Blob Blame History Raw
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1561465415 -7200
#      Tue Jun 25 14:23:35 2019 +0200
# Node ID a0114e3d8b22d4c6ee77504c483a0fe0037f4c71
# Parent  313dfef345bd93bc67982249bffa2cfdd5a9d1b5
Bug 1560329, drbg: perform continuous test on entropy source

Summary: FIPS 140-2 section 4.9.2 requires a conditional self test to check that consecutive entropy blocks from the system are different.  As neither getentropy() nor /dev/urandom provides that check on the output, this adds the self test at caller side.

Reviewers: rrelyea

Bug #: 1560329

Differential Revision: https://phabricator.services.mozilla.com/D35636

diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
@@ -30,6 +30,7 @@
 #define PRNG_ADDITONAL_DATA_CACHE_SIZE (8 * 1024) /* must be less than          \
                                                    *  PRNG_MAX_ADDITIONAL_BYTES \
                                                    */
+#define PRNG_ENTROPY_BLOCK_SIZE SHA256_LENGTH
 
 /* RESEED_COUNT is how many calls to the prng before we need to reseed
  * under normal NIST rules, you must return an error. In the NSS case, we
@@ -96,6 +97,8 @@ struct RNGContextStr {
     PRUint32 additionalAvail;
     PRBool isValid;   /* false if RNG reaches an invalid state */
     PRBool isKatTest; /* true if running NIST PRNG KAT tests */
+    /* for continuous entropy check */
+    PRUint8 previousEntropyHash[SHA256_LENGTH];
 };
 
 typedef struct RNGContextStr RNGContext;
@@ -169,6 +172,82 @@ prng_instantiate(RNGContext *rng, const 
     return SECSuccess;
 }
 
+static PRCallOnceType coRNGInitEntropy;
+
+static PRStatus
+prng_initEntropy(void)
+{
+    size_t length;
+    PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+    SHA256Context ctx;
+
+    /* For FIPS 140-2 4.9.2 continuous random number generator test,
+     * fetch the initial entropy from the system RNG and keep it for
+     * later comparison. */
+    length = RNG_SystemRNG(block, sizeof(block));
+    if (length == 0) {
+        return PR_FAILURE; /* error is already set */
+    }
+    PORT_Assert(length == sizeof(block));
+
+    /* Store the hash of the entropy block rather than the block
+     * itself for backward secrecy. */
+    SHA256_Begin(&ctx);
+    SHA256_Update(&ctx, block, sizeof(block));
+    SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
+               sizeof(globalrng->previousEntropyHash));
+    PORT_Memset(block, 0, sizeof(block));
+    return PR_SUCCESS;
+}
+
+static SECStatus
+prng_getEntropy(PRUint8 *buffer, size_t requestLength)
+{
+    size_t total = 0;
+    PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+    PRUint8 hash[SHA256_LENGTH];
+    SHA256Context ctx;
+    SECStatus rv = SECSuccess;
+
+    if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    /* For FIPS 140-2 4.9.2 continuous random generator test,
+     * iteratively fetch fixed sized blocks from the system and
+     * compare consecutive blocks. */
+    while (total < requestLength) {
+        size_t length = RNG_SystemRNG(block, sizeof(block));
+        if (length == 0) {
+            rv = SECFailure; /* error is already set */
+            goto out;
+        }
+        PORT_Assert(length == sizeof(block));
+
+        /* Store the hash of the entropy block rather than the block
+         * itself for backward secrecy. */
+        SHA256_Begin(&ctx);
+        SHA256_Update(&ctx, block, sizeof(block));
+        SHA256_End(&ctx, hash, NULL, sizeof(hash));
+
+        if (PORT_Memcmp(globalrng->previousEntropyHash, hash, sizeof(hash)) == 0) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            rv = SECFailure;
+            goto out;
+        }
+        PORT_Memcpy(globalrng->previousEntropyHash, hash, sizeof(hash));
+        length = PR_MIN(requestLength - total, sizeof(block));
+        PORT_Memcpy(buffer, block, length);
+        total += length;
+        buffer += length;
+    }
+
+  out:
+    PORT_Memset(block, 0, sizeof block);
+    return rv;
+}
+
 /*
  * Update the global random number generator with more seeding
  * material. Use the Hash_DRBG reseed algorithm from NIST SP-800-90
@@ -182,11 +261,15 @@ prng_reseed(RNGContext *rng, const PRUin
 {
     PRUint8 noiseData[(sizeof rng->V_Data) + PRNG_SEEDLEN];
     PRUint8 *noise = &noiseData[0];
+    SECStatus rv;
 
     /* if entropy wasn't supplied, fetch it. (normal operation case) */
     if (entropy == NULL) {
-        entropy_len = (unsigned int)RNG_SystemRNG(
-            &noiseData[sizeof rng->V_Data], PRNG_SEEDLEN);
+        entropy_len = PRNG_SEEDLEN;
+        rv = prng_getEntropy(&noiseData[sizeof rng->V_Data], entropy_len);
+        if (rv != SECSuccess) {
+            return SECFailure; /* error is already set */
+        }
     } else {
         /* NOTE: this code is only available for testing, not to applications */
         /* if entropy was too big for the stack variable, get it from malloc */
@@ -384,7 +467,6 @@ static PRStatus
 rng_init(void)
 {
     PRUint8 bytes[PRNG_SEEDLEN * 2]; /* entropy + nonce */
-    unsigned int numBytes;
     SECStatus rv = SECSuccess;
 
     if (globalrng == NULL) {
@@ -403,18 +485,17 @@ rng_init(void)
         }
 
         /* Try to get some seed data for the RNG */
-        numBytes = (unsigned int)RNG_SystemRNG(bytes, sizeof bytes);
-        PORT_Assert(numBytes == 0 || numBytes == sizeof bytes);
-        if (numBytes != 0) {
+        rv = prng_getEntropy(bytes, sizeof bytes);
+        if (rv == SECSuccess) {
             /* if this is our first call,  instantiate, otherwise reseed
              * prng_instantiate gets a new clean state, we want to mix
              * any previous entropy we may have collected */
             if (V(globalrng)[0] == 0) {
-                rv = prng_instantiate(globalrng, bytes, numBytes);
+                rv = prng_instantiate(globalrng, bytes, sizeof bytes);
             } else {
-                rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0);
+                rv = prng_reseed_test(globalrng, bytes, sizeof bytes, NULL, 0);
             }
-            memset(bytes, 0, numBytes);
+            memset(bytes, 0, sizeof bytes);
         } else {
             PZ_DestroyLock(globalrng->lock);
             globalrng->lock = NULL;