void drbg_delete_thread_state()
{
RAND_DRBG *drbg;
drbg = CRYPTO_THREAD_get_local(&public_drbg_thread_local_key);
RAND_DRBG_free(drbg);
drbg = CRYPTO_THREAD_get_local(&private_drbg_thread_local_key);
RAND_DRBG_free(drbg);
}
void drbg_delete_thread_state(void)
{
RAND_DRBG *drbg;
drbg = CRYPTO_THREAD_get_local(&public_drbg);
CRYPTO_THREAD_set_local(&public_drbg, NULL);
RAND_DRBG_free(drbg);
drbg = CRYPTO_THREAD_get_local(&private_drbg);
CRYPTO_THREAD_set_local(&private_drbg, NULL);
RAND_DRBG_free(drbg);
}
/*
* Allocates a new global DRBG on the secure heap (if enabled) and
* initializes it with default settings.
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
{
RAND_DRBG *drbg;
drbg = RAND_DRBG_secure_new(rand_drbg_type, rand_drbg_flags, parent);
if (drbg == NULL)
return NULL;
/* Only the master DRBG needs to have a lock */
if (parent == NULL && rand_drbg_enable_locking(drbg) == 0)
goto err;
/* enable seed propagation */
drbg->reseed_counter = 1;
/*
* Ignore instantiation error so support just-in-time instantiation.
*
* The state of the drbg will be checked in RAND_DRBG_generate() and
* an automatic recovery is attempted.
*/
RAND_DRBG_instantiate(drbg,
(const unsigned char *) ossl_pers_string,
sizeof(ossl_pers_string) - 1);
return drbg;
err:
RAND_DRBG_free(drbg);
return NULL;
}
/* Clean up the global DRBGs before exit */
void rand_drbg_cleanup_int(void)
{
RAND_DRBG_free(drbg_master);
drbg_master = NULL;
CRYPTO_THREAD_cleanup_local(&private_drbg_thread_local_key);
CRYPTO_THREAD_cleanup_local(&public_drbg_thread_local_key);
}
/* Clean up the global DRBGs before exit */
void rand_drbg_cleanup_int(void)
{
if (master_drbg != NULL) {
RAND_DRBG_free(master_drbg);
master_drbg = NULL;
CRYPTO_THREAD_cleanup_local(&private_drbg);
CRYPTO_THREAD_cleanup_local(&public_drbg);
}
}
/*
* Perform extensive error checking as required by SP800-90.
* Induce several failure modes and check an error condition is set.
*/
static int error_check(DRBG_SELFTEST_DATA *td)
{
static char zero[sizeof(RAND_DRBG)];
RAND_DRBG *drbg = NULL;
TEST_CTX t;
unsigned char buff[1024];
unsigned int generate_counter_tmp;
int ret = 0;
if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
goto err;
/*
* Personalisation string tests
*/
/* Test detection of too large personlisation string */
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
goto err;
/*
* Entropy source tests
*/
/* Test entropy source failure detecion: i.e. returns no data */
t.entropylen = 0;
if (TEST_int_le(RAND_DRBG_instantiate(drbg, td->pers, td->perslen), 0))
goto err;
/* Try to generate output from uninstantiated DRBG */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Test insufficient entropy */
t.entropylen = drbg->min_entropylen - 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
/* Test too much entropy */
t.entropylen = drbg->max_entropylen + 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
/*
* Nonce tests
*/
/* Test too small nonce */
if (drbg->min_noncelen) {
t.noncelen = drbg->min_noncelen - 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
}
/* Test too large nonce */
if (drbg->max_noncelen) {
t.noncelen = drbg->max_noncelen + 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
}
/* Instantiate with valid data, Check generation is now OK */
if (!instantiate(drbg, td, &t)
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen)))
goto err;
/* Request too much data for one request */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
td->adin, td->adinlen)))
goto err;
/* Try too large additional input */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, drbg->max_adinlen + 1)))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entropylen = 0;
if (TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Instantiate again with valid data */
if (!instantiate(drbg, td, &t))
goto err;
generate_counter_tmp = drbg->generate_counter;
drbg->generate_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->generate_counter, generate_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entropylen = 0;
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Test reseed counter works */
if (!instantiate(drbg, td, &t))
goto err;
generate_counter_tmp = drbg->generate_counter;
drbg->generate_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->generate_counter, generate_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/*
* Explicit reseed tests
*/
/* Test explicit reseed with too large additional input */
if (!init(drbg, td, &t)
|| RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
goto err;
/* Test explicit reseed with entropy source failure */
t.entropylen = 0;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too much entropy */
if (!init(drbg, td, &t))
goto err;
t.entropylen = drbg->max_entropylen + 1;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too little entropy */
if (!init(drbg, td, &t))
goto err;
t.entropylen = drbg->min_entropylen - 1;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Standard says we have to check uninstantiate really zeroes */
if (!TEST_mem_eq(zero, sizeof(drbg->data), &drbg->data, sizeof(drbg->data)))
goto err;
ret = 1;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return ret;
}
/*
* Do a single KAT test. Return 0 on failure.
*/
static int single_kat(DRBG_SELFTEST_DATA *td)
{
RAND_DRBG *drbg = NULL;
TEST_CTX t;
int failures = 0;
unsigned char buff[1024];
/*
* Test without PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.entropy = td->entropy;
t.entropylen = td->entropylen;
t.nonce = td->nonce;
t.noncelen = td->noncelen;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
failures++;
/* Reseed DRBG with test entropy and additional input */
t.entropy = td->entropyreseed;
t.entropylen = td->entropyreseedlen;
if (!TEST_true(RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
td->adin2, td->adin2len))
|| !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
failures++;
uninstantiate(drbg);
/*
* Now test with PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
|| !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL)))
failures++;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
t.entropy = td->entropy_pr;
t.entropylen = td->entropylen_pr;
t.nonce = td->nonce_pr;
t.noncelen = td->noncelen_pr;
t.entropycnt = 0;
t.noncecnt = 0;
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)))
failures++;
/*
* Now generate with PR: we need to supply entropy as this will
* perform a reseed operation.
*/
t.entropy = td->entropypr_pr;
t.entropylen = td->entropyprlen_pr;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
td->adin_pr, td->adinlen_pr))
|| !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
failures++;
/*
* Now generate again with PR: supply new entropy again.
*/
t.entropy = td->entropyg_pr;
t.entropylen = td->entropyglen_pr;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
td->ading_pr, td->adinglen_pr))
|| !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
buff, td->kat2len_pr))
failures++;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
/*
* Allocate memory and initialize a new DRBG. The DRBG is allocated on
* the secure heap if |secure| is nonzero and the secure heap is enabled.
* The |parent|, if not NULL, will be used as random source for reseeding.
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
static RAND_DRBG *rand_drbg_new(int secure,
int type,
unsigned int flags,
RAND_DRBG *parent)
{
RAND_DRBG *drbg = secure ?
OPENSSL_secure_zalloc(sizeof(*drbg)) : OPENSSL_zalloc(sizeof(*drbg));
if (drbg == NULL) {
RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
drbg->fork_count = rand_fork_count;
drbg->parent = parent;
if (parent == NULL) {
drbg->get_entropy = rand_drbg_get_entropy;
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
#ifndef RAND_DRBG_GET_RANDOM_NONCE
drbg->get_nonce = rand_drbg_get_nonce;
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
#endif
drbg->reseed_interval = master_reseed_interval;
drbg->reseed_time_interval = master_reseed_time_interval;
} else {
drbg->get_entropy = rand_drbg_get_entropy;
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
/*
* Do not provide nonce callbacks, the child DRBGs will
* obtain their nonce using random bits from the parent.
*/
drbg->reseed_interval = slave_reseed_interval;
drbg->reseed_time_interval = slave_reseed_time_interval;
}
if (RAND_DRBG_set(drbg, type, flags) == 0)
goto err;
if (parent != NULL) {
rand_drbg_lock(parent);
if (drbg->strength > parent->strength) {
/*
* We currently don't support the algorithm from NIST SP 800-90C
* 10.1.2 to use a weaker DRBG as source
*/
rand_drbg_unlock(parent);
RANDerr(RAND_F_RAND_DRBG_NEW, RAND_R_PARENT_STRENGTH_TOO_WEAK);
goto err;
}
rand_drbg_unlock(parent);
}
return drbg;
err:
RAND_DRBG_free(drbg);
return NULL;
}
