]>
Commit | Line | Data |
---|---|---|
b1322259 | 1 | /* |
3c7d0945 | 2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
8ad7635e | 3 | * |
0db63de9 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8ad7635e UM |
8 | */ |
9 | ||
10 | #ifndef HEADER_RAND_LCL_H | |
0f113f3e | 11 | # define HEADER_RAND_LCL_H |
8ad7635e | 12 | |
12fb8c3d RS |
13 | # include <openssl/aes.h> |
14 | # include <openssl/evp.h> | |
15 | # include <openssl/sha.h> | |
16 | # include <openssl/hmac.h> | |
17 | # include <openssl/ec.h> | |
6decf943 | 18 | # include <openssl/rand_drbg.h> |
a83dc59a | 19 | # include "internal/tsan_assist.h" |
25f2138b | 20 | # include "crypto/rand.h" |
12fb8c3d | 21 | |
f81b043a RL |
22 | # include "internal/numbers.h" |
23 | ||
9ed79d8e RS |
24 | /* How many times to read the TSC as a randomness source. */ |
25 | # define TSC_READ_COUNT 4 | |
26 | ||
08a65d96 | 27 | /* Maximum reseed intervals */ |
a93ba405 | 28 | # define MAX_RESEED_INTERVAL (1 << 24) |
08a65d96 | 29 | # define MAX_RESEED_TIME_INTERVAL (1 << 20) /* approx. 12 days */ |
a93ba405 DMSP |
30 | |
31 | /* Default reseed intervals */ | |
32 | # define MASTER_RESEED_INTERVAL (1 << 8) | |
33 | # define SLAVE_RESEED_INTERVAL (1 << 16) | |
08a65d96 DMSP |
34 | # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ |
35 | # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ | |
36 | ||
d69226a3 P |
37 | /* |
38 | * The number of bytes that constitutes an atomic lump of entropy with respect | |
39 | * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat | |
40 | * arbitrary, the smaller the value, the less entropy is consumed on first | |
41 | * read but the higher the probability of the test failing by accident. | |
42 | * | |
43 | * The value is in bytes. | |
44 | */ | |
45 | #define CRNGT_BUFSIZ 16 | |
4c75ee85 | 46 | |
3064b551 DMSP |
47 | /* |
48 | * Maximum input size for the DRBG (entropy, nonce, personalization string) | |
49 | * | |
50 | * NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes. | |
51 | * | |
52 | * We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes. | |
53 | */ | |
54 | # define DRBG_MAX_LENGTH INT32_MAX | |
55 | ||
d69226a3 | 56 | /* The default nonce */ |
48102247 | 57 | #ifdef CHARSET_EBCDIC |
58 | # define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \ | |
59 | 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \ | |
60 | 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00}; | |
61 | #else | |
d69226a3 | 62 | # define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" |
48102247 | 63 | #endif |
12fb8c3d | 64 | |
c16de9d8 | 65 | /* |
3064b551 | 66 | * Maximum allocation size for RANDOM_POOL buffers |
c16de9d8 | 67 | * |
3064b551 DMSP |
68 | * The max_len value for the buffer provided to the rand_drbg_get_entropy() |
69 | * callback is currently 2^31 bytes (2 gigabytes), if a derivation function | |
70 | * is used. Since this is much too large to be allocated, the rand_pool_new() | |
71 | * function chooses more modest values as default pool length, bounded | |
72 | * by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH | |
73 | * | |
74 | * The choice of the RAND_POOL_FACTOR is large enough such that the | |
75 | * RAND_POOL can store a random input which has a lousy entropy rate of | |
76 | * 8/256 (= 0.03125) bits per byte. This input will be sent through the | |
77 | * derivation function which 'compresses' the low quality input into a | |
78 | * high quality output. | |
79 | * | |
80 | * The factor 1.5 below is the pessimistic estimate for the extra amount | |
81 | * of entropy required when no get_nonce() callback is defined. | |
82 | */ | |
83 | # define RAND_POOL_FACTOR 256 | |
84 | # define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \ | |
85 | 3 * (RAND_DRBG_STRENGTH / 16)) | |
86 | /* | |
87 | * = (RAND_POOL_FACTOR * \ | |
88 | * 1.5 * (RAND_DRBG_STRENGTH / 8)) | |
c16de9d8 | 89 | */ |
12fb8c3d | 90 | |
a6a66e45 P |
91 | /* |
92 | * Initial allocation minimum. | |
93 | * | |
94 | * There is a distinction between the secure and normal allocation minimums. | |
95 | * Ideally, the secure allocation size should be a power of two. The normal | |
96 | * allocation size doesn't have any such restriction. | |
97 | * | |
98 | * The secure value is based on 128 bits of secure material, which is 16 bytes. | |
99 | * Typically, the DRBGs will set a minimum larger than this so optimal | |
100 | * allocation ought to take place (for full quality seed material). | |
101 | * | |
102 | * The normal value has been chosed by noticing that the rand_drbg_get_nonce | |
103 | * function is usually the largest of the built in allocation (twenty four | |
104 | * bytes and then appending another sixteen bytes). This means the buffer ends | |
105 | * with 40 bytes. The value of forty eight is comfortably above this which | |
106 | * allows some slack in the platform specific values used. | |
107 | */ | |
108 | # define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48) | |
75e2c877 RS |
109 | |
110 | /* DRBG status values */ | |
111 | typedef enum drbg_status_e { | |
112 | DRBG_UNINITIALISED, | |
113 | DRBG_READY, | |
75e2c877 RS |
114 | DRBG_ERROR |
115 | } DRBG_STATUS; | |
116 | ||
117 | ||
8bf36651 | 118 | /* instantiate */ |
8212d505 DMSP |
119 | typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx, |
120 | const unsigned char *ent, | |
121 | size_t entlen, | |
122 | const unsigned char *nonce, | |
123 | size_t noncelen, | |
124 | const unsigned char *pers, | |
125 | size_t perslen); | |
126 | /* reseed */ | |
127 | typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx, | |
128 | const unsigned char *ent, | |
129 | size_t entlen, | |
130 | const unsigned char *adin, | |
131 | size_t adinlen); | |
8bf36651 | 132 | /* generate output */ |
8212d505 DMSP |
133 | typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx, |
134 | unsigned char *out, | |
135 | size_t outlen, | |
136 | const unsigned char *adin, | |
137 | size_t adinlen); | |
138 | /* uninstantiate */ | |
139 | typedef int (*RAND_DRBG_uninstantiate_fn)(RAND_DRBG *ctx); | |
140 | ||
141 | ||
142 | /* | |
143 | * The DRBG methods | |
144 | */ | |
145 | ||
146 | typedef struct rand_drbg_method_st { | |
147 | RAND_DRBG_instantiate_fn instantiate; | |
148 | RAND_DRBG_reseed_fn reseed; | |
149 | RAND_DRBG_generate_fn generate; | |
150 | RAND_DRBG_uninstantiate_fn uninstantiate; | |
151 | } RAND_DRBG_METHOD; | |
152 | ||
8bf36651 SL |
153 | /* 888 bits from SP800-90Ar1 10.1 table 2 */ |
154 | #define HASH_PRNG_MAX_SEEDLEN (888/8) | |
155 | ||
156 | typedef struct rand_drbg_hash_st { | |
57ca171a | 157 | EVP_MD *md; |
8bf36651 SL |
158 | EVP_MD_CTX *ctx; |
159 | size_t blocklen; | |
160 | unsigned char V[HASH_PRNG_MAX_SEEDLEN]; | |
161 | unsigned char C[HASH_PRNG_MAX_SEEDLEN]; | |
162 | /* Temporary value storage: should always exceed max digest length */ | |
163 | unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; | |
164 | } RAND_DRBG_HASH; | |
165 | ||
166 | typedef struct rand_drbg_hmac_st { | |
57ca171a | 167 | EVP_MD *md; |
8bf36651 SL |
168 | HMAC_CTX *ctx; |
169 | size_t blocklen; | |
170 | unsigned char K[EVP_MAX_MD_SIZE]; | |
171 | unsigned char V[EVP_MAX_MD_SIZE]; | |
172 | } RAND_DRBG_HMAC; | |
8212d505 | 173 | |
75e2c877 RS |
174 | /* |
175 | * The state of a DRBG AES-CTR. | |
176 | */ | |
177 | typedef struct rand_drbg_ctr_st { | |
dbdcc04f KR |
178 | EVP_CIPHER_CTX *ctx; |
179 | EVP_CIPHER_CTX *ctx_df; | |
57ca171a | 180 | EVP_CIPHER *cipher; |
12fb8c3d RS |
181 | size_t keylen; |
182 | unsigned char K[32]; | |
183 | unsigned char V[16]; | |
12fb8c3d RS |
184 | /* Temporary block storage used by ctr_df */ |
185 | unsigned char bltmp[16]; | |
186 | size_t bltmp_pos; | |
187 | unsigned char KX[48]; | |
75e2c877 | 188 | } RAND_DRBG_CTR; |
12fb8c3d | 189 | |
8389ec4b | 190 | |
2a70d65b KR |
191 | /* |
192 | * The 'random pool' acts as a dumb container for collecting random | |
193 | * input from various entropy sources. The pool has no knowledge about | |
194 | * whether its randomness is fed into a legacy RAND_METHOD via RAND_add() | |
195 | * or into a new style RAND_DRBG. It is the callers duty to 1) initialize the | |
196 | * random pool, 2) pass it to the polling callbacks, 3) seed the RNG, and | |
197 | * 4) cleanup the random pool again. | |
198 | * | |
199 | * The random pool contains no locking mechanism because its scope and | |
200 | * lifetime is intended to be restricted to a single stack frame. | |
201 | */ | |
202 | struct rand_pool_st { | |
203 | unsigned char *buffer; /* points to the beginning of the random pool */ | |
204 | size_t len; /* current number of random bytes contained in the pool */ | |
205 | ||
3064b551 | 206 | int attached; /* true pool was attached to existing buffer */ |
1372560f | 207 | int secure; /* 1: allocated on the secure heap, 0: otherwise */ |
3064b551 | 208 | |
2a70d65b KR |
209 | size_t min_len; /* minimum number of random bytes requested */ |
210 | size_t max_len; /* maximum number of random bytes (allocated buffer size) */ | |
a6a66e45 | 211 | size_t alloc_len; /* current number of bytes allocated */ |
2a70d65b | 212 | size_t entropy; /* current entropy count in bits */ |
3064b551 | 213 | size_t entropy_requested; /* requested entropy count in bits */ |
2a70d65b KR |
214 | }; |
215 | ||
8389ec4b | 216 | /* |
75e2c877 RS |
217 | * The state of all types of DRBGs, even though we only have CTR mode |
218 | * right now. | |
8389ec4b | 219 | */ |
75e2c877 | 220 | struct rand_drbg_st { |
12fb8c3d | 221 | CRYPTO_RWLOCK *lock; |
da0d114c MC |
222 | /* The library context this DRBG is associated with, if any */ |
223 | OPENSSL_CTX *libctx; | |
75e2c877 | 224 | RAND_DRBG *parent; |
4f9dabbf | 225 | int secure; /* 1: allocated on the secure heap, 0: otherwise */ |
31393fd9 | 226 | int type; /* the nid of the underlying algorithm */ |
f2633200 | 227 | /* |
84952925 DMSP |
228 | * Stores the return value of openssl_get_fork_id() as of when we last |
229 | * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != | |
230 | * openssl_get_fork_id(). Used to provide fork-safety and reseed this | |
231 | * DRBG in the child process. | |
f2633200 | 232 | */ |
84952925 | 233 | int fork_id; |
75e2c877 | 234 | unsigned short flags; /* various external flags */ |
c16de9d8 | 235 | |
75e2c877 | 236 | /* |
3064b551 | 237 | * The random_data is used by RAND_add()/drbg_add() to attach random |
c16de9d8 DMSP |
238 | * data to the global drbg, such that the rand_drbg_get_entropy() callback |
239 | * can pull it during instantiation and reseeding. This is necessary to | |
240 | * reconcile the different philosophies of the RAND and the RAND_DRBG | |
241 | * with respect to how randomness is added to the RNG during reseeding | |
242 | * (see PR #4328). | |
75e2c877 | 243 | */ |
31f32abb | 244 | struct rand_pool_st *seed_pool; |
75e2c877 | 245 | |
54f3e855 BE |
246 | /* |
247 | * Auxiliary pool for additional data. | |
248 | */ | |
249 | struct rand_pool_st *adin_pool; | |
250 | ||
c16de9d8 | 251 | /* |
aa048aef DMSP |
252 | * The following parameters are setup by the per-type "init" function. |
253 | * | |
8bf36651 SL |
254 | * The supported types and their init functions are: |
255 | * (1) CTR_DRBG: drbg_ctr_init(). | |
256 | * (2) HMAC_DRBG: drbg_hmac_init(). | |
257 | * (3) HASH_DRBG: drbg_hash_init(). | |
aa048aef | 258 | * |
c16de9d8 | 259 | * The parameters are closely related to the ones described in |
aa048aef DMSP |
260 | * section '10.2.1 CTR_DRBG' of [NIST SP 800-90Ar1], with one |
261 | * crucial difference: In the NIST standard, all counts are given | |
c16de9d8 | 262 | * in bits, whereas in OpenSSL entropy counts are given in bits |
aa048aef | 263 | * and buffer lengths are given in bytes. |
c16de9d8 | 264 | * |
aa048aef DMSP |
265 | * Since this difference has lead to some confusion in the past, |
266 | * (see [GitHub Issue #2443], formerly [rt.openssl.org #4055]) | |
c16de9d8 | 267 | * the 'len' suffix has been added to all buffer sizes for |
aa048aef DMSP |
268 | * clarification. |
269 | */ | |
c16de9d8 | 270 | |
12fb8c3d | 271 | int strength; |
12fb8c3d | 272 | size_t max_request; |
aa048aef DMSP |
273 | size_t min_entropylen, max_entropylen; |
274 | size_t min_noncelen, max_noncelen; | |
275 | size_t max_perslen, max_adinlen; | |
a93ba405 | 276 | |
8bf36651 SL |
277 | /* |
278 | * Counts the number of generate requests since the last reseed | |
279 | * (Starts at 1). This value is the reseed_counter as defined in | |
280 | * NIST SP 800-90Ar1 | |
281 | */ | |
282 | unsigned int reseed_gen_counter; | |
a93ba405 DMSP |
283 | /* |
284 | * Maximum number of generate requests until a reseed is required. | |
285 | * This value is ignored if it is zero. | |
286 | */ | |
12fb8c3d | 287 | unsigned int reseed_interval; |
08a65d96 DMSP |
288 | /* Stores the time when the last reseeding occurred */ |
289 | time_t reseed_time; | |
290 | /* | |
291 | * Specifies the maximum time interval (in seconds) between reseeds. | |
292 | * This value is ignored if it is zero. | |
293 | */ | |
294 | time_t reseed_time_interval; | |
a93ba405 DMSP |
295 | /* |
296 | * Counts the number of reseeds since instantiation. | |
297 | * This value is ignored if it is zero. | |
298 | * | |
299 | * This counter is used only for seed propagation from the <master> DRBG | |
300 | * to its two children, the <public> and <private> DRBG. This feature is | |
301 | * very special and its sole purpose is to ensure that any randomness which | |
302 | * is added by RAND_add() or RAND_seed() will have an immediate effect on | |
303 | * the output of RAND_bytes() resp. RAND_priv_bytes(). | |
304 | */ | |
a83dc59a BE |
305 | TSAN_QUALIFIER unsigned int reseed_prop_counter; |
306 | unsigned int reseed_next_counter; | |
a93ba405 | 307 | |
12fb8c3d | 308 | size_t seedlen; |
75e2c877 | 309 | DRBG_STATUS state; |
12fb8c3d | 310 | |
75e2c877 | 311 | /* Application data, mainly used in the KATs. */ |
12fb8c3d RS |
312 | CRYPTO_EX_DATA ex_data; |
313 | ||
8bf36651 | 314 | /* Implementation specific data */ |
8212d505 DMSP |
315 | union { |
316 | RAND_DRBG_CTR ctr; | |
8bf36651 SL |
317 | RAND_DRBG_HASH hash; |
318 | RAND_DRBG_HMAC hmac; | |
8212d505 DMSP |
319 | } data; |
320 | ||
321 | /* Implementation specific methods */ | |
322 | RAND_DRBG_METHOD *meth; | |
12fb8c3d | 323 | |
75e2c877 | 324 | /* Callback functions. See comments in rand_lib.c */ |
16960a9b | 325 | RAND_DRBG_get_entropy_fn get_entropy; |
16960a9b | 326 | RAND_DRBG_cleanup_entropy_fn cleanup_entropy; |
16960a9b | 327 | RAND_DRBG_get_nonce_fn get_nonce; |
16960a9b | 328 | RAND_DRBG_cleanup_nonce_fn cleanup_nonce; |
12fb8c3d | 329 | }; |
da8fc25a | 330 | |
75e2c877 RS |
331 | /* The global RAND method, and the global buffer and DRBG instance. */ |
332 | extern RAND_METHOD rand_meth; | |
12fb8c3d | 333 | |
c16de9d8 DMSP |
334 | /* DRBG helpers */ |
335 | int rand_drbg_restart(RAND_DRBG *drbg, | |
336 | const unsigned char *buffer, size_t len, size_t entropy); | |
1c615e4c | 337 | size_t rand_drbg_seedlen(RAND_DRBG *drbg); |
812b1537 DMSP |
338 | /* locking api */ |
339 | int rand_drbg_lock(RAND_DRBG *drbg); | |
340 | int rand_drbg_unlock(RAND_DRBG *drbg); | |
341 | int rand_drbg_enable_locking(RAND_DRBG *drbg); | |
342 | ||
343 | ||
8bf36651 | 344 | /* initializes the DRBG implementation */ |
8212d505 | 345 | int drbg_ctr_init(RAND_DRBG *drbg); |
8bf36651 SL |
346 | int drbg_hash_init(RAND_DRBG *drbg); |
347 | int drbg_hmac_init(RAND_DRBG *drbg); | |
8ad7635e | 348 | |
d69226a3 P |
349 | /* |
350 | * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. | |
351 | * These need to be exposed for the unit tests. | |
352 | */ | |
57ca171a MC |
353 | int rand_crngt_get_entropy_cb(OPENSSL_CTX *ctx, RAND_POOL *pool, |
354 | unsigned char *buf, unsigned char *md, | |
355 | unsigned int *md_size); | |
356 | extern int (*crngt_get_entropy)(OPENSSL_CTX *ctx, RAND_POOL *pool, | |
357 | unsigned char *buf, unsigned char *md, | |
8094a694 | 358 | unsigned int *md_size); |
d69226a3 | 359 | |
8ad7635e | 360 | #endif |