1/* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#ifndef OSSL_CRYPTO_PROV_LOCAL_H 11# define OSSL_CRYPTO_PROV_LOCAL_H 12 13# include <openssl/evp.h> 14# include <openssl/core_dispatch.h> 15# include <openssl/core_names.h> 16# include <openssl/params.h> 17# include "internal/tsan_assist.h" 18# include "internal/nelem.h" 19# include "internal/numbers.h" 20# include "prov/provider_ctx.h" 21 22/* How many times to read the TSC as a randomness source. */ 23# define TSC_READ_COUNT 4 24 25/* Maximum reseed intervals */ 26# define MAX_RESEED_INTERVAL (1 << 24) 27# define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ 28 29/* Default reseed intervals */ 30# define RESEED_INTERVAL (1 << 8) 31# define TIME_INTERVAL (60*60) /* 1 hour */ 32 33/* 34 * The number of bytes that constitutes an atomic lump of entropy with respect 35 * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat 36 * arbitrary, the smaller the value, the less entropy is consumed on first 37 * read but the higher the probability of the test failing by accident. 38 * 39 * The value is in bytes. 40 */ 41#define CRNGT_BUFSIZ 16 42 43/* 44 * Maximum input size for the DRBG (entropy, nonce, personalization string) 45 * 46 * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. 47 * 48 * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. 49 */ 50# define DRBG_MAX_LENGTH INT32_MAX 51 52/* The default nonce */ 53#ifdef CHARSET_EBCDIC 54# define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \ 55 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \ 56 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00}; 57#else 58# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" 59#endif 60 61typedef struct prov_drbg_st PROV_DRBG; 62 63/* DRBG status values */ 64typedef enum drbg_status_e { 65 DRBG_UNINITIALISED, 66 DRBG_READY, 67 DRBG_ERROR 68} DRBG_STATUS; 69 70/* 71 * The state of all types of DRBGs. 72 */ 73struct prov_drbg_st { 74 CRYPTO_RWLOCK *lock; 75 PROV_CTX *provctx; 76 77 /* Virtual functions are cache here */ 78 int (*instantiate)(PROV_DRBG *drbg, 79 const unsigned char *entropy, size_t entropylen, 80 const unsigned char *nonce, size_t noncelen, 81 const unsigned char *pers, size_t perslen); 82 int (*uninstantiate)(PROV_DRBG *ctx); 83 int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len, 84 const unsigned char *adin, size_t adin_len); 85 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen, 86 const unsigned char *adin, size_t adin_len); 87 88 /* Parent PROV_RAND and its dispatch table functions */ 89 void *parent; 90 OSSL_FUNC_rand_enable_locking_fn *parent_enable_locking; 91 OSSL_FUNC_rand_lock_fn *parent_lock; 92 OSSL_FUNC_rand_unlock_fn *parent_unlock; 93 OSSL_FUNC_rand_get_ctx_params_fn *parent_get_ctx_params; 94 OSSL_FUNC_rand_nonce_fn *parent_nonce; 95 OSSL_FUNC_rand_get_seed_fn *parent_get_seed; 96 OSSL_FUNC_rand_clear_seed_fn *parent_clear_seed; 97 98 const OSSL_DISPATCH *parent_dispatch; 99 100 /* 101 * Stores the return value of openssl_get_fork_id() as of when we last 102 * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != 103 * openssl_get_fork_id(). Used to provide fork-safety and reseed this 104 * DRBG in the child process. 105 */ 106 int fork_id; 107 unsigned short flags; /* various external flags */ 108 109 /* 110 * The following parameters are setup by the per-type "init" function. 111 * 112 * The supported types and their init functions are: 113 * (1) CTR_DRBG: drbg_ctr_init(). 114 * (2) HMAC_DRBG: drbg_hmac_init(). 115 * (3) HASH_DRBG: drbg_hash_init(). 116 * 117 * The parameters are closely related to the ones described in 118 * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one 119 * crucial difference: In the NIST standard, all counts are given 120 * in bits, whereas in OpenSSL entropy counts are given in bits 121 * and buffer lengths are given in bytes. 122 * 123 * Since this difference has lead to some confusion in the past, 124 * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) 125 * the 'len' suffix has been added to all buffer sizes for 126 * clarification. 127 */ 128 129 unsigned int strength; 130 size_t max_request; 131 size_t min_entropylen, max_entropylen; 132 size_t min_noncelen, max_noncelen; 133 size_t max_perslen, max_adinlen; 134 135 /* 136 * Counts the number of generate requests since the last reseed 137 * (Starts at 1). This value is the reseed_counter as defined in 138 * NIST SP 800-90Ar1 139 */ 140 unsigned int generate_counter; 141 /* 142 * Maximum number of generate requests until a reseed is required. 143 * This value is ignored if it is zero. 144 */ 145 unsigned int reseed_interval; 146 /* Stores the time when the last reseeding occurred */ 147 time_t reseed_time; 148 /* 149 * Specifies the maximum time interval (in seconds) between reseeds. 150 * This value is ignored if it is zero. 151 */ 152 time_t reseed_time_interval; 153 /* 154 * Counts the number of reseeds since instantiation. 155 * This value is ignored if it is zero. 156 * 157 * This counter is used only for seed propagation from the <master> DRBG 158 * to its two children, the <public> and <private> DRBG. This feature is 159 * very special and its sole purpose is to ensure that any randomness which 160 * is added by PROV_add() or PROV_seed() will have an immediate effect on 161 * the output of PROV_bytes() resp. PROV_priv_bytes(). 162 */ 163 TSAN_QUALIFIER unsigned int reseed_counter; 164 unsigned int reseed_next_counter; 165 unsigned int parent_reseed_counter; 166 167 size_t seedlen; 168 DRBG_STATUS state; 169 170 /* DRBG specific data */ 171 void *data; 172 173 /* Entropy and nonce gathering callbacks */ 174 void *callback_arg; 175 OSSL_INOUT_CALLBACK *get_entropy_fn; 176 OSSL_CALLBACK *cleanup_entropy_fn; 177 OSSL_INOUT_CALLBACK *get_nonce_fn; 178 OSSL_CALLBACK *cleanup_nonce_fn; 179}; 180 181PROV_DRBG *ossl_rand_drbg_new 182 (void *provctx, void *parent, const OSSL_DISPATCH *parent_dispatch, 183 int (*dnew)(PROV_DRBG *ctx), 184 void (*dfree)(void *vctx), 185 int (*instantiate)(PROV_DRBG *drbg, 186 const unsigned char *entropy, size_t entropylen, 187 const unsigned char *nonce, size_t noncelen, 188 const unsigned char *pers, size_t perslen), 189 int (*uninstantiate)(PROV_DRBG *ctx), 190 int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len, 191 const unsigned char *adin, size_t adin_len), 192 int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen, 193 const unsigned char *adin, size_t adin_len)); 194void ossl_rand_drbg_free(PROV_DRBG *drbg); 195 196int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, 197 int prediction_resistance, 198 const unsigned char *pers, size_t perslen); 199 200int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg); 201 202int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance, 203 const unsigned char *ent, size_t ent_len, 204 const unsigned char *adin, size_t adinlen); 205 206int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen, 207 unsigned int strength, int prediction_resistance, 208 const unsigned char *adin, size_t adinlen); 209 210/* Seeding api */ 211OSSL_FUNC_rand_get_seed_fn ossl_drbg_get_seed; 212OSSL_FUNC_rand_clear_seed_fn ossl_drbg_clear_seed; 213 214/* Verify that an array of numeric values is all zero */ 215#define PROV_DRBG_VERYIFY_ZEROIZATION(v) \ 216 { \ 217 size_t i; \ 218 \ 219 for (i = 0; i < OSSL_NELEM(v); i++) \ 220 if ((v)[i] != 0) \ 221 return 0; \ 222 } 223 224/* locking api */ 225OSSL_FUNC_rand_enable_locking_fn ossl_drbg_enable_locking; 226OSSL_FUNC_rand_lock_fn ossl_drbg_lock; 227OSSL_FUNC_rand_unlock_fn ossl_drbg_unlock; 228 229/* Common parameters for all of our DRBGs */ 230int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]); 231int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]); 232 233#define OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON \ 234 OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \ 235 OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL) 236 237#define OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON \ 238 OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), \ 239 OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), \ 240 OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), \ 241 OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_ENTROPYLEN, NULL), \ 242 OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ENTROPYLEN, NULL), \ 243 OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MIN_NONCELEN, NULL), \ 244 OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_NONCELEN, NULL), \ 245 OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_PERSLEN, NULL), \ 246 OSSL_PARAM_size_t(OSSL_DRBG_PARAM_MAX_ADINLEN, NULL), \ 247 OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, NULL), \ 248 OSSL_PARAM_time_t(OSSL_DRBG_PARAM_RESEED_TIME, NULL), \ 249 OSSL_PARAM_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, NULL), \ 250 OSSL_PARAM_uint64(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, NULL) 251 252/* Continuous test "entropy" calls */ 253size_t ossl_crngt_get_entropy(PROV_DRBG *drbg, 254 unsigned char **pout, 255 int entropy, size_t min_len, size_t max_len, 256 int prediction_resistance); 257void ossl_crngt_cleanup_entropy(PROV_DRBG *drbg, 258 unsigned char *out, size_t outlen); 259 260#endif 261