1 /*
2  * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <string.h>
11 #include <openssl/rand.h>
12 #include <openssl/core_dispatch.h>
13 #include <openssl/e_os2.h>
14 #include <openssl/params.h>
15 #include <openssl/core_names.h>
16 #include <openssl/evp.h>
17 #include <openssl/err.h>
18 #include <openssl/randerr.h>
19 #include <openssl/proverr.h>
20 #include <openssl/self_test.h>
21 #include "prov/implementations.h"
22 #include "prov/provider_ctx.h"
23 #include "prov/providercommon.h"
24 #include "crypto/rand.h"
25 #include "crypto/rand_pool.h"
26 
27 #ifndef OPENSSL_NO_JITTER
28 # include <jitterentropy.h>
29 
30 # define JITTER_MAX_NUM_TRIES 3
31 
32 static OSSL_FUNC_rand_newctx_fn jitter_new;
33 static OSSL_FUNC_rand_freectx_fn jitter_free;
34 static OSSL_FUNC_rand_instantiate_fn jitter_instantiate;
35 static OSSL_FUNC_rand_uninstantiate_fn jitter_uninstantiate;
36 static OSSL_FUNC_rand_generate_fn jitter_generate;
37 static OSSL_FUNC_rand_reseed_fn jitter_reseed;
38 static OSSL_FUNC_rand_gettable_ctx_params_fn jitter_gettable_ctx_params;
39 static OSSL_FUNC_rand_get_ctx_params_fn jitter_get_ctx_params;
40 static OSSL_FUNC_rand_verify_zeroization_fn jitter_verify_zeroization;
41 static OSSL_FUNC_rand_enable_locking_fn jitter_enable_locking;
42 static OSSL_FUNC_rand_lock_fn jitter_lock;
43 static OSSL_FUNC_rand_unlock_fn jitter_unlock;
44 static OSSL_FUNC_rand_get_seed_fn jitter_get_seed;
45 static OSSL_FUNC_rand_clear_seed_fn jitter_clear_seed;
46 
47 typedef struct {
48     void *provctx;
49     int state;
50 } PROV_JITTER;
51 
52 static size_t get_jitter_random_value(PROV_JITTER *s, unsigned char *buf, size_t len);
53 
54 /*
55  * Acquire entropy from jitterentropy library
56  *
57  * Returns the total entropy count, if it exceeds the requested
58  * entropy count. Otherwise, returns an entropy count of 0.
59  */
ossl_prov_acquire_entropy_from_jitter(PROV_JITTER * s,RAND_POOL * pool)60 static size_t ossl_prov_acquire_entropy_from_jitter(PROV_JITTER *s,
61                                                     RAND_POOL *pool)
62 {
63     size_t bytes_needed;
64     unsigned char *buffer;
65 
66     bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /* entropy_factor */);
67     if (bytes_needed > 0) {
68         buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
69 
70         if (buffer != NULL) {
71             if (get_jitter_random_value(s, buffer, bytes_needed) == bytes_needed) {
72                 ossl_rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
73             } else {
74                 ossl_rand_pool_add_end(pool, 0, 0);
75             }
76         }
77     }
78 
79     return ossl_rand_pool_entropy_available(pool);
80 }
81 
82 /* Obtain random bytes from the jitter library */
get_jitter_random_value(PROV_JITTER * s,unsigned char * buf,size_t len)83 static size_t get_jitter_random_value(PROV_JITTER *s,
84                                       unsigned char *buf, size_t len)
85 {
86     struct rand_data *jitter_ec = NULL;
87     ssize_t result = 0;
88     size_t num_tries;
89 
90     /* Retry intermittent failures, then give up */
91     for (num_tries = 0; num_tries < JITTER_MAX_NUM_TRIES; num_tries++) {
92         /* Allocate a fresh collector */
93         jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS);
94         if (jitter_ec == NULL)
95             continue;
96 
97         /* Do not use _safe API as per typical security policies */
98         result = jent_read_entropy(jitter_ec, (char *) buf, len);
99         jent_entropy_collector_free(jitter_ec);
100 
101         /*
102          * Permanent Failure
103          * https://github.com/smuellerDD/jitterentropy-library/blob/master/doc/jitterentropy.3#L234
104          */
105         if (result < -5) {
106             ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
107             break;
108         }
109 
110         /* Success */
111         if (result >= 0 && (size_t)result == len)
112             return len;
113     }
114 
115     /* Permanent failure or too many intermittent failures */
116     s->state = EVP_RAND_STATE_ERROR;
117     ERR_raise_data(ERR_LIB_RAND, RAND_R_ERROR_RETRIEVING_ENTROPY,
118                    "jent_read_entropy (%d)", result);
119     return 0;
120 }
121 
jitter_new(void * provctx,void * parent,const OSSL_DISPATCH * parent_dispatch)122 static void *jitter_new(void *provctx, void *parent,
123                         const OSSL_DISPATCH *parent_dispatch)
124 {
125     PROV_JITTER *s;
126 
127     if (parent != NULL) {
128         ERR_raise(ERR_LIB_PROV, PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT);
129         return NULL;
130     }
131 
132     s = OPENSSL_zalloc(sizeof(*s));
133     if (s == NULL)
134         return NULL;
135 
136     s->provctx = provctx;
137     s->state = EVP_RAND_STATE_UNINITIALISED;
138     return s;
139 }
140 
jitter_free(void * vseed)141 static void jitter_free(void *vseed)
142 {
143     OPENSSL_free(vseed);
144 }
145 
jitter_instantiate(void * vseed,unsigned int strength,int prediction_resistance,const unsigned char * pstr,size_t pstr_len,ossl_unused const OSSL_PARAM params[])146 static int jitter_instantiate(void *vseed, unsigned int strength,
147                               int prediction_resistance,
148                               const unsigned char *pstr,
149                               size_t pstr_len,
150                               ossl_unused const OSSL_PARAM params[])
151 {
152     PROV_JITTER *s = (PROV_JITTER *)vseed;
153     int ret;
154 
155     if ((ret = jent_entropy_init_ex(0, JENT_FORCE_FIPS)) != 0) {
156         ERR_raise_data(ERR_LIB_RAND, RAND_R_ERROR_RETRIEVING_ENTROPY,
157                        "jent_entropy_init_ex (%d)", ret);
158         s->state = EVP_RAND_STATE_ERROR;
159         return 0;
160     }
161 
162     s->state = EVP_RAND_STATE_READY;
163     return 1;
164 }
165 
jitter_uninstantiate(void * vseed)166 static int jitter_uninstantiate(void *vseed)
167 {
168     PROV_JITTER *s = (PROV_JITTER *)vseed;
169 
170     s->state = EVP_RAND_STATE_UNINITIALISED;
171     return 1;
172 }
173 
jitter_generate(void * vseed,unsigned char * out,size_t outlen,unsigned int strength,ossl_unused int prediction_resistance,ossl_unused const unsigned char * adin,ossl_unused size_t adin_len)174 static int jitter_generate(void *vseed, unsigned char *out, size_t outlen,
175                            unsigned int strength,
176                            ossl_unused int prediction_resistance,
177                            ossl_unused const unsigned char *adin,
178                            ossl_unused size_t adin_len)
179 {
180     PROV_JITTER *s = (PROV_JITTER *)vseed;
181     size_t entropy_available;
182     RAND_POOL *pool;
183 
184     if (s->state != EVP_RAND_STATE_READY) {
185         ERR_raise(ERR_LIB_PROV,
186                   s->state == EVP_RAND_STATE_ERROR ? PROV_R_IN_ERROR_STATE
187                                                    : PROV_R_NOT_INSTANTIATED);
188         return 0;
189     }
190 
191     pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
192     if (pool == NULL) {
193         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
194         return 0;
195     }
196 
197     /* Get entropy from jitter entropy library. */
198     entropy_available = ossl_prov_acquire_entropy_from_jitter(s, pool);
199 
200     if (entropy_available > 0) {
201         if (!ossl_rand_pool_adin_mix_in(pool, adin, adin_len)) {
202             ossl_rand_pool_free(pool);
203             return 0;
204         }
205         memcpy(out, ossl_rand_pool_buffer(pool), ossl_rand_pool_length(pool));
206     }
207 
208     ossl_rand_pool_free(pool);
209     return entropy_available > 0;
210 }
211 
jitter_reseed(void * vseed,ossl_unused int prediction_resistance,ossl_unused const unsigned char * ent,ossl_unused size_t ent_len,ossl_unused const unsigned char * adin,ossl_unused size_t adin_len)212 static int jitter_reseed(void *vseed,
213                          ossl_unused int prediction_resistance,
214                          ossl_unused const unsigned char *ent,
215                          ossl_unused size_t ent_len,
216                          ossl_unused const unsigned char *adin,
217                          ossl_unused size_t adin_len)
218 {
219     PROV_JITTER *s = (PROV_JITTER *)vseed;
220 
221     if (s->state != EVP_RAND_STATE_READY) {
222         ERR_raise(ERR_LIB_PROV,
223                   s->state == EVP_RAND_STATE_ERROR ? PROV_R_IN_ERROR_STATE
224                                                    : PROV_R_NOT_INSTANTIATED);
225         return 0;
226     }
227     return 1;
228 }
229 
jitter_get_ctx_params(void * vseed,OSSL_PARAM params[])230 static int jitter_get_ctx_params(void *vseed, OSSL_PARAM params[])
231 {
232     PROV_JITTER *s = (PROV_JITTER *)vseed;
233     OSSL_PARAM *p;
234 
235     p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
236     if (p != NULL && !OSSL_PARAM_set_int(p, s->state))
237         return 0;
238 
239     p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
240     if (p != NULL && !OSSL_PARAM_set_int(p, 1024))
241         return 0;
242 
243     p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
244     if (p != NULL && !OSSL_PARAM_set_size_t(p, 128))
245         return 0;
246     return 1;
247 }
248 
jitter_gettable_ctx_params(ossl_unused void * vseed,ossl_unused void * provctx)249 static const OSSL_PARAM *jitter_gettable_ctx_params(ossl_unused void *vseed,
250                                                     ossl_unused void *provctx)
251 {
252     static const OSSL_PARAM known_gettable_ctx_params[] = {
253         OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL),
254         OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL),
255         OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),
256         OSSL_PARAM_END
257     };
258     return known_gettable_ctx_params;
259 }
260 
jitter_verify_zeroization(ossl_unused void * vseed)261 static int jitter_verify_zeroization(ossl_unused void *vseed)
262 {
263     return 1;
264 }
265 
jitter_get_seed(void * vseed,unsigned char ** pout,int entropy,size_t min_len,size_t max_len,int prediction_resistance,const unsigned char * adin,size_t adin_len)266 static size_t jitter_get_seed(void *vseed, unsigned char **pout,
267                               int entropy, size_t min_len,
268                               size_t max_len,
269                               int prediction_resistance,
270                               const unsigned char *adin,
271                               size_t adin_len)
272 {
273     size_t ret = 0;
274     size_t entropy_available = 0;
275     RAND_POOL *pool;
276     PROV_JITTER *s = (PROV_JITTER *)vseed;
277 
278     pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
279     if (pool == NULL) {
280         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
281         return 0;
282     }
283 
284     /* Get entropy from jitter entropy library. */
285     entropy_available = ossl_prov_acquire_entropy_from_jitter(s, pool);
286 
287     if (entropy_available > 0
288         && ossl_rand_pool_adin_mix_in(pool, adin, adin_len)) {
289         ret = ossl_rand_pool_length(pool);
290         *pout = ossl_rand_pool_detach(pool);
291     } else {
292         ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK);
293     }
294     ossl_rand_pool_free(pool);
295     return ret;
296 }
297 
jitter_clear_seed(ossl_unused void * vdrbg,unsigned char * out,size_t outlen)298 static void jitter_clear_seed(ossl_unused void *vdrbg,
299                               unsigned char *out, size_t outlen)
300 {
301     OPENSSL_secure_clear_free(out, outlen);
302 }
303 
jitter_enable_locking(ossl_unused void * vseed)304 static int jitter_enable_locking(ossl_unused void *vseed)
305 {
306     return 1;
307 }
308 
jitter_lock(ossl_unused void * vctx)309 int jitter_lock(ossl_unused void *vctx)
310 {
311     return 1;
312 }
313 
jitter_unlock(ossl_unused void * vctx)314 void jitter_unlock(ossl_unused void *vctx)
315 {
316 }
317 
318 const OSSL_DISPATCH ossl_jitter_functions[] = {
319     { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))jitter_new },
320     { OSSL_FUNC_RAND_FREECTX, (void(*)(void))jitter_free },
321     { OSSL_FUNC_RAND_INSTANTIATE,
322       (void(*)(void))jitter_instantiate },
323     { OSSL_FUNC_RAND_UNINSTANTIATE,
324       (void(*)(void))jitter_uninstantiate },
325     { OSSL_FUNC_RAND_GENERATE, (void(*)(void))jitter_generate },
326     { OSSL_FUNC_RAND_RESEED, (void(*)(void))jitter_reseed },
327     { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))jitter_enable_locking },
328     { OSSL_FUNC_RAND_LOCK, (void(*)(void))jitter_lock },
329     { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))jitter_unlock },
330     { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS,
331       (void(*)(void))jitter_gettable_ctx_params },
332     { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))jitter_get_ctx_params },
333     { OSSL_FUNC_RAND_VERIFY_ZEROIZATION,
334       (void(*)(void))jitter_verify_zeroization },
335     { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))jitter_get_seed },
336     { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))jitter_clear_seed },
337     OSSL_DISPATCH_END
338 };
339 #else
340 NON_EMPTY_TRANSLATION_UNIT
341 #endif
342