/src/gnutls/lib/nettle/rnd.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2010-2012 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2016-2017 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GNUTLS. |
8 | | * |
9 | | * The GNUTLS library is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #include "gnutls_int.h" |
25 | | #include "errors.h" |
26 | | #include "locks.h" |
27 | | #include "num.h" |
28 | | #include <nettle/chacha.h> |
29 | | #include "rnd-common.h" |
30 | | #include "system.h" |
31 | | #include "atfork.h" |
32 | | #include <errno.h> |
33 | | #include <minmax.h> |
34 | | |
35 | 0 | #define PRNG_KEY_SIZE CHACHA_KEY_SIZE |
36 | | |
37 | | /* For a high level description see the documentation and |
38 | | * the 'Random number generation' section of chapter |
39 | | * 'Using GnuTLS as a cryptographic library'. |
40 | | */ |
41 | | |
42 | | /* We have two "refresh" operations for the PRNG: |
43 | | * re-seed: the random generator obtains a new key from the system or another PRNG |
44 | | * (occurs when a time or data-based limit is reached for the GNUTLS_RND_RANDOM |
45 | | * and GNUTLS_RND_KEY levels and data-based for the nonce level) |
46 | | * re-key: the random generator obtains a new key by utilizing its own output. |
47 | | * This only happens for the GNUTLS_RND_KEY level, on every operation. |
48 | | */ |
49 | | |
50 | | /* after this number of bytes PRNG will rekey using the system RNG */ |
51 | | static const unsigned prng_reseed_limits[] = { |
52 | | [GNUTLS_RND_NONCE] = |
53 | | 16 * 1024 * |
54 | | 1024, /* 16 MB - we re-seed using the GNUTLS_RND_RANDOM output */ |
55 | | [GNUTLS_RND_RANDOM] = |
56 | | 2 * 1024 * 1024, /* 2MB - we re-seed by time as well */ |
57 | | [GNUTLS_RND_KEY] = |
58 | | 2 * 1024 * |
59 | | 1024 /* same as GNUTLS_RND_RANDOM - but we re-key on every operation */ |
60 | | }; |
61 | | |
62 | | static const time_t prng_reseed_time[] = { |
63 | | [GNUTLS_RND_NONCE] = 14400, /* 4 hours */ |
64 | | [GNUTLS_RND_RANDOM] = 7200, /* 2 hours */ |
65 | | [GNUTLS_RND_KEY] = 7200 /* same as RANDOM */ |
66 | | }; |
67 | | |
68 | | struct prng_ctx_st { |
69 | | struct chacha_ctx ctx; |
70 | | size_t counter; |
71 | | unsigned int forkid; |
72 | | time_t last_reseed; |
73 | | }; |
74 | | |
75 | | struct generators_ctx_st { |
76 | | struct prng_ctx_st nonce; /* GNUTLS_RND_NONCE */ |
77 | | struct prng_ctx_st normal; /* GNUTLS_RND_RANDOM, GNUTLS_RND_KEY */ |
78 | | }; |
79 | | |
80 | | static void wrap_nettle_rnd_deinit(void *_ctx) |
81 | 0 | { |
82 | 0 | gnutls_free(_ctx); |
83 | 0 | } |
84 | | |
85 | | /* Initializes the nonce level random generator. |
86 | | * |
87 | | * the @new_key must be provided. |
88 | | * |
89 | | * @init must be non zero on first initialization, and |
90 | | * zero on any subsequent reinitializations. |
91 | | */ |
92 | | static int single_prng_init(struct prng_ctx_st *ctx, |
93 | | uint8_t new_key[PRNG_KEY_SIZE], |
94 | | unsigned new_key_size, unsigned init) |
95 | 0 | { |
96 | 0 | uint8_t nonce[CHACHA_NONCE_SIZE]; |
97 | |
|
98 | 0 | memset(nonce, 0, sizeof(nonce)); /* to prevent valgrind from whinning */ |
99 | |
|
100 | 0 | if (init == 0) { |
101 | | /* use the previous key to generate IV as well */ |
102 | 0 | chacha_crypt(&ctx->ctx, sizeof(nonce), nonce, nonce); |
103 | | |
104 | | /* Add key continuity by XORing the new key with data generated |
105 | | * from the old key */ |
106 | 0 | chacha_crypt(&ctx->ctx, new_key_size, new_key, new_key); |
107 | 0 | } else { |
108 | 0 | struct timespec now; /* current time */ |
109 | |
|
110 | 0 | ctx->forkid = _gnutls_get_forkid(); |
111 | |
|
112 | 0 | gnutls_gettime(&now); |
113 | 0 | memcpy(nonce, &now, MIN(sizeof(nonce), sizeof(now))); |
114 | 0 | ctx->last_reseed = now.tv_sec; |
115 | 0 | } |
116 | |
|
117 | 0 | chacha_set_key(&ctx->ctx, new_key); |
118 | 0 | chacha_set_nonce(&ctx->ctx, nonce); |
119 | |
|
120 | 0 | zeroize_key(new_key, new_key_size); |
121 | |
|
122 | 0 | ctx->counter = 0; |
123 | |
|
124 | 0 | return 0; |
125 | 0 | } |
126 | | |
127 | | /* API functions */ |
128 | | |
129 | | static int wrap_nettle_rnd_init(void **_ctx) |
130 | 0 | { |
131 | 0 | int ret; |
132 | 0 | uint8_t new_key[PRNG_KEY_SIZE * 2]; |
133 | 0 | struct generators_ctx_st *ctx; |
134 | |
|
135 | 0 | ctx = calloc(1, sizeof(*ctx)); |
136 | 0 | if (ctx == NULL) |
137 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
138 | | |
139 | | /* initialize the nonce RNG */ |
140 | 0 | ret = _rnd_get_system_entropy(new_key, sizeof(new_key)); |
141 | 0 | if (ret < 0) { |
142 | 0 | gnutls_assert(); |
143 | 0 | goto fail; |
144 | 0 | } |
145 | | |
146 | 0 | ret = single_prng_init(&ctx->nonce, new_key, PRNG_KEY_SIZE, 1); |
147 | 0 | if (ret < 0) { |
148 | 0 | gnutls_assert(); |
149 | 0 | goto fail; |
150 | 0 | } |
151 | | |
152 | | /* initialize the random/key RNG */ |
153 | 0 | ret = single_prng_init(&ctx->normal, new_key + PRNG_KEY_SIZE, |
154 | 0 | PRNG_KEY_SIZE, 1); |
155 | 0 | if (ret < 0) { |
156 | 0 | gnutls_assert(); |
157 | 0 | goto fail; |
158 | 0 | } |
159 | | |
160 | 0 | *_ctx = ctx; |
161 | |
|
162 | 0 | return 0; |
163 | 0 | fail: |
164 | 0 | gnutls_free(ctx); |
165 | 0 | return ret; |
166 | 0 | } |
167 | | |
168 | | static int wrap_nettle_rnd(void *_ctx, int level, void *data, size_t datasize) |
169 | 0 | { |
170 | 0 | struct generators_ctx_st *ctx = _ctx; |
171 | 0 | struct prng_ctx_st *prng_ctx; |
172 | 0 | int ret, reseed = 0; |
173 | 0 | uint8_t new_key[PRNG_KEY_SIZE]; |
174 | 0 | time_t now; |
175 | |
|
176 | 0 | if (level == GNUTLS_RND_RANDOM || level == GNUTLS_RND_KEY) |
177 | 0 | prng_ctx = &ctx->normal; |
178 | 0 | else if (level == GNUTLS_RND_NONCE) |
179 | 0 | prng_ctx = &ctx->nonce; |
180 | 0 | else { |
181 | 0 | _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); |
182 | 0 | return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); |
183 | 0 | } |
184 | | |
185 | | /* Two reasons for this memset(): |
186 | | * 1. avoid getting filled with valgrind warnings |
187 | | * 2. avoid a cipher/PRNG failure to expose stack data |
188 | | */ |
189 | 0 | memset(data, 0, datasize); |
190 | |
|
191 | 0 | now = gnutls_time(0); |
192 | | |
193 | | /* We re-seed based on time in addition to output data. That is, |
194 | | * to prevent a temporal state compromise to become permanent for low |
195 | | * traffic sites */ |
196 | 0 | if (unlikely(_gnutls_detect_fork(prng_ctx->forkid))) { |
197 | 0 | reseed = 1; |
198 | 0 | } else { |
199 | 0 | if (now > prng_ctx->last_reseed + prng_reseed_time[level]) |
200 | 0 | reseed = 1; |
201 | 0 | } |
202 | |
|
203 | 0 | if (reseed != 0 || prng_ctx->counter > prng_reseed_limits[level]) { |
204 | 0 | if (level == GNUTLS_RND_NONCE) { |
205 | 0 | ret = wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, new_key, |
206 | 0 | sizeof(new_key)); |
207 | 0 | } else { |
208 | | /* we also use the system entropy to reduce the impact |
209 | | * of a temporal state compromise for these two levels. */ |
210 | 0 | ret = _rnd_get_system_entropy(new_key, sizeof(new_key)); |
211 | 0 | } |
212 | |
|
213 | 0 | if (ret < 0) { |
214 | 0 | gnutls_assert(); |
215 | 0 | _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); |
216 | 0 | goto cleanup; |
217 | 0 | } |
218 | | |
219 | 0 | ret = single_prng_init(prng_ctx, new_key, sizeof(new_key), 0); |
220 | 0 | if (ret < 0) { |
221 | 0 | gnutls_assert(); |
222 | 0 | _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); |
223 | 0 | goto cleanup; |
224 | 0 | } |
225 | | |
226 | 0 | prng_ctx->last_reseed = now; |
227 | 0 | prng_ctx->forkid = _gnutls_get_forkid(); |
228 | 0 | } |
229 | | |
230 | 0 | chacha_crypt(&prng_ctx->ctx, datasize, data, data); |
231 | 0 | prng_ctx->counter += datasize; |
232 | |
|
233 | 0 | if (level == GNUTLS_RND_KEY) { /* prevent backtracking */ |
234 | 0 | ret = wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, new_key, |
235 | 0 | sizeof(new_key)); |
236 | 0 | if (ret < 0) { |
237 | 0 | gnutls_assert(); |
238 | 0 | _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); |
239 | 0 | goto cleanup; |
240 | 0 | } |
241 | | |
242 | 0 | ret = single_prng_init(prng_ctx, new_key, sizeof(new_key), 0); |
243 | 0 | if (ret < 0) { |
244 | 0 | gnutls_assert(); |
245 | 0 | _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); |
246 | 0 | goto cleanup; |
247 | 0 | } |
248 | 0 | } |
249 | | |
250 | 0 | ret = 0; |
251 | 0 | _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED); |
252 | |
|
253 | 0 | cleanup: |
254 | 0 | return ret; |
255 | 0 | } |
256 | | |
257 | | static void wrap_nettle_rnd_refresh(void *_ctx) |
258 | 0 | { |
259 | 0 | struct generators_ctx_st *ctx = _ctx; |
260 | 0 | char tmp; |
261 | | |
262 | | /* force reseed */ |
263 | 0 | ctx->nonce.counter = prng_reseed_limits[GNUTLS_RND_NONCE] + 1; |
264 | 0 | ctx->normal.counter = prng_reseed_limits[GNUTLS_RND_RANDOM] + 1; |
265 | |
|
266 | 0 | wrap_nettle_rnd(_ctx, GNUTLS_RND_NONCE, &tmp, 1); |
267 | 0 | wrap_nettle_rnd(_ctx, GNUTLS_RND_RANDOM, &tmp, 1); |
268 | 0 | } |
269 | | |
270 | | int crypto_rnd_prio = INT_MAX; |
271 | | |
272 | | gnutls_crypto_rnd_st _gnutls_rnd_ops = { |
273 | | .init = wrap_nettle_rnd_init, |
274 | | .deinit = wrap_nettle_rnd_deinit, |
275 | | .rnd = wrap_nettle_rnd, |
276 | | .rnd_refresh = wrap_nettle_rnd_refresh, |
277 | | .self_test = NULL, |
278 | | }; |