1e1051a39Sopenharmony_ci/*
2e1051a39Sopenharmony_ci * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3e1051a39Sopenharmony_ci *
4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License").  You may not use
5e1051a39Sopenharmony_ci * this file except in compliance with the License.  You can obtain a copy
6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at
7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html
8e1051a39Sopenharmony_ci */
9e1051a39Sopenharmony_ci
10e1051a39Sopenharmony_ci#ifndef OSSL_CRYPTO_PROV_LOCAL_H
11e1051a39Sopenharmony_ci# define OSSL_CRYPTO_PROV_LOCAL_H
12e1051a39Sopenharmony_ci
13e1051a39Sopenharmony_ci# include <openssl/evp.h>
14e1051a39Sopenharmony_ci# include <openssl/core_dispatch.h>
15e1051a39Sopenharmony_ci# include <openssl/core_names.h>
16e1051a39Sopenharmony_ci# include <openssl/params.h>
17e1051a39Sopenharmony_ci# include "internal/tsan_assist.h"
18e1051a39Sopenharmony_ci# include "internal/nelem.h"
19e1051a39Sopenharmony_ci# include "internal/numbers.h"
20e1051a39Sopenharmony_ci# include "prov/provider_ctx.h"
21e1051a39Sopenharmony_ci
/* How many times to read the TSC as a randomness source. */
# define TSC_READ_COUNT                 4

/*
 * Maximum reseed intervals.
 *
 * MAX_RESEED_INTERVAL is 2^24; presumably the upper bound for the
 * reseed_interval field (a count of generate requests) - confirm against
 * the parameter setter.
 * MAX_RESEED_TIME_INTERVAL is 2^20 seconds.
 */
# define MAX_RESEED_INTERVAL                     (1 << 24)
# define MAX_RESEED_TIME_INTERVAL                (1 << 20) /* approx. 12 days */

/* Default reseed intervals: 256 (1 << 8) and 3600 seconds respectively. */
# define RESEED_INTERVAL                         (1 << 8)
# define TIME_INTERVAL                           (60*60)   /* 1 hour */

/*
 * The number of bytes that constitutes an atomic lump of entropy with respect
 * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
 * arbitrary: the smaller the value, the less entropy is consumed on first
 * read but the higher the probability of the test failing by accident.
 *
 * The value is in bytes.
 */
#define CRNGT_BUFSIZ    16

/*
 * Maximum input size for the DRBG (entropy, nonce, personalization string)
 *
 * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
 *
 * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
 */
# define DRBG_MAX_LENGTH                         INT32_MAX

/*
 * The default personalization string (not a nonce, despite what earlier
 * versions of this comment said).
 *
 * Both variants encode the same bytes: the EBCDIC branch spells out the
 * ASCII codes of "OpenSSL NIST SP 800-90A DRBG" plus the terminating NUL, so
 * the value fed to the DRBG does not depend on the platform character set.
 *
 * This is a fixed, public constant.  It contributes no entropy and must not
 * be treated as secret seed material.
 *
 * NOTE(review): the EBCDIC variant carries a trailing ';' inside the macro
 * while the ASCII variant does not - confirm that every user of the macro
 * tolerates the extra semicolon.
 */
#ifdef CHARSET_EBCDIC
# define DRBG_DEFAULT_PERS_STRING      { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \
     0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \
     0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00};
#else
# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
#endif
60e1051a39Sopenharmony_ci
/* Forward declaration so the function pointer members can refer to the type. */
typedef struct prov_drbg_st PROV_DRBG;

/*
 * DRBG status values.
 *
 * DRBG_UNINITIALISED is the first enumerator and therefore has the value 0,
 * so a zero-filled PROV_DRBG reads as uninitialised rather than as ready.
 */
typedef enum drbg_status_e {
    DRBG_UNINITIALISED, /* presumably: not (or no longer) instantiated */
    DRBG_READY,         /* presumably: instantiated and usable */
    DRBG_ERROR          /* presumably: failed, output must not be used - confirm */
} DRBG_STATUS;
69e1051a39Sopenharmony_ci
/*
 * The state of all types of DRBGs.
 *
 * Holds the bookkeeping shared by every DRBG mechanism (limits, reseed
 * counters, status, parent linkage, callbacks) and an untyped 'data' pointer
 * for the mechanism-specific part.
 */
struct prov_drbg_st {
    /* Lock for this DRBG - presumably created by ossl_drbg_enable_locking() */
    CRYPTO_RWLOCK *lock;
    /* Provider context - presumably the one passed to ossl_rand_drbg_new() */
    PROV_CTX *provctx;

    /*
     * Virtual functions are cached here.
     * Their signatures match the callbacks taken by ossl_rand_drbg_new().
     */
    int (*instantiate)(PROV_DRBG *drbg,
                       const unsigned char *entropy, size_t entropylen,
                       const unsigned char *nonce, size_t noncelen,
                       const unsigned char *pers, size_t perslen);
    int (*uninstantiate)(PROV_DRBG *ctx);
    int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
                  const unsigned char *adin, size_t adin_len);
    int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
                    const unsigned char *adin, size_t adin_len);

    /*
     * Parent PROV_RAND and its dispatch table functions.
     * NOTE(review): whether 'parent' and the parent_* pointers may be NULL
     * (a DRBG without a parent) is not visible here - confirm before
     * calling through them.
     */
    void *parent;
    OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking;
    OSSL_FUNC_rand_lock_fn *parent_lock;
    OSSL_FUNC_rand_unlock_fn *parent_unlock;
    OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params;
    OSSL_FUNC_rand_nonce_fn *parent_nonce;
    OSSL_FUNC_rand_get_seed_fn *parent_get_seed;
    OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed;

    /* Dispatch table the parent_* pointers above are presumably taken from */
    const OSSL_DISPATCH *parent_dispatch;

    /*
     * Stores the return value of openssl_get_fork_id() as of when we last
     * reseeded.  The DRBG reseeds automatically whenever drbg->fork_id !=
     * openssl_get_fork_id().  Used to provide fork-safety and reseed this
     * DRBG in the child process.
     *
     * Why it matters: after fork() the child starts with a copy of the
     * parent's DRBG state, so without a reseed both processes would continue
     * from the same state.
     */
    int fork_id;
    unsigned short flags; /* various external flags */

    /*
     * The following parameters are set up by the per-type "init" function.
     *
     * The supported types and their init functions are:
     *    (1) CTR_DRBG:  drbg_ctr_init().
     *    (2) HMAC_DRBG: drbg_hmac_init().
     *    (3) HASH_DRBG: drbg_hash_init().
     *
     * The parameters are closely related to the ones described in
     * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
     * crucial difference: In the NIST standard, all counts are given
     * in bits, whereas in OpenSSL entropy counts are given in bits
     * and buffer lengths are given in bytes.
     *
     * Since this difference has led to some confusion in the past,
     * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
     * the 'len' suffix has been added to all buffer sizes for
     * clarification.
     */

    /* Security strength - presumably in bits, as an entropy count; confirm */
    unsigned int strength;
    /* No 'len' suffix here; presumably bytes per generate call - confirm */
    size_t max_request;
    /* Buffer length limits, in bytes (see the note above) */
    size_t min_entropylen, max_entropylen;
    size_t min_noncelen, max_noncelen;
    size_t max_perslen, max_adinlen;

    /*
     * Counts the number of generate requests since the last reseed
     * (Starts at 1). This value is the reseed_counter as defined in
     * NIST SP 800-90Ar1
     */
    unsigned int generate_counter;
    /*
     * Maximum number of generate requests until a reseed is required.
     * This value is ignored if it is zero, i.e. zero switches this
     * reseed trigger off rather than forcing a reseed on every request.
     */
    unsigned int reseed_interval;
    /* Stores the time when the last reseeding occurred */
    time_t reseed_time;
    /*
     * Specifies the maximum time interval (in seconds) between reseeds.
     * This value is ignored if it is zero, i.e. zero switches the
     * time-based reseed trigger off.
     */
    time_t reseed_time_interval;
    /*
     * Counts the number of reseeds since instantiation.
     * This value is ignored if it is zero.
     *
     * This counter is used only for seed propagation from the <master> DRBG
     * to its two children, the <public> and <private> DRBG. This feature is
     * very special and its sole purpose is to ensure that any randomness which
     * is added by PROV_add() or PROV_seed() will have an immediate effect on
     * the output of PROV_bytes() resp. PROV_priv_bytes().
     *
     * Only reseed_counter carries TSAN_QUALIFIER (internal/tsan_assist.h);
     * the two counters below are plain unsigned ints.
     * NOTE(review): presumably parent_reseed_counter is the parent's
     * reseed_counter as last observed and reseed_next_counter the value to
     * publish after a reseed - confirm in the implementation.
     */
    TSAN_QUALIFIER unsigned int reseed_counter;
    unsigned int reseed_next_counter;
    unsigned int parent_reseed_counter;

    /* Seed length - presumably in bytes and set by the per-type init; confirm */
    size_t seedlen;
    /* Current status, one of the DRBG_STATUS values */
    DRBG_STATUS state;

    /* DRBG specific data (untyped; the mechanism code knows the real type) */
    void *data;

    /*
     * Entropy and nonce gathering callbacks.
     * callback_arg is presumably the argument handed to each of them.
     */
    void *callback_arg;
    OSSL_INOUT_CALLBACK *get_entropy_fn;
    OSSL_CALLBACK *cleanup_entropy_fn;
    OSSL_INOUT_CALLBACK *get_nonce_fn;
    OSSL_CALLBACK *cleanup_nonce_fn;
};
180e1051a39Sopenharmony_ci
/*
 * Create a DRBG.
 *
 * provctx, parent and parent_dispatch correspond to the members of the same
 * name in struct prov_drbg_st, and instantiate/uninstantiate/reseed/generate
 * have the same signatures as its cached virtual functions.  dnew is a
 * further per-type callback taking the new PROV_DRBG.
 *
 * Returns a PROV_DRBG pointer; presumably NULL on failure - confirm.
 */
PROV_DRBG *ossl_rand_drbg_new
    (void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch,
     int (*dnew)(PROV_DRBG *ctx),
     int (*instantiate)(PROV_DRBG *drbg,
                        const unsigned char *entropy, size_t entropylen,
                        const unsigned char *nonce, size_t noncelen,
                        const unsigned char *pers, size_t perslen),
     int (*uninstantiate)(PROV_DRBG *ctx),
     int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,
                   const unsigned char *adin, size_t adin_len),
     int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
                     const unsigned char *adin, size_t adin_len));
/* Counterpart of ossl_rand_drbg_new(); presumably releases the DRBG. */
void ossl_rand_drbg_free(PROV_DRBG *drbg);

/*
 * Instantiate the DRBG with a requested strength and an optional
 * personalization string (pers, perslen bytes).
 * NOTE(review): perslen is presumably checked against max_perslen and the
 * int result is presumably 1 on success / 0 on failure - confirm.
 */
int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,
                               int prediction_resistance,
                               const unsigned char *pers, size_t perslen);

/* Undo an instantiation; the int result's meaning is not visible here. */
int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg);

/*
 * Reseed the DRBG.  ent/ent_len is caller-supplied entropy input and
 * adin/adinlen is additional input; both lengths are in bytes.
 * NOTE(review): whether ent may be NULL (entropy fetched through the
 * callbacks or the parent instead) is not visible here - confirm.
 */
int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
                          const unsigned char *ent, size_t ent_len,
                          const unsigned char *adin, size_t adinlen);

/*
 * Produce outlen bytes of output into out.
 * NOTE(review): callers must check the int result before using out;
 * outlen and adinlen are presumably bounded by max_request and
 * max_adinlen - confirm.
 */
int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
                            unsigned int strength, int prediction_resistance,
                            const unsigned char *adin, size_t adinlen);

/*
 * Seeding api.
 * Declared through the OSSL_FUNC_rand_*_fn function types, so the
 * signatures come from the core dispatch headers, not from this file.
 */
OSSL_FUNC_rand_get_seed_fn ossl_drbg_get_seed;
OSSL_FUNC_rand_clear_seed_fn ossl_drbg_clear_seed;
212e1051a39Sopenharmony_ci
/*
 * Verify that an array of numeric values is all zero.
 *
 * Things a caller must know:
 *  - On the first non-zero element the macro executes 'return 0' in the
 *    function that uses it, so it is only usable inside a function where
 *    returning 0 means "zeroization check failed".
 *  - The element count comes from OSSL_NELEM(v) (internal/nelem.h).  v must
 *    therefore be an actual array; presumably a pointer argument would make
 *    the loop cover the wrong number of elements - confirm with the
 *    definition of OSSL_NELEM.
 *  - The expansion is a bare { } block with its own local 'i', not a
 *    do { } while (0), so it does not behave like a single statement in an
 *    unbraced if/else.
 *  - The name is spelled "VERYIFY"; it is left as is because it is the name
 *    users of this header refer to.
 */
#define PROV_DRBG_VERYIFY_ZEROIZATION(v)    \
    {                                       \
        size_t i;                           \
                                            \
        for (i = 0; i < OSSL_NELEM(v); i++) \
            if ((v)[i] != 0)                \
                return 0;                   \
    }
222e1051a39Sopenharmony_ci
/*
 * Locking api.
 * Declared through the OSSL_FUNC_rand_*_fn function types; the same types
 * are used for the parent_* pointers in struct prov_drbg_st.
 */
OSSL_FUNC_rand_enable_locking_fn ossl_drbg_enable_locking;
OSSL_FUNC_rand_lock_fn ossl_drbg_lock;
OSSL_FUNC_rand_unlock_fn ossl_drbg_unlock;

/*
 * Common parameters for all of our DRBGs.
 * NOTE(review): MAX_RESEED_INTERVAL and MAX_RESEED_TIME_INTERVAL are defined
 * in this header; presumably the setter rejects values above them - confirm.
 */
int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]);
int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]);

/*
 * Parameters every DRBG accepts: the reseed request count and the reseed
 * time interval.  Per the field comments in struct prov_drbg_st, a value of
 * zero makes the corresponding reseed trigger be ignored.
 *
 * The expansion is a comma-separated list with no trailing comma and no
 * terminating entry; the array that uses it has to supply its own
 * OSSL_PARAM_END.
 *
 * The time interval is declared as uint64 here while the struct member
 * reseed_time_interval is a time_t; the conversion is not visible in this
 * header.
 */
#define OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON                                      \
    OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL),             \
    OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL)

/*
 * Parameters every DRBG reports.  The last two entries are the same two
 * parameters as in OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON.  As above, the
 * expansion has no trailing comma and no terminating entry.
 */
#define OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON                             \
    OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL),                        \
    OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL),                    \
    OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),               \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_ENTROPYLEN, NULL),            \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ENTROPYLEN, NULL),            \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_NONCELEN, NULL),              \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_NONCELEN, NULL),              \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_PERSLEN, NULL),               \
    OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ADINLEN, NULL),               \
    OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, NULL),              \
    OSSL_PARAM_time_t(OSSL_DRBG_PARAM_RESEED_TIME, NULL),               \
    OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL),             \
    OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL)

/*
 * Continuous test "entropy" calls.
 *
 * ossl_crngt_get_entropy() hands a buffer back through *pout and returns a
 * size_t; presumably that is the number of bytes obtained, with 0 meaning
 * failure - confirm.  entropy is an entropy count (bits, per the convention
 * noted in struct prov_drbg_st); min_len and max_len are byte lengths.
 *
 * ossl_crngt_cleanup_entropy() takes such a buffer and its length;
 * presumably it wipes and releases it, so every successful get should be
 * paired with a cleanup - confirm.
 */
size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
                              unsigned char **pout,
                              int entropy, size_t min_len, size_t max_len,
                              int prediction_resistance);
void ossl_crngt_cleanup_entropy(PROV_DRBG *drbg,
                                unsigned char *out, size_t outlen);
258e1051a39Sopenharmony_ci
259e1051a39Sopenharmony_ci#endif