Coverage Report

Created: 2024-11-21 07:03

/src/openssl/providers/implementations/rands/drbg_hash.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2011-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <assert.h>
11
#include <stdlib.h>
12
#include <string.h>
13
#include <openssl/sha.h>
14
#include <openssl/crypto.h>
15
#include <openssl/err.h>
16
#include <openssl/rand.h>
17
#include <openssl/core_dispatch.h>
18
#include <openssl/proverr.h>
19
#include "internal/thread_once.h"
20
#include "prov/providercommon.h"
21
#include "prov/provider_ctx.h"
22
#include "prov/provider_util.h"
23
#include "prov/implementations.h"
24
#include "drbg_local.h"
25
26
static OSSL_FUNC_rand_newctx_fn drbg_hash_new_wrapper;
27
static OSSL_FUNC_rand_freectx_fn drbg_hash_free;
28
static OSSL_FUNC_rand_instantiate_fn drbg_hash_instantiate_wrapper;
29
static OSSL_FUNC_rand_uninstantiate_fn drbg_hash_uninstantiate_wrapper;
30
static OSSL_FUNC_rand_generate_fn drbg_hash_generate_wrapper;
31
static OSSL_FUNC_rand_reseed_fn drbg_hash_reseed_wrapper;
32
static OSSL_FUNC_rand_settable_ctx_params_fn drbg_hash_settable_ctx_params;
33
static OSSL_FUNC_rand_set_ctx_params_fn drbg_hash_set_ctx_params;
34
static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_hash_gettable_ctx_params;
35
static OSSL_FUNC_rand_get_ctx_params_fn drbg_hash_get_ctx_params;
36
static OSSL_FUNC_rand_verify_zeroization_fn drbg_hash_verify_zeroization;
37
38
static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]);
39
40
/* 888 bits from SP800-90Ar1 10.1 table 2 */
41
0
#define HASH_PRNG_MAX_SEEDLEN    (888/8)
42
43
/* 440 bits from SP800-90Ar1 10.1 table 2 */
44
0
#define HASH_PRNG_SMALL_SEEDLEN   (440/8)
45
46
/* Determine what seedlen to use based on the block length */
47
0
#define MAX_BLOCKLEN_USING_SMALL_SEEDLEN (256/8)
48
0
#define INBYTE_IGNORE ((unsigned char)0xFF)
49
50
typedef struct rand_drbg_hash_st {
51
    PROV_DIGEST digest;
52
    EVP_MD_CTX *ctx;
53
    size_t blocklen;
54
    unsigned char V[HASH_PRNG_MAX_SEEDLEN];
55
    unsigned char C[HASH_PRNG_MAX_SEEDLEN];
56
    /* Temporary value storage: should always exceed max digest length */
57
    unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
58
} PROV_DRBG_HASH;
59
60
/*
61
 * SP800-90Ar1 10.3.1 Derivation function using a Hash Function (Hash_df).
62
 * The input string used is composed of:
63
 *    inbyte - An optional leading byte (ignore if equal to INBYTE_IGNORE)
64
 *    in - input string 1 (A Non NULL value).
65
 *    in2 - optional input string (Can be NULL).
66
 *    in3 - optional input string (Can be NULL).
67
 *    These are concatenated as part of the DigestUpdate process.
68
 */
69
static int hash_df(PROV_DRBG *drbg, unsigned char *out,
70
                   const unsigned char inbyte,
71
                   const unsigned char *in, size_t inlen,
72
                   const unsigned char *in2, size_t in2len,
73
                   const unsigned char *in3, size_t in3len)
74
0
{
75
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
76
0
    EVP_MD_CTX *ctx = hash->ctx;
77
0
    unsigned char *vtmp = hash->vtmp;
78
    /* tmp = counter || num_bits_returned || [inbyte] */
79
0
    unsigned char tmp[1 + 4 + 1];
80
0
    int tmp_sz = 0;
81
0
    size_t outlen = drbg->seedlen;
82
0
    size_t num_bits_returned = outlen * 8;
83
    /*
84
     * No need to check outlen size here, as the standard only ever needs
85
     * seedlen bytes which is always less than the maximum permitted.
86
     */
87
88
    /* (Step 3) counter = 1 (tmp[0] is the 8 bit counter) */
89
0
    tmp[tmp_sz++] = 1;
90
    /* tmp[1..4] is the fixed 32 bit no_of_bits_to_return */
91
0
    tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 24) & 0xff);
92
0
    tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 16) & 0xff);
93
0
    tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 8) & 0xff);
94
0
    tmp[tmp_sz++] = (unsigned char)(num_bits_returned & 0xff);
95
    /* Tack the additional input byte onto the end of tmp if it exists */
96
0
    if (inbyte != INBYTE_IGNORE)
97
0
        tmp[tmp_sz++] = inbyte;
98
99
    /* (Step 4) */
100
0
    for (;;) {
101
        /*
102
         * (Step 4.1) out = out || Hash(tmp || in || [in2] || [in3])
103
         *            (where tmp = counter || num_bits_returned || [inbyte])
104
         */
105
0
        if (!(EVP_DigestInit_ex(ctx, ossl_prov_digest_md(&hash->digest), NULL)
106
0
                && EVP_DigestUpdate(ctx, tmp, tmp_sz)
107
0
                && EVP_DigestUpdate(ctx, in, inlen)
108
0
                && (in2 == NULL || EVP_DigestUpdate(ctx, in2, in2len))
109
0
                && (in3 == NULL || EVP_DigestUpdate(ctx, in3, in3len))))
110
0
            return 0;
111
112
0
        if (outlen < hash->blocklen) {
113
0
            if (!EVP_DigestFinal(ctx, vtmp, NULL))
114
0
                return 0;
115
0
            memcpy(out, vtmp, outlen);
116
0
            OPENSSL_cleanse(vtmp, hash->blocklen);
117
0
            break;
118
0
        } else if (!EVP_DigestFinal(ctx, out, NULL)) {
119
0
            return 0;
120
0
        }
121
122
0
        outlen -= hash->blocklen;
123
0
        if (outlen == 0)
124
0
            break;
125
        /* (Step 4.2) counter++ */
126
0
        tmp[0]++;
127
0
        out += hash->blocklen;
128
0
    }
129
0
    return 1;
130
0
}
131
132
/* Helper function that just passes 2 input parameters to hash_df() */
133
static int hash_df1(PROV_DRBG *drbg, unsigned char *out,
134
                    const unsigned char in_byte,
135
                    const unsigned char *in1, size_t in1len)
136
0
{
137
0
    return hash_df(drbg, out, in_byte, in1, in1len, NULL, 0, NULL, 0);
138
0
}
139
140
/*
141
 * Add 2 byte buffers together. The first elements in each buffer are the top
142
 * most bytes. The result is stored in the dst buffer.
143
 * The final carry is ignored i.e: dst =  (dst + in) mod (2^seedlen_bits).
144
 * where dst size is drbg->seedlen, and inlen <= drbg->seedlen.
145
 */
146
static int add_bytes(PROV_DRBG *drbg, unsigned char *dst,
147
                     unsigned char *in, size_t inlen)
148
0
{
149
0
    size_t i;
150
0
    int result;
151
0
    const unsigned char *add;
152
0
    unsigned char carry = 0, *d;
153
154
0
    assert(drbg->seedlen >= 1 && inlen >= 1 && inlen <= drbg->seedlen);
155
156
0
    d = &dst[drbg->seedlen - 1];
157
0
    add = &in[inlen - 1];
158
159
0
    for (i = inlen; i > 0; i--, d--, add--) {
160
0
        result = *d + *add + carry;
161
0
        carry = (unsigned char)(result >> 8);
162
0
        *d = (unsigned char)(result & 0xff);
163
0
    }
164
165
0
    if (carry != 0) {
166
        /* Add the carry to the top of the dst if inlen is not the same size */
167
0
        for (i = drbg->seedlen - inlen; i > 0; --i, d--) {
168
0
            *d += 1;     /* Carry can only be 1 */
169
0
            if (*d != 0) /* exit if carry doesn't propagate to the next byte */
170
0
                break;
171
0
        }
172
0
    }
173
0
    return 1;
174
0
}
175
176
/* V = (V + Hash(inbyte || V  || [additional_input]) mod (2^seedlen) */
177
static int add_hash_to_v(PROV_DRBG *drbg, unsigned char inbyte,
178
                         const unsigned char *adin, size_t adinlen)
179
0
{
180
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
181
0
    EVP_MD_CTX *ctx = hash->ctx;
182
183
0
    return EVP_DigestInit_ex(ctx, ossl_prov_digest_md(&hash->digest), NULL)
184
0
           && EVP_DigestUpdate(ctx, &inbyte, 1)
185
0
           && EVP_DigestUpdate(ctx, hash->V, drbg->seedlen)
186
0
           && (adin == NULL || EVP_DigestUpdate(ctx, adin, adinlen))
187
0
           && EVP_DigestFinal(ctx, hash->vtmp, NULL)
188
0
           && add_bytes(drbg, hash->V, hash->vtmp, hash->blocklen);
189
0
}
190
191
/*
192
 * The Hashgen() as listed in SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process.
193
 *
194
 * drbg contains the current value of V.
195
 * outlen is the requested number of bytes.
196
 * out is a buffer to return the generated bits.
197
 *
198
 * The algorithm to generate the bits is:
199
 *     data = V
200
 *     w = NULL
201
 *     for (i = 1 to m) {
202
 *        W = W || Hash(data)
203
 *        data = (data + 1) mod (2^seedlen)
204
 *     }
205
 *     out = Leftmost(W, outlen)
206
 *
207
 * Returns zero if an error occurs otherwise it returns 1.
208
 */
209
static int hash_gen(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
210
0
{
211
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
212
0
    unsigned char one = 1;
213
214
0
    if (outlen == 0)
215
0
        return 1;
216
0
    memcpy(hash->vtmp, hash->V, drbg->seedlen);
217
0
    for (;;) {
218
0
        if (!EVP_DigestInit_ex(hash->ctx, ossl_prov_digest_md(&hash->digest),
219
0
                               NULL)
220
0
                || !EVP_DigestUpdate(hash->ctx, hash->vtmp, drbg->seedlen))
221
0
            return 0;
222
223
0
        if (outlen < hash->blocklen) {
224
0
            if (!EVP_DigestFinal(hash->ctx, hash->vtmp, NULL))
225
0
                return 0;
226
0
            memcpy(out, hash->vtmp, outlen);
227
0
            return 1;
228
0
        } else {
229
0
            if (!EVP_DigestFinal(hash->ctx, out, NULL))
230
0
                return 0;
231
0
            outlen -= hash->blocklen;
232
0
            if (outlen == 0)
233
0
                break;
234
0
            out += hash->blocklen;
235
0
        }
236
0
        add_bytes(drbg, hash->vtmp, &one, 1);
237
0
    }
238
0
    return 1;
239
0
}
240
241
/*
242
 * SP800-90Ar1 10.1.1.2 Hash_DRBG_Instantiate_Process:
243
 *
244
 * ent is entropy input obtained from a randomness source of length ent_len.
245
 * nonce is a string of bytes of length nonce_len.
246
 * pstr is a personalization string received from an application. May be NULL.
247
 *
248
 * Returns zero if an error occurs otherwise it returns 1.
249
 */
250
static int drbg_hash_instantiate(PROV_DRBG *drbg,
251
                                 const unsigned char *ent, size_t ent_len,
252
                                 const unsigned char *nonce, size_t nonce_len,
253
                                 const unsigned char *pstr, size_t pstr_len)
254
0
{
255
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
256
257
0
    EVP_MD_CTX_free(hash->ctx);
258
0
    hash->ctx = EVP_MD_CTX_new();
259
260
    /* (Step 1-3) V = Hash_df(entropy||nonce||pers, seedlen) */
261
0
    return hash->ctx != NULL
262
0
           && hash_df(drbg, hash->V, INBYTE_IGNORE,
263
0
                      ent, ent_len, nonce, nonce_len, pstr, pstr_len)
264
           /* (Step 4) C = Hash_df(0x00||V, seedlen) */
265
0
           && hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);
266
0
}
267
268
static int drbg_hash_instantiate_wrapper(void *vdrbg, unsigned int strength,
269
                                         int prediction_resistance,
270
                                         const unsigned char *pstr,
271
                                         size_t pstr_len,
272
                                         const OSSL_PARAM params[])
273
0
{
274
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
275
0
    int ret = 0;
276
277
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
278
0
        return 0;
279
280
0
    if (!ossl_prov_is_running()
281
0
            || !drbg_hash_set_ctx_params_locked(drbg, params))
282
0
        goto err;
283
0
    ret = ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance,
284
0
                                     pstr, pstr_len);
285
0
 err:
286
0
    if (drbg->lock != NULL)
287
0
        CRYPTO_THREAD_unlock(drbg->lock);
288
0
    return ret;
289
0
}
290
291
/*
292
 * SP800-90Ar1 10.1.1.3 Hash_DRBG_Reseed_Process:
293
 *
294
 * ent is entropy input bytes obtained from a randomness source.
295
 * addin is additional input received from an application. May be NULL.
296
 *
297
 * Returns zero if an error occurs otherwise it returns 1.
298
 */
299
static int drbg_hash_reseed(PROV_DRBG *drbg,
300
                            const unsigned char *ent, size_t ent_len,
301
                            const unsigned char *adin, size_t adin_len)
302
0
{
303
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
304
305
    /* (Step 1-2) V = Hash_df(0x01 || V || entropy_input || additional_input) */
306
    /* V about to be updated so use C as output instead */
307
0
    if (!hash_df(drbg, hash->C, 0x01, hash->V, drbg->seedlen, ent, ent_len,
308
0
                 adin, adin_len))
309
0
        return 0;
310
0
    memcpy(hash->V, hash->C, drbg->seedlen);
311
    /* (Step 4) C = Hash_df(0x00||V, seedlen) */
312
0
    return hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);
313
0
}
314
315
static int drbg_hash_reseed_wrapper(void *vdrbg, int prediction_resistance,
316
                                    const unsigned char *ent, size_t ent_len,
317
                                    const unsigned char *adin, size_t adin_len)
318
0
{
319
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
320
321
0
    return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len,
322
0
                                 adin, adin_len);
323
0
}
324
325
/*
326
 * SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process:
327
 *
328
 * Generates pseudo random bytes using the drbg.
329
 * out is a buffer to fill with outlen bytes of pseudo random data.
330
 * addin is additional input received from an application. May be NULL.
331
 *
332
 * Returns zero if an error occurs otherwise it returns 1.
333
 */
334
static int drbg_hash_generate(PROV_DRBG *drbg,
335
                              unsigned char *out, size_t outlen,
336
                              const unsigned char *adin, size_t adin_len)
337
0
{
338
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
339
0
    unsigned char counter[4];
340
0
    int reseed_counter = drbg->generate_counter;
341
342
0
    counter[0] = (unsigned char)((reseed_counter >> 24) & 0xff);
343
0
    counter[1] = (unsigned char)((reseed_counter >> 16) & 0xff);
344
0
    counter[2] = (unsigned char)((reseed_counter >> 8) & 0xff);
345
0
    counter[3] = (unsigned char)(reseed_counter & 0xff);
346
347
0
    return hash->ctx != NULL
348
0
           && (adin == NULL
349
           /* (Step 2) if adin != NULL then V = V + Hash(0x02||V||adin) */
350
0
               || adin_len == 0
351
0
               || add_hash_to_v(drbg, 0x02, adin, adin_len))
352
           /* (Step 3) Hashgen(outlen, V) */
353
0
           && hash_gen(drbg, out, outlen)
354
           /* (Step 4/5) H = V = (V + Hash(0x03||V) mod (2^seedlen_bits) */
355
0
           && add_hash_to_v(drbg, 0x03, NULL, 0)
356
           /* (Step 5) V = (V + H + C + reseed_counter) mod (2^seedlen_bits) */
357
           /* V = (V + C) mod (2^seedlen_bits) */
358
0
           && add_bytes(drbg, hash->V, hash->C, drbg->seedlen)
359
           /* V = (V + reseed_counter) mod (2^seedlen_bits) */
360
0
           && add_bytes(drbg, hash->V, counter, 4);
361
0
}
362
363
static int drbg_hash_generate_wrapper
364
    (void *vdrbg, unsigned char *out, size_t outlen, unsigned int strength,
365
     int prediction_resistance, const unsigned char *adin, size_t adin_len)
366
0
{
367
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
368
369
0
    return ossl_prov_drbg_generate(drbg, out, outlen, strength,
370
0
                                   prediction_resistance, adin, adin_len);
371
0
}
372
373
static int drbg_hash_uninstantiate(PROV_DRBG *drbg)
374
0
{
375
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
376
377
0
    OPENSSL_cleanse(hash->V, sizeof(hash->V));
378
0
    OPENSSL_cleanse(hash->C, sizeof(hash->C));
379
0
    OPENSSL_cleanse(hash->vtmp, sizeof(hash->vtmp));
380
0
    return ossl_prov_drbg_uninstantiate(drbg);
381
0
}
382
383
static int drbg_hash_uninstantiate_wrapper(void *vdrbg)
384
0
{
385
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
386
0
    int ret;
387
388
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
389
0
        return 0;
390
391
0
    ret = drbg_hash_uninstantiate(drbg);
392
393
0
    if (drbg->lock != NULL)
394
0
        CRYPTO_THREAD_unlock(drbg->lock);
395
396
0
    return ret;
397
0
}
398
399
static int drbg_hash_verify_zeroization(void *vdrbg)
400
0
{
401
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
402
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
403
0
    int ret = 0;
404
405
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
406
0
        return 0;
407
408
0
    PROV_DRBG_VERIFY_ZEROIZATION(hash->V);
409
0
    PROV_DRBG_VERIFY_ZEROIZATION(hash->C);
410
0
    PROV_DRBG_VERIFY_ZEROIZATION(hash->vtmp);
411
412
0
    ret = 1;
413
0
 err:
414
0
    if (drbg->lock != NULL)
415
0
        CRYPTO_THREAD_unlock(drbg->lock);
416
0
    return ret;
417
0
}
418
419
static int drbg_hash_new(PROV_DRBG *ctx)
420
0
{
421
0
    PROV_DRBG_HASH *hash;
422
423
0
    hash = OPENSSL_secure_zalloc(sizeof(*hash));
424
0
    if (hash == NULL)
425
0
        return 0;
426
427
0
    OSSL_FIPS_IND_INIT(ctx)
428
429
0
    ctx->data = hash;
430
0
    ctx->seedlen = HASH_PRNG_MAX_SEEDLEN;
431
0
    ctx->max_entropylen = DRBG_MAX_LENGTH;
432
0
    ctx->max_noncelen = DRBG_MAX_LENGTH;
433
0
    ctx->max_perslen = DRBG_MAX_LENGTH;
434
0
    ctx->max_adinlen = DRBG_MAX_LENGTH;
435
436
    /* Maximum number of bits per request = 2^19  = 2^16 bytes */
437
0
    ctx->max_request = 1 << 16;
438
0
    return 1;
439
0
}
440
441
static void *drbg_hash_new_wrapper(void *provctx, void *parent,
442
                                   const OSSL_DISPATCH *parent_dispatch)
443
0
{
444
0
    return ossl_rand_drbg_new(provctx, parent, parent_dispatch,
445
0
                              &drbg_hash_new, &drbg_hash_free,
446
0
                              &drbg_hash_instantiate, &drbg_hash_uninstantiate,
447
0
                              &drbg_hash_reseed, &drbg_hash_generate);
448
0
}
449
450
static void drbg_hash_free(void *vdrbg)
451
0
{
452
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
453
0
    PROV_DRBG_HASH *hash;
454
455
0
    if (drbg != NULL && (hash = (PROV_DRBG_HASH *)drbg->data) != NULL) {
456
0
        EVP_MD_CTX_free(hash->ctx);
457
0
        ossl_prov_digest_reset(&hash->digest);
458
0
        OPENSSL_secure_clear_free(hash, sizeof(*hash));
459
0
    }
460
0
    ossl_rand_drbg_free(drbg);
461
0
}
462
463
static int drbg_hash_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
464
0
{
465
0
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
466
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
467
0
    const EVP_MD *md;
468
0
    OSSL_PARAM *p;
469
0
    int ret = 0, complete = 0;
470
471
0
    if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete))
472
0
        return 0;
473
474
0
    if (complete)
475
0
        return 1;
476
477
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
478
0
        return 0;
479
480
0
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_DIGEST);
481
0
    if (p != NULL) {
482
0
        md = ossl_prov_digest_md(&hash->digest);
483
0
        if (md == NULL || !OSSL_PARAM_set_utf8_string(p, EVP_MD_get0_name(md)))
484
0
            goto err;
485
0
    }
486
487
0
    ret = ossl_drbg_get_ctx_params(drbg, params);
488
0
 err:
489
0
    if (drbg->lock != NULL)
490
0
        CRYPTO_THREAD_unlock(drbg->lock);
491
492
0
    return ret;
493
0
}
494
495
static const OSSL_PARAM *drbg_hash_gettable_ctx_params(ossl_unused void *vctx,
496
                                                       ossl_unused void *p_ctx)
497
0
{
498
0
    static const OSSL_PARAM known_gettable_ctx_params[] = {
499
0
        OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0),
500
0
        OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
501
0
        OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
502
0
        OSSL_PARAM_END
503
0
    };
504
0
    return known_gettable_ctx_params;
505
0
}
506
507
static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[])
508
0
{
509
0
    PROV_DRBG *ctx = (PROV_DRBG *)vctx;
510
0
    PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)ctx->data;
511
0
    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
512
0
    const EVP_MD *md;
513
0
    int md_size;
514
515
0
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
516
0
                                     OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK))
517
0
        return 0;
518
519
0
    if (!ossl_prov_digest_load_from_params(&hash->digest, params, libctx))
520
0
        return 0;
521
522
0
    md = ossl_prov_digest_md(&hash->digest);
523
0
    if (md != NULL) {
524
0
        if (!ossl_drbg_verify_digest(ctx, libctx, md))
525
0
            return 0;   /* Error already raised for us */
526
527
        /* These are taken from SP 800-90 10.1 Table 2 */
528
0
        md_size = EVP_MD_get_size(md);
529
0
        if (md_size <= 0)
530
0
            return 0;
531
0
        hash->blocklen = md_size;
532
        /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
533
0
        ctx->strength = 64 * (hash->blocklen >> 3);
534
0
        if (ctx->strength > 256)
535
0
            ctx->strength = 256;
536
0
        if (hash->blocklen > MAX_BLOCKLEN_USING_SMALL_SEEDLEN)
537
0
            ctx->seedlen = HASH_PRNG_MAX_SEEDLEN;
538
0
        else
539
0
            ctx->seedlen = HASH_PRNG_SMALL_SEEDLEN;
540
541
0
        ctx->min_entropylen = ctx->strength / 8;
542
0
        ctx->min_noncelen = ctx->min_entropylen / 2;
543
0
    }
544
545
0
    return ossl_drbg_set_ctx_params(ctx, params);
546
0
}
547
548
static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[])
549
0
{
550
0
    PROV_DRBG *drbg = (PROV_DRBG *)vctx;
551
0
    int ret;
552
553
0
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
554
0
        return 0;
555
556
0
    ret = drbg_hash_set_ctx_params_locked(vctx, params);
557
558
0
    if (drbg->lock != NULL)
559
0
        CRYPTO_THREAD_unlock(drbg->lock);
560
561
0
    return ret;
562
0
}
563
564
static const OSSL_PARAM *drbg_hash_settable_ctx_params(ossl_unused void *vctx,
565
                                                       ossl_unused void *p_ctx)
566
0
{
567
0
    static const OSSL_PARAM known_settable_ctx_params[] = {
568
0
        OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
569
0
        OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0),
570
0
        OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
571
0
        OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK)
572
0
        OSSL_PARAM_END
573
0
    };
574
0
    return known_settable_ctx_params;
575
0
}
576
577
const OSSL_DISPATCH ossl_drbg_hash_functions[] = {
578
    { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))drbg_hash_new_wrapper },
579
    { OSSL_FUNC_RAND_FREECTX, (void(*)(void))drbg_hash_free },
580
    { OSSL_FUNC_RAND_INSTANTIATE,
581
      (void(*)(void))drbg_hash_instantiate_wrapper },
582
    { OSSL_FUNC_RAND_UNINSTANTIATE,
583
      (void(*)(void))drbg_hash_uninstantiate_wrapper },
584
    { OSSL_FUNC_RAND_GENERATE, (void(*)(void))drbg_hash_generate_wrapper },
585
    { OSSL_FUNC_RAND_RESEED, (void(*)(void))drbg_hash_reseed_wrapper },
586
    { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))ossl_drbg_enable_locking },
587
    { OSSL_FUNC_RAND_LOCK, (void(*)(void))ossl_drbg_lock },
588
    { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))ossl_drbg_unlock },
589
    { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
590
      (void(*)(void))drbg_hash_settable_ctx_params },
591
    { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void(*)(void))drbg_hash_set_ctx_params },
592
    { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
593
      (void(*)(void))drbg_hash_gettable_ctx_params },
594
    { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))drbg_hash_get_ctx_params },
595
    { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
596
      (void(*)(void))drbg_hash_verify_zeroization },
597
    { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))ossl_drbg_get_seed },
598
    { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))ossl_drbg_clear_seed },
599
    OSSL_DISPATCH_END
600
};