crypto/openssl-0.9.7e/fips/rand/fips_rand.c

   1 /* ====================================================================
   2  * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  *
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  *
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in
  13  *    the documentation and/or other materials provided with the
  14  *    distribution.
  15  *
  16  * 3. All advertising materials mentioning features or use of this
  17  *    software must display the following acknowledgment:
  18  *    "This product includes software developed by the OpenSSL Project
  19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  20  *
  21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  22  *    endorse or promote products derived from this software without
  23  *    prior written permission. For written permission, please contact
  24  *    openssl-core@openssl.org.
  25  *
  26  * 5. Products derived from this software may not be called "OpenSSL"
  27  *    nor may "OpenSSL" appear in their names without prior written
  28  *    permission of the OpenSSL Project.
  29  *
  30  * 6. Redistributions of any form whatsoever must retain the following
  31  *    acknowledgment:
  32  *    "This product includes software developed by the OpenSSL Project
  33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  34  *
  35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  46  * OF THE POSSIBILITY OF SUCH DAMAGE.
  47  *
  48  */
  49
  50 /*
  51  * This is a FIPS approved PRNG, ANSI X9.31 A.2.4.
  52  */
  53
  54 #include "e_os.h"
  55
  56 /* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
  57    be defined and gettimeofday() won't be declared with strict compilers
  58    like DEC C in ANSI C mode.  */
  59 #define _XOPEN_SOURCE_EXTENDED
  60
  61 #include <openssl/des.h>
  62 #include <openssl/rand.h>
  63 #include <openssl/err.h>
  64 #include <openssl/fips_rand.h>
  65 #ifndef OPENSSL_SYS_WIN32
  66 #include <sys/time.h>
  67 #endif
  68 #include <assert.h>
  69 #ifndef OPENSSL_SYS_WIN32
  70 # ifdef OPENSSL_UNISTD
  71 #  include OPENSSL_UNISTD
  72 # else
  73 #  include <unistd.h>
  74 # endif
  75 #endif
  76 #include <string.h>
  77
  78 #ifdef OPENSSL_FIPS
  79
  80 #define SEED_SIZE       8
  81
  82 static unsigned char seed[SEED_SIZE];
  83 static FIPS_RAND_SIZE_T n_seed;
  84 static FIPS_RAND_SIZE_T o_seed;
  85 static DES_cblock key1;
  86 static DES_cblock key2;
  87 static DES_key_schedule ks1,ks2;
  88 static int key_set;
  89 static int test_mode;
  90 static unsigned char test_faketime[8];
  91
  92 #ifndef GETPID_IS_MEANINGLESS
  93 static int seed_pid;
  94 static int key_pid;
  95 #endif
  96
  97 static void fips_rand_cleanup(void);
  98 static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy);
  99 static int fips_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num);
 100 static int fips_rand_status(void);
 101
 102 static RAND_METHOD rand_fips_meth=
 103     {
 104     FIPS_rand_seed,
 105     fips_rand_bytes,
 106     fips_rand_cleanup,
 107     fips_rand_add,
 108     fips_rand_bytes,
 109     fips_rand_status
 110     };
 111
 112 static int second;
 113
 114 RAND_METHOD *FIPS_rand_method(void)
 115 {
 116   return &rand_fips_meth;
 117 }
 118
 119 void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8])
 120     {
 121     memcpy(&key1,k1,sizeof key1);
 122     memcpy(&key2,k2,sizeof key2);
 123     key_set=1;
 124 #ifndef GETPID_IS_MEANINGLESS
 125     key_pid=getpid();
 126 #endif
 127     second=0;
 128     }
 129
 130 void FIPS_test_mode(int test,const unsigned char faketime[8])
 131     {
 132     test_mode=test;
 133     if(!test_mode)
 134         return;
 135     memcpy(test_faketime,faketime,sizeof test_faketime);
 136     }
 137
 138 /* NB: this returns true if _partially_ seeded */
 139 int FIPS_rand_seeded()
 140     { return key_set || n_seed; }
 141
 142 static void fips_gettime(unsigned char buf[8])
 143     {
 144 #ifdef OPENSSL_SYS_WIN32
 145     FILETIME ft;
 146 #else
 147     struct timeval tv;
 148 #endif
 149
 150     if(test_mode)
 151         {
 152         fprintf(stderr,"WARNING!!! PRNG IN TEST MODE!!!\n");
 153         memcpy(buf,test_faketime,sizeof test_faketime);
 154         return;
 155         }
 156 #ifdef OPENSSL_SYS_WIN32
 157     GetSystemTimeAsFileTime(&ft);
 158     buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
 159     buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
 160     buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
 161     buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
 162     buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
 163     buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
 164     buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
 165     buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
 166 #else
 167     gettimeofday(&tv,NULL);
 168     buf[0] = (unsigned char) (tv.tv_sec & 0xff);
 169     buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
 170     buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
 171     buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
 172     buf[4] = (unsigned char) (tv.tv_usec & 0xff);
 173     buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
 174     buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
 175     buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
 176 #endif
 177
 178 #if 0  /* This eminently sensible strategy is not acceptable to NIST. Sigh. */
 179 #ifndef GETPID_IS_MEANINGLESS
 180     /* we mix in the PID to ensure that after a fork the children don't give
 181      * the same results as each other
 182      */
 183     pid=getpid();
 184     /* make sure we shift the pid to the MSB */
 185     if((pid&0xffff0000) == 0)
 186         pid<<=16;
 187     *(long *)&buf[0]^=pid;
 188 #endif
 189 #endif
 190     }
 191
 192 static void fips_rand_encrypt(unsigned char *out,const unsigned char *in)
 193     {
 194     DES_ecb2_encrypt(in,out,&ks1,&ks2,1);
 195     }
 196
 197 static void fips_rand_cleanup(void)
 198     {
 199     OPENSSL_cleanse(seed,sizeof seed);
 200     n_seed=0;
 201     }
 202
 203 void FIPS_rand_seed(const void *buf_, FIPS_RAND_SIZE_T num)
 204     {
 205     const char *buf=buf_;
 206     FIPS_RAND_SIZE_T n;
 207     static int init;
 208
 209     /* If the key hasn't been set, we can't seed! */
 210     if(!key_set)
 211         return;
 212
 213     CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 214     if(!init)
 215         {
 216         init=1;
 217         DES_set_key(&key1,&ks1);
 218         DES_set_key(&key2,&ks2);
 219         }
 220
 221     /*
 222      * This algorithm only uses 64 bits of seed, so ensure that we use
 223      * the most recent 64 bits.
 224      */
 225     for(n=0 ; n < num ; )
 226         {
 227         FIPS_RAND_SIZE_T t=num-n;
 228
 229         if(o_seed+t > sizeof seed)
 230             t=sizeof seed-o_seed;
 231         memcpy(seed+o_seed,buf+n,t);
 232         n+=t;
 233         o_seed+=t;
 234         if(o_seed == sizeof seed)
 235             o_seed=0;
 236         if(n_seed < sizeof seed)
 237             n_seed+=t;
 238         }
 239
 240 #ifndef GETPID_IS_MEANINGLESS
 241     seed_pid=getpid();
 242 #endif
 243
 244     CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 245     }
 246
 247 static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy)
 248     {
 249     FIPS_rand_seed(buf,num);
 250     }
 251
 252 static int fips_rand_bytes(unsigned char *buf,FIPS_RAND_SIZE_T num)
 253     {
 254     FIPS_RAND_SIZE_T n;
 255     unsigned char timeseed[8];
 256     unsigned char intermediate[SEED_SIZE];
 257     unsigned char output[SEED_SIZE];
 258     static unsigned char previous[SEED_SIZE];
 259 #ifndef GETPID_IS_MEANINGLESS
 260     int pid;
 261 #endif
 262
 263     if(n_seed < sizeof seed)
 264         {
 265         RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
 266         return 0;
 267         }
 268
 269 #ifdef FIPS_RAND_MAX_SIZE_T
 270     if (num > FIPS_RAND_MAX_SIZE_T)
 271         {
 272 #ifdef RAND_R_PRNG_ASKING_FOR_TOO_MUCH
 273         RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_ASKING_FOR_TOO_MUCH);
 274         return 0;
 275 #else
 276         return -1; /* signal "not supported" condition */
 277 #endif
 278         }
 279 #endif
 280
 281 #ifndef GETPID_IS_MEANINGLESS
 282     pid=getpid();
 283     if(pid != seed_pid)
 284         {
 285         RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_RESEEDED);
 286         return 0;
 287         }
 288     if(pid != key_pid)
 289         {
 290         RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_REKEYED);
 291         return 0;
 292         }
 293 #endif
 294
 295     CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 296
 297     for(n=0 ; n < num ; )
 298         {
 299         unsigned char t[SEED_SIZE];
 300         FIPS_RAND_SIZE_T l;
 301
 302         /* ANS X9.31 A.2.4:     I = ede*K(DT)
 303                timeseed == DT
 304                intermediate == I
 305         */
 306         fips_gettime(timeseed);
 307         fips_rand_encrypt(intermediate,timeseed);
 308
 309         /* ANS X9.31 A.2.4:     R = ede*K(I^V)
 310                intermediate == I
 311                seed == V
 312                output == R
 313         */
 314         for(l=0 ; l < sizeof t ; ++l)
 315             t[l]=intermediate[l]^seed[l];
 316         fips_rand_encrypt(output,t);
 317
 318         /* ANS X9.31 A.2.4:     V = ede*K(R^I)
 319                output == R
 320                intermediate == I
 321                seed == V
 322         */
 323         for(l=0 ; l < sizeof t ; ++l)
 324             t[l]=output[l]^intermediate[l];
 325         fips_rand_encrypt(seed,t);
 326
 327         if(second && !memcmp(output,previous,sizeof previous))
 328             {
 329             RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_STUCK);
 330             CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 331             return 0;
 332             }
 333         memcpy(previous,output,sizeof previous);
 334         second=1;
 335
 336         /* Successive values of R may be concatenated to produce a
 337            pseudo random number of the desired length */
 338         l=SEED_SIZE < num-n ? SEED_SIZE : num-n;
 339         memcpy(buf+n,output,l);
 340         n+=l;
 341         }
 342
 343     CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 344
 345     return 1;
 346     }
 347
 348 static int fips_rand_status(void)
 349     {
 350     return n_seed == sizeof seed;
 351     }
 352
 353 #endif /* OPENSSL_FIPS */