mirror of
https://github.com/openssl/openssl.git
synced 2025-04-06 20:20:50 +08:00
fips: continuous random bit generator tests
For FIPS 140-3 the continuous tests specified in SP 800-90B need to be
included on the output of any entropy source.
They are implemented here as a replacement for the primary DRBG in the FIPS
provider. This results in a setup that looks like this:
+-------------+
| |
| Seed Source |
| |
+------+------+
|
|
v
+-------------+
| |
| CRNG Test |
| |
++----------+-+
| |
| |
v v
+--------------+ +--------------+
| | | |
| Public DRBG | | Private DRBG |
| | | |
+--------------+ +--------------+
An additional benefit, that of avoiding DRBG chains, is also gained.
The current standards do not permit the output of one DRBG to be used
as the input for a second (i.e. a chain).
This also leaves open the future possibility of incorporating a seed
source inside the FIPS boundary.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25415)
This commit is contained in:
Pauli
parent
59eaa8c4af
commit
6f20c6804e
@ -19,7 +19,7 @@
|
||||
#include "crypto/context.h"
|
||||
|
||||
struct ossl_lib_ctx_st {
|
||||
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
||||
CRYPTO_RWLOCK *lock;
|
||||
OSSL_EX_DATA_GLOBAL global;
|
||||
|
||||
void *property_string_data;
|
||||
@ -45,7 +45,6 @@ struct ossl_lib_ctx_st {
|
||||
#if defined(OPENSSL_THREADS)
|
||||
void *threads;
|
||||
#endif
|
||||
void *rand_crngt;
|
||||
#ifdef FIPS_MODULE
|
||||
void *thread_event_handler;
|
||||
void *fips_prov;
|
||||
@ -93,10 +92,6 @@ static int context_init(OSSL_LIB_CTX *ctx)
|
||||
if (ctx->lock == NULL)
|
||||
goto err;
|
||||
|
||||
ctx->rand_crngt_lock = CRYPTO_THREAD_lock_new();
|
||||
if (ctx->rand_crngt_lock == NULL)
|
||||
goto err;
|
||||
|
||||
/* Initialize ex_data. */
|
||||
if (!ossl_do_ex_data_init(ctx))
|
||||
goto err;
|
||||
@ -222,7 +217,6 @@ static int context_init(OSSL_LIB_CTX *ctx)
|
||||
if (exdata_done)
|
||||
ossl_crypto_cleanup_all_ex_data_int(ctx);
|
||||
|
||||
CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
|
||||
CRYPTO_THREAD_lock_free(ctx->lock);
|
||||
CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
|
||||
memset(ctx, '\0', sizeof(*ctx));
|
||||
@ -328,11 +322,6 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ctx->rand_crngt != NULL) {
|
||||
ossl_rand_crng_ctx_free(ctx->rand_crngt);
|
||||
ctx->rand_crngt = NULL;
|
||||
}
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
if (ctx->thread_event_handler != NULL) {
|
||||
ossl_thread_event_ctx_free(ctx->thread_event_handler);
|
||||
@ -380,9 +369,7 @@ static int context_deinit(OSSL_LIB_CTX *ctx)
|
||||
|
||||
ossl_crypto_cleanup_all_ex_data_int(ctx);
|
||||
|
||||
CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
|
||||
CRYPTO_THREAD_lock_free(ctx->lock);
|
||||
ctx->rand_crngt_lock = NULL;
|
||||
ctx->lock = NULL;
|
||||
CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
|
||||
return 1;
|
||||
@ -573,8 +560,6 @@ int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx)
|
||||
|
||||
void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
|
||||
{
|
||||
void *p;
|
||||
|
||||
ctx = ossl_lib_ctx_get_concrete(ctx);
|
||||
if (ctx == NULL)
|
||||
return NULL;
|
||||
@ -621,36 +606,6 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
|
||||
return ctx->threads;
|
||||
#endif
|
||||
|
||||
case OSSL_LIB_CTX_RAND_CRNGT_INDEX: {
|
||||
|
||||
/*
|
||||
* rand_crngt must be lazily initialized because it calls into
|
||||
* libctx, so must not be called from context_init, else a deadlock
|
||||
* will occur.
|
||||
*
|
||||
* We use a separate lock because code called by the instantiation
|
||||
* of rand_crngt is liable to try and take the libctx lock.
|
||||
*/
|
||||
if (CRYPTO_THREAD_read_lock(ctx->rand_crngt_lock) != 1)
|
||||
return NULL;
|
||||
|
||||
if (ctx->rand_crngt == NULL) {
|
||||
CRYPTO_THREAD_unlock(ctx->rand_crngt_lock);
|
||||
|
||||
if (CRYPTO_THREAD_write_lock(ctx->rand_crngt_lock) != 1)
|
||||
return NULL;
|
||||
|
||||
if (ctx->rand_crngt == NULL)
|
||||
ctx->rand_crngt = ossl_rand_crng_ctx_new(ctx);
|
||||
}
|
||||
|
||||
p = ctx->rand_crngt;
|
||||
|
||||
CRYPTO_THREAD_unlock(ctx->rand_crngt_lock);
|
||||
|
||||
return p;
|
||||
}
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
case OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX:
|
||||
return ctx->thread_event_handler;
|
||||
|
||||
@ -696,6 +696,33 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent,
|
||||
return ctx;
|
||||
}
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
static EVP_RAND_CTX *rand_new_crngt(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent)
|
||||
{
|
||||
EVP_RAND *rand;
|
||||
EVP_RAND_CTX *ctx;
|
||||
|
||||
rand = EVP_RAND_fetch(libctx, "CRNG-TEST", "fips=no");
|
||||
if (rand == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_FETCH_DRBG);
|
||||
return NULL;
|
||||
}
|
||||
ctx = EVP_RAND_CTX_new(rand, parent);
|
||||
EVP_RAND_free(rand);
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_CREATE_DRBG);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) {
|
||||
ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG);
|
||||
EVP_RAND_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
return ctx;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Get the primary random generator.
|
||||
* Returns pointer to its EVP_RAND_CTX on success, NULL on failure.
|
||||
@ -727,21 +754,23 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
#ifdef FIPS_MODULE
|
||||
ret = rand_new_crngt(ctx, dgbl->seed);
|
||||
#else
|
||||
if (dgbl->seed == NULL) {
|
||||
ERR_set_mark();
|
||||
dgbl->seed = rand_new_seed(ctx);
|
||||
ERR_pop_to_mark();
|
||||
}
|
||||
ret = rand_new_drbg(ctx, dgbl->seed, PRIMARY_RESEED_INTERVAL,
|
||||
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
||||
#endif
|
||||
|
||||
ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
|
||||
PRIMARY_RESEED_INTERVAL,
|
||||
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
||||
/*
|
||||
* The primary DRBG may be shared between multiple threads so we must
|
||||
* enable locking.
|
||||
*/
|
||||
* The primary DRBG may be shared between multiple threads so we must
|
||||
* enable locking.
|
||||
*/
|
||||
dgbl->primary = ret;
|
||||
if (ret != NULL && !EVP_RAND_enable_locking(ret)) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_LOCKING);
|
||||
EVP_RAND_CTX_free(ret);
|
||||
|
||||
@ -100,7 +100,7 @@ typedef struct ossl_ex_data_global_st {
|
||||
# define OSSL_LIB_CTX_NAMEMAP_INDEX 4
|
||||
# define OSSL_LIB_CTX_DRBG_INDEX 5
|
||||
# define OSSL_LIB_CTX_DRBG_NONCE_INDEX 6
|
||||
# define OSSL_LIB_CTX_RAND_CRNGT_INDEX 7
|
||||
/* slot 7 unused, was CRNG test data and can be reused */
|
||||
# ifdef FIPS_MODULE
|
||||
# define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX 8
|
||||
# endif
|
||||
|
||||
@ -386,6 +386,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_rands[] = {
|
||||
{ PROV_NAMES_CRNG_TEST, FIPS_UNAPPROVED_PROPERTIES, ossl_crng_test_functions },
|
||||
{ PROV_NAMES_CTR_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_ctr_functions },
|
||||
{ PROV_NAMES_HASH_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_hash_functions },
|
||||
{ PROV_NAMES_HMAC_DRBG, FIPS_DEFAULT_PROPERTIES, ossl_drbg_ossl_hmac_functions },
|
||||
|
||||
@ -296,6 +296,7 @@ extern const OSSL_DISPATCH ossl_kdf_argon2id_functions[];
|
||||
extern const OSSL_DISPATCH ossl_test_rng_functions[];
|
||||
extern const OSSL_DISPATCH ossl_seed_src_functions[];
|
||||
extern const OSSL_DISPATCH ossl_jitter_functions[];
|
||||
extern const OSSL_DISPATCH ossl_crng_test_functions[];
|
||||
extern const OSSL_DISPATCH ossl_drbg_hash_functions[];
|
||||
extern const OSSL_DISPATCH ossl_drbg_ossl_hmac_functions[];
|
||||
extern const OSSL_DISPATCH ossl_drbg_ctr_functions[];
|
||||
|
||||
@ -306,6 +306,7 @@
|
||||
* RANDs
|
||||
* -----
|
||||
*/
|
||||
#define PROV_NAMES_CRNG_TEST "CRNG-TEST"
|
||||
#define PROV_NAMES_CTR_DRBG "CTR-DRBG"
|
||||
#define PROV_NAMES_HASH_DRBG "HASH-DRBG"
|
||||
#define PROV_NAMES_HMAC_DRBG "HMAC-DRBG"
|
||||
|
||||
@ -2,5 +2,6 @@ SUBDIRS=seeding
|
||||
|
||||
$RANDS_GOAL=../../libdefault.a ../../libfips.a
|
||||
|
||||
SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c crngt.c
|
||||
SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c
|
||||
SOURCE[../../libdefault.a]=seed_src.c seed_src_jitter.c
|
||||
SOURCE[../../libfips.a]=fips_crng_test.c
|
||||
|
||||
@ -1,192 +0,0 @@
|
||||
/*
|
||||
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/self_test.h>
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "crypto/rand_pool.h"
|
||||
#include "drbg_local.h"
|
||||
#include "prov/seeding.h"
|
||||
#include "crypto/context.h"
|
||||
|
||||
typedef struct crng_test_global_st {
|
||||
unsigned char crngt_prev[EVP_MAX_MD_SIZE];
|
||||
EVP_MD *md;
|
||||
int preloaded;
|
||||
CRYPTO_RWLOCK *lock;
|
||||
} CRNG_TEST_GLOBAL;
|
||||
|
||||
static int crngt_get_entropy(PROV_CTX *provctx, const EVP_MD *digest,
|
||||
unsigned char *buf, unsigned char *md,
|
||||
unsigned int *md_size)
|
||||
{
|
||||
int r;
|
||||
size_t n;
|
||||
unsigned char *p;
|
||||
|
||||
n = ossl_prov_get_entropy(provctx, &p, 0, CRNGT_BUFSIZ, CRNGT_BUFSIZ);
|
||||
if (n == CRNGT_BUFSIZ) {
|
||||
r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, digest, NULL);
|
||||
if (r != 0)
|
||||
memcpy(buf, p, CRNGT_BUFSIZ);
|
||||
ossl_prov_cleanup_entropy(provctx, p, n);
|
||||
return r != 0;
|
||||
}
|
||||
if (n != 0)
|
||||
ossl_prov_cleanup_entropy(provctx, p, n);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void ossl_rand_crng_ctx_free(void *vcrngt_glob)
|
||||
{
|
||||
CRNG_TEST_GLOBAL *crngt_glob = vcrngt_glob;
|
||||
|
||||
CRYPTO_THREAD_lock_free(crngt_glob->lock);
|
||||
EVP_MD_free(crngt_glob->md);
|
||||
OPENSSL_free(crngt_glob);
|
||||
}
|
||||
|
||||
void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *ctx)
|
||||
{
|
||||
CRNG_TEST_GLOBAL *crngt_glob = OPENSSL_zalloc(sizeof(*crngt_glob));
|
||||
|
||||
if (crngt_glob == NULL)
|
||||
return NULL;
|
||||
|
||||
if ((crngt_glob->md = EVP_MD_fetch(ctx, "SHA256", "")) == NULL) {
|
||||
OPENSSL_free(crngt_glob);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((crngt_glob->lock = CRYPTO_THREAD_lock_new()) == NULL) {
|
||||
EVP_MD_free(crngt_glob->md);
|
||||
OPENSSL_free(crngt_glob);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return crngt_glob;
|
||||
}
|
||||
|
||||
static int prov_crngt_compare_previous(const unsigned char *prev,
|
||||
const unsigned char *cur,
|
||||
size_t sz)
|
||||
{
|
||||
const int res = memcmp(prev, cur, sz) != 0;
|
||||
|
||||
if (!res)
|
||||
ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
|
||||
return res;
|
||||
}
|
||||
|
||||
size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
|
||||
unsigned char **pout,
|
||||
int entropy, size_t min_len, size_t max_len,
|
||||
int prediction_resistance)
|
||||
{
|
||||
unsigned char md[EVP_MAX_MD_SIZE];
|
||||
unsigned char buf[CRNGT_BUFSIZ];
|
||||
unsigned char *ent, *entp, *entbuf;
|
||||
unsigned int sz;
|
||||
size_t bytes_needed;
|
||||
size_t r = 0, s, t;
|
||||
int crng_test_pass = 1;
|
||||
OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);
|
||||
CRNG_TEST_GLOBAL *crngt_glob
|
||||
= ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX);
|
||||
OSSL_CALLBACK *stcb = NULL;
|
||||
void *stcbarg = NULL;
|
||||
OSSL_SELF_TEST *st = NULL;
|
||||
|
||||
if (crngt_glob == NULL)
|
||||
return 0;
|
||||
|
||||
if (!CRYPTO_THREAD_write_lock(crngt_glob->lock))
|
||||
return 0;
|
||||
|
||||
if (!crngt_glob->preloaded) {
|
||||
if (!crngt_get_entropy(drbg->provctx, crngt_glob->md, buf,
|
||||
crngt_glob->crngt_prev, NULL)) {
|
||||
OPENSSL_cleanse(buf, sizeof(buf));
|
||||
goto unlock_return;
|
||||
}
|
||||
crngt_glob->preloaded = 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Calculate how many bytes of seed material we require, rounded up
|
||||
* to the nearest byte. If the entropy is of less than full quality,
|
||||
* the amount required should be scaled up appropriately here.
|
||||
*/
|
||||
bytes_needed = (entropy + 7) / 8;
|
||||
if (bytes_needed < min_len)
|
||||
bytes_needed = min_len;
|
||||
if (bytes_needed > max_len)
|
||||
goto unlock_return;
|
||||
entp = ent = OPENSSL_secure_malloc(bytes_needed);
|
||||
if (ent == NULL)
|
||||
goto unlock_return;
|
||||
|
||||
OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg);
|
||||
if (stcb != NULL) {
|
||||
st = OSSL_SELF_TEST_new(stcb, stcbarg);
|
||||
if (st == NULL)
|
||||
goto err;
|
||||
OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_CRNG,
|
||||
OSSL_SELF_TEST_DESC_RNG);
|
||||
}
|
||||
|
||||
for (t = bytes_needed; t > 0;) {
|
||||
/* Care needs to be taken to avoid overrunning the buffer */
|
||||
s = t >= CRNGT_BUFSIZ ? CRNGT_BUFSIZ : t;
|
||||
entbuf = t >= CRNGT_BUFSIZ ? entp : buf;
|
||||
if (!crngt_get_entropy(drbg->provctx, crngt_glob->md, entbuf, md, &sz))
|
||||
goto err;
|
||||
if (t < CRNGT_BUFSIZ)
|
||||
memcpy(entp, buf, t);
|
||||
/* Force a failure here if the callback returns 1 */
|
||||
if (OSSL_SELF_TEST_oncorrupt_byte(st, md))
|
||||
memcpy(md, crngt_glob->crngt_prev, sz);
|
||||
if (!prov_crngt_compare_previous(crngt_glob->crngt_prev, md, sz)) {
|
||||
crng_test_pass = 0;
|
||||
goto err;
|
||||
}
|
||||
/* Update for next block */
|
||||
memcpy(crngt_glob->crngt_prev, md, sz);
|
||||
entp += s;
|
||||
t -= s;
|
||||
}
|
||||
r = bytes_needed;
|
||||
*pout = ent;
|
||||
ent = NULL;
|
||||
|
||||
err:
|
||||
OSSL_SELF_TEST_onend(st, crng_test_pass);
|
||||
OSSL_SELF_TEST_free(st);
|
||||
OPENSSL_secure_clear_free(ent, bytes_needed);
|
||||
|
||||
unlock_return:
|
||||
CRYPTO_THREAD_unlock(crngt_glob->lock);
|
||||
return r;
|
||||
}
|
||||
|
||||
void ossl_crngt_cleanup_entropy(ossl_unused PROV_DRBG *drbg,
|
||||
unsigned char *out, size_t outlen)
|
||||
{
|
||||
OPENSSL_secure_clear_free(out, outlen);
|
||||
}
|
||||
@ -197,18 +197,12 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
|
||||
unsigned int p_str;
|
||||
|
||||
if (drbg->parent == NULL)
|
||||
#ifdef FIPS_MODULE
|
||||
return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
|
||||
prediction_resistance);
|
||||
#else
|
||||
/*
|
||||
* In normal use (i.e. OpenSSL's own uses), this is never called.
|
||||
* Outside of the FIPS provider, OpenSSL sets its DRBGs up so that
|
||||
* they always have a parent. This remains purely for legacy reasons.
|
||||
* This remains purely for legacy reasons.
|
||||
*/
|
||||
return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
|
||||
max_len);
|
||||
#endif
|
||||
|
||||
if (drbg->parent_get_seed == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);
|
||||
@ -251,11 +245,7 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
|
||||
static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
|
||||
{
|
||||
if (drbg->parent == NULL) {
|
||||
#ifdef FIPS_MODULE
|
||||
ossl_crngt_cleanup_entropy(drbg, out, outlen);
|
||||
#else
|
||||
ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);
|
||||
#endif
|
||||
} else if (drbg->parent_clear_seed != NULL) {
|
||||
if (!ossl_drbg_lock_parent(drbg))
|
||||
return;
|
||||
|
||||
434
providers/implementations/rands/fips_crng_test.c
Normal file
434
providers/implementations/rands/fips_crng_test.c
Normal file
@ -0,0 +1,434 @@
|
||||
/*
|
||||
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Implementation of SP 800-90B section 4.4 Approved Continuous Health Tests.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/self_test.h>
|
||||
#include <openssl/proverr.h>
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/implementations.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "crypto/rand_pool.h"
|
||||
#include "drbg_local.h"
|
||||
#include "prov/seeding.h"
|
||||
#include "crypto/context.h"
|
||||
|
||||
static OSSL_FUNC_rand_newctx_fn crng_test_new;
|
||||
static OSSL_FUNC_rand_freectx_fn crng_test_free;
|
||||
static OSSL_FUNC_rand_instantiate_fn crng_test_instantiate;
|
||||
static OSSL_FUNC_rand_uninstantiate_fn crng_test_uninstantiate;
|
||||
static OSSL_FUNC_rand_generate_fn crng_test_generate;
|
||||
static OSSL_FUNC_rand_reseed_fn crng_test_reseed;
|
||||
static OSSL_FUNC_rand_gettable_ctx_params_fn crng_test_gettable_ctx_params;
|
||||
static OSSL_FUNC_rand_get_ctx_params_fn crng_test_get_ctx_params;
|
||||
static OSSL_FUNC_rand_verify_zeroization_fn crng_test_verify_zeroization;
|
||||
static OSSL_FUNC_rand_enable_locking_fn crng_test_enable_locking;
|
||||
static OSSL_FUNC_rand_lock_fn crng_test_lock;
|
||||
static OSSL_FUNC_rand_unlock_fn crng_test_unlock;
|
||||
static OSSL_FUNC_rand_get_seed_fn crng_test_get_seed;
|
||||
static OSSL_FUNC_rand_clear_seed_fn crng_test_clear_seed;
|
||||
|
||||
#ifndef ENTROPY_H
|
||||
# define ENTROPY_H 6 /* default to six bits per byte of entropy */
|
||||
#endif
|
||||
#ifndef ENTROPY_APT_W
|
||||
# define ENTROPY_APT_W 512
|
||||
#endif
|
||||
|
||||
typedef struct crng_testal_st {
|
||||
void *provctx;
|
||||
CRYPTO_RWLOCK *lock;
|
||||
int state;
|
||||
|
||||
/* State for SP 800-90B 4.4.1 Repetition Count Test */
|
||||
struct {
|
||||
unsigned int b;
|
||||
uint8_t a;
|
||||
} rct;
|
||||
|
||||
/* State for SP 800-90B 4.4.2 Adaptive Proportion Test */
|
||||
struct {
|
||||
unsigned int b;
|
||||
unsigned int i;
|
||||
uint8_t a;
|
||||
} apt;
|
||||
|
||||
/* Parent PROV_RAND and its dispatch table functions */
|
||||
void *parent;
|
||||
OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking;
|
||||
OSSL_FUNC_rand_lock_fn *parent_lock;
|
||||
OSSL_FUNC_rand_unlock_fn *parent_unlock;
|
||||
OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params;
|
||||
OSSL_FUNC_rand_gettable_ctx_params_fn *parent_gettable_ctx_params;
|
||||
OSSL_FUNC_rand_get_seed_fn *parent_get_seed;
|
||||
OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed;
|
||||
} CRNG_TEST;
|
||||
|
||||
/*
|
||||
* Some helper functions
|
||||
*/
|
||||
static int lock_parent(CRNG_TEST *crngt)
|
||||
{
|
||||
void *parent = crngt->parent;
|
||||
|
||||
if (parent != NULL
|
||||
&& crngt->parent_lock != NULL
|
||||
&& !crngt->parent_lock(parent)) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void unlock_parent(CRNG_TEST *crngt)
|
||||
{
|
||||
void *parent = crngt->parent;
|
||||
|
||||
if (parent != NULL && crngt->parent_unlock != NULL)
|
||||
crngt->parent_unlock(parent);
|
||||
}
|
||||
|
||||
/*
|
||||
* Implementation of SP 800-90B section 4.4.1: Repetition Count Test
|
||||
*/
|
||||
static int RCT_test(CRNG_TEST *crngt, uint8_t next)
|
||||
{
|
||||
/*
|
||||
* Critical values for this test are computed using:
|
||||
*
|
||||
* C = 1 + \left\lceil\frac{-log_2 \alpha}H\right\rceil
|
||||
*
|
||||
* where alpha = 2^-20 and H is the expected entropy per sample.
|
||||
*/
|
||||
static const unsigned int rct_c[9] = {
|
||||
41, /* H = 0.5 */
|
||||
21, 11, 8, 6, 5, 5, 4, 4 /* H = 1, ..., 8 */
|
||||
};
|
||||
|
||||
if (ossl_likely(crngt->rct.b != 0)
|
||||
&& ossl_unlikely(next == crngt->rct.a))
|
||||
return ossl_likely(++crngt->rct.b < rct_c[ENTROPY_H]);
|
||||
crngt->rct.a = next;
|
||||
crngt->rct.b = 1;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Implementation of SP 800-90B section 4.4.2: Adaptive Proportion Test
|
||||
*/
|
||||
static int APT_test(CRNG_TEST *crngt, uint8_t next)
|
||||
{
|
||||
/*
|
||||
* Critical values for this test are drawn from a binomial
|
||||
* distribution with n = 512, p = 2^-H at a critical threshold of
|
||||
* 2^-20. H being the expected entropy per sample. Refer SP 800-90B
|
||||
* section 4.4.2, table 2.
|
||||
*/
|
||||
static const unsigned int apt_c[9] = {
|
||||
410, /* H = 0.5 */
|
||||
311, 177, 103, 62, 39, 25, 18, 13 /* H = 1, ..., 8 */
|
||||
};
|
||||
|
||||
if (ossl_likely(crngt->apt.b != 0)) {
|
||||
if (ossl_unlikely(crngt->apt.a == next)
|
||||
&& ossl_unlikely(++crngt->apt.b >= apt_c[ENTROPY_H])) {
|
||||
crngt->apt.b = 0;
|
||||
return 0;
|
||||
}
|
||||
if (ossl_unlikely(++crngt->apt.i >= ENTROPY_APT_W))
|
||||
crngt->apt.b = 0;
|
||||
return 1;
|
||||
}
|
||||
crngt->apt.a = next;
|
||||
crngt->apt.b = 1;
|
||||
crngt->apt.i = 1;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int crng_test(CRNG_TEST *crngt, const unsigned char *buf, size_t n)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < n; i++)
|
||||
if (!RCT_test(crngt, buf[i]) || !APT_test(crngt, buf[i])) {
|
||||
crngt->state = EVP_RAND_STATE_ERROR;
|
||||
ERR_raise(ERR_LIB_PROV,
|
||||
PROV_R_ENTROPY_SOURCE_FAILED_CONTINUOUS_TESTS);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,
|
||||
int function)
|
||||
{
|
||||
if (dispatch != NULL)
|
||||
while (dispatch->function_id != 0) {
|
||||
if (dispatch->function_id == function)
|
||||
return dispatch;
|
||||
dispatch++;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static void *crng_test_new(void *provctx, void *parent,
|
||||
const OSSL_DISPATCH *p_dispatch)
|
||||
{
|
||||
CRNG_TEST *crngt = OPENSSL_zalloc(sizeof(*crngt));
|
||||
const OSSL_DISPATCH *pfunc;
|
||||
|
||||
if (crngt == NULL)
|
||||
return NULL;
|
||||
|
||||
crngt->provctx = provctx;
|
||||
crngt->state = EVP_RAND_STATE_UNINITIALISED;
|
||||
|
||||
/* Extract parent's functions */
|
||||
if (parent != NULL) {
|
||||
crngt->parent = parent;
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)
|
||||
crngt->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)
|
||||
crngt->parent_lock = OSSL_FUNC_rand_lock(pfunc);
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)
|
||||
crngt->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS)) != NULL)
|
||||
crngt->parent_gettable_ctx_params = OSSL_FUNC_rand_gettable_ctx_params(pfunc);
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)
|
||||
crngt->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)
|
||||
crngt->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);
|
||||
if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)
|
||||
crngt->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);
|
||||
}
|
||||
|
||||
return crngt;
|
||||
}
|
||||
|
||||
static void crng_test_free(void *vcrngt)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
if (crngt != NULL) {
|
||||
CRYPTO_THREAD_lock_free(crngt->lock);
|
||||
OPENSSL_free(crngt);
|
||||
}
|
||||
}
|
||||
|
||||
static int crng_test_instantiate(void *vcrngt, unsigned int strength,
|
||||
int prediction_resistance,
|
||||
const unsigned char *pstr,
|
||||
size_t pstr_len,
|
||||
ossl_unused const OSSL_PARAM params[])
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
/* Start up health tests should go here */
|
||||
crngt->state = EVP_RAND_STATE_READY;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int crng_test_uninstantiate(void *vcrngt)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
crngt->state = EVP_RAND_STATE_UNINITIALISED;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int crng_test_generate(void *vcrngt, unsigned char *out, size_t outlen,
|
||||
unsigned int strength, int prediction_resistance,
|
||||
const unsigned char *adin, size_t adin_len)
|
||||
{
|
||||
unsigned char *p;
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
if (!crng_test_get_seed(crngt, &p, 0, outlen, outlen, prediction_resistance,
|
||||
adin, adin_len))
|
||||
return 0;
|
||||
memcpy(out, p, outlen);
|
||||
crng_test_clear_seed(crngt, p, outlen);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int crng_test_reseed(ossl_unused void *vcrngt,
|
||||
ossl_unused int prediction_resistance,
|
||||
ossl_unused const unsigned char *ent,
|
||||
ossl_unused size_t ent_len,
|
||||
ossl_unused const unsigned char *adin,
|
||||
ossl_unused size_t adin_len)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int crng_test_verify_zeroization(ossl_unused void *vcrngt)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
static size_t crng_test_get_seed(void *vcrngt, unsigned char **pout,
|
||||
int entropy, size_t min_len,
|
||||
size_t max_len,
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin,
|
||||
size_t adin_len)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
size_t n;
|
||||
int r = 0;
|
||||
|
||||
/* Without a parent, we rely on the up calls */
|
||||
if (crngt->parent == NULL
|
||||
|| crngt->parent_get_seed == NULL) {
|
||||
n = ossl_prov_get_entropy(crngt->provctx, pout, entropy,
|
||||
min_len, max_len);
|
||||
if (n == 0)
|
||||
return 0;
|
||||
r = crng_test(crngt, *pout, n);
|
||||
return r > 0 ? n : 0;
|
||||
}
|
||||
|
||||
/* Grab seed from our parent */
|
||||
if (!crng_test_lock(crngt))
|
||||
return 0;
|
||||
if (!lock_parent(crngt)) {
|
||||
crng_test_unlock(crngt);
|
||||
return 0;
|
||||
}
|
||||
n = crngt->parent_get_seed(crngt->parent, pout, entropy,
|
||||
min_len, max_len, prediction_resistance,
|
||||
adin, adin_len);
|
||||
unlock_parent(crngt);
|
||||
if (n > 0)
|
||||
r = crng_test(crngt, *pout, n);
|
||||
crng_test_unlock(crngt);
|
||||
if (n > 0 && r > 0)
|
||||
return n;
|
||||
if (crngt->parent_clear_seed != NULL)
|
||||
crngt->parent_clear_seed(crngt->parent, *pout, n);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void crng_test_clear_seed(void *vcrngt,
|
||||
unsigned char *out, size_t outlen)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
if (crngt->parent == NULL || crngt->parent_get_seed == NULL)
|
||||
ossl_prov_cleanup_entropy(crngt->provctx, out, outlen);
|
||||
else if (crngt->parent_clear_seed != NULL)
|
||||
crngt->parent_clear_seed(crngt->parent, out, outlen);
|
||||
}
|
||||
|
||||
static int crng_test_enable_locking(void *vcrngt)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
if (crngt != NULL && crngt->lock == NULL) {
|
||||
if (crngt->parent_enable_locking != NULL)
|
||||
if (!crngt->parent_enable_locking(crngt->parent)) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);
|
||||
return 0;
|
||||
}
|
||||
crngt->lock = CRYPTO_THREAD_lock_new();
|
||||
if (crngt->lock == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int crng_test_lock(ossl_unused void *vcrngt)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
return crngt->lock == NULL || CRYPTO_THREAD_write_lock(crngt->lock);
|
||||
}
|
||||
|
||||
static void crng_test_unlock(ossl_unused void *vcrngt)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
|
||||
if (crngt->lock != NULL)
|
||||
CRYPTO_THREAD_unlock(crngt->lock);
|
||||
}
|
||||
|
||||
static int crng_test_get_ctx_params(void *vcrngt, OSSL_PARAM params[])
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
OSSL_PARAM *p;
|
||||
|
||||
if (crngt->parent != NULL && crngt->parent_get_ctx_params != NULL)
|
||||
return crngt->parent_get_ctx_params(crngt->parent, params);
|
||||
|
||||
/* No parent means we are using call backs for entropy */
|
||||
p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, crngt->state))
|
||||
return 0;
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, 1024))
|
||||
return 0;
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
|
||||
if (p != NULL && !OSSL_PARAM_set_size_t(p, 128))
|
||||
return 0;
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, 0))
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *crng_test_gettable_ctx_params(void *vcrngt,
|
||||
void *provctx)
|
||||
{
|
||||
CRNG_TEST *crngt = (CRNG_TEST *)vcrngt;
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL),
|
||||
OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL),
|
||||
OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),
|
||||
OSSL_PARAM_int(OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR, NULL),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
if (crngt->parent != NULL && crngt->parent_gettable_ctx_params != NULL)
|
||||
return crngt->parent_gettable_ctx_params(crngt->parent, provctx);
|
||||
return known_gettable_ctx_params;
|
||||
}
|
||||
|
||||
const OSSL_DISPATCH ossl_crng_test_functions[] = {
|
||||
{ OSSL_FUNC_RAND_NEWCTX, (void(*)(void))crng_test_new },
|
||||
{ OSSL_FUNC_RAND_FREECTX, (void(*)(void))crng_test_free },
|
||||
{ OSSL_FUNC_RAND_INSTANTIATE,
|
||||
(void(*)(void))crng_test_instantiate },
|
||||
{ OSSL_FUNC_RAND_UNINSTANTIATE,
|
||||
(void(*)(void))crng_test_uninstantiate },
|
||||
{ OSSL_FUNC_RAND_GENERATE, (void(*)(void))crng_test_generate },
|
||||
{ OSSL_FUNC_RAND_RESEED, (void(*)(void))crng_test_reseed },
|
||||
{ OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))crng_test_enable_locking },
|
||||
{ OSSL_FUNC_RAND_LOCK, (void(*)(void))crng_test_lock },
|
||||
{ OSSL_FUNC_RAND_UNLOCK, (void(*)(void))crng_test_unlock },
|
||||
{ OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
|
||||
(void(*)(void))crng_test_gettable_ctx_params },
|
||||
{ OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))crng_test_get_ctx_params },
|
||||
{ OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
|
||||
(void(*)(void))crng_test_verify_zeroization },
|
||||
{ OSSL_FUNC_RAND_GET_SEED, (void(*)(void))crng_test_get_seed },
|
||||
{ OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))crng_test_clear_seed },
|
||||
OSSL_DISPATCH_END
|
||||
};
|
||||
Loading…
x
Reference in New Issue
Block a user