Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/providers/implementations/rands/drbg.c
106879 views
1
/*

2
 * Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.

3
 *

4
 * Licensed under the Apache License 2.0 (the "License").  You may not use

5
 * this file except in compliance with the License.  You can obtain a copy

6
 * in the file LICENSE in the source distribution or at

7
 * https://www.openssl.org/source/license.html

8
 */

9


10
#include <string.h>

11
#include <openssl/crypto.h>

12
#include <openssl/err.h>

13
#include <openssl/rand.h>

14
#include <openssl/evp.h>

15
#include "crypto/rand.h"

16
#include <openssl/proverr.h>

17
#include "drbg_local.h"

18
#include "internal/thread_once.h"

19
#include "crypto/cryptlib.h"

20
#include "prov/seeding.h"

21
#include "crypto/rand_pool.h"

22
#include "prov/provider_ctx.h"

23
#include "prov/providercommon.h"

24
#include "crypto/context.h"

25


26
/*

27
 * Support framework for NIST SP 800-90A DRBG

28
 *

29
 * See manual page PROV_DRBG(7) for a general overview.

30
 *

31
 * The OpenSSL model is to have new and free functions, and that new

32
 * does all initialization.  That is not the NIST model, which has

33
 * instantiation and un-instantiate, and reuse within a new/free

34
 * lifecycle.  (No doubt this comes from the desire to support hardware

35
 * DRBG, where allocation of resources on something like an HSM is

36
 * a much bigger deal than just re-setting an allocated resource.)

37
 */

38


39
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */

40
static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;

41


42
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,

43
    int function);

44


45
static int rand_drbg_restart(PROV_DRBG *drbg);

46


47
/*

48
 * We interpret a call to this function as a hint only and ignore it. This

49
 * occurs when the EVP layer thinks we should do some locking. In practice

50
 * however we manage for ourselves when we take a lock or not on the basis

51
 * of whether drbg->lock is present or not.

52
 */

53
int ossl_drbg_lock(void *vctx)

54
{

55
    return 1;

56
}

57


58
/* Interpreted as a hint only and ignored as for ossl_drbg_lock() */

59
void ossl_drbg_unlock(void *vctx)

60
{

61
}

62


63
static int ossl_drbg_lock_parent(PROV_DRBG *drbg)

64
{

65
    void *parent = drbg->parent;

66


67
    if (parent != NULL

68
        && drbg->parent_lock != NULL

69
        && !drbg->parent_lock(parent)) {

70
        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);

71
        return 0;

72
    }

73
    return 1;

74
}

75


76
static void ossl_drbg_unlock_parent(PROV_DRBG *drbg)

77
{

78
    void *parent = drbg->parent;

79


80
    if (parent != NULL && drbg->parent_unlock != NULL)

81
        drbg->parent_unlock(parent);

82
}

83


84
static int get_parent_strength(PROV_DRBG *drbg, unsigned int *str)

85
{

86
    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };

87
    void *parent = drbg->parent;

88
    int res;

89


90
    if (drbg->parent_get_ctx_params == NULL) {

91
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);

92
        return 0;

93
    }

94


95
    *params = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, str);

96
    if (!ossl_drbg_lock_parent(drbg)) {

97
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);

98
        return 0;

99
    }

100
    res = drbg->parent_get_ctx_params(parent, params);

101
    ossl_drbg_unlock_parent(drbg);

102
    if (!res) {

103
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH);

104
        return 0;

105
    }

106
    return 1;

107
}

108


109
static unsigned int get_parent_reseed_count(PROV_DRBG *drbg)

110
{

111
    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };

112
    void *parent = drbg->parent;

113
    unsigned int r = 0;

114


115
    *params = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_COUNTER, &r);

116
    if (!ossl_drbg_lock_parent(drbg)) {

117
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOCK_PARENT);

118
        goto err;

119
    }

120
    if (!drbg->parent_get_ctx_params(parent, params))

121
        r = 0;

122
    ossl_drbg_unlock_parent(drbg);

123
    return r;

124


125
err:

126
    r = tsan_load(&drbg->reseed_counter) - 2;

127
    if (r == 0)

128
        r = UINT_MAX;

129
    return r;

130
}

131


132
/*

133
 * Implements the get_entropy() callback

134
 *

135
 * If the DRBG has a parent, then the required amount of entropy input

136
 * is fetched using the parent's ossl_prov_drbg_generate().

137
 *

138
 * Otherwise, the entropy is polled from the system entropy sources

139
 * using ossl_pool_acquire_entropy().

140
 *

141
 * If a random pool has been added to the DRBG using RAND_add(), then

142
 * its entropy will be used up first.

143
 */

144
size_t ossl_drbg_get_seed(void *vdrbg, unsigned char **pout,

145
    int entropy, size_t min_len,

146
    size_t max_len, int prediction_resistance,

147
    const unsigned char *adin, size_t adin_len)

148
{

149
    PROV_DRBG *drbg = (PROV_DRBG *)vdrbg;

150
    size_t bytes_needed;

151
    unsigned char *buffer;

152


153
    /* Figure out how many bytes we need */

154
    bytes_needed = entropy >= 0 ? (entropy + 7) / 8 : 0;

155
    if (bytes_needed < min_len)

156
        bytes_needed = min_len;

157
    if (bytes_needed > max_len)

158
        bytes_needed = max_len;

159


160
    /* Allocate storage */

161
    buffer = OPENSSL_secure_malloc(bytes_needed);

162
    if (buffer == NULL)

163
        return 0;

164


165
    /*

166
     * Get random data.  Include our DRBG address as

167
     * additional input, in order to provide a distinction between

168
     * different DRBG child instances.

169
     *

170
     * Note: using the sizeof() operator on a pointer triggers

171
     *       a warning in some static code analyzers, but it's

172
     *       intentional and correct here.

173
     */

174
    if (!ossl_prov_drbg_generate(drbg, buffer, bytes_needed,

175
            drbg->strength, prediction_resistance,

176
            (unsigned char *)&drbg, sizeof(drbg))) {

177
        OPENSSL_secure_clear_free(buffer, bytes_needed);

178
        ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);

179
        return 0;

180
    }

181
    *pout = buffer;

182
    return bytes_needed;

183
}

184


185
/* Implements the cleanup_entropy() callback */

186
void ossl_drbg_clear_seed(ossl_unused void *vdrbg,

187
    unsigned char *out, size_t outlen)

188
{

189
    OPENSSL_secure_clear_free(out, outlen);

190
}

191


192
static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,

193
    size_t min_len, size_t max_len,

194
    int prediction_resistance)

195
{

196
    size_t bytes;

197
    unsigned int p_str;

198


199
    if (drbg->parent == NULL)

200
        /*

201
         * In normal use (i.e. OpenSSL's own uses), this is never called.

202
         * This remains purely for legacy reasons.

203
         */

204
        return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,

205
            max_len);

206


207
    if (drbg->parent_get_seed == NULL) {

208
        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED);

209
        return 0;

210
    }

211
    if (!get_parent_strength(drbg, &p_str))

212
        return 0;

213
    if (drbg->strength > p_str) {

214
        /*

215
         * We currently don't support the algorithm from NIST SP 800-90C

216
         * 10.1.2 to use a weaker DRBG as source

217
         */

218
        ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);

219
        return 0;

220
    }

221


222
    /*

223
     * Our lock is already held, but we need to lock our parent before

224
     * generating bits from it.  Note: taking the lock will be a no-op

225
     * if locking is not required (while drbg->parent->lock == NULL).

226
     */

227
    if (!ossl_drbg_lock_parent(drbg))

228
        return 0;

229
    /*

230
     * Get random data from parent.  Include our DRBG address as

231
     * additional input, in order to provide a distinction between

232
     * different DRBG child instances.

233
     *

234
     * Note: using the sizeof() operator on a pointer triggers

235
     *       a warning in some static code analyzers, but it's

236
     *       intentional and correct here.

237
     */

238
    bytes = drbg->parent_get_seed(drbg->parent, pout,

239
        entropy > 0 ? entropy : (int)drbg->strength,

240
        min_len, max_len, prediction_resistance,

241
        (unsigned char *)&drbg, sizeof(drbg));

242
    ossl_drbg_unlock_parent(drbg);

243
    return bytes;

244
}

245


246
static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen)

247
{

248
    if (drbg->parent == NULL) {

249
        ossl_prov_cleanup_entropy(drbg->provctx, out, outlen);

250
    } else if (drbg->parent_clear_seed != NULL) {

251
        if (!ossl_drbg_lock_parent(drbg))

252
            return;

253
        drbg->parent_clear_seed(drbg->parent, out, outlen);

254
        ossl_drbg_unlock_parent(drbg);

255
    }

256
}

257


258
#ifndef PROV_RAND_GET_RANDOM_NONCE

259
typedef struct prov_drbg_nonce_global_st {

260
    CRYPTO_RWLOCK *rand_nonce_lock;

261
    int rand_nonce_count;

262
} PROV_DRBG_NONCE_GLOBAL;

263


264
/*

265
 * drbg_ossl_ctx_new() calls drgb_setup() which calls rand_drbg_get_nonce()

266
 * which needs to get the rand_nonce_lock out of the OSSL_LIB_CTX...but since

267
 * drbg_ossl_ctx_new() hasn't finished running yet we need the rand_nonce_lock

268
 * to be in a different global data object. Otherwise we will go into an

269
 * infinite recursion loop.

270
 */

271
void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx)

272
{

273
    PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl));

274


275
    if (dngbl == NULL)

276
        return NULL;

277


278
    dngbl->rand_nonce_lock = CRYPTO_THREAD_lock_new();

279
    if (dngbl->rand_nonce_lock == NULL) {

280
        OPENSSL_free(dngbl);

281
        return NULL;

282
    }

283


284
    return dngbl;

285
}

286


287
void ossl_prov_drbg_nonce_ctx_free(void *vdngbl)

288
{

289
    PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl;

290


291
    if (dngbl == NULL)

292
        return;

293


294
    CRYPTO_THREAD_lock_free(dngbl->rand_nonce_lock);

295


296
    OPENSSL_free(dngbl);

297
}

298


299
/* Get a nonce from the operating system */

300
static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout,

301
    size_t min_len, size_t max_len)

302
{

303
    size_t ret = 0, n;

304
    unsigned char *buf = NULL;

305
    OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx);

306
    PROV_DRBG_NONCE_GLOBAL *dngbl

307
        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX);

308
    struct {

309
        void *drbg;

310
        int count;

311
    } data;

312


313
    if (dngbl == NULL)

314
        return 0;

315


316
    if (drbg->parent != NULL && drbg->parent_nonce != NULL) {

317
        n = drbg->parent_nonce(drbg->parent, NULL, 0, drbg->min_noncelen,

318
            drbg->max_noncelen);

319
        if (n > 0 && (buf = OPENSSL_malloc(n)) != NULL) {

320
            ret = drbg->parent_nonce(drbg->parent, buf, 0,

321
                drbg->min_noncelen, drbg->max_noncelen);

322
            if (ret == n) {

323
                *pout = buf;

324
                return ret;

325
            }

326
            OPENSSL_free(buf);

327
        }

328
    }

329


330
    /* Use the built in nonce source plus some of our specifics */

331
    memset(&data, 0, sizeof(data));

332
    data.drbg = drbg;

333
    if (!CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count,

334
            dngbl->rand_nonce_lock))

335
        return 0;

336
    return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len,

337
        &data, sizeof(data));

338
}

339
#endif /* PROV_RAND_GET_RANDOM_NONCE */

340


341
/*

342
 * Instantiate |drbg|, after it has been initialized.  Use |pers| and

343
 * |perslen| as prediction-resistance input.

344
 *

345
 * Requires that drbg->lock is already locked for write, if non-null.

346
 *

347
 * Returns 1 on success, 0 on failure.

348
 */

349
int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength,

350
    int prediction_resistance,

351
    const unsigned char *pers, size_t perslen)

352
{

353
    unsigned char *nonce = NULL, *entropy = NULL;

354
    size_t noncelen = 0, entropylen = 0;

355
    size_t min_entropy, min_entropylen, max_entropylen;

356


357
    if (strength > drbg->strength) {

358
        ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);

359
        goto end;

360
    }

361
    min_entropy = drbg->strength;

362
    min_entropylen = drbg->min_entropylen;

363
    max_entropylen = drbg->max_entropylen;

364


365
    if (pers == NULL) {

366
        pers = (const unsigned char *)ossl_pers_string;

367
        perslen = sizeof(ossl_pers_string);

368
    }

369
    if (perslen > drbg->max_perslen) {

370
        ERR_raise(ERR_LIB_PROV, PROV_R_PERSONALISATION_STRING_TOO_LONG);

371
        goto end;

372
    }

373


374
    if (drbg->state != EVP_RAND_STATE_UNINITIALISED) {

375
        if (drbg->state == EVP_RAND_STATE_ERROR)

376
            ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);

377
        else

378
            ERR_raise(ERR_LIB_PROV, PROV_R_ALREADY_INSTANTIATED);

379
        goto end;

380
    }

381


382
    drbg->state = EVP_RAND_STATE_ERROR;

383


384
    if (drbg->min_noncelen > 0) {

385
        if (drbg->parent_nonce != NULL) {

386
            noncelen = drbg->parent_nonce(drbg->parent, NULL, drbg->strength,

387
                drbg->min_noncelen,

388
                drbg->max_noncelen);

389
            if (noncelen == 0) {

390
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);

391
                goto end;

392
            }

393
            nonce = OPENSSL_malloc(noncelen);

394
            if (nonce == NULL) {

395
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);

396
                goto end;

397
            }

398
            if (noncelen != drbg->parent_nonce(drbg->parent, nonce, drbg->strength, drbg->min_noncelen, drbg->max_noncelen)) {

399
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);

400
                goto end;

401
            }

402
#ifndef PROV_RAND_GET_RANDOM_NONCE

403
        } else if (drbg->parent != NULL) {

404
#endif

405
            /*

406
             * NIST SP800-90Ar1 section 9.1 says you can combine getting

407
             * the entropy and nonce in 1 call by increasing the entropy

408
             * with 50% and increasing the minimum length to accommodate

409
             * the length of the nonce. We do this in case a nonce is

410
             * required and there is no parental nonce capability.

411
             */

412
            min_entropy += drbg->strength / 2;

413
            min_entropylen += drbg->min_noncelen;

414
            max_entropylen += drbg->max_noncelen;

415
        }

416
#ifndef PROV_RAND_GET_RANDOM_NONCE

417
        else { /* parent == NULL */

418
            noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen,

419
                drbg->max_noncelen);

420
            if (noncelen < drbg->min_noncelen

421
                || noncelen > drbg->max_noncelen) {

422
                ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_NONCE);

423
                goto end;

424
            }

425
        }

426
#endif

427
    }

428


429
    drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);

430
    if (drbg->reseed_next_counter) {

431
        drbg->reseed_next_counter++;

432
        if (!drbg->reseed_next_counter)

433
            drbg->reseed_next_counter = 1;

434
    }

435


436
    entropylen = get_entropy(drbg, &entropy, min_entropy,

437
        min_entropylen, max_entropylen,

438
        prediction_resistance);

439
    if (entropylen < min_entropylen

440
        || entropylen > max_entropylen) {

441
        ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);

442
        goto end;

443
    }

444


445
    if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen,

446
            pers, perslen)) {

447
        cleanup_entropy(drbg, entropy, entropylen);

448
        ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG);

449
        goto end;

450
    }

451
    cleanup_entropy(drbg, entropy, entropylen);

452


453
    drbg->state = EVP_RAND_STATE_READY;

454
    drbg->generate_counter = 1;

455
    drbg->reseed_time = time(NULL);

456
    tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);

457


458
end:

459
    if (nonce != NULL)

460
        ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen);

461
    if (drbg->state == EVP_RAND_STATE_READY)

462
        return 1;

463
    return 0;

464
}

465


466
/*

467
 * Uninstantiate |drbg|. Must be instantiated before it can be used.

468
 *

469
 * Requires that drbg->lock is already locked for write, if non-null.

470
 *

471
 * Returns 1 on success, 0 on failure.

472
 */

473
int ossl_prov_drbg_uninstantiate(PROV_DRBG *drbg)

474
{

475
    drbg->state = EVP_RAND_STATE_UNINITIALISED;

476
    return 1;

477
}

478


479
static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,

480
    int prediction_resistance,

481
    const unsigned char *ent,

482
    size_t ent_len,

483
    const unsigned char *adin,

484
    size_t adinlen)

485
{

486
    unsigned char *entropy = NULL;

487
    size_t entropylen = 0;

488


489
    if (!ossl_prov_is_running())

490
        return 0;

491


492
    if (drbg->state != EVP_RAND_STATE_READY) {

493
        /* try to recover from previous errors */

494
        rand_drbg_restart(drbg);

495


496
        if (drbg->state == EVP_RAND_STATE_ERROR) {

497
            ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);

498
            return 0;

499
        }

500
        if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {

501
            ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);

502
            return 0;

503
        }

504
    }

505


506
    if (ent != NULL) {

507
        if (ent_len < drbg->min_entropylen) {

508
            ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_OUT_OF_RANGE);

509
            drbg->state = EVP_RAND_STATE_ERROR;

510
            return 0;

511
        }

512
        if (ent_len > drbg->max_entropylen) {

513
            ERR_raise(ERR_LIB_RAND, RAND_R_ENTROPY_INPUT_TOO_LONG);

514
            drbg->state = EVP_RAND_STATE_ERROR;

515
            return 0;

516
        }

517
    }

518


519
    if (adin == NULL) {

520
        adinlen = 0;

521
    } else if (adinlen > drbg->max_adinlen) {

522
        ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);

523
        return 0;

524
    }

525


526
    drbg->state = EVP_RAND_STATE_ERROR;

527


528
    drbg->reseed_next_counter = tsan_load(&drbg->reseed_counter);

529
    if (drbg->reseed_next_counter) {

530
        drbg->reseed_next_counter++;

531
        if (!drbg->reseed_next_counter)

532
            drbg->reseed_next_counter = 1;

533
    }

534


535
    if (ent != NULL) {

536
#ifdef FIPS_MODULE

537
        /*

538
         * NIST SP-800-90A mandates that entropy *shall not* be provided

539
         * by the consuming application. Instead the data is added as additional

540
         * input.

541
         *

542
         * (NIST SP-800-90Ar1, Sections 9.1 and 9.2)

543
         */

544
        if (!drbg->reseed(drbg, NULL, 0, ent, ent_len)) {

545
            ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);

546
            return 0;

547
        }

548
#else

549
        if (!drbg->reseed(drbg, ent, ent_len, adin, adinlen)) {

550
            ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_RESEED);

551
            return 0;

552
        }

553
        /* There isn't much point adding the same additional input twice */

554
        adin = NULL;

555
        adinlen = 0;

556
#endif

557
    }

558


559
    /* Reseed using our sources in addition */

560
    entropylen = get_entropy(drbg, &entropy, drbg->strength,

561
        drbg->min_entropylen, drbg->max_entropylen,

562
        prediction_resistance);

563
    if (entropylen < drbg->min_entropylen

564
        || entropylen > drbg->max_entropylen) {

565
        ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_RETRIEVING_ENTROPY);

566
        goto end;

567
    }

568


569
    if (!drbg->reseed(drbg, entropy, entropylen, adin, adinlen))

570
        goto end;

571


572
    drbg->state = EVP_RAND_STATE_READY;

573
    drbg->generate_counter = 1;

574
    drbg->reseed_time = time(NULL);

575
    tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter);

576
    if (drbg->parent != NULL)

577
        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);

578


579
end:

580
    cleanup_entropy(drbg, entropy, entropylen);

581
    if (drbg->state == EVP_RAND_STATE_READY)

582
        return 1;

583
    return 0;

584
}

585


586
/*

587
 * Reseed |drbg|, mixing in the specified data

588
 *

589
 * Acquires the drbg->lock for writing, if non-null.

590
 *

591
 * Returns 1 on success, 0 on failure.

592
 */

593
int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,

594
    const unsigned char *ent, size_t ent_len,

595
    const unsigned char *adin, size_t adinlen)

596
{

597
    int ret;

598


599
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))

600
        return 0;

601


602
    ret = ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, ent,

603
        ent_len, adin, adinlen);

604


605
    if (drbg->lock != NULL)

606
        CRYPTO_THREAD_unlock(drbg->lock);

607


608
    return ret;

609
}

610


611
/*

612
 * Generate |outlen| bytes into the buffer at |out|.  Reseed if we need

613
 * to or if |prediction_resistance| is set.  Additional input can be

614
 * sent in |adin| and |adinlen|.

615
 *

616
 * Acquires the drbg->lock for writing if available

617
 *

618
 * Returns 1 on success, 0 on failure.

619
 *

620
 */

621
int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,

622
    unsigned int strength, int prediction_resistance,

623
    const unsigned char *adin, size_t adinlen)

624
{

625
    int fork_id;

626
    int reseed_required = 0;

627
    int ret = 0;

628


629
    if (!ossl_prov_is_running())

630
        return 0;

631


632
    if (drbg->lock != NULL && !CRYPTO_THREAD_write_lock(drbg->lock))

633
        return 0;

634


635
    if (drbg->state != EVP_RAND_STATE_READY) {

636
        /* try to recover from previous errors */

637
        rand_drbg_restart(drbg);

638


639
        if (drbg->state == EVP_RAND_STATE_ERROR) {

640
            ERR_raise(ERR_LIB_PROV, PROV_R_IN_ERROR_STATE);

641
            goto err;

642
        }

643
        if (drbg->state == EVP_RAND_STATE_UNINITIALISED) {

644
            ERR_raise(ERR_LIB_PROV, PROV_R_NOT_INSTANTIATED);

645
            goto err;

646
        }

647
    }

648
    if (strength > drbg->strength) {

649
        ERR_raise(ERR_LIB_PROV, PROV_R_INSUFFICIENT_DRBG_STRENGTH);

650
        goto err;

651
    }

652


653
    if (outlen > drbg->max_request) {

654
        ERR_raise(ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG);

655
        goto err;

656
    }

657
    if (adinlen > drbg->max_adinlen) {

658
        ERR_raise(ERR_LIB_PROV, PROV_R_ADDITIONAL_INPUT_TOO_LONG);

659
        goto err;

660
    }

661


662
    fork_id = openssl_get_fork_id();

663


664
    if (drbg->fork_id != fork_id) {

665
        drbg->fork_id = fork_id;

666
        reseed_required = 1;

667
    }

668


669
    if (drbg->reseed_interval > 0) {

670
        if (drbg->generate_counter >= drbg->reseed_interval)

671
            reseed_required = 1;

672
    }

673
    if (drbg->reseed_time_interval > 0) {

674
        time_t now = time(NULL);

675
        if (now < drbg->reseed_time

676
            || now - drbg->reseed_time >= drbg->reseed_time_interval)

677
            reseed_required = 1;

678
    }

679
    if (drbg->parent != NULL

680
        && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)

681
        reseed_required = 1;

682


683
    if (reseed_required || prediction_resistance) {

684
        if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,

685
                0, adin, adinlen)) {

686
            ERR_raise(ERR_LIB_PROV, PROV_R_RESEED_ERROR);

687
            goto err;

688
        }

689
        adin = NULL;

690
        adinlen = 0;

691
    }

692


693
    if (!drbg->generate(drbg, out, outlen, adin, adinlen)) {

694
        drbg->state = EVP_RAND_STATE_ERROR;

695
        ERR_raise(ERR_LIB_PROV, PROV_R_GENERATE_ERROR);

696
        goto err;

697
    }

698


699
    drbg->generate_counter++;

700


701
    ret = 1;

702
err:

703
    if (drbg->lock != NULL)

704
        CRYPTO_THREAD_unlock(drbg->lock);

705


706
    return ret;

707
}

708


709
/*

710
 * Restart |drbg|, using the specified entropy or additional input

711
 *

712
 * Tries its best to get the drbg instantiated by all means,

713
 * regardless of its current state.

714
 *

715
 * Optionally, a |buffer| of |len| random bytes can be passed,

716
 * which is assumed to contain at least |entropy| bits of entropy.

717
 *

718
 * If |entropy| > 0, the buffer content is used as entropy input.

719
 *

720
 * If |entropy| == 0, the buffer content is used as additional input

721
 *

722
 * Returns 1 on success, 0 on failure.

723
 *

724
 * This function is used internally only.

725
 */

726
static int rand_drbg_restart(PROV_DRBG *drbg)

727
{

728
    /* repair error state */

729
    if (drbg->state == EVP_RAND_STATE_ERROR)

730
        drbg->uninstantiate(drbg);

731


732
    /* repair uninitialized state */

733
    if (drbg->state == EVP_RAND_STATE_UNINITIALISED)

734
        /* reinstantiate drbg */

735
        ossl_prov_drbg_instantiate(drbg, drbg->strength, 0, NULL, 0);

736


737
    return drbg->state == EVP_RAND_STATE_READY;

738
}

739


740
/* Provider support from here down */

741
static const OSSL_DISPATCH *find_call(const OSSL_DISPATCH *dispatch,

742
    int function)

743
{

744
    if (dispatch != NULL)

745
        while (dispatch->function_id != 0) {

746
            if (dispatch->function_id == function)

747
                return dispatch;

748
            dispatch++;

749
        }

750
    return NULL;

751
}

752


753
int ossl_drbg_enable_locking(void *vctx)

754
{

755
    PROV_DRBG *drbg = vctx;

756


757
    if (drbg != NULL && drbg->lock == NULL) {

758
        if (drbg->parent_enable_locking != NULL)

759
            if (!drbg->parent_enable_locking(drbg->parent)) {

760
                ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_LOCKING_NOT_ENABLED);

761
                return 0;

762
            }

763
        drbg->lock = CRYPTO_THREAD_lock_new();

764
        if (drbg->lock == NULL) {

765
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_CREATE_LOCK);

766
            return 0;

767
        }

768
    }

769
    return 1;

770
}

771


772
/*

773
 * Allocate memory and initialize a new DRBG. The DRBG is allocated on

774
 * the secure heap if |secure| is nonzero and the secure heap is enabled.

775
 * The |parent|, if not NULL, will be used as random source for reseeding.

776
 * This also requires the parent's provider context and the parent's lock.

777
 *

778
 * Returns a pointer to the new DRBG instance on success, NULL on failure.

779
 */

780
PROV_DRBG *ossl_rand_drbg_new(void *provctx, void *parent, const OSSL_DISPATCH *p_dispatch,

781
    int (*dnew)(PROV_DRBG *ctx),

782
    void (*dfree)(void *vctx),

783
    int (*instantiate)(PROV_DRBG *drbg,

784
        const unsigned char *entropy, size_t entropylen,

785
        const unsigned char *nonce, size_t noncelen,

786
        const unsigned char *pers, size_t perslen),

787
    int (*uninstantiate)(PROV_DRBG *ctx),

788
    int (*reseed)(PROV_DRBG *drbg, const unsigned char *ent, size_t ent_len,

789
        const unsigned char *adin, size_t adin_len),

790
    int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,

791
        const unsigned char *adin, size_t adin_len))

792
{

793
    PROV_DRBG *drbg;

794
    unsigned int p_str;

795
    const OSSL_DISPATCH *pfunc;

796


797
    if (!ossl_prov_is_running())

798
        return NULL;

799


800
    drbg = OPENSSL_zalloc(sizeof(*drbg));

801
    if (drbg == NULL)

802
        return NULL;

803


804
    drbg->provctx = provctx;

805
    drbg->instantiate = instantiate;

806
    drbg->uninstantiate = uninstantiate;

807
    drbg->reseed = reseed;

808
    drbg->generate = generate;

809
    drbg->fork_id = openssl_get_fork_id();

810


811
    /* Extract parent's functions */

812
    drbg->parent = parent;

813
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_ENABLE_LOCKING)) != NULL)

814
        drbg->parent_enable_locking = OSSL_FUNC_rand_enable_locking(pfunc);

815
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_LOCK)) != NULL)

816
        drbg->parent_lock = OSSL_FUNC_rand_lock(pfunc);

817
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_UNLOCK)) != NULL)

818
        drbg->parent_unlock = OSSL_FUNC_rand_unlock(pfunc);

819
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_CTX_PARAMS)) != NULL)

820
        drbg->parent_get_ctx_params = OSSL_FUNC_rand_get_ctx_params(pfunc);

821
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_NONCE)) != NULL)

822
        drbg->parent_nonce = OSSL_FUNC_rand_nonce(pfunc);

823
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_GET_SEED)) != NULL)

824
        drbg->parent_get_seed = OSSL_FUNC_rand_get_seed(pfunc);

825
    if ((pfunc = find_call(p_dispatch, OSSL_FUNC_RAND_CLEAR_SEED)) != NULL)

826
        drbg->parent_clear_seed = OSSL_FUNC_rand_clear_seed(pfunc);

827


828
    /* Set some default maximums up */

829
    drbg->max_entropylen = DRBG_MAX_LENGTH;

830
    drbg->max_noncelen = DRBG_MAX_LENGTH;

831
    drbg->max_perslen = DRBG_MAX_LENGTH;

832
    drbg->max_adinlen = DRBG_MAX_LENGTH;

833
    drbg->generate_counter = 1;

834
    drbg->reseed_counter = 1;

835
    drbg->reseed_interval = RESEED_INTERVAL;

836
    drbg->reseed_time_interval = TIME_INTERVAL;

837


838
    if (!dnew(drbg))

839
        goto err;

840


841
    if (parent != NULL) {

842
        if (!get_parent_strength(drbg, &p_str))

843
            goto err;

844
        if (drbg->strength > p_str) {

845
            /*

846
             * We currently don't support the algorithm from NIST SP 800-90C

847
             * 10.1.2 to use a weaker DRBG as source

848
             */

849
            ERR_raise(ERR_LIB_PROV, PROV_R_PARENT_STRENGTH_TOO_WEAK);

850
            goto err;

851
        }

852
    }

853
#ifdef TSAN_REQUIRES_LOCKING

854
    if (!ossl_drbg_enable_locking(drbg))

855
        goto err;

856
#endif

857
    return drbg;

858


859
err:

860
    dfree(drbg);

861
    return NULL;

862
}

863


864
void ossl_rand_drbg_free(PROV_DRBG *drbg)

865
{

866
    if (drbg == NULL)

867
        return;

868


869
    CRYPTO_THREAD_lock_free(drbg->lock);

870
    OPENSSL_free(drbg);

871
}

872


873
/*

874
 * Helper function called by internal DRBG implementations. Assumes that at

875
 * least a read lock has been taken on drbg->lock

876
 */

877
int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[])

878
{

879
    OSSL_PARAM *p;

880


881
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);

882
    if (p != NULL && !OSSL_PARAM_set_int(p, drbg->state))

883
        return 0;

884


885
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);

886
    if (p != NULL && !OSSL_PARAM_set_int(p, drbg->strength))

887
        return 0;

888


889
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_ENTROPYLEN);

890
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_entropylen))

891
        return 0;

892


893
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ENTROPYLEN);

894
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_entropylen))

895
        return 0;

896


897
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MIN_NONCELEN);

898
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->min_noncelen))

899
        return 0;

900


901
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_NONCELEN);

902
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_noncelen))

903
        return 0;

904


905
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_PERSLEN);

906
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_perslen))

907
        return 0;

908


909
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_MAX_ADINLEN);

910
    if (p != NULL && !OSSL_PARAM_set_size_t(p, drbg->max_adinlen))

911
        return 0;

912


913
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);

914
    if (p != NULL && !OSSL_PARAM_set_uint(p, drbg->reseed_interval))

915
        return 0;

916


917
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME);

918
    if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time))

919
        return 0;

920


921
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);

922
    if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval))

923
        return 0;

924
    if (!OSSL_FIPS_IND_GET_CTX_PARAM(drbg, params))

925
        return 0;

926
    return 1;

927
}

928


929
/*

930
 * Helper function to get certain params that require no lock to obtain. Sets

931
 * *complete to 1 if all the params were processed, or 0 otherwise

932
 */

933
int ossl_drbg_get_ctx_params_no_lock(PROV_DRBG *drbg, OSSL_PARAM params[],

934
    int *complete)

935
{

936
    size_t cnt = 0;

937
    OSSL_PARAM *p;

938


939
    /* This value never changes once set */

940
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);

941
    if (p != NULL) {

942
        if (!OSSL_PARAM_set_size_t(p, drbg->max_request))

943
            return 0;

944
        cnt++;

945
    }

946


947
    /*

948
     * Can be changed by multiple threads, but we tolerate inaccuracies in this

949
     * value.

950
     */

951
    p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_COUNTER);

952
    if (p != NULL) {

953
        if (!OSSL_PARAM_set_uint(p, tsan_load(&drbg->reseed_counter)))

954
            return 0;

955
        cnt++;

956
    }

957


958
    if (params[cnt].key == NULL)

959
        *complete = 1;

960
    else

961
        *complete = 0;

962


963
    return 1;

964
}

965


966
int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])

967
{

968
    const OSSL_PARAM *p;

969


970
    if (ossl_param_is_empty(params))

971
        return 1;

972


973
    p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);

974
    if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))

975
        return 0;

976


977
    p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL);

978
    if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval))

979
        return 0;

980


981
    return 1;

982
}

983


984
#ifdef FIPS_MODULE

985
static int digest_allowed(const EVP_MD *md)

986
{

987
    /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */

988
    static const char *const allowed_digests[] = {

989
        "SHA1", /* SHA 1 allowed */

990
        "SHA2-256",

991
        "SHA2-512", /* non-truncated SHA2 allowed */

992
        "SHA3-256",

993
        "SHA3-512", /* non-truncated SHA3 allowed */

994
    };

995
    size_t i;

996


997
    for (i = 0; i < OSSL_NELEM(allowed_digests); i++) {

998
        if (EVP_MD_is_a(md, allowed_digests[i]))

999
            return 1;

1000
    }

1001
    return 0;

1002
}

1003
#endif

1004


1005
/* Confirm digest is allowed to be used with a DRBG */

1006
int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,

1007
    const EVP_MD *md)

1008
{

1009
#ifdef FIPS_MODULE

1010
    int approved = digest_allowed(md);

1011


1012
    if (!approved) {

1013
        if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0,

1014
                libctx, "DRBG", "Digest",

1015
                ossl_fips_config_restricted_drbg_digests)) {

1016
            ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);

1017
            return 0;

1018
        }

1019
    }

1020
#else /* FIPS_MODULE */

1021
    /* Outside of FIPS, any digests that are not XOF are allowed */

1022
    if (EVP_MD_xof(md)) {

1023
        ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);

1024
        return 0;

1025
    }

1026
#endif /* FIPS_MODULE */

1027
    return 1;

1028
}

1029


1030