michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #ifdef FREEBL_NO_DEPEND michael@0: #include "stubs.h" michael@0: #endif michael@0: michael@0: #include "prerror.h" michael@0: #include "secerr.h" michael@0: michael@0: #include "prtypes.h" michael@0: #include "prinit.h" michael@0: #include "blapi.h" michael@0: #include "blapii.h" michael@0: #include "nssilock.h" michael@0: #include "secitem.h" michael@0: #include "sha_fast.h" michael@0: #include "sha256.h" michael@0: #include "secrng.h" /* for RNG_SystemRNG() */ michael@0: #include "secmpi.h" michael@0: michael@0: /* PRNG_SEEDLEN defined in NIST SP 800-90 section 10.1 michael@0: * for SHA-1, SHA-224, and SHA-256 it's 440 bits. michael@0: * for SHA-384 and SHA-512 it's 888 bits */ michael@0: #define PRNG_SEEDLEN (440/PR_BITS_PER_BYTE) michael@0: static const PRInt64 PRNG_MAX_ADDITIONAL_BYTES = LL_INIT(0x1, 0x0); michael@0: /* 2^35 bits or 2^32 bytes */ michael@0: #define PRNG_MAX_REQUEST_SIZE 0x10000 /* 2^19 bits or 2^16 bytes */ michael@0: #define PRNG_ADDITONAL_DATA_CACHE_SIZE (8*1024) /* must be less than michael@0: * PRNG_MAX_ADDITIONAL_BYTES michael@0: */ michael@0: michael@0: /* RESEED_COUNT is how many calls to the prng before we need to reseed michael@0: * under normal NIST rules, you must return an error. In the NSS case, we michael@0: * self-reseed with RNG_SystemRNG(). Count can be a large number. For code michael@0: * simplicity, we specify count with 2 components: RESEED_BYTE (which is michael@0: * the same as LOG256(RESEED_COUNT)) and RESEED_VALUE (which is the same as michael@0: * RESEED_COUNT / (256 ^ RESEED_BYTE)). Another way to look at this is michael@0: * RESEED_COUNT = RESEED_VALUE * (256 ^ RESEED_BYTE). For Hash based DRBG michael@0: * we use the maximum count value, 2^48, or RESEED_BYTE=6 and RESEED_VALUE=1 michael@0: */ michael@0: #define RESEED_BYTE 6 michael@0: #define RESEED_VALUE 1 michael@0: michael@0: #define PRNG_RESET_RESEED_COUNT(rng) \ michael@0: PORT_Memset((rng)->reseed_counter, 0, sizeof (rng)->reseed_counter); \ michael@0: (rng)->reseed_counter[RESEED_BYTE] = 1; michael@0: michael@0: michael@0: /* michael@0: * The actual values of this enum are specified in SP 800-90, 10.1.1.* michael@0: * The spec does not name the types, it only uses bare values michael@0: */ michael@0: typedef enum { michael@0: prngCGenerateType = 0, /* used when creating a new 'C' */ michael@0: prngReseedType = 1, /* used in reseeding */ michael@0: prngAdditionalDataType = 2, /* used in mixing additional data */ michael@0: prngGenerateByteType = 3 /* used when mixing internal state while michael@0: * generating bytes */ michael@0: } prngVTypes; michael@0: michael@0: /* michael@0: * Global RNG context michael@0: */ michael@0: struct RNGContextStr { michael@0: PZLock *lock; /* Lock to serialize access to global rng */ michael@0: /* michael@0: * NOTE, a number of steps in the drbg algorithm need to hash michael@0: * V_type || V. The code, therefore, depends on the V array following michael@0: * immediately after V_type to avoid extra copies. To accomplish this michael@0: * in a way that compiliers can't perturb, we declare V_type and V michael@0: * as a V_Data array and reference them by macros */ michael@0: PRUint8 V_Data[PRNG_SEEDLEN+1]; /* internal state variables */ michael@0: #define V_type V_Data[0] michael@0: #define V(rng) (((rng)->V_Data)+1) michael@0: #define VSize(rng) ((sizeof (rng)->V_Data) -1) michael@0: PRUint8 C[PRNG_SEEDLEN]; /* internal state variables */ michael@0: PRUint8 oldV[PRNG_SEEDLEN]; /* for continuous rng checking */ michael@0: /* If we get calls for the PRNG to return less than the length of our michael@0: * hash, we extend the request for a full hash (since we'll be doing michael@0: * the full hash anyway). Future requests for random numbers are fulfilled michael@0: * from the remainder of the bytes we generated. Requests for bytes longer michael@0: * than the hash size are fulfilled directly from the HashGen function michael@0: * of the random number generator. */ michael@0: PRUint8 reseed_counter[RESEED_BYTE+1]; /* number of requests since the michael@0: * last reseed. Need only be michael@0: * big enough to hold the whole michael@0: * reseed count */ michael@0: PRUint8 data[SHA256_LENGTH]; /* when we request less than a block michael@0: * save the rest of the rng output for michael@0: * another partial block */ michael@0: PRUint8 dataAvail; /* # bytes of output available in our cache, michael@0: * [0...SHA256_LENGTH] */ michael@0: /* store additional data that has been shovelled off to us by michael@0: * RNG_RandomUpdate. */ michael@0: PRUint8 additionalDataCache[PRNG_ADDITONAL_DATA_CACHE_SIZE]; michael@0: PRUint32 additionalAvail; michael@0: PRBool isValid; /* false if RNG reaches an invalid state */ michael@0: }; michael@0: michael@0: typedef struct RNGContextStr RNGContext; michael@0: static RNGContext *globalrng = NULL; michael@0: static RNGContext theGlobalRng; michael@0: michael@0: michael@0: /* michael@0: * The next several functions are derived from the NIST SP 800-90 michael@0: * spec. In these functions, an attempt was made to use names consistent michael@0: * with the names in the spec, even if they differ from normal NSS usage. michael@0: */ michael@0: michael@0: /* michael@0: * Hash Derive function defined in NISP SP 800-90 Section 10.4.1. michael@0: * This function is used in the Instantiate and Reseed functions. michael@0: * michael@0: * NOTE: requested_bytes cannot overlap with input_string_1 or input_string_2. michael@0: * input_string_1 and input_string_2 are logically concatentated. michael@0: * input_string_1 must be supplied. michael@0: * if input_string_2 is not supplied, NULL should be passed for this parameter. michael@0: */ michael@0: static SECStatus michael@0: prng_Hash_df(PRUint8 *requested_bytes, unsigned int no_of_bytes_to_return, michael@0: const PRUint8 *input_string_1, unsigned int input_string_1_len, michael@0: const PRUint8 *input_string_2, unsigned int input_string_2_len) michael@0: { michael@0: SHA256Context ctx; michael@0: PRUint32 tmp; michael@0: PRUint8 counter; michael@0: michael@0: tmp=SHA_HTONL(no_of_bytes_to_return*8); michael@0: michael@0: for (counter = 1 ; no_of_bytes_to_return > 0; counter++) { michael@0: unsigned int hash_return_len; michael@0: SHA256_Begin(&ctx); michael@0: SHA256_Update(&ctx, &counter, 1); michael@0: SHA256_Update(&ctx, (unsigned char *)&tmp, sizeof tmp); michael@0: SHA256_Update(&ctx, input_string_1, input_string_1_len); michael@0: if (input_string_2) { michael@0: SHA256_Update(&ctx, input_string_2, input_string_2_len); michael@0: } michael@0: SHA256_End(&ctx, requested_bytes, &hash_return_len, michael@0: no_of_bytes_to_return); michael@0: requested_bytes += hash_return_len; michael@0: no_of_bytes_to_return -= hash_return_len; michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: michael@0: /* michael@0: * Hash_DRBG Instantiate NIST SP 800-80 10.1.1.2 michael@0: * michael@0: * NOTE: bytes & len are entropy || nonce || personalization_string. In michael@0: * normal operation, NSS calculates them all together in a single call. michael@0: */ michael@0: static SECStatus michael@0: prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len) michael@0: { michael@0: if (len < PRNG_SEEDLEN) { michael@0: /* if the seedlen is to small, it's probably because we failed to get michael@0: * enough random data */ michael@0: PORT_SetError(SEC_ERROR_NEED_RANDOM); michael@0: return SECFailure; michael@0: } michael@0: prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0); michael@0: rng->V_type = prngCGenerateType; michael@0: prng_Hash_df(rng->C,sizeof rng->C,rng->V_Data,sizeof rng->V_Data,NULL,0); michael@0: PRNG_RESET_RESEED_COUNT(rng) michael@0: return SECSuccess; michael@0: } michael@0: michael@0: michael@0: /* michael@0: * Update the global random number generator with more seeding michael@0: * material. Use the Hash_DRBG reseed algorithm from NIST SP-800-90 michael@0: * section 10.1.1.3 michael@0: * michael@0: * If entropy is NULL, it is fetched from the noise generator. michael@0: */ michael@0: static SECStatus michael@0: prng_reseed(RNGContext *rng, const PRUint8 *entropy, unsigned int entropy_len, michael@0: const PRUint8 *additional_input, unsigned int additional_input_len) michael@0: { michael@0: PRUint8 noiseData[(sizeof rng->V_Data)+PRNG_SEEDLEN]; michael@0: PRUint8 *noise = &noiseData[0]; michael@0: michael@0: /* if entropy wasn't supplied, fetch it. (normal operation case) */ michael@0: if (entropy == NULL) { michael@0: entropy_len = (unsigned int) RNG_SystemRNG( michael@0: &noiseData[sizeof rng->V_Data], PRNG_SEEDLEN); michael@0: } else { michael@0: /* NOTE: this code is only available for testing, not to applications */ michael@0: /* if entropy was too big for the stack variable, get it from malloc */ michael@0: if (entropy_len > PRNG_SEEDLEN) { michael@0: noise = PORT_Alloc(entropy_len + (sizeof rng->V_Data)); michael@0: if (noise == NULL) { michael@0: return SECFailure; michael@0: } michael@0: } michael@0: PORT_Memcpy(&noise[sizeof rng->V_Data],entropy, entropy_len); michael@0: } michael@0: michael@0: if (entropy_len < 256/PR_BITS_PER_BYTE) { michael@0: /* noise == &noiseData[0] at this point, so nothing to free */ michael@0: PORT_SetError(SEC_ERROR_NEED_RANDOM); michael@0: return SECFailure; michael@0: } michael@0: michael@0: rng->V_type = prngReseedType; michael@0: PORT_Memcpy(noise, rng->V_Data, sizeof rng->V_Data); michael@0: prng_Hash_df(V(rng), VSize(rng), noise, (sizeof rng->V_Data) + entropy_len, michael@0: additional_input, additional_input_len); michael@0: /* clear potential CSP */ michael@0: PORT_Memset(noise, 0, (sizeof rng->V_Data) + entropy_len); michael@0: rng->V_type = prngCGenerateType; michael@0: prng_Hash_df(rng->C,sizeof rng->C,rng->V_Data,sizeof rng->V_Data,NULL,0); michael@0: PRNG_RESET_RESEED_COUNT(rng) michael@0: michael@0: if (noise != &noiseData[0]) { michael@0: PORT_Free(noise); michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* michael@0: * SP 800-90 requires we rerun our health tests on reseed michael@0: */ michael@0: static SECStatus michael@0: prng_reseed_test(RNGContext *rng, const PRUint8 *entropy, michael@0: unsigned int entropy_len, const PRUint8 *additional_input, michael@0: unsigned int additional_input_len) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: /* do health checks in FIPS mode */ michael@0: rv = PRNGTEST_RunHealthTests(); michael@0: if (rv != SECSuccess) { michael@0: /* error set by PRNGTEST_RunHealTests() */ michael@0: rng->isValid = PR_FALSE; michael@0: return SECFailure; michael@0: } michael@0: return prng_reseed(rng, entropy, entropy_len, michael@0: additional_input, additional_input_len); michael@0: } michael@0: michael@0: /* michael@0: * build some fast inline functions for adding. michael@0: */ michael@0: #define PRNG_ADD_CARRY_ONLY(dest, start, cy) \ michael@0: carry = cy; \ michael@0: for (k1=start; carry && k1 >=0 ; k1--) { \ michael@0: carry = !(++dest[k1]); \ michael@0: } michael@0: michael@0: /* michael@0: * NOTE: dest must be an array for the following to work. michael@0: */ michael@0: #define PRNG_ADD_BITS(dest, dest_len, add, len) \ michael@0: carry = 0; \ michael@0: for (k1=dest_len -1, k2=len-1; k2 >= 0; --k1, --k2) { \ michael@0: carry += dest[k1]+ add[k2]; \ michael@0: dest[k1] = (PRUint8) carry; \ michael@0: carry >>= 8; \ michael@0: } michael@0: michael@0: #define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len) \ michael@0: PRNG_ADD_BITS(dest, dest_len, add, len) \ michael@0: PRNG_ADD_CARRY_ONLY(dest, k1, carry) michael@0: michael@0: /* michael@0: * This function expands the internal state of the prng to fulfill any number michael@0: * of bytes we need for this request. We only use this call if we need more michael@0: * than can be supplied by a single call to SHA256_HashBuf. michael@0: * michael@0: * This function is specified in NIST SP 800-90 section 10.1.1.4, Hashgen michael@0: */ michael@0: static void michael@0: prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes, michael@0: unsigned int no_of_returned_bytes) michael@0: { michael@0: PRUint8 data[VSize(rng)]; michael@0: michael@0: PORT_Memcpy(data, V(rng), VSize(rng)); michael@0: while (no_of_returned_bytes) { michael@0: SHA256Context ctx; michael@0: unsigned int len; michael@0: unsigned int carry; michael@0: int k1; michael@0: michael@0: SHA256_Begin(&ctx); michael@0: SHA256_Update(&ctx, data, sizeof data); michael@0: SHA256_End(&ctx, returned_bytes, &len, no_of_returned_bytes); michael@0: returned_bytes += len; michael@0: no_of_returned_bytes -= len; michael@0: /* The carry parameter is a bool (increment or not). michael@0: * This increments data if no_of_returned_bytes is not zero */ michael@0: PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, no_of_returned_bytes); michael@0: } michael@0: PORT_Memset(data, 0, sizeof data); michael@0: } michael@0: michael@0: /* michael@0: * Generates new random bytes and advances the internal prng state. michael@0: * additional bytes are only used in algorithm testing. michael@0: * michael@0: * This function is specified in NIST SP 800-90 section 10.1.1.4 michael@0: */ michael@0: static SECStatus michael@0: prng_generateNewBytes(RNGContext *rng, michael@0: PRUint8 *returned_bytes, unsigned int no_of_returned_bytes, michael@0: const PRUint8 *additional_input, michael@0: unsigned int additional_input_len) michael@0: { michael@0: PRUint8 H[SHA256_LENGTH]; /* both H and w since they michael@0: * aren't used concurrently */ michael@0: unsigned int carry; michael@0: int k1, k2; michael@0: michael@0: if (!rng->isValid) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: /* This code only triggers during tests, normal michael@0: * prng operation does not use additional_input */ michael@0: if (additional_input){ michael@0: SHA256Context ctx; michael@0: /* NIST SP 800-90 defines two temporaries in their calculations, michael@0: * w and H. These temporaries are the same lengths, and used michael@0: * at different times, so we use the following macro to collapse michael@0: * them to the same variable, but keeping their unique names for michael@0: * easy comparison to the spec */ michael@0: #define w H michael@0: rng->V_type = prngAdditionalDataType; michael@0: SHA256_Begin(&ctx); michael@0: SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data); michael@0: SHA256_Update(&ctx, additional_input, additional_input_len); michael@0: SHA256_End(&ctx, w, NULL, sizeof w); michael@0: PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w) michael@0: PORT_Memset(w, 0, sizeof w); michael@0: #undef w michael@0: } michael@0: michael@0: if (no_of_returned_bytes == SHA256_LENGTH) { michael@0: /* short_cut to hashbuf and save a copy and a clear */ michael@0: SHA256_HashBuf(returned_bytes, V(rng), VSize(rng) ); michael@0: } else { michael@0: prng_Hashgen(rng, returned_bytes, no_of_returned_bytes); michael@0: } michael@0: /* advance our internal state... */ michael@0: rng->V_type = prngGenerateByteType; michael@0: SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data); michael@0: PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H) michael@0: PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C); michael@0: PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, michael@0: sizeof rng->reseed_counter) michael@0: PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, 1); michael@0: michael@0: /* continuous rng check */ michael@0: if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) { michael@0: rng->isValid = PR_FALSE; michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: PORT_Memcpy(rng->oldV, V(rng), sizeof rng->oldV); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* Use NSPR to prevent RNG_RNGInit from being called from separate michael@0: * threads, creating a race condition. michael@0: */ michael@0: static const PRCallOnceType pristineCallOnce; michael@0: static PRCallOnceType coRNGInit; michael@0: static PRStatus rng_init(void) michael@0: { michael@0: PRUint8 bytes[PRNG_SEEDLEN*2]; /* entropy + nonce */ michael@0: unsigned int numBytes; michael@0: SECStatus rv = SECSuccess; michael@0: michael@0: if (globalrng == NULL) { michael@0: /* bytes needs to have enough space to hold michael@0: * a SHA256 hash value. Blow up at compile time if this isn't true */ michael@0: PR_STATIC_ASSERT(sizeof(bytes) >= SHA256_LENGTH); michael@0: /* create a new global RNG context */ michael@0: globalrng = &theGlobalRng; michael@0: PORT_Assert(NULL == globalrng->lock); michael@0: /* create a lock for it */ michael@0: globalrng->lock = PZ_NewLock(nssILockOther); michael@0: if (globalrng->lock == NULL) { michael@0: globalrng = NULL; michael@0: PORT_SetError(PR_OUT_OF_MEMORY_ERROR); michael@0: return PR_FAILURE; michael@0: } michael@0: michael@0: /* Try to get some seed data for the RNG */ michael@0: numBytes = (unsigned int) RNG_SystemRNG(bytes, sizeof bytes); michael@0: PORT_Assert(numBytes == 0 || numBytes == sizeof bytes); michael@0: if (numBytes != 0) { michael@0: /* if this is our first call, instantiate, otherwise reseed michael@0: * prng_instantiate gets a new clean state, we want to mix michael@0: * any previous entropy we may have collected */ michael@0: if (V(globalrng)[0] == 0) { michael@0: rv = prng_instantiate(globalrng, bytes, numBytes); michael@0: } else { michael@0: rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0); michael@0: } michael@0: memset(bytes, 0, numBytes); michael@0: } else { michael@0: PZ_DestroyLock(globalrng->lock); michael@0: globalrng->lock = NULL; michael@0: globalrng = NULL; michael@0: return PR_FAILURE; michael@0: } michael@0: michael@0: if (rv != SECSuccess) { michael@0: return PR_FAILURE; michael@0: } michael@0: /* the RNG is in a valid state */ michael@0: globalrng->isValid = PR_TRUE; michael@0: michael@0: /* fetch one random value so that we can populate rng->oldV for our michael@0: * continous random number test. */ michael@0: prng_generateNewBytes(globalrng, bytes, SHA256_LENGTH, NULL, 0); michael@0: michael@0: /* Fetch more entropy into the PRNG */ michael@0: RNG_SystemInfoForRNG(); michael@0: } michael@0: return PR_SUCCESS; michael@0: } michael@0: michael@0: /* michael@0: * Clean up the global RNG context michael@0: */ michael@0: static void michael@0: prng_freeRNGContext(RNGContext *rng) michael@0: { michael@0: PRUint8 inputhash[VSize(rng) + (sizeof rng->C)]; michael@0: michael@0: /* destroy context lock */ michael@0: SKIP_AFTER_FORK(PZ_DestroyLock(globalrng->lock)); michael@0: michael@0: /* zero global RNG context except for C & V to preserve entropy */ michael@0: prng_Hash_df(inputhash, sizeof rng->C, rng->C, sizeof rng->C, NULL, 0); michael@0: prng_Hash_df(&inputhash[sizeof rng->C], VSize(rng), V(rng), VSize(rng), michael@0: NULL, 0); michael@0: memset(rng, 0, sizeof *rng); michael@0: memcpy(rng->C, inputhash, sizeof rng->C); michael@0: memcpy(V(rng), &inputhash[sizeof rng->C], VSize(rng)); michael@0: michael@0: memset(inputhash, 0, sizeof inputhash); michael@0: } michael@0: michael@0: /* michael@0: * Public functions michael@0: */ michael@0: michael@0: /* michael@0: * Initialize the global RNG context and give it some seed input taken michael@0: * from the system. This function is thread-safe and will only allow michael@0: * the global context to be initialized once. The seed input is likely michael@0: * small, so it is imperative that RNG_RandomUpdate() be called with michael@0: * additional seed data before the generator is used. A good way to michael@0: * provide the generator with additional entropy is to call michael@0: * RNG_SystemInfoForRNG(). Note that C_Initialize() does exactly that. michael@0: */ michael@0: SECStatus michael@0: RNG_RNGInit(void) michael@0: { michael@0: /* Allow only one call to initialize the context */ michael@0: PR_CallOnce(&coRNGInit, rng_init); michael@0: /* Make sure there is a context */ michael@0: return (globalrng != NULL) ? SECSuccess : SECFailure; michael@0: } michael@0: michael@0: /* michael@0: ** Update the global random number generator with more seeding michael@0: ** material. michael@0: */ michael@0: SECStatus michael@0: RNG_RandomUpdate(const void *data, size_t bytes) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: /* Make sure our assumption that size_t is unsigned is true */ michael@0: PR_STATIC_ASSERT(((size_t)-1) > (size_t)1); michael@0: michael@0: #if defined(NS_PTR_GT_32) || (defined(NSS_USE_64) && !defined(NS_PTR_LE_32)) michael@0: /* michael@0: * NIST 800-90 requires us to verify our inputs. This value can michael@0: * come from the application, so we need to make sure it's within the michael@0: * spec. The spec says it must be less than 2^32 bytes (2^35 bits). michael@0: * This can only happen if size_t is greater than 32 bits (i.e. on michael@0: * most 64 bit platforms). The 90% case (perhaps 100% case), size_t michael@0: * is less than or equal to 32 bits if the platform is not 64 bits, and michael@0: * greater than 32 bits if it is a 64 bit platform. The corner michael@0: * cases are handled with explicit defines NS_PTR_GT_32 and NS_PTR_LE_32. michael@0: * michael@0: * In general, neither NS_PTR_GT_32 nor NS_PTR_LE_32 will need to be michael@0: * defined. If you trip over the next two size ASSERTS at compile time, michael@0: * you will need to define them for your platform. michael@0: * michael@0: * if 'sizeof(size_t) > 4' is triggered it means that we were expecting michael@0: * sizeof(size_t) to be greater than 4, but it wasn't. Setting michael@0: * NS_PTR_LE_32 will correct that mistake. michael@0: * michael@0: * if 'sizeof(size_t) <= 4' is triggered, it means that we were expecting michael@0: * sizeof(size_t) to be less than or equal to 4, but it wasn't. Setting michael@0: * NS_PTR_GT_32 will correct that mistake. michael@0: */ michael@0: michael@0: PR_STATIC_ASSERT(sizeof(size_t) > 4); michael@0: michael@0: if (bytes > PRNG_MAX_ADDITIONAL_BYTES) { michael@0: bytes = PRNG_MAX_ADDITIONAL_BYTES; michael@0: } michael@0: #else michael@0: PR_STATIC_ASSERT(sizeof(size_t) <= 4); michael@0: #endif michael@0: michael@0: PZ_Lock(globalrng->lock); michael@0: /* if we're passed more than our additionalDataCache, simply michael@0: * call reseed with that data */ michael@0: if (bytes > sizeof (globalrng->additionalDataCache)) { michael@0: rv = prng_reseed_test(globalrng, NULL, 0, data, (unsigned int) bytes); michael@0: /* if we aren't going to fill or overflow the buffer, just cache it */ michael@0: } else if (bytes < ((sizeof globalrng->additionalDataCache) michael@0: - globalrng->additionalAvail)) { michael@0: PORT_Memcpy(globalrng->additionalDataCache+globalrng->additionalAvail, michael@0: data, bytes); michael@0: globalrng->additionalAvail += (PRUint32) bytes; michael@0: rv = SECSuccess; michael@0: } else { michael@0: /* we are going to fill or overflow the buffer. In this case we will michael@0: * fill the entropy buffer, reseed with it, start a new buffer with the michael@0: * remainder. We know the remainder will fit in the buffer because michael@0: * we already handled the case where bytes > the size of the buffer. michael@0: */ michael@0: size_t bufRemain = (sizeof globalrng->additionalDataCache) michael@0: - globalrng->additionalAvail; michael@0: /* fill the rest of the buffer */ michael@0: if (bufRemain) { michael@0: PORT_Memcpy(globalrng->additionalDataCache michael@0: +globalrng->additionalAvail, michael@0: data, bufRemain); michael@0: data = ((unsigned char *)data) + bufRemain; michael@0: bytes -= bufRemain; michael@0: } michael@0: /* reseed from buffer */ michael@0: rv = prng_reseed_test(globalrng, NULL, 0, michael@0: globalrng->additionalDataCache, michael@0: sizeof globalrng->additionalDataCache); michael@0: michael@0: /* copy the rest into the cache */ michael@0: PORT_Memcpy(globalrng->additionalDataCache, data, bytes); michael@0: globalrng->additionalAvail = (PRUint32) bytes; michael@0: } michael@0: michael@0: PZ_Unlock(globalrng->lock); michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: ** Generate some random bytes, using the global random number generator michael@0: ** object. michael@0: */ michael@0: static SECStatus michael@0: prng_GenerateGlobalRandomBytes(RNGContext *rng, michael@0: void *dest, size_t len) michael@0: { michael@0: SECStatus rv = SECSuccess; michael@0: PRUint8 *output = dest; michael@0: /* check for a valid global RNG context */ michael@0: PORT_Assert(rng != NULL); michael@0: if (rng == NULL) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: /* FIPS limits the amount of entropy available in a single request */ michael@0: if (len > PRNG_MAX_REQUEST_SIZE) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: /* --- LOCKED --- */ michael@0: PZ_Lock(rng->lock); michael@0: /* Check the amount of seed data in the generator. If not enough, michael@0: * don't produce any data. michael@0: */ michael@0: if (rng->reseed_counter[0] >= RESEED_VALUE) { michael@0: rv = prng_reseed_test(rng, NULL, 0, NULL, 0); michael@0: PZ_Unlock(rng->lock); michael@0: if (rv != SECSuccess) { michael@0: return rv; michael@0: } michael@0: RNG_SystemInfoForRNG(); michael@0: PZ_Lock(rng->lock); michael@0: } michael@0: /* michael@0: * see if we have enough bytes to fulfill the request. michael@0: */ michael@0: if (len <= rng->dataAvail) { michael@0: memcpy(output, rng->data + ((sizeof rng->data) - rng->dataAvail), len); michael@0: memset(rng->data + ((sizeof rng->data) - rng->dataAvail), 0, len); michael@0: rng->dataAvail -= len; michael@0: rv = SECSuccess; michael@0: /* if we are asking for a small number of bytes, cache the rest of michael@0: * the bytes */ michael@0: } else if (len < sizeof rng->data) { michael@0: rv = prng_generateNewBytes(rng, rng->data, sizeof rng->data, michael@0: rng->additionalAvail ? rng->additionalDataCache : NULL, michael@0: rng->additionalAvail); michael@0: rng->additionalAvail = 0; michael@0: if (rv == SECSuccess) { michael@0: memcpy(output, rng->data, len); michael@0: memset(rng->data, 0, len); michael@0: rng->dataAvail = (sizeof rng->data) - len; michael@0: } michael@0: /* we are asking for lots of bytes, just ask the generator to pass them */ michael@0: } else { michael@0: rv = prng_generateNewBytes(rng, output, len, michael@0: rng->additionalAvail ? rng->additionalDataCache : NULL, michael@0: rng->additionalAvail); michael@0: rng->additionalAvail = 0; michael@0: } michael@0: PZ_Unlock(rng->lock); michael@0: /* --- UNLOCKED --- */ michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: ** Generate some random bytes, using the global random number generator michael@0: ** object. michael@0: */ michael@0: SECStatus michael@0: RNG_GenerateGlobalRandomBytes(void *dest, size_t len) michael@0: { michael@0: return prng_GenerateGlobalRandomBytes(globalrng, dest, len); michael@0: } michael@0: michael@0: void michael@0: RNG_RNGShutdown(void) michael@0: { michael@0: /* check for a valid global RNG context */ michael@0: PORT_Assert(globalrng != NULL); michael@0: if (globalrng == NULL) { michael@0: /* Should set a "not initialized" error code. */ michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: return; michael@0: } michael@0: /* clear */ michael@0: prng_freeRNGContext(globalrng); michael@0: globalrng = NULL; michael@0: /* reset the callonce struct to allow a new call to RNG_RNGInit() */ michael@0: coRNGInit = pristineCallOnce; michael@0: } michael@0: michael@0: /* michael@0: * Test case interface. used by fips testing and power on self test michael@0: */ michael@0: /* make sure the test context is separate from the global context, This michael@0: * allows us to test the internal random number generator without losing michael@0: * entropy we may have previously collected. */ michael@0: RNGContext testContext; michael@0: michael@0: /* michael@0: * Test vector API. Use NIST SP 800-90 general interface so one of the michael@0: * other NIST SP 800-90 algorithms may be used in the future. michael@0: */ michael@0: SECStatus michael@0: PRNGTEST_Instantiate(const PRUint8 *entropy, unsigned int entropy_len, michael@0: const PRUint8 *nonce, unsigned int nonce_len, michael@0: const PRUint8 *personal_string, unsigned int ps_len) michael@0: { michael@0: int bytes_len = entropy_len + nonce_len + ps_len; michael@0: PRUint8 *bytes = NULL; michael@0: SECStatus rv; michael@0: michael@0: if (entropy_len < 256/PR_BITS_PER_BYTE) { michael@0: PORT_SetError(SEC_ERROR_NEED_RANDOM); michael@0: return SECFailure; michael@0: } michael@0: michael@0: bytes = PORT_Alloc(bytes_len); michael@0: if (bytes == NULL) { michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: return SECFailure; michael@0: } michael@0: /* concatenate the various inputs, internally NSS only instantiates with michael@0: * a single long string */ michael@0: PORT_Memcpy(bytes, entropy, entropy_len); michael@0: if (nonce) { michael@0: PORT_Memcpy(&bytes[entropy_len], nonce, nonce_len); michael@0: } else { michael@0: PORT_Assert(nonce_len == 0); michael@0: } michael@0: if (personal_string) { michael@0: PORT_Memcpy(&bytes[entropy_len+nonce_len], personal_string, ps_len); michael@0: } else { michael@0: PORT_Assert(ps_len == 0); michael@0: } michael@0: rv = prng_instantiate(&testContext, bytes, bytes_len); michael@0: PORT_ZFree(bytes, bytes_len); michael@0: if (rv == SECFailure) { michael@0: return SECFailure; michael@0: } michael@0: testContext.isValid = PR_TRUE; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len, michael@0: const PRUint8 *additional, unsigned int additional_len) michael@0: { michael@0: if (!testContext.isValid) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: /* This magic input tells us to set the reseed count to it's max count, michael@0: * so we can simulate PRNGTEST_Generate reaching max reseed count */ michael@0: if ((entropy == NULL) && (entropy_len == 0) && michael@0: (additional == NULL) && (additional_len == 0)) { michael@0: testContext.reseed_counter[0] = RESEED_VALUE; michael@0: return SECSuccess; michael@0: } michael@0: return prng_reseed(&testContext, entropy, entropy_len, additional, michael@0: additional_len); michael@0: michael@0: } michael@0: michael@0: SECStatus michael@0: PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, michael@0: const PRUint8 *additional, unsigned int additional_len) michael@0: { michael@0: SECStatus rv; michael@0: if (!testContext.isValid) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: /* replicate reseed test from prng_GenerateGlobalRandomBytes */ michael@0: if (testContext.reseed_counter[0] >= RESEED_VALUE) { michael@0: rv = prng_reseed(&testContext, NULL, 0, NULL, 0); michael@0: if (rv != SECSuccess) { michael@0: return rv; michael@0: } michael@0: } michael@0: return prng_generateNewBytes(&testContext, bytes, bytes_len, michael@0: additional, additional_len); michael@0: michael@0: } michael@0: michael@0: SECStatus michael@0: PRNGTEST_Uninstantiate() michael@0: { michael@0: if (!testContext.isValid) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: PORT_Memset(&testContext, 0, sizeof testContext); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: PRNGTEST_RunHealthTests() michael@0: { michael@0: static const PRUint8 entropy[] = { michael@0: 0x8e,0x9c,0x0d,0x25,0x75,0x22,0x04,0xf9, michael@0: 0xc5,0x79,0x10,0x8b,0x23,0x79,0x37,0x14, michael@0: 0x9f,0x2c,0xc7,0x0b,0x39,0xf8,0xee,0xef, michael@0: 0x95,0x0c,0x97,0x59,0xfc,0x0a,0x85,0x41, michael@0: 0x76,0x9d,0x6d,0x67,0x00,0x4e,0x19,0x12, michael@0: 0x02,0x16,0x53,0xea,0xf2,0x73,0xd7,0xd6, michael@0: 0x7f,0x7e,0xc8,0xae,0x9c,0x09,0x99,0x7d, michael@0: 0xbb,0x9e,0x48,0x7f,0xbb,0x96,0x46,0xb3, michael@0: 0x03,0x75,0xf8,0xc8,0x69,0x45,0x3f,0x97, michael@0: 0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c }; michael@0: static const PRUint8 rng_known_result[] = { michael@0: 0x16,0xe1,0x8c,0x57,0x21,0xd8,0xf1,0x7e, michael@0: 0x5a,0xa0,0x16,0x0b,0x7e,0xa6,0x25,0xb4, michael@0: 0x24,0x19,0xdb,0x54,0xfa,0x35,0x13,0x66, michael@0: 0xbb,0xaa,0x2a,0x1b,0x22,0x33,0x2e,0x4a, michael@0: 0x14,0x07,0x9d,0x52,0xfc,0x73,0x61,0x48, michael@0: 0xac,0xc1,0x22,0xfc,0xa4,0xfc,0xac,0xa4, michael@0: 0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3 }; michael@0: static const PRUint8 reseed_entropy[] = { michael@0: 0xc6,0x0b,0x0a,0x30,0x67,0x07,0xf4,0xe2, michael@0: 0x24,0xa7,0x51,0x6f,0x5f,0x85,0x3e,0x5d, michael@0: 0x67,0x97,0xb8,0x3b,0x30,0x9c,0x7a,0xb1, michael@0: 0x52,0xc6,0x1b,0xc9,0x46,0xa8,0x62,0x79 }; michael@0: static const PRUint8 additional_input[] = { michael@0: 0x86,0x82,0x28,0x98,0xe7,0xcb,0x01,0x14, michael@0: 0xae,0x87,0x4b,0x1d,0x99,0x1b,0xc7,0x41, michael@0: 0x33,0xff,0x33,0x66,0x40,0x95,0x54,0xc6, michael@0: 0x67,0x4d,0x40,0x2a,0x1f,0xf9,0xeb,0x65 }; michael@0: static const PRUint8 rng_reseed_result[] = { michael@0: 0x02,0x0c,0xc6,0x17,0x86,0x49,0xba,0xc4, michael@0: 0x7b,0x71,0x35,0x05,0xf0,0xdb,0x4a,0xc2, michael@0: 0x2c,0x38,0xc1,0xa4,0x42,0xe5,0x46,0x4a, michael@0: 0x7d,0xf0,0xbe,0x47,0x88,0xb8,0x0e,0xc6, michael@0: 0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96, michael@0: 0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61, michael@0: 0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 }; michael@0: static const PRUint8 rng_no_reseed_result[] = { michael@0: 0xc4,0x40,0x41,0x8c,0xbf,0x2f,0x70,0x23, michael@0: 0x88,0xf2,0x7b,0x30,0xc3,0xca,0x1e,0xf3, michael@0: 0xef,0x53,0x81,0x5d,0x30,0xed,0x4c,0xf1, michael@0: 0xff,0x89,0xa5,0xee,0x92,0xf8,0xc0,0x0f, michael@0: 0x88,0x53,0xdf,0xb6,0x76,0xf0,0xaa,0xd3, michael@0: 0x2e,0x1d,0x64,0x37,0x3e,0xe8,0x4a,0x02, michael@0: 0xff,0x0a,0x7f,0xe5,0xe9,0x2b,0x6d }; michael@0: michael@0: SECStatus rng_status = SECSuccess; michael@0: PR_STATIC_ASSERT(sizeof(rng_known_result) >= sizeof(rng_reseed_result)); michael@0: PRUint8 result[sizeof(rng_known_result)]; michael@0: michael@0: /********************************************/ michael@0: /* First test instantiate error path. */ michael@0: /* In this case we supply enough entropy, */ michael@0: /* but not enough seed. This will trigger */ michael@0: /* the code that checks for a entropy */ michael@0: /* source failure. */ michael@0: /********************************************/ michael@0: rng_status = PRNGTEST_Instantiate(entropy, 256/PR_BITS_PER_BYTE, michael@0: NULL, 0, NULL, 0); michael@0: if (rng_status == SECSuccess) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: /* we failed with the proper error code, we can continue */ michael@0: michael@0: /********************************************/ michael@0: /* Generate random bytes with a known seed. */ michael@0: /********************************************/ michael@0: rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy, michael@0: NULL, 0, NULL, 0); michael@0: if (rng_status != SECSuccess) { michael@0: /* Error set by PRNGTEST_Instantiate */ michael@0: return SECFailure; michael@0: } michael@0: rng_status = PRNGTEST_Generate(result, sizeof rng_known_result, NULL, 0); michael@0: if ( ( rng_status != SECSuccess) || michael@0: ( PORT_Memcmp( result, rng_known_result, michael@0: sizeof rng_known_result ) != 0 ) ) { michael@0: PRNGTEST_Uninstantiate(); michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof reseed_entropy, michael@0: additional_input, sizeof additional_input); michael@0: if (rng_status != SECSuccess) { michael@0: /* Error set by PRNG_Reseed */ michael@0: PRNGTEST_Uninstantiate(); michael@0: return SECFailure; michael@0: } michael@0: rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0); michael@0: if ( ( rng_status != SECSuccess) || michael@0: ( PORT_Memcmp( result, rng_reseed_result, michael@0: sizeof rng_reseed_result ) != 0 ) ) { michael@0: PRNGTEST_Uninstantiate(); michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: /* This magic forces the reseed count to it's max count, so we can see if michael@0: * PRNGTEST_Generate will actually when it reaches it's count */ michael@0: rng_status = PRNGTEST_Reseed(NULL, 0, NULL, 0); michael@0: if (rng_status != SECSuccess) { michael@0: PRNGTEST_Uninstantiate(); michael@0: /* Error set by PRNG_Reseed */ michael@0: return SECFailure; michael@0: } michael@0: /* This generate should now reseed */ michael@0: rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0); michael@0: if ( ( rng_status != SECSuccess) || michael@0: /* NOTE we fail if the result is equal to the no_reseed_result. michael@0: * no_reseed_result is the value we would have gotten if we didn't michael@0: * do an automatic reseed in PRNGTEST_Generate */ michael@0: ( PORT_Memcmp( result, rng_no_reseed_result, michael@0: sizeof rng_no_reseed_result ) == 0 ) ) { michael@0: PRNGTEST_Uninstantiate(); michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: /* make sure reseed fails when we don't supply enough entropy */ michael@0: rng_status = PRNGTEST_Reseed(reseed_entropy, 4, NULL, 0); michael@0: if (rng_status == SECSuccess) { michael@0: PRNGTEST_Uninstantiate(); michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) { michael@0: PRNGTEST_Uninstantiate(); michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: rng_status = PRNGTEST_Uninstantiate(); michael@0: if (rng_status != SECSuccess) { michael@0: /* Error set by PRNG_Uninstantiate */ michael@0: return rng_status; michael@0: } michael@0: /* make sure uninstantiate fails if the contest is not initiated (also tests michael@0: * if the context was cleared in the previous Uninstantiate) */ michael@0: rng_status = PRNGTEST_Uninstantiate(); michael@0: if (rng_status == SECSuccess) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) { michael@0: return rng_status; michael@0: } michael@0: michael@0: return SECSuccess; michael@0: }