]>
Commit | Line | Data |
---|---|---|
b1322259 | 1 | /* |
3c7d0945 | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
8ad7635e | 3 | * |
0db63de9 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8ad7635e UM |
8 | */ |
9 | ||
10 | #ifndef HEADER_RAND_LCL_H | |
0f113f3e | 11 | # define HEADER_RAND_LCL_H |
8ad7635e | 12 | |
12fb8c3d RS |
13 | # include <openssl/aes.h> |
14 | # include <openssl/evp.h> | |
15 | # include <openssl/sha.h> | |
16 | # include <openssl/hmac.h> | |
17 | # include <openssl/ec.h> | |
6decf943 | 18 | # include <openssl/rand_drbg.h> |
a83dc59a | 19 | # include "internal/tsan_assist.h" |
12fb8c3d | 20 | |
f81b043a RL |
21 | # include "internal/numbers.h" |
22 | ||
9ed79d8e RS |
23 | /* How many times to read the TSC as a randomness source. */ |
24 | # define TSC_READ_COUNT 4 | |
25 | ||
08a65d96 | 26 | /* Maximum reseed intervals */ |
a93ba405 | 27 | # define MAX_RESEED_INTERVAL (1 << 24) |
08a65d96 | 28 | # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ |
a93ba405 DMSP |
29 | |
30 | /* Default reseed intervals */ | |
31 | # define MASTER_RESEED_INTERVAL (1 << 8) | |
32 | # define SLAVE_RESEED_INTERVAL (1 << 16) | |
08a65d96 DMSP |
33 | # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ |
34 | # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ | |
35 | ||
d69226a3 P |
36 | /* |
37 | * The number of bytes that constitutes an atomic lump of entropy with respect | |
38 | * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat | |
39 | * arbitrary, the smaller the value, the less entropy is consumed on first | |
40 | * read but the higher the probability of the test failing by accident. | |
41 | * | |
42 | * The value is in bytes. | |
43 | */ | |
44 | #define CRNGT_BUFSIZ 16 | |
4c75ee85 | 45 | |
3064b551 DMSP |
46 | /* |
47 | * Maximum input size for the DRBG (entropy, nonce, personalization string) | |
48 | * | |
49 | * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. | |
50 | * | |
51 | * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. | |
52 | */ | |
53 | # define DRBG_MAX_LENGTH INT32_MAX | |
54 | ||
d69226a3 P |
55 | /* The default nonce */ |
56 | # define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" | |
12fb8c3d | 57 | |
c16de9d8 | 58 | /* |
3064b551 | 59 | * Maximum allocation size for RANDOM_POOL buffers |
c16de9d8 | 60 | * |
3064b551 DMSP |
61 | * The max_len value for the buffer provided to the rand_drbg_get_entropy() |
62 | * callback is currently 2^31 bytes (2 gigabytes), if a derivation function | |
63 | * is used. Since this is much too large to be allocated, the rand_pool_new() | |
64 | * function chooses more modest values as default pool length, bounded | |
65 | * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH | |
66 | * | |
67 | * The choice of the RAND_POOL_FACTOR is large enough such that the | |
68 | * RAND_POOL can store a random input which has a lousy entropy rate of | |
69 | * 8/256 (= 0.03125) bits per byte. This input will be sent through the | |
70 | * derivation function which 'compresses' the low quality input into a | |
71 | * high quality output. | |
72 | * | |
73 | * The factor 1.5 below is the pessimistic estimate for the extra amount | |
74 | * of entropy required when no get_nonce() callback is defined. | |
75 | */ | |
76 | # define RAND_POOL_FACTOR 256 | |
77 | # define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \ | |
78 | 3 * (RAND_DRBG_STRENGTH / 16)) | |
79 | /* | |
80 | * = (RAND_POOL_FACTOR * \ | |
81 | * 1.5 * (RAND_DRBG_STRENGTH / 8)) | |
c16de9d8 | 82 | */ |
12fb8c3d | 83 | |
75e2c877 RS |
84 | |
85 | /* DRBG status values */ | |
86 | typedef enum drbg_status_e { | |
87 | DRBG_UNINITIALISED, | |
88 | DRBG_READY, | |
75e2c877 RS |
89 | DRBG_ERROR |
90 | } DRBG_STATUS; | |
91 | ||
92 | ||
8bf36651 | 93 | /* instantiate */ |
8212d505 DMSP |
94 | typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx, |
95 | const unsigned char *ent, | |
96 | size_t entlen, | |
97 | const unsigned char *nonce, | |
98 | size_t noncelen, | |
99 | const unsigned char *pers, | |
100 | size_t perslen); | |
101 | /* reseed */ | |
102 | typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx, | |
103 | const unsigned char *ent, | |
104 | size_t entlen, | |
105 | const unsigned char *adin, | |
106 | size_t adinlen); | |
8bf36651 | 107 | /* generate output */ |
8212d505 DMSP |
108 | typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx, |
109 | unsigned char *out, | |
110 | size_t outlen, | |
111 | const unsigned char *adin, | |
112 | size_t adinlen); | |
113 | /* uninstantiate */ | |
114 | typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx); | |
115 | ||
116 | ||
117 | /* | |
118 | * The DRBG methods | |
119 | */ | |
120 | ||
121 | typedef struct rand_drbg_method_st { | |
122 | RAND_DRBG_instantiate_fn instantiate; | |
123 | RAND_DRBG_reseed_fn reseed; | |
124 | RAND_DRBG_generate_fn generate; | |
125 | RAND_DRBG_uninstantiate_fn uninstantiate; | |
126 | } RAND_DRBG_METHOD; | |
127 | ||
8bf36651 SL |
128 | /* 888 bits from SP800-90Ar1 10.1 table 2 */ |
129 | #define HASH_PRNG_MAX_SEEDLEN (888/8) | |
130 | ||
131 | typedef struct rand_drbg_hash_st { | |
132 | const EVP_MD *md; | |
133 | EVP_MD_CTX *ctx; | |
134 | size_t blocklen; | |
135 | unsigned char V[HASH_PRNG_MAX_SEEDLEN]; | |
136 | unsigned char C[HASH_PRNG_MAX_SEEDLEN]; | |
137 | /* Temporary value storage: should always exceed max digest length */ | |
138 | unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; | |
139 | } RAND_DRBG_HASH; | |
140 | ||
141 | typedef struct rand_drbg_hmac_st { | |
142 | const EVP_MD *md; | |
143 | HMAC_CTX *ctx; | |
144 | size_t blocklen; | |
145 | unsigned char K[EVP_MAX_MD_SIZE]; | |
146 | unsigned char V[EVP_MAX_MD_SIZE]; | |
147 | } RAND_DRBG_HMAC; | |
8212d505 | 148 | |
75e2c877 RS |
149 | /* |
150 | * The state of a DRBG AES-CTR. | |
151 | */ | |
152 | typedef struct rand_drbg_ctr_st { | |
dbdcc04f KR |
153 | EVP_CIPHER_CTX *ctx; |
154 | EVP_CIPHER_CTX *ctx_df; | |
155 | const EVP_CIPHER *cipher; | |
12fb8c3d RS |
156 | size_t keylen; |
157 | unsigned char K[32]; | |
158 | unsigned char V[16]; | |
12fb8c3d RS |
159 | /* Temporary block storage used by ctr_df */ |
160 | unsigned char bltmp[16]; | |
161 | size_t bltmp_pos; | |
162 | unsigned char KX[48]; | |
75e2c877 | 163 | } RAND_DRBG_CTR; |
12fb8c3d | 164 | |
8389ec4b | 165 | |
2a70d65b KR |
166 | /* |
167 | * The 'random pool' acts as a dumb container for collecting random | |
168 | * input from various entropy sources. The pool has no knowledge about | |
169 | * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() | |
170 | * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the | |
171 | * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and | |
172 | * 4) cleanup the random pool again. | |
173 | * | |
174 | * The random pool contains no locking mechanism because its scope and | |
175 | * lifetime is intended to be restricted to a single stack frame. | |
176 | */ | |
177 | struct rand_pool_st { | |
178 | unsigned char *buffer; /* points to the beginning of the random pool */ | |
179 | size_t len; /* current number of random bytes contained in the pool */ | |
180 | ||
3064b551 DMSP |
181 | int attached; /* true pool was attached to existing buffer */ |
182 | ||
2a70d65b KR |
183 | size_t min_len; /* minimum number of random bytes requested */ |
184 | size_t max_len; /* maximum number of random bytes (allocated buffer size) */ | |
185 | size_t entropy; /* current entropy count in bits */ | |
3064b551 | 186 | size_t entropy_requested; /* requested entropy count in bits */ |
2a70d65b KR |
187 | }; |
188 | ||
8389ec4b | 189 | /* |
75e2c877 RS |
190 | * The state of all types of DRBGs, even though we only have CTR mode |
191 | * right now. | |
8389ec4b | 192 | */ |
75e2c877 | 193 | struct rand_drbg_st { |
12fb8c3d | 194 | CRYPTO_RWLOCK *lock; |
75e2c877 | 195 | RAND_DRBG *parent; |
4f9dabbf | 196 | int secure; /* 1: allocated on the secure heap, 0: otherwise */ |
31393fd9 | 197 | int type; /* the nid of the underlying algorithm */ |
f2633200 BK |
198 | /* |
199 | * Stores the value of the rand_fork_count global as of when we last | |
8bf36651 | 200 | * reseeded. The DRBG reseeds automatically whenever drbg->fork_count != |
f2633200 BK |
201 | * rand_fork_count. Used to provide fork-safety and reseed this DRBG in |
202 | * the child process. | |
203 | */ | |
a35f607c | 204 | int fork_count; |
75e2c877 | 205 | unsigned short flags; /* various external flags */ |
c16de9d8 | 206 | |
75e2c877 | 207 | /* |
3064b551 | 208 | * The random_data is used by RAND_add()/drbg_add() to attach random |
c16de9d8 DMSP |
209 | * data to the global drbg, such that the rand_drbg_get_entropy() callback |
210 | * can pull it during instantiation and reseeding. This is necessary to | |
211 | * reconcile the different philosophies of the RAND and the RAND_DRBG | |
212 | * with respect to how randomness is added to the RNG during reseeding | |
213 | * (see PR #4328). | |
75e2c877 | 214 | */ |
31f32abb | 215 | struct rand_pool_st *seed_pool; |
75e2c877 | 216 | |
54f3e855 BE |
217 | /* |
218 | * Auxiliary pool for additional data. | |
219 | */ | |
220 | struct rand_pool_st *adin_pool; | |
221 | ||
c16de9d8 | 222 | /* |
aa048aef DMSP |
223 | * The following parameters are setup by the per-type "init" function. |
224 | * | |
8bf36651 SL |
225 | * The supported types and their init functions are: |
226 | * (1) CTR_DRBG: drbg_ctr_init(). | |
227 | * (2) HMAC_DRBG: drbg_hmac_init(). | |
228 | * (3) HASH_DRBG: drbg_hash_init(). | |
aa048aef | 229 | * |
c16de9d8 | 230 | * The parameters are closely related to the ones described in |
aa048aef DMSP |
231 | * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one |
232 | * crucial difference: In the NIST standard, all counts are given | |
c16de9d8 | 233 | * in bits, whereas in OpenSSL entropy counts are given in bits |
aa048aef | 234 | * and buffer lengths are given in bytes. |
c16de9d8 | 235 | * |
aa048aef DMSP |
236 | * Since this difference has lead to some confusion in the past, |
237 | * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) | |
c16de9d8 | 238 | * the 'len' suffix has been added to all buffer sizes for |
aa048aef DMSP |
239 | * clarification. |
240 | */ | |
c16de9d8 | 241 | |
12fb8c3d | 242 | int strength; |
12fb8c3d | 243 | size_t max_request; |
aa048aef DMSP |
244 | size_t min_entropylen, max_entropylen; |
245 | size_t min_noncelen, max_noncelen; | |
246 | size_t max_perslen, max_adinlen; | |
a93ba405 | 247 | |
8bf36651 SL |
248 | /* |
249 | * Counts the number of generate requests since the last reseed | |
250 | * (Starts at 1). This value is the reseed_counter as defined in | |
251 | * NIST SP 800-90Ar1 | |
252 | */ | |
253 | unsigned int reseed_gen_counter; | |
a93ba405 DMSP |
254 | /* |
255 | * Maximum number of generate requests until a reseed is required. | |
256 | * This value is ignored if it is zero. | |
257 | */ | |
12fb8c3d | 258 | unsigned int reseed_interval; |
08a65d96 DMSP |
259 | /* Stores the time when the last reseeding occurred */ |
260 | time_t reseed_time; | |
261 | /* | |
262 | * Specifies the maximum time interval (in seconds) between reseeds. | |
263 | * This value is ignored if it is zero. | |
264 | */ | |
265 | time_t reseed_time_interval; | |
a93ba405 DMSP |
266 | /* |
267 | * Counts the number of reseeds since instantiation. | |
268 | * This value is ignored if it is zero. | |
269 | * | |
270 | * This counter is used only for seed propagation from the <master> DRBG | |
271 | * to its two children, the <public> and <private> DRBG. This feature is | |
272 | * very special and its sole purpose is to ensure that any randomness which | |
273 | * is added by RAND_add() or RAND_seed() will have an immediate effect on | |
274 | * the output of RAND_bytes() resp. RAND_priv_bytes(). | |
275 | */ | |
a83dc59a BE |
276 | TSAN_QUALIFIER unsigned int reseed_prop_counter; |
277 | unsigned int reseed_next_counter; | |
a93ba405 | 278 | |
12fb8c3d | 279 | size_t seedlen; |
75e2c877 | 280 | DRBG_STATUS state; |
12fb8c3d | 281 | |
75e2c877 | 282 | /* Application data, mainly used in the KATs. */ |
12fb8c3d RS |
283 | CRYPTO_EX_DATA ex_data; |
284 | ||
8bf36651 | 285 | /* Implementation specific data */ |
8212d505 DMSP |
286 | union { |
287 | RAND_DRBG_CTR ctr; | |
8bf36651 SL |
288 | RAND_DRBG_HASH hash; |
289 | RAND_DRBG_HMAC hmac; | |
8212d505 DMSP |
290 | } data; |
291 | ||
292 | /* Implementation specific methods */ | |
293 | RAND_DRBG_METHOD *meth; | |
12fb8c3d | 294 | |
75e2c877 | 295 | /* Callback functions. See comments in rand_lib.c */ |
16960a9b | 296 | RAND_DRBG_get_entropy_fn get_entropy; |
16960a9b | 297 | RAND_DRBG_cleanup_entropy_fn cleanup_entropy; |
16960a9b | 298 | RAND_DRBG_get_nonce_fn get_nonce; |
16960a9b | 299 | RAND_DRBG_cleanup_nonce_fn cleanup_nonce; |
12fb8c3d | 300 | }; |
da8fc25a | 301 | |
75e2c877 RS |
302 | /* The global RAND method, and the global buffer and DRBG instance. */ |
303 | extern RAND_METHOD rand_meth; | |
12fb8c3d | 304 | |
f2633200 BK |
305 | /* |
306 | * A "generation count" of forks. Incremented in the child process after a | |
307 | * fork. Since rand_fork_count is increment-only, and only ever written to in | |
308 | * the child process of the fork, which is guaranteed to be single-threaded, no | |
309 | * locking is needed for normal (read) accesses; the rest of pthread fork | |
310 | * processing is assumed to introduce the necessary memory barriers. Sibling | |
311 | * children of a given parent will produce duplicate values, but this is not | |
312 | * problematic because the reseeding process pulls input from the system CSPRNG | |
313 | * and/or other global sources, so the siblings will end up generating | |
314 | * different output streams. | |
315 | */ | |
a35f607c RS |
316 | extern int rand_fork_count; |
317 | ||
c16de9d8 DMSP |
318 | /* DRBG helpers */ |
319 | int rand_drbg_restart(RAND_DRBG *drbg, | |
320 | const unsigned char *buffer, size_t len, size_t entropy); | |
1c615e4c | 321 | size_t rand_drbg_seedlen(RAND_DRBG *drbg); |
812b1537 DMSP |
322 | /* locking api */ |
323 | int rand_drbg_lock(RAND_DRBG *drbg); | |
324 | int rand_drbg_unlock(RAND_DRBG *drbg); | |
325 | int rand_drbg_enable_locking(RAND_DRBG *drbg); | |
326 | ||
327 | ||
8bf36651 | 328 | /* initializes the DRBG implementation */ |
8212d505 | 329 | int drbg_ctr_init(RAND_DRBG *drbg); |
8bf36651 SL |
330 | int drbg_hash_init(RAND_DRBG *drbg); |
331 | int drbg_hmac_init(RAND_DRBG *drbg); | |
8ad7635e | 332 | |
d69226a3 P |
333 | /* |
334 | * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. | |
335 | * These need to be exposed for the unit tests. | |
336 | */ | |
337 | int rand_crngt_get_entropy_cb(unsigned char *buf); | |
338 | extern int (*crngt_get_entropy)(unsigned char *); | |
339 | int rand_crngt_init(void); | |
340 | void rand_crngt_cleanup(void); | |
341 | ||
342 | /* | |
343 | * Expose the run once initialisation function for the unit tests because. | |
344 | * they need to restart from scratch to validate the first block is skipped | |
345 | * properly. | |
346 | */ | |
347 | int rand_crngt_single_init(void); | |
348 | ||
8ad7635e | 349 | #endif |