1 | /* |
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. | |
8ad7635e | 3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ |
9 | ||
#ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H

# include <openssl/aes.h>
# include <openssl/evp.h>
# include <openssl/sha.h>
# include <openssl/hmac.h>
# include <openssl/ec.h>
# include "internal/rand.h"

/*
 * How many times to read the TSC as a randomness source.
 * Presumably consumed by rand_acquire_entropy_from_tsc() (declared below);
 * the TSC is a weak, attacker-observable source, so this count should not be
 * mistaken for an entropy estimate.
 */
# define TSC_READ_COUNT 4

/*
 * Maximum count allowed in reseeding.
 * NOTE(review): looks like the upper bound for rand_drbg_st.reseed_interval;
 * confirm where it is enforced (rand_lib.c / drbg_lib.c).
 */
# define MAX_RESEED (1 << 24)

/*
 * Max size of additional input and personalization string, in bytes
 * (buffer lengths in this module are bytes; see the rand_drbg_st comment).
 */
# define DRBG_MAX_LENGTH 4096

/*
 * The quotient between max_{entropy,nonce}len and min_{entropy,nonce}len
 *
 * The current factor is large enough that the RAND_POOL can store a
 * random input which has a lousy entropy rate of 0.0625 bits per byte.
 * This input will be sent through the derivation function which 'compresses'
 * the low quality input into a high quality output.
 */
# define DRBG_MINMAX_FACTOR 128
/*
 * DRBG status values.
 *
 * Lifecycle state of a RAND_DRBG, stored in rand_drbg_st.state.
 * The names suggest: not yet instantiated, usable, and a failed state
 * that should not hand out output; confirm the transitions in the
 * ctr_* functions and rand_lib.c.
 */
typedef enum drbg_status_e {
    DRBG_UNINITIALISED,
    DRBG_READY,
    DRBG_ERROR
} DRBG_STATUS;
/*
 * The state of a DRBG AES-CTR.
 *
 * K and V are the CTR_DRBG working state as named in NIST SP 800-90Ar1
 * section 10.2.1 (the section the rand_drbg_st comment refers to).
 * Everything in here is secret DRBG state: NOTE(review) confirm that
 * ctr_uninstantiate() cleanses it rather than leaving key material behind.
 */
typedef struct rand_drbg_ctr_st {
    /* AES key schedule expanded from K */
    AES_KEY ks;
    /* Key length; presumably in bytes per the module's 'len' convention */
    size_t keylen;
    /* Key K; 32 bytes is enough for the largest AES key (AES-256) */
    unsigned char K[32];
    /* Counter block V; one AES block */
    unsigned char V[16];
    /* Temp variables used by derivation function */
    AES_KEY df_ks;
    AES_KEY df_kxks;
    /* Temporary block storage used by ctr_df */
    unsigned char bltmp[16];
    /* Fill position within bltmp (presumably bytes buffered so far) */
    size_t bltmp_pos;
    /*
     * Derivation-function output scratch; 48 bytes matches the largest
     * keylen (32) plus one block (16) — verify against ctr_df.
     */
    unsigned char KX[48];
} RAND_DRBG_CTR;
/*
 * The state of all types of DRBGs, even though we only have CTR mode
 * right now.
 */
struct rand_drbg_st {
    /* Lock for concurrent use; presumably taken around generate/reseed */
    CRYPTO_RWLOCK *lock;
    /* Parent DRBG, presumably the one this instance reseeds from — confirm */
    RAND_DRBG *parent;
    int nid; /* the underlying algorithm */
    /*
     * Snapshot of rand_fork_count (declared below). NOTE(review): looks like
     * this is compared with the global so a forked child does not keep
     * producing the parent's output stream — confirm in rand_lib.c.
     */
    int fork_count;
    unsigned short flags; /* various external flags */

    /*
     * The random pool is used by RAND_add()/drbg_add() to attach random
     * data to the global drbg, such that the rand_drbg_get_entropy() callback
     * can pull it during instantiation and reseeding. This is necessary to
     * reconcile the different philosophies of the RAND and the RAND_DRBG
     * with respect to how randomness is added to the RNG during reseeding
     * (see PR #4328).
     */
    RAND_POOL *pool;

    /*
     * The following parameters are set up by the per-type "init" function.
     *
     * Currently the only type is CTR_DRBG, its init function is ctr_init().
     *
     * The parameters are closely related to the ones described in
     * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one
     * crucial difference: In the NIST standard, all counts are given
     * in bits, whereas in OpenSSL entropy counts are given in bits
     * and buffer lengths are given in bytes.
     *
     * Since this difference has led to some confusion in the past,
     * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055])
     * the 'len' suffix has been added to all buffer sizes for
     * clarification.
     */

    /* Security strength, in bits (entropy counts are bits, see above) */
    int strength;
    /* Largest single generate request; bytes per the 'len' convention */
    size_t max_request;
    /* Entropy input bounds, in bytes (ratio bounded by DRBG_MINMAX_FACTOR) */
    size_t min_entropylen, max_entropylen;
    /* Nonce bounds, in bytes */
    size_t min_noncelen, max_noncelen;
    /* Personalization string / additional input bounds, in bytes */
    size_t max_perslen, max_adinlen;
    /*
     * reseed_counter presumably counts generate calls since the last reseed
     * and reseed_interval the value at which a reseed is forced; see MAX_RESEED.
     */
    unsigned int reseed_counter;
    unsigned int reseed_interval;
    /* Seed length, in bytes */
    size_t seedlen;
    /* Lifecycle state; DRBG_READY is the only usable state */
    DRBG_STATUS state;

    /* Application data, mainly used in the KATs. */
    CRYPTO_EX_DATA ex_data;

    /* Implementation specific structures; was a union, but inline for now */
    RAND_DRBG_CTR ctr;

    /* Callback functions. See comments in rand_lib.c */
    RAND_DRBG_get_entropy_fn get_entropy;
    RAND_DRBG_cleanup_entropy_fn cleanup_entropy;
    RAND_DRBG_get_nonce_fn get_nonce;
    RAND_DRBG_cleanup_nonce_fn cleanup_nonce;
};
/*
 * The global RAND method. (The comment used to also mention the global
 * buffer and DRBG instance; only rand_meth is declared in this header.)
 */
extern RAND_METHOD rand_meth;

/* How often we've forked (only incremented in child). */
extern int rand_fork_count;

/*
 * Hardware-based seeding functions.
 *
 * Each adds data to @pool and returns a size_t — presumably the amount of
 * entropy credited, not the byte count; confirm against the RAND_POOL API
 * before relying on either interpretation.
 */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool);

/*
 * DRBG entropy callbacks.
 *
 * rand_drbg_get_entropy() requests at least @entropy bits, delivered in a
 * buffer of min_len..max_len bytes returned through @pout; the return value
 * is presumably the byte count obtained (0 on failure) — confirm in
 * rand_lib.c. The buffer is later handed back through
 * rand_drbg_cleanup_entropy(), which is expected to cleanse it as well as
 * release it, since it held seed material — confirm.
 */
size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
                             unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len);
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
                               unsigned char *out, size_t outlen);

/*
 * DRBG helpers.
 *
 * rand_drbg_restart(): @buffer/@len is extra input, @entropy the bits
 * credited to it; returns 1 on success, 0 on failure (OpenSSL convention —
 * verify in drbg_lib.c).
 */
int rand_drbg_restart(RAND_DRBG *drbg,
                      const unsigned char *buffer, size_t len, size_t entropy);

/*
 * DRBG functions implementing AES-CTR.
 *
 * These are the per-type hooks for CTR_DRBG: ctr_init() fills in the
 * rand_drbg_st parameters (see that struct), ctr_instantiate()/ctr_reseed()
 * take entropy plus nonce/personalization/additional input, ctr_generate()
 * writes @outlen bytes to @out. All lengths are bytes. Return values are
 * presumably 1 on success, 0 on failure — verify in drbg_ctr.c.
 */
int ctr_init(RAND_DRBG *drbg);
int ctr_uninstantiate(RAND_DRBG *drbg);
int ctr_instantiate(RAND_DRBG *drbg,
                    const unsigned char *entropy, size_t entropylen,
                    const unsigned char *nonce, size_t noncelen,
                    const unsigned char *pers, size_t perslen);
int ctr_reseed(RAND_DRBG *drbg,
               const unsigned char *entropy, size_t entropylen,
               const unsigned char *adin, size_t adinlen);
int ctr_generate(RAND_DRBG *drbg,
                 unsigned char *out, size_t outlen,
                 const unsigned char *adin, size_t adinlen);

#endif