confirm digest is allowed to be used with a DRBG */
1007
int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,
1008
                            const EVP_MD *md)
1009
0
{
1010
#ifdef FIPS_MODULE
1011
    int approved = digest_allowed(md);
1012
1013
    if (!approved) {
1014
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0,
1015
                                         libctx, "DRBG", "Digest",
1016
                                         ossl_fips_config_restricted_drbg_digests)) {
1017
            ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
1018
            return 0;
1019
        }
1020
    }
1021
#else   /* FIPS_MODULE */
1022
    /* Outside of FIPS, any digests that are not XOF are allowed */
1023
0
    if (EVP_MD_xof(md)) {
1024
0
        ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
1025
0
        return 0;
1026
0
    }
1027
0
#endif  /* FIPS_MODULE */
1028
0
    return 1;
1029
0
}