/*
* Initialise and instantiate DRBG based on selftest data
*/
static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
TEST_CTX *t)
{
if (!TEST_true(init(drbg, td, t))
|| !TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen)))
return 0;
return 1;
}
/*
* Allocates a new global DRBG on the secure heap (if enabled) and
* initializes it with default settings.
* A global lock for the DRBG is created with the given name.
*
* Returns a pointer to the new DRBG instance on success, NULL on failure.
*/
static RAND_DRBG *drbg_setup(const char *name, RAND_DRBG *parent)
{
RAND_DRBG *drbg;
if (name == NULL) {
RANDerr(RAND_F_DRBG_SETUP, ERR_R_INTERNAL_ERROR);
return NULL;
}
drbg = OPENSSL_secure_zalloc(sizeof(RAND_DRBG));
if (drbg == NULL)
return NULL;
drbg->lock = CRYPTO_THREAD_glock_new(name);
if (drbg->lock == NULL) {
RANDerr(RAND_F_DRBG_SETUP, RAND_R_FAILED_TO_CREATE_LOCK);
goto err;
}
if (RAND_DRBG_set(drbg,
RAND_DRBG_NID, RAND_DRBG_FLAG_CTR_USE_DF) != 1)
goto err;
if (RAND_DRBG_set_callbacks(drbg, rand_drbg_get_entropy,
rand_drbg_cleanup_entropy, NULL, NULL) != 1)
goto err;
if (parent == NULL) {
drbg->reseed_interval = MASTER_RESEED_INTERVAL;
drbg->reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
} else {
drbg->parent = parent;
drbg->reseed_interval = SLAVE_RESEED_INTERVAL;
drbg->reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
}
/* enable seed propagation */
drbg->reseed_counter = 1;
/*
* Ignore instantiation error so support just-in-time instantiation.
*
* The state of the drbg will be checked in RAND_DRBG_generate() and
* an automatic recovery is attempted.
*/
RAND_DRBG_instantiate(drbg,
(const unsigned char *) ossl_pers_string,
sizeof(ossl_pers_string) - 1);
return drbg;
err:
drbg_cleanup(drbg);
return NULL;
}
/*
* This function is not part of RAND_METHOD, so if we're not using
* the default method, then just call RAND_bytes(). Otherwise make
* sure we're instantiated and use the private DRBG.
*/
int RAND_priv_bytes(unsigned char *buf, int num)
{
const RAND_METHOD *meth = RAND_get_rand_method();
if (meth != RAND_OpenSSL())
return RAND_bytes(buf, num);
if (priv_drbg.state == DRBG_UNINITIALISED
&& RAND_DRBG_instantiate(&priv_drbg, NULL, 0) == 0)
return 0;
return RAND_DRBG_generate(&priv_drbg, buf, num, 0, NULL, 0);
}
/*
* Disable CRNG testing if it is enabled.
* If the DRBG is ready or in an error state, this means an instantiate cycle
* for which the default personalisation string is used.
*/
static int disable_crngt(RAND_DRBG *drbg)
{
static const char pers[] = DRBG_DEFAULT_PERS_STRING;
const int instantiate = drbg->state != DRBG_UNINITIALISED;
if (drbg->get_entropy != rand_crngt_get_entropy)
return 1;
if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
|| !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
&rand_drbg_cleanup_entropy,
&rand_drbg_get_nonce,
&rand_drbg_cleanup_nonce))
|| (instantiate
&& !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
sizeof(pers) - 1)))
return 0;
return 1;
}
/*
* Perform extensive error checking as required by SP800-90.
* Induce several failure modes and check an error condition is set.
*/
static int error_check(DRBG_SELFTEST_DATA *td)
{
static char zero[sizeof(RAND_DRBG)];
RAND_DRBG *drbg = NULL;
TEST_CTX t;
unsigned char buff[1024];
unsigned int generate_counter_tmp;
int ret = 0;
if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
goto err;
/*
* Personalisation string tests
*/
/* Test detection of too large personlisation string */
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
goto err;
/*
* Entropy source tests
*/
/* Test entropy source failure detecion: i.e. returns no data */
t.entropylen = 0;
if (TEST_int_le(RAND_DRBG_instantiate(drbg, td->pers, td->perslen), 0))
goto err;
/* Try to generate output from uninstantiated DRBG */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Test insufficient entropy */
t.entropylen = drbg->min_entropylen - 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
/* Test too much entropy */
t.entropylen = drbg->max_entropylen + 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
/*
* Nonce tests
*/
/* Test too small nonce */
if (drbg->min_noncelen) {
t.noncelen = drbg->min_noncelen - 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
}
/* Test too large nonce */
if (drbg->max_noncelen) {
t.noncelen = drbg->max_noncelen + 1;
if (!init(drbg, td, &t)
|| RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
|| !uninstantiate(drbg))
goto err;
}
/* Instantiate with valid data, Check generation is now OK */
if (!instantiate(drbg, td, &t)
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen)))
goto err;
/* Request too much data for one request */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
td->adin, td->adinlen)))
goto err;
/* Try too large additional input */
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, drbg->max_adinlen + 1)))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entropylen = 0;
if (TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Instantiate again with valid data */
if (!instantiate(drbg, td, &t))
goto err;
generate_counter_tmp = drbg->generate_counter;
drbg->generate_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->generate_counter, generate_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/*
* Check prediction resistance request fails if entropy source
* failure.
*/
t.entropylen = 0;
if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Test reseed counter works */
if (!instantiate(drbg, td, &t))
goto err;
generate_counter_tmp = drbg->generate_counter;
drbg->generate_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
|| !TEST_int_eq(drbg->generate_counter, generate_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/*
* Explicit reseed tests
*/
/* Test explicit reseed with too large additional input */
if (!init(drbg, td, &t)
|| RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
goto err;
/* Test explicit reseed with entropy source failure */
t.entropylen = 0;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too much entropy */
if (!init(drbg, td, &t))
goto err;
t.entropylen = drbg->max_entropylen + 1;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too little entropy */
if (!init(drbg, td, &t))
goto err;
t.entropylen = drbg->min_entropylen - 1;
if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
|| !uninstantiate(drbg))
goto err;
/* Standard says we have to check uninstantiate really zeroes */
if (!TEST_mem_eq(zero, sizeof(drbg->data), &drbg->data, sizeof(drbg->data)))
goto err;
ret = 1;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return ret;
}
/*
* Do a single KAT test. Return 0 on failure.
*/
static int single_kat(DRBG_SELFTEST_DATA *td)
{
RAND_DRBG *drbg = NULL;
TEST_CTX t;
int failures = 0;
unsigned char buff[1024];
/*
* Test without PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL))) {
failures++;
goto err;
}
memset(&t, 0, sizeof(t));
t.entropy = td->entropy;
t.entropylen = td->entropylen;
t.nonce = td->nonce;
t.noncelen = td->noncelen;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_mem_eq(td->expected, td->exlen, buff, td->exlen))
failures++;
/* Reseed DRBG with test entropy and additional input */
t.entropy = td->entropyreseed;
t.entropylen = td->entropyreseedlen;
if (!TEST_true(RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
|| !TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
td->adin2, td->adin2len))
|| !TEST_mem_eq(td->kat2, td->kat2len, buff, td->kat2len)))
failures++;
uninstantiate(drbg);
/*
* Now test with PR: Instantiate DRBG with test entropy, nonce and
* personalisation string.
*/
if (!TEST_true(RAND_DRBG_set(drbg, td->nid, td->flags))
|| !TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
kat_nonce, NULL)))
failures++;
RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
t.entropy = td->entropy_pr;
t.entropylen = td->entropylen_pr;
t.nonce = td->nonce_pr;
t.noncelen = td->noncelen_pr;
t.entropycnt = 0;
t.noncecnt = 0;
if (!TEST_true(RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)))
failures++;
/*
* Now generate with PR: we need to supply entropy as this will
* perform a reseed operation.
*/
t.entropy = td->entropypr_pr;
t.entropylen = td->entropyprlen_pr;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
td->adin_pr, td->adinlen_pr))
|| !TEST_mem_eq(td->kat_pr, td->katlen_pr, buff, td->katlen_pr))
failures++;
/*
* Now generate again with PR: supply new entropy again.
*/
t.entropy = td->entropyg_pr;
t.entropylen = td->entropyglen_pr;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
td->ading_pr, td->adinglen_pr))
|| !TEST_mem_eq(td->kat2_pr, td->kat2len_pr,
buff, td->kat2len_pr))
failures++;
err:
uninstantiate(drbg);
RAND_DRBG_free(drbg);
return failures == 0;
}
/*
* Restart |drbg|, using the specified entropy or additional input
*
* Tries its best to get the drbg instantiated by all means,
* regardless of its current state.
*
* Optionally, a |buffer| of |len| random bytes can be passed,
* which is assumed to contain at least |entropy| bits of entropy.
*
* If |entropy| > 0, the buffer content is used as entropy input.
*
* If |entropy| == 0, the buffer content is used as additional input
*
* Returns 1 on success, 0 on failure.
*
* This function is used internally only.
*/
int rand_drbg_restart(RAND_DRBG *drbg,
const unsigned char *buffer, size_t len, size_t entropy)
{
int reseeded = 0;
const unsigned char *adin = NULL;
size_t adinlen = 0;
if (drbg->pool != NULL) {
RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
rand_pool_free(drbg->pool);
drbg->pool = NULL;
}
if (buffer != NULL) {
if (entropy > 0) {
if (drbg->max_entropylen < len) {
RANDerr(RAND_F_RAND_DRBG_RESTART,
RAND_R_ENTROPY_INPUT_TOO_LONG);
return 0;
}
if (entropy > 8 * len) {
RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_ENTROPY_OUT_OF_RANGE);
return 0;
}
/* will be picked up by the rand_drbg_get_entropy() callback */
drbg->pool = rand_pool_new(entropy, len, len);
if (drbg->pool == NULL)
return 0;
rand_pool_add(drbg->pool, buffer, len, entropy);
} else {
if (drbg->max_adinlen < len) {
RANDerr(RAND_F_RAND_DRBG_RESTART,
RAND_R_ADDITIONAL_INPUT_TOO_LONG);
return 0;
}
adin = buffer;
adinlen = len;
}
}
/* repair error state */
if (drbg->state == DRBG_ERROR)
RAND_DRBG_uninstantiate(drbg);
/* repair uninitialized state */
if (drbg->state == DRBG_UNINITIALISED) {
/* reinstantiate drbg */
RAND_DRBG_instantiate(drbg,
(const unsigned char *) ossl_pers_string,
sizeof(ossl_pers_string) - 1);
/* already reseeded. prevent second reseeding below */
reseeded = (drbg->state == DRBG_READY);
}
/* refresh current state if entropy or additional input has been provided */
if (drbg->state == DRBG_READY) {
if (adin != NULL) {
/*
* mix in additional input without reseeding
*
* Similar to RAND_DRBG_reseed(), but the provided additional
* data |adin| is mixed into the current state without pulling
* entropy from the trusted entropy source using get_entropy().
* This is not a reseeding in the strict sense of NIST SP 800-90A.
*/
drbg->meth->reseed(drbg, adin, adinlen, NULL, 0);
} else if (reseeded == 0) {
/* do a full reseeding if it has not been done yet above */
RAND_DRBG_reseed(drbg, NULL, 0, 0);
}
}
/* check whether a given entropy pool was cleared properly during reseed */
if (drbg->pool != NULL) {
drbg->state = DRBG_ERROR;
RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
rand_pool_free(drbg->pool);
drbg->pool = NULL;
return 0;
}
return drbg->state == DRBG_READY;
}