1 /*
2 * Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <assert.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <openssl/sha.h>
14 #include <openssl/crypto.h>
15 #include <openssl/err.h>
16 #include <openssl/rand.h>
17 #include <openssl/core_dispatch.h>
18 #include <openssl/proverr.h>
19 #include "internal/thread_once.h"
20 #include "prov/providercommon.h"
21 #include "prov/provider_ctx.h"
22 #include "prov/provider_util.h"
23 #include "prov/implementations.h"
24 #include "drbg_local.h"
25 #include "crypto/evp.h"
26 #include "crypto/evp/evp_local.h"
27 #include "internal/provider.h"
28
29 static OSSL_FUNC_rand_newctx_fn drbg_hash_new_wrapper;
30 static OSSL_FUNC_rand_freectx_fn drbg_hash_free;
31 static OSSL_FUNC_rand_instantiate_fn drbg_hash_instantiate_wrapper;
32 static OSSL_FUNC_rand_uninstantiate_fn drbg_hash_uninstantiate_wrapper;
33 static OSSL_FUNC_rand_generate_fn drbg_hash_generate_wrapper;
34 static OSSL_FUNC_rand_reseed_fn drbg_hash_reseed_wrapper;
35 static OSSL_FUNC_rand_settable_ctx_params_fn drbg_hash_settable_ctx_params;
36 static OSSL_FUNC_rand_set_ctx_params_fn drbg_hash_set_ctx_params;
37 static OSSL_FUNC_rand_gettable_ctx_params_fn drbg_hash_gettable_ctx_params;
38 static OSSL_FUNC_rand_get_ctx_params_fn drbg_hash_get_ctx_params;
39 static OSSL_FUNC_rand_verify_zeroization_fn drbg_hash_verify_zeroization;
40
41 static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]);
42
43 /* 888 bits from SP800-90Ar1 10.1 table 2 */
44 #define HASH_PRNG_MAX_SEEDLEN (888 / 8)
45
46 /* 440 bits from SP800-90Ar1 10.1 table 2 */
47 #define HASH_PRNG_SMALL_SEEDLEN (440 / 8)
48
49 /* Determine what seedlen to use based on the block length */
50 #define MAX_BLOCKLEN_USING_SMALL_SEEDLEN (256 / 8)
51 #define INBYTE_IGNORE ((unsigned char)0xFF)
52
53 typedef struct rand_drbg_hash_st {
54 PROV_DIGEST digest;
55 EVP_MD_CTX *ctx;
56 size_t blocklen;
57 unsigned char V[HASH_PRNG_MAX_SEEDLEN];
58 unsigned char C[HASH_PRNG_MAX_SEEDLEN];
59 /* Temporary value storage: should always exceed max digest length */
60 unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
61 } PROV_DRBG_HASH;
62
63 /*
64 * SP800-90Ar1 10.3.1 Derivation function using a Hash Function (Hash_df).
65 * The input string used is composed of:
66 * inbyte - An optional leading byte (ignore if equal to INBYTE_IGNORE)
67 * in - input string 1 (A Non NULL value).
68 * in2 - optional input string (Can be NULL).
69 * in3 - optional input string (Can be NULL).
70 * These are concatenated as part of the DigestUpdate process.
71 */
hash_df(PROV_DRBG * drbg,unsigned char * out,const unsigned char inbyte,const unsigned char * in,size_t inlen,const unsigned char * in2,size_t in2len,const unsigned char * in3,size_t in3len)72 static int hash_df(PROV_DRBG *drbg, unsigned char *out,
73 const unsigned char inbyte,
74 const unsigned char *in, size_t inlen,
75 const unsigned char *in2, size_t in2len,
76 const unsigned char *in3, size_t in3len)
77 {
78 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
79 EVP_MD_CTX *ctx = hash->ctx;
80 unsigned char *vtmp = hash->vtmp;
81 /* tmp = counter || num_bits_returned || [inbyte] */
82 unsigned char tmp[1 + 4 + 1];
83 int tmp_sz = 0;
84 size_t outlen = drbg->seedlen;
85 size_t num_bits_returned = outlen * 8;
86 /*
87 * No need to check outlen size here, as the standard only ever needs
88 * seedlen bytes which is always less than the maximum permitted.
89 */
90
91 /* (Step 3) counter = 1 (tmp[0] is the 8 bit counter) */
92 tmp[tmp_sz++] = 1;
93 /* tmp[1..4] is the fixed 32 bit no_of_bits_to_return */
94 tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 24) & 0xff);
95 tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 16) & 0xff);
96 tmp[tmp_sz++] = (unsigned char)((num_bits_returned >> 8) & 0xff);
97 tmp[tmp_sz++] = (unsigned char)(num_bits_returned & 0xff);
98 /* Tack the additional input byte onto the end of tmp if it exists */
99 if (inbyte != INBYTE_IGNORE)
100 tmp[tmp_sz++] = inbyte;
101
102 /* (Step 4) */
103 for (;;) {
104 /*
105 * (Step 4.1) out = out || Hash(tmp || in || [in2] || [in3])
106 * (where tmp = counter || num_bits_returned || [inbyte])
107 */
108 if (!(EVP_DigestInit_ex(ctx, ossl_prov_digest_md(&hash->digest), NULL)
109 && EVP_DigestUpdate(ctx, tmp, tmp_sz)
110 && EVP_DigestUpdate(ctx, in, inlen)
111 && (in2 == NULL || EVP_DigestUpdate(ctx, in2, in2len))
112 && (in3 == NULL || EVP_DigestUpdate(ctx, in3, in3len))))
113 return 0;
114
115 if (outlen < hash->blocklen) {
116 if (!EVP_DigestFinal(ctx, vtmp, NULL))
117 return 0;
118 memcpy(out, vtmp, outlen);
119 OPENSSL_cleanse(vtmp, hash->blocklen);
120 break;
121 } else if (!EVP_DigestFinal(ctx, out, NULL)) {
122 return 0;
123 }
124
125 outlen -= hash->blocklen;
126 if (outlen == 0)
127 break;
128 /* (Step 4.2) counter++ */
129 tmp[0]++;
130 out += hash->blocklen;
131 }
132 return 1;
133 }
134
135 /* Helper function that just passes 2 input parameters to hash_df() */
hash_df1(PROV_DRBG * drbg,unsigned char * out,const unsigned char in_byte,const unsigned char * in1,size_t in1len)136 static int hash_df1(PROV_DRBG *drbg, unsigned char *out,
137 const unsigned char in_byte,
138 const unsigned char *in1, size_t in1len)
139 {
140 return hash_df(drbg, out, in_byte, in1, in1len, NULL, 0, NULL, 0);
141 }
142
143 /*
144 * Add 2 byte buffers together. The first elements in each buffer are the top
145 * most bytes. The result is stored in the dst buffer.
146 * The final carry is ignored i.e: dst = (dst + in) mod (2^seedlen_bits).
147 * where dst size is drbg->seedlen, and inlen <= drbg->seedlen.
148 */
add_bytes(PROV_DRBG * drbg,unsigned char * dst,unsigned char * in,size_t inlen)149 static int add_bytes(PROV_DRBG *drbg, unsigned char *dst,
150 unsigned char *in, size_t inlen)
151 {
152 size_t i;
153 int result;
154 const unsigned char *add;
155 unsigned char carry = 0, *d;
156
157 assert(drbg->seedlen >= 1 && inlen >= 1 && inlen <= drbg->seedlen);
158
159 d = &dst[drbg->seedlen - 1];
160 add = &in[inlen - 1];
161
162 for (i = inlen; i > 0; i--, d--, add--) {
163 result = *d + *add + carry;
164 carry = (unsigned char)(result >> 8);
165 *d = (unsigned char)(result & 0xff);
166 }
167
168 if (carry != 0) {
169 /* Add the carry to the top of the dst if inlen is not the same size */
170 for (i = drbg->seedlen - inlen; i > 0; --i, d--) {
171 *d += 1; /* Carry can only be 1 */
172 if (*d != 0) /* exit if carry doesn't propagate to the next byte */
173 break;
174 }
175 }
176 return 1;
177 }
178
179 /* V = (V + Hash(inbyte || V || [additional_input]) mod (2^seedlen) */
add_hash_to_v(PROV_DRBG * drbg,unsigned char inbyte,const unsigned char * adin,size_t adinlen)180 static int add_hash_to_v(PROV_DRBG *drbg, unsigned char inbyte,
181 const unsigned char *adin, size_t adinlen)
182 {
183 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
184 EVP_MD_CTX *ctx = hash->ctx;
185
186 return EVP_DigestInit_ex(ctx, ossl_prov_digest_md(&hash->digest), NULL)
187 && EVP_DigestUpdate(ctx, &inbyte, 1)
188 && EVP_DigestUpdate(ctx, hash->V, drbg->seedlen)
189 && (adin == NULL || EVP_DigestUpdate(ctx, adin, adinlen))
190 && EVP_DigestFinal(ctx, hash->vtmp, NULL)
191 && add_bytes(drbg, hash->V, hash->vtmp, hash->blocklen);
192 }
193
194 /*
195 * The Hashgen() as listed in SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process.
196 *
197 * drbg contains the current value of V.
198 * outlen is the requested number of bytes.
199 * out is a buffer to return the generated bits.
200 *
201 * The algorithm to generate the bits is:
202 * data = V
203 * w = NULL
204 * for (i = 1 to m) {
205 * W = W || Hash(data)
206 * data = (data + 1) mod (2^seedlen)
207 * }
208 * out = Leftmost(W, outlen)
209 *
210 * Returns zero if an error occurs otherwise it returns 1.
211 */
hash_gen(PROV_DRBG * drbg,unsigned char * out,size_t outlen)212 static int hash_gen(PROV_DRBG *drbg, unsigned char *out, size_t outlen)
213 {
214 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
215 unsigned char one = 1;
216
217 if (outlen == 0)
218 return 1;
219 memcpy(hash->vtmp, hash->V, drbg->seedlen);
220 for (;;) {
221 if (!EVP_DigestInit_ex(hash->ctx, ossl_prov_digest_md(&hash->digest),
222 NULL)
223 || !EVP_DigestUpdate(hash->ctx, hash->vtmp, drbg->seedlen))
224 return 0;
225
226 if (outlen < hash->blocklen) {
227 if (!EVP_DigestFinal(hash->ctx, hash->vtmp, NULL))
228 return 0;
229 memcpy(out, hash->vtmp, outlen);
230 return 1;
231 } else {
232 if (!EVP_DigestFinal(hash->ctx, out, NULL))
233 return 0;
234 outlen -= hash->blocklen;
235 if (outlen == 0)
236 break;
237 out += hash->blocklen;
238 }
239 add_bytes(drbg, hash->vtmp, &one, 1);
240 }
241 return 1;
242 }
243
244 /*
245 * SP800-90Ar1 10.1.1.2 Hash_DRBG_Instantiate_Process:
246 *
247 * ent is entropy input obtained from a randomness source of length ent_len.
248 * nonce is a string of bytes of length nonce_len.
249 * pstr is a personalization string received from an application. May be NULL.
250 *
251 * Returns zero if an error occurs otherwise it returns 1.
252 */
drbg_hash_instantiate(PROV_DRBG * drbg,const unsigned char * ent,size_t ent_len,const unsigned char * nonce,size_t nonce_len,const unsigned char * pstr,size_t pstr_len)253 static int drbg_hash_instantiate(PROV_DRBG *drbg,
254 const unsigned char *ent, size_t ent_len,
255 const unsigned char *nonce, size_t nonce_len,
256 const unsigned char *pstr, size_t pstr_len)
257 {
258 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
259
260 EVP_MD_CTX_free(hash->ctx);
261 hash->ctx = EVP_MD_CTX_new();
262
263 /* (Step 1-3) V = Hash_df(entropy||nonce||pers, seedlen) */
264 return hash->ctx != NULL
265 && hash_df(drbg, hash->V, INBYTE_IGNORE,
266 ent, ent_len, nonce, nonce_len, pstr, pstr_len)
267 /* (Step 4) C = Hash_df(0x00||V, seedlen) */
268 && hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);
269 }
270
drbg_hash_instantiate_wrapper(void * vdrbg,unsigned int strength,int prediction_resistance,const unsigned char * pstr,size_t pstr_len,const OSSL_PARAM params[])271 static int drbg_hash_instantiate_wrapper(void *vdrbg, unsigned int strength,
272 int prediction_resistance,
273 const unsigned char *pstr,
274 size_t pstr_len,
275 const OSSL_PARAM params[])
276 {
277 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
278 int ret = 0;
279
280 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
281 return 0;
282
283 if (!ossl_prov_is_running()
284 || !drbg_hash_set_ctx_params_locked(drbg, params))
285 goto err;
286 ret = ossl_prov_drbg_instantiate(drbg, strength, prediction_resistance,
287 pstr, pstr_len);
288 err:
289 if (drbg->lock != NULL)
290 CRYPTO_THREAD_unlock(drbg->lock);
291 return ret;
292 }
293
294 /*
295 * SP800-90Ar1 10.1.1.3 Hash_DRBG_Reseed_Process:
296 *
297 * ent is entropy input bytes obtained from a randomness source.
298 * addin is additional input received from an application. May be NULL.
299 *
300 * Returns zero if an error occurs otherwise it returns 1.
301 */
drbg_hash_reseed(PROV_DRBG * drbg,const unsigned char * ent,size_t ent_len,const unsigned char * adin,size_t adin_len)302 static int drbg_hash_reseed(PROV_DRBG *drbg,
303 const unsigned char *ent, size_t ent_len,
304 const unsigned char *adin, size_t adin_len)
305 {
306 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
307
308 /* (Step 1-2) V = Hash_df(0x01 || V || entropy_input || additional_input) */
309 /* V about to be updated so use C as output instead */
310 if (!hash_df(drbg, hash->C, 0x01, hash->V, drbg->seedlen, ent, ent_len,
311 adin, adin_len))
312 return 0;
313 memcpy(hash->V, hash->C, drbg->seedlen);
314 /* (Step 4) C = Hash_df(0x00||V, seedlen) */
315 return hash_df1(drbg, hash->C, 0x00, hash->V, drbg->seedlen);
316 }
317
drbg_hash_reseed_wrapper(void * vdrbg,int prediction_resistance,const unsigned char * ent,size_t ent_len,const unsigned char * adin,size_t adin_len)318 static int drbg_hash_reseed_wrapper(void *vdrbg, int prediction_resistance,
319 const unsigned char *ent, size_t ent_len,
320 const unsigned char *adin, size_t adin_len)
321 {
322 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
323
324 return ossl_prov_drbg_reseed(drbg, prediction_resistance, ent, ent_len,
325 adin, adin_len);
326 }
327
328 /*
329 * SP800-90Ar1 10.1.1.4 Hash_DRBG_Generate_Process:
330 *
331 * Generates pseudo random bytes using the drbg.
332 * out is a buffer to fill with outlen bytes of pseudo random data.
333 * addin is additional input received from an application. May be NULL.
334 *
335 * Returns zero if an error occurs otherwise it returns 1.
336 */
drbg_hash_generate(PROV_DRBG * drbg,unsigned char * out,size_t outlen,const unsigned char * adin,size_t adin_len)337 static int drbg_hash_generate(PROV_DRBG *drbg,
338 unsigned char *out, size_t outlen,
339 const unsigned char *adin, size_t adin_len)
340 {
341 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
342 unsigned char counter[4];
343 int reseed_counter = drbg->generate_counter;
344
345 counter[0] = (unsigned char)((reseed_counter >> 24) & 0xff);
346 counter[1] = (unsigned char)((reseed_counter >> 16) & 0xff);
347 counter[2] = (unsigned char)((reseed_counter >> 8) & 0xff);
348 counter[3] = (unsigned char)(reseed_counter & 0xff);
349
350 return hash->ctx != NULL
351 && (adin == NULL
352 /* (Step 2) if adin != NULL then V = V + Hash(0x02||V||adin) */
353 || adin_len == 0
354 || add_hash_to_v(drbg, 0x02, adin, adin_len))
355 /* (Step 3) Hashgen(outlen, V) */
356 && hash_gen(drbg, out, outlen)
357 /* (Step 4/5) H = V = (V + Hash(0x03||V) mod (2^seedlen_bits) */
358 && add_hash_to_v(drbg, 0x03, NULL, 0)
359 /* (Step 5) V = (V + H + C + reseed_counter) mod (2^seedlen_bits) */
360 /* V = (V + C) mod (2^seedlen_bits) */
361 && add_bytes(drbg, hash->V, hash->C, drbg->seedlen)
362 /* V = (V + reseed_counter) mod (2^seedlen_bits) */
363 && add_bytes(drbg, hash->V, counter, 4);
364 }
365
drbg_hash_generate_wrapper(void * vdrbg,unsigned char * out,size_t outlen,unsigned int strength,int prediction_resistance,const unsigned char * adin,size_t adin_len)366 static int drbg_hash_generate_wrapper(void *vdrbg, unsigned char *out, size_t outlen, unsigned int strength,
367 int prediction_resistance, const unsigned char *adin, size_t adin_len)
368 {
369 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
370
371 return ossl_prov_drbg_generate(drbg, out, outlen, strength,
372 prediction_resistance, adin, adin_len);
373 }
374
drbg_hash_uninstantiate(PROV_DRBG * drbg)375 static int drbg_hash_uninstantiate(PROV_DRBG *drbg)
376 {
377 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
378
379 OPENSSL_cleanse(hash->V, sizeof(hash->V));
380 OPENSSL_cleanse(hash->C, sizeof(hash->C));
381 OPENSSL_cleanse(hash->vtmp, sizeof(hash->vtmp));
382 return ossl_prov_drbg_uninstantiate(drbg);
383 }
384
drbg_hash_uninstantiate_wrapper(void * vdrbg)385 static int drbg_hash_uninstantiate_wrapper(void *vdrbg)
386 {
387 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
388 int ret;
389
390 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
391 return 0;
392
393 ret = drbg_hash_uninstantiate(drbg);
394
395 if (drbg->lock != NULL)
396 CRYPTO_THREAD_unlock(drbg->lock);
397
398 return ret;
399 }
400
drbg_hash_verify_zeroization(void * vdrbg)401 static int drbg_hash_verify_zeroization(void *vdrbg)
402 {
403 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
404 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
405 int ret = 0;
406
407 if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
408 return 0;
409
410 PROV_DRBG_VERIFY_ZEROIZATION(hash->V);
411 PROV_DRBG_VERIFY_ZEROIZATION(hash->C);
412 PROV_DRBG_VERIFY_ZEROIZATION(hash->vtmp);
413
414 ret = 1;
415 err:
416 if (drbg->lock != NULL)
417 CRYPTO_THREAD_unlock(drbg->lock);
418 return ret;
419 }
420
drbg_hash_new(PROV_DRBG * ctx)421 static int drbg_hash_new(PROV_DRBG *ctx)
422 {
423 PROV_DRBG_HASH *hash;
424
425 hash = OPENSSL_secure_zalloc(sizeof(*hash));
426 if (hash == NULL)
427 return 0;
428
429 OSSL_FIPS_IND_INIT(ctx)
430
431 ctx->data = hash;
432 ctx->seedlen = HASH_PRNG_MAX_SEEDLEN;
433 ctx->max_entropylen = DRBG_MAX_LENGTH;
434 ctx->max_noncelen = DRBG_MAX_LENGTH;
435 ctx->max_perslen = DRBG_MAX_LENGTH;
436 ctx->max_adinlen = DRBG_MAX_LENGTH;
437
438 /* Maximum number of bits per request = 2^19 = 2^16 bytes */
439 ctx->max_request = 1 << 16;
440 return 1;
441 }
442
drbg_hash_new_wrapper(void * provctx,void * parent,const OSSL_DISPATCH * parent_dispatch)443 static void *drbg_hash_new_wrapper(void *provctx, void *parent,
444 const OSSL_DISPATCH *parent_dispatch)
445 {
446 return ossl_rand_drbg_new(provctx, parent, parent_dispatch,
447 &drbg_hash_new, &drbg_hash_free,
448 &drbg_hash_instantiate, &drbg_hash_uninstantiate,
449 &drbg_hash_reseed, &drbg_hash_generate);
450 }
451
drbg_hash_free(void * vdrbg)452 static void drbg_hash_free(void *vdrbg)
453 {
454 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
455 PROV_DRBG_HASH *hash;
456
457 if (drbg != NULL && (hash = (PROV_DRBG_HASH *)drbg->data) != NULL) {
458 EVP_MD_CTX_free(hash->ctx);
459 ossl_prov_digest_reset(&hash->digest);
460 OPENSSL_secure_clear_free(hash, sizeof(*hash));
461 }
462 ossl_rand_drbg_free(drbg);
463 }
464
drbg_hash_get_ctx_params(void * vdrbg,OSSL_PARAM params[])465 static int drbg_hash_get_ctx_params(void *vdrbg, OSSL_PARAM params[])
466 {
467 PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;
468 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)drbg->data;
469 const EVP_MD *md;
470 OSSL_PARAM *p;
471 int ret = 0, complete = 0;
472
473 if (!ossl_drbg_get_ctx_params_no_lock(drbg, params, &complete))
474 return 0;
475
476 if (complete)
477 return 1;
478
479 if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock))
480 return 0;
481
482 p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_DIGEST);
483 if (p != NULL) {
484 md = ossl_prov_digest_md(&hash->digest);
485 if (md == NULL || !OSSL_PARAM_set_utf8_string(p, EVP_MD_get0_name(md)))
486 goto err;
487 }
488
489 ret = ossl_drbg_get_ctx_params(drbg, params);
490 err:
491 if (drbg->lock != NULL)
492 CRYPTO_THREAD_unlock(drbg->lock);
493
494 return ret;
495 }
496
drbg_hash_gettable_ctx_params(ossl_unused void * vctx,ossl_unused void * p_ctx)497 static const OSSL_PARAM *drbg_hash_gettable_ctx_params(ossl_unused void *vctx,
498 ossl_unused void *p_ctx)
499 {
500 static const OSSL_PARAM known_gettable_ctx_params[] = {
501 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0),
502 OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON,
503 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
504 OSSL_PARAM_END
505 };
506 return known_gettable_ctx_params;
507 }
508
drbg_fetch_digest_from_prov(const OSSL_PARAM params[],OSSL_LIB_CTX * libctx,EVP_MD ** digest)509 static int drbg_fetch_digest_from_prov(const OSSL_PARAM params[],
510 OSSL_LIB_CTX *libctx,
511 EVP_MD **digest)
512 {
513 OSSL_PROVIDER *prov = NULL;
514 const OSSL_PARAM *p;
515 EVP_MD *md = NULL;
516 int ret = 0;
517
518 if (digest == NULL)
519 return 0;
520
521 if ((p = OSSL_PARAM_locate_const(params,
522 OSSL_PROV_PARAM_CORE_PROV_NAME))
523 == NULL)
524 return 0;
525 if (p->data_type != OSSL_PARAM_UTF8_STRING)
526 return 0;
527 if ((prov = ossl_provider_find(libctx, (const char *)p->data, 1)) == NULL)
528 return 0;
529
530 p = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
531 if (p == NULL) {
532 ret = 1;
533 goto done;
534 }
535
536 if (p->data_type != OSSL_PARAM_UTF8_STRING)
537 goto done;
538
539 md = evp_digest_fetch_from_prov(prov, (const char *)p->data, NULL);
540 if (md) {
541 EVP_MD_free(*digest);
542 *digest = md;
543 ret = 1;
544 }
545
546 done:
547 ossl_provider_free(prov);
548 return ret;
549 }
550
drbg_hash_set_ctx_params_locked(void * vctx,const OSSL_PARAM params[])551 static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[])
552 {
553 PROV_DRBG *ctx = (PROV_DRBG *)vctx;
554 PROV_DRBG_HASH *hash = (PROV_DRBG_HASH *)ctx->data;
555 OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
556 EVP_MD *prov_md = NULL;
557 const EVP_MD *md;
558 int md_size;
559
560 if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params,
561 OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK))
562 return 0;
563
564 /* try to fetch digest from provider */
565 (void)ERR_set_mark();
566 if (!drbg_fetch_digest_from_prov(params, libctx, &prov_md)) {
567 (void)ERR_pop_to_mark();
568 /* fall back to full implementation search */
569 if (!ossl_prov_digest_load_from_params(&hash->digest, params, libctx))
570 return 0;
571 } else {
572 (void)ERR_clear_last_mark();
573 if (prov_md)
574 ossl_prov_digest_set_md(&hash->digest, prov_md);
575 }
576
577 md = ossl_prov_digest_md(&hash->digest);
578 if (md != NULL) {
579 if (!ossl_drbg_verify_digest(ctx, libctx, md))
580 return 0; /* Error already raised for us */
581
582 /* These are taken from SP 800-90 10.1 Table 2 */
583 md_size = EVP_MD_get_size(md);
584 if (md_size <= 0)
585 return 0;
586 hash->blocklen = md_size;
587 /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
588 ctx->strength = 64 * (hash->blocklen >> 3);
589 if (ctx->strength > 256)
590 ctx->strength = 256;
591 if (hash->blocklen > MAX_BLOCKLEN_USING_SMALL_SEEDLEN)
592 ctx->seedlen = HASH_PRNG_MAX_SEEDLEN;
593 else
594 ctx->seedlen = HASH_PRNG_SMALL_SEEDLEN;
595
596 ctx->min_entropylen = ctx->strength / 8;
597 ctx->min_noncelen = ctx->min_entropylen / 2;
598 }
599
600 return ossl_drbg_set_ctx_params(ctx, params);
601 }
602
drbg_hash_set_ctx_params(void * vctx,const OSSL_PARAM params[])603 static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[])
604 {
605 PROV_DRBG *drbg = (PROV_DRBG *)vctx;
606 int ret;
607
608 if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))
609 return 0;
610
611 ret = drbg_hash_set_ctx_params_locked(vctx, params);
612
613 if (drbg->lock != NULL)
614 CRYPTO_THREAD_unlock(drbg->lock);
615
616 return ret;
617 }
618
drbg_hash_settable_ctx_params(ossl_unused void * vctx,ossl_unused void * p_ctx)619 static const OSSL_PARAM *drbg_hash_settable_ctx_params(ossl_unused void *vctx,
620 ossl_unused void *p_ctx)
621 {
622 static const OSSL_PARAM known_settable_ctx_params[] = {
623 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0),
624 OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0),
625 OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON,
626 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK)
627 OSSL_PARAM_END
628 };
629 return known_settable_ctx_params;
630 }
631
632 const OSSL_DISPATCH ossl_drbg_hash_functions[] = {
633 { OSSL_FUNC_RAND_NEWCTX, (void (*)(void))drbg_hash_new_wrapper },
634 { OSSL_FUNC_RAND_FREECTX, (void (*)(void))drbg_hash_free },
635 { OSSL_FUNC_RAND_INSTANTIATE,
636 (void (*)(void))drbg_hash_instantiate_wrapper },
637 { OSSL_FUNC_RAND_UNINSTANTIATE,
638 (void (*)(void))drbg_hash_uninstantiate_wrapper },
639 { OSSL_FUNC_RAND_GENERATE, (void (*)(void))drbg_hash_generate_wrapper },
640 { OSSL_FUNC_RAND_RESEED, (void (*)(void))drbg_hash_reseed_wrapper },
641 { OSSL_FUNC_RAND_ENABLE_LOCKING, (void (*)(void))ossl_drbg_enable_locking },
642 { OSSL_FUNC_RAND_LOCK, (void (*)(void))ossl_drbg_lock },
643 { OSSL_FUNC_RAND_UNLOCK, (void (*)(void))ossl_drbg_unlock },
644 { OSSL_FUNC_RAND_SETTABLE_CTX_PARAMS,
645 (void (*)(void))drbg_hash_settable_ctx_params },
646 { OSSL_FUNC_RAND_SET_CTX_PARAMS, (void (*)(void))drbg_hash_set_ctx_params },
647 { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
648 (void (*)(void))drbg_hash_gettable_ctx_params },
649 { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void (*)(void))drbg_hash_get_ctx_params },
650 { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
651 (void (*)(void))drbg_hash_verify_zeroization },
652 { OSSL_FUNC_RAND_GET_SEED, (void (*)(void))ossl_drbg_get_seed },
653 { OSSL_FUNC_RAND_CLEAR_SEED, (void (*)(void))ossl_drbg_clear_seed },
654 OSSL_DISPATCH_END
655 };
656